[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
Watson Ladd <watsonbladd@gmail.com> Tue, 09 July 2024 18:39 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D55C14F6FB for <wimse@ietfa.amsl.com>; Tue, 9 Jul 2024 11:39:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iCEoJsYbpmKC for <wimse@ietfa.amsl.com>; Tue, 9 Jul 2024 11:39:02 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95186C14F6FA for <wimse@ietf.org>; Tue, 9 Jul 2024 11:39:02 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id ffacd0b85a97d-3678aa359b7so20642f8f.1 for <wimse@ietf.org>; Tue, 09 Jul 2024 11:39:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720550340; x=1721155140; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sMUqGoN+2zRpDJ8pSfhRscsjNdL9RGOnNmYnpaZZgmo=; b=nDutL/cH677BHKrK8MjN6aaaUPv/sn5F6XPJWhizQ3LDSqTxJSr2zu9lyxO3quTW75 boF69cs93Y7OCd816Sj/vajQt1TeOjEbaLqiOGrEa0WyAzlGj+3EnSSyQk+kn0daXNYw ANcDvfhJxhAg/bEMwscTPSz8WiSK6ou+pQOd7jb2XXSz+82R0tO/4GyoGBKZ0lP+xCbp 3UzY3w2Oe3juklZVcRB699jhSWO0YiYRkCI4AD8tcJqV9zQ+CTjBVg+be7O/uEOCEi98 DcOncU/m6vxwVtjc2U7+bJtJthYa/vvxRkjmOl6L/Ec6AGdMC003U3Y8qZGWC/vU33rl 2tCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720550340; x=1721155140; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sMUqGoN+2zRpDJ8pSfhRscsjNdL9RGOnNmYnpaZZgmo=; b=A60TEB6rB/7FNRXCCbgnvGET53OW4M06zf4SFGFOgTUMMyTUlMviCl6DO3TUaJOMlR 9mUy16/rOBvjNwf/PmcMFd+0TrMhZuZKQ+yCI95QeZiGZCMGx//irJPw9IVS2S++K+je lFnvcAYtDP9bqQV0G/9U8/lFV6SzYROHWmvIUTyFuihTu/54ybvcbM8sONliSuk+6feZ c4CwAYad5YktL8zIFo1cmYlpWbWW/AFScXggxwgSgNtppC0JeTCPMcoJiF0qCHkBZpIj SHifJ45kl/6+yjO1EFNSUckeiF84Tg7DPxQXhNbRnwT1xUMQMGCyxDrmTtmQ+bj8sRvQ PMfA==
X-Forwarded-Encrypted: i=1; AJvYcCW5c0jOpmOEI3+ISEPZWLJbffGfX9TqvCxzL1SUk0PoUAA1YwobOoJMg00y9819pqQjjq6a1+jfpT7oHOwZ8Q==
X-Gm-Message-State: AOJu0YxQzLmYuk9yo2lNBdB+mCdxTId73nnTtzWIHQOtXSnX+T6AIDrK 02B67MxzQj92ekf7vJ+lSok0h4JsUKUy520IZThQklKfAgx7WZlDIukPhAtrffd+HB+yhfaeM4Q Iir5Yp/k0Ab0s3yYENMtneyiq/pI=
X-Google-Smtp-Source: AGHT+IEfxpbxOyRtmI+HtJCDz9rTpZ5gm6v+HnMO+u+8jRxmU39vbSXpqf2O0A6/OON0MA+8KvMn/x7yWaiF+4nPujo=
X-Received: by 2002:a5d:6843:0:b0:366:e9f7:4e73 with SMTP id ffacd0b85a97d-367d293c3e7mr2608510f8f.5.1720550340263; Tue, 09 Jul 2024 11:39:00 -0700 (PDT)
MIME-Version: 1.0
References: <DBAPR83MB043778953C0CBEE5AF93CFD991DA2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <26349E6F-7DFA-447D-977C-5E1C6E5E1F0D@amazon.com> <DBAPR83MB0437B1E1A87C9DDB4F2DFC3291DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <CACsn0ckJKiFUG_SD6vd_kOh-vymudeEdZ4uc3YfVJgAGStFjWw@mail.gmail.com> <DBAPR83MB04377A8BF8F1BBEFE703F47D91DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB04377A8BF8F1BBEFE703F47D91DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 09 Jul 2024 11:38:47 -0700
Message-ID: <CACsn0ckeudqMtV4rXqD5zBLaZU=QhWo1xxK7=Zv0vdHoiSgq7w@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: HEJ66U7OWCFSMJIW3BAOE2WXUSPYTJ7Z
X-Message-ID-Hash: HEJ66U7OWCFSMJIW3BAOE2WXUSPYTJ7Z
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Saxe, Dean" <deansaxe@amazon.com>, "wimse@ietf.org" <wimse@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/x0_r6EquTyLXkxIy9-_PiKQlR1I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
On Tue, Jul 9, 2024 at 10:48 AM Pieter Kasselman <pieter.kasselman@microsoft.com> wrote: > > Hi Watson > > It's not so much about use cases/justification for weak authentication, but a way to classify it, and more importantly for people defining systems to define the level of authentication they desire. > > In an ideal world, we will only have strong cryptographic techniques with hardware protection for keys and attestation mechanisms that are frequently applied to ensure a workloads identity. The reality is that bearer tokens and shared secrets where no attestation of the workload ever takes place exists, and without a way to classify these relative to the better practices (strong crypto, hardware, attestation etc) only sophisticated customers will be able to discern systems. Put another way, it is hard to avoid something that is harmful, if you have no way to tell if it is harmful (or at least not calibrated to the risks your willing to take). We can just write "Shared Secrets considered harmful" and in particular part of what we're doing is saying is how to do the service to service right. No need for a heavyweight taxonomy. I'm also really confused by saying we need hardware protection and frequent attestation: to my mind workload approximates service in Kubernetes language, and one doesn't need attestation (attest what to whom?) as the constituents of the service are defined by the service definition. You trust the admission system (but I might by rusty on the exact terms) to deal with "who gets to define the service", which I think is largely orthogonal. On reflection I think there's an underlying difference here in terms of how and where and what kinds of policies are being enforced, and it might be useful to have that discussion explicitly. Sincerely, Watson > > Cheers > > Pieter (Identity enthusiast) > > -----Original Message----- > From: Watson Ladd <watsonbladd@gmail.com> > Sent: Tuesday, July 9, 2024 6:34 PM > To: Pieter Kasselman <pieter.kasselman@microsoft.com> > Cc: Saxe, Dean <deansaxe@amazon.com>; wimse@ietf.org > Subject: Re: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels > > I am very confused and not following the conversation here. > > The orchestrator definitionally authenticates workloads in the same way that e.g. a PID on a kernel identifies a process. One cannot talk about two PIDs being the same process (yes, yes linux threads, etc.) or two processes having the same PID at the same time, because the relevant data structures are indexed by PID. Conversely absent the orchestrator being trusted there's no way to know what a workload > "is": it's just some process executing on a compute environment that isn't trusted. > > When it comes to workload A directly authenticating to workload B, why not use strong crypto, per transaction? And if you have that, why do you need differentiation? It's easy to do service auth that's strong! > There might be issues with chaining, but that's what the standards effort here is to solve. > > This is different from human authentication as humans cannot multiply > 2048 bit numbers in their heads and thus have to make do with passwords, ssh keys, etc. each with their own drawbacks and hence need to talk about confidence in human to machine (and human to human: > medallion signature guarentees are a real thing!) authentication. > > What's the usecase for weak auth in service to service? > > Sincerely, > Watson Ladd -- Astra mortemque praestare gradatim
- [Wimse] Request for Agenda Item: Workload identit… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Saxe, Dean
- [Wimse] Re: Request for Agenda Item: Workload ide… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Watson Ladd
- [Wimse] Re: Request for Agenda Item: Workload ide… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Watson Ladd
- [Wimse] Re: Request for Agenda Item: Workload ide… Saxe, Dean
- [Wimse] Re: Request for Agenda Item: Workload ide… Justin Richer
- [Wimse] Re: Request for Agenda Item: Workload ide… Dmitry Izumskiy