[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
Pieter Kasselman <pieter.kasselman@microsoft.com> Tue, 09 July 2024 17:48 UTC
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 09 Jul 2024 17:48:23 +0000
CC: "Saxe, Dean" <deansaxe@amazon.com>, "wimse@ietf.org" <wimse@ietf.org>
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/x4KkgjYC1YhOD9qHgbaRQxJM0ZY>
Hi Watson

It's not so much about use cases/justification for weak authentication, but a way to classify it, and more importantly for people defining systems to define the level of authentication they desire.

In an ideal world, we will only have strong cryptographic techniques with hardware protection for keys and attestation mechanisms that are frequently applied to ensure a workload's identity. The reality is that bearer tokens and shared secrets where no attestation of the workload ever takes place exist, and without a way to classify these relative to the better practices (strong crypto, hardware, attestation etc.) only sophisticated customers will be able to discern systems.

Put another way, it is hard to avoid something that is harmful, if you have no way to tell if it is harmful (or at least not calibrated to the risks you're willing to take).

Cheers

Pieter (Identity enthusiast)

-----Original Message-----
From: Watson Ladd <watsonbladd@gmail.com>
Sent: Tuesday, July 9, 2024 6:34 PM
To: Pieter Kasselman <pieter.kasselman@microsoft.com>
Cc: Saxe, Dean <deansaxe@amazon.com>; wimse@ietf.org
Subject: Re: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels

I am very confused and not following the conversation here. The orchestrator definitionally authenticates workloads in the same way that e.g. a PID on a kernel identifies a process. One cannot talk about two PIDs being the same process (yes, yes, Linux threads, etc.) or two processes having the same PID at the same time, because the relevant data structures are indexed by PID. Conversely, absent the orchestrator being trusted, there's no way to know what a workload "is": it's just some process executing on a compute environment that isn't trusted.

When it comes to workload A directly authenticating to workload B, why not use strong crypto, per transaction? And if you have that, why do you need differentiation? It's easy to do service auth that's strong!

There might be issues with chaining, but that's what the standards effort here is to solve. This is different from human authentication as humans cannot multiply 2048-bit numbers in their heads and thus have to make do with passwords, ssh keys, etc., each with their own drawbacks, and hence need to talk about confidence in human to machine (and human to human: medallion signature guarantees are a real thing!) authentication. What's the use case for weak auth in service to service?

Sincerely,
Watson Ladd
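Added example (editor's illustration, not code from the thread, from either participant, or from any WIMSE draft): a Go sketch of the two ends of the spectrum the exchange above argues over. A bearer token is accepted from whoever presents the string, so a copy taken from a log or a proxy is indistinguishable from the original; a per-request Ed25519 proof of possession binds the caller's key to the method, path, body hash, a nonce and an issue time, so the same captured request cannot be replayed, altered or presented late. The workload name "payments", the token string, the request body and the fixed clock are constructed sample data; attestation of the workload (the further level Pieter mentions) is not modelled here, but note that the verifier holds only the public key, which is what lets the signing side move into hardware-protected storage without changing the verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Bearer level: whoever presents the string is the workload as far as the verifier
// can tell; a copy lifted from a log or a proxy is as good as the original.
func BearerAuthenticate(valid map[string]string, token string) (string, bool) {
	id, ok := valid[token]
	return id, ok
}

// Proof-of-possession level: the caller signs each request (method, path, body hash,
// nonce, issue time) with a key that never leaves it; the verifier holds only the public key.
type SignedRequest struct {
	Workload, Method, Path string
	BodyHash               [32]byte
	Nonce                  string
	Issued                 int64 // Unix seconds
	Sig                    []byte
}

func canonical(r SignedRequest) []byte { // the exact bytes that are signed and verified
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%x\n%s\n%d",
		r.Workload, r.Method, r.Path, r.BodyHash, r.Nonce, r.Issued))
}

func Sign(priv ed25519.PrivateKey, workload, method, path string, body []byte, now time.Time) (SignedRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return SignedRequest{}, err
	}
	r := SignedRequest{Workload: workload, Method: method, Path: path,
		BodyHash: sha256.Sum256(body), Nonce: fmt.Sprintf("%x", nonce), Issued: now.Unix()}
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r, nil
}

var (
	ErrUnauthenticated = errors.New("unknown workload, or signature/body hash does not verify")
	ErrStale           = errors.New("issue time outside freshness window")
	ErrReplay          = errors.New("nonce already accepted")
)

type PoPVerifier struct {
	keys   map[string]ed25519.PublicKey
	seen   map[string]struct{} // accepted nonces; a real system evicts them after `window`
	window time.Duration
}

func (v *PoPVerifier) Authenticate(r SignedRequest, body []byte, now time.Time) error {
	pub, ok := v.keys[r.Workload] // verify before touching replay state, so junk cannot burn nonces
	if !ok || sha256.Sum256(body) != r.BodyHash || !ed25519.Verify(pub, canonical(r), r.Sig) {
		return ErrUnauthenticated
	}
	if age := now.Sub(time.Unix(r.Issued, 0)); age < -v.window || age > v.window {
		return ErrStale
	}
	if _, dup := v.seen[r.Nonce]; dup {
		return ErrReplay
	}
	v.seen[r.Nonce] = struct{}{}
	return nil
}

type DemoResult struct {
	BearerCopyAccepted     bool  // third party presents a copied token string
	PoPFirstUse, PoPReplay error // legitimate request, then the same bytes again
	PoPTampered, PoPStale  error // body changed; same request an hour later
}

// RunDemo uses a made-up token and a freshly generated Ed25519 key pair (constructed sample data).
func RunDemo() (DemoResult, error) {
	var res DemoResult
	_, res.BearerCopyAccepted = BearerAuthenticate(map[string]string{"tok-9f3a": "payments"}, "tok-9f3a")
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	pop := &PoPVerifier{keys: map[string]ed25519.PublicKey{"payments": pub},
		seen: map[string]struct{}{}, window: 30 * time.Second}
	now, body := time.Unix(1720547303, 0), []byte(`{"amount":10}`)
	req, err := Sign(priv, "payments", "POST", "/transfer", body, now)
	if err != nil {
		return res, err
	}
	res.PoPFirstUse = pop.Authenticate(req, body, now)
	res.PoPReplay = pop.Authenticate(req, body, now.Add(2*time.Second))
	res.PoPTampered = pop.Authenticate(req, []byte(`{"amount":1000}`), now)
	res.PoPStale = pop.Authenticate(req, body, now.Add(time.Hour))
	return res, nil
}
```

RunDemo is the entry point: the bearer check returns true for the copied token, while the proof-of-possession verifier returns nil once and then ErrReplay, ErrUnauthenticated and ErrStale for the replayed, tampered and late presentations of the very same captured request. The order of checks in Authenticate matters: the signature is verified before the nonce is recorded, so an attacker who can only send unsigned junk cannot fill the replay cache or lock out legitimate nonces.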