[Wimse] Discussing motivations and drawbacks for multiple service attestation

Daniel Feldman <dfeldman.mn@gmail.com> Thu, 23 May 2024 21:55 UTC

Return-Path: <dfeldman.mn@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF5BC14F5E4 for <wimse@ietfa.amsl.com>; Thu, 23 May 2024 14:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sZcroHp1xCJ2 for <wimse@ietfa.amsl.com>; Thu, 23 May 2024 14:55:29 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BE7AC1840F4 for <wimse@ietf.org>; Thu, 23 May 2024 14:55:29 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-57851af0239so212191a12.2 for <wimse@ietf.org>; Thu, 23 May 2024 14:55:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716501327; x=1717106127; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=oW0nKuWSdlUSjdLZCh4XfMHs51lThXOFz5HL/7cjRC8=; b=d3qhWCQb8m/Np4qfdCyKoQczexlm1oGphfI7XFXTzPCn9RvycXoYXjVWWauV5c263R 1PJh8UIMmEZXMy0debCl2JjGc+Xyc9JmySv7r3ZD4U6oJgeSLI3+gutcIrV1DC4ncBCK 8X6vrdKbz3gK/vGkXCAqZ904TrD4fkuRlJdKHhYLQgA44Q6VO/XUKa7X/fgrFJJnm33T GDrcBjwNMN87CoCDLEA36IJgE8gLtYsIGSdqvoskyTXGjPVcQ32pVaJOPtq+71Vz6m/L OOhf8p4PTkLugN0aIxcm709Owe+nRrFjVKBxtu0sCCcQwbc+gm/FePQTML9HqBgtfjYF S0tA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716501327; x=1717106127; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=oW0nKuWSdlUSjdLZCh4XfMHs51lThXOFz5HL/7cjRC8=; b=lTLKFrdFlhJmnaDQ19yrAJBSsQxPtXbFnlUIqthY56yNUHGGbDP+8JRZHBAbTiyq0e dUCWQGLLIZdcJJsmrlw+xglex/+h6F6Nc4HkGnZEli8YdfuyJ3lUuWpGUM5Wa0TNS+bY kyXf+78nBjvr205a7OleknQX2GrESvd2KQIWtC820rxPBdF5BGekBYx9mN2+FUnIn1TY r7DyO0A84iE314WgDNR/VwC+ZBG2cDJWzpElYt0zFJ1P0/boojXggH9pjxLzMJROR44R cw71aUOIVLrkAdQl8jtDpSTQE/zkxC+7dtetcro46U5AmDdK5DQakN2zOgvRN+kZPnhR gNQQ==
X-Gm-Message-State: AOJu0Yxbor8K0jhanKp0a+LrJQOr5jZzAqykuwi0n4x8S+7dy8UT3GUw 87qj1oel7GBM8cD/OohZpl5XsFGaIXCA4oNpz8Sx1dcBwFAim6yYa07vNqNHf6NwtP/0hjG2GdI XIW9SJwhXEplRgGR+Mq1XFOs4gIpoNt61dyI=
X-Google-Smtp-Source: AGHT+IFQnTeiivS/aQU1NDwsk6BJfVFSAM9OzZ1VNSBxldUlxU6+Ejm3mDhbxsHekmAh1C86xS4ewuUMvrr5nO/bCFE=
X-Received: by 2002:a50:875c:0:b0:578:2608:65c2 with SMTP id 4fb4d7f45d1cf-578519a36d0mr308606a12.21.1716501327052; Thu, 23 May 2024 14:55:27 -0700 (PDT)
MIME-Version: 1.0
From: Daniel Feldman <dfeldman.mn@gmail.com>
Date: Thu, 23 May 2024 16:54:50 -0500
Message-ID: <CAOmUX7LpryugDRLdgaDDbRLVd3mwU0jjQyfLk8hg14CQFu1cBA@mail.gmail.com>
To: wimse@ietf.org
Content-Type: multipart/alternative; boundary="000000000000db0a760619261b84"
Message-ID-Hash: SFNE4H7WUTVHR4F5HWVG65B5E27T55NC
X-Message-ID-Hash: SFNE4H7WUTVHR4F5HWVG65B5E27T55NC
X-MailFrom: dfeldman.mn@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Discussing motivations and drawbacks for multiple service attestation
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

It was great seeing everyone at the interim meeting yesterday and Justin's
overview at today's SPIFFE community meeting!

As I understand it, one initial goal of WIMSE was to develop a standard for
including a sequence of multiple service identity attestations, one for
each hop taken by a request. Currently, I believe this goal is not spelled
out formally in any working documents. It’s still early, and we definitely
can change course as we go through the working group process.

I am keen to compile a list of reasons why users might want this multiple
service attestation feature. For instance:

Authorization: Establish different policies based on the request's original
origin.
Node Identity: Ensure each hop executed on a verified node.
Supply Chain Identity: Verify each service's artifact signature per hop.
Auditing or Forensics: Trace the request's hop sequence for later analysis.
Binding User Identity: Prevent intermediary services from altering user
identities embedded in a request.
Performance Tracing: Use as a performance tracing mechanism.
Signing Async Requests: Signing requests that are processed later through
message queues.
Delegating Privileges: Similar to AWS Presigned Requests.

And also reasons users would NOT want to do this:

Increased implementation complexity
Compute time (adding a crypto signature at each hop may be expensive)
HTTP headers may get too big to conveniently process
Lack of support in HTTP client libraries, servers, gRPC, and other tooling
Reduced architectural separation of concerns between different microservices

Having a solid understanding of the pros and cons of this approach would
really help with getting people excited about the WIMSE project. I'd be
really interested in hearing additional bullet points in either list.

Looking forward to your thoughts!

Cheers, Daniel Feldman