Workload Identity in Multi System Environments (WIMSE)
bofreq-richer-wimse-00
Document type | Approved BOF request
---|---
Title | Workload Identity in Multi System Environments (WIMSE)
Last updated | 2023-09-28
State | Approved
Editor | Justin Richer
Responsible leadership |
Send notices to | (None)
Name: Workload Identity in Multi System Environments (WIMSE)
Description
Secure workload identity is a foundational problem in cloud environments and in the applications built on top of them. Technologies like SPIFFE help solve workload identity, and technologies like OAuth help solve access rights, but there are many open questions about where the overlaps and gaps are in this space. Identities for workloads, software stacks, transactions, users, authorities, and other entities can all play a part in determining the rights associated with a request and its response.
Proposed interest areas were presented to DISPATCH during IETF 117: https://youtu.be/KT3mMX9CMdA?t=317. Several informal group conversations were held during the week.
An initial set of use cases has been published as an I-D.
Required Details
- Status: not WG Forming
- Responsible AD: TBD
- BOF proponents: Justin Richer <ietf@justin.richer.org>, Pieter Kasselman <pieter.kasselman@microsoft.com>, Evan Gilman <evan@spirl.com>, Joe Salowey <joe@salowey.net>
- BOF chairs: Justin Richer <ietf@justin.richer.org>, Pieter Kasselman <pieter.kasselman@microsoft.com>
- Number of people expected to attend: 100
- Length of session (1 or 2 hours): 2 hours
- Conflicts (whole Areas and/or WGs)
  - Chair Conflicts: oauth, gnap, http, rats, saag
  - Technology Overlap: sec
Information for IAB/IESG
To allow evaluation of your proposal, please include the following items:
- Any protocols or practices that already exist in this space:
  - SPIFFE open standard from CNCF https://spiffe.io/
- Which (if any) modifications to existing protocols or practices are required:
  - Likely additions to token formats (like JWT/CWT) and handling to account for workloads and crossing domain boundaries
- Which (if any) entirely new protocols or practices are required:
  - Potential new formats and protocols for carrying multi-domain information
- Open source projects (if any) implementing this work:
  - SPIRE open source implementation of SPIFFE
Agenda
- Workload identity use cases https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html
- SPIFFE technology overview
Links to the mailing list, draft charter if any, relevant Internet-Drafts, etc.
- Mailing List: https://www.ietf.org/mailman/listinfo/wimse
- Relevant Internet-Drafts: