Workload Identity in Multi System Environments (WIMSE)
bofreq-sheffer-workload-identity-in-multi-system-environments-wimse-00
| Field | Value |
|---|---|
| Document type | Approved BOF request |
| Title | Workload Identity in Multi System Environments (WIMSE) |
| Last updated | 2024-02-08 |
| State | Approved |
| Editor | Yaron Sheffer |
| Responsible leadership | |
| Send notices to | (None) |
WIMSE BOF Request - IETF-119
Name: Workload Identity in Multi System Environments (WIMSE)
Description
Secure workload identity is a foundational problem in cloud environments and in the applications built on top of them. While technologies like SPIFFE help solve workload identity, and technologies like OAuth and JWT help solve access rights, there are many open questions about where the overlaps and gaps are in this space. Identity for workloads, software stacks, transactions, users, authorities, and other entities can all play a part in determining the rights associated with a request and its response.
A non-WG forming BOF was held at IETF-118, and a series of informal conference calls followed, leading to the latest charter proposal: https://notes.ietf.org/Eg7vhJqUT_eyPI9LfJ9SXg?view (work in progress).
An initial set of use cases, as well as best practices for workload identity on Kubernetes, have both been published as I-Ds.
Required Details
- Status: WG Forming
- Responsible AD: TBD (Francesca Palombini was the responsible AD for the IETF-118 BOF)
- BOF proponents: Justin Richer <ietf@justin.richer.org>, Pieter Kasselman <pieter.kasselman@microsoft.com>, Evan Gilman <evan@spirl.com>
- BOF chairs: Joe Salowey <joe@salowey.net>, Yaron Sheffer <yaronf.ietf@gmail.com>
- Number of people expected to attend: 100
- Length of session: 2 hours
- Conflicts (whole Areas and/or WGs):
  - Chair conflicts: oauth, gnap, http, rats, saag, tls, emu, privacypass
  - Technology overlap: SEC
Information for IAB/IESG
Existing protocols/practices in this space:
- SPIFFE open standard from CNCF: https://spiffe.io/
Required modifications to existing protocols or practices:
- Likely additions to token formats (like JWT/CWT), token issuance and processing (e.g. token exchange, introspection) to account for workloads and crossing domain boundaries.
Which (if any) entirely new protocols or practices are required:
- The current draft charter and proposed deliverables do not call for any new protocols.
Open source projects (if any) implementing this work:
- SPIRE open source implementation of SPIFFE.
Agenda
- Proposed charter and deliverables
- Scope and goals
- WIMSE architecture
- Securing service-to-service traffic
- Token issuance
- Token exchange
- Documenting existing practices
- BOF questions
Links to the mailing list, draft charter if any, relevant Internet-Drafts, etc.
- Mailing List: https://www.ietf.org/mailman/listinfo/wimse
- Relevant Internet-Drafts:
  - Use Cases: https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/
  - Kubernetes BCP: https://datatracker.ietf.org/doc/draft-hofmann-wimse-workload-identity-bcp/
- Draft charter (informal): https://notes.ietf.org/fHJYa2ueSmGqAoDU9NJDnA?view