Internet-Draft | WIMSE Use Cases | August 2023 |
Gilman, et al. | Expires 29 February 2024 | [Page] |
- Workgroup:
- Network Working Group
- Internet-Draft:
- draft-gilman-wimse-use-cases-00
- Published:
- Intended Status:
- Informational
- Expires:
Workload Identity Use Cases
Abstract
Workload identity systems like SPIFFE provide a unique set of security challenges, constraints, and possibilities that affect the larger systems they are a part of. This document seeks to collect use cases within that space, with a specific look at both the OAuth and SPIFFE technologies.¶
Discussion Venues
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/bspk/draft-gilman-wimse-use-cases.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 29 February 2024.¶
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
The OAuth and SPIFFE communities have historically been fairly disjoint. The former is a set of identity standards shepherded by the IETF and is (mostly) human-centric, while the latter is a set of identity standards shepherded by the CNCF and is (mostly) workload-centric. Recently, members of both communities have begun to discuss a set of common challenges that they are facing, which they believe could be evidence of a gap in the broader ecosystem of identity standards.¶
This document captures those challenges as a set of use cases as a first step towards exploring that gap, should it in fact exist.¶
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
3. Use Cases
This section captures the underserved use cases identified. Once finished, we will see what patterns emerge (e.g. policy enforcement, operational, etc) and prioritize them. This is still a work in progress (WIP) and we invite members of the community to contribute additional use cases.¶
3.1. Constrained Credential Security
As a security engineer, I’d like to mitigate the unconstrained re-use of a credential by those who are able to observe it in use (e.g. a proxy, a log message, or a workload processing the request)¶
- As a security engineer, I’d like to prevent token replay in the event that one of my internal services is compromised.¶
- If a workload credential is compromised, I can’t re-use it.¶
- Workload authentication using asymmetric credentials 1. Support mTLS and alternaive forms of asymmetric authentication 1. More robust than PVT_KEY_JWT authentication¶
3.2. Cross-workload Access
As a [SPIFFE,OAuth] workload owner, I’d like to access other workloads that are using [SPIFFE,OAuth] in a simple and consistent way, regardless of their location, platform, or domain.¶
- As a SPIFFE user, I’d like to access OAuth protected resources without having to provide any additional secrets (as a SPIFFE user with more than 10k workloads, I’d like to access OAuth protected resources without having to manage 10k OAuth Clients).¶
- Access workloads from different service providers (access across different trust domains workloads to workload from different companies).¶
- Access workloads running in different cloud services (Multi-cloud deployments).¶
3.3. Chain of Custody for Requests
As a security engineer, I’d like a verifiable chain of custody for each request transiting my system, starting with the request initiator, which may be a human or a workload.¶
- As a security engineer, I’d like to authorize data access RPCs iff the data owner issued the original request (a requests made by the data owner transit many backend services prior to reaching the data access layer).¶
- Authenticating and authorizing a service that is operating on behalf of a logged in user.¶
- Authenticating and authorizing a service that is operating on behalf of a user as a schedule job.¶
- As a security engineer, I’d like to authorize payment RPCs iff the request has transited our fraud detection service.¶
- As a security engineer, I’d like to authorize an RPC iff the request entered our infrastructure via a specific front end system.¶
3.5. Audit Logs
As a security engineer, I’d like a place to record information about an entity for the purposes of remediation, reconciliation, audit and forensics.¶
- If a workload is compromised, I can remediate that specific workload without impacting others.¶
- If an account is onboarded based on info from another entity, we need to write that down into the account and carry it through the network, especially if the account is used to onboard onto an entity further down the call stack.¶
- Reconcile logs when a disconnected entity is re-connected to the overall network fabric.¶
3.6. Consistent Entity Identification
I need to be able to identify different entities uniquely and deterministically within the system.¶
3.8. General requirements
In addition to the above use cases, the authors have determined the following general requirements:¶
Observability should be a requirement. The credential should have a meaningful identifier that can be logged etc.¶
Accountability: Workloads need to be able to make a localized decision but still be accountable to the overarching policy and framework that provisioned them.¶
The system owner/operator should be able to effect changes in the system (the control plane) based on signals from the application plane.¶
Definition of information encapsulated in the document (e.g. capability transmission).¶
4. Normative References
- [RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
- [RFC8174]
- Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
Acknowledgments
TODO acknowledge.¶