[{"author": "Richard Barnes", "text": "

love the acronym

", "time": "2023-11-07T12:02:46Z"}, {"author": "Eric Rescorla", "text": "

Am I the only person finding the context here pretty confusing

", "time": "2023-11-07T12:12:49Z"}, {"author": "Richard Barnes", "text": "

i think there's a bunch of implicit assumptions here

", "time": "2023-11-07T12:15:07Z"}, {"author": "Eric Rescorla", "text": "

Yeah, that really needs to be laid out

", "time": "2023-11-07T12:15:17Z"}, {"author": "Richard Barnes", "text": "

Kinda tough when you start from the gigantic pile of problems Pieter just showed :)

", "time": "2023-11-07T12:15:43Z"}, {"author": "Eric Rescorla", "text": "

yes.

", "time": "2023-11-07T12:15:48Z"}, {"author": "Richard Barnes", "text": "

sorry, i missed why DPoP is not OK for workloads?

", "time": "2023-11-07T12:16:50Z"}, {"author": "Eric Rescorla", "text": "

I think it's just tied to HTTP and they want to use it for !HTTP

", "time": "2023-11-07T12:17:13Z"}, {"author": "Evan Gilman", "text": "

Also uncomfortable OAuth-isms that are required, like the ath claim and where the JWK that signs the proof lives

", "time": "2023-11-07T12:17:50Z"}, {"author": "Eric Rescorla", "text": "

I'm trying to wrap my head around the problem statement

", "time": "2023-11-07T12:18:11Z"}, {"author": "Eric Rescorla", "text": "

Dear chairs, this is the presentation that should have started the meeting

", "time": "2023-11-07T12:18:26Z"}, {"author": "Richard Barnes", "text": "

Thanks @Evan

", "time": "2023-11-07T12:18:44Z"}, {"author": "Richard Barnes", "text": "

Having a service need to know all the possible call paths that could land on it seems ... brittle

", "time": "2023-11-07T12:20:55Z"}, {"author": "Evan Gilman", "text": "

Might need to know only a few ... one example I've run into is a money movement service that wants to know that the request passed through a fraud detection service prior to processing it. Another example is making authz decisions based on the ingress point (e.g. mobile or desktop, etc.)

", "time": "2023-11-07T12:22:05Z"}, {"author": "Muhammad Sardar", "text": "

I didn't find these use case slides in the agenda. Is this slide deck uploaded?

", "time": "2023-11-07T12:26:45Z"}, {"author": "Joseph Salowey", "text": "

https://datatracker.ietf.org/meeting/118/materials/slides-118-wimse-wimse-use-cases

", "time": "2023-11-07T12:28:00Z"}, {"author": "Muhammad Sardar", "text": "

Thanks

", "time": "2023-11-07T12:30:02Z"}, {"author": "Ted Hardie", "text": "

@evan how different is that use case from the SFC use cases for guaranteeing that a packet has passed through a set of services? Is it just that we're dealing here with a workload rather than a packet?

", "time": "2023-11-07T12:30:24Z"}, {"author": "Muhammad Sardar", "text": "

Is workload representing a service here?

", "time": "2023-11-07T12:31:02Z"}, {"author": "Ted Hardie", "text": "

@evan Thinking here about the money movement service example, in case that wasn't clear.

", "time": "2023-11-07T12:31:20Z"}, {"author": "Daniel Feldman", "text": "

There is actually an SFC implementation that uses SPIFFE to identify the service functions (called NSM). But from a standards perspective I think they are very different since SPIFFE is at the application level.

", "time": "2023-11-07T12:34:53Z"}, {"author": "Evan Gilman", "text": "

Ah .. NSM does have this problem and the project blazed their own path on JWT wrapping/chaining to try and accomplish that

", "time": "2023-11-07T12:35:39Z"}, {"author": "Eric Rescorla", "text": "

I am really struggling to connect this to the problem statement

", "time": "2023-11-07T12:46:19Z"}, {"author": "A.J. Stein", "text": "

Are we looking at Golang structs for JSON on the last slide? That may be kind of confusing for some given the slide before it.

", "time": "2023-11-07T12:46:59Z"}, {"author": "Evan Gilman", "text": "
> I am really struggling to connect this to the problem statement

This work tries to solve use case 3.3 \"Chain of Custody for Requests\" within the constraints of a production system (e.g. extension of the token without round-tripping a central authority)

", "time": "2023-11-07T12:48:31Z"}, {"author": "Evan Gilman", "text": "

You can put dpop-style request binding in there. If ID 3 is the fraud detection service, it could assert that the checks have passed for $X amount

", "time": "2023-11-07T12:51:50Z"}, {"author": "Daniel Feldman", "text": "

If it helps, this token is meant to be inside a traditional mutual TLS pipe that provides confidentiality and integrity. The goal is to provide additional security guarantees beyond what mutual TLS can provide.

", "time": "2023-11-07T12:57:32Z"}, {"author": "Evan Gilman", "text": "

A compromised node can always lie about what it has done, but it should not be able to lie about what was done before

", "time": "2023-11-07T12:59:57Z"}, {"author": "Eric Rescorla", "text": "

That's totally reasonable, but I think we need to be able to be clear about what the security properties that provides are

", "time": "2023-11-07T13:00:41Z"}, {"author": "Eric Rescorla", "text": "

It's not quite clear to me what transparency is doing here.

", "time": "2023-11-07T13:19:37Z"}, {"author": "Eric Rescorla", "text": "

Usually, transparency is about preventing equivocation

", "time": "2023-11-07T13:19:49Z"}, {"author": "Richard Barnes", "text": "

i thought this was not a WG-forming BoF?

", "time": "2023-11-07T13:29:40Z"}, {"author": "Francesca Palombini", "text": "

it is a non-wg forming BoF, but I did ask the chair to talk about \"scope\" because there were a lot of questions about that

", "time": "2023-11-07T13:30:45Z"}, {"author": "Francesca Palombini", "text": "

chairs*

", "time": "2023-11-07T13:31:02Z"}, {"author": "Pete Resnick", "text": "

Re: Cullen's comment: \"Applicability Statement\" is the term used in some circles in the IETF for what you called a \"BCP\". Such things go into a standards track document, but they're about usage model rather than protocol elements.

", "time": "2023-11-07T13:37:26Z"}, {"author": "Cullen Jennings", "text": "

One serious answer about an arch that ties together a bunch of standards from various places: at some level that is one of the things WebRTC did

", "time": "2023-11-07T13:44:20Z"}, {"author": "Sean Turner", "text": "

So there is this documentation from the K8s project page: https://kubernetes.io/docs/home/supported-doc-versions/

", "time": "2023-11-07T13:48:35Z"}, {"author": "Sean Turner", "text": "

I mean couldn't those be updated?

", "time": "2023-11-07T13:48:45Z"}, {"author": "Sean Turner", "text": "

What I was going to say at the mic ;)

", "time": "2023-11-07T13:48:57Z"}, {"author": "Cullen Jennings", "text": "

It might be that instead of saying \"document other people's stuff\" we are explaining how to combine a bunch of related work to make a solution to some set of use cases.

", "time": "2023-11-07T13:49:34Z"}, {"author": "Sean Turner", "text": "

https://kubernetes.io/docs/concepts/security/

", "time": "2023-11-07T13:50:18Z"}, {"author": "Daniel Feldman", "text": "

Thanks everyone! I know some of us attending virtually are physically at Kubecon in Chicago, we should grab lunch while we're here!

", "time": "2023-11-07T14:00:44Z"}, {"author": "A.J. Stein", "text": "

I would say, Sean, my take is that these kinds of orchestrators (that is the term I use for k8s, but others don’t, depending on which community; this goes back to my concerns as a question) and how they interact with custom services and other cloud services (in the k8s space, operators to talk to AWS or Azure or Google storage solutions; CloudFoundry calls these services) are not strictly in k8s or AWS/Azure/GCP documentation. Thus it is not always just one project's docs.

", "time": "2023-11-07T14:01:00Z"}]