[{"author": "Richard Barnes", "text": "
love the acronym
", "time": "2023-11-07T12:02:46Z"}, {"author": "Eric Rescorla", "text": "Am I the only person finding the context here pretty confusing?
", "time": "2023-11-07T12:12:49Z"}, {"author": "Richard Barnes", "text": "i think there's a bunch of implicit assumptions here
", "time": "2023-11-07T12:15:07Z"}, {"author": "Eric Rescorla", "text": "Yeah, that really needs to be laid out
", "time": "2023-11-07T12:15:17Z"}, {"author": "Richard Barnes", "text": "Kinda tough when you start from the gigantic pile of problems Pieter just showed :)
", "time": "2023-11-07T12:15:43Z"}, {"author": "Eric Rescorla", "text": "yes.
", "time": "2023-11-07T12:15:48Z"}, {"author": "Richard Barnes", "text": "sorry, i missed why DPoP is not OK for workloads?
", "time": "2023-11-07T12:16:50Z"}, {"author": "Eric Rescorla", "text": "I think it's just tied to HTTP and they want to use it for !HTTP
", "time": "2023-11-07T12:17:13Z"}, {"author": "Evan Gilman", "text": "Also uncomfortable oauth-isms that are required like ath claim and where the jwk that signs the proof lives
", "time": "2023-11-07T12:17:50Z"}, {"author": "Eric Rescorla", "text": "I'm trying to wrap my head around the problem statement
", "time": "2023-11-07T12:18:11Z"}, {"author": "Eric Rescorla", "text": "Dear chairs, this is the presentation that should have started the meeting
", "time": "2023-11-07T12:18:26Z"}, {"author": "Richard Barnes", "text": "Thanks @Evan
", "time": "2023-11-07T12:18:44Z"}, {"author": "Richard Barnes", "text": "Having a service need to know all the possible call paths that could land on it seems ... brittle
", "time": "2023-11-07T12:20:55Z"}, {"author": "Evan Gilman", "text": "Might need to know only a few ... one example I've run into is a money movement service that wants to know that the request passed through a fraud detection service prior to processing it. Another example is making authz decisions based on the ingress point (e.g. mobile or desktop, etc.)
", "time": "2023-11-07T12:22:05Z"}, {"author": "Muhammad Sardar", "text": "I didn't find these use case slides in the agenda. Is this slide deck uploaded?
", "time": "2023-11-07T12:26:45Z"}, {"author": "Joseph Salowey", "text": "https://datatracker.ietf.org/meeting/118/materials/slides-118-wimse-wimse-use-cases
", "time": "2023-11-07T12:28:00Z"}, {"author": "Muhammad Sardar", "text": "Thanks
", "time": "2023-11-07T12:30:02Z"}, {"author": "Ted Hardie", "text": "@evan how different is that use case from the SFC use cases for guaranteeing that a packet has passed through a set of services? Is it just that we're dealing here with a workload rather than a packet?
", "time": "2023-11-07T12:30:24Z"}, {"author": "Muhammad Sardar", "text": "Is workload representing a service here?
", "time": "2023-11-07T12:31:02Z"}, {"author": "Ted Hardie", "text": "@evan Thinking here about the money movement service example, in case that wasn't clear.
", "time": "2023-11-07T12:31:20Z"}, {"author": "Daniel Feldman", "text": "There is actually an SFC implementation that uses SPIFFE to identify the service functions (called NSM). But from a standards perspective I think they are very different since SPIFFE is at the application level.
", "time": "2023-11-07T12:34:53Z"}, {"author": "Evan Gilman", "text": "Ah .. NSM does have this problem and the project blazed their own path on JWT wrapping/chaining to try and accomplish that
", "time": "2023-11-07T12:35:39Z"}, {"author": "Eric Rescorla", "text": "I am really struggling to connect this to the problem statement
", "time": "2023-11-07T12:46:19Z"}, {"author": "A.J. Stein", "text": "Are we looking at Golang structs for JSON on the last slide? That may be kind of confusing for some given the slide before it.
", "time": "2023-11-07T12:46:59Z"}, {"author": "Evan Gilman", "text": "\n\nI am really struggling to connect this to the problem statement
\n
This work tries to solve use case 3.3 \"Chain of Custody for Requests\" within the constraints of a production system (e.g. extension of the token without round-tripping a central authority)
", "time": "2023-11-07T12:48:31Z"}, {"author": "Evan Gilman", "text": "You can put dpop-style request binding in there. If ID 3 is the fraud detection service, it could assert that the checks have passed for $X amount
", "time": "2023-11-07T12:51:50Z"}, {"author": "Daniel Feldman", "text": "If it helps, this token is meant to be inside a traditional mutual TLS pipe that provides confidentiality and integrity. The goal is to provide additional security guarantees beyond what mutual TLS can provide.
", "time": "2023-11-07T12:57:32Z"}, {"author": "Evan Gilman", "text": "A compromised node can always lie about what it has done, but it should not be able to lie about what was done before
", "time": "2023-11-07T12:59:57Z"}, {"author": "Eric Rescorla", "text": "That's totally reasonable, but I think we need to be able to be clear about what the security properties that provides are
", "time": "2023-11-07T13:00:41Z"}, {"author": "Eric Rescorla", "text": "It's not quite clear to me what transparency is doing here.
", "time": "2023-11-07T13:19:37Z"}, {"author": "Eric Rescorla", "text": "Usually, transparency is about preventing equivocation
", "time": "2023-11-07T13:19:49Z"}, {"author": "Richard Barnes", "text": "i thought this was not a WG-forming BoF?
", "time": "2023-11-07T13:29:40Z"}, {"author": "Francesca Palombini", "text": "it is a non-wg forming BoF, but I did ask the chair to talk about \"scope\" because there were a lot of questions about that
", "time": "2023-11-07T13:30:45Z"}, {"author": "Francesca Palombini", "text": "chairs*
", "time": "2023-11-07T13:31:02Z"}, {"author": "Pete Resnick", "text": "Re: Cullen's comment: \"Applicability Statement\" is the term used in some circles in the IETF for what you called a \"BCP\". Such things go into a standards track document, but they're about usage model rather than protocol elements.
", "time": "2023-11-07T13:37:26Z"}, {"author": "Cullen Jennings", "text": "One serious answer about an arch that ties together a bunch of standards from various places: at some level that is one of the things WebRTC did
", "time": "2023-11-07T13:44:20Z"}, {"author": "Sean Turner", "text": "So there is this documentation from the K8 project page: https://kubernetes.io/docs/home/supported-doc-versions/
", "time": "2023-11-07T13:48:35Z"}, {"author": "Sean Turner", "text": "I mean couldn't those be updated?
", "time": "2023-11-07T13:48:45Z"}, {"author": "Sean Turner", "text": "What I was going to say at the mic ;)
", "time": "2023-11-07T13:48:57Z"}, {"author": "Cullen Jennings", "text": "It might be instead of saying \"document other people stuff\" that we are explaining how to combine a bunch of related work to make a solution to some set of use cases.
", "time": "2023-11-07T13:49:34Z"}, {"author": "Sean Turner", "text": "https://kubernetes.io/docs/concepts/security/
", "time": "2023-11-07T13:50:18Z"}, {"author": "Daniel Feldman", "text": "Thanks everyone! I know some of us attending virtually are physically at Kubecon in Chicago, we should grab lunch while we're here!
", "time": "2023-11-07T14:00:44Z"}, {"author": "A.J. Stein", "text": "I would say, Sean, my take is that these kinds of orchestrators (that is the term I use for k8s, but others don't, depending on which community; this goes back to my concerns as a question) and how they interact with custom services and other cloud services (in the k8s space, operators that talk to AWS or Azure or Google storage solutions; CloudFoundry calls these services) are not strictly in k8s or AWS/Azure/GCP documentation. Thus it is not always just one project's docs.
", "time": "2023-11-07T14:01:00Z"}]