diff --git a/notes/20240416.md b/notes/20240416.md new file mode 100644 index 0000000..42f51ea --- /dev/null +++ b/notes/20240416.md @@ -0,0 +1,22 @@ +**Agenda & Notes for April 16 2024** + +* Welcome + * "Token exchange: Specify a protocol for exchanging an incoming token of one format for a workload-specific WIMSE token at security boundaries (possibly based on RFC 8693). Additionally, this token exchange will require specifying as proposed standard a small set of token exchange profiles (mapping of claims) between existing and new WIMSE token formats." [WIMSE Charter](https://datatracker.ietf.org/doc/charter-ietf-wimse/) + * Weekly meetings - confirm meeting time works for everyone for the next few months, Dean to send out a meeting invitation + * Confirm everyone has access to [GitHub repo](https://github.com/dhs-aws/wimse-token-exch-design-team/) + * Weekly meeting notes to be stored in GitHub under the /notes folder + * Interim meeting scheduled for May 22 10:30 AM EDT (GMT-4). Need a volunteer to lead the token exchange discussion since I'll be working from Osaka + +* Intro from Evan - token exchange issues, considerations in SPIFFE, [draft use cases](https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/) +* Getting Things Done - Workstreams + * Use Case development + * build off Evan's [draft use cases](https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/) + * Token translation - SPIFFE to JWT, JWT to SPIFFE, etc. + * Do we know all the token types we wish to convert between? + * Or do we want to build a generic token translation mechanism and then profiles for X to Y, Y to Z, etc.? + * User mapping across domains - How does Workload User A at MSFT translate to a user in AWS/GCP? + * Do we need SCIM for both user and workload identities? + * How do we avoid static mappings which are hard to maintain in large environments? + * Security Considerations development + * Look into the [CSRB report on Microsoft](https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf) - can we reduce the risk of stolen signing keys/tokens? + *