addressing YR's comments

ietf-wg-wimse · Oct 18, 2024 · bf3f444 · bf3f444
1 parent a69511c
commit bf3f444
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/draft-ietf-wimse-arch.md b/draft-ietf-wimse-arch.md
@@ -79,11 +79,11 @@ Attestation is the function through which a task verifies the identity of a sepa
 
 ## Workload Identity {#whimsical-identity}
 
-The identity of a workload is a complex topic.  The WIMSE architecture document starts by defining a trust domain, a workload identifier and workload identity credentials. These constructs are sufficient for establishing basic authentication, authorization and accounting. More complex identity constructs can be created from these basic building blocks.
+Workload identity construct consists of three basic building blocks: trust domain, workload identifier and workflow identity credentials. These components are sufficient for establishing authentication, authorization and accounting processes. More complex identity constructs can be created from these basic building blocks.
 
 ### Trust Domain
 
-A trust domain is a logical grouping of systems that share a common set of security controls and policies. WIMSE certificates and tokens are issued under the authority of a trust domain. Trust domains SHOULD be identified by a fully qualified domain name belonging to the organization defining the trust domain. A trust domain maps to one or more trust anchors for validating X.509 certificates and a mechanism to securely obtain a JWK Set {{!RFC7517}} for validating WIMSE WIT tokens. This mapping MUST be obtained through a secure mechanism that ensures the authenticity and integrity of the mapping is fresh and not compromised. This secure mechanism is out of scope for this document.
+A trust domain is a logical grouping of systems that share a common set of security controls and policies. Workload certificates and tokens are issued under the authority of a trust domain. Trust domains SHOULD be identified by a fully qualified domain name associated with the organization defining the trust domain. THe FQDN format of trust domain helps to ensure uniqueness of the trust domain identifier. A trust domain maps to one or more trust anchors for validating X.509 certificates and a mechanism to securely obtain a JWK Set {{!RFC7517}} for validating WIMSE WIT tokens. This mapping MUST be obtained through a secure mechanism that ensures the authenticity and integrity of the mapping is fresh and not compromised. This secure mechanism is out of scope for this document.
 
 A single organization may define multiple trust domains for different purpose such as different departments or environments. Each trust domain must have a unique identifier. Workload identifiers are scoped within a trust domain. If two identifiers differ only by trust domain they still refer to two different entities.