From 5dc221f42adec74fcd26dcc1e45ead7cbce669b0 Mon Sep 17 00:00:00 2001 From: Joe Salowey Date: Fri, 1 Mar 2024 22:19:28 -0800 Subject: [PATCH 1/3] Expanded use cases --- draft-salowey-wimse-arch.md | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/draft-salowey-wimse-arch.md b/draft-salowey-wimse-arch.md index 508efdf..cab5ae1 100644 --- a/draft-salowey-wimse-arch.md +++ b/draft-salowey-wimse-arch.md 
@@ -63,7 +63,25 @@ A workload is a running instance of software executing for a specific purpose th # Use Cases -1. Basic Service Authentication +## Initial Workload Identity + +Typically a workload obtains its identity early in its lifecycle. This identity is sometimes referred to as the "bottom turtle" on which further identity is built. Some common mechanisms for obtaining this initial identity include: + +* File System projection - in this mechanisms the identity is provisioned to the workload as an entity in the filesystem. +* Local API - the identity is provided through an api such as a local domain socket (SPIFFE) or local Network API call (Cloud Provider Metadata Server) +* Environment Injection - identity may also be injected into the workloads execution environment. + +### Attestation + +### Identity Credentials + +The identity is provisioned to the workload as a set of credentials. There are two main types of workload credentials: bearer tokens and X.509 certificates. + +Bearer tokens are tokens presented to another party as proof of identity. They are typically signed to prevent forgery, however since these credentials are not bound to other information its possible that they could be stolen and reused elsewhere. + +X.509 certificate credentials consist of two parts, a public key certificate that is a signed data structure that contains a public key and identity information and a private key which. The certificate is sent during authentication, however the private key is kept secret and only used in cryptographic computation to to prove that the presenter has access to the private that corresponds to the public key in the certificate. + +## Basic Service Authentication One of the most basic use cases for workload identity is for authenticating one workload to another such as in the case where one service is making a request of another service within a larger application. 
Even in this simple case the identity of the workload is often a composite of many attributes such as: @@ -88,11 +106,13 @@ There are several methods defined to perform this authentication. Some of the m * Mutual TLS authentication using X.509 certificate for both client and server * TLS authentication of the server and HTTP request signing using a secret key -2. Additional Context Establishment +## Security Context Establishment and Propagation + +In a typical system of workloads additional information is needed in order for the workload to perform its function. For example, it is common for a workload to require information about a user or other entity that originated the request. Other types of information may include information about the hardware or software that the workload is running or information about what processing and validation has already been done to the request. This type of information is part of the security context that the workload uses during authorization, accounting and auditing. This context is propagated and possibly augmented from workload to workload using tokens. Workload identity comes into play to ensure that the information in the context can only be used by an authorized workload and that the context information originated from an authorized workload. -3. Asynchronous Requests +## Delegation and Impersonation -4. Scheduled Batch Requests +## Asynchronous and Batch Requests From c8bade5c0955043413c5acb06c3a10b70d949809 Mon Sep 17 00:00:00 2001 From: jsalowey Date: Sun, 3 Mar 2024 14:51:45 -0800 Subject: [PATCH 2/3] Update draft-salowey-wimse-arch.md Addressed Yaroslav's comment --- draft-salowey-wimse-arch.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-salowey-wimse-arch.md b/draft-salowey-wimse-arch.md index cab5ae1..1258f77 100644 --- a/draft-salowey-wimse-arch.md +++ b/draft-salowey-wimse-arch.md 
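Review bot: in the hunk at @@ -63,7 +63,25 @@ the new "### Attestation" heading is added with no body, and the X.509 paragraph under "### Identity Credentials" stops mid-sentence ("...a public key and identity information and a private key which."); either fill both in or leave a TODO so the gap is visible when the draft is rendered. Grammar in the same hunk: "in this mechanisms" should be "in this mechanism", "an api" should be "an API", "its possible" should be "it's possible", "to to prove" should be "to prove", and "access to the private that corresponds" is missing the word "key". On substance, the bearer-token paragraph notes that these tokens are "not bound to other information" and so can be stolen and reused; since the X.509 paragraph immediately after makes the contrast that the private key stays with the presenter, it would be clearer to name that property explicitly (key-bound, proof-of-possession credentials versus bearer credentials) so the two credential types are compared on the same axis.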
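Review bot: in the hunk at @@ -88,11 +106,13 @@ the headings "## Delegation and Impersonation" and "## Asynchronous and Batch Requests" are introduced with no text under them, and the old items "3. Asynchronous Requests" and "4. Scheduled Batch Requests" are collapsed into the single "Asynchronous and Batch Requests" heading; a placeholder sentence or TODO under each would let reviewers confirm the merge is intentional rather than a lost section. In the new "Security Context Establishment and Propagation" paragraph, "information about the hardware or software that the workload is running" reads as incomplete ("running on" is presumably intended). The closing sentence lists two distinct guarantees, that context can only be used by an authorized workload and that it originated from an authorized workload; consider saying which token property each depends on (for example audience restriction for the first, issuer signature for the second), since later sections will need those properties to be named.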
@@ -77,7 +77,7 @@ Typically a workload obtains its identity early in its lifecycle. This identity The identity is provisioned to the workload as a set of credentials. There are two main types of workload credentials: bearer tokens and X.509 certificates. -Bearer tokens are tokens presented to another party as proof of identity. They are typically signed to prevent forgery, however since these credentials are not bound to other information its possible that they could be stolen and reused elsewhere. +Bearer tokens are tokens presented to another party as proof of identity. They are typically signed to prevent forgery, however since these credentials are not bound to other information its possible that they could be stolen and reused elsewhere. To reduce some of thee risks, bearer tokens may have short lifespans and may be rotated often. X.509 certificate credentials consist of two parts, a public key certificate that is a signed data structure that contains a public key and identity information and a private key which. The certificate is sent during authentication, however the private key is kept secret and only used in cryptographic computation to to prove that the presenter has access to the private that corresponds to the public key in the certificate. From d40e6697cb209693b14f9859ceac0a3641b47cb3 Mon Sep 17 00:00:00 2001 From: jsalowey Date: Sun, 3 Mar 2024 14:52:56 -0800 Subject: [PATCH 3/3] Update draft-salowey-wimse-arch.md spelling --- draft-salowey-wimse-arch.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-salowey-wimse-arch.md b/draft-salowey-wimse-arch.md index 1258f77..48dd2fd 100644 --- a/draft-salowey-wimse-arch.md +++ b/draft-salowey-wimse-arch.md 
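Review bot: the sentence added in the PATCH 2/3 hunk has a typo, "some of thee risks" should be "some of these risks" (PATCH 3/3 below corrects it). The mitigation it adds, short lifespans and frequent rotation, only shortens the window in which a stolen token can be replayed; since the preceding sentence's concern is precisely that the token is not bound to anything, it would be worth adding that binding the token to the presenter (proof-of-possession) addresses the replay risk itself, which also sets up the contrast with the X.509 paragraph in the unchanged context that follows.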
@@ -77,7 +77,7 @@ Typically a workload obtains its identity early in its lifecycle. This identity The identity is provisioned to the workload as a set of credentials. There are two main types of workload credentials: bearer tokens and X.509 certificates. -Bearer tokens are tokens presented to another party as proof of identity. They are typically signed to prevent forgery, however since these credentials are not bound to other information its possible that they could be stolen and reused elsewhere. To reduce some of thee risks, bearer tokens may have short lifespans and may be rotated often. +Bearer tokens are tokens presented to another party as proof of identity. They are typically signed to prevent forgery, however since these credentials are not bound to other information its possible that they could be stolen and reused elsewhere. To reduce some of these risks, bearer tokens may have short lifespans and may be rotated often. X.509 certificate credentials consist of two parts, a public key certificate that is a signed data structure that contains a public key and identity information and a private key which. The certificate is sent during authentication, however the private key is kept secret and only used in cryptographic computation to to prove that the presenter has access to the private that corresponds to the public key in the certificate.
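Review bot: the "thee" to "these" fix in the PATCH 3/3 hunk is correct, but the unchanged context line right after it still carries three defects introduced in PATCH 1/3: the sentence fragment "...a public key and identity information and a private key which.", the doubled "to to prove", and "access to the private that corresponds" with "key" missing. Since this commit is already a spelling pass over the same paragraph, fold those three fixes in here rather than leaving them for another round.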