Script updating gh-pages from b0e09e4. [ci skip]

ietf-wg-wimse · Dec 6, 2024 · 6ea87a7 · 6ea87a7
1 parent 6961e86
commit 6ea87a7
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 75 deletions.
diff --git a/ys-figure/draft-ietf-wimse-s2s-protocol.html b/ys-figure/draft-ietf-wimse-s2s-protocol.html
@@ -23,12 +23,12 @@
 Service B with mutual TLS authentication, while the next call from Service B to Service C
 would be authenticated at the application level. 
     " name="description">
-<meta content="xml2rfc 3.24.0" name="generator">
+<meta content="xml2rfc 3.25.0" name="generator">
 <meta content="workload" name="keyword">
 <meta content="identity" name="keyword">
 <meta content="draft-ietf-wimse-s2s-protocol-latest" name="ietf.draft">
 <!-- Generator version information:
-  xml2rfc 3.24.0
+  xml2rfc 3.25.0
     Python 3.12.7
     ConfigArgParse 1.7
     google-i18n-address 3.1.1
@@ -1055,11 +1055,11 @@
 <thead><tr>
 <td class="left">Internet-Draft</td>
 <td class="center">WIMSE S2S Auth</td>
-<td class="right">November 2024</td>
+<td class="right">December 2024</td>
 </tr></thead>
 <tfoot><tr>
 <td class="left">Campbell, et al.</td>
-<td class="center">Expires 26 May 2025</td>
+<td class="center">Expires 9 June 2025</td>
 <td class="right">[Page]</td>
 </tr></tfoot>
 </table>
@@ -1072,12 +1072,12 @@
 <dd class="internet-draft">draft-ietf-wimse-s2s-protocol-latest</dd>
 <dt class="label-published">Published:</dt>
 <dd class="published">
-<time datetime="2024-11-22" class="published">22 November 2024</time>
+<time datetime="2024-12-06" class="published">6 December 2024</time>
     </dd>
 <dt class="label-intended-status">Intended Status:</dt>
 <dd class="intended-status">Standards Track</dd>
 <dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2025-05-26">26 May 2025</time></dd>
+<dd class="expires"><time datetime="2025-06-09">9 June 2025</time></dd>
 <dt class="label-authors">Authors:</dt>
 <dd class="authors">
 <div class="author">
@@ -1153,7 +1153,7 @@ <h2 id="name-status-of-this-memo">
         time. It is inappropriate to use Internet-Drafts as reference
         material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 26 May 2025.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+        This Internet-Draft will expire on 9 June 2025.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="copyright">
@@ -1337,57 +1337,62 @@ <h3 id="name-deployment-architecture-and">
 <figure id="figure-1">
           <div id="section-1.1-2.1">
             <div class="alignLeft art-svg artwork" id="section-1.1-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="352" viewBox="0 0 352 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,32 L 8,128" fill="none" stroke="black"></path>
-                <path d="M 8,224 L 8,304" fill="none" stroke="black"></path>
-                <path d="M 56,136 L 56,216" fill="none" stroke="black"></path>
-                <path d="M 72,176 L 72,216" fill="none" stroke="black"></path>
-                <path d="M 112,32 L 112,128" fill="none" stroke="black"></path>
-                <path d="M 112,224 L 112,304" fill="none" stroke="black"></path>
-                <path d="M 240,32 L 240,128" fill="none" stroke="black"></path>
-                <path d="M 240,224 L 240,304" fill="none" stroke="black"></path>
-                <path d="M 256,136 L 256,176" fill="none" stroke="black"></path>
-                <path d="M 272,96 L 272,128" fill="none" stroke="black"></path>
-                <path d="M 304,136 L 304,216" fill="none" stroke="black"></path>
-                <path d="M 344,32 L 344,128" fill="none" stroke="black"></path>
-                <path d="M 344,224 L 344,304" fill="none" stroke="black"></path>
+<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="368" width="352" viewBox="0 0 352 368" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
+                <path d="M 8,32 L 8,176" fill="none" stroke="black"></path>
+                <path d="M 8,272 L 8,352" fill="none" stroke="black"></path>
+                <path d="M 56,184 L 56,264" fill="none" stroke="black"></path>
+                <path d="M 72,224 L 72,264" fill="none" stroke="black"></path>
+                <path d="M 112,32 L 112,176" fill="none" stroke="black"></path>
+                <path d="M 112,272 L 112,352" fill="none" stroke="black"></path>
+                <path d="M 240,32 L 240,176" fill="none" stroke="black"></path>
+                <path d="M 240,272 L 240,352" fill="none" stroke="black"></path>
+                <path d="M 256,184 L 256,224" fill="none" stroke="black"></path>
+                <path d="M 272,144 L 272,176" fill="none" stroke="black"></path>
+                <path d="M 304,184 L 304,264" fill="none" stroke="black"></path>
+                <path d="M 344,32 L 344,176" fill="none" stroke="black"></path>
+                <path d="M 344,272 L 344,352" fill="none" stroke="black"></path>
                 <path d="M 8,32 L 112,32" fill="none" stroke="black"></path>
                 <path d="M 240,32 L 344,32" fill="none" stroke="black"></path>
                 <path d="M 120,62 L 232,62" fill="none" stroke="black"></path>
                 <path d="M 120,66 L 232,66" fill="none" stroke="black"></path>
-                <path d="M 120,94 L 232,94" fill="none" stroke="black"></path>
-                <path d="M 120,98 L 232,98" fill="none" stroke="black"></path>
-                <path d="M 272,96 L 344,96" fill="none" stroke="black"></path>
-                <path d="M 8,128 L 112,128" fill="none" stroke="black"></path>
-                <path d="M 240,128 L 344,128" fill="none" stroke="black"></path>
-                <path d="M 72,176 L 256,176" fill="none" stroke="black"></path>
-                <path d="M 8,224 L 112,224" fill="none" stroke="black"></path>
-                <path d="M 240,224 L 344,224" fill="none" stroke="black"></path>
-                <path d="M 8,304 L 112,304" fill="none" stroke="black"></path>
-                <path d="M 240,304 L 344,304" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="312,216 300,210.4 300,221.6" fill="black" transform="rotate(90,304,216)"></polygon>
-                <polygon class="arrowhead" points="312,136 300,130.4 300,141.6" fill="black" transform="rotate(270,304,136)"></polygon>
-                <polygon class="arrowhead" points="264,136 252,130.4 252,141.6" fill="black" transform="rotate(270,256,136)"></polygon>
+                <path d="M 120,110 L 232,110" fill="none" stroke="black"></path>
+                <path d="M 120,114 L 232,114" fill="none" stroke="black"></path>
+                <path d="M 272,144 L 344,144" fill="none" stroke="black"></path>
+                <path d="M 120,158 L 232,158" fill="none" stroke="black"></path>
+                <path d="M 120,162 L 232,162" fill="none" stroke="black"></path>
+                <path d="M 8,176 L 112,176" fill="none" stroke="black"></path>
+                <path d="M 240,176 L 344,176" fill="none" stroke="black"></path>
+                <path d="M 72,224 L 256,224" fill="none" stroke="black"></path>
+                <path d="M 8,272 L 112,272" fill="none" stroke="black"></path>
+                <path d="M 240,272 L 344,272" fill="none" stroke="black"></path>
+                <path d="M 8,352 L 112,352" fill="none" stroke="black"></path>
+                <path d="M 240,352 L 344,352" fill="none" stroke="black"></path>
+                <polygon class="arrowhead" points="312,264 300,258.4 300,269.6" fill="black" transform="rotate(90,304,264)"></polygon>
+                <polygon class="arrowhead" points="312,184 300,178.4 300,189.6" fill="black" transform="rotate(270,304,184)"></polygon>
+                <polygon class="arrowhead" points="264,184 252,178.4 252,189.6" fill="black" transform="rotate(270,256,184)"></polygon>
+                <polygon class="arrowhead" points="240,112 228,106.4 228,117.6" fill="black" transform="rotate(0,232,112)"></polygon>
                 <polygon class="arrowhead" points="240,64 228,58.4 228,69.6" fill="black" transform="rotate(0,232,64)"></polygon>
-                <polygon class="arrowhead" points="128,96 116,90.4 116,101.6" fill="black" transform="rotate(180,120,96)"></polygon>
-                <polygon class="arrowhead" points="80,216 68,210.4 68,221.6" fill="black" transform="rotate(90,72,216)"></polygon>
-                <polygon class="arrowhead" points="64,216 52,210.4 52,221.6" fill="black" transform="rotate(90,56,216)"></polygon>
-                <polygon class="arrowhead" points="64,136 52,130.4 52,141.6" fill="black" transform="rotate(270,56,136)"></polygon>
+                <polygon class="arrowhead" points="128,160 116,154.4 116,165.6" fill="black" transform="rotate(180,120,160)"></polygon>
+                <polygon class="arrowhead" points="128,64 116,58.4 116,69.6" fill="black" transform="rotate(180,120,64)"></polygon>
+                <polygon class="arrowhead" points="80,264 68,258.4 68,269.6" fill="black" transform="rotate(90,72,264)"></polygon>
+                <polygon class="arrowhead" points="64,264 52,258.4 52,269.6" fill="black" transform="rotate(90,56,264)"></polygon>
+                <polygon class="arrowhead" points="64,184 52,178.4 52,189.6" fill="black" transform="rotate(270,56,184)"></polygon>
                 <g class="text">
-                  <text x="176" y="52">(2)</text>
-                  <text x="284" y="68">Workload</text>
-                  <text x="328" y="68">B</text>
-                  <text x="52" y="84">Workload</text>
-                  <text x="96" y="84">A</text>
-                  <text x="176" y="116">(4)</text>
-                  <text x="304" y="116">PEP</text>
-                  <text x="168" y="164">(1)</text>
-                  <text x="32" y="180">(1)</text>
-                  <text x="328" y="180">(3)</text>
-                  <text x="60" y="260">Identity</text>
-                  <text x="288" y="260">PDP</text>
-                  <text x="60" y="276">Server</text>
-                  <text x="292" y="276">(optional)</text>
+                  <text x="176" y="52">(1)</text>
+                  <text x="52" y="100">Workload</text>
+                  <text x="96" y="100">A</text>
+                  <text x="176" y="100">(3)</text>
+                  <text x="284" y="100">Workload</text>
+                  <text x="328" y="100">B</text>
+                  <text x="176" y="148">(5)</text>
+                  <text x="304" y="164">PEP</text>
+                  <text x="168" y="212">(2)</text>
+                  <text x="32" y="228">(2)</text>
+                  <text x="328" y="228">(4)</text>
+                  <text x="60" y="308">Identity</text>
+                  <text x="288" y="308">PDP</text>
+                  <text x="60" y="324">Server</text>
+                  <text x="292" y="324">(optional)</text>
                 </g>
               </svg><a href="#section-1.1-2.1.1" class="pilcrow">¶</a>
 </div>
@@ -1405,18 +1410,24 @@ <h3 id="name-deployment-architecture-and">
 <p id="section-1.1-5">The high-level message flow is as follows:<a href="#section-1.1-5" class="pilcrow">¶</a></p>
 <ol start="1" type="1" class="normal type-1" id="section-1.1-6">
 <li id="section-1.1-6.1">
-            <p id="section-1.1-6.1.1">Workload A (and similarly, Workload B) obtains a credential from the Identity Server. This happens periodically, e.g. once every 24 hours.<a href="#section-1.1-6.1.1" class="pilcrow">¶</a></p>
+            <p id="section-1.1-6.1.1">A transport connection is set up. In the case of mutual TLS, this includes authentication of both workloads to
+one another. In the case of application-level security, the TLS connection is typically one-way authenticated,
+and workload-level authentication does not yet take place.<a href="#section-1.1-6.1.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-1.1-6.2">
-            <p id="section-1.1-6.2.1">Workload A makes an HTTP call into Workload B. This is a regular HTTP request, with the additional protection
-mechanisms defined below.<a href="#section-1.1-6.2.1" class="pilcrow">¶</a></p>
+            <p id="section-1.1-6.2.1">Workload A (and similarly, Workload B) obtains a credential from the Identity Server. This happens periodically, e.g. once every 24 hours.<a href="#section-1.1-6.2.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-1.1-6.3">
-            <p id="section-1.1-6.3.1">Workload B now authenticates Workload A and decides whether to authorize the call.
-In certain architectures, Workload B may need to consult with an external server to decide whether to accept the call.<a href="#section-1.1-6.3.1" class="pilcrow">¶</a></p>
+            <p id="section-1.1-6.3.1">Workload A makes an HTTP call into Workload B. This is a regular HTTP request, with the additional protection
+mechanisms defined below.<a href="#section-1.1-6.3.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-1.1-6.4">
-            <p id="section-1.1-6.4.1">Workload B returns a response to Workload A, which may be an error response or a regular one.<a href="#section-1.1-6.4.1" class="pilcrow">¶</a></p>
+            <p id="section-1.1-6.4.1">In the case of application-level security, Workload B authenticates Workload A (when using mutual TLS, this happened in step 1).
+In either case, Workload B decides whether to authorize the call.
+In certain architectures, Workload B may need to consult with an external server when making this decision.<a href="#section-1.1-6.4.1" class="pilcrow">¶</a></p>
+</li>
+          <li id="section-1.1-6.5">
+            <p id="section-1.1-6.5.1">Workload B returns a response to Workload A, which may be an error response or a regular one.<a href="#section-1.1-6.5.1" class="pilcrow">¶</a></p>
 </li>
         </ol>
 </section>

diff --git a/ys-figure/draft-ietf-wimse-s2s-protocol.txt b/ys-figure/draft-ietf-wimse-s2s-protocol.txt
@@ -5,14 +5,14 @@
 Workload Identity in Multi System Environments               B. Campbell
 Internet-Draft                                             Ping Identity
 Intended status: Standards Track                              D. Feldman
-Expires: 26 May 2025                                         Independent
+Expires: 9 June 2025                                         Independent
                                                               J. Salowey
                                                                   Venafi
                                                       A. Schwenkschuster
                                                                    SPIRL
                                                               Y. Sheffer
                                                                   Intuit
-                                                        22 November 2024
+                                                         6 December 2024
 
 
                 WIMSE Service to Service Authentication
@@ -68,7 +68,7 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 26 May 2025.
+   This Internet-Draft will expire on 9 June 2025.
 
 Copyright Notice
 
@@ -160,15 +160,18 @@ Table of Contents
    steps listed below):
 
    +------------+               +------------+
-   |            |      (2)      |            |
-   |            |==============>| Workload B |
-   | Workload A |               |            |
-   |            |<==============|   +--------+
-   |            |      (4)      |   |  PEP   |
+   |            |      (1)      |            |
+   |            |<=============>|            |
+   |            |               |            |
+   | Workload A |      (3)      | Workload B |
+   |            |==============>|            |
+   |            |               |            |
+   |            |      (5)      |   +--------+
+   |            |<==============|   |  PEP   |
    +------------+               +---+--------+
          ^                        ^     ^
-         |            (1)         |     |
-     (1) | +----------------------+     | (3)
+         |            (2)         |     |
+     (2) | +----------------------+     | (4)
          | |                            |
          v v                            v
    +------------+               +------------+
@@ -194,20 +197,27 @@ Table of Contents
 
    The high-level message flow is as follows:
 
-   1.  Workload A (and similarly, Workload B) obtains a credential from
+   1.  A transport connection is set up.  In the case of mutual TLS,
+       this includes authentication of both workloads to one another.
+       In the case of application-level security, the TLS connection is
+       typically one-way authenticated, and workload-level
+       authentication does not yet take place.
+
+   2.  Workload A (and similarly, Workload B) obtains a credential from
        the Identity Server.  This happens periodically, e.g. once every
        24 hours.
 
-   2.  Workload A makes an HTTP call into Workload B.  This is a regular
+   3.  Workload A makes an HTTP call into Workload B.  This is a regular
        HTTP request, with the additional protection mechanisms defined
        below.
 
-   3.  Workload B now authenticates Workload A and decides whether to
-       authorize the call.  In certain architectures, Workload B may
-       need to consult with an external server to decide whether to
-       accept the call.
+   4.  In the case of application-level security, Workload B
+       authenticates Workload A (when using mutual TLS, this happened in
+       step 1).  In either case, Workload B decides whether to authorize
+       the call.  In certain architectures, Workload B may need to
+       consult with an external server when making this decision.
 
-   4.  Workload B returns a response to Workload A, which may be an
+   5.  Workload B returns a response to Workload A, which may be an
        error response or a regular one.
 
 2.  Conventions and Definitions