From 701797cc56d0d9ccc3aa70c9a5d2f1d4f2d7e074 Mon Sep 17 00:00:00 2001 From: ysheffer Date: Sat, 12 Oct 2024 14:55:34 +0300 Subject: [PATCH] Arndt's comments --- draft-ietf-wimse-s2s-protocol.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md index d759332..ee6cf9b 100644 --- a/draft-ietf-wimse-s2s-protocol.md +++ b/draft-ietf-wimse-s2s-protocol.md 
@@ -495,20 +495,31 @@ The two options for protecting the workload's traffic vary with respect to imple complexity, extensibility and security. Here is a summary of the main differences between {{dpop-esque-auth}} and {{http-sig-auth}}. -- The DPoP-inspired solution is less HTTP-specific, making it easier to adapt for other protocols beyond HTTP. This flexibility is particularly valuable for asynchronous communication scenarios, such as event-driven systems. +- The DPoP-inspired solution is less HTTP-specific, making it easier to adapt for +other protocols beyond HTTP. This flexibility is particularly valuable for +asynchronous communication scenarios, such as event-driven systems. -- Message Signatures, on the other hand, benefit from an existing RFC with established implementations. This existing groundwork means that this option could be simpler to deploy. +- Message Signatures, on the other hand, benefit from an existing RFC with +established implementations. This existing groundwork means that this option could +be simpler to deploy. -- Given that the WIT (Web Interaction Token) is a type of JWT, the DPoP-inspired approach is less complex and technology-intensive than Message Signatures. In contrast, Message Signatures introduce additional layers of technology, potentially increasing the complexity of the overall system. +- Given that the WIT (Workload Identity Token) is a type of JWT, the +DPoP-inspired approach is less complex and technology-intensive than Message +Signatures. In contrast, Message Signatures introduce additional layers of +technology, potentially increasing the complexity of the overall system. -- Message Signatures offer superior integrity protection, particularly by mitigating message modification by middleboxes. +- Message Signatures offer superior integrity protection, particularly by mitigating +message modification by middleboxes. -- A key advantage of Message Signatures is that they support response signing. 
+- A key advantage of Message Signatures is that they support response signing. This opens up the possibility for future decisions about whether to make response signing mandatory, allowing for flexibility in the specification and/or in specific deployment scenarios. -- In general, Message Signatures provide greater flexibility compared to the DPoP-inspired approach. The draft (and subsequent implementations) can decide whether specific aspects of message signing, such as coverage of particular fields, should be mandatory or optional. +- In general, Message Signatures provide greater flexibility compared to +the DPoP-inspired approach. The draft (and subsequent implementations) can decide +whether specific aspects of message signing, such as coverage of particular fields, +should be mandatory or optional. # Using Mutual TLS for Service To Service Authentication {#mutual-tls}
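Review bot: the third bullet silently changes the expansion of WIT from "Web Interaction Token" to "Workload Identity Token", which is the one substantive correction in the hunk, yet it sits among reflow-only edits and the commit message "Arndt's comments" does not call it out. State that fix (and the new sentence on response signing in the fifth bullet) in the commit message, or split the reflow from the content changes so a reviewer of the draft's history can see what actually changed. In the added response-signing sentence, "allowing for flexibility in the specification and/or in specific deployment scenarios" reads better as "leaving that choice to the specification or to individual deployments".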