Commit
Address some of Arndt's comments.
ysheffer authored and ysheffer committed May 27, 2024
1 parent e1edc7c commit ae363fc
Showing 1 changed file with 13 additions and 9 deletions.
22 changes: 13 additions & 9 deletions draft-sheffer-wimse-s2s-protocol.md
Expand Up @@ -68,8 +68,8 @@ level ({{app-level}}).
* The other commonly deployed architecture has a mutual-TLS connection between each pair of services. This setup
can be addressed by a simpler solution ({{mutual-tls}}).

It is an explicit goal of this protocol that a service deployment, and in fact a single call chain,
can include both architectures. In other words, Service A can call Service B with mutual TLS protection,
It is an explicit goal of this protocol that a service deployment can include both architectures across a multi-chain call.
In other words, Service A can call Service B with mutual TLS protection,
while the next call to Service C is protected at the application level.

For application-level protection we currently propose two alternative solutions, one inspired by DPoP {{?RFC9449}} and
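Review bot: the rewritten sentence "a service deployment can include both architectures across a multi-chain call" loses the precision of the removed wording, since "multi-chain call" is not a term used elsewhere in this hunk and reads as if several call chains were involved, whereas the "In other words" example that follows (A calls B over mutual TLS, B then calls C with application-level protection) describes one chain with several hops. Suggest "a service deployment, and in fact a single multi-hop call chain, can include both architectures." so that the lead sentence and its example describe the same thing.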
Expand All @@ -85,13 +85,14 @@ Regardless of the transport between the workloads, we assume the following logic
| | | |
| | | Workload B |
| Workload A |==============>| |
| | +------------+
| | | PEP |
+------------+ +------------+
^ ^
| |
| |
v v
| | | +--------+
| | | | PEP |
+------------+ +---+--------+
^ ^ ^
| | |
| +----------------------+ |
| | |
v v v
+------------+ +------------+
| | | |
| Identity | | PDP |
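Review bot: the redrawn figure adds a third vertical arrow (the `| +----------------------+ |` connector with the `^ ^ ^` / `v v v` arrowheads) and moves the PEP into Workload B's box, but the surrounding text quoted in the hunk header ("we assume the following logical ...") is unchanged, so nothing explains what the new links represent; in particular it is not obvious from the ASCII art which of the two lower boxes (Identity, PDP) the middle arrowhead is attached to, and the split box edge `+---+--------+` suggests the PEP column may be misaligned against the Workload B box above it. Suggest checking the figure in a monospace rendering and adding one sentence under it stating which party queries which (e.g. that the PEP consults the PDP and which workload talks to the Identity server), so readers do not have to infer the trust relationships from arrow positions.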
Expand All @@ -115,9 +116,12 @@ The high-level message flow is as follows:
mechanisms defined below.
* Workload B now authenticates Workload A and decides whether to authorize the call.
In certain architectures, Workload B may need to consult with an external server to decide whether to accept the call.
* Workload B returns a response to Workload A, which may be an error response or a regular one.

# Conventions and Definitions

This document uses "service" and "workload" interchangeably. Otherwise, all terms are as defined by {{?I-D.ietf-wimse-arch}}.

{::boilerplate bcp14-tagged}

# Application Level Service To Service Authentication {#app-level}
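Review bot: the added bullet "Workload B returns a response to Workload A, which may be an error response or a regular one." says nothing about whether the response is protected by the same mechanism as the request, while the preceding bullets describe only how the request from A is authenticated and authorized; since the response can carry the result of an authorization decision, the flow should state whether responses are authenticated or integrity-protected (or explicitly that they are not, and that this is left to the transport). Minor: "a regular one" would be clearer as "a successful response". The new Conventions sentence ("service" and "workload" interchangeably) is welcome, but the earlier bullets still say only "Workload", so consider using one term consistently in this section.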
0 comments on commit ae363fc