Define WIMSE URI #49

Open
PieterKas opened this issue Jul 4, 2024 · 7 comments · May be fixed by #82

PieterKas commented Jul 4, 2024

Commenting as identity enthusiast as opposed to WIMSE co-chair:

Section 5 introduces the term "WIMSE URI" - if this is defined in the architecture document, it should be referenced. If this is defined in Section 3, perhaps rename as workload identifier.

Collaborator

yaronf commented Jul 4, 2024

Workload Identifier IMHO, and see #31.

Collaborator

yaronf commented Aug 29, 2024

I prefer the URI to be defined once, in the arch doc.

Brian: define it here.

Arndt: should coexist nicely with K8s. Joe: but do they have the notion of a trust domain.

Collaborator

jsalowey commented Sep 9, 2024

RFC5280 defines a URI SAN for certificates. These URIs must conform to RFC 3986. This includes both the URL and URN schemes. The main restriction is that 5280 does not allow relative URIs and a scheme must be included; the authority component is optional. This gives some flexibility and it might even be possible to represent a k8s URN in this field under the urn scheme, but I'm not sure it would be a good idea.
I think we should specify that a URI MUST meet the criteria of 5280 and that any scheme that is used SHOULD specify an authority component that is a domain name. If present, the authority portion MUST be used to map the name to the trust domain parameters used to validate a WIT or certificate containing the name. If the authority field is not present then the mapping of the identity to trust domain parameters MUST be done through a locally specified mechanism that is beyond the scope of this specification.

Collaborator

yaronf commented Sep 14, 2024

@jsalowey Why should we even worry about relative URIs? It seems weird for a certificate IMHO. We could simplify the whole thing by saying MUST meet the criteria of 5280 and MUST have an authority component. Have you seen relative URIs "in the wild" in similar situations?

@jsalowey
Collaborator

K8s appears to use some form of URNs that do not have an authority component. They are just a colon-separated series of names. But I am happy to say the URI must meet the criteria of 5280 and MUST have an authority component that identifies a trust domain.
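
The rule the comments above converge on (a URI that meets the RFC 5280 criteria, so absolute with a scheme, and that MUST have an authority component identifying a trust domain) can be checked as follows. This is an added example, not part of the thread or of the WIMSE drafts; the `wimse` sample scheme, the `TRUST_DOMAINS` table, the function names, and the choice to reject userinfo and ports in the authority are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed trust-domain table; keys and values are hypothetical.
TRUST_DOMAINS = {
    "example.org": {"bundle": "bundle-for-example-org"},
}


def trust_domain(identifier: str) -> str:
    """Return the trust domain named by a workload identifier URI.

    Raises ValueError if the URI is relative (no scheme) or lacks an
    authority component that is a plain domain name.
    """
    parts = urlsplit(identifier)
    if not parts.scheme:
        raise ValueError("relative URI: a scheme is required")
    if not parts.netloc:
        raise ValueError("no authority component")
    host = parts.hostname  # lowercased, userinfo and port stripped
    # Assumption: the authority is only a domain name, so userinfo,
    # ports and bracketed IP literals are rejected.
    if not host or parts.netloc.lower() != host:
        raise ValueError("authority must be a bare domain name")
    return host


def trust_params(identifier: str, table=TRUST_DOMAINS) -> dict:
    """Map the identifier's authority to its validation parameters."""
    domain = trust_domain(identifier)
    if domain not in table:
        raise LookupError(f"unknown trust domain: {domain}")
    return table[domain]


def classify(identifier: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one identifier."""
    try:
        trust_params(identifier)
        return "accepted"
    except (ValueError, LookupError) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample identifiers.
    for sample in ("wimse://example.org/ns/prod/sa/billing",
                   "urn:example:ns:prod:sa:billing",
                   "/ns/prod/sa/billing"):
        print(sample, "->", classify(sample))
```

An authority-less URN is rejected here because the final proposal makes the authority mandatory; under the earlier SHOULD wording it would instead fall through to a locally specified mapping.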

@jsalowey
Collaborator

See PR #61 and #62

@jsalowey jsalowey linked a pull request Dec 16, 2024 that will close this issue
@jsalowey
Collaborator

Resolved by PR #82 by removing references to WIMSE URI and using WIMSE Identity instead.

@yaronf yaronf linked a pull request Dec 19, 2024 that will close this issue