Section on WIMSE Identity #7
Conversation
|
https://github.com/yaronf/wimse-s2s/pull/8/files#diff-99cedafce05f1e1fafafbc415a81b34da2df6b52ad13892735fbdab5c43abf08R239 is kinda sorta related even if it doesn't actually say much edit: now can be found at https://github.com/yaronf/wimse-s2s/blob/main/draft-sheffer-wimse-s2s-protocol.md#iana-considerations |
Co-authored-by: Yaron Sheffer <[email protected]>
Co-authored-by: Brian Campbell <[email protected]>
Co-authored-by: Yaron Sheffer <[email protected]>
draft-sheffer-wimse-s2s-protocol.md
Outdated
| @@ -128,6 +128,12 @@ This document uses "service" and "workload" interchangeably. Otherwise, all term | |||
|
|
|||
| {::boilerplate bcp14-tagged} | |||
|
|
|||
| # Workload Identity {#whimsical-identity} | |||
|
|
|||
| This document defines a workload identity as a URI {{!RFC3986}}. This URI is used in the subject fields in the certificates and tokens defined later in this document. This specification treats the URI as opaque. The format of the URI and the namespace for the URI are chosen by the issuer of the token. Other specifications may define specific URI structures for particular use cases. An example of a defined identity format is the SPIFFE ID [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md). | |||
There was a problem hiding this comment.
I'm rather unsure of the wording or terminology but the URI format/namespace/etc is chosen by a higher level entity than the issuer of the token. In the WPT http://www.sheffer.org/wimse-s2s/draft-sheffer-wimse-s2s-protocol.html#section-3.2-2.2.2.1.1 case, for example, the issuer of that token is the workload itself, which has no say over the URIs used in the system. Even the "Identity Server" is probably given a URI as it's identity in the over all system.
| This document defines a workload identity as a URI {{!RFC3986}}. This URI is used in the subject fields in the certificates and tokens defined later in this document. This specification treats the URI as opaque. The format of the URI and the namespace for the URI are chosen by the issuer of the token. Other specifications may define specific URI structures for particular use cases. An example of a defined identity format is the SPIFFE ID [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md). | |
| This document defines a workload identity as a URI {{!RFC3986}}. This URI is used in the subject fields in the certificates and tokens defined later in this document. This specification treats the URI as opaque. The format of the URI and the namespace for the URI are at the discretion of the deployment at large. Other specifications may define specific URI structures for particular use cases. An example of a defined identity format is the SPIFFE ID [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md). |
There was a problem hiding this comment.
Unresolving conversation as I believe the suggested change or something similar is still needed.
There was a problem hiding this comment.
for posterity and everything
https://github.com/yaronf/wimse-s2s/pull/7/files#r1659855931
This is a section on WIMSE identity format. This may eventually go in another document such as the arch document, but I felt it was an important topic to get a start on.