Internet DRAFT - draft-gilman-wimse-use-cases
draft-gilman-wimse-use-cases
Network Working Group E. Gilman, Ed.
Internet-Draft SPIRL
Intended status: Informational J. Richer
Expires: 29 February 2024 Bespoke Engineering
P. Kasselman
Microsoft
J. Salowey
Venafi
28 August 2023
Workload Identity Use Cases
draft-gilman-wimse-use-cases-00
Abstract
Workload identity systems like SPIFFE provide a unique set of
security challenges, constraints, and possibilities that affect the
larger systems they are a part of. This document seeks to collect
use cases within that space, with a specific look at both the OAuth
and SPIFFE technologies.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/bspk/draft-gilman-wimse-use-cases.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 29 February 2024.
Gilman, et al. Expires 29 February 2024 [Page 1]
�
Internet-Draft WIMSE Use Cases August 2023
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Constrained Credential Security . . . . . . . . . . . . . 3
3.2. Cross-workload Access . . . . . . . . . . . . . . . . . . 3
3.3. Chain of Custody for Requests . . . . . . . . . . . . . . 4
3.4. Local Authentication and Authorization Decisions . . . . 4
3.5. Audit Logs . . . . . . . . . . . . . . . . . . . . . . . 5
3.6. Consistent Entity Identification . . . . . . . . . . . . 5
3.7. Authorization . . . . . . . . . . . . . . . . . . . . . . 5
3.8. General requirements . . . . . . . . . . . . . . . . . . 6
4. Normative References . . . . . . . . . . . . . . . . . . . . 6
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The OAuth and SPIFFE communities have historically been fairly
disjoint. The former is a set of identity standards shepherded by
the IETF and is (mostly) human-centric, while the latter is a set of
identity standards shepherded by the CNCF and is (mostly) workload-
centric. Recently, members of both communities have begun to discuss
a set of common challenges that they are facing, which they believe
could be evidence of a gap in the broader ecosystem of identity
standards.
This document captures those challenges as a set of use cases as a
first step towards exploring that gap, should it in fact exist.
Gilman, et al. Expires 29 February 2024 [Page 2]
�
Internet-Draft WIMSE Use Cases August 2023
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Use Cases
This section captures the underserved use cases identified. Once
finished, we will see what patterns emerge (e.g. policy enforcement,
operational, etc) and prioritize them. This is still a work in
progress (WIP) and we invite members of the community to contribute
additional use cases.
3.1. Constrained Credential Security
As a security engineer, I’d like to mitigate the unconstrained re-use
of a credential by those who are able to observe it in use (e.g. a
proxy, a log message, or a workload processing the request)
1. As a security engineer, I’d like to prevent token replay in the
event that one of my internal services is compromised.
2. If a workload credential is compromised, I can’t re-use it.
3. Workload authentication using asymmetric credentials 1. Support
mTLS and alternaive forms of asymmetric authentication 1. More
robust than PVT_KEY_JWT authentication
3.2. Cross-workload Access
As a [SPIFFE,OAuth] workload owner, I’d like to access other
workloads that are using [SPIFFE,OAuth] in a simple and consistent
way, regardless of their location, platform, or domain.
1. As a SPIFFE user, I’d like to access OAuth protected resources
without having to provide any additional secrets (as a SPIFFE
user with more than 10k workloads, I’d like to access OAuth
protected resources without having to manage 10k OAuth Clients).
2. Access workloads from different service providers (access across
different trust domains workloads to workload from different
companies).
3. Access workloads running in different cloud services (Multi-cloud
deployments).
Gilman, et al. Expires 29 February 2024 [Page 3]
�
Internet-Draft WIMSE Use Cases August 2023
3.3. Chain of Custody for Requests
As a security engineer, I’d like a verifiable chain of custody for
each request transiting my system, starting with the request
initiator, which may be a human or a workload.
1. As a security engineer, I’d like to authorize data access RPCs
iff the data owner issued the original request (a requests made
by the data owner transit many backend services prior to reaching
the data access layer).
2. Authenticating and authorizing a service that is operating on
behalf of a logged in user.
3. Authenticating and authorizing a service that is operating on
behalf of a user as a schedule job.
4. As a security engineer, I’d like to authorize payment RPCs iff
the request has transited our fraud detection service.
5. As a security engineer, I’d like to authorize an RPC iff the
request entered our infrastructure via a specific front end
system.
3.4. Local Authentication and Authorization Decisions
As a security engineer, I’d like to be able to make local
authentication and authorization decisions in order to meet my
performance and availability requirements.
1. As a developer, I’d like security-related hot path delays to not
exceed <<10ms.
2. As a developer, I’d like things to continue working through
(potentially asymmetric) network disruption.
3. Lookup of info/keys related to an entity's identity needs to work
when the entity is disconnected from the rest of the system
(particularly “upstream” entities that trust comes from).
4. Account onboarding is not strictly time-sensitive (can use
networks), but local account use is (day-to-day authentication
needs to stay local).
Gilman, et al. Expires 29 February 2024 [Page 4]
�
Internet-Draft WIMSE Use Cases August 2023
3.5. Audit Logs
As a security engineer, I’d like a place to record information about
an entity for the purposes of remediation, reconciliation, audit and
forensics.
1. If a workload is compromised, I can remediate that specific
workload without impacting others.
2. If an account is onboarded based on info from another entity, we
need to write that down into the account and carry it through the
network, especially if the account is used to onboard onto an
entity further down the call stack.
3. Reconcile logs when a disconnected entity is re-connected to the
overall network fabric.
3.6. Consistent Entity Identification
I need to be able to identify different entities uniquely and
deterministically within the system.
1. Each network entity needs to be identified uniquely (and http
urls don’t quite give us all the aspects we need)
2. As a SPIFFE user, I’d like a standard way to learn the bundle
endpoint parameters of a remote trust domain
3.7. Authorization
As a security engineer, I’d like a place to record information about
an entity for use in authorization decisions.
1. As a security engineer, I’d like to authorize an RPC iff the
origin and integrity of the software calling it can be verified
(e.g. matches a specific hash value, signature and trusted
software bill of materials (SBOM))
2. Authentication based on credential service provider (CSP),
infrastructure or workload identity documents.
3. Ability to carry rights/policies/privileges with a verifiable
artifact to a disconnected entity for that entity to verify
without having to reconnect.
4. Transporting capabilities to transfer the permission to execute
an operation from caller to service.
Gilman, et al. Expires 29 February 2024 [Page 5]
�
Internet-Draft WIMSE Use Cases August 2023
5. Record should be append-only as it goes through the call chain.
Participation (adding to the record) is not mandatory for every
node in the chain.
3.8. General requirements
In addition to the above use cases, the authors have determined the
following general requirements:
Observability should be a requirement. The credential should have a
meaningful identifier that can be logged etc.
Accountability: Workloads need to be able to make a localized
decision but still be accountable to the overarching policy and
framework that provisioned them.
The system owner/operator should be able to effect changes in the
system (the control plane) based on signals from the application
plane.
Definition of information encapsulated in the document (e.g.
capability transmission).
4. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
Acknowledgments
TODO acknowledge.
Authors' Addresses
Evan Gilman (editor)
SPIRL
Email: evan@spirl.com
Justin Richer
Bespoke Engineering
Email: ietf@justin.richer.org
Gilman, et al. Expires 29 February 2024 [Page 6]
�
Internet-Draft WIMSE Use Cases August 2023
Pieter Kasselman
Microsoft
Email: pieter.kasselman@microsoft.com
Joseph Salowey
Venafi
Email: joe@salowey.net
Gilman, et al. Expires 29 February 2024 [Page 7]
