Episode 034: 07-30-2024 Fear not the rise of the machines, for we have standards - GluuFederation/identerati-office-hours GitHub Wiki
Title: Fear not the rise of the machines, for we have standards
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Pieter Kasselman, Principal Program Manager Microsoft
- Co-Host: Evan Gilman, Co-founder of SPIRL
Description
Machine identities have been proliferating, outnumbering human identities by a considerable margin. Despite often having far more privilege than humans, they remain under-governed relative to user identities. In this episode we will discuss the drivers behind this rise in machine identities and the work happening in standards working groups like the Workload Identity in Multi-System Environments (WIMSE) and OAuth working groups that will help make these environments safer and more secure.
Homework
- Identity Is Not Just For Humans
- Machine Identity Building Blocks
- IETF Draft: Workload Identity in a Multi System Environment (WIMSE)
- The goal of the WIMSE working group is to identify, articulate, and bridge the gaps and ambiguities in workload identity problems and define solutions across a diverse set of platforms and deployments, building on various protocols used in workload environments.
Takeaways
- A SPIFFE URI is a way to identify a workload, like `spiffe://example.org/serviceA`. It can be carried in different kinds of credentials, for example the "X509v3 Subject Alternative Name" or the `sub` claim of a JWT. Or maybe even the `entityID` of a SAML assertion.
- SPIFFE and the OAuth 2.0 Attestation-Based Client Authentication IETF draft serve a similar purpose: to provide a stable self-asserted identity for the workload that is registering. Not mentioned in the episode, but FIDO "Make Credential" also does this with more default privacy.
- Workloads can assert identity during OAuth dynamic client registration ("DCR"). For example, see The Use of Attestation in OAuth 2.0 Dynamic Client Registration IETF draft.
- During DCR, a client may also present a software statement assertion ("SSA"), mentioned in section 2.3 of RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol, to convey trust (i.e. authorization) and audit metadata to a workload.
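As an added worked example (not code from the episode, the wiki, or Gluu), here is a stdlib-only Python sketch of the DCR flow in the last two takeaways: a software publisher signs an SSA (a JWT of client metadata, RFC 7591 section 2.3), and the authorization server verifies it, lets the SSA's claims override the self-asserted request body as RFC 7591 requires, and takes the workload's SPIFFE ID from the SSA's `sub` claim. The shared HMAC key, the claim layout, and reusing the SPIFFE ID as `client_id` are assumptions of this example, not anything the drafts mandate.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

# Constructed demo secret shared by the SSA issuer (software publisher) and the authorization server.
SSA_KEY = b"constructed-demo-ssa-key"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_ssa(claims: dict, key: bytes) -> str:
    """Mint a software statement: a JWT carrying client metadata (RFC 7591 section 2.3). HS256 is used
    here only to keep the example stdlib-only; a real publisher would sign with an asymmetric key."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def verify_ssa(token: str, key: bytes) -> dict:
    """Verify the SSA signature and return its claims; pin the expected alg before trusting anything."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64u_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected SSA alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig_b64)):
        raise ValueError("SSA signature invalid")
    return json.loads(_b64u_decode(body_b64))

def parse_spiffe_id(uri: str) -> tuple:
    """Return (trust_domain, path) for a well-formed SPIFFE ID such as spiffe://example.org/serviceA."""
    p = urlsplit(uri)
    if p.scheme != "spiffe" or not p.netloc or not p.path or p.query or p.fragment:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    return p.netloc, p.path

def register_client(dcr_request: dict, key: bytes) -> dict:
    """Authorization-server side of DCR. Per RFC 7591, metadata in the SSA takes precedence over the
    plain JSON body, so a client cannot upgrade its own trust by editing the body. The SPIFFE ID is
    taken from the SSA's sub claim (an assumption of this demo) and reused as the client_id."""
    ssa = verify_ssa(dcr_request["software_statement"], key)
    parse_spiffe_id(ssa["sub"])  # reject anything that is not a SPIFFE ID before registering it
    metadata = {k: v for k, v in dcr_request.items() if k != "software_statement"}
    metadata.update({k: v for k, v in ssa.items() if k not in ("iss", "sub", "iat", "exp")})
    metadata["client_id"] = ssa["sub"]
    return metadata
```

A request whose body claims `client_name: "self-asserted name"` but whose SSA says `"Service A"` is registered as "Service A", and an SSA signed under any other key is rejected before any metadata is read.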