What's Up In Workload Identity - August 2024
SPIFFE? WIMSE? All that and more inside the first edition of What's Up in Workload Identity.
Hey!
Welcome to the inaugural edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…).
It’s a world that’s moving fast - and it’s hard to keep up 🚀
You can expect to see each edition covering:
News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss
Who am I? I’m Noah. I’ve been working in the Workload Identity space for the past few years. I currently work at Teleport, leading the development of our Workload Identity product. That being said, this newsletter is in a personal capacity and I’m keen to keep it unbiased! You can find out more about me on my website.
News
The latest news from the Workload Identity space
WIMSE adopts Service to Service Authentication draft
On the 13th of August, the IETF Workload Identity in Multi System Environments (WIMSE) working group formally adopted the Service to Service Authentication draft following a vote. This is the third draft to have been adopted by the working group since they were established in March of this year.
The Service to Service Authentication draft is a “standards track” document and defines strategies for authentication and authorization between two services. Whilst the draft primarily focuses on authentication and authorization for HTTP services, there’s no reason why these same techniques couldn’t be applied to the other protocols we know and love (e.g. gRPC).
The draft covers a range of topics, but the most interesting to me is the introduction of the Workload Identity Token (WIT) and Workload Proof Token (WPT). Together, these support an authentication flow similar to OAuth’s “Demonstrating Proof of Possession (DPoP)”. The flow mitigates many of the concerns traditionally associated with using JWTs for authentication, such as replay attacks, without significantly sacrificing performance or flexibility. This provides a strong alternative to mTLS for client authentication, which, despite being popular, simply isn’t feasible in every scenario.
You can read the draft in full over on the IETF website: https://datatracker.ietf.org/doc/draft-sheffer-wimse-s2s-protocol/
Although the document is still in its infancy, and with formalisation as an RFC far on the horizon, it’s a fantastic sign of the things to come. WIMSE is also working on several other drafts, including setting out an overall architecture for Workload Identity and establishing procedures for Token Translation. Overall, I think we can expect to see their work covered in many of the coming editions of this newsletter.
Content
The best of recent blogs, webinars and talks on Workload Identity
Everyone’s Starting to Look SPIFFE: MTLS and Identity with Linkerd & Teleport
By Dave Sudia (Teleport) at CloudNativeSecurityCon
Solving ‘secret zero’, why you should care about SPIFFE!
By Mattias Gees (Venafi) at Southern California Linux Expo
Bringing SPIFFE to Linkerd for Mesh Expansion
By Zahari Dichev (Buoyant) at CloudNativeCon
Memory Armor for SPIRE: Fortifying SPIRE with Confidential Containers (CoCo)
By Matthew Bates (Cofide) and Suraj Deshmukh (Microsoft) at CloudNativeCon
Releases
Highlights from recent releases to Workload Identity tools
I’d love to cover more releases here! So, if you work on something in this space, please get in contact!
Teleport Workload Identity - v16.1.3 - August 7th
Introduced support for Kubernetes Workload Attestation. This allows the Workload Identity agent to issue SVIDs with specific SPIFFE IDs to specific Kubernetes workloads.
GitHub Release
SPIRE - v1.10.1 - August 1st
Includes a number of bug fixes and support for publishing trust bundles directly to AWS Roles Anywhere as a trust anchor.
GitHub Release
Coming Up…
What’s happening soon in the world of Workload Identity
Open Source Summit Europe
September 16th to 18th - Vienna
Securing Workloads with Transaction Tokens and Minicloak - Dmitry Telegin (Backbase)
Let Them Eat CAKES: A Sweet Dive Into a Modern Cloud Networking Stack. - Christian Posta (Solo.io)
Find out more at https://events.linuxfoundation.org/open-source-summit-europe/
Teleport Connect 2024 in San Francisco
September 25th - San Francisco
Find out more at https://goteleport.com/teleport-connect-2024/
That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!
Got something you’d love to see in the next edition? Please get in touch at wuiwi@noahstride.co.uk!