**Session Date/Time:** 18 Mar 2024 03:00

# wimse

## Summary

The wimse (Workload Identity in Multi-System Environments) working group held its first meeting at IETF 119. The session covered administrative details, a charter overview, and presentations on relevant work in OAuth and on architecture drafts. Key topics included transaction tokens, identity and authorization chaining, workload identity architecture, and best current practices for workload identity. The group discussed scope, deliverables, and how to coordinate work across different areas. Several action items were identified, including forming design teams and clarifying document scopes.

## Key Discussion Points

* **Workload Definition:** Defining what constitutes a workload and its identity in multi-system environments. Agreement on a starting definition, with the expectation that it will be refined.
* **Scope of Work:** Balancing a focus on HTTP-based solutions with broader discussion of other protocols (gRPC, Kafka, etc.). Emphasis on the presentation rather than the provisioning aspects of workload identity.
* **Transaction Tokens:** Presentation on transaction tokens and their potential use in down-scoping OAuth models within internal perimeters. Discussion of sender constraints and replay attacks.
* **Identity and Authorization Chaining:** Review of work in the OAuth group on identity and authorization chaining across domains using token exchange and assertion frameworks.
* **Architecture Document:** Presentation on an initial architecture document focusing on terminology, security properties, and system components. Discussion of security analysis, privacy considerations, and potential formal modeling.
* **Best Current Practices:** Scoping and framing a BCP document for workload identity, particularly JWTs in Kubernetes. Debate over whether to broaden the scope to include other token types and delivery mechanisms.
* **Deliverables:** A review of the charter-defined deliverables, with a proposed roadmap for the group's first year covering the scope of, and relationships among, the deliverables.

## Decisions and Action Items

* **Adopt Architecture Document:** The working group intends to adopt the wimse Architecture draft as a starting point, pending a call for consensus on the mailing list. A cleanup revision will be made before the call.
* **Token BCP Scope Discussion:** The working group will discuss on the mailing list the appropriate scope for the token BCP document (narrow vs. wider scope) to help inform the adoption decision. Multiple documents for this deliverable will be considered.
* **Token Exchange Design Team:** A design team will be formed to investigate token exchange mechanisms and possible frameworks for token translation across different security domains. A call for participation will be sent to the mailing list.
* **Service to Service Traffic Team:** A team will look into the service-to-service traffic and identity management deliverable.
* **Liberty Alliance Shifts:** George Fletcher will attempt to find a reference to the Liberty Alliance "Shifts" specification.

## Next Steps

* Post a call for consensus on the mailing list for adoption of the wimse Architecture draft.
* Post a call for participation on the mailing list for the token exchange design team.
* Discuss the scope of the token BCP document on the mailing list.
* Chairs to create action items based on the meeting notes and track progress.