Session Date/Time: 24 Jul 2024 16:30
wimse
Summary
The second meeting of the WIMSE working group at IETF 120 covered updates on the architecture and OAuth client authentication drafts, outputs from the service-to-service and token exchange design teams, and a presentation on authentication levels for workloads. The discussions focused on defining workload identity, scoping the OAuth BCP, exploring service-to-service authentication mechanisms, and token translation.
Key Discussion Points
- Workload Identity: Discussion centered on defining workload identifiers as URIs, the structure of the URI (scheme, trust domain, path), and the relationship between the trust domain and the issuer. The scope of the identifier was focused on the workload itself rather than on issuers.
- OAuth Client Authentication BCP: The working group debated the document's scope: whether it should be a narrow BCP documenting current practices or a broader informational document including other approaches like X.509. The term "best" in "Best Current Practice" was questioned. The lack of validation information for bearer tokens was raised and seen as something that should be included.
- Service-to-Service Authentication: The service-to-service design team presented their draft, outlining transport-level (mutual TLS) and application-level authentication mechanisms. Two application-level mechanisms were proposed: a DPoP-inspired option and HTTP message signatures. Discussion covered the need to prevent replay attacks and the potential inclusion of expiry times on tokens. The hop-by-hop nature of the design was clarified.
- Token Exchange Design Team: Renamed to Token Translation, the team presented two drafts: one defining requirements for token translation and another outlining token translation types (token exchange, lossless translation, lossy translation). Feedback was requested on use cases, the definition of token translation, and the need to profile lossy translations. There was extensive discussion of when translation would occur within a trust domain and why it might be preferable.
- Authentication Levels for Workloads: Ryan Hurst presented the idea of an informational RFC to categorize authentication levels for workloads based on security properties, providing a framework for implementers and deployers.
Decisions and Action Items
- Architecture Draft: Authors to update the draft to be more focused on identifying the workloads, based on feedback.
- OAuth Client Authentication BCP: The Chairs will solicit feedback on what expanded scope should include while staying within the bounds of the charter.
- Service-to-Service Authentication Draft: The Chairs will start a call for adoption on the mailing list.
- Token Translation Drafts: The Chairs will start a thread to frame the discussion of the next steps for the documents in the mailing list.
Next Steps
- Continue discussions on the mailing list regarding workload identity, the OAuth BCP's scope, service-to-service authentication, and token translation.
- Solicit feedback on additional use-cases and deployment models for inclusion in future draft revisions.
- Authors to work on updating respective drafts based on working group feedback, as well as incorporating design team outputs.