WIMSE Working Group: Serious business for cloud computing

15 Oct 2024

Chartered in March 2024, the IETF Workload Identity in Multi System Environments (WIMSE) working group aims to address challenges of implementing fine-grained access control across platforms in the public and private clouds, which is increasingly important to how complex software functions are built and deployed.

The increasing prevalence of cloud computing and microservice architectures has led to the rise of complex software functions being built and deployed as workloads—instances of software executing for a specific purpose, across multiple service platforms.


WIMSE focuses on the unique identity and access management aspects of workloads at runtime and their execution context, particularly the propagation, representation, and processing of workload identity. While several standards and open-source projects—such as OAuth, JWT, and SPIFFE—offer foundational elements for this work, there are no established standards on how to combine them, nor any guidance on how to bridge the gaps between them. This can lead to inconsistencies, interoperability issues, and potential security vulnerabilities.

WIMSE formed from a Birds of a Feather session held during the IETF 118 meeting in Prague and first met as a working group during IETF 119 in Brisbane. Work has progressed rapidly since then and the group has already adopted three documents that identify, articulate, and bridge the gaps and ambiguities in multi-cloud workload identity deployments and define solutions that can be adopted across a diverse set of platforms and deployments. WIMSE is scheduled to meet during IETF 121 Dublin in November 2024.

“WIMSE Service to Service Authentication” defines authentication and authorization for software workloads in a variety of runtime environments, from the most basic ones up to complex multi-service, multi-cloud, multi-tenant deployments. This document defines the simplest, atomic unit of this architecture: the protocol between two workloads that need to verify each other's identity in order to communicate securely.

“Workload Identity in a Multi System Environment (WIMSE) Architecture” discusses an architecture for designing and standardizing protocols and payloads for conveying workload identity and security context information.

“Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments” describes the current best practices to avoid client_secret provisioning and leverage platform attestation to receive access tokens from an OAuth 2.0 authorization server via RFC 7523.
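To make the third document's approach concrete, here is an added Python sketch (written for this page, not taken from the draft or any WIMSE project) of a workload checking its platform-issued JWT before presenting it as an RFC 7523 client assertion in place of a client_secret. The issuer, subject, audience URL, scope, helper names, and the choice of the client_credentials grant are assumptions; the sample token is constructed and carries a placeholder signature, which only the authorization server would verify.

```python
import base64, json, time
from urllib.parse import urlencode

# Registered by RFC 7523 for JWTs used as client authentication.
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(aud, exp):
    """Constructed platform token; the signature part is a placeholder."""
    header = {"alg": "ES256"}
    claims = {"iss": "https://platform.example", "sub": "workload-a",
              "aud": aud, "exp": exp}
    return f"{_b64url(header)}.{_b64url(claims)}.c2ln"

def jwt_claims(token):
    """Decode the payload only; signature checking is the server's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, as_audience, now=None, min_ttl=30):
    """List claim problems that would get this assertion rejected."""
    now = time.time() if now is None else now
    c = jwt_claims(token)
    problems = [f"missing claim: {k}"
                for k in ("iss", "sub", "aud", "exp") if k not in c]
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if "aud" in c and as_audience not in aud:
        problems.append("aud does not name the authorization server")
    if "exp" in c and c["exp"] - now < min_ttl:
        problems.append("token expired or about to expire")
    return problems

def token_request_body(token, scope):
    """Token-endpoint form body; note that no client_secret is sent."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": token,
        "scope": scope,
    })
```

A token minted for a different audience (for example the platform's own API) fails the pre-flight check, which is the misconfiguration most worth catching before the credential leaves the workload.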

Work is ongoing. If you are interested in working on these issues and contributing ideas and solutions, please sign up for the mailing list and plan to attend the session during IETF 121.

