c/ietf-wimse-ect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make SPIFFE ID format recommended, not required for iss claim

Browse Source 
Allow any URI scheme for the iss claim (SPIFFE, HTTPS, URN:UUID)
to support non-WIMSE deployments that want DAG tracing without
SPIFFE infrastructure. SPIFFE format remains SHOULD for WIMSE
deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Christian Nennemann
2026-02-24 23:27:34 +01:00
parent a6d2a955ee
commit d8d1524dac
4 changed files with 570 additions and 563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
draft-nennemann-wimse-execution-context-00.html
View File

@@ -1933,8 +1933,8 @@ following mechanisms:<a href="#section-3.3-1" class="pilcrow">¶</a></p>
key identifier from the agent's WIT.<a href="#section-3.3-2.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-3.3-2.2">
<p id="section-3.3-2.2.1">The ECT "iss" claim <span class="bcp14">MUST</span> use the WIMSE workload identifier
format (a SPIFFE ID <span>[<a href="#SPIFFE" class="cite xref">SPIFFE</a>]</span>).<a href="#section-3.3-2.2.1" class="pilcrow"></a></p>
<p id="section-3.3-2.2.1">In WIMSE deployments, the ECT "iss" claim <span class="bcp14">SHOULD</span> use the WIMSE
workload identifier format (a SPIFFE ID <span>[<a href="#SPIFFE" class="cite xref">SPIFFE</a>]</span>).<a href="#section-3.3-2.2.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-3.3-2.3">
<p id="section-3.3-2.3.1">The ECT <span class="bcp14">MUST</span> be signed with the same private key associated
@@ -2059,10 +2059,12 @@ every ECT:<a href="#section-4.2.1-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-4.2.1-2">
<dt id="section-4.2.1-2.1">iss:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.1-2.2">
<p id="section-4.2.1-2.2.1"><span class="bcp14">REQUIRED</span>. StringOrURI. The issuer of the ECT, which <span class="bcp14">MUST</span> be
the workload's SPIFFE ID in the format
<code>spiffe://&lt;trust-domain&gt;/&lt;path&gt;</code>. This <span class="bcp14">MUST</span> match the "sub"
claim of the agent's WIT.<a href="#section-4.2.1-2.2.1" class="pilcrow"></a></p>
<p id="section-4.2.1-2.2.1"><span class="bcp14">REQUIRED</span>. StringOrURI. A URI identifying the issuer of the
ECT. In WIMSE deployments, this <span class="bcp14">SHOULD</span> be the workload's
SPIFFE ID in the format <code>spiffe://&lt;trust-domain&gt;/&lt;path&gt;</code>,
matching the "sub" claim of the agent's WIT. Non-WIMSE
deployments <span class="bcp14">MAY</span> use other URI schemes (e.g., HTTPS URLs or
URN:UUID identifiers).<a href="#section-4.2.1-2.2.1" class="pilcrow"></a></p>
</dd>
<dd class="break"></dd>
<dt id="section-4.2.1-2.3">sub:</dt>