Make SPIFFE ID format recommended, not required for iss claim

Allow any URI scheme for the iss claim (SPIFFE, HTTPS, URN:UUID)
to support non-WIMSE deployments that want DAG tracing without
SPIFFE infrastructure. SPIFFE format remains SHOULD for WIMSE
deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 23:27:34 +01:00
parent a6d2a955ee
commit d8d1524dac
4 changed files with 570 additions and 563 deletions

@@ -310,8 +310,8 @@ following mechanisms:
- The ECT JOSE header "kid" parameter MUST reference the public
key identifier from the agent's WIT.
- The ECT "iss" claim MUST use the WIMSE workload identifier
format (a SPIFFE ID {{SPIFFE}}).
- In WIMSE deployments, the ECT "iss" claim SHOULD use the WIMSE
workload identifier format (a SPIFFE ID {{SPIFFE}}).
- The ECT MUST be signed with the same private key associated
with the agent's WIT.
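Review bot: relaxing the "iss" bullet from MUST to "In WIMSE deployments ... SHOULD" leaves this list of binding mechanisms with no statement at all for non-WIMSE deployments, and it also drops the only MUST in this list that tied the ECT issuer to the WIT; the remaining bullets ("kid" MUST reference the WIT key, ECT MUST be signed with the WIT key) still bind the key but no longer the identity. Suggest adding a scheme-independent requirement here, e.g. "The ECT "iss" claim MUST match the "sub" claim of the agent's WIT, regardless of URI scheme," and stating what a verifier does on mismatch, so that a WIMSE verifier can still reject an ECT whose issuer does not correspond to the presented WIT.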
@@ -395,10 +395,12 @@ The following standard JWT claims {{RFC7519}} MUST be present in
every ECT:
iss:
: REQUIRED. StringOrURI. The issuer of the ECT, which MUST be
the workload's SPIFFE ID in the format
`spiffe://<trust-domain>/<path>`. This MUST match the "sub"
claim of the agent's WIT.
: REQUIRED. StringOrURI. A URI identifying the issuer of the
ECT. In WIMSE deployments, this SHOULD be the workload's
SPIFFE ID in the format `spiffe://<trust-domain>/<path>`,
matching the "sub" claim of the agent's WIT. Non-WIMSE
deployments MAY use other URI schemes (e.g., HTTPS URLs or
URN:UUID identifiers).
sub:
: OPTIONAL. StringOrURI. The subject of the ECT. When present,
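Review bot: the old text made "This MUST match the "sub" claim of the agent's WIT" a standalone requirement; in the new text the match survives only as the participle "matching the "sub" claim" inside the WIMSE SHOULD sentence, so for non-WIMSE issuers (HTTPS URLs, URN:UUID) there is no longer any normative link between "iss" and the WIT, and even for WIMSE the match is arguably now only a SHOULD. Suggest restoring it as its own sentence after the MAY clause: "In all deployments, the "iss" value MUST match the "sub" claim of the agent's WIT." Two smaller points in the same lines: the type is given as StringOrURI but the text then says "A URI identifying the issuer", so state explicitly that the URI form is required (a bare string without a colon is also a valid StringOrURI under RFC 7519); and the example "URN:UUID identifiers" would read better in the conventional lowercase "urn:uuid:" form used by RFC 4122.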