ietf-wimse-ect/refimpl/README.md
Christian Nennemann 884d2dc836 feat: migrate refimpls from draft-00 to draft-01 claim names
- Rename `par` to `pred` (predecessor) in types, serialization, tests
- Remove `pol`, `pol_decision` from core payload; move to `ect_ext`
- Remove `sub` from payload (not part of ECT spec)
- Update `typ` from `wimse-exec+jwt` to `exec+jwt` (accept both)
- Rename MaxParLength to MaxPredLength everywhere
- Update testdata, demos, READMEs with migration table
- All Go tests pass, all 56 Python tests pass (90% coverage)
2026-04-03 10:55:58 +02:00


WIMSE Execution Context Tokens — Reference Implementations

These reference implementations are aligned with draft-nennemann-wimse-ect-01.

The following claim name changes from -00 have been applied:

| -00 (previous) | -01 (current) | Notes |
|---|---|---|
| `par` | `pred` | Predecessor task IDs |
| `pol`, `pol_decision` | removed (use `ect_ext`) | Policy claims moved to extension object |
| `sub` | not defined | Standard JWT claim, not part of ECT spec |
| `typ: wimse-exec+jwt` | `typ: exec+jwt` (preferred) | Both accepted for backward compat |
| `MaxParLength` | `MaxPredLength` | Renamed to match `pred` claim |

This directory contains reference implementations of Execution Context Tokens (ECTs) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.

Implementations

| Language | Path | Description |
|---|---|---|
| Go | `go-lang/` | Production-ready Go library and demo. Config via env; optional JTI replay cache. |
| Python | `python/` | Python 3.9+ library and demo. Same API surface and env-based config. |

Scope (all refimpls)

  • ECT format: JWT (JWS Compact Serialization) with required/optional claims per the spec.
  • Creation: Build and sign ECTs with ES256; kid and typ in the JOSE header.
  • Verification: Full verification procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
  • DAG validation: Uniqueness, predecessor existence, temporal ordering, acyclicity, predecessor policy.
  • Ledger: Interface plus in-memory append-only store.

The refimpls do not issue WITs or WPTs and do not implement the full WIMSE stack; they rely on key resolution only. They are suitable for conformance testing and as a template for production integrations.

Replay cache (multi-instance)

The optional JTI replay cache (JTICache / JtiCache) is in-memory only. When several verifier instances run behind a load balancer, replay detection must be shared between them: back it with a distributed store (e.g. Redis or a database) that implements the same contract as JTISeen, a function returning true if the JTI has already been seen, and make sure every verified JTI is recorded (e.g. with a TTL). See go-lang/README and python/README for configuration and for how to plug in a custom JTISeen / jti_seen.

Quick start

Go

cd refimpl/go-lang && go run ./cmd/demo
go test ./...

Python

cd refimpl/python && pip install -e . && python3 demo.py
python3 -m pytest tests/ -v

Specification

  • Current draft: draft-nennemann-wimse-ect-01
  • Refimpl implements: -01 claim names

License

Same as the Internet-Draft (IETF Trust). Code components under Revised BSD per BCP 78/79.