Draft improvements:
- Rename ext -> ect_ext, clarify iss/aud requirements per level
- Add algorithm agility guidance and RFC 8725 reference
- Add HTTP header size constraints and body transport fallback
- Add cross-level parent reference semantics
- Add emerging agent protocols (A2A, MCP) to Related Work
- Fix HTTP error handling (403 not 401), IANA +jwt suffix note
- Add workflow consistency check to DAG validation
- Add defense-in-depth note for acyclicity check

Supporting files:
- Fix blog post outdated claim names (par -> pred, ext -> ect_ext)
- Update refimpl README with -00 vs -01 migration mapping
- Add refimpl IMPROVEMENTS.md section 6 with -01 migration tasks
WIMSE Execution Context Tokens — Reference Implementations
**Note**: These reference implementations were built against draft-nennemann-wimse-ect-00. The current draft (-01) introduced several claim name changes and structural updates:

| -00 (refimpl) | -01 (current draft) | Notes |
|---|---|---|
| `par` | `pred` | Predecessor task IDs |
| `pol`, `pol_decision` | removed (use `ect_ext`) | Policy claims moved to extension object |
| `sub` | not defined | Standard JWT claim, not part of ECT spec |
| `typ: wimse-exec+jwt` | `typ: exec+jwt` (preferred) | Both accepted for backward compat |

The refimpl update to -01 is tracked in IMPROVEMENTS.md.
This directory contains reference implementations of Execution Context Tokens (ECTs) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
Implementations
| Language | Path | Description |
|---|---|---|
| Go | go-lang/ | Production-ready Go library and demo. Config via env; optional JTI replay cache. |
| Python | python/ | Python 3.9+ library and demo. Same API surface and env-based config. |
Scope (all refimpls)
- ECT format: JWT (JWS Compact Serialization) with required/optional claims per the spec.
- Creation: Build and sign ECTs with ES256; `kid` and `typ` in the JOSE header.
- Verification: Full verification procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
- DAG validation: Uniqueness, parent existence, temporal ordering, acyclicity, parent policy.
- Ledger: Interface plus in-memory append-only store.
No WIT/WPT issuance or full WIMSE stack; refimpls use key resolution only. Suitable for conformance testing and as a template for production integrations.
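The DAG validation step listed above, shown as an added example rather than the refimpl's own code. It assumes -01 claim names (`jti` for the task id, `pred` for the list of predecessor task ids) and the standard `iat` claim for temporal ordering; the token dictionaries are constructed sample claim sets, not real signed ECTs. The four checks run in the order the scope list gives them: uniqueness, parent existence, temporal ordering, then acyclicity.

```python
"""Added example (not the refimpl's own code): DAG validation over a set of
ECT claim sets. Assumes -01 claim names: `jti` (task id), `pred` (list of
predecessor task ids) and the standard `iat` claim for ordering."""
from typing import Dict, List, Mapping, Optional, Sequence


class DagError(ValueError):
    """Raised when the tokens do not form a valid execution DAG."""


def validate_dag(tokens: Sequence[Mapping]) -> List[str]:
    """Check uniqueness, parent existence, temporal ordering and acyclicity.

    Returns the task ids in topological order (predecessors first);
    raises DagError describing the first violation found.
    """
    by_id: Dict[str, Mapping] = {}
    # 1. Uniqueness: each jti may appear only once in the workflow.
    for tok in tokens:
        jti = tok["jti"]
        if jti in by_id:
            raise DagError(f"duplicate jti {jti!r}")
        by_id[jti] = tok
    # 2. Parent existence and 3. temporal ordering: every predecessor must
    #    be present and must not have been issued after its successor.
    for jti, tok in by_id.items():
        for parent in tok.get("pred", []):
            if parent not in by_id:
                raise DagError(f"{jti!r} references unknown predecessor {parent!r}")
            if by_id[parent]["iat"] > tok["iat"]:
                raise DagError(f"predecessor {parent!r} issued after {jti!r}")
    # 4. Acyclicity: iterative DFS with three-colour marking. Equal iat values
    #    pass check 3, so a cycle is still possible and must be caught here.
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {jti: WHITE for jti in by_id}
    order: List[str] = []
    for start in by_id:
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        stack = [(start, iter(by_id[start].get("pred", [])))]
        while stack:
            node, preds = stack[-1]
            nxt = next(preds, None)
            if nxt is None:               # all predecessors finished
                colour[node] = BLACK
                order.append(node)
                stack.pop()
            elif colour[nxt] == GREY:     # back edge: a cycle
                raise DagError(f"cycle through {nxt!r}")
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, iter(by_id[nxt].get("pred", []))))
    return order


def dag_error(tokens: Sequence[Mapping]) -> Optional[str]:
    """Convenience wrapper: the violation message, or None if the DAG is valid."""
    try:
        validate_dag(tokens)
    except DagError as exc:
        return str(exc)
    return None


# Constructed sample workflow: a fork/join of four tasks (not real tokens).
SAMPLE_TOKENS = [
    {"jti": "t-root", "pred": [], "iat": 1000},
    {"jti": "t-a", "pred": ["t-root"], "iat": 1001},
    {"jti": "t-b", "pred": ["t-root"], "iat": 1001},
    {"jti": "t-join", "pred": ["t-a", "t-b"], "iat": 1002},
]

if __name__ == "__main__":
    print("order:", validate_dag(SAMPLE_TOKENS))
```

Temporal ordering alone does not rule out cycles, because two tokens with the same `iat` can reference each other; the explicit acyclicity pass is what makes the check complete, which is why the draft treats it as defense in depth.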
Replay cache (multi-instance)
The optional JTI replay cache (JTICache / JtiCache) is in-memory only. For multiple verifier instances behind a load balancer, replay detection must be shared. Use a distributed store (e.g. Redis, database) and implement the same contract as JTISeen: a function that returns true if the JTI was already seen, and ensure each verified JTI is recorded (e.g. with TTL). See go-lang/README and python/README for configuration and how to plug in a custom JTISeen / jti_seen.
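An added example of the `JTISeen` / `jti_seen` contract described above, written for the multi-instance case; it is not the refimpl's own cache. The store is a dict-backed stand-in for a shared store offering atomic set-if-absent with TTL (the semantics Redis `SET NX EX` provides), the `ect:jti:` key prefix and the TTL formula are assumptions, and the clock is injected so the expiry behaviour can be exercised offline.

```python
"""Added example (not the refimpl's code): a shared-store replay guard that
satisfies the JTISeen contract, i.e. returns True if the JTI was already seen
and otherwise records it. Check-and-record is one atomic store operation so
that two verifier instances cannot both accept the same token."""
import time
from typing import Callable, Dict


class SetNxStore:
    """Dict-backed stand-in for a shared store with SET NX EX semantics.
    In production this would be a Redis call or a database upsert."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now
        self._expiry: Dict[str, float] = {}  # key -> expiry time

    def set_nx_ex(self, key: str, ttl_seconds: float) -> bool:
        """Set `key` with a TTL only if it is absent or expired. True if set."""
        now = self._now()
        expiry = self._expiry.get(key)
        if expiry is not None and expiry > now:
            return False
        self._expiry[key] = now + ttl_seconds
        return True


def ttl_for_token(exp: float, now: float, skew_seconds: float) -> float:
    """Assumed policy: remember a JTI until the token itself can no longer be
    accepted, i.e. remaining lifetime plus the verifier's clock-skew allowance."""
    return max(0.0, exp - now) + skew_seconds


class ReplayGuard:
    """Implements the JTISeen contract on top of a SetNxStore."""

    def __init__(self, store: SetNxStore, ttl_seconds: float, prefix: str = "ect:jti:"):
        self._store = store
        self._ttl = ttl_seconds
        self._prefix = prefix  # assumed namespace for keys in the shared store

    def jti_seen(self, jti: str) -> bool:
        """True if this JTI was already recorded; records it otherwise."""
        return not self._store.set_nx_ex(self._prefix + jti, self._ttl)


if __name__ == "__main__":
    shared = SetNxStore()
    # Two verifier instances behind a load balancer share one store.
    instance_a = ReplayGuard(shared, ttl_seconds=ttl_for_token(exp=1300, now=1000, skew_seconds=30))
    instance_b = ReplayGuard(shared, ttl_seconds=ttl_for_token(exp=1300, now=1000, skew_seconds=30))
    print("first presentation seen?", instance_a.jti_seen("sample-jti"))   # False
    print("replay on other instance seen?", instance_b.jti_seen("sample-jti"))  # True
```

The TTL is set from the token's remaining lifetime rather than a fixed value: once the JTI entry expires, the `exp` check in the verification procedure already rejects the token, so nothing is lost by forgetting it. A separate "check" call followed by a "record" call would leave a window in which a second instance accepts the same token, which is why the contract is implemented as a single set-if-absent.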
Quick start
Go
```sh
cd refimpl/go-lang && go run ./cmd/demo
go test ./...
```
Python
```sh
cd refimpl/python && pip install -e . && python3 demo.py
python3 -m pytest tests/ -v
```
Specification
- Current draft: draft-nennemann-wimse-ect-01
- Refimpl implements: -00 claim names (see migration note above)
License
Same as the Internet-Draft (IETF Trust). Code components under Revised BSD per BCP 78/79.