c/ietf-wimse-ect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba044f6626f7fb331fdfdec169998ca743390428
ietf-wimse-ect/refimpl/README.md
Christian Nennemann 8cf0d8aade feat: polish draft-01 for submission — claim renames, review fixes, refimpl docs 
Draft improvements:
- Rename ext -> ect_ext, clarify iss/aud requirements per level
- Add algorithm agility guidance and RFC 8725 reference
- Add HTTP header size constraints and body transport fallback
- Add cross-level parent reference semantics
- Add emerging agent protocols (A2A, MCP) to Related Work
- Fix HTTP error handling (403 not 401), IANA +jwt suffix note
- Add workflow consistency check to DAG validation
- Add defense-in-depth note for acyclicity check

Supporting files:
- Fix blog post outdated claim names (par -> pred, ext -> ect_ext)
- Update refimpl README with -00 vs -01 migration mapping
- Add refimpl IMPROVEMENTS.md section 6 with -01 migration tasks
2026-04-03 07:49:36 +02:00

62 lines
2.9 KiB
Markdown
Raw Blame History

# WIMSE Execution Context Tokens — Reference Implementations
> **Note**: These reference implementations were built against **draft-nennemann-wimse-ect-00**.
> The current draft (**-01**) introduced several claim name changes and structural updates:
>
> | -00 (refimpl) | -01 (current draft) | Notes |
> |---------------|---------------------|-------|
> | `par` | `pred` | Predecessor task IDs |
> | `pol`, `pol_decision` | removed (use `ect_ext`) | Policy claims moved to extension object |
> | `sub` | not defined | Standard JWT claim, not part of ECT spec |
> | `typ: wimse-exec+jwt` | `typ: exec+jwt` (preferred) | Both accepted for backward compat |
>
> The refimpl update to -01 is tracked in IMPROVEMENTS.md.
This directory contains **reference implementations** of Execution Context Tokens (ECTs) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
## Implementations
| Language | Path | Description |
|----------|-----------|-------------|
| **Go** | [go-lang/](go-lang/) | Production-ready Go library and demo. Config via env; optional JTI replay cache. |
| **Python** | [python/](python/) | Python 3.9+ library and demo. Same API surface and env-based config. |
## Scope (all refimpls)
- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec.
- **Creation**: Build and sign ECTs with ES256; `kid` and `typ` in the JOSE header.
- **Verification**: Full verification procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
- **DAG validation**: Uniqueness, parent existence, temporal ordering, acyclicity, parent policy.
- **Ledger**: Interface plus in-memory append-only store.
No WIT/WPT issuance or full WIMSE stack; refimpls use key resolution only. Suitable for conformance testing and as a template for production integrations.
### Replay cache (multi-instance)
The optional JTI replay cache (`JTICache` / `JtiCache`) is **in-memory only**. For multiple verifier instances behind a load balancer, replay detection must be shared. Use a distributed store (e.g. Redis, database) and implement the same contract as `JTISeen`: a function that returns true if the JTI was already seen, and ensure each verified JTI is recorded (e.g. with TTL). See go-lang/README and python/README for configuration and how to plug in a custom `JTISeen` / `jti_seen`.
## Quick start
**Go**
```bash
cd refimpl/go-lang && go run ./cmd/demo
go test ./...
```
**Python**
```bash
cd refimpl/python && pip install -e . && python3 demo.py
python3 -m pytest tests/ -v
```
## Specification
- **Current draft**: `draft-nennemann-wimse-ect-01`
- **Refimpl implements**: `-00` claim names (see migration note above)
## License
Same as the Internet-Draft (IETF Trust). Code components under Revised BSD per BCP 78/79.
Reference in New Issue View Git Blame Copy Permalink