c/ietf-wimse-ect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eb79c6998a36fe06ce25c80eff3555e24a496d87
ietf-wimse-ect/refimpl/README.md
Christian Nennemann bbf557e54b Restructure refimpl into go-lang and python subdirectories 
Move Go reference implementation to refimpl/go-lang/ and add new
Python reference implementation in refimpl/python/. Update build.sh
with renamed draft and simplified tool paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 23:11:55 +01:00

50 lines
2.3 KiB
Markdown
Raw Blame History

# WIMSE Execution Context Tokens — Reference Implementations
This directory contains **reference implementations** of [Execution Context Tokens (ECTs)](../draft-nennemann-wimse-execution-context-00.txt) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
## Implementations
| Language | Path | Description |
|----------|-----------|-------------|
| **Go** | [go-lang/](go-lang/) | Production-ready Go library and demo. Config via env; optional JTI replay cache. |
| **Python** | [python/](python/) | Python 3.9+ library and demo. Same API surface and env-based config. |
## Scope (all refimpls)
- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec (Section 4).
- **Creation**: Build and sign ECTs with ES256; `kid` and `typ: wimse-exec+jwt` in the JOSE header.
- **Verification**: Full Section 7 procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
- **DAG validation**: Section 6 (uniqueness, parent existence, temporal ordering, acyclicity, parent policy).
- **Ledger**: Interface plus in-memory append-only store (Section 9).
No WIT/WPT issuance or full WIMSE stack; refimpls use key resolution only. Suitable for conformance testing and as a template for production integrations.
### Replay cache (multi-instance)
The optional JTI replay cache (`JTICache` / `JtiCache`) is **in-memory only**. For multiple verifier instances behind a load balancer, replay detection must be shared. Use a distributed store (e.g. Redis, database) and implement the same contract as `JTISeen`: a function that returns true if the JTI was already seen, and ensure each verified JTI is recorded (e.g. with TTL). See go-lang/README and python/README for configuration and how to plug in a custom `JTISeen` / `jti_seen`.
## Quick start
**Go**
```bash
cd refimpl/go-lang && go run ./cmd/demo
go test ./...
```
**Python**
```bash
cd refimpl/python && pip install -e . && python3 demo.py
python3 -m pytest tests/ -v
```
## Specification
- **Draft**: `draft-nennemann-wimse-execution-context-00`
- **Sections**: 4 (format), 5 (HTTP header), 6 (DAG), 7 (verification), 9 (ledger interface).
## License
Same as the Internet-Draft (IETF Trust). Code components under Revised BSD per BCP 78/79.
Reference in New Issue View Git Blame Copy Permalink