logo-green.png

“Workload Identity”: It’s SPIFFY, but Central Policy Management?

Graphic depicting the concept of SPIFFY Mutual TLS (mTLS) securing workload identity and communication in a distributed system using SPIFFE and SPIRE standards. SPIFFE stands for Secure Production Identity Framework for Everyone, and SPIRE stands for SPIFFE Runtime Environment. The image illustrates the process of enforcing policies based on workload identities derived from X.509 client certificates within an East-West service mesh like Istio or Cilium. It also mentions the use of policy languages such as Cilium YAML and CEL, as well as the suggestion of using OPA or other Policy Decision Points (PDP) for managing enterprise policies. Additionally, the image highlights the overlap between mTLS workload identity and OAuth clients, mentioning RFC 8705 and RFC 9449 as potential mechanisms for binding OAuth access tokens to mutual-TLS certificates

SPIFFY Mutual TLS (mTLS) is a way to secure workload identity and communication in a distributed system using the SPIFFE and SPIRE standards. (see also: https://spiffe.io/) SPIFFE stands for Secure Production Identity Framework for Everyone, and SPIRE stands for SPIFFE Runtime Environment. SPIFFE defines a platform-agnostic identity format and API for workloads, and SPIRE provides […]