Last active
February 24, 2018 15:35
SPIFFE Information
SPIFFE is for securing process-to-process communication
1- SPIFFE Identity
spiffe://trust-domain/path
1-1 Trust domain
1-2 path
A- Identifying services directly
spiffe://staging.example.com/payments/mysql or
spiffe://staging.example.com/payments/web-fe
environment.domain / high-level service / service
B- Identifying service owners [for higher-level orchestrators and platforms]
spiffe://k8s-west.example.com/ns/staging/sa/default
ns: namespace
sa: service account
C- Opaque SPIFFE identity [the SPIFFE path may be left opaque, carrying no visible hierarchical information]
spiffe://example.com/9eebccd2-12bf-40a6-b262-65fe0487d453
Metadata, such as geographic location, logical system partitioning and/or service name, may be provided by a secondary system where identities and their attributes are registered. That system can be queried to retrieve any metadata associated with the SPIFFE identifier.
2- SPIFFE Verifiable Identity Document (SVID)
An SVID is the mechanism through which a workload communicates its identity to a resource or caller.
2-1 SVID Trust
- SPIFFE trust is rooted in a given ID's trust domain
- The SPIFFE ID of the signing authority SHOULD reside in the trust domain in which it is authoritative, and SHOULD NOT have a path component.
- The SVID of the signing authority then forms the basis of trust for a given trust domain.
Note:
Chaining of Trust
If desired, chaining can be achieved by signing the authority's SVID with the private key of a foreign trust domain's authority. When trust is not being chained, the authority's SVID is self-signed.
2-2 SVID Components
- A SPIFFE ID
- A public key
- A valid signature
2-3 SVID Format
- An SVID is not itself a new document type; currently the only supported document type is X.509
- See RFC 5280 for information specific to X.509.
2-4 SVID Skeleton
- The SPIFFE ID is carried in the certificate's SAN (Subject Alternative Name)
- The identity of a caller or resource is carried in a leaf certificate (as opposed to a root / signing certificate)
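An added example, not code from the gist or from the SPIFFE/SPIRE projects: it parses a SPIFFE ID into trust domain and path (section 1), pulls the single spiffe:// URI out of a leaf certificate's SAN in the tuple shape Python's ssl module returns for subjectAltName (section 2-4), and applies the 2-1 rule that the signing authority's ID must sit in the same trust domain with no path. Only the standard library is used; the SAN tuple in the demo is constructed, not a real certificate.

```python
from typing import NamedTuple
from urllib.parse import urlsplit


class SpiffeID(NamedTuple):
    trust_domain: str
    path: str  # "" when the ID has no path, otherwise starts with "/"


def parse_spiffe_id(raw: str) -> SpiffeID:
    """Validate spiffe://trust-domain/path and split it (section 1)."""
    u = urlsplit(raw)
    if u.scheme != "spiffe":
        raise ValueError(f"scheme must be spiffe: {raw!r}")
    if not u.netloc or "@" in u.netloc or ":" in u.netloc:
        raise ValueError(f"trust domain missing, or carries userinfo/port: {raw!r}")
    if u.query or u.fragment:
        raise ValueError(f"query and fragment are not allowed: {raw!r}")
    path = u.path.rstrip("/")  # spiffe://example.com/ is treated as "no path"
    for segment in path.split("/")[1:]:
        if segment in ("", ".", ".."):  # empty or dot segments could alias two IDs
            raise ValueError(f"bad path segment in {raw!r}")
    return SpiffeID(u.netloc.lower(), path)  # the trust domain is a host name


def spiffe_id_from_san(subject_alt_name) -> SpiffeID:
    """Take the SPIFFE ID out of a leaf certificate's SAN (section 2-4).
    `subject_alt_name` has the shape of getpeercert()["subjectAltName"]:
    a tuple of (type, value) pairs. Exactly one spiffe:// URI is required
    so a certificate cannot claim two identities."""
    uris = [v for t, v in subject_alt_name if t == "URI" and v.startswith("spiffe://")]
    if len(uris) != 1:
        raise ValueError(f"expected exactly one spiffe:// URI SAN, found {len(uris)}")
    return parse_spiffe_id(uris[0])


def check_svid_trust(leaf: SpiffeID, authority: SpiffeID) -> bool:
    """Section 2-1: the signing authority's SPIFFE ID must sit in the trust
    domain it is authoritative for and must carry no path component."""
    return authority.path == "" and authority.trust_domain == leaf.trust_domain


if __name__ == "__main__":
    # Constructed sample SAN in getpeercert() shape, not taken from a real certificate.
    san = (("DNS", "web-fe.payments.svc"),
           ("URI", "spiffe://staging.example.com/payments/web-fe"))
    leaf = spiffe_id_from_san(san)
    print(leaf, check_svid_trust(leaf, parse_spiffe_id("spiffe://staging.example.com")))
```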
REFERENCES
- https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE.md
- https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md
- https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md
- Appendix A. X.509 Field Reference
- https://github.com/spiffe/spire/blob/master/proto/api/workload/workload.proto