@rezamt
Last active February 24, 2018 15:35
SPIFFE Information
SPIFFE is a framework for securing process-to-process communication.
1- SPIFFE Identity
spiffe://trust-domain/path
1-1 Trust domain
1-2 Path
A- Identifying services directly
spiffe://staging.example.com/payments/mysql or
spiffe://staging.example.com/payments/web-fe
The parts here are env.domain (the trust domain), a high-level service (payments) and the service itself (mysql, web-fe).
B- Identifying service owners [for higher-level orchestrators and platforms]
spiffe://k8s-west.example.com/ns/staging/sa/default
ns: namespace
sa: service account
C- Opaque SPIFFE identity [the SPIFFE path may be left opaque, carrying no visible hierarchical information]
spiffe://example.com/9eebccd2-12bf-40a6-b262-65fe0487d453
Metadata such as geographic location, logical system partitioning and/or service name may then be provided by a secondary system in which identities and their attributes are registered; that system can be queried to retrieve any metadata associated with the SPIFFE identifier.
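To make the ID rules in section 1 concrete, here is an added Go example (not code from this gist or from the SPIFFE project) that parses a SPIFFE ID into its trust domain and path and rejects forms the spec does not allow. The type and function names (SPIFFEID, ParseSPIFFEID, IsTrustDomainID, MemberOf) are my own and it uses only the Go standard library. It treats the path as opaque, so the hierarchical IDs of A and B and the UUID ID of C parse the same way, and it also applies the rule from 2-1 that a signing authority's ID carries no path component.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://trust-domain/path.
type SPIFFEID struct {
	TrustDomain string // e.g. staging.example.com; always lower-cased
	Path        string // e.g. /payments/mysql; empty for a trust-domain (authority) ID
}

// ParseSPIFFEID applies the structural rules of a SPIFFE ID: the scheme is
// spiffe, the trust domain is required, and user info, port, query and
// fragment are not allowed. The path is otherwise opaque.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	u, err := url.Parse(s)
	if err != nil {
		return SPIFFEID{}, err
	}
	if u.Scheme != "spiffe" {
		return SPIFFEID{}, fmt.Errorf("scheme must be spiffe, got %q", u.Scheme)
	}
	if u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return SPIFFEID{}, errors.New("user info, port, query and fragment are not allowed")
	}
	if u.Hostname() == "" {
		return SPIFFEID{}, errors.New("trust domain is required")
	}
	path := u.Path
	if path == "/" { // a bare trailing slash carries no path information
		path = ""
	}
	return SPIFFEID{TrustDomain: strings.ToLower(u.Hostname()), Path: path}, nil
}

// IsTrustDomainID reports whether the ID names the trust domain itself, the
// form a signing authority's SVID SHOULD use (no path component).
func (id SPIFFEID) IsTrustDomainID() bool { return id.Path == "" }

// MemberOf reports whether the ID belongs to trust domain td, which is what a
// resource checks before trusting anything signed by that domain's authority.
func (id SPIFFEID) MemberOf(td string) bool { return id.TrustDomain == strings.ToLower(td) }

// String re-serialises the ID in canonical form.
func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

func main() {
	// Constructed inputs: the gist's own examples plus two malformed IDs.
	for _, s := range []string{
		"spiffe://staging.example.com/payments/mysql",
		"spiffe://k8s-west.example.com/ns/staging/sa/default",
		"spiffe://example.com/9eebccd2-12bf-40a6-b262-65fe0487d453",
		"spiffe://example.com",               // trust-domain ID, valid for an authority
		"spiffe://example.com:8443/payments", // rejected: port
		"https://example.com/payments",       // rejected: wrong scheme
	} {
		id, err := ParseSPIFFEID(s)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%s: trust domain=%s path=%q authority=%t\n", s, id.TrustDomain, id.Path, id.IsTrustDomainID())
	}
}
```

A resource that receives an ID should run it through ParseSPIFFEID and then MemberOf before consulting any secondary metadata system, so that a malformed or foreign-domain identifier never reaches the lookup.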
2- SPIFFE Verifiable Identity Document (SVID)
A SPIFFE SVID is the mechanism through which a workload communicates its identity to a resource or caller.
2-1 SVID Trust
- SPIFFE trust is rooted in a given ID's trust domain
- The SPIFFE ID of the signing authority SHOULD reside in the trust domain in which it is authoritative, and SHOULD NOT have a path component.
- The SVID of the signing authority then forms the basis of trust for a given trust domain.
Note: Chaining of Trust
If desired, chaining can be achieved by signing the authority's SVID with the private key of a foreign trust domain's authority. If trust is not chained, the authority's SVID is self-signed.
2-2 SVID Components
- A SPIFFE ID
- A public key
- A valid signature
2-3 SVID Format
- An SVID is not itself a new document type; currently the only supported document type is X.509.
- See RFC 5280 for information specific to X.509.
2-4 SVID Skeleton
- The SPIFFE ID is carried in the certificate's SAN (Subject Alternative Name) extension, as a URI.
- The identity of a caller or resource is carried by a leaf certificate (as opposed to the root / signing certificate).
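The SVID skeleton in 2-1 to 2-4 can be exercised end to end with the Go standard library. The following is an added example, not code from this gist or from SPIFFE/SPIRE: it mints a self-signed trust-domain authority whose SPIFFE ID has no path (2-1), issues a leaf X.509 SVID that carries the workload's SPIFFE ID as its URI SAN (2-4), and verifies a presented certificate the way a resource should. The function names (IssueTrustDomainCA, IssueWorkloadSVID, VerifySVID), the choice of ECDSA P-256 keys and the one-hour lifetimes are assumptions of the example, not requirements of the spec.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl signed by signer; a nil parent means self-signed (the un-chained authority case in 2-1).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueTrustDomainCA mints the self-signed authority SVID; its URI SAN is the bare trust-domain ID with no path component.
func IssueTrustDomainCA(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: trustDomain + " SPIFFE CA"},
		URIs:                  []*url.URL{{Scheme: "spiffe", Host: trustDomain}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueWorkloadSVID signs a leaf whose single URI SAN is the workload's SPIFFE ID; the authority refuses IDs outside its own trust domain.
func IssueWorkloadSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	if len(ca.URIs) != 1 || id.Scheme != "spiffe" || id.Host != ca.URIs[0].Host {
		return nil, nil, fmt.Errorf("%s is not in the authority's trust domain", spiffeID)
	}
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		URIs:         []*url.URL{id}, // IsCA stays false: this is a leaf, not a signing certificate
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// VerifySVID checks a presented certificate the way a resource should: it must be a leaf, carry exactly one
// spiffe:// URI SAN inside the expected trust domain, and chain to that domain's bundle. It returns the SPIFFE ID.
func VerifySVID(leaf *x509.Certificate, trustDomain string, bundle ...*x509.Certificate) (string, error) {
	if leaf.IsCA {
		return "", fmt.Errorf("SVID must be a leaf certificate, not a signing certificate")
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, found %d", len(leaf.URIs))
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain {
		return "", fmt.Errorf("SAN %s is not a SPIFFE ID in trust domain %s", id, trustDomain)
	}
	roots := x509.NewCertPool()
	for _, ca := range bundle {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	return id.String(), nil
}

func main() {
	ca, caKey, err := IssueTrustDomainCA("example.com")
	if err != nil {
		panic(err)
	}
	leaf, _, err := IssueWorkloadSVID(ca, caKey, "spiffe://example.com/payments/web-fe")
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifySVID(leaf, "example.com", ca)) // the workload's SPIFFE ID, <nil>
	fmt.Println(VerifySVID(ca, "example.com", ca))   // rejected: the authority is not a leaf
}
```

The verifier deliberately checks the certificate's role (leaf, not CA) and the trust domain of the SAN before it builds the chain: a leaf from an authority that is not in the bundle, or a leaf whose SAN names another trust domain, is rejected even though each is a well-formed X.509 certificate.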
REFERENCES
- https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE.md
- https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md
- https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md
- Appendix A. X.509 Field Reference
- https://github.com/spiffe/spire/blob/master/proto/api/workload/workload.proto