Clarify the One-SPIFFE-ID-Per-SVID rule (spiffe#72)
* Clarify the One-SPIFFE-ID-Per-SVID rule

From the very first version of the X.509-SVID specification, a requirement has been set that an SVID may contain one and only one SPIFFE ID. Users requiring more than one identity must use multiple SVIDs, as opposed to a single SVID representing multiple identities.

SIG-Spec has re-visited this restriction. After a lengthy discussion, consensus was reached that the rule should stand. There were two primary concerns in relaxing this restriction: 1) Audit logging would become more difficult, as an authenticator would have to understand which identity is the one that was in fact authorized, and 2) authorization would become more difficult, and SPIFFE is not in a position to provide authorization instructions with regards to how policies governing multiple SPIFFE IDs should be combined.

It was acknowledged that it would be useful to include multiple SPIFFE IDs in the context of a server certificate, however workloads may choose to use the same SVID as both server and client certificates, and the complexity introduced in allowing such a concession was decidedly more dangerous than simply keeping the restriction in place.

This commit:

1. Updates the text to give a short explanation on the existence of the restriction
1. Updates the text to specify what a validator should do when encountering multiple SPIFFE IDs in an SVID
1. Clarifies SVID validation of signing certificates
1. Fixes spiffe#32

Signed-off-by: Evan Gilman <egilman@vmware.com>