Project Proposal: SPIFFE

[suniljames]

As requested during the 7 November 2017 CNCF TOC meeting (meeting minutes), we submit SPIFFE for consideration to be included as a CNCF project.

In addition to the public commentary within this pull request, Scytale is hosting "office hours" (Zoom) twice a week (Tues/Thurs @ 10:30am PDT for 30 minutes) through December 6, 2017.

Note: this is the original Google document where this content was drafted.

[jondb]

This is a game changer. Managing shared secrets between micro services and distributing private TLS to hosts is an operational problem. It's a point of contention between the security and ops team and it detracts from other valuable security improvements.

[ajessup]

Workload identity is at the heart of almost every current CNCF project and is a prerequisite of the perimeter-less zero-trust architecture that is a hallmark of cloud native deployments.

SPIFFE, by providing a strong, community supported specification and toolchain for workload identity across heterogeneous computing environments, will be of enormous benefit to organizations looking to adopt such an architecture.

[jainvipin]

standardization of identity format and management would bring security to applications, similar to what OCI/Docker brought to applications.

[mlakewood]

Having secure identity would hugely improve the ability to deliver secure cloud-native applications and systems. SPIFFE in particular strikes a great balance between standing on the shoulder of giants and taking the industry forward.

[jbeda]

In my mind, service identity (LOAS) is the one piece that is missing from the "magic" systems that made Google production platform work. Inside Google it has proven to be an enabler for more secure systems but also as a key to a lot beyond just security. Once you have implicit identity with every action you can start using that as context for so so many things.

SPIFFE/SPIRE is doing a great job of bringing together all the pieces to not just recreate the Google environment to but to take it to new places and new scenarios.

[halap]

Identity framework for micro services that can support multiple cloud environments is a compelling value prop. Eager to see the development.

[peterlamar]

Enterprise engineers need solutions that help them implement defense in depth. They have difficulty implementing security beyond the legacy perimeter mindset, which often means once the perimeter is breached the application is often wide open aka (Equifax et tal).
If Microservice platforms have workload identity built in, a perimeter breach could be less catastrophic for applications built upon them. This effort to make layered security more accessible to developers is a big win for the good guys.

[csepulv]

We use a lot of microservices (Bastille Networks) and a standard identity approach would certainly help manage the overhead of securing such services.

[MP237]

Service to service auth is going to be critical in standardizing identity for many use-cases going forward. Multi-cloud, Edge device management, HA etc. Definitely need something like this.

[ramsesm2018]

SPIFFE is a substantive step in defending micro services. Looking forward to seeing the future of this project.

[Black4ciD]

The potential embedded in SPIFFE is huge. I'm certain we will see more and more organizations adopt this standard as it provides a simple and elegant solution to a very painful problem. By mitigating the Service Identity problem we will be able to deliver higher security level in both standard cloud and multi-cloud environments.
This would be an awesome CNCF project!

[fbalus]

This project proposal is an important building block towards application-driven security and zero trust, perimeter-less environment.

[suniljames]

We just hung up from the 11/16 "office hours." Since nobody showed up, I am not uploading a video recording.

[REMINDER] Scytale is hosting "office hours" (Zoom) twice a week (Tues/Thurs @ 10:30am PDT for 30 minutes) through December 6, 2017. The next one is on 11/21.

[diogomonica]

I'm a big proponent of SPIFFE and having a strong, portable identity for application to application AAA.

[carstenjacobsen]

SPIFFE is important because it provides a standardized identity framework, which is independent of application types, industies and organisation sizes. It truly is built for everyone.

[randomvariable]

Hi @suniljames,

Will be helping out with the due diligence from next week.
Sorry I missed this week's call, will join next Tuesday!

Naadir

[suniljames]

Awesome to hear, @randomvariable ! Looking forward to chatting.

[bchav]

Here at AWS, SPIFFE is interesting to us for a number of reasons.

First, from a cloud provider perspective, a standard for pod/container identity eases the burden of securely passing secrets like IAM roles or credentials to workloads. We suspect there are other use cases here as well, like correlating AWS level metadata like tags, and granularly configuring security controls like VPC Security Groups.

More broadly speaking, we are excited about the potential for SPIFFE to provide a standard that applies to orchestration systems like Kubernetes, or container runtimes in general, whether that is Docker, CRI-Containerd, or whatever the future brings.

Finally, we sense the opportunity for this project to enhance other CNCF projects, especially in the service discovery and service mesh space. If Istio, Envoy, Linkerd can offload fingerprinting of workloads to SPIFFE, these projects can focus on their core competencies and not worry about underlying secure introduction problem.

[klynch]

I am excited for the ability to have true secure identity and communication between my services regardless of deployment locations (on premises, cloud) or orchestrator (VM, iron, K8S). This is huge!

[woloski]

Auth0 CTO here 👋 . This problem is very close to our heart :). We've seen customer struggling with how to secure service to service interactions in a micro-services architecture. Having an easy way to agnostically authenticate services would be a big win for the industry.

[suniljames]

Gentle reminder that Scytale today is hosting "office hours" (Zoom) at 10:30am PDT for 30 minutes.

[suniljames]

As requested by @randomvariable during today's SPIFFE "office hours" (video), please find this link to the repo page detailing the SPIFFE standards.

[bgrant0607]

Note for the record: We believe we should contribute SPIRE together with SPIFFE, as one project.

One project is simpler, and emphasizes that SPIFFE is not just a spec, but also has a working implementation. TUF also has a reference implementation.

Istio will also have a SPIFFE implementation, which will help ensure that multiple implementations of the spec will remain possible.

[bgrant0607]

s/proscribing/promoting/

[justincormack]

I think it might be a typo for prescribing but yes promoting is better.

[suniljames]

Will address this. Thanks for identifying it.

[suniljames]

Gentle reminder that Scytale today is hosting "office hours" (Zoom) at 10:30am PDT for 30 minutes.

[justincormack]

I have done a brief technical review of this. There is a lot to review (a lot more than last time I looked some months back), and I haven't had time to review all of it yet, and I am not sure that it really makes sense to do so at this particular point in time, and it makes more sense to continue to review over time. There is definitely a requirement for workload identity in microservice environments. The project is in a much younger state than either of the other CNCF inception projects, for example the specification is not yet finished, but I don't think this is necessarily a blocker. Indeed this seems to be what the inception stage is designed for, and the specification may get more attention in the CNCF than outside.

[suniljames]

Gentle reminder that @pragashj is hosting today's SPIFFE "office hours" (Zoom) at 10:30am PDT for 30 minutes. Thanks, JJ!

[pragashj]

We just finished the call. For any questions, please drop by our slack channel. Thanks!

…

On Dec 5, 2017 12:18 PM, "Sunil James" ***@***.***> wrote: Gentle reminder that @pragashj <https://github.com/pragashj> is hosting today's SPIFFE "office hours" (Zoom <https://zoom.us/j/5419605541>) at 10:30am PDT for 30 minutes. Thanks, JJ! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AdwPwPVvDGRopsU4D3ScQiR5Y7SfN2zMks5s9YkCgaJpZM4Qelz4> .

[jessfraz]

In my opinion projects should have adoption before being added. Why do you need to be in CNCF? Is it just for status for your commercial interests in selling it?

I also agree with @justincormack on the fact that the spec is not exactly mature. This project is so young. Adding it to the CNCF to get adoption and more visibility is for ALL the wrong reasons imo. Is that what this foundation is for? Marketing of projects for visibility?

[ultrasaurus]

Sorry to chime in late here -- just catching up on the details of this project and like others, have not completed a detailed technical review.

I agree with @jessfraz that the excitement expressed around SPIFFE is primarily around the problem it is focused on solving, rather than this specific solution (except for folks deeply familiar with the Google system that inspires it).

I'm not speaking for my employer, just chiming in based on my pre-Google experience. There are a lot of disparate identity systems that are pretty challenging to make interoperable without quite a bit of fragile logic. SPIFFE seems like it could solve a key part of the problem, yet would be important for there to be implementations of a complete system that uses SPIFFE/SPIRE and explore how those additional components fit into the CNCF ecosystem.

Also I agree with @monadic that it seems in the spirit of CNCF to adopt SPIRE, which can be used to validate SPIFFE.

[suniljames]

Following multiple F2F discussions over the past few weeks with people on (and off) this thread, we started this FAQ to address repeatedly asked questions. Definitely more to come, and we welcome comments (and suggestions).

[pragashj]

On protocol and standards

SPIFFE (unified identity model) is one of the key fundamental component required to enable seamless interoperability amongst heterogenous infrastructure. I also think an intentional standardization on identity will help towards usable security.

On technology

SPIRE is a clean simple code base that allows the community to learn and stabilize SPIFFE. While this isn't a sufficient condition for the production grade readiness, it is definitely a necessary condition.

On community

Having been involved with this from early on, I have seen some people with enthusiasm, some that have solved this problem at scale and some that have real need for this solution come together and chip in to build on SPIFFE. IMO: Being in CNCF can help accelerate this.

[jessfraz]

I just wanted to reiterate that when I said:

I definitely think the systems SPIFFE is based upon obviously give it a firm place in the future of infrastructure

that meant +1 to SPIFFE

[caniszczyk]

kicked off the official vote for SPIFFE as an inception level project, feel free to vote on the mailing list thread: https://lists.cncf.io/g/cncf-toc/topic/vote_spiffe_project/9616955

[pragashj]

+1 non-binding

…

On Thu, Feb 1, 2018 at 7:46 AM, Chris Aniszczyk ***@***.***> wrote: kicked off the official vote for SPIFFE as an inception level project, feel free to vote on the mailing list thread: https://lists.cncf.io/g/cncf-toc/topic/vote_spiffe_project/9616955 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AdwPwNGqiHzwf8P428Rm0COR9kCzWURkks5tQdxRgaJpZM4Qelz4> .

[sublimino]

+1 (non-binding)

[ddunstan]

+1 (non-binding)

[eghobo]

+1 (non-binding)

[fbalus]

+1 non-binding

…

On Thu, Feb 1, 2018 at 7:46 AM, Chris Aniszczyk ***@***.***> wrote: kicked off the official vote for SPIFFE as an inception level project, feel free to vote on the mailing list thread: https://lists.cncf.io/g/cncf-toc/topic/vote_spiffe_project/9616955 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHIHSjM95fpCpZTKm3pIsjfpLStAz6UTks5tQdxSgaJpZM4Qelz4> .

-- Florin Balus <http://www.twitter.com/fbalus> <https://www.linkedin.com/pub/florin-balus/0/574/576>

[benschumacher]

+1, non-binding

[stevvooe]

Should this make it clear is this apache?

[dankohn]

Apache-2.0 is the SPDX notation.

https://spdx.org/licenses/Apache-2.0.html

[caniszczyk]

Yes it’s Apache v2.0 license

On Thu, Feb 1, 2018 at 9:38 PM Stephen Day ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In proposals/spiffe.adoc <#68 (comment)>: > +* Support for automatic bootstrapping and node attestation on public cloud platforms (Amazon Web Services, Microsoft Azure, and Google Cloud Platform). +* Support for automatic bootstrapping and node attestation on virtualization platforms (VMWare and OpenStack). +* Support for Microsoft Windows-based workloads. +* SPIFFE Workload API client libraries in Go, C, Java, and Javascript, with support for TLS negotiation and JWT signing. +* gRPC support for the SPIFFE Workload API. +* SPIFFE Workload API certificate helpers for Linux and Windows. +* A standards conformance test suite. +* Secure introduction to popular products, including Lyft Envoy and Hashicorp Vault. + +*Sponsor / Advisor from TOC*: Brian Grant ***@***.***> + +*Preferred maturity level*: Inception + +*Unique Identifier*: spiffe + +*License*: ALv2 Should this make it clear is this apache? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#68 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAD5IdAfqdHmEHT_gNhdXo4vmLKe0maaks5tQi69gaJpZM4Qelz4> .

-- Cheers, Chris Aniszczyk http://aniszczyk.org +1 512 961 6719

[greggdonovan]

+1 (non-binding)

[aasmall]

+1 (non-binding)

[kbpawlowski]

+1 (non-binding)

[feangulo]

+1, non-binding

[caniszczyk]

@bgrant0607 is looking for an additional @cncf/toc sponsor, once we have one, we'll move forward and accept SPIFFE into the sandbox.

[bgrant0607]

Ken and Sam will cosponsor.

[caniszczyk]

final call for any more @cncf/toc sponsors outside of the 2 minimum we have for the sandbox entry, if I don't hear from anyone by next Monday, we will have SPIFFE enter the sandbox

[bgrant0607]

s/Inception/Sandbox/

[caniszczyk]

https://www.cncf.io/blog/2018/03/29/cncf-to-host-the-spiffe-project/