[Re-Cap] SPIFFE Community Day: Fall 2018

Scytale hosted SPIFFE’s seventh community day in November 2018. This event was a great way for participants to learn the latest SPIFFE/SPIRE updates, and to meet peers and practitioners. Being new to this community, it was a great learning experience for me. It certainly felt like drinking from a firehose!

The event nearly doubled in attendance, with 150+ participants representing various industries attending in person in San Francisco and New York and online.

The agenda was full of project updates, demos, and user presentations from organizations including Pinterest, Square, and VMware. Of the many project updates, two stood out for me:

• SPIFFE Federation: In today’s enterprise, a natural tension exists between a desire for a contiguous service identity namespace with consistently applied and auditable policies, and a desire for isolation and autonomy. Some examples of this include when distinct business units are supported by independent platforms teams but must establish mutual trust. The SPIFFE community foresees that adopters will want to establish mutual trust between SPIFFE-compatible vendors.
• SPIFFE Federation is a proposal to build trust between two identity namespaces, running across heterogeneous platforms. Work is being done in SPIFFE to define a standard interface for federation support, and in SPIRE to implement that interface. Here’s Scytale’s Max Lambrecht discussing the upcoming Federation API.
• JWT Support: Many organizations want to use JWT-based tokens for service-to-service authentication, but up till now the only way to authenticate using a SPIFFE ID was via an X.509 certificate. While this suffices for many use-cases (eg. mTLS), there are others where mTLS is unsuitable (e.g. when an application load balancer is in the network path, or when queue messages must be identified). A group of SPIFFE contributors has been working on a JWT-based token specification of the SPIFFE ID (the JWT-SVID), and a mechanism to generate and validate these tokens via the SPIFFE Workload API. This GREATLY simplifies JWT-based authentication between workloads. Here’s Scytale’s Andrew Harding discussing the JWT support.

Here’s a complete recording of the meeting (two parts):

SPIFFE Community Day: Fall 2018 (Part 1)

SPIFFE Community Day: Fall 2018 (Part 2)

Slides are available here:

A big thank you to all presenters, contributors, and attendees for making it a huge success. Special thanks to Square (in San Francisco) and Work-Bench (in New York) for hosting the SPIFFE community.