Session Date/Time: 17 Mar 2026 03:30
WIMSE
IETF 125 - Shenzhen, China
Session: WIMSE (Workload Identity in a Multi-System Environment)
Chairs: Justin Richer, Peter Loftquist
Note Taker: (Noted in transcript)
On-site Coordinator: Ory Segal
Summary
The WIMSE working group met at IETF 125 to discuss the progress of its seven active adopted drafts. The primary focus of the session was on refining the modularized documents resulting from the split of the original service-to-service authentication draft and aligning terminology across the architecture, identifier, and credential specifications. One document is currently in Working Group Last Call (WGLC), and several others are nearing that stage.
Key Discussion Points
1. Welcome and Chair Updates
Presentation: Welcome and Chair Updates
The chairs emphasized a focus on adopted work. With the group reaching the two-year mark, the priority is finishing existing items before taking on new work. The "elephant" draft (service-to-service) has been successfully split into four more manageable "gazelle" drafts to accelerate progress.
2. WIMSE Workload Credentials
Draft: draft-ietf-wimse-workload-creds
Presentation: WIMSE Workload Credentials
- Brian Campbell presented the status of the credential draft, which defines the Workload Identity Token (WIT) in JWT format and the Workload Identity Credential in X.509 format.
- Recent updates focused on removing identifier definitions and referencing draft-ietf-wimse-identifier directly.
- Kathleen Moriarty raised a concern regarding terminology, specifically distinguishing between identifiers and credentials (keys vs. binding of keys to identity). Brian clarified that the credential is the combination of the key pair and the binding to the identifier (e.g., via the SAN in X.509 or the sub claim in JWT).
3. WIMSE Workload Proof Token (WPT)
Draft: draft-ietf-wimse-wpt
Presentation: WIMSE Workload Proof Token
- Brian Campbell discussed the mechanism for proving possession of the private key associated with a WIT via a JWT signature.
- Updates include clarifying the jti claim, fixing example discrepancies, inlining the ABNF for the header, and adding security considerations for the "audience" field.
- Flemming Andreasen noted that both WPT and HTTP Signatures depend on the completion of draft-ietf-wimse-workload-creds. The authors agreed that these should move in lockstep.
4. HTTP Signatures
Draft: draft-ietf-wimse-http-signature
Presentation: HTTP Signatures
- Joe Salowey (on behalf of Yaron Sheffer) presented a solution for audience alignment to prevent signature reuse. The proposal involves signing the entire URI, including the request target.
- Brian Campbell expressed reservations regarding the introduction of a new HTTP header and the architectural approach of "jamming" identifiers from different layers into the signature, suggesting this may face scrutiny from the HTTP Directorate.
5. WIMSE Architecture
Draft: draft-ietf-wimse-arch
Presentation: WIMSE Architecture (update)
- Joe Salowey provided updates on defining "workload instance" versus "workload" and revising the bootstrapping/attestation section.
- Hank Birkholz queried if platform capabilities should be part of the instance definition. Yaroslav Rosomakho suggested that platform hosting details could be handled via attestation or encoded in the identifier path.
- The authors plan to align terminology across all WIMSE documents.
6. WIMSE Identifier
Draft: draft-ietf-wimse-identifier
Presentation: WIMSE Identifier
- Yaroslav Rosomakho detailed the definition of "workload identifier origin" and the migration of the wimse: URI scheme into this draft.
- The authors currently see no need for a new IANA registry for WIMSE identifier schemes, preferring the existing URI scheme registry.
- There was a consensus to keep the WIMSE URI scheme flexible rather than being overly opinionated about path structures.
7. WIMSE Workload Identity Practices
Draft: draft-ietf-wimse-workload-identity-practices
Presentation: WIMSE Workload Identity Practices
- Arnt Gulbrandsen presented the status of the draft currently in WGLC.
- Key updates involve distinguishing between "access credentials" (e.g., IAM roles) and "signed instance metadata" used for federation.
- The group discussed the need for more reviews to finalize the document.
Decisions and Action Items
- Terminology Alignment: Authors across all drafts agreed to a tracking effort to ensure terms like "workload," "instance," "credential," and "identity" are used consistently, with definitions centralized in the architecture or identifier drafts where appropriate.
- Modular Draft Progression: The authors of the split drafts (draft-ietf-wimse-workload-creds, draft-ietf-wimse-wpt, and draft-ietf-wimse-http-signature) will aim to progress these in lockstep, focusing first on the credentials document as a prerequisite.
- Review Volunteers: The following participants committed to reviewing draft-ietf-wimse-workload-identity-practices:
- Flemming Andreasen
- Kathleen Moriarty (follow-up review)
- Lucia Rodriguez
- Brian Campbell
Next Steps
- Vienna (IETF 126) Goal: Authors for draft-ietf-wimse-identifier and draft-ietf-wimse-arch aim to be ready for WGLC by the next meeting.
- Interim Meetings: The chairs will schedule interim meetings if requested by the editors to resolve architectural alignment or discuss new topics.
- Draft Updates: Arnt Gulbrandsen to publish a new revision of draft-ietf-wimse-workload-identity-practices shortly; chairs will then re-issue the WGLC call.
Related Documents
draft-ietf-wimse-arch, draft-ietf-wimse-http-signature, draft-ietf-wimse-identifier, draft-ietf-wimse-workload-creds, draft-ietf-wimse-workload-identity-practices, draft-ietf-wimse-wpt