**Session Date/Time:** 17 Mar 2026 03:30

# [WIMSE](../wg/wimse.html)

**IETF 125 - Shenzhen, China**

**Session:** WIMSE (Workload Identity in a Multi-System Environment)

**Chairs:** Justin Richer, Peter Loftquist

**Note Taker:** (Noted in transcript)

**On-site Coordinator:** Ory Segal

---

## Summary

The WIMSE working group met at IETF 125 to discuss the progress of its seven active adopted drafts. The primary focus of the session was on refining the modularized documents resulting from the split of the original service-to-service authentication draft and aligning terminology across the architecture, identifier, and credential specifications. One document is currently in Working Group Last Call (WGLC), and several others are nearing that stage.

---

## Key Discussion Points

### 1. Welcome and Chair Updates

*Presentation:* [Welcome and Chair Updates](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-welcome-and-chair-updates-01)

The chairs emphasized a focus on adopted work. With the group reaching the two-year mark, the priority is finishing existing items before taking on new work. The "elephant" draft (service-to-service) has been successfully split into four more manageable "gazelle" drafts to accelerate progress.

### 2. WIMSE Workload Credentials

*Draft:* [draft-ietf-wimse-workload-creds](https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-creds/)

*Presentation:* [WIMSE Workload Credentials](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-wimse-workload-credentials-00)

* **Brian Campbell** presented the status of the credential draft, which defines the Workload Identity Token (WIT) in JWT format and the Workload Identity Credential in X.509 format.
* Recent updates focused on removing identifier definitions and referencing [draft-ietf-wimse-identifier](https://datatracker.ietf.org/doc/draft-ietf-wimse-identifier/) directly.
* **Kathleen Moriarty** raised a concern regarding terminology, specifically distinguishing between identifiers and credentials (keys vs. binding of keys to identity). Brian clarified that the credential is the combination of the key pair and the binding to the identifier (e.g., via SAN in X.509 or `sub` in JWT).

### 3. WIMSE Workload Proof Token (WPT)

*Draft:* [draft-ietf-wimse-wpt](https://datatracker.ietf.org/doc/draft-ietf-wimse-wpt/)

*Presentation:* [WIMSE Workload Proof Token](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-wimse-workload-proof-token-00)

* **Brian Campbell** discussed the mechanism for proving possession of the private key associated with a WIT via a JWT signature.
* Updates include clarifying the `jti` claim, fixing example discrepancies, inlining ABNF for the header, and adding security considerations for the "audience" field.
* **Flemming Andreasen** noted that both WPT and HTTP Signatures depend on the completion of [draft-ietf-wimse-workload-creds](https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-creds/). The authors agreed that these should move in lockstep.

### 4. HTTP Signatures

*Draft:* [draft-ietf-wimse-http-signature](https://datatracker.ietf.org/doc/draft-ietf-wimse-http-signature/)

*Presentation:* [HTTP Signatures](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-http-signatures-00)

* **Joe Salowey** (on behalf of Yaron Sheffer) presented a solution for audience alignment to prevent signature reuse. The proposal involves signing the entire URI, including the request target.
* **Brian Campbell** expressed reservations regarding the introduction of a new HTTP header and the architectural approach of "jamming" identifiers from different layers into the signature, suggesting this may face scrutiny from the HTTP Directorate.

### 5. WIMSE Architecture

*Draft:* [draft-ietf-wimse-arch](https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/)

*Presentation:* [WIMSE Architecture (update)](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-wimse-architecture-update-00)

* **Joe Salowey** provided updates on defining "workload instance" versus "workload" and revising the bootstrapping/attestation section.
* **Hank Birkholz** queried if platform capabilities should be part of the instance definition. **Yaroslav Rosomakho** suggested that platform hosting details could be handled via attestation or encoded in the identifier path.
* The authors plan to align terminology across all WIMSE documents.

### 6. WIMSE Identifier

*Draft:* [draft-ietf-wimse-identifier](https://datatracker.ietf.org/doc/draft-ietf-wimse-identifier/)

*Presentation:* [WIMSE Identifier](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-wimse-identifier-00)

* **Yaroslav Rosomakho** detailed the definition of "workload identifier origin" and the migration of the `wimse:` URI scheme into this draft.
* The authors currently see no need for a new IANA registry for WIMSE identifier schemes, preferring the existing URI scheme registry.
* There was a consensus to keep the WIMSE URI scheme flexible rather than being overly opinionated about path structures.

### 7. WIMSE Workload Identity Practices

*Draft:* [draft-ietf-wimse-workload-identity-practices](https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-practices/)

*Presentation:* [WIMSE Workload Identity Practices](https://datatracker.ietf.org/meeting/125/materials/slides-125-wimse-wimse-workload-identity-practices-00)

* **Arnt Gulbrandsen** presented the status of the draft currently in WGLC.
* Key updates involve distinguishing between "access credentials" (e.g., IAM roles) and "signed instance metadata" used for federation.
* The group discussed the need for more reviews to finalize the document.

---

## Decisions and Action Items

* **Terminology Alignment:** Authors across all drafts agreed to a tracking effort to ensure terms like "workload," "instance," "credential," and "identity" are used consistently, with definitions centralized in the architecture or identifier drafts where appropriate.
* **Modular Draft Progression:** The authors of the split drafts ([draft-ietf-wimse-workload-creds](https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-creds/), [draft-ietf-wimse-wpt](https://datatracker.ietf.org/doc/draft-ietf-wimse-wpt/), and [draft-ietf-wimse-http-signature](https://datatracker.ietf.org/doc/draft-ietf-wimse-http-signature/)) will aim to progress these in lockstep, focusing first on the credentials document as a prerequisite.
* **Review Volunteers:** The following participants committed to reviewing [draft-ietf-wimse-workload-identity-practices](https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-practices/):
  * Flemming Andreasen
  * Kathleen Moriarty (follow-up review)
  * Lucia Rodriguez
  * Brian Campbell

---

## Next Steps

* **Vienna (IETF 126) Goal:** Authors for [draft-ietf-wimse-identifier](https://datatracker.ietf.org/doc/draft-ietf-wimse-identifier/) and [draft-ietf-wimse-arch](https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/) aim to be ready for WGLC by the next meeting.
* **Interim Meetings:** The chairs will schedule interim meetings if requested by the editors to resolve architectural alignment or discuss new topics.
* **Draft Updates:** Arnt Gulbrandsen to publish a new revision of [draft-ietf-wimse-workload-identity-practices](https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-practices/) shortly; chairs will then re-issue the WGLC call.