rust-spiffe: provide a local validation of the JWT-SVID #289
Comments
hug-dev
added
security
From what I understand, this is based on JWK and for authenticating the Bundle Endpoint, there are two recommended approaches. The first one uses public CAs to authenticate the keys used in TLS - we'd need to use a TLS implementation and have access to a (local?) set of trusted CA certificates. Maybe we can ask them how they recommend this to be implemented? The second option uses TLS too, but ultimately relies on an initial trust bundle that is set up "through an offline exchange", so it'd have to be passed/configured by the admin (?) I'm curious if either of these options is already implemented somewhere in Rust, sounds like something that would be reusable by many other projects that integrate with Spiffe. |
|
From the freshly published JWT-SVID profile of the Workload API:
Also, there are security considerations of JWT-SVID which we currently apply (maybe we can check setting the lowest possible I think that using the |
|
Closing because of the above. If we wanted to add the validation in Parsec, we could use the |
This is an issue for the
rust-spifferepository when the JWT-SVID feature is merged in.Currently validation of JWT-SVID tokens is done through the Workload API (
ValidateJWTSVIDoperation). However this creates the constraint of trusting the Workload API endpoint: the JWT-SVID is a secret and is a parameter of that call. If an attacker controls that socket then they have access of the authentication values of clients.The validation could instead be done locally by fetching the trust bundle (the SPIFFE public keys) through the Bundle Endpoint which is authenticated.
The text was updated successfully, but these errors were encountered: