Hi Everyone,
In the last few weeks I finally got some time to put together a draft proposal that aims to solve a subset of the concerns we raised in this working group, namely the "end user context propagation" use case.
You can read it here - and I'd love to hear feedback from this group on this design. Thanks to those who have already given feedback on earlier drafts.
Any and all feedback encouraged, but I'm particularly interested to hear:
- Does this provide the right trade-off of complexity for security guarantees?
- Are there weaknesses in this approach that aren't already captured in "Appendix B - Security concerns"?
- And most importantly, for those who have a desire to solve for end user context propagation and are implementing SPIFFE, is this design directionally correct? Can you see how it would fit your environment and use case?
We're a little behind our original July 29 deadline for this but I aim to address any feedback as quickly as possible. I'll set up some time on the calendar for us to review this as a group face to face in a couple of weeks, before hopefully putting it in front of the SPIFFE SIG-Spec for broader feedback.
Cheers,
AJ