My colleague in CloudBees Operations, Ben Walding, shared some feedback with me
off list, which he's allowed me to share more broadly. A summary of his
questions is below, with some of my responses inline.

* UUID: If the UUID is the fingerprint of the Jenkins instance, are there any
PII issues?

In this design the UUID is literally a UUID generated on the server
side by the Node `uuid` module, so it's only correlated to the
instance after the registration has completed. That said, yes, there is
a GDPR identification concern if/when that Instance UUID is associated in a
backend database with an individual's identity (e.g. GitHub Username). At this
point this is a concern which I am aware of, but we're not far enough along in
Jenkins Essentials to where this affects our designs.

* Service Authentication: I'm assuming you're thinking of TLS/HTTPS for
transport protection between the client and the server?

TLS is definitely a requirement, full stop. I have updated the document with
this under the Security section.

* JWT Bearer Tokens vs. Request Signing: IIUC, the JWT is used as part of an
HMAC signing of the request? The way you've talked about it, it seems more
like a Bearer token (which has risks around replay).

JWT is being used much more as a bearer token than for HMAC
signing of the request. ("JWT Simple" :))

At this point I do not see additional value in request signing, given the
additional key management overhead to pass a client's public key around between
backend services in order to verify request signatures. I've added some
additional notes to the "Alternative Approaches" section of the document to
capture this concern, however.

I've had some constructive discussions around this design, and have made
substantial progress on the implementation work, so I have proposed my JEP
document for numbering and Draft status in this pull request:
https://github.com/jenkinsci/jep/pull/74
Thanks for providing feedback everybody!