# Secure Production Identity Framework for Everyone (SPIFFE)

> Source: https://raw.githubusercontent.com/spiffe/spiffe/main/standards/SPIFFE.md

> Downloaded: 2026-06-07

## Status of this Memo

This document specifies an identity and identity issuance standard for the internet community, and requests discussion and suggestions for improvements.

## Abstract

Distributed design patterns and practices such as microservices, container orchestrators, and cloud computing have led to production environments that are increasingly dynamic and heterogeneous. Conventional security practices (such as network policies that only allow traffic between particular IP addresses) struggle to scale under this complexity. A first-class identity framework for workloads in an organization becomes necessary.

The SPIFFE standard provides a specification for a framework capable of bootstrapping and issuing identity to services across heterogeneous environments and organizational boundaries.

## Table of Contents

1. [Introduction](#1-introduction)
2. [The SPIFFE ID](#2-the-spiffe-id)
3. [The SPIFFE Verifiable Identity Document](#3-the-spiffe-verifiable-identity-document)
4. [The Workload API](#4-the-workload-api)
5. [Conclusion](#5-conclusion)

## 1. Introduction

The SPIFFE standard comprises three major components:

- **SPIFFE ID** - standardizes an identity namespace
- **SPIFFE Verifiable Identity Document (SVID)** - dictates the manner in which an issued identity may be presented and verified
- **Workload API** - specifies an API through which identity may be retrieved and/or issued

## 2. The SPIFFE ID

A SPIFFE ID is a structured string (represented as a URI of the form `spiffe://<trust domain>/<path>`) which serves as the "name" of an entity. The trust domain identifies the trust root, that is, the SPIFFE infrastructure that issued the identity, and the path names the workload within it. The grammar of the ID and the rules for validating one are defined in the [SPIFFE Identity and Verifiable Identity Document](SPIFFE-ID.md) specification.

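The following parser is an added example, not the project's own code. It applies the validation rules of the SPIFFE ID specification this section references, which the page itself does not list: the scheme is `spiffe`, the trust domain is a non-empty run of lowercase letters, digits, dots, dashes and underscores, the path is made of non-empty segments that are not `.` or `..` and use only letters, digits, dots, dashes and underscores, the whole ID is at most 2048 bytes, and a port, userinfo, query, fragment or percent-encoding is not allowed anywhere. The sample inputs in `main` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SPIFFEID holds the two components of a validated spiffe://<trust-domain>/<path> string.
type SPIFFEID struct {
	TrustDomain string
	Path        string // "" for the trust domain's root identity, otherwise starts with "/"
}

func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

const maxSPIFFEIDBytes = 2048 // ceiling set by the SPIFFE ID specification

// Trust domain names are lowercase only; path segments may also contain uppercase letters.
func isTrustDomainByte(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

func isPathByte(c byte) bool {
	return isTrustDomainByte(c) || (c >= 'A' && c <= 'Z')
}

// ParseSPIFFEID accepts only strings that satisfy the SPIFFE ID grammar. Because both
// character sets exclude ':', '@', '?', '#' and '%', a port, userinfo, query, fragment or
// percent-encoded byte anywhere in the string is rejected by construction.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	if len(s) > maxSPIFFEIDBytes {
		return SPIFFEID{}, errors.New("spiffe id longer than 2048 bytes")
	}
	const scheme = "spiffe://"
	if !strings.HasPrefix(s, scheme) {
		return SPIFFEID{}, errors.New("scheme must be spiffe://")
	}
	rest := s[len(scheme):]
	td, after, hasPath := rest, "", false
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		td, after, hasPath = rest[:i], rest[i+1:], true
	}
	if td == "" {
		return SPIFFEID{}, errors.New("empty trust domain")
	}
	for i := 0; i < len(td); i++ {
		if !isTrustDomainByte(td[i]) {
			return SPIFFEID{}, fmt.Errorf("invalid byte %q in trust domain", td[i])
		}
	}
	id := SPIFFEID{TrustDomain: td}
	if !hasPath {
		return id, nil
	}
	// Every segment between slashes must be non-empty, must not be a dot segment (which
	// would let "/ns/../admin" alias another identity) and must use the path charset.
	for _, seg := range strings.Split(after, "/") {
		switch seg {
		case "":
			return SPIFFEID{}, errors.New("empty path segment (double or trailing slash)")
		case ".", "..":
			return SPIFFEID{}, errors.New("dot segments are not allowed in the path")
		}
		for i := 0; i < len(seg); i++ {
			if !isPathByte(seg[i]) {
				return SPIFFEID{}, fmt.Errorf("invalid byte %q in path segment %q", seg[i], seg)
			}
		}
	}
	id.Path = "/" + after
	return id, nil
}

func main() {
	// Constructed sample inputs: the first two are valid, each of the rest breaks one rule.
	for _, s := range []string{
		"spiffe://example.org/ns/prod/sa/web",
		"spiffe://example.org",
		"spiffe://example.org/",
		"spiffe://Example.org/web",
		"spiffe://example.org/ns/../admin",
		"spiffe://example.org/sa/web%20app",
		"spiffe://example.org:8443/web",
		"spiffe://example.org/web?env=prod",
		"https://example.org/web",
	} {
		id, err := ParseSPIFFEID(s)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-40s trust domain=%s path=%q\n", s, id.TrustDomain, id.Path)
	}
}
```

Rejecting dot segments and empty segments at parse time matters because an ID is compared as an opaque string elsewhere (in authorization policy, in SVID checks); two spellings of the same identity would otherwise bypass any policy keyed on the canonical form.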
## 3. The SPIFFE Verifiable Identity Document

A SPIFFE Verifiable Identity Document (SVID) is a document which carries the SPIFFE ID itself: the functional equivalent of a passport. An SVID includes cryptographic properties which allow it to be:

1. proven as authentic
2. proven to belong to the presenter

An SVID itself is not a document type. Instead, we define:

1. the properties required of an SVID
2. the method by which SVID information can be encoded and validated in various existing document types

The supported document types are an **X.509 certificate** or a **JWT**.

## 4. The Workload API

The SPIFFE Workload API is the method through which workloads obtain their SVID(s). It is typically exposed locally (e.g., via a Unix domain socket), and explicitly does not include an authentication handshake or authenticating token from the workload: the endpoint identifies the calling process by out-of-band means (for example, metadata the kernel reports about the peer on the socket) rather than by anything the workload presents. In practice this means that access to the endpoint, and the correctness of that out-of-band attestation, are what keep one process on a host from fetching another workload's SVID.

In addition to providing a workload with its necessary SVIDs, the Workload API delivers the CA bundles which the workload should outwardly trust: the bundle of its own trust domain and the bundles of any federated trust domains, each keyed by trust domain name. A workload verifying a peer's SVID selects the bundle for the trust domain named in the peer's SPIFFE ID rather than pooling all bundles together; that is what allows federation without letting one trust domain's CA vouch for identities in another.

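The following is an added example, not the project's own code, covering both the X.509 form of the SVID from section 3 and the per-trust-domain bundles this section describes. Using only Go's standard library it mints two trust domains' CAs and their SVIDs in memory, then verifies a peer's leaf the way a federation-aware workload should: read the SPIFFE ID from the single URI SAN, pick the bundle for that ID's trust domain, and only then check the chain. The trust domain names, SPIFFE IDs and certificates are constructed fixtures, and the `Bundles` map stands in for what the Workload API would deliver; it is not the API's wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Bundles maps a trust domain name to the CAs that domain trusts (a fixture standing in for
// what the Workload API delivers: the workload's own bundle plus federated ones).
type Bundles map[string]*x509.CertPool

func check(err error) { if err != nil { panic(err) } }

// newCA mints a self-signed CA for a trust domain (in-memory fixture, not a real PKI).
func newCA(td string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: td + " CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueSVID signs a leaf whose only URI SAN is the SPIFFE ID, the shape an X.509 SVID takes.
func issueSVID(spiffeID string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	u, err := url.Parse(spiffeID)
	check(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "workload"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// VerifySVID returns the peer's SPIFFE ID once the leaf passes the checks a federation-aware
// verifier must make: exactly one spiffe:// URI SAN, a bundle known for the trust domain in
// that ID, and a chain to that bundle alone (so a federated CA cannot mint IDs in our domain).
func VerifySVID(leaf *x509.Certificate, bundles Bundles) (string, error) {
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", errors.New("leaf must carry exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0]
	roots, ok := bundles[id.Host]
	if !ok {
		return "", fmt.Errorf("no bundle for trust domain %q", id.Host)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain does not lead to the %q bundle: %w", id.Host, err)
	}
	return id.String(), nil
}

// BuildFixture constructs two federated trust domains with bundles, a third without, and four
// SVIDs: local, federated, one claiming example.org but signed by the partner CA, and a stray.
func BuildFixture() (Bundles, map[string]*x509.Certificate) {
	orgCA, orgKey := newCA("example.org")
	partnerCA, partnerKey := newCA("partner.example")
	strayCA, strayKey := newCA("unknown.test")
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	bundles := Bundles{"example.org": pool(orgCA), "partner.example": pool(partnerCA)}
	svids := map[string]*x509.Certificate{
		"local":     issueSVID("spiffe://example.org/ns/prod/sa/web", orgCA, orgKey),
		"federated": issueSVID("spiffe://partner.example/billing", partnerCA, partnerKey),
		"forged":    issueSVID("spiffe://example.org/ns/prod/sa/web", partnerCA, partnerKey),
		"unknown":   issueSVID("spiffe://unknown.test/x", strayCA, strayKey),
	}
	return bundles, svids
}

func main() {
	bundles, svids := BuildFixture()
	for _, name := range []string{"local", "federated", "forged", "unknown"} {
		id, err := VerifySVID(svids[name], bundles)
		fmt.Printf("%-9s id=%q err=%v\n", name, id, err)
	}
}
```

The "forged" case is the one worth internalizing: the partner CA is trusted, but only for `partner.example`. Had the verifier merged every bundle into one root pool, that leaf would chain successfully and a federated peer could impersonate any workload in `example.org`.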
## 5. Conclusion

Together, these components solve many of the authentication and traffic security challenges presented in modern, heterogeneous environments.

## Appendix A. List of SPIFFE Specifications

* [The SPIFFE Identity and Verifiable Identity Document](SPIFFE-ID.md)
* [The X.509 SPIFFE Verifiable Identity Document](X509-SVID.md)
* [The JWT SPIFFE Verifiable Identity Document](JWT-SVID.md)
* [The SPIFFE Workload Endpoint](SPIFFE_Workload_Endpoint.md)
* [The SPIFFE Workload API](SPIFFE_Workload_API.md)
* [The SPIFFE Trust Domain and Bundle](SPIFFE_Trust_Domain_and_Bundle.md)
* [SPIFFE Federation](SPIFFE_Federation.md)