
Inside IETF Bangkok: Shaping the Future of Workload Identity and Access Management
I recently attended my first Internet Engineering Task Force (IETF 122) meeting in Bangkok and it was an eye-opening experience, especially regarding the evolving landscape of workload identity and access management.
One of the most interesting parts of attending these meetings is seeing firsthand how thoughtfully standards are crafted. As the organization’s mission statement puts it: “The overall goal of the IETF is to make the internet work better.”
Unlike the rapid, deadline-driven approach typical of everyday engineering, the IETF working groups meticulously debate and design protocols intended to last decades with an emphasis on practical real-world implementations that work well enough to be adopted widely enough to improve the internet. I never went to school for engineering and all of my experience is self-taught, so it was fascinating to see the more deliberate, academic, and sometimes philosophical side of engineering where even word choice can cause confusion between working groups and have long-lasting implications.
An unofficial motto of the IETF is: “We believe in rough consensus and running code.” That feels like a pretty good representation of the effort to balance the real-world implementations with the academic and philosophical considerations of standards development.

The other thing that struck me was how many working groups there are and the interconnected relationships between them. I originally joined the IETF for one working group, Workload Identity in Multi-System Environments (WIMSE). By the end of the week I had joined 6 more working groups, including a few with some fun names, that are also related to Workload IAM:
- Remote ATtestation ProcedureS (rats): Standardizing formats, procedures, and protocols for attesting the trustworthiness of systems and system components.
- Common Authentication Technology Next Generation (kitten): Developing extensions to improve security of Kerberos and GSS-API.
- Java Object Signing and Encryption (jose): Enhancing mechanisms for securely signing and encrypting JSON objects like selective disclosure and zero knowledge proofs.
- Web Authorization Protocol (oauth): Improving the interoperability and security of OAuth deployments.
- Supply Chain Integrity, Transparency, and Trust (scitt): Defining a set of interoperable building blocks that can be used to evaluate and attest the trustworthiness of software and its supply chain.
- Secure Patterns for Internet CrEdentials (spice): Analyzing existing and emerging IETF technologies coming from working groups like RATS, OAuth, JOSE, COSE, and SCITT to address gaps and facilitate application in digital credentials.
My main focus was still the WIMSE working group, which just turned 1 this year! WIMSE is developing a set of standards and informational documents addressing the unique identification, authentication, authorization, and accountability (IAAA) challenges that surface when trying to apply fine-grained, least-privilege access control across trust domains to your workloads. The goal is to provide clear guidance and implementation details to help combine the existing standards, open source projects, and community practices to enable consistent, secure and scalable IAAA for workloads that will even work in complex multi-cloud and multi-service environments like distributed microservices.
I am very excited about WIMSE and its growing support because it clearly indicates the broader industry’s acknowledgement of a critical gap we’ve long recognized: the need for standards that explicitly address secure cross-domain interactions between workloads. Several existing technologies like OIDC, JWT, and SPIFFE have been combined and implemented in various ways to make systems work, but these solutions are inconsistent and have been stitched together in isolation for purpose-built use cases. As the WIMSE charter clearly states in the core problem statement: “This ambiguity can lead to inconsistencies, interoperability issues, and potential security vulnerabilities.”
For us at Aembit, this aligns perfectly with our vision. Our existing suite of credential providers, such as those for OIDC (for example, Google Workload Identity Federation) and OAuth helps to improve the security and interoperability of Workload IAM for our customers.
Additionally, participating in these working groups highlighted another benefit: driving better security practices across the ecosystem. By establishing clear, well-thought-out standards, we empower customers and third-party vendors to move away from outdated authentication methods, such as static API keys, and adopt secure, scalable alternatives.
My involvement at IETF reinforced how important it is for many companies and individuals, from big enterprises to vendors like us to practitioners, students, and researchers, to actively contribute to shaping these emerging standards – not just to advance our products, but to genuinely enhance security practices industry-wide and fulfill the IETF mission of making the internet a better, more secure place. While standards adoption always remains optional, clearly defined protocols like WIMSE guide organizations in implementing secure, efficient, and interoperable workload identity solutions.
This ultimately benefits everyone striving to secure the increasingly complex interactions that define today’s digital infrastructure.
If you have the time and interest I highly recommend joining the IETF and signing up for a working group that you’re passionate about. I know I learned a ton — both from seasoned engineers and from newcomers bringing fresh perspectives.
*** This is a Security Bloggers Network syndicated blog from Aembit authored by Andrew McCormick. Read the original post at: https://aembit.io/blog/inside-ietf-bangkok-shaping-the-future-of-workload-identity-and-access-management/