- https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE.md
1. The SPIFFE standard consists of three main components:
- SPIFFE ID: a standardised identity namespace (for JWT-SVIDs, the "sub" claim contains the SPIFFE ID)
- SPIFFE Verifiable Identity Document (SVID): specifies how an issued identity is presented and verified
- Workload API: specifies the API through which identities can be retrieved and/or issued (implementors can verify the authenticity of the caller to the Workload API via an out-of-band method, such as inspecting the properties of the process calling the Unix domain socket that are provided by the operating system). Besides providing a workload with the SVIDs it needs, the Workload API also provides the CA bundles the workload should outwardly trust. These bundles are associated with trust domains other than the one that issued the SVID and are used for federation.
- The SPIFFE Workload Endpoint implementation is responsible for identifying the caller. The SPIFFE Workload API then uses the information about the caller to determine the appropriate content to serve.
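The notes above tie together the SPIFFE ID syntax, the "sub" claim of a JWT-SVID, and the per-trust-domain bundles handed out by the Workload API. The following added example (my own illustration, not code from the SPIFFE project) validates a SPIFFE ID against the spec's syntax rules and then uses the "sub" claim of a JWT-SVID to pick the bundle (local or federated) a verifier would need; the token builder and the bundle contents are constructed fixtures, and signature verification with the selected bundle is deliberately left as the next step.

```python
import base64
import json
import re

# Character sets from the SPIFFE ID specification: trust domains are lowercase,
# path segments may also contain uppercase; no empty, "." or ".." segments.
_TD_RE = re.compile(r"^[a-z0-9._-]+$")
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_spiffe_id(spiffe_id: str) -> tuple[str, str]:
    """Validate a SPIFFE ID; return (trust_domain, path) or raise ValueError."""
    if not spiffe_id.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    trust_domain, sep, path = spiffe_id[len("spiffe://"):].partition("/")
    if not _TD_RE.match(trust_domain):  # also rejects ports, userinfo, uppercase
        raise ValueError("invalid trust domain")
    if sep and (not path or path.endswith("/")):
        raise ValueError("path must not be empty or end with '/'")
    for seg in path.split("/") if path else []:
        if seg in (".", "..") or not _SEG_RE.match(seg):
            raise ValueError(f"invalid path segment {seg!r}")
    return trust_domain, "/" + path if path else ""


def _b64url_json(part: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def bundle_for_jwt_svid(token: str, bundles: dict[str, list[str]]) -> tuple[str, list[str]]:
    """Pick the trust bundle a verifier must use for a JWT-SVID: the 'sub' claim
    carries the SPIFFE ID, and its trust domain selects the local or a federated
    bundle. Verifying the signature against that bundle must follow this step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    sub = _b64url_json(parts[1]).get("sub")
    if not isinstance(sub, str):
        raise ValueError("JWT-SVID is missing the 'sub' claim")
    trust_domain, _ = parse_spiffe_id(sub)
    if trust_domain not in bundles:
        raise ValueError(f"no trust bundle for trust domain {trust_domain!r}")
    return trust_domain, bundles[trust_domain]


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture only: a JWT with an empty signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed bundles (placeholders, not real certificates): the workload's own
# trust domain plus one federated domain, keyed as the Workload API returns them.
BUNDLES = {"example.org": ["<local CA cert>"], "partner.example": ["<federated CA cert>"]}
```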