OpenID Connect (OIDC) and mutual TLS are popular authentication mechanisms used widely in cloud native environments, and commonly as a basis for workload identity in SPIFFE. However, OIDC tokens are prone to interception, replay, and forwarding attacks and are unable to guarantee end-to-end request authenticity. Mutual TLS solves those problems at the transport layer, but is rarely used in browsers, and seldom fully end-to-end in microservices-oriented systems. HTTP Message Signatures is a new IETF specification that aims to solve credential replay, forwarding and end-to-end integrity attacks, and be broadly deployable.

This talk introduces the audience to HTTP Message Signatures and demonstrates its security benefits to authentication in cloud native, microservice-oriented, systems. Further, we’ll cover how the use of smart caching and replication allows this protocol to scale to millions of requests per second, and how this could be integrated with SPIFFE.