Lucas Käldström
Lucas is a Kubernetes and cloud native contributor and expert who has been serving the CNCF community in various lead positions. He was a CNCF Ambassador for 7 years and was awarded Top CNCF Ambassador 2017 with Sarah Novotny. Lucas was a co-lead for SIG Cluster Lifecycle, WG Component Standard, co-created kubeadm, Weave Ignite, and ported Kubernetes to ARM. Lucas founded and ran 3 meetups in Finland, co-created the meetup collective Cloud Native Nordics and has spoken at 10 KubeCons, including delivering a keynote with Nikhita Raghunath. Lucas wrote his BSc thesis on cloud native principles, and is now researching access control in cloud native control plane APIs, today working as a Senior Software Engineer at Upbound.
Senior Software Engineer at Upbound
Session
OpenID Connect (OIDC) and mutual TLS are popular authentication mechanisms used widely in cloud native environments, and commonly as a basis for workload identity in SPIFFE. However, OIDC tokens are prone to interception, replay, and forwarding attacks and are unable to guarantee end-to-end request authenticity. Mutual TLS solves those problems at the transport layer, but is rarely used in browsers, and seldom fully end-to-end in microservices-oriented systems. HTTP Message Signatures is a new IETF specification that aims to prevent credential replay and forwarding attacks, provide end-to-end request integrity, and be broadly deployable.
This talk introduces the audience to HTTP Message Signatures and demonstrates its security benefits for authentication in cloud native, microservice-oriented systems. Further, we’ll cover how the use of smart caching and replication allows this protocol to scale to millions of requests per second, and how this could be integrated with SPIFFE.
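As an added illustration of the properties the abstract names (this is example code written for this page, not material from the talk or from any IETF implementation), the block below builds an RFC 9421 style signature base over a request's method, authority, path and a header, signs it, and then verifies it with replay and lifetime checks. It uses the spec's `hmac-sha256` algorithm purely so that it runs with the Python standard library; the shared key, key id, nonce, service names and request are all constructed values, and a real deployment would use per-workload asymmetric keys. The `demo()` function walks through a legitimate request, a replayed one, one forwarded to a different authority, one whose covered header was altered in transit, and one presented after its `expires` time.

```python
"""Added example: HTTP Message Signatures (RFC 9421 conventions) with HMAC-SHA256.

Covered components are bound into the signature base, so a signature made for one
authority/path/header set does not verify for another; created/expires/nonce
parameters give a validity window and replay detection.
"""
import base64
import hashlib
import hmac

# Constructed shared secret and key id for the example only.
SHARED_KEY = b"constructed-shared-secret-not-a-real-key"
KEY_ID = "svc-a-key-1"


def serialize_params(components, params):
    """Serialize the @signature-params value: an inner list of covered
    component identifiers followed by ;key=value parameters, in order."""
    s = "(" + " ".join(f'"{c}"' for c in components) + ")"
    for k, v in params.items():
        s += f";{k}={v}" if isinstance(v, int) else f';{k}="{v}"'
    return s


def component_value(name, request):
    """Resolve a derived component (@method, @authority, @path) or a lowercase header name."""
    derived = {"@method": request["method"], "@authority": request["authority"],
               "@path": request["path"]}
    return derived[name] if name in derived else request["headers"][name]


def signature_base(request, components, params_value):
    """Canonical signature base: one '"id": value' line per covered component,
    then the "@signature-params" line, joined by LF with no trailing LF."""
    lines = [f'"{c}": {component_value(c, request)}' for c in components]
    lines.append(f'"@signature-params": {params_value}')
    return "\n".join(lines)


def sign_request(request, key, key_id, components, now, nonce, lifetime=60):
    """Return a copy of the request carrying Signature-Input and Signature headers."""
    params = {"created": now, "expires": now + lifetime, "nonce": nonce,
              "keyid": key_id, "alg": "hmac-sha256"}
    params_value = serialize_params(components, params)
    base = signature_base(request, components, params_value)
    mac = hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()
    headers = dict(request["headers"])
    headers["signature-input"] = f"sig1={params_value}"
    headers["signature"] = f"sig1=:{base64.b64encode(mac).decode('ascii')}:"
    return {**request, "headers": headers}


def parse_signature_input(value):
    """Parse 'sig1=("a" "b");created=1;keyid="k"' into (label, components, params, raw_value)."""
    label, raw = value.split("=", 1)
    inner, _, rest = raw.partition(")")
    components = [c.strip('"') for c in inner.lstrip("(").split()]
    params = {}
    for p in rest.lstrip(";").split(";"):
        k, v = p.split("=", 1)
        params[k] = int(v) if v.isdigit() else v.strip('"')
    return label, components, params, raw


def verify_request(request, key, now, seen_nonces):
    """Recompute the base from the request as received, check the MAC, then the
    validity window and the nonce. Returns (ok, reason); records accepted nonces."""
    headers = request["headers"]
    label, components, params, raw = parse_signature_input(headers["signature-input"])
    sig_label, sig_value = headers["signature"].split("=", 1)
    if sig_label != label or params.get("alg") != "hmac-sha256":
        return False, "unsupported signature"
    try:
        base = signature_base(request, components, raw)
    except KeyError:
        return False, "missing covered component"
    expected = hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()
    received = base64.b64decode(sig_value.strip(":"))
    if not hmac.compare_digest(expected, received):
        return False, "bad signature"  # forwarded to another authority or tampered
    if "created" not in params or "expires" not in params:
        return False, "missing validity window"
    if not params["created"] <= now < params["expires"]:
        return False, "outside validity window"
    nonce = params.get("nonce")
    if nonce is None or nonce in seen_nonces:
        return False, "replayed nonce" if nonce else "missing nonce"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Exercise the cases from the abstract on a constructed request."""
    components = ["@method", "@authority", "@path", "content-type"]
    request = {"method": "POST", "authority": "orders.svc.example.internal",
               "path": "/v1/orders", "headers": {"content-type": "application/json"}}
    now = 1_700_000_000
    signed = sign_request(request, SHARED_KEY, KEY_ID, components, now, nonce="n-0001")
    seen = set()
    results = {"first": verify_request(signed, SHARED_KEY, now + 5, seen)}
    results["replay"] = verify_request(signed, SHARED_KEY, now + 10, seen)
    forwarded = {**signed, "authority": "billing.svc.example.internal"}
    results["forward"] = verify_request(forwarded, SHARED_KEY, now + 5, set())
    tampered = {**signed, "headers": {**signed["headers"], "content-type": "text/plain"}}
    results["tamper"] = verify_request(tampered, SHARED_KEY, now + 5, set())
    results["late"] = verify_request(signed, SHARED_KEY, now + 120, set())
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8} -> {outcome}")
```

The verifier rebuilds the base from what it actually received rather than trusting anything the sender says about it, which is what makes the authority and header bindings hold end to end; the nonce set stands in for the shared cache the talk mentions, since replay detection across replicas needs that state to be visible to every verifier.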