louis79_hacker 3 days ago

You’re mixing models that don’t really fit together. SPIFFE isn’t designed for delegation at all—it’s a PKI-style system: centralized issuance, short-lived certs, and a single trust root per domain. It gives workloads authenticated identity, not transitive authority. There’s no notion of “A acts on behalf of B” baked into SPIFFE.

Verifiable Credentials (VCs) solve a different problem. They’re decentralized, flexible, and can express explicit delegation chains like “A asserts B may perform X.” That’s capability-style reasoning, not identity issuance.

Trying to bolt VC-style delegation onto SPIFFE breaks both systems’ assumptions:

SPIFFE’s hierarchical trust model doesn’t mesh with the web-of-trust VC model.

Its short-lived SVIDs don’t persist long enough for meaningful delegation chains.

SPIRE doesn’t understand VC proofs (JSON-LD, linked data signatures).

You’d need a whole external policy and capability layer to make it work.

SPIFFE nails workload identity; VCs and capability systems handle delegation and contextual authority. Mixing them because “they both do identity” misses the point—they live at different layers of the trust stack.

andylow 3 days ago | parent

What would be a better approach, then?

louis79_hacker 3 days ago | parent | next

If you’re trying to make SPIFFE handle delegation, you’re forcing the wrong layer to do the wrong job. SPIFFE gives you workload identity and attestation, full stop. It’s PKI for machines — not a delegation framework.

A better model is to separate identity from capability:

SPIFFE/SPIRE handles who the agent is (short-lived, attested identity).

Capabilities / Macaroons / ZCAP-LD handle what that agent is allowed to do, and who delegated it.

OPA or Cedar enforces policy at runtime.

VCs come in only if you need cross-domain delegation (federated or multi-issuer trust).

So SPIFFE issues identities, and those identities mint or receive verifiable capabilities that describe explicit rights. You get composable, auditable delegation without breaking SPIFFE’s short-lived cert model or pretending it can do web-of-trust semantics.

Trying to bake delegation into SPIFFE itself is just reimplementing capability security badly.

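The split the comment above describes (SPIFFE answers "who is this workload", a capability answers "what may it do and who delegated it") can be shown with a Macaroon-style token: an HMAC chain in which every holder can add a restriction and nobody can remove one. The code below is an added illustration, not the commenter's code and not a real Macaroon or SPIRE library; the root key, the SPIFFE IDs `spiffe://example.org/agent-a` / `agent-b`, the resource name and the `delegate=`, `action=` and `exp=` caveat forms are all constructed for the example, and the presenter's SPIFFE ID is assumed to arrive in `ctx["peer"]` from the resource server's mTLS handshake.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample values; a real deployment gets the root key from the
# capability issuer and the peer SPIFFE ID from the mTLS handshake (SVID).
ROOT_KEY = b"constructed-root-key-do-not-reuse"
AGENT_A = "spiffe://example.org/agent-a"
AGENT_B = "spiffe://example.org/agent-b"
RESOURCE = "orders-db"


def _chain(key: bytes, msg: str) -> bytes:
    """One link of the HMAC chain: the previous signature keys the next."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Capability:
    identifier: str   # public: which resource this capability covers
    caveats: tuple    # public: restrictions, each "name=value", append-only
    signature: bytes  # HMAC chain over identifier and every caveat in order


def attenuate(cap: Capability, caveat: str) -> Capability:
    """Any holder can add a caveat; removing one invalidates the chain."""
    return Capability(cap.identifier, cap.caveats + (caveat,),
                      _chain(cap.signature, caveat))


def mint(root_key: bytes, resource: str, first_holder: str) -> Capability:
    """Issuer mints a capability for `resource` bound to the first SPIFFE ID."""
    identifier = json.dumps({"resource": resource})
    root = Capability(identifier, (), _chain(root_key, identifier))
    return attenuate(root, f"delegate={first_holder}")


def delegate(cap: Capability, to_spiffe_id: str) -> Capability:
    """'A asserts B may act': A appends B to the delegation chain and hands it over."""
    return attenuate(cap, f"delegate={to_spiffe_id}")


def _caveat_holds(name: str, value: str, ctx: dict) -> bool:
    if name == "action":
        return ctx.get("action") == value
    if name == "exp":
        return ctx.get("now", float("inf")) < int(value)
    if name == "delegate":
        return True   # the whole delegation chain is checked in verify()
    return False      # unknown caveat type: fail closed


def verify(root_key: bytes, cap: Capability, ctx: dict) -> bool:
    """Resource-server check; ctx['peer'] is the SPIFFE ID authenticated by mTLS."""
    sig = _chain(root_key, cap.identifier)
    delegates = []
    for caveat in cap.caveats:
        name, sep, value = caveat.partition("=")
        if not sep or not _caveat_holds(name, value, ctx):
            return False
        if name == "delegate":
            delegates.append(value)
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, cap.signature):
        return False  # tampered, or a caveat was stripped
    # The presenter must be the last identity in the delegation chain.
    return bool(delegates) and delegates[-1] == ctx.get("peer")


def demo() -> dict:
    now = 1_700_000_000
    # Issuer mints for agent A: reads only, expiring in one hour.
    cap_a = attenuate(mint(ROOT_KEY, RESOURCE, AGENT_A), "action=read")
    cap_a = attenuate(cap_a, f"exp={now + 3600}")
    # A delegates to B; B can hold at most what A held.
    cap_b = delegate(cap_a, AGENT_B)
    # Someone strips the last caveat to reuse the token under A's identity.
    forged = Capability(cap_b.identifier, cap_b.caveats[:-1], cap_b.signature)
    read_now = {"action": "read", "now": now}
    return {
        "a_reads": verify(ROOT_KEY, cap_a, {"peer": AGENT_A, **read_now}),
        "a_writes": verify(ROOT_KEY, cap_a, {"peer": AGENT_A, "action": "write", "now": now}),
        "b_reads_with_delegation": verify(ROOT_KEY, cap_b, {"peer": AGENT_B, **read_now}),
        "a_uses_delegated_cap": verify(ROOT_KEY, cap_b, {"peer": AGENT_A, **read_now}),
        "b_reads_expired": verify(ROOT_KEY, cap_b, {"peer": AGENT_B, "action": "read", "now": now + 7200}),
        "stripped_caveat": verify(ROOT_KEY, forged, {"peer": AGENT_A, **read_now}),
        "chain": [c for c in cap_b.caveats if c.startswith("delegate=")],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The identity layer never changes here: the resource server learns who is calling from the SVID on the mTLS connection, and the token only says what that identity may do and through whom the right arrived. Everything the verifier needs to audit is in the caveat list, and the HMAC chain means a delegate cannot widen what it was given.
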
andylow 2 days ago | parent

I do understand what you are saying, but in my head it feels a bit too overcomplicated to just tell any developer doing AI agents to do all this stuff; there must be a cleaner way to do it.
