Hey everyone! I'm looking for your thoughts on Kliento, a workload authentication protocol that eliminates the need for long-lived shared secrets like API keys or the hassle of managing public keys as seen in JWTs and JWKS. The project is open source and built on decentralized protocols that have been independently audited for security.
Essentially, Kliento extends the idea of Kubernetes and GCP-style service accounts across the Internet, using short-lived credentials similar to JWTs that include a full DNSSEC-based trust chain.
This is designed for authenticating across organizations, such as when you're connecting to a third-party API or a managed DB server like MongoDB Atlas. However, it's not intended to replace Kubernetes' intra-cluster service accounts.
My main questions are: Would this be useful for you? How much of a challenge is workload authentication for you currently? And do you think the removal of API key management and JWKS endpoints would be beneficial? I'm all ears for any questions or feedback!
2 Answers
This is intriguing! I’m diving into workload authentication myself in scenarios where workloads need to be discovered and authorized on the fly. Is JavaScript the only server option available right now?
I see the fine line here. Clients need a way to show they’re legit, right? Traditional methods like API keys or SSH keys share some kind of secret ahead of time. And while JWTs give you short-lived tokens, they still require a secret to be exchanged first. Can you clarify how a server confirms the client’s identity with this protocol? I browsed your site, but it left me a bit perplexed.
The Kliento token bundle is where the magic happens; it includes the entire trust chain anchored in DNSSEC. So, when you present it to the server, it doesn't have to fetch any public keys since DNSSEC implementations are already equipped with the public key digests from IANA. Check out this animation that explains it better: https://veraid.net/#how-it-works. Basically, the server relies on DNSSEC root zone keys managed by IANA, which are present in every DNSSEC implementation.
Currently, yeah, it's just JS. The underlying protocol, VeraId, has a Kotlin implementation in the works, but I haven't integrated Kliento with it yet. We’ve also got a temporary solution for unsupported server languages that you can check out here: https://veraid.net/kliento/servers/#kliento-verifier. I’d love to hear more about your project! Are you focusing on cross-organization authentication? What server language are you using?