would you mind elaborating on "This inherently makes it impossible to ever work with any other software that uses SPIFFE IDs where the path implementation conveys information to the implementor'
The SPIFFE spec does not specify what a SPIFFE URI's path represents. The spec leaves it up to the implementor. However, it does state that the implementor may elect to use it to describe hierarchal information (SPIFFE-ID 2.2) and then provides some examples.
When an organization declares that only its SPIFFE ID format will be used within a certificate, it also implies that no other software can use the path information to store hierarchy information as it cannot guarantee the path formatting. Essentially, one implementor is saying only their format(s) is allowed, and any other format is invalid.
One could say that an agreement between the implementor's format and software could be made (i.e., "make it configurable"). However, there is no specification for that, meaning it would be a one-off implementation or a generic parsing solution. A generic parsing solution raises issues regarding declaration/parsing and poor configuration, adding complexity and attack vectors.
As an example, in OpenZiti, we are planning on moving towards network-specific SPIFFE IDs with hierarchal path information:
- Controllers:
spiffe://<trust domain>/controller/<id>
- Routers:
spiffe://<trust domain>/router/<id>
- Identity:
spiffe://<trust domain>/identity/<id>
- API Session Certificate:
spiffe://<trust domain>/identity/<id>/api-session/<id>/certificate/<id>
- ...among others
If someone says, "OpenZiti has no agency over their SPIFFE IDs," then OpenZiti cannot implement the features that seek to leverage SPIFFE IDs where the path conveys hierarchy information.
SPIFFE IDs can be used opaquely between implementors (i.e., using the URI as a single value). This is only spec assured usage when working between SPIFFE ID implementors.
As far as I understand, there is no hard-and-fast rule in spiffe spec which says you have to use diff trust domains across an organization and that choice is left to implementors.
There isn't and that isn't the issue. The trust domain could be the same. The issue is declaring eminent domain over the path formatting.
I am not sure I understand why openziti relies on having its own trust domain? If the primary objective of spiffe is to have a unique identity, why should it matter if its part of a same trust domain or 2 diff trust domains?
OpenZiti doesn't have to have its own trust domain. The only requirement is that OpenZiti requires it to be freely able to use its own path format when specifying SPIFFE IDs. If the trust domain OpenZiti is being instructed to use has its own required path formatting, then there is an issue.
I feel its a fair assumption that any organization who is already using spiffe is going to have some structure in their spiffe ids.
I agree.