Andrew Jessup
@whenfalse.bsky.social
Engineer, product-erer. 2x founder, 3x dad. Helped launch SPIFFE. HPE, Google, Scytale and a few other adventures. An Aussie in Michigan. Aspiring pilot. Appalling dancer.
Are you stopping by Osh?
July 22, 2025 at 11:06 AM
Whereabouts?
July 20, 2025 at 12:40 AM
Plate on the north side has been consistently good for us.
July 18, 2025 at 11:07 PM
Movie you’ve watched more than six times using gifs.

(“Hard mode” no Star Wars, Star Trek, or LOTR)
ALT: a man says give me a ping vasili in a dark room
April 26, 2025 at 7:40 PM
I've been on this train. And now I live in Ann Arbor. And I endorse this message.
February 19, 2025 at 6:14 AM
👊
January 4, 2025 at 2:11 AM
*Hugs*
December 24, 2024 at 12:02 PM
What are you getting in? Mfd?
December 15, 2024 at 2:13 AM
Basically it's translating a broad user auth token issued and validated online by an IdP into a new token that can be validated offline by anything that can validate a SPIFFE SVID.
December 7, 2024 at 3:14 PM
Netflix built a much simpler system with E2E tokens that seemed to scale really well.
December 7, 2024 at 2:14 PM
The implementation proposed here was only ever a POC, but there's a SPIFFE SIG pushing on the concept.
December 7, 2024 at 2:06 PM
Doing this safely (ie. without passing around broadly scoped user bearer tokens) isn't easy though.

Here's a write-up with more context docs.google.com/document/d/1...
Design Document: Delegated authentication context with SPIFFE
Design Document: Delegated Principal Authentication with SPIFFE Author(s): Andrew Jessup, Hewlett Packard Enterprise (HPE) Marcos A. Simplicio Jr., Universidade de São Paulo (USP) Charles C. Miers, U...
December 7, 2024 at 2:03 PM
We spent a while looking into this when exploring delegated identity for SPIFFE. In practice nesting identity for every service call is hard on impl. and perf. and encourages brittle authz policies. Usually identity of last service and initial user is all you need.
December 7, 2024 at 1:48 PM
We used the four quadrants for the original SPIFFE.io docs. It's changed a bit since then but it helped us a lot with the original structure.
SPIFFE – Secure Production Identity Framework for Everyone
December 3, 2024 at 1:27 AM