EVIDENCE TRAIL

SPIFFE / SPIRE workload identity

Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The primary specification source is the SPIFFE GitHub standard; OWASP Agentic AI Threats & Mitigations v1.1 (Playbook 4) provides the closest upstream mandate for mutual auth and short-lived credentials in AI-to-AI interactions; NIST SP 800-207 anchors the zero trust tenet that SPIFFE operationalises.

Last cross-checked against upstream sources: · 7 sources

References

Each entry shows what the source supports and what it does not prove.

Reference 1
CNCF Graduated September 2022 · spec continuously maintained

SPIFFE Specification — spiffe/spiffe (CNCF)

SPIFFE specification — Abstract / Introduction

"Distributed design patterns and practices such as microservices, container orchestrators, and cloud computing have led to production environments that are increasingly dynamic and heterogeneous. … SPIFFE provides a specification for a framework capable of bootstrapping and issuing identity to services across heterogeneous environments and organizational boundaries."

Supports: Verbatim definition of the problem SPIFFE solves (heterogeneous, dynamic environments) and what SPIFFE is (a framework for bootstrapping and issuing identity to services). Establishes the primary upstream source for this control.

Does not prove: The specification defines the standard; it does not prescribe SVID rotation intervals or attestation methods — those are implementation concerns addressed by SPIRE.

Reference 2
Current · CNCF Graduated project

SPIFFE Concepts — spiffe.io official documentation

SPIFFE Concepts — §SPIFFE ID and §SVID

"A SPIFFE ID is a string that uniquely and specifically identifies a workload. … An SVID is the document with which a workload proves its identity to a resource or caller. An SVID contains a single SPIFFE ID, which represents the identity of the service presenting it. It encodes the SPIFFE ID in a cryptographically-verifiable document, in one of two currently supported formats: an X.509 certificate or a JWT token."

Supports: Verbatim definition of the SVID as the cryptographic proof of workload identity. Confirms the X.509 / JWT format, which is the basis for mTLS inter-agent authentication described in the MDX.

Does not prove: Conceptual reference only — does not cover SPIRE's attestation process or operational concerns such as trust-bundle distribution.

Reference 3
Current · CNCF Graduated project

SPIRE Concepts — spiffe.io official documentation

SPIRE Concepts — §SPIRE definition and §Workload Attestation

"SPIRE is a production-ready implementation of the SPIFFE APIs that performs node and workload attestation in order to securely issue SVIDs to workloads. … Workload attestation asks the question: 'Who is this process?' The agent answers that question by interrogating locally available authorities … The agent determines the workload's identity by comparing discovered selectors to registration entries, and returns the correct cached SVID to the workload."

Supports: Confirms the attestation model the MDX deployment section relies on. Establishes that workload identity is derived from local-authority attestation, not network location — the zero trust primitive.

Does not prove: Does not cover HA topology, datastore choices, or the multi-node SPIRE federation model mentioned in the MDX's "dev effort: medium" trade-off.

Reference 4
Published 20 September 2022

CNCF — "SPIFFE and SPIRE Projects Graduate from Cloud Native Computing Foundation Incubator"

CNCF graduation announcement — project descriptions and endorsement quote

"SPIFFE provides a secure identity to every workload in a modern production environment, removing the need for shared secrets. … SPIRE is the code that implements the SPIFFE specification on a wide variety of platforms and enforces multi-factor attestation. … Modern application development requires a standardized, secure form of identity for workloads and SPIFFE/SPIRE respond extremely well to that need."

Supports: Independent third-party confirmation (CNCF) of production maturity, multi-factor attestation, and the "removing shared secrets" benefit cited in the MDX summary. Supports the T1 maturity tier reasoning.

Does not prove: Marketing/announcement framing — does not provide security audit findings or quantitative performance data.

Reference 5
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§Playbook 4: Strengthening Authentication, Identity & Privilege Controls — Step 1: Implement Secure AI Authentication Mechanisms

"Enforce mutual authentication for AI-to-AI interactions. Prevent unauthorized inter-agent communication by requiring bidirectional verification. Limit AI credential persistence. Ensure that AI-generated credentials are temporary and expire after short timeframes to reduce exploitation risk."

Supports: Verbatim upstream requirement for mutual authentication and short-lived credentials in AI-to-AI communication — the exact mechanism SPIFFE SVIDs provide. Directly supports T9 and T12 coverage claims in the MDX.

Does not prove: Does not name SPIFFE or SPIRE specifically. The playbook recommends the mechanism; the MDX identifies SPIFFE/SPIRE as the implementation.

Reference 6
Published August 2020

NIST SP 800-207 — Zero Trust Architecture

§2.1 Tenets of Zero Trust — Tenet 2

"All communication is secured regardless of network location. Network location alone does not imply trust. … All communication should be done in the most secure manner available, protect confidentiality and integrity, and provide source authentication."

Supports: The ZTA foundation that SPIFFE operationalises at the workload level. "Source authentication" in every communication channel is what SVID-based mTLS enforces. Anchors the control in the canonical US government ZT standard.

Does not prove: NIST 800-207 is technology-agnostic and predates CNCF SPIFFE graduation by two years. Does not mention SPIFFE, SVID, or workload attestation. Provides the architectural rationale, not the implementation spec.

Reference 7
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§T9 Identity Spoofing & Impersonation — Description

"Identity Spoofing and Impersonation is a critical threat in AI agents where attackers exploit authentication mechanisms to impersonate AI agents, human users, or external services, gaining unauthorized access and executing harmful actions while remaining undetected. This is particularly dangerous in trust-based multi-agent environments, where attackers manipulate authentication processes, exploit identity inheritance, or bypass verification controls to act under a false identity."

Supports: Establishes the threat that SPIFFE/SPIRE directly counters: exploitation of authentication mechanisms in multi-agent trust chains. Supports MDX coverage entries for T9 (severityReductionSteps: 2) and T40.

Does not prove: Describes the threat scenario only; the mitigation step (mutual auth / short-lived creds) is in Playbook 4 (Reference 5 above, owasp-threats-mitigations-t9-p4). The two entries together form the complete upstream chain.