If you’re trying to make SPIFFE handle delegation, you’re forcing the wrong layer to do the wrong job. SPIFFE gives you workload identity and attestation, full stop. It’s PKI for machines — not a delegation framework.
A better model is to separate identity from capability:
SPIFFE/SPIRE handles who the agent is (short-lived, attested identity).
Capabilities / Macaroons / ZCAP-LD handle what that agent is allowed to do, and who delegated it.
OPA or Cedar enforces policy at runtime.
VCs come in only if you need cross-domain delegation (federated or multi-issuer trust).
So SPIFFE issues identities, and those identities mint or receive verifiable capabilities that describe explicit rights. You get composable, auditable delegation without breaking SPIFFE’s short-lived cert model or pretending it can do web-of-trust semantics.
Trying to bake delegation into SPIFFE itself is just reimplementing capability security badly.
I do understand what you are saying, but in my head feels a bit too overcomplicated to just tell any developer doing AI agents to do all this stuff, there most be a cleaner way to do it.
If you’re trying to make SPIFFE handle delegation, you’re forcing the wrong layer to do the wrong job. SPIFFE gives you workload identity and attestation, full stop. It’s PKI for machines — not a delegation framework.
A better model is to separate identity from capability:
SPIFFE/SPIRE handles who the agent is (short-lived, attested identity).
Capabilities / Macaroons / ZCAP-LD handle what that agent is allowed to do, and who delegated it.
OPA or Cedar enforces policy at runtime.
VCs come in only if you need cross-domain delegation (federated or multi-issuer trust).
So SPIFFE issues identities, and those identities mint or receive verifiable capabilities that describe explicit rights. You get composable, auditable delegation without breaking SPIFFE’s short-lived cert model or pretending it can do web-of-trust semantics.
Trying to bake delegation into SPIFFE itself is just reimplementing capability security badly.