Summary
SPIFFE defines two SVID formats: JWT-SVID and X.509-SVID. ZeroID currently only issues JWT-SVIDs. X.509-SVIDs are the primary format used for mTLS workload authentication and are required for a full SPIFFE-compliant implementation.
Impact
ZeroID cannot participate in SPIFFE workload API ecosystems that rely on X.509-SVIDs for mTLS (e.g. Istio, SPIRE, Envoy SDS). AI agents that need mutual TLS identity cannot use ZeroID as a SPIFFE trust anchor.
Scope
Implementing X.509-SVIDs would require:
- A CA or delegated signing capability for issuing certificates with SPIFFE IDs in the SAN URI extension.
- A certificate issuance endpoint compatible with the SPIFFE Workload API (gRPC or HTTP).
- Certificate rotation / short-lived cert lifecycle management.
This is a significant feature addition — tracking here for roadmap awareness.
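The issuance step from the list above, as an added example using only the Go standard library (it is not ZeroID or SPIFFE project code): a leaf certificate whose only SAN is the SPIFFE ID URI, that is not a CA, and whose lifetime is capped. The `sign`, `NewCA` and `IssueSVID` names, the throwaway demo CA, the `example.org` trust domain, the Ed25519 key type and the one-hour TTL cap are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// sign makes a fresh Ed25519 key and a certificate for it; a nil parent self-signs (demo CA only).
func sign(tmpl, parent *x509.Certificate, pk ed25519.PrivateKey, ttl time.Duration) (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, pk = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	tmpl.NotBefore, tmpl.NotAfter, tmpl.BasicConstraintsValid = time.Now().Add(-time.Minute), time.Now().Add(ttl), true
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}

func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) { // throwaway demo CA (constructed)
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: "demo CA"}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil, 24*time.Hour)
}

// IssueSVID signs a leaf for a workload SPIFFE ID: one URI SAN, not a CA, at most one hour (assumed cap).
func IssueSVID(ca *x509.Certificate, caKey ed25519.PrivateKey, id string, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	u, err := url.Parse(id)
	if err != nil || ca == nil || caKey == nil || u.Scheme != "spiffe" || u.Host == "" || len(u.Path) < 2 || ttl <= 0 || ttl > time.Hour {
		return nil, nil, fmt.Errorf("refusing to issue %q with ttl %s", id, ttl)
	}
	return sign(&x509.Certificate{URIs: []*url.URL{u}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}, ca, caKey, ttl)
}

func main() {
	ca, caKey, _ := NewCA()
	leaf, _, err := IssueSVID(ca, caKey, "spiffe://example.org/agent/demo", 5*time.Minute)
	fmt.Println("issued and chains to CA:", err == nil && leaf.CheckSignatureFrom(ca) == nil)
}
```

The SPIFFE ID check here covers only scheme, trust domain and a non-empty path; rotation then amounts to calling `IssueSVID` again before `NotAfter`.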
Reference