SVID Workload Identity Scheme
The SPIFFE-style URI scheme for internal service identities (SVIDs) issued by Koder ID for east-west mTLS (stack-RFC-009 Layer 2). Defines the canonical identity form `spiffe://koder/<area>/<sector>/<instance>`, its 1:1 binding to a Koder ID service-account, and how `<area>/<sector>` map to the RFC-003 taxonomy.
Internal service-to-service mTLS (stack-RFC-009 Layer 2) authenticates each workload by a short-lived x509 SVID whose SAN carries a SPIFFE-style URI. Koder ID's keys service is the single issuer (§7.4); this spec fixes the identity string so issuer, verifiers and the allow-list agree on one canonical form.
R1 — Canonical form
A workload identity is exactly:
spiffe://koder/<area>/<sector>/<instance>- Scheme is always
spiffe. Trust domain is alwayskoder(the URI host). <area>and<sector>are the RFC-003 taxonomy L2 area and L3 sector of theworkload (e.g.
netfleet,datakdb,foundation/id). Lowercase, the same tokens used in the monorepo path — nokoder-prefix.<instance>distinguishes co-running members of the same sector (e.g.hub,primary,region-b,0). Lowercase,[a-z0-9-]+.- All three segments are required and non-empty (
crypto.SVIDIDrejects otherwise).
R2 — 1:1 with a service-account
Each identity is bound to one Koder ID service-account. The issuer never lets a caller name its own identity: the authenticated SA subject is resolved to its pinned identity via the allow-list, and IssueForRequest signs only that identity (own-identity-only authz — a compromised SA can obtain only its own SVID). Two distinct workloads that must be told apart cryptographically MUST use distinct <instance> (or distinct sector) and distinct service-accounts.
R3 — TTL is the revocation
SVIDs are short-lived (≤ crypto.MaxSVIDTTL, 24h; cadence in hours). There is no CRL/OCSP in v1 — a revoked workload simply stops being re-issued (§7.5). Verifiers MUST reject expired SVIDs (standard x509 path validation) and SHOULD pin the expected peer identity string, not merely "any valid SVID".
R4 — Examples
| Workload | Identity |
|---|---|
| Fleet hub | spiffe://koder/net/fleet/hub |
| Fleet member, region B | spiffe://koder/net/fleet/region-b |
| kdb primary region | spiffe://koder/data/kdb/primary |
| Koder ID keys service | spiffe://koder/foundation/id/keys |
Origin: stack-RFC-009 §9.5 ("register the SVID identity scheme under specs/naming"). Implemented by
services/foundation/id/engine(id#204):pkg/crypto/svid.go(SVIDID, minting) + thekeys-service issuance endpoint.