mTLS Handshake with X.509-SVIDs
Mutual TLS authentication between two workloads using X.509-SVIDs as client and server certificates (SPIFFE X.509-SVID spec §5). Both services present their SPIFFE-issued certificates and verify the peer's certificate against the SPIFFE trust bundle (not system CAs). After cryptographic verification, each side extracts the peer's SPIFFE ID from the URI SAN and performs authorization based on the identity. This provides authentication, encryption, and integrity in a single handshake.
mTLS Handshake with X.509-SVIDs
Mutual TLS authentication between two workloads using X.509-SVIDs as client and server certificates (SPIFFE X.509-SVID spec §5). Both services present their SPIFFE-issued certificates and verify the peer's certificate against the SPIFFE trust bundle (not system CAs). After cryptographic verification, each side extracts the peer's SPIFFE ID from the URI SAN and performs authorization based on the identity. This provides authentication, encryption, and integrity in a single handshake.
Sequence Diagram
Click any step for details
Step-by-Step Breakdown
Token Inspector
Specs for this flow
Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.