mTLS Handshake with X.509-SVIDs

Mutual TLS authentication between two workloads using X.509-SVIDs as client and server certificates (SPIFFE X.509-SVID spec §5). Both services present their SPIFFE-issued certificates and verify the peer's certificate against the SPIFFE trust bundle (not system CAs). After cryptographic verification, each side extracts the peer's SPIFFE ID from the URI SAN and performs authorization based on the identity. This provides authentication, encryption, and integrity in a single handshake.

Try in Looking Glass
Mutual TLSZero Trust

Sequence Diagram

Click any step for details

ClientServerBothBundle1Client Hello2Server Presents X.509-SVID3Server Requests Client Certificate4Client Presents X.509-SVID5Mutual Certificate Verification6SPIFFE ID Authorization7Encrypted Channel Established
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Client Hello
Client ServiceServer Service
2
Server Presents X.509-SVID
Server ServiceClient Service
3
Server Requests Client Certificate
Server ServiceClient Service
4
Client Presents X.509-SVID
Client ServiceServer Service
5
Mutual Certificate Verification
Both ServicesTrust Bundle
6
SPIFFE ID Authorization
Server ServiceAuthorization Policy
7
Encrypted Channel Established
Client ServiceServer Service

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.