The Show Must Go On: Securing Netflix Studios at Scale — the
talk; high-value content traffic, identity, and policy at scale.
Netflix Metatron — credential bootstrap: inject identity into each
microservice at the continuous-delivery phase (the secret-zero
solution). Referenced across Netflix security talks/posts.
Zero Configuration Service Mesh with On-Demand Cluster Discovery —
Netflix TechBlog; Envoy + mTLS identity in the mesh direction.
https://netflixtechblog.com/zero-configuration-service-mesh-with-on-demand-cluster-discovery-ac6483b52a51
RFC 8446 — TLS 1.3 (the handshake, 0-RTT, session resumption).
RFC 6066 — TLS extensions incl. SNI . ALPN — RFC 7301.
RFC 5280 — X.509 certificates and path validation; SAN URI for
SPIFFE IDs.
RFC 7519 — JWT; RFC 7517 — JWK/JWKS for local validation.
BeyondCorp (Google) papers — the canonical zero-trust write-ups.
https://research.google/pubs/?q=beyondcorp
NIST SP 800-207 — Zero Trust Architecture (the reference model).
Cloudflare/Smallstep blogs on short-lived certificates and why
revocation (CRL/OCSP) is hard.
openssl s_client -connect host:443 -servername host — inspect the
handshake, cert chain, SNI, ALPN.
step (smallstep) — create a CA, issue certs, build an mTLS demo fast.
openssl x509 -text / openssl verify — read and validate certs.
Upstream: gw-01 (handshake cost / SNI passthrough), gw-03 (inbound
filter + hot-reload pattern), gw-04 (amortize the handshake).
Downstream: gw-08 (SDS), gw-09 (pod identity / mesh mTLS).