gw-07 — References

The Netflix angle (named in the JD)

  • The Show Must Go On: Securing Netflix Studios at Scale — the talk; high-value content traffic, identity, and policy at scale.
  • Netflix Metatron — credential bootstrap: inject identity into each microservice at the continuous-delivery phase (the secret-zero solution). Referenced across Netflix security talks/posts.
  • Zero Configuration Service Mesh with On-Demand Cluster Discovery — Netflix TechBlog; Envoy + mTLS identity in the mesh direction. https://netflixtechblog.com/zero-configuration-service-mesh-with-on-demand-cluster-discovery-ac6483b52a51

Identity standards & implementations

Protocol specs

  • RFC 8446 — TLS 1.3 (the handshake, 0-RTT, session resumption).
  • RFC 6066 — TLS extensions incl. SNI. ALPN — RFC 7301.
  • RFC 5280 — X.509 certificates and path validation; SAN URI for SPIFFE IDs.
  • RFC 7519 — JWT; RFC 7517 — JWK/JWKS for local validation.

Background

  • BeyondCorp (Google) papers — the canonical zero-trust write-ups. https://research.google/pubs/?q=beyondcorp
  • NIST SP 800-207 — Zero Trust Architecture (the reference model).
  • Cloudflare/Smallstep blogs on short-lived certificates and why revocation (CRL/OCSP) is hard.

Tooling

  • openssl s_client -connect host:443 -servername host — inspect the handshake, cert chain, SNI, ALPN.
  • step (smallstep) — create a CA, issue certs, build an mTLS demo fast.
  • openssl x509 -text / openssl verify — read and validate certs.

Cross-lab dependencies

  • Upstream: gw-01 (handshake cost / SNI passthrough), gw-03 (inbound filter + hot-reload pattern), gw-04 (amortize the handshake).
  • Downstream: gw-08 (SDS), gw-09 (pod identity / mesh mTLS).