NHI Forum
Read the full article here: https://blog.gitguardian.com/spice-wimse-and-scitt/?source=nhimg
As machines take on more responsibility in software delivery, identity standards must evolve to keep up. That’s where SPICE, WIMSE, and SCITT come in—three new IETF working groups shaping how workloads, credentials, and software artifacts will be verified, trusted, and authenticated in tomorrow’s machine-driven environments.
These standards aren’t theoretical—they’re being driven by real-world pressures like supply chain security mandates, privacy regulations, and the growing need for machine-to-machine trust in multi-cloud ecosystems.
Let’s break them down:
- WIMSE (Workload Identity in Multi-System Environments): Aims to standardize how workloads in different environments (e.g. AWS, Kubernetes, on-prem) identify and trust each other using tokens like JWTs or SPIFFE IDs—without custom glue code or long-lived secrets.
- SPICE (Secure Patterns for Internet Credentials): Focuses on selective disclosure, letting machines (or humans) prove just enough—like confirming a workload passed a scan—without revealing full data trails. Think of it as privacy-respecting machine credentials.
- SCITT (Supply Chain Integrity, Transparency, and Trust): Provides a cryptographically verifiable audit trail for everything in a software supply chain. Like a passport for your software artifacts, SCITT logs how, when, and by whom code was built, tested, and shipped.
Together, they create an end-to-end trust fabric:
- SCITT logs every key event
- SPICE issues lightweight credentials from those logs
- WIMSE ensures only verified workloads can access or act on them
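The trust-fabric flow above, as an added example that is not part of the original post and not GitGuardian's or the IETF working groups' code: a simplified SCITT-style append-only log that registers only signed statements and hands back hash-chain receipts, plus a SPICE-style selective-disclosure credential derived from a logged entry. It assumes constructed issuer keys and uses HMAC and a hash chain in place of SCITT's COSE signatures and Merkle-tree receipts.

```python
import hashlib
import hmac
import json

# Constructed per-issuer keys. Real SCITT signs statements with COSE and
# issues Merkle-tree receipts; HMAC and a hash chain stand in here so the
# example needs only the standard library.
ISSUER_KEYS = {"build-system": b"constructed-build-key", "scanner": b"constructed-scan-key"}
GENESIS = "0" * 64

def sign_statement(issuer, artifact, claims):
    """Issuer asserts claims about an artifact and signs the canonical payload."""
    payload = json.dumps({"iss": issuer, "sub": artifact, "claims": claims}, sort_keys=True)
    sig = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def statement_is_valid(stmt):
    """Check the issuer is known and the signature covers the exact payload."""
    key = ISSUER_KEYS.get(json.loads(stmt["payload"]).get("iss"))
    if key is None:
        return False
    expected = hmac.new(key, stmt["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stmt["sig"])

class TransparencyLog:
    """Append-only log: each entry's hash also covers the previous entry's hash."""
    def __init__(self):
        self.entries = []  # list of (statement, chain_hash)

    def register(self, stmt):
        if not statement_is_valid(stmt):
            raise ValueError("statement signature does not verify; not logged")
        prev = self.entries[-1][1] if self.entries else GENESIS
        chain = hashlib.sha256((prev + stmt["sig"]).encode()).hexdigest()
        self.entries.append((stmt, chain))
        return {"index": len(self.entries) - 1, "chain_hash": chain}  # the receipt

    def verify_receipt(self, receipt):
        """Recompute the chain from genesis; an edited or removed entry breaks it."""
        prev = GENESIS
        for stmt, _ in self.entries[: receipt["index"] + 1]:
            prev = hashlib.sha256((prev + stmt["sig"]).encode()).hexdigest()
        return hmac.compare_digest(prev, receipt["chain_hash"])

def disclose(stmt, receipt, claim):
    """SPICE-style selective disclosure: reveal one claim, bound to the log receipt."""
    body = json.loads(stmt["payload"])
    return {"sub": body["sub"], claim: body["claims"][claim], "receipt": receipt}
```

A consuming workload would accept the disclosed claim only after checking the receipt against the log, which is the hook where a WIMSE-style workload identity check would sit.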
Why This Matters
These standards are foundational for Zero Trust, workload identity, and verifiable software pipelines. But before you can adopt them, you need visibility into how your current machine identities are being used—and that’s where GitGuardian comes in.
GitGuardian’s NHI Security Platform helps organizations:
- Discover and inventory machine identities like tokens, service accounts, and embedded secrets
- Understand trust chains and credential sprawl
- Prepare environments for modern identity standards and dynamic, short-lived credentials