NHI Forum


SPICE, WIMSE, and SCITT Standards


(@gitguardian)
Eminent Member
Joined: 6 months ago
Posts: 9
Topic starter  

Read the full article here: https://blog.gitguardian.com/spice-wimse-and-scitt/?source=nhimg


As machines take on more responsibility in software delivery, identity standards must evolve to keep up. That’s where SPICE, WIMSE, and SCITT come in—three new IETF working groups shaping how workloads, credentials, and software artifacts will be verified, trusted, and authenticated in tomorrow’s machine-driven environments.

These standards aren’t theoretical—they’re being driven by real-world pressures like supply chain security mandates, privacy regulations, and the growing need for machine-to-machine trust in multi-cloud ecosystems.


Let’s break them down:

  • WIMSE (Workload Identity in Multi-System Environments): Aims to standardize how workloads in different environments (e.g. AWS, Kubernetes, on-prem) identify and trust each other using tokens like JWTs or SPIFFE IDs—without custom glue code or long-lived secrets.

  • SPICE (Secure Patterns for Internet Credentials): Focuses on selective disclosure, letting machines (or humans) prove just enough—like confirming a workload passed a scan—without revealing full data trails. Think of it as privacy-respecting machine credentials.

  • SCITT (Supply Chain Integrity, Transparency, and Trust): Provides a cryptographically verifiable audit trail for everything in a software supply chain. Like a passport for your software artifacts, SCITT logs how, when, and by whom code was built, tested, and shipped.

Together, they create an end-to-end trust fabric:

  • SCITT logs every key event

  • SPICE issues lightweight credentials from those logs

  • WIMSE ensures only verified workloads can access or act on them

Why This Matters

These standards are foundational for Zero Trust, workload identity, and verifiable software pipelines. But before you can adopt them, you need visibility into how your current machine identities are being used—and that’s where GitGuardian comes in.

GitGuardian’s NHI Security Platform helps organizations:

  • Discover and inventory machine identities like tokens, service accounts, and embedded secrets

  • Understand trust chains and credential sprawl

  • Prepare environments for modern identity standards and dynamic, short-lived credentials
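As an added example (not from the linked article or GitGuardian's platform), the selective-disclosure idea behind SPICE in the style of SD-JWT: the issuer signs only salted hashes of the claims, the holder forwards just the claim it wants to prove (here, that a scan passed), and the verifier accepts only disclosures covered by the issuer's signature. The issuer name, SPIFFE ID and key are constructed placeholders, and an HMAC stands in for a real asymmetric signature.

```python
import base64, hashlib, hmac, json, secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _digest(disclosure: str) -> str:
    # As in SD-JWT, the digest covers the base64url disclosure string, not the raw JSON
    return _b64(hashlib.sha256(disclosure.encode()).digest())

def issue(claims: dict, issuer_key: bytes):
    """Issuer: salt and hash every claim, sign only the digests; values never enter the credential."""
    disclosures = {}
    for name, value in claims.items():
        salt = _b64(secrets.token_bytes(16))  # fresh salt per claim blocks guessing low-entropy values
        disclosures[name] = _b64(json.dumps([salt, name, value]).encode())
    payload = {
        "iss": "scanner.example",                      # constructed issuer name
        "sub": "spiffe://example.org/ns/prod/sa/api",  # constructed workload SPIFFE ID
        "_sd": sorted(_digest(d) for d in disclosures.values()),  # sorted: hides claim order
    }
    body = json.dumps(payload, sort_keys=True).encode()
    # HMAC stands in for the issuer's asymmetric signature (a real SD-JWT would use e.g. ES256)
    sig = _b64(hmac.new(issuer_key, body, hashlib.sha256).digest())
    return f"{_b64(body)}.{sig}", disclosures

def present(credential: str, disclosures: dict, reveal: list) -> str:
    """Holder: forward the signed credential plus only the chosen disclosures."""
    return "~".join([credential] + [disclosures[n] for n in reveal])

def verify(presentation: str, issuer_key: bytes):
    """Verifier: check the signature, then accept only disclosures whose digest is in the signed _sd list."""
    credential, *revealed = presentation.split("~")
    body_b64, sig = credential.split(".")
    body = _b64d(body_b64)
    expected = _b64(hmac.new(issuer_key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    signed_digests = set(json.loads(body)["_sd"])
    claims = {}
    for d in revealed:
        if _digest(d) not in signed_digests:
            return None  # disclosure was not covered by the issuer's signature
        _salt, name, value = json.loads(_b64d(d))
        claims[name] = value
    return claims
```

The verifier learns that the scan passed and nothing about the other claims, yet every accepted value is still bound to the issuer's signature.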
