SPIFFE: No X.509-SVID support

## Summary

SPIFFE defines two SVID formats: JWT-SVID and X.509-SVID. ZeroID currently only issues JWT-SVIDs. X.509-SVIDs are the primary format used for mTLS workload authentication and are required for a full SPIFFE-compliant implementation.

## Impact

ZeroID cannot participate in SPIFFE workload API ecosystems that rely on X.509-SVIDs for mTLS (e.g. Istio, SPIRE, Envoy SDS). AI agents that need mutual TLS identity cannot use ZeroID as a SPIFFE trust anchor.

## Scope

Implementing X.509-SVIDs would require:
1. A CA or delegated signing capability for issuing certificates with SPIFFE IDs in the SAN URI extension.
2. A certificate issuance endpoint compatible with the SPIFFE Workload API (gRPC or HTTP).
3. Certificate rotation / short-lived cert lifecycle management.

This is a significant feature addition — tracking here for roadmap awareness.

## Reference

- [SPIFFE spec §3](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE.md#3-spiffe-verifiable-identity-document): defines both SVID types
- [X.509-SVID spec](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SPIFFE: No X.509-SVID support #49

Summary

Impact

Scope

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SPIFFE: No X.509-SVID support #49

Description

Summary

Impact

Scope

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions