1. Issuing certificates is a lengthy process requiring key generation which is neither fast nor cheap at scale.
2. Working with x509 is a hell of a lot more cumbersome than working with JWTs.
3. The point wasn't that they're two different services; they're the same service from the perspective of the user but are internally disparate when deployed at scale.
Isn't this the whole point of SPIRE/SPIFFE? A workload can identify itself to a different trust domain as long as there's trust between the different domains and a policy that allows it.
1. Key generation is not required if you already have a key which is usable for this purpose. In this case, the server already has a public key since X.509 is already used for the server's certificate, so the certificate can be issued with the same public key. (If the client is issuing a certificate to the server, then the client's private key will be used to sign the certificate.)
2. I do not agree; I found X.509 to be better. I also think that DER is a better format than JSON (and that it does not require such things as escaping, base64 encoding, Unicode, etc). (I had made up a simpler usage for X.509 (more strict in some ways and less strict in other ways), although it is deliberately possible (without too much difficulty) to make a certificate which is compatible with both the normal usage and the simpler usage.)
3. OK. I had not considered that.
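The issuance flow described in the reply above (point 1), as an added example that is not part of the thread: a certificate is issued for a key the server already holds and is signed with a separate key (the client's, standing in for the issuer), so the issuance step itself generates no new key for the subject. It uses the openssl CLI, which is assumed to be on PATH (1.1.1 or 3.x); the file names and subject names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): issue an X.509 certificate for a key the
# server ALREADY holds, signed by the client's key. Assumes the openssl CLI.

issue_cert_for_existing_key() {
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"
        # Pre-existing material: the server's TLS key and the client's key.
        # In the thread's scenario these exist beforehand; generating them here
        # only sets up the demonstration and is not part of issuance.
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out server.key 2>/dev/null
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out client.key 2>/dev/null
        # The client's own self-signed certificate acts as the trust anchor.
        openssl req -x509 -new -key client.key -subj /CN=client -days 1 -out client.crt 2>/dev/null

        # Issuance proper. A CSR carries the server's EXISTING public key and is
        # signed with the server's existing private key as proof of possession;
        # the certificate is then signed with the client's private key.
        # Neither step generates a key.
        openssl req -new -key server.key -subj /CN=server -out server.csr 2>/dev/null
        openssl x509 -req -in server.csr -CA client.crt -CAkey client.key \
            -CAcreateserial -days 1 -out server.crt 2>/dev/null

        # Check 1: the public key in the issued certificate is the server's
        # original public key, byte for byte.
        openssl x509 -in server.crt -noout -pubkey > cert.pub 2>/dev/null
        openssl pkey -in server.key -pubout -out key.pub 2>/dev/null
        cmp -s cert.pub key.pub
        # Check 2: the issued certificate chains to the client's certificate.
        openssl verify -CAfile client.crt server.crt >/dev/null 2>&1
    )
    status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] && echo "OK"
    return "$status"
}
```

Calling `issue_cert_for_existing_key` prints `OK` only if both checks pass; the temporary directory is removed either way. The same flow works with an RSA server key, since nothing in the issuance step depends on the key type beyond the issuer being able to sign.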