// Technology / Workload Identity

The workload proves itself before it speaks.

QHx binds running workloads to cryptographically verifiable identities so services can prove what they are before they communicate.

// Mechanism

Identity is issued from evidence.

QHx follows a two-phase model. First the node establishes trust. Then the workload receives identity as a child of that trusted node.

  • Node attestation: The platform proves itself before any workload identity is issued.
  • Workload attestation via selectors: The system identifies the process by container image digest, Kubernetes service account, UID, namespace, and runtime context.
  • Parent-child structure: Each workload identity is a structural child of its node identity. The node must remain attested for the workload credential to renew.
  • Short-lived SVIDs: Credentials are intentionally temporary, reducing standing access and the value of theft.
  • Peer verification: Workloads know what they are connected to, not merely where the packet came from.
IDENTITY
  Trust domain: mission.example
  Namespace: ops
  Service account: api

BOUND TO
  Parent: attested node
  Credential: X.509-SVID
  Lifetime: short-lived
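The two-phase model above, worked through as an added example. This is not QHx's code and does not describe its internals; it is a stdlib-only toy in which an HMAC tag stands in for the X.509 signature on an SVID, the `platform_ok` evidence check stands in for real node attestation, and the selector keys, node name, image digest and lifetimes are constructed assumptions. The card values from the page (trust domain mission.example, namespace ops, service account api) are used for the workload. What it shows that the list alone does not: a credential is refused when no registration entry matches the observed selectors, when the parent node's attestation has lapsed, when the credential has expired, and when its body has been altered; and the peer decides by the verified identity, not by the caller's address.

```python
"""Toy two-phase workload identity issuance (added illustration, not QHx code)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

TRUST_DOMAIN = "mission.example"  # trust domain shown on the page


@dataclass
class Issuer:
    """Stand-in for the control plane. Assumption: HMAC tag instead of an X.509 signature."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    attested_nodes: dict = field(default_factory=dict)  # node_id -> attestation expiry (epoch s)
    entries: list = field(default_factory=list)         # registration entries: who may get which ID

    # Phase 1: node attestation. `evidence` is a hypothetical stand-in for platform evidence.
    def attest_node(self, node_id, evidence, now, ttl=3600):
        if evidence.get("platform_ok") is not True:
            raise PermissionError("node attestation failed")
        self.attested_nodes[node_id] = now + ttl
        return f"spiffe://{TRUST_DOMAIN}/node/{node_id}"

    def register(self, spiffe_id, parent_node, selectors):
        self.entries.append({"id": spiffe_id, "parent": parent_node, "selectors": selectors})

    # Phase 2: workload attestation by selectors, issued as a child of the attested node.
    def issue_svid(self, node_id, observed, now, ttl=300):
        exp = self.attested_nodes.get(node_id)
        if exp is None or now >= exp:
            raise PermissionError("parent node is not (or no longer) attested")
        for e in self.entries:
            # every registered selector must be present in what the agent observed
            if e["parent"] == node_id and e["selectors"].items() <= observed.items():
                return self._sign({"sub": e["id"], "parent": node_id, "nbf": now, "exp": now + ttl})
        raise PermissionError("no registration entry matches the observed selectors")

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag  # tag is hex, so the last '.' separates it from the JSON body

    # Peer verification: returns the authenticated SPIFFE ID or refuses.
    def verify(self, svid, now):
        body, _, tag = svid.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        if not claims["nbf"] <= now < claims["exp"]:
            raise PermissionError("credential expired or not yet valid")
        return claims["sub"]


def authorize_peer(issuer, svid, allowed_ids, now):
    """Authorize by what the peer is (its verified ID), not where the packet came from."""
    return issuer.verify(svid, now) in allowed_ids


def denied(fn, *args, **kwargs):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True


def demo(now=1_700_000_000):
    """Constructed walk-through using the page's card values: ops/api on an attested node."""
    iss = Issuer()
    node_id = iss.attest_node("node-1", {"platform_ok": True}, now, ttl=3600)
    api_id = f"spiffe://{TRUST_DOMAIN}/ns/ops/sa/api"
    # constructed selectors and digest; key names are assumptions, not QHx's
    iss.register(api_id, "node-1",
                 {"k8s:ns": "ops", "k8s:sa": "api", "docker:image-digest": "sha256:0000"})
    observed = {"k8s:ns": "ops", "k8s:sa": "api",
                "docker:image-digest": "sha256:0000", "unix:uid": "1000"}
    svid = iss.issue_svid("node-1", observed, now, ttl=300)
    return {
        "node_id": node_id,
        "peer_ok": authorize_peer(iss, svid, {api_id}, now + 10),
        "expired": denied(iss.verify, svid, now + 300),
        "wrong_ns": denied(iss.issue_svid, "node-1", {**observed, "k8s:ns": "dev"}, now),
        "node_lapsed": denied(iss.issue_svid, "node-1", observed, now + 3600),
        "tampered": denied(iss.verify, svid.replace("/ns/ops/", "/ns/dev/"), now + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The renewal rule on the page is the `exp is None or now >= exp` check in `issue_svid`: a workload cannot obtain or renew its credential once the parent node's attestation has expired, regardless of how well its selectors match. In a real deployment the selectors would come from the agent's inspection of the process (cgroup, service account token, image digest) rather than a caller-supplied dict, and the credential would be an X.509 certificate chained to the trust domain's CA.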