#6997 Investigate SPIFFE SVID support
Opened 6 years ago by cheimes. Modified 6 years ago

SPIFFE SVID is a new standard under development to issue identities to workloads. They play an important role in Istio Auth [1].

About Istio [2]:

Istio: an open platform to connect, manage, and secure microservices. Istio provides an easy way to create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, without requiring any changes in service code.

About SPIFFE [3]:

SPIFFE (Secure Production Identity Framework For Everyone) is an open-source framework that aims to provide a secure identity (and a means to prove that identity) to every workload in a modern production environment, no matter where it is running.

SPIFFE SVIDs are specified in [4]. SVID is an acronym for SPIFFE Verifiable Identity Document. Ultimately SVIDs are X509 end-entity certificates with spiffe:// URI entries in the X509v3 Subject Alt Name extension. The rest of the certificate is pretty standard, see #6996 for missing basic constraints in EE profiles. The SPIFFE URIs convey identity information much like Kerberos OtherName entries. SVID identities contain domain (realm) and workload. Example from [4]:

For example:
spiffe://staging.acme.com/payments/mysql
or
spiffe://staging.acme.com/payments/web-fe
The two SPIFFE names above refer to two different components - the mysql database service and a web front-end - of a payments service running in a staging environment.

In order to support SPIFFE SVID, we have to figure out and define how to include, map, and verify identity information in CSRs and certs. From discussion with @ftweedal:

a) Do not store SPIFFE info, but if present in a CSR validate it
according to a mapping like what you have outlined below at (3).

b) Store SPIFFE info, and validate info in CSRs against that. This
will require new schema I suppose.

Note: (a) and (b) are not mutually exclusive. (a) is less work, we
just decide and define what the mapping is and implement the validation.
No changes in Dogtag necessary.

c) Store SPIFFE info with user/host/service entries, and automatically
include SPIFFE extensions for signing certs with special SPIFFE profile.

NOTE: SPIFFE SVID is still a draft. URI syntax has changed in the past (used to be urn:spiffe:...). Some aspects are not yet defined, too, e.g. cert invalidation. It's also not yet clear how Kubernetes and Istio Auth will interpret the path.

[1] https://istio.io/docs/concepts/network-and-auth/auth.html
[2] https://istio.io/docs/concepts/what-is-istio/overview.html
[3] https://spiffe.io/about/
[4] https://github.com/spiffe/svid/blob/master/SPECIFICATION.md


Metadata Update from @pvoborni:
- Issue set to the milestone: Future Releases

6 years ago

Some of the links no longer work; updated links are:

SPIFFE URIs are stored as GeneralName uniformResourceIdentifier (OID 2.5.29.17, choice 6, IA5String). Dogtag refers to the type as URIName, OpenSSL as GEN_URI.
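As an added example (not code from the ticket, FreeIPA or Dogtag), here is option (a) from the description together with the SAN encoding noted in the comment above, in Go: a CSR is built with spiffe:// URI SANs (crypto/x509 exposes the SAN's uniformResourceIdentifier GeneralNames as the URIs field), then the single SPIFFE identity is parsed out of the received DER and checked against a hypothetical realm/principal mapping. The acceptance rules (exactly one spiffe:// SAN, a bare trust domain as authority, no query or fragment, a workload path without empty, "." or ".." segments), the realm STAGING.ACME.COM, the host principals and the allowed-path table are assumptions of this example; only the two SPIFFE IDs come from the ticket.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is what a spiffe:// URI SAN conveys: the trust domain (mapped
// here onto the IPA realm) and the workload path.
type SPIFFEID struct{ TrustDomain, Path string }

// ParseSPIFFEID extracts the SPIFFE identity from URI SAN entries. The rules
// are this example's issuance policy, not text from the ticket: exactly one
// spiffe:// entry, a bare trust domain as authority, no query or fragment,
// and a workload path without empty, "." or ".." segments.
func ParseSPIFFEID(uris []*url.URL) (SPIFFEID, error) {
	var found []*url.URL
	for _, u := range uris {
		if strings.EqualFold(u.Scheme, "spiffe") {
			found = append(found, u)
		}
	}
	if len(found) != 1 {
		return SPIFFEID{}, fmt.Errorf("expected exactly one spiffe:// URI SAN, got %d", len(found))
	}
	u := found[0]
	if u.Host == "" || u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return SPIFFEID{}, fmt.Errorf("%q is not of the form spiffe://<trust-domain>/<path>", u)
	}
	if len(u.Path) < 2 || u.Path[0] != '/' {
		return SPIFFEID{}, fmt.Errorf("%q carries no workload path", u)
	}
	for _, seg := range strings.Split(u.Path[1:], "/") {
		if seg == "" || seg == "." || seg == ".." {
			return SPIFFEID{}, fmt.Errorf("invalid path segment %q in %q", seg, u)
		}
	}
	return SPIFFEID{TrustDomain: strings.ToLower(u.Hostname()), Path: u.Path}, nil
}

// Policy is the hypothetical option (a) mapping: no SPIFFE data is stored; a
// CSR passes when its trust domain equals the realm (compared case-insensitively,
// realms being upper-case) and its path is one the requesting principal may claim.
type Policy struct {
	Realm        string
	AllowedPaths map[string][]string // principal -> permitted SPIFFE paths
}

// CheckCSR runs option (a) end to end on a parsed CSR: verify proof of
// possession, parse the identity out of the SAN, authorize it for the principal.
func (p Policy) CheckCSR(csr *x509.CertificateRequest, principal string) (SPIFFEID, error) {
	if err := csr.CheckSignature(); err != nil {
		return SPIFFEID{}, err
	}
	id, err := ParseSPIFFEID(csr.URIs) // SAN uniformResourceIdentifier entries
	if err != nil {
		return SPIFFEID{}, err
	}
	if !strings.EqualFold(id.TrustDomain, p.Realm) {
		return SPIFFEID{}, fmt.Errorf("trust domain %q does not match realm %q", id.TrustDomain, p.Realm)
	}
	for _, allowed := range p.AllowedPaths[principal] {
		if allowed == id.Path {
			return id, nil
		}
	}
	return SPIFFEID{}, fmt.Errorf("principal %q may not request SPIFFE path %q", principal, id.Path)
}

// BuildCSR creates a CSR carrying the given URIs as SAN entries and
// round-trips it through DER, so the check runs on what a CA would receive.
func BuildCSR(uris ...string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der) // parses the SAN back into .URIs
}

func main() {
	// Constructed sample policy and principal; the SPIFFE IDs are the ticket's examples.
	policy := Policy{Realm: "STAGING.ACME.COM",
		AllowedPaths: map[string][]string{"host/db1.staging.acme.com": {"/payments/mysql"}}}
	for _, uris := range [][]string{
		{"spiffe://staging.acme.com/payments/mysql"},
		{"spiffe://prod.acme.com/payments/mysql"},
		{"spiffe://staging.acme.com/payments/mysql", "spiffe://staging.acme.com/payments/web-fe"},
	} {
		csr, err := BuildCSR(uris...)
		if err != nil {
			panic(err)
		}
		id, err := policy.CheckCSR(csr, "host/db1.staging.acme.com")
		fmt.Printf("%v -> %+v err=%v\n", uris, id, err)
	}
}
```

Only the first CSR is accepted; the foreign trust domain and the request carrying two SPIFFE URIs are refused. Options (b) and (c) from the discussion would replace the AllowedPaths table with SPIFFE data stored on the host/service entry, but the SAN parsing and the trust-domain-to-realm comparison stay the same.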

