
20250724 ‐ Meeting notes: July 24, 2025

Jeff Lombardo edited this page Jul 25, 2025 · 2 revisions

Meeting on July 24th, 2025

Agenda

[1 minute] Note Well and Note Really Well

[5 minutes] Tobin’s Regular Section: What happened in AI / agent IAM this week

  • AAuth - Agentic Authorization OAuth 2.1 Extension: https://datatracker.ietf.org/doc/html/draft-rosenberg-oauth-aauth
  • Whitepaper next milestones / asks of AIIM CG:
    • IETF
    • ITU-T SG17
      • CyberSecurity lead and WG1 lead on Identity for an exchange on use cases and approach; AIIM co-chairs introduced to these leads.
      • Tobin/Gail to follow up on next steps to avert duplication of work, as this CG helps triage actions suitable for MCP, IETF, OIDF, etc., to remediate.
      • This builds on the Geneva “AI for Good” panel where Tobin represented this CG and the whitepaper.
    • OIDF eKYC & IDA
    • Authority Spec WG updates (if any)
    • UNDP
      • Gail pinged Robert OTT Chief Digital Officer about this CG, looking to align with them as well since they are already coordinating with ITU to address Global South concerns related to AI.
    • Other
      • Any other orgs we should be in dialogue with to support the Whitepaper, AIIM CG landscape assessment, roadmap?
    • Monitoring
      • Financial Data Exchange discussions on Open Finance consent, four-party authorization. Some of the FDX requirements “rhyme” with agentic AI use cases, which could become relevant given bank engagement on open data and Agentic AI development. 1033 Rule and CFPB/Banking industry court case.

[10 minutes] Jeff to lead discussion on Agentic AI threat modeling; Reference: cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro

  • MCP Threat modeling: https://github.com/fkautz/safe-mcp

[15 minutes] Atul to lead discussion on MCP best practices

[10 minutes] (Nick Steele) AuthZ/AuthN ideas about MCP

Attendees

Name                  Affiliation          Participation Agreement signed?
Atul Tulshibagwale    SGNL                 Yes
Jeff Lombardo         AWS                  Yes
Tobin South           WorkOS & Stanford    Yes
Gail Hodges           OIDF                 N/A (Staff)
Alex Keisner          Vouched              Yes
Chris Phillips        Independent          Yes
Paul Templeman        Independent          Yes
Dan Moore             FusionAuth           Yes
Elie Azerad           Independent          Yes
Bertrand Carlier      Wavestone            In progress
Eve Maler             Venn Factory         Yes
Nick Dawson           Self                 Yes
Cleydson Andrade      Independent          Yes
Tom Jones             Independent          Yes
Sean Connolly         Roche                Yes
Victor Lu             Independent          Yes
Vlad Shapiro          BBH                  Yes
Nick Steele           1Password            Yes
Max Crone             1Password            Yes
Rene Leveille         1Password            Yes
Thilina Senarath      WSO2                 Yes
Hannah Sutor          Self                 Yes
Eleanor Meritt        Self                 Yes
Jay Huang             Visa                 Yes
Alex Babeanu          Indykite             Yes
Sean O’Dell           Disney               Yes

Previous action items:

  • Open a section for commenting links shared
  • Publish OIDF Authentic AI Whitepaper Discussion on the CG GitHub

Notes

Tobin’s Regular Section: What happened in AI / agent IAM this week:

Gail staff update on partner conversations

IETF update: Thanks to Jeff and Joseph for finding a slot

  • Lot of political pressure to work on AI in the ITU
  • Avoid duplication as much as possible. This group is very capable, so we can be super agile to contribute to all the fora (MCP, IETF, ITU)

eKYC:

  • United Nations Development Program (UNDP): Gather requirements from the Global South and get feedback.

Kantara:

  • Kantara is working on recommendations for agent delegations that should be kept in sync with this work to the greatest extent possible. Input to those recommendations is also encouraged. https://docs.google.com/document/d/1Ih38iKetyOzDZr1u6o6RL6NI18wK64Ne/edit?usp=sharing&ouid=109794657323597753486&rtpof=true&sd=true

(Jeff) IETF Update

  • One more day - more presentations
  • A BoF on AI Agents might become a new WG
  • Side meeting on this topic as well
  • ID Chaining will go through WGLC at Montreal
  • Security BCP for JWT - e.g. cross-device flow, will help in the agentic AI world.
  • Dynamic Client Registration (DCR) - lots of proposals regarding that; use concepts from Workload Identity and build more assurance

(Tobin) The WP is a useful way to disseminate information. Put any relevant constituency, working groups, bring them into the WP.

  • We can get speakers from these WGs here.

MCP best practices

  • (Atul) Got a meeting about MCP with MCP involved parties, Okta, SGNL, Anthropic, AWS
    • Sharing the notes taken during the meeting
    • [Atul to share bullet point later]
    • What do you need to do when using the spec to not trip over?
      • DCR is a problem; how can we use Client Attestation to allow some clients and not others?
      • ClientID metadata document, this is a new document
      • The document is a URL; when the client sends the JWT for authentication, the AS can check that the JWT comes from whoever owns the associated private key
    • Bearer Token Security
      • There is no real guidance about token lifetime / token replay / session revocation
      • You could use SSF to control a part of that
      • Restricting the audience when issuing the tokens (by the AS) by providing an audience
      • There is no Proof of Possession
      • Support DPoP
    • Authorization
      • Static scopes… this is a problem; they cannot be changed in real time
      • AuthZEN could be used dynamically with a PDP
      • SSF for signals
    • Audit
      • No way to correlate actions between multiple MCP Servers and Clients
  • (Tom) What about users? This is too much in the woods
  • (Jeff) We cannot ignore the fact that A2A and MCP exist and are being used, so we need to address their needs
  • (Tom) The W3C security group is looking into how to secure this in the browser. We got into issues like Gemini Nano
  • (Jeff) Would you like to present the various issues that you have discussed in W3C?
  • (Tom) yes
  • (Jeff) Anyone wanting this group to consider something, please email it to the mailing list.
  • (Chris) One of the things is that the context is a bit absent. Is this a trusted computing environment?
    • Do you know the pedigree of the components?
    • It starts with the belief that the computing environment is trustworthy
    • If the end user doesn’t know about the MCP endpoint (whether it is bonafide), then this is all meaningless
    • OIDC federation might have applications here
  • (Nick) Clients’ ability to access credentials is different from the client’s ability to access resources
    • We see client credentials being exfiltrated
    • Agents store API keys in the host layer and shift them down to the client for use. If the Client is exploited, then those keys get compromised
    • There needs to be a discrete manager of credentials for hosts, which is not defined in MCP today.
    • Section 3.2 in MCP spec identifies this as a vulnerability but there is no good way to address this right now in the spec.
    • A credential manager could solve this problem
    • We’re thinking about the problem from the server side, whereas there is a big issue on the client side.

Using Other forms of AuthZ, e.g. OIDC4VP and SIOP for authentication

(Jeff) We will discuss this in the next meeting

One-pager

(Jeff) We are working on a one pager for all this

Action Items

  • Atul to reach out to Safe MCP and MAESTRO to figure out if they can collaborate here.
  • Gail to reach out to Daniel Fett to figure out collaboration with AIIM for threat modeling

Document linked:

Book - Agentic Design Patterns - Antonio Gulli
