Skip to content

Meeting Notes: Oct 30, 2025

Jump to bottom
Atul Tulshibagwale edited this page Oct 30, 2025 · 2 revisions

Four MCP Use Cases

MCP Use Cases Infographic (1)

  • (Atul) IIW updates:
    • Atul’s MCP talk
    • Four MCP Usage Scenarios
    • Needs stronger trust attestation and management
  • (George) Consent needs to be handled differently. The existing models do not work
    • How do I capture the constraints of what the user can do
    • Two ways: Users can convey what they want (like AP2)
    • Users could provide an “authorization agent” which can answer authorization questions on the user’s behalf
    • How do you represent the delegation that has occurred, and how do you get that understood across trust domains
    • We need to address these from a standards perspective
  • (Atul) So do you think client attestation is not needed?
    • (George) The basic attestation is still needed (e.g. x Agent is developed by Anthropic)
    • Think of an agentic world. How do you manage liability in that?
    • Some flows may interact with a trust domain even once a year, so a pre-authorization that expires won’t work
    • We need ad-hoc connection mechanisms will be needed
  • (Andy Lim) Do you think the composition of an agent, e.g. which LLM they talk to, all make up a set of meta-attributes that need to be attested.
    • This can guide trust decisions about the agent
  • (Tom Jones) I don’t think MCP is a particularly good model.
    • We need to access more information about the external needs and information of users.
  • (Chris) Great IIW week
    • Trust and risk profiles—software supply chain & browser security & trust systems have treated us well, and this information security paradigm needs to be mapped to AI & MCP.
    • A chat interface with a browser can really obfuscate a lot of this.
    • Harder to surface security or trust signaling (e.g., trust mark signaling)
    • (Tom) This needs to be continuously evaluated
  • (Flemming Andreasen) You want to carry authentication from one agent to another, with different authorizations
  • (Pieter Kasselman) Impersonation is a terrible pattern, because you can’t tell whether it’s the user or something else on behalf of the user
    • Another thing about the picture is that it hides the real complexity of the problem.
    • That is everything that happens to the right of the MCP server.
    • From everything I’ve seen as deployment challenges has been there (on the right)
    • (Atul) That’s supposed to be captured in the last use case (Chained)
    • (Pieter) but that’s not enough, because it is going to talk to legacy infrastructure.

Threat Modeling Subgroup

  • (Sarah Cecchetti) We’re forming a threat modeling subgroup
  • The charter is being worked on. The larger group is bigger, but we’re proposing to have a separate meeting and mailing list
  • We will identify potential attacks
  • Should this subgroup be focused only on identity based workflows?
    • (Sarah) I think it should, because that is where the AIIM group is focused
    • (Stan) I made some comments
    • (Sarah) I’ve incorporated them
    • (Nick Dawson) We might not just want to focus on identity threats, because the threat itself might not involve identity, but the response / detection might involve identity. I’d like to scope it such that we include threats that can also be responded to using identity
    • (Sarah) I’ll update the language accordingly.
    • (Tom) I’ve done a lot of work in threat modeling. I’m not sure we have enough specification about what it is, in order to create a threat model
    • (Tom) We can look at threats for specific implementations
    • (Tom) We can stop identifying people, and start identifying context
    • (Sarah) That’s a fair argument. MCP is the most widely adopted, but many implementations don’t follow the specs. Please join the group so that we can address this
    • (Flemming) How do we join the group
    • (Atul) We’ll make a mailing list and any AIIM CG participant can join.

AIIM CG call timing

  • (Atul) Can we alternate the time so that it is more Asia friendly on alternate weeks?

MCP Authorization Developments

  • (Atul) Right now in MCP OAuth, PKCE, OPRM, and DCR are optional
  • DCR is not widely adopted, so some folks want to move to CIDM with URL Mode Elicitation. Those have been approved and will be in the November spec release
  • Server cards and extension definitions and negotiations are in development - both proposed by Anthropic
  • Authorization extensions that have already been defined and approved and have their own repos
    • Enterprise Managed Authorization
    • Client Credentials
  • (Brook)
  • (Sarah) CIMD (Client ID Metadata) says that the client ID has a URL that points to the JSON document that identifies the company who owns the client.
  • (Brook) That’s one case, but what if the agent is not a mobile app. Are you relying on Apple or Google to do all this?
  • (Sarah) Aaron explained this in his presentation at IIW, how even a single-page app can work in this case.
  • (Brook) It’ll be good to raise the edge case with them
  • (Sarah) You should join the MCP Discord
  • (Govindaraj) We talked about cryptographic stuff earlier. The additional attributes are going to be dropped (e.g. extended key attributes for client authentication) by DigiCert.

AOB

  • (Govindaraj) Has anyone looked at Agent Cards? It’s part of the A2A spec: https://a2a-protocol.org/latest/tutorials/python/3-agent-skills-and-card/
  • (Chris) I’ve looked at it a bit to figure out how to exchange trust marks between agents
  • (Julie Maas) The agent card stuff has parallels in the healthcare industry, e.g. trusted dynamic registration has the ability to revoke previously established trust
  • (Govindaraj) OAuth 2.1 is still in draft. When is it going to get approved?

Clone this wiki locally