-
Notifications
You must be signed in to change notification settings - Fork 7
Meeting notes: September 4, 2025
Atul Tulshibagwale edited this page Sep 4, 2025
·
1 revision
| Name | Affiliation | Participation Agreement signed? |
|---|---|---|
| Atul Tulshibagwale | SGNL | Yes |
| Tom Jones | ind | yes |
| Alex Babeanu | Indykite | Yes |
| George Fletcher | Practical Identity LLC | Yes |
| Janak Amarasena | WSO2 | Yes |
| Mike Kiser | SailPoint | Yes |
| Chris Phillips | Independent | Yes |
| Bishnu Bista | safe-mcp | Yes |
| Gail Hodges | OIDF | N/A |
| Paul Lanzi | IDenovate | Yes |
| Eleanor Meritt | Self | Yes |
| Paul Templeman | Independent | Yes |
| Nick Steele | 1Password | Yes |
| Max Crone | 1Password | Yes |
| Vaibhav Narula | Independent | Yes |
| Apoorva Deshpande | Okta | Yes |
| Adwait Shinganwade | Independent | Yes |
| Nick Dawson | Self | Yes |
| Arjun Subedi | Self | Yes |
| Ramon Galate | Raidiam | Yes |
| Elie Azerad | Independent | Yes |
| Flemming Andreasen | Cisco | Yes |
| Aaron Parecki | Okta | Yes |
| Luiky Vasconcelos | Raidiam | Yes |
| Rania Khalaf | WSO2 | Yes |
| Jay Huang | Visa | Yes |
| Stan Bounev | Blue Label | Yes |
- (Tobin) Updates for the week (5 minutes)
- Tobin not present, Updates with Atul
- (Frederick Kautz and Arjun Subedi) Safe MCP (20 minutes)
- (Jeff) Taxonomy subgroup (10 minutes)
- AOB
- (George) Standard deployment models
- MCP Bundles
- Note from Gail that Tobin’s paper is out for review to the OIDF board, should go to review between Sep 2, 2025 and Sep 12, 2025
- Would like folks to view the NIST NCCoE paper discussing issues with mDL adoption for financial institutions
- Bill Fisher from NIST: The background on the NCCoE work is that KYC systems are getting slammed by Gen AI and deepfakes. mDLs offer an alternative for identity verification that could meet compliance requirements and would not be subject to the same type of GenAI/Deepfake attack scale. The paper we published is a proposed approach to help financial institutions trust mDLs and the mDL ecosystem, specifically the digital wallet and the mDL issuance process to the wallet.
- Paul Lanzi mentions 2 IETF drafts recently published discussing AI and Identity
- https://macyabbey.github.io/draft-scim-agent-extension/draft-scim-agent-extension.html
- https://datatracker.ietf.org/doc/draft-wahl-scim-agent-schema/
- Discussion around resource indicator spec (RFC) that would provide better bindings to access tokens and clients.
- Atul introduces Frederick Kautz and Arjun Subedi to discuss Safe MCP
- Slide Deck
- Frederick authored NIST SPD 800-240D, background in Cloud Native and Identity
- Safe MCP is based off the MITRE attack framework
- Plan to start with MCP and then eventually may move focus to other AI access technologies
- MCP Authorization with Auth 2.1 + PKCE is being vibe coded in some cases due to complexity
- Would like to establish clear identity channels
- New attack surfaces emerging
- Mentioned IETF Auth Drafts for AI access:
- AAuth: Agent-friendly authorization flows
- OBO for Al Agents: Explicit actor identity
- Identity Chaining: Cross-domain propagation
- Expects consumption of Safe MCP by enterprises to be based on desire for visibility (through CAEP, SSF) and through compliance frameworks.
- Example entry SAFE-T1001
- How do they see collaboration on Safe MCP?
- Would like to collaborate with OpenSSF, OIDF, and OWASP to output a threat database that is stewarded by a group of the three.
- By working together we can leverage domain expertise across the three domains without stovepiping security solutions
- Questions
- Rania Khalaf: Some of these threats are not MCP-specific, how do you determine what’s in scope?
- FK: Those threats have characteristics that are specific to an LLM not using MCP vs the threat being applied through MCP.
- RK: Maybe we should provide additional context about how the threat relates?
- FK showing example at safe-mcp/techniques/SAFE-T1001/README.md
- Stepping through threat and mediation event chain and discussion around how we can help outline specific contexts and why certain
-
Atul Tulshibagwale: Is there a way we could write this threat model in such a way that if it was included in the prompt, an agent could potentially take preventative action?
- FK: I believe so. There are multiple families of “vibe coding” style, or RAG or LSP styles, that models use that can take better initial prompt feedback, however many LLMs today suffer from token and context rot, causing them to drift or lose previous context. These services can also instantiate additional agents that help sanitize or review task objectives throughout the primary agent’s task session.
- AT: If an LLM is aware of a given threat, can it disregard or avoid scenarios that would introduce that threat.
- FK: Yes, [gives example of being able to provide guardrails to Anthropic LLM]
- Alex Babanue: I don’t think we should rely on LLMs to provide security until proven wrong, but would prefer to use a deterministic layer to provide security guarantees.
- FK: Agreed, and traditional unit tests can be provided to a certain extent.
- FK: One of the best examples of deterministic services being used to defend against AI is through authentication, very black and white system for determining what an LLM can do.
- Chris Phillips: Thanks for doing this work and very relevant to the work I’ve been doing in MCP and elsewhere. Could we surface this to supply chain defence / SBOM review?
- FK: I see this as fitting in very well there. [Anecdotal discussion around CVE associated with curl and dealing with patching fleets in a more performant way]. Would love to see a matrix that ties this framework together, tying CVEs to techniques.
- Rania Khalaf: Some of these threats are not MCP-specific, how do you determine what’s in scope?
- Next steps for forming a Threat Modeling sub-group as outlined by Frederick
- Jeff not present, differing taxonomy sub-group discussion
- AOB
- George Fletcher: we haven’t yet discussed standard deployment models. Was very interested in the MCP Bundle work, but lacks ability to trust those bundles. I think it would be helpful to discuss or produce an artifact about deployment models.
- Atul to schedule time to discuss
- Tom Jones: I posted a threat model that covered that last time, does that address that?
- GF: I’m looking for broader set of deployment models [currently have just one]
- Beginning discussion around what we’re trying to evaluate but approaching meeting time limits.
- Gail Hodges: I wanted to point out the administrative side of the subgroups we’re discussing, and it’s up to the CG to decide how to proceed