Meeting on 2025‐10‐16
| Name | Affiliation | Participation Agreement signed? |
|---|---|---|
| Atul Tulshibagwale | SGNL | Yes |
| Tobin South | Stanford / WorkOS | Yes |
| tomj | ind | Yes |
| Bertrand Carlier | | Yes! finally |
| Adwait Shinganwade | Independent | Yes |
| Alex Keisner | Vouched | Yes |
| Sarah Cecchetti | Beyond Identity | Yes |
| Alex Babeanu | Indykite | Yes |
| Steve Venema | Independent | Yes |
| Rick Burta | Okta | Yes |
| Gail Hodges | OIDF | N/A |
| Nick Dawson | Self | Yes |
| Flemming Andreasen | Cisco Systems | Yes |
| Vaibhav Narula | Independent | Yes |
| Stan Bounev | Blue Label Labs | Yes |
| Apoorva Deshpande | Okta | Yes |
- Tobin South’s weekly updates
- (Tobin) OpenAI AgentKit
- Only has API key and custom headers
- (Sarah) iFrames terrify me
- User management is handled by the MCP
- (Stan) Apps inside ChatGPT have their own login flow, similar to how AWS Cognito does it.
- (Tobin) Client ID Metadata is going to be a part of the MCP spec (approved)
- It goes a long way to address security risks left unaddressed by DCR
Atul’s profiles SEP has been folded into the concept of MCP extensions. The profiles SEP outlined how to negotiate between the MCP client and server which profiles are supported. Extensions do not yet have a way to negotiate what extensions are supported. That work still needs to be done.
Feedback for whitepaper: flesh out AP2 section (mandates and VCs) and KYAPay (tokens)
Alex is suggesting a new addition to payment protocols to add some of the features that exist today in the transaction tokens spec. One of those is the ability to “roll back” both transactions and permissions.
- (Tom) I don’t understand the idea of transaction in this space.
- It morphs during the interchange, so calling it a transaction tries to take it into a deterministic space, which is conflicting with the non-deterministic nature of agents.
- (Alex) You might want to predefine some transactions
- (Tom) I don’t know if you can predetermine in AI (conceivable but not likely)
- (Alex) We have deterministic systems for transactions, so we should be able to map AI to that
- (Brian) Despite the name “transaction” in Transaction Tokens, it is conceptually different from what Alex was talking about. We should not over apply that to transactions
- (Alex) I said “something like”, not exactly Transaction Tokens. Perhaps Macaroons, etc.
- (Steve) I’m thinking along the same lines as Alex. The end user doesn’t trust an agent with everything. Macaroons is one of the ideas I’m thinking about
- (Steve) We need to work out some use cases to figure out what we’re going to do about it
- (Pieter) Context on TraTs. The concept is to have a short-lived token to prevent people from having to pass access tokens. It’s really just a way to down-scope and preserve information. It is meant to be used within specific trust domains. There’s a separate draft for “Cross-domain Identity Chaining and Authorization”. The Cross-App access draft from Aaron is based on that.
- (Atul) The first MCP extension is “Enterprise Managed Access”, which is related to XAA (probably the same)
- (Tobin) Smithery, which hosts MCP servers. Aaron is trying to work with them to do XAA for consumer use cases
- (Tobin) Examples of non-deterministic reasoning
Threat Modeling
- (Atul) Threat modelling subgroup is a go ahead
- (Sarah) Looking at known experience from OIDF/identity experts at the type of attacks we are likely to see (Gail asked if she meant it was like FAPI 2.0 attacker model, no not exactly)
- (Tom) W3C already is working on threat modeling
- (Stan) We can start with the MITRE framework, but also get feedback from experts
- (Sarah) We can contribute back to Safe MCP. We might not need to create something different.
- (Stan) Implementers need guidance to make their implementations safer
- (Chris) On the lines of Safe-MCP: Lowest hanging fruit are coding hygiene, token hygiene, etc. There are a bunch of “Security 101” things that need to be watched out for.
Tobin updates:
- ArXiv paper being published today
- IIW next week
- OIDF specific events on Monday and Friday
- (Sarah) Next meeting can be converted to an IIW session
- (Gail) Co-chairs have to say “Note Well” applies. Cochairs hosting an official CG meeting should just flash the usual event Note Well statement so people realize their feedback is covered by it and make any public statements with that in mind.
- People do not need to sign Participation Agreement, though of course they are all welcome at any time to take part regularly
OIDF workshop Monday 10/20. It is hybrid, and free. Can come in person to CISCO offices or attend online. https://openid.net/registration-open-for-openid-foundation-hybrid-workshop-at-cisco-on-mon-20th-october-2025/
DCP WG meeting invites are in notes to DCP WG email thread.
- 10/20 Morning pre-IIW DCP meeting: https://dcpwg-iiw-20oct25.eventbrite.co.uk/
- Post-IIW DCP Friday 10/24: https://dcpwg_iiw_24oct25.eventbrite.co.uk/
For WG meetings in person the Contribution agreement applies if you plan to make comments, since it is an official WG meeting called for that purpose. But you can also observe and not make comments, at Cochair notice/approval which is (in my observation) not an issue.
Great coverage on the AIIM CG Whitepaper since announcement on Oct 7th.
Big thanks to Serj @ OIDF for her PR work & coordination with Tobin for follow-up interviews and podcasts, etc.
· Unchecked AI agents could be disastrous for us all - but OpenID Foundation has a solution | ZDNET
· OpenID's new AI identity management whitepaper | Security News
· With the US all-in on AI, buzz on AI agents gets louder and need for trust increases | Biometric Update
· Zero Trust for AI Agents: Implementing Dynamic Authorization in an Autonomous World - Security Boulevard
· Beyond Chatbots: Why Agent Security Is the Industry's Next Major Challenge - Security Boulevard
· https://www.findarticles.com/openid-idea-to-tame-unchecked-ai-agents-at-scale/
· Unchecked AI agents could be disastrous for us all – but OpenID Foundation has a solution – TechNewsEKB – Engineering Knowledge Base
· Beyond Chatbots: Why Agent Security Is the Industry’s Next Major Challenge
· Unchecked AI agents could be disastrous for us all – but OpenID Foundation has a solution – SysLog.gr
· New whitepaper reveals urgent agentic AI security risks
· OpenID Foundation whitepaper exposes critical AI agent security gaps - Identity Week
· Amazon Quick Suite Challenges ChatGPT at Work
· Amazon takes shots at ChatGPT with Quick Suite - your new AI 'teammate' at work - WireFan - Your Source for Social News and Networking
· Amazon QuickSuite: AI Rival to ChatGPT for Work – Archyde
· Amazon takes shots at ChatGPT with Quick Suite – your new AI 'teammate' at work – Metapress
· AWS's new agentic solution is a searchable AI hub for all… – Unified Networking
· Agentic AI breaks zero trust: Here’s how to fix it | Biometric Update
· AI Agents Expose Critical Gaps in Cybersecurity – Mexican Business News
· OpenID Foundation warns of security flaws in AI agent identity | The Paypers
· Enterprises take nearly a week to grant new hires full access to critical workflows - Identity Week
· Also secured an email interview with iTNews Australia and a guest slot on Identity at the Center podcast. Links to be shared when ready.