20250925
Atul Tulshibagwale edited this page Sep 26, 2025 · 1 revision
| Name | Affiliation | Participation Agreement signed? |
|---|---|---|
| Tobin South | WorkOS & Stanford | Yes |
| Atul Tulshibagwale | SGNL | Yes |
| Rick Burta | Okta | Yes |
| Subramanya N | Independent | yes |
| Eleanor Meritt | Independent | yes |
| Dan Moore | FusionAuth | Yes |
| Tal Skverer | Astrix Security | Yes |
| Vaibhav Narula | Independent | Yes |
| Asanka Samaraweera | Independent | Yes |
| Ricky Padilla | 1Password | Yes |
| Nick Steele | 1Password | Yes |
| Paul Templeman | Independent | Yes |
| Paul Lanzi | IDenovate | Yes |
| Sarah Cecchetti | Beyond Identity | yes |
| Bertrand Carlier | Wavestone | Almost there… |
| Andrew Moran | Independent | Yes. First time! |
| Stan Bounev | Blue Label Labs | Yes |
| Lukasz Jaromin | Raidiam | Yes |
| Adwait Shinganwade | Independent | Yes |
| Victor Lu | independent | yes |
| Tom Jones | ind | yes |
| Aldo Pietropaolo | Sophos Advisor | Yes |
| Max Crone | 1Password | Yes |
| Anuradha Karunarathna | WSO2 | Yes |
- Tobin’s weekly updates (5 minutes)
- Chris Phillips on OpenID Federation and MCP (20 minutes)
- Tobin: MCP Dev Summit preview: Agent Auth (20 minutes)
- Nick Steele: Agent Payment Protocol Intro (10 mins) - Slides
- Chris Phillips’ presentation: Improving AI Identity, Trust and Provenance using OpenID Federation
- Background in federated identity in the research and education sector
- Challenges:
- Shadow MCP
- “Rug pull problem”
- (many others in the slides)
- Multi-lateral federation is an opportunity for the AI space.
- Take things that are happening in past protocols and bring them to AI
- “Federation guides who you can trust. OAuth / OIDC still decides what you can do.”
- OpenID Federation is great at trust, but you still need a registry of “what you can trust”
- OpenID Federation is a trust fabric:
- A Trust Anchor (e.g. CA) signs an “Entity Statement”
- Each participant (OP / RP / RS) exposes an Entity Configuration
- Just like a browser flags untrusted certificates, a missing or untrusted attestation can flag untrustworthy participants in MCP
- It’s ready for primetime:
- Italy’s Public Digital Identity System (SPID)
- OpenID Federation pilot takes it to 10k entities to enable SAML2 federation
- Candidate use cases:
- Defense against rogue MCP
- SBOM for MCP servers
- Shard usage based on user’s role (authorization)
- Safe personal use of MCP
- Readiness for PQC
- Demo of gateway MCP
- Critical to secure AI
- “Meta MCP”
- Questions / comments:
- (Lukasz Jaromin) Connections in MCP do not require prior registration, so having trust marks would be good
- (Chris) Just like you can connect anonymously to a website, and then be challenged for authentication, you should be able to do something similar in MCP
- (Atul) How does this tie into threat modeling?
- (Chris) This is going to be important.
- The process of issuing a trust mark will be tied to threat modeling
- I’ve done a Safe MCP analysis
- (Paul Templeman) How do you see dynamic / unstructured ecosystems playing into this?
- (Chris) Think of an MCP Server that has “get customer information” as a tool. Who is the user that is asking the question?
- MCPs can be in multiple “venn diagrams” (trust domains?) Which one takes priority?
- (Tom Jones) I have posted an AI threat model - OIDC does not fit that - does anyone have a threat model for using this trust structure with AI? https://github.com/w3c-cg/threat-modeling/blob/main/models/ai-in-browser.md
- We are publishing the “future of agent identity” white paper in the OIDF soon.
- There’s an MCP Dev Summit next week.
- Tools can be highly dynamic - based on user roles and permissions
- Creates a bunch of security risks
- Cross-app authorization is an interesting proposal from Aaron
- Background agents are cool - you just get a PR from the agent.
- Hard to define the full scope of permissions in order for the agent to be effective
- Attenuation of permissions is also interesting (especially in transitive use cases)
- What does MCP look like in a world of fully autonomous agents?
- What are we missing as far as authorization in AI? Love to get opinions on this:
Questions:
- (Tom Jones) If you are talking about an AI, you need rich policy. We don’t have anyone working on that as far as I know.
- (Nick) ID-JAG (cross-app access) was meant to deal with the multiple trust boundary issue. If I have a central auth server, it solves some issues.
- (Tobin) Going to talk about agentic payments stuff
- ID-JAGs work as long as you are using the same IdP. If you are delegating to another organization’s agent, then it might not work
- (Nick) We had multiple IdPs / gateways in Cisco, but being able to have a central authority across trust boundaries is better
- (Chris) It takes multiple ingredients to make a good cake. You’re going to have different contexts for different regions.
- It’s such a high step function today to do everything, that it needs to be brain dead easy to do some of the basic stuff first.
- (Atul) What’s the distinction between background agents and async agents?
- (Tobin) You expect background agents to be able to prompt
- (Lukasz) Everything on your last slide makes sense. A couple of options on that list make the multi-domain thing work. But there is a question of adoption and how to make it tangible.
- AP2 works on top of MCP and A2A, and facilitates payment transactions
- “Intent mandates” with an attestable chain of events
- “Cart mandate” that reflects the intent.