[Openid-aiim] Meeting notes
Atul Tulshibagwale
atul at sgnl.ai
Fri Sep 26 01:30:49 UTC 2025
Hi all,
The notes from today's AIIM CG call are saved here:
https://github.com/openid/cg-ai-identity-management/wiki/20250925
Thanks very much to Chris Phillips
<https://www.linkedin.com/in/chris-phillips-cidpro/>, Tobin South
<https://www.linkedin.com/in/tobinsouth/> and Nick Steele
<https://www.linkedin.com/in/nickelsteele/> for their presentations today.
Presenters, please share the decks for your presentations to this mailing
list.
I'm copying them below for convenience.
Atul
--
Atul Tulshibagwale
CTO
<https://www.linkedin.com/in/tulshi/> <atul at sgnl.ai>
---
Sep 25, 2025

Attendees

Name                   | Affiliation       | Participation Agreement signed?
Tobin South            | WorkOS & Stanford | Yes
Atul Tulshibagwale     | SGNL              | Yes
Rick Burta             | Okta              | Yes
Subramanya N           | Independent       | Yes
Eleanor Meritt         | Independent       | Yes
Dan Moore              | FusionAuth        | Yes
Tal Skverer            | Astrix Security   | Yes
Vaibhav Narula         | Independent       | Yes
Asanka Samaraweera     | Independent       | Yes
Ricky Padilla          | 1Password         | Yes
Nick Steele            | 1Password         | Yes
Paul Templeman         | Independent       | Yes
Paul Lanzi             | IDenovate         | Yes
Sarah Cecchetti        | Beyond Identity   | Yes
Bertrand Carlier       | Wavestone         | Almost there…
Andrew Moran           | Independent       | Yes. First time!
Stan Bounev            | Blue Label Labs   | Yes
Lukasz Jaromin         | Raidiam           | Yes
Adwait Shinganwade     | Independent       | Yes
Victor Lu              | Independent       | Yes
Tom Jones              | Independent       | Yes
Aldo Pietropaolo       | Sophos Advisor    | Yes
Max Crone              | 1Password         | Yes
Anuradha Karunarathna  | WSO2              | Yes
Agenda

- Tobin’s weekly updates (5 minutes)
- Chris Phillips on OpenID Federation and MCP (20 minutes)
- Tobin: MCP Dev Summit preview: Agent Auth (20 minutes)
- Nick Steele <nick.steele at 1password.com>: Agent Payment Protocol Intro
  (10 mins) - Slides
  <https://docs.google.com/presentation/d/1PU0pl2TI-MzZfMthlMcRXGPEA7EYQJK15nwuS7bIa-Q/edit?usp=sharing>
Notes

Chris Phillips’ Presentation

- Chris Phillips’ presentation: Improving AI Identity, Trust and Provenance
  using OpenID Federation
- Background in federated identity in the research and education sector
- Challenges:
  - Shadow MCP
  - “Rug pull problem”
  - (many others in the slides)
- Multi-lateral federation is an opportunity for the AI space.
- Take things that are happening in past protocols and bring them to AI
- “Federation guides who you can trust. OAuth / OIDC still decides what
  you can do.”
- OpenID Federation is great at trust, but you still need a registry of
  “what you can trust”
- OpenID Federation is a trust fabric:
  - A Trust Anchor (e.g. CA) signs an “Entity Statement”
  - Each participant OP / RP / RS exposes an Entity Configuration
  - Just like a browser flags untrusted certificates, a missing or
    untrusted attestation can flag untrustworthy participants in MCP
- It’s ready for primetime:
  - Italy’s Public Digital Identity System (SPID)
  - OpenID Federation pilot takes it to 10k entities to enable SAML2
    federation
- Candidate use cases:
  - Defense against rogue MCP
  - SBOM for MCP servers
  - Shard usage based on user’s role (authorization)
  - Safe personal use of MCP
  - Readiness for PQC
- Demo of gateway MCP
  - Critical to secure AI
  - “Meta MCP”
- Questions / comments:
  - (Lukasz Jaromin) Connections in MCP do not require prior
    registration, so having trust marks would be good
    - (Chris) Just like you can connect anonymously to a website, and then
      be challenged for authentication, you should be able to do something
      similar in MCP
  - (Atul) How does this tie into threat modeling?
    - (Chris) This is going to be important.
      - The process of issuing a trust mark will be tied to threat modeling
      - I’ve done a Safe MCP analysis
  - (Paul Templeman) How do you see dynamic / unstructured ecosystems
    play into this?
    - (Chris) Think of an MCP Server that has “get customer information”
      as a tool. Who is the user that is asking the question?
      - MCPs can be in multiple “venn diagrams” (trust domains?). Which one
        takes priority?
  - (Tom Jones) I have posted an AI threat model - OIDC does not fit that
    - does anyone have a threat model for using this trust structure with AI?
    https://github.com/w3c-cg/threat-modeling/blob/main/models/ai-in-browser.md
Tobin’s Presentation

- We are publishing the “future of agent identity” white paper in the OIDF
  soon.
- There’s an MCP Dev Summit next week.
- Tools can be highly dynamic - based on user roles and permissions
  - Creates a bunch of security risks
- Cross-app authorization is an interesting proposal from Aaron
- Background agents are cool - you just get a PR from the agent.
  - Hard to define the full scope of permissions in order for the agent to
    be effective
- Attenuation of permissions is also interesting (especially in transitive
  use cases)
- What does MCP look like in a world of fully autonomous agents?
- What are we missing as far as authorization in AI? Love to get opinions
  on this:

Questions:

- (Tom Jones) If you are talking about an AI, you need rich policy. We
  don’t have anyone working on that as far as I know.
- (Nick) ID-JAG (cross-app access) was meant to deal with the multiple
  trust boundary issue. If I have a central auth server, it solves some
  issues.
  - (Tobin) Going to talk about agentic payments stuff
    - ID-JAGs work as long as you are using the same IdP. If you are
      delegating to another organization’s agent, then it might not work
  - (Nick) We had multiple IdPs / gateways in Cisco, but being able to
    have a central authority across trust boundaries is better
- (Chris) It takes multiple ingredients to make a good cake. You’re going
  to have different contexts for different regions.
  - It’s such a high step function today to do everything, that it needs to
    be brain dead easy to do some of the basic stuff first.
- (Atul) What’s the distinction between background agents and async agents?
  - (Tobin) You expect background agents to be able to prompt
- (Lukasz) Everything on your last slide makes sense. A couple of options on
  that list make the multi-domain thing work. But there is a question of
  adoption and how to make it tangible.
Nick’s Presentation on AP2

- AP2 works on top of MCP and A2A, and facilitates payment transactions
- “Intent mandates” with an attestable chain of events
- “Cart mandate” that reflects the intent.
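The trust-fabric mechanics in Chris Phillips’ section above (a Trust Anchor signs Entity Statements, each participant publishes a self-issued Entity Configuration, and a missing or unattested statement flags the participant the way a browser flags an untrusted certificate) are easy to get subtly wrong in a gateway, so here is an added example of the chain walk. It is not part of these notes, of Chris’s slides, or of any OpenID Federation implementation. It is written in Go with Ed25519-signed compact JWS; the entity ids federation.example.org and mcp.example.org, the key ids ta-1 / mcp-1 / mcp-x, and the whole fixture are constructed for the example, jwks is simplified to a map of kid to raw public key instead of a JWK Set, and metadata, trust marks, authority_hints resolution and fetching over HTTPS are left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// EntityStatement is a reduced OpenID Federation entity statement; a real one
// carries a JWK Set and metadata. jwks here maps kid -> base64url raw Ed25519 key.
type EntityStatement struct {
	Iss  string            `json:"iss"`
	Sub  string            `json:"sub"`
	Exp  int64             `json:"exp"`
	JWKS map[string]string `json:"jwks"`
}

var b64 = base64.RawURLEncoding

// Sign serialises st as a compact EdDSA JWS under key id kid.
func Sign(priv ed25519.PrivateKey, kid string, st EntityStatement) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	p, _ := json.Marshal(st)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verify checks token against an attested key set, pins the algorithm and
// enforces expiry; it returns the statement and the kid that signed it.
func verify(token string, keys map[string]string, now time.Time) (*EntityStatement, string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, "", fmt.Errorf("malformed JWS")
	}
	h, st := struct{ Alg, Kid string }{}, EntityStatement{} // json matches alg/kid case-insensitively
	for i, dst := range []interface{}{&h, &st} {
		raw, err := b64.DecodeString(parts[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, "", fmt.Errorf("undecodable JWS part %d", i)
		}
	}
	pub, err := b64.DecodeString(keys[h.Kid]) // an unknown kid decodes to empty
	if h.Alg != "EdDSA" || err != nil || len(pub) != ed25519.PublicKeySize {
		return nil, "", fmt.Errorf("kid %q not in attested key set, or alg not EdDSA", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, "", fmt.Errorf("bad signature")
	}
	if now.Unix() >= st.Exp {
		return nil, "", fmt.Errorf("statement expired")
	}
	return &st, h.Kid, nil
}

// ValidateTrustChain walks from the trust anchor down: chain[0] is the leaf's
// self-issued entity configuration, chain[1:] are subordinate statements, the last
// issued by anchorID. Each signing key must be in the set its superior attested.
func ValidateTrustChain(chain []string, anchorID string, anchorKeys map[string]string, now time.Time) (*EntityStatement, error) {
	keys, issuer := anchorKeys, anchorID
	for i := len(chain) - 1; i >= 1; i-- {
		st, _, err := verify(chain[i], keys, now)
		if err != nil || st.Iss != issuer || st.Iss == st.Sub {
			return nil, fmt.Errorf("subordinate statement %d rejected (expected issuer %q): %v", i, issuer, err)
		}
		keys, issuer = st.JWKS, st.Sub // keys the superior attests for the next entity down
	}
	// Key binding: the leaf must sign with a key its superior attested and list that same key.
	leaf, kid, err := verify(chain[0], keys, now)
	if err != nil || leaf.Iss != leaf.Sub || leaf.Sub != issuer || leaf.JWKS[kid] != keys[kid] {
		return nil, fmt.Errorf("entity configuration for %q rejected: %v", issuer, err)
	}
	return leaf, nil
}

// demoFixture is constructed data: an anchor that attests one MCP server key,
// plus a rogue configuration for the same entity id under an unregistered key.
func demoFixture() ([]string, []string, string, map[string]string) {
	anchorID, leafID, exp := "https://federation.example.org", "https://mcp.example.org", time.Now().Add(time.Hour).Unix()
	taPub, taPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	leafPub, leafPriv, _ := ed25519.GenerateKey(nil)
	roguePub, roguePriv, _ := ed25519.GenerateKey(nil)
	anchorKeys := map[string]string{"ta-1": b64.EncodeToString(taPub)}
	leafKeys := map[string]string{"mcp-1": b64.EncodeToString(leafPub)}
	rogueKeys := map[string]string{"mcp-x": b64.EncodeToString(roguePub)}
	config := Sign(leafPriv, "mcp-1", EntityStatement{Iss: leafID, Sub: leafID, Exp: exp, JWKS: leafKeys})
	subordinate := Sign(taPriv, "ta-1", EntityStatement{Iss: anchorID, Sub: leafID, Exp: exp, JWKS: leafKeys})
	rogueConfig := Sign(roguePriv, "mcp-x", EntityStatement{Iss: leafID, Sub: leafID, Exp: exp, JWKS: rogueKeys})
	return []string{config, subordinate}, []string{rogueConfig, subordinate}, anchorID, anchorKeys
}

func main() {
	good, rogue, id, keys := demoFixture()
	fmt.Println(ValidateTrustChain(good, id, keys, time.Now()))  // leaf statement, <nil>
	fmt.Println(ValidateTrustChain(rogue, id, keys, time.Now())) // <nil>, rejected: kid "mcp-x" not attested
}
```

The security-relevant line is the key-binding check at the end of ValidateTrustChain: the leaf’s entity configuration has to be signed with a key that its superior attested and that it lists itself. That is what lets a gateway treat a server whose key the anchor never registered (the rogue-MCP case, or a key silently swapped after registration) like an untrusted certificate before OAuth ever decides what it may do; the alg pin and the expiry check are the usual JWS hygiene that a chain walk should not skip.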