[Openid-specs-authzen] FW: Follow-up on the Tuesday side meeting on AI Protocols
Alex Babeanu
alex.babeanu at indykite.com
Tue Nov 4 20:13:35 UTC 2025
Thanks Jeff, this is great !
./\.
On Tue, Nov 4, 2025 at 8:13 AM Lombardo, Jeff via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
> FYI
>
> *Jean-François “Jeff” Lombardo* | Amazon Web Services
> Principal Solution Architect, Security Specialist
> Montréal, Canada
>
> *Thoughts on our interaction? Provide feedback here*
> <https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>
>
>
> *From:* Lombardo, Jeff <jeffsec at amazon.com>
> *Sent:* November 4, 2025 11:02 AM
> *To:* agent2agent <agent2agent at ietf.org>
> *Cc:* Pieter Kasselman <pieter at spirl.com>; Lombardo, Jeff <jeffsec at amazon.com>
> *Subject:* Follow-up on the Tuesday side meeting on AI Protocols
>
> Hi,
>
> As requested during the side meeting, here are some additional pointers for
> the justifications that some of the elements of Authentication and
> Authorization are, as of now, worked on in other Areas and SDOs:
>
> - Delegation of Authorization is the core of the OAuth Working Group
>   - The Working Group is making some good progress on Cross Trust
>     Domain boundaries
>     - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/01/
>     - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/06/
>   - We should not forget that Model Context Protocol decided to rely
>     on OAuth to prevent defining a new way of dealing with Authorization in
>     their specification. Such behavior accelerated the following drafts in the
>     OAuth WG:
>     - OAuth 2.0 Protected Resource Metadata -
>       https://datatracker.ietf.org/doc/rfc9728/
>     - OAuth Client ID Metadata Document -
>       https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/00/
>     - OAuth 2.1 -
>       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-14
>     - Best Current Practice for OAuth 2.0 Security -
>       https://datatracker.ietf.org/doc/html/rfc9700
>   - We should also note A2A is completely capable of working with
>     OAuth credentials
> - When involving users, the OpenID Foundation has this at the heart of
>   OpenID Connect
>   - https://openid.net/specs/openid-connect-core-1_0.html
> - Agent authentication and identification is the core of the WIMSE
>   Working Group
>   - Global repository:
>     https://datatracker.ietf.org/group/wimse/documents/
>   - Architecture:
>     https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/
>   - Workload to Workload secure interactions (stops at the security,
>     does not define the applicative layer of interactions):
>     https://datatracker.ietf.org/doc/draft-ietf-wimse-s2s-protocol/
>   - Identifier:
>     https://datatracker.ietf.org/doc/draft-ietf-wimse-identifier/
> - Those two working groups are working in concert to ensure that all
>   of this is multi-trust-domain capable and credential-exchanging capable
> - On the Authorization side:
>   - The market, as part of Zero Trust, is embracing ABAC [NIST
>     https://csrc.nist.gov/pubs/sp/800/162/upd2/final] in the form of
>     policies that can handle an expanded taxonomy
>   - Cedar Language emerged as a mathematically provable language for
>     scalable policy evaluation
>     - https://github.com/cedar-policy
>     - Currently looking to be transferred to CNCF
>     - Automated Reasoning capabilities:
>       https://arxiv.org/pdf/2403.04651
>   - The OpenID Foundation is currently standardizing how a PEP can
>     ask for an Authorization decision from a PDP. In your case, each Agent would
>     be a PEP.
>     - This is happening through the AuthZEN Working Group:
>       https://openid.net/wg/authzen/
>     - This is currently going through final review for version 1.0:
>       https://openid.net/public-review-period-for-proposed-authorization-api-1-final-specification/
>
> I hope those elements would allow you to improve the definition of the
> scope by understanding that those ICAM (Identification, Credentialling, and
> Access Management) problems should be out of scope and should remain built
> upon what is done and standardized in those other Areas / WGs / SDOs.
>
> Jeff
>
--
Alex Babeanu
Lead Product Manager, AI Control Suite
t. +1 604 728 8130
e. alex.babeanu at indykite.com
w. www.indykite.com