[Openid-specs-ipsie] 2025-10-07 Meeting Summary

[Aaron Parecki]

Hi all,

Below are the minutes from the working group call today.

As a reminder, we will not be having the regular working group call on
October 14th or 21st due to conflicting events many of us will be at.

As we talked about at the end of the call, everyone should feel free to use
the three weeks between now and the next meeting to make progress on any of
the documents!

We have the adopted OpenID SL1 and SCIM AL1 profiles that still need work,
and there is already a start to a SAML profile in an open PR. Feel free to
work on these individually or in small groups between now and the next
meeting on the 28th.

Thanks!

Aaron


---

# IPSIE WG Meeting Minutes
Date: 2025-10-07

## Attendees

* Aaron Parecki (Okta)
* Dick Hardt
* Shannon Roddy
* Travis Tripp
* Karl McGuinness
* Bjorn Helm
* Buster Doney


## Agenda

- Welcome and antitrust policy reminder https://openid.net/policies/
- OpenID Contributor Agreement reminder
https://openid.net/intellectual-property
- Reminder about OpenID Slack
- Community Events
    - OAuth Working Group interim meetings in September
        - https://events.oauth.net/
    - Authenticate, October 13 - 15 in Carlsbad, CA
    - IIW XVI October 21 - 23 in Mountain View, CA
        -
https://www.eventbrite.com/e/internet-identity-workshop-iiwxli-41-2025b-tickets-1393125719529?aff=oddtdtcreator
    - IIW Agentic AI unconference on October 24 (Friday)
        - https://agenticinternetworkshop.org/
    - IETF 124, November 1 - 7 in Montreal, Canada

- Upcoming call schedule
    - Dean out Oct 7
    - Oct 14 cancelled - Authenticate
    - Oct 21 cancelled - IIW
- IPSIE Playbook 2025-2026 planning
- Interop Event Planning and Rescope
- AOB

## Notes

Notetaker: Aaron

* Karl - talking about sessions only is limiting, we need to be able to
talk about access tokens, continuous access signals, scopes. We're
struggling to get the basics out (sessions, lifecycles), we need to just
get it done. We need to be able to focus on long term access. Why is it so
hard for us to get SL1/AL1 done?
* Travis - is the question does SL1-3/AL1-3 address AI use cases?
* Aaron - more like are the current levels sliced correctly
* Travis - one thing we are struggling with AI that is not in here is
managing the difference between an AI agent acting as itself or on behalf
of a user. From an auditability standpoint what is the role of the identity
service?
* Karl - There's a lot there to unpack, there's a bunch of gaps, the
existing enterprise identity systems have gaps. Those best practices are
changing. I don't think that's something we can easily pivot the levels to
address. The crossover is security for native apps. How do I only allow my
AI tools to be used on managed laptops with attestation.
* Travis - Is there a working group working on this?
* Karl - OpenID AI Community Group. Not a standards group, but sharing best
practices and discussions.
* Travis - Is Cross App Access something that fits in to the IPSIE levels
here?
* Aaron - I have gotten several questions about whether Cross App Access is
going to be part of IPSIE
* Karl - Is this essentially a resourcing problem, of not being able to
spend time on IPSIE?
* Aaron - As far as I can tell yes, we have good conversations for the 1
hour a week we meet, but we need to collectively spend more time on this
during the rest of the week.
* Travis - Yes from my perspective as well. If I can get 1 or 2 big
customers to say this is something we're going to require our vendors to do
it would be helpful.
* Karl - We haven't actually defined what "this" is. There's the controls
of what IPSIE is demanding, and there's the protocol controls. Is it so
hard for us to define the capabilities and outcomes you get in each level?
* (discussion about some individual bullet points in the list)
* Travis - When I go to my chief of product and ask for resourcing for
this, the question is what does it really mean, how hard is it to support,
can I map my existing business needs to it? What security does this get us?
* Buster - I don't have an opinion on the levels, I want all of them. I'm
more than happy to encourage our vendors to evangelize this. I'm not sure
how to encourage them to reach out and join the effort. I would love to
support that area.
* Travis - What would it take to get an endorsement of this?
* Buster - likely a per-vendor endorsement. I have direct conversations
with my vendor partners and can make requests.
* Aaron - Does seeing the list in this format help you have conversations?
* Buster - Yes, but what I'm missing is who I can connect them to and how
they can start. Having a few examples per level would help.
* Bjorn - This is a list of features, not a value proposition. It seems
like what we're missing is how to convey the value proposition. It could be
cost of ownership, onboarding time is faster, etc.
* Dick - Talking about how to change the value proposition is the wrong
conversation. A lot more people were participating 8 months ago than now. A
key question is why are those people not participating anymore. There was a
fair bit of excitement at the beginning. We've been talking for almost an
hour and haven't moved the needle on making progress on IPSIE.
* Shannon - we're rehashing the mythical man-month problem. I don't think
adding more people or changing the scope is going to mean progress. I'm not
an OpenID expert, we haven't gotten to SAML yet, so I haven't been able to
contribute much.
* Dick - why do you think you haven't contributed yet? what's holding you
back?
* Shannon - we've kicked the SAML profiles can down the road
...
* Kenn - we've been doing bottoms-up adoption plan, maybe we can try from
the top down as some sort of regulatory/compliance
* Karl - I can meet with Shannon and do the SAML profile.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ipsie/attachments/20251007/f301bcf7/attachment.htm>