<div dir="ltr">Hi all,<div>Here are the notes from today's call. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20250902">here</a>.</div><div><br></div><div>It's awesome to note that the final specifications for SSF, CAEP and RISC are now <a href="https://openid.net/three-shared-signals-final-specifications-approved/">published</a>!</div><div><br></div><div>Thanks to everyone for their hard work, contributions and discussions that led up to this,</div><div>Atul</div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"><table style="border:none;border-collapse:collapse"><colgroup><col width="165"><col width="160"></colgroup><tbody><tr style="height:74.5pt"><td style="vertical-align:middle;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline"><span style="border:none;display:inline-block;overflow:hidden;width:137px;height:68px"><img src="https://lh7-us.googleusercontent.com/OubMXEaSzW6cz-Rt9RyUGsuX2z_G2pbaWOSLNAI_1YuZEk9lVaehxLoZgJt6AbxshlaXTZ4HHvQjpxPRVTWVxlwCl-fPKhGsbSTcgVVvejMX1rS_DaeeX4yOVQyvp2y3cFkC6XMBihqiTrDY3qBYwq8" width="137" height="68" style="margin-left:0px;margin-top:0px"></span></span></p></td><td style="vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Poppins,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline"> Atul Tulshibagwale</span></p><p dir="ltr" style="line-height:1.5;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Poppins,sans-serif;color:rgb(102,102,102);background-color:transparent;vertical-align:baseline"> CTO</span></p><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(136,136,136);background-color:transparent;vertical-align:baseline"> </span><a href="https://www.linkedin.com/in/tulshi/" target="_blank"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline"><span style="border:none;display:inline-block;overflow:hidden;width:24px;height:24px"><img src="https://lh7-us.googleusercontent.com/nf4RO594hvFNyujzHdKSn1RCJcOIC1-Mk2-_S2GLH4LUi6Prxj4bL0tyguJ-6XH50k_fHPq6nynNBdkJwAzgGdYlImXDDKv07yQuj5PcskVaBqf9vL1Z2esDwZsb5Z9J4tvDcPiiZdQSuyzywRbH3Fs" width="24" height="24" style="margin-left:0px;margin-top:0px"></span></span></a><a href="mailto:atul@sgnl.ai" target="_blank"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline"><span style="border:none;display:inline-block;overflow:hidden;width:24px;height:24px"><img src="https://lh7-us.googleusercontent.com/jy9xWqMUZyDKsa5W_-BxVILzsnbgKHSkJVzdCeCWVVSvhJbGal-I_Ja-qTTnA1SpYE65RrEcWMMLNPfbrp9HXjBOKdeXNIVuhOBg-vZe-Ed8e0rCV8BMjih-COWlyljD_Hfqg2SzCuqKASIsPk1O6_w" width="24" height="24" style="margin-left:0px;margin-top:0px"></span></span></a></p></td></tr></tbody></table>---</div><div dir="ltr" style="margin-left:0pt" align="left"><h1 class="gmail-part" id="gmail-WG-Meeting-2025-09-02">WG Meeting: 2025-09-02</h1><h2 class="gmail-part" id="gmail-Agenda"><a class="gmail-anchor gmail-hidden-xs" href="#Agenda" title="Agenda"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Agenda</h2><ul class="gmail-part">
<li class="gmail-">Final specs published!</li>
<li class="gmail-">Comment in AIIM about CAEP</li>
</ul><h2 class="gmail-part" id="gmail-Attendees"><a class="gmail-anchor gmail-hidden-xs" href="#Attendees" title="Attendees"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Attendees</h2><ul class="gmail-part gmail-in-view">
<li class="gmail-">Atul Tulshibagwale (SGNL)</li>
<li class="gmail-">Mike Kiser (SailPoint)</li>
<li class="gmail-">John Marchesini (Jamf)</li>
<li class="gmail-">Shayne Miel (Cisco)</li>
<li class="gmail-">Stan Bounev (Blue Label)</li>
<li class="gmail-">Apoorva Deshpande (Okta)</li>
<li class="gmail-">Sean O'Dell (Disney)</li>
<li class="gmail-">George Fletcher (Practical Identity)</li>
<li class="gmail-">Gail Hodges (OIDF)</li>
<li class="gmail-">Thomas Darimont (OIDF)</li>
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Notes"><a class="gmail-anchor gmail-hidden-xs" href="#Notes" title="Notes"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Notes</h2><h3 class="gmail-part gmail-in-view" id="gmail-Final-specs-are-published"><a class="gmail-anchor gmail-hidden-xs" href="#Final-specs-are-published" title="Final-specs-are-published"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Final specs are published!</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">OpenID Shared Signals Framework: <a href="https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html" target="_blank" rel="noopener">https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html</a></li>
<li class="gmail-">OpenID CAEP: <a href="https://openid.net/specs/openid-caep-1_0-final.html" target="_blank" rel="noopener">https://openid.net/specs/openid-caep-1_0-final.html</a></li>
<li class="gmail-">OpenID RISC: <a href="https://openid.net/specs/openid-risc-1_0-final.html" target="_blank" rel="noopener">https://openid.net/specs/openid-risc-1_0-final.html</a></li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-CAEP-Agentic-bindings"><a class="gmail-anchor gmail-hidden-xs" href="#CAEP-Agentic-bindings" title="CAEP-Agentic-bindings"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>CAEP Agentic bindings:</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-"><a href="https://oidf.slack.com/archives/C091VMU2R3P/p1756400981992129" target="_blank" rel="noopener">Comment in AIIM</a></li>
<li class="gmail-">(Sean) When you get to register on first use, you just need to issue agents an ID</li>
<li class="gmail-">(Mike) There's some place for "OBO" transactions. We'd like to know not only the agent, but who the work was done on behalf of</li>
<li class="gmail-">(George) Gets into whether it is working autonomously or OBO.</li>
<li class="gmail-">(George) Are we continuously authenticating the AI agent. Are we using the same mechanism? Is it the short-lived credential being used?</li>
<li class="gmail-">(Sean) Agreed, but reality is different</li>
<li class="gmail-">(George) What are the relevant events from an agentic AI perspective? How would you revoke an agentic AI session? What would cause the backend system to invalidate it? What is the potential harm by doing so?</li>
<li class="gmail-">(George) Should an agentic AI system (MCP client, server, etc.) be able to leverage CAEP/SSF? Yes.</li>
<li class="gmail-">(Atul) "token claims change" events could also be interesting.</li>
<li class="gmail-">(George) Transaction audit is also very important. Shared Signals is an interesting infrastructure to support auditing (every system must report what they did in this transaction). Using the async push model is really useful / interesting in concept.</li>
<li class="gmail-">(George) when we delegate, we don't expect to be asked for every little thing.</li>
<li class="gmail-">(Mike)</li>
<li class="gmail-">(George) There's some min-max optimal solution that reduces user friction, but provides user protection</li>
<li class="gmail-">(George) I read the <a href="https://github.com/giovannypietro/poi" target="_blank" rel="noopener">"proof of intent"</a>, but I didn't get to the details part. I'm not sure that is there.</li>
<li class="gmail-">(Atul) proof of intent seems important, but hard.</li>
<li class="gmail-">(George) There's one approach of "figure out everything you want, and then ask", but I don't think that's viable.</li>
<li class="gmail-">(Atul) We could use adversarial networks to verify intent.</li>
<li class="gmail-">(George) Agents could be used to provide the consent.<br>
<span class="gmail-smartypants">…</span></li>
<li class="gmail-">(Sean) People implementing agents don't understand OAuth at all.</li>
<li class="gmail-">(George) We might need to define new events for agents</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Interop-testing--conformance"><a class="gmail-anchor gmail-hidden-xs" href="#Interop-testing--conformance" title="Interop-testing--conformance"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Interop testing / conformance</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Thomas) How do you expose the poll endpoint from the transmitter side?</li>
<li class="gmail-">(Shayne) You get it as a part of the stream configuration</li>
<li class="gmail-"></li>
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Action-Items"><a class="gmail-anchor gmail-hidden-xs" href="#Action-Items" title="Action-Items"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Action Items</h2></div></span></div></div></div>