# WG Meeting: 2025-09-02
## Agenda
- Final specs published!
- Comment in AIIM about CAEP
## Attendees
- Atul Tulshibagwale (SGNL)
- Mike Kiser (SailPoint)
- John Marchesini (Jamf)
- Shayne Miel (Cisco)
- Stan Bounev (Blue Label)
- Apoorva Deshpande (Okta)
- Sean O'Dell (Disney)
- George Fletcher (Practical Identity)
- Gail Hodges (OIDF)
- Thomas Darimont (OIDF)
## Notes
### Final specs are published!
- OpenID Shared Signals Framework: https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html
- OpenID CAEP: https://openid.net/specs/openid-caep-1_0-final.html
- OpenID RISC: https://openid.net/specs/openid-risc-1_0-final.html
### CAEP Agentic bindings:
- [Comment in AIIM](https://oidf.slack.com/archives/C091VMU2R3P/p1756400981992129)
- (Sean) When you get to register on first use, you just need to issue agents an ID
- (Mike) There's some place for "OBO" transactions. We'd like to know not only the agent, but who the work was done on behalf of
- (George) Gets into whether it is working autonomously or OBO.
- (George) Are we continuously authenticating the AI agent? Are we using the same mechanism? Is it the short-lived credential being used?
- (Sean) Agreed, but reality is different
- (George) What are the relevant events from an agentic AI perspective? How would you revoke an agentic AI session? What would cause the backend system to invalidate it? What is the potential harm by doing so?
- (George) Should an agentic AI system (MCP client, server, etc.) be able to leverage CAEP/SSF? Yes.
- (Atul) "token claims change" events could also be interesting.
- (George) Transaction audit is also very important. Shared Signals is an interesting infrastructure to support auditing (every system must report what they did in this transaction). Using the async push model is really useful / interesting in concept.
- (George) When we delegate, we don't expect to be asked for every little thing.
- (Mike)
- (George) There's some min-max optimal solution that reduces user friction, but provides user protection
- (George) I read the ["proof of intent"](https://github.com/giovannypietro/poi), but I didn't get to the details part. I'm not sure that is there.
- (Atul) Proof of intent seems important, but hard.
- (George) There's one approach of "figure out everything you want, and then ask", but I don't think that's viable.
- (Atul) We could use adversarial networks to verify intent.
- (George) Agents could be used to provide the consent.
...
- (Sean) People implementing agents don't understand OAuth at all.
- (George) We might need to define new events for agents
### Interop testing / conformance
- (Thomas) How do you expose the poll endpoint from the transmitter side?
- (Shayne) You get it as a part of the stream configuration
## Action Items