Session Date/Time: 01 Jun 2026 17:00
Rifaat Shekh-Yusef: Hello? Can you guys hear me? Anybody? Aaron, can you hear me?
Aaron Parecki: We can hear you.
Rifaat Shekh-Yusef: Okay, thanks. Thanks. Thank you. Some issues always with the audio here. Okay, we'll we'll get going in a minute here, but, uh, I'm looking for a volunteer to take notes. Can we get somebody to please help us take notes because Hannes is not going to be able to join us today? Any takers? Come on. No one? There must be some brave soul here. Aaron, go ahead.
Maxwell Gerber: I'll give it. I'll give it a college try.
Rifaat Shekh-Yusef: Thanks, Maxwell. Appreciate that. No worries, Aaron, thanks. Max, there is a tool, uh, at the top. You know how to get to that? Note-taking tool?
Maxwell Gerber: Yeah, I think.
Rifaat Shekh-Yusef: Okay, I, uh, I see George here, so, and we are, um, four minutes past. So, let's, let's get going. Uh, welcome, everyone. Uh, this is the last of a series of, uh, of interims. So, uh, as a reminder, the Note Well, uh, applies here. If you're not familiar with this, please make sure to get familiar with this. This is, this governs everything that we do at the IETF. So, it's important that you understand, um, this process. And, uh, our, our agenda for today is Agentic AI and OAuth discussions. This is an open discussion mainly. There's no kind of specific, kind of, one, uh, one, one, one topic or one document or draft in this case. Uh, but a, a more widely kind of wide discussion about AI and OAuth because we have a bunch of drafts that, that, that's been kind of discussed at the OAuth working group or at least published in the context of the OAuth working group. So, um, George is going to drive that discussion, uh, so I will, if there is no other questions or comments about, about our agenda for today, I'll, I'll switch that to, let me present those, and let me give you control. George, I think you should have control now.
George Fletcher: Yeah, it says I've got control. Um. Yep, all right. Looks like I've got control. Okay. So, uh, no magic here, um, a while ago, um, after really, um, one, uh, the 125 meeting and a lot of the individual drafts that were there, I put a message to the listserv about, you know, should we have some way in which we evaluate inbound, um, or, or individual draft, um, documents, um, especially in the AI space? And, um, and then, you you know, like, how do we determine what do we pick up, what don't we pick up? Um, there's just way too much for any one person to read. Um, this whole deck is 100% Claude. Um, I, I had been collecting and tracking my, I have another spreadsheet that's now up to 70-plus, um, URLs relating to Agentic AI, delegation, um, and I know we have the, the OAuth rechartering, um, you know, coming up here soon as well. So, tons of stuff being published. I suspect my 70-plus spreadsheet is maybe 20%, maybe it's more. I don't know. I don't even know how to keep track of it or, or to, to get a sense of how much of what's, of the work is being captured in, um, and I don't know if anybody else is doing this work. So, effectively, I asked, um, Claude to first find all the individual drafts that were submitted to the IETF in the last six months that dealt with agents or delegation, um, and then combine that with all the other bits of links I had related to IETF, um, that I'd captured from other places, you know, either people leaving a link on LinkedIn, and then to sort of evaluate those drafts. Not all of them are 100% in the OAuth working group. I will say that up front in the slide deck. Um, but there's basically 32 in the last six months. And I kind of feel like that in and of itself is overwhelming. Um, so I will run through these, and then I think our best option here is to discuss like what should the process be. And maybe it's just informing George what the process is that is already present and that works efficiently. Um, I just need some way to sort of track this so I know sort of like where to engage from a timing perspective and where not. So, um, across those 32 individual drafts, they referenced, um, the, the dark blue ones, the dark blue RFCs were referenced in the, you know, across these individual drafts. And then the working group drafts, either across WIMSE, there's actually, you know, reference into SCIM in some cases, um, uh, were also referenced. And then Claude sort of organized the individual drafts into these five areas: delegation mechanics, agent identity, discovery and transport, audit and compliance, and basically the miscellaneous thing at the end, which surprisingly has more drafts than everything else. Any questions so far as to sort of, um, least where I'm headed in this? Okay. Um, feel free to drop stuff into the chat. I should be able to see it. Um, so under delegation mechanics, um, we have the stuff that Carl's been doing about actor profiles. Um, we have, uh, you know, obviously these are OAuth related in the sense of the cryptographically verifiable actor chains, attenuating authorization tokens for agent delegation, uh, the delegation, the delegated agent authorization protocol, um, the transaction tokens for agents on behalf of, um, and this OAuth 2 delegated authorization. So, seven drafts all related to delegation. Um, I did not do any, like, there's one, no way I can read all of this. But, um, two, look at the overlaps that may exist just within this set. But I think that would be an interesting, you know, work, maybe to have AI do, or whatever, is to sort of look at where the overlaps within this, um, and where the unique, uh, innovative pieces? And then like, one question would be, should we just look at one spec that relates to delegation mechanics and try and combine all of these into something? Or is it just way too early? These are all questions that I have. Um, agent identity, now we pick up some things from other drafts, I mean, other, uh, working groups, um, but, you know, obviously applicable back into OAuth. The, the WIMSE work that got contributed, obviously the stuff that Peter and Brian and Yaroslav and others have done on trying to set a framework for leveraging existing standards. There's this AIP stuff, which actually is overloaded. Multiple people using the, the AIP designation and not meaning the same thing. Um, I'm not even sure where those, oh, thank you, Brian, Aaron, and Jeff as well. Um, uh, you know, so, can we collapse this to, you know, WIMSE's, oh, and Nick. Um, to, to, you know, WIMSE's identities for workloads and be done? Um, or, you know, is there really, well, I would say the OAuth client instance assertion that Carl put together is actually something different. Um, but I know that that concept has been talked about in WIMSE, right? Instance identifiers separated from, um, you know, sort of the application or the, the client class kind of identifier. Uh, the Dawn is basically being proposed for a BoF at 126, um, in the sort of discovery space. Um, there are some other ones in here that were new to me, I hadn't even heard of them. Um, so, uh, I don't have, um, any much commentary here other than I do think discovery is something that's important. And if we can push all of that into Dawn, may, and then liaise from an OAuth perspective with the, you know, eventually, a potentially eventual working group for discovery, um, maybe that's sufficient, and, you know, we just say that OAuth doesn't, you know, isn't touching this aspect of, of a deployment at all. Um, that may be a possibility. Um, audit, uh, the, this, according to the robot, it thought that the Cool Wind audit architecture document, which is potentially also going to be another BoF, if I understood correctly, Rifaat, is that, is that right? Um, that there's a possibility of a BoF around the audit stuff?
Rifaat Shekh-Yusef: I am not familiar with this, so I, I don't know.
George Fletcher: Okay. En- anyway, the robot kind of, you know, the, the, this audit one does leverage, for those of us who want to see existing standards, and, you know, in in draft work leverage, this one does seem to do that. It references up to like 10 different, um, uh, 10 different existing specs or draft specs. Um, but other things related to audit and compliance, uh, and then this is sort of our grab bag, um, from Dick Hardt's, um, AAuth protocol, um, the, the client challenge protocol is, is maybe it's something new that I just found out about at the OAuth Security Workshop. Um, and it can relate to agents, but doesn't have to relate to agents, and it's more about if a resource server or an AS wants to basically challenge the client for a fresh attestation about the client itself. Um, and I think there could be some interesting pieces there. But then, some of these, I, I may have read at one point, the secure intent protocol, um, but, uh, many of these other ones I, I haven't. So, the grab bag. Um, and then I'll skip through these, but basically this, like I said, this collision around, um, agent identity, uh, in, in AIP seems to be overloaded. Um, there's been a number of cases where people, um, took an existing draft and then renamed it appropriately, sometimes it was initially an individual draft that was not named appropriately at all, and it just was getting fixed. In other cases, it seemed like they were shifting slightly where they might want to go, so that's all this slide was about. And then, this one was basically, you know, you have this Cool Wind, uh, thing which is about referencing these all, you know, composing these 10 other specs, you know, and then we have the AAuth, which is about building something new because maybe what we have isn't sufficient. So, I I wouldn't consider AAuth as an outlier in the sense of like it's not valid, or, or it's like way out in left field, but it, for me, it was more, um, AAuth is a whole new protocol for agents, um, versus, you know, trying to layer on top of the stuff that we have. Um, so I think that was mostly it. Um, this was just junk from my work with, uh, you know, sort of the summary of my work with Claude. So, that's the slides that I have trying, I, to me, the most interesting one is this one that basically sort of outlines how much new work, you know, 32 drafts coming into the IETF that are in the space of agents and delegation. Um, and that's the part for me that's the scary part. Yeah, yeah, Brian, you can't, that's why some of them got renamed. That one that was from, uh, uh, I can't say their name, but basically, the one about transaction tokens for agents was originally posted in, with the incorrect name, and then got fixed. Um.
Rifaat Shekh-Yusef: Where did you see those, Brian? Like, on, on the, on the OAuth web page, there is no such document that, like, they would have to go through the, the chairs and approved by the chairs, right?
Brian Campbell: Yeah, that's, that's what I thought, and George had a couple of names in here I thought that were, uh, drafts.
Rifaat Shekh-Yusef: Yeah, I think it's a, by mistake. Like, name is, yeah, by mistake, okay.
George Fletcher: Yeah, I, I don't think any of the ones so far that I have seen where people posted it with the incorrect naming scheme did so intentionally trying to get it to appear as OAuth. I think they were just thinking, "Oh, this fits in the OAuth working group, so that's what I do," and they didn't know the rules. Um, for sure, that was true for Ashe, um, and that's why it got reposted with the correct name.
Rifaat Shekh-Yusef: Yeah, that's fine. I think, I think we're good here. Uh, I don't see any one of those published as a, a working group document so far. These are all individual documents.
George Fletcher: Right. Right. So, anyway, I, I don't have more than that for this. It's, but for me, there's enough new work coming in, and I suspect we will get more before 126, right? Probably in the next four weeks we will, might have a few more new individual drafts get dropped. And I'm not sure how we manage it. So, that was more my question, and I'm totally happy to just dump this whole problem on you, Rifaat, and, and run away. Um, but, uh.
Rifaat Shekh-Yusef: Oh, it, it's, it's, it's a working group problem. Like, it's a working group, it, it's, it's not the chair-only problem, it's the whole working group needs to deal with this. So, so thanks for kind of getting this started. And we need to have that discussion now, or, or in the coming few weeks, right? Like, otherwise, the working group will be overwhelmed with a bunch of documents that may or may not be useful to the working group, right? So, so I'd love to hear the working group, uh, take on this, right? So, and, and, Brian, I see Brian not, not on mute, maybe he wants to say something. Oh, okay, he disappeared. Okay, any, any anybody has any comments, questions, suggestions, thoughts about what, what George just presented? Not a whole lot, not, um, come on, guys, somebody.
George Fletcher: I'm curious, how many of the things referenced in here, did, was anybody familiar with most of the stuff that was referenced in here?
Rifaat Shekh-Yusef: There's lots of documents here. I'm assuming most people didn't read the majority of those, right? So, and that's the challenge, right?
George Fletcher: Yeah. So, I mean, it's not even just reading it, it's just knowing that it exists. Um. Yeah. Right? When I basically said, "Hey, go read all the individual drafts in the last six months," um, right? Stuff came up that I had not even seen before. Um. So.
Rifaat Shekh-Yusef: I, I, like, I'm, I'm looking at the OAuth web page right now, and it says 40 hits for individual drafts, right? All those individual drafts, so, that's a lot of documents, right? So.
George Fletcher: Yeah.
George Fletcher: So, I don't, I mean, one thought that I had had, and I don't know if it's viable or not, would be to build some sort of simple rubric, um, yeah, that's a great question, Peter. Um, uh, you know, how much of these are deployed versus just, you know, uh, AI generated, um, but one of my thoughts had been, is, is there value in defining some sort of small rubric that basically says, "Hey, if you want the working group to look at the draft at all, then it needs to do N things." Um, because for sure, one of the ones that I agreed to review from IETF 125 didn't end up really saying anything, um, and, you know, if we'd had some sort of rubric, we wouldn't have even probably had them talking at the meeting, um, because we would have said, "No, it's not even ready for that yet." Um. So, I, I don't know what such a rubric would be, but, um, yeah.
Rifaat Shekh-Yusef: So, like, okay, I, I think, uh, to get ready for, for Vienna, um, uh, from, from a chair perspective, like, obviously, any existing kind of working group document has a priority over any of this, right? To kind of kind of filter some of those, I think we need, we need those, to be able to get time in Vienna, you need, I'm expecting to see discussions on the list for whatever documents they think they want to present in Vienna that is not a working group document, right? And I want to see interest in that, again, just to start that discussion, right? Because otherwise, like, the working group will be overwhelmed with, with, I don't know how many requests, and we're not going to be able to do anything, right? So, so first, we need to see some discussion, serious discussion on the mailing list about that, that topic if that person wants to present, right? And then, second, I think, um, people are, are talking about this already in, on, on the chat there, is that we want to see that people are actually willing to deploy such a, a solution, right? Willing to implement and deploy. It's, not, not just a, a theoretical thing, right? So, I think these, these hopefully will help us kind of, at least at the beginning, filter some, some documents out, or, or maybe focus on the ones that have some, some people and interest behind them, right?
George Fletcher: Yeah. We have two hands raised. Dick?
Rifaat Shekh-Yusef: Okay, Dick, go ahead.
Dick Hardt: Hey, nice collection, George. Thanks for pulling this all together. That's a awful lot of stuff. And I certainly want, wouldn't want to be reading all of those things. Good thing we have agents to read them. Because clearly, it seems like we've had agents to write them. Uh, one thought I had on, um, you know, how do we gate whether it's worth the working group's time to even spend time looking at any of these things, right? And just tossing out an idea I had on rubric is maybe the first part of whether a draft gets talked about is talking, whether the authors talking about, "Here's a problem needs to be solved," and the working group deciding whether they should solve it, as opposed to looking at the solution. Right? Often, I'm reading a spec, and I'm trying to figure out why, why is this even happening? What's the problem? And it's like somebody might have sort of a high-level thing, but it's not really crisp exactly what the problem is, and why it can't be solved, uh, another way. Um, I, I'd be interested in whether the working group's interested in AAuth being done in this working group given all the other things you guys have going on here. Um, some people had commented about what's being deployed, and, uh, I think there's three deployments of AAuth out there now, and I know of another four that are being built to get deployed now, and we've got a demo night at the, in a month, of people showing deployments. Um, so, some traction there. Who knows if, if it's exactly how everything's going to be, whether that'll last. I've seen lots of things come and go, so, you know, nothing's for sure. Um, but as you, as you noted, George, I've sort of burned everything down and started from the base up, and that I, you know, have a, a view that for many of the things we need to do, OAuth isn't got the right foundation for it. Um, but that I, I also tell people often, it's like, "If OAuth does what you want to do, just keep using it," right? And I do think that there's a need for people that have deployments that need just a little more to, to get some more value out of them, and, so, I think that is useful work, just isn't the work that I'm going to spend time on. Right.
George Fletcher: Right.
Rifaat Shekh-Yusef: Thanks, Dick. Bjorn.
Bjorn Hjelm: So, I again, I, I, based on the last IETF meeting, the AI conversation in various working groups, I felt there is, one, there's a, there's a mix of terminology, and so, people refer to the same thing but call it different thing. Workload, uh, AI agent, uh, work instance. So, I think number one, there needs to be a common terminology so that we talk about the same thing. I think the other part is the need for a problem statement. I think that kind of what Dick alluded to. I think the email, George, that you sent after the meeting, or the conversation the OAuth meeting, in terms of defining what the problem is before we start trying to find a solution, is extremely important, and will help any working group, including the OAuth working group, to define what is it that this group should focus on as it pertains to Agentic AI or AI. I think what I'm looking at right now is a bunch of solutions. Mhm. Again, so we're, we're, we're probably looking at solutions without really agreeing on what the problem that we want to solve. And I don't know, maybe this is obviously bigger than just the OAuth working group. And I think there is conversation in, in, WIMSE, and, and, SCIM, uh, again, similar conversation, different terminology, trying to soul-search for what is the problem they're trying to solve, starting with what the solution is. Maybe that is, this is a BoF, uh, to define what is the problem that we need to solve. Uh, so again, I look at a bunch of solutions, and I think George, you've done an excellent work to identify these, uh, different, uh, drafts or documents that's been created and submitted. Uh, but I think we, in order to help this working group define what is the, what their work should be focused on, is to agree on what is the problem statement for this working group to be solved.
Rifaat Shekh-Yusef: Okay, thanks. Thanks, Bjorn. Pieter.
Pieter Kasselman: Unmute. Here we go. Um, so, I think, m- one thing that strikes me is that these, I think there's going to be different work running on different time scales. I think there's a set of pragmatic work near-term like, uh, as Dick sort of alluded to, right? Somebody has an OAuth deployment already, they have a small gap or a couple of gaps that needs to be filled, and that is going to be their quickest path, right? And I think that's going to be their sort of near-term, getting people unblocked and moving forward. Uh, I do, and then I think there's sort of, let's call it longer-term, right? Things that will take maybe a decade, right? To sort of for us to figure out, learn from deployment experience, and really get sort of scaled, uh, deployments, um, because it's going to require sort of infrastructure getting replaced, right? Or updated. And maybe it's not 10 years, right? The age of AI, maybe that's three years or two years, right? But it is not the next 6 to 12 months, um, just because, you know, like infrastructures are just slow to change sometimes. And so maybe that's another lens with which we look at this, which is there is the, how do we keep expanding and plugging the holes that we find initiative, which is about sort of near-term, and then, you know, okay, um, you know, maybe the existing infrastructure needs a major overhaul, but that's a longer-term thing. And many of the proposals that I've, well, some of the bigger proposals, right? Sort of have, it's a whole family of specs, um, and you, you, know, and there's sort of a whole set of work that needs to be done around that. And it's not clear necessarily, right? Uh, whether whether, again, as Dick says, right? These things come, they go, it's not clear, um, and, but we do need a venue for where those discussions can take place. I don't know if that is OAuth or whether it's its own, uh, working group in the future, or whether it's, there's a separate thing outside the working group like an office hours or something. But, but there, I think there's a need to sort of, I think both discussions are valuable, um, but I think in the near-term, there's all these gaps that we can go fill. That's, that's very clear, that we need to go do something about.
Rifaat Shekh-Yusef: Yeah. Thanks, Pieter. Paul.
Paul Carleton: Hi, um, yeah, I guess I was wonder, the, in the, I think in the MCP world and then also in the, just, like open-source world in general, I think we're seeing a lot of, uh, just a lot more issues and pull requests and, and things coming in, um, with agents having more, you know, capabilities. And it feels like we need like a triage step to get, get through a lot of those, and I don't know, m- I saw you, Rifaat, you mentioned the, um, mailing list discussions. Are there other ways that we have to sort of indicate which of these are interesting to other people aside from the author, or sort of like, uh, triage or filter some of these through? Have we done that kind of thing before?
Rifaat Shekh-Yusef: Yeah, I, I think mailing list is probably one aspect of this. Another is probably scheduling interims to discuss those instead of taking the valuable time of, uh, the in-person meeting. So, so that's another avenue that I could, I could see us utilizing to kind of weed out, or, or just discuss those, and without, without consuming the, valuable time of the face-to-face meetings, so.
Paul Carleton: Okay. So, maybe more, more interims before Viennas, are you thinking?
Rifaat Shekh-Yusef: Uh, that's, that's an option, right? So.
Paul Carleton: Is, is there like polling or anything we can do? I guess it's hard to like avoid, uh, unverified people voting or something, but.
Rifaat Shekh-Yusef: Yeah, look, uh, again, look, I, I really, as a chair, I would really want to see some discussions on that on a specific document, right? Like, if, if somebody just submitted document and, and suddenly, "Hey, I, I want, I want half an hour during the Vienna meeting," uh, they're not going to get any of that, right? Like, I, I want to see discussion on the, on the list. And I want to see interest, and I want to see, as, as people indicated here, um, uh, a problem statement, a clear problem statement, and intent to deploy all of that, to implement and deploy. All, all of this needs to happen to be able to get some, right? So, um, otherwise, we have a long list of documents, we're not going to be able to do anything, but going through those, right? It's, it's just wasteful, right? Uh, anyway.
Paul Carleton: Makes sense.
Rifaat Shekh-Yusef: Okay. Anybody else? So, so just, I want to go back to what Pieter was talking about and short-term versus long-term, that's, that's a good kind of way also to kind of, look at, at issues, and, and, and, the, the goal of the rechartering is to allow the working group to discuss OAuth-based solutions and non-OAuth-based solution that, kind of agent-based solution, whatever, that involve OAuth and, and, uh, it is, so, so we're not, so the OAuth working group is, like, when we talk about AI, is, it, it's, it's possible and, and, it, it's, it's a, it's, uh, it's, uh, it's, uh, it's possible to discuss it in the context of the OAuth working group and start that discussion, and, and then, make a decision after that if, if we need to, a completely different working group, or if it, it's, it's good to continue that discussion in the context of the OAuth working group. So, um, but thinking also about long-term and short-term is, is, is useful, right? So. And I'm assuming some people want to just extend OAuth to address their specific niche or specific problem versus the, the AAuth, uh, approach, which is kind of complete, um, completely new, new mechanism, right? George, go ahead.
George Fletcher: Yeah, this is where, um, I think, you know, back to this aspect of, of problem spaces, um, you know, I've been doing work in the context of delegated authorization, and what the components of that might look like, um, some of those not being relevant to the agent world, some of them, um, still being relevant. Um, and for me, that's where stating, you know, we need to have a, a more capable delegation mechanism than just sort of sub and ACT.sub, um, to represent, um, the problem spaces that will happen potentially with agents as well as in the real world. Um, and having that discussion at the problem definition perspective, um, I think is super helpful to then get solutions that, you know, maybe they're layered on top of each other, or maybe there's other mechanisms we can do so that simple things can stay simple, but the complicated things, you know, around, uh, parent-child guardianship that have unique privacy implications and other stuff, you know, don't have to be something completely new. Um, so, you know, I think audit is a gap, um, should we punt on that and say that that's some other group's responsibility? Um, as long as we have the low-level bits in OAuth to enable the audit stuff to work correctly? So, for me, there's some of, we need to look at the problem holistically, identify gaps, and I think that the work that, um, I'm going to get all the names wrong, but Brian and Peter and Aaron and Nick and Jeff and Yaroslav and maybe there's somebody else that I forgot, um, did is a good start in that direction, but I think we probably need to continue that and to sort of figure out where we go, to look at the problem holistically, and then identify the gaps, and then say, what are the kinds of things short-term and long-term that we're going to need to fill them?
Rifaat Shekh-Yusef: Yeah. Thanks, George. Pieter.
Pieter Kasselman: Yeah, I, uh, I think one of the other things, and George, thanks for calling out the spec, um, one of the other things that I think we also need to think about is some criteria for why should it be done, uh, in, when is it in the IETF versus outside is one question, right? And then the other question is for things, um, you know, and then I think the other question is, right, what is, what is the scope of OAuth really? Is it just the OAuth protocol? But I, I'm also mindful that there is a bunch of, you know, I don't know, George, if you had a chance to sort of try and draw this graph of things outside of the IETF because it is even bigger, right? There's even more things being proposed in all sorts of forums, some of them that you only sort of discover by accident, right? You'd have somebody from OASIS reach out and say, "Oh, we're working on this too. Here's our protocol," right? Um, and these are, and then, you know, there are like all sorts of new SDOs popping out of different places, right? So, I mean, there's sort of a whole, um, yeah, and, and maybe, you know, the, the answer is, well, people self-select, right? They bring it into the IETF for reasons. But then, I think the other question is, well, is that necessarily even the right place for some of these things? And I, I don't know. I haven't read the 35 drafts, but. That's sort of another sort of lens to look through at it is, is that even, should it even be in the IETF, right? Which, I would prefer, of course, because it's where we like to do business, but still.
George Fletcher: Yeah, so in that spreadsheet that I referenced that's got 70-plus URLs in it, um, there are many in there that are outside the IETF, right? Work happening in the Decentralized Identity Foundation, or, you know, a paper, you know, an academic paper that's just getting published to the academic research site, um, that, you know, is talking about these sorts of things and, you know, coming up with their formal proofs for how you do X, Y, and Z. Um, uh, you know, there's stuff happening in the W3C. There's stuff, as you said, happening in some of these other foundations, um, that are getting spun up. So, work is definitely happening in places beyond the IETF. And then within the IETF itself, I published an article on LinkedIn last week or the week before, that's was basically looking at the upcoming BoFs plus our existing working groups, and how they sort of overlap each other to some extent. Um, uh, you know, like I said, this Dawn, um, working, uh, BoF that's coming up, and then there's an agent-to-agent BoF, which I know Aaron and Pieter and probably others that I don't know have been working with them to ensure that, you know, they don't do any authentication and authorization, so that's a win. But still from a liaison perspective, and, and trying to even just within the IETF saying, "I have to be engaged in six different working groups so that I can get the overall picture on top of then all the stuff that's happening within the OAuth working group." You know, and I would say that some of the things that have been dropped in the WIMSE working group as AI agent documents have authentication and authorization in them as part of the, the spec that's getting dropped. So, for me, in that context, even just within the IETF let alone the rest of it, it's not tenable to try and sort of watch it all and figure out how to manage it. And maybe, maybe people way smarter than I with the robots can have the robots do it for us. Um, but, uh, yeah. And then, you know, even just the 32 individual drafts in this slide deck is more than, um, I can process. So, yeah. I don't know how we make those decisions of what happens where.
Rifaat Shekh-Yusef: Yeah, and, and I think one of the motivation for rechartering the working group, the OAuth working group, is, is exactly that, not to spread the work on multiple groups and, and make it even harder for a person to wrap their head around all the working groups and, and their documents. On the other hand, we get a bunch of documents in, in one working group, so we need to be able to kind of address that challenge to make sense of all of this, right? George, go ahead.
George Fletcher: Yeah, so my, my only concern here, Rifaat, is that are we getting enough people that are delegated to, I mean, that are not delegated, that are dedicated to working on these problems and solving them at the IETF level to, to actually make measurable progress? So, we can increase our charter, great, right? But if it's the same, you know, three people doing all the work, um, and I'm not putting myself in that buck- in that list of three people, the, uh, right? We're, we're still not going to get anywhere. And so, I, I think if we recharter, right? We need to know that we have the necessary, you know, resources to actually do the work that we're wanting to recharter to.
Rifaat Shekh-Yusef: Mhm. Yeah. And, and Peter is asking if we're going to three sessions. Not in Vienna for sure. But maybe, I don't know. I don't know if this is the right answer though. Maybe the right answer is, is more, more interims, uh, before that, right? Go ahead, Pieter.
Pieter Kasselman: Yeah, no, I, I, m- I didn't, I think when you concentrate all the work in a small community, um, I think it's not unreasonable to spend more time, right? I think it, and yes, the three meetings created problems scheduling and otherwise, right? But it, I think it is, um, I think that's one of the trade-offs, maybe, for the chairs and others to consider is, um, if we're going to concentrate this important work, uh, that may in one working group or two working groups, right? Where we sort of want to sort of have things show up. Um, I think we're going to have to sort of be willing to spend more time on it. I think that's probably just an, and maybe interims is the answer, um, but even then, right, cuz I remember even when we were running at three sessions, you know, you'd you'd never get more than 20 minutes on a session anyway, right? Yeah, yeah, true. So, the, the session is just, so the in-person meeting is just for discussing the most critical thing that requires in-person discussion. Right. Yeah, yeah, true. True. Yeah, things to consider for sure. Um, one, one more topic that I would like to go back to is somebody mentioned, um, terminology and, and Dick and I have been kind of, started some effort, uh, a long time ago, but we haven't, we haven't done much about that since then, uh, I don't know, for a long time. Is there an interest of, in, from the community to kind of address that challenge again? Like, should we pick it up again? Is that something that would be helpful also in, in the, in, in here, in, in this work group, in this discussion? Pieter.
Pieter Kasselman: I'll have an opinion, why not? Um, I don't know if it really, I think people fall back to terminology as, but I, you know, the fact that we, and I've seen in different places, right? You start these terminology exercises and they never finish, and they're never really get used either. And I, I don't know if that maybe tells us that maybe term- solving terminology may not be the panacea we would like for it to be.
Rifaat Shekh-Yusef: So, I, I don't think we, at least Dick, correct me if I'm wrong here, we, we didn't think it's going to be like a, a static document. We, we thought of it as, as a living document that keep up-to-date, we keep updating, and, but at least you have something well-defined that you can point people to it, and don't reinvent the wheel and re, re-kind of define it. So, Dick, what do you think?
Dick Hardt: Uh, well, the idea we had was we didn't want to go and come up with definitions because that, that's challenging. And so, our goal was like, let's go and categorize all the identity-related words and point to where they're used and build upon the existing definitions, with the idea of helping people reuse existing definitions instead of redefining what something is. And that would also call out how a word say something like credential is used very differently across a number of different specs and a number of different documents. Uh, one of the things that made it challenging is it doesn't, didn't really fit into any existing kind of document that IETF has if we wanted it to be dynamic and get updated every time a new spec comes out because it required us to sort of get into the, work stream of publishing documents. Yeah. So, and then, and then we got busy with other things. Yeah. Okay. Thank you, George. Appreciate that. Thank you, all. That was good discussion. George, thank you very much for, for driving this discussion. I think this is just the beginning, probably, of this, this discussion. We'll, we'll have more of this, but let's see how, how it goes with in Vienna and, uh, as chairs, we'll, we'll try to filter as many as possible based on our judgment of what is being discussed and, and mainly based on what goes on the mailing list and see how that goes, right? So, but, uh, and hopefully, we also discuss it in Vienna and, and maybe after that, we'll, we'll have a better view of what's going on there. Uh, okay, that's all. Thank you, George. Appreciate that. Thank you, all. That, that ends, completes our interims for now. Bye.