Session Date/Time: 03 Jun 2026 15:00
WIMSE
WIMSE WG Interim Minutes - June 3, 2026
Summary
The WIMSE Working Group held an interim meeting on June 3, 2026, to discuss the individual proposal on AI Agent Authentication and Authorization. The presentation outlined how existing workload identity and federated authorization standards can be applied to secure AI agent ecosystems. The main objective was to gauge working group interest in pursuing this problem space and to determine if WIMSE is the appropriate venue for this work.
There was strong, broad support from the participants and the Area Director to tackle this problem space within WIMSE. It was agreed that while the work fits the spirit of the WIMSE charter, the group should first progress its active deliverables before formally adopting new documents. The chairs will initiate a mailing list thread to confirm consensus on the problem space.
Key Discussion Points
1. Welcome and Chair Updates
- Slides: Welcome and Chair Updates
- Presenter: Justin Richer
- Justin Richer opened the meeting and reminded attendees of the IETF Note Well. Noah Stride volunteered to take minutes, with backup from Justin Richer.
2. AI Agent Authentication and Authorization
- Slides: AI Agent Authentication and Authorization - WIMSE Interim
- Presenters: Pieter Kasselman, Yaroslav Rosomakho, Brian Campbell, Jeff Lombardo
Introduction & Motivation
- Pieter Kasselman introduced the draft, emphasizing that AI agents are fundamentally workloads that run code, execute actions on behalf of users, and communicate with Large Language Models (LLMs) and external tools in a loop.
- Rather than inventing entirely new security protocols from scratch, the authors advocate for applying existing, robust identity and authorization frameworks (SPIFFE, WIMSE, OAuth, and the Shared Signals Framework) to avoid repeating past security mistakes.
Identity, Credentials, Provisioning, and Authentication
- Yaroslav Rosomakho detailed the baseline architecture components:
  - Identifiers: Verifiable, stable identifiers are foundational. WIMSE identifiers (specified in draft-ietf-wimse-identifier) and SPIFFE IDs work well for agentic AI deployments across different clouds and devices.
  - Credentials: Agents must cryptographically prove ownership of their identifiers. Short-lived credentials, such as those defined in draft-ietf-wimse-workload-creds, should be used to eliminate the anti-pattern of static API keys.
  - Provisioning: Automated, platform-dependent posture assessment (such as SPIFFE automated runtime provisioning or enterprise MDM tools) should occur before credentials are issued.
  - Authentication: Strong service-to-service authentication mechanisms developed in WIMSE, including HTTP Message Signatures (draft-ietf-wimse-http-signature), Workload Proof Tokens (draft-ietf-wimse-wpt), and Mutual TLS (draft-ietf-wimse-mutual-tls), are highly applicable.
Federated & Delegated Authorization
- Brian Campbell outlined the OAuth-based delegated authorization capabilities required for agentic workflows:
  - Mechanisms such as the OAuth 2.0 authorization code flow, client credentials, JWT-profiled access tokens, token exchange (RFC 8693), and RFC 7523 (JWT Assertion Grant) allow agents to act securely on behalf of users without exposing credentials.
  - Emerging standards like Identity Chaining, Cross-App Access (ID-JAG), and Transaction Tokens help propagate user and authorization context down the backend call chain.
  - Human-in-the-Loop: Acknowledged that mid-execution human approval is an open area. While CIBA (Client Initiated Backchannel Authentication) and MCP (Model Context Protocol) user solicitation are discussed, asynchronous approvals may ultimately be best handled at the application layer rather than the protocol layer.
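To illustrate how RFC 8693 token exchange carries user context down a multi-agent call chain via nested "act" claims, here is an added example (not code from the draft or the presenters). The agent identifiers, the user identifier, and the allowlist are constructed; the checks in `authorize` are what a resource server would apply before honouring a delegated request.

```python
"""Model a multi-hop agent delegation chain with the RFC 8693 "act" claim.

Constructed example: a user's token is exchanged twice as the request is
handed agent -> agent down the backend call chain.
"""
import time

# Constructed identifiers; real deployments would use WIMSE/SPIFFE IDs.
USER = "https://idp.example/users/alice"
ORCHESTRATOR = "spiffe://example.org/agents/orchestrator"
RESEARCHER = "spiffe://example.org/agents/researcher"


def exchange(claims: dict, actor: str, now: int, ttl: int = 300) -> dict:
    """Token exchange (RFC 8693 sec. 4.1): the new actor becomes the top-level
    "act" claim and the previous actor, if any, is nested beneath it.
    The subject (the user) is preserved; the new token is short-lived."""
    new_act = {"sub": actor}
    if "act" in claims:
        new_act["act"] = claims["act"]
    return {**claims, "act": new_act, "iat": now, "exp": now + ttl}


def delegation_chain(claims: dict) -> list:
    """Walk nested "act" claims; returns actors from the current (outermost)
    hop back to the first agent that received the user's token."""
    chain = []
    act = claims.get("act")
    while act is not None:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def authorize(claims: dict, allowed_agents: set, now: int, max_hops: int = 3) -> bool:
    """Resource-server checks: token not expired, at least one hop present,
    every hop is a known agent, and the chain is not deeper than permitted."""
    if claims.get("exp", 0) <= now:
        return False
    chain = delegation_chain(claims)
    if not chain or len(chain) > max_hops:
        return False
    return all(actor in allowed_agents for actor in chain)


if __name__ == "__main__":
    now = int(time.time())
    user_token = {"iss": "https://idp.example", "sub": USER,
                  "scope": "files:read", "iat": now, "exp": now + 3600}
    hop2 = exchange(exchange(user_token, ORCHESTRATOR, now), RESEARCHER, now)
    print(delegation_chain(hop2))  # [RESEARCHER, ORCHESTRATOR]
    print(authorize(hop2, {ORCHESTRATOR, RESEARCHER}, now))  # True
```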
Risk Evaluation and Communication
- Jeff Lombardo discussed the importance of the Shared Signals Framework (SSF), specifically CAEP (Continuous Access Evaluation Profile) and RISC (Risk Incident Sharing and Coordination), to enable dynamic, cross-domain risk signaling. This allows real-time revocation and credential reissue when threat intelligence indicates an agent's posture or delegation status has changed.
3. Open Floor and WG Scope Discussion
- Yaron Sheffer strongly supported the work, stating it belongs in WIMSE. He noted that Section 9 (the authorization section) currently reads like a "shopping list" of OAuth standards. He highlighted that a key area of future work must be clarifying the interaction and boundaries between WIMSE-native constructs and the OAuth stack.
- Flemming Andreasen voiced interest but asked how this work would align with the proposed Agent Protocol (ACP) working group. He noted the need for clearer, high-level use-case scenarios (e.g., multi-chained agents) to understand whether specific mechanisms (such as the OAuth act claim) are sufficient.
- Justin Richer clarified that the current discussion is focused on the viability of the problem space within WIMSE, rather than adopting the draft as-is. Draft adoption would be treated as a separate milestone step.
- Joseph DeCock agreed that WIMSE is the right place for this work. Providing structured guidance on how authentication, authorization, and identifiers interoperate will benefit both AI and general non-AI workload architectures.
- Yaroslav Rosomakho noted that the authors are actively finalizing draft-ietf-wimse-workload-identity-practices after its Working Group Last Call, which will free up working group cycles for new milestones.
- Paul Carleton reported that in Model Context Protocol (MCP) discussions with enterprises, agent authentication and authorization are top-of-mind concerns. He requested extremely specific deployment examples and 2-3 standard delegation patterns to ensure industry interoperability.
- Justin Richer (speaking as an individual contributor) cautioned against asserting that all agents are workloads, as there will always be counter-examples. He advised framing the work to address "when an agent acts like a workload."
- Charles Eckel (Area Director) supported the work as an individual and stated that it fits the spirit and scope of the WIMSE charter. As AD, he noted that while a full recharter is likely unnecessary (milestones can be added), WIMSE must prioritize shipping its active, existing queue of drafts before officially committing to new work items.
- Pieter Kasselman agreed that WIMSE is an appropriate home because our charter includes best practices. He noted that this work does not aim to invent new protocols directly within this document, but rather acts as an architectural index that identifies gaps to be solved via separate, focused specs (potentially in WIMSE or OAuth).
- Flemming Andreasen questioned if restricting the document to profiling existing tools might be overly restrictive if new protocol machinery is needed.
- Pieter Kasselman responded that trying to design deep new protocols within a single architectural document would make it unreadable; instead, the document should act as a pointer, allowing targeted protocol work to spawn in relevant working groups (like WIMSE or OAuth).
Decisions and Action Items
- Decisions:
  - There was clear consensus among the interim attendees that the problem space of AI Agent Authentication and Authorization is highly relevant, in-scope for WIMSE, and a valuable area of future study.
  - The working group will prioritize clearing active drafts (e.g., draft-ietf-wimse-workload-identity-practices) before formally adopting new documents.
Next Steps
- Action Item (Chairs): Justin Richer and Pieter Kasselman to start a thread on the WIMSE mailing list to confirm the working group’s interest in the AI Agent Authentication and Authorization problem space.
- Action Item (Chairs & AD): Chairs and Charles Eckel to discuss the management of milestones and queue timing for adding this work to the program.
- Action Item (Draft Authors): Authors to refine the individual draft based on feedback, focusing on scoping the "agent-as-workload" definition, clarifying the boundaries between OAuth and WIMSE, and incorporating specific deployment/delegation examples.
Related Documents
draft-ietf-wimse-http-signature, draft-ietf-wimse-identifier, draft-ietf-wimse-mutual-tls, draft-ietf-wimse-workload-creds, draft-ietf-wimse-workload-identity-practices, draft-ietf-wimse-wpt