2025‐10‐07
Aaron Parecki edited this page Oct 7, 2025
Date: 2025-10-07
- Aaron Parecki (Okta)
- Dick Hardt
- Shannon Roddy
- Travis Tripp
- Karl McGuinness
- Bjorn Helm
- Buster Doney
- Welcome and antitrust policy reminder https://openid.net/policies/
- OpenID Contributor Agreement reminder https://openid.net/intellectual-property
- Reminder about OpenID Slack
- Community Events
  - OAuth Working Group interim meetings in September
  - Authenticate, October 13 - 15 in Carlsbad, CA
  - IIW XVI October 21 - 23 in Mountain View, CA
  - IIW Agentic AI unconference on October 24 (Friday)
  - IETF 124, November 1 - 7 in Montreal, Canada
- Upcoming call schedule
  - Dean out Oct 7
  - Oct 14 cancelled - Authenticate
  - Oct 21 cancelled - IIW
- IPSIE Playbook 2025-2026 planning
- Interop Event Planning and Rescope
- AOB
Notetaker: Aaron
- Karl - talking about sessions only is limiting, we need to be able to talk about access tokens, continuous access signals, scopes. We're struggling to get the basics out (sessions, lifecycles), we need to just get it done. We need to be able to focus on long term access. Why is it so hard for us to get SL1/AL1 done?
- Travis - is the question does SL1-3/AL1-3 address AI use cases?
- Aaron - more like are the current levels sliced correctly
- Travis - one thing we are struggling with AI that is not in here is managing the difference between an AI agent acting as itself or on behalf of a user. From an auditability standpoint what is the role of the identity service?
- Karl - There's a lot there to unpack, there's a bunch of gaps, the existing enterprise identity systems have gaps. Those best practices are changing. I don't think that's something we can easily pivot the levels to address. The crossover is security for native apps. How do I only allow my AI tools to be used on managed laptops with attestation?
- Travis - Is there a working group working on this?
- Karl - OpenID AI Community Group. Not a standards group, but sharing best practices and discussions.
- Travis - Is Cross App Access something that fits into the IPSIE levels here?
- Aaron - I have gotten several questions about whether Cross App Access is going to be part of IPSIE
- Karl - Is this essentially a resourcing problem, of not being able to spend time on IPSIE?
- Aaron - As far as I can tell yes, we have good conversations for the 1 hour a week we meet, but we need to collectively spend more time on this during the rest of the week.
- Travis - Yes from my perspective as well. If I can get 1 or 2 big customers to say this is something we're going to require our vendors to do it would be helpful.
- Karl - We haven't actually defined what "this" is. There's the controls of what IPSIE is demanding, and there's the protocol controls. Is it so hard for us to define the capabilities and outcomes you get in each level?
- (discussion about some individual bullet points in the list)
- Travis - When I go to my chief of product and ask for resourcing for this, the question is what does it really mean, how hard is it to support, can I map my existing business needs to it? What security does this get us?
- Buster - I don't have an opinion on the levels, I want all of them. I'm more than happy to encourage our vendors to evangelize this. I'm not sure how to encourage them to reach out and join the effort. I would love to support that area.
- Travis - What would it take to get an endorsement of this?
- Buster - likely a per-vendor endorsement. I have direct conversations with my vendor partners and can make requests.
- Aaron - Does seeing the list in this format help you have conversations?
- Buster - Yes, but what I'm missing is who I can connect them to and how they can start. Having a few examples per level would help.
- Bjorn - This is a list of features, not a value proposition. It seems like what we're missing is how to convey the value proposition. It could be cost of ownership, onboarding time is faster, etc.
- Dick - Talking about how to change the value proposition is the wrong conversation. A lot more people were participating 8 months ago than now. A key question is why are those people not participating anymore. There was a fair bit of excitement at the beginning. We've been talking for almost an hour and haven't moved the needle on making progress on IPSIE.
- Shannon - we're rehashing the mythical man-month problem. I don't think adding more people or changing the scope is going to mean progress. I'm not an OpenID expert, we haven't gotten to SAML yet, so I haven't been able to contribute much.
- Dick - Why do you think you haven't contributed yet? What's holding you back?
- Shannon - we've kicked the SAML profiles can down the road ...
- Kenn - we've been doing bottoms-up adoption plan, maybe we can try from the top down as some sort of regulatory/compliance
- Karl - I can meet with Shannon and do the SAML profile.