[WIMSE] Re: Review of draft-klrc-aiagent-auth (editor's copy)
Songbo Bu <king347608@gmail.com> Thu, 04 June 2026 01:22 UTC
Return-Path: <king347608@gmail.com>
X-Original-To: wimse@mail2.ietf.org
Delivered-To: wimse@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5F7FCFA78763 for <wimse@mail2.ietf.org>; Wed, 3 Jun 2026 18:22:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780536153; bh=+JNQIwsz3Q4YrjbaBdujKNvLZROrUEjvnIITpAamejU=; h=References:In-Reply-To:From:Date:Subject:To; b=BtZc/N4rF7nc36zrwmzCW39E91u7YpwNylQq+Or1yQdLlpd8onZyckGJkxDrFSS5x o4ZQfCIM4mUqfiEa7C/YUwstELunzw1UmtMSdeSbAGCcsEJD9SFeJGWREgc89A4X/f y07S9vVS5RG/mooO9+FDxQta0btqSpcIFq5FG/ug=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RV6KP-BZ-E8n for <wimse@mail2.ietf.org>; Wed, 3 Jun 2026 18:22:32 -0700 (PDT)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 20B99FA7847D for <wimse@ietf.org>; Wed, 3 Jun 2026 18:20:47 -0700 (PDT)
Received: by mail-qv1-xf35.google.com with SMTP id 6a1803df08f44-8ccf18ef922so1911136d6.3 for <wimse@ietf.org>; Wed, 03 Jun 2026 18:20:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1780536046; cv=none; d=google.com; s=arc-20240605; b=FFsi0QTDt+3MW29zSJbLHQqEA5a2EVdidcqUWLrFP94pliU1KDKcbiUhPJHZfrHeju MK2Zioivg1MlSFvbbV4DwDaLeLp0CGbRuWhzVPvbMIgS+hQcOcKP5YyepE2xGIDaUo1b 45B5+1I+AyJEr/bv8k12+6l+dSSTqYvTN6/dWzzy0qqMgcz5UCtrYY4kgpuSWL3+qe6F 3MaQE9MCfEI4zA5MLpS/aNXZW7432NQ0LG2GAkp/JTRjwD4G0VoOSfreVnKlLNLdFWcK QF5PzcyEbrF1LEasmlEffB/xiV0ujP6zSosOTDs8oUePy46H6bmw4oJ3d7+1wD2Rbpa7 bOjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=33oKmQ/KKD+dgRA2H7vSQ045zMF5pyr47TZZm74BZTU=; fh=dKf12lvXI2hCnl/KA9R7oCcFEAwSsHLNkPOLsc5fVHc=; b=jTb/RPSoTLr9KCbmkht1kXCxfKMwy+7HcqQ2UUnXD777hHMfkH4D6cb8uEEtZ+6ztG 3LTL3LRZbdxr+gSi0vgmj/ZECx8gs/4w/6E/A1bmXDMLyk86wwfrkmewACJDkyp7vzNn CLnVYsuQIyoLTTwASi5ZDtfTKoSlF+TNBqXFoxHtWbPodEJbIOqoOajOPggHaoUyOFlr /v8x7PFrJ+PdRSHRuamFkMLTZRnEbztCB3ns+Zn1FDmjTl/QbgBg3i+J2E6+8qKz0392 oe+qwWW52m27DF/bRUg9DBfk/LG3q9uHbMCy59A0yuN7x0i7X0JUbKrQROufP87uHZ8c JdPg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780536046; x=1781140846; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=33oKmQ/KKD+dgRA2H7vSQ045zMF5pyr47TZZm74BZTU=; b=HLrhf8QA27yaKp2r21bQfKClDT/jHThnjmo+oQfyTyBcxtGHPkiDLWUvtueEgjpjmP /5wDoNf83deQtRHghj5OZGjzT+s7rifbBfDf4s12PkeiGLWEjZwUzLsnbYEnTGEO3anl q0xWEI0xQDvQtbTbvXWes4C3Xu08zBfTil9qGxarSyJUff3PMDTMyzJi9TkXgucgk2wg QeLSiLJN45Rw67R8um8IJqPTzqwyWmK4DL/S834AD0tLNCSG3ocTvvXa/gNGmU8J39bv Jea+fhzkPVNw6tAnlhsYWuzQtIz/aANLuXGajv2M0h3mN8Mj1xGP240HImLuYkxdnenZ 93og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780536046; x=1781140846; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=33oKmQ/KKD+dgRA2H7vSQ045zMF5pyr47TZZm74BZTU=; b=YsHDf6HKS4gADTcNIoKiNSct4k4JVxO/fS//YoA8mrxElErJ4DVoxfzaAZkLZatITF 59DvcIdmAyfBrf+rIPxiqnavdjtl6HSXIM/gO65k5G+Vdkda0F9iWfS/2a2ETCWkG39M 80cJHgE6M8bftRAykxUvMzEYZb26Cr3+6R/mKsnJvhqwG2fwFfEi5or4W02A8enwA6ko v7/jzfyg1U7jpiCx0dwGnyosn/fOGeWt4P52Byl8bDhAQN3ca3vYnvFT6OwItwmqYW+c ls1c2MyYWGIZrZWdOb+gc3w00hIYQu4q7CfBLzq0/KEi3cxmH0C37xWgyyC5NfRs53dg Bd3g==
X-Gm-Message-State: AOJu0YwGY+uiuPxS8pMWpNfRJ0TxYxWr8xiZUZRpLWSxeQSvLS5ZVyVl 09Z7Jw0rEYyC9N6Zf6y8lv4pjBDAId03WBJ08bcxrnI4JCpDh7PV+e+jzO9lQlHrdSZO90fZsw2 ZvvFNeS458BBTyn0yimIUTLejk9V7AVkcDtwtcQQ=
X-Gm-Gg: Acq92OGuf1hm9yPp8yJ9G0KGJerDfh7imAKkp7598tcyv3GX0TXNRsBGv6ZuG2NdhEU DhCrfWsv2CWBSmXTgjc/ZmcYXIjFMHv+dWlfpvc7gyeRBhTSUBvVLOV414GDfHTx7eARjHVPPOO l1EdxPoNvXDutld8mB+OJMOOwVPrQzeGzNSxt9XK9rTLYOZXRE9BIIyC6xmg9hL8fy7LBmFjTJl DD/t5fMbyrJRW896ZpPcWNxf3Cs5xTQNFhqzWhgwGsDBMLptvHCL+rJDJLKe1lDtT6se7R7wwW4 ETrNBj9TbcUIy03OlUT9dwmgIvhborVG4Hn2Tka9+uk0SR1bvVVAhqVKDW1MMpsGMG9V9Hb7T29 lYSrFF4U=
X-Received: by 2002:a05:6214:5017:b0:8cc:f6a6:4854 with SMTP id 6a1803df08f44-8cecdf0a951mr86196646d6.26.1780536046197; Wed, 03 Jun 2026 18:20:46 -0700 (PDT)
MIME-Version: 1.0
References: <AS8P251MB0886613C1380F49C90AFBA8FA9132@AS8P251MB0886.EURP251.PROD.OUTLOOK.COM>
In-Reply-To: <AS8P251MB0886613C1380F49C90AFBA8FA9132@AS8P251MB0886.EURP251.PROD.OUTLOOK.COM>
From: Songbo Bu <king347608@gmail.com>
Date: Thu, 04 Jun 2026 09:20:34 +0800
X-Gm-Features: AVHnY4IBwQ5xN5r5baIQ2eT5EJ1tZvk8FlMnUhyNZIPYDyuU8xVtpoJ-L6eNrcU
Message-ID: <CAK08nYb8MEGAywHqtPt+Nu=n2E7FRUwS9k53qC20infD2r+eMg@mail.gmail.com>
To: wimse@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008b1eee0653635ad5"
Message-ID-Hash: EAQHSIIYEWXQSNENGNU6QZBVVOHVMJOO
X-Message-ID-Hash: EAQHSIIYEWXQSNENGNU6QZBVVOHVMJOO
X-MailFrom: king347608@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [WIMSE] Re: Review of draft-klrc-aiagent-auth (editor's copy)
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/_xou9ZYuB5f4YuCBh2-vYuH0mSU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
Hi Yaron, authors, Yaron’s TECH-4 matches one of the boundaries I would also expect the draft to make explicit. One small way to frame it: the LLM-facing part of an agent should be treated as untrusted input/output processing, not as the component that directly holds or exercises workload credentials. Credentials, WITs, token exchange, signing keys, and proof-of-possession operations should sit behind a policy-enforcing component that receives a constrained request from the model/runtime and can reject it independently. That distinction would also help with delegated and third-party agent cases: even if the agent’s natural-language planner is compromised or confused by prompt injection, the credential-using component still has a narrower execution context and authorization policy to enforce. Best, Songbo Bu On Wed, 3 Jun 2026 18:06:57 +0000, Yaron Sheffer yaronf.ietf@gmail.com wrote: Hi Authors, Thank you for this very impressive work on agents-as-workloads. As I mentioned in the meeting earlier today, I am very supportive of this work and of doing it within WIMSE. I also have a bunch of comments, below (in ietf-comment format). Please let me know if you prefer that I upload them as GitHub issues. Thanks, Yaron ———— Yaron Sheffer’s review of draft-klrc-aiagent-auth (editor’s copy, 2026-06-01) CC @yaronf Major [MAJOR-1] WIMSE/OAuth interaction is underspecified The draft uses WIMSE and OAuth 2.0 throughout but never clearly defines how they relate to one another, or when each is required. Several questions go unanswered: - Are there cases where WIMSE identity alone is sufficient for access control, without an OAuth access token? - Are there cases where OAuth alone is sufficient, without a WIMSE workload credential? - When both are used together, how do the tokens relate? For example, should the WIMSE WIT and the OAuth access token carry the same sub claim? For the first question specifically: in plain workload-to-workload authentication, the callee sees a verified workload identity and makes an authorization decision locally — one round trip, no additional infrastructure. The draft is implicitly arguing that agents need OAuth on top because authorization is dynamic and fine-grained, delegation chains must be carried and verified, and authorization decisions may need to cross trust domain boundaries. Those are valid arguments, but the draft never states them explicitly, and never tells implementers when they can skip the OAuth layer. Suggested resolution: Add a section (or major appendix) that explicitly defines a tiered model — WIMSE-only as a valid baseline for same-domain, non-delegated calls, with OAuth layered on top only when delegation context needs to be conveyed. Complement this with a set of detailed use cases including sequence diagrams showing exactly which tokens flow where and what claims they carry. [MAJOR-2] Applicability to third-party/composed agent environments is not addressed The workload identity model is a good fit for traditional enterprise environments where workloads are home-grown, managed, and attested by the organization that deploys them. It is much less of a fit for environments where agents are purchased or rented from third-party vendors and composed into a system (the “agent marketplace” vision). In those cases the deploying organization may have limited ability to attest the agent, provision WIMSE credentials into it, or control its identity lifecycle. The draft should acknowledge this limitation and discuss what, if anything, the framework offers in that scenario. [MAJOR-3] Document status and use of normative language The document uses RFC 2119 language extensively, which is unusual for an Informational document and potentially confusing, since Informational documents are not standards-track. Moreover, many of the normative statements restate requirements already defined in the referenced specifications, making them redundant. This points to a deeper question the authors should address explicitly: what is the intended status of this document? If it is meant to seed new standardization work and describe best current practice, BCP status would be more appropriate. If it is meant to be a normative standard showing in detail how all the pieces of a complicated architecture fit together, Standards Track would be warranted. The current Informational framing fits neither goal well. Technical [TECH-1] Authorization policy left out of scope without adequate justification Section 11 excludes authorization policy from scope on the grounds that it is “deployment and risk-model-specific.” This mirrors a long-standing position of the OAuth community. However, the complexity of multi-agent systems — spanning organizations, trust domains, and dynamic delegation chains — means that even smaller deployments will need automated policy management. The main determinant of whether standardization is needed is not whether policies are deployment-specific, but whether interoperability requires a common policy language or exchange format, particularly for cross-domain scenarios. The draft should either scope in policy interoperability for cross-domain cases, or explain why it has concluded that no standard is needed there. [TECH-2] Deprovisioning is absent The document discusses credential provisioning and rotation (Section 7) but says nothing about deprovisioning. Section 7 should add a third phase — credential deprovisioning — even if it simply means stopping rotation when the agent is terminated. Beyond that, the identifier lifecycle is a distinct concern: when an agent is retired, its identifier needs to remain referenceable for forensic and audit purposes. The document should discuss how long an agent identifier should be retained, and in what registry, after the agent is gone. [TECH-3] Token exchange circularity in Section 9.5 Section 9.5 describes exchanging access tokens for transaction tokens and then using transaction tokens to obtain access tokens (for downstream calls). This is architecturally circular and raises unresolved questions about how authorization scope is preserved or narrowed across this chain. Transaction tokens (draft-ietf-oauth-transaction-tokens) do not carry a standard scope claim, so it is unclear how scope semantics are maintained when re-obtaining an access token from a transaction token. This should be resolved or at least explicitly flagged as an open issue. [TECH-4] LLM must not have access to agent credentials Section 7 (Credential Provisioning, which now encompasses attestation/posture assessment) should state explicitly that the LLM inference component of an agent MUST NOT have access to the agent’s cryptographic credentials. The LLM is the most vulnerable part of the agent to prompt injection attacks; a compromised prompt could cause the LLM to exfiltrate credentials or use them for unauthorized actions. Credential access must be strictly separated from the data flow that passes through the LLM. This is a security property that the architecture should mandate, not leave to implementers. [TECH-5] Live posture assessment not mentioned Section 7 discusses posture assessment only in the context of credential issuance and rotation. The document should also mention the possibility of continuous or live posture assessment, bound to individual workload-to-workload messages — for example, including a fresh attestation assertion in a WPT or HTTP Message Signature. This is particularly relevant in high-risk or cross-domain scenarios. [TECH-6] Streaming interactions not addressed Section 3 and Figure 1 depict agents that exchange discrete messages. Many real agent interactions involve streaming — text token streams, audio, and video are common. The document should clarify whether streaming interactions are in scope and, if so, how the authentication and authorization model applies to a long-lived streaming session. [TECH-7] User consent not mentioned User consent — distinct from user delegation via OAuth — is not discussed. Whether or not it is in scope for this framework, it deserves at least a brief mention, including a pointer to relevant work (e.g., MCP’s user confirmation model, or emerging consent frameworks). [TECH-8] CIBA not cited from text; human-in-the-loop model too narrow (Section 9.7) Section 9.7 mentions CIBA by name but does not include an inline citation to [OpenIDConnect.CIBA], even though that reference exists in the references list. Please add the citation. Additionally, the CIBA-based model may be too constrained. CIBA assumes a push notification to a separate device, but the main agent flow may already be running on a mobile device. More importantly, the threat model here is different from typical 2FA: the primary concern is not an external attacker but the agent itself acting outside its authorized scope. Explicit user consent mechanisms should be discussed in light of that threat. [TECH-9] MCP reference in Section 9.7 is too vague The reference to MCP’s user-solicitation pattern should point to a specific section or feature of the MCP specification rather than the top-level spec URL. Editorial [EDIT-1] Section 3, last paragraph: add OpenID Connect The list of standards the document builds on (SPIFFE, WIMSE, OAuth, SSF) should include OpenID Connect, which is used extensively in Section 9. [EDIT-2] Figure 2: Observability belongs in the vertical, not a layer In Figure 2, “Monitoring, Observability & Remediation” is shown as a horizontal layer. It is better characterized as a cross-cutting vertical, as it applies across all other layers, similar to how Policy and Compliance are depicted. [EDIT-3] Section 4: AIMS is defined but never used Section 4 defines the term “Agent Identity Management System (AIMS)” but the acronym does not appear again in the document (except once). Either use it consistently throughout, or drop it. Additionally, the word “system” implies a single centralized entity; “framework” or “model” would be more accurate given the explicitly distributed nature of the components described. [EDIT-4] Section 6: SPIFFE credential paragraph is imprecise The paragraph conflates SPIFFE credential types. SPIFFE WIT-SVID is a WIMSE credential. Other SPIFFE credential formats (X.509-SVID, JWT-SVID) are not WIMSE credentials. The text should be more precise about which formats are which.
- [WIMSE] Review of draft-klrc-aiagent-auth (editor… Yaron Sheffer
- [WIMSE] Re: Review of draft-klrc-aiagent-auth (ed… Songbo Bu