On Monday at the OAuth meeting for IETF 125 a number of AI-related proposals 
were made to extend existing OAuth mechanisms in different ways. However, it 
seemed to me that there was overlap in the desired goals across these proposals, 
and I’m wondering if for the AI space we need to take a step back and define 
the desired requirements before making spec-level proposals. Just in what was 
presented, there is fragmentation, and this doesn’t include a number of other 
proposals that have been made (either to IETF or otherwise) but were not 
presented.

General topics that seem to come up frequently:
* identifiers - instance, owner, version, …
* fine-grained authorization - RAR, scope extensions, transaction tokens, …
* delegated authorization - delegation chain, delegation capabilities, 
on-behalf-of, for-the-benefit-of, …
* context & intent - transformation of original intent for specific delegation 
task, …
* consent - levels of delegation before consent is required, back channel 
consent, …
* privacy - 

I’m sure there are more. I know it takes more time, but I believe we should 
address these issues holistically rather than on a spec-by-spec basis.

Thanks,
George

George Fletcher
Identity Standards Architect
Practical Identity LLC



_______________________________________________
OAuth mailing list -- [email protected]