Hi George,

Apologies for the delay here. Yes, I've open sourced the implementations and the protocol specs can be seen within the repos linked below:

https://github.com/orgs/cred-ninja/repositories

Thanks,
Kieran Sweeney
https://cred.ninja

On Fri, Mar 13, 2026 at 2:01 PM <[email protected]> wrote:

> Very interesting. Do you have any use case documents from which the
> requirements you highlight as missing are defined? I’d love to see those.
>
> Thanks,
> George
>
> --
> George Fletcher
> Practical Identity LLC
>
> On Mar 11, 2026, at 4:50 PM, Kieran Sweeney <[email protected]> wrote:
>
> Hi all,
>
> I am writing to share comments on draft-klrc-aiagent-auth-00, attached as
> a PDF. The core framework is well-grounded, and I have focused my feedback
> on three areas where the delegation chain mechanics need further
> specification work.
>
> The comment covers: (1) underspecification of multi-hop delegation
> semantics in RFC 8693 as applied to this framework, specifically the
> absence of chain verification, scope attenuation rules, and revocation
> propagation standards; (2) a delegation chain splicing vulnerability in RFC
> 8693 disclosed on the OAuth WG list in February 2026, which is directly
> relevant to Sections 10.1-10.4; and (3) an architectural failure mode in
> enterprise-managed authorization when the IdP is unavailable.
>
> I am also preparing a companion Internet-Draft
> (draft-sweeney-oauth-agent-delegation-00) that profiles RFC 8693 for
> multi-hop agent delegation chains -- covering delegation artifacts, chain
> verification, mandatory scope attenuation, and cryptographic context
> binding to resist the splicing attack. I plan to submit this draft ahead of
> IETF 125 and would welcome discussion on the WIMSE or OAuth lists.
>
> The comment PDF is attached. Happy to discuss any of the points raised.
>
> Best,
>
> Kieran Sweeney
>
> <IETF-CRE12-COMMENT.pdf>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
