**Session Date/Time:** 07 Nov 2024 13:00

# wimse

## Summary

The WIMSE working group meeting at IETF 121 covered several key topics, including the group's overall direction, updates on the Architecture and Service-to-Service Authentication documents, progress on token exchange and translation, and a discussion on workload authentication maturity levels. Discussions highlighted the need for clear definitions, guidance on using existing standards, and addressing cross-domain scenarios.

## Key Discussion Points

* **WIMSE's Scope and Direction:** Brian Sipos presented on the purpose of the WIMSE working group and its charter. The discussion revolved around which problems the group should focus on, specifically how existing standards might be used or profiled to solve cross-domain trust issues.
* **Architecture Document Update:** Joe Salloway presented updates to the Architecture document, focusing on workload identity definition (trust domain, workload identifier). Discussion included the need for consistency with SPIFFE and the use of FQDNs for trust domains.
* **Service-to-Service Authentication:** Brian, Joe, and Arndt presented the status of the Service-to-Service Authentication document, focusing on two options for proof of possession: a workload proof token (WIT) and HTTP message signatures. Pros and cons of each approach were discussed, and a poll indicated support for defining both mechanisms.
* **Token Exchange and Translation:** Dean Sacks provided an update on token exchange and translation efforts. The discussion focused on developing profiles for specific token exchange scenarios (Token A to Token B) and the challenges of handling non-OAuth token types.
* **Workload Authentication Maturity Levels:** Ryan and Jeff Lombardo discussed the idea of a taxonomy for workload authentication maturity levels. There are concerns around keeping this abstract and useful.

## Decisions and Action Items

* **Identity Definition:** Remove the identity definition from the Service-to-Service Authentication draft and reference the Architecture document instead. *Action: Editors to confirm the change on the mailing list.*
* **Architecture Document Interim Meeting:** The chairs will investigate scheduling an interim meeting to focus on the Architecture document.
* **Service-to-Service Authentication Poll:** The chairs will create a formal poll on the mailing list to gather feedback on the WIT, HTTP signature, and mTLS-based security mechanisms.
* **Arndt's Questions:** The chairs will address Arndt's remaining questions on the mailing list.

## Next Steps

* Editors should integrate relevant feedback into the Architecture and Service-to-Service Authentication drafts, focusing on agreed items.
* Editors should explore a collaboration with the transaction tokens group to align terminology and ensure potential interoperation.
* Participants should review the pull requests for both documents in GitHub.
* Editors to generate a concrete list of profiles based on the discussion in token exchange and translation.
* Schedule the interim meeting for the Architecture document.