Christian Nennemann
e7527ad68e
Critical fixes:
- Fix rating clamp range 1-10 → 1-5 (actual scale)
- Add `ietf ideas convergence` command (SequenceMatcher at 0.75 threshold)
- Fix "628 cross-org ideas" → 130 (verified from current DB) across 8 files
Security fixes:
- Sanitize FTS5 query input (strip special chars + boolean operators)
- Add rate limiting (10 req/min/IP) on Claude-calling endpoints
- Change <path:name> → <string:name> on draft routes
Codebase fixes:
- Add Database context manager (__enter__/__exit__)
- Wire false_positive filtering into queries (exclude by default in web UI)
- Fix Post 3 arithmetic ("~300" → "~409" distinct proposals)
Content & licensing:
- Add MIT LICENSE file
- Add IPR/FRAND notes (BCP 79, RFC 8179) to Posts 03 and 07
- Qualify "4:1 safety ratio" with monthly variation in 6 remaining files
- Add "Data as of March 2026" freeze-date headers to all 10 blog posts
- Hedge causal language in Post 04
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
18 KiB
The OAuth Wars and Other Battles
14 competing proposals, 155 protocols with no interop layer, and 25+ near-duplicate drafts. Inside the IETF's AI agent fragmentation problem.
Analysis based on IETF Datatracker data collected through March 2026. Counts and statistics reflect this snapshot.
Fourteen separate Internet-Drafts are trying to solve the same problem: how should AI agents authenticate and get authorized using OAuth? They are not collaborating. They are not compatible. And they are all submitted in the same nine-month window.
This is the fragmentation problem, and it is not limited to OAuth. Across the IETF's AI agent landscape, our analysis found the same pattern repeated in agent discovery, multi-agent communication, intent-based routing, and 6G agent requirements. Teams are working in parallel, not together, and the cost is measured in wasted effort, confused implementers, and the growing risk of incompatible deployments.
The OAuth Cluster: 14 Ways to Solve One Problem
The most crowded corner of the AI agent standards landscape is OAuth for agents. Every proposal is trying to answer the same fundamental question: when an AI agent acts on behalf of a user -- or on its own -- how does it prove its identity and obtain permission?
The depth of this cluster is not surprising when you look at the ecosystem's foundations. Our cross-reference analysis of all 434 drafts found that OAuth 2.0 (RFC 6749) is cited by 36 drafts, JWT (RFC 7519) by 22, OAuth Bearer (RFC 6750) by 9, and DPoP (RFC 9449) by 9. The OAuth stack is the single most-referenced functional standard in the entire corpus after TLS. The agent identity problem runs through the landscape like a root system.
Here are all 14 drafts:
| Draft | Approach | Score |
|---|---|---|
| draft-aylward-daap-v2 | Comprehensive accountability protocol | 4.75 |
| draft-goswami-agentic-jwt | Agentic JWT for autonomous systems | 4.5 |
| draft-chen-oauth-rar-agent-extensions | RAR extensions for agent policy | 4.2 |
| draft-aap-oauth-profile | OAuth 2.0 profile for autonomous agents | 4.2 |
| draft-barney-caam | Contextual agent authorization mesh | 4.0 |
| draft-liu-agent-operation-authorization | Verifiable delegation via JWT | 4.1 |
| draft-rosenberg-oauth-aauth | OAuth for agents on PSTN/SMS | 3.6 |
| draft-oauth-ai-agents-on-behalf-of-user | On-behalf-of-user extension | 3.7 |
| draft-jia-oauth-scope-aggregation | Scope aggregation for multi-step workflows | 3.5 |
| draft-liu-oauth-a2a-profile | A2A profile for transaction tokens | 3.6 |
| draft-song-oauth-ai-agent-authorization | Target-based authorization | 2.8 |
| draft-song-oauth-ai-agent-collaborate-authz | Multi-agent collaboration authz | 3.5 |
| draft-chen-ai-agent-auth-new-requirements | New auth requirements analysis | 3.8 |
| draft-yao-agent-auth-considerations | Auth considerations analysis | 3.1 |
(Scores are LLM-generated relative rankings from abstracts, not human expert assessments. See Methodology.)
The quality range is enormous -- from 2.8 to 4.75 -- and the approaches barely overlap. Some extend OAuth 2.0 with new grant types. Others define entirely new token formats (Agentic JWT). Still others propose mesh architectures or accountability layers on top of existing auth flows. Two drafts (song-oauth-ai-agent-authorization and song-oauth-ai-agent-collaborate-authz) come from the same Huawei team and address different facets of the problem. Two more (chen-oauth-rar-agent-extensions and chen-ai-agent-auth-new-requirements) come from a China Mobile team.
The gap our analysis identified in this cluster: most focus on single-agent authorization. Few address chained delegation across multiple agents, and none standardize real-time revocation in agent-to-agent workflows. An agent that obtains a token and delegates a sub-task to another agent -- which then delegates further -- creates a chain of trust that no single draft adequately covers.
A note on terminology: "consent" in the OAuth context means a technical authorization flow where a user delegates access scopes to a client. This is distinct from GDPR consent (Einwilligung) under Art. 6(1)(a) GDPR, which must be freely given, specific, informed, and unambiguous, and is revocable at any time. When AI agents further delegate to sub-agents, the chain of GDPR-valid consent may break entirely -- a problem none of these 14 drafts addresses. The controller-processor relationship under Art. 28 GDPR imposes additional requirements (data processing agreements, sub-processor authorization) that go beyond what any OAuth extension can express on its own.
The Agent Gateway Melee: 10 Drafts
If OAuth for agents is about identity, the agent gateway cluster is about communication architecture. Ten drafts are competing to define how agents from different platforms and ecosystems collaborate:
| Draft | Approach | Score |
|---|---|---|
| draft-li-dmsc-macp | Multi-agent collaboration protocol suite | 4.2 |
| draft-agent-gw | Semantic routing gateway | 3.9 |
| draft-cui-dmsc-agent-cdi | Cross-domain interop framework | 3.0 |
| draft-han-rtgwg-agent-gateway-intercomm-framework | Gateway intercommunication | 3.6 |
| draft-li-dmsc-inf-architecture | DMSC infrastructure architecture | 3.1 |
| draft-liu-dmsc-acps-arc | Agent collaboration protocols arch | 3.6 |
| draft-yang-dmsc-ioa-task-protocol | IoA task protocol | 3.0 |
| draft-yang-ioa-protocol | IoA protocol | 3.6 |
| draft-fu-nmop-agent-communication-framework | Network AIOps comm framework | 3.0 |
| draft-campbell-agentic-http | HTTP best practices | -- |
A revealing pattern: five of these ten drafts reference "DMSC" -- Dynamic Multi-agent Secured Collaboration -- a concept pushed primarily by Chinese institutions through the IETF's DMSC side meeting. This cluster represents an organized attempt to define the agent collaboration architecture, but even within that effort, multiple competing proposals have emerged.
The gap: no draft in this cluster addresses dynamic trust establishment between gateways, or how to handle conflicting semantic schemas across ecosystems. If Agent Gateway A speaks MCP and Agent Gateway B speaks A2A Protocol, these drafts describe the need for translation but do not provide it.
The Near-Duplicate Epidemic
Our embedding-based similarity analysis produced a more troubling finding: 25+ draft pairs have cosine similarity above 0.98. Many are functionally identical proposals submitted under different names:
| Draft A | Draft B | Reason |
|---|---|---|
| draft-a2a-moqt-transport | draft-nandakumar-a2a-moqt-transport | Same content, different name |
| draft-abbey-scim-agent-extension | draft-scim-agent-extension | Same draft, dual submission |
| draft-rosenberg-aiproto | draft-rosenberg-aiproto-nact | Renamed |
| draft-rosenberg-aiproto-cheq | draft-rosenberg-cheq | Renamed |
| draft-cui-nmrg-llm-nm | draft-irtf-nmrg-llm-nm | WG adoption (individual to IRTF) |
| draft-ar-emu-hybrid-pqc-eapaka | draft-ietf-emu-hybrid-pqc-eapaka | WG adoption |
| draft-zheng-agent-identity-management | draft-zheng-dispatch-agent-identity-management | Same draft, different WG |
| draft-sun-zhang-iaip | draft-sz-dmsc-iaip | Same draft, different WG |
| draft-zeng-mcp-troubleshooting | draft-zm-rtgwg-mcp-troubleshooting | Same draft, different WG |
Some of these duplications are legitimate IETF process: a draft moves from individual submission to working group adoption (like draft-cui-nmrg-llm-nm becoming draft-irtf-nmrg-llm-nm). Others reflect authors shopping the same draft to multiple working groups. And a few appear to be genuine content duplication -- the same ideas submitted under different author combinations.
The practical effect: the 434-draft corpus includes substantial double-counting. After de-duplication, the true number of distinct proposals is somewhat lower -- removing the 25 near-duplicate pairs yields roughly 409 distinct drafts, and further accounting for related-but-not-identical submissions brings the number down further. But even with generous de-duplication, the volume is extraordinary.
The A2A Protocol Zoo
Zooming out from individual clusters, the broadest fragmentation is in the 155 A2A protocol drafts. These span everything from low-level transport (A2A over MOQT/QUIC) to high-level semantic routing (intent-based agent interconnection) to specific use cases (MCP for network troubleshooting).
The most common technical idea in the entire corpus -- "Multi-Agent Communication Protocol" -- appears in 8 separate drafts from different teams. Eight teams are independently designing how agents should talk to each other.
| Competing Area | Drafts | Distinguishing Fact |
|---|---|---|
| OAuth for agents | 14 | No draft handles chained delegation |
| Agent gateway/collaboration | 10 | 5 are DMSC-linked; no trust framework |
| Agent discovery | 6 | Range from DNS-based to full directories |
| Intent-based routing | 5 | Requirements-heavy, protocol-light |
| 6G agent requirements | 6 | Wish lists, not specifications |
| SCIM/identity registry | 6 | 3 are near-duplicates |
The discovery cluster is particularly illustrative. Six drafts propose different ways to find AI agents: draft-narajala-ans (score 4.2) proposes a DNS-based Agent Name Service. draft-mozleywilliams-dnsop-bandaid (3.6) also uses DNS but via SVCB records. draft-pioli-agent-discovery (3.2) defines a lightweight registration and discovery protocol. draft-gaikwad-woa (3.2) proposes a Web of Agents format using JSON Schema. None of them reference each other.
The Deeper Fragmentation: Different Technological DNA
The protocol-level fragmentation documented above is only the visible layer. Beneath it, our RFC cross-reference analysis reveals a more fundamental divide: the two major drafting blocs are building on entirely different technology stacks.
| Foundation | Chinese Bloc | Western Bloc |
|---|---|---|
| Network management (YANG/NETCONF) | Strong (RFC 6241, 8639, 8641, 7950) | Absent |
| IoT security (COSE/CBOR/OSCORE/CoAP) | Absent | Strong (RFC 9052, 8949, 8613, 7252) |
| PKI/Certificates (X.509) | Absent | Strong (RFC 5280) |
| Lightweight auth (EDHOC, CWT) | Absent | Strong (RFC 9528, 8392) |
| Web APIs (HTTP Semantics) | Weak | Strong (RFC 9110) |
| TLS 1.3 | Moderate (8 citations) | Strong (18 citations) |
| OAuth 2.0 | Present (11 citations) | Present (7 citations) |
The Chinese bloc -- Huawei, China Mobile, China Telecom, China Unicom, and associated research institutions -- builds agent infrastructure on YANG/NETCONF, the network management protocols that underpin autonomous network operations. The Western bloc -- Ericsson, Cisco, ATHENA, and European research labs -- builds on COSE/CBOR/CoAP (IoT security) and HTTP/TLS/PKI (web infrastructure).
The only shared foundation is OAuth 2.0, which both blocs cite at comparable rates. This is why the OAuth cluster has 14 competing proposals: it is the one piece of common ground, and everyone is fighting over it.
This means fragmentation goes deeper than protocol design. Even if the community agreed on a single agent communication pattern, the underlying plumbing is incompatible. A Chinese draft building on NETCONF and a Western draft building on CoAP cannot interoperate without a translation layer -- and that translation layer, as we document in the gap analysis, does not exist.
What Fragmentation Costs
The costs of this fragmentation are not theoretical:
For implementers: Which OAuth extension do you implement? Do you support SCIM agent schemas or Web of Agents? If your agent needs to discover another agent, do you look in DNS, a well-known URI, or a dedicated directory? Today there is no canonical answer, and choosing wrong means re-implementation when the IETF eventually converges.
For the IETF process: Working groups spend time evaluating competing proposals that could be spent converging on solutions. The OAuth working group alone faces 14 agent-related drafts. The volume creates overhead that slows progress on any single proposal.
For security: When multiple incompatible authentication and authorization schemes exist, implementations inevitably take shortcuts. The most dangerous agents will be those that implement the easiest -- not the most secure -- available standard.
For the ecosystem: Each month that fragmentation persists, real-world agent deployments make choices. Those choices entrench specific approaches, making convergence harder and interoperability more expensive. The window for a unified standard narrows with every proprietary deployment.
A note on IETF IPR policy: Implementers considering building on any of the OAuth or protocol drafts discussed above should be aware that Internet-Drafts may be subject to intellectual property rights (IPR) claims. Under BCP 79 (RFC 8179), IETF participants are expected to disclose known IPR. Check the IETF IPR disclosure database before implementing.
The Convergence Signals
Not everything is divergence. A few positive patterns emerged from the data:
EDHOC is converging. The lightweight authenticated key exchange protocol has multiple working-group-adopted drafts (draft-ietf-lake-edhoc-psk, draft-ietf-lake-authz, draft-ietf-emu-eap-edhoc) with coordinated authorship. This is what healthy standards development looks like: multiple drafts from different teams that explicitly build on each other.
SCIM agent extensions show maturity. The Okta team's draft-abbey-scim-agent-extension (score 3.8) and draft-wahl-scim-agent-schema (score 3.9) represent a practical approach: extend an existing, widely-deployed protocol (SCIM) rather than invent a new one. This pragmatism is a convergence signal.
The verifiable conversations approach is gaining traction. draft-birkholz-verifiable-agent-conversations (score 4.5) and the WIMSE/ECT work on execution context tokens represent a "record everything, verify later" approach to agent accountability that multiple communities can support.
What Needs to Happen
Three structural interventions would accelerate convergence:
1. Working groups need to pick winners. The IETF process allows competing proposals, but at some point working groups must adopt specific approaches and redirect competing efforts. In the OAuth agent space, the highest-quality proposals (DAAP, Agentic JWT, RAR extensions) should be evaluated head-to-head, not allowed to proliferate indefinitely.
2. Interoperability testing, not just drafting. The 155 A2A protocol proposals exist mostly as text. Interop testing -- where implementations from different teams prove they can work together -- would quickly reveal which proposals have real engineering substance and which are paper exercises.
3. The translation layer must be built. Rather than picking one A2A protocol, the community may be better served by a thin interoperability layer that lets agents using different protocols communicate through gateways. Our gap analysis found this cross-protocol translation gap entirely unaddressed -- zero technical ideas in the current corpus.
Key Takeaways
- 14 competing OAuth-for-agents proposals illustrate the depth of fragmentation; none handle chained delegation across agent networks
- 155 A2A protocol drafts exist without an interoperability layer; the most common idea in the corpus appears in 8 separate drafts from different teams
- 25+ near-duplicate pairs (>0.98 similarity) inflate the draft count; after de-duplication, roughly 409 distinct proposals remain
- Convergence signals exist in EDHOC authentication, SCIM agent extensions, and verifiable conversations -- areas where teams explicitly build on each other
- Fragmentation goes deeper than protocols: Chinese and Western blocs build on different RFC foundations (YANG/NETCONF vs COSE/CBOR/CoAP); the only shared bedrock is OAuth 2.0
- The missing piece is a cross-protocol translation layer; no draft in the corpus addresses how agents using different protocols can interoperate
Next in this series: What Nobody's Building (And Why It Matters) -- The 11 gaps in the IETF's AI agent landscape, and the real-world consequences of leaving them unfilled.
Data from the IETF Draft Analyzer's embedding-based overlap analysis (nomic-embed-text) and cluster detection at 0.85/0.90 similarity thresholds.