Proposal: Cryptographic Agent Identity extension (CTEF v0.3.1-aligned)

[aeoess]

Abstract

Proposal for an A2A extension carrying cryptographic agent identity claims aligned with the CTEF v0.3.1 substrate (live at /.well-known/cte-test-vectors.json, commit agentgraph-co/agentgraph@69ad94d). Claims declare a claim_type discriminator over the closed set {identity, transport, authority, continuity} (reserved: envelope), with per-layer composition rules and structural-before-semantic error codes (INVALID_CLAIM_SCOPE, INVALID_COMPOSITION).

Motivation

A2A's existing AgentCardSignature (Section 4.4.7) signs the AgentCard as a document. Production deployments also need protocol-level handles for the agent's subject identity — composable across the lifecycle, not just at card publication. Specifically: who the agent is (DID/key binding), what the upstream authority ceiling is (delegation chain), whether the identity has been continuous since a prior interaction (rotation-attestation chain).

The four-layer split was developed across multiple implementations on #1672 over the last week, and the wire format is now byte-match-validated across three independent canonicalizers.

Technical approach

The extension uses A2A's existing AgentExtension mechanism (Section 4.4.4) with params carrying the per-claim payload. No proto schema changes proposed. Reference URI: https://a2a-protocol.org/extensions/cryptographic-agent-identity/v0.3.1 (experimental prefix until graduation).

Wire-format substrate: CTEF v0.3.1 at agentgraph-co/agentgraph@69ad94d. Composition rules and negative-path test vectors (scope_violation_vector, composition_failure_vector) are published at the cited endpoint.

Reference implementations and alignments as of 2026-04-24:

• AgentGraph — CTEF v0.3.1 normative substrate (commit 69ad94d)
• APS / Agent Passport System — JCS canonicalizer + bilateral-delegation and rotation-attestation fixture sets
• AgentID — JCS canonicalizer byte-matching APS fixtures; claim_type live on /verify as of 2026-04-24
• Nobulex (@nobulex/crypto) — TS canonicalizer byte-matching APS + AgentGraph fixtures
• HiveTrust — concurs with the four-layer split and "history-stability under rotation" framing on Proposal: Agent Identity Verification for Agent Cards #1672; concrete continuity-layer mapping in progress

Out of scope

• Identity issuance — extension consumes existing DID methods without prescribing one
• Action-boundary verification — separate concern, see PIC Standard (aaif/project-proposals#16)
• Payment receipts — evidence_basis.evidence_type.payment_execution reserved separately in CTEF v0.3.1

Sponsorship request

Per extension-and-binding-governance.md Proposal Phase, requesting maintainer sponsorship to create the corresponding experimental-ext-* repository per governance. The detailed spec, conformance suite, and reference implementations land in that repo once sponsored. Happy to address scope, interface, or governance questions ahead of sponsorship.

References

• #1672 — design discussion
• #1734 — CTEF v0.3.1 RFC
• CTEF v0.3.1 normative — frozen 2026-04-24, agentgraph-co/agentgraph@69ad94d
• APS rotation-attestation fixtures (SHA table + canonical bytes) — five fixtures: happy-path, cross-signed, migration-attested, happy-path-compound, negative-no-attestation

[kenneives]

Co-normative support from AgentGraph. The proposal cites CTEF v0.3.1 at agentgraph-co/agentgraph@69ad94d as the wire-format substrate, and the live endpoint at https://agentgraph.co/.well-known/cte-test-vectors.json matches the state this proposal references byte-for-byte:

curl -s -H 'Cache-Control: no-cache' \\
  https://agentgraph.co/.well-known/cte-test-vectors.json \\
  | jq '{version, claim_type_closed_set: .claim_model.claim_type.closed_set, error_codes: .error_codes | keys, reserved: .reserved_values | keys}'

Returns:

{
  "version": "0.3.1",
  "claim_type_closed_set": ["identity", "transport", "authority", "continuity"],
  "error_codes": ["INVALID_CLAIM_SCOPE", "INVALID_COMPOSITION"],
  "reserved": ["claim_type.envelope", "evidence_basis.evidence_type.payment_execution"]
}

What the cross-implementation harness looks like as of today (2026-04-24, pre-sponsorship):

Implementation	Language	JCS byte-match	claim_type live
AgentGraph	Python	✓ vs APS bilateral-delegation (10 vectors) + APS rotation-attestation (5 vectors, live-fetch)	✓ (69ad94d deployed)
APS	Python	✓ (publishes the fixture sets)	✓ (Agent Cards PR cites claim_type)
AgentID	Python	✓ vs APS bilateral-delegation (all 10 byte-exact)	✓ (/api/v1/agents/verify, 32/32 tests)
@nobulex/crypto	TypeScript	✓ vs AgentGraph + APS fixtures	Verifier testing in flight (pre Apr 30)

Three independent Python canonicalizers + one independent TypeScript canonicalizer all producing byte-identical output against the published fixture sets. Any one-sided drift fires against three witnesses. RFC 8785 JCS is truly language-agnostic as designed, not accidentally Python-specific.

Negative-path vectors (scope_violation_vector, composition_failure_vector) on the live endpoint each carry expected_error_code — a conformant verifier runs against the vector and asserts the correct error code string (INVALID_CLAIM_SCOPE or INVALID_COMPOSITION). Partners prove fail-closed on structural violation, not just on signature failure.

On scope. The proposal correctly separates:

• Identity issuance (consumes existing DID methods — no prescription).
• Action-boundary verification (separate PIC Standard work at [Project Proposal] PIC Standard -- fail-closed action security layer for MCP and OpenClaw tool calls aaif/project-proposals#16).
• Payment receipts (reserved as evidence_basis.evidence_type.payment_execution in CTEF v0.3.1, independent).

Each of those is its own workstream. Cryptographic-agent-identity extension is exactly the right scope for A2A itself.

Maintainers: CTEF v0.3.1 has been implementation-validated across four codebases in the past 48 hours, with APS rotation-attestation fixtures landing today and @nobulex/crypto TS byte-match confirmed. Sponsorship unblocks the experimental-ext-* repo where the detailed spec + conformance suite land — happy to contribute reference-implementation test vectors from the AgentGraph side once that's open.

— Kenne

[aeoess]

@kenneives — the harness table publishing the four-way byte-match state in one place is exactly what a sponsorship reviewer needs. Better to point at that than reconstruct it from #1672 scrolling.

On the test-vector contribution offer once the experimental-ext repo is open: yes, please. AgentGraph-side conformance fixtures alongside APS bilateral and rotation-attestation gives the experimental-ext two independent published canonical sources from day one rather than a single-issuer reference.

[lawcontinue]

On the identity/continuity split from #1672: we run pipeline-parallel distributed inference across two nodes and the boundary maps cleanly. Ed25519 key binding happens once at session start (identity); inference step continuity is a separate concern entirely.

One thing the proposal doesn't address yet: what happens to validity_window during long-running sessions? Our inference sessions regularly hit 25+ seconds at ~130ms/step, and a full benchmark run is 2+ hours of continuous inter-node communication. If the window is 15 minutes (matching AGT's token rotation), a single run needs multiple re-verifications mid-inference. That's a latency hit worth thinking about.

Is the intent that validity_window is per-claim-type, so identity claims could carry a longer window than, say, transport claims?

[kenneives]

@aeoess — confirmed on the test-vector contribution. Once the experimental-ext-* repo is open, AgentGraph-side commits go to:

• Conformance fixtures — the full /.well-known/cte-test-vectors.json set (positive envelope + verdict, negative scope_violation + composition_failure, all with canonical bytes + SHA-256 + expected_error_code) as repo-resident fixtures, mirrored from our live endpoint at the time of experimental-ext v0.3.1 freeze.
• Projection-family worked examples — the four projection_family_examples entries (authority / continuity ×2 / identity) with superset-and-projection shapes, so verifier authors have concrete targets for the safe-downgrade pattern.
• Reserved-value cross-ref — table showing how CTEF claim_type.envelope composes when the Hive contribution lands in v0.3.2, plus how evidence_basis.evidence_type.payment_execution slots into an evidence bundle.

Two independent canonical sources (APS + AgentGraph) from day one is the right posture — single-issuer reference concentrates risk; dual-issuer cross-validation catches any silent drift on either side before the experimental-ext graduates.

Happy to mirror any additions APS makes to the rotation-attestation fixture set (or capability-token fixtures, whenever v0.2 ships) so the repo stays current on both substrates.

— Kenne

[kenneives]

@lawcontinue — that question is exactly the right one and surfaces a v0.3.2 spec clarification point. Direct answer: yes, validity_window should be per-claim-type, and CTEF v0.3.1 has the primitive but doesn't yet formalize per-layer defaults. Your 2+ hour inference benchmark case is the load-bearing example for why.

The primitive that already exists. validity_window.binding_mode in v0.3.1 is a closed set (§6.3): authority_within_window_evidence_after, authority_within_window_expired_after, sequence_bound. Your case maps directly onto sequence_bound — the validity persists as long as the sequence (inference step counter, session counter, whatever the application names) remains coherent, without time-bounding. A 2+ hour inference run with 130ms steps is a single sequence; the window does not expire mid-run.

Per-layer defaults — what should land in v0.3.2. Mapping each claim_type to a sensible default binding_mode + window family:

claim_type	Default binding_mode	Window family	Rationale
identity	sequence_bound (session) or long time-window (days+)	Ed25519 key binding does not change mid-session. Re-verification mid-inference is latency for no security signal.
transport	authority_within_window_evidence_after	Short (minutes)	Transport-key compromise risk. Renewal is cheap because identity persists underneath.
authority	authority_within_window_expired_after	Bounded by delegation expiry	Delegation is what the upstream principal gave you; window cannot exceed delegation.
continuity	sequence_bound (rotation event sequence)	As long as rotation chain remains attested	History-stability does not time-expire; it sequence-expires.

So for your inference run: identity claim with sequence_bound to the session ID, transport claims with short renewable windows that compose against the persistent identity, no mid-inference re-verification of identity. AGT's 15-minute rotation maps to transport (or to a separate continuity-layer rotation chain), not to identity — your concern is exactly right.

For #1786 sponsorship/spec scope. This is the kind of clarification that wants to land as §6.3.1 "Per-layer validity window defaults" in CTEF v0.3.2 (or as a profile-level note in the experimental-ext spec, depending on where the WG prefers to anchor it). Long-running sessions are a real production case; a verifier that re-checks identity every 15 min on a 2-hour run is paying latency for no security gain.

Adding this to my v0.3.2 punch list. If you have a published distributed-inference test fixture (or a synthetic one with the sequence-bound binding mode exercised), happy to pull it into the AgentGraph regression set the same way we wired the APS rotation-attestation fixtures — gives the v0.3.2 spec a worked-example anchor for the long-session case.

— Kenne

[aeoess]

@lawcontinue — APS already binds continuity claims with sequence_bound over the rotation event sequence (the rotation-attestation fixtures cited in the proposal — cross-signed, migration-attested, happy-path-compound — all anchor on the rotation sequence, not on a time window). Maps to the inference case directly: identity claim sequence_bound to the session, transport claims renewable independently, no mid-inference re-verification of identity.

Kenne's per-layer table matches what the APS implementation already does. If you have a distributed-inference test fixture (sequence-bound to step counter, identity persisting across the run) we can wire it into the APS bilateral-delegation regression alongside the AgentGraph side — gives the v0.3.2 long-session worked example dual-canonicalizer coverage from day one.

[lawcontinue]

Thanks Kenne — the per-layer defaults table maps cleanly onto our pipeline. identity=sequence_bound to the session, transport=short renewable (our Thunderbolt link rekeys ~hourly anyway), no mid-run identity re-verification. Confirmed: this matches what we already do in practice.

@aeoess — happy to contribute a synthetic test fixture for the long-session case. Something like: a distributed-inference session with sequence_bound identity, 245 decode steps, ~130ms step cadence, running across two nodes. The fixture exercises the sequence counter as the validity anchor without time-bounding — exactly the scenario where a 15-minute validity_window would add latency for no security gain.

I can put together a minimal CTEF envelope with the sequence_bound binding_mode and share it this week. Let me know what format the APS bilateral-delegation regression expects.

[aeoess]

@lawcontinue — fixture format spec is at aeoess/agent-passport-system/fixtures/bilateral-delegation/. README documents the vector shape and the deterministic keypair derivation (seed = SHA-256("aps-canonicalize-fixture-v1"), full hex in README §"Deterministic keypair" so any language can reproduce).

Two coordination points before you write the fixture:

1. v1 (the existing canonicalize-fixture-v1.json with 10 vectors) is frozen — kenne, AgentID, and Nobulex pin against those SHAs. New vectors land additively, either as canonicalize-fixture-v2.json or as a separate inference-session-fixtures.json with the same vector shape. Doesn't touch v1.

2. The 245-step distributed-inference sequence_bound case is closer to a protocol-semantic test than a canonicalization edge case (v1's vectors test JCS edge cases — null preservation, key ordering, escape sequences). A separate file with the same vector shape is probably the cleaner home, but it's a coordination call.

Open an issue against aeoess/agent-passport-system proposing the filename + your fixture's shape, happy to review and we can decide where it lands before you write the 245 vectors.

[lawcontinue]

@aeoess — thanks for the pointer. Read through the bilateral-delegation fixtures; the vector shape is clean and the deterministic keypair derivation makes cross-language verification straightforward.

Quick update on our end: we've generated a synthetic CTEF fixture (7 vectors) following the same shape — seed = SHA-256("ctef-synthetic-fixture-v1"), Ed25519 signatures via cryptography lib, JCS canonicalization via jcs 0.2.1 (RFC 8785). Covers: valid claim, expired window (expected_verification: false), rotated key, 5-step monotonic sequence, cross-layer identity+transport, sequence gap detection, and replay detection.

Agree that this belongs in a separate file rather than extending v1 — different semantic layer. We'll open an issue against agent-passport-system proposing inference-session-fixtures.json with the full shape and rationale. Want to coordinate on the filename before we PR, per your suggestion.

One question: for the sequence_bound vectors, should the session_id be a deterministic value derived from the seed (like the keypair), or is a fixed string fine? Want to make sure the fixture is fully reproducible.

[aeoess]

@lawcontinue good progress on the synthetic fixture. The shape sounds right.

On session_id determinism: derive from the seed. Concretely:

session_id = SHA-256(seed_bytes || b"session" || vector_index_be4)

where seed_bytes = SHA-256("ctef-synthetic-fixture-v1") (32 bytes), b"session" is the literal ASCII string session (no separator), and vector_index_be4 is the vector's position in the JSON array as a 4-byte big-endian unsigned integer. Take the result as 32-byte hex, or truncate to first 16 bytes (32 hex chars) if you want a shorter id.

This matches how the bilateral-delegation v1 fixtures derive identifiers — every value in the file traces back to the seed via a documented transformation, so any language reproducing the fixture lands on byte-identical session_ids. Cross-language verification stays mechanical.

For the 5-step monotonic sequence vector specifically: one session_id per vector (not per step). All five steps in the same sequence share the same session_id; the per-step identity comes from the step index inside the session. That preserves the "session" semantic without expanding the cross-step namespace.

When you open the issue against aeoess/agent-passport-system, propose inference-session-fixtures.json as the filename and include the seed derivation table in the README addition (matches v1's "Deterministic keypair" section format). Happy to review and merge once the proposal is up.