docs: add agent identity verification and trust framework#1496
docs: add agent identity verification and trust framework#1496thebenignhacker wants to merge 4 commits into
Conversation
Summary of ChangesHello @abdelsfane, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a comprehensive Agent Identity Verification and Trust Framework for the A2A protocol. The primary goal is to address critical security vulnerabilities, such as agent impersonation and lack of trust evaluation, which are currently exploitable in multi-agent ecosystems. By defining clear identity verification levels, standardized trust signals, and robust mechanisms for delegation chain security and message integrity, this proposal aims to enhance the overall security posture of A2A deployments, paving the way for broader enterprise adoption in sensitive use cases. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This is a well-written and comprehensive proposal that addresses critical security and trust gaps in the A2A protocol. The introduction of identity verification levels, trust signals, and delegation chain security is a significant step forward. The design rationale is sound, and the choice of an extension-based approach ensures backward compatibility. My review includes a few suggestions to improve clarity and consistency in the proposal, particularly regarding the structure of the AgentCard extension, the specification of the delegation signing mechanism, and consistency in enum value casing. These changes will help ensure a smoother implementation and adoption of this important framework.
thebenignhacker
changed the title
thebenignhacker
force-pushed
the
feature/agent-identity-trust
branch
2 times, most recently
from
531e5c5 to
8179af0
Compare
Addresses the most critical security gaps in A2A that are exploitable today: agent impersonation, missing trust evaluation, delegation chain attacks, and absent revocation mechanisms. Proposes six capabilities using existing extension points (zero protobuf schema changes): identity verification levels (0/1/2), trust signals, mandatory AgentCard signing for production, revocation endpoints, delegation chain security with scope narrowing and depth limits, and application-layer message signing with replay protection.
thebenignhacker
force-pushed
the
feature/agent-identity-trust
branch
from
8179af0 to
ea307d7
Compare
The-Nexus-Guard
left a comment
The-Nexus-Guard
left a comment
There was a problem hiding this comment.
Excellent proposal — this addresses the right gaps. A few thoughts from building a working implementation of agent identity (AIP):
On verification levels: The three-tier model (self-asserted → domain-verified → org-verified) maps well to real deployment patterns. In practice, we found that a fourth level is useful: vouched — where another already-verified agent attests to a new agent's identity. This creates organic trust propagation without requiring every agent to go through DNS or org verification. It's especially important for ephemeral agents that spin up for a single task.
On DNS verification: The _a2a-identity TXT record approach is clean. One practical concern: DNS propagation delays mean there's a window where a revoked agent still appears valid. Have you considered specifying a maximum cache TTL for identity DNS records? We've seen 5-minute TTLs work well in practice.
On trust signals: The self-asserted vs. attested distinction is crucial. In our experience, self-asserted uptime/compliance signals are mostly ignored by clients — they need third-party attestation to be meaningful. Would it make sense to require attestation for signals above a certain trust threshold?
On revocation: The .well-known/a2a-revocations.json endpoint is a good addition. One gap: what happens when the agent's domain itself is compromised? A central or federated revocation registry (similar to CRL/OCSP for TLS) might be needed as a fallback.
On message signing: Strong +1 on mandatory signing for production. The replay protection via nonces is essential — we've seen replay attacks in the wild even in internal deployments.
Would be happy to share implementation experience from AIP's Ed25519 + DID-based approach if useful. The vouch chain mechanism in particular has been battle-tested with real agents.
Proposes an A2A extension for cryptographic agent identity using Decentralized Identifiers (DIDs) and vouch chains via AIP. Companion to PR a2aproject#1496 (Agent Identity and Trust Framework) - provides the DID infrastructure layer that a2aproject#1496's design rationale identified as Option 2 but set aside due to missing infrastructure. Key features: - AgentCard extension for DID advertisement - Identity verification flow with trust scoring - Message signing with replay protection - Transitive vouch chains for delegation - Real-time revocation - Compatibility mapping with PR a2aproject#1496 levels
Follow up - 1. Protocol specs should be implementation-agnostic The spec as written hardcodes a specific hosted service ( For comparison, #1496 defines an extensible trust framework with levels (0/1/2) that any implementation can satisfy — it doesn't mandate a specific verification service. 2. Single point of failure / trust anchor concerns Related to the above: the spec doesn't mention self-hosting, federation, or what happens when 3. Signature serialization is underspecified The Gemini review already flagged this, but I want to reinforce it — "the signature covers 4. Substantial overlap with existing work in #1496 The capabilities covered here — Ed25519 signatures, trust scoring, vouch/delegation chains, capability scoping, real-time revocation — are already addressed or planned within the Agent Identity and Trust Framework in #1496. Specifically:
Rather than a parallel spec, it might be more productive to contribute DID-specific extensions within the framework #1496 already establishes — particularly at Level 2 (cryptographic verification), where DID methods are a natural fit. 5. The "DID infrastructure doesn't exist" framing needs context The design rationale in #1496 noted that DID infrastructure doesn't yet exist for agents specifically — meaning a purpose-built system with agent lifecycle management, NHI governance, capability enforcement, and supply chain verification integrated into the identity layer. A generic DID service with vouch chains is a useful primitive, but it doesn't solve the full problem that #1496's framework was designed to address. To be clear, I think DID-based identity is valuable and should be part of the A2A identity story — that's why it's on the roadmap. My concern is with merging a spec that's tightly coupled to a single hosted service when we should be defining protocol-level interfaces that any implementation (AIP, AIM, or others) can satisfy. Happy to discuss how we can incorporate DID verification into the existing framework in #1496 in a way that's implementation-agnostic and benefits the whole ecosystem. |
|
We've built a production implementation of agent identity verification for A2A (Ed25519 message signing, identity registry, HITL escalation, prompt injection detection). Happy to share learnings from our deployment. Some of the design decisions here align with what we've shipped — particularly the trust levels and message signing approach |
|
Belated reply to @The-Nexus-Guard's points from 2026-02-23 — taking positions now that the layered stack (#1496 / #1786 / #1575 / #1829) is crystallizing and v0.3.3 alignment is on the table per @kenneives's coordination read. 1. Vouched as a 4th verification level — deferred, model as attestation type. #1496's three levels are deliberately taxonomic on provenance of the binding: SELF_ASSERTED, DOMAIN_VERIFIED, ORGANIZATION_VERIFIED. Vouching is a runtime trust-propagation mechanism, not a discovery-time verification — adding it as a fourth level breaks the orthogonality (what level is a domain-verified agent who is also vouched by five others?). Better modeled as an attested trust signal: an 2. DNS TTL cap on Adding normative guidance to §4 (Revocation via DNS): 3. Attestation requirement above a trust threshold — accepted with nuance. §2 line 199 already SHOULD-weights attested signals higher. Strengthening: clients making authorization decisions based on a trust signal SHOULD require third-party attestation for that signal; self-asserted signals MAY be used for informational display only. The threshold itself remains a client-side policy decision (the spec can't define "high trust" — it's use-case dependent: a weather query and a wire transfer have different bars). 4. Federated revocation registry as fallback for domain compromise — deferred to v2, flagged as future work. Real concern: if the agent's domain itself is compromised, DNS revocation (§4) and On wire-format coordination: #1496 §6 (Message Signing) will adopt RFC 9421 + content-digest per #1829 once that proposal stabilizes. The current §6 ad-hoc JCS-over-message construction will be replaced by the RFC 9421 envelope; the extension URI, identity-level layers, and Will fold #2 (DNS TTL cap) and #3 (attestation-requirement strengthening) into the same follow-up commit as the §6 RFC 9421 alignment, so the next push on this PR is a single coherent v0.3.3-aligned update rather than three churns. |
…gnment Three changes responding to review and ecosystem coordination on the layered identity stack: - §2 (Trust Signals): Strengthen attestation requirement. Clients making authorization decisions on a trust signal SHOULD require third-party attestation; self-asserted MAY be informational only. - §4 (Revocation via DNS): Cap _a2a-identity TXT record TTL at ≤ 300 seconds. Longer TTLs delay revocation propagation by the same amount and undermine the mechanism. - §6 (Message Signing): Adopt RFC 9421 HTTP Message Signatures wire format per a2aproject#1829. Components ("@method" "@path" "content-digest"), RFC 9530 content-digest, Ed25519. keyid is a self-resolving HTTPS URL returning either a W3C DID Document or the compact {address, public_key} form per a2aproject#1829. HTTP-layer headers preferred for synchronous transports; message metadata carrier defined for SSE and async transports. Wire format aligned with a2aproject#1829 v1.4.0; refinements in a2aproject#1829 v1.5+ will be folded in via the CTEF v0.3.3 cycle (a2aproject#1786). References added: RFC 9421, RFC 9530, RFC 8410, W3C DID Core, linked A2A issues a2aproject#1829, a2aproject#1786, a2aproject#1575. Allowlist: Multibase (for publicKeyMultibase).
Spec/docs-only fork — the 8-phase pre-push review (new-user walkthrough, adversarial corpus, score sanity, concept-explainer, real-world dev-tree scan) targets tool repos with runnable artifacts and is not applicable here. Review of proposal text happens on the upstream PR.
|
@thebenignhacker — all four decisions align cleanly with the substrate-vs-primitive layering. Quick notes: Decision 1 (vouch as attestation type, not 4th level): correct architecturally. Same reasoning CTEF uses for Decision 4 (federated revocation → CT-style RFC 6962 log, deferred to v2): worth noting CTEF v0.4 §7 Trust Policy Manifest carries a dispute primitive (deferred from v0.3.2 per the Musaab/Arian thread on #1786 — own Decisions 2 + 3: substrate-pass-through, no CTEF conflict. Watching the — Kenne |
|
@thebenignhacker + everyone on #1496 — State of Agent Security 2026 landed at 8am ET. §3.8 cites AgentID's §4 Co-signer Perspectives carries Harold Frimpong's quote on AI-agent identity verbatim: "Every AI agent needs an identity, the same way every website needs SSL." Live: https://agentgraph.co/state-of-agent-security-2026 The four-decision closure documented on this thread (claim_type taxonomy, byte-match-as-conformance signal, identity-layer substrate ownership, JCS canonicalization) is now anchored in a published reference. Happy to coordinate wording in any subsequent revisions if useful for AgentID downstream cites. |
|
Three reference artifacts for A2A-IDF (this PR) are now live. Posting a status update and asking the TSC for a review track. The layered split that frames the spec set (wire signature #1829, identity framework #1496 / this PR, identity claims #1786 CTEF, delegation and continuity #1575 APS) was crystallized on the #1829 thread on 2026-05-11 with explicit endorsements from A2A-IDF now ships with three reference artifacts. Each is independently maintainable, Apache-2.0, and not normatively required by the spec text.
AIM is named as a reference implementation alongside the SDK and suite. AIM is not a normative requirement of A2A-IDF and is not given a privileged position in the conformance suite. Implementations can adopt one layer at a time and substitute their own infrastructure at any layer. Reproducing the composition byte-matchgit clone https://github.com/opena2a-org/a2a-idf-conformance.git
cd a2a-idf-conformance
node scripts/verify.mjs fixtures/composition/aim-did-rfc9421/signature-alone.json
# PASS fixtures/composition/aim-did-rfc9421/signature-alone.json
python3 scripts/verify.py fixtures/composition/aim-did-rfc9421/signature-alone.json
# PASS fixtures/composition/aim-did-rfc9421/signature-alone.jsonThe same signature base validates under Envoys §6 (compact form) and A2A-IDF §6 (DID Document). The wire signature is unchanged. That is the core interop claim §6 of this PR makes; the fixture is the proof. The askRequesting a TSC review track for this PR with the goal of landing in A2A v1.1. Concretely:
Happy to present at a TSC meeting if helpful. The agenda link in GOVERNANCE.md is the right channel for that, but flagging here so this PR doesn't sit indefinitely between implementer consensus and TSC review. TSC reps per GOVERNANCE.md: |
|
@thebenignhacker — supporting the TSC review track ask; the three reference artifacts shipped this morning are exactly the maturity signal a v1.1 inclusion review needs. Confirming the four-layer split alignment from CTEF's side:
The four implementation decisions ratified on this PR (depth-first proof-stripping invariant, scope-narrowing-only authority composition, stale-action per-category override, required-vs-informational field discipline) sit cleanly under the identity-framework layer with CTEF substrate supplying the JCS-canonical envelope shape. On §6 dual-shape acceptance language vs #1829's Content-Type discriminator: the On Working Group venue for v1.1 → v1.2 → v2.0 trajectory: vouching attestations + federated revocation + post-quantum signature algorithm agility are scope-broad enough that a WG seems right — but the four-layer split should stay as the framing surface, with each layer's WG (when formed) coordinating with the others through the cross-extension fixture matrix being assembled in the v0.3.3 working doc (here). Profile-level extensions (e.g., @eriknewton + @a2cN + @bidangel's cross-protocol relationship vocabulary) can live as named profiles on top of the layer specs without forking the trajectory. TSC reps tagged: happy to support presentation if requested. CTEF substrate is positioned to land its own conformance + spec text into whatever review structure the TSC sets up. |
|
Supporting the v1.1 review-track ask. The four-layer split — wire, identity, claims, continuity — is the right decomposition for the current substrate work. It keeps transport mechanics, identity binding, attestable claims, and continuity/rotation concerns separated without forcing one issue to carry the whole stack. APS continuity-layer interlock still holds: Happy to confirm any APS-side fixture pins the review track needs. |
|
Thanks @kenneives and @aeoess for the v1.1 review-track endorsements and the four-layer alignment confirmation. On the four-layer split. @kenneives's table (wire / identity / claims / continuity) plus @aeoess's APS continuity-layer interlock confirmation ( On §6 dual-shape vs #1829. Agree the substrate-side dispatch ( On State of Agent Security 2026. @kenneives's report (https://agentgraph.co/state-of-agent-security-2026) §3.8 cites AgentID's Next. Waiting on TSC reviewer assignment per GOVERNANCE.md (reps tagged on the prior comment). The Working Group venue for the v1.1 → v1.2 → v2.0 trajectory is sketched in roadmap PR #1850. |
5 participants
Closes #1497
Summary
Files
docs/proposals/agent-identity-trust-framework.md— Main proposaldocs/proposals/agent-identity-trust-framework-design-rationale.md— Design rationale (ADR format, 4 options considered)Design Approach
Uses the existing
AgentExtensionmechanism and messagemetadatafields. All changes are additive. Existing agents continue to work at Level 0 (self-asserted). Progressive adoption path from Level 0 to Level 2.Considered and rejected: W3C DIDs/VCs (too complex for current ecosystem), X.509 certificates (too heavyweight for agent interactions), do-nothing (unacceptable given exploitable gaps).
Backward Compatibility
No protobuf schema changes. No existing fields modified. The MAY-to-MUST change for AgentCard signing applies only to production deployments over public networks, aligning with the existing MUST for encrypted communication (Section 7.1).