Proposal: Agent Identity Verification and Trust Framework

[thebenignhacker]

Problem

The A2A protocol recommends TLS certificate validation and allows optional JWS signatures on AgentCards for agent identity. These mechanisms verify the domain hosting an agent but do not verify the agent itself. This creates security gaps in multi-agent ecosystems:

1. No verified agent identity - AgentProvider fields are self-asserted with no verification
2. No trust evaluation framework for agents
3. No trust propagation or authorization boundaries in delegation chains
4. No AgentCard revocation mechanism
5. No application-layer message integrity

Proposal

An extension-based identity framework using existing AgentExtension and metadata fields, with three verification levels (self-asserted, domain-verified, organization-verified), standardized trust signals, mandatory AgentCard signing for production, revocation endpoints, delegation chain security, and message signing.

Full proposal: docs/proposals/agent-identity-trust-framework.md
Design rationale: docs/proposals/agent-identity-trust-framework-design-rationale.md

[chorghemaruti64-creator]

Relevant context from our implementation: we've built and deployed an agent identity + trust system at Agenium that addresses several points in this proposal.

What we've shipped:

1. Platform-verified identity — agents get identity from their owner's platform login (Telegram OAuth → username.telegram address). No separate verification flow needed — the platform login IS the proof of ownership.

2. DNS-resolvable agent addresses — each agent gets an agent:// URI that resolves via our DNS system. The address persists across endpoint changes.

3. Trust scoring — star ratings, review system, and verification badges. Verified agents get search ranking boost (1.5x). Trust data is queryable via API.

4. Claim & verify flow — agents can prove ownership via DNS TXT records or email verification. This gives you cryptographic-ish verification without requiring PKI infrastructure.

Key lesson learned: the biggest barrier to agent identity adoption isn't the crypto — it's the UX. Requiring agents to manage keypairs or certificates creates massive friction. Leveraging existing platform identity (Telegram, GitHub) and DNS infrastructure gets you 80% of the trust value with 10% of the complexity.

The proposal's "DID-based identity" approach is solid for the long term, but for practical adoption today, platform-verified identity + DNS resolution has been our fastest path.

Live system: chat.agenium.net — agents respond via permanent DNS addresses.

[The-Nexus-Guard]

This proposal addresses a real gap — the distinction between "this domain hosts an agent" (TLS) and "this agent is who it claims to be" (identity verification) is critical.

We've been building in this space with AIP (Agent Identity Protocol) and have some practical observations from running a live network:

On verification levels:
The three-tier model (self-asserted → domain-verified → org-verified) maps well to what we see in practice. In our implementation, agents register with Ed25519 keypairs and get DIDs, then build trust through vouch chains — where a verified entity vouches for an agent, and that vouch is transitively verifiable with decay. The gap we keep hitting is that pure self-assertion is nearly worthless (Sybil-trivial), but org-verification is too heavy for most use cases. The middle ground — "vouched for by N trusted entities" — has been the most practical path.

On delegation chains:
Point 3 in the problem statement (no trust propagation in delegation chains) is where things get interesting. We implemented transitive trust scoring where trust attenuates through each hop in the chain. The key insight: trust should be scoped — Agent A trusts Agent B for research tasks, not for financial transactions. A flat trust score loses this nuance.

On revocation:
We use key rotation + revocation endpoints. The hard part isn't the mechanism — it's propagation latency. If Agent A revokes trust in Agent B, how quickly do Agents C through Z learn about it? We've found that a pull-based model (agents check trust before each interaction) works better than push-based (broadcast revocation) for the current scale.

On integration with A2A:
The extension-based approach using AgentExtension fields is the right call — identity should be opt-in, not mandatory. An aip extension on AgentCards could carry the agent's DID and a verifiable signature, letting other agents check identity without requiring all A2A participants to implement the full framework.

Happy to share more implementation details or discuss how AIP's approach could complement this proposal.

[douglasborthwick-crypto]

On the "no trust evaluation framework" gap (point 2): there's a production credential layer that complements the identity verification levels you've proposed.

Your three levels (self-asserted, domain-verified, organization-verified) solve identity — who is this agent? The missing piece is credentials — what does this agent hold on-chain? A domain-verified agent with zero on-chain footprint is a different trust profile than one holding governance tokens across multiple chains.

InsumerAPI provides this credential layer. POST /v1/trust returns an ECDSA-signed wallet trust profile (14 checks, 31 EVM chains), verifiable via JWKS at /.well-known/jwks.json.

For A2A, this could sit as an AgentCard extension:

{
  "extensions": {
    "credential_verification": {
      "wallet": "0x...",
      "provider": "insumerapi",
      "provider_jwks": "https://insumermodel.com/.well-known/jwks.json",
      "trust_id": "TRST-XXXXX",
      "sig": "ECDSA-P256 signature"
    }
  }
}

A consuming agent verifies the signature against the JWKS — no trust in the asserting agent required. Related discussion on a concrete schema for this pattern in #1501.

[ymc182]

The identity verification levels here are solid — but there's a layer missing between
"who is this agent?" (identity) and "what should this agent be allowed to do?" (authorization).

We hit this exact gap building MeshCap (https://github.com/ymc182/MeshCap), a trust and relay
layer for A2A agents. The problem we kept running into: even after verifying an agent's identity,
there's no standard way to express:

1. What capabilities a host exposes — typed, schema-validated actions (not just "skills" in
   the Agent Card, but actions with enforced input/output contracts)
2. Under what conditions they execute — auto (immediate), notify (execute + alert), or
   review (queue for human approval before execution)
3. What data requires attestation — we call these "trusted scopes." A booking capability might
   require a verified phone number — not self-asserted, but attested by an accepted issuer
   (Twilio, Vonage, etc.) via W3C Verifiable Credentials, verified locally with no network call

The three-tier identity model (self-asserted → domain-verified → org-verified) maps well as a
foundation. What we've found is that you also need per-capability trust requirements — the same
agent might be trusted to read a class schedule (auto-execute) but require human review before
processing a refund.

Our implementation handles this with:

• Capability-level execution modes (auto/notify/review)
• Trusted scopes with pluggable attestation (host declares accepted issuers, caller presents
  verifiable credentials, host verifies locally via cryptographic proof)
• Bilateral signed link contracts between agents (no central authority holds the trust relationship)
• Idempotent invocations (replay-safe by design)

We're preparing RFCs for execution modes and trusted scopes as A2A extensions. Happy to
collaborate — this proposal's identity layer + MeshCap's authorization layer would be complementary.

Repo: https://github.com/ymc182/MeshCap
Live demo trace (two agents, end-to-end): https://github.com/ymc182/MeshCap/blob/main/docs/technical-draft-agent-to-agent-live-demo.md

[aeoess]

@thebenignhacker — your three verification levels (self-asserted, domain-verified, organization-verified) are running in our implementation.

APS maps to these as: self-asserted = Ed25519 passport (any agent generates one), domain-verified = DID with .well-known endpoint (we have did:aps + domain binding), organization-verified = Principal Identity with entity binding (legal entity anchoring via Corpo API).

Since this proposal started the identity conversation on A2A, wanted to share where the ecosystem landed: a working group formed around 4 independent implementations (APS, qntm, AgentID, OATR), with a shared trust registry (7 issuers) and a ratified encryption spec (QSP-1 v1.0, unanimous).

The trust evaluation framework gap you identified in point 2 is addressed by our reputation-gated authority system — behavioral scoring feeds back into delegation scope. @douglasborthwick-crypto's credential layer and our Bayesian reputation module are complementary approaches.

Would be good to connect on what OpenA2A is building — sounds like there might be natural integration points.

[internet-dot]

This is a well-structured proposal — the three verification levels are a practical design for gradual adoption.

One consideration for Level 3 (Delegated Trust): delegation chains need a public anchor. If Agent A delegates to Agent B who delegates to Agent C, each delegation step can be signed, but the chain is only as strong as the weakest identity claim. If Agent A is self-asserted with no external verification, the entire chain is suspect.

At HOL, our HCS-14 Universal Agent IDs provide that public anchor. Each agent in the chain could present a UAID alongside their A2A AgentCard. The receiving agent resolves the UAID to verify:

• The agent is registered and active (not self-asserted)
• Key rotation history is auditable (no impersonation via key rotation)
• Revocation status is current (sub-3s propagation)

For the A2A spec, the identityVerification extension could reference a UAID as the canonical identifier that maps to the DID and AgentCard. This gives the three verification levels a common identity substrate to build on.

We already bridge A2A agent cards, DIDs, and ERC-8004 through UAIDs. Happy to contribute to the spec.