|
| 1 | +# Proposed Contribution: Agent Authorization VC Profile (Section 5.4.2) |
| 2 | + |
| 3 | +--- |
| 4 | + |
| 5 | +## 5.4.2. Agent Authorization Verifiable Credential Profile |
| 6 | + |
| 7 | +This section defines a Verifiable Credential profile for agent authorization, specifying required and optional claims that enable interoperable cross-domain authorization while supporting organization-specific extensions. |
| 8 | + |
| 9 | +### 5.4.2.1. Profile Overview |
| 10 | + |
| 11 | +The Agent Authorization VC Profile (AAVC) provides a standardized structure for VCs that assert an agent's identity, capabilities, compliance status, and operational parameters. The profile is designed to: |
| 12 | + |
| 13 | +- Enable Authorization Servers to make informed access control decisions |
| 14 | +- Support selective disclosure of sensitive claims |
| 15 | +- Allow organizational extensions without breaking interoperability |
| 16 | +- Facilitate audit and compliance verification |
| 17 | + |
| 18 | +### 5.4.2.2. Credential Structure |
| 19 | + |
| 20 | +An Agent Authorization VC conforming to this profile MUST include the following structure: |
| 21 | + |
| 22 | +```json |
| 23 | +{ |
| 24 | + "@context": [ |
| 25 | + "https://www.w3.org/2018/credentials/v1", |
| 26 | + "https://w3id.org/security/suites/ed25519-2020/v1", |
| 27 | + "https://example.org/contexts/agent-authz/v1" |
| 28 | + ], |
| 29 | + "type": ["VerifiableCredential", "AgentAuthorizationCredential"], |
| 30 | + "issuer": "...", |
| 31 | + "issuanceDate": "...", |
| 32 | + "expirationDate": "...", |
| 33 | + "credentialStatus": { "..." }, |
| 34 | + "credentialSubject": { "..." }, |
| 35 | + "proof": { "..." } |
| 36 | +} |
| 37 | +``` |
| 38 | + |
| 39 | +### 5.4.2.3. Required Claims |
| 40 | + |
| 41 | +The credentialSubject MUST include the following claims: |
| 42 | + |
| 43 | +**id (required):** A globally unique identifier for the agent. This SHOULD be a URI that can be dereferenced to obtain the agent's client-id metadata. |
| 44 | + |
| 45 | +```json |
| 46 | +"id": "https://identity.example.com/agents/agent-001/client-metadata" |
| 47 | +``` |
| 48 | + |
| 49 | +**agentType (required):** The classification of the agent. Implementations MUST support the following values: |
| 50 | + |
| 51 | +- `tool-agent`: An agent that provides specific tool/skill capabilities |
| 52 | +- `orchestrator-agent`: An agent that coordinates other agents |
| 53 | +- `workflow-agent`: An agent that executes multi-step workflows |
| 54 | +- `system-agent`: A long-running infrastructure agent |
| 55 | +- `ephemeral-agent`: A short-lived, single-task agent |
| 56 | + |
| 57 | +```json |
| 58 | +"agentType": "workflow-agent" |
| 59 | +``` |
| 60 | + |
| 61 | +**authorizedScopes (required):** An array of authorization scopes that this agent is permitted to request. Scopes SHOULD follow the format `resource:action` or use URIs for complex permissions. |
| 62 | + |
| 63 | +```json |
| 64 | +"authorizedScopes": [ |
| 65 | + "logs:read", |
| 66 | + "config:read", |
| 67 | + "metrics:read", |
| 68 | + "https://example.org/scopes/support-access" |
| 69 | +] |
| 70 | +``` |
| 71 | + |
| 72 | +**issuerDomain (required):** The administrative domain of the credential issuer. Used by Authorization Servers to apply domain-specific trust policies. |
| 73 | + |
| 74 | +```json |
| 75 | +"issuerDomain": "example.com" |
| 76 | +``` |
| 77 | + |
| 78 | +### 5.4.2.4. Recommended Claims |
| 79 | + |
| 80 | +The following claims are RECOMMENDED for production deployments: |
| 81 | + |
| 82 | +**agentName (recommended):** A human-readable name for the agent. |
| 83 | + |
| 84 | +```json |
| 85 | +"agentName": "Customer Support Assistant v2.3" |
| 86 | +``` |
| 87 | + |
| 88 | +**agentVersion (recommended):** The version identifier of the agent software. |
| 89 | + |
| 90 | +```json |
| 91 | +"agentVersion": "2.3.1-build.4521" |
| 92 | +``` |
| 93 | + |
| 94 | +**tenantId (recommended):** For multi-tenant deployments, the identifier of the tenant context in which this agent operates. |
| 95 | + |
| 96 | +```json |
| 97 | +"tenantId": "tenant-acme-corp-prod" |
| 98 | +``` |
| 99 | + |
| 100 | +**dataSensitivityClearance (recommended):** The maximum data sensitivity level this agent is cleared to access. Implementations SHOULD support at least: |
| 101 | + |
| 102 | +- `public`: Publicly available information |
| 103 | +- `internal`: Organization-internal, non-sensitive |
| 104 | +- `confidential`: Business-sensitive information |
| 105 | +- `restricted`: Highly sensitive, need-to-know basis |
| 106 | +- `regulated`: Subject to regulatory controls (PII, PHI, PCI, etc.) |
| 107 | + |
| 108 | +```json |
| 109 | +"dataSensitivityClearance": "confidential" |
| 110 | +``` |
| 111 | + |
| 112 | +**complianceAttestations (recommended):** An array of compliance certifications or policy attestations relevant to this agent's operation. |
| 113 | + |
| 114 | +```json |
| 115 | +"complianceAttestations": [ |
| 116 | + { |
| 117 | + "standard": "ISO-27001", |
| 118 | + "scope": "information-security-management", |
| 119 | + "validUntil": "2026-03-15T00:00:00Z" |
| 120 | + }, |
| 121 | + { |
| 122 | + "standard": "SOC2-Type2", |
| 123 | + "scope": "security-availability", |
| 124 | + "validUntil": "2025-08-01T00:00:00Z" |
| 125 | + }, |
| 126 | + { |
| 127 | + "standard": "GDPR", |
| 128 | + "scope": "data-processing", |
| 129 | + "dpaReference": "https://legal.example.com/dpa/v2" |
| 130 | + } |
| 131 | +] |
| 132 | +``` |
| 133 | + |
| 134 | +**operationalConstraints (recommended):** Runtime constraints that Authorization Servers and MCP Servers SHOULD enforce: |
| 135 | + |
| 136 | +```json |
| 137 | +"operationalConstraints": { |
| 138 | + "maxConcurrentSessions": 10, |
| 139 | + "maxRequestsPerMinute": 100, |
| 140 | + "maxSessionDurationSeconds": 3600, |
| 141 | + "allowedTimeWindows": [ |
| 142 | + { |
| 143 | + "days": ["Mon", "Tue", "Wed", "Thu", "Fri"], |
| 144 | + "startTime": "06:00", |
| 145 | + "endTime": "22:00", |
| 146 | + "timezone": "America/Los_Angeles" |
| 147 | + } |
| 148 | + ], |
| 149 | + "geofence": { |
| 150 | + "allowedRegions": ["US", "EU", "UK"], |
| 151 | + "deniedRegions": [] |
| 152 | + } |
| 153 | +} |
| 154 | +``` |
| 155 | + |
| 156 | +**trustSignals (recommended):** Dynamic trust indicators that may influence authorization decisions. These SHOULD be used as supplementary signals, not sole authorization criteria. |
| 157 | + |
| 158 | +```json |
| 159 | +"trustSignals": { |
| 160 | + "trustScore": 0.94, |
| 161 | + "trustScoreProvider": "https://trust.example.com", |
| 162 | + "trustScoreTimestamp": "2025-12-15T10:30:00Z", |
| 163 | + "riskIndicators": [], |
| 164 | + "lastSecurityAudit": "2025-11-01T00:00:00Z" |
| 165 | +} |
| 166 | +``` |
| 167 | + |
| 168 | +### 5.4.2.5. Optional Claims |
| 169 | + |
| 170 | +The following claims are OPTIONAL and support specific use cases: |
| 171 | + |
| 172 | +**modelInfo (optional):** For AI-powered agents, information about the underlying model: |
| 173 | + |
| 174 | +```json |
| 175 | +"modelInfo": { |
| 176 | + "modelFamily": "llm-provider-x", |
| 177 | + "modelVersion": "model-v2-20240229", |
| 178 | + "modelProvider": "provider-name", |
| 179 | + "approvedForUseCases": ["customer-support", "code-review"], |
| 180 | + "prohibitedUseCases": ["medical-diagnosis", "legal-advice"] |
| 181 | +} |
| 182 | +``` |
| 183 | + |
| 184 | +**delegation (optional):** Delegation permissions as defined in Section 5.4.1.6. |
| 185 | + |
| 186 | +**provenance (optional):** Supply chain and deployment provenance information: |
| 187 | + |
| 188 | +```json |
| 189 | +"provenance": { |
| 190 | + "buildId": "build-20251210-abc123", |
| 191 | + "sourceRepository": "https://github.com/example/agent-suite", |
| 192 | + "commitHash": "a1b2c3d4e5f6", |
| 193 | + "slsaLevel": "SLSA_BUILD_LEVEL_3", |
| 194 | + "deploymentEnvironment": "production", |
| 195 | + "deployedBy": "ci-pipeline-main" |
| 196 | +} |
| 197 | +``` |
| 198 | + |
| 199 | +**policyBindings (optional):** References to policies that govern this agent's behavior: |
| 200 | + |
| 201 | +```json |
| 202 | +"policyBindings": [ |
| 203 | + { |
| 204 | + "policyId": "https://policies.example.com/agent-conduct/v2", |
| 205 | + "policyVersion": "2.1.0", |
| 206 | + "enforcementMode": "enforce" |
| 207 | + }, |
| 208 | + { |
| 209 | + "policyId": "https://policies.example.com/data-handling/v1", |
| 210 | + "policyVersion": "1.5.2", |
| 211 | + "enforcementMode": "audit" |
| 212 | + } |
| 213 | +] |
| 214 | +``` |
| 215 | + |
| 216 | +### 5.4.2.6. Extension Mechanism |
| 217 | + |
| 218 | +Organizations MAY extend the Agent Authorization VC Profile with additional claims by: |
| 219 | + |
| 220 | +1. Defining a JSON-LD context document for the extension |
| 221 | +2. Including the extension context URI in the VC's @context array |
| 222 | +3. Adding extension claims under a namespace prefix or dedicated object |
| 223 | + |
| 224 | +Example extension for organization-specific claims: |
| 225 | + |
| 226 | +```json |
| 227 | +{ |
| 228 | + "@context": [ |
| 229 | + "https://www.w3.org/2018/credentials/v1", |
| 230 | + "https://example.org/contexts/agent-authz/v1", |
| 231 | + "https://vendor.example.com/contexts/secure-access-agent/v1" |
| 232 | + ], |
| 233 | + "type": [ |
| 234 | + "VerifiableCredential", |
| 235 | + "AgentAuthorizationCredential", |
| 236 | + "VendorSecureAccessAgentCredential" |
| 237 | + ], |
| 238 | + "credentialSubject": { |
| 239 | + "id": "https://identity.example.com/agents/xdr-support-001", |
| 240 | + "agentType": "workflow-agent", |
| 241 | + "authorizedScopes": ["logs:read", "incidents:read", "config:read"], |
| 242 | + "issuerDomain": "example.com", |
| 243 | + "vendorext:productLine": "Secure Access", |
| 244 | + "vendorext:supportTier": "premium", |
| 245 | + "vendorext:allowedTenantPattern": "tenant-*-prod" |
| 246 | + } |
| 247 | +} |
| 248 | +``` |
| 249 | + |
| 250 | +Implementations receiving VCs with unrecognized extension claims SHOULD ignore unknown claims rather than rejecting the VC, unless the claim is marked as critical. |
| 251 | + |
| 252 | +### 5.4.2.7. Complete Example |
| 253 | + |
| 254 | +The following is a complete example of an Agent Authorization VC for a security operations workflow agent: |
| 255 | + |
| 256 | +```json |
| 257 | +{ |
| 258 | + "@context": [ |
| 259 | + "https://www.w3.org/2018/credentials/v1", |
| 260 | + "https://w3id.org/security/suites/ed25519-2020/v1", |
| 261 | + "https://example.org/contexts/agent-authz/v1" |
| 262 | + ], |
| 263 | + "type": ["VerifiableCredential", "AgentAuthorizationCredential"], |
| 264 | + "issuer": "did:web:identity.example.com", |
| 265 | + "issuanceDate": "2025-12-10T00:00:00Z", |
| 266 | + "expirationDate": "2025-12-11T00:00:00Z", |
| 267 | + "credentialStatus": { |
| 268 | + "id": "https://identity.example.com/credentials/status/3#4521", |
| 269 | + "type": "StatusList2021Entry", |
| 270 | + "statusPurpose": "revocation", |
| 271 | + "statusListIndex": "4521", |
| 272 | + "statusListCredential": "https://identity.example.com/credentials/status/3" |
| 273 | + }, |
| 274 | + "credentialSubject": { |
| 275 | + "id": "https://identity.example.com/agents/xdr-triage-001/client-metadata", |
| 276 | + "agentType": "workflow-agent", |
| 277 | + "agentName": "XDR Triage Assistant", |
| 278 | + "agentVersion": "3.2.1", |
| 279 | + "issuerDomain": "example.com", |
| 280 | + "tenantId": "tenant-acme-prod", |
| 281 | + "authorizedScopes": [ |
| 282 | + "alerts:read", |
| 283 | + "incidents:read", |
| 284 | + "logs:read", |
| 285 | + "endpoints:read", |
| 286 | + "playbooks:execute" |
| 287 | + ], |
| 288 | + "dataSensitivityClearance": "confidential", |
| 289 | + "complianceAttestations": [ |
| 290 | + { |
| 291 | + "standard": "SOC2-Type2", |
| 292 | + "scope": "security-availability", |
| 293 | + "validUntil": "2026-06-01T00:00:00Z" |
| 294 | + } |
| 295 | + ], |
| 296 | + "operationalConstraints": { |
| 297 | + "maxConcurrentSessions": 5, |
| 298 | + "maxRequestsPerMinute": 60, |
| 299 | + "maxSessionDurationSeconds": 7200 |
| 300 | + }, |
| 301 | + "trustSignals": { |
| 302 | + "trustScore": 0.92, |
| 303 | + "trustScoreProvider": "https://trust.example.com", |
| 304 | + "trustScoreTimestamp": "2025-12-10T08:00:00Z" |
| 305 | + }, |
| 306 | + "delegation": { |
| 307 | + "permitted": true, |
| 308 | + "maxDepth": 1, |
| 309 | + "allowedDelegateeTypes": ["tool-agent"], |
| 310 | + "scopeRestrictions": { |
| 311 | + "nonDelegatable": ["playbooks:execute"] |
| 312 | + } |
| 313 | + }, |
| 314 | + "modelInfo": { |
| 315 | + "modelFamily": "internal-llm", |
| 316 | + "modelVersion": "sec-llm-v2", |
| 317 | + "approvedForUseCases": ["security-triage", "alert-analysis"] |
| 318 | + } |
| 319 | + }, |
| 320 | + "proof": { |
| 321 | + "type": "Ed25519Signature2020", |
| 322 | + "created": "2025-12-10T00:00:00Z", |
| 323 | + "verificationMethod": "did:web:identity.example.com#key-1", |
| 324 | + "proofPurpose": "assertionMethod", |
| 325 | + "proofValue": "z58DAdFfa9SkqZMV...base58-encoded-signature..." |
| 326 | + } |
| 327 | +} |
| 328 | +``` |
| 329 | + |
| 330 | +### 5.4.2.8. Interoperability Requirements |
| 331 | + |
| 332 | +For interoperability across domains, implementations: |
| 333 | + |
| 334 | +**MUST:** |
| 335 | + |
| 336 | +- Support the required claims defined in Section 5.4.2.3 |
| 337 | +- Recognize the `AgentAuthorizationCredential` type |
| 338 | +- Process the base context `https://example.org/contexts/agent-authz/v1` |
| 339 | +- Verify the credential proof before processing claims |
| 340 | + |
| 341 | +**SHOULD:** |
| 342 | + |
| 343 | +- Support the recommended claims defined in Section 5.4.2.4 |
| 344 | +- Implement selective disclosure for sensitive claims |
| 345 | +- Log unrecognized claims for operational visibility |
| 346 | + |
| 347 | +**MAY:** |
| 348 | + |
| 349 | +- Define and process organization-specific extensions |
| 350 | +- Implement additional validation beyond the profile requirements |
| 351 | + |
| 352 | +--- |
| 353 | + |
| 354 | +## References |
| 355 | + |
| 356 | +``` |
| 357 | +[I-D.ietf-oauth-selective-disclosure-jwt] |
| 358 | + Fett, D., Yasuda, K., and B. Campbell, "Selective Disclosure |
| 359 | + for JWTs (SD-JWT)", Internet-Draft, 2024. |
| 360 | +``` |
| 361 | + |
| 362 | +--- |
| 363 | + |
| 364 | +## Contributor Information |
| 365 | + |
| 366 | +This section was contributed by: |
| 367 | + |
| 368 | +**Nik Kale** |
| 369 | +Principal Engineer, Cisco Systems |
| 370 | + |
| 371 | +--- |
| 372 | + |
0 commit comments