Skip to content

Commit b36b959

Browse files
committed
feat(spec): Specify Agent Authorization Verifiable Credential profile (Section 5.4.2)
Define the Agent Authorization VC Profile (AAVC) for interoperable cross-domain agent authorization: Required Claims: - id: Globally unique agent identifier (dereferenceable URI) - agentType: Classification (tool, orchestrator, workflow, system, ephemeral) - authorizedScopes: Array of permitted authorization scopes - issuerDomain: Administrative domain for trust policy application Recommended Claims: - agentName, agentVersion, tenantId - dataSensitivityClearance (public → regulated) - complianceAttestations (ISO-27001, SOC2, GDPR, etc.) - operationalConstraints (rate limits, time windows, geofence) - trustSignals (scores, risk indicators, audit timestamps) Optional Claims: - modelInfo: AI model details and approved/prohibited use cases - delegation: Delegation permissions (per Section 5.4.1) - provenance: SLSA build provenance and deployment info - policyBindings: References to governing policies Extension Mechanism: - JSON-LD context-based extensions for organization-specific claims - Graceful handling of unrecognized claims Includes complete example VC for XDR Triage Assistant and interoperability requirements matrix (MUST/SHOULD/MAY). Section 5.4.2 of the DCR v1 Draft proposal. Signed-off-by: Nik Kale <nikkal@cisco.com>
1 parent dc1329b commit b36b959

1 file changed

Lines changed: 372 additions & 0 deletions

File tree

Lines changed: 372 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,372 @@
1+
# Proposed Contribution: Agent Authorization VC Profile (Section 5.4.2)
2+
3+
---
4+
5+
## 5.4.2. Agent Authorization Verifiable Credential Profile
6+
7+
This section defines a Verifiable Credential profile for agent authorization, specifying required and optional claims that enable interoperable cross-domain authorization while supporting organization-specific extensions.
8+
9+
### 5.4.2.1. Profile Overview
10+
11+
The Agent Authorization VC Profile (AAVC) provides a standardized structure for VCs that assert an agent's identity, capabilities, compliance status, and operational parameters. The profile is designed to:
12+
13+
- Enable Authorization Servers to make informed access control decisions
14+
- Support selective disclosure of sensitive claims
15+
- Allow organizational extensions without breaking interoperability
16+
- Facilitate audit and compliance verification
17+
18+
### 5.4.2.2. Credential Structure
19+
20+
An Agent Authorization VC conforming to this profile MUST include the following structure:
21+
22+
```json
23+
{
24+
"@context": [
25+
"https://www.w3.org/2018/credentials/v1",
26+
"https://w3id.org/security/suites/ed25519-2020/v1",
27+
"https://example.org/contexts/agent-authz/v1"
28+
],
29+
"type": ["VerifiableCredential", "AgentAuthorizationCredential"],
30+
"issuer": "...",
31+
"issuanceDate": "...",
32+
"expirationDate": "...",
33+
"credentialStatus": { "..." },
34+
"credentialSubject": { "..." },
35+
"proof": { "..." }
36+
}
37+
```
38+
39+
### 5.4.2.3. Required Claims
40+
41+
The credentialSubject MUST include the following claims:
42+
43+
**id (required):** A globally unique identifier for the agent. This SHOULD be a URI that can be dereferenced to obtain the agent's client-id metadata.
44+
45+
```json
46+
"id": "https://identity.example.com/agents/agent-001/client-metadata"
47+
```
48+
49+
**agentType (required):** The classification of the agent. Implementations MUST support the following values:
50+
51+
- `tool-agent`: An agent that provides specific tool/skill capabilities
52+
- `orchestrator-agent`: An agent that coordinates other agents
53+
- `workflow-agent`: An agent that executes multi-step workflows
54+
- `system-agent`: A long-running infrastructure agent
55+
- `ephemeral-agent`: A short-lived, single-task agent
56+
57+
```json
58+
"agentType": "workflow-agent"
59+
```
60+
61+
**authorizedScopes (required):** An array of authorization scopes that this agent is permitted to request. Scopes SHOULD follow the format `resource:action` or use URIs for complex permissions.
62+
63+
```json
64+
"authorizedScopes": [
65+
"logs:read",
66+
"config:read",
67+
"metrics:read",
68+
"https://example.org/scopes/support-access"
69+
]
70+
```
71+
72+
**issuerDomain (required):** The administrative domain of the credential issuer. Used by Authorization Servers to apply domain-specific trust policies.
73+
74+
```json
75+
"issuerDomain": "example.com"
76+
```
77+
78+
### 5.4.2.4. Recommended Claims
79+
80+
The following claims are RECOMMENDED for production deployments:
81+
82+
**agentName (recommended):** A human-readable name for the agent.
83+
84+
```json
85+
"agentName": "Customer Support Assistant v2.3"
86+
```
87+
88+
**agentVersion (recommended):** The version identifier of the agent software.
89+
90+
```json
91+
"agentVersion": "2.3.1-build.4521"
92+
```
93+
94+
**tenantId (recommended):** For multi-tenant deployments, the identifier of the tenant context in which this agent operates.
95+
96+
```json
97+
"tenantId": "tenant-acme-corp-prod"
98+
```
99+
100+
**dataSensitivityClearance (recommended):** The maximum data sensitivity level this agent is cleared to access. Implementations SHOULD support at least:
101+
102+
- `public`: Publicly available information
103+
- `internal`: Organization-internal, non-sensitive
104+
- `confidential`: Business-sensitive information
105+
- `restricted`: Highly sensitive, need-to-know basis
106+
- `regulated`: Subject to regulatory controls (PII, PHI, PCI, etc.)
107+
108+
```json
109+
"dataSensitivityClearance": "confidential"
110+
```
111+
112+
**complianceAttestations (recommended):** An array of compliance certifications or policy attestations relevant to this agent's operation.
113+
114+
```json
115+
"complianceAttestations": [
116+
{
117+
"standard": "ISO-27001",
118+
"scope": "information-security-management",
119+
"validUntil": "2026-03-15T00:00:00Z"
120+
},
121+
{
122+
"standard": "SOC2-Type2",
123+
"scope": "security-availability",
124+
"validUntil": "2025-08-01T00:00:00Z"
125+
},
126+
{
127+
"standard": "GDPR",
128+
"scope": "data-processing",
129+
"dpaReference": "https://legal.example.com/dpa/v2"
130+
}
131+
]
132+
```
133+
134+
**operationalConstraints (recommended):** Runtime constraints that Authorization Servers and MCP Servers SHOULD enforce:
135+
136+
```json
137+
"operationalConstraints": {
138+
"maxConcurrentSessions": 10,
139+
"maxRequestsPerMinute": 100,
140+
"maxSessionDurationSeconds": 3600,
141+
"allowedTimeWindows": [
142+
{
143+
"days": ["Mon", "Tue", "Wed", "Thu", "Fri"],
144+
"startTime": "06:00",
145+
"endTime": "22:00",
146+
"timezone": "America/Los_Angeles"
147+
}
148+
],
149+
"geofence": {
150+
"allowedRegions": ["US", "EU", "UK"],
151+
"deniedRegions": []
152+
}
153+
}
154+
```
155+
156+
**trustSignals (recommended):** Dynamic trust indicators that may influence authorization decisions. These SHOULD be used as supplementary signals, not sole authorization criteria.
157+
158+
```json
159+
"trustSignals": {
160+
"trustScore": 0.94,
161+
"trustScoreProvider": "https://trust.example.com",
162+
"trustScoreTimestamp": "2025-12-15T10:30:00Z",
163+
"riskIndicators": [],
164+
"lastSecurityAudit": "2025-11-01T00:00:00Z"
165+
}
166+
```
167+
168+
### 5.4.2.5. Optional Claims
169+
170+
The following claims are OPTIONAL and support specific use cases:
171+
172+
**modelInfo (optional):** For AI-powered agents, information about the underlying model:
173+
174+
```json
175+
"modelInfo": {
176+
"modelFamily": "llm-provider-x",
177+
"modelVersion": "model-v2-20240229",
178+
"modelProvider": "provider-name",
179+
"approvedForUseCases": ["customer-support", "code-review"],
180+
"prohibitedUseCases": ["medical-diagnosis", "legal-advice"]
181+
}
182+
```
183+
184+
**delegation (optional):** Delegation permissions as defined in Section 5.4.1.6.
185+
186+
**provenance (optional):** Supply chain and deployment provenance information:
187+
188+
```json
189+
"provenance": {
190+
"buildId": "build-20251210-abc123",
191+
"sourceRepository": "https://github.com/example/agent-suite",
192+
"commitHash": "a1b2c3d4e5f6",
193+
"slsaLevel": "SLSA_BUILD_LEVEL_3",
194+
"deploymentEnvironment": "production",
195+
"deployedBy": "ci-pipeline-main"
196+
}
197+
```
198+
199+
**policyBindings (optional):** References to policies that govern this agent's behavior:
200+
201+
```json
202+
"policyBindings": [
203+
{
204+
"policyId": "https://policies.example.com/agent-conduct/v2",
205+
"policyVersion": "2.1.0",
206+
"enforcementMode": "enforce"
207+
},
208+
{
209+
"policyId": "https://policies.example.com/data-handling/v1",
210+
"policyVersion": "1.5.2",
211+
"enforcementMode": "audit"
212+
}
213+
]
214+
```
215+
216+
### 5.4.2.6. Extension Mechanism
217+
218+
Organizations MAY extend the Agent Authorization VC Profile with additional claims by:
219+
220+
1. Defining a JSON-LD context document for the extension
221+
2. Including the extension context URI in the VC's @context array
222+
3. Adding extension claims under a namespace prefix or dedicated object
223+
224+
Example extension for organization-specific claims:
225+
226+
```json
227+
{
228+
"@context": [
229+
"https://www.w3.org/2018/credentials/v1",
230+
"https://example.org/contexts/agent-authz/v1",
231+
"https://vendor.example.com/contexts/secure-access-agent/v1"
232+
],
233+
"type": [
234+
"VerifiableCredential",
235+
"AgentAuthorizationCredential",
236+
"VendorSecureAccessAgentCredential"
237+
],
238+
"credentialSubject": {
239+
"id": "https://identity.example.com/agents/xdr-support-001",
240+
"agentType": "workflow-agent",
241+
"authorizedScopes": ["logs:read", "incidents:read", "config:read"],
242+
"issuerDomain": "example.com",
243+
"vendorext:productLine": "Secure Access",
244+
"vendorext:supportTier": "premium",
245+
"vendorext:allowedTenantPattern": "tenant-*-prod"
246+
}
247+
}
248+
```
249+
250+
Implementations receiving VCs with unrecognized extension claims SHOULD ignore unknown claims rather than rejecting the VC, unless the claim is marked as critical.
251+
252+
### 5.4.2.7. Complete Example
253+
254+
The following is a complete example of an Agent Authorization VC for a security operations workflow agent:
255+
256+
```json
257+
{
258+
"@context": [
259+
"https://www.w3.org/2018/credentials/v1",
260+
"https://w3id.org/security/suites/ed25519-2020/v1",
261+
"https://example.org/contexts/agent-authz/v1"
262+
],
263+
"type": ["VerifiableCredential", "AgentAuthorizationCredential"],
264+
"issuer": "did:web:identity.example.com",
265+
"issuanceDate": "2025-12-10T00:00:00Z",
266+
"expirationDate": "2025-12-11T00:00:00Z",
267+
"credentialStatus": {
268+
"id": "https://identity.example.com/credentials/status/3#4521",
269+
"type": "StatusList2021Entry",
270+
"statusPurpose": "revocation",
271+
"statusListIndex": "4521",
272+
"statusListCredential": "https://identity.example.com/credentials/status/3"
273+
},
274+
"credentialSubject": {
275+
"id": "https://identity.example.com/agents/xdr-triage-001/client-metadata",
276+
"agentType": "workflow-agent",
277+
"agentName": "XDR Triage Assistant",
278+
"agentVersion": "3.2.1",
279+
"issuerDomain": "example.com",
280+
"tenantId": "tenant-acme-prod",
281+
"authorizedScopes": [
282+
"alerts:read",
283+
"incidents:read",
284+
"logs:read",
285+
"endpoints:read",
286+
"playbooks:execute"
287+
],
288+
"dataSensitivityClearance": "confidential",
289+
"complianceAttestations": [
290+
{
291+
"standard": "SOC2-Type2",
292+
"scope": "security-availability",
293+
"validUntil": "2026-06-01T00:00:00Z"
294+
}
295+
],
296+
"operationalConstraints": {
297+
"maxConcurrentSessions": 5,
298+
"maxRequestsPerMinute": 60,
299+
"maxSessionDurationSeconds": 7200
300+
},
301+
"trustSignals": {
302+
"trustScore": 0.92,
303+
"trustScoreProvider": "https://trust.example.com",
304+
"trustScoreTimestamp": "2025-12-10T08:00:00Z"
305+
},
306+
"delegation": {
307+
"permitted": true,
308+
"maxDepth": 1,
309+
"allowedDelegateeTypes": ["tool-agent"],
310+
"scopeRestrictions": {
311+
"nonDelegatable": ["playbooks:execute"]
312+
}
313+
},
314+
"modelInfo": {
315+
"modelFamily": "internal-llm",
316+
"modelVersion": "sec-llm-v2",
317+
"approvedForUseCases": ["security-triage", "alert-analysis"]
318+
}
319+
},
320+
"proof": {
321+
"type": "Ed25519Signature2020",
322+
"created": "2025-12-10T00:00:00Z",
323+
"verificationMethod": "did:web:identity.example.com#key-1",
324+
"proofPurpose": "assertionMethod",
325+
"proofValue": "z58DAdFfa9SkqZMV...base58-encoded-signature..."
326+
}
327+
}
328+
```
329+
330+
### 5.4.2.8. Interoperability Requirements
331+
332+
For interoperability across domains, implementations:
333+
334+
**MUST:**
335+
336+
- Support the required claims defined in Section 5.4.2.3
337+
- Recognize the `AgentAuthorizationCredential` type
338+
- Process the base context `https://example.org/contexts/agent-authz/v1`
339+
- Verify the credential proof before processing claims
340+
341+
**SHOULD:**
342+
343+
- Support the recommended claims defined in Section 5.4.2.4
344+
- Implement selective disclosure for sensitive claims
345+
- Log unrecognized claims for operational visibility
346+
347+
**MAY:**
348+
349+
- Define and process organization-specific extensions
350+
- Implement additional validation beyond the profile requirements
351+
352+
---
353+
354+
## References
355+
356+
```
357+
[I-D.ietf-oauth-selective-disclosure-jwt]
358+
Fett, D., Yasuda, K., and B. Campbell, "Selective Disclosure
359+
for JWTs (SD-JWT)", Internet-Draft, 2024.
360+
```
361+
362+
---
363+
364+
## Contributor Information
365+
366+
This section was contributed by:
367+
368+
**Nik Kale**
369+
Principal Engineer, Cisco Systems
370+
371+
---
372+

0 commit comments

Comments
 (0)