Summary of Changes

Hello @The-Nexus-Guard, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new specification document outlining a DID-based identity verification extension for A2A agents, leveraging the Agent Identity Protocol (AIP). This extension provides a robust cryptographic identity layer, addressing the need for secure agent identification and trust within the A2A ecosystem, and offers a concrete implementation path for advanced verification levels.

Highlights

• AgentCard Extension: Agents can now advertise their Decentralized Identifiers (DIDs) via a standard 'extensions' field in their AgentCard, using the Agent Identity Protocol (AIP).
• Identity Verification Flow: A defined process for agents to discover, verify, and establish trust with other agents using AIP's verification and trust-score endpoints.
• Message Signing: Specifies that A2A messages between AIP-enabled agents should be signed using Ed25519 signatures, including timestamp and nonce for replay protection.
• Vouch Chains for Delegation: Introduces cryptographic vouch chains for transitive trust and delegation, allowing scope narrowing for delegated capabilities.
• Real-time Revocation: AIP provides immediate revocation of vouches via its service API, eliminating delays associated with traditional Certificate Revocation Lists (CRLs).
• Compatibility with Existing Framework: Details how this DID-based extension maps to and complements the Level 0/1/2 identity verification model proposed in PR docs: add agent identity verification and trust framework #1496.

Summary

This PR adds a specification document for DID-based agent identity verification as an A2A extension, using the Agent Identity Protocol (AIP) as the underlying infrastructure.

Relationship to PR #1496

This is a companion to @abdelsfane's Agent Identity and Trust Framework. That PR's design rationale identifies three options:

• Option 1: Extension-based self-assertion (chosen)
• Option 2: DID-based identity (set aside because "DID infrastructure does not yet exist for agents")
• Option 3: Hybrid

This PR provides Option 2 — the DID infrastructure now exists via AIP:

• Live service: aip-service.fly.dev (39 endpoints)
• Python client: pip install aip-identity (288 tests)
• MCP integration: pip install aip-mcp-server (8 identity tools)

What's in the spec

1. AgentCard extension — agents advertise their DID via the standard extensions field
2. Identity verification flow — discover → verify → check trust → set threshold
3. Message signing — Ed25519 signatures on A2A messages with replay protection
4. Vouch chains for delegation — transitive trust with scope narrowing
5. Real-time revocation — no CRL distribution delay
6. Compatibility mapping — how AIP maps to docs: add agent identity verification and trust framework #1496's Level 0/1/2 model

Why this matters

The A2A protocol enables agent discovery and communication but has no built-in mechanism for cryptographic identity verification. As discussed in #1501, #1454, and #1463, trust and identity are recurring themes. This spec provides a concrete, working implementation path.

Happy to iterate on the spec based on feedback. The goal is to complement existing proposals, not compete with them.

Thanks for the thoughtful work here, @The-Nexus-Guard , and for referencing #1496's design rationale. It's encouraging to see more people thinking about cryptographic identity for agents. A few technical and architectural concerns I'd want to address before this moves forward:

1. Protocol specs should be implementation-agnostic

The spec as written hardcodes a specific hosted service (aip-service.fly.dev) into the extension definition — the verification_endpoint and trust_score_endpoint both point to a single provider's infrastructure. A protocol-level extension should define interfaces and behaviors, not route traffic to a particular service. If this extension were adopted, every A2A agent advertising DID identity would depend on one third-party endpoint for verification and trust scoring. That's a centralization risk that contradicts the goals of decentralized identity.

For comparison, #1496 defines an extensible trust framework with levels (0/1/2) that any implementation can satisfy — it doesn't mandate a specific verification service.

2. Single point of failure / trust anchor concerns

Related to the above: the spec doesn't mention self-hosting, federation, or what happens when aip-service.fly.dev is unavailable. If this becomes the reference implementation for DID-based identity in A2A, we're creating a single point of failure for agent identity verification across the ecosystem. The spec should at minimum define how alternative AIP service providers could operate, or better yet, define the verification protocol abstractly so it's not coupled to one deployment.

3. Signature serialization is underspecified

The Gemini review already flagged this, but I want to reinforce it — "the signature covers method + params.message.parts + timestamp + nonce" is not precise enough for interoperability. Without a canonical serialization format (RFC 8785 or equivalent), two compliant implementations could produce different byte sequences for the same message, causing verification failures. This needs to be fully specified before it's viable as a protocol extension.

4. Substantial overlap with existing work in #1496

The capabilities covered here — Ed25519 signatures, trust scoring, vouch/delegation chains, capability scoping, real-time revocation — are already addressed or planned within the Agent Identity and Trust Framework in #1496. Specifically:

• Ed25519 identity: built and shipping in AIM
• Trust scoring: 8-factor algorithm already implemented
• Capability-based delegation: part of the AIM capability grant system
• DID integration: explicitly on the docs: add agent identity verification and trust framework #1496 roadmap

Rather than a parallel spec, it might be more productive to contribute DID-specific extensions within the framework #1496 already establishes — particularly at Level 2 (cryptographic verification), where DID methods are a natural fit.

5. The "DID infrastructure doesn't exist" framing needs context

The design rationale in #1496 noted that DID infrastructure doesn't yet exist for agents specifically — meaning a purpose-built system with agent lifecycle management, NHI governance, capability enforcement, and supply chain verification integrated into the identity layer. A generic DID service with vouch chains is a useful primitive, but it doesn't solve the full problem that #1496's framework was designed to address.

To be clear, I think DID-based identity is valuable and should be part of the A2A identity story — that's why it's on the roadmap. My concern is with merging a spec that's tightly coupled to a single hosted service when we should be defining protocol-level interfaces that any implementation (AIP, AIM, or others) can satisfy.

Happy to discuss how we can incorporate DID verification into the existing framework in #1496 in a way that's implementation-agnostic and benefits the whole ecosystem.

Added a working interop demo that shows all four integration points in action:

• AgentCard extension with DID + Ed25519 public key
• Challenge-response verification before task delegation
• Ed25519 message signing for task message integrity
• Vouch chain trust for transitive delegation

Runnable demo: examples/a2a_identity_demo.py

pip install aip-identity
python examples/a2a_identity_demo.py

This demonstrates the concrete developer experience of using AIP as A2A's identity layer.

Thanks for the detailed and thoughtful review, @abdelsfane. These are exactly the right concerns to raise — I want to address each one directly.

1. Implementation-agnostic spec

You're right. The spec as written couples too tightly to a specific deployment. I'll refactor to define abstract interfaces:

• A VerificationService interface (resolve DID → public key, verify signature, query trust)
• The verification_endpoint in AgentCard becomes a generic service URL that any conforming implementation can serve
• AIP becomes one reference implementation, not the implementation

2. Federation and self-hosting

AIP's service is already open-source (github.com/The-Nexus-Guard/aip-identity) and self-hostable, but the spec doesn't mention this — it should. I'll add a section on:

• Service discovery (how agents find alternative providers)
• Multi-provider trust (cross-provider vouch verification)
• Offline verification using cached public keys

3. Signature serialization

Agreed — this needs to be fully specified. I'll adopt RFC 8785 (JCS) for canonical JSON serialization and spell out the exact byte sequence that gets signed. No ambiguity.

4. Relationship to #1496

I see two productive paths forward, and I'm genuinely open to either:

Option A: Refactor this PR into a DID method specification that plugs into #1496's Level 2 (cryptographic verification). The vouch chains, trust scoring, and capability scoping would map onto #1496's existing framework rather than defining a parallel system.

Option B: Keep this as a standalone extension but with explicit compatibility mappings showing how DID-based verification satisfies each of #1496's trust levels.

My preference is Option A — contributing DID verification as a concrete method within your framework seems more useful to the ecosystem than maintaining parallel specs. What's your take?

5. DID infrastructure context

Fair point. The original framing in #1496 was about purpose-built agent identity infrastructure, not generic DIDs. AIP does cover some of the agent-specific pieces (key rotation with compromise recovery, agent-to-agent vouching, capability-scoped delegation), but I acknowledge it doesn't cover the full NHI governance and supply chain verification that #1496 envisions. DID-based identity is one piece of the puzzle, not the whole picture.

Next steps from my side:

1. Refactor the spec to define abstract interfaces (decouple from any specific service)
2. Add RFC 8785 canonical serialization for signatures
3. Add federation/self-hosting section
4. Depending on your preference re: Option A vs B, either restructure as a docs: add agent identity verification and trust framework #1496 Level 2 DID method or add explicit compatibility mappings

Happy to jump on a discussion thread if that's easier for working through the integration details.

The DID approach addresses cryptographic identity, but there's a subtlety worth calling out: agent identity across model and endpoint migrations.

A DID anchors identity to a key, but in practice:

• Agent A gets upgraded (new model weights, new endpoint) — does its DID rotate?
• Agent A moves from one orchestrator to another — same DID, different execution context?
• Agent A restores from backup — is it "the same" agent or a fork?

DID helps with authentication ("who signed this?") but not necessarily with continuity ("is this the same behavioral entity I interacted with before?").

We've been thinking about this as two separate layers:

1. Cryptographic identity — DID/key-based, handles auth
2. Behavioral identity — address-bound reputation, handles trust history

The A2A session model touches on this in task continuity, but the cross-session case (agent gets redeployed, re-keyed) is still open. A session-persistent identity that survives endpoint migrations would need something beyond the DID alone — probably a registry that maps agent://address → current DID + attestation chain.

Curious whether the AIP spec has thoughts on key rotation without identity loss?

Great question, @chorghemaruti64-creator. This is one of the most important design decisions in DID-based agent identity.

Short answer: The DID is bound to the key, not the model or endpoint. Key rotation is the mechanism for continuity.

How AIP handles each scenario:

1. Model upgrade (new weights, same operator) — Same DID, same key. The model is an implementation detail; the identity persists. Think of it like upgrading your laptop OS — your SSH key doesn't change.

2. Orchestrator migration — Same DID, same key. The key travels with the agent's credential store. The DID resolves to the same public key regardless of where the agent runs.

3. Restore from backup — Same DID, same key — as long as the credential backup includes the private key. AIP supports aip export / aip import for this exact case.

4. Key compromise or rotation — POST /rotate-key issues a new key pair and updates the DID's public key on the registry. Existing vouches transfer automatically. The DID itself stays the same (it's derived from the original key but the registry tracks the current key).

The key insight: identity ≠ implementation. A DID answers "who is this agent?" not "what model is running?" The agent's trust graph, vouch history, and reputation persist across any infrastructure change — as long as it controls its private key.

For the A2A context specifically, this means an AgentCard's did field remains stable even as the agent's url or capabilities change. Verifiers re-resolve the DID to get the current public key.

Great question @chorghemaruti64-creator — this is one of the core design tensions in agent identity.

AIP has key rotation built into the protocol. The flow is:

1. Agent generates a new key pair
2. Signs a rotation request with the old key (proving they control the current identity)
3. Submits to the registry with both old signature and new public key
4. DID stays the same, key updates atomically

This handles the model upgrade and orchestrator migration cases cleanly: the agent's identity survives because the DID is stable, and the transition is cryptographically provable. Old vouches and trust history remain attached to the same DID.

The backup/fork case is genuinely harder and we're honest about that. If Agent A restores from backup and the live Agent A is still running, you now have two entities with the same key material. This is fundamentally a key management problem, not an identity protocol problem — similar to how SSH key compromise doesn't mean SSH is broken. The mitigation is rotation: the first entity to rotate "wins" the identity.

Your two-layer model (cryptographic + behavioral) maps well to AIP's architecture:

• Layer 1 (identity): DID + Ed25519 key pair — handles auth, survives rotation
• Layer 2 (trust): Vouch chains + interaction history — handles reputation, attached to the DID not the key

The session-persistent identity you describe is what DIDs provide naturally: the DID is the stable anchor, the key is the current implementation detail. No need for a separate agent://address mapping if the DID is the address.

Happy to walk through the rotation flow in more detail if useful — it's documented in the AIP spec and accessible via aip rotate-key.

DID infrastructure for agents is exactly what A2A needs. The AIP service with 39 endpoints is impressive.

One consideration for the spec: DID method interoperability. AIP uses did:aip, but the A2A ecosystem will have agents using did:key, did:web, did:agentpass, and others. The verification extension should specify how an A2A agent card references its DID regardless of method.

At HOL, we solve this with HCS-14 Universal Agent IDs — a method-agnostic layer that resolves to whatever DID(s) the agent uses. The architecture:

1. Agent Card includes a UAID field (one identifier, any DID method underneath)
2. Verifier resolves the UAID → gets the DID document
3. Standard DID verification flow continues

This means AIP-registered agents, KERI-managed agents, and web-hosted agents can all participate in A2A identity verification without requiring everyone to adopt the same DID method.

Our registry already bridges A2A agent cards, DIDs, and ERC-8004 — adding did:aip resolution would be straightforward. Happy to collaborate on interoperability.

The DID infrastructure for agents is clearly maturing. One concern worth surfacing for the A2A spec: which DID method?

AIP provides did:aip, but there are other agent DID methods being proposed (did:agentpass, etc.). If the A2A spec picks one, agents using other methods become second-class citizens.

At HOL, our HCS-14 Universal Agent IDs take a different approach — rather than creating another DID method, we bridge existing ones. A UAID resolves to an agent DID regardless of method, A2A agent card, ERC-8004 ID, etc. This means:

• The A2A extension could reference a UAID instead of a specific DID method
• Agents with did:aip, did:agentpass, did:key, or no DID at all can all participate
• Verification happens through a single resolution step

For the spec, we would suggest the extension support pluggable DID resolution rather than mandating a single method. The DID URL in the AgentCard could be a UAID that resolves to whatever DID method the agent uses.

We already bridge DIDs, A2A cards, ERC-8004, and Virtuals through UAIDs. Happy to contribute to the spec discussion on this point.