You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Following the install-time consent envelope ask in #43 and the SOVP-v1 pre-execution attestation proposal in #41, this issue surfaces a gap that blocks a real class of publishers from participating in ARD as authoritative entries today: publishers whose stable cryptographic identity is a DID with no DNS anchor (e.g., did:plc via atproto's PLC directory, did:key, did:peer).
§5.1 already permits identityType: "did", but §5.1's "the cryptographic trust domain inside this identity MUST align with the authority domain root embedded in the discovery identifier namespace" combined with Appendix C #3's mechanism — "registries programmatically extract the domain from the URN and cross-reference it with the cryptographic claim in trustManifest.identity" — has no path that resolves a did:plc identifier, because did:plc by design has no DNS root.
Net: a domainless publisher today must either acquire a domain, fall back to a non-authoritative entry, or be rejected per Appendix C #3.
The friction, made concrete
A publisher operating an MCP server identified by did:plc:abc123… controls a stable Ed25519 keypair, the PLC directory binds that key to the DID, and the DID Document is resolvable at https://plc.directory/<did:plc:...>. They cannot:
mint a conformant urn:ai:<publisher>:… discovery identifier (Appendix C mandates FQDN at <publisher>)
This is a structural exclusion of an entire DID method family, not a §5.2 typing question. We initially scoped this filing as a §5.2 attestation-type extension; reading §5.1 + Appendix C closely, the gate is upstream of §5.2 and has to be addressed there to be useful.
Proposal (narrow, sanctioned-branch shape)
Two complementary normative additions, neither blocking the FQDN-anchored mainline:
A. Sanctioned DID-anchored URN branch (Appendix C). Define one additional URN form alongside urn:ai:<fqdn>:<namespace>:<agent>:
Concrete example: urn:ai:did:plc:abc123def456:mcp:memory-server. The <did-method> is constrained to a registered set (initial: did:plc, did:web; the latter's DNS anchor works under both branches and serves as the migration on-ramp).
B. §5.1 normative resolution path. Specify the verification procedure for identityType: "did" in concrete steps:
Resolve the DID to a DID Document per the relevant DID method's resolution protocol (for did:plc, GET https://plc.directory/<did>).
Extract verificationMethod matching the signed envelope's kid (or the first acceptable method if kid is absent).
Validate the §5.1 signature (detached JWS) over canonical Trust Manifest content using that public key.
Appendix C #5's "decentralized trust via DNS root" justification is preserved for the FQDN branch and replaced by DID method registry uniqueness for the DID branch — both globally unique by construction, just via different roots.
Why not just §5.2
§5.2 attestations carry verifiable claims about a publisher — SOC2, HIPAA, SOVP-v1 (#41), TRACE-v0.2 (#7). They presuppose a publisher identity already established at §5.1. Bolting did:plc onto §5.2 alone would smuggle identity into the evidence layer and bypass §5.1's authority-alignment without addressing it. We'd rather surface the §5.1 / Appendix C question honestly than route around it.
DID Document at https://plc.directory/did:plc:abc123def456 with verificationMethod[0].publicKeyMultibase matching the signing key
Verification: resolve DID → validate JWS → cross-reference URN's did:plc:abc123def456 segment against verified identity → accept.
Relationship to neighbors
feat(trust): add SOVP-v1 pre-execution infrastructure attestation type #41 (SOVP-v1) — adjacent, not blocking. SOVP attests infrastructure state at ingress; this issue addresses publisher identity at §5.1. A did:plc publisher MAY produce SOVP-v1 attestations, validated by the same DID-resolved key.
Filing a companion ask on drknowhow/install-manifest-spec defining how an install-manifest carries a publisher DID and detached JWS signature (analogous to how #36 carries the media-type prereq for #43). Will cross-link once filed.
Discussion gating
Like #41 and #43, I'll hold for normative wording from @imran-siddique on the §5.1 / Appendix C amendment shape before drafting a PR. Happy to:
Concrete real-world ammunition available: a yepgent-published install-manifest at https://yepgent.com/.well-known/install-manifests/yep-memory.v0.4.json and a draft did:plc-mirrored variant, both resolvable for the conformance tool's first DID-anchored test case.
Context
Following the install-time consent envelope ask in #43 and the SOVP-v1 pre-execution attestation proposal in #41, this issue surfaces a gap that blocks a real class of publishers from participating in ARD as authoritative entries today: publishers whose stable cryptographic identity is a DID with no DNS anchor (e.g.,
did:plcvia atproto's PLC directory,did:key,did:peer).§5.1 already permits
identityType: "did", but §5.1's "the cryptographic trust domain inside this identity MUST align with the authority domain root embedded in the discovery identifier namespace" combined with Appendix C #3's mechanism — "registries programmatically extract the domain from the URN and cross-reference it with the cryptographic claim intrustManifest.identity" — has no path that resolves adid:plcidentifier, becausedid:plcby design has no DNS root.Net: a domainless publisher today must either acquire a domain, fall back to a non-authoritative entry, or be rejected per Appendix C #3.
The friction, made concrete
A publisher operating an MCP server identified by
did:plc:abc123…controls a stable Ed25519 keypair, the PLC directory binds that key to the DID, and the DID Document is resolvable athttps://plc.directory/<did:plc:...>. They cannot:urn:ai:<publisher>:…discovery identifier (Appendix C mandates FQDN at<publisher>)trustManifest.identity = "did:plc:..."and have a registry verify them — §5.1's authority-domain alignment + Appendix C feat: update URN name regex and updated media type specifications for MCP server card #3 have no DID resolution path definedThis is a structural exclusion of an entire DID method family, not a §5.2 typing question. We initially scoped this filing as a §5.2 attestation-type extension; reading §5.1 + Appendix C closely, the gate is upstream of §5.2 and has to be addressed there to be useful.
Proposal (narrow, sanctioned-branch shape)
Two complementary normative additions, neither blocking the FQDN-anchored mainline:
A. Sanctioned DID-anchored URN branch (Appendix C). Define one additional URN form alongside
urn:ai:<fqdn>:<namespace>:<agent>:Concrete example:
urn:ai:did:plc:abc123def456:mcp:memory-server. The<did-method>is constrained to a registered set (initial:did:plc,did:web; the latter's DNS anchor works under both branches and serves as the migration on-ramp).B. §5.1 normative resolution path. Specify the verification procedure for
identityType: "did"in concrete steps:did:plc, GEThttps://plc.directory/<did>).verificationMethodmatching the signed envelope'skid(or the first acceptable method ifkidis absent).signature(detached JWS) over canonical Trust Manifest content using that public key.Appendix C #5's "decentralized trust via DNS root" justification is preserved for the FQDN branch and replaced by DID method registry uniqueness for the DID branch — both globally unique by construction, just via different roots.
Why not just §5.2
§5.2 attestations carry verifiable claims about a publisher — SOC2, HIPAA, SOVP-v1 (#41), TRACE-v0.2 (#7). They presuppose a publisher identity already established at §5.1. Bolting
did:plconto §5.2 alone would smuggle identity into the evidence layer and bypass §5.1's authority-alignment without addressing it. We'd rather surface the §5.1 / Appendix C question honestly than route around it.Worked example
A
did:plc:abc123…publisher hosts:ai-catalog.jsonentry:identifier: "urn:ai:did:plc:abc123def456:mcp:memory-server"trustManifest.identity: "did:plc:abc123def456",identityType: "did",signature: "<detached JWS, alg: EdDSA, over canonical Trust Manifest>"application/install-manifest+jsonin the AI Catalog (install-time safety envelope) #43) atattestations[].uri, content-addressed by digesthttps://plc.directory/did:plc:abc123def456withverificationMethod[0].publicKeyMultibasematching the signing keyVerification: resolve DID → validate JWS → cross-reference URN's
did:plc:abc123def456segment against verified identity → accept.Relationship to neighbors
did:plcpublisher MAY produce SOVP-v1 attestations, validated by the same DID-resolved key.application/install-manifest+jsonin the AI Catalog (install-time safety envelope) #43 (install-manifest media type) — direct upstream. Without an identity path for domainless publishers, an install-manifest'strustManifest.identityfalls back to FQDN, defeating the atproto-native use case. This issue is the §5.1 piece of the install-time consent envelope work.Companion on
install-manifest-specFiling a companion ask on
drknowhow/install-manifest-specdefining how an install-manifest carries a publisher DID and detached JWS signature (analogous to how #36 carries the media-type prereq for #43). Will cross-link once filed.Discussion gating
Like #41 and #43, I'll hold for normative wording from @imran-siddique on the §5.1 / Appendix C amendment shape before drafting a PR. Happy to:
Concrete real-world ammunition available: a yepgent-published install-manifest at
https://yepgent.com/.well-known/install-manifests/yep-memory.v0.4.jsonand a draftdid:plc-mirrored variant, both resolvable for the conformance tool's first DID-anchored test case.