| Internet-Draft | Scalable Agent Enrollment | June 2025 |
| Huang & Huang | Expires 16 December 2025 | [Page] |
Agentic AI systems require robust, verifiable identities to operate securely. While traditional certificate enrollment protocols like SCEP and EST can be extended to include remote attestation evidence, performing a full validation for every agent's certificate request presents significant scalability and privacy challenges. This document proposes two distinct, scalable models for integrating attestation into the enrollment lifecycle. The first model leverages Zero-Knowledge Proofs (ZKP) to provide private, efficient, and continuous attestation. The second model uses a one-time, high-assurance bootstrapping process to establish a trusted host environment, which is then authorized to endorse certificate requests for the agents it runs. Both models enable high-assurance identity for AI agents while addressing the performance bottlenecks of naive per-enrollment verification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 December 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The need for strong, verifiable identity for Agentic AI is well-established. Our related work, "Capability Attestation Extensions for the Entity Attestation Token (EAT)" [I-D.huang-rats-agentic-eat-cap-attest], defines *what* an agent should attest to. This document addresses *how* an agent can obtain a certificate reflecting that attestation in a scalable and privacy-preserving manner.¶
The naive approach of sending full attestation evidence with every SCEP or EST enrollment request is computationally expensive for the verifying Registration Authority (RA) and can expose sensitive details about the agent's software stack. This document reframes the problem to prioritize scalability, proposing two advanced enrollment models designed for large-scale, dynamic agent deployments. These models allow enterprises to leverage the automation of SCEP [RFC8894] and EST [RFC7030] without creating a performance or management bottleneck.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14.¶
A single enterprise or cloud environment may run thousands or even millions of ephemeral AI agents. A centralized RA performing a full attestation validation for every single enrollment request faces three major, prohibitive issues:¶
To be viable, any solution MUST address these challenges.¶
We propose two distinct models that leverage SCEP's automation while providing high-assurance identity. An implementation MAY support one or both models.¶
This model uses a Zero-Knowledge Proof (ZKP) to allow an agent to prove it meets all attestation requirements without revealing the evidence itself. This provides an optimal balance of strong security, privacy, and performance.¶
The RA does not validate the raw evidence. Instead, it validates a small, mathematically-sound proof that the agent possesses valid evidence satisfying a pre-defined set of rules.¶
Phase 1: One-Time Trusted Setup (per Agent Fleet)¶
This phase is performed once by the entity deploying a fleet of similar agents.¶
Define the Attestation Circuit: A ZKP circuit is created. This circuit is the formal specification of the validation policy. It MUST encode rules such as:¶
Generate Keys: A trusted setup ceremony is performed on the circuit to generate a Proving Key and a Verifying Key.¶
Phase 2: Automated Agent Enrollment (per Agent)¶
This is the fast, scalable, per-agent workflow.¶
Agent Initialization: The agent starts, generates a new key pair, and creates a CSR.¶
Evidence Collection: The agent collects its full attestation evidence (e.g., its EAT). This evidence REMAINS LOCAL and is not transmitted.¶
Proof Generation: The agent uses its Proving Key to execute the ZKP circuit. It provides its private evidence as private inputs and the hash of its CSR's public key as a public input. The output is a compact ZK-Proof.¶
SCEP Request: The agent initiates a SCEP request. The payload is a `multipart/mixed` object containing the standard CSR, the generated ZK-Proof, and its public inputs.¶
RA Verification: The RA receives the request. It performs a single, rapid ZKP verification using its Verifying Key. This validates that the agent possesses the correct private evidence without ever seeing it.¶
Certificate Issuance: If the proof is valid, the RA approves the request, and the CA issues the certificate.¶
This model amortizes the cost of attestation. A full, heavyweight attestation is performed only **once** to enroll the host environment (e.g., a VM or server). That trusted host is then empowered to issue lightweight endorsements for the agents it runs.¶
Instead of each agent proving its own integrity from scratch, it asks its already-trusted host to vouch for it. The RA's job is simplified to checking the host's "signature."¶
Phase 1: One-Time Host Environment Bootstrap¶
This is the high-assurance setup performed once per host machine.¶
Initial Host Attestation: The host environment performs a full remote attestation using its hardware root of trust (e.g., a TPM). It sends its detailed evidence to a dedicated, high-security **Bootstrap RA**.¶
Host Certificate Issuance: The Bootstrap RA validates the host's integrity. If successful, it instructs the CA to issue a special **Host Identity Certificate**. This certificate MUST have two key properties:¶
Device-Bound Key Storage: The private key corresponding to the Host Identity Certificate **MUST** be stored in the host's hardware-backed, non-exportable key store.¶
Phase 2: Automated Agent Enrollment (per Agent)¶
This is the highly scalable workflow that occurs on the trusted host.¶
Agent Initialization: An AI agent starts on the trusted host, generates a new key pair, and creates a CSR.¶
Request for Endorsement: The agent sends its CSR to a local **Host Endorser** service.¶
Host Endorsement: The Host Endorser service uses the device-bound private key from the Host Identity Certificate to create a detached signature (e.g., a PKCS#7 signature) over the agent's CSR.¶
SCEP Request: The agent initiates a SCEP request to the standard **Agent RA**. The request payload includes its own CSR, the detached signature from the Host Endorser, and the public Host Identity Certificate.¶
RA Verification (Simplified): The Agent RA performs two simple, fast checks:¶
Certificate Issuance: If both checks pass, the RA approves the request, and the CA issues a standard, short-lived certificate to the agent.¶
The security of this system relies on several key factors:¶
The two models presented have different privacy characteristics.¶
This document requests IANA to make the following allocations:¶