]> The did:web Identity Method for the Agent Enrollment Protocol Jarwin, Inc. (InFlow)
nas@inflowpay.ai
This document defines the did:web identity method for the Agent Enrollment Protocol (AEP). The method lets an AEP Service verify Agent client assertion JWTs by resolving an Agent did:web identifier to a DID document published over HTTPS.
Introduction The Agent Enrollment Protocol (AEP) defines an identity-method substrate for authenticated commands . AEP Services advertise enabled identity methods in the Inspect document's identity.methods array. This document defines the did:web identity method. A Service that enables this identity method accepts Agent identifiers using the did:web DID method and resolves verification material from the corresponding HTTPS origin.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Identity Method The identity method identifier is:
A Service that enables this identity method lists did:web in the Inspect document:
Services that do not enable this identity method MUST NOT list did:web in identity.methods.
Agent Identifiers An Agent using this identity method identifies itself with a did:web URI. The Agent DID appears in the client assertion JWT iss and sub claims. The JOSE kid header contains the Agent DID and MAY include a fragment selecting a verification method in the resolved DID document.
The DID portion of kid MUST equal the Agent DID carried in iss and sub.
DID Resolution The Service resolves the Agent DID according to the did:web method specification : did:web:<host> resolves to https://<host>/.well-known/did.json. did:web:<host>:<path> resolves to https://<host>/<path>/did.json. Services MUST resolve did:web documents over HTTPS. Plaintext HTTP resolution is not allowed. The resolved DID document MUST be a JSON object and MUST contain a verification method referenced by the JWT kid header. The verification method MUST expose a public key in a form the Service can validate against the selected JOSE signing algorithm. If the Service cannot resolve the DID document, cannot locate the referenced verification method, or cannot use the verification method with the selected JOSE algorithm, client assertion verification fails with the AEP not_recognized error defined by the core protocol.
Caching Services SHOULD cache resolved DID documents and SHOULD honor upstream HTTP cache metadata . A default cache lifetime of 300 seconds is RECOMMENDED when no shorter upstream lifetime is provided. Services MUST ensure that cache lifetimes do not prevent timely key replacement after compromise. Services MAY impose a local maximum cache lifetime.
IANA Considerations This document requests registration of did:web in the AEP Identity Methods registry. Field Value Identity Method did:web Description DID Web identity method for AEP client assertions Reference This document
Security Considerations The did:web method relies on the HTTPS origin that publishes the DID document. A Service that accepts an Agent's did:web identity trusts the corresponding web origin to publish the correct verification method. Services MUST reject did:web client assertions when the resolved DID document does not contain the verification method referenced by kid, when the verification method cannot validate the selected JOSE algorithm, or when the JWT signature does not verify. Services SHOULD cache DID documents for operational stability but MUST ensure that cache lifetimes do not prevent timely key replacement after compromise.
Privacy Considerations A did:web Agent identity can be correlatable if the same DID is reused across Services. Platforms or Agent operators that require unlinkability SHOULD use a distinct did:web URI and signing key per Service enrollment. The URI path component SHOULD be opaque and SHOULD NOT reveal the Agent's master identity, account identifier, or target Service.
The JavaScript Object Notation (JSON) Data Interchange Format JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. The did:web Method Specification W3C Credentials Community Group The Agent Enrollment Protocol Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.