Skip to content

Identity Initial Overview and Big Picture#9

Open
evabenn wants to merge 10 commits into
Agent-Control-Standard:mainfrom
evabenn:main
Open

Identity Initial Overview and Big Picture#9
evabenn wants to merge 10 commits into
Agent-Control-Standard:mainfrom
evabenn:main

Conversation

@evabenn

@evabenn evabenn commented Jun 1, 2026

Copy link
Copy Markdown
Collaborator

Adds the Identity for Agents workstream overview as a working document.

This PR adds

  • overview.md — the 5 unique runtime identity challenges that distinguish agent systems from human/workload identity (chain integrity, over-privilege, token theft resistance, last-mile enforcement, proof of intent), with each mapped to where existing standards fall short.
  • Documentation of identity and authentication standards relevant to ACS.

Next steps (for working group discussion)

  • Define maturity model for self-evaluation
  • Document anti-patterns
  • Practical builder checklist (Audrey Long)
  • Taxonomies and use cases (Aruneesh Salhotra)

evabenn added 2 commits May 31, 2026 20:31
Added an overview document for the Identity for Agents workstream, detailing unique identity challenges and the evolving nature of identity standards in agent systems.

Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
Added a comprehensive overview of identity, authentication, and authorization standards relevant to ACS, including existing and emerging standards, their gaps, and the role of ACS in addressing these gaps.

Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
Comment thread docs/identity/standards.md
Comment thread docs/identity/standards.md
Comment thread docs/identity/standards.md
Comment thread docs/identity/standards.md

@ashayraut ashayraut left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This document correctly identifies the composition boundary between token-issuance standards (AIMS, OIDC, WIMSE) and runtime enforcement (ACS). The framing is sound. However, the OAuth assumptions table has structural gaps that weaken the argument:

-> Token lifetime is treated as a refresh-token problem. It's not. The core broken assumption is that access tokens can live for 60 minutes. For agents, any token outliving the current reasoning step is ambient authority waiting to be exploited. This needs its own row.

-> Permission accumulation is invisible. OAuth assumes stateless, non-accumulating permissions per request. Agents with persistent memory carry forward effective authority across sessions — the token scope is fixed but the agent's de facto capability grows. The document doesn't name this.

-> What about position on impersonation vs. delegation? The document describes delegation chains but avoids the hard architectural question: should agents ever impersonate users, or must they always act on-behalf-of with attenuated scope? Taking a position here (or explicitly marking it as an open question) would strengthen the spec.

-> Thoughts on Revocation - its is incomplete without memory invalidation. Revoking a token stops future API calls. It doesn't undo what the agent already learned or cached from that token's access. Maybe the document should acknowledge that revocation in an agentic context requires purging derived context, not just killing the credential.

Cross-resource scope union is unaddressed. An agent holding tokens for Calendar + Email + Drive has an effective permission set no single OAuth grant authorized. The dangerous triad (sensitive data access + untrusted input exposure + external communication) emerges from this union, and per-resource aud restrictions don't prevent it.

bar-capsule
bar-capsule previously approved these changes Jun 11, 2026
Comment thread identity/overview.md Outdated
@bar-capsule

Copy link
Copy Markdown
Collaborator

Also - consider changing the doc location to: /docs/identity/

afogel
afogel previously approved these changes Jun 14, 2026

@afogel afogel left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks great!

@rocklambros rocklambros left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The direction is right: trust standards establish identity but don't enforce what an authenticated agent does at runtime, and that's ACS's lane. Most citations check out too (RFC 8693/6750/9396, the OAuth-WG splicing post, NIST, Unit 42). Requesting changes on a few specific items, then this is good to go.

Before merge:

  • standards.md treats WIMSE as the normative agent identifier ("WIMSE identifier required; SPIFFE conformant"), but the normative docs/concepts/identity.md says ACS mandates no auth mechanism and keeps schemes like SPIFFE/OIDC off the wire, so a posix_uid or oauth_subject deployment stays conformant. The two pages answer "does ACS require WIMSE" in opposite ways. A mandate should land in identity.md with WG sign-off rather than here.
  • The AIMS "TODO Security" quote has moved on. draft-klrc-aiagent-auth-02 (2026-06-01) has Security Considerations at §13 with real prose, and §14 is now "Privacy Considerations," so the link no longer backs the quote. "AIMS scopes runtime enforcement out of its model (§13)" keeps the point.
  • The "ACS §3.1 / 15 min / 5 min / 60 s" ceilings don't resolve against the spec: §3 is Wire Format, and those values aren't in docs/ or specification/. Worth marking proposed or open-work-item until there's a clause to cite.
  • "the same user, returning later" isn't in RFC 6749 §1.5 (the text there is functional), so dropping the quote marks keeps it as your paraphrase. Quick check on the arXiv 2602.19555 title pairing too.
  • Both files sit at repo-root identity/, outside docs_dir, so mkdocs won't build them and they're missing from nav, while docs/concepts/identity.md already covers this space. If that's deliberate staging, note it in the file; otherwise move under docs/ and cross-link.

Smaller, not blocking: no-cache vs the fail-open §6.4 default, "detects deviation" reading as detection when intent immutability really confines scope, the mermaid fence isn't configured, "seven concepts" is eight once you count Skill. Happy to pair on the identity.md reconciliation.

bar-capsule added a commit to bar-capsule/ACS that referenced this pull request Jun 17, 2026
Each item has a falsifying test in adapters/_common/tests/test_edge_cases.py
(17 tests total). Items not requiring code changes still have tests that
codify the safe behavior so a future regression would be caught.

## Items 1-12

Agent-Control-Standard#1  rfc8785 JCS consistency — test confirms fallback matches the
    rfc8785 package byte-for-byte on every ACS envelope shape we ship.
    No code change needed; a mixed-install signature mismatch would
    surface as test failure.

Agent-Control-Standard#2  Guardian regex DoS, server-side: _matches_destructive_bash now
    returns "too_large" for inputs > DESTRUCTIVE_SCAN_MAX_LEN (8 KiB).
    The Guardian denies with reason_codes=["input_too_large"] —
    fail-safe direction. Previously, _common had the cap but the
    Guardian iterated patterns directly, leaving the server unprotected.

Agent-Control-Standard#3  HA Guardian replay window: persist() now takes an exclusive flock
    on a .lock sidecar, re-reads on-disk state, merges (union of
    seen_request_ids / seen_nonces with earliest-timestamp wins), and
    atomically writes. check_replay re-reads the state on every call
    so Guardian A's writes are visible to Guardian B within one
    request. Cross-instance replay window closed under shared
    ACS_GUARDIAN_STATE_DIR.

Agent-Control-Standard#4  Unbounded seen_request_ids: switched to dict {rid: timestamp}.
    New evict_old_request_ids() drops entries older than 2 × skew
    window (replay impossible past skew anyway). check_replay calls
    eviction opportunistically every 100 inserts. Memory bound is now
    O(skew_window / inter-request-time), not unbounded. Backwards-
    compat for list-format state files preserved.

Agent-Control-Standard#5  Handshake cache TTL: do_handshake skips cache files older than
    ACS_HANDSHAKE_CACHE_TTL_SECONDS (default 3600s). Operator config
    changes propagate within the TTL.

Agent-Control-Standard#6  NAT id(context) collision: WeakKeyDictionary fallback for
    contexts that reject attribute assignment. Last-resort path
    (object isn't weak-referenceable either) returns a fresh uuid4
    per call and emits an audit event — pre→post correlation is
    lost in that path, but no silent collision.

Agent-Control-Standard#7  Unicode / NULL / surrogate round-trip: emoji, NULL bytes, multi-
    plane unicode all sign+verify cleanly. JCS handles them via
    UTF-8 encoding; no code change needed.

Agent-Control-Standard#8  ISO 8601 parse resilience: parse_iso8601 already accepts Z suffix,
    timezone offsets, millisecond + microsecond precision. Test
    codifies the accepted shapes + asserts garbage is rejected.

Agent-Control-Standard#9  ACS_GUARDIAN_HOST_ALLOWLIST: optional env-var allowlist that
    restricts validate_guardian_url to specific hostnames in addition
    to the http/https scheme check. Defense in depth against env-var
    attacks that smuggle a valid http:// URL to internal services.

Agent-Control-Standard#10 Cursor session-state file collision: _session_state_path now
    accepts an optional workspace parameter folded into the hash key.
    Cursor adapter passes the workspace_path / cwd so two Cursor
    windows with the same non-UUID conversation_id can't share state.

Agent-Control-Standard#11 Guardian envelope schema validation: if jsonschema + ACS_SPEC_DIR
    are available, every incoming envelope is validated against
    request-envelope.json before policy evaluation. Malformed envelopes
    rejected with -32600 Invalid Request. system/ping and
    handshake/hello exempt because their payload shapes differ.

Agent-Control-Standard#12 State-file hash length: bumped _session_state_path and
    _handshake_cache_path hashes from sha256[:16] (64-bit) to full
    sha256 (256-bit). Eliminates birthday collisions over deployment
    lifetime.

## Test counts after this commit (all green, 1 intentional manual skip)

  _common:            33 (16 security + 17 edge-cases)
  claude-code:        32
  cursor:             50
  example-guardian:   20
  nat:                24

  Total: 159 tests.

## Side-effects of the fixes

- Round-trip test fixtures updated to use real UUID session_ids
  (claude-code/test_adapter.py). Old "test-cc-session" fails the new
  Guardian-side envelope-schema check, which is correct — non-UUID
  session_ids never reached the Guardian from real Claude Code.
- Cursor adapter wires workspace through to load/save/record session
  state for Agent-Control-Standard#10 (new _workspace helper).
- example_guardian.py imports DESTRUCTIVE_SCAN_MAX_LEN from acs_common
  to keep the cap in one place.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Updated various sections to clarify the scope of AIMS and ACS, including token lifetimes, identifier models, and runtime enforcement. Added details on agent behavior and security considerations.

Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
@evabenn evabenn dismissed stale reviews from afogel and bar-capsule via fe23f5d July 8, 2026 22:53
evabenn added 5 commits July 8, 2026 18:04
Updated the overview document to reflect the feedback in the comments

Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
Updated the identity standards document to focus on agents, outlining unique identity challenges and how ACS addresses them. Added sections on existing and emerging standards, and clarified the relationship between ACS and AIMS.

Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
Signed-off-by: Eva <130791729+evabenn@users.noreply.github.com>
@evabenn

evabenn commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator Author

@rocklambros @bar-capsule Moved both files to docs/identity/ and added them to the mkdocs nav, so they now build as part of the docs site (mkdocs build --strict passes). Thanks for flagging.

@evabenn evabenn requested a review from rocklambros July 11, 2026 02:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants