KYA Credential Validator prototype grant
A reference open-source validator that checks Know Your Agent credentials against issuer registries and produces a machine-readable verification result. References TheoID and the in-development KYA framework.
Summary
The KYA Credential Validator is an open-source reference implementation that takes a presented credential set and produces a structured verification result. It validates agent, controller, merchant, delegation, and mandate credentials issued through TheoID and the in-development Know Your Agent framework. The validator checks credential expiry, revocation status, authority scope, spend policy bounds, merchant restrictions, and proof method against issuer policies. The output is machine-readable, signed, and suitable for downstream policy engines, audit logs, and dispute response systems.
Why It Matters
Agents transacting on behalf of users today carry inconsistent identity material across protocols and platforms. Without a reference validator that any merchant, payment processor, or orchestrator can run, agentic commerce cannot scale beyond closed pilots. A public validator gives every ecosystem participant a shared way to ask, in machine terms, "is this agent who it claims to be, and is it operating within scope?" This is the entry point for downstream reputation, settlement, and compliance work.
Strategic Layer Mapping
This grant advances Layer 1: Identity and Credentialing in the Foundation's seven-layer agentic-commerce development program. It also creates inputs that later layers depend on, in particular Layer 4 (reputation), Layer 5 (mission compliance), and Layer 2 (protocol routing).
Strategic Gap Mapping
Closes Gap 1: Verifiable Agent Identity. Without a portable, verifiable identity layer rooted in TheoID and KYA, agents transact without auditable accountability. A shared validator is the canonical primitive that lets buyers, sellers, and intermediaries treat agent identity as a first-class signal.
Suggested Deliverables
- Open-source validator library in at least one major language, with a clearly documented API.
- Schema definitions for agent, controller, merchant, delegation, and mandate credentials.
- Pluggable issuer registry lookup, with reference adapters for TheoID and the in-development KYA registry.
- Revocation status checks supporting status list and signed revocation messages.
- Authority scope, spend policy, merchant restriction, and proof method evaluation.
- Machine-readable verification result format with a signed envelope option.
- Reference test vectors covering valid, expired, revoked, out-of-scope, and malformed credentials.
- Public documentation and example integrations sufficient for a third-party developer to integrate in under a day.
MVP Expectations
- Validates at minimum the five credential types listed above against a static issuer registry.
- Returns a structured pass or fail result, with reason codes for each failed check.
- Handles expiry and revocation against a fixture registry.
- Ships with a passing test suite and an example CLI invocation.
- Published under an OSI-approved license with a permissive default.
Out of Scope for Initial Grant
- Production issuance flows or wallet user interfaces.
- Custodial key management or secrets storage products.
- Closed-source SaaS hosting of the validator.
- Compliance certification or formal legal opinions on credential validity.
- Settlement, escrow, or payment execution logic.
Security and Privacy Expectations
- Constant-time comparison for any signature or hash verification path.
- No silent fallback on signature verification failure.
- Inputs are treated as untrusted and validated before parsing.
- No personally identifying data is logged at default verbosity.
- A documented threat model that names the trust boundaries the validator does and does not protect.
- A responsible disclosure contact in the README.
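A minimal sketch of the MVP behaviour and security expectations above (a reason code for each failed check, fail-closed proof verification, constant-time comparison), added here as an illustration and not code from the Foundation, TheoID, or the KYA framework. The credential fields, reason codes, and registry layout are hypothetical, and HMAC-SHA256 stands in for a real issuer proof method.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed fixture registry (hypothetical layout): issuer -> proof key, revoked ids.
REGISTRY = {"issuer:example": {"key": b"fixture-key", "revoked": {"cred-002"}}}

def _proof(key, claims):
    # Stand-in proof method: HMAC-SHA256 over canonical JSON of the claims.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue(claims, key=b"fixture-key"):
    """Build a constructed test credential (fixture helper, not an issuance flow)."""
    return {"claims": dict(claims), "proof": _proof(key, claims)}

def _result(reasons):
    return {"result": "fail" if reasons else "pass", "reasons": reasons}

def validate(cred, request, now, registry=REGISTRY):
    """Check one credential against one request; `now` must be timezone-aware."""
    try:
        claims, proof = cred["claims"], cred["proof"]
        issuer = registry.get(claims["issuer"])
        if issuer is None:
            return _result(["UNKNOWN_ISSUER"])
        # Constant-time comparison; a bad proof ends validation with no fallback.
        expected = _proof(issuer["key"], claims)
        if not hmac.compare_digest(expected.encode(), proof.encode()):
            return _result(["BAD_PROOF"])
        amount_ok = 0 <= request["amount"] <= claims["spend_limit"]
        checks = [
            ("EXPIRED", datetime.fromisoformat(claims["expires"]) <= now),
            ("REVOKED", claims["id"] in issuer["revoked"]),
            ("SPEND_LIMIT_EXCEEDED", not amount_ok),
            ("MERCHANT_NOT_ALLOWED", request["merchant"] not in claims["merchants"]),
        ]
    except (KeyError, TypeError, ValueError, AttributeError):
        # Untrusted input: any missing or wrongly typed field fails closed.
        return _result(["MALFORMED"])
    return _result([code for code, failed in checks if failed])
```

Policy checks run only after the proof verifies, so the reason codes for a credential with a valid proof list every failed check rather than only the first.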
Suggested Applicant Profile
This grant suits an individual contributor or small team with experience in verifiable credentials, applied cryptography, or identity tooling. Prior open-source delivery is helpful. Teams that have shipped W3C VC, OIDC, JWT, or DIDComm implementations are well positioned. The Foundation also welcomes academic and research teams with a clear plan for ongoing maintenance.
Review Criteria
- Public-good output and permissive licensing.
- Correctness against the test vector set.
- Security posture and documented threat model.
- Clarity of the verification result format and ease of downstream integration.
- Quality of documentation and reproducibility of the build.
- Maintenance plan and team track record.
How to Apply
Use the grant application form at /pages/apply.
Suggested project title: KYA Credential Validator
Grant category: KYA and TheoID Tooling (Layer 1)
Seven-layer mapping: Layer 1: Identity and Credentialing
Strategic gap: Gap 1: Verifiable Agent Identity