| Internet-Draft | RVP | March 2026 |
| van de Meent & AI | Expires 30 September 2026 | [Page] |
This document defines RVP (Real-time Verification Protocol), a protocol for continuous identity verification through ordered cascades of verification methods. Unlike traditional authentication models that verify once and trust until session expiry, RVP treats every interaction as a verification moment. Each moment produces a Verification Token: a cryptographic evidence record capturing which methods were used, what confidence each produced, and whether the accumulated confidence meets the required threshold.¶
RVP defines a Verification Cascade: an ordered chain of verification methods (behavioral biometrics, physical identity, device context) where each layer activates only when preceding layers produce insufficient confidence. The cascade produces evidence at every step; enforcement is a local policy decision.¶
RVP integrates with TIBET [TIBET] for provenance tokens and JIS [JIS] for identity semantics. The protocol is designed for local-first operation with no dependency on centralized identity providers.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 30 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Modern identity verification operates on a fundamental assumption: verify once, trust until the session expires. A user authenticates at login and the system grants a session token valid for minutes, hours, or days. During that period, the system has no evidence that the same person is still present, that the device has not been compromised, or that the user's intent aligns with their actions.¶
RVP replaces this "verify-then-trust" model with continuous evidence-based verification. Every interaction is a verification moment that produces a cryptographic evidence token recording identity confidence at that point.¶
Current verification systems suffer from:¶
This document defines:¶
This document does NOT define:¶
Note: The -00 version included the Predictive Airlock as a core protocol component. It has been moved to an informative appendix because it represents a substantial subsystem that warrants separate specification. Implementations MAY implement the Predictive Airlock as described in Appendix D.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Traditional:¶
T=0 Login -> Session token issued T=1 Action -> Token valid? -> Permit T=3600 Token expires -> Re-login¶
No evidence about identity between T=0 and T=3600.¶
RVP:¶
T=0.000 Action requested T=0.002 Cascade: keystroke + device -> confidence 0.94 -> GO T=0.003 Evidence token produced T=1.000 Action requested T=1.002 Cascade: keystroke deviates -> confidence 0.61 T=1.003 Face check added -> confidence 0.89 -> GO T=2.000 Action requested T=2.002 Cascade: all layers -> confidence 0.12 -> HALT T=2.003 Evidence token with full cascade path¶
A Verification Moment consists of:¶
The moment SHOULD complete within the deployment latency budget. For interactive systems: 50-200ms. For API calls: 1-10ms overhead.¶
RVP defines five standard cascade layers. Implementations MUST support at least two layers.¶
Priority Layer Signal Type Passive -------- ----------- ----------------- ------- L1 KEYSTROKE Behavioral biom. Yes L2 BIOMETRIC Physical identity Mixed L3 DEVICE Hardware/network Yes L4 VOCAL Acoustic Yes L5 BEHAVIORAL Intent analysis Yes¶
"Passive" indicates the layer can operate without explicit user action. Passive layers enable continuous verification without interruption.¶
Implementations MAY support additional layers using the "Lx-" prefix for custom layers (e.g., "Lx-nfc").¶
Layers activate based on the confidence deficit: the difference between the threshold and accumulated confidence.¶
Required threshold: 0.85 L1 KEYSTROKE: 0.40 -> deficit: 0.45 -> continue L1 + L3 DEVICE: 0.65 -> deficit: 0.20 -> continue L1 + L3 + L5: 0.87 -> deficit: 0.00 -> GO¶
Layers activate in priority order. The cascade terminates when:¶
Each layer produces a confidence value between -1.0 and 1.0:¶
Accumulated confidence:¶
C_total = SUM (w_i * c_i) for i in activated layers where w_i = weight, c_i = layer confidence Weights MUST sum to 1.0¶
Weights are configurable per deployment. Default: equal weight across activated layers.¶
The exact scoring formula within each layer is a local policy decision. This document defines the score range, inputs, and accumulation, not the formulas.¶
Signals: typing speed, key press duration, inter-key intervals, error patterns, command vocabulary.¶
Privacy: Raw keystrokes NEVER stored or transmitted. Only statistical aggregates retained in profile. Profile stored locally, encrypted at rest. Token contains only: confidence score + profile_hash + deviation_category.¶
Sub-layers (activated in order):¶
Privacy: Templates stored ONLY on-device. Templates MUST be encrypted with device-bound key. Templates MUST NOT be transmittable. Token contains only: confidence + method_used + template_hash. Implementations MAY use [FIDO2] for hardware-backed biometric authentication.¶
Signals: device fingerprint, network type, geolocation, NFC responses, software state.¶
NFC document binding (passport, ID card): read signed data from chip, verify document signature, compare to profile. Relevant for eIDAS 2.0 high-assurance verification.¶
Signals: voice frequency profile, speech cadence, sub-verbal patterns.¶
Privacy: Audio processed in real-time and immediately discarded. Only statistical features retained. User MUST explicitly consent to vocal telemetry.¶
Signals: action sequence probability, time-of-day patterns, task context, command sophistication level.¶
Detects: developer running unfamiliar admin commands, actions at unusual hours, rapid sequences from normally deliberate user.¶
{
"protocol": "RVP",
"version": "1.1",
"token_id": "rvp-a7b3c9d2e4f1",
"timestamp": "2026-03-29T14:30:00.003Z",
"subject": {
"profile_hash": "sha256:4f2e8a...",
"device_hash": "sha256:7c9d1b..."
},
"cascade": {
"layers_activated": ["L1", "L3", "L5"],
"layers_skipped": ["L2", "L4"],
"layer_results": {
"L1": {"confidence": 0.42, "category": "nominal"},
"L3": {"confidence": 0.31, "category": "nominal"},
"L5": {"confidence": 0.18, "category": "nominal"}
},
"accumulated_confidence": 0.91,
"threshold": 0.85,
"resolution": "GO"
},
"evidence": {
"telemetry_hash": "sha256:9c1a...",
"cascade_path": "L1->L3->L5->GO",
"time_elapsed_ms": 3
},
"tibet": {
"erin": "verification_moment",
"eraan": ["profile_hash", "device_hash"],
"eromheen": {"location": "local", "network": "wifi"},
"erachter": "continuous identity verification"
},
"previous_token": "rvp-b8c4d0e3f2a5",
"chain_length": 47,
"token_hash": "rvp:sha256:7d3f..."
}
Consecutive tokens form a chain. Each references its predecessor via "previous_token". The chain provides:¶
A fallback is triggered when:¶
The cascade continues to the next layer. The Verification Token records all attempts and failures.¶
Immediate HALT regardless of accumulated confidence:¶
Hard stops are FINAL for the current action. Re-establishment requires high-assurance verification.¶
RVP provides the evidence layer beneath Verifiable Credentials [VC-DATA-MODEL]. A VC says "this person is 18+"; RVP provides evidence of HOW that was determined, WHEN, by WHAT method, and with WHAT confidence.¶
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiableCredential", "AgeVerification"],
"issuer": "did:web:example.com",
"credentialSubject": {"ageOver": 18},
"proof": { "..." : "..." },
"rvpEvidence": {
"protocol": "RVP",
"verification_chain": ["rvp:sha256:..."],
"chain_confidence_min": 0.87,
"methods_used": ["L2a_face", "L3_device_nfc"],
"last_verified": "2026-03-29T14:30:00Z",
"continuous": true
}
}
When presenting a credential, the holder attaches a CURRENT RVP token proving they are still the person the credential was issued to. This solves the "stolen credential" problem: even with a copied VC, the attacker cannot produce a matching RVP chain.¶
RVP verification tokens are JSON [RFC8259] objects transportable over any mechanism. Content-Type: application/rvp+json.¶
For AI-to-AI verification, tokens MAY be transported via I-Poll messages with metadata type "rvp_verification".¶
These requirements align with GDPR Article 9, EU AI Act biometric identification requirements, and eIDAS 2.0 data minimization.¶
Each layer MUST implement minimal telemetry: collect only what is needed, process immediately, retain only aggregates, store only hashes in tokens.¶
Users control which verification evidence is shared. Tokens use per-verifier pseudonymous identifiers to prevent cross-service tracking.¶
RVP produces evidence, not policy. An implementation MAY block, allow with reduced privileges, require additional verification, or log and alert. The choice is a POLICY decision, not a PROTOCOL decision.¶
Tokens include millisecond timestamps, predecessor references, and device-state nonces. Verifiers SHOULD reject tokens older than a configurable window (default: 10 seconds).¶
Attacks on cascade layers:¶
Multi-layer cascade is the primary defense: spoofing one layer is feasible; spoofing four simultaneously is significantly harder.¶
RVP is not infallible. Known limitations:¶
These limitations are recorded as evidence (reduced confidence scores), not hidden.¶
RVP is designed to support compliance with:¶
RVP is NOT a remote biometric identification system. It operates on-device for the device holder's own verification.¶
Detailed regulatory mapping is available in the -00 version of this document, Section 13.¶
This document requests registration of:¶
Media Type: application/rvp+json¶
Note: The -00 version defined protocol prefixes and token ID formats. These are maintained as conventions but do not require IANA registration at this stage.¶
(Preserved from -00 with minor updates: version field added, "Lx-" prefix support for custom layers.)¶
(Preserved from -00.)¶
(Preserved from -00.)¶
(Preserved from -00.)¶
(Preserved from -00. This example demonstrates passive identity switching through cascade evidence, not blocking.)¶
The Predictive Airlock is a mechanism that pre-renders the expected outcome of an action before execution and measures the delta between prediction and reality as a verification signal.¶
The -00 version included this as Section 5 and L6 AIRLOCK cascade layer. It has been moved to this appendix because:¶
Implementations MAY implement the Predictive Airlock as described in -00 Section 5 and integrate it as an additional cascade layer (L6 AIRLOCK). The airlock's confidence output is derived from the prediction delta: c_airlock = 1.0 - delta.¶
A future document may specify the Predictive Airlock as a standalone extension to RVP.¶
The author thanks Codex (codex.aint) for the suite-wide cleanup analysis that informed this revision, particularly the recommendation to narrow RVP's scope and defer the Predictive Airlock to a separate specification.¶