SCITT                                                          D. Brooks
Internet-Draft                                   Business Cyber Guardian
Intended status: Standards Track                              May 6 2026
Expires: November 7 2026


     The 'ztdnaid' URI Scheme for Zero-Trust Digital DNA Identifiers
                               (ZTDNAID)
                      draft-brooks-ztdnaid-new-02

Abstract

   This document defines the 'ztdnaid' Uniform Resource Identifier (URI)
   scheme, used to represent globally unique, cryptographically
   verifiable Digital DNA Identifiers (ZTDNAIDs) within Zero Trust
   architecture implementations.  A ZTDNAID binds an entity's immutable,
   unique Digital DNA Record (DDR) to a resolvable identifier suitable
   for authentication, authorization, attestation, and trust-registry
   lookup.  The scheme is designed for use with trust registries
   operating across Public Trust Infrastructure (PTI), such as SAG-CTR,
   and supports deterministic resolution, offline verification, and
   secure dereferencing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Notation
   2.  Terminology
   3.  Scheme Definition
     3.1.  Overview
     3.2.  Syntax
     3.3.  Semantics
   4.  Resolution
   5.  Security Considerations
   6.  Internationalization Considerations
   7.  IANA Considerations
   8.  Examples
   9.  Acknowledgments
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Author's Address

1.  Introduction

   Zero Trust architectures increasingly rely on cryptographically
   strong, non-repudiable identifiers that bind an entity to a
   verifiable digital record.  Zero Trust Digital DNA Identifiers
   (ZTDNAIDs) provide a compact, lightweight canonical identifier for
   digital objects, i.e., entity DDR data whose trust posture is
   continuously evaluated.

   The 'ztdnaid' URI scheme enables interoperable representation,
   transport, dereferencing, and verification of these identifiers
   across protocols, PTI trust registries, and attestation systems.

   The scheme is designed to be:

   *  Opaque (no hierarchical semantics)
   *  Deterministic (canonical encoding)
   *  Cryptographically bound (hash-based)
   *  Resolvable (via trust registries such as SAG-CTR)
   *  Suitable for Zero Trust enforcement

   This document registers the 'ztdnaid' URI scheme with IANA under the
   procedures of RFC 7595.

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   The terms defined in this section have special meaning in the context
   of online trust registration and verification of digital objects.

   Digital DNA Identifier:  A SHA-256, or greater, hash value
      representing the cryptographic digest of DDR content, resulting in
      a unique digital identifier that is expressed during digital
      communication exchanges using an IANA-registered URI scheme, such
      as ztdnaid.

   Digital DNA Record (DDR):  A digital object, i.e., a text file
      containing a unique canonical string identifier representing a
      real-world physical or virtual object, that is input to a SHA-256,
      or greater, hash algorithm to produce a unique Digital DNA
      Identifier, i.e., a ztdnaid.

   Digital Object:  A physical, digital representation of a real-world
      physical or virtual object that uses a computer-supported
      character encoding scheme, i.e., UTF-8, and uniquely describes and
      identifies the real-world object.

   Public Trust Infrastructure (PTI):  A public, open, cryptographically
      verifiable trust layer that enables actors to assert and prove
      trust, integrity, behavior, and compliance of digital objects
      through registry-anchored evidence.  PTI generalizes trust
      guarantees to encompass provenance, transparency, and multiparty
      accountability for digital objects across digital ecosystems.

   SAG-CTR:  Software Assurance Guardian Community Trust Registry, used
      to register trust declarations and store evidence data and other
      information needed to verify trust in a digital object.  It
      provides verification of digital objects based on Digital DNA
      Identifiers expressed in a ztdnaid within a PTI Trust Control
      Plane [PTITCP].

3.  Scheme Definition

3.1.  Overview

   A ZTDNAID is a cryptographic identifier derived from a globally
   unique Digital DNA Record (DDR).  The identifier is encoded using
   URL-safe UTF-8 characters.  The scheme is opaque and does not define
   hierarchical components.
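   The derivation, syntax check and binding check, as an added worked
   example that is not part of this draft nor SAG-CTR code: it derives a
   ztdnaid from a DDR as Section 3.1 describes, validates the Section 3.2
   syntax, and performs the verification of Section 4 step 4 so that a
   substituted DDR is rejected.  The function names, the digest-length
   table and hashing the DDR bytes exactly as given (no trailing newline)
   are assumptions of this example, not requirements of the draft.

```python
import hashlib
import hmac
import re

# Hypothetical checker for the draft's scheme (not SAG-CTR's own code).
# Section 3.2 ABNF: ztdnaid-uri = "ztdnaid:" 1*(ALPHA / DIGIT), UPPERCASE.
# Only the digest families Section 3.2 names are accepted, keyed by hex length.
DIGEST_BY_HEX_LEN = {64: "sha256", 96: "sha384", 128: "sha512"}
VALUE_RE = re.compile(r"[0-9A-Z]+")   # ALPHA / DIGIT, uppercase only
HEX_RE = re.compile(r"[0-9A-F]+")     # what a hex-encoded digest can contain

# The draft's own example DDR string, hashed as-is (assumption: no newline).
EXAMPLE_DDR = "Microsoft Corporation/Bill Gates/EmployeeID: 002"


def ztdnaid_from_ddr(ddr: str, algorithm: str = "sha256") -> str:
    """Section 3.1 derivation: hash the DDR's UTF-8 bytes, uppercase hex."""
    if algorithm not in DIGEST_BY_HEX_LEN.values():
        raise ValueError("SHA-256 or greater is required")
    digest = hashlib.new(algorithm, ddr.encode("utf-8")).hexdigest()
    return "ztdnaid:" + digest.upper()


def parse_ztdnaid(uri: str) -> str:
    """Return the ztdnaid-value of a syntactically valid URI, else raise.
    The scheme name is matched case-insensitively (ABNF quoted strings
    are case-insensitive); the value itself must be uppercase."""
    scheme, sep, value = uri.partition(":")
    if sep != ":" or scheme.lower() != "ztdnaid":
        raise ValueError("not a ztdnaid URI")
    if not VALUE_RE.fullmatch(value):
        raise ValueError("value is not 1*(ALPHA / DIGIT) in uppercase")
    if len(value) not in DIGEST_BY_HEX_LEN or not HEX_RE.fullmatch(value):
        raise ValueError("value is not an uppercase hex SHA-256/384/512 digest")
    return value


def verify_binding(ddr: str, uri: str) -> bool:
    """Section 4 step 4: recompute the digest over the DDR the registry
    returned and compare it, in constant time, with the identifier that
    was requested; any substituted DDR fails (Section 5, Cryptographic
    Binding)."""
    value = parse_ztdnaid(uri)
    algorithm = DIGEST_BY_HEX_LEN[len(value)]
    expected = hashlib.new(algorithm, ddr.encode("utf-8")).hexdigest().upper()
    return hmac.compare_digest(expected, value)
```

   Whether the computed digest equals the value shown in the draft's
   example depends on the exact byte sequence hashed (line endings,
   Unicode normalization), which the draft does not pin down; a registry
   and its clients must agree on that canonical form or the Section 4
   binding check fails.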
   Example: A DDR unique identifier string using "/" as the delimiter:

      Microsoft Corporation/Bill Gates/EmployeeID: 002

   Equivalent ztdnaid UTF-8 result:

      62588568DE0D42ABF9BBFF9B0FD8D2FEB9A24C950AC66AFCD8679FA4C831392A

3.2.  Syntax

   The syntax of the 'ztdnaid' URI scheme is defined using ABNF
   (RFC 5234):

      ztdnaid-uri   = "ztdnaid:" ztdnaid-value
      ztdnaid-value = 1*utf8url-char
      utf8url-char  = ALPHA / DIGIT

   The value MUST be a URL-safe, UPPERCASE UTF-8 encoding of a
   cryptographic digest (e.g., SHA-256, SHA-384, or SHA-512) [RFC6234].

3.3.  Semantics

   A 'ztdnaid' identifies a Digital DNA Record (DDR) that describes an
   entity's unique immutable attributes, provenance, and other
   identifying characteristics.  The DDR may be stored in:

   *  A Zero Trust trust registry (e.g., SAG-CTR)
   *  A verifiable credential
   *  A distributed ledger
   *  A local cache

   Dereferencing a ZTDNAID yields metadata, attestations, and
   trust-policy-relevant information.

4.  Resolution

   Resolution of a ZTDNAID is performed by querying a trust registry
   that supports the ZTDNAID resolution API.  The resolution process:

   1.  Accepts a ZTDNAID
   2.  Locates the corresponding DDR
   3.  Returns metadata, endorsements, and attestation material
   4.  Verifies the cryptographic binding between the DDR and the
       ZTDNAID value

   This document does not mandate a specific resolution protocol;
   however, implementations SHOULD support the SCITT-aligned trust
   registry API defined by the Software Assurance Guardian - Community
   Trust Registry (SAG-CTR).

5.  Security Considerations

   *  Cryptographic Binding: ZTDNAIDs MUST represent a UTF-8 UPPERCASE
      SHA-256 hash of the DDR data to prevent substitution attacks.
   *  Privacy: ZTDNAIDs are opaque and SHOULD NOT embed personally
      identifiable information.
   *  Replay Protection: Resolvers SHOULD verify freshness of
      attestation material.
   *  Transport Security: Resolution MAY occur over authenticated,
      encrypted channels (e.g., TLS 1.3).
   *  Trust Registry Integrity: Implementations MUST validate registry
      signatures and trust anchors.

6.  Internationalization Considerations

   The ZTDNAID value is restricted to UPPERCASE UTF-8 URL-safe
   characters.  No internationalization issues are anticipated.

7.  IANA Considerations

   This document registers the 'ztdnaid' URI scheme under the procedures
   of RFC 7595.

   URI Scheme Registration

   *  Scheme name: ztdnaid
   *  Status: Provisional (to be updated to Permanent upon RFC
      publication)
   *  Applications/protocols that use this scheme name: Zero Trust
      architectures, trust registries, attestation systems, SCITT Trust
      Registry Transparency Services
   *  Contact: Richard Brooks
   *  Change controller: Business Cyber Guardian
   *  References: This document
   *  Scheme Syntax: Section 3.2
   *  Scheme Semantics: Section 3.3
   *  Security Considerations: Section 5

8.  Examples

   The ztdnaid-value for the DDR shown in Section 3.1:

      62588568DE0D42ABF9BBFF9B0FD8D2FEB9A24C950AC66AFCD8679FA4C831392A

   The same identifier as a 'ztdnaid' URI (Section 3.2):

      ztdnaid:62588568DE0D42ABF9BBFF9B0FD8D2FEB9A24C950AC66AFCD8679FA4C831392A

10.  References

10.1.  Normative References

   [PTITCP]   Brooks, R., "A Trust Control Plane for the Digital Age",
              Energy Central Article, March 16, 2026,
              https://www.energycentral.com/.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://datatracker.ietf.org/doc/html/rfc6234>.

Author's Address

   Dick Brooks
   Business Cyber Guardian
   23 Linda Dr.
   Westfield, Massachusetts 01085
   United States of America
   Email: dick@businesscyberguardian.com