| Internet-Draft | AIPREF Grant Binding | July 2026 |
| Wallace | Expires 4 January 2027 | [Page] |
The AI Preferences (AIPREF) vocabulary lets those with rights in a digital asset express preferences -- for example, that training of AI models is disallowed -- about how automated systems process that asset. Such a preference expresses a reservation. It does not, by itself, provide a verifiable, revocable record of a specific grant that lifts a preference for a specific party.¶
This document describes that gap and proposes a candidate mechanism: a cryptographically signed, offline-verifiable credential that expresses a grant referencing an AIPREF usage category and a specific asset, that any party can verify without contacting the grantor, and that the grantor can revoke. It is intended as a starting point for discussion in the AI Preferences Working Group, not as a finished specification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The AI Preferences vocabulary [AIPREF-VOCAB] defines a machine-readable way to express preferences about how automated systems process a digital asset. Each usage category (for example, "train-ai") is assigned a value such as "allowed" or "disallowed". A preference of "train-ai=disallowed" is a standing statement of intent by a party with rights in the asset: a reservation.¶
Preferences describe a default posture toward the world. They do not express what a specific party has been permitted to do. When a rights holder does permit a specific use by a specific party -- under a license, a negotiated agreement, or otherwise -- there is at present no interoperable, verifiable way to express and check that grant. This produces three operational problems:¶
Informally: an AIPREF preference is the lock; what is missing is a verifiable key, and a receipt for it that survives inspection later. This document sketches that missing piece as a signed, revocable credential that sits on top of the AIPREF vocabulary rather than replacing it, and asks the Working Group whether and where such a mechanism belongs.¶
This document does not propose changes to the AIPREF vocabulary itself, nor does it assert that a preference is legally binding or that any particular use is or is not permitted absent a grant. Those questions are out of scope.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A grant references an AIPREF usage category by its label (for example "train-ai" from [AIPREF-VOCAB], or a category introduced through that document's vocabulary-extension mechanism). A grant is scoped to a tuple of (asset, category, grantee, validity period). A grant that asserts "allowed" for a category lifts a "disallowed" preference for that category for the named grantee only; it makes no statement about any other party.¶
Grants and preferences are therefore complementary layers. The preference is authored by the rights holder as a standing signal; the grant is a discrete, verifiable exception issued to a specific party. A verifier that observes both applies the grant in preference to the standing preference for the named grantee, and applies the standing preference otherwise.¶
This document does not require AIPREF to define any new category to carry grants. It observes only that a category value MAY be lifted, for a named grantee, by a grant that the grantee can present and any verifier can check.¶
Preferences and grants also differ in how they are distributed. AIPREF preferences are typically attached to content and expressed to the world -- for example through robots.txt or HTTP header fields -- as a broadcast, party-agnostic signal of a default posture. A grant is not distributed that way: it is a signed artifact bound to a named grantee, held and presented by that grantee (or retrieved by reference), and checkable by any verifier without being attached to the content or announced to the world. A grant therefore complements a content-attached preference rather than competing with it: the preference is the broadcast reservation; the grant is the verifiable, per-party exception.¶
A grant is expressed as a Verifiable Credential [VC-DATA-MODEL], secured as a JSON Web Signature per [VC-JOSE-COSE]. It carries at least:¶
A grant MUST be signed by the grantor's key. A grant MUST identify the asset by content digest. A grant SHOULD carry a revocation reference; a grant without one cannot be withdrawn after issuance.¶
The following is the (unsecured) JSON [RFC8259] payload of a grant that permits "train-ai" of a specific asset to a named grantee for one year. In transit it is secured as a JWS per [VC-JOSE-COSE].¶
{
"@context": ["https://www.w3.org/ns/credentials/v2"],
"type": ["VerifiableCredential", "AIUsageGrantCredential"],
"issuer": "did:web:publisher.example",
"validFrom": "2026-07-01T00:00:00Z",
"validUntil": "2027-07-01T00:00:00Z",
"credentialSubject": {
"asset": {
"id": "urn:asset:sha-256",
"digest": "sha-256:0f7e...c19a"
},
"grantee": "did:web:ai-lab.example",
"usage": [
{ "category": "train-ai", "value": "allowed" }
]
},
"credentialStatus": {
"type": "BitstringStatusListEntry",
"statusPurpose": "revocation",
"statusListIndex": "94",
"statusListCredential": "https://publisher.example/status/1"
}
}
¶
The "category" value ("train-ai") is an AIPREF category [AIPREF-VOCAB]. The "value" ("allowed") lifts a "disallowed" preference for that category, for the named grantee, over the validity period, unless the grant has been revoked.¶
To act on a grant, a verifier:¶
If all checks pass, a valid grant exists for that (asset, category, grantee); the corresponding preference is lifted for that grantee. Verification requires no interaction with the grantor beyond fetching the (cacheable) issuer key and status list, and can be performed offline against cached copies.¶
A grantor withdraws a grant by updating the referenced status list so that the grant's entry indicates revocation. Verifiers observe the change the next time they refresh the status list, bounded by their cache policy. Revocation lets a rights holder end a permission after issuance -- a property that a standing preference change alone cannot provide for permissions already relied upon.¶
This document is a discussion starter. The mechanism in Section 3 is one candidate, not a final design. The author invites the Working Group's view on the following questions in particular:¶
A grant proves who issued it, when, and what was declared. It does not attest that the grantor holds the rights it purports to grant: anyone in possession of an asset can compute its digest and issue a self-asserted grant over it. A verifier therefore MUST evaluate whether it trusts the issuer for the asset in question; the signature establishes the issuer's identity and the integrity of the declaration, not the truth of the underlying claim. Mechanisms for establishing that an issuer is authoritative for an asset are out of scope for this document.¶
Because a grant identifies its asset by content digest and does not carry the content, presenting a grant does not disclose the asset. Verifiers MUST confirm the digest matches the content actually processed; a grant for one asset says nothing about another.¶
Revocation is only as timely as verifiers' status-list refresh policy; a verifier relying on a stale cache may act on a revoked grant. Grants SHOULD carry a validity period so that a lost or unreachable status list does not extend a grant indefinitely.¶
This document has no IANA actions. Should the mechanism advance, a registry for the credential "type" and any grant-specific fields would be considered at that time.¶