Internet-Draft AIPREF Grant Binding July 2026
Wallace Expires 4 January 2027 [Page]
Workgroup:
AI Preferences
Published:
Intended Status:
Standards Track
Expires:
Author:
Wallace
LicenseFoundry

A Verifiable-Credential Binding for AI Usage Preferences: Expressing Grants that Lift AIPREF Preferences

Abstract

The AI Preferences (AIPREF) vocabulary lets those with rights in a digital asset express preferences -- for example, that training of AI models is disallowed -- about how automated systems process that asset. Such a preference expresses a reservation. It does not, by itself, provide a verifiable, revocable record of a specific grant that lifts a preference for a specific party.

This document describes that gap and proposes a candidate mechanism: a cryptographically signed, offline-verifiable credential that expresses a grant referencing an AIPREF usage category and a specific asset, that any party can verify without contacting the grantor, and that the grantor can revoke. It is intended as a starting point for discussion in the AI Preferences Working Group, not as a finished specification.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 4 January 2027.

Table of Contents

1. Introduction

The AI Preferences vocabulary [AIPREF-VOCAB] defines a machine-readable way to express preferences about how automated systems process a digital asset. Each usage category (for example, "train-ai") is assigned a value such as "allowed" or "disallowed". A preference of "train-ai=disallowed" is a standing statement of intent by a party with rights in the asset: a reservation.

Preferences describe a default posture toward the world. They do not express what a specific party has been permitted to do. When a rights holder does permit a specific use by a specific party -- under a license, a negotiated agreement, or otherwise -- there is at present no interoperable, verifiable way to express and check that grant. This produces three operational problems:

Informally: an AIPREF preference is the lock; what is missing is a verifiable key, and a receipt for it that survives inspection later. This document sketches that missing piece as a signed, revocable credential that sits on top of the AIPREF vocabulary rather than replacing it, and asks the Working Group whether and where such a mechanism belongs.

This document does not propose changes to the AIPREF vocabulary itself, nor does it assert that a preference is legally binding or that any particular use is or is not permitted absent a grant. Those questions are out of scope.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.2. Terminology

Preference:
An AIPREF value (e.g. "allowed"/"disallowed") assigned to a usage category for an asset, per [AIPREF-VOCAB].
Grant:
A statement that a named party is permitted a specific usage category for a specific asset, over a validity period, expressed as the credential defined in Section 3.
Grantor:
The party that issues (signs) a grant. Typically the rights holder or an authorised issuer acting on the rights holder's behalf.
Grantee:
The party a grant names as permitted.
Verifier:
Any party that checks a grant -- for example an AI system, an auditor, a court, or a counterparty.

2. Relationship to the AIPREF Vocabulary

A grant references an AIPREF usage category by its label (for example "train-ai" from [AIPREF-VOCAB], or a category introduced through that document's vocabulary-extension mechanism). A grant is scoped to a tuple of (asset, category, grantee, validity period). A grant that asserts "allowed" for a category lifts a "disallowed" preference for that category for the named grantee only; it makes no statement about any other party.

Grants and preferences are therefore complementary layers. The preference is authored by the rights holder as a standing signal; the grant is a discrete, verifiable exception issued to a specific party. A verifier that observes both applies the grant in preference to the standing preference for the named grantee, and applies the standing preference otherwise.

This document does not require AIPREF to define any new category to carry grants. It observes only that a category value MAY be lifted, for a named grantee, by a grant that the grantee can present and any verifier can check.

Preferences and grants also differ in how they are distributed. AIPREF preferences are typically attached to content and expressed to the world -- for example through robots.txt or HTTP header fields -- as a broadcast, party-agnostic signal of a default posture. A grant is not distributed that way: it is a signed artifact bound to a named grantee, held and presented by that grantee (or retrieved by reference), and checkable by any verifier without being attached to the content or announced to the world. A grant therefore complements a content-attached preference rather than competing with it: the preference is the broadcast reservation; the grant is the verifiable, per-party exception.

3. The Grant Credential

3.1. Structure

A grant is expressed as a Verifiable Credential [VC-DATA-MODEL], secured as a JSON Web Signature per [VC-JOSE-COSE]. It carries at least:

  • an issuer identifier that a verifier can resolve to a public key -- for example a "did:web" [DID-WEB] identifier resolvable over HTTPS;
  • the asset the grant concerns, identified by a cryptographic content digest (e.g. SHA-256) so the grant binds to specific content without carrying the content itself;
  • the grantee the grant names;
  • one or more usage entries, each naming an AIPREF category and the granted value (e.g. "train-ai" = "allowed");
  • a validity period (validFrom / validUntil); and
  • a revocation reference, such as a Bitstring Status List [BITSTRING] entry, that a verifier can check.

A grant MUST be signed by the grantor's key. A grant MUST identify the asset by content digest. A grant SHOULD carry a revocation reference; a grant without one cannot be withdrawn after issuance.

3.2. Example

The following is the (unsecured) JSON [RFC8259] payload of a grant that permits "train-ai" of a specific asset to a named grantee for one year. In transit it is secured as a JWS per [VC-JOSE-COSE].

{
  "@context": ["https://www.w3.org/ns/credentials/v2"],
  "type": ["VerifiableCredential", "AIUsageGrantCredential"],
  "issuer": "did:web:publisher.example",
  "validFrom": "2026-07-01T00:00:00Z",
  "validUntil": "2027-07-01T00:00:00Z",
  "credentialSubject": {
    "asset": {
      "id": "urn:asset:sha-256",
      "digest": "sha-256:0f7e...c19a"
    },
    "grantee": "did:web:ai-lab.example",
    "usage": [
      { "category": "train-ai", "value": "allowed" }
    ]
  },
  "credentialStatus": {
    "type": "BitstringStatusListEntry",
    "statusPurpose": "revocation",
    "statusListIndex": "94",
    "statusListCredential": "https://publisher.example/status/1"
  }
}

The "category" value ("train-ai") is an AIPREF category [AIPREF-VOCAB]. The "value" ("allowed") lifts a "disallowed" preference for that category, for the named grantee, over the validity period, unless the grant has been revoked.

4. Verification Procedure

To act on a grant, a verifier:

  1. resolves the issuer identifier to a public key (for "did:web", by fetching the DID document over HTTPS [DID-WEB]) and verifies the signature over the credential;
  2. confirms the current time is within the validity period;
  3. confirms the grant has not been revoked, by checking the referenced status list [BITSTRING];
  4. confirms the asset digest matches the content in question, and that the category and grantee match the use and party at hand.

If all checks pass, a valid grant exists for that (asset, category, grantee); the corresponding preference is lifted for that grantee. Verification requires no interaction with the grantor beyond fetching the (cacheable) issuer key and status list, and can be performed offline against cached copies.

5. Revocation

A grantor withdraws a grant by updating the referenced status list so that the grant's entry indicates revocation. Verifiers observe the change the next time they refresh the status list, bounded by their cache policy. Revocation lets a rights holder end a permission after issuance -- a property that a standing preference change alone cannot provide for permissions already relied upon.

6. Discussion and Open Questions

This document is a discussion starter. The mechanism in Section 3 is one candidate, not a final design. The author invites the Working Group's view on the following questions in particular:

7. Security Considerations

A grant proves who issued it, when, and what was declared. It does not attest that the grantor holds the rights it purports to grant: anyone in possession of an asset can compute its digest and issue a self-asserted grant over it. A verifier therefore MUST evaluate whether it trusts the issuer for the asset in question; the signature establishes the issuer's identity and the integrity of the declaration, not the truth of the underlying claim. Mechanisms for establishing that an issuer is authoritative for an asset are out of scope for this document.

Because a grant identifies its asset by content digest and does not carry the content, presenting a grant does not disclose the asset. Verifiers MUST confirm the digest matches the content actually processed; a grant for one asset says nothing about another.

Revocation is only as timely as verifiers' status-list refresh policy; a verifier relying on a stale cache may act on a revoked grant. Grants SHOULD carry a validity period so that a lost or unreachable status list does not extend a grant indefinitely.

8. IANA Considerations

This document has no IANA actions. Should the mechanism advance, a registry for the credential "type" and any grant-specific fields would be considered at that time.

9. Normative References

[AIPREF-VOCAB]
Keller, P. and M. Thomson, Ed., "A Vocabulary For Expressing AI Usage Preferences", Work in Progress, Internet-Draft, draft-ietf-aipref-vocab, , <https://datatracker.ietf.org/doc/draft-ietf-aipref-vocab/>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, , <https://www.rfc-editor.org/info/rfc8174>.
[VC-DATA-MODEL]
W3C, "Verifiable Credentials Data Model v2.0", , <https://www.w3.org/TR/vc-data-model-2.0/>.
[VC-JOSE-COSE]
W3C, "Securing Verifiable Credentials using JOSE and COSE", , <https://www.w3.org/TR/vc-jose-cose/>.

10. Informative References

[BITSTRING]
W3C, "Bitstring Status List v1.0", , <https://www.w3.org/TR/vc-bitstring-status-list/>.
[DID-WEB]
W3C Credentials Community Group, "did:web Method Specification", , <https://w3c-ccg.github.io/did-method-web/>.
[RFC8259]
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, , <https://www.rfc-editor.org/info/rfc8259>.

Author's Address

Wallace
LicenseFoundry
Netherlands