<?xml version="1.0" encoding="utf-8"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     ipr="trust200902"
     docName="draft-wallace-aipref-grant-binding-00"
     category="std"
     submissionType="IETF"
     consensus="true"
     version="3"
     xml:lang="en"
     tocInclude="true"
     sortRefs="true"
     symRefs="true">

  <front>
    <title abbrev="AIPREF Grant Binding">A Verifiable-Credential Binding for AI Usage Preferences: Expressing Grants that Lift AIPREF Preferences</title>

    <author fullname="Wallace" surname="Wallace">
      <organization>LicenseFoundry</organization>
      <address>
        <postal>
          <country>NL</country>
        </postal>
        <email>wallace@licensefoundry.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="3"/>

    <workgroup>AI Preferences</workgroup>
    <keyword>AI preferences</keyword>
    <keyword>text and data mining</keyword>
    <keyword>verifiable credentials</keyword>
    <keyword>licensing</keyword>

    <abstract>
      <t>The AI Preferences (AIPREF) vocabulary lets those with rights in a
      digital asset express preferences -- for example, that training of AI
      models is disallowed -- about how automated systems process that asset.
      Such a preference expresses a reservation. It does not, by itself,
      provide a verifiable, revocable record of a specific grant that lifts a
      preference for a specific party.</t>
      <t>This document describes that gap and proposes a candidate mechanism:
      a cryptographically signed, offline-verifiable credential that expresses
      a grant referencing an AIPREF usage category and a specific asset, that
      any party can verify without contacting the grantor, and that the
      grantor can revoke. It is intended as a starting point for discussion in
      the AI Preferences Working Group, not as a finished specification.</t>
    </abstract>
  </front>

  <middle>

    <section anchor="intro">
      <name>Introduction</name>
      <t>The AI Preferences vocabulary <xref target="AIPREF-VOCAB"/> defines a
      machine-readable way to express preferences about how automated systems
      process a digital asset. Each usage category (for example, "train-ai")
      is assigned a value such as "allowed" or "disallowed". A preference of
      "train-ai=disallowed" is a standing statement of intent by a party with
      rights in the asset: a reservation.</t>

      <t>Preferences describe a default posture toward the world. They do not
      express what a <em>specific</em> party has been permitted to do. When a
      rights holder does permit a specific use by a specific party -- under a
      license, a negotiated agreement, or otherwise -- there is at present no
      interoperable, verifiable way to express and check that grant. This
      produces three operational problems:</t>
      <ul>
        <li>a party acting on a permission cannot <em>prove</em>, to a third
        party, that it held that permission for a given asset on a given
        date;</li>
        <li>a rights holder that granted a permission cannot <em>withdraw</em>
        it in a way that downstream verifiers can observe; and</li>
        <li>a dispute over whether an asset was permitted for a use cannot be
        resolved on independently checkable evidence.</li>
      </ul>

      <t>Informally: an AIPREF preference is the lock; what is missing is a
      verifiable key, and a receipt for it that survives inspection later. This
      document sketches that missing piece as a signed, revocable credential
      that sits <em>on top of</em> the AIPREF vocabulary rather than replacing
      it, and asks the Working Group whether and where such a mechanism
      belongs.</t>

      <t>This document does not propose changes to the AIPREF vocabulary
      itself, nor does it assert that a preference is legally binding or that
      any particular use is or is not permitted absent a grant. Those questions
      are out of scope.</t>

      <section anchor="reqlang">
        <name>Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
        "OPTIONAL" in this document are to be interpreted as described in
        BCP&#160;14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and
        only when, they appear in all capitals, as shown here.</t>
      </section>

      <section anchor="terms">
        <name>Terminology</name>
        <dl>
          <dt>Preference:</dt>
          <dd>An AIPREF value (e.g. "allowed"/"disallowed") assigned to a
          usage category for an asset, per <xref target="AIPREF-VOCAB"/>.</dd>
          <dt>Grant:</dt>
          <dd>A statement that a named party is permitted a specific usage
          category for a specific asset, over a validity period, expressed as
          the credential defined in <xref target="credential"/>.</dd>
          <dt>Grantor:</dt>
          <dd>The party that issues (signs) a grant. Typically the rights
          holder or an authorised issuer acting on the rights holder's
          behalf.</dd>
          <dt>Grantee:</dt>
          <dd>The party a grant names as permitted.</dd>
          <dt>Verifier:</dt>
          <dd>Any party that checks a grant -- for example an AI system, an
          auditor, a court, or a counterparty.</dd>
        </dl>
      </section>
    </section>

    <section anchor="relationship">
      <name>Relationship to the AIPREF Vocabulary</name>
      <t>A grant references an AIPREF usage category by its label (for example
      "train-ai" from <xref target="AIPREF-VOCAB"/>, or a category introduced
      through that document's vocabulary-extension mechanism). A grant is
      scoped to a tuple of (asset, category, grantee, validity period). A grant
      that asserts "allowed" for a category lifts a "disallowed" preference for
      that category <em>for the named grantee only</em>; it makes no statement
      about any other party.</t>

      <t>Grants and preferences are therefore complementary layers. The
      preference is authored by the rights holder as a standing signal; the
      grant is a discrete, verifiable exception issued to a specific party. A
      verifier that observes both applies the grant in preference to the
      standing preference for the named grantee, and applies the standing
      preference otherwise.</t>

      <t>This document does not require AIPREF to define any new category to
      carry grants. It observes only that a category value <bcp14>MAY</bcp14> be lifted, for a
      named grantee, by a grant that the grantee can present and any verifier
      can check.</t>

      <t>Preferences and grants also differ in how they are distributed. AIPREF
      preferences are typically attached to content and expressed to the world
      -- for example through robots.txt or HTTP header fields -- as a broadcast,
      party-agnostic signal of a default posture. A grant is not distributed
      that way: it is a signed artifact bound to a named grantee, held and
      presented by that grantee (or retrieved by reference), and checkable by
      any verifier without being attached to the content or announced to the
      world. A grant therefore complements a content-attached preference rather
      than competing with it: the preference is the broadcast reservation; the
      grant is the verifiable, per-party exception.</t>
    </section>

    <section anchor="credential">
      <name>The Grant Credential</name>

      <section anchor="structure">
        <name>Structure</name>
        <t>A grant is expressed as a Verifiable Credential
        <xref target="VC-DATA-MODEL"/>, secured as a JSON Web Signature per
        <xref target="VC-JOSE-COSE"/>. It carries at least:</t>
        <ul>
          <li>an <strong>issuer</strong> identifier that a verifier can resolve
          to a public key -- for example a "did:web"
          <xref target="DID-WEB"/> identifier resolvable over HTTPS;</li>
          <li>the <strong>asset</strong> the grant concerns, identified by a
          cryptographic content digest (e.g. SHA-256) so the grant binds to
          specific content without carrying the content itself;</li>
          <li>the <strong>grantee</strong> the grant names;</li>
          <li>one or more <strong>usage</strong> entries, each naming an AIPREF
          category and the granted value (e.g. "train-ai" = "allowed");</li>
          <li>a <strong>validity period</strong> (validFrom / validUntil);
          and</li>
          <li>a <strong>revocation</strong> reference, such as a Bitstring
          Status List <xref target="BITSTRING"/> entry, that a verifier can
          check.</li>
        </ul>
        <t>A grant <bcp14>MUST</bcp14> be signed by the grantor's key. A grant <bcp14>MUST</bcp14> identify
        the asset by content digest. A grant <bcp14>SHOULD</bcp14> carry a revocation
        reference; a grant without one cannot be withdrawn after issuance.</t>
      </section>

      <section anchor="example">
        <name>Example</name>
        <t>The following is the (unsecured) JSON <xref target="RFC8259"/>
        payload of a grant that permits "train-ai" of a specific asset to a
        named grantee for one year. In transit it is secured as a JWS per
        <xref target="VC-JOSE-COSE"/>.</t>
        <sourcecode type="json"><![CDATA[
{
  "@context": ["https://www.w3.org/ns/credentials/v2"],
  "type": ["VerifiableCredential", "AIUsageGrantCredential"],
  "issuer": "did:web:publisher.example",
  "validFrom": "2026-07-01T00:00:00Z",
  "validUntil": "2027-07-01T00:00:00Z",
  "credentialSubject": {
    "asset": {
      "id": "urn:asset:sha-256",
      "digest": "sha-256:0f7e...c19a"
    },
    "grantee": "did:web:ai-lab.example",
    "usage": [
      { "category": "train-ai", "value": "allowed" }
    ]
  },
  "credentialStatus": {
    "type": "BitstringStatusListEntry",
    "statusPurpose": "revocation",
    "statusListIndex": "94",
    "statusListCredential": "https://publisher.example/status/1"
  }
}
]]></sourcecode>
        <t>The "category" value ("train-ai") is an AIPREF category
        <xref target="AIPREF-VOCAB"/>. The "value" ("allowed") lifts a
        "disallowed" preference for that category, for the named grantee, over
        the validity period, unless the grant has been revoked.</t>
      </section>
    </section>

    <section anchor="verification">
      <name>Verification Procedure</name>
      <t>To act on a grant, a verifier:</t>
      <ol>
        <li>resolves the issuer identifier to a public key (for "did:web", by
        fetching the DID document over HTTPS <xref target="DID-WEB"/>) and
        verifies the signature over the credential;</li>
        <li>confirms the current time is within the validity period;</li>
        <li>confirms the grant has not been revoked, by checking the referenced
        status list <xref target="BITSTRING"/>;</li>
        <li>confirms the asset digest matches the content in question, and that
        the category and grantee match the use and party at hand.</li>
      </ol>
      <t>If all checks pass, a valid grant exists for that (asset, category,
      grantee); the corresponding preference is lifted for that grantee.
      Verification requires no interaction with the grantor beyond fetching the
      (cacheable) issuer key and status list, and can be performed offline
      against cached copies.</t>
    </section>

    <section anchor="revocation">
      <name>Revocation</name>
      <t>A grantor withdraws a grant by updating the referenced status list so
      that the grant's entry indicates revocation. Verifiers observe the change
      the next time they refresh the status list, bounded by their cache
      policy. Revocation lets a rights holder end a permission after issuance
      -- a property that a standing preference change alone cannot provide for
      permissions already relied upon.</t>
    </section>

    <section anchor="discussion">
      <name>Discussion and Open Questions</name>
      <t>This document is a discussion starter. The mechanism in
      <xref target="credential"/> is one candidate, not a final design. The
      author invites the Working Group's view on the following questions in
      particular:</t>
      <ul>
        <li>Is the expression of grants that lift preferences in scope for the
        AI Preferences Working Group, or is it better pursued elsewhere?</li>
        <li>Should the AIPREF vocabulary define any hook that indicates a
        category value is conditional on, or may be lifted by, a grant -- or
        should grants remain entirely a separate layer, as sketched here?</li>
        <li>Is a Verifiable Credential the right container, or should a lighter
        or different encoding be preferred? This document uses VCs because they
        provide issuer identity, offline verification, and revocation as
        existing, interoperable building blocks, but does not assert they are
        the only viable choice.</li>
        <li>How should grantee identity be expressed for interoperability
        across ecosystems?</li>
      </ul>
    </section>

    <section anchor="security">
      <name>Security Considerations</name>
      <t>A grant proves who issued it, when, and what was declared. It does
      <em>not</em> attest that the grantor holds the rights it purports to
      grant: anyone in possession of an asset can compute its digest and issue
      a self-asserted grant over it. A verifier therefore <bcp14>MUST</bcp14> evaluate whether
      it trusts the issuer for the asset in question; the signature establishes
      the issuer's identity and the integrity of the declaration, not the
      truth of the underlying claim. Mechanisms for establishing that an issuer
      is authoritative for an asset are out of scope for this document.</t>
      <t>Because a grant identifies its asset by content digest and does not
      carry the content, presenting a grant does not disclose the asset.
      Verifiers <bcp14>MUST</bcp14> confirm the digest matches the content actually processed;
      a grant for one asset says nothing about another.</t>
      <t>Revocation is only as timely as verifiers' status-list refresh policy;
      a verifier relying on a stale cache may act on a revoked grant. Grants
      <bcp14>SHOULD</bcp14> carry a validity period so that a lost or unreachable status list
      does not extend a grant indefinitely.</t>
    </section>

    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions. Should the mechanism advance, a
      registry for the credential "type" and any grant-specific fields would be
      considered at that time.</t>
    </section>

  </middle>

  <back>
    <references>
      <name>Normative References</name>

      <reference anchor="AIPREF-VOCAB" target="https://datatracker.ietf.org/doc/draft-ietf-aipref-vocab/">
        <front>
          <title>A Vocabulary For Expressing AI Usage Preferences</title>
          <author initials="P." surname="Keller"/>
          <author initials="M." surname="Thomson" role="editor"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-aipref-vocab"/>
      </reference>

      <reference anchor="VC-DATA-MODEL" target="https://www.w3.org/TR/vc-data-model-2.0/">
        <front>
          <title>Verifiable Credentials Data Model v2.0</title>
          <author><organization>W3C</organization></author>
          <date year="2025"/>
        </front>
      </reference>

      <reference anchor="VC-JOSE-COSE" target="https://www.w3.org/TR/vc-jose-cose/">
        <front>
          <title>Securing Verifiable Credentials using JOSE and COSE</title>
          <author><organization>W3C</organization></author>
          <date year="2025"/>
        </front>
      </reference>

      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author initials="S." surname="Bradner"/>
          <date year="1997" month="March"/>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
      </reference>

      <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author initials="B." surname="Leiba"/>
          <date year="2017" month="May"/>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
      </reference>
    </references>

    <references>
      <name>Informative References</name>

      <reference anchor="DID-WEB" target="https://w3c-ccg.github.io/did-method-web/">
        <front>
          <title>did:web Method Specification</title>
          <author><organization>W3C Credentials Community Group</organization></author>
          <date year="2025"/>
        </front>
      </reference>

      <reference anchor="BITSTRING" target="https://www.w3.org/TR/vc-bitstring-status-list/">
        <front>
          <title>Bitstring Status List v1.0</title>
          <author><organization>W3C</organization></author>
          <date year="2025"/>
        </front>
      </reference>

      <reference anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8259">
        <front>
          <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
          <author initials="T." surname="Bray" role="editor"/>
          <date year="2017" month="December"/>
        </front>
        <seriesInfo name="STD" value="90"/>
        <seriesInfo name="RFC" value="8259"/>
      </reference>
    </references>
  </back>
</rfc>
