| Internet-Draft | AEP did:web | June 2026 |
| Kavian | Expires 30 December 2026 | [Page] |
This document defines the did:web identity method for the Agent Enrollment Protocol (AEP). The method lets an AEP Service verify Agent client assertion JWTs by resolving an Agent did:web identifier to a DID document published over HTTPS.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 30 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Agent Enrollment Protocol (AEP) defines an identity-method substrate for authenticated commands [AEP-CORE]. AEP Services advertise enabled identity methods in the Inspect document's identity.methods array.¶
This document defines the did:web identity method. A Service that enables this identity method accepts Agent identifiers using the did:web DID method [DID-WEB] and resolves verification material from the corresponding HTTPS origin.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The identity method identifier is:¶
did:web¶
A Service that enables this identity method lists did:web in the Inspect document:¶
{
"identity": {
"methods": ["did:web"]
}
}
¶
Services that do not enable this identity method MUST NOT list did:web in identity.methods.¶
An Agent using this identity method identifies itself with a did:web URI.¶
The Agent DID appears in the client assertion JWT iss and sub claims. The JOSE kid header contains the Agent DID and MAY include a fragment selecting a verification method in the resolved DID document.¶
{
"alg": "EdDSA",
"typ": "JWT",
"kid": "did:web:agent.example.com:agents:123#key-1"
}
¶
{
"iss": "did:web:agent.example.com:agents:123",
"sub": "did:web:agent.example.com:agents:123"
}
¶
The DID portion of kid MUST equal the Agent DID carried in iss and sub.¶
The Service resolves the Agent DID according to the did:web method specification [DID-WEB]:¶
did:web:<host> resolves to https://<host>/.well-known/did.json.¶
did:web:<host>:<path> resolves to https://<host>/<path>/did.json.¶
Services MUST resolve did:web documents over HTTPS. Plaintext HTTP resolution is not allowed.¶
The resolved DID document MUST be a JSON object [RFC8259] and MUST contain a verification method referenced by the JWT kid header. The verification method MUST expose a public key in a form the Service can validate against the selected JOSE signing algorithm.¶
If the Service cannot resolve the DID document, cannot locate the referenced verification method, or cannot use the verification method with the selected JOSE algorithm, client assertion verification fails with the AEP not_recognized error defined by the core protocol.¶
Services SHOULD cache resolved DID documents and SHOULD honor upstream HTTP cache metadata [RFC9110]. A default cache lifetime of 300 seconds is RECOMMENDED when no shorter upstream lifetime is provided.¶
Services MUST ensure that cache lifetimes do not prevent timely key replacement after compromise. Services MAY impose a local maximum cache lifetime.¶
This document requests registration of did:web in the AEP Identity Methods registry.¶
| Field | Value |
|---|---|
| Identity Method |
did:web
|
| Description | DID Web identity method for AEP client assertions |
| Reference | This document |
The did:web method relies on the HTTPS origin that publishes the DID document. A Service that accepts an Agent's did:web identity trusts the corresponding web origin to publish the correct verification method.¶
Services MUST reject did:web client assertions when the resolved DID document does not contain the verification method referenced by kid, when the verification method cannot validate the selected JOSE algorithm, or when the JWT signature does not verify.¶
Services SHOULD cache DID documents for operational stability but MUST ensure that cache lifetimes do not prevent timely key replacement after compromise.¶
A did:web Agent identity can be correlatable if the same DID is reused across Services. Platforms or Agent operators that require unlinkability SHOULD use a distinct did:web URI and signing key per Service enrollment.¶
The URI path component SHOULD be opaque and SHOULD NOT reveal the Agent's master identity, account identifier, or target Service.¶