| Internet-Draft | TRIP | February 2026 |
| Ayerbe | Expires 5 August 2026 | [Page] |
This document specifies the Trajectory-based Recognition of Identity Proof (TRIP) protocol, a decentralized mechanism for establishing claims of physical-world presence through cryptographically signed, spatially quantized location attestations called "breadcrumbs." Breadcrumbs are chained into an append-only log, bundled into verifiable epochs, and distilled into a Trajectory Identity Token (TIT) that serves as a persistent pseudonymous identifier. Trust in a TIT accumulates through spatiotemporal diversity of the underlying trajectory rather than through biometric capture or centralized credential issuance. TRIP is designed to be transport-agnostic and operates independently of any particular naming system, blockchain, or application layer.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Conventional approaches to proving that an online actor corresponds to a physical human being rely on biometric capture, government-issued documents, or knowledge-based challenges. Each technique introduces a centralized trust anchor, creates honeypots of personally identifiable information (PII), and is susceptible to replay or deepfake attacks.¶
TRIP takes a fundamentally different approach: it treats sustained physical movement through the real world as evidence of embodied existence. A TRIP-enabled device periodically records its position as a "breadcrumb"--a compact, privacy- preserving, cryptographically signed attestation that the holder of a specific Ed25519 key pair was present in a particular spatial cell at a particular time. An adversary who controls only digital infrastructure cannot fabricate a plausible trajectory because doing so requires controlling radio-frequency environments (GPS, Wi-Fi, cellular, IMU) at many geographic locations over extended periods.¶
This document specifies the data structures, algorithms, and verification procedures that constitute the TRIP protocol. It intentionally omits transport bindings, naming-system integration, and blockchain anchoring, all of which are expected to be addressed in companion specifications.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
TRIP defines three layers of abstraction:¶
All cryptographic operations use Ed25519 [RFC8032] for signing and SHA-256 [RFC6234] for hashing. Spatial coordinates are quantized to the H3 hexagonal grid system before any storage or transmission.¶
A TRIP identity is an Ed25519 key pair. The 32-byte public key is the identity. There is no registration authority; any entity capable of generating a valid Ed25519 key pair MAY participate in the protocol. The private key MUST be stored in a secure enclave or hardware-backed keystore and MUST NOT leave the originating device.¶
A single physical entity MAY maintain multiple TRIP identities. The protocol makes no attempt to link multiple identities to a single entity; such linkage is explicitly a non-goal.¶
The Trajectory Identity Token is a compact, deterministic identifier derived from the identity key and the genesis breadcrumb. It serves as a persistent pseudonym that is shorter than a full public key yet remains cryptographically bound to both the key and its origin point.¶
tit_input = identity_public_key || BreadcrumbHash(genesis) tit_full = SHA-256(tit_input) TIT = tit_full[0..15] // first 16 bytes (128 bits)
The TIT is 16 bytes (128 bits). Implementations SHOULD represent TITs as 32-character lowercase hexadecimal strings for display and interchange.¶
A TIT is immutable once computed. If an entity wishes to start a new trajectory (e.g., after key compromise), it MUST generate a new key pair, which will produce a new TIT. No mechanism exists within TRIP to link old and new TITs; such linkage is a higher-layer concern.¶
An epoch aggregates a contiguous range of breadcrumbs into a single verifiable unit. Epochs enable efficient verification: a verifier can check the epoch Merkle root and signature without examining every individual breadcrumb.¶
| Key | CBOR Label | Type | Description |
|---|---|---|---|
| epoch_index | 1 | uint | Zero-based epoch sequence number |
| identity | 2 | bstr | Ed25519 public key (32 bytes) |
| start_time | 3 | tag(1) | Timestamp of first breadcrumb in epoch |
| end_time | 4 | tag(1) | Timestamp of last breadcrumb in epoch |
| start_index | 5 | uint | Breadcrumb index of first entry |
| end_index | 6 | uint | Breadcrumb index of last entry |
| merkle_root | 7 | bstr | SHA-256 Merkle root of breadcrumb hashes (32 bytes) |
| count | 8 | uint | Number of breadcrumbs in epoch |
| previous_epoch | 9 | bstr / null | Hash of preceding epoch, or null for first epoch |
| signature | 10 | bstr | Ed25519 signature over fields 1-9 (64 bytes) |
The Merkle tree is a binary tree constructed from the breadcrumb hashes within the epoch. Leaves are the SHA-256 hashes of individual breadcrumbs. Internal nodes are computed as SHA-256(left_child || right_child). If the number of leaves is odd, the last leaf is duplicated.¶
MerkleRoot
/ \
H(AB) H(CD)
/ \ / \
H(B0) H(B1) H(B2) H(B3)
where H(Bn) = BreadcrumbHash(breadcrumb_n) and H(AB) = SHA-256(H(B0) || H(B1)).¶
A producer SHOULD bundle an epoch when the number of unbundled breadcrumbs reaches or exceeds 100. Implementations MAY use a different threshold but MUST NOT create epochs with fewer than 10 breadcrumbs (except for the final epoch if the trajectory is being closed).¶
Epochs MUST be sequential and contiguous: epoch N+1 MUST begin at the breadcrumb immediately following the last breadcrumb of epoch N. No breadcrumb may belong to more than one epoch, and no breadcrumb may be omitted from an epoch.¶
TRIP trust reflects the difficulty of fabricating a trajectory. A trajectory that visits many distinct spatial cells over a long duration is harder to fake than one confined to a small area or short time span. The trust model quantifies this intuition through three components: trajectory density, spatial diversity, and temporal decay.¶
The trust score T for a trajectory is computed using a Parisi percolation model [PARISI]:¶
T = D(t) * S * k_percolation
where:
D(t) = exp(-(t - t_last)^2 / (2 * tau^2))
Gaussian temporal decay function
t = current time
t_last = timestamp of most recent breadcrumb
tau = decay half-life (RECOMMENDED: 30 days)
S = unique_cells / total_breadcrumbs
Spatial diversity ratio (0.0 to 1.0)
unique_cells = count of distinct H3 cells visited
k_percolation = min(breadcrumb_count / 100.0, k_max)
Parisi percolation factor [PARISI]
k_max = 7 (RECOMMENDED)
A verifier MAY apply additional weighting factors (e.g., context digest richness, geographic spread) but MUST compute at least the base trust score defined above for interoperability.¶
TRIP does not mandate specific trust thresholds for application-level decisions. However, the following reference thresholds are RECOMMENDED for interoperability:¶
| Level | Min. Score | Min. Breadcrumbs | Typical Use |
|---|---|---|---|
| anonymous | 0 | 0 | Key pair exists, no trajectory |
| emerging | 0.5 | 50 | Read-only access, limited API |
| established | 1.0 | 100 | Handle claiming, messaging |
| trusted | 3.0 | 300 | Financial operations, publishing |
| sovereign | 5.0 | 500+ | Full protocol participation |
A verifier MUST perform the following checks on each epoch:¶
To verify a claimed TIT, a verifier MUST:¶
TRIP messages MUST be encoded using CBOR [RFC8949]. The canonical encoding follows the deterministic CBOR rules specified in Section 4.2 of [RFC8949]:¶
Implementations that also support JSON interchange (e.g., for debugging or logging) SHOULD use the following canonical JSON rules: keys sorted alphabetically, numbers normalized (integers where possible), and no trailing whitespace.¶
The following CDDL [RFC8610] defines the TRIP data structures:¶
; TRIP Protocol CDDL Schema
breadcrumb = {
1 => uint, ; index
2 => bstr .size 32, ; identity (Ed25519 public key)
3 => #6.1(number), ; timestamp (epoch seconds)
4 => uint, ; cell (H3 index)
5 => uint .le 15, ; resolution (0-15)
6 => bstr .size 32, ; context digest (SHA-256)
7 => bstr .size 32 / nil, ; previous hash or null
? 8 => meta-map, ; optional metadata
9 => bstr .size 64, ; signature (Ed25519)
}
meta-map = {
? "battery" => uint .le 100,
? "accuracy" => float,
? "network" => tstr,
? "entity_class" => entity-class,
? "manual" => bool,
* tstr => any,
}
entity-class = "human" / "vehicle" / "drone" / "anchor"
epoch = {
1 => uint, ; epoch_index
2 => bstr .size 32, ; identity
3 => #6.1(number), ; start_time
4 => #6.1(number), ; end_time
5 => uint, ; start_index
6 => uint, ; end_index
7 => bstr .size 32, ; merkle_root
8 => uint, ; count
9 => bstr .size 32 / nil, ; previous_epoch hash or null
10 => bstr .size 64, ; signature
}
trajectory-identity-token = bstr .size 16
¶
TRIP assumes the following threat model:¶
This specification mandates Ed25519 for signatures and SHA-256 for hashing. Future versions of TRIP MAY introduce algorithm negotiation. Implementations SHOULD be designed to allow algorithm substitution without protocol-level changes.¶
The monotonically increasing index and the chaining via the "previous" hash field provide replay protection within a single trajectory. A replayed breadcrumb will fail the chain integrity check. Cross-trajectory replay (using breadcrumbs from identity A in a trajectory of identity B) will fail signature verification.¶
An attacker can generate large numbers of breadcrumbs to consume verifier resources. Verifiers SHOULD rate-limit breadcrumb submission per identity and MAY require a minimum trust score before accepting further breadcrumbs for resource-intensive operations.¶
TRIP's primary privacy mechanism is H3 quantization. By design, a breadcrumb reveals only that the producer was within a hexagonal cell of known area--not the precise GPS coordinates. At the default resolution 10, each cell covers approximately 15,000 square meters (0.015 km2), providing meaningful location privacy in urban environments.¶
Implementations MUST NOT store raw GPS coordinates after H3 quantization. Implementations SHOULD provide users with the ability to choose their preferred resolution level, understanding that lower resolutions (larger cells) provide more privacy at the cost of reduced trust accumulation rate.¶
A trajectory is intrinsically linkable: all breadcrumbs share the same identity key. This is by design, as trust accumulation requires identity continuity. However, a user who desires unlinkability across contexts MAY maintain separate TRIP identities (key pairs) for separate contexts.¶
Verifiers SHOULD disclose their data retention policies. Breadcrumbs presented for verification need not be stored by the verifier after trust computation.¶
The context digest is a one-way hash. Wi-Fi BSSIDs, cell tower IDs, and IMU readings cannot be recovered from the digest. However, an attacker who knows the Wi-Fi environment at a specific location and time could reconstruct the digest and confirm the producer's presence. This is a known acceptable trade-off: the digest provides corroboration, not concealment.¶
This document has no IANA actions at this time. A future revision may request:¶
The following is a JSON representation of a breadcrumb for illustration. The canonical wire format is CBOR as specified in Section 8.¶
{
"index": 42,
"identity": "3b6a27bcceb6a42d62a3a8d02a6f0d73...",
"timestamp": "2026-01-15T14:32:10Z",
"cell": "8a2a1072b59ffff",
"resolution": 10,
"context": "e3b0c44298fc1c149afbf4c8996fb924...",
"previous": "a7ffc6f8bf1ed766...previous_hash...",
"meta": {
"battery": 72,
"accuracy": 8.5,
"network": "wifi",
"entity_class": "human",
"manual": false
},
"signature": "9d61b19deffd5a60ba844af49...sig..."
}
¶
The H3 system was selected over alternatives (S2, Geohash, Plus Codes) for several reasons: uniform cell area at each resolution level (hexagons tile more evenly than rectangles), hierarchical parent-child relationships enabling multi-resolution disclosure, efficient neighbor computation for velocity checking, and open-source availability with well-maintained libraries across platforms.¶
CBOR provides deterministic encoding essential for reproducible signature computation, compact binary representation suitable for constrained devices and bandwidth-limited networks, and native byte string support for cryptographic material. JSON remains useful for debugging and human-readable interchange but lacks deterministic encoding rules.¶
Biometric systems capture immutable characteristics (fingerprints, iris, face). Once compromised, the credential cannot be rotated. Biometric databases are high-value targets. Deepfake technology increasingly undermines facial recognition. In contrast, a trajectory is: continuously renewable (new movement generates new evidence), inherently distributed (no central biometric database), resistant to digital fabrication (requires physical presence in the real world), and privacy- preserving by design (quantized spatial cells, not raw coordinates).¶
The TRIP protocol builds upon foundational work in cryptographic identity systems, geospatial indexing, and percolation theory. The author thanks the contributors to the H3 geospatial system, the Ed25519 specification authors, and the broader IETF community for establishing the standards that TRIP builds upon.¶