Hi,

I've submitted an individual draft on human delegation provenance for
agentic AI systems:

Title: Human Delegation Provenance Protocol (HDP)
Draft: draft-helixar-hdp-agentic-delegation-00
URL: https://datatracker.ietf.org/doc/draft-helixar-hdp-agentic-delegation/

Problem Statement

Agentic AI systems act on behalf of humans, often delegating tasks
through chains of AI agents. There is currently no standard mechanism
to record who authorized an action, under what scope, and through what
delegation chain, in a way that is verifiable without a central
registry or third-party trust anchor.

What HDP Does

HDP defines a token that:

- Records the authorizing human, declared scope, and session binding
  at issuance
- Accumulates a cryptographically signed hop record for each agent
  that handles the token
- Allows any recipient to verify the full chain using only the
  issuer's Ed25519 public key and the session identifier

Verification is fully offline. No registry lookup, no network call,
and no third-party contact is required at any step.

Relationship to Existing Work

draft-haberkamp-ipp-00 (Intent Provenance Protocol) addresses the same
problem. The key architectural differences are documented in Section 9
of the draft:

- Revocation model: IPP requires polling a central registry. HDP
  uses short-lived tokens with session_id binding, no registry
  required.
- Trust anchor: IPP tokens are cryptographically anchored to the
  spec author's founding key. HDP tokens are self-contained, no
  third-party key in the trust chain.
- Identity model: IPP mandates W3C DIDs. HDP supports opaque IDs,
  email, and DIDs, with DID infrastructure optional.

These are design trade-offs, not defects. The draft presents both
protocols neutrally in Section 9.

Reference Implementation

A TypeScript reference implementation is available at:
https://github.com/Helixar-AI/HDP

I welcome feedback on the protocol design, the comparison with IPP,
and whether RATS or OAuth is the more appropriate venue for this work.

Best regards,
Siri,
Helixar Limited
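
The offline check described under "What HDP Does", sketched in Node.js as an added example; it is not taken from the draft or from the Helixar reference implementation. The token layout, field names and result strings are hypothetical, and it assumes every signature in the token verifies under the issuer's Ed25519 key, since the message names that key as the only one a verifier needs.

```javascript
// Hypothetical token layout for illustration; NOT the HDP wire format from the draft.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Serialise with a fixed field order (objects below are always built in the same order).
const enc = (obj) => Buffer.from(JSON.stringify(obj));

// Issuance: one signature covers the human, the declared scope, the session binding and expiry.
function issue(privateKey, { human, scope, sessionId, expiresAt }) {
  const header = { human, scope, sessionId, expiresAt };
  return { header, sig: sign(null, enc(header), privateKey).toString("base64"), hops: [] };
}

// Each hop record signs the previous signature, so records cannot be dropped or reordered.
function addHop(privateKey, token, agent) {
  const prev = token.hops.length ? token.hops[token.hops.length - 1].sig : token.sig;
  const record = { seq: token.hops.length + 1, agent, prev };
  const sig = sign(null, enc(record), privateKey).toString("base64");
  return { ...token, hops: [...token.hops, { ...record, sig }] };
}

// Offline verification: inputs are the issuer public key, the expected session id and a clock.
function verifyToken(publicKey, token, expectedSessionId, now) {
  const ok = (obj, sig) => verify(null, enc(obj), publicKey, Buffer.from(sig, "base64"));
  const h = token.header;
  const signedHeader = { human: h.human, scope: h.scope, sessionId: h.sessionId, expiresAt: h.expiresAt };
  if (!ok(signedHeader, token.sig)) return "bad-issuer-signature";
  if (h.sessionId !== expectedSessionId) return "session-mismatch"; // replay in another session
  if (now >= h.expiresAt) return "expired"; // short lifetime stands in for revocation
  let prev = token.sig;
  for (const [i, hop] of token.hops.entries()) {
    if (hop.seq !== i + 1 || hop.prev !== prev) return "broken-chain";
    if (!ok({ seq: hop.seq, agent: hop.agent, prev: hop.prev }, hop.sig)) return "bad-hop-signature";
    prev = hop.sig;
  }
  return "ok";
}

// Constructed sample data: a throwaway key pair, a 300-second token and two hops.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const T0 = 1_700_000_000;
let token = issue(privateKey, {
  human: "alice@example.com", scope: ["calendar:read"], sessionId: "sess-1", expiresAt: T0 + 300,
});
token = addHop(privateKey, token, "planner-agent");
token = addHop(privateKey, token, "calendar-agent");
console.log(verifyToken(publicKey, token, "sess-1", T0));
```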