draft-kya-credentials-01

CREDENTIALS

Verifiable credentials for AI agents.
VC-JWT format.
Ed25519 signatures.

1. Credential Structure

W3C Verifiable Credentials encoded as JWT. Compact, verifiable, transport-agnostic.

eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.
eyJpc3MiOiJkaWQ6a2V5Ono2TWsuLi4iLCJzdWIiOiJkaWQ6a2V5Ono2TWsuLi4iLCJ2YyI6e319.
signature...

2. Payload

{
  "iss": "did:key:z6Mk...",  // Issuer DID
  "sub": "did:key:z6Mk...",  // Subject (agent) DID
  "iat": 1735689600,         // Issued at
  "exp": 1767225600,         // Expires
  "vc": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://kya-os.ai/credentials/v1"
    ],
    "type": ["VerifiableCredential", "AgentCredential"],
    "credentialSubject": {
      "id": "did:key:z6Mk...",
      "capabilities": ["calendar:read", "email:send"],
      "constraints": {
        "maxDuration": 3600,
        "allowedOrigins": ["https://app.example.com"]
      }
    }
  }
}

3. Verification

Steps to verify a credential:

1. Parse JWT
2. Resolve issuer DID → public key
3. Verify Ed25519 signature
4. Check expiration (exp claim)
5. Validate credential structure
6. Check revocation status (optional)

4. Revocation

Status List 2021 for efficient revocation.
Bitstring stored at issuer-controlled URL.
Privacy-preserving: no per-credential lookup.

"credentialStatus": {
  "id": "https://issuer.example/status/1#94567",
  "type": "StatusList2021Entry",
  "statusPurpose": "revocation",
  "statusListIndex": "94567",
  "statusListCredential": "https://issuer.example/status/1"
}
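
The revocation check (step 6 of Verification) against the credentialStatus entry above, as an added example that is not part of the draft or of any KYA-OS code. It assumes the StatusList2021 conventions that encodedList is a GZIP-compressed, base64-encoded bitstring with index 0 at the left-most bit, and that the status list credential's own signature has already been verified; `encode_list`, `is_revoked` and the sample data are constructed for illustration.

```python
import base64
import gzip

MIN_BITS = 16 * 1024 * 8  # StatusList2021 minimum uncompressed size: 16 KB


def encode_list(revoked, size=MIN_BITS):
    """Issuer side (demo helper): bitstring with the given indices set."""
    bits = bytearray(size // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)  # index 0 is the left-most bit
    return base64.urlsafe_b64encode(gzip.compress(bytes(bits))).rstrip(b"=").decode()


def is_revoked(entry, list_cred):
    """Verifier side: True if the credential's bit is set. Raises ValueError,
    which a verifier should treat as failure, when entry and list disagree.
    Assumes list_cred's own signature was already verified."""
    subject = list_cred["credentialSubject"]
    if entry.get("type") != "StatusList2021Entry":
        raise ValueError("unsupported credentialStatus type")
    if list_cred.get("id") != entry["statusListCredential"]:
        raise ValueError("status list id mismatch")
    if subject.get("statusPurpose") != entry["statusPurpose"]:
        raise ValueError("statusPurpose mismatch")
    index = int(entry["statusListIndex"])  # carried as a string
    enc = subject["encodedList"].replace("+", "-").replace("/", "_")
    bits = gzip.decompress(base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)))
    if not 0 <= index < len(bits) * 8:
        raise ValueError("statusListIndex out of range")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


# Constructed sample: the credentialStatus entry from this section, and a
# status list credential in which only index 94567 is revoked.
ENTRY = {
    "id": "https://issuer.example/status/1#94567",
    "type": "StatusList2021Entry", "statusPurpose": "revocation",
    "statusListIndex": "94567",
    "statusListCredential": "https://issuer.example/status/1",
}
LIST_CRED = {
    "id": "https://issuer.example/status/1",
    "credentialSubject": {"type": "StatusList2021", "statusPurpose": "revocation",
                          "encodedList": encode_list({94567})},
}

if __name__ == "__main__":
    print(is_revoked(ENTRY, LIST_CRED))
```

The verifier fetches the whole list and tests one bit locally, so the issuer never learns which credential is being checked.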

5. Issuance

Credentials issued by trusted parties:
- Operators (for their agents)
- Certificate authorities
- Governance bodies
- Self-issued (with limited scope)
