[Proposal] SAIP: Signed Agent Identity Protocol - Addressing User-Agent Spoofing

Hello HTTP Working Group,
My name is Srećko Jovančević, a systems expert and IT strategist. I have been analyzing the increasing gap in network accountability caused by the triviality of User-Agent spoofing in the modern AI-driven web ecosystem.
Current mechanisms (RFC 7231) rely on self-reported strings, which are no longer sufficient for distinguishing between legitimate automated agents and malicious actors. This leads to inefficient IP-based blocking and significant "collateral damage" for innocent users.
I am proposing a lightweight extension called SAIP (Signed Agent Identity Protocol).
Key Architectural Points:

  1. Cryptographic Identity: Moving from "strings" to HMAC-SHA256 signatures at the application layer.
  2. Rolling Key Derivation (RKDF): Utilizing sequence-based rolling keys to provide forward secrecy and prevent replay attacks.
  3. Instance Isolation: A hierarchical model that identifies specific software instances, allowing servers to mitigate abuse without blacklisting entire vendors or IP ranges.
  4. KISS Principle: Designed to be opt-in and backward compatible with existing HTTP/1.1+ infrastructures.

I have started a reference implementation and a preliminary specification (Project Genesis) to demonstrate the feasibility of hardware-backed (TPM) identity integration.
Project Link & Concept: https://github.com/sreckojovancevic/Project-Genesis
I would appreciate any initial feedback or guidance on moving this toward a formal Internet-Draft (I-D). Is there an interest within this group to discuss verifiable agent identities as an HTTP extension?
Best regards,



Coordinator of the ICT Support Unit

Stalna konferencija gradova i opstina / Standing Conference of Towns and Municipalities

Makedonska 22, 11000 Belgrade

Tel. +381 11 3223 446

Fax. +381 11 3221 215

Mob: +381 64 870 3312

E-mail to: srecko.jovancevic@skgo.org

Web: www.skgo.org




Received on Monday, 30 March 2026 18:35:42 UTC
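
Added example, not part of the original message and not code from Project Genesis: one possible reading of points 1 to 3 of the proposal, showing a per-instance HMAC-SHA256 tag checked against a sequence-indexed rolling key so that a replayed or altered request fails. The ratchet construction, the signed fields, the `saip-roll` label, `MAX_SKIP` and the class names are all assumptions, since the message does not define them.

```python
import hashlib
import hmac
import json

def next_key(key: bytes) -> bytes:
    # Assumed one-way ratchet: K[n+1] = HMAC-SHA256(K[n], "saip-roll").
    # Knowing K[n+1] does not reveal K[n].
    return hmac.new(key, b"saip-roll", hashlib.sha256).digest()

def sign(key: bytes, instance_id: str, seq: int, method: str, path: str) -> str:
    # JSON array encoding keeps field boundaries unambiguous (assumed format).
    msg = json.dumps([instance_id, seq, method, path]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Agent:
    def __init__(self, instance_id: str, seed: bytes):
        self.instance_id, self.key, self.seq = instance_id, seed, 0

    def request(self, method: str, path: str):
        tag = sign(self.key, self.instance_id, self.seq, method, path)
        out = (self.instance_id, self.seq, method, path, tag)
        self.key, self.seq = next_key(self.key), self.seq + 1  # roll forward
        return out

class Verifier:
    MAX_SKIP = 8  # assumed tolerance for lost requests

    def __init__(self):
        self.state = {}  # instance_id -> (next expected seq, key for that seq)

    def enroll(self, instance_id: str, seed: bytes):
        self.state[instance_id] = (0, seed)

    def verify(self, instance_id, seq, method, path, tag) -> bool:
        if instance_id not in self.state:
            return False  # unknown instance
        expected, key = self.state[instance_id]
        if seq < expected or seq - expected > self.MAX_SKIP:
            return False  # replayed/stale sequence, or too far ahead
        for _ in range(seq - expected):
            key = next_key(key)  # catch up over skipped sequence numbers
        if not hmac.compare_digest(sign(key, instance_id, seq, method, path), tag):
            return False  # bad tag: state is left untouched
        self.state[instance_id] = (seq + 1, next_key(key))
        return True
```

State is tracked per instance identifier, so a verifier can drop one misbehaving instance's entry without affecting others.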