Re: [Proposal] SAIP: Signed Agent Identity Protocol - Addressing User-Agent Spoofing

Hello Srecko,


It looks like your proposal has at least some overlap with what the 
web-bot-auth WG is looking into. And there is an upcoming interim. 
Please see https://mailarchive.ietf.org/arch/browse/web-bot-auth/.

Regards,   Martin.

On 2026-03-30 16:37, Srecko Jovancevic wrote:
> Hello HTTP Working Group,
> My name is Srećko Jovančević, a systems expert and IT strategist. I have been analyzing the increasing gap in network accountability caused by the triviality of User-Agent spoofing in the modern AI-driven web ecosystem.
> Current mechanisms (RFC 7231) rely on self-reported strings, which are no longer sufficient for distinguishing between legitimate automated agents and malicious actors. This leads to inefficient IP-based blocking and significant "collateral damage" for innocent users.
> I am proposing a lightweight extension called SAIP (Signed Agent Identity Protocol).
> Key Architectural Points:
> 
>    1. Cryptographic Identity: Moving from "strings" to HMAC-SHA256 signatures at the application layer.
>    2. Rolling Key Derivation (RKDF): Utilizing sequence-based rolling keys to provide forward secrecy and prevent replay attacks.
>    3. Instance Isolation: A hierarchical model that identifies specific software instances, allowing servers to mitigate abuse without blacklisting entire vendors or IP ranges.
>    4. KISS Principle: Designed to be opt-in and backward compatible with existing HTTP/1.1+ infrastructures.
> 
> I have started a reference implementation and a preliminary specification (Project Genesis) to demonstrate the feasibility of hardware-backed (TPM) identity integration.
> Project Link & Concept: https://github.com/sreckojovancevic/Project-Genesis
> I would appreciate any initial feedback or guidance on moving this toward a formal Internet-Draft (I-D). Is there an interest within this group to discuss verifiable agent identities as an HTTP extension?
> Best regards,
> 
> Coordinator of the ICT Support Unit
> Stalna konferencija gradova i opstina / Standing Conference of Towns and Municipalities
> Makedonska 22, 11000 Belgrade
> Tel. +381 11 3223 446
> Fax. +381 11 3221 215
> Mob: +381 64 870 3312
> E-mail to: srecko.jovancevic@skgo.org
> Web: www.skgo.org

Received on Tuesday, 31 March 2026 02:03:55 UTC
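
The HMAC-SHA256 signing with sequence-based rolling keys that the quoted proposal describes can be sketched as follows. This is an added example, not code from the thread, from Project Genesis or from the web-bot-auth WG. The field layout, the "ratchet" label, the header dictionary, the MAX_SKIP window and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_SKIP = 8  # assumed tolerance for requests lost in transit

def ratchet(key: bytes) -> bytes:
    """One-way step to the next key; earlier keys cannot be derived from later ones."""
    return hmac.new(key, b"ratchet", hashlib.sha256).digest()

def sign(key: bytes, seq: int, method: str, path: str, agent: str) -> str:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    fields = [str(seq).encode(), method.encode(), path.encode(), agent.encode()]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Agent:
    def __init__(self, root_key: bytes, agent_id: str):
        self.key, self.seq, self.agent_id = root_key, 0, agent_id

    def request(self, method: str, path: str) -> dict:
        hdr = {"agent": self.agent_id, "seq": self.seq,
               "tag": sign(self.key, self.seq, method, path, self.agent_id)}
        self.key, self.seq = ratchet(self.key), self.seq + 1  # old key is discarded
        return hdr

class Verifier:
    def __init__(self, root_key: bytes):
        self.key, self.seq = root_key, 0  # next expected sequence number

    def verify(self, method: str, path: str, hdr: dict) -> bool:
        seq = hdr.get("seq")
        if not isinstance(seq, int) or not self.seq <= seq <= self.seq + MAX_SKIP:
            return False  # replayed, stale, malformed, or too far ahead
        key = self.key
        for _ in range(seq - self.seq):  # catch up over skipped sequence numbers
            key = ratchet(key)
        expected = sign(key, seq, method, path, str(hdr.get("agent")))
        if not hmac.compare_digest(expected.encode(), str(hdr.get("tag")).encode()):
            return False  # state is left untouched on failure
        self.key, self.seq = ratchet(key), seq + 1
        return True
```

Because HMAC is symmetric, the verifier in this sketch must hold the same per-instance root key as the agent, and a request that arrives after a later sequence number has been accepted is rejected.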