Re: Follow-up on last week’s discussion: Agent identity, authorization, and encrypted communication from Alan Karp on 2025-08-24 (public-agentprotocol@w3.org from August 2025)

From: Alan Karp <alanhkarp@gmail.com>
Date: Sun, 24 Aug 2025 15:35:04 -0700
To: Gaowei Chang <chgaowei@gmail.com>
Cc: public-agentprotocol@w3.org, cjphillips@gmail.com
Message-ID: <CANpA1Z0J99MoeXVBKCxcwZurb9zxgdfZnZ5GLJpcKr9ut36rDA@mail.gmail.com>

A nice writeup.  I like the way you categorize the issue.  I think you
should expand the section on agent identity.

Identity is about designating a responsible party.  (I facetiously say that
identity is only good for one thing; knowing who to throw in jail.)  An
authentication does you no good if you can't use it to hold the
authenticated party responsible for problems it causes.

When you speak to Bob at the BestBuy helpline, knowing it's Bob does you
very little good.  You need to know that Bob can speak for BestBuy on
customer support issues.  Further, Bob's identity might not be meaningful
to BestBuy if he works for a contractor.  If you call back the next day and
speak to Alice, you might ask to talk to Bob again in order to get
consistent answers.  In this case, it matters which instance of the agent
you're talking to.  Identity is tricky.

The problem is not exactly the same for AI agents.  You don't care about
the support agent's identity any more than you cared about Bob's.  The
situation is actually worse than with human agents.  If you contact the
support line the next day and  contact the same instance of the agent, you
are likely to get a completely different answer because LLMs are
non-deterministic.  The instance of the agent you're talking to matters
less.

Another issue is stability.  Human agents and non-AI software agents are
reasonably stable and deployed in modest numbers.  A stable identity makes
sense.  We expect AI agents to be spun up on demand and shut down just as
frequently.  When we start a new instance of an AI agent, does its identity
matter or is it the context it starts with or both?  Perhaps the AI agent's
identity should be the hash of its context.  That would make its identity
change as the agent interacts with people and other agents, but we could
know if it was the "same" agent on a restart.

I also like your section on authorization.  You don't actually use the word
"delegation," but you show examples of it.  There are additional use cases
that you need to consider, which I've enumerated in
https://alanhkarp.com/UseCases.pdf.

--------------
Alan Karp

On Sat, Aug 23, 2025 at 4:30 AM Gaowei Chang <chgaowei@gmail.com> wrote:

> Dear all,
>
> Last week in our regular meeting we discussed topics around *agent
> identity, authorization, and end-to-end encrypted communication*. Due to
> limited time, we weren’t able to cover everything in depth.
>
> I’ve written an article on Substack to further explore these ideas, and I
> would be very happy to continue the conversation with you:
>
> 👉 Agent identity, authorization, and encrypted communication
> <https://gaoweichang.substack.com/p/agent-identity-authorization-and>
>
> Looking forward to your thoughts and further exchange.
>
> Best regards,
> Gaowei
>

Received on Sunday, 24 August 2025 22:35:22 UTC