Summary
HDP hop records require agent_id: string but place no constraints on what that string represents. Ephemeral agents (serverless functions, short-lived containers, model instances with no stable identity) have no meaningful stable ID to provide. The spec gives no guidance, leading to random UUIDs that are useless for audit.
The gap
Two distinct sub-cases:
| Case | Current workaround | Problem |
|---|---|---|
| Ephemeral agent with no stable identity | agent_id: "lambda-abc123" (random) | Not auditable, not correlatable |
| Anonymous-but-accountable agent | No mechanism | Accountability impossible |
Proposed resolution (targeting §-01 of the IETF draft)
Add agent_id_type to hop records, mirroring principal.id_type:
agent_id_type: "stable" | "ephemeral" | "commitment"
- stable — persistent identifier, current default behavior
- ephemeral — declared transient; agent_id is a run-scoped nonce; verifiers MUST NOT use it for identity correlation
- commitment — agent_id is base64url(SHA-256(ephemeral_public_key || session_id)); the agent generates an Ed25519 keypair per session, signs its hop with the ephemeral private key, and includes agent_pub (the ephemeral public key) in the hop record
The commitment scheme provides anonymous-but-accountable participation: the hop is cryptographically bound to a key the agent controls, without revealing a stable identity across sessions.
Target
- IETF draft §-01 (update §5 hop record schema)
- v0.2 of @helixar_ai/hdp (additive, non-breaking — agent_id_type defaults to "stable")
Related
- CoAuthorizationRequest v0.2 preview — both are v0.2 scope items
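A sketch of how an agent could build a commitment hop and how a verifier could check it, added here as an illustration and not taken from the @helixar_ai/hdp code base or the draft. Assumptions: session_id is hashed as UTF-8 bytes, agent_pub is the raw 32-byte key in base64url, and the `action` and `signature` fields and the signed byte layout are hypothetical, since the proposal does not define them.

```javascript
// Added example, not project code. Only agent_id, agent_id_type and agent_pub
// come from the proposal; `action`, `signature` and the signed layout are assumptions.
const nodeCrypto = require("node:crypto");

// Fixed 12-byte SPKI DER prefix for Ed25519; the raw key is the 32 bytes after it.
const SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
const rawPub = (keyObj) => keyObj.export({ type: "spki", format: "der" }).subarray(-32);

// agent_id = base64url(SHA-256(ephemeral_public_key || session_id))
function commitmentId(pubRaw, sessionId) {
  return nodeCrypto.createHash("sha256")
    .update(pubRaw)
    .update(Buffer.from(sessionId, "utf8")) // assumption: session_id as UTF-8 bytes
    .digest("base64url");
}

// Assumption: the signature covers the session and every identity field of the hop.
const signedBytes = (hop, sessionId) => Buffer.from(JSON.stringify(
  [sessionId, hop.agent_id_type, hop.agent_id, hop.agent_pub, hop.action]));

function createCommitmentHop(sessionId, action) {
  // One fresh keypair per session, so agent_id cannot be linked across sessions.
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const pub = rawPub(publicKey);
  const hop = { agent_id_type: "commitment", agent_id: commitmentId(pub, sessionId),
                agent_pub: pub.toString("base64url"), action };
  hop.signature = nodeCrypto.sign(null, signedBytes(hop, sessionId), privateKey)
    .toString("base64url");
  return hop;
}

function verifyCommitmentHop(hop, sessionId) {
  if (hop.agent_id_type !== "commitment") return { ok: false, reason: "not a commitment hop" };
  const pub = Buffer.from(String(hop.agent_pub), "base64url");
  if (pub.length !== 32) return { ok: false, reason: "agent_pub is not a 32-byte key" };
  // Step 1: agent_id must commit to exactly this key in exactly this session.
  if (commitmentId(pub, sessionId) !== hop.agent_id)
    return { ok: false, reason: "agent_id does not match commitment" };
  // Step 2: the hop must be signed by the committed key.
  const key = nodeCrypto.createPublicKey(
    { key: Buffer.concat([SPKI_PREFIX, pub]), format: "der", type: "spki" });
  const sig = Buffer.from(String(hop.signature), "base64url");
  return nodeCrypto.verify(null, signedBytes(hop, sessionId), key, sig)
    ? { ok: true } : { ok: false, reason: "bad signature" };
}
```

Both checks are needed: the hash check alone lets anyone copy a published agent_pub and agent_id into a forged hop, and the signature check alone lets a hop carry an agent_id unrelated to its key.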