Trust Levels L0–L3
ARIA defines four trust levels providing graduated identity assurance — from cryptographic self-service to government-verified legal entity. Every level is post-quantum. DNS anchoring begins at L1. Behind every level: a human authorized this agent.
Overview
| Level | Name | Verification | Automated | Key Use Cases | |-------|------|-------------|-----------|---------------| | L0 | Anchored | DID + keypair | Yes | Internal tooling, development, testing | | L1 | Identified | DNS-anchored | Yes | External agents, support bots, assistants | | L2 | Certified | DNS-over-HTTPS (DoH) | Yes | B2B commerce, data access, procurement | | L3 | Sovereign | Legal docs + admin approval | Semi | Finance, healthcare, regulated contracts |
L0: Anchored — LIVE
Verification: Cryptographic identity. Self-service. No DNS required.
DID + keypair generation. The cryptographic entry point.
366 days · FREE · 5 AIDs · IAL1 · Self-signed equivalent
Use cases: Internal tooling, development, testing, low-stakes automation.
L1: Identified — COMING SOON
Verification: DNS-anchored. Email-verified principal. An identified person controls this agent.
The credential is bound to a domain the principal controls. Starting at L1, every credential is anchored to a DNS TXT record — the same infrastructure that has governed the internet for 40 years. The registry validates the registrant's email before issuing the AID.
366 days · 10 AIDs · IAL1 · Domain-Validated equivalent
Note: At L1, principal.legalName is self-declared by the registrant and not checked against any external registry. Verifiers requiring verified organizational identity must consult principal.verificationStatus and require registry-confirmed (L2) or legal-verified (L3).
Use cases: External-facing agents, customer support bots, assistants.
L2: Certified — COMING SOON
Verification: Organization verified via DoH. vLEI-compatible.
Domain ownership confirmed via DNS-over-HTTPS. GLEIF LEI accepted as organizational attestation.
200 days (CA/B SC-081v3) · 25 AIDs · IAL2 · Extended Validation equivalent
Use cases: B2B commerce, data access, procurement, production APIs.
L3: Sovereign — COMING SOON
Verification: Legal entity. Government registry. HSM.
Legal entity verified against government business registry. Admin approval required. vLEI + Qualified vLEI accepted. HSM recommended for regulated industries.
180 days · 50 AIDs · 2-3 weeks · IAL3 · Beyond EV
Use cases: Financial transactions, healthcare, regulated contracts.
Trust Level Inheritance
Trust levels are hierarchical: an L3 agent also satisfies L2, L1, and L0 requirements. When an agent's trust level is upgraded, the AID is re-issued with the new trust level, and the previous AID is revoked.
Machine-Readable Verification Provenance
Every AID's principal block carries a verificationStatus field (AID schema v1.1, required) so
that verifiers can act programmatically on identity provenance without having to interpret the
trust level:
| Level | principal.verificationStatus | What it means |
|-------|-------------------------------|----------------|
| L0 | self-declared | Registrant-asserted, no external check |
| L1 | self-declared | Registrant-asserted (DNS proves domain control, not org identity) |
| L2 | registry-confirmed | Cross-checked against an authoritative registry (e.g. GLEIF LEI) |
| L3 | legal-verified | Backed by government-issued legal documents and admin review |
Verifiers requiring verified organizational identity should set min=L2 in their Agent Trust
Policy (or check verificationStatus !== "self-declared") to reject AIDs where the legal name
was self-asserted.
Requesting Verification
L0 is available now via the registry UI or API. L1–L3 are coming soon.