TrustLayer Foundation A.C.
CC-BY-4.0 + Apache 2.0
v1.0 | March 2026

TRUSTLAYER FOUNDATION A.C. · MARCH 2026

ARIA

Name: ARIA Protocol
Author: TrustLayer Foundation A.C.

Agent Registry for Identity & Authorization

Built on DNS. Post-quantum native. Open governed. Stewarded by TrustLayer Foundation A.C.

v1.0L0–L3ML-DSA + Ed25519did:aria26 SectionsNIST-2025-0035

If an AI agent sends an email on your behalf, signs a contract, or moves your money — how do you prove you authorized it? How does the person on the other end know it's real? How do you stop it if something goes wrong?

Today, you can't. There is no standard way to verify who an agent is, who authorized it, what it's allowed to do, or whether it's been revoked. Every platform invents its own answer. None of them talk to each other. None of them survive the agent crossing an organizational boundary.

ARIA is the missing layer. An open protocol that gives every AI agent a verifiable, persistent, cryptographically-signed identity — anchored to the same DNS infrastructure that has governed the internet for 40 years.

★

v1.0 — Launch version. 27 sections. Agent Trust Protocol (ATP) integrated. Trust Ledger for lifecycle events. 6 credential states. Trust Seals. CC-BY-4.0 (documentation) + Apache 2.0 (code). Validated against live implementation at api.aria.bar.

01SECTION

The Protocol

ARIA is a six-layer composable protocol. Each layer builds on proven standards. No new cryptographic primitives. No new trust infrastructure. DNS is the root.

Layer	Standard	Function
P1 Anchor	W3C DID Core / did:aria	Every agent gets a DID. Resolution: DNS TXT pointer + HTTPS AID endpoint.
P2 Certify	W3C VC Data Model 2.0	Signed, portable, independently verifiable credentials. Offline-capable.
P3 Present	ATP / OAuth 2.0 + DPoP	How credentials are presented and evaluated. ATP handshake + MCP + A2A compatible.
P4 Protect	FIPS 204/203/205 + RFC 8032	ML-DSA-65 + Ed25519 composite (AND). Post-quantum native. Sunset 2029-12-31.
P5 Revoke	StatusList 2021 + Trust Ledger	Real-time revocation. Append-only Trust Ledger. CAEP push notifications.
P6 Govern	TrustLayer Foundation A.C.	Nonprofit stewardship. Apache 2.0 + CC-BY-4.0. Anti-capture. Community governed.

ARIA gives every agent a passport. The Agent Trust Protocol (ATP, §05) is customs — the handshake that happens when the agent arrives. The Trust Ledger (§09) is the permanent record of every credential lifecycle event — issuance, renewal, suspension, revocation, expiry, tombstone.

02SECTION

Trust Levels (L0–L3)

Four levels. From free self-service to HSM-bound enterprise compliance. Each level cryptographically distinct.

ℹ

Domain neutral. ARIA works on any domain, any registrar, any TLD — .com, .org, .io, .bar, .rest, or any other. No commercial relationship with any specific registry is needed.

ℹ

vLEI integration. At L2 and L3, ARIA accepts GLEIF Legal Entity Identifiers (vLEI) as organizational attestation — inheriting GLEIF's bank-grade KYC and eliminating duplicate identity checks.

L0Anchored

Cryptographic identity. Self-service. No DNS required.

NIST IAL1 · Domain-Validated equivalent · 366 days · FREE · 5 AIDs

IAL1Domain-Validated

L1Identified

DNS-anchored and verified. An identified person controls this agent.

NIST IAL1+ · Org-Validated equivalent · 366 days · 10 AIDs

IAL1+Org-Validated

L2Certified

Organization verified via DoH. vLEI-compatible: GLEIF LEI accepted as organizational attestation.

NIST IAL2 · Extended Validation equivalent · 200 days (CA/B) · 25 AIDs

IAL2Extended Validation

L3Sovereign

Legal entity. Government registry. HSM. vLEI + Qualified vLEI accepted.

NIST IAL3 · Beyond EV · 180 days · 50 AIDs · 2-3 weeks

IAL3Beyond EV

Level	Requirements	Credential Expiry	Renewal
L0	DID + keypair generation. No DNS, no human verification. 366-day credential.	366 days	Auto
L1	L0 + DNS verification. Automatic. 366-day credential.	366 days	Auto (email)
L2	L1 + DNS-over-HTTPS. 2-day review. CA/B Forum SC-081v3 aligned.	200 days (CA/B SC-081v3)	Auto (DNS re-verify)
L3	L2 + legal docs + admin approval. 2-3 weeks. 180-day credential. HSM recommended.	180 days	Semi-auto (admin)

Behind every trust level is a question a person is asking: Can I trust this agent with my name? Can I trust it with my company? Can I trust it with my customers' data? ARIA answers with cryptographic proof.

03SECTION

DID Method: did:aria

Canonical method: did:aria. Compatibility bridge: did:web. Self-generated. Zero cost. No permission required to create.

⚠

DNS TXT pointer model. ML-DSA-65 public key = 1,952 bytes raw (~2,603 bytes base64). DNS TXT max = 255 bytes per string. ARIA uses a two-component model: (1) DNS TXT pointer containing DID, hash, and AID endpoint URL. (2) Full AID served from HTTPS endpoint.

_aria.example.com TXT record

v=ARIA1; did=did:aria:example.com:agent-alpha; hash=sha256:a1b2c3d4e5f6...; aid=https://example.com/.well-known/aria/agent-alpha.json

DID operations: CREATE (generate keypair + AID; L1+ also creates DNS TXT record at _aria.<domain>), RESOLVE (DNS TXT lookup + HTTPS fetch + hash verify + signature verify), UPDATE (new AID at same endpoint, DNS hash updated), DEACTIVATE (DNS record removed OR StatusList bit flipped).

04SECTION

The AID Document

The Agent Identity Document (AID) is ARIA's core data structure — the passport. A W3C Verifiable Credential containing everything a counterparty needs to verify an agent's identity, authorization, and intent.

ARIA defines three identity roles — analogous to DNS registrant vs. admin contact:

Role	Maps to	Description
Registrant	account_holder	Human who opens the account and accepts ToS. One registrant per account.
Principal	credentialSubject.principal	Legal entity or person in the AID. The authority behind the agent.
Account Admin	platform user	Manages AIDs day-to-day. May differ from registrant. Analogy: DNS registrant vs. admin contact.

AID v1.0 — Complete Schema

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://aria.bar/ns/v1",
    "https://w3id.org/security/data-integrity/v2"
  ],
  "type": ["VerifiableCredential", "AgentIdentityDocument"],
  "issuer": "did:aria:trustlayerfoundation.org",
  "issuanceDate": "2026-03-17T00:00:00Z",
  "expirationDate": "2026-09-13T00:00:00Z",
  "credentialSubject": {
    "id": "did:aria:example.com:commerce-agent",
    "spec_version": "1.0",
    "trustLevel": "L2",
    "domain": "example.com",
    "principal": {
      "did": "did:aria:example.com",
      "name": "Example Corp",
      "jurisdiction": "US",
      "registryRef": "EIN:12-3456789"
    },
    "delegationChain": [{
      "from": "did:aria:example.com",
      "scope": ["commerce:purchase_order:approve@v0.2"],
      "maxDepth": 4,
      "humanApprovalTriggers": ["amount>10000USD"]
    }],
    "intent": {
      "purpose": "automated-procurement",
      "context": "office-supplies-quarterly",
      "constraints": ["max_transaction:10000USD", "geo:US"],
      "dataUsage": ["dpv:TransactionManagement"],
      "retention": "P90D"
    },
    "capabilities": ["mcp:tool_call", "a2a:negotiate", "tap:present"],
    "status": {
      "type": "StatusList2021Entry",
      "statusPurpose": "revocation",
      "statusListIndex": "42",
      "statusListCredential": "https://registry.aria.bar/status/2026-Q1"
    }
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "mldsa65-ed25519-2026",
    "created": "2026-03-17T00:00:00Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:aria:trustlayerfoundation.org#key-1",
    "proofValue": "z[ML-DSA-65 + Ed25519 composite signature...]"
  }
}

05SECTION

Agent Trust Protocol (ATP)

ARIA gives agents a passport. ATP is customs.

The Agent Trust Protocol defines what happens when an AI agent presents its credentials to a receiving system. A three-phase handshake — Declare, Evaluate, Admit — that binds the agent's identity and stated intent to the receiving system's published admission policy.

ATP is to AI agent admission what DMARC (RFC 7489) is to email authentication: a DNS-published policy record that enables receiving systems to evaluate and enforce trust requirements.

Phase 1: Declare. The agent arrives carrying two payloads. Payload A is the AID — the passport. Payload B is the Intent Declaration — the customs form. A structured, machine-readable statement of WHY the agent is here. The intent declaration is cryptographically signed — making declared intent non-repudiable.

Intent Field	Required	Description
purpose	MUST	Human-readable statement of operational purpose
action_requested	MUST	ARIA scope format (e.g. commerce.read)
principal_ref	MUST	Reference to the human or organization on whose behalf the agent acts
target_resource	SHOULD	Specific resource or endpoint the agent intends to access
dataUsage	SHOULD	W3C DPV purpose categories (dpv:TransactionManagement, etc.)
retention	SHOULD	Maximum data retention duration (ISO 8601, e.g. P90D)
constraints	MAY	Self-declared operational constraints
session_id	MAY	Unique session ID for correlating multiple interactions

ℹ

Intent is ARIA's most original contribution. Scope says WHAT an agent can do. Intent says WHY it is doing it right now. Without signing, intent is a suggestion. With signing, intent is a legal instrument.

Phase 2: Evaluate. The receiving system evaluates the Declare payload against its published Agent Trust Policy (a DNS TXT record at _aria-policy.domain.com). Evaluation is deterministic. All checks local — zero added network round-trips.

Phase 3: Admit. The result is communicated via an ATP response code, queued for the Agent Interaction Log (future — see §09), and optionally reported to an aggregate endpoint.

Code	Name	Meaning
ATP-200	Admitted	Agent passed all policy checks
ATP-401	Credential invalid	AID revoked, expired, or signature fails
ATP-403	Trust insufficient	Agent trust level below policy minimum
ATP-406	Scope mismatch	Missing required scopes or carries prohibited scopes
ATP-429	Rate limited	Agent exceeded per-agent request cap
ATP-451	Intent incomplete	Intent declaration missing required fields
ATP-460	Qualifier missing	Base requirements met but conditional qualifier fails
ATP-462	Delegation too deep	Delegation chain exceeds policy maximum depth

Agent Trust Policy — the DNS record.

Agent Trust Policy — DNS TXT record

v=ATP1; min=L2; enforce=strict; req=commerce.*,invoice.*; deny=identity.represent.human; intent=purpose,principal_ref; depth=3; rate=100/hr; rua=https://bank.com/atp-reports

Enforcement modes — graduated adoption:

Mode	Behavior	Use Case
monitor	Log everything. Admit all agents. Non-compliant agents flagged but not blocked.	First deployment. Turn on the lights.
warn	Admit all agents. Non-compliant agents receive warning header + logged.	Transition phase. Training wheels.
strict	Reject non-compliant agents. ATP error response. No access.	Full enforcement. Production security.

ℹ

DMARC adoption data: Domains that launched with monitoring achieved 3x higher eventual adoption of full enforcement. Graduated enforcement is an adoption engine, not a weakness.

06SECTION

Scopes & Authorization

Format: namespace:resource:action. 8 immutable standardized actions combined dynamically with admin-defined categories and resources.

Action	Description
read	Query or retrieve data
write	Create or update data
delete	Remove data permanently
execute	Run a process or workflow
approve	Authorize a pending action
export	Extract data outside the system
subscribe	Register for ongoing notifications
delegate	Grant a subset of permissions to another agent

commerce:

purchase_orderinvoicecatalogpricingcheckoutwallettapucpspt

finance:

transactionauditreportcompliancemicropayment

communication:

emailmessagecalendarmeetinga2a

data:

generalsensitiveclassifiedaggregate

identity:

principalagentdelegationcredential

infrastructure:

dnscertificatedeploymentmonitorhsm

health:

patientclinicalconsenthipaa

legal:

contractevidencecompliancefiling

government:

procurementpermitreportregulation

robotics:

actuatorsensorsafetygeofence

⚠

Scope versioning. All scope references pin to a version: commerce:purchase_order:read@v0.2. Versions are immutable once published. Deprecation with 24-month minimum window.

07SECTION

Delegation & Human Approval

Authority flows from a human. Always. A person authorizes an agent. That agent may delegate to a sub-agent. At every hop, the chain is cryptographically signed, the scope can only narrow (never broaden), and the original human principal remains traceable. Maximum depth: 4 hops.

Graduated consent — three tiers: Pre-authorized (routine, low-risk), Categorical (approve once per category), Explicit (a human must approve this specific action). Human approval triggers are declared in the delegation chain and enforced at resolution time.

★

EU AI Act alignment. ARIA's three HITL tiers map directly to the EU AI Act Article 13 human oversight requirement. Deployers using ARIA L2+ with categorical or explicit HITL satisfy the Act's human oversight obligation by design.

08SECTION

Credential Lifecycle

A person authorizes an agent on Tuesday. On Wednesday, that person resigns. On Thursday, the agent is still acting — with nobody behind it. ARIA's answer: no agent operates without a live human chain. Every AID must designate a successor principal. On principal change, the agent is suspended pending re-authorization.

Every ARIA credential exists in exactly one of six states:

State	Meaning	Transitions	Reversible?
active	Credential valid. Agent operating normally.	Can become: suspended, revoked, expired	Starting state
suspended	Temporarily paused. Principal change, investigation, or policy violation.	Can become: active (reinstated) or revoked	Yes
revoked	Permanently invalidated. Compromise, termination, or breach.	Terminal state	No. Ever.
expired	Credential TTL exceeded. Must renew to resume.	Can become: active (after renewal)	Yes (renewal)
tombstoned	Organization dissolved or acquired. Permanent archive.	Terminal state	No
superseded	Replaced by a new credential. Old DID permanently points to new one (301 redirect pattern).	Terminal state. Pointer to successor.	No

Mandatory credential expiry: 366 days (L0/L1), 200 days (L2, per CA/B Forum SC-081v3), 180 days (L3).

⚠

EU AI Act enforcement begins August 2, 2026. The Act requires accountability but has no mechanism for multi-agent chains. ARIA's delegation chain provides exactly what the EU needs.

09SECTION

Revocation & Trust Ledger

If an agent is compromised, ARIA can kill its credentials globally in under 60 seconds. The mechanism: W3C StatusList2021 — flip one bit, the credential is revoked worldwide.

The Trust Ledger is the permanent, append-only, SHA-256 hash-chained record of every credential lifecycle event: issuance, renewal, suspension, revocation, expiry, and tombstone. 7-year minimum retention. Modeled on Certificate Transparency (RFC 9162).

A Trust Record is a single entry in the Trust Ledger. One lifecycle event, one Trust Record.

ℹ

Agent Interaction Log [PLANNED]: Per-ATP-event logging (each handshake, admission, and rejection) is a separate future system. Deferred beyond v1.0. No committed date.

★

CAEP push-based revocation: Enterprise IAM systems receive a signed Security Event Token (SET) within seconds of revocation.

10SECTION

Post-Quantum Cryptography

ARIA treats PQC as foundational. Built in from day one, not retrofitted. The Harvest-Now-Decrypt-Later (HNDL) threat makes retroactive protection critical.

Algorithm	NIST Standard	Usage	Security Level
ML-DSA-65	FIPS 204	Primary signing for all AIDs	Level 3 (AES-192)
ML-KEM-768	FIPS 203	Session key establishment	Level 3
SLH-DSA	FIPS 205	Long-lived registry records	Conservative (hash-based)
Ed25519	RFC 8032	Composite classical (AND with ML-DSA)	Classical backward compat

✖

Composite signature: mldsa65-ed25519-2026. BOTH signatures must verify (AND logic). This composite mode ends December 31, 2029. After this date: ML-DSA-only credentials required. Hard protocol sunset.

11SECTION

Authentication & Key Recovery

Factor	Mechanism	Verified By
1. Domain control	DNS TXT @ _aria.<domain>	ARIA resolver
2. Crypto signature	ML-DSA + Ed25519 composite	Any counterparty (offline capable)
3. Chain integrity	Full delegation chain linked	Each hop independently
4. Liveness	StatusList2021	Cached list, no ARIA call needed

ℹ

DNS-based domain control (Factor 1) applies to L1+. L0 agents rely on cryptographic self-signing (Factor 2) only.

✖

Key Compromise Recovery. TLF emergency revocation with out-of-band identity verification. 3-of-5 Shamir's Secret Sharing. HSM-generated root key. Modeled on ICANN's DNSSEC root key ceremony.

12SECTION

MCP Integration

MCP handles connectivity. ARIA handles identity. ATP handles admission. Three protocols composing without competing.

#	Surface	How It Works
1	ATP transport binding	ARIA AID + intent in MCP tool call metadata (aria.aid + aria.intent)
2	Trust level discovery	MCP servers declare minimum trust level per tool
3	ARIA as MCP tool	aria_verify: native identity check callable from any MCP client
4	Cross-org calls	Identity layer MCP assumes but does not supply
5	Scope alignment	8 standardized actions mirror MCP tool patterns
6	Delegation chains	End-to-end accountability in multi-tool flows
7	DPoP (RFC 9449)	Token bound to specific agent, prevents theft/replay

13SECTION

Enterprise Integration

SCIM lifecycle bridge for agent provisioning/deprovisioning. OIDC bridge for existing IAM. AuthZEN PEP/PDP compatibility. GNAP (RFC 9635) delegation compatibility. SP 800-207 Zero Trust alignment.

ARIA Resolver API: RESTful HTTPS at api.aria.bar. SDK: TypeScript (live — @aria-registry/verify). Python, Go [PLANNED — Q2 2026].

14SECTION

Commerce Integration

ARIA is the agent identity layer that commerce protocols reference but do not define.

Layer	Protocol	ARIA Role
Discovery	Shopify UCP	Trust signal for agent ranking
Checkout	Stripe ACP / SPTs	Identity gate before payment token
Payments	Visa TAP	Verified identity for agent vetting
Micropayments	x402 (USDC/Coinbase)	Agent identity for autonomous spend
Communication	Google A2A	Verified Agent Card identity anchor
Tools	Anthropic MCP	Cross-org identity layer

15SECTION

A2A Identity Bridge

ARIA is to A2A what a passport is to an airline.

Google's A2A protocol lets agents discover and communicate with each other. But A2A's own roadmap lists "formalize authorization in AgentCard" as an open TODO. ARIA fills this gap.

A2A Component	Without ARIA	With ARIA
Agent Card	Self-declared, no verification	AID reference with L0–L3 trust level
Discovery	Agent found, identity unknown	Agent found, identity verified via did:aria
Authorization	Open TODO on GitHub	Scopes enforced from AID delegation chain
Revocation	Not addressed	StatusList2021 check before interaction
Cross-org trust	No mechanism	Full delegation chain tracing back to human principal

16SECTION

Integration Map

ARIA is the layer beneath. Not competing with any protocol. Enabling all of them to operate at a higher trust level.

Layer	Protocol	ARIA's Role
Commerce Checkout	Visa TAP / Mastercard Agent Pay	Verified agent identity BEFORE issuing payment credentials
Agent Communication	Google A2A	Verified identity embedded in Agent Cards
Commerce Protocol	Stripe ACP / SPTs	Legal entity verification for B2B + regulated commerce
Micropayments	x402 (USDC/Coinbase)	Agent identity for autonomous spend authorization
Tool Connection	Anthropic MCP	Cross-org identity layer MCP doesn't supply
Agent Discovery	Shopify UCP	Trust signal for agent ranking. UCP Level 3 = ARIA L2+
Internal Workload	SPIFFE/SPIRE	External-facing bridge when agents cross org boundaries
Bot Authentication	Cloudflare Web Bot Auth	Identity content that HTTP signatures transport
Auth Framework	IETF AIMS (WIMSE+OAuth)	Cross-org identity + authorization
Identity Standards	OIDF AIIM CG	Candidate protocol for OIDF recommendation
Enterprise IAM	SCIM / IPSIE / AuthZEN	Lifecycle bridge for agent provisioning/deprovisioning
Cloud Identity	Microsoft Entra Agent ID	Cross-org portable identity outside Azure trust domain
Cloud Identity	AWS Bedrock AgentCore	Cross-org portable identity outside AWS trust domain
Access Control	NGAC / GNAP (RFC 9635)	Delegation chain maps to GNAP multi-party model
Token Security	NISTIR 8587	DPoP binding prevents token theft/replay
Credential Issuance	OpenID4VCI / OpenID4VP	VC issuance and presentation compatible with OIDF specs
Trust Infrastructure	vLEI (GLEIF)	L2/L3 accepts vLEI as legal entity attestation
Agent Interop	FIPA ACL	ARIA credential headers embeddable in FIPA messages
Governance Framework	ToIP Metamodel	TLF governance maps to ToIP four-layer trust stack

ℹ

19 integration surfaces. No other agent identity protocol connects to this breadth.

17SECTION

Compliance Rosetta Stone

How ARIA maps to every regulatory framework, identity standard, and commercial ecosystem.

ARIA Level	Verification	SP 800-63-4	AAL	EU AI Act	vLEI / GLEIF	TLS Equivalent
L0 Anchored	DID + keypair	IAL1	AAL1	Risk mapping	No equivalent	DV certificate
L1 Identified	DNS verification (auto)	IAL1+	AAL1	Risk mapping	LEI (org identifier)	OV certificate
L2 Certified	DNS TXT via DoH (auto)	IAL2	AAL2	Risk mapping	vLEI — accepted	EV certificate
L3 Sovereign	Legal docs + admin	IAL3	AAL3	Risk mapping	vLEI + Qualified vLEI	Beyond EV

EU AI Act — 5-obligation mapping:

Article	ARIA Mapping
Article 9 (Risk management)	ARIA trust levels provide risk-proportional identity
Article 13 (Human oversight)	HITL tiers map directly (see §07)
Article 52 (Transparency)	AID declares principal, scopes, intent
Article 61 (Post-market monitoring)	Trust Ledger provides audit trail
Article 72 (Penalties)	L2/L3 verification demonstrates compliance effort

★

Colorado AI Act (SB 205). Effective June 30, 2026. ARIA L2/L3 agents satisfy the affirmative defense under SB 205 by providing verifiable identity and accountability chains.

18SECTION

Security Architecture

Agent spoofing prevention: cryptographic identity replaces self-reported user-agent strings. Cross-cloud identity fabric: ARIA DIDs resolve identically across AWS/GCP/Azure.

ℹ

The liability anchor. When a regulator, a court, or a board asks "who authorized this agent to do this?" — ARIA provides the signed, timestamped, cryptographically non-repudiable answer.

19SECTION

Prompt Injection Defense

ARIA's contribution is not prompt injection prevention (model layer) but damage containment through identity infrastructure:

Defense Layer	Mechanism	ARIA Section
Scope containment	Agent cannot exceed declared scopes even if prompt-injected	§06 Scopes
Delegation ceiling	Compromised agent cannot escalate beyond delegated authority	§07 Delegation
Rapid revocation	Compromised agent credentials revoked globally in minutes	§09 Revocation
Intent mismatch	Declared intent vs. actual actions enables anomaly detection	§05 ATP
Audit trail	Complete cryptographic record for incident response	§20 Audit
Trust policy	Receiving systems enforce minimum trust + scope via ATP	§05 ATP

20SECTION

Auditing & Non-Repudiation

Every credential lifecycle event produces a Trust Record in the Trust Ledger. Non-repudiation binding: every entry includes the delegation chain snapshot at time of action.

Event	What Is Logged	Retention
Issuance	DID, trust level, issuing authority, delegation chain, timestamp	7 years
Verification	Verifying party, result, trust level at time of check	7 years
Revocation	Revoking authority, reason code, cascade scope	7 years
State change	Previous state, new state, triggering event, authority	7 years
Delegation	Delegating DID, receiving DID, scope granted, depth, approval config	7 years

ℹ

Per-interaction ATP events (admission, rejection) will be recorded by the Agent Interaction Log — a future system.

21SECTION

Privacy & Data Governance

ARIA agent identity metadata is organizational, not personal. Agent DIDs identify software entities, not individual humans. The principal identity is held by TLF under data controller obligations.

GDPR tension: the right to erasure (Article 17) conflicts with the Trust Ledger's append-only immutability. Proposed resolution: Trust Ledger entries can be "redacted" — the event record remains but personally identifiable fields are replaced with a redaction marker.

22SECTION

Offline & QR Verification

ARIA credentials are self-contained, cryptographically complete, verifiable without network connectivity. A verifier with a cached public key and StatusList can validate any AID entirely offline. QR presentation enables physical-world agent verification.

ℹ

Blockchain secondary anchor (optional). DNS remains the primary trust anchor. Blockchain is an optional secondary anchor via did:ethr, did:ion, or did:sol.

23SECTION

Versioning & Compatibility

Semantic versioning (major.minor). Minor changes (1.x) backward-compatible. Major changes (vN.0) introduce breaking changes. TLF supports all credentials under supported major versions for minimum 36 months. API: v1 endpoints guaranteed stable 5 years minimum.

24SECTION

Advanced Patterns

Multi-principal agents: separate AIDs per principal context. Model provenance: modelAttestation for EU AI Act. Robotic identity: same framework, L3 HSM binds to specific hardware. SPIFFE bridge: ARIA L2+ wraps SPIFFE SVID with cross-org verification.

25SECTION

Governance

TrustLayer Foundation A.C. is the independent nonprofit that stewards the ARIA protocol, issues credentials, maintains the Trust Ledger, and governs the open standard.

Licensing: Apache 2.0 (code) + CC-BY-4.0 (documentation). Independent Technical Steering Committee: 7 members — 3 civil society/academia, 2 industry, 1 government liaison, 1 developing-nation representative. Decisions by rough consensus (IETF model). All deliberations public.

Ensuring that as AI agents become infrastructure, they remain accountable to the humans they serve.

26SECTION

Trust Seals

Trust Seals are optional attestations embedded in the AID's attestations field. They are referenced by ATP qualify= rules. L2+ required (Education: L1+). [NOT YET IMPLEMENTED — qualify= evaluation deferred beyond v1.0]

Category	Seals	Minimum Level
Sector	Healthcare, Finance, Government, Legal, Education	L2 (Education: L1+)
Compliance	SOC2, ISO 27001, ISO 42001, PCI-DSS, EU AI Act, HIPAA	L2+
Capability	HSM-bound keys, Offline-capable, Multi-agent orchestrator	L2+

Trust Seals are NOT trust levels. They are supplementary qualifications that enable sector-specific policy enforcement via ATP qualify= rules. Example: qualify=sector:healthcare>iso27001

ℹ

Insurance: Trust Seal "Insured" is an optional qualification for L2+ agents. Requires proof of E&O or professional liability insurance covering AI operations. ATP field: qualify=insured. Missing when required triggers ATP-460. AI liability insurers are a future adoption channel — the Trust Ledger's credential lifecycle records provide the underwriting data layer that AI insurers currently lack.

Start building.

Protocol Spec →Public API →Registry Portal →

Open standards. Nonprofit governance. Trustworthy AI.

TrustLayer Foundation A.C. · aria.bar · trustlayer.foundation
Apache 2.0 (code) + CC-BY-4.0 (documentation) · Copyright 2026 TrustLayer Foundation A.C.