Hi all,

We have just submitted a new draft: "OAuth 2.0 Rich Authorization Requests for AS-Attested User Certificates".

As AI Agents increasingly act on behalf of users, the traditional OAuth scope model often lacks the fine-grained intent verification needed for high-stakes operations. While Resource Owners (RO) can issue Verifiable Credentials (VCs) to Agents, there remains a "trust gap": the Resource Server (RS) has no standard way to verify that the public key used to sign the VC genuinely belongs to the RO.

This draft proposes an extension using Rich Authorization Requests (RAR) [RFC9396] to allow a Client to request an AS-attested certificate of the RO's public key. This establishes a robust trust chain, enabling the RS to verify user-signed delegation evidence securely.

Looking forward to comments and feedback! Thank you!

Best Regards,
Cheng-Kang

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Monday, March 2, 2026 4:39 PM
To: Chu Cheng Kang <[email protected]>; Wang Haiguang <[email protected]>; Liruochen <[email protected]>; Liruochen <[email protected]>; Li Tieyan <[email protected]>; Li Tieyan <[email protected]>
Subject: New Version Notification for draft-chu-oauth-as-attested-user-cert-00.txt

A new version of Internet-Draft draft-chu-oauth-as-attested-user-cert-00.txt has been successfully submitted by Cheng-Kang Chu and posted to the IETF repository.

Name:     draft-chu-oauth-as-attested-user-cert
Revision: 00
Title:    OAuth 2.0 Rich Authorization Requests for AS-Attested User Certificates
Date:     2026-03-02
Group:    Individual Submission
Pages:    9
URL:      https://www.ietf.org/archive/id/draft-chu-oauth-as-attested-user-cert-00.txt
Status:   https://datatracker.ietf.org/doc/draft-chu-oauth-as-attested-user-cert/
HTMLized: https://datatracker.ietf.org/doc/html/draft-chu-oauth-as-attested-user-cert

Abstract:

   This document defines an extension to the OAuth 2.0 Rich Authorization
   Requests (RAR) framework. It introduces a mechanism that allows a Client,
   such as an autonomous AI Agent, to request an Authorization Server (AS)
   to include an AS-attested Resource Owner public key certificate within,
   or bound to, an Access Token. This mechanism enables the Resource Server
   (RS) to securely obtain the Resource Owner's trusted public key, which
   can then be used to verify application-layer delegation evidence (e.g.,
   Verifiable Credentials) signed by the Resource Owner.
The IETF Secretariat

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
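Editor's added illustration of the trust chain the abstract describes; this is not code from the draft, the announcement, or its authors. It uses plain Ed25519-signed JSON as a stand-in for both the access token and the VC, and the claim names (`ro_pub`, `signer_pub`), the party names and the sample delegation values are hypothetical constructed data: the draft's actual RAR `authorization_details` type, certificate format and token-binding method are not given in this message and are not reproduced here. `VerifyNaive` shows the "trust gap" (the RS takes the signing key from the VC itself, so anyone can mint "RO" evidence); `VerifyAttested` shows the closed chain (RS trusts the AS, the AS-signed token attests the RO key, the RO key verifies the VC).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenPayload is a simplified stand-in for an access token body. The
// "ro_pub" claim name is hypothetical; the announcement does not give the
// draft's actual claim or certificate encoding.
type TokenPayload struct {
	Subject string `json:"sub"`
	ROPub   []byte `json:"ro_pub"` // RO public key as attested by the AS
}

// Signed is a payload plus a detached Ed25519 signature over it.
type Signed struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// Delegation is a simplified stand-in for RO-signed delegation evidence (a VC).
// SignerPub is the key the evidence *claims* was used; the RS must not trust it.
type Delegation struct {
	Agent     string `json:"agent"`
	Action    string `json:"action"`
	Amount    int    `json:"amount"`
	SignerPub []byte `json:"signer_pub"`
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failure is unrecoverable for this demo
	}
	return pub, priv
}

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // marshalling the fixed structs above cannot fail
	}
	return Signed{Payload: b, Sig: ed25519.Sign(priv, b)}
}

// VerifyNaive is the trust gap: the RS checks the VC signature against the
// key embedded in the VC itself, so any key holder can produce "RO" evidence.
func VerifyNaive(evidence Signed) (Delegation, error) {
	var d Delegation
	if err := json.Unmarshal(evidence.Payload, &d); err != nil {
		return Delegation{}, err
	}
	if len(d.SignerPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(d.SignerPub), evidence.Payload, evidence.Sig) {
		return Delegation{}, errors.New("bad VC signature")
	}
	return d, nil
}

// VerifyAttested closes the gap: the RS trusts only the AS key, takes the RO
// key from the AS-signed token, and verifies the evidence against that key.
func VerifyAttested(asPub ed25519.PublicKey, token, evidence Signed) (Delegation, error) {
	if !ed25519.Verify(asPub, token.Payload, token.Sig) {
		return Delegation{}, errors.New("access token: bad AS signature")
	}
	var tp TokenPayload
	if err := json.Unmarshal(token.Payload, &tp); err != nil {
		return Delegation{}, err
	}
	if len(tp.ROPub) != ed25519.PublicKeySize {
		return Delegation{}, errors.New("access token: no attested RO key")
	}
	if !ed25519.Verify(ed25519.PublicKey(tp.ROPub), evidence.Payload, evidence.Sig) {
		return Delegation{}, errors.New("evidence not signed by the AS-attested RO key")
	}
	var d Delegation
	if err := json.Unmarshal(evidence.Payload, &d); err != nil {
		return Delegation{}, err
	}
	return d, nil
}

// Demo runs both verifiers over an honest RO-signed delegation and a forged
// one signed with an attacker's key (constructed data). It returns
// (attested accepts honest, attested accepts forged, naive accepts forged).
func Demo() (bool, bool, bool) {
	asPub, asPriv := newKey()
	roPub, roPriv := newKey()
	atkPub, atkPriv := newKey()

	// The AS issues the token carrying the RO key it has attested.
	token := sign(asPriv, TokenPayload{Subject: "alice", ROPub: roPub})
	honest := sign(roPriv, Delegation{Agent: "agent-1", Action: "transfer", Amount: 500, SignerPub: roPub})
	forged := sign(atkPriv, Delegation{Agent: "agent-1", Action: "transfer", Amount: 50000, SignerPub: atkPub})

	_, errHonest := VerifyAttested(asPub, token, honest)
	_, errForged := VerifyAttested(asPub, token, forged)
	_, errNaive := VerifyNaive(forged)
	return errHonest == nil, errForged == nil, errNaive == nil
}

func main() {
	h, f, n := Demo()
	fmt.Printf("attested: honest=%v forged=%v; naive: forged=%v\n", h, f, n)
}
```

The point the example makes is that the RS never has to decide on its own whether a key belongs to the RO: it verifies one AS signature it already trusts and inherits the RO key from that, which is what the abstract means by "securely obtain the Resource Owner's trusted public key". A real deployment would carry the key in a certificate or JWT claim as the draft specifies, and would additionally check token expiry, audience and the RAR-requested scope of the delegation.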
