AIMS Overview¶
Agent Identity Management System (AIMS) is a framework for AI agent authentication based on draft-klrc-aiagent-auth-00.
Experimental
This package implements a draft specification that is subject to change.
What is AIMS?¶
Unlike ID-JAG (which is a specific protocol), AIMS is a framework that composes multiple identity and security standards:
flowchart LR
subgraph Trust Domain
SPIRE[SPIRE Server]
Agent[AI Agent]
end
subgraph Target
Service[Target Service]
end
Agent -->|1. Attest & Get WIT| SPIRE
SPIRE -->|2. WIT with cnf| Agent
Agent -->|3. Create WPT| Agent
Agent -->|4. Request + WIT + WPT| Service
Service -->|5. Verify & Authorize| Service
Service -->|6. Response| Agent| Standard | Purpose |
|---|---|
| SPIFFE | Workload identity (SPIFFE IDs as canonical identifiers) |
| WIMSE | Token-based authentication (WIT and WPT) |
| OAuth 2.0 | Authorization delegation for various scenarios |
The Nine Layers¶
AIMS defines nine architectural layers for agent identity management:
block-beta
columns 1
block:core["Core Identity"]
L1["1. Identifiers<br/>SPIFFE IDs"]
L2["2. Credentials<br/>X.509, JWT-SVID, WIT"]
L3["3. Attestation<br/>TPM, SGX, Cloud"]
end
block:ops["Operations"]
L4["4. Provisioning<br/>SPIRE, Cloud-native"]
L5["5. Authentication<br/>mTLS, WIT/WPT"]
L6["6. Authorization<br/>Policy-based"]
end
block:governance["Governance"]
L7["7. Monitoring<br/>Audit, Telemetry"]
L8["8. Policy<br/>Centralized Mgmt"]
L9["9. Compliance<br/>Regulatory"]
end| Layer | Name | Description |
|---|---|---|
| 1 | Identifiers | SPIFFE IDs as canonical workload identifiers |
| 2 | Credentials | X.509 SVIDs, JWT-SVIDs, WITs |
| 3 | Attestation | TPM, SGX, SEV-SNP, cloud attestation |
| 4 | Provisioning | SPIRE, cloud-native credential issuance |
| 5 | Authentication | mTLS, WIT/WPT token flows |
| 6 | Authorization | Policy-based access control |
| 7 | Monitoring | Audit logging and telemetry |
| 8 | Policy | Centralized policy management |
| 9 | Compliance | Regulatory and audit requirements |
Key Components¶
SPIFFE ID¶
The canonical identifier format for workloads:
Examples:
spiffe://example.com/agent/calendar-botspiffe://prod.example.com/workload/api-serverspiffe://example.com/service/auth
Workload Identity Token (WIT)¶
A JWT representing workload identity per draft-ietf-wimse-s2s-protocol:
{
"iss": "https://spire.example.com",
"sub": "spiffe://example.com/agent/calendar-bot",
"aud": ["https://api.example.com"],
"exp": 1234567890,
"cnf": { "kid": "key-1" }
}
WIMSE Proof Token (WPT)¶
Binds authentication to a specific HTTP request:
{
"iss": "spiffe://example.com/agent/calendar-bot",
"aud": "https://api.example.com",
"htm": "POST",
"htu": "/api/v1/events",
"iat": 1234567890,
"exp": 1234568190
}
Credential Types¶
| Type | Description | Use Case |
|---|---|---|
| X.509 SVID | Certificate-based identity | mTLS authentication |
| JWT-SVID | JWT-based identity | Token-based authentication |
| WIT | Workload Identity Token | WIMSE S2S protocol |
Attestation Types¶
| Type | Description |
|---|---|
| TPM | TPM-based hardware attestation |
| SGX | Intel SGX enclave attestation |
| SEV-SNP | AMD SEV-SNP confidential VM attestation |
| TDX | Intel TDX trusted domain attestation |
| Kubernetes | Kubernetes service account attestation |
| AWS | AWS instance identity document attestation |
| GCP | GCP instance identity token attestation |
| Azure | Azure managed identity attestation |
| GitHub | GitHub Actions OIDC token attestation |
AIMS vs ID-JAG¶
| Aspect | ID-JAG | AIMS |
|---|---|---|
| Type | Protocol | Framework |
| Identity Model | OAuth assertions | SPIFFE IDs |
| Credential Format | JWT assertions | X.509 SVIDs, JWT-SVIDs, WITs |
| Authentication | Token exchange | mTLS or WIT/WPT |
| Standards | RFC 8693 | SPIFFE, WIMSE |