| Internet-Draft | ANS | May 2025 |
| Huang, et al. | Expires 17 November 2025 | [Page] |
The proliferation of AI agents requires robust mechanisms for secure discovery. This document introduces the Agent Name Service (ANS), a novel architecture based on DNS addressing the lack of a public agent discovery framework. ANS provides a protocol-agnostic registry mechanism that leverages Public Key Infrastructure (PKI) certificates for verifiable agent identity and trust. The architecture features several key innovations: a formalized agent registration and renewal mechanism for lifecycle management; DNS-inspired naming conventions with capability-aware resolution; a modular Protocol Adapter Layer supporting diverse communication standards (A2A, MCP, ACP, etc.); and precisely defined algorithms for secure resolution. This specification describes structured communication using JSON Schema and includes a comprehensive threat analysis. The result is a foundational agent directory service protocol addressing the core challenges of secure discovery and interaction in multi-agent systems, paving the way for future interoperable, trustworthy, and scalable agent ecosystems.¶
The present document reflects the authors' individual opinions and does not necessarily represent the views of their respective employers.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 November 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Agent-to-agent communication is expected to become a significant component of internet traffic, driving the need for reliable mechanisms enabling agents to discover, verify, and securely interact with one another. Traditional service discovery, notably the Domain Name System (DNS) [RFC1035], primarily maps human-readable names to network addresses and is insufficient for the dynamic, semantically rich, and security-sensitive environment of agentic AI. Enhancements like DNS-Based Service Discovery (DNS-SD) [RFC6763] offer improvements but still fall short of the necessary agent capability granularity, identity verification, and lifecycle management required by autonomous agents. Furthermore, maintaining a trustworthy registry necessitates robust processes for agent registration and periodic renewal.¶
Several agent communication protocols are emerging to standardize interactions:¶
This document outlines the Agent Name Service (ANS), a framework for a protocol-agnostic Agentic AI Registry. ANS complements these emerging protocols by integrating Public Key Infrastructure (PKI) for identity and trust, defining structured communication via JSON Schema, incorporating DNS-like naming for discovery, establishing mechanisms for agent registration and renewal, and providing a formal specification of the protocol to enhance precision and implementability. ANS aims to provide a universal, secure directory service foundation for interoperable agent ecosystems.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The proposed Agent Registry architecture provides a secure, interoperable platform for agent discovery and interaction, supporting multiple communication protocols through a modular design. Key components include:¶
Figure 1 illustrates the core components of the Agent Name Service (ANS) and their interactions.¶
+-----------+ Requests agent discovery +-------------+
| Agent | ----------------------------> | ANS Service |
+-----------+ +-------------+
|
| Looks up agent info
v
+-----------------------+ Translates messages +----------------+
| Protocol Adapter Layer| <---------------------- | Agent Registry |
+-----------------------+ +----------------+
^ ^
| | Verifies
Validates reg. | | identity
| |
+-----------------------+ +---------------------+
| Registration Authority| | Certificate Authority |
+-----------------------+ +---------------------+
The Protocol Adapter Layer translates between the registry's internal representation and protocol-specific formats. For example, consider an agent registering with the MCP. An MCP tool description might be represented as a JSON blob. The agent would need to be registered with ANS first and foremost. Therefore, imagine this tool is associated with the following ANSName: "mcp://sentimentAnalyzer.textAnalysis.ExampleCorp.v1.0".¶
This would mean the MCP tool is now discoverable via the ANS. The MCP specific extension data itself might look like this:¶
{
"description": "Analyzes sentiment of text input.",
"input_schema": {
"type": "string",
"description": "Text to analyze."
},
"output_schema": {
"type": "object",
"properties": {
"sentiment": {
"type": "string",
"enum": ["positive", "negative", "neutral"]
},
"score": {
"type": "number",
"description": "Sentiment score (-1 to 1)."
}
}
},
"mcpEndpoint": "https://sentiment.example.com/analyze"
}
The MCP Adapter within the Protocol Adapter Layer would parse this JSON and map it to the registry's internal columns. This could involve:¶
Extracting information implicitly: since the ANSName is "mcp://sentimentAnalyzer.textAnalysis.ExampleCorp.v1.0", this implicitly defines the:¶
This normalization process allows the Agent Registry to store and query MCP-specific information in a protocol-agnostic way, while adhering to the ANSName structure for consistent identification and resolution.¶
Maintaining registry integrity requires explicit lifecycle management:¶
Registration:¶
Renewal:¶
Deregistration/Revocation: Agents can be deregistered, or their certificates revoked (e.g., due to key compromise), removing or flagging their entry in the registry and invalidating their certificate via standard PKI mechanisms (CRL/OCSP [RFC6960]).¶
Agent RA CA Agent Registry |---Registration Request--->| | | | (metadata & CSR) | | | | |---Validate Identity----->| | | |<--[Validation Fails]-----| | |<----Registration Rejected-| | | | |---[Validation Successful]-> | | |---Request Certificate--->| | | | |<----Issue Certificate----| | |<----Certificate----------| | | |---Store Agent Info & Cert-------------------------->| |<----Confirmation---------| |
Public Key Infrastructure (PKI) [RFC5280] provides the cryptographic foundation for trust within ANS. Each registered agent possesses a unique PKI key pair and a corresponding X.509 digital certificate issued by a trusted CA via the RA.¶
We introduce the following notation for defining ANS elements and operations:¶
1) Top Level Elements:¶
2) Data Types:¶
So, the top level elements have the following data types:¶
3) Verification Rules:¶
Certificate Chain Verification¶
VerifyCertChain (Cert, TrustedCA) -> Boolean:
1. Get the certificate authority (CA_signer) that signed the Cert.
2. Check for Certificate Revocation status of Cert via CRL or OCSP.
3. If Cert is Revoked, Return False.
4. If CA_signer is the TrustedCA, Return True (assuming Cert is validly signed by it and not expired).
5. Else, get the certificate of CA_signer (IssuerCert) and recursively call
VerifyCertChain(IssuerCert, TrustedCA).
6. If no trusted CA is found in the chain, Return False.
Digital Signature Verification¶
VerifySignature (Data, Signature, PublicKey) -> Boolean:
1. Use PublicKey to decrypt/verify the Signature against the Data.
2. Hash Data using the agreed-upon cryptographic hash function (e.g., SHA-256)
that was used by the signer.
3. Compare the hash obtained from the signature with the hash
calculated from the Data.
4. If the hashes match and the signature is cryptographically valid,
Return True.
5. Else, Return False.
ANS utilizes JSON Schema [RFC8259] to define the structure for all registry interactions, including discovery requests/responses and registration/renewal requests/responses. This ensures structured, validated communication across different protocols.¶
An example AgentRegistrationRequest schema is shown below:¶
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "AgentRegistrationRequest",
"description": "Schema for Agent Registration Request",
"type": "object",
"properties": {
"protocol": {
"type": "string",
"enum": ["a2a", "mcp", "acp"],
"description": "Communication Protocol"
},
"agentID": {
"type": "string",
"description": "Unique Agent Identifier"
},
"agentCapability": {
"type": "string",
"description": "Primary Agent Capability"
},
"provider": {
"type": "string",
"description": "Name of the Provider"
},
"version": {
"type": "string",
"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
"description": "Semantic Versioning format"
},
"extension": {
"type": "string",
"description": "Extension Metadata"
},
"certificate": {
"type": "object",
"properties": {
"subject": {"type": "string", "description": "Certificate Subject"},
"issuer": {"type": "string", "description": "Certificate Issuer"},
"pem": {
"type": "string",
"description": "PEM-encoded Certificate (strongly recommended to use a secure vault reference instead)",
"readOnly": false
}
},
"required": ["subject", "issuer", "pem"]
},
"protocolExtensions": {
"type": "object",
"description": "Protocol-specific data"
}
},
"required": ["protocol", "agentID", "agentCapability", "provider", "version", "certificate"]
}
ANS defines a robust, protocol-agnostic mechanism for naming and resolving agents across heterogeneous agentic environments. Its principal function is to establish a uniform Endpoint format that encodes identity, agentCapability, and contextual metadata for any given agent, irrespective of the underlying transport or runtime architecture. ANS ensures that both human-readable and machine-resolvable identifiers are preserved in a format designed to facilitate dynamic discovery, rigorous trust verification, secure communication, seamless service composition, and the representation of relationships between agents. A key motivation for ANS is to move beyond simple naming resolution to enable precise agentCapability discovery, which is not achievable with traditional systems like DNS. The design of ANS acknowledges that the agent's agentCapabilities are paramount for intelligent interactions, distinguishing it from simpler naming systems like DNS.¶
The ANSName is formally defined as a string constructed from the following components, concatenated in a specific order:¶
ANSName = Protocol "://" AgentID "." agentCapability "." Provider ".v" Version ["." Extension]
Where:¶
Constraints:¶
Example ANSName: "a2a://textProcessor.DocumentTranslation.AcmeCorp.v2.1.hipaa"¶
The resolution mechanism in ANS maps a fully qualified ANSName to an actionable reference, such as a network address, service binding, or a detailed metadata document (Endpoint). Resolution can be achieved through distributed lookups, local resolver caches, or enterprise-specific ANS gateways, providing deployment flexibility. Critically, ANS moves beyond simple name resolution to facilitate precise agentCapability discovery.¶
When an agent (the "Requesting Agent") requires resolution, it queries the ANS service (a fundamental component of the Agent Registry infrastructure). The query includes the ANSName of the target agent and can optionally incorporate agentCapability filters to refine the search.¶
Requesting Agent ANS Service Agent Registry Trusted CA |---Resolution Query---->| | | | (ANSName + filters) | | | | |---Query Agent Record--->| | | | |<--[Record Not Found]-| | |<----No Record Found-----| | |<--Agent Not Found Err--| | | | | |---[Record Found]---->| | |<--Return Agent Endpoint-| | | | (data, sig, cert) | | | |---Verify Signature (using Agent Registry Key)-->| | |<--[Signature Invalid]--| | |<--Invalid Sig Error---| | | | |---[Signature Valid]--->| | | |---Verify Cert Chain (Target Agent Cert)------>| (Trusted CA for agent certs) | | |<--[Cert Invalid]-----| | |<----Invalid Cert Error--| | | | |---[Cert Valid]------>| |<--Return Verified Endpoint----------------------| | | (binding & sec info) | | |
The ANS resolution algorithm takes an ANSName and an optional RequestedVersionRange as input and returns a resolvable Endpoint or an error.¶
Resolve(ANSName, RequestedVersionRange) -> EndpointRecord / ERROR:
1. Parse ANSName into Protocol, AgentID, agentCapability,
Provider, Version, Extension.
2. Query Agent Registry for Agents with matching Protocol, AgentID,
agentCapability, Provider.
3. If no match found:
Return ERROR("Agent not found").
4. If multiple matches found (different versions):
Match = VersionNegotiation(Matches, RequestedVersionRange).
If Match is ERROR("Incompatible Version"):
Return ERROR("Incompatible Version").
5. EndpointRecord_struct = GetAgentEndpointRecord(Match.AgentID).
// Renamed to avoid conflict, EndpointRecord_struct: {data, signature, Cert}
If EndpointRecord_struct is ERROR:
Return ERROR("Could not retrieve endpoint record").
6. Valid = VerifyAgentEndpointRecord(EndpointRecord_struct,
TrustedCA_for_Registry_Signature,
TrustedCA_for_Agent_Certs).
7. If Valid is False:
Return ERROR("Invalid Endpoint").
8. Return EndpointRecord_struct.data. // Contains the actual endpoint URI/info
--- Helper Functions ---
GetAgentEndpointRecord(AgentID_from_Match) -> EndpointRecord_struct / ERROR:
// Agent Registry implements this to fetch records.
// This function must enforce authentication and authorization
// against Agent Registry ACLs if applicable.
// Returns {data, signature, Cert} or ERROR.
VerifyAgentEndpointRecord(EndpointRecord_struct, RegistryTrustedCA, AgentCertTrustedCA) -> Boolean:
// 1. Verify signature on EndpointRecord_struct.data using
// AgentRegistry.PublicKey (obtained from a cert issued by RegistryTrustedCA).
signatureValid = VerifySignature(EndpointRecord_struct.data,
EndpointRecord_struct.signature,
AgentRegistry.PublicKey);
If not signatureValid:
Return False; // Or ERROR("Invalid Registry Signature")
// 2. Verify certificate chain of the target Agent's Cert (EndpointRecord_struct.Cert)
// against AgentCertTrustedCA.
certChainValid = VerifyCertChain(EndpointRecord_struct.Cert, AgentCertTrustedCA);
If not certChainValid:
Return False; // Or ERROR("Invalid Agent Certificate Chain")
Return True;
// VerifySignature and VerifyCertChain are defined in Section 3.3
VersionNegotiation(Matches, RequestedVersionRange) -> Match_object / ERROR:
1. Sort Matches by Version (highest to lowest Semantic Version).
2. For each Match_item in Matches:
3. If RequestedVersionRange is empty OR RequestedVersionRange == "*" OR
IsVersionCompatible(Match_item.Version, RequestedVersionRange):
4. Return Match_item;
5. End For
6. Return ERROR("Incompatible Version");
IsVersionCompatible(AgentVersion, ReqRange) -> Boolean:
// Implement Semantic Version range compatibility check.
// (e.g., using a library like node-semver's satisfies function)
// 1. Attempt to parse ReqRange as a SemVer range.
// 2. If parsing fails, treat ReqRange as a specific SemVer version.
// 3. Check if AgentVersion is satisfied by the ReqRange.
// Example: return SemVer.satisfies(AgentVersion, ReqRange);
Return true; // Placeholder for actual SemVer library call
IMPLEMENTATION NOTES:¶
Key security aspects for the resolution process include:¶
Deploying and maintaining a global ANS involves addressing several key challenges:¶
Agent identity within the ANS framework is multifaceted, encompassing several components:¶
Agent Card Validation: The integrity of Agent Cards within the ANS ecosystem is verified through cryptographic methods, utilizing the relational patterns between agents. This process ensures that capability declarations are validated against organizational policies. Additionally, endpoint URL structures are enforced to comply with security standards such as TLS and proper domain constraints. The Agent Registry oversees and connects these identity components, facilitating verification through challenge-response protocols that rely on the agent's private key. Both the Requesting Agent and the Registration Authority (RA) play crucial and distinct roles in this validation process.¶
Requesting Agent Responsibility: The Requesting Agent has a primary and ongoing responsibility for validating the Agent Card before every interaction. This includes:¶
The Requesting Agent's validation is not a one-time event; it's a continuous process that ensures the agent remains trustworthy for each specific interaction. A failure to properly validate an Agent Card could expose the Requesting Agent to significant security risks.¶
Registration Authority (RA) Responsibility: The RA performs a foundational validation of the Agent Card during the agent registration and renewal processes. This includes:¶
The RA's validation provides a baseline level of trust, but it does not replace the need for the Requesting Agent to perform its own, more context-specific validation.¶
Additionally, endpoint URL structures are enforced to comply with security standards such as TLS and proper domain constraints. The Agent Registry oversees and connects these identity components, facilitating verification through challenge-response protocols that rely on the agent's private key.¶
Agent Capability Attestation: The AI agent's identity and claimed capabilities are authenticated through zero-knowledge proof methods. Specifically, ZKPs can be employed to allow an agent to prove that it possesses certain capabilities (e.g., access to specific data, the ability to perform a certain computation) without revealing how it possesses those capabilities or the underlying data itself. For example, an agent might use a ZKP to prove it has access to a database containing sensitive patient information without revealing the specific query it will use or any of the patient data. This involves the agent constructing a proof, based on its private knowledge and the claimed capabilities, that can be verified by the Agent Registry (or another agent) using only publicly available information.¶
The verifier gains assurance that the agent possesses the claimed capabilities without learning any sensitive information about the agent's internal state or data. During runtime, capabilities are dynamically validated as part of the resolution process. To further enhance real-time verification, challenge-response mechanisms are employed.¶
Challenge-Response Example: Imagine an agent claims to be able to perform "Sentiment Analysis" with a certain accuracy.¶
This challenge-response process can be repeated periodically or triggered based on certain events (e.g., a change in the agent's code, a security alert). The challenges can be designed to test various aspects of the agent's claimed capabilities, ensuring that it continues to function as expected over time. The Agent Registry maintains a history of challenge-response results to track the agent's performance and reliability.¶
By combining ZKPs for initial capability attestation with challenge-response mechanisms for ongoing validation, the ANS provides a robust framework for ensuring the trustworthiness of AI agents.¶
Authentication Enforcement: The process involves validating the OAuth 2.0 flow to ensure the legitimacy of authorization tokens, verifying mTLS certificates to confirm alignment with the registered agent's identity, and checking JSON Web Tokens (JWTs) to ensure their signatures and claims are accurate and properly authenticated.¶
Agent Identity Module Examples: The Agent Identity module implements resource access control through capability-based security. Below are examples for A2A and MCP protocols:¶
{
"a2aCapabilityVerification": {
"capabilityVerification": {
"proofMechanism": "ZKP",
"verificationCircuit": {
"constraints": [
"agent.hasCapability(c) AND agent.isAuthorized(c)",
"agent.certificate.isValid() AND agent.certificate.notRevoked()"
],
"proofGeneration": "Groth16",
"verificationKey": "0x4a8f..."
}
},
"rateLimit": {
"algorithm": "TokenBucket",
"refillRate": "100/s",
"burstCapacity": 500,
"perCapability": true
}
}
}
{
"mcpAgentIdentity": {
"resourceAccessControl": {
"model": "RBAC+ABAC",
"policyDecisionPoint": {
"engine": "OPA",
"evaluationMode": "distributed"
},
"contextAttributes": [
"agent.role",
"resource.classification",
"time.window",
"operation.sensitivity"
]
},
"toolRegistration": {
"sandboxValidation": {
"environment": "gVisor",
"runtime": "V8Isolate",
"memoryLimit": "256MB",
"cpuQuota": "0.5",
"networkPolicy": "DENY_ALL"
}
}
}
}
The Agent Registry manages and links these identity facets, enabling verification via challenge-response protocols using the agent's private key.¶
The following core JSON Schemas define the structure for AgentCapability requests (used for resolving ANSNames) and responses. These ensure validated and structured communication for discovery operations. (Full schemas are linked in Appendix A).¶
AgentCapabilityRequest Schema:¶
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "AgentCapabilityRequest",
"description": "Schema for Agent agentCapability Request (Resolution)",
"type": "object",
"properties": {
"requestType": { "type": "string", "enum": ["resolve"] },
"protocol": { "type": "string",
"description": "Target protocol (from ANSName)"},
"agentID": { "type": "string",
"description": "Target agentID (from ANSName)"},
"agentCapability": { "type": "string",
"description": "Target capability (from ANSName)"},
"provider": { "type": "string",
"description": "Target provider (from ANSName)"},
"version": { "type": "string",
"description": "Target version or version range (from ANSName or query)" },
"extension": { "type": "string",
"description": "Target extension (from ANSName, optional)"}
},
"required": ["requestType", "protocol", "agentID",
"agentCapability", "provider", "version"]
}
AgentCapabilityResponse Schema:¶
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "AgentCapabilityResponse",
"description": "Schema for Agent agentCapability Response (Resolution)",
"type": "object",
"properties": {
"Endpoint": {
"type": "string",
"description": "Resolved agent address/endpoint URI (e.g., a2a://translatorBot.DocumentTranslation.exampleCorp.v1.2.3.secure)"
},
"signature": {
"type": "string",
"description": "Digital signature of the Endpoint data by Agent Registry"
},
"cert": {
"type": "string",
"description": "PEM-encoded Certificate of the target Agent (strongly recommended to use a secure vault reference instead)",
"readOnly": false
}
},
"required": ["Endpoint", "signature", "cert"]
}
Key points regarding schemas:¶
The Protocol Adapter Layer is a critical component that enables the ANS registry to support diverse agent communication protocols (like A2A, MCP, ACP) without being tightly coupled to any single one. It acts as an intermediary, translating between the registry's core logic and internal data storage format and the specific requirements and metadata formats of each supported protocol.¶
Each protocol adapter understands how to:¶
+-----------------+
| Agent Name |
| Service (ANS) |
| (Core Registry) |
+-----------------+
/ | \
/ | \
v v v
+-----------------+ +-----------------+ +-----------------+
| A2A Protocol |<->| MCP Protocol |<->| ACP Protocol |
| Adapter | | Adapter | | Adapter |
+-----------------+ +-----------------+ +-----------------+
^ ^ ^
| | |
v v v
+-----------------+ +-----------------+ +-----------------+
| A2A Agent | | MCP Agent | | ACP Agent |
+-----------------+ +-----------------+ +-----------------+
Adding support for a new protocol involves creating a new adapter module that implements the required mapping and discovery logic interfaces defined by the registry framework. This ensures the registry can evolve with the agent ecosystem.¶
The registry primarily enables discovery and identity verification across protocols. An A2A agent can discover an agent advertising MCP tools, verify its identity via PKI, and potentially interact if it also understands MCP or uses a gateway. ANS does not automatically translate A2A tasks into MCP requests. It provides the foundational trust and location information, but deeper semantic interoperability often requires additional mechanisms or multi-protocol support within the agents themselves.¶
Protocol Adapters are implemented as plugins that conform to the following interface (expressed in a language-agnostic way; adapt to your chosen implementation language):¶
interface ProtocolAdapter {
// Identifies the protocol supported by this adapter
// (e.g., "a2a", "mcp", "acp")
String getProtocol();
// Parses protocol-specific metadata from the raw
// 'protocolExtensions' data (e.g., a JSON object or string)
// and maps it to a structured internal representation used by
// the registry (e.g., a map or a dedicated object).
// Returns a representation of the extracted data.
Map<String, Object> parseMetadata(Object protocolExtensionsData);
// Constructs a protocol-specific discovery response payload
// based on information retrieved from an agent's registry record.
// 'registryRecord' contains the agent's core ANS data and the
// parsed protocolExtensions.
Object createDiscoveryResponse(Map<String, Object> registryRecord);
// Handles any protocol-specific validation logic required during
// the agent registration process, beyond the standard ANS checks.
// 'registrationRequest' is the full request object.
// Returns true if validation passes, false otherwise.
Boolean validateRegistration(AgentRegistrationRequest request);
}
Important Considerations:¶
SUMMARY OF ANS FUNCTIONAL LAYERS¶
| ANS Component | ANS Functional Layer | JSON Schema Implementation |
|---|---|---|
| Policy Enforcement Engine | Request Processing | Forward-chaining rule processor with sequential evaluation of Agent's certs. |
| PKI Governance | Security Infrastructure | Hierarchical PKI with Agent specific Cert Validation & Integration. |
| A2A Protocol Engine | Protocol Adapter | Zero-knowledge proof capability verification |
| MCP Protocol Engine | Protocol Adapter | RBAC+ABAC access control with OPA |
| Consensus Engine | Distributed Governance | Analyzing Agent Signatures |
| ANS Audit Trail System | Compliance Layer | Deterministically generate unique Agent IDs (UUIDv5 based on PKI public key hash) |
This technical implementation of ANS ensures that universal agent Registry/Directory operates with cryptographic assurance, distributed consensus for critical operations, and real-time compliance enforcement while maintaining high performance and scalability requirements essential for enterprise AI agent deployments.¶
The security of the Agent Name Service is paramount for its adoption and the trustworthiness of the agent ecosystems it supports. This section outlines key threats, mitigation strategies, and security controls, referencing the MAESTRO 7 Layers framework [Huang-MAESTRO] where applicable. See RFC 3552 [RFC3552] for a general guide on writing security considerations.¶
This section presents a systematic security threat analysis of the proposed ANS protocol. We identify key potential vulnerabilities and map them onto the MAESTRO 7 Layers framework to provide a structured understanding of the threat landscape and the corresponding mitigation strategies integrated into our design. MAESTRO stands for Multi-Agent Environment, Security, Threat, Risk, and Outcome, and its seven layers are: Foundation Models, Data Operations, Agent Frameworks, Deployment and Infrastructure, Evaluation and Observability, Security and Compliance, and Agent Ecosystem. By analyzing vulnerabilities and risks at each architectural layer, as well as cross-layer interactions, MAESTRO enables security teams to proactively identify, assess, and mitigate threats unique to agentic AI.¶
Implementing ANS requires thorough threat modeling and comprehensive security controls.¶
The process of querying the Agent Registry for specific agentCapabilities could unintentionally reveal sensitive information about the querier's intent, business objectives, or operational profile. To mitigate this risk, the implementation must prioritize:¶
The Agent Registry, the core of ANS, can be implemented using various architectural patterns. The choice depends on factors such as the expected scale of deployment, trust model, performance requirements (latency, throughput), administrative overhead, and cost. The Protocol Adapter Layer is well-suited to a plugin-based architecture.¶
Common implementation patterns for the registry include:¶
Key considerations when choosing an implementation pattern:¶
DECISION MATRIX FOR AGENT REGISTRY IMPLEMENTATION PATTERNS¶
| Feature | Centralized | Distributed (Cassandra) | Distributed (DHT) | Blockchain/DLT | Federated |
|---|---|---|---|---|---|
| Consistency | Strong | Tunable (Eventual) | Eventual | Strong | Tunable (Eventual) |
| Latency | Low | Medium | Medium to High | High | Medium to High |
| Scalability | Limited | High | Very High | Limited | High |
| Fault Tolerance | Low | High | High | High | Medium |
| Security | Medium | Medium | Medium | High | Medium |
| Operational Cost | Low | Medium | Medium | High | Medium |
| Complexity | Low | Medium | High | High | Medium |
This document lays the foundational groundwork for ANS. Significant future work is envisioned to mature the proposal into a widely adopted standard:¶
The Agent Name Service (ANS) offers a foundational infrastructure designed to foster a more secure, trustworthy, and interconnected ecosystem for agentic AI. By addressing the critical needs of verifiable identity, secure discovery, and protocol-agnostic interoperability, ANS aims to provide significant benefits:¶
The modular Protocol Adapter Layer ensures that ANS can evolve and extend its support to new and emerging agent communication standards. While challenges related to governance, global scalability, and achieving deep semantic interoperability remain, ANS represents a necessary and significant step towards building a robust, secure, and scalable future for agentic AI.¶
This document has no IANA actions requested at this time. Future versions may request registration of a URI scheme for ANSNames, new port numbers if a dedicated ANS protocol is defined, or new registries for ANS components if deemed necessary by the community.¶
The detailed JSON Schema documents for various registry interactions are maintained externally due to their length. Implementers should refer to these sources for complete and up-to-date schema definitions. It is crucial that these schemas are well-commented and validated in any ANS implementation.¶
The authors acknowledge the contributions of the communities and organizations developing foundational agent communication standards, including Google (A2A), Anthropic (MCP), IBM (ACP), and the broader AI research community.¶
This document was created as part of the OWASP Gen AI Security Project - Agentic Security Initiative (ASI).¶