| Internet-Draft | JIS | June 2026 |
| van de Meent & AI | Expires 19 December 2026 | [Page] |
This document defines JIS (JTel Identity Standard), a protocol for establishing identity, negotiating trust, and binding intent declarations to actor interactions. JIS provides three core mechanisms: a dual-keypair identity model separating human-device binding (HID) from device authentication (DID), a trust establishment handshake (FIR/A) that negotiates capabilities and records intent, and a human-readable context layer (Humotica) that captures the sense, context, intent, and explanation for every interaction.¶
JIS is transport-agnostic and operates as a semantic layer above existing protocols. It integrates with TIBET [TIBET] for provenance tracking, and is consumed by UPIP [UPIP], RVP [RVP], and AINS [AINS] for process integrity, continuous verification, and agent discovery respectively.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
AI agents, IoT devices, automated services, and human operators increasingly interact across trust boundaries -- across organizations, protocols, and jurisdictions. These interactions require answers to three questions that existing protocols address incompletely:¶
Existing identity protocols (OAuth 2.0, SAML, FIDO2) solve authentication -- proving WHO. But they do not capture WHY an action is requested, nor do they provide a mechanism for bilateral trust negotiation where both parties declare intent and agree on capabilities before proceeding.¶
JIS addresses this gap by defining:¶
Three structural problems motivate JIS:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
HID is an X25519 key pair that binds a human identity to a device.¶
{
"hid": {
"algorithm": "X25519",
"public_key": "<base64 X25519 public key>",
"created_at": "<ISO-8601 timestamp>",
"device_bound": true
}
}
¶
The HID private key MUST NEVER leave the device. The HID private key MUST NOT be transmitted over any channel. The HID private key SHOULD be stored in a hardware secure element (TEE, SE) when available.¶
The HID public key is used ONLY for computing the HID-DID binding hash (Section 3.3). The HID public key itself SHOULD NOT be transmitted. Only the binding hash is shared.¶
DID is an Ed25519 key pair used for device authentication and token signing.¶
{
"did": {
"algorithm": "Ed25519",
"public_key": "<base64 Ed25519 public key>",
"created_at": "<ISO-8601 timestamp>"
}
}
¶
The DID public key is shared during FIR/A establishment (Section 4). The DID private key MUST remain on the device and is used for signing TIBET tokens and FIR/A messages.¶
The HID-DID binding proves that a specific human is associated with a specific device, without revealing the human's identity key.¶
Computation:¶
binding_hash = SHA-256(HID_public_key || DID_public_key)¶
SHA-256 is computed per [FIPS180-4]. The binding_hash is:¶
This design ensures that compromising the device (obtaining DID private key) does not compromise the human's identity key (HID private key).¶
JIS defines three actor identifier formats:¶
jis:<entity_type>:<identifier>¶
Entity types:¶
The identifier portion SHOULD be meaningful and stable. Implementations MUST NOT embed personal data in the identifier (e.g., do not use email addresses).¶
Note: The -00 version used "did:jtel:" as a URI format. This has been replaced with "jis:" to avoid confusion with the W3C DID specification [DID-CORE]. A W3C DID method specification for JIS identities may be developed separately if there is implementation demand.¶
JIS separates a stable identity anchor from rotatable operational keys, so that routine key rotation does not break an established relationship, and a compromised operational key does not destroy the identity. Rotation (the actor still holds the key) and revocation (the key is lost or compromised) are distinct operations with distinct mechanisms: the former is a signed continuity link, the latter a causal fork (Section 3.5.5).¶
This mirrors the cross-signing pattern of other systems (a long-lived key certifying short-lived device keys): the petname or trust edge a counterparty holds binds to the identity anchor, not to the raw operational key, so operational rotation is transparent to that counterparty.¶
An in-control operational-key rotation MUST be expressed as a rotation attestation: a record in which the OLD operational key signs over the NEW operational key, binding both to the identity anchor.¶
{
"type": "jis_key_rotation",
"identity_anchor": "sha256:4f2e8a...",
"actor": "jis:human:alice",
"old_did_public_key": "<base64 Ed25519>",
"new_did_public_key": "<base64 Ed25519>",
"effective": "2026-06-11T10:00:00.000Z",
"reason": "scheduled_rotation",
"previous_rotation": "sha256:...|null",
"signature": {
"algorithm": "Ed25519",
"value": "<base64 signature by OLD did over canonical record>"
}
}
¶
The rotation attestation MUST be recorded as a TIBET token that references the previous key (and any previous rotation) in ERAAN, forming a key-continuity chain anchored at the identity anchor. A verifier holding the old key MUST be able to verify the chain old -> new and roll its binding forward to the new key without a new out-of-band ceremony.¶
A rotation attestation signed only by the NEW key MUST NOT be accepted as continuity: it proves possession of the new key, not authority to supersede the old one.¶
For an in-control rotation, an established relationship (its FIR/A genesis, capabilities, and any bilateral consent) refers to the identity anchor and therefore SURVIVES the rotation. Implementations MUST NOT require a new FIR/A establishment solely because an operational key rotated, when a valid continuity chain is presented.¶
However, a rotation is a trust-relevant event. On observing a counterparty's operational-key rotation, an implementation SHOULD reset any accumulated cross-interaction confidence for that counterparty and require a fresh verification before high-impact actions ([RVP] posture reset). The recognition of the counterparty (the binding) persists; the AUTHORITY to act on it is re-earned. This prevents a silently compromised actor from riding a rotation into a high-stakes action.¶
Conventional PKI treats revocation as a signed statement that a key is no longer valid, published to a list verifiers consult. This creates an asymmetry: a revocation for a STOLEN operational key cannot be trusted if it is signed only by that key, since the adversary now holds it.¶
JIS dissolves this asymmetry by treating revocation as a CAUSAL operation, not a key operation. Because trust in JIS is continuous and causal - each interaction re-attests that it validly follows from the previous one for the current task ([RVP]) - a compromised identity lineage is retired not by getting some key to sign its own death certificate, but by FORKING to a freshly attested lineage and letting the old one expire for lack of a valid continuation:¶
Under continuous re-attestation the suspect lineage cannot produce a valid next step - it can no longer obtain a fresh attestation - so it expires on its own. No signature by the compromised key is required to "prove" the revocation. This is the same property that defeats a sleeper holding a stale but high score: authority comes from the fresh causal continuation, not from an inherited credential.¶
A published revocation record (a "tombstone") remains useful as an explicit, early signal and MAY be issued - cross-signed by the identity anchor or a higher key in the continuity chain, by a guardian or issuer (e.g., parental or organizational control), or via a pre-armed revocation commitment. But the load-bearing mechanism in JIS is the causal fork plus fresh re-attestation, not the tombstone lookup.¶
FIR/A (First Initiation Revoke/Accept) is a four-phase handshake that establishes a bilateral trust relationship. Unlike TLS or OAuth, FIR/A is not just authentication -- it is intent negotiation. Both parties declare what they want, agree on what they can do, and create a cryptographic genesis record that anchors all subsequent interactions.¶
The initiator sends a trust establishment request:¶
{
"type": "fira_init",
"version": "1.1",
"initiator": "jis:service:bank_fraud",
"responder": "jis:human:alice",
"did_public_key": "<base64 Ed25519 public key>",
"intent": "fraud_verification_call",
"humotica": {
"sense": "Transaction flagged by fraud detection",
"context": "EUR 5000 transfer to unrecognized recipient",
"intent": "Verify transaction legitimacy with account holder",
"explanation": "Automated fraud detection on
unusual transfer pattern."
},
"timestamp": "2026-03-29T10:30:00.000Z",
"nonce": "<random 32 bytes, base64>"
}
¶
Required fields: type, version, initiator, responder, did_public_key, intent, humotica, timestamp, nonce.¶
The nonce MUST be cryptographically random and MUST NOT be reused. It provides replay protection.¶
The responder evaluates the initiation request and returns available capabilities and rules:¶
{
"type": "fira_capabilities",
"fira_id": "fira-2026-03-29-bank-alice-7f3a",
"responder": "jis:human:alice",
"did_public_key": "<base64 Ed25519 public key>",
"hid_did_binding": "sha256:4f2e8a...",
"capabilities": ["voice_call", "sms_verification"],
"rules": {
"no_calls_after": "22:00",
"require_caller_id": true,
"max_attempts": 3,
"language": "nl"
},
"timestamp": "2026-03-29T10:30:01.000Z",
"init_nonce": "<echo of initiator nonce>",
"nonce": "<responder random 32 bytes, base64>"
}
¶
The fira_id is generated by the responder and uniquely identifies this trust establishment session.¶
The init_nonce field echoes the initiator's nonce, proving the response is to this specific initiation (not a replay).¶
The initiator accepts the capabilities and confirms the trust relationship:¶
{
"type": "fira_confirm",
"fira_id": "fira-2026-03-29-bank-alice-7f3a",
"accepted_capabilities": ["voice_call"],
"genesis_hash": "sha256:7f3a...c2e1",
"resp_nonce": "<echo of responder nonce>",
"signature": {
"algorithm": "Ed25519",
"value": "<base64 signature over canonical confirm>"
}
}
¶
The genesis_hash is computed as:¶
genesis_hash = SHA-256( canonical(fira_init) || canonical(fira_capabilities) )¶
This binds the trust relationship to the specific messages exchanged. Both parties can independently verify the genesis.¶
After confirmation, both parties have:¶
All subsequent interactions SHOULD reference the fira_id and SHOULD produce TIBET tokens linked to the genesis.¶
FIR/A produces an initial trust score based on the establishment process. The score is between 0.0 and 1.0:¶
Trust scores are LOCAL. Each party computes its own score for the counterparty. Scores are evidence, not assertions. Publishing a trust score does not obligate other parties to accept it.¶
Trust scores adjust over time based on:¶
The exact scoring algorithm is a local policy decision. This document defines the score range and inputs, not the formula.¶
FIR/A establishment MUST fail (and produce evidence) when:¶
Each failure MUST be recorded as a TIBET token with ERACHTER explaining the failure reason.¶
Humotica provides human-readable context for every interaction. The name reflects its focus on empathetic, human-understandable communication.¶
{
"humotica": {
"sense": "What triggered this interaction?",
"context": "What is the current situation?",
"intent": "What does the actor want to achieve?",
"explanation": "Why is this action being taken?"
}
}
¶
Fields:¶
For FIR/A establishment, the Humotica object MUST contain all four fields. Each field MUST be a non-empty string with at least 10 characters.¶
For ongoing interactions within an established FIR/A session, Humotica is RECOMMENDED but not required for every message. When provided, all four fields MUST be present.¶
Implementations MAY perform semantic validation on Humotica context:¶
Semantic validation results are EVIDENCE. They inform trust scoring and risk assessment. They SHOULD NOT be used as binary access control (evidence over enforcement).¶
Note: The -00 version stated that malware "cannot provide legitimate Humotica context." This is an overstatement. A sufficiently sophisticated adversary can craft plausible context. Semantic validation raises the bar for attackers but is not an absolute defense. Defense in depth, combining Humotica with behavioral analysis (RVP [RVP]) and chain integrity (TIBET [TIBET]), provides stronger assurance.¶
Humotica fields map to TIBET provenance components:¶
+---------------------+-------------------+ | Humotica Field | TIBET Component | +---------------------+-------------------+ | sense | ERIN (trigger) | | context | EROMHEEN | | intent | ERIN (intent) | | explanation | ERACHTER | +---------------------+-------------------+¶
When a JIS interaction produces a TIBET token, the Humotica fields SHOULD be distributed across the TIBET components per this mapping.¶
JIS defines intent validation as an evidence-producing mechanism, not an enforcement mechanism. When an intent is evaluated, the result is recorded as evidence in a TIBET token. Whether the action proceeds, is blocked, or requires additional verification is a local policy decision.¶
Implementations SHOULD maintain a configurable list of intent patterns that are flagged for enhanced scrutiny. Examples:¶
Flagged intents SHOULD trigger enhanced verification (NIR, Section 6.4), not silent blocking. The decision to block is a policy choice, not a protocol requirement.¶
BALANS provides multi-factor risk scoring from 0.0 to 1.0.¶
Input factors:¶
The BALANS score is evidence attached to the interaction's TIBET token in EROMHEEN. It does not directly determine access.¶
Suggested thresholds (local policy):¶
NIR (Notify, Identify, Rectify) is a structured dialogue for resolving ambiguous situations instead of silent blocking.¶
NIR produces TIBET tokens at each step, creating an audit trail of the dialogue itself.¶
The fundamental coupling between JIS and TIBET is:¶
Traditional: [Auth] -> [Action] -> [Log] JIS/TIBET: [Identity + Intent] -> [Validate] -> [Action + Audit]¶
In the JIS/TIBET model, the audit record is not a side effect of the action. The identity and intent declaration (JIS) together with the evidence record (TIBET) are architecturally intertwined with the action itself.¶
Each phase of FIR/A produces a TIBET token:¶
The FIR/A genesis_hash is stored in the CONFIRM token's ERAAN, linking the trust relationship to the provenance chain.¶
The -00 version defined a separate "Continuity Chain" with HMAC linking. In -01, this is simplified: the TIBET chain IS the continuity chain. TIBET's hash-chained, signed tokens provide the same tamper-evidence guarantees as the -00 Continuity Chain, without duplicating the mechanism.¶
Implementations that require HMAC-based chain integrity (e.g., for backward compatibility) MAY implement it as an additional layer, but it is not a JIS protocol requirement.¶
For interoperability, FIR/A messages and JIS-annotated interactions MUST be supported as JSON objects over HTTPS. This is the baseline binding.¶
Content-Type: application/jis+json¶
JIS operates over any transport:¶
+-------------+--------------------------------------+ | Protocol | Binding Method | +-------------+--------------------------------------+ | HTTP/REST | Request body or query parameters | | WebSocket | JSON message fields | | MQTT | Topic prefix + payload | | SIP | Message body (application/jis+json) | | Matrix | Event content fields | | CoAP | Payload option | | gRPC | Metadata fields | +-------------+--------------------------------------+¶
The binding method determines how JIS messages are carried. The JIS message format is the same regardless of transport.¶
The HID (Human Identity Key) is the most sensitive element in JIS. Its protection is a core protocol requirement:¶
JIS supports pseudonymous operation. An actor MAY use a pseudonymous identifier (e.g., "jis:human:anon_session_7f3a") when privacy requirements prevent identity disclosure. In pseudonymous mode:¶
Humotica context MAY contain sensitive information. Implementations MUST:¶
Attack: An adversary compromises a device and obtains the DID private key.¶
Impact: The adversary can impersonate the device.¶
Mitigation: HID is separate from DID. Compromising DID does not give the adversary the HID private key or the ability to create valid HID-DID bindings. The adversary cannot prove human association.¶
Deployment: Store DID private keys in hardware secure elements when available. Implement key rotation schedules. Record rotation events as TIBET tokens.¶
Attack: An adversary crafts plausible Humotica context for malicious actions.¶
Impact: The malicious action passes semantic validation.¶
Mitigation: Semantic validation is one layer of defense, not absolute. It raises the cost of attack by requiring contextually appropriate explanations. Combined with behavioral analysis (RVP [RVP]) and chain integrity (TIBET [TIBET]), the overall detection capability is significantly stronger than any single mechanism.¶
Deployment: Do not rely on semantic validation alone. Implement defense in depth. Use BALANS scores as risk signals, not binary gates.¶
Attack: Man-in-the-middle during FIR/A establishment.¶
Impact: Adversary establishes trust with both parties while intercepting communications.¶
Mitigation: FIR/A uses nonce exchange and signed confirmations. The genesis_hash binds the trust relationship to the specific messages exchanged. A MITM who modifies messages produces a different genesis_hash, detectable by either party.¶
Deployment: Implementations SHOULD use TLS for transport security. The FIR/A handshake provides additional application-layer protection.¶
Attack: An actor's DID signing key is compromised.¶
Impact: Adversary can create tokens and FIR/A sessions impersonating the compromised actor.¶
Mitigation: Revocation in JIS is a causal operation, not a key operation (Section 3.5). On compromise, the lineage is forked to a freshly attested branch and promoted by an airlocked dual-context takeover; the compromised lineage is not "proven dead" by a signature (which the adversary could also produce) - under continuous re-attestation ([RVP]) it simply cannot obtain a valid next step and expires. Verifiers therefore do not rely on a revocation-list lookup as the sole defense; they require a fresh causal continuation at point of use.¶
Deployment: Implement automated operational-key rotation on a schedule appropriate to the threat model (Section 3.5). Drive verification from fresh per-task attestation rather than cached trust. Monitor for concurrent use of the same DID from different network locations as a fork/compromise signal.¶
Attack: An adversary replays a valid FIR/A initiation.¶
Impact: Trust relationship established with stale context.¶
Mitigation: FIR/A messages include cryptographic nonces and timestamps. Each phase echoes the previous phase's nonce. Replayed messages will contain stale nonces and timestamps.¶
Deployment: Implementations MUST reject FIR/A messages with timestamps outside a configurable window (RECOMMENDED: 30 seconds). Implementations SHOULD maintain a nonce cache to detect exact replays.¶
Attack: An actor inflates their trust score by generating many low-value interactions.¶
Impact: Artificially high trust enables access to sensitive capabilities.¶
Mitigation: Trust scores are computed locally by each party. The scoring algorithm considers interaction quality (Humotica depth, action significance), not just quantity. This is defined as local policy.¶
Deployment: Weight interaction significance in scoring. Do not assign equal trust value to all interactions. Implement diminishing returns for high-frequency, low-value interactions.¶
This document requests registration of the following media type:¶
Note: The -00 version requested registration of X-JIS-* HTTP headers and a "did:jtel" URI scheme. Both are withdrawn. HTTP header registration is not justified at this stage. The identifier format "jis:" is used as a local convention, not as a registered URI scheme.¶
1. Bank fraud system detects suspicious EUR 5000 transfer.¶
2. Bank initiates FIR/A:¶
{
"type": "fira_init",
"version": "1.1",
"initiator": "jis:service:bank_fraud_dept",
"responder": "jis:human:alice_2025",
"did_public_key": "MCowBQYDK2VwAy...",
"intent": "fraud_verification_call",
"humotica": {
"sense": "EUR 5000 flagged by anomaly detection",
"context": "Transfer to unrecognized recipient,
first tx to this IBAN, outside
normal transfer pattern",
"intent": "Verify with account holder whether
this transaction is authorized",
"explanation": "Standard fraud prevention per
bank policy FP-2026-Q1 s3.2.
Customer contacted to confirm
before processing."
},
"timestamp": "2026-03-29T10:30:00.000Z",
"nonce": "kH7mN2pQ..."
}
¶
3. Alice's device responds with capabilities:¶
4. Bank confirms, genesis_hash computed:¶
5. Bank calls Alice. Call proceeds with TIBET token per exchange. Each message in the call produces:¶
6. Outcome: Alice confirms transaction. TIBET chain: fira_init, fira_caps, fira_confirm, call_start, verification_question, alice_confirms, call_end, transaction_released.¶
Full audit trail: 8 tokens, complete chain, signed by both parties, every step with intent and context.¶
Minimum implementation:¶
Basic plus:¶
Extended plus:¶
This section lists substantive changes from draft-vandemeent-jis-identity-00, which was derived from the JIS v1.0 specification [ZENODO-JIS]:¶
The published -01 is unchanged; these changes are introduced in this revision (-02).¶
The author thanks Codex (codex.aint) for the suite-wide cleanup analysis that informed this revision.¶