deploy: b844c4d

Author: naory

spec/architecture/actors/index.html

@@ -2129,6 +2129,7 @@ <h2 id="vehicle-wallet-machine-wallet">Vehicle Wallet (Machine Wallet)</h2>
 <p>The wallet is the MPCP actor that signs SignedBudgetAuthorizations. Settlement is executed by the Trust Gateway.</p>
 <blockquote>
 <p><strong>Note on Actor Identity:</strong> The <code>actorId</code> field in SBA artifacts is self-reported by the wallet. Production deployments SHOULD establish actor attestation via device key binding (e.g., a hardware-backed key whose public key is registered with the fleet operator). Without attestation, <code>actorId</code> cannot be cryptographically verified and is informational only.</p>
+<p><strong>Per-agent keys (SHOULD):</strong> Each vehicle or agent SHOULD have a unique SBA signing key. Shared keys prevent isolation of a compromised agent — revoking the shared key disrupts all agents using it. For XRPL deployments, the fleet operator SHOULD issue an XLS-70 Credential to each agent's account (<code>CredentialType = hex("mpcp:fleet-agent")</code>). The PolicyGrant can bind to the agent via <code>subjectCredentialIssuer</code> and <code>subjectCredentialType</code>. On compromise of one agent, the operator deletes that agent's credential — other agents are unaffected. See <a href="../../protocol/PolicyGrant/#subject-attestation">Subject Attestation</a>.</p>
 </blockquote>
 <h2 id="ai-agent">AI Agent</h2>
 <p>An AI agent acting under human authorization, using MPCP to bound its spending authority.</p>
@@ -2178,7 +2179,8 @@ <h2 id="ai-agent">AI Agent</h2>
 <p><strong>Examples:</strong> Travel booking agent, subscription manager, event budget agent.</p>
 <blockquote>
 <p>The <code>actorId</code> field in SBA artifacts is used for agent identity (e.g. <code>"ai-trip-planner-v2"</code>).
-Agent attestation follows the same key binding recommendations as vehicle wallets.</p>
+Agent attestation follows the same per-agent key and XRPL Credential recommendations as
+vehicle wallets. See <a href="../../protocol/PolicyGrant/#subject-attestation">Subject Attestation</a>.</p>
 </blockquote>
 <h2 id="trust-gateway">Trust Gateway</h2>
 <p>A mandatory online enforcement actor in MPCP's XRPL profile. The Trust Gateway holds the

spec/protocol/PolicyGrant/index.html

@@ -1686,6 +1686,67 @@
       </ul>
     </nav>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#subject-attestation" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Subject Attestation
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Subject Attestation">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#overview_2" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Overview
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#per-agent-signing-keys-should" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Per-Agent Signing Keys (SHOULD)
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#xrpl-credential-based-subject-attestation-should-for-xrpl-deployments" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        XRPL Credential-Based Subject Attestation (SHOULD for XRPL deployments)
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#error-code_1" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Error Code
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 
         <li class="md-nav__item">
@@ -2671,6 +2732,67 @@
       </ul>
     </nav>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#subject-attestation" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Subject Attestation
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Subject Attestation">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#overview_2" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Overview
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#per-agent-signing-keys-should" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Per-Agent Signing Keys (SHOULD)
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#xrpl-credential-based-subject-attestation-should-for-xrpl-deployments" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        XRPL Credential-Based Subject Attestation (SHOULD for XRPL deployments)
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#error-code_1" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Error Code
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 
         <li class="md-nav__item">
@@ -2916,6 +3038,18 @@ <h3 id="policygrant-payload">PolicyGrant (payload)</h3>
 <td>Hex-encoded credential type that approved merchants must hold (e.g. <code>hex("mpcp:approved-merchant")</code>). Used with <code>merchantCredentialIssuer</code>.</td>
 </tr>
 <tr>
+<td>subjectCredentialIssuer</td>
+<td>string</td>
+<td>optional</td>
+<td>XRPL address of the credential issuer that attests the subject's identity. When present, the gateway SHOULD verify on-chain that <code>subjectId</code>'s XRPL account holds a valid credential from this issuer. See <strong>Subject Attestation</strong> section below.</td>
+</tr>
+<tr>
+<td>subjectCredentialType</td>
+<td>string</td>
+<td>optional</td>
+<td>Hex-encoded credential type the subject must hold (e.g. <code>hex("mpcp:fleet-agent")</code>). Used with <code>subjectCredentialIssuer</code>.</td>
+</tr>
+<tr>
 <td>offlineMaxSinglePayment</td>
 <td>string</td>
 <td>optional</td>
@@ -3324,6 +3458,73 @@ <h3 id="error-codes">Error Codes</h3>
 </tbody>
 </table>
 <hr />
+<h2 id="subject-attestation">Subject Attestation</h2>
+<h3 id="overview_2">Overview</h3>
+<p>The <code>subjectId</code> field identifies the entity receiving the grant (vehicle, agent, wallet). By
+default, <code>subjectId</code> is self-reported and informational only — it cannot be cryptographically
+verified. This means a compromised agent sharing a signing key with other agents can issue SBAs
+that appear to come from any agent in the fleet.</p>
+<p><strong>Problem:</strong> When multiple agents share the same SBA signing key, revoking a compromised
+agent's grant affects all agents using that key. The fleet operator cannot isolate the
+compromised agent without disrupting the entire fleet.</p>
+<h3 id="per-agent-signing-keys-should">Per-Agent Signing Keys (SHOULD)</h3>
+<p>Each agent or vehicle wallet SHOULD have a <strong>unique SBA signing key</strong>. This ensures:</p>
+<ul>
+<li>Revoking one agent's grant does not affect other agents</li>
+<li>SBAs can be attributed to a specific agent for audit purposes</li>
+<li>Compromised agents can be isolated without fleet-wide disruption</li>
+</ul>
+<p>Fleet operators SHOULD register each agent's public key in the Trust Bundle or JWKS endpoint
+under a unique <code>kid</code> that includes the agent identity (e.g. <code>"sba-key:vehicle-1284"</code>).</p>
+<h3 id="xrpl-credential-based-subject-attestation-should-for-xrpl-deployments">XRPL Credential-Based Subject Attestation (SHOULD for XRPL deployments)</h3>
+<p>For XRPL deployments, the fleet operator or PA SHOULD issue an on-chain credential to each
+agent's XRPL account using XLS-70 Credentials:</p>
+<ul>
+<li><code>Issuer</code> = Fleet operator's or PA's XRPL address</li>
+<li><code>Subject</code> = Agent's XRPL account</li>
+<li><code>CredentialType</code> = hex-encoded type (e.g. <code>hex("mpcp:fleet-agent")</code> or
+  <code>hex("mpcp:authorized-agent")</code>)</li>
+</ul>
+<p>The PolicyGrant binds to the specific agent via:</p>
+<ul>
+<li><code>subjectCredentialIssuer</code> — the XRPL address of the credential issuer</li>
+<li><code>subjectCredentialType</code> — the hex-encoded credential type</li>
+</ul>
+<p><strong>Gateway enforcement (SHOULD):</strong> Before accepting SBAs from an agent, the gateway SHOULD
+verify on-chain that the agent's account holds a valid, non-expired credential matching the
+grant's <code>subjectCredentialIssuer</code> and <code>subjectCredentialType</code>:</p>
+<div class="highlight"><pre><span></span><code>if PolicyGrant.subjectCredentialIssuer is present:
+    credential = lookupCredential(
+        subject: agent.xrplAddress,
+        issuer:  PolicyGrant.subjectCredentialIssuer,
+        type:    PolicyGrant.subjectCredentialType
+    )
+    if credential does not exist or is expired:
+        → reject with SUBJECT_NOT_ATTESTED
+</code></pre></div>
+<p><strong>Isolation on compromise:</strong> When a single agent is compromised, the fleet operator:</p>
+<ol>
+<li>Deletes the agent's on-chain credential via <code>CredentialDelete</code></li>
+<li>The gateway rejects further SBAs from that agent (credential check fails)</li>
+<li>Other agents' credentials are unaffected — they continue operating normally</li>
+<li>No grant reissuance needed for uncompromised agents</li>
+</ol>
+<h3 id="error-code_1">Error Code</h3>
+<table>
+<thead>
+<tr>
+<th>Code</th>
+<th>Meaning</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>SUBJECT_NOT_ATTESTED</code></td>
+<td><code>subjectCredentialIssuer</code> is set but the agent does not hold a matching on-chain credential</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h2 id="summary">Summary</h2>
 <p>PolicyGrant establishes the <strong>policy boundary</strong> for machine payments.</p>
 <p>It ensures that downstream SBA artifacts are always derived from a <strong>validated policy evaluation</strong>.</p>

spec/protocol/mpcp/index.html

@@ -2431,6 +2431,15 @@ <h3 id="destination-forgery-agent-compromise">Destination Forgery (Agent Comprom
 before settling. For deployments requiring dynamic merchant management, the PA can issue XRPL
 Credentials (XLS-70) to approved merchants and reference them via <code>merchantCredentialIssuer</code>
 and <code>merchantCredentialType</code> on the PolicyGrant. See <a href="../PolicyGrant/#destination-enforcement">PolicyGrant — Destination Enforcement</a>.</p>
+<h3 id="agent-sba-signing-key-compromise">Agent SBA Signing Key Compromise</h3>
+<p>If an agent's SBA signing key is compromised, the attacker can forge SBAs up to the remaining
+budget. Exposure is bounded by the grant's <code>budgetMinor</code> and <code>expiresAt</code>. However, if multiple
+agents share the same signing key, revoking the compromised key disrupts the entire fleet.</p>
+<p><strong>Mitigations:</strong> Each agent SHOULD have a unique signing key. For XRPL deployments, the fleet
+operator SHOULD issue an XLS-70 Credential to each agent's account. The PolicyGrant binds to
+the agent via <code>subjectCredentialIssuer</code> and <code>subjectCredentialType</code>. On compromise, the
+operator deletes that agent's credential — other agents are unaffected. See
+<a href="../PolicyGrant/#subject-attestation">PolicyGrant — Subject Attestation</a>.</p>
 <h3 id="cumulative-budget-overspend">Cumulative Budget Overspend</h3>
 <p>The Trust Gateway is stateless and checks only that the current payment amount does not exceed <code>SBA.maxAmountMinor</code>. It does not track prior payments in the session.</p>
 <p><strong>Session authority responsibility:</strong> The session authority MUST maintain a running total of amounts spent within the budget scope and MUST only issue new SBAs within the remaining authorized envelope.</p>
@@ -2710,6 +2719,10 @@ <h1 id="error-codes">Error Codes</h1>
 <td><code>merchantCredentialIssuer</code> is set but destination does not hold a matching on-chain credential</td>
 </tr>
 <tr>
+<td>SUBJECT_NOT_ATTESTED</td>
+<td><code>subjectCredentialIssuer</code> is set but the agent does not hold a matching on-chain credential</td>
+</tr>
+<tr>
 <td>SCOPE_UNSUPPORTED</td>
 <td>Authorization scope is not supported by the verifier</td>
 </tr>