OpenA2A /specs

For people who know the web

Mapped to PKI & the web

OpenA2A invents very little. Almost every piece corresponds to something that already secures the internet. If you know how a padlock works, you already know most of this; here is the dictionary.

The whole system in one table

The web you already trust                           | OpenA2A for agents
----------------------------------------------------+-----------------------------------------------------------------
Domain name (example.com)                           | DID [did:opena2a] (did:opena2a:agent:acme/billing)
DNS lookup (name → address)                         | DID resolution [did:opena2a] (name → public key + endpoints)
TLS handshake (prove key possession)                | Challenge-response [AIP] (sign a random nonce)
Certificate Authority (DigiCert, Let's Encrypt)     | Trust authority [ATP] (issues & cosigns credentials)
TLS / X.509 certificate (identifies a server)       | ATX credential [ATX] (identifies an agent + its behavior)
Certificate Transparency (RFC 6962 Merkle log)      | Transparency log [ATP] (the same Merkle log)
CRL / OCSP (revocation check)                       | Federated CRL [ATP] (push-propagated in < 60 s)
OAuth 2.0 token exchange (RFC 8693, scoped tokens)  | grant:// + broker [AAP] (secret never enters the agent)
IAM / identity provider (Okta, Entra)               | AIM [AIM] (issues & enforces everything)

Protocol tags in brackets name the OpenA2A spec that defines each piece.
Same guarantees, same standards, re-pointed from domains and servers to agents.

ATX is a TLS certificate, almost literally

The clearest analogy in the whole family. A TLS certificate is a signed statement, issued by a CA, that a given public key belongs to a given domain, and your browser checks it locally without phoning the CA on every page load. ATX is the same artifact for agents, with a few deliberate upgrades:

TLS certificate                  | ATX credential
---------------------------------+------------------------------------------------------------------
Identifies a domain              | Identifies an agent build (bound to a content hash)
Identity only                    | Carries behavior too (scan results, capabilities, profile)
Valid 90 days to 1 year          | Valid 7 days (short life forces a re-scan)
Classical signature              | Hybrid Ed25519 + ML-DSA-65 (post-quantum on day one)
Checked locally + OCSP           | Checked locally + cached CRL (~2 ms, no authority on the path)
If you trust the padlock in your address bar, you already understand ATX.
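To make the "checked locally, no authority on the path" claim concrete, here is an added example (not OpenA2A's own code or format) of what a relying party does with an ATX-style credential: verify the issuer's signature, compare the bound content hash against the build actually running, enforce the 7-day window, and consult a CRL that was pushed earlier and cached. The credential layout, field names and the HMAC used in place of the hybrid Ed25519 + ML-DSA-65 signature are assumptions made so the example runs on the standard library; the order of checks is the point.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the issuer's signing key. A real ATX credential carries
# a hybrid Ed25519 + ML-DSA-65 signature; an HMAC is used here only so the example
# runs on the standard library. The shape of the check is what this example shows.
ISSUER_KEY = b"constructed-issuer-key-not-real"
SEVEN_DAYS = 7 * 24 * 3600


def content_hash(build_bytes: bytes) -> str:
    """Agent identity is per-build: the credential binds to a hash of the artifact."""
    return hashlib.sha256(build_bytes).hexdigest()


def _sign(body: dict) -> str:
    # Canonical serialization so issuer and verifier hash identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_credential(agent_did, build_bytes, issued_at, capabilities, scan):
    """Issuer side: bind DID + build hash + behavior to a 7-day validity window."""
    chash = content_hash(build_bytes)
    serial = hashlib.sha256(f"{agent_did}|{chash}|{issued_at}".encode()).hexdigest()[:16]
    body = {
        "sub": agent_did,
        "serial": serial,                    # what a CRL entry refers to
        "content_hash": chash,
        "nbf": issued_at,
        "exp": issued_at + SEVEN_DAYS,       # short life forces a re-scan on renewal
        "capabilities": capabilities,
        "scan": scan,                        # behavior travels with identity
    }
    return {"body": body, "sig": _sign(body)}


def verify_credential(cred, build_bytes, cached_crl, now):
    """Relying-party side. Returns (ok, reason). Every step is local: the issuer
    is never contacted, and revocation comes from a CRL cached before this call."""
    body = cred["body"]
    # 1. Signature first, so every field read below is known to be authentic.
    if not hmac.compare_digest(_sign(body), cred["sig"]):
        return False, "bad signature"
    # 2. The running build must be the build that was scanned and credentialed.
    if body["content_hash"] != content_hash(build_bytes):
        return False, "content hash mismatch"
    # 3. Validity window (exp is exclusive).
    if not body["nbf"] <= now < body["exp"]:
        return False, "outside validity window"
    # 4. Revocation against the locally cached CRL (a set of revoked serials).
    if body["serial"] in cached_crl:
        return False, "revoked"
    return True, "ok"
```

A tampered build, an expired credential, a revoked serial and an edited capability list each fail at a different step, and none of those failures needs a network round trip.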

ATP's log is Certificate Transparency

After a CA mis-issued certificates, the web added Certificate Transparency: every certificate is written to a public, append-only Merkle log that independent monitors audit, so mis-issuance cannot stay hidden. ATP adopts this directly, same RFC 6962 tree, same Signed Tree Heads, same inclusion and consistency proofs, for trust assertions about agents.

Key idea

Why this matters for agents specifically

Trust you cannot audit is trust you have to take on faith. By logging every issuance and revocation, ATP makes it impossible for an authority to quietly grant a malicious agent a high trust level without leaving a permanent, public, tamper-evident record.

AAP is OAuth, with the secret amputated

OAuth token exchange (RFC 8693) lets one party swap an identity assertion for a narrowly-scoped access token. AAP's broker does exactly that, but adds the rule OAuth never needed, because OAuth clients aren't language models: the resulting token must never reach the agent. The agent gets the result of the action; the broker keeps the credential behind a trust boundary.

Where the analogy breaks (on purpose)

  • Certificates don't describe behavior. ATX does, because an agent's risk is in what it does, not just who it is.
  • OAuth assumes the client can hold a token. AAP assumes the opposite, because a persuadable model is a leaky vault.
  • Web identity is per-domain. Agent identity is per-build, bound to a content hash, so a tampered binary fails verification.

Everywhere else, the lesson is the same: this is the web's own security model, carefully re-aimed at software that thinks.