Reference
Glossary
Every term, in one sentence. Sorted by where it tends to appear, from identity outward.
- Agent: An AI system that takes actions on behalf of a user or another agent.
- DID: Decentralized Identifier. A globally unique name like did:opena2a:agent:acme/billing that resolves to a document containing public keys and service endpoints.
- DID Document: The signed record returned when a DID is resolved. Holds the verification key and trust/lookup endpoints for the named resource.
- Challenge-response: Proving you hold a private key by signing a fresh random value (a nonce) chosen by the verifier, rather than just asserting a name.
- Capability: A permission an agent declares, written namespace:action, e.g. db:read, api:call.
- Trust score: A 0.0-1.0 value computed from multiple behavioral and provenance signals (AIP defines a 9-factor model).
- Trust level: A discrete classification derived from the trust score and federation rules. ATP uses 0-4 (Blocked → Verified).
- ATX: Agent Trust eXtension. A signed, self-contained credential valid for 7 days; in effect the TLS certificate for agents.
- Content hash: A SHA-256 hash of the exact build artifact. ATX binds an identity to one specific binary, so a tampered binary fails verification.
- Build attestation: A signed record of how an artifact was built: commit, content hash, tool versions, scan results, builder identity.
- Behavioral profile: A checksum of an agent's observed baseline behavior over a window of days, embedded in its ATX.
- Trust authority: A server that issues, cosigns, logs and revokes trust credentials. The CA of the agent world.
- Transparency log: An append-only RFC 6962 Merkle tree recording every issuance and revocation, auditable by independent monitors.
- Signed Tree Head (STH): A signed snapshot of the transparency log's root hash and size, published on a fixed cadence.
- Inclusion proof: A short set of hashes proving that a specific entry is in the log, checkable without downloading the whole log.
- Consistency proof: A proof that a newer version of the log contains everything the older one did, i.e. that it is genuinely append-only.
- Revocation / CRL: Invalidating a credential before it expires. ATP distributes a Certificate Revocation List, push-propagated in under 60 seconds.
- Grant reference: An abstract grant://name that an agent emits instead of a secret. It encodes no backend, credential, or resolution mode.
- Broker: AAP's local, operator-controlled enforcement point. It verifies the ATX, applies policy, resolves a scoped credential, runs the operation, and returns only the result.
- Ephemeral worker: An isolated process in which a scoped credential may briefly exist to perform an operation. The credential never enters the agent.
- Trust class: A capability expressed abstractly (db:read) that names what an agent is trusted to do, never a backend, host, or vendor.
- FGA: Fine-Grained Authorization. AIM's 5-step check: capability → attribute → context → delegation chain → intent.
- Ed25519: A fast, widely used elliptic-curve signature algorithm. The classical signature on OpenA2A credentials.
- ML-DSA-65: A NIST-standardized post-quantum signature scheme (FIPS 204). Carried alongside Ed25519 so credentials remain secure against quantum adversaries.
- Hybrid signature: Signing with both a classical (Ed25519) and a post-quantum (ML-DSA-65) algorithm, so the credential stays sound as long as either algorithm remains unbroken.
- JCS / RFC 8785: JSON Canonicalization Scheme, a deterministic way to serialize JSON so that a signature over it is reproducible.
- Federation: Multiple independent authorities cosigning and recognizing each other's credentials, so no single operator is a point of failure.
- AIM: Agent Identity Management. The reference platform implementing AIP, ATX, ATP, AAP and did:opena2a.
- SOUL.md: An agent's behavioral governance file (per ABGS), a human-readable Markdown contract for what it will and won't do.
- Kill chain: The ordered stages of an attack. The Agent Threat Matrix uses 9 tactics; breaking the chain at any stage stops the attack.
- Tactic / Technique: In the Threat Matrix, a tactic is an attacker goal (a kill-chain stage); a technique (T-XYYY) is a specific way to achieve it.
- Evidence tier: How strongly a Threat Matrix technique is backed: observed (in the wild), validated (in a lab), or adapted (from traditional security).
- AIIS signature: A YARA-style detection rule for an AI prompt injection or an exposed AI service, in an open, shareable format.
- Detection coverage: What OASB measures: the fraction of known attacks a security tool catches, expressed as recall, precision, F1 and false-positive rate.
- Semantic convention: An agreed set of telemetry field names (e.g. fga.outcome) so that any observability tool understands the data without custom wiring.