// Signing Flow
Every message passes through Ed25519 signing with JCS canonicalization
// Verification Pipeline
Five-step verification ensures every message is authentic, fresh, and untampered
Parse Envelope
Extract message structure, validate JSON schema
Resolve DID
Look up sender's DID document, retrieve public key
Canonicalize
JCS-canonicalize the message body for deterministic bytes
Verify Signature
Ed25519 signature verification against canonical bytes
Check Freshness
Validate timestamp window, nonce uniqueness, expiration
// Security Features
Defense-in-depth approach to agent communication security
JCS Canonicalization
JSON Canonicalization Scheme ensures deterministic serialization before signing. No ambiguity, no canonicalization attacks.
Replay Protection
Unique message IDs + timestamp windows + nonce tracking prevent replay attacks. Each message is verified fresh.
Key Rotation
Agents can rotate their signing keys with signed rotation announcements. Old keys are gracefully deprecated.
DID-based Identity
Decentralized Identifiers anchor agent identity. No central authority, no single point of failure.
Forward Secrecy
X25519 key agreement with ratcheting ensures past messages stay secure even if long-term keys are compromised.
Zero-Knowledge Proofs
Planned support for ZK-based credential verification — prove capabilities without revealing identity.