
Three-Party Signatures

APIS-002

The three-party signature model provides non-repudiation and a clear chain of custody for autonomous actions: each layer is signed by a different key holder, so the evidence that an action was authorized never rests on a single party.

  1. Issuer signature on passport
  2. Principal signature on mandate
  3. Delegate signature on action request

APIS v2.0 verification also evaluates Machine Passport linkage, trust tier evidence, issuer JWKS, status endpoint output, and credential-chain validity.

Signature Layers

Layer 1: Issuer

  • Target: Agent Passport™
  • Purpose: asserts delegate identity and issuer trust origin

Layer 2: Principal

  • Target: Mandate
  • Purpose: proves explicit authorization from accountable owner

Layer 3: Delegate

  • Target: Runtime action
  • Purpose: proves the acting agent key executed this request

Cryptographic Standards

  • Preferred algorithm: EdDSA (Ed25519)
  • Signature format: JWS Compact Serialization
  • Canonicalization: RFC 8785 (JSON Canonicalization Scheme), applied to the JSON payload before signing so that signer and verifier operate on identical bytes

Verification Sequence

verify_delegate_signature(action)
verify_principal_signature(mandate)
verify_issuer_signature(passport)
verify_machine_passport(passport.machine_passport_id)
verify_trust_tier(policy.minimum_trust_tier)
verify_mandate_scope(action, mandate)
verify_passport_status(passport_did, revocation_nonce)

Fail closed on any failed check: the action is accepted only when all seven checks pass. In particular, a delegate signature that verifies in the first step proves nothing on its own until the issuer-signed passport in the third step confirms the key it was verified against, and a valid mandate proves nothing unless it names the same delegate the passport identifies.
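As an added example, not code from the APIS project or from this page, the following Go program implements the three signature layers with the standard-library Ed25519 package and a hand-rolled JWS Compact Serialization, then runs the signature, linkage and scope checks of the sequence above. The DIDs, key IDs and claim names (sub, delegate_pub, delegate, scope, action, nonce) are placeholders assumed for illustration, not APIS field names; the sample credentials are constructed in main with freshly generated keys. The checker walks the layers from the issuer inward because it reads the delegate key out of the passport payload, which reaches the same result as the listed order since every check must pass. The Machine Passport, trust tier, JWKS and status-endpoint checks are not modelled here, and canonicalization is simplified as noted in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
)

var b64 = base64.RawURLEncoding

// signJWS returns a JWS Compact Serialization signed with EdDSA (Ed25519).
// Assumption: json.Marshal (sorted keys, no whitespace) equals RFC 8785 output
// for the plain string claims used here; real numbers and <, >, & need full JCS.
func signJWS(priv ed25519.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// verifyJWS pins alg to EdDSA and uses the key the caller resolved (never one named in the token).
func verifyJWS(token string, pub ed25519.PublicKey) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed compact serialization")
	}
	hdrRaw, e1 := b64.DecodeString(p[0])
	plRaw, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("bad segment encoding or alg is not EdDSA")
	}
	if !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(plRaw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func str(v any) string { s, _ := v.(string); return s }

// verifyChain checks the three layers and fails closed on any defect. The claim
// names (sub, delegate_pub, delegate, scope, action) are this example's own.
func verifyChain(actionJWS, mandateJWS, passportJWS string, issuerPub, principalPub ed25519.PublicKey) error {
	// Layer 1: the issuer signature binds the delegate DID to its public key.
	passport, err := verifyJWS(passportJWS, issuerPub)
	if err != nil {
		return fmt.Errorf("passport: %w", err)
	}
	keyRaw, err := b64.DecodeString(str(passport["delegate_pub"]))
	if err != nil || len(keyRaw) != ed25519.PublicKeySize {
		return errors.New("passport: missing or malformed delegate_pub")
	}
	// Layer 2: the principal signature authorizes that same delegate for a scope.
	mandate, err := verifyJWS(mandateJWS, principalPub)
	if err != nil {
		return fmt.Errorf("mandate: %w", err)
	}
	if sub := str(passport["sub"]); sub == "" || str(mandate["delegate"]) != sub {
		return errors.New("mandate: delegate does not match passport subject")
	}
	// Layer 3: only the passport-bound key may sign, and the action must be in scope.
	action, err := verifyJWS(actionJWS, ed25519.PublicKey(keyRaw))
	if err != nil {
		return fmt.Errorf("action: %w", err)
	}
	want := str(action["action"])
	if want == "" || !slices.Contains(strings.Fields(str(mandate["scope"])), want) {
		return errors.New("action: outside mandate scope")
	}
	return nil
}

// main builds a constructed chain (fresh keys, placeholder DIDs) and exercises it.
func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	principalPub, principalPriv, _ := ed25519.GenerateKey(rand.Reader)
	delegatePub, delegatePriv, _ := ed25519.GenerateKey(rand.Reader)
	passport, _ := signJWS(issuerPriv, "issuer-1", map[string]any{"iss": "did:example:issuer",
		"sub": "did:example:agent-7", "delegate_pub": b64.EncodeToString(delegatePub)})
	mandate, _ := signJWS(principalPriv, "alice-1", map[string]any{"principal": "did:example:alice",
		"delegate": "did:example:agent-7", "scope": "invoice:read invoice:list"})
	ok, _ := signJWS(delegatePriv, "agent-7", map[string]any{"action": "invoice:read", "nonce": "7f3c"})
	bad, _ := signJWS(delegatePriv, "agent-7", map[string]any{"action": "invoice:pay", "nonce": "7f3d"})
	fmt.Println("in scope:    ", verifyChain(ok, mandate, passport, issuerPub, principalPub))
	fmt.Println("out of scope:", verifyChain(bad, mandate, passport, issuerPub, principalPub))
}
```

Run it with go run; the first line prints nil and the second a scope error. Two design choices carry the security weight: verifyJWS takes the verification key from the caller and rejects any alg other than EdDSA, so a token cannot point the verifier at a key or algorithm of the attacker's choosing (the classic alg-confusion and key-substitution attacks on JWS), and the delegate key is only ever taken from the issuer-signed passport, so a correct signature from an unvouched key fails at layer 3 even though the bytes verify.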

Why It Matters

This model gives verifiers immediate answers to:

  • Which identity key signed this action?
  • Which principal authorized that identity?
  • Which trusted issuer vouched for it?

That evidence is required for production-grade incident response and audit.