Trust Registry for AI Identity Layer
TRAIL (Trust Registry for AI Identity Layer) is an open cryptographic trust protocol for AI systems and autonomous agents operating in B2B commerce environments.
As AI agents increasingly act on behalf of organizations — negotiating contracts, providing advice, executing decisions — there is no infrastructure to answer the fundamental question: "Can I trust this AI system?"
TRAIL solves this by providing:
- Decentralized Identifiers (`did:trail`) for AI systems and the organizations behind them
- Verifiable Credentials attesting to AI identity, policy, and behavior standards
- Revocation mechanisms that create real economic consequences for misuse
- 3-Tier Trust Model — from local self-signed verification to fully audited registry credentials
- Support for organizational EU AI Act compliance alignment (Articles 13, 14, 26, 49, 52)
TRAIL is not a blockchain. It builds on established web infrastructure (W3C DID Core 1.0, VC 2.0, Ed25519) — the same standards that underpin Europe's eIDAS 2.0 digital identity infrastructure.
```bash
# Install
npm install @trailprotocol/core
# Generate an Ed25519 keypair
npx @trailprotocol/core keygen
# Create a self-signed DID (works offline, no registry needed)
npx @trailprotocol/core did create --mode self
# Resolve a self-signed DID
npx @trailprotocol/core did resolve did:trail:self:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
```

```javascript
import {
  generateKeyPair,
  createSelfDid,
  createOrgDid,
  TrailResolver,
  createSelfSignedCredential,
  verifyCredential,
} from '@trailprotocol/core';

// Generate keys
const keys = generateKeyPair();

// Create DIDs
const selfDid = createSelfDid(keys.publicKeyMultibase);
const orgDid = createOrgDid('ACME Corporation', keys.publicKeyMultibase);

// Resolve (self-mode works offline)
const resolver = new TrailResolver();
const result = await resolver.resolve(selfDid);
console.log(result.didDocument);

// Create and verify a credential
const vc = createSelfSignedCredential(selfDid, orgDid, { role: 'operator' }, keys.privateKeyBytes);
const verification = verifyCredential(vc, keys.publicKeyBytes);
console.log(verification.valid); // true
```

```
did:trail:org:acme-corp-a7f3b2c1e9d04f5a
did:trail:agent:sales-assistant-e4d8f1a9b3c57d2e
did:trail:self:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
```
A did:trail DID uniquely identifies either:
- An organization (`org`) operating AI systems — with content-addressable hash suffix
- A specific AI agent (`agent`) operated by a registered organization — with hash suffix
- A self-signed identity (`self`) for local verification — using the public key as identifier
| Tier | Mode | Verification | Use Case |
|---|---|---|---|
| 0 | `self` | Cryptographic proof only | Development, testing, early adoption |
| 1 | `org`/`agent` | Registry + KYB verification | Production B2B |
| 2 | `org`/`agent` | Registry + KYB + independent audit | Regulated industries |
```
trail-did-method/
├── README.md                       <- This file
├── LICENSE                         <- CC BY 4.0 (spec) + MIT (code)
├── CONTRIBUTING.md                 <- How to contribute
├── CODE_OF_CONDUCT.md              <- Community standards + AI-specific ethics
├── ETHICS.md                       <- Ethical principles guiding protocol design
├── GOVERNANCE.md                   <- Decision-making, roles, dispute resolution
├── spec/
│   └── did-method-trail-v1.md      <- Complete DID Method Specification (v1.2.0-draft)
├── packages/
│   └── trail-core/                 <- @trailprotocol/core — reference implementation
│       ├── src/                    <- TypeScript source (zero runtime dependencies)
│       ├── bin/                    <- CLI tool
│       └── test/                   <- End-to-end tests
├── methods/
│   └── trail.json                  <- W3C DID Registry submission file
├── examples/
│   ├── org-did-document.json       <- Example org DID Document
│   ├── agent-did-document.json     <- Example agent DID Document
│   └── self-did-document.json      <- Example self-signed DID Document
└── .github/
    └── ISSUE_TEMPLATE/             <- Issue templates
```
The full TRAIL Protocol Technical Whitepaper v1.0 is available at trailprotocol.org/whitepaper (CC BY 4.0). It covers the complete architecture, cryptographic design, CA infrastructure, Trust Badge widget, and EU AI Act compliance mapping.
The full did:trail DID Method Specification v1.2.0-draft is available in spec/did-method-trail-v1.md.
Key sections:
- DID Method Syntax — including content-addressable hash suffixes
- DID Document Structure
- CRUD Operations — with DID-based authentication
- Trust Extensions — 3-Tier Trust Model, transparent Trust Score
- Security Considerations — including Key Recovery
- Governance — dispute resolution, registry operator requirements
TRAIL is being developed as an open community standard in coordination with:
- Decentralized Identity Foundation (DIF) - TRAIL is presented in the Trusted AI Agents Working Group (TAAWG) for peer review and alignment with the broader DID ecosystem.
- W3C Credentials Community Group (CCG) - Discussion of `did:trail` in the context of W3C standards. Mailing list: public-credentials@w3.org
We welcome critique, co-maintainers, and interoperability proposals from both communities.
The methods/trail.json file in this repository is submitted for inclusion in the W3C DID Extensions.
Status: PR #669 submitted
- Open Protocol — The protocol itself is free and open. Trust comes from transparency.
- Standards-based — Built on W3C DID Core 1.0, VC 2.0, Ed25519 — no proprietary dependencies.
- Vendor-neutral — Registry infrastructure supports federation; no single operator lock-in.
- Regulation-ready — Designed to support organizational EU AI Act (2027) and eIDAS 2.0 compliance.
- Graduated trust — Start with `did:trail:self:` (Tier 0) without any registry. Graduate to full registration when ready.
| Standard | Relationship |
|---|---|
| W3C DID Core 1.0 | Foundation — did:trail IS a DID method |
| W3C VC 2.0 | TRAIL issues VCs conforming to this standard |
| OpenID4VC (OID4VC) | Complementary — OID4VC handles credential exchange; TRAIL provides trust layer |
| eIDAS 2.0 / EUDIW | Future integration target — TRAIL credentials can be embedded in EUDIW-compatible wallets |
| EU AI Act (2024/1689) | Regulatory driver — TRAIL supports compliance with Art. 13, 14, 26, 49, 52 |
Platform-hosted AI agents (Anthropic Managed Agents, Azure AI, Google Vertex) challenge a core assumption of the current spec: that an agent has a stable, persistent identity and can directly create its own DID.
In practice, platform agents are dynamically provisioned per session — no persistent running instance, no direct registry access. The persistent entity is the deployment (a configuration), not the running instance.
did:trail v1.2 introduces two spec extensions to address this:
A new identifier mode for agent deployments registered by the deploying organization:
```
did:trail:agent:{deployment-suffix}
```

- Registered by the deployer organization (which holds a `did:trail:org:*` DID)
- Represents one deployment configuration across all its instances
- Lifecycle tied to the active deployment, not individual sessions
- Linked to the deployer's org DID via `trail:parentOrganization`
A new VC type (PlatformIdentityBinding) that links a platform's internal deployment ID to a did:trail:agent DID — signed by the deployer, not the platform.
```json
{
  "type": ["VerifiableCredential", "PlatformIdentityBinding"],
  "issuer": "did:trail:org:acme-corp-eu-a7f3b2c1e9d0",
  "credentialSubject": {
    "id": "did:trail:agent:acme-sales-agent-v2-de-3f8c",
    "platformIdentity": {
      "platform": "anthropic",
      "deploymentId": "managed-agent-deployment-abc",
      "attestedBy": "did:trail:org:acme-corp-eu-a7f3b2c1e9d0"
    }
  }
}
```

This design means no platform cooperation is required for external audit. A BaFin auditor verifying an EU AI Act Art. 12 audit trail does not need to contact Anthropic, Azure, or Google. The deploying organization attests the binding from its own accountability — consistent with the Tier 1 KYB model already in the spec.
The same pattern works across all platforms without platform-specific code in the spec.
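A verifier-side structural check for the `PlatformIdentityBinding` credential described above, as an added example that is not part of `@trailprotocol/core` or the spec. It checks only who is bound to what (signature verification is a separate step, e.g. `verifyCredential` from the quick start); the DID pattern and the rule that `attestedBy` must equal the issuer are assumptions drawn from the examples on this page.

```javascript
// Added example, not part of @trailprotocol/core.
// ASSUMPTION: loose pattern standing in for the DID grammar in the spec.
const TRAIL_DID = /^did:trail:(org|agent|self):([A-Za-z0-9][A-Za-z0-9-]*)$/;

function parseTrailDid(did) {
  const m = typeof did === 'string' ? TRAIL_DID.exec(did) : null;
  return m ? { mode: m[1], id: m[2] } : null;
}

// Returns a list of problems; an empty list means the binding is well-formed.
function checkPlatformBinding(vc) {
  const problems = [];
  const types = Array.isArray(vc.type) ? vc.type : [];
  for (const t of ['VerifiableCredential', 'PlatformIdentityBinding']) {
    if (!types.includes(t)) problems.push(`type is missing ${t}`);
  }
  // VC 2.0 allows issuer to be a string or an object with an id.
  const issuerId = vc.issuer && typeof vc.issuer === 'object' ? vc.issuer.id : vc.issuer;
  const issuer = parseTrailDid(issuerId);
  if (!issuer || issuer.mode !== 'org') problems.push('issuer is not a did:trail:org DID');
  const subject = vc.credentialSubject || {};
  const agent = parseTrailDid(subject.id);
  if (!agent || agent.mode !== 'agent') problems.push('subject is not a did:trail:agent DID');
  const pi = subject.platformIdentity || {};
  for (const field of ['platform', 'deploymentId']) {
    if (typeof pi[field] !== 'string' || pi[field] === '') {
      problems.push(`platformIdentity.${field} is missing`);
    }
  }
  // ASSUMPTION (from the page's example): the attesting DID is the issuer itself,
  // so a binding attested by anyone else, including the platform, is rejected.
  if (pi.attestedBy !== issuerId) problems.push('attestedBy does not match issuer');
  return problems;
}

// The credential shown on the page.
const pageBinding = {
  type: ['VerifiableCredential', 'PlatformIdentityBinding'],
  issuer: 'did:trail:org:acme-corp-eu-a7f3b2c1e9d0',
  credentialSubject: {
    id: 'did:trail:agent:acme-sales-agent-v2-de-3f8c',
    platformIdentity: {
      platform: 'anthropic',
      deploymentId: 'managed-agent-deployment-abc',
      attestedBy: 'did:trail:org:acme-corp-eu-a7f3b2c1e9d0',
    },
  },
};
console.log(checkPlatformBinding(pageBinding)); // []
```

A Tier 0 `did:trail:self` issuer fails this check by design, since the page ties the binding to a registered deployer organization.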
Full spec proposal: see Issue #9 — community input welcome.
- v1.0 — Specification draft
- v1.0 — W3C DID Registry submission (PR #669)
- v1.1 — Reference implementation (`@trailprotocol/core`) with CLI
- v1.1 — Specification v1.1.0-draft (9 critical improvements)
- v1.2 — Managed Agent Support (`did:trail:agent:*` + `PlatformIdentityBinding` VC) — spec draft complete, see §7.5
- v1.2 — TRAIL Registry alpha (Early Adopter Program)
- v1.2 — EU AI Act Art. 12 compliant audit log API
- v2.0 — Production registry + independent security audit
- v2.1 — Universal Resolver driver
- v3.0 — EUDIW integration + B2C extension
We welcome contributions, questions, and challenges. If you find a flaw in the specification - that's exactly what we want to know.
- Open an issue for specification questions, security concerns, or improvement suggestions
- Submit a PR - see CONTRIBUTING.md for guidelines, branch naming, and review process
- Join DIF Discord - connect with contributors in the DIF Discord (#did-methods, TAAWG channels)
- Join W3C CCG - discuss `did:trail` on the mailing list: public-credentials@w3.org
- Contact the author: christian.hommrich@trailprotocol.org
Three design questions are currently open and would benefit most from external critique:
- #1 Federation Model Architecture Review — How independent trust registries federate without a single root of trust
- #2 Trust Score Algorithm — Gameability, decay function, EU AI Act explainability
- #3 Key Rotation Security Audit — Threat-model review of rotation semantics
If you have expertise in DID/SSI, cryptographic protocols, or trust systems — even a single comment moves these forward. Harsh critique is the most useful kind.
This project follows our own Code of Conduct and Ethical Principles. See GOVERNANCE.md for how decisions are made.
Christian Hommrich, TRAIL Protocol Initiative, https://trailprotocol.org
- Specification (all `.md` files in `spec/`): Creative Commons Attribution 4.0 International (CC BY 4.0)
- Reference implementations (all code in `packages/`): MIT License
First committed: 2026-03-01 — establishing Prior Art for the did:trail namespace and TRAIL Protocol concept.
Spec v1.1.0-draft: 2026-03-04 — addressing 9 critical improvements based on expert review.
Spec v1.2.0-draft: 2026-04-10 — Managed Agent Identity Binding (PlatformIdentityBinding VC, §7.5); deployment vs. instance distinction normative.