- Its
did:keysignature authenticates every request (signing). A service authorizes that key locally, per account, and retires it locally — owner-initiated revoke (§8.4) and re-key (§8.2). - Its attestation, if the service requires one, proves a human is on the hook (attestation). The trust attestor mints it; revoking the binding there stops new mints — globally, for every service at once.
Two levers
| Global — revoke the binding at the attestor | Local — revoke / re-key at the service (§8.4 / §8.2) | |
|---|---|---|
| Kills | new attestation minting for that agent_did | the key as an authenticator on one account (revoked_key) |
| Scope | every attested-session service at once | this one service |
| Granularity | all-or-nothing per binding | surgical — this key, this account; others untouched |
| Pulled by | whoever controls the link at the attestor | the claimed account owner (§7.5) |
| Reaches | only the attested path, within the freshness window | every path, incl. pure signature-gated; immediately |
| Needs | a live attestor in the loop | nothing external — works with no attestor at all |
Which lever, when
| Situation | Lever |
|---|---|
| Decommission a compromised or rogue agent everywhere | Global. One revoke; an attested session makes it reach signature-gated services too. |
| Offboard one agent from one account, keep it running elsewhere | Local revoke (§8.4). The global lever would kill it everywhere. |
| Stolen key, but keep the account | Local re-key (§8.2) + re-link. The recovery runbook. |
Cut off access at a free or no-attestor service | Local only. There is no binding to revoke. |
| Cut off access at a service that checked attestation only at signup | Local only — the attestor revoke never reaches it (the §8.5 blind spot), unless it runs an attested session. |
| Migrate algorithm, or rotate for hygiene | Re-key / rotate (pre-claim §8.1) — not an attestor action at all. |
Does an attested session make local revoke redundant?
No. An attested session (§10.7) lets a single attestor-side revoke cascade to signature-gated services within the freshness window — exactly what you want for the “kill this agent everywhere” case, and it demotes the local lever from the everywhere-kill-switch to the surgical one. But it changes when you reach for the global lever, not whether you still need the local one. Local revoke / re-key stays the only tool when:- The service takes no attestation. A
freeor no-attestor service has no binding to revoke; §8.4 is the only lever. (Same for anattested_onlyservice that never opted into an attested session — the §8.5 blind spot.) - You want to eject one agent from one account. The global lever is all-or-nothing per binding — it can’t say “this service only,” and it takes the legitimate agent down everywhere.
- You’re recovering a stolen key without abandoning the account. That is a re-key (§8.2); the attestor has no “swap the key on this service’s account” operation. Resuming attested access afterwards needs a re-link, not just a re-key (§8.5).
- The owner must stay sovereign. After claim, the owner is the root of authority on the account (§7.5); that control can’t depend on a third-party attestor — which may be a different trust domain, or absent. Attestation is optional; the §8 levers are the baseline.
What neither lever recalls
Revocation covers the stop direction. It is honest but bounded — know the edges before you rely on it.
- Tokens already in flight. Revoking a binding stops new mints; attestations already issued stay valid until
exp(≤ 15 min, the §10.2 ceiling). Neither lever recalls an outstanding token — it stops the next one. - The agent’s local state. After compromise the attacker controls the agent’s cache and ledger. Recovery is owner- and service-side only; never depend on the agent cleaning up after itself.
- Other services (for the local lever). §8.4 revocation is per-service and non-distributed (§8.3). There is no inter-service revocation feed — by design: distributing who-revoked-whom would leak the agent’s service graph. Cross-service reach is the global lever’s job.
Where to next
Recover a compromised key
The ordered runbook: revoke the binding, revoke + re-key each service, re-link.
Revoke an account
The local lever, hands-on: owner-authenticated §8.4 revoke at your service.
Keep attested access live
The attested session (§10.7) that lets a global revoke reach signature-gated services.
Rotate keys
Pre-claim self-rotation (§8.1) for migration and hygiene.