4 Comments
Jason K (2h, edited)

Great framework idea. Where proof of human is tough today is in agentic contexts. If an agent inherits a valid device credential then they have proven they’re human without being human.

Although you did touch on this. It doesn’t really matter if an agent is human. Are they authorized and are they using a system appropriately? I should be able to delegate work to a personal agent and not have that shut down all the time because I’m not viewing ads.

When I write software today, I am adding agentic interfaces so they don’t have to fake being human. They can have appropriate access through an appropriate interface.

It will be interesting to see where this topic goes for sure.

PS. I’ve worked with “big shoe companies” that have this problem. They have a couple of other detection vectors nobody has figured out yet. I’m not able to say what they are but they’re pretty simple and have a lot of bot makers fooled.

Stu

Doesn't the human uniqueness check using iris example require trusting the hardware or client to some extent, and rely on an adversary not being able to reverse engineer it and/or steal keys?

If you can generate the same fake iris random value in a reproducible way and present it to the server, then your fake client or fake hardware can pretend to be one of many different fake people on demand.

Michael Glenn Williams

I worked on federated identity and security at Nokia for 10 years. I have a patent for agent identity from that work. This work from world.org looks great and deeply thought out. It will need additional tools to handle the Enterprise needs. Thank you for this write up. Very informative.

Tim Anderson

How about assigning a UUID (Universal Unique ID)?