๐ LLMFeed Signature & Certification โ Extended Specification (V2)
This document defines how .llmfeed.json feeds are signed, verified, and certified using asymmetric cryptography and trust blocks.
๐ Key Innovation: LLMFeed signatures protect both data integrity and semantic intention integrity โ ensuring LLMs experience feeds exactly as authors intended.
โ Summaryโ
| Concept | Description |
|---|---|
trust block | Declares what is signed and by whom |
signature | Contains the cryptographic proof |
certification | Optional third-party endorsement |
signed_blocks | List of blocks covered โ order preserved |
| Semantic Integrity | Key order preservation for LLM behavior protection |
| Delegated Signing | LLMCA services for friction-free adoption |
๐ง LLM-Specific Canonicalization (Core Innovation)โ
Why LLMFeed canonicalization is revolutionaryโ
Unlike traditional JSON canonicalization (which sorts keys for data integrity), LLMFeed canonicalization preserves key order to protect semantic intention.
The Problem: LLMs Process Order Semanticallyโ
// Version A: Author's intended experience
{
"priority": "high", โ LLM processes this first, sets context
"task": "delete files",
"safety_check": "required" โ Safety becomes secondary consideration
}
// Version B: Reordered (same data, different LLM behavior)
{
"safety_check": "required", โ LLM focuses on safety first
"task": "delete files", โ Task processed with safety context
"priority": "high"
}
Same JSON data โ Different LLM interpretation โ Different user outcomes
The LLMFeed Solution: Semantic Intention Integrityโ
Official LLMFeed/MCP Canonicalization (https://llmca.org/mcp-canonical-json/v1):
# โ
CORRECT: Preserves author's intended key order
def llmfeed_canonicalize(data):
return json.dumps(
data,
separators=(',', ':'),
ensure_ascii=False
).encode('utf-8')
# โ WRONG: Traditional crypto approach (allows semantic manipulation)
def traditional_canonicalize(data):
return json.dumps(
data,
separators=(',', ':'),
sort_keys=True, # โ This breaks LLM semantic integrity
ensure_ascii=False
).encode('utf-8')
Security Model Evolutionโ
| Approach | Protects | Allows | Use Case |
|---|---|---|---|
| Traditional Crypto | Data integrity | Key reordering | Generic data verification |
| LLMFeed Crypto | Data + Semantic integrity | Nothing that changes LLM behavior | Agentic systems |
LLMFeed signatures protect:
- โ Data integrity (standard cryptographic guarantee)
- โ Semantic intention integrity (LLMFeed innovation)
- โ Author's intended LLM behavior patterns
- โ User experience as designed
Any reordering invalidates the signature, preventing:
- ๐ซ Manipulation of LLM attention/focus patterns
- ๐ซ Semantic attacks through key reordering
- ๐ซ Degradation of author's intended user experience
- ๐ซ Post-signature behavior modification
๐งฑ Trust Block Structureโ
The trust block contains all signature parameters and is itself signed to prevent tampering:
"trust": {
"signed_blocks": ["metadata", "capabilities", "trust"],
"algorithm": "ed25519",
"canonicalization": "https://llmca.org/mcp-canonical-json/v1",
"public_key_hint": "https://example.org/.well-known/public.pem",
"created_at": "2025-06-12T15:00:00Z"
}
Field Definitionsโ
signed_blocks: Array of top-level blocks covered by signature (order preserved)algorithm: Cryptographic algorithm (recommended:ed25519)canonicalization: URL identifier for canonicalization method (not an endpoint!)public_key_hint: URL where verification public key can be foundcreated_at: ISO 8601 timestamp of signature creation
Critical Design Principleโ
All signature parameters are in trust (signed), not signature (unsigned). This prevents attackers from changing verification parameters without invalidating the signature.
๐งพ Signature Block Structureโ
The signature block is minimalist by design:
"signature": {
"value": "base64-encoded-ed25519-signature"
}
Why minimalist? All parameters needed for verification are in the signed trust block, preventing parameter tampering attacks.
Signature Generation Processโ
def sign_llmfeed(feed_data, private_key, signed_blocks):
# 1. Extract only signed blocks, preserving order
partial = {block: feed_data[block] for block in signed_blocks if block in feed_data}
# 2. Apply LLMFeed canonicalization (NO sort_keys!)
payload_bytes = json.dumps(
partial,
separators=(',', ':'),
ensure_ascii=False
).encode('utf-8')
# 3. Sign with Ed25519
signature_bytes = private_key.sign(payload_bytes)
# 4. Encode signature
return base64.b64encode(signature_bytes).decode('utf-8')
๐ชช Certification: Building the Agentic Trust Networkโ
Why Certification Transforms the Ecosystemโ
Signatures prove authenticity + integrity. Certifications prove trustworthiness.
While anyone can sign a feed, certification establishes reputation in the agentic economy:
Author Signs โ "This content is mine AND unchanged since signing"
Certifier Signs โ "This content/author is trustworthy"
Agent Decides โ "I can act on this with confidence"
Real-World Certification Impactโ
| Scenario | Author | Certifier | Agent Benefit |
|---|---|---|---|
| Enterprise API | Stripe | LLMCA.org | Agents trust payment processing |
| Medical Information | Hospital | Medical Board | Agents verify health data accuracy |
| Financial Data | Bank | Regulatory Authority | Agents confirm financial compliance |
| Code Repository | Developer | GitHub Verified | Agents trust code execution |
| News Content | Journalist | News Organization | Agents verify information quality |
๐ Certification Models & Trust Chainsโ
Model 1: Content Certification (Same signed_blocks)โ
"certification": {
"certifier": "https://llmca.org",
"targets": ["metadata", "capabilities", "trust"], // Same as signed_blocks
"model": "content_vouching",
"verification_details": {
"content_reviewed": true,
"compliance_checked": ["gdpr", "ccpa"],
"security_audited": true
},
"value": "base64-certifier-signature-of-same-payload",
"issued_at": "2025-06-12T15:00:00Z",
"expires_at": "2026-06-12T15:00:00Z"
}
Technical: Certifier signs the exact same canonical payload as the author
Meaning: "We independently vouch for this specific content"
Use Case: Content mirroring, archive validation, compliance attestation
Model 2: Signature Certification (Recommended)โ
"certification": {
"certifier": "https://llmca.org",
"targets": ["signature"], // Certifies the signature hash
"model": "identity_validation",
"identity_verified": "stripe.com",
"verification_level": "enterprise",
"verification_details": {
"domain_control": "verified",
"business_registration": "verified",
"key_management": "audited"
},
"signature_hash": "sha256-of-signature-value",
"value": "base64-certifier-signature-of-signature-hash",
"issued_at": "2025-06-12T15:00:00Z",
"expires_at": "2026-06-12T15:00:00Z"
}
Technical: Certifier signs the SHA-256 hash of the author's signature
Meaning: "We verify the identity of the signer AND validate their signature process"
Use Case: Identity validation, preferred model for scalable trust
Model 3: Delegated Certification (Ecosystem Scale)โ
"certification": {
"certifier": "https://github.com",
"delegates_to": "https://llmca.org",
"targets": ["signature"],
"verification_method": "github_verified_organization",
"delegation_policy": "technical_compliance_only",
"value": "base64-delegated-certification",
"chain_depth": 2,
"issued_at": "2025-06-12T15:00:00Z",
"expires_at": "2026-06-12T15:00:00Z"
}
Why Signature Certification is Preferredโ
| Aspect | Content Certification | Signature Certification |
|---|---|---|
| Certifier Responsibility | โ Must validate all content semantics | โ Focus on identity & process validation |
| Content Updates | โ Re-certification required | โ Certification survives content updates |
| Scalability | โ Limited by content review capacity | โ Scales with identity verification |
| Separation of Concerns | โ Mixed content & identity validation | โ Authors own content, Certifiers validate identity |
๐ Certification Lifecycleโ
Phase 1: Certification Requestโ
// Author requests certification
POST https://llmca.org/api/certify
{
"feed_url": "https://stripe.com/.well-known/mcp.llmfeed.json",
"identity_proofs": {
"domain_control": "dns_txt_record",
"business_verification": "duns_number",
"key_ownership": "challenge_response"
},
"certification_type": "signature_certification"
}
Phase 2: Verification Processโ
Identity Verification:
- DNS control validation
- Business registration verification
- Domain ownership confirmation
- Key management audit
Technical Validation:
- Feed structure compliance
- Signature correctness
- Canonicalization adherence
- Security best practices
Reputation Assessment:
- Historical behavior analysis
- Community standing review
- Compliance track record
Phase 3: Certification Issuanceโ
"certification": {
"certifier": "https://llmca.org",
"cert_id": "cert_stripe_2025_enterprise_001",
"verification_details": {
"identity_verified": "stripe.com",
"verification_date": "2025-06-12T15:00:00Z",
"verification_methods": ["dns_control", "business_registration", "duns_verification"],
"compliance_level": "enterprise",
"security_audit": "passed",
"reputation_score": 0.98
},
"targets": ["signature"],
"signature_hash": "sha256-abc123...",
"value": "base64-certification-signature",
"issued_at": "2025-06-12T15:00:00Z",
"expires_at": "2026-06-12T15:00:00Z",
"renewable": true
}
Phase 4: Monitoring & Renewalโ
- Continuous monitoring of certified feeds for policy compliance
- Automatic renewal for organizations maintaining compliance
- Immediate revocation for policy violations or security breaches
- Appeals process for disputed revocations
๐จ Revocation & Trust Managementโ
Revocation Mechanismsโ
1. Certificate Revocation List (CRL)
https://llmca.org/.well-known/revoked-certifications.json
2. Online Certificate Status Protocol (OCSP)
https://llmca.org/api/ocsp/{cert_id}
โ {"status": "valid|revoked|expired", "timestamp": "..."}
3. Feed-Level Revocation Notification
"certification": {
"status": "revoked",
"revoked_at": "2025-06-15T10:00:00Z",
"reason": "policy_violation",
"details": "Automated systems detected content policy violation"
}
Agent Verification Workflowโ
def verify_certification(feed):
cert = feed.get('certification')
if not cert:
return {"status": "uncertified", "trust_level": "basic"}
# 1. Check expiration
if datetime.now() > cert['expires_at']:
return {"status": "expired", "trust_level": "degraded"}
# 2. Check revocation (with caching)
revocation_status = check_revocation_with_cache(cert['cert_id'])
if revocation_status == "revoked":
return {"status": "revoked", "trust_level": "none"}
# 3. Verify certifier signature
if not verify_certifier_signature(cert):
return {"status": "invalid_certification", "trust_level": "none"}
# 4. Validate certification chain
chain_valid = verify_certification_chain(cert['certifier'])
if not chain_valid:
return {"status": "untrusted_certifier", "trust_level": "degraded"}
# 5. Compute trust score
trust_score = compute_trust_score(cert)
return {
"status": "valid",
"trust_level": "certified",
"trust_score": trust_score,
"certifier": cert['certifier']
}
๐๏ธ Certifier Ecosystem & Governanceโ
Certified Certifiers Registryโ
Tier 1 - Root Certifiers (Infrastructure Trust)
- LLMCA.org: Technical standards, protocol compliance
- Domain Registrars: Domain ownership, DNS control
- Government Agencies: Regulatory compliance, legal status
Tier 2 - Domain Specialists (Sector Trust)
- Medical Boards: Healthcare information accuracy
- Financial Regulators: Financial data compliance
- Industry Associations: Sector-specific standards
Tier 3 - Platform Certifiers (Community Trust)
- GitHub: Developer identity, code repository trust
- App Stores: Mobile application verification
- Corporate Systems: Internal employee/service verification
Certifier Policy Feedโ
Each certifier MUST expose a machine-readable policy at:
/.well-known/certifier-policy.llmfeed.json
Complete Policy Example:
{
"feed_type": "certifier-policy",
"metadata": {
"title": "LLMCA Certification Authority Policy",
"description": "Official certification policy for LLMFeed feeds",
"version": "2.1.0",
"last_updated": "2025-06-12T15:00:00Z"
},
"certifier": "https://llmca.org",
"certification_policy": {
"validity_period": {
"days": 365,
"max_renewals": 10,
"renewal_window_days": 30
},
"accepted_algorithms": ["ed25519"],
"canonicalization_methods": ["https://llmca.org/mcp-canonical-json/v1"],
"verification_requirements": {
"identity": {
"required_methods": ["domain_control", "business_registration"],
"optional_methods": ["duns_verification", "manual_review"],
"minimum_confidence_score": 0.85
},
"content": {
"must_include_blocks": ["metadata", "trust"],
"prohibited_content": ["malware", "spam", "illegal_content"],
"compliance_frameworks": ["gdpr", "ccpa", "iso27001"]
},
"technical": {
"minimum_key_strength": "ed25519-256",
"signature_freshness_max_days": 90,
"must_be_signed_by": "verified_feed_owner"
}
},
"monitoring": {
"continuous_validation": true,
"violation_response_time_hours": 24,
"automated_revocation": true,
"appeal_process_url": "https://llmca.org/appeals"
}
},
"pricing": {
"individual": {"cost": "free", "limits": "5 feeds/month"},
"organization": {"cost": "$100/year", "limits": "unlimited"},
"enterprise": {"cost": "custom", "sla": "99.9% uptime"}
},
"contact": {
"support": "support@llmca.org",
"appeals": "appeals@llmca.org",
"security": "security@llmca.org"
},
"trust": {
"signed_blocks": ["certifier-policy", "trust"],
"algorithm": "ed25519",
"canonicalization": "https://llmca.org/mcp-canonical-json/v1",
"public_key_hint": "https://llmca.org/.well-known/public.pem",
"created_at": "2025-06-12T15:00:00Z"
},
"signature": {
"value": "base64-encoded-signature"
}
}
๐ฏ Business Value & Economic Impactโ
Value for Feed Authorsโ
Increased Agent Adoption
- Certified feeds receive higher trust scores from agents
- Premium placement in agent marketplace discovery
- Reduced liability through certifier risk sharing
Market Differentiation
- "Certified by LLMCA" badge for marketing
- Competitive advantage in agentic economy
- Professional credibility establishment
Operational Benefits
- Simplified compliance (certifier validates)
- Automated trust network participation
- Reduced manual verification requests
Value for AI Agentsโ
Risk Reduction
- Confident decision-making with verified sources
- Reduced false positive/negative rates
- Liability protection through certification chain
Regulatory Compliance
- Meet industry standards through certified sources
- Automated compliance reporting
- Audit trail for decisions
User Experience
- Provide users with verifiable information sources
- Transparent trust indicators
- Reduced "hallucination" risk through verified data
Value for Certifiersโ
Revenue Opportunities
- Certification as a Service (CaaS) business model
- Tiered pricing for different trust levels
- Premium services for enterprise clients
Market Position
- Become trusted authority in specific domains
- Network effects: more certifications = more value
- Platform lock-in through trust relationships
Ecosystem Influence
- Shape standards in emerging agentic economy
- Build valuable intellectual property
- Create barrier to entry for competitors
๐ง Agent Behavior Guidelinesโ
Trust Level Decision Matrixโ
| Signature Status | Certification Status | Agent Behavior | Trust Level |
|---|---|---|---|
| โ Valid | โ Valid Certification | Full trust, autonomous action allowed | High |
| โ Valid | โ ๏ธ Expired Certification | Accept with warning, limited autonomy | Medium |
| โ Valid | โ Revoked Certification | Reject or heavy scrutiny required | Low |
| โ Valid | โ No Certification | Accept with caution, user confirmation | Basic |
| โ Invalid | โ Any | Reject completely | None |
| โ Missing | โ Any | Warn user, degrade trust significantly | Minimal |
Implementation Guidelinesโ
def compute_agent_trust_score(feed):
base_score = 0.0
# Signature validation (required)
if verify_signature(feed):
base_score += 0.5
else:
return 0.0 # Invalid signature = zero trust
# Certification validation (optional)
cert_result = verify_certification(feed)
if cert_result["status"] == "valid":
base_score += 0.4
# Bonus for high-reputation certifiers
if cert_result["certifier"] in TIER_1_CERTIFIERS:
base_score += 0.1
# Freshness bonus
signature_age_days = get_signature_age_days(feed)
if signature_age_days < 30:
base_score += 0.05
elif signature_age_days > 365:
base_score -= 0.1
# Canonical structure compliance
if verify_canonical_structure(feed):
base_score += 0.05
return min(1.0, max(0.0, base_score))
๐ง Implementation Best Practicesโ
Multi-Certification Scenariosโ
"certifications": [
{
"certifier": "https://llmca.org",
"scope": "technical_compliance",
"targets": ["signature"],
"trust_level": "infrastructure"
},
{
"certifier": "https://medical-board.org",
"scope": "medical_accuracy",
"targets": ["metadata", "content"],
"trust_level": "domain_expert"
},
{
"certifier": "https://enterprise-corp.com",
"scope": "internal_approval",
"targets": ["signature"],
"trust_level": "organizational"
}
]
Certification Inheritanceโ
"certification": {
"inherited_from": "https://parent-org.com/.well-known/mcp.llmfeed.json",
"inheritance_policy": "technical_certification_only",
"inheritance_depth": 1,
"additional_certifications": [
{
"certifier": "https://domain-specialist.org",
"scope": "content_specific"
}
]
}
Performance Optimizationโ
Certificate Caching Strategy:
# Cache certifier public keys and policies
CERTIFIER_CACHE = {
"https://llmca.org": {
"public_key": "...",
"policy": {...},
"cached_at": "2025-06-12T15:00:00Z",
"ttl": 86400 # 24 hours
}
}
# Batch verification for multiple feeds
def batch_verify_certifications(feeds):
# Group by certifier for efficient verification
# Validate revocation lists once per certifier
# Return aggregate trust scores
Trust Score Caching:
# Cache computed trust scores with appropriate TTL
TRUST_CACHE = {
"feed_hash": {
"score": 0.95,
"computed_at": "2025-06-12T15:00:00Z",
"ttl": 3600 # 1 hour for high-trust feeds
}
}
โ Complete Reference Implementationโ
Minimal Valid Signed Feedโ
{
"feed_type": "mcp",
"metadata": {
"title": "Example Service",
"description": "Demonstration of LLMFeed signatures"
},
"capabilities": [
{
"path": "/api/example",
"method": "GET",
"description": "Example capability"
}
],
"trust": {
"signed_blocks": ["metadata", "capabilities", "trust"],
"algorithm": "ed25519",
"canonicalization": "https://llmca.org/mcp-canonical-json/v1",
"public_key_hint": "https://example.com/.well-known/public.pem",
"created_at": "2025-06-12T15:00:00Z"
},
"signature": {
"value": "base64-encoded-ed25519-signature"
}
}
Enterprise Certified Feedโ
{
"feed_type": "mcp",
"metadata": {
"title": "Stripe Payment API",
"description": "Production payment processing capabilities",
"version": "2024.1",
"author": "Stripe, Inc."
},
"capabilities": [
{
"path": "/v1/charges",
"method": "POST",
"description": "Create payment charge",
"security_level": "enterprise"
}
],
"trust": {
"signed_blocks": ["metadata", "capabilities", "trust"],
"algorithm": "ed25519",
"canonicalization": "https://llmca.org/mcp-canonical-json/v1",
"public_key_hint": "https://stripe.com/.well-known/public.pem",
"created_at": "2025-06-12T15:00:00Z"
},
"signature": {
"value": "stripe-signature-base64"
},
"certification": {
"certifier": "https://llmca.org",
"cert_id": "cert_stripe_2025_enterprise_001",
"targets": ["signature"],
"model": "identity_validation",
"identity_verified": "stripe.com",
"verification_level": "enterprise",
"verification_details": {
"domain_control": "verified_2025-06-01",
"business_registration": "verified_delaware_corp",
"security_audit": "passed_2025-05-15",
"compliance": ["pci_dss", "gdpr", "ccpa"]
},
"signature_hash": "sha256-stripe-signature-hash",
"value": "llmca-certification-signature-base64",
"issued_at": "2025-06-12T15:00:00Z",
"expires_at": "2026-06-12T15:00:00Z"
}
}
๐ Future Evolution & Ecosystem Visionโ
Decentralized Trust Networksโ
Long-term Vision: Evolution from centralized certification authorities to decentralized trust networks:
"trust_network": {
"network_id": "web3_agentic_trust",
"consensus_model": "proof_of_reputation",
"validators": [
"https://llmca.org",
"https://github.com",
"https://mozilla.org"
],
"trust_score": 0.94,
"network_governance": "dao_based",
"reputation_algorithm": "page_rank_variant"
}
Key Features:
- Communities establish their own certification criteria
- Agents choose preferred trust networks
- Cross-certification creates resilient trust webs
- Reputation becomes algorithmic and measurable
- Reduced single points of failure
Emerging Standards Integrationโ
- W3C DID integration for decentralized identity
- Blockchain anchoring for immutable audit trails
- Zero-knowledge proofs for privacy-preserving verification
- AI-powered reputation scoring based on behavior patterns
๐ Note: LLMCA Delegated Signing Servicesโ
LLMCA.org provides delegated signing services to eliminate friction while maintaining security and transparency. The /sign service enables organizations to deploy signed feeds without managing cryptographic infrastructure.
Service Philosophyโ
"User must see what they sign" - Complete transparency with no black-box operations:
- Prepare: User uploads feed, system adds trust block with proper parameters
- Review: User sees complete prepared feed before signing
- Sign: System signs only the explicitly approved content
- Verify: Immediate signature validation with downloadable result
Technical Implementationโ
// Simplified workflow
const workflow = {
prepare: async (feed, identity_hint) => {
// Inject trust block with LLMCA key hint
return prepareDelegatedFeed(feed, identity_hint)
},
sign: async (prepared_feed, key_type) => {
// key_type: 'editor' | 'authority' | 'certifier'
return signWithLLMCAKey(prepared_feed, key_type)
},
verify: async (signed_feed) => {
// Immediate validation of generated signature
return verifySignature(signed_feed)
}
}
Benefits for Ecosystem Adoptionโ
For Authors:
- โ No key management complexity
- โ Immediate signing capability
- โ Full transparency and auditability
- โ Professional-grade infrastructure
For Agents:
- โ Consistent, reliable signature format
- โ Known, trusted key infrastructure
- โ Reduced verification complexity
For Ecosystem:
- โ Accelerated adoption through reduced friction
- โ Consistent implementation of best practices
- โ Bridge to eventual self-hosted signing
For detailed implementation, see LLMCA's /sign API documentation, useSignFeed React hooks, and prepareDelegatedFeed utilities.
๐ Key Management Best Practicesโ
Hosting Public Keysโ
Recommended path for self-hosted keys:
https://yoursite.org/.well-known/public.pem
Standard Ed25519 PEM format:
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----
Key Rotation Strategyโ
"trust": {
"public_key_hint": "https://example.com/.well-known/public-2025.pem",
"key_rotation_policy": {
"rotation_frequency": "annual",
"previous_key": "https://example.com/.well-known/public-2024.pem",
"overlap_period_days": 90
}
}
๐งฉ Related Specificationsโ
- LLMFeed Core - Base LLMFeed specification
- MCP Canonical JSON v1 - Official canonicalization algorithm
- Agent Behavior - Agent behavior specifications
- Verification Tools - Online signature verification
- MCP Feed Type - MCP-specific feed structure
๐ Implementation Resourcesโ
Official Toolsโ
sign_feed.py- Reference signing implementation (Available now)verify_signature.py- Reference verification implementation (Available now)- LLMCA
/signservice - Delegated signing for production use (Beta) - Online verification - https://llmca.org/verify (Available now)
Libraries & SDKsโ
- Reference Python implementation - Available in
/scriptsdirectory - JavaScript/TypeScript SDK - In development, Q2 2025
- Production Python library - Planned Q3 2025
- Additional language bindings - Community contributions welcome
Community & Documentationโ
- GitHub: https://github.com/wellknownmcp/llmfeed-spec (Active)
- Specification docs: https://wellknownmcp.org/spec (Live)
- LLMCA API docs: https://docs.llmca.org (Beta)
- Community forum - Coming soon
Specification Status: Living Document
Last Updated: 2025-06-12T15:00:00Z
Version: V2.1
Maintained by: LLMCA.org & LLMFeed Community
ยฉ 2025 LLMCA.org - Licensed under Creative Commons Attribution 4.0 International