| ▲ | Muromec 7 hours ago |
| Why does it need cryptography even? If you gave the agent a token to interact with your bank account, then you gave it permission. If you want to limit the amount it is allowed to sent and a list of recipients, put a filter that sits between the account and the agent that enforces it. If you want the money to be sent only based on the invoice, let the filter check that invoice reference is provided by the agent. If you did neither of that and the platform that runs the agents didn't accept the liability, it's on you. Setting up filters and engineering prompts it's on you too. Now if you did all of that, but made a bug in implementing the filter, then you at least tried and wasn't negligible, but it's on you. |
|
| ▲ | niyikiza 6 hours ago | parent | next [-] |
| Tokens + filters work for single-agent, single-hop calls. Gets murky when orchestrators spawn sub-agents that spawn tools. Any one of them can hallucinate or get prompt-injected.
We're building around signed authorization artifacts instead. Each delegation is scoped and signed, chains are verifiable end-to-end. Deterministic layer to constrain the non-deterministic nature of LLMs. |
| |
| ▲ | Muromec 6 hours ago | parent [-] | | >We're building around signed authorization artifacts instead. Each delegation is scoped and signed, chains are verifiable end-to-end. Deterministic layer to constrain the non-deterministic nature of LLMs. Ah, I get it. So the token can be downscoped to be passed, like the pledge thing, so sub agent doesn't exceed the scope of it's parent. I have a feeling, that it's like cryptography in general -- you get one problem and reduce it to key management problem. In a more practical sense, if the non-deterministic layer decides what the reduced scope should be, all delegations can become "Allow: *" in the most pathological case, right? Or like play store, where a shady calculator app can have a permission to read your messages. Somebody has to review those and flag excessive grants. | | |
| ▲ | niyikiza 5 hours ago | parent [-] | | Right, the non-deterministic layer can't be the one deciding scope. That's the human's job at the root. The LLM can request a narrower scope, but attenuation is monotonic and enforced cryptographically. You can't sign a delegation that exceeds what you were granted. TTL too: the warrant can't outlive its parent. So yes, key management. But the pathological "Allow: *" has to originate from a human who signed it. That's the receipt you're left holding. You're poking at the right edges though. UX for scope definition and revocation propagation are what we're working through now. We're building this at tenuo.dev if you want to dig in the spec or poke holes. |
|
|
|
| ▲ | Wobbles42 6 hours ago | parent | prev [-] |
| How can you give an agent a token without cryptography being involved? |
| |
| ▲ | Muromec 6 hours ago | parent [-] | | Not every access token is a (public) key or a signed object. It may be, but it doesn't have to. It's not state of the art, but also not unheard of to use a pre-shared secret with no cryptography involved and to rely on presenting the secret itself with each request. Cookie sessions are often like that. |
|
