L1 · Essential · Forward-looking

1.1 Agent Cryptographic Identity

1. Identity & Provenance: Who is this agent? Can we verify?

Description

Every agent MUST have a unique cryptographic identity (public/private keypair) that can be used to verify the agent's authenticity and sign its communications.

Rationale

Without cryptographic identity, there is no way to verify an agent is who it claims to be. Attackers can impersonate agents, inject malicious responses, or perform man-in-the-middle attacks.

Audit Procedure

1. Check for agent keypair in deployment
2. Verify public key is published in agent manifest
3. Check if agent signs its responses
4. Verify key strength (minimum RSA 4096 or Ed25519)

Remediation

1. Generate a unique keypair:
   openssl genrsa -out agent-key.pem 4096
2. Store private key securely (Vault, AWS KMS)
3. Publish public key in agent manifest or registry
4. Implement message signing for agent outputs
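The following Go program is an added example, not code from the control itself or from any referenced project. It walks through the audit procedure and remediation steps above end to end: it generates an Ed25519 identity, publishes the public key in a (hypothetical) manifest record, signs an agent output, verifies that output against the manifest and rejects a tampered copy, and enforces the stated key-strength minimum (Ed25519, or RSA of at least 4096 bits) on a PEM-encoded public key. The manifest and message layouts, field names and the agent ID are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// Manifest is a hypothetical published record binding an agent ID to its public key
// (audit step 2). Field layout is an assumption for this example.
type Manifest struct {
	AgentID   string
	KeyType   string // "ed25519" is the only type this example publishes
	PublicKey string // base64 of the raw 32-byte Ed25519 public key
}

// SignedMessage is an agent output together with the producing agent's signature (audit step 3).
type SignedMessage struct {
	AgentID   string
	Body      string
	Signature string // base64 of the Ed25519 signature over Body
}

// NewAgentIdentity creates a fresh Ed25519 keypair (remediation step 1) and the manifest
// entry that publishes its public half (remediation step 3). The private key must be
// handed to a secrets store; it is returned here only so the example can sign with it.
func NewAgentIdentity(agentID string) (ed25519.PrivateKey, Manifest, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Manifest{}, err
	}
	m := Manifest{AgentID: agentID, KeyType: "ed25519", PublicKey: base64.StdEncoding.EncodeToString(pub)}
	return priv, m, nil
}

// Sign attaches the agent's signature to an output (remediation step 4).
func Sign(agentID string, priv ed25519.PrivateKey, body string) SignedMessage {
	sig := ed25519.Sign(priv, []byte(body))
	return SignedMessage{AgentID: agentID, Body: body, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify checks a message against the manifest of the agent it claims to come from.
// Any mismatch (wrong agent, malformed key, bad signature) is a hard failure.
func Verify(m Manifest, msg SignedMessage) error {
	if msg.AgentID != m.AgentID {
		return errors.New("message claims a different agent than the manifest")
	}
	if m.KeyType != "ed25519" {
		return fmt.Errorf("unsupported manifest key type %q", m.KeyType)
	}
	pub, err := base64.StdEncoding.DecodeString(m.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("manifest public key is malformed")
	}
	sig, err := base64.StdEncoding.DecodeString(msg.Signature)
	if err != nil {
		return errors.New("signature is not valid base64")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(msg.Body), sig) {
		return errors.New("signature does not verify: message tampered or wrong key")
	}
	return nil
}

// PublicKeyPEM encodes a public key (ed25519.PublicKey or *rsa.PublicKey) as PKIX PEM.
func PublicKeyPEM(pub any) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// CheckKeyStrength enforces audit step 4: accept Ed25519, or RSA with a modulus of at least
// 4096 bits; reject everything else.
func CheckKeyStrength(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("no PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	switch k := key.(type) {
	case ed25519.PublicKey:
		return nil
	case *rsa.PublicKey:
		if k.N.BitLen() < 4096 {
			return fmt.Errorf("RSA key too short: %d bits (minimum 4096)", k.N.BitLen())
		}
		return nil
	default:
		return fmt.Errorf("unsupported key type %T", key)
	}
}

func main() {
	priv, manifest, err := NewAgentIdentity("agent-example-01") // constructed ID
	if err != nil {
		panic(err)
	}
	msg := Sign(manifest.AgentID, priv, `{"answer":"42"}`)
	fmt.Println("genuine message verifies:", Verify(manifest, msg) == nil)
	msg.Body = `{"answer":"43"}` // simulate in-transit modification
	fmt.Println("tampered message verifies:", Verify(manifest, msg) == nil)
}
```

In a deployment the manifest lookup would be a fetch from the registry rather than a struct in memory, and the private key would stay inside Vault or KMS with only the signing operation exposed; the verification logic on the receiving side is unchanged by that.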

Framework Mappings

CIS Control 3.12
NIST PR.AC-1