appliedbits library · IETF library entry · Last updated 2026-05-06 · drafted

draft-wendt-stir-vesper — VESPER core specification

draft-wendt-stir-vesper (Wendt, Sliwa) is the normative specification for the VESPER framework. I am the primary author. The conceptual context — what VESPER is, the four roles, why the certificate profile is structured the way it is, the relationship to STIR/SHAKEN — lives on the VESPER topic page. This page covers what’s specific to this draft.

What this draft specifies

The draft defines the normative requirements for VESPER deployment. Its top-level sections cover:

- the certificate profile: the required and optional X.509 extensions on a VESPER delegate certificate;
- the issuance process: an ACME-based flow extended with TNAuthList Authority Tokens and optional JWTClaimConstraints Authority Tokens;
- the authentication and verification procedures: the normative steps Authentication Services and Verification Services follow when constructing or validating PASSporTs signed by VESPER delegate certificates;
- the RTU Token: the JWT form for portable proof of right-to-use in non-SIP contexts;
- the Connected Identity integration with draft-ietf-stir-rfc4916-update.

What changed across revisions

Several architectural pieces present in earlier drafts have been removed or simplified. The vper PASSporT claim was removed — the VESPER trust signal is encoded in the certificate itself, and PASSporTs signed by a VESPER delegate certificate are standard RFC 8225 PASSporTs. The Claim Agent role (an intermediate entity asserting claims on behalf of the responsible entity) was also removed — VESPER puts the signing in the hands of the responsible entity directly, with delegate-certificate mechanics handling further sub-delegation. Privacy modes that were sketched in early drafts have been dropped in favor of simpler privacy semantics that emerge from short-lived certificates and reduced data exposure on the trust artifact itself.

The convergence across these changes is toward a smaller spec — fewer new claims, fewer roles, fewer mechanism-specific behaviors — leveraging existing infrastructure (X.509 extensions, ACME issuance, RFC 8225 PASSporTs) more heavily.

Status

Currently draft-wendt-stir-vesper-07, an individual draft (not yet a working-group document). The work is being discussed in the STIR working group, with the proposed STIR recharter expected to formalize VESPER as the working group’s primary direction for extending the framework. The recharter discussions explicitly identified VESPER as the work item that surfaced the architectural questions the expanded scope addresses.