KYE Protocol™ is the open identity, authority, relationship and state protocol for AI vendors, data processors, software suppliers and the agents that act on their behalf.
Static "vendor approved" rows are dead. Subscribe to a vendor's live state. Enforce authority at runtime.
Apache-2.0 · Maintained by the KYE Protocol Working Group · v0.1 (2026)
Most identity protocols stop at "who is this entity". KYE answers "can this entity act, right now, under what authority, in what state" — because authority is meaningless without state.
Verifiable identifier (DID, DNS, GLEIF, organisation number) + cryptographic public key. The thing every other pillar hangs off.
Edges to other entities — controller→processor, provider→deployer, parent→sub-processor, principal→agent — with role-typed semantics.
What this entity is permitted to do, on whose behalf, in what scope, until when. Authority is data, not magic.
Current operational status — active / suspended / verified / expired / restricted / revoked / under_review. Authority is meaningless without state.
Establish the entity's verifiable identifier (DID + DNS + GLEIF + organisation registry).
KYE Entity Lifecycle™ defines a controlled state vocabulary per entity kind.
Each state transition emits a KYE State Transition Event™ — signed, replayable, audit-trail-ready.
Current state is derived from events, not stored as a mutable row. Every change carries who asserted it, when, on what basis, with what evidence — so an auditor can replay the history byte-for-byte.

| From state | To state | Reason |
|---|---|---|
| submitted | under_review | DDQ accepted |
| under_review | approved | Evidence verified by auditor |
| approved | conditionally_approved | Sub-processor change pending review |
| conditionally_approved | active | Sub-processor re-attested |
| active | expired | ISO 27001 cert lapsed (auto) |
| expired | suspended | 30-day grace exceeded |
| suspended | offboarded | Customer terminated contract |

Policies don't just check "is this entity registered". They check the live state graph: entity_state = active AND authority_state = valid AND evidence_state = current.
| Actor | Action | Decision | Why |
|---|---|---|---|
| Vendor X | process EU personal data | Deny | vendor_state = expired · DPA missing |
| Agent Z | submit AI Act docs | Allow | agent_state = active · authority valid · evidence current |
| AI System Y | serve high-risk inference | Deny | ai_system_state = restricted · post-incident review pending |
| Sub-processor S | store payment data | Deny | PCI AOC expired · trust_score < threshold |
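
The event-sourced state and the three-part policy check described above, as an added Python example; it is not code from the KYE specification or any reference implementation. The names `replay`, `check` and `ALLOWED`, the example DIDs, the `stale` value and the timestamps are assumptions made for illustration, the allowed edges are only the sample transitions listed on this page, and event signatures are assumed to have been verified before replay.

```python
from dataclasses import dataclass

# Transitions copied from the sample lifecycle on this page only; the full
# KYE transition model is not reproduced here (assumption).
ALLOWED = {
    ("submitted", "under_review"), ("under_review", "approved"),
    ("approved", "conditionally_approved"), ("conditionally_approved", "active"),
    ("active", "expired"), ("expired", "suspended"), ("suspended", "offboarded"),
}

@dataclass(frozen=True)
class Event:  # subset of the event fields named on this page
    from_state: str
    to_state: str
    reason: str
    asserted_by: str
    timestamp: int  # constructed ordering value, not a real clock reading

def replay(events, initial="submitted"):
    """Derive the current state from the log; reject gaps and unknown edges."""
    state = initial
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.from_state != state:
            raise ValueError(f"broken chain: at {state}, event starts from {ev.from_state}")
        if (ev.from_state, ev.to_state) not in ALLOWED:
            raise ValueError(f"transition {ev.from_state}->{ev.to_state} not allowed")
        state = ev.to_state
    return state

def check(events, authority_state, evidence_state):
    """Hypothetical local check: allow only if all three states pass, else deny."""
    try:
        entity_state = replay(events)
    except ValueError as exc:
        return "deny", [f"event log invalid: {exc}"]  # fail closed
    observed = {"entity_state": (entity_state, "active"),
                "authority_state": (authority_state, "valid"),
                "evidence_state": (evidence_state, "current")}
    reasons = [f"{k} = {got}" for k, (got, want) in observed.items() if got != want]
    return ("deny" if reasons else "allow"), reasons

# Constructed sample log (not real data): a vendor onboarded, then its cert lapsed.
ONBOARDED = [
    Event("submitted", "under_review", "DDQ accepted", "did:web:customer.example", 1),
    Event("under_review", "approved", "Evidence verified by auditor", "did:web:auditor.example", 2),
    Event("approved", "conditionally_approved", "Sub-processor change pending review", "did:web:customer.example", 3),
    Event("conditionally_approved", "active", "Sub-processor re-attested", "did:web:auditor.example", 4),
]
LAPSED = ONBOARDED + [Event("active", "expired", "ISO 27001 cert lapsed (auto)", "did:web:auditor.example", 5)]
```

A log with a missing or out-of-model event is denied rather than replayed to a best guess, so deleting an inconvenient transition from the history cannot turn a deny into an allow.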
Open spec — Apache-2.0. The protocol semantics are public + free to implement. Reference implementations welcome from any vendor.
DID + DNS + GLEIF + organisation-number resolution. Backwards-compatible with did:web, did:plc, ENS.
W3C Verifiable Credentials JSON-LD with EIP-1271 / Ed25519 signatures. Replayable + revocable.
Per-kind state vocabularies (Organisation, Vendor, AI System, Agent, Compliance Posture, Payment Authority) + controlled transition model.
Event-sourced state changes — from_state, to_state, reason, asserted_by, evidence, timestamp, audit_event_id.
Authority is a state, not a static fact. Includes scope, validity window, delegation chain, revocation status.
Open scoring formula combining completeness, freshness, attestation strength, incident decay, and live state.
WebSub-compatible feed of state transitions + attestation changes. Subscribe to a vendor; auto-receive updates.
/v1/kye/check { actor, action } → allow/deny + reasons, all derived from the live state graph.
Apache-2.0. Open repository. Implementations welcome.
KYE Protocol™, v0.1 (2026). KYE Protocol Working Group · https://kyeprotocol.com