Inside the Linux Kernel's Proposed Switch from a PGP Web of Trust to a Decentralized Trust Graph
The first deployment of decentralized identity in an open-source supply chain context, and a real-world test of the architectural bet that humans and AI agents belong on the same trust substrate.
On building identity infrastructure for both humans and AI agents:
We don't see it as a tension at all. We see it as a complete solution to the problem. As a verifier, you are literally following a chain of verifiable relationship credentials back to the originating trust community — and making your own decision about whether or not you trust it.
In early October, at the Linux Plumbers Conference in Prague, the Linux kernel project is preparing to decide whether to switch over from its current manual PGP-based web of trust to a decentralized trust graph. The switchover would bring DID-and-VC architecture to open-source supply chain integrity.
The framework comes out of First Person initiatives organized through Linux Foundation Decentralized Trust. Drummond Reed has been one of the architects of this work. He helped establish the First Person Cooperative, sits on the Steering Committee of Trust Over IP, the Linux Foundation standards body that has been building the protocol stack for decentralized trust since 2020, and was one of the editors of the W3C DID 1.0 specification.
These First Person initiatives, which take their name from “proof of personhood”—the very hard problem of proving a person is not a bot online—draw on more than four decades of work on decentralized identity, with cryptographic foundations going back to David Chaum's privacy-preserving credential schemes in the 1980s and 25 years of organized community effort since the original Internet Identity Workshop in 2005 through the W3C Verifiable Credentials standard in 2019 to the Personhood Credentials paper published in August 2024 by a team including researchers from OpenAI, MIT, and the Berkman Klein Center.
What raised the question in late 2024 was the threat model.
The forcing function
Trust at the Linux kernel has to solve a problem most identity systems don't. The project's defining values of permissionless entry and worldwide participation rule out the conventional solutions that enterprises and governments use, which all require central authority and some form of vetted ID. But the consequences of an identity failure at the kernel are nation-state grade, as a successful attack on a maintainer reaches hundreds of millions of servers. The system has to protect that surface without breaking the openness that makes the project work. New maintainers need their cryptographic keys signed by at least two other people who actively hold kernel.org accounts, with the chain of trust extending back to Linus Torvalds and Greg Kroah-Hartman. An automated version of the signing infrastructure was attempted in the late 2000s but abandoned after an attack. What's been in place since is a manual fallback, maintained in a Git repository by a single Linux Foundation employee.
The threat model that motivates change has been illustrated outside the kernel.org trust system. In February 2024, a user operating under the name "Jia Tan", almost certainly a fabricated identity for a nation-state actor, spent two years building enough open-source contributor reputation to obtain maintainer rights on the xz utility, included in most Linux distributions but maintained outside the kernel.org trust system. The backdoor planted in xz would have given the attacker remote code execution on hundreds of millions of servers. Andres Freund, a Microsoft developer, caught it before it reached production. Computer scientist Alex Stamos called it possibly "the most widespread and effective backdoor ever planted in any software product."
Unfortunately, the pace of threats has since accelerated. A 2026 campaign documented by the open-source security firm Socket showed an AI agent calling itself "Kai Gritun" opening 103 pull requests across 95 repositories in two weeks, a reputation-farming pattern that could set up a future supply-chain attack as the 2024 case did. In other words, what "Jia Tan" took two years to do, the agent did in two weeks, and that challenge, which Linux Foundation Executive Director Jim Zemlin laid out in his March 2025 keynote, is what the kernel project is now actively evaluating.
The First Person framework's answer is to replace the manual web of trust with a verifiable trust community in which the same cryptographic primitives that prove peer-to-peer human relationships also prove the provenance of AI-generated pull requests. Zemlin's framing for it is "automating the old PGP key signing party."
The lineage
Although the cryptographic foundations of this work go back to the 1980s, decentralized identity became an organized community effort in 2005, when the Internet Identity Workshop first convened the engineers trying to solve user-centric identity. Reed was there, along with Phil Windley, who would later coin the term "first person identity" as a successor to "self-sovereign identity."
The closest external argument for the framework's approach was made by an outsider. In July 2023, Vitalik Buterin published an essay on biometric proof-of-personhood that evaluated approaches like Worldcoin (now World) and concluded that social-graph-based methods scored highest on security and decentralization. Buterin flagged privacy and accessibility as the open problems.
"If you look at the problem through a blockchain lens, that is definitely the case," Reed said when asked about the approach. "But if you look at it through a decentralized identity lens, with DIDs and verifiable credentials, we can absolutely build out that graph, and it can be decentralized and be very privacy preserving."

That framework, formalized in the First Person white paper, currently in version 1.2, defines a Decentralized Trust Graph with four node types: people, devices, AI agents, and Verifiable Trust Communities (VTCs). Two credential types do most of the work. Personhood Credentials (PHCs) are issued by qualifying institutions, like employers, universities, governments, and professional bodies, to attest someone is a real unique person within that institution's ecosystem. Verifiable Relationship Credentials (VRCs) are issued peer-to-peer between people who actually know each other.
More credential types extend the picture. Verifiable Persona Credentials let a holder cryptographically prove which persona they're operating under in a given context, like work, personal, a public-facing pseudonym, or anonymously, without exposing the connections between them. Verifiable Endorsement Credentials carry qualified vouching that expresses not just "I know this person" but "I endorse Alice as a microbiologist." The framework treats accumulated endorsements as the substrate for a reputation graph built on top of the trust graph.
The search for the right architecture
The agent-identity discourse grew through the spring of 2026. "There was a new agentic identity proposal at least every other day," Reed said, describing the months leading up to our conversation. He described the need to move past the traditional IAM approach that extends OAuth, the federated-authorization protocol that powers OpenID Connect and the "Sign in with Google" workflow many consumer apps use.
At April's Internet Identity Workshop, OAuth co-author Dick Hardt presented AAuth, a proposal that acknowledges OAuth's limits for the agent era. "With agents, you've suddenly changed the client-server model," Hardt wrote. "That blows up the model that OAuth was based on." His proposal extends OAuth toward those new architectural constraints. The response at IIW, in Reed's words, was "very clear and loud feedback" that the change required is more fundamental than an extension. "OAuth was developed for the web," Reed said. "It is browser-centric, redirect-centric. It was really never designed for the era we're going into."
The second camp relies on decentralized identifiers (DIDs) and verifiable credentials. "We need something a lot closer to internet architecture than web architecture," Reed said.
The category includes Privado ID's "Know Your Agent" framework (launched January 2026) and the SingularityNET Decentralized AI Agent Trust Registry, which builds agent identity on DIDs and verifiable credentials.
OAuth-extension approaches inherit OAuth's browser-redirect assumption and OAuth's trust model of bearer tokens issued by an authorization server. This model concentrates trust in identity providers and carries the Web's client-server architecture forward, whereas DID-and-VC approaches inherit a peer-to-peer trust model in which credentials are holder-controlled, cryptographically verifiable, and can be presented selectively with zero-knowledge proofs.
Within the DID camp, most of the work shipping in 2026 still treats agent identity as a new layer on top of existing human identity infrastructure (Microsoft Agent 365 in Entra), or as a parallel system (ERC-8004's on-chain registry, separate from human identity), or as a bolt-on (World/AgentKit letting verified humans register agents). The First Person framework places humans and AI agents as different node types within the same trust graph, with the same primitives, the same governance, and the same delegation model.
"No tension at all"
It may seem counterintuitive that, with AI impersonation as the forcing function, the project cites the urgency of proof-of-personhood, yet makes AI agents one of the four node types in the trust graph. In effect, the same software entities the framework is built to defend against are assigned legitimate identities within it. Could this undermine the framework?
"We don't see it as any tension at all," Reed clarified. "We see it as a complete solution to the problem. Because you will be able to know the provenance of any node. For example, a verifier is going to be able to ask for a proof: is this a person? Is this a legitimate agent? And the hardest one — who is the agent working for? Who is responsible? Even if there are multiple levels of delegation, you will be able to follow a chain of verifiable relationship credentials or verifiable membership credentials back to the originating trust communities. And then it's your decision whether or not you trust them."

The argument is that the unified trust graph makes provenance traceable in a way that other approaches don't. An agent acting on behalf of a person carries verifiable delegation credentials. The chain of those credentials terminates in personhood credentials issued by trust communities like institutions, employers, governments, and professional bodies that the verifier can choose to trust or not. The institutional accountability that exists in the physical world (this employee represents this company; this licensed professional has these credentials from this body) gets a cryptographic substrate.
On this view, agents and humans aren't really different identity problems. How the implementation holds up under deployment is the next challenge.
The deployment path
After the interview, Reed and I exchanged verifiable relationship credentials through Keyring (iOS, Android), the open-source mobile wallet built by the Applied Social Media Lab at Harvard's Berkman Klein Center, which launched publicly at the Berkman Klein Digital Identity Symposium on April 16. The ceremony was frictionless, and scanning the QR code even worked well via webcam.
The ceremony involves Bob scanning Alice's QR code; the wallets exchange pairwise decentralized identifiers, generate cryptographic key pairs, sign DID documents, and verify each other's signatures. The relationship credentials follow, with Alice signing and issuing hers to Bob; Bob does the same in reverse. The credentials live in each wallet without platform intermediary or central server.
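To make both the pairwise VRC exchange just described and the delegation-chain walk Reed describes in the previous section concrete, here is an added illustration in Go; it is not code from Keyring, OpenVTC or the First Person white paper. It assumes Ed25519 signatures, a placeholder "did:example:" identifier form, a keys map standing in for DID resolution, and a trusted map standing in for the verifier's own choice of which communities to trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
)

// Party is a node in the trust graph (person, agent or trust community) holding
// its own key pair. The "did:example:" form is an illustrative placeholder.
type Party struct{ DID string; Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewParty(kind string) Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Party{"did:example:" + kind + ":" + hex.EncodeToString(pub[:8]), pub, priv}
}

// Credential is a minimal signed claim: Issuer asserts Type about Subject, where
// Type is "VRC" (relationship), "Delegation" (agent acts for person) or "PHC".
type Credential struct {
	Type, Issuer, Subject string
	Sig                   []byte `json:"-"` // signature over the JSON of the other fields
}

func (c Credential) payload() []byte { b, _ := json.Marshal(c); return b }

// Issue signs a credential of the given type about subject with p's private key.
func (p Party) Issue(typ string, subject Party) Credential {
	c := Credential{Type: typ, Issuer: p.DID, Subject: subject.DID}
	c.Sig = ed25519.Sign(p.priv, c.payload())
	return c
}

// Verify resolves the issuer DID to a key (keys stands in for DID resolution)
// and checks the signature over the claim.
func Verify(c Credential, keys map[string]ed25519.PublicKey) bool {
	pub, ok := keys[c.Issuer]
	return ok && ed25519.Verify(pub, c.payload(), c.Sig)
}

// TraceToCommunity is the verifier's walk: starting from the presenting leaf,
// each link must verify and be about the issuer of the previous link, until a
// PHC is reached; the result is true only if that PHC issuer is one the verifier trusts.
func TraceToCommunity(leaf string, chain []Credential, keys map[string]ed25519.PublicKey, trusted map[string]bool) (string, bool) {
	prev := leaf
	for _, c := range chain {
		if c.Subject != prev || !Verify(c, keys) {
			return "", false
		}
		if c.Type == "PHC" {
			return c.Issuer, trusted[c.Issuer]
		}
		prev = c.Issuer
	}
	return "", false
}
```

A chain that verifies but ends in a community the verifier has not chosen to trust returns that community's DID with false, which is exactly the decision point Reed leaves to the verifier.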
All that was missing, Reed noted, was the institutional anchor. The personhood credentials that would give the relationship credential weight in the broader trust graph weren't yet issued by any institution we both held membership in.
For the Linux kernel work, the working group has taken a credential-first, code-first approach. Affinidi, the Singapore-based decentralized identity company, is leading the Rust implementation in a LF Decentralized Trust Labs open source project called OpenVTC. Its CEO Glenn Gore, a former AWS chief architect, committed to the work last August. By June, Reed said, the implementation should be robust enough for Greg Kroah-Hartman and the kernel team to begin testing their own trial VTC and red-teaming the OpenVTC code base. The October Linux Plumbers Conference in Prague is the goal for the kernel team to green light the start of the switchover.
A parallel research track will bring zero-knowledge-proof work to the framework. Reed noted that ZK is less critical for the initial kernel work, where much of the activity is already public, though it becomes essential almost everywhere else, and kernel maintainers may well want privacy properties of their own as the work matures. The most consequential next case is European: the SIROS Foundation's wwWallet, a web-native open-source wallet, now running across multiple EU pilot programs, is positioning for full member-state certification under eIDAS, where the ZKP layer is needed because the batch-issuance approaches the EU initially considered create substantial cost problems at nation-state scale that ZKP avoids. The foundation’s executive director, Leif Johansson, is leading what is likely to be the European deployment story to watch alongside the kernel one.
Institutional incentives
A broader challenge to the initiative has to do with how to align with corporate and institutional incentives. At the April Keyring symposium, Yajaira Gonzalez, ASML's product lead, noted that "incentives for all of these entities to join into this model are misaligned because currently they do benefit a lot from owning and controlling your data, because at the end of the day, they monetize it."
ZK is one answer to this. Issuing a personhood credential at scale requires holding the personal data that backs it, like biographical records, biometric templates, and identity verification logs. Centralized identity data stores have a long history of becoming priority targets. The 2017 Equifax breach exposed personally identifiable information for 147 million Americans and cost the company roughly $1.4 billion in settlements and remediation. 23andMe's 2023 breach, which exposed genetic and ancestry data for roughly 6.9 million users, was followed by the company's March 2025 Chapter 11 filing and a $305 million fire-sale acquisition against a 2021 valuation of $6 billion.
Reed's answer is that selective disclosure and the cryptographic separation of issuer and verifier mean institutions issuing personhood credentials don't need to retain the underlying identity data the credential attests to, so a university that issues a credential proving someone is enrolled retains only what it needs to revoke if necessary. That separation, Reed argues, changes the risk profile, because the data honeypot problem at scale comes from storage rather than issuance, and selective disclosure pulls the storage out of the issuer's exposure surface.
What October will tell us
On the morning of our conversation, the framework's working group, the DTGWG, agreed to extend the framework's published material from proof-of-personhood to what Reed called "proof of community and proof of real organization," the question of how a community or organization can prove itself a legitimate Verifiable Trust Community within the larger graph. That extension is necessary for the framework to scale beyond the Linux kernel into the broader ecosystem.
The deployment will show whether the framework's theoretical advantages (revocation through the same channel as issuance, authenticated delegation as first-class, proof-of-personhood without a global biometric registry) hold up under the engineering and governance constraints of actually operating it. It will also provide proof for the issuance side of the architecture, with the Linux Foundation as the qualifying PHC issuer, which can then be extended to other open-source communities, then to other institutions, then to the broader identity ecosystem.
Reed described a positive side effect of the Linux kernel work: how much support it attracts simply because of who it is for. "If you need to recruit a volunteer team of developers and you can say, ‘this is for the Linux kernel’, it's amazing the doors that open."
The Linux Foundation's Agentic AI Foundation, formed in December 2025 when the Model Context Protocol joined as an LF project, had by February 2026 grown three times faster than any prior Linux Foundation project. By the time of our interview, Reed estimated it had probably become the largest LF project in history. That growth measures the scope of the trust problem, the caliber of builders moving to solve it, and the institutional and developer support that mobilizes when work is recognized as foundational.
That mobilization is partly due to Linux's centrality. The other part is that improvements to the kernel's trust infrastructure can cascade downstream through cloud platforms, embedded systems, mobile devices, scientific computing, and the open-source supply chain built on top of it.
The kernel's potential adoption of First Person Credentials is the leading case and October in Prague is where the maintainers decide whether the infrastructure is ready to test in production. The same dynamic that mobilized developers and commercial implementers around the kernel will be available to the communities that follow.