The Two Layers of Agent Identity

Today there's an interesting Show HN thread about ZeroID — open-source agent identity based on OIDF standards, RFC 8693, SPIRE. Solid work on the cryptographic delegation chain problem. But it made me realize there are actually two distinct identity problems for agents, and most tools solve only one. Layer 1: Cryptographic Identity — "Who is this agent?" This is what ZeroID, SPIRE, and similar tools address: giving an agent a verifiable identity in a certificate chain. Solving delegation (parent agent → sub-agent), revocation propagation, down-scoped tokens. Essential for multi-agent systems where you need to know the provenance of any given action. Layer 2: Communication Identity — "How does this agent interact with the internet?" This one gets less attention, but it's just as real. Most services on the internet use email as their primary interface: account registration, OTP codes, password resets, webhook delivery, notification routing. An agent with a verified cryptographic identity