Self-Sovereign Identity · Semantic Web · Agentic Web

YouID — Self-Sovereign Identity for the Agentic Web

Tracing the arc from browser PKI incompatibility through Semantic Web standards to the age of LLM-powered AI Agents and Skills

"Browser vendors offer suboptimal UI/UX for client-certificate authentication, effectively sidelining the cryptographic link between individuals and the open web beneath layers of complexity few could navigate. Semantic Web standards — WebID, the FOAF vocabulary, and the cert ontology — rebuilt that bridge through decentralized, linked-data identity. Now, LLM-powered AI Agents loosely coupled with Skills like YouID have democratized that bridge. Anyone can generate their own verifiable, machine-readable identity for use across the emerging Agentic Web."

🔐 Privacy & Self-Sovereign Identity

Your social media and online profiles are not under your full control. Third parties increasingly make decisions on your behalf — based on their perception of you, not yours. YouID makes you the master curator of your own profile data, verifiable identity, and content indexes.

"Privacy is the self-calibration of one's vulnerability."

Kingsley Uyi Idehen, Founder & CEO, OpenLink Software

Three distinct vulnerabilities define the digital identity crisis — and each has a precise, standards-based remedy:

Vulnerability 1 — Impersonation Risk

Protection Against Impersonation

Without cryptographic anchoring, anyone can claim to be you — through email spoofing, social account cloning, or credential theft. Digital signatures solve this: a self-sovereign X.509 certificate bound to your WebID cryptographically proves that any signed message or action genuinely originates from you, the keyholder — courtesy of the S/MIME protocol. The problem with S/MIME mirrors the browser's PKI failure: email clients have never made it easy for everyday users. The net effect is phishing, smishing, and vishing attacks that grow ever more sophisticated in the age of AI.

Vulnerability 2 — Message Snooping

Protection Against Message Snooping

Platform providers hold the encryption keys to your communications, making true privacy structurally impossible. The remedy is end-to-end encryption where you control the keys — not the platform. A WebID-anchored certificate lets correspondents send you messages that only you, holding your private key, can decrypt.

Vulnerability 3 — Resource Access Control

Control Over Your Own Resources

Photos, posts, documents, and contacts on platforms are governed by platform terms — the platform decides who sees what, and may change those rules at any time. The remedy is fine-grained access controls expressed as entity-relationship collections using the Semantic Web: you specify exactly which WebID-identified agents may access each resource you create.

Phase 1 — The Break

The Browser PKI Gap

Browser vendors provide suboptimal UI/UX for client-certificate management — the interface that would allow users to install X.509 certificates and authenticate to services via mutual TLS. The technical capability exists in the standard, but the human-facing tooling is buried and inaccessible. PKI became asymmetric: servers authenticate to clients, but clients cannot practically authenticate via certificate. This left passwords, OAuth, and API keys as the only viable options — all centralized, all revocable by a third party.

Phase 2 — The Bridge

Semantic Web Standards

Tim Berners-Lee argued that "we must not muddle the email address with the person" — identity must be a dereferenceable URI, not an authentication credential. WebID-TLS, the FOAF vocabulary, and the W3C cert ontology answered that call. By placing a WebID URI in the X.509 certificate's Subject Alternative Name field, and declaring the public key in a machine-readable FOAF profile, decentralized verification became possible. No Certificate Authority required — trust flows from the Linked Data web itself.

Phase 3 — The Democratization

LLM Agents + YouID Skill

The YouID Skill encapsulates openssl, RDF template filling, multi-format generation, and WebDAV uploads. An LLM-powered AI Agent routes through the Skill on natural language instruction. The result: anyone — regardless of PKI expertise — can generate a verifiable, self-sovereign NetID for the emerging Agentic Web.

Phase 4 — Agent Identity & Delegation

Verifiable Identities for AI Agents

Identities are not exclusive to humans. AI Agents are first-class identity holders too — each agent operating on your behalf can hold its own NetID or WebID. The YouID Skill can generate a machine-computable delegation bundle — an RDF document asserting oplcert:onBehalfOf and oplcert:hasIdentityDelegate triples that formally link the agent's NetID to its human operator's NetID. The result is a two-identity system any service can verify: the agent is who it claims to be, and it is an authorized delegate of a specific, verified human principal.

🪪 whoami — Live Identity Claims

Output of the whoami command in a YouID-enabled AI Agent environment — two verified NetIDs linked by a machine-computable oplcert:onBehalfOf delegation relation

User (Principal)
Name: Kingsley Uyi Idehen
Email: kidehen@openlinksw.com
Role: Founder & CEO, OpenLink Software

oplcert:hasIdentityDelegate
oplcert:onBehalfOf

Agent (me)
Model: Claude Sonnet 4.6 (claude_sonnet_4_6)
Environment: Claude Code
Artifact root: /Users/kidehen/Documents/LLMs/Claude/ (rdf/, md/, webpages/)
Active project: ai-agent-skills — whoami identity gate refinement (#35#37)
Memory store: …/ai-agent-skills/agent-rdf-memory/
Behavioral contract: preferences.ttl (60 standing instructions, incl. verified identity gate, canonical-WebID/owl:sameAs pattern, UI/UX expert persona)

owl:sameAs

Inherited from principal via delegation

🛠 How To: Generate Your NetID or WebID Using the YouID Skill

Seven steps to generating a verifiable, self-sovereign NetID or WebID via an LLM-powered AI Agent and the YouID Skill — YouID handles the PKI so you don't have to

1. Choose your profile document location and define your NetID or WebID URI

Secure a network location you control — a WebDAV/LDP endpoint, a personal domain, or a compatible data pod — and reserve a slot for your profile document there. The YouID Skill supports any resolvable identifier as your NetID; when that identifier is an HTTP URI, it becomes a WebID — appending a fragment such as #this to your profile document URL produces a stable, dereferenceable WebID URI scoped to the network-accessible space you own, e.g., https://yourdomain.com/people/you#this. This URI appears in the X.509 certificate's Subject Alternative Name field and in every RDF profile document generated by the YouID Skill.

2. Collect your identity parameters

Gather: your common name, professional title, email address, organization, country code (2-letter ISO), social profile URLs (LinkedIn, X, GitHub, etc.), an optional photo URL, and an optional personal profile page URL. These become the semantic assertions in your FOAF-based profile document.

3. Invoke the YouID Skill via an LLM-powered AI Agent

Open your preferred LLM-powered AI Agent (Claude Code, GPT-5 Codex, DeepSeek, Grok CLI, etc.) and say: "Generate a credentials collection for me." The YouID Skill takes it from there — eliciting your identity parameters, establishing a sense of who you are that distinguishes you from the AI Agent environment you are operating within, and orchestrating the full generation workflow. No PKI expertise required.

4. Generate your X.509 certificate with WebID SAN

The YouID Skill runs scripts/generate_certificate.sh to produce a self-signed RSA-2048 X.509 certificate with your WebID URI in the Subject Alternative Name field. The script extracts modulus, exponent, fingerprints, and NI/DI URIs into cert_data.json — the seed for all subsequent RDF documents.

5. Verify public key consistency across all representations

The Basic WebID Test gate verifies that the RSA modulus and exponent from the generated cert.p12 match the cert:modulus and cert:exponent values in profile.ttl, profile.jsonld, and index.html. This gate must pass with zero failures before any identity document is delivered.

6. Upload your identity bundle to WebDAV/LDP storage

The YouID Skill uses curl PUT commands to upload all generated artifacts (profile.ttl, profile.jsonld, profile_rdfa.html, certificate.*, public_key.*, index.html, vcard.vcf, style.css, cert.pem, cert.crt) to your chosen WebDAV/LDP endpoint. The profile is now live and dereferenceable.

7. Share your NetID or WebID URI across the Agentic Web

Your NetID — realized here as a WebID URI — is now a verifiable, portable, self-sovereign identity credential. Share it in email signatures, social profiles, and Agentic Web service registrations. AI Agents acting on your behalf will present the X.509 certificate derived from this identity; services will verify it by dereferencing your WebID profile and matching the declared public key.

8. Generate an Agent Identity and delegation bundle (optional)

The YouID Skill can also generate a verifiable identity for the AI Agent itself — giving the agent its own NetID or WebID and X.509 certificate. It then produces a delegation bundle — an RDF document asserting oplcert:onBehalfOf and oplcert:hasIdentityDelegate triples that formally link the agent's NetID to your human operator NetID. The whoami command in agent environments exercises this: it returns two verified identities — yours and the agent's — plus the machine-computable delegation relation between them.

Frequently Asked Questions

Ten questions about self-sovereign identity, WebID, and the Agentic Web

Browser vendors (Chrome, Firefox, Safari) have long provided suboptimal UI/UX for client-certificate authentication — the interface that would allow users to install X.509 certificates and present them to servers for mutual TLS authentication. The technical capability exists in the standard, but the human-facing tooling is buried beneath layers of complexity few everyday users can navigate. The result: PKI became effectively asymmetric. Servers authenticate to users via TLS, but users cannot practically authenticate to services via certificate — leaving passwords, OAuth, and API keys as the only accessible options. This is the Browser PKI Gap.
A WebID is a dereferenceable URI that identifies an agent (person, organization, or software). When dereferenced, it returns an RDF profile document (using FOAF and the cert ontology) that declares the agent's RSA public key. WebID-TLS closes the gap by shifting trust from a Certificate Authority hierarchy to the Linked Data web: the server fetches the WebID, retrieves the declared public key, and verifies it matches the certificate the client presented — no CA required.
A NetID is any resolvable identifier (rather than just an HTTP-based IRI) bound to an X.509 certificate via the certificate's Subject Alternative Name (SAN) URI field. It is YouID's core identity unit. The NetID combines the cryptographic authority of a public/private key pair with the semantic richness of a FOAF profile document — producing a machine-readable, self-verifiable identity that any agent on the web can authenticate by following the WebID link.
Self-sovereign identity (SSI) is the principle that individuals control their own digital identity without depending on a central provider (Google, Facebook, an enterprise SSO). YouID realizes SSI through DPKI + WebID: the identity is anchored to a URI the individual controls, the X.509 certificate is self-signed, and the public key is declared in the individual's own profile document. No third party can revoke or take away the identity.
Traditional PKI depends on a hierarchy of Certificate Authorities (CAs) whose root certificates are pre-installed in browsers and operating systems. Trust flows from the CA. Decentralized PKI (DPKI) replaces this with direct verification: you dereference the subject's WebID URI to retrieve the declared public key, then verify the certificate matches. Anyone can be their own CA. Trust flows from the Linked Data web, not from a vendor-curated CA store.
The W3C cert ontology provides cert:RSAPublicKey, cert:modulus, and cert:exponent — RDF terms that let a FOAF profile document declare the exact RSA public key values extracted from the X.509 certificate. When a WebID-TLS server fetches the profile and runs the key-match SPARQL query, it bridges the X.509 certificate world and a Semantic Web into a single cryptographic verification step.
The Agentic Web is the next layer of the World Wide Web in which LLM-powered AI Agents act as first-class citizens — querying data, executing transactions, and communicating with other agents on behalf of human principals. Unlike today's web where humans browse and click, the Agentic Web is primarily machine-to-machine. This demands robust decentralized identity: an agent must carry a verifiable credential so that services and other agents can authenticate and authorize it without relying on shared secrets or API keys.
The YouID identity stack involves openssl commands, RDF template filling, multi-format artifact generation (Turtle, JSON-LD, RDFa HTML, vCard, X.509), and WebDAV uploads. This complexity has historically required PKI expertise. By encapsulating this knowledge in the YouID Skill and routing it through an LLM-powered AI Agent, the entire workflow becomes accessible via natural language. A user describes who they are; the agent handles the rest.
OAuth-based identity (Google Sign-In, GitHub OAuth, Auth0) centralizes trust: the identity provider controls your account. If the provider suspends or deletes your account, your identity is gone. YouID is fundamentally different: the identity is anchored to a URI you control, the certificate is self-signed, and the public key is declared in your own profile document on a WebDAV/LDP server you control. The identity is portable, durable, and not subject to provider policy changes.
Idehen's thesis — articulated through OpenLink Virtuoso, the YouID system, and the Platinum Layer concept — is that a Semantic Web already provided the primitives for the Agentic Web: dereferenceable HTTP IRIs, RDF for machine-readable descriptions, SPARQL for querying, and WebID-TLS for decentralized authentication. AI Agent Skills like YouID are the accessibility layer that completes the loop from the Semantic Web vision of the early 2000s to the Agentic Web reality of the 2020s.

📚 Glossary

Key terms in the self-sovereign identity and Agentic Web vocabulary

WebID: A dereferenceable URI that identifies an agent. Dereferencing it returns an RDF FOAF profile document declaring attributes and RSA public keys.
NetID: Any resolvable identifier — not limited to HTTP-based URIs — bound to an X.509 certificate via the Subject Alternative Name (SAN) field. A WebID is the HTTP-specific instance of a NetID. The YouID Skill supports both.
X.509 certificate: ITU-T standard digital certificate binding an RSA public key to a subject. In YouID, the SAN field carries the WebID URI — making the cert a cryptographic anchor for Semantic Web identity.
Subject Alternative Name (SAN): An X.509 certificate extension that can contain URIs, DNS names, or email addresses. WebID-TLS places the WebID URI in this field to bind the certificate to the identity.
Decentralized PKI (DPKI): A model for cryptographic identity that removes the Certificate Authority hierarchy. Trust is established by dereferencing the WebID URI and verifying the declared public key matches the presented certificate.
FOAF: An RDF vocabulary for expressing social graphs and personal profiles. Provides foaf:Agent, foaf:Person, foaf:name, foaf:mbox, and foaf:img — the semantic primitives of WebID profile documents.
cert ontology: W3C WebID certificate ontology providing cert:RSAPublicKey, cert:modulus, cert:exponent, and cert:key — enabling FOAF profiles to assert RSA public key values that authenticate the WebID holder.
Self-sovereign identity (SSI): The principle that individuals control their own digital identity independently of any central provider. YouID achieves SSI through DPKI + WebID: self-signed certificate, user-controlled URI, user-controlled profile document.
Agentic Web: The emerging layer of the web where LLM-powered AI Agents act as first-class citizens — querying, transacting, and communicating machine-to-machine on behalf of human principals.
AI Agent Skills: Reusable, domain-specific capability bundles packaged for LLM-powered AI Agents. Skills encode execution knowledge, protocol routing, and output templates — preventing knowledge drift and enabling standards-compliant output.
oplcert:onBehalfOf: An RDF predicate from OpenLink's cert extension ontology. It asserts a machine-computable delegation relation: the subject (an AI Agent's NetID) acts on behalf of the object (the human operator's NetID). The inverse predicate oplcert:hasIdentityDelegate expresses the same relation from the human's perspective.
Delegation bundle: An RDF document generated by the YouID Skill that contains two NetID/WebID profiles — one for the human operator, one for the AI Agent — plus oplcert:onBehalfOf and oplcert:hasIdentityDelegate triples formally linking them. Enables any service to verify both the agent's identity and its authorized relationship to its human principal.

SPARQL Workbench

Execute live queries against the companion Turtle knowledge graph hosted on URIBurner (Virtuoso-backed).

Q1 List all identity concepts with descriptions
PREFIX schema: <http://schema.org/>

SELECT DISTINCT ?entity ?name ?description
FROM <https://linkeddata.uriburner.com/DAV/demos/daas/youid-self-sovereign-identity-claude_sonnet_4_6-1.ttl>
WHERE {
  ?entity schema:name ?name ;
          schema:description ?description .
  FILTER(LANG(?name) = 'en')
}
ORDER BY ?name

Q2 Retrieve all FAQ question-answer pairs
PREFIX schema: <http://schema.org/>
PREFIX : <https://linkeddata.uriburner.com/DAV/demos/daas/youid-self-sovereign-identity-claude_sonnet_4_6-1.ttl#>

SELECT ?pos ?question ?answer
FROM <https://linkeddata.uriburner.com/DAV/demos/daas/youid-self-sovereign-identity-claude_sonnet_4_6-1.ttl>
WHERE {
  ?q a schema:Question ;
     schema:position ?pos ;
     schema:name ?question ;
     schema:acceptedAnswer/schema:text ?answer .
}
ORDER BY ?pos

Q3 Retrieve glossary terms
PREFIX schema: <http://schema.org/>

SELECT ?term ?definition
FROM <https://linkeddata.uriburner.com/DAV/demos/daas/youid-self-sovereign-identity-claude_sonnet_4_6-1.ttl>
WHERE {
  ?t a schema:DefinedTerm ;
     schema:name ?term ;
     schema:description ?definition .
}
ORDER BY ?term

Q4 Retrieve HowTo steps
PREFIX schema: <http://schema.org/>

SELECT ?step ?name ?text
FROM <https://linkeddata.uriburner.com/DAV/demos/daas/youid-self-sovereign-identity-claude_sonnet_4_6-1.ttl>
WHERE {
  ?s a schema:HowToStep ;
     schema:position ?step ;
     schema:name ?name ;
     schema:text ?text .
}
ORDER BY ?step

Q5 Entity-type summary — SAMPLE-based canonical recipe
PREFIX rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>

SELECT
    ?type
    (SAMPLE(?s)     AS ?sampleEntity)
    (SAMPLE(?label) AS ?sampleLabel)
    (COUNT(?s)      AS ?entityCount)
WHERE {
    GRAPH <https://linkeddata.uriburner.com/DAV/demos/daas/youid-self-sovereign-identity-claude_sonnet_4_6-1.ttl> {
        ?s rdf:type ?type .
        OPTIONAL { ?s rdfs:label ?label }
    }
}
GROUP BY ?type
ORDER BY DESC(?entityCount)