Suggestion about Websocket and E2E Encryption

[sejkimm]

Hello!

I have a suggestion after reading the 04-end-to-end-encrypted-communication-technology-protocol-based-on-did.md document.

In the doc, Websocket secure (wss://) is unnecessary because the protocol already handles strong E2E encryption itself. I agree with the security of this approach.

However, I'm concerned that major browsers like Chromium block insecure context connection including websocket (ws://) when the web app is running over secure context like https://. This would make ANP hard to utilize for most web applications. chromium issue ref

It would be ok if the above case is not a target area, but since the goal of ANP is to "leverage existing infrastructure" I wanted to point this out.

Thank you.

[chgaowei]

Thanks.
End-to-end encryption is currently designed on top of WSS, but it can in fact be implemented over any transport layer. WSS is indeed not strictly required.

However, the end-to-end encryption feature is not used very frequently at the moment. I am considering making some adjustments to it, possibly deprecating it. Currently, the most frequently used features are agent identity, description, and discovery.

In addition, does WSS itself count as end-to-end encryption? For example, if an agent connects to another agent through a WSS service (not directly between the two agents, since they may both be behind NAT without public ports), the intermediate WSS service, acting as a relay, would still be able to see the interaction data between the two agents.

[sejkimm]

I agree with your design perspective.
While studying this project I was thinking about how current web app (working within the browser) could adopt this protocol to enable Agentic Intelligence in practical and I just wanted to share my concern.

As another proponent of the decentralized web, I hope this project will make a significant contribution in Agentic AI era 😃

[chgaowei]

Thank you for your suggestion — I’d like to share my perspective, though it may not necessarily be the only correct one.

In the future, an agent may not necessarily be an application running inside the browser.
What I envision is that everyone will have a Personal Agent, which provides a personalized UI for the user and may run in a browser or an app.

In addition, there will be many service-providing agents — for example, a hotel’s agent — which have no user-facing pages and run in the cloud, providing services to Personal Agents through the protocol.

This is the scenario we have in mind. I’m also an advocate of the decentralized web, and I believe the internet of the future should be more open rather than made up of isolated data silos.

If you’re interested in ANP, you’re very welcome to join our open-source project. ANP is open, neutral, and non-profit, and we’re currently seeking stewardship from an open-source foundation.