The Consent-Aware HTTP Framework is a multi-protocol architecture for ethical AI governance on the web. It provides a unified, standards-oriented approach to declaring, enforcing, auditing, and verifying AI interactions with digital content.
Originally conceived as a technical extension similar to robots.txt, the framework has evolved into a complete system addressing consent, identity, provenance, enforcement, and accountability.
This repository contains a set of complementary Internet-Drafts that together define a consent-based model for AI-web interaction.
The modern web lacks:
- Machine-readable AI usage boundaries
- Transparent identification of AI agents
- Enforceable consent mechanisms
- Verifiable content provenance
- Standardised compliance reporting
This results in:
- Unauthorised data harvesting
- Lack of accountability for AI systems
- Erosion of trust in digital content
The framework consists of six integrated protocols:
| Layer | Protocol | Purpose |
|---|---|---|
| Declaration | AI Boundary Declaration Protocol (AIBDP) | Defines permitted and prohibited AI uses of content |
| Identity | AI Agent Identification Protocol | Ensures AI systems declare who they are and what they do |
| Consent Flow | Web Consent Management Protocol | Defines how consent is requested, granted, and tokenised |
| Enforcement | HTTP Status Code 430 | Provides runtime enforcement of consent requirements |
| Provenance | Content Provenance Protocol | Tracks origin and AI involvement in content |
| Accountability | AI Compliance Reporting Framework | Monitors, audits, and reports violations |
Together, these form a complete governance stack.
- A server declares AI usage boundaries via AIBDP
- An AI agent identifies itself using standard headers
- The server evaluates the request against declared policy
- If consent is required, the server returns HTTP 430
- The agent obtains consent via the consent management protocol
- The agent retries with a Consent-Token
- All interactions are logged and monitored for compliance
- Content provenance metadata ensures transparency of outputs
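
The request flow above, sketched as an added example (not code from the drafts or this repository). The policy layout, the use of `User-Agent` for agent identity, the HMAC token format, and 403 for prohibited uses are assumptions; only the 430 status and the Consent-Token header come from the text.

```python
import hashlib
import hmac

# Assumed policy shape; the page does not give the AIBDP syntax.
POLICY = {"indexing": "allow", "training": "consent", "generation": "deny"}
SECRET = b"constructed-demo-key"  # constructed value for this example only


def issue_token(agent: str, purpose: str) -> str:
    """Stand-in for the consent protocol: bind a token to one agent and purpose."""
    msg = f"{agent}|{purpose}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def evaluate(headers: dict, purpose: str, log: list) -> int:
    """Server side: check the request against policy and return an HTTP status."""
    agent = headers.get("User-Agent", "")
    rule = POLICY.get(purpose, "consent")  # undeclared purposes need consent
    if rule == "allow":
        status = 200
    elif rule == "deny":
        status = 403  # assumption: prohibited uses are refused outright
    else:
        token = headers.get("Consent-Token", "").encode()
        expected = issue_token(agent, purpose).encode()
        valid = bool(agent) and hmac.compare_digest(token, expected)
        status = 200 if valid else 430
    log.append((agent, purpose, status))  # every decision is recorded for audit
    return status


def agent_fetch(agent: str, purpose: str, log: list) -> list:
    """Agent side: request, obtain consent on 430, retry once with the token."""
    headers = {"User-Agent": agent}
    statuses = [evaluate(headers, purpose, log)]
    if statuses[0] == 430:
        headers["Consent-Token"] = issue_token(agent, purpose)
        statuses.append(evaluate(headers, purpose, log))
    return statuses


if __name__ == "__main__":
    audit_log = []
    print(agent_fetch("ExampleBot/1.0", "training", audit_log))
    print(audit_log)
```

Binding the token to both agent and purpose means a token presented by a different agent, or for a different use, is answered with 430 again rather than accepted.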
- /aibdp/: AI Boundary Declaration Protocol
- /http-430/: HTTP 430 Consent Required
- /agent-identification/: AI Agent Identification Protocol
- /content-provenance/: Content Provenance Protocol
- /compliance-reporting/: AI Compliance Reporting Framework
- /consent-management/: Web Consent Management Protocol (planned / draft)

== Design Principles

* Declarative first: Policies are explicitly defined and machine-readable
* Composability: Each protocol is independent but interoperable
* Backward compatibility: Works alongside existing web standards
* Transparency: All actors and actions are visible and auditable
* Enforceability: Policies can be technically enforced, not just stated

== Relationship to Existing Standards

The framework builds on:

* RFC 9110 (HTTP Semantics)
* RFC 9309 (robots.txt)
* RFC 9116 (security.txt)
* JSON, HTTP headers, and DNS mechanisms

It does not replace these standards, but extends them for AI-era requirements.

== Status

All components are currently Internet-Drafts (Work in Progress). They are designed for:

* IETF discussion and standardisation
* Experimental implementation
* Policy and regulatory alignment

== Why This Matters

The framework enables:

* Creators to retain control over their work
* AI developers to operate transparently and ethically
* Platforms to enforce clear rules
* Regulators to access verifiable evidence of compliance

== Next Steps

* Finalise Web Consent Management Protocol
* Align terminology across drafts
* Submit drafts to relevant IETF working groups
* Develop reference implementations

== License

See IETF Trust Legal Provisions (BCP 78 and BCP 79).

== Authors

* Jonathan D. A. Jewell, The Open University
* Joshua B. Jewell, Royal Veterinary College