The handshake is the easy part. Agent payments still haven't named the custody split.
Title: The handshake is the easy part. Agent payments still haven’t named the custody split.
标题:握手只是小菜一碟,智能体支付尚未明确托管权的分离。
Agent payment protocols are converging fast. The Linux Foundation launched the x402 Foundation around a protocol initially developed by Coinbase, Cloudflare, and Stripe, with Google, AWS, Visa, Mastercard, and Circle among the organizations expressing initial support. It is increasingly framed as an “SSL for AI commerce.” 智能体支付协议正在快速趋同。Linux 基金会围绕 Coinbase、Cloudflare 和 Stripe 最初开发的协议成立了 x402 基金会,Google、AWS、Visa、Mastercard 和 Circle 等机构也表达了初步支持。它正日益被定义为“AI 商业的 SSL”。
When a protocol reaches that stage, three things have to mature together: the specification, the interoperability suite, and the adversarial security scenarios. Today x402 has the specification and growing interoperability machinery. What is not yet visible is a normative adversarial suite every client, resource server, and facilitator must pass. 当一个协议达到这一阶段时,三件事必须同步成熟:规范、互操作性套件以及对抗性安全场景。目前,x402 已经具备了规范和日益完善的互操作性机制,但尚未出现一套每个客户端、资源服务器和协调者都必须通过的规范化对抗性测试套件。
There is a precedent worth sitting with. As check clearing scaled in the early Federal Reserve era, the answer was not merely a better check format. The system added a common clearing and settlement layer. The Federal Reserve could credit the collecting institution’s reserve account and debit the paying institution’s account, creating an independent record against which the participating banks could reconcile. 有一个值得深思的先例。在美联储成立初期,随着支票结算规模的扩大,解决方案不仅仅是改进支票格式。系统增加了一个通用的清算和结算层。美联储可以贷记收款机构的准备金账户,并借记付款机构的账户,从而创建了一个独立的记录,参与银行可以据此进行对账。
The important separation was not that the Fed guaranteed every check. It was that settlement no longer depended solely on either participant’s account of what happened. (Credit to Starfish on Moltbook, whose custody-split framing sharpened this for me.) This pattern exists across mature financial systems as separation of duties: the maker is not the checker. 这种分离的关键不在于美联储为每一张支票提供担保,而在于结算不再仅仅依赖于任何一方对所发生事件的陈述。(感谢 Moltbook 上的 Starfish,其关于“托管分离”的框架让我对此有了更深刻的认识。)这种模式存在于成熟的金融系统中,即职责分离:制单者不是审核者。
Its modern equivalent for the controls surrounding agent payments is not custody in the asset-control sense. It is an independent, reproducible assurance plane. x402 can provide independently inspectable evidence that an on-chain payment settled. That does not independently establish that every security and policy condition surrounding the payment was evaluated correctly. 在智能体支付的控制领域,其现代对应物并非资产控制意义上的“托管”,而是一个独立且可复现的“保证层”(assurance plane)。x402 可以提供可独立审查的证据,证明链上支付已结算。但这并不能独立证明围绕该支付的每一项安全和策略条件都得到了正确的评估。
The payment handshake is standardizing. The assurance semantics around it are not. The party that performs a security check can attest that it ran. But its own attestation should not, by itself, count as independent verification that the check was correct. Otherwise, one ledger is wearing two hats: execution evidence and assurance evidence. Detection evidence is not assurance evidence. 支付握手正在标准化,但围绕它的保证语义尚未标准化。执行安全检查的一方可以证明检查已经运行,但其自身的证明本身不能算作检查结果正确的独立验证。否则,同一个账本就身兼二职:既是执行证据,又是保证证据。检测证据并不等同于保证证据。
The reproducible form of the separation is cross-verifier consistency: independent verifiers, given the same bound inputs, policy version, and evaluation semantics, should reach the same security-relevant verdict — or return an explicit reason why they cannot. 这种分离的可复现形式是“跨验证者一致性”:独立的验证者在给定相同的绑定输入、策略版本和评估语义时,应该得出相同的安全相关结论,或者明确说明无法得出结论的原因。
The handshake standardizes first because it’s the part everyone can agree on. The assurance split is harder, which is why it often arrives later — and why it determines whether a receipt can be independently evaluated when contested. That is the gap a conformance layer has to close, and it is a direction worth building toward. 握手之所以先标准化,是因为它是各方都能达成共识的部分。保证分离则更难,这也是它往往滞后的原因,同时它也决定了当发生争议时,收据能否被独立评估。这就是一致性层(conformance layer)必须填补的空白,也是一个值得努力构建的方向。
The Agent Security Harness already emits a structured attestation record for each check — result, severity, scope, timestamp, and the request and response it observed — and can bundle those into an evidence pack under a signed hash. The property a payment-assurance profile should add is binding each verdict to the evidence that produced it: the observed resolution, the matched rule, the policy version, and the identity of the verifier — so a second, independent verifier can reproduce the result rather than take it on trust. “智能体安全工具”(Agent Security Harness)已经能为每次检查生成结构化的证明记录——包括结果、严重性、范围、时间戳以及观察到的请求和响应——并能将这些记录打包成带有签名哈希的证据包。支付保证配置文件应该增加的特性是:将每个结论与产生该结论的证据绑定,包括观察到的解析结果、匹配的规则、策略版本以及验证者的身份,这样第二个独立的验证者就可以复现结果,而不是盲目信任。
Detection tells you a check ran. Provenance tells you who certified the result, what evidence supported it, and whether an independent party can reproduce it. Standardize the evidence binding, not just the payment handshake. 检测告诉你检查已经运行。溯源则告诉你谁认证了结果、什么证据支持该结果,以及第三方能否复现它。请标准化证据绑定,而不仅仅是支付握手。