What Is Layer 8?

Layer 8 is the Internet’s identity layer—a conceptual extension to the Open Systems Interconnection (OSI) model that addresses authentication, authorization, and audit at the network level. Just as Layer 3 provides addressing for hosts and Layer 7 provides services for applications, Layer 8 provides identity for participants.

The OSI Model Today

The OSI model defines seven layers of network communication. Each layer solves a specific problem and builds on the layers beneath it:

| Layer | Name | Function | Example |
|---|---|---|---|
| 7 | Application | Services and APIs | HTTP, SMTP, DNS |
| 6 | Presentation | Data encoding and encryption | TLS, JPEG, ASCII |
| 5 | Session | Connection management | NetBIOS, RPC |
| 4 | Transport | End-to-end delivery | TCP, UDP |
| 3 | Network | Packet routing | IP |
| 2 | Data Link | Node-to-node transfer | Ethernet, Wi-Fi |
| 1 | Physical | Electrical signals | RS-232, RJ-45 |

These seven layers excel at moving data between machines. But they say nothing about who is sending the data, who should receive it, or whether they are authorized. That responsibility has been left to individual applications.

The Identity Gap

Layer 7 protocols were designed to exchange data, not to establish identity. HTTP can transmit an authentication token, but it cannot verify who created it. TLS can encrypt a connection, but it authenticates servers, not the people or software behind them.

The result: every application must solve identity independently.

  • Authentication is bolted on. OAuth, SAML, JWTs, API keys—each application implements its own scheme, often incompatibly.
  • Identity is siloed. Your identity on one service is meaningless to another. There is no portable proof of who you are.
  • Authorization is fragmented. Access control logic is scattered across applications, with no standard way to express or verify permissions.
  • Machines have no identity. Devices, autonomous agents, and backend services lack first-class identity—they impersonate users or rely on shared secrets.

This architectural gap has led to decades of security vulnerabilities, data breaches, and increasingly complex authentication middleware.

Introducing Layer 8

Layer 8 extends the OSI model with a new foundational capability: endogenous identity. Just as Layer 3 gave every host an IP address, Layer 8 gives every participant a globally unique, cryptographically verifiable identifier.

| Layer | Name | Function | Addressing |
|---|---|---|---|
| 8 | Identity | Authentication and Authorization | DID |
| 7 | Application | Services and APIs | URL |
| 6 | Presentation | Data encoding | |
| 5 | Session | Connection management | |
| 4 | Transport | End-to-end delivery | Port |
| 3 | Network | Packet routing | IP |
| 2 | Data Link | Node-to-node transfer | MAC |
| 1 | Physical | Electrical signals | |

Decentralized Identifiers

The addressing scheme for Layer 8 is the Decentralized Identifier (DID)—a W3C standard for globally unique, self-sovereign identifiers. A DID (e.g., did:web:example.com:alice) is to Layer 8 what an IP address is to Layer 3: the fundamental unit of addressing.

Each DID resolves to a DID Document containing public keys, service endpoints, and capabilities. This enables any party to verify the identity of a DID holder without relying on a central authority.

Agents

Layer 8 participants are called agents. An agent is a software program with its own identity, credentials, and the ability to act. Agents can represent people, organizations, devices, services, or other software. Unlike Layer 7 clients, agents are first-class network participants with cryptographically provable identity.

Peer-to-Peer Communication

Agents communicate using DIDComm—an encrypted, authenticated messaging protocol. Every message is signed by the sender and encrypted for the recipient. Identity verification is intrinsic to the protocol, not bolted on afterward.

How Layer 8 Works

Identity Resolution

When an agent needs to communicate with another agent, it resolves the target’s DID to obtain its DID Document. This document contains public keys for verifying signatures and encrypting messages, service endpoints describing how to reach the agent, and capabilities declaring what protocols the agent supports.

Resolution is decentralized. DIDs can resolve through web infrastructure, distributed ledgers, or peer-to-peer networks, depending on the DID method used.
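
As an added illustration (not code from the Layer 8 project), this Python sketch shows the web-based case for the did:web method used in the earlier example: it maps a DID to the HTTPS location of its DID Document, then checks that a fetched document actually belongs to that DID before any key in it is trusted. The function names, the character restrictions on path segments (stricter than the did:web specification) and the sample document are assumptions made for this example.

```python
import re
from urllib.parse import unquote

HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*(:\d{1,5})?")
SEGMENT_RE = re.compile(r"[A-Za-z0-9._~-]+")  # assumption: no percent-escapes in paths

def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID Document."""
    parts = did.split(":")
    if len(parts) < 3 or parts[:2] != ["did", "web"]:
        raise ValueError("not a did:web identifier")
    host = unquote(parts[2])  # a port is written as %3A inside the DID
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host in DID")
    path = parts[3:]
    for seg in path:
        # Refuse empty and dot segments so a crafted DID cannot move the lookup.
        if seg in (".", "..") or not SEGMENT_RE.fullmatch(seg):
            raise ValueError("invalid path segment in DID")
    if not path:
        return f"https://{host}/.well-known/did.json"
    return f"https://{host}/" + "/".join(path) + "/did.json"

def usable_keys(did: str, doc: dict) -> list:
    """Check the document belongs to `did`; return key ids scoped under it."""
    if doc.get("id") != did:
        raise ValueError("DID Document id does not match the resolved DID")
    prefix = did + "#"
    return [vm["id"] for vm in doc.get("verificationMethod", [])
            if str(vm.get("id", "")).startswith(prefix)]

# Constructed sample document; the key value is a placeholder, not a real key.
SAMPLE_DOC = {
    "id": "did:web:example.com:alice",
    "verificationMethod": [
        {"id": "did:web:example.com:alice#key-1",
         "type": "Ed25519VerificationKey2020",
         "controller": "did:web:example.com:alice",
         "publicKeyMultibase": "zCONSTRUCTED-PLACEHOLDER"},
        {"id": "did:web:other.example:bob#key-9",  # foreign key, filtered out
         "type": "Ed25519VerificationKey2020",
         "controller": "did:web:other.example:bob",
         "publicKeyMultibase": "zCONSTRUCTED-PLACEHOLDER"},
    ],
}

if __name__ == "__main__":
    did = "did:web:example.com:alice"
    print(did_web_to_url(did), usable_keys(did, SAMPLE_DOC))
```
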

Authentication

Layer 8 authentication is cryptographic and mutual. When one agent sends a message to another:

  1. The sender signs the message with its private key
  2. The sender encrypts the message using the recipient’s public key
  3. The recipient decrypts and verifies the signature against the sender’s DID Document

No passwords. No tokens. No certificate authorities. Both parties prove their identity through cryptographic operations tied to their DIDs.

Authorization

Layer 8 supports fine-grained authorization through verifiable credentials and capability delegation. Verifiable credentials are cryptographically signed attestations about an agent. Policies define rules that incoming requests must satisfy. Delegation allows agents to grant subsets of their authority to other agents.

Authorization decisions happen at the protocol layer, not inside application code.

Audit

Because all communication is cryptographically signed, Layer 8 enables verifiable audit trails. Agents can maintain hash-linked logs of interactions, providing cryptographic proof of what occurred between parties.
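
A minimal hash-linked log in Python, added here as an illustration and not taken from any Layer 8 implementation. It shows only the linking: each entry commits to the hash of the one before it, so an edit is detected at the changed entry, and truncation or a full rebuild is detected only when the verifier holds a head hash obtained out of band (for example, one exchanged with the peer). Per-entry signatures are omitted, and the record fields and function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed value used as "previous hash" of the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always produces the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log: list, sender: str, recipient: str, msg_sha256: str) -> str:
    """Append one interaction and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "from": sender, "to": recipient,
              "msg_sha256": msg_sha256}
    log.append({"record": record, "prev": prev,
                "hash": entry_hash(prev, record)})
    return log[-1]["hash"]

def first_bad_entry(log: list, trusted_head: str = None) -> int:
    """Return -1 if the chain verifies, else the index where it first fails.

    len(log) means the entries are self-consistent but do not end at
    trusted_head, i.e. the log was truncated or rebuilt from scratch.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        rec = entry["record"]
        if (entry["prev"] != prev or rec.get("seq") != i
                or entry["hash"] != entry_hash(prev, rec)):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)
    return -1

def sample_log():
    """Build a constructed three-entry log; returns (log, head_hash)."""
    log, head = [], GENESIS
    for n in range(3):
        digest = hashlib.sha256(f"constructed message {n}".encode()).hexdigest()
        head = append_entry(log, "did:web:example.com:alice",
                            "did:web:example.com:bob", digest)
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    print(first_bad_entry(log, head))
```
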

Relationship to Lower Layers

Layer 8 does not replace the layers beneath it—it builds on them. Agents use Layer 7 protocols (HTTP, WebSocket, databases) to accomplish tasks, while Layer 8 handles identity, authentication, and authorization.

Any entity can have a Layer 8 identity. A DID might identify a person, an organization, a device, an API, or a database. Layer 8 identity is orthogonal to the OSI layers—you can assign a DID to anything that needs authentication, authorization, or audit, regardless of where it lives in the network stack.