The Open Worldwide Application Security Project (OWASP) has recently introduced a new standard for securely discovering AI agents. Inspired by DNS, the Agent Name Service (ANS) provides a protocol-agnostic registry mechanism that uses Public Key Infrastructure (PKI) to establish agent identity and trust.
As OWASP explains in their ANS white paper:
Agent-to-agent communication is expected to become a significant component of internet traffic, driving the need for reliable mechanisms enabling agents to discover, verify, and securely interact with one another.
Both the widely-used Domain Name Service, which maps human-readable names to network addresses, and its evolutions, like the DNS-Based Service Discovery, are not suitable for agent discovery. In fact, the organization says, they do not meet the requirements of agentic AI environments, which are dynamic, semantically rich, and security-sensitive.
Traditional service discovery, like DNS [RFC 1035, 1987], provides essential name-to-address resolution but lacks the semantic understanding and security features needed for agentic AI. DNS-SD [RFC 6763, 2013] adds local service discovery capabilities but doesn’t address verifiable identity or complex
agentCapabilitymatching on a global scale.
To address these limitations, ANS adopts DNS-like naming for discovery and establishes agent registration and renewal mechanisms. In addition, it relies on Public Key Infrastructure (PKI) for identity verification, structured JSON for communication, and supports emerging protocols in the agentic space to enable full-spectrum capabilities.
Compatible protocols include Google’s Agent2Agent, which standardizes inter-agent communication; Anthropic’s Model Context Protocol, designed to streamline model integration with tools and data sources; and IBM’s Agent Communication Protocol, which focuses on consistent agent-to-agent messaging.
The format defined in ANS for agent naming includes several components, including the protocol, the agent ID, capability, provider, version, and extension, e.g., a2a://textProcessor.DocumentTranslation.AcmeCorp.v2.1.hipaa. In addition, an ANS name can specify optional capability filters.
In a nutshell, an agent uses ANS names to discover the endpoints where other agents are listening. It sends the target agent’s ANS name to the ANS Service, which queries the Agent Registry for a matching record. If found, the target agent’s cryptographic signature and certificate are verified. If any step fails, an error is returned; otherwise, the initiating agent receives the target agent’s endpoint information.
One challenge in ANS is maintaining compatibility with a wide range of protocols, each with its own specific requirements. To address this, ANS includes a protocol adapter layer, where each external protocol, such as MCP, A2A, and others, is handled by a dedicated adapter. This design ensures low coupling and supports cross-protocol discovery, such as an A2A agent locating an agent advertising MCP tools, verifying its identity via PKI, and potentially interacting with it through a protocol gateway.
PayPal staff software engineer Akshay Mittal, in a thorough review of the new protocol, expresses his view that “ANS can progress from an intriguing draft to the default discovery fabric for autonomous software”. However, he remarks,
Realizing this vision […] will depend on coordinated action. ANS is being promoted as a public good protocol, not a proprietary product, and therefore requires transparent governance, open reference implementations, and broad industry participation.
Still in its infancy, ANS already has a prototype implementation available on GitHub, which enables agents to register, renew, deactivate, and query their status. Future work will include improving performance and scalability, using privacy-preserving cryptography like zero-knowledge proofs, formal verification, and more.
Backed by a non-profit called The OWASP Foundation, the Open Worldwide Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security.
