<?xml version="1.0" encoding="UTF-8"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     version="3"
     ipr="trust200902"
     docName="draft-bu-agentproto-security-principal-binding-01"
     category="info"
     submissionType="IETF"
     consensus="false">
  <front>
    <title abbrev="Agent Principal Binding">Security Principal and Verifier Binding for Agent Communication Protocols</title>
    <seriesInfo name="Internet-Draft" value="draft-bu-agentproto-security-principal-binding-01"/>
    <author fullname="Songbo Bu" initials="S." surname="Bu">
      <organization/>
      <address>
        <email>bluedognull@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="4"/>
    <area>Applications and Real-Time</area>
    <workgroup>Agent Communication Protocols</workgroup>
    <keyword>agent communication</keyword>
    <keyword>delegation</keyword>
    <keyword>verifier binding</keyword>
    <keyword>security principal</keyword>
    <abstract>
      <t>Agent communication protocols often carry claims about user authority,
      agent instance identity, tool or external-resource identity, delegation
      state, session continuity, and action evidence.  These claims have
      different verifiers, freshness requirements, failure modes, and security
      consequences.  If they are collapsed into a single token, identity label,
      session identifier, or audit record, protocol text can accidentally imply
      more authority or accountability than the receiver can actually verify.</t>

      <t>This document defines a verifier-facing model for separating those
      claims.  It provides a reusable matrix format that protocol authors can
      use to state, for each security-relevant claim, which field carries it,
      which party verifies it, what binding or freshness rule applies, and what
      failure behavior is required when the claim is absent, stale,
      inconsistent, or not verifiable.  The document is protocol-neutral.  It is
      intended to help compare candidate agent communication drafts and to
      provide security-considerations and requirements text for agent session
      and delegation binding.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="introduction" numbered="true">
      <name>Introduction</name>
      <t>Agent protocols are being proposed for long-lived communication among
      agents, tools, gateways, services, and human or organizational principals.
      These protocols need to express several different kinds of security
      meaning:</t>
      <ul>
        <li>who authorized the task;</li>
        <li>which live agent or runtime instance is acting;</li>
        <li>which tool, gateway, or external resource is being invoked;</li>
        <li>what authority has been delegated, by whom, and under what scope;</li>
        <li>what is bound to the current session or channel; and</li>
        <li>what evidence can later be verified about an action.</li>
      </ul>

      <t>These are not the same claim.  A valid organizational identifier does
      not by itself prove a live agent instance.  A session identifier does not
      by itself prove delegated authority.  A transparency receipt does not by
      itself prove that the action was authorized.  A tool invocation record
      does not by itself prove that the tool was within delegated scope.</t>

      <t>The purpose of this document is to make these boundaries reviewable.
      It does not define a new agent protocol, token format, audit log,
      transparency service, or authorization system.  Instead, it defines a
      claim-to-verifier discipline that other drafts can map to.</t>
    </section>

    <section anchor="conventions" numbered="true">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in BCP 14
      <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when,
      they appear in all capitals, as shown here.</t>

      <t>This document is currently intended as Informational guidance.
      Requirement language is used to make security expectations reviewable by
      protocol authors; it does not by itself define a wire protocol.</t>
    </section>

    <section anchor="terminology" numbered="true">
      <name>Terminology</name>
      <dl>
        <dt>Agent</dt>
        <dd><t>An automated software component that initiates, receives,
        mediates, or performs actions on behalf of a human, organization,
        account, workload, or policy authority.</t></dd>

        <dt>Security principal</dt>
        <dd><t>An entity whose authority, identity, state, or responsibility is
        relevant to a security decision.</t></dd>

        <dt>Claim</dt>
        <dd><t>A security-relevant statement that a protocol participant,
        credential, token, receipt, attestation, record, or external system
        asserts or carries.</t></dd>

        <dt>Carrier</dt>
        <dd><t>The protocol field, credential, record, header, receipt,
        attestation, envelope, or external reference that carries a claim.</t></dd>

        <dt>Verifier</dt>
        <dd><t>The party that evaluates a claim for a particular security
        decision.</t></dd>

        <dt>Binding</dt>
        <dd><t>The relationship between a claim and the specific state to which
        it applies, such as a session transcript, task digest, delegation chain,
        subject identifier, tool invocation, or evidence record.</t></dd>

        <dt>Freshness</dt>
        <dd><t>The replay, expiration, revocation, sequence, rotation,
        challenge, nonce, or recency rule used to determine whether a claim can
        still be relied upon.</t></dd>

        <dt>Failure behavior</dt>
        <dd><t>The required behavior when a claim is missing, stale,
        inconsistent, not verifiable, or out of scope for the decision being
        made.</t></dd>

        <dt>Layer label</dt>
        <dd><t>A descriptive label for where a verifier decision is made or
        where a claim is carried.  The label can use ordinary protocol-layer
        terminology, such as application, transport, or network, or an
        agent-native architectural taxonomy, but the vocabulary needs to be
        defined by the draft that uses it.</t></dd>

        <dt>Evidence reference</dt>
        <dd><t>A stable reference to a public test vector, example, test case,
        implementation note, interop record, issue, pull request, or other
        reviewable artifact that supports a mapping row.</t></dd>
      </dl>
    </section>

    <section anchor="problem-statement" numbered="true">
      <name>Problem Statement</name>
      <t>Agent communication drafts can become difficult to review when a single
      architectural label is used to imply several security properties.  Common
      examples include:</t>
      <ul>
        <li>treating an account, organization, or credential identifier as
        evidence that a particular live agent instance is acting;</li>
        <li>treating session continuity as evidence of delegated authority;</li>
        <li>treating tool invocation evidence as evidence that the tool
        invocation was authorized;</li>
        <li>treating an audit record or transparency receipt as proof of
        correctness, completeness, or authorization;</li>
        <li>treating a governance or reputation mechanism as a current protocol
        guarantee when the current draft does not specify the verifier,
        evidence, or failure path; and</li>
        <li>treating inherited mechanisms from other drafts as if they were
        fully specified by the draft under review.</li>
      </ul>

      <t>These ambiguities are not merely editorial.  They affect
      interoperability and security review.  Two implementations can agree on a
      field name while making different decisions about who verifies the field,
      what state the field is bound to, and what happens when the field cannot
      be validated.</t>

      <t>This document addresses that problem by requiring each
      security-relevant claim to be mapped to a carrier, verifier, verification
      rule, binding, freshness rule, layer, and failure behavior.</t>
    </section>

    <section anchor="goals" numbered="true">
      <name>Goals</name>
      <ul>
        <li>Separate security principals and security claims that are often
        conflated in agent communication protocols.</li>
        <li>Define a reusable verifier matrix for agent protocol drafts.</li>
        <li>Make delegation, session binding, freshness, replay, revocation, and
        failure behavior mechanically reviewable.</li>
        <li>Support comparison among candidate protocols without requiring them
        to share the same wire format.</li>
        <li>Provide candidate security-considerations text for agent
        communication work.</li>
        <li>Make explicit which mechanisms are specified by the current draft,
        inherited from another document, planned for future work, or only
        architectural assumptions.</li>
      </ul>
    </section>

    <section anchor="non-goals" numbered="true">
      <name>Non-Goals</name>
      <t>This document does not:</t>
      <ul>
        <li>define a new agent transport protocol;</li>
        <li>define a credential format;</li>
        <li>define a delegation-token format;</li>
        <li>define an audit-record format;</li>
        <li>define a transparency-receipt format;</li>
        <li>require any specific public key, certificate, Verifiable Credential,
        SCITT, WIMSE, OAuth, GNAP, RATS, or vLEI mechanism;</li>
        <li>decide whether any existing draft satisfies the matrix; or</li>
        <li>select a single protocol as the architectural solution for all
        claims.</li>
      </ul>
    </section>

    <section anchor="principal-model" numbered="true">
      <name>Security Principal Model</name>
      <t>The following principals commonly appear in agent communication
      designs.</t>
      <dl>
        <dt>Human or organizational authority</dt>
        <dd><t>The person, organization, role, legal entity, account, or policy
        authority on whose behalf the agent acts.</t></dd>

        <dt>Agent instance</dt>
        <dd><t>The concrete live agent, runtime, workload, or execution
        environment that participates in the protocol exchange.</t></dd>

        <dt>Agent provider or runtime provider</dt>
        <dd><t>The party that supplies, hosts, or controls an agent
        implementation or runtime environment.</t></dd>

        <dt>Tool or external resource</dt>
        <dd><t>A tool, API, service, file, database, payment endpoint, browser,
        physical device, or other resource invoked by an agent.</t></dd>

        <dt>Gateway, broker, or mediator</dt>
        <dd><t>An intermediary that translates, routes, composes, gates, or
        mediates agent interactions.</t></dd>

        <dt>Delegator</dt>
        <dd><t>The party that grants authority to another party or agent.</t></dd>

        <dt>Delegatee</dt>
        <dd><t>The party or agent that receives attenuated authority.</t></dd>

        <dt>Verifier or relying party</dt>
        <dd><t>The party that decides whether a claim is sufficient for a
        specific protocol action.</t></dd>

        <dt>Evidence consumer</dt>
        <dd><t>A party that later reviews, audits, composes, or relies on
        evidence of an action.</t></dd>
      </dl>

      <t>A protocol can use one credential, key, session, or record to carry
      more than one claim, but the draft needs to identify each claim
      separately.  Reusing a carrier does not make the claims equivalent.</t>

      <t>Workload identity documents, such as the WIMSE architecture
      <xref target="I-D.ietf-wimse-arch"/> and workload identity practices
      <xref target="I-D.ietf-wimse-workload-identity-practices"/>, are useful
      examples of why an instance, workload, or execution environment claim
      should be separated from human or organizational authority and from
      delegated task scope.</t>
    </section>

    <section anchor="registry" numbered="true">
      <name>Claim Classes and Initial Claim Registry</name>
      <t>A draft SHOULD identify which of the following claim classes it carries
      or depends on.  The identifiers below are provisional and are intended to
      make early review concrete.</t>
      <table anchor="claim-registry">
        <name>Initial Claim Registry</name>
        <thead>
          <tr>
            <th>ID</th>
            <th>Claim Class</th>
            <th>Review Question</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td>C-001</td>
            <td>Instance identity</td>
            <td>Which live agent, runtime, workload, endpoint, or process is acting now?</td>
          </tr>
          <tr>
            <td>C-002</td>
            <td>Human or organizational authority</td>
            <td>Who authorized the task, policy, role, or delegation?</td>
          </tr>
          <tr>
            <td>C-003</td>
            <td>Delegated scope</td>
            <td>What authority has been delegated, by whom, to whom, under what scope and attenuation?</td>
          </tr>
          <tr>
            <td>C-004</td>
            <td>Session continuity</td>
            <td>What state is bound to the current channel, connection, long-lived session, or task?</td>
          </tr>
          <tr>
            <td>C-005</td>
            <td>Action evidence</td>
            <td>What action was requested, attempted, completed, blocked, or failed?</td>
          </tr>
          <tr>
            <td>C-006</td>
            <td>Tool or resource identity</td>
            <td>Which external resource is being invoked or affected?</td>
          </tr>
          <tr>
            <td>C-007</td>
            <td>Evidence provenance</td>
            <td>What evidence, signature, receipt, attestation, log entry, or record supports an action or decision?</td>
          </tr>
          <tr>
            <td>C-008</td>
            <td>Freshness or revocation</td>
            <td>Is the authority, delegation, instance state, tool binding, or session state still current?</td>
          </tr>
          <tr>
            <td>C-009</td>
            <td>Failure handling</td>
            <td>What happens when the verifier cannot validate the claim for the requested action?</td>
          </tr>
          <tr>
            <td>C-010</td>
            <td>Composition boundary</td>
            <td>Which claims are preserved, transformed, or lost when agents, gateways, receipts, or tools are composed?</td>
          </tr>
        </tbody>
      </table>

      <t>The registry is intentionally claim-oriented rather than
      protocol-oriented.  More than one candidate protocol can map to the same
      claim, and a protocol can map to only a subset of the registry.</t>
    </section>

    <section anchor="matrix" numbered="true">
      <name>Verifier Matrix</name>
      <t>For each security-relevant claim, a protocol draft SHOULD provide a
      row with the following fields.</t>
      <dl>
        <dt>Claim ID</dt>
        <dd><t>The registry identifier for the claim being mapped.</t></dd>

        <dt>Claim</dt>
        <dd><t>The precise security statement being made.</t></dd>

        <dt>Carrier</dt>
        <dd><t>The protocol field, token, credential, record, header, receipt,
        attestation, or out-of-band reference that carries the claim.</t></dd>

        <dt>Verifier</dt>
        <dd><t>The party that validates the claim.</t></dd>

        <dt>Verification rule</dt>
        <dd><t>The check performed by the verifier.</t></dd>

        <dt>Layer</dt>
        <dd><t>The protocol layer or architectural review dimension associated
        with the row.  This field is descriptive.  It does not impose a fixed
        layer taxonomy on every protocol, and it does not require a protocol to
        spread claims across different layers.</t></dd>

        <dt>Binding</dt>
        <dd><t>The other state to which the claim is bound, such as a session
        identifier, TLS exporter, action digest, delegation chain, subject
        identifier, or tool invocation.</t></dd>

        <dt>Freshness</dt>
        <dd><t>The replay, expiration, revocation, rotation, sequence, or
        recency rule.</t></dd>

        <dt>Failure behavior</dt>
        <dd><t>The required behavior when the claim is missing, stale,
        inconsistent, or not verifiable.</t></dd>

        <dt>Implementation status</dt>
        <dd><t>Whether the row is implemented, not implemented, partially
        implemented, or externally implemented.</t></dd>

        <dt>Specification status</dt>
        <dd><t>Whether the row is specified in the current draft, planned for a
        later revision, inherited from another document, or an architectural
        assumption.</t></dd>

        <dt>External dependency</dt>
        <dd><t>The external draft, standard, service, governance process,
        transparency log, authorization system, attestation system, registry, or
        operational practice on which the row depends.</t></dd>

        <dt>Evidence reference</dt>
        <dd><t>An optional reference to a public test vector, example, test
        case, implementation artifact, interop note, issue, pull request, or
        other stable evidence that makes the row checkable.</t></dd>
      </dl>
    </section>

    <section anchor="review-rules" numbered="true">
      <name>Matrix Review Rules</name>
      <t>The matrix is intended to make review strict enough that a draft cannot
      obtain a security property merely by naming an adjacent mechanism.  The
      following rules apply to a verifier matrix.</t>
      <ol>
        <li>A carrier does not imply a claim unless the claim is explicitly
        stated.</li>
        <li>A claim does not imply a verifier unless the verifier is identified
        for the decision being made.</li>
        <li>A verifier decision is not complete unless the binding and freshness
        rule are stated.</li>
        <li>An inherited mechanism is not a current protocol guarantee unless
        the dependency and failure behavior are stated.</li>
        <li>A receipt, log entry, or audit record proves only the statement it
        records; it does not automatically prove authorization, completeness, or
        correct execution.</li>
        <li>A row that is marked as planned, inherited, partial, or assumption
        MUST NOT be used as evidence that the current draft fully specifies the
        corresponding security property.</li>
        <li>A layer label is not itself a security property.  It helps reviewers
        locate where a claim is carried or verified, but the security property
        still depends on the carrier, verifier, binding, freshness rule, and
        failure behavior.</li>
        <li>An evidence reference is not required for every early row, but when
        one is present it needs to support the specific verifier decision
        described by the row.</li>
      </ol>
    </section>

    <section anchor="layer-vocabulary" numbered="true">
      <name>Layer Vocabulary</name>
      <t>The Layer field needs to be explicit because candidate agent
      communication drafts do not all use the same architectural model.  A
      draft MAY use conventional protocol-layer language, such as application,
      transport, and network, when that is the clearest description of where
      the relevant carrier or verifier behavior sits.</t>

      <t>A draft MAY instead use an agent-native architectural taxonomy, such as
      substrate, composition, application, governance, or audit.  If it does so,
      the draft needs to define that taxonomy and explain how the labels are
      used.  For example, a "governance" label might be useful for review when
      a claim depends on a policy, registry, reputation process, slashing
      process, or administrative authority; however, that label is not a
      protocol layer unless the draft defines it as one.</t>

      <t>The Layer field is open-ended per row.  A protocol can place all of its
      relevant carriers or verifier behavior at the transport layer if that is
      how the protocol is designed.  Conversely, a protocol can use an
      architectural label when the verifier decision depends on composition,
      audit, or governance behavior outside the transport exchange.  The matrix
      does not require either vocabulary; it requires the chosen vocabulary to
      be explicit.</t>
    </section>

    <section anchor="two-level-model" numbered="true">
      <name>Two-Level Matrix Model</name>
      <t>The matrix can be maintained as two linked tables.</t>
      <t>The first table is a claim registry for AGENTPROTO review.  It assigns
      stable identifiers to security claims or requirements, without selecting
      one protocol as the general solution for every row.  Each row can name one
      or more candidate protocols that map to that claim.</t>

      <table anchor="two-level-claim-registry">
        <name>Example Claim Registry Rows</name>
        <thead>
          <tr>
            <th>ID</th>
            <th>Claim or Requirement</th>
            <th>Candidate Protocol Mapping</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td>C-001</td>
            <td>Agent or workload instance identity</td>
            <td>AGTP, IACP, WIMSE profile, or another candidate</td>
          </tr>
          <tr>
            <td>C-002</td>
            <td>Human or organizational authority</td>
            <td>vLEI, OAuth, GNAP, authorization receipt, or another candidate</td>
          </tr>
          <tr>
            <td>C-003</td>
            <td>Delegated scope</td>
            <td>Delegation chain, delegation receipt, or capability profile</td>
          </tr>
          <tr>
            <td>C-004</td>
            <td>Session continuity</td>
            <td>Protocol session state, transport binding, or migration profile</td>
          </tr>
          <tr>
            <td>C-005</td>
            <td>Action evidence</td>
            <td>Audit receipt, capsule, transparency statement, or evidence graph</td>
          </tr>
        </tbody>
      </table>

      <t>The second table is a protocol mapping table.  Each candidate draft
      provides one table for the claims it carries or depends on.  This prevents
      a protocol from being treated as a complete architecture merely because it
      covers one claim well, and it lets the working group compare drafts row by
      row.</t>

      <t>A protocol mapping row records the claim ID, claim text, carrier,
      verifier, verification rule, binding, freshness rule, layer label, failure
      behavior, implementation status, specification status, and any external
      dependency.  For example, an instance-identity row might state that the
      carrier is a protocol field, the verifier is the peer, the binding is the
      handshake transcript, freshness is supplied by a nonce or epoch, and the
      failure behavior is connection rejection.</t>

      <t>The claim registry is not a conformance target by itself.  The protocol
      mapping table is the review surface: it states what the draft actually
      specifies, what is implemented, what is inherited from another component,
      what remains an architectural assumption, and what evidence or test vector
      can be used to check the row.</t>
    </section>

    <section anchor="status-values" numbered="true">
      <name>Status Value Semantics</name>
      <t>The implementation and specification status fields are security
      relevant.  They prevent an author, implementer, or reviewer from treating
      an intended mechanism as a current protocol guarantee.</t>
      <dl>
        <dt>specified</dt>
        <dd><t>The current draft contains enough protocol text for an
        independent implementer to identify the carrier, verifier, binding,
        freshness rule, and failure behavior.</t></dd>

        <dt>implemented</dt>
        <dd><t>At least one implementation performs the verification behavior
        described by the row.  The row SHOULD identify whether that evidence is
        source-level, unit-level, local-harness, interop, or deployment
        evidence.  If a public test vector or reproducible artifact exists, the
        row SHOULD include an evidence reference.</t></dd>

        <dt>partial</dt>
        <dd><t>The draft or implementation covers part of the row, but at least
        one of the carrier, verifier, binding, freshness rule, or failure
        behavior is incomplete.</t></dd>

        <dt>inherited</dt>
        <dd><t>The row depends on another specification or system.  The
        dependency needs to be identified, and the draft needs to state what
        happens if the dependency is absent or not trusted.  An inherited row is
        not complete if it merely names another document; it also needs to
        identify the inherited verifier, binding, freshness rule, and failure
        behavior or state that they are outside the current draft's scope.</t></dd>

        <dt>planned</dt>
        <dd><t>The row is intended for a later revision and MUST NOT be treated
        as a current security guarantee.</t></dd>

        <dt>assumption</dt>
        <dd><t>The row depends on architecture, deployment, governance, or
        operational behavior that the draft does not specify.</t></dd>
      </dl>
    </section>

    <section anchor="mapping-template" numbered="true">
      <name>Protocol Mapping Template</name>
      <t>Candidate protocol drafts can use the following compact template in a
      Security Considerations section, appendix, or companion document.</t>
      <table anchor="protocol-mapping-template-fields">
        <name>Protocol Mapping Template Fields</name>
        <thead>
          <tr>
            <th>Field</th>
            <th>Description</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td>ID</td>
            <td>The claim identifier from the registry.</td>
          </tr>
          <tr>
            <td>Claim</td>
            <td>The precise statement being asserted or depended upon.</td>
          </tr>
          <tr>
            <td>Carrier</td>
            <td>The protocol field, credential, token, receipt, attestation,
            envelope, or external reference that carries the claim.</td>
          </tr>
          <tr>
            <td>Verifier and verification rule</td>
            <td>The party that performs the check and the rule it applies.</td>
          </tr>
          <tr>
            <td>Binding and freshness</td>
            <td>The state to which the claim is bound and the replay,
            revocation, expiration, sequence, nonce, or recency rule.</td>
          </tr>
          <tr>
            <td>Layer</td>
            <td>The protocol layer or architectural review dimension used by
            the draft for this row.</td>
          </tr>
          <tr>
            <td>Failure behavior</td>
            <td>The behavior when the claim is absent, stale, inconsistent, or
            not verifiable.</td>
          </tr>
          <tr>
            <td>Implementation status</td>
            <td>One of implemented, partial, none, or externally implemented.</td>
          </tr>
          <tr>
            <td>Specification status</td>
            <td>One of specified, planned, inherited, or assumption.</td>
          </tr>
          <tr>
            <td>Dependency</td>
            <td>The external document, system, service, registry, or
            operational process on which the row depends, if any.</td>
          </tr>
          <tr>
            <td>Evidence reference</td>
            <td>A stable public pointer to the test vector, example, test case,
            implementation artifact, interop record, issue, or pull request
            that supports the row, if available.</td>
          </tr>
        </tbody>
      </table>

      <t>When a draft does not carry a claim, the corresponding row MAY be
      omitted.  If the draft relies on the claim for a security decision, the
      row SHOULD NOT be omitted; it should instead state the dependency or
      assumption explicitly.</t>
    </section>

    <section anchor="evidence-references" numbered="true">
      <name>Evidence and Test Vector References</name>
      <t>A verifier matrix becomes more useful when its rows are checkable
      rather than only asserted.  A row therefore MAY include an evidence
      reference.  The reference can point to a public test vector, example,
      conformance test, implementation test, interop note, issue, pull request,
      or other stable artifact.</t>

      <t>An evidence reference does not need to prove that a protocol is
      complete.  It needs to support the specific row.  For example, a test
      vector for session replay resistance supports a freshness or binding row;
      it does not by itself prove delegated authority.  A receipt verification
      example supports an evidence-carrier row; it does not by itself prove that
      the recorded action was authorized.</t>

      <t>When evidence is implementation-related, the row SHOULD distinguish the
      evidence type.  Useful categories include source-level evidence,
      unit-level evidence, local-harness evidence, cross-implementation interop
      evidence, and deployment evidence.  This distinction prevents a draft from
      treating a local unit test, public interop vector, and deployment signal
      as equivalent.</t>

      <t>A useful evidence reference is row-specific.  It identifies the input
      object, the canonicalization or serialization rule when bytes are compared,
      the verifier decision being tested, the expected positive result, and at
      least one negative case that fails for the same row.  If the evidence
      depends on a private deployment or non-public implementation, the row
      should say so instead of treating the evidence as publicly reproducible.</t>
    </section>

    <section anchor="inheritance-targets" numbered="true">
      <name>Inheritance Targets and Artifact-Layer Mechanisms</name>
      <t>Some mechanisms used by agent communication protocols are not
      communication protocols themselves.  For example, an authorization
      receipt, transparency statement, action-evidence graph, revocation
      statement, or attestation result can be an artifact-layer mechanism that
      is carried by, referenced by, or bound to a communication exchange.</t>

      <t>Such a mechanism can be a valid inheritance target for a protocol
      mapping row.  If a draft marks a row as inherited, the row SHOULD identify
      the inherited mechanism and the decision state it supplies.  The row
      should state the inherited verifier, carrier, binding, freshness rule,
      failure behavior, and evidence reference when available.</t>

      <t>Marking a row as inherited is preferable to silently implying a
      guarantee.  It allows a communication protocol to stay focused on its
      transport or session design while still making authority, action evidence,
      revocation, or audit dependencies visible to reviewers.</t>
    </section>

    <section anchor="worked-example" numbered="true">
      <name>Protocol-Neutral Worked Example</name>
      <t>The following example is deliberately protocol-neutral.  It is not a
      complete mapping for AGTP <xref target="I-D.hood-independent-agtp"/>,
      IACP <xref target="I-D.gebauer-iacp"/>, WIMSE
      <xref target="I-D.ietf-wimse-arch"/>, or any other candidate draft.</t>

      <dl>
        <dt>C-002: user or organization authorized the task</dt>
        <dd><t>Possible carriers include a role credential, account policy,
        vLEI, OAuth token, GNAP grant <xref target="RFC9635"/>, or equivalent.
        The verifier is the receiving agent or policy verifier.  The claim is
        bound to the task, scope, subject, and resource.  Freshness comes from
        token lifetime, revocation, or policy version.  Failure behavior is
        rejection or fresh authorization.</t></dd>

        <dt>C-001: live agent instance is acting</dt>
        <dd><t>Possible carriers include channel authentication, an agent
        credential, attestation, or a protected key.  The verifier is a peer,
        gateway, or relying party.  The claim is bound to a session or channel
        transcript.  Freshness comes from handshake freshness or attestation
        recency.  Failure behavior is session rejection or capability
        downgrade.</t></dd>

        <dt>C-003: delegation is in scope</dt>
        <dd><t>Possible carriers include a delegation token or chain.  The
        verifier is the recipient or gateway.  The claim is bound to the
        delegator, delegatee, action class, and resource.  Freshness comes from
        expiry, revocation, or attenuation version.  Failure behavior is
        rejection of the delegated action.</t></dd>

        <dt>C-006: tool invocation is in scope</dt>
        <dd><t>Possible carriers include a tool call envelope or capability
        reference.  The verifier is the tool gateway or policy engine.  The
        claim is bound to delegated scope and tool identity.  Freshness comes
        from a per-call nonce, session binding, or sequence.  Failure behavior
        is denial of the invocation and failure recording if audit is
        claimed.</t></dd>

        <dt>C-005: action evidence refers to the same action</dt>
        <dd><t>Possible carriers include an action digest, receipt, capsule, or
        audit record.  The verifier is the profile verifier or composition
        verifier.  The claim is bound to the canonical action input and native
        record.  Freshness comes from digest context version and receipt policy.
        Failure behavior is refusal to compose the records as evidence of the
        same action.</t></dd>
      </dl>
    </section>

    <section anchor="negative-tests" numbered="true">
      <name>Negative Test Cases</name>
      <t>Protocol authors SHOULD consider negative tests for each row in the
      verifier matrix.  The following cases are intended as examples.</t>
      <dl>
        <dt>Stale delegation</dt>
        <dd><t>A delegation token or chain is structurally valid but expired,
        revoked, or superseded.  The verifier rejects the delegated action or
        requests fresh authorization.</t></dd>

        <dt>Unbound tool invocation</dt>
        <dd><t>A tool call envelope is valid, but the envelope is not bound to
        the delegation scope, resource identifier, or session state used for the
        decision.  The tool invocation is denied.</t></dd>

        <dt>Replay across sessions</dt>
        <dd><t>A claim or receipt from one session is replayed in another
        session.  The verifier detects that the claim is not bound to the
        current session transcript, nonce, exporter, or equivalent channel
        state.</t></dd>

        <dt>Mismatched action evidence</dt>
        <dd><t>A receipt, log entry, capsule, or evidence record refers to a
        different action digest, input, resource, or policy version than the
        action being reviewed.  The records are not composed as evidence of the
        same action.</t></dd>

        <dt>Inherited mechanism absent</dt>
        <dd><t>A draft states that another component supplies authorization,
        attestation, or evidence, but does not identify the dependency or the
        failure behavior when the dependency is unavailable.  The row is marked
        as inherited or assumption, not as a current protocol guarantee.</t></dd>
      </dl>
    </section>

    <section anchor="candidate-guidance" numbered="true">
      <name>Guidance for Candidate Protocol Drafts</name>
      <t>A candidate agent communication draft can use this document in three
      ways.</t>
      <ol>
        <li>It can include a verifier matrix in its Security Considerations
        section.</li>
        <li>It can publish a companion mapping document that maps its protocol
        fields to the claim registry.</li>
        <li>It can state that a claim is intentionally out of scope, inherited
        from another document, or left to deployment policy.</li>
        <li>It can link public vectors or evidence references for rows that have
        executable or reproducible evidence.</li>
      </ol>

      <t>A draft that takes the third path remains reviewable if it identifies
      the dependency and failure behavior.  The main review problem is not that
      a protocol omits a claim; the problem is when a protocol relies on a claim
      while leaving the verifier, binding, freshness rule, or failure behavior
      implicit.</t>
    </section>

    <section anchor="current-draft-vs-future" numbered="true">
      <name>Current-Draft Versus Future Mechanism</name>
      <t>When a draft supplies a verifier matrix, it SHOULD distinguish:</t>
      <ul>
        <li>mechanisms implemented or normatively specified in the current
        draft;</li>
        <li>mechanisms described as future work;</li>
        <li>mechanisms inherited from another draft or external system; and</li>
        <li>mechanisms that are architectural assumptions rather than protocol
        checks.</li>
      </ul>

      <t>This distinction is important for review.  A row that depends on a
      future reputation system, slashing process, governance committee, or
      external log can still be useful, but it should not be presented as a
      current protocol guarantee.</t>
    </section>

    <section anchor="security-considerations" numbered="true">
      <name>Security Considerations</name>
      <t>An agent communication protocol MUST NOT rely on a single identifier,
      token, session handle, log entry, or credential to imply multiple security
      properties unless the draft explicitly specifies the verification rule for
      each property.</t>
      <t>In particular:</t>
      <ul>
        <li>authority and live-instance identity need separate validation;</li>
        <li>possession of a session key does not by itself prove delegation
        scope;</li>
        <li>a delegation chain does not by itself prove current session
        continuity;</li>
        <li>a tool call does not by itself prove that the tool was within
        delegated authority;</li>
        <li>an audit log or transparency receipt does not by itself prove
        authorization, truth, completeness, or correct execution; and</li>
        <li>an architectural label such as "identity at the wire" should be
        mapped to concrete protocol checks.</li>
      </ul>

      <t>If a claim is required for a security decision and the verifier cannot
      validate that claim, the protocol MUST specify whether the action is
      rejected, downgraded, quarantined, delayed for additional authorization,
      or allowed with a recorded warning.  Silent acceptance is not an
      acceptable default for a security-relevant claim.</t>

      <t>Protocol authors should also consider cross-protocol composition.  A
      claim that is valid in one protocol context might lose its security
      meaning when it is copied into a receipt, gateway envelope, audit record,
      or delegated session without preserving the binding and freshness state
      needed by the verifier.</t>

      <t>Where attestation evidence is used, this document follows the RATS
      distinction among claims, evidence, appraisal, and relying-party decisions
      described in <xref target="RFC9334"/>.  Where transparency services or
      signed-statement receipts are used, this document treats those receipts as
      evidence carriers and not as automatic proof of authorization or correct
      execution; see the SCITT architecture in <xref target="RFC9943"/>.</t>
    </section>

    <section anchor="privacy-considerations" numbered="true">
      <name>Privacy Considerations</name>
      <t>Verifier-facing matrices can expose privacy-relevant design choices.  A
      draft that binds actions to human authority, organizational identifiers,
      tool invocations, or long-lived sessions should state whether the binding
      creates linkability across actions, sessions, deployments, or
      administrative domains.</t>

      <t>Drafts should avoid requiring globally linkable identifiers unless the
      security property being claimed requires them.  Where possible, a matrix
      row should state whether the verifier needs a stable identifier, a
      pairwise identifier, a role or capability assertion, a freshness proof, or
      only evidence that a locally authorized policy decision was made.</t>
    </section>

    <section anchor="iana-considerations" numbered="true">
      <name>IANA Considerations</name>
      <t>This document makes no IANA requests.</t>
      <t>If later versions define a reusable registry of claim identifiers,
      verifier matrix fields, or protocol mapping status values, that registry
      will need a separate IANA considerations section.</t>
    </section>

    <section anchor="initial-application" numbered="true">
      <name>Initial Application to AGENTPROTO Discussion</name>
      <t>The AGTP <xref target="I-D.hood-independent-agtp"/> and IACP
      <xref target="I-D.gebauer-iacp"/> discussion threads provide useful early
      examples.</t>

      <t>AGTP appears to expose candidate carriers for authority, agent identity,
      delegation, session state, composition-layer tool identity, and audit
      evidence.  The next useful step is to turn those carriers into a matrix
      that states who verifies each claim and what failure behavior applies.</t>

      <t>IACP has already been sketched by its author as a verifier-facing
      matrix.  For reviewability, the useful next step is to separate rows that
      are currently in draft-gebauer-iacp-01 from rows that are future work or
      depend on governance systems not yet specified in the current I-D.</t>

      <t>Both mappings can help converge a shared requirements note without
      requiring either protocol to adopt the other's wire format.</t>
    </section>

    <section anchor="open-issues" numbered="true">
      <name>Open Issues</name>
      <ul>
        <li>Should the matrix be a requirements document, a
        security-considerations companion, or a section to be imported by
        candidate protocol drafts?</li>
        <li>What is the minimal set of mandatory claim classes for
        AGENTPROTO?</li>
        <li>Should the matrix define conformance language, or remain an
        Informational review aid?</li>
        <li>Should a shared repository hold the claim registry and protocol
        mapping tables before the Internet-Draft is posted, or should the
        initial I-D define the table format first?</li>
        <li>How should action evidence be bound to delegation and session state
        without forcing a single audit-record format?</li>
        <li>Which negative test cases should protocol authors provide for stale
        delegation, replayed sessions, unbound tool calls, and mismatched
        evidence?</li>
        <li>Should privacy and linkability expectations be part of the same
        matrix, or a separate privacy considerations profile?</li>
        <li>Should the claim matrix repository require an optional evidence
        reference field from the beginning, or add it after the initial claim IDs
        are stable?</li>
      </ul>
    </section>

    <section anchor="acknowledgments" numbered="true">
      <name>Acknowledgments</name>
      <t>The author thanks Leonard Gebauer for proposing a two-level
      claim-registry and per-protocol mapping-table structure and for providing
      IACP-oriented mapping examples; Chris Hood for clarifying open-ended layer
      vocabulary and AGTP transport-layer mapping considerations; and Iman
      Schrock for proposing evidence-backed mapping rows and inheritance-target
      framing for artifact-layer mechanisms.  The author also thanks
      participants on the AGENTPROTO mailing list for discussion of
      security-principal separation, verifier-facing review matrices, protocol
      comparison, and claim-level coordination among candidate drafts.
      Acknowledgment does not imply endorsement of this document or of any
      particular protocol mapping.</t>
    </section>
  </middle>

  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
      </references>

      <references>
        <name>Informative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9334.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9635.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9943.xml"/>

        <reference anchor="I-D.ietf-wimse-arch" target="https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="IETF WIMSE Working Group"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch"/>
        </reference>

        <reference anchor="I-D.ietf-wimse-workload-identity-practices" target="https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-practices/">
          <front>
            <title>Workload Identity Practices</title>
            <author fullname="IETF WIMSE Working Group"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-identity-practices"/>
        </reference>

        <reference anchor="I-D.hood-independent-agtp" target="https://datatracker.ietf.org/doc/draft-hood-independent-agtp/">
          <front>
            <title>Agent Transfer Protocol (AGTP)</title>
            <author fullname="Chris Hood" initials="C." surname="Hood"/>
            <date year="2026" month="June" day="28"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-hood-independent-agtp-09"/>
        </reference>

        <reference anchor="I-D.gebauer-iacp" target="https://datatracker.ietf.org/doc/draft-gebauer-iacp/">
          <front>
            <title>Internet Agent Communication Protocol</title>
            <author fullname="Leonard Gebauer" initials="L." surname="Gebauer"/>
            <date year="2026" month="June" day="29"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-gebauer-iacp-01"/>
        </reference>
      </references>
    </references>
  </back>
</rfc>
