[Rats] Re: [agent2agent] Re: New draft on AI Agent Auditing and proposed BoF/WG charter

toshiyuki sato <tomsato@myauberge.jp> Fri, 22 May 2026 12:34 UTC

From: toshiyuki sato <tomsato@myauberge.jp>
Date: Fri, 22 May 2026 21:34:28 +0900
To: Henk Birkholz <henk.birkholz@ietf.contact>, "rats@ietf.org" <rats@ietf.org>
CC: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, Thomas Fossati <thomas.fossati@linaro.org>
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/fXty8re4OmQ_t46sy3I9amTAY4o>

Henk, all,

Thank you for cross-posting the AUDIT charter. I want to flag a specific
composition point with existing RATS building blocks that may be relevant
to the AUDIT scope discussion.

draft-sato-soos-gar-00 (Governance Audit Record) defines a
kernel-generated, kernel-signed audit layer for agentic AI governance.
GAR's Session Audit Record (SAR) is structurally an Attestation Result in
the ar4si sense: it carries evidence of governance execution —
authorization state transitions, human oversight decisions, prohibition
enforcement events, and pre-action intent commitments — that a Relying
Party such as a regulator or national AI safety institute can evaluate
against a known governance policy.

Two specific RATS composition points:

1. ar4si (draft-ietf-rats-ar4si). The SAR is a candidate ar4si Attestation
Result profile for governance execution. The kernel acts as the Attester;
the SAR carries the Evidence; the Relying Party (Verified External Auditor
in GAR terminology) evaluates the SAR against the governance policy the
agent was bound to. The non-suppressibility property — the kernel generates
and signs the SAR independently of the agent and operator — maps directly
to the ar4si attester trustworthiness model: the Attesting Environment is
separate from the target of evaluation.

2. Epoch Markers (draft-ietf-rats-epoch-markers). GAR Type 4 audits are
scheduled cross-session pattern audits that require correlating SARs across
multiple sessions and administrative domains. Epoch Markers provide exactly
the shared freshness anchor needed to make cross-session SAR correlation
verifiable without requiring synchronized clocks across domains. This is a
direct composition use case for Epoch Markers in the agentic governance
context.

The broader AUDIT charter question — how to ensure a compromised agent
cannot forge or drop its own audit trail — is where the RATS attestation
stack provides the answer. GAR's kernel attestation model requires that the
Governance Kernel run in an attested execution environment; the kernel's
signing key is bound to that environment via RATS attestation. Thomas Howe
described three independent defenses against audit forgery on the
agent2agent list; RATS attestation binding is the third and strongest layer.

draft-sato-soos-gar-00:
https://datatracker.ietf.org/doc/draft-sato-soos-gar/

The companion drafts that compose with GAR normatively:
draft-sato-soos-idp-01:
https://datatracker.ietf.org/doc/draft-sato-soos-idp/
draft-sato-soos-hem-01:
https://datatracker.ietf.org/doc/draft-sato-soos-hem/
draft-sato-soos-cap-00:
https://datatracker.ietf.org/doc/draft-sato-soos-cap/

Happy to discuss the ar4si profile mapping in more detail if that would be
useful ahead of Vienna.

Tom Sato
CEO, MyAuberge K.K. /
Chino, Nagano, Japan
tomsato@myauberge.jp

On Wed, 20 May 2026 at 20:14, Henk Birkholz <henk.birkholz@ietf.contact> wrote:

> Dear Rodent Enthusiasts,
>
> on the agent2agent email list, Thomas highlighted that we should share
> the charter draft for the AUDIT WG BoF proposal with aligned WGs.
>
> AUDIT: Agent Use of Delegation and Interaction Traceability
>
> On 20.05.26 09:48, Thomas Fossati wrote:
> > 2. There seems to be quite a lot of overlap with WIMSE, OAUTH, SCITT,
> > RATS -- at least, which is both good and bad.  To minimise the risk of
> > overlap, conflict, et cetera, I suggest you make the proposal visible
> > to these groups (if you haven't already done it).  I understand it may
> > be a bit too early to properly engage, but a quick heads-up would not
> > hurt (_maybe_).
>
> Mirja just sent a sharable copy of the charter text to the agent2agent
> list. Please let me repost it to RATS for your convenience and awareness
> (as this proposed charter text makes use of the authenticity assurances
> RATS building blocks create). Please have a look!
>
> Either in:
>
>
> https://mailarchive.ietf.org/arch/msg/agent2agent/QHFRoQ5g8S7FvoN_Bz6olgx1hn4
>
> or verbatim below.
>
>
> Kind regards,
>
> Mirja & Henk
>
>
> On 20.05.26 12:35, Mirja Kuehlewind (IETF) wrote:
> > Hi all,
> >
> > To make it easier to comment on the proposed charter text directly, I thought I'd send another mail with the text directly imbedded. Again any quick comments or expressions of interest before Friday are very welcome, so we can decide on Friday if we want to put a preliminary BoF request in!
> >
> > Here is the initial draft for the proposed charter text:
> >
> > —————
> > # Agent Use of Delegation and Interaction Traceability (AUDIT) Working Group Charter
> >
> > Autonomous and semi-autonomous software agents, including those based on artificial intelligence (AI), are increasingly deployed to act on behalf of users, organizations, and services across the Internet. These agents interact across multiple administrative or trust domains and can initiate actions without direct human oversight at each step.
> >
> > This introduces challenges for auditability, accountability, and transparency, including:
> >
> > * Difficulty attributing actions to a specific user, agent instance, or delegation context
> > * Loss of visibility across long-running or distributed workflows
> > * Inconsistent capture of delegation relationships, authorization context, and identity transitions
> > * Cross-domain interactions lack interoperable means to exchange or verify audit-relevant information about the participating agents and their interactions
> >
> > AI agents participate in two distinct classes of interactions that must be audited:
> >
> > * User-facing interactions, such as prompts, conversations, and approvals, capturing user intent and human-in-the-loop decisions
> > * System-facing interactions, such as API calls, tool usage, and delegation to other agents or services
> >
> > Effective auditing requires linking user intent to resulting system actions across protocol and administrative boundaries. While traditional workflows support evolving authorization, these transitions are usually explicit and predefined. AI agent systems introduce dynamic, fine-grained authorization changes that arise during execution, driven by agent decisions, delegation, and human interaction. Auditing must therefore capture authorization as a time-evolving state and correlate these transitions across interactions and domains.
> >
> > Additionally, AI agent behavior may be non-deterministic and not fully predefined, requiring auditing mechanisms to capture execution context and structure as they emerge. Auditing must also distinguish between user, agent, and service identities, and ensure audit data remains interpretable across systems without shared assumptions.
> >
> > ## Scope and Goals
> >
> > The AUDIT working group will define interoperable mechanisms for auditing and accountability of AI agents and delegated systems across Internet protocols.
> >
> > The group will focus on architectures, protocol-layer specifications, and data representations that enable systems to record, exchange, and verify audit-relevant information across user-facing and system-facing interactions. This includes capturing delegation chains, evolving authorization state, and enabling consistent interpretation and correlation of audit data across domains.
> >
> > The working group will not define auditing policies or compliance frameworks, but instead provide the technical building blocks needed to support them.
> >
> > ## Deliverables
> >
> > The AUDIT working group is expected to produce:
> >
> > 1. Architecture for AI Agent Auditing
> > An Informational RFC describing roles, trust relationships, and data flows for interoperable auditing, including the relationship between user-facing and system-facing audit signals.
> >
> > 2. Audit Data Models and Semantics
> > One or more Standards Track RFCs defining data models for representing audit information, including interaction records, agent identity, delegation context, authorization state over time, and action provenance.
> >
> > 3. Protocol Extensions or Profiles
> > One or more Standards Track RFCs specifying extensions to existing IETF protocols (e.g., HTTP, OAuth, or token formats) to convey audit-related information.
> >
> > 4. Best Practices for Deployment and Operation
> > An Informational or BCP document providing guidance for secure, interoperable, and privacy-aware auditing, including correlation across interaction types.
> > —————
> >
> > Again here is also the link to the charter text on github: https://github.com/mirjak/draft-audit-architecture/blob/main/audit-charter.md
> >
> > And the architecture draft as reference: https://www.ietf.org/archive/id/draft-kuehlewind-audit-architecture-00.html
> > -> The draft provides further details and also has four brief example use cases.
> >
> > This is all early work, so any feedback is more than welcome!
> >
> > Mirja & Henk


-- 

Tom Sato
佐藤俊之
Representative Director and CEO
MyAuberge K.K.
090-6315-1325
tomsato@myauberge.jp
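
Added example, not part of the original message or of any draft it cites: a sketch of the cross-session correlation described in point 2 of the message, where SARs from two domains with unsynchronized clocks are grouped by a shared epoch marker once the kernel signature has been checked. The record fields, the key names and the use of HMAC-SHA256 in place of real asymmetric signatures are assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed keys. HMAC-SHA256 stands in here for the asymmetric signatures
# a real deployment would use on epoch markers and kernel-signed SARs.
MARKER_KEY = b"constructed-epoch-marker-issuer-key"
KERNEL_KEYS = {"domain-a": b"constructed-kernel-a", "domain-b": b"constructed-kernel-b"}

def _mac(key, obj):
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_marker(epoch_id):
    return {"epoch": epoch_id, "tag": _mac(MARKER_KEY, {"epoch": epoch_id})}

def make_sar(domain, session, local_clock, marker, events):
    # Hypothetical SAR layout. local_clock is carried but never trusted for
    # ordering, because the domains are not time-synchronized.
    body = {"domain": domain, "session": session, "local_clock": local_clock,
            "marker": marker, "events": events}
    return {**body, "sig": _mac(KERNEL_KEYS[domain], body)}

def verify_sar(sar):
    body = {k: v for k, v in sar.items() if k != "sig"}
    key = KERNEL_KEYS.get(sar.get("domain"))
    if key is None or not hmac.compare_digest(sar.get("sig", ""), _mac(key, body)):
        return "bad-kernel-signature"
    m = sar["marker"]
    if not hmac.compare_digest(m.get("tag", ""), _mac(MARKER_KEY, {"epoch": m.get("epoch")})):
        return "bad-epoch-marker"
    return "ok"

def correlate(sars):
    # Group verified SARs by epoch id; collect rejected ones with the reason.
    by_epoch, rejected = {}, []
    for sar in sars:
        status = verify_sar(sar)
        if status == "ok":
            by_epoch.setdefault(sar["marker"]["epoch"], []).append((sar["domain"], sar["session"]))
        else:
            rejected.append((sar.get("session"), status))
    return by_epoch, rejected

def sample():
    # Constructed records: clocks in the two domains disagree wildly.
    m7, m8 = make_marker(7), make_marker(8)
    a = make_sar("domain-a", "s1", 1000, m7, ["oversight-approved"])
    b = make_sar("domain-b", "s2", 999999, m7, ["prohibition-enforced"])
    c = make_sar("domain-a", "s3", 1001, m8, ["intent-committed"])
    forged = dict(a, session="s4", events=[])            # altered after signing
    unanchored = make_sar("domain-b", "s5", 5, {"epoch": 9, "tag": "00"}, [])
    return correlate([a, b, c, forged, unanchored])
```

Sessions s1 and s2 land in the same epoch despite their local clocks differing by orders of magnitude, while the altered record and the record carrying an unverifiable marker are rejected before correlation.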