[SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00
toshiyuki sato <tomsato@myauberge.jp> Wed, 01 July 2026 11:13 UTC
Return-Path: <tomsato@myauberge.jp>
X-Original-To: scitt@mail2.ietf.org
Delivered-To: scitt@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BFE9310B86603 for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 04:13:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782904429; bh=H9kJ+2RYL3KNMcRBpcNB8vQB+Vw+/RklGHGsKDPk7Fc=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=feNEbXTyw4vc/fbgmfxMCQ6ekJQl52h8QGnvDfbMkDskTdn2vJrqlkFl650Ae2zIQ q/8qUMeSL1yS5OQqcPWp1yOxZr1KPMeFlGDKqwHcwSwnqtlcb5S1oBi++BCcKwx5OG XhHz4XDOufpW05PB9sxyNyrCccOhJCHEevjf+psA=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=myauberge-jp.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyAp2q5nihd0 for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 04:13:48 -0700 (PDT)
Received: from mail-dy1-x132d.google.com (mail-dy1-x132d.google.com [IPv6:2607:f8b0:4864:20::132d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2DA9D10B865CC for <scitt@ietf.org>; Wed, 1 Jul 2026 04:13:41 -0700 (PDT)
Received: by mail-dy1-x132d.google.com with SMTP id 5a478bee46e88-30ec3dfbcd1so893451eec.0 for <scitt@ietf.org>; Wed, 01 Jul 2026 04:13:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782904414; cv=none; d=google.com; s=arc-20260327; b=mzCGo1SZjNy9ruynm2o3TGF8pQZ37NEcbL8nIkvVYk6aRWJJWqeNAW95Kzmv6EVIDe 3GmhbFEdZvm7UnDQL5cb5L7rvh158MYCmXlgG3XdiDFWn0mUdJCKYGA1UpGUOjp8tIvE 72qulhbIOKAzec4EaQITgOckkH9tdhmF6wBfhloTX65/Rq8Tt9oM8dcq3rnXYTetJ9Qg oNxQ9x/BtY+xBsr8/G8/lvSgmXEP4e7mEcsmDIGnlNwdZ6XwAuxBYsMCfye4ffjKVhtQ TcW9dLzr1uiUNEJoKI2jryaECFpwomfS73WuTKfXozwDIn72GK5qPMTTu+y+tKOi2e83 ASTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=kLHm4Ou/Sa/tu5tzKbamHluhD/lBvuOl3pn4qhlx/lY=; fh=o40buR/rzHU4o2uffYWwBEkhAzZSETCikuOmEpsKzTg=; b=bT8LlqpQ9AVmq2Qa9ir9lAqX55diKkGx18GLSjFYr7u8p6h87Glzf/ODagHDMM0AkY eXmIS/UTDDlkKnnSF5Je29Q9htw9+wOoMuy/0woEya50YriNm/TiUWMGWiksADElICly AUkJniO5hX9Va52C5G1mF9V/ZQZ5HHtLIgrcP8P1M/TzX5G4NtmxPqa2+rJT625K7zeb QUkEBgkyGL0jqLy/tc4GUBcwhsKqW2+uTvMKFMI2SCyWjl4mMRk+Z4QoY1LVV5e9dGs/ tAmGjTa7XOKzLuQuc1L4MC5qkVxXL1KmVlMg1rUtptuPyy1pzkPC4jIHmbGCJnJr26Z9 YOqg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=myauberge-jp.20251104.gappssmtp.com; s=20251104; t=1782904414; x=1783509214; darn=ietf.org; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to :content-type; bh=kLHm4Ou/Sa/tu5tzKbamHluhD/lBvuOl3pn4qhlx/lY=; b=LlKC+nJWIcYhKLxPzkIF5s3iackaaPjQfJvptmBu8iUa5OHt3B+aJ1iX4Y4TLXcvKS 2HG2BZCLEsTt3QeLWZlx/3GfyDN2NH9kUlxgERffMvIOP2ijJxj8vQ14DJUDc8Kcgnw1 1NhypMRK1EfLF+ZCpSRJ39XaqfkAwXCGJt2RUnDkR6B8lnomv/5VD+fju/Q8OhB2uOQZ 9dT2FxMiIa642GtNs1hffHJRbdlTP51O+/GLSBCv9cJ8FbBTGYInCRerPREDEpojTcEE of0gVXT0IUrhK5q6PTdxKHITiM/vOdHif8OxSgOP3ujaX2yjQgyt8g4vSOkJNPVBKmcQ nvdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782904414; x=1783509214; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to:content-type; bh=kLHm4Ou/Sa/tu5tzKbamHluhD/lBvuOl3pn4qhlx/lY=; b=VjD/DV1URTgc8El11nkr6IxWYg2pxmE28pJ1BdKvljGDLgDMaD8WRNvzGw4UYREuFj qjZ8siNfY7km80Etr2R3FYUiqKeCppxhR5QGTAxYJ/AvacrOY2Y/rtEDxNh+zKiUD47p e9vfZUR0gKWx6l2QvSpV1jA+fCKKgEFc89YU7e2k8NQyUQc619L7N1cxJZBqEUWzyD3m rErK3E5fGsQZ7QMpVI0P7zvhMIK3f2DfiTkHrwTQBZDiWM/sSaoqZ4sazu+suWu2TvLq +DZWoYRjl2PKx2GWenccnzEdk4ZTCx+LD2/rOF1+CMqkjC1zCZrhketcTL66QVk1KsRP ajgw==
X-Gm-Message-State: AOJu0Yx/BMTqBrRiEu+5N5kb8Bs13Q9QAMfgoqFc6N6dZSTISLHIvTyC HtANLKzlS8hQ71xH4JiN+uqQO/zXs6PlDiObKhl9BxqiL1sMp1oVbEvEgw5WyVBDwzu1Uf4aRhK FFlPUIQ4HM58mffJkHv9QL/vTWmU+/AD3Z6l3+IAcFG6CFcDM76wh03qC
X-Gm-Gg: AfdE7cl4xN17n7bhyslWG6jje5xP8zfvGVQ5x2Qt7aP0SG1SssJUvoI+zSBbqr5Ob1l sKWSdjp8SGe65IRfYGqz/q5RHk9JpGdzBIyeb6TkUSJyBK7TzUIuu6PcnwDL6dknpO8FsXQvCa8 wVOJ6dGIc8fKb4mfq+yYUA+Lcfe336vaS6hEdpS0SizPGOyjqA4QA2G+NMbrKf0OzzPYpROrw/D RpRZH5twJmQmUQpsIqm4fKiNtZqQYpDKCECRCMOFz8luJYRaYCkR94V1DwUjlMSomJMcBqUqEtX izkQYF91/T3eWzn5JNGpSQRnLjGKv1sJiSYQqIt5
X-Received: by 2002:a05:7300:a987:b0:30c:9449:7745 with SMTP id 5a478bee46e88-30f052ac2f3mr307322eec.15.1782904413922; Wed, 01 Jul 2026 04:13:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAJsPq9sB6FaCF5fc62_Q_UZUCwjyoTDZ7koO4FXt+TRTqkGD3A@mail.gmail.com> <CAJsPq9unHDdqfbZ3NNtn6onCdX+ShPQcePCiZtEC3sLmoU+O9Q@mail.gmail.com>
In-Reply-To: <CAJsPq9unHDdqfbZ3NNtn6onCdX+ShPQcePCiZtEC3sLmoU+O9Q@mail.gmail.com>
From: toshiyuki sato <tomsato@myauberge.jp>
Date: Wed, 01 Jul 2026 20:13:23 +0900
X-Gm-Features: AVVi8CdmZRE1Az32wRFtY-afYfOpJzBDNWiqVwWlvpvpIGQwPQNLPYmy2MZPBX4
Message-ID: <CAFLkQy9LXbkG9vPqO-FSsmKW-_bEtBYt9kR+xP7bv5NAR4c+zw@mail.gmail.com>
To: Steven Mih <steven=40actionstate.ai@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000042b7b006558ac8b6"
Message-ID-Hash: RSA7GVCAGGTKCU6ICM6F5Q6NXXSO4QM7
X-Message-ID-Hash: RSA7GVCAGGTKCU6ICM6F5Q6NXXSO4QM7
X-MailFrom: tomsato@myauberge.jp
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: scitt@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/4fFuBCJLnStitIfsGQ9P3eHbjMo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>
Hi Steven, Thank you for this — the Agent Action Capsule addresses exactly the right problem at the SCITT layer, and the design choices (verdict-complete audit trail, byte-level determinism via JCS) are ones we've independently arrived at in the SOOS project from the kernel side. I wanted to introduce a related set of drafts that may be useful context for the Capsule profile, specifically around what produces the statements that a Capsule-based transparency service would receive. The SOOS project (draft-sato-soos-*, 19 Internet-Drafts submitted to Datatracker ahead of the July 6 cutoff) defines a governance kernel architecture for agentic AI systems. The piece most directly relevant here is GAR (Governance Audit Record, draft-sato-soos-gar): a causally-ordered, append-only governance log produced by the kernel's Governing Enforcement Component (GEC), structured as a semantic convention layer on OpenTelemetry. GAR Session Blocks — Merkle-rooted, KIA-signed collections of Authority Lifecycle Events — are the natural upstream producer of SCITT Signed Statements: the Session Block Merkle root and KIA signature map directly onto the SCITT issuer-signed statement model. Two points of contact with the Capsule design: 1. Verdict completeness. GAR records every Authority Lifecycle Event including enforcement refusals (ALE-059: ACD_VALIDATION_FAILED), policy blocks, and HEM escalations — not just successful actions. The same survivorship-bias argument you make for Capsules applies at the kernel level: a gate firing is itself a governance event and must be in the audit record. 2. The producer/consumer boundary. The Capsule profile defines what a SCITT statement for agent actions looks like at the transparency service layer. GAR defines what the kernel-side enforcement log looks like before it becomes a SCITT statement. A SOOS kernel emitting GAR Session Blocks as SCITT Signed Statements would give Capsule verifiers a kernel-attested, tamper-evident source — the GEC signature (KIA private key, RFC 9334 attester model) provides the root of trust that the Capsule's digest commitment relies on. I've also been following the permit-profile and agentroa-route-authorization work you reference. GAR's ACD compliance handshake events (draft-sato-soos-acd) sit between those authorization records and the execution record your Capsule captures — pre-execution compliance disclosure → Capsule execution record → GAR audit log is a complete chain. Full draft index: https://soosproject.ai/drafts GAR specifically: https://datatracker.ietf.org/doc/draft-sato-soos-gar/ Happy to discuss further on-list or at Vienna if you're attending. Best regards, Tom Sato CEO, MyAuberge K.K. tomsato@myauberge.jp https://soosproject.ai 2026年6月20日(土) 4:38 Steven Mih <steven=40actionstate.ai@dmarc.ietf.org>: > Hi all, > Two quick updates on the Agent Action Capsule profile for SCITT, plus > a companion draft for review. > -01 is posted: > https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule/ > > The reference implementation is now public. You can reproduce the > byte-level determinism in about a minute: > > git clone https://github.com/action-state-group/agent-action-capsule > cd agent-action-capsule && pip install -e python > agent-action-capsule verify > test-vectors/pos-executed-confirmed/input.json # ok: true > agent-action-capsule verify > test-vectors/neg-capsule-id-mismatch/input.json # ok: false > (capsule_id mismatch) > > A conformant Capsule recomputes its content-address and passes; a > tampered one is rejected. The same vectors pass under two independent > implementations (Python and Go) with zero divergences. The repo also > has the spec source, the profile's interim registry, and > positive/negative vectors for every verdict class and check. > > Companion (selective disclosure): I've filed "Selective Disclosure > Profile for Agent Action Capsules" > (draft-mih-scitt-agent-action-capsule-sel-disc-00): > > https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule-sel-disc/ > > It does per-field selective disclosure of the JSON Capsule payload > (salted-hash commitments, decoy digests, disclosed [salt, name, value] > triples), following SD-JWT (RFC 9901), with JCS (RFC 8785) as the > canonicalization: already the base profile's canonical form. SD-CWT > (draft-ietf-spice-sd-cwt) is the CBOR sibling, and the profile stays > aligned with that SPICE work. It targets one signed Capsule serving > verifiers with different entitlements: a regulator gets every field, > an auditing partner only the disposition, without re-signing. > Disclosable fields are enumerated; the fields the base verifier needs > for the dispatched-vs-confirmed distinction are non-concealable. > > Two questions I have and welcome views: > fit with SCITT registration policy for these statement profiles; and > whether the companion should track SD-CWT (draft-ietf-spice-sd-cwt) > more tightly, rather than the SD-JWT / JSON model it follows now. > > Earlier asks still stand and are now in the implementation: the > provisional protected-header claim set (Section 3.1) and open/deferred > items via chained superseding Capsules (Section 5.4.4). > > Both are individual submissions, not WG documents and not RFCs; the > substrate (SCITT architecture, COSE Receipts) is itself pre-RFC. Code > components are royalty-free. > > Steven Mih > Action State Group, Inc. > On Sat, Jun 13, 2026 at 1:03 PM <steven@actionstate.ai> wrote: > > > > Hello SCITT Working Group, > > > > I've submitted a new individual draft, "An Agent Action Capsule Profile > for SCITT" (draft-mih-scitt-agent-action-capsule-00). > > > > The profile defines a SCITT statement profile for the "did" layer of AI > agent actions — a digest-committed record of what an agent actually did, > structurally binding the observed response so that a dispatched attempt > cannot be presented as a completed effect. It's intended to complement, not > overlap, the pre-execution authorization work already in this space (e.g. > draft-munoz-scitt-permit-profile and > draft-nivalto-agentroa-route-authorization): authorization records prove > permission was granted; Capsules record what occurred, including refusals. > > > > Two design choices I'd particularly value the group's eyes on: > > > > A Capsule on every verdict. Refusals, blocks, and timeouts are recorded > as affirmative evidence, not just successes — so the audit trail isn't > survivorship-biased and a gate firing is itself provable. > > > > Byte-level determinism. Verification relies strictly on JCS > canonicalization and exact decimal strings, reproducible by any > payload-bearing verifier without model re-prompting or heuristics. > > > > The two areas where I'd most welcome feedback are the provisional > protected-header claim set (Section 3.1) and the handling of open and > deferred items via chained superseding Capsules (Section 5.4.4). > > > > The draft is informed by an active reference implementation. IPR > disclosures for this draft have been filed and are being processed by the > datatracker; the declared licensing terms are royalty-free. > > > > I'd be glad to walk through the profile briefly if there's interest from > the group or the chairs. Feedback on-list is very welcome. > > > > Respectfully, > > Steven Mih > > Action State Group, Inc. > > -- > SCITT mailing list -- scitt@ietf.org > To unsubscribe send an email to scitt-leave@ietf.org > -- Tom Sato 佐藤俊之 代表取締役CEO マイオーベルジュ株式会社 090-6315-1325 tomsato@myauberge.jp
- [SCITT] New individual submission: draft-mih-scit… steven
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu