[SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00

toshiyuki sato <tomsato@myauberge.jp> Wed, 01 July 2026 11:13 UTC

Return-Path: <tomsato@myauberge.jp>
X-Original-To: scitt@mail2.ietf.org
Delivered-To: scitt@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BFE9310B86603 for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 04:13:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782904429; bh=H9kJ+2RYL3KNMcRBpcNB8vQB+Vw+/RklGHGsKDPk7Fc=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=feNEbXTyw4vc/fbgmfxMCQ6ekJQl52h8QGnvDfbMkDskTdn2vJrqlkFl650Ae2zIQ q/8qUMeSL1yS5OQqcPWp1yOxZr1KPMeFlGDKqwHcwSwnqtlcb5S1oBi++BCcKwx5OG XhHz4XDOufpW05PB9sxyNyrCccOhJCHEevjf+psA=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=myauberge-jp.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyAp2q5nihd0 for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 04:13:48 -0700 (PDT)
Received: from mail-dy1-x132d.google.com (mail-dy1-x132d.google.com [IPv6:2607:f8b0:4864:20::132d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2DA9D10B865CC for <scitt@ietf.org>; Wed, 1 Jul 2026 04:13:41 -0700 (PDT)
Received: by mail-dy1-x132d.google.com with SMTP id 5a478bee46e88-30ec3dfbcd1so893451eec.0 for <scitt@ietf.org>; Wed, 01 Jul 2026 04:13:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782904414; cv=none; d=google.com; s=arc-20260327; b=mzCGo1SZjNy9ruynm2o3TGF8pQZ37NEcbL8nIkvVYk6aRWJJWqeNAW95Kzmv6EVIDe 3GmhbFEdZvm7UnDQL5cb5L7rvh158MYCmXlgG3XdiDFWn0mUdJCKYGA1UpGUOjp8tIvE 72qulhbIOKAzec4EaQITgOckkH9tdhmF6wBfhloTX65/Rq8Tt9oM8dcq3rnXYTetJ9Qg oNxQ9x/BtY+xBsr8/G8/lvSgmXEP4e7mEcsmDIGnlNwdZ6XwAuxBYsMCfye4ffjKVhtQ TcW9dLzr1uiUNEJoKI2jryaECFpwomfS73WuTKfXozwDIn72GK5qPMTTu+y+tKOi2e83 ASTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=kLHm4Ou/Sa/tu5tzKbamHluhD/lBvuOl3pn4qhlx/lY=; fh=o40buR/rzHU4o2uffYWwBEkhAzZSETCikuOmEpsKzTg=; b=bT8LlqpQ9AVmq2Qa9ir9lAqX55diKkGx18GLSjFYr7u8p6h87Glzf/ODagHDMM0AkY eXmIS/UTDDlkKnnSF5Je29Q9htw9+wOoMuy/0woEya50YriNm/TiUWMGWiksADElICly AUkJniO5hX9Va52C5G1mF9V/ZQZ5HHtLIgrcP8P1M/TzX5G4NtmxPqa2+rJT625K7zeb QUkEBgkyGL0jqLy/tc4GUBcwhsKqW2+uTvMKFMI2SCyWjl4mMRk+Z4QoY1LVV5e9dGs/ tAmGjTa7XOKzLuQuc1L4MC5qkVxXL1KmVlMg1rUtptuPyy1pzkPC4jIHmbGCJnJr26Z9 YOqg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=myauberge-jp.20251104.gappssmtp.com; s=20251104; t=1782904414; x=1783509214; darn=ietf.org; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to :content-type; bh=kLHm4Ou/Sa/tu5tzKbamHluhD/lBvuOl3pn4qhlx/lY=; b=LlKC+nJWIcYhKLxPzkIF5s3iackaaPjQfJvptmBu8iUa5OHt3B+aJ1iX4Y4TLXcvKS 2HG2BZCLEsTt3QeLWZlx/3GfyDN2NH9kUlxgERffMvIOP2ijJxj8vQ14DJUDc8Kcgnw1 1NhypMRK1EfLF+ZCpSRJ39XaqfkAwXCGJt2RUnDkR6B8lnomv/5VD+fju/Q8OhB2uOQZ 9dT2FxMiIa642GtNs1hffHJRbdlTP51O+/GLSBCv9cJ8FbBTGYInCRerPREDEpojTcEE of0gVXT0IUrhK5q6PTdxKHITiM/vOdHif8OxSgOP3ujaX2yjQgyt8g4vSOkJNPVBKmcQ nvdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782904414; x=1783509214; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to:content-type; bh=kLHm4Ou/Sa/tu5tzKbamHluhD/lBvuOl3pn4qhlx/lY=; b=VjD/DV1URTgc8El11nkr6IxWYg2pxmE28pJ1BdKvljGDLgDMaD8WRNvzGw4UYREuFj qjZ8siNfY7km80Etr2R3FYUiqKeCppxhR5QGTAxYJ/AvacrOY2Y/rtEDxNh+zKiUD47p e9vfZUR0gKWx6l2QvSpV1jA+fCKKgEFc89YU7e2k8NQyUQc619L7N1cxJZBqEUWzyD3m rErK3E5fGsQZ7QMpVI0P7zvhMIK3f2DfiTkHrwTQBZDiWM/sSaoqZ4sazu+suWu2TvLq +DZWoYRjl2PKx2GWenccnzEdk4ZTCx+LD2/rOF1+CMqkjC1zCZrhketcTL66QVk1KsRP ajgw==
X-Gm-Message-State: AOJu0Yx/BMTqBrRiEu+5N5kb8Bs13Q9QAMfgoqFc6N6dZSTISLHIvTyC HtANLKzlS8hQ71xH4JiN+uqQO/zXs6PlDiObKhl9BxqiL1sMp1oVbEvEgw5WyVBDwzu1Uf4aRhK FFlPUIQ4HM58mffJkHv9QL/vTWmU+/AD3Z6l3+IAcFG6CFcDM76wh03qC
X-Gm-Gg: AfdE7cl4xN17n7bhyslWG6jje5xP8zfvGVQ5x2Qt7aP0SG1SssJUvoI+zSBbqr5Ob1l sKWSdjp8SGe65IRfYGqz/q5RHk9JpGdzBIyeb6TkUSJyBK7TzUIuu6PcnwDL6dknpO8FsXQvCa8 wVOJ6dGIc8fKb4mfq+yYUA+Lcfe336vaS6hEdpS0SizPGOyjqA4QA2G+NMbrKf0OzzPYpROrw/D RpRZH5twJmQmUQpsIqm4fKiNtZqQYpDKCECRCMOFz8luJYRaYCkR94V1DwUjlMSomJMcBqUqEtX izkQYF91/T3eWzn5JNGpSQRnLjGKv1sJiSYQqIt5
X-Received: by 2002:a05:7300:a987:b0:30c:9449:7745 with SMTP id 5a478bee46e88-30f052ac2f3mr307322eec.15.1782904413922; Wed, 01 Jul 2026 04:13:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAJsPq9sB6FaCF5fc62_Q_UZUCwjyoTDZ7koO4FXt+TRTqkGD3A@mail.gmail.com> <CAJsPq9unHDdqfbZ3NNtn6onCdX+ShPQcePCiZtEC3sLmoU+O9Q@mail.gmail.com>
In-Reply-To: <CAJsPq9unHDdqfbZ3NNtn6onCdX+ShPQcePCiZtEC3sLmoU+O9Q@mail.gmail.com>
From: toshiyuki sato <tomsato@myauberge.jp>
Date: Wed, 01 Jul 2026 20:13:23 +0900
X-Gm-Features: AVVi8CdmZRE1Az32wRFtY-afYfOpJzBDNWiqVwWlvpvpIGQwPQNLPYmy2MZPBX4
Message-ID: <CAFLkQy9LXbkG9vPqO-FSsmKW-_bEtBYt9kR+xP7bv5NAR4c+zw@mail.gmail.com>
To: Steven Mih <steven=40actionstate.ai@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000042b7b006558ac8b6"
Message-ID-Hash: RSA7GVCAGGTKCU6ICM6F5Q6NXXSO4QM7
X-Message-ID-Hash: RSA7GVCAGGTKCU6ICM6F5Q6NXXSO4QM7
X-MailFrom: tomsato@myauberge.jp
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: scitt@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/4fFuBCJLnStitIfsGQ9P3eHbjMo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>

Hi Steven,

Thank you for this — the Agent Action Capsule addresses exactly the right
problem at the SCITT layer, and the design choices (verdict-complete audit
trail, byte-level determinism via JCS) are ones we've independently arrived
at in the SOOS project from the kernel side.

I wanted to introduce a related set of drafts that may be useful context
for the Capsule profile, specifically around what produces the statements
that a Capsule-based transparency service would receive.

The SOOS project (draft-sato-soos-*, 19 Internet-Drafts submitted to
Datatracker ahead of the July 6 cutoff) defines a governance kernel
architecture for agentic AI systems. The piece most directly relevant here
is GAR (Governance Audit Record, draft-sato-soos-gar): a causally-ordered,
append-only governance log produced by the kernel's Governing Enforcement
Component (GEC), structured as a semantic convention layer on
OpenTelemetry. GAR Session Blocks — Merkle-rooted, KIA-signed collections
of Authority Lifecycle Events — are the natural upstream producer of SCITT
Signed Statements: the Session Block Merkle root and KIA signature map
directly onto the SCITT issuer-signed statement model.

Two points of contact with the Capsule design:

1. Verdict completeness. GAR records every Authority Lifecycle Event
including enforcement refusals (ALE-059: ACD_VALIDATION_FAILED), policy
blocks, and HEM escalations — not just successful actions. The same
survivorship-bias argument you make for Capsules applies at the kernel
level: a gate firing is itself a governance event and must be in the audit
record.

2. The producer/consumer boundary. The Capsule profile defines what a SCITT
statement for agent actions looks like at the transparency service layer.
GAR defines what the kernel-side enforcement log looks like before it
becomes a SCITT statement. A SOOS kernel emitting GAR Session Blocks as
SCITT Signed Statements would give Capsule verifiers a kernel-attested,
tamper-evident source — the GEC signature (KIA private key, RFC 9334
attester model) provides the root of trust that the Capsule's digest
commitment relies on.

I've also been following the permit-profile and
agentroa-route-authorization work you reference. GAR's ACD compliance
handshake events (draft-sato-soos-acd) sit between those authorization
records and the execution record your Capsule captures — pre-execution
compliance disclosure → Capsule execution record → GAR audit log is a
complete chain.

Full draft index: https://soosproject.ai/drafts
GAR specifically: https://datatracker.ietf.org/doc/draft-sato-soos-gar/

Happy to discuss further on-list or at Vienna if you're attending.

Best regards,
Tom Sato
CEO, MyAuberge K.K.
tomsato@myauberge.jp
https://soosproject.ai

2026年6月20日(土) 4:38 Steven Mih <steven=40actionstate.ai@dmarc.ietf.org>:

> Hi all,
> Two quick updates on the Agent Action Capsule profile for SCITT, plus
> a companion draft for review.
> -01 is posted:
> https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule/
>
> The reference implementation is now public. You can reproduce the
> byte-level determinism in about a minute:
>
> git clone https://github.com/action-state-group/agent-action-capsule
> cd agent-action-capsule && pip install -e python
> agent-action-capsule verify
> test-vectors/pos-executed-confirmed/input.json    # ok: true
> agent-action-capsule verify
> test-vectors/neg-capsule-id-mismatch/input.json   # ok: false
> (capsule_id mismatch)
>
> A conformant Capsule recomputes its content-address and passes; a
> tampered one is rejected. The same vectors pass under two independent
> implementations (Python and Go) with zero divergences. The repo also
> has the spec source, the profile's interim registry, and
> positive/negative vectors for every verdict class and check.
>
> Companion (selective disclosure): I've filed "Selective Disclosure
> Profile for Agent Action Capsules"
> (draft-mih-scitt-agent-action-capsule-sel-disc-00):
>
> https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule-sel-disc/
>
> It does per-field selective disclosure of the JSON Capsule payload
> (salted-hash commitments, decoy digests, disclosed [salt, name, value]
> triples), following SD-JWT (RFC 9901), with JCS (RFC 8785) as the
> canonicalization: already the base profile's canonical form. SD-CWT
> (draft-ietf-spice-sd-cwt) is the CBOR sibling, and the profile stays
> aligned with that SPICE work. It targets one signed Capsule serving
> verifiers with different entitlements: a regulator gets every field,
> an auditing partner only the disposition, without re-signing.
> Disclosable fields are enumerated; the fields the base verifier needs
> for the dispatched-vs-confirmed distinction are non-concealable.
>
> Two questions I have and welcome views:
> fit with SCITT registration policy for these statement profiles; and
> whether the companion should track SD-CWT (draft-ietf-spice-sd-cwt)
> more tightly, rather than the SD-JWT / JSON model it follows now.
>
> Earlier asks still stand and are now in the implementation: the
> provisional protected-header claim set (Section 3.1) and open/deferred
> items via chained superseding Capsules (Section 5.4.4).
>
> Both are individual submissions, not WG documents and not RFCs; the
> substrate (SCITT architecture, COSE Receipts) is itself pre-RFC. Code
> components are royalty-free.
>
> Steven Mih
> Action State Group, Inc.
> On Sat, Jun 13, 2026 at 1:03 PM <steven@actionstate.ai> wrote:
> >
> > Hello SCITT Working Group,
> >
> > I've submitted a new individual draft, "An Agent Action Capsule Profile
> for SCITT" (draft-mih-scitt-agent-action-capsule-00).
> >
> > The profile defines a SCITT statement profile for the "did" layer of AI
> agent actions — a digest-committed record of what an agent actually did,
> structurally binding the observed response so that a dispatched attempt
> cannot be presented as a completed effect. It's intended to complement, not
> overlap, the pre-execution authorization work already in this space (e.g.
> draft-munoz-scitt-permit-profile and
> draft-nivalto-agentroa-route-authorization): authorization records prove
> permission was granted; Capsules record what occurred, including refusals.
> >
> > Two design choices I'd particularly value the group's eyes on:
> >
> > A Capsule on every verdict. Refusals, blocks, and timeouts are recorded
> as affirmative evidence, not just successes — so the audit trail isn't
> survivorship-biased and a gate firing is itself provable.
> >
> > Byte-level determinism. Verification relies strictly on JCS
> canonicalization and exact decimal strings, reproducible by any
> payload-bearing verifier without model re-prompting or heuristics.
> >
> > The two areas where I'd most welcome feedback are the provisional
> protected-header claim set (Section 3.1) and the handling of open and
> deferred items via chained superseding Capsules (Section 5.4.4).
> >
> > The draft is informed by an active reference implementation. IPR
> disclosures for this draft have been filed and are being processed by the
> datatracker; the declared licensing terms are royalty-free.
> >
> > I'd be glad to walk through the profile briefly if there's interest from
> the group or the chairs. Feedback on-list is very welcome.
> >
> > Respectfully,
> > Steven Mih
> > Action State Group, Inc.
>
> --
> SCITT mailing list -- scitt@ietf.org
> To unsubscribe send an email to scitt-leave@ietf.org
>


-- 

Tom Sato
佐藤俊之
代表取締役CEO
マイオーベルジュ株式会社
090-6315-1325
tomsato@myauberge.jp