[SCITT] Re: [agent2agent] Re: New draft on AI Agent Auditing and proposed BoF/WG charter
Dick Brooks <dick@businesscyberguardian.com> Thu, 28 May 2026 13:27 UTC
From: Dick Brooks <dick@businesscyberguardian.com>
To: "'Mirja Kuehlewind (IETF)'" <ietf@kuehlewind.net>
References: <0F12E264-D8D7-4746-B9F4-1C72A9D862F5@kuehlewind.net> <extvmht4nh2c6drh62vhwrlzucobkjecoquktbnyleqnys5iym@bofrnxusdzwy> <bc7706cd-5ec6-f77d-8c7a-d8c6c0f0f4df@ietf.contact> <04ab01dce853$0fa4f230$2eeed690$@businesscyberguardian.com> <F83A1D3D-2020-4F6E-8BDA-9CE9CFC8ED84@kuehlewind.net>
In-Reply-To: <F83A1D3D-2020-4F6E-8BDA-9CE9CFC8ED84@kuehlewind.net>
Date: Thu, 28 May 2026 09:27:02 -0400
Organization: Business Cyber Guardian
Message-ID: <30b901dceea5$ac655990$05300cb0$@businesscyberguardian.com>
CC: 'Henk Birkholz' <henk.birkholz@ietf.contact>, scitt@ietf.org, 'Thomas Fossati' <thomas.fossati@linaro.org>
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/5lySE8ZxLncYuaNAec7g0b3som4>
Mirja,

Thanks for your insights.

Regarding "Yes, we need some kind of identifiers but I think this new group would need to rely on work done in other groups for this."

I agree, but this identifier technology needs to be available broadly so that anyone can implement a Transparency Service that is protected using a verifiable identifier, like the one suggested in this Internet Draft ztdnaid URI scheme:

https://www.ietf.org/archive/id/draft-brooks-ztdnaid-new-02.txt

A ztdnaid is an Uppercase SHA256 hash over unique data used to identify an entity or resource (DDR) operating in a Zero Trust environment. This ztdnaid identifier can be verified as trusted before performing any COSE/SCITT processing to ensure that only trusted entities are allowed to register a Signed Statement in a Transparency Service.

We are presently using this ztdnaid approach to protect our own SAG-CTR Trust Registry.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Lifetime IEEE Member
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@businesscyberguardian.com
Tel: +1 978-696-1788

-----Original Message-----
From: Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>
Sent: Thursday, May 28, 2026 9:16 AM
To: dick@businesscyberguardian.com
Cc: Henk Birkholz <henk.birkholz@ietf.contact>; scitt@ietf.org; Thomas Fossati <thomas.fossati@linaro.org>
Subject: Re: [SCITT] [agent2agent] Re: New draft on AI Agent Auditing and proposed BoF/WG charter

Hi Dick,

This is a good question and related to one from Thomas, asking if the working group would define new identity primitives. I think the answer is actually clearly no and I added a sentence to the charter to clarify this. Yes, we need some kind of identifiers but I think this new group would need to rely on work done in other groups for this.

Mirja

> On 20. May 2026, at 14:20, Dick Brooks <dick@businesscyberguardian.com> wrote:
>
> Henk,
>
> Question regarding this statement: "Additionally, AI agent behavior may be non-deterministic and not fully predefined, requiring auditing mechanisms to capture execution context and structure as they emerge. Auditing must also distinguish between user, agent, and service identities, and ensure audit data remains interpretable across systems without shared assumptions."
>
> How will these entities assert their identity that may be required for a Zero Trust implementation?
>
> Thanks,
>
> Dick Brooks
> Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
> Lifetime IEEE Member
> Never trust software, always verify and report! ™
> Risk always exists, but trust must be earned and awarded.™
> https://businesscyberguardian.com/
> Email: dick@businesscyberguardian.com
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Henk Birkholz <henk.birkholz@ietf.contact>
> Sent: Wednesday, May 20, 2026 7:30 AM
> To: scitt@ietf.org
> Cc: Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>; Thomas Fossati <thomas.fossati@linaro.org>
> Subject: [SCITT] Re: [agent2agent] Re: New draft on AI Agent Auditing and proposed BoF/WG charter
>
> Hi SCITT List,
>
> on the agent2agent email list, Thomas highlighted that we should share the charter draft for the AUDIT WG BoF proposal with aligned WGs.
>
> AUDIT: Agent Use of Delegation and Interaction Traceability
>
> On 20.05.26 09:48, Thomas Fossati wrote:
>> 2. There seems to be quite a lot of overlap with WIMSE, OAUTH, SCITT, RATS -- at least, which is both good and bad. To minimise the risk of overlap, conflict, et cetera, I suggest you make the proposal visible to these groups (if you haven't already done it). I understand it may be a bit too early to properly engage, but a quick heads-up would not hurt (_maybe_).
>
> Mirja just sent a sharable copy of the charter text to the agent2agent list. Please let me repost it to SCITT for your convenience and awareness (as this proposed charter text refers to accountability and transparency as enabled by SCITT building blocks). Please have a look!
>
> Either in:
>
> https://mailarchive.ietf.org/arch/msg/agent2agent/QHFRoQ5g8S7FvoN_Bz6olgx1hn4
>
> or verbatim below.
>
> Best regards,
>
> Mirja & Henk
>
> On 20.05.26 12:35, Mirja Kuehlewind (IETF) wrote:
>> Hi all,
>>
>> To make it easier to comment on the proposed charter text directly, I thought I'd send another mail with the text directly embedded. Again, any quick comments or expressions of interest before Friday are very welcome, so we can decide on Friday if we want to put a preliminary BoF request in!
>>
>> Here is the initial draft for the proposed charter text:
>>
>> —————
>> # Agent Use of Delegation and Interaction Traceability (AUDIT) Working Group Charter
>>
>> Autonomous and semi-autonomous software agents, including those based on artificial intelligence (AI), are increasingly deployed to act on behalf of users, organizations, and services across the Internet. These agents interact across multiple administrative or trust domains and can initiate actions without direct human oversight at each step.
>>
>> This introduces challenges for auditability, accountability, and transparency, including:
>>
>> * Difficulty attributing actions to a specific user, agent instance, or delegation context
>> * Loss of visibility across long-running or distributed workflows
>> * Inconsistent capture of delegation relationships, authorization context, and identity transitions
>> * Cross-domain interactions lack interoperable means to exchange or verify audit-relevant information about the participating agents and their interactions
>>
>> AI agents participate in two distinct classes of interactions that must be audited:
>>
>> * User-facing interactions, such as prompts, conversations, and approvals, capturing user intent and human-in-the-loop decisions
>> * System-facing interactions, such as API calls, tool usage, and delegation to other agents or services
>>
>> Effective auditing requires linking user intent to resulting system actions across protocol and administrative boundaries. While traditional workflows support evolving authorization, these transitions are usually explicit and predefined. AI agent systems introduce dynamic, fine-grained authorization changes that arise during execution, driven by agent decisions, delegation, and human interaction. Auditing must therefore capture authorization as a time-evolving state and correlate these transitions across interactions and domains.
>>
>> Additionally, AI agent behavior may be non-deterministic and not fully predefined, requiring auditing mechanisms to capture execution context and structure as they emerge. Auditing must also distinguish between user, agent, and service identities, and ensure audit data remains interpretable across systems without shared assumptions.
>>
>> ## Scope and Goals
>>
>> The AUDIT working group will define interoperable mechanisms for auditing and accountability of AI agents and delegated systems across Internet protocols.
>>
>> The group will focus on architectures, protocol-layer specifications, and data representations that enable systems to record, exchange, and verify audit-relevant information across user-facing and system-facing interactions. This includes capturing delegation chains, evolving authorization state, and enabling consistent interpretation and correlation of audit data across domains.
>>
>> The working group will not define auditing policies or compliance frameworks, but instead provide the technical building blocks needed to support them.
>>
>> ## Deliverables
>>
>> The AUDIT working group is expected to produce:
>>
>> 1. Architecture for AI Agent Auditing
>> An Informational RFC describing roles, trust relationships, and data flows for interoperable auditing, including the relationship between user-facing and system-facing audit signals.
>>
>> 2. Audit Data Models and Semantics
>> One or more Standards Track RFCs defining data models for representing audit information, including interaction records, agent identity, delegation context, authorization state over time, and action provenance.
>>
>> 3. Protocol Extensions or Profiles
>> One or more Standards Track RFCs specifying extensions to existing IETF protocols (e.g., HTTP, OAuth, or token formats) to convey audit-related information.
>>
>> 4. Best Practices for Deployment and Operation
>> An Informational or BCP document providing guidance for secure, interoperable, and privacy-aware auditing, including correlation across interaction types.
>> —————
>>
>> Again, here is also the link to the charter text on github:
>> https://github.com/mirjak/draft-audit-architecture/blob/main/audit-charter.md
>>
>> And the architecture draft as reference:
>> https://www.ietf.org/archive/id/draft-kuehlewind-audit-architecture-00.html
>> -> The draft provides further details and also has four brief example use cases.
>>
>> This is all early work, so any feedback is more than welcome!
>>
>> Mirja & Henk
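The registration gate Dick describes above (verify a ztdnaid against a trust registry before any COSE/SCITT processing happens) can be illustrated in a few lines. The following is an added example written for this page; it is not code from the thread, from the ztdnaid draft, or from the SAG-CTR registry. It takes only two facts from the message: the identifier is an uppercase SHA-256 hex digest over the data that uniquely identifies an entity or resource, and it is checked before registration. The identifying-data byte strings, the registry layout and its status vocabulary, and the function and return-string names are all constructed assumptions; the draft's URI syntax is not reproduced, so the identifier is handled as the bare 64-character digest.

```python
import hashlib
import re

# Added example (not from the thread or the ztdnaid draft): gate Transparency
# Service registration on a ztdnaid-style identifier verified against a trust
# registry. Taken from the thread: uppercase SHA-256 hex over unique identifying
# data, checked before any COSE/SCITT processing. Everything else below (the
# identifying-data strings, registry layout, status words, function names) is
# constructed for illustration.

ZTDNAID_RE = re.compile(r"[0-9A-F]{64}")  # 64 uppercase hex digits, no URI prefix


def ztdnaid(identifying_data: bytes) -> str:
    """Uppercase hex SHA-256 over the entity's unique identifying data."""
    return hashlib.sha256(identifying_data).hexdigest().upper()


def is_well_formed(identifier: str) -> bool:
    """Strict syntax check: exact length and uppercase hex only.
    Lowercase, truncated or padded values are rejected rather than normalised,
    so a registry lookup can never succeed on a value that differs from the
    one that was registered."""
    return ZTDNAID_RE.fullmatch(identifier) is not None


# Constructed trust registry keyed by ztdnaid. A real registry (the thread
# mentions SAG-CTR) would be a maintained service; here it is an in-memory dict.
TRUST_REGISTRY = {
    ztdnaid(b"supplier-a.example|serial=0001"): {"name": "Supplier A", "status": "trusted"},
    ztdnaid(b"supplier-b.example|serial=0002"): {"name": "Supplier B", "status": "revoked"},
}


def is_trusted(identifier: str) -> bool:
    """Verify a presented ztdnaid against the registry before any COSE/SCITT work."""
    if not is_well_formed(identifier):
        return False
    entry = TRUST_REGISTRY.get(identifier)
    return entry is not None and entry["status"] == "trusted"


def register_signed_statement(submitter_id: str, signed_statement: bytes,
                              ledger: list) -> str:
    """Registration gate: malformed, unknown or revoked submitters never reach
    COSE verification or the SCITT registration policy. Returns a status string
    and appends accepted statements to the constructed ledger list."""
    if not is_trusted(submitter_id):
        return "rejected: submitter ztdnaid not trusted"
    # COSE signature verification and the SCITT registration policy would run
    # here; they are out of scope for this example, so the statement is stored
    # as presented.
    ledger.append((submitter_id, signed_statement))
    return "registered"


if __name__ == "__main__":
    ledger = []
    ok = ztdnaid(b"supplier-a.example|serial=0001")
    revoked = ztdnaid(b"supplier-b.example|serial=0002")
    for submitter in (ok, revoked, ok.lower(), ztdnaid(b"nobody.example")):
        print(submitter, "->", register_signed_statement(submitter, b"<COSE_Sign1 bytes>", ledger))
    print("ledger entries:", len(ledger))
```

The design point worth noting is the strict syntax check: because the scheme defines the identifier as uppercase hex, the gate refuses a lowercase or truncated presentation outright instead of case-folding it, so there is exactly one string that matches a registry entry and nothing upstream of COSE verification depends on normalisation rules.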