[SCITT] Re: Question: Using SCITT-like transparency services for authority binding in AI decision records (draft-veridom-omp-01)
Christian — Keel <christian@keelapi.com> Tue, 12 May 2026 21:41 UTC
Return-Path: <christian@keelapi.com>
X-Original-To: scitt@mail2.ietf.org
Delivered-To: scitt@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8B4FEED5E909 for <scitt@mail2.ietf.org>; Tue, 12 May 2026 14:41:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778622116; bh=bEj50dRv0Cao4xZz4PKEztukT8Tsu+lJic9p2p7d9CI=; h=Date:From:To:In-Reply-To:Subject; b=OaQ2XuxKJNZCFK1ISV4azPY+P/Pr7FpzUo4gVoHkTUjZk5aSXlhRvgpVMZnUSDQXu fEIykbRajDUYZTx38HbnrFPnbSVYnvVNm9CRjzvSbCrq1gMTWRoIJNcNXZp8HDcSKQ SlNS8Kosunxjnfu4j+927fRU27UMrB8JGfBhO+OM=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=keelapi.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Uku1AhQKOdM for <scitt@mail2.ietf.org>; Tue, 12 May 2026 14:41:52 -0700 (PDT)
Received: from sender4-op-o14.zoho.com (sender4-op-o14.zoho.com [136.143.188.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 353DEED5E8FC for <scitt@ietf.org>; Tue, 12 May 2026 14:41:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1778622103; cv=none; d=zohomail.com; s=zohoarc; b=JBqdwGElrmx2ocjLgZ9UXsC1xIMyKJpAH7l1N/+Gr9NuCyHJ0yyJCCNaJ5USYnd4s2yjBso/GPlNiZiuQN41X5+cnoeK7qHmuAidpVmf0RmqZ1YA0hgngjjjBy1DQwf44KmPXh2IWAkIAscR+4NHltVDzA9TGr7d9LiaxvHrqps=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622103; h=Content-Type:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=bEj50dRv0Cao4xZz4PKEztukT8Tsu+lJic9p2p7d9CI=; b=dZ1Z+4EKZLf/bKRXivAo/2O4HCbx6Y07HRsNQXlrZS7t+UGspKAF1tma9VdxXltuzzdBja6+TOkDTueQ0XekojZR7agPj26V/XvZnXMEzXq+0p/QR62JjaJbyybTwPtUpWNn/yTCAlHGlsEsE/Bcyl95taUG/E0d3GXqt1CSbn0=
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=keelapi.com; spf=pass smtp.mailfrom=christian@keelapi.com; dmarc=pass header.from=<christian@keelapi.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1778622103; s=zmail; d=keelapi.com; i=christian@keelapi.com; h=Date:Date:From:From:To:To:Message-Id:Message-Id:In-Reply-To:Subject:Subject:MIME-Version:Content-Type:Reply-To:Cc; bh=bEj50dRv0Cao4xZz4PKEztukT8Tsu+lJic9p2p7d9CI=; b=eBB/xlGeFV188ZO/4eO7EGOPgEVtDY3VRrRcSN4bUw4EksKV4XiTKKy5mg5R9qOh r42ylzQf5CaruxoxyYnV4bFpD+ADHs4SzIhTGKSHlyACTqTBf7rCDbPgYgcQFK7L3NW IPjkELf8BNr3YPoRO7cl1ZSWpJfcr1MICFnDyoB0=
Received: from mail.zoho.com by mx.zohomail.com with SMTP id 1778622100393625.5120561317302; Tue, 12 May 2026 14:41:40 -0700 (PDT)
Date: Tue, 12 May 2026 14:41:40 -0700
From: Christian — Keel <christian@keelapi.com>
To: scitt <scitt@ietf.org>
Message-Id: <19e1e237354.1b083a62785288.4988286990904091993@keelapi.com>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2687984_459060269.1778622100309"
Importance: Medium
User-Agent: Zoho Mail
X-Mailer: Zoho Mail
Message-ID-Hash: 6FKKFD2NIXTF6JULIRIO6RBLCQEJACMK
X-Message-ID-Hash: 6FKKFD2NIXTF6JULIRIO6RBLCQEJACMK
X-MailFrom: christian@keelapi.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [SCITT] Re: Question: Using SCITT-like transparency services for authority binding in AI decision records (draft-veridom-omp-01)
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/C7eoQ4__A05WORJO0GkQsdTgm_s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>
Hi Tolulope, I’m Christian Munoz, founder of Keel. We published the Keel Permit spec ( http://github.com/keelapi/keel-permit ), a specification for pre-execution AI action authorization records linked via canonical request digests recorded both before and after dispatch. I've been drafting a SCITT profile for it, so your post landed at a useful moment. Brief responses to your three questions: 1) Publishing instrument or authority-state hashes to a SCITT-style transparency service is a sane pattern. We've explored a related construction in Keel using per-scope hash chains with signed checkpoints anchored in audit-export bundles — linked-list record-hash + prev-hash rather than a Merkle tree, which gives us append-only tamper-evidence characteristics with different verification tradeoffs (O(n)-from-checkpoint rather than O(log n) inclusion). 2) Mapping onto SCITT artifacts feels natural; in our profile draft the Signed Statement / Receipt distinction maps to a (Permit, chain-entry-segment) pair. One thing worth flagging since OMP anchors on it: we don't currently claim strict RFC 8785 JCS compliance — our canonicalization spec calls this out explicitly — and I'd be curious about your experience with JCS in adversarial / cross-implementation contexts. 3) For omission and equivocation: the strongest construct we've found is independent commitment to the same canonical request bytes at two points — pre-execution (the Permit) and post-dispatch (the closure record). Matching digests across the two independently signed records makes after-the-fact swap of the authorized artifact detectable at the AI-action-authorization layer. Not a defense against log equivocation per se, but it raises the attack cost. A layer observation, since I think OMP and Permit may be operating at different but composable layers: OMP proves who could approve; Permit proves what was approved and that it equals what was sent. In a regulated AI-assisted decision both layers seem necessary. A thin reference slot in a Permit pointing to an OMP-style authority_binding artifact (URI + digest, no embedded semantics) would, I think, give composition without either profile absorbing the other. Happy to take any of this off-list if it's tangential. Best, Christian Munoz Founder, Keel API, Inc. keelapi.com · http://github.com/keelapi/keel-permit
- [SCITT] Question: Using SCITT-like transparency s… Tolulope
- [SCITT] Re: Question: Using SCITT-like transparen… Christian — Keel