[SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00

Iman Schrock <team@emiliaprotocol.ai> Wed, 01 July 2026 16:58 UTC

Return-Path: <team@emiliaprotocol.ai>
X-Original-To: scitt@mail2.ietf.org
Delivered-To: scitt@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 58F9E10BB4766 for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 09:58:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782925102; bh=wMziPIST8KNFycLhOLo6gWqVD1+8qki9RQGOJEwad0s=; h=References:In-Reply-To:From:Date:Subject:To; b=s35yXuKfqWH32tfK7pZcI2yOwJiQKuyUyDMqTvrD+YMGD5scxTHfK6pxlCCrlZqsc F9xkLn7ctt1ia+cv8AygqpoFeKQxsdoAn0b1Yd6yUJbq/Jl38MtQKXwz9NqVDQHTra IOxQiygTj/vuXdgkBbjQXet7Y2O3/CMXpRsWWaTQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=emiliaprotocol.ai
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AAJBdvzoBfxF for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 09:58:21 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5B55A10BB475F for <scitt@ietf.org>; Wed, 1 Jul 2026 09:58:21 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id d75a77b69052e-51c1372f84dso6553191cf.2 for <scitt@ietf.org>; Wed, 01 Jul 2026 09:58:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782925095; cv=none; d=google.com; s=arc-20260327; b=qk8knw47h00HBBwoieN/Csr0ydFf3iVkyUzaJ7PRxZ5bhkM1F+xBU6VaZAJDMvjRcp Pt170ud/RW9vmBeHnDnk7AmYISfO+vlcjzFsgaAz133TFHD6ZFyeQ+L1UIeUZXO6nZ2/ h3tlT9r21JITFfUKnuJ3ACPiVPwD8ntSKB513mD5flbPAisXf98Pwqf8z6hdmAjR9NdH Vf8ydV+BheyhwIZCUpDj/9dPcukFBS5gfP7CLYlryAaZ3ZEGtRbjHz1i9Ac2k/At4rh7 v1eGSYk7f0+ui1BUygqODzi6ksXe/zBKCUW7qTua2RbB3w8nQj9HlC2h/WBR6M3heT1M 5njw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=qw82rUbTCHAFeFO9xs+jIrBTdzSs3k0m+u5dV94gbF8=; fh=Anxmu+iCZVTaF0nwB+Di1xcbGc8IAUY7lT1BcRHJn1c=; b=Djtcks+kPTtzdRs2799L9zNsqnT0oCQzzbbtCXZvcrUUanaxhb/zjOWtuApdS+ow7l xpaIfrJl6jIsu9A6bQpp8uV4qE/oqWyUEzeT34DYLYxa3jx4kMT9TQPmR79hAGRjPjhh lrpskomPgugBY2Y5zV9cT2BlLK8JN8+/EU39h6JrBm9jP3XPFf9XdScsEuQ7FbS+rM35 KT5ywdRM1R8fEqH3T+mDKm2xiUb5cnNLT22MP8qvwhXtDFOcIISYAH9T1fPn5s49uUIJ /dcNKZ7PiS/my6O1ozFEcmLdWXE0RH87PkCoy8W5/2nUz5KWt7CWS9QTu4jj2ndpb6eW U3yQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emiliaprotocol.ai; s=google; t=1782925095; x=1783529895; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=qw82rUbTCHAFeFO9xs+jIrBTdzSs3k0m+u5dV94gbF8=; b=urGQ7SgcaGIOmkTWZ2rt8+bXNJiidy5zoTOuYmGlbPUQTZqpZAO8Oc3zcTCxpIjDmA wK8HngW/pXSrH4y4nmzf+T+XsYtTxTx7qQt9ybdJP2jtMYvr8EY7DHng5FIQHh+tiL1o NSZ86X1v49nOEHkBL5BxyqRxbTHsFJTaJZWqPWL86XeKKy8RMAS/B29QGw1zdPDujDE3 qCFU9RwBMdNxYJM6Wt032Pa61D+AUZRmMut6OLlxdm2VCjwKGpP9Ib0toSsPH9tMsdfv ctPpToTV68Ay75dT6OYMxiIXCgI11AgllDm3efvvd8nyNkQtPXImvpnMuo8TRXnKPZCe ziJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782925095; x=1783529895; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qw82rUbTCHAFeFO9xs+jIrBTdzSs3k0m+u5dV94gbF8=; b=GpiOCEIcD0TbhTUuQ2X++g7IgAEbfM3JzrOSC+eOyBiKNxkpYRqt8FdrjTMX3nyQSN 78KbLp5tVNrzRAF9XpuEtYBvn4wjpr+Zzwn+3aX/LBOSQMQSMlT/dBkmvFdQ34PZskR/ HngOhnMpsVgsvK7Syd0yk9H8VyT7ee4mH96ADpRVI2l+tZMDAY6mS2mrqUwwePpH86pY 9WEQ2LfyVUSfxPuStFl6moIb6cg+Y7ifmVZuA4uBbBf5qxmA+D3bjNZsXN5g9BQ3Hu3O QZAlNa8QZaLve+X9sXJvKwmWr/nr4/yQrQITnLTq3ldU2UCvnqfLPc7aPuxFsyUivcOQ NzrQ==
X-Gm-Message-State: AOJu0YzPWXxG3EaIc2J/iLgr09fOmj/wdiSCoi4TUfeKWdS9XtjImTYI CnZ1+QMW5L6usdMAni6v5TguXRgw4PqypsjQKqDojTm6qCxS+ABh6bwOfHzisZP9LwGgVyfWu8t o6zYZRIQ7ObsQpeuCkCOOI0BSRBzMfLD5p4wnu/1GW7T4+WUhNNTD8zy1Odw=
X-Gm-Gg: AfdE7cmaEmT4wTflT9AhXas//+tFUh5AmPAhPdjYgzcPMJA0nWOdmTmevMiCaJOtot5 LbzazN/uBUz+sulqyJZAyG24IitWmrQXuHPpDCtB/5Z23XppBDAHl/YqAOxTywFsUaP/kM7q6DB s6hr1m8Bl0fz20jQ+u7BP5/tytpSsgkuBhpPolZdMjAEFbOMr+BmMbLT3KgApvJNdtjKM7AuVFI AiZWcBL7gfFxE0AtixD+FoJ29D4/uDFVtsIWgjRXqZmqwnIMgDLSGf2iSQtTbJFLlUg6x8QU6Yi jx0jPSfQD7egTYvcTjCMloNCWD9KHPePQARFWEPMGkSOa+zxm16+5XcydTW4NEAambYnZKTwARz uYAclnqXQEg==
X-Received: by 2002:a05:622a:1b1c:b0:51c:a7b:f730 with SMTP id d75a77b69052e-51c2aeeab88mr20757791cf.33.1782925094125; Wed, 01 Jul 2026 09:58:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAJsPq9sB6FaCF5fc62_Q_UZUCwjyoTDZ7koO4FXt+TRTqkGD3A@mail.gmail.com> <CAJsPq9unHDdqfbZ3NNtn6onCdX+ShPQcePCiZtEC3sLmoU+O9Q@mail.gmail.com> <CAFLkQy9LXbkG9vPqO-FSsmKW-_bEtBYt9kR+xP7bv5NAR4c+zw@mail.gmail.com>
In-Reply-To: <CAFLkQy9LXbkG9vPqO-FSsmKW-_bEtBYt9kR+xP7bv5NAR4c+zw@mail.gmail.com>
From: Iman Schrock <team@emiliaprotocol.ai>
Date: Wed, 01 Jul 2026 09:58:03 -0700
X-Gm-Features: AVVi8CcRXSiIXm5Kfzf8_4euZMEeJYX7FWXktfcNvmYCYNFbItxJqE4YrHwFb6A
Message-ID: <CAOfgHgpcVHY+YS_x9uuL+J7Q=9Egqp1xX2DeCcX8_On54z_H9Q@mail.gmail.com>
To: scitt@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e5926006558f98d8"
Message-ID-Hash: S23XT644RERPNG4YUEQFJOKTW62WCMNI
X-Message-ID-Hash: S23XT644RERPNG4YUEQFJOKTW62WCMNI
X-MailFrom: team@emiliaprotocol.ai
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/ZPAuAVHCI9BH_VRX17PAxvMmiIk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>

Steven, Tom, all,

Great thread — the pieces are composing into one chain, and I think there's
a clean fourth leg that's implied here but not yet named as its own SCITT
statement profile.

Mapping what's on the table:
- permit-profile / agentroa route-authorization → CAN: permission was
granted (the workload may act).
- EMILIA authorization receipt → WHO: a specific, named human (or a quorum
of humans) authorized this exact action — portable, offline-verifiable, no
trust in the operator.
- Steven's Capsule → WHAT: a digest-committed record of what the agent
actually did, verdict-complete.
- Tom's GAR → the kernel-side enforcement/audit log that can produce these
statements.

So the chain reads: permit (CAN) → EMILIA receipt (WHO authorized —
accountable human) → Capsule (WHAT was done) → GAR (audit log). Four
complementary profiles over one transparency service, each answering a
different question.

The "WHO" leg is worth naming distinctly because "authorization" is
overloaded: permit/agentroa establish machine/scope permission; EMILIA
establishes that an accountable named human approved the exact action. Both
are needed; they're not the same statement.

Like the Capsule, the EMILIA receipt is verdict-complete (a missing or
refused human approval is itself a signed, provable event) and
byte-deterministic (JCS / RFC 8785), and it rides as a SCITT Signed
Statement the same way: COSE_Sign1 over the receipt's JCS-canonical payload
(Ed25519), registered via SCRAPI. Cross-language verifiers (JS/Python/Go)
agree on a shared vector set, and there's a runnable register → receipt →
verify demo.

- Profile:
https://github.com/emiliaprotocol/emilia-protocol/blob/main/docs/EP-RECEIPT-SCITT-PROFILE.md
- Runnable end-to-end:
https://github.com/emiliaprotocol/emilia-protocol/blob/main/examples/scitt/ep-receipt-scitt-end-to-end.mjs
- I-D: draft-schrock-ep-authorization-receipts (
https://datatracker.ietf.org/doc/draft-schrock-ep-authorization-receipts/)

I'd genuinely welcome being told where the "WHO" is already served by
permit/agentroa, or where an EMILIA statement composes badly with the
Capsule. And +1 to naming the cluster — if an agentproto BOF is forming, a
shared CAN / WHO / WHAT / audit decomposition might be a useful frame to
walk in with.

Thanks,
Iman Schrock
EMILIA Protocol · team@emiliaprotocol.ai

On Wed, Jul 01, 2026 04:14 AM, toshiyuki sato <tomsato@myauberge.jp> wrote:

> Hi Steven,
>
> Thank you for this — the Agent Action Capsule addresses exactly the right
> problem at the SCITT layer, and the design choices (verdict-complete audit
> trail, byte-level determinism via JCS) are ones we've independently arrived
> at in the SOOS project from the kernel side.
>
> I wanted to introduce a related set of drafts that may be useful context
> for the Capsule profile, specifically around what produces the statements
> that a Capsule-based transparency service would receive.
>
> The SOOS project (draft-sato-soos-*, 19 Internet-Drafts submitted to
> Datatracker ahead of the July 6 cutoff) defines a governance kernel
> architecture for agentic AI systems. The piece most directly relevant here
> is GAR (Governance Audit Record, draft-sato-soos-gar): a causally-ordered,
> append-only governance log produced by the kernel's Governing Enforcement
> Component (GEC), structured as a semantic convention layer on
> OpenTelemetry. GAR Session Blocks — Merkle-rooted, KIA-signed collections
> of Authority Lifecycle Events — are the natural upstream producer of SCITT
> Signed Statements: the Session Block Merkle root and KIA signature map
> directly onto the SCITT issuer-signed statement model.
>
> Two points of contact with the Capsule design:
>
> 1. Verdict completeness. GAR records every Authority Lifecycle Event
> including enforcement refusals (ALE-059: ACD_VALIDATION_FAILED), policy
> blocks, and HEM escalations — not just successful actions. The same
> survivorship-bias argument you make for Capsules applies at the kernel
> level: a gate firing is itself a governance event and must be in the audit
> record.
>
> 2. The producer/consumer boundary. The Capsule profile defines what a
> SCITT statement for agent actions looks like at the transparency service
> layer. GAR defines what the kernel-side enforcement log looks like before
> it becomes a SCITT statement. A SOOS kernel emitting GAR Session Blocks as
> SCITT Signed Statements would give Capsule verifiers a kernel-attested,
> tamper-evident source — the GEC signature (KIA private key, RFC 9334
> attester model) provides the root of trust that the Capsule's digest
> commitment relies on.
>
> I've also been following the permit-profile and
> agentroa-route-authorization work you reference. GAR's ACD compliance
> handshake events (draft-sato-soos-acd) sit between those authorization
> records and the execution record your Capsule captures — pre-execution
> compliance disclosure → Capsule execution record → GAR audit log is a
> complete chain.
>
> Full draft index: https://soosproject.ai/drafts
> GAR specifically: https://datatracker.ietf.org/doc/draft-sato-soos-gar/
>
> Happy to discuss further on-list or at Vienna if you're attending.
>
> Best regards,
> Tom Sato
> CEO, MyAuberge K.K.
> tomsato@myauberge.jp
> https://soosproject.ai
>
> 2026年6月20日(土) 4:38 Steven Mih <steven=40actionstate.ai@dmarc.ietf.org>:
>
>> Hi all,
>> Two quick updates on the Agent Action Capsule profile for SCITT, plus
>> a companion draft for review.
>> -01 is posted:
>> https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule/
>>
>> The reference implementation is now public. You can reproduce the
>> byte-level determinism in about a minute:
>>
>> git clone https://github.com/action-state-group/agent-action-capsule
>> cd agent-action-capsule && pip install -e python
>> agent-action-capsule verify
>> test-vectors/pos-executed-confirmed/input.json    # ok: true
>> agent-action-capsule verify
>> test-vectors/neg-capsule-id-mismatch/input.json   # ok: false
>> (capsule_id mismatch)
>>
>> A conformant Capsule recomputes its content-address and passes; a
>> tampered one is rejected. The same vectors pass under two independent
>> implementations (Python and Go) with zero divergences. The repo also
>> has the spec source, the profile's interim registry, and
>> positive/negative vectors for every verdict class and check.
>>
>> Companion (selective disclosure): I've filed "Selective Disclosure
>> Profile for Agent Action Capsules"
>> (draft-mih-scitt-agent-action-capsule-sel-disc-00):
>>
>> https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule-sel-disc/
>>
>> It does per-field selective disclosure of the JSON Capsule payload
>> (salted-hash commitments, decoy digests, disclosed [salt, name, value]
>> triples), following SD-JWT (RFC 9901), with JCS (RFC 8785) as the
>> canonicalization: already the base profile's canonical form. SD-CWT
>> (draft-ietf-spice-sd-cwt) is the CBOR sibling, and the profile stays
>> aligned with that SPICE work. It targets one signed Capsule serving
>> verifiers with different entitlements: a regulator gets every field,
>> an auditing partner only the disposition, without re-signing.
>> Disclosable fields are enumerated; the fields the base verifier needs
>> for the dispatched-vs-confirmed distinction are non-concealable.
>>
>> Two questions I have and welcome views:
>> fit with SCITT registration policy for these statement profiles; and
>> whether the companion should track SD-CWT (draft-ietf-spice-sd-cwt)
>> more tightly, rather than the SD-JWT / JSON model it follows now.
>>
>> Earlier asks still stand and are now in the implementation: the
>> provisional protected-header claim set (Section 3.1) and open/deferred
>> items via chained superseding Capsules (Section 5.4.4).
>>
>> Both are individual submissions, not WG documents and not RFCs; the
>> substrate (SCITT architecture, COSE Receipts) is itself pre-RFC. Code
>> components are royalty-free.
>>
>> Steven Mih
>> Action State Group, Inc.
>> On Sat, Jun 13, 2026 at 1:03 PM <steven@actionstate.ai> wrote:
>> >
>> > Hello SCITT Working Group,
>> >
>> > I've submitted a new individual draft, "An Agent Action Capsule Profile
>> for SCITT" (draft-mih-scitt-agent-action-capsule-00).
>> >
>> > The profile defines a SCITT statement profile for the "did" layer of AI
>> agent actions — a digest-committed record of what an agent actually did,
>> structurally binding the observed response so that a dispatched attempt
>> cannot be presented as a completed effect. It's intended to complement, not
>> overlap, the pre-execution authorization work already in this space (e.g.
>> draft-munoz-scitt-permit-profile and
>> draft-nivalto-agentroa-route-authorization): authorization records prove
>> permission was granted; Capsules record what occurred, including refusals.
>> >
>> > Two design choices I'd particularly value the group's eyes on:
>> >
>> > A Capsule on every verdict. Refusals, blocks, and timeouts are recorded
>> as affirmative evidence, not just successes — so the audit trail isn't
>> survivorship-biased and a gate firing is itself provable.
>> >
>> > Byte-level determinism. Verification relies strictly on JCS
>> canonicalization and exact decimal strings, reproducible by any
>> payload-bearing verifier without model re-prompting or heuristics.
>> >
>> > The two areas where I'd most welcome feedback are the provisional
>> protected-header claim set (Section 3.1) and the handling of open and
>> deferred items via chained superseding Capsules (Section 5.4.4).
>> >
>> > The draft is informed by an active reference implementation. IPR
>> disclosures for this draft have been filed and are being processed by the
>> datatracker; the declared licensing terms are royalty-free.
>> >
>> > I'd be glad to walk through the profile briefly if there's interest
>> from the group or the chairs. Feedback on-list is very welcome.
>> >
>> > Respectfully,
>> > Steven Mih
>> > Action State Group, Inc.
>>
>> --
>> SCITT mailing list -- scitt@ietf.org
>> To unsubscribe send an email to scitt-leave@ietf.org
>>
>
>
> --
>
> Tom Sato
> 佐藤俊之
> 代表取締役CEO
> マイオーベルジュ株式会社
> 090-6315-1325
> tomsato@myauberge.jp
> --
> SCITT mailing list -- scitt@ietf.org
> To unsubscribe send an email to scitt-leave@ietf.org
>