[SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00
Iman Schrock <team@emiliaprotocol.ai> Wed, 01 July 2026 16:58 UTC
Return-Path: <team@emiliaprotocol.ai>
X-Original-To: scitt@mail2.ietf.org
Delivered-To: scitt@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 58F9E10BB4766 for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 09:58:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782925102; bh=wMziPIST8KNFycLhOLo6gWqVD1+8qki9RQGOJEwad0s=; h=References:In-Reply-To:From:Date:Subject:To; b=s35yXuKfqWH32tfK7pZcI2yOwJiQKuyUyDMqTvrD+YMGD5scxTHfK6pxlCCrlZqsc F9xkLn7ctt1ia+cv8AygqpoFeKQxsdoAn0b1Yd6yUJbq/Jl38MtQKXwz9NqVDQHTra IOxQiygTj/vuXdgkBbjQXet7Y2O3/CMXpRsWWaTQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=emiliaprotocol.ai
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AAJBdvzoBfxF for <scitt@mail2.ietf.org>; Wed, 1 Jul 2026 09:58:21 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5B55A10BB475F for <scitt@ietf.org>; Wed, 1 Jul 2026 09:58:21 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id d75a77b69052e-51c1372f84dso6553191cf.2 for <scitt@ietf.org>; Wed, 01 Jul 2026 09:58:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782925095; cv=none; d=google.com; s=arc-20260327; b=qk8knw47h00HBBwoieN/Csr0ydFf3iVkyUzaJ7PRxZ5bhkM1F+xBU6VaZAJDMvjRcp Pt170ud/RW9vmBeHnDnk7AmYISfO+vlcjzFsgaAz133TFHD6ZFyeQ+L1UIeUZXO6nZ2/ h3tlT9r21JITFfUKnuJ3ACPiVPwD8ntSKB513mD5flbPAisXf98Pwqf8z6hdmAjR9NdH Vf8ydV+BheyhwIZCUpDj/9dPcukFBS5gfP7CLYlryAaZ3ZEGtRbjHz1i9Ac2k/At4rh7 v1eGSYk7f0+ui1BUygqODzi6ksXe/zBKCUW7qTua2RbB3w8nQj9HlC2h/WBR6M3heT1M 5njw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=qw82rUbTCHAFeFO9xs+jIrBTdzSs3k0m+u5dV94gbF8=; fh=Anxmu+iCZVTaF0nwB+Di1xcbGc8IAUY7lT1BcRHJn1c=; b=Djtcks+kPTtzdRs2799L9zNsqnT0oCQzzbbtCXZvcrUUanaxhb/zjOWtuApdS+ow7l xpaIfrJl6jIsu9A6bQpp8uV4qE/oqWyUEzeT34DYLYxa3jx4kMT9TQPmR79hAGRjPjhh lrpskomPgugBY2Y5zV9cT2BlLK8JN8+/EU39h6JrBm9jP3XPFf9XdScsEuQ7FbS+rM35 KT5ywdRM1R8fEqH3T+mDKm2xiUb5cnNLT22MP8qvwhXtDFOcIISYAH9T1fPn5s49uUIJ /dcNKZ7PiS/my6O1ozFEcmLdWXE0RH87PkCoy8W5/2nUz5KWt7CWS9QTu4jj2ndpb6eW U3yQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emiliaprotocol.ai; s=google; t=1782925095; x=1783529895; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=qw82rUbTCHAFeFO9xs+jIrBTdzSs3k0m+u5dV94gbF8=; b=urGQ7SgcaGIOmkTWZ2rt8+bXNJiidy5zoTOuYmGlbPUQTZqpZAO8Oc3zcTCxpIjDmA wK8HngW/pXSrH4y4nmzf+T+XsYtTxTx7qQt9ybdJP2jtMYvr8EY7DHng5FIQHh+tiL1o NSZ86X1v49nOEHkBL5BxyqRxbTHsFJTaJZWqPWL86XeKKy8RMAS/B29QGw1zdPDujDE3 qCFU9RwBMdNxYJM6Wt032Pa61D+AUZRmMut6OLlxdm2VCjwKGpP9Ib0toSsPH9tMsdfv ctPpToTV68Ay75dT6OYMxiIXCgI11AgllDm3efvvd8nyNkQtPXImvpnMuo8TRXnKPZCe ziJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782925095; x=1783529895; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qw82rUbTCHAFeFO9xs+jIrBTdzSs3k0m+u5dV94gbF8=; b=GpiOCEIcD0TbhTUuQ2X++g7IgAEbfM3JzrOSC+eOyBiKNxkpYRqt8FdrjTMX3nyQSN 78KbLp5tVNrzRAF9XpuEtYBvn4wjpr+Zzwn+3aX/LBOSQMQSMlT/dBkmvFdQ34PZskR/ HngOhnMpsVgsvK7Syd0yk9H8VyT7ee4mH96ADpRVI2l+tZMDAY6mS2mrqUwwePpH86pY 9WEQ2LfyVUSfxPuStFl6moIb6cg+Y7ifmVZuA4uBbBf5qxmA+D3bjNZsXN5g9BQ3Hu3O QZAlNa8QZaLve+X9sXJvKwmWr/nr4/yQrQITnLTq3ldU2UCvnqfLPc7aPuxFsyUivcOQ NzrQ==
X-Gm-Message-State: AOJu0YzPWXxG3EaIc2J/iLgr09fOmj/wdiSCoi4TUfeKWdS9XtjImTYI CnZ1+QMW5L6usdMAni6v5TguXRgw4PqypsjQKqDojTm6qCxS+ABh6bwOfHzisZP9LwGgVyfWu8t o6zYZRIQ7ObsQpeuCkCOOI0BSRBzMfLD5p4wnu/1GW7T4+WUhNNTD8zy1Odw=
X-Gm-Gg: AfdE7cmaEmT4wTflT9AhXas//+tFUh5AmPAhPdjYgzcPMJA0nWOdmTmevMiCaJOtot5 LbzazN/uBUz+sulqyJZAyG24IitWmrQXuHPpDCtB/5Z23XppBDAHl/YqAOxTywFsUaP/kM7q6DB s6hr1m8Bl0fz20jQ+u7BP5/tytpSsgkuBhpPolZdMjAEFbOMr+BmMbLT3KgApvJNdtjKM7AuVFI AiZWcBL7gfFxE0AtixD+FoJ29D4/uDFVtsIWgjRXqZmqwnIMgDLSGf2iSQtTbJFLlUg6x8QU6Yi jx0jPSfQD7egTYvcTjCMloNCWD9KHPePQARFWEPMGkSOa+zxm16+5XcydTW4NEAambYnZKTwARz uYAclnqXQEg==
X-Received: by 2002:a05:622a:1b1c:b0:51c:a7b:f730 with SMTP id d75a77b69052e-51c2aeeab88mr20757791cf.33.1782925094125; Wed, 01 Jul 2026 09:58:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAJsPq9sB6FaCF5fc62_Q_UZUCwjyoTDZ7koO4FXt+TRTqkGD3A@mail.gmail.com> <CAJsPq9unHDdqfbZ3NNtn6onCdX+ShPQcePCiZtEC3sLmoU+O9Q@mail.gmail.com> <CAFLkQy9LXbkG9vPqO-FSsmKW-_bEtBYt9kR+xP7bv5NAR4c+zw@mail.gmail.com>
In-Reply-To: <CAFLkQy9LXbkG9vPqO-FSsmKW-_bEtBYt9kR+xP7bv5NAR4c+zw@mail.gmail.com>
From: Iman Schrock <team@emiliaprotocol.ai>
Date: Wed, 01 Jul 2026 09:58:03 -0700
X-Gm-Features: AVVi8CcRXSiIXm5Kfzf8_4euZMEeJYX7FWXktfcNvmYCYNFbItxJqE4YrHwFb6A
Message-ID: <CAOfgHgpcVHY+YS_x9uuL+J7Q=9Egqp1xX2DeCcX8_On54z_H9Q@mail.gmail.com>
To: scitt@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e5926006558f98d8"
Message-ID-Hash: S23XT644RERPNG4YUEQFJOKTW62WCMNI
X-Message-ID-Hash: S23XT644RERPNG4YUEQFJOKTW62WCMNI
X-MailFrom: team@emiliaprotocol.ai
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [SCITT] Re: New individual submission: draft-mih-scitt-agent-action-capsule-00
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/ZPAuAVHCI9BH_VRX17PAxvMmiIk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>
Steven, Tom, all, Great thread — the pieces are composing into one chain, and I think there's a clean fourth leg that's implied here but not yet named as its own SCITT statement profile. Mapping what's on the table: - permit-profile / agentroa route-authorization → CAN: permission was granted (the workload may act). - EMILIA authorization receipt → WHO: a specific, named human (or a quorum of humans) authorized this exact action — portable, offline-verifiable, no trust in the operator. - Steven's Capsule → WHAT: a digest-committed record of what the agent actually did, verdict-complete. - Tom's GAR → the kernel-side enforcement/audit log that can produce these statements. So the chain reads: permit (CAN) → EMILIA receipt (WHO authorized — accountable human) → Capsule (WHAT was done) → GAR (audit log). Four complementary profiles over one transparency service, each answering a different question. The "WHO" leg is worth naming distinctly because "authorization" is overloaded: permit/agentroa establish machine/scope permission; EMILIA establishes that an accountable named human approved the exact action. Both are needed; they're not the same statement. Like the Capsule, the EMILIA receipt is verdict-complete (a missing or refused human approval is itself a signed, provable event) and byte-deterministic (JCS / RFC 8785), and it rides as a SCITT Signed Statement the same way: COSE_Sign1 over the receipt's JCS-canonical payload (Ed25519), registered via SCRAPI. Cross-language verifiers (JS/Python/Go) agree on a shared vector set, and there's a runnable register → receipt → verify demo. - Profile: https://github.com/emiliaprotocol/emilia-protocol/blob/main/docs/EP-RECEIPT-SCITT-PROFILE.md - Runnable end-to-end: https://github.com/emiliaprotocol/emilia-protocol/blob/main/examples/scitt/ep-receipt-scitt-end-to-end.mjs - I-D: draft-schrock-ep-authorization-receipts ( https://datatracker.ietf.org/doc/draft-schrock-ep-authorization-receipts/) I'd genuinely welcome being told where the "WHO" is already served by permit/agentroa, or where an EMILIA statement composes badly with the Capsule. And +1 to naming the cluster — if an agentproto BOF is forming, a shared CAN / WHO / WHAT / audit decomposition might be a useful frame to walk in with. Thanks, Iman Schrock EMILIA Protocol · team@emiliaprotocol.ai On Wed, Jul 01, 2026 04:14 AM, toshiyuki sato <tomsato@myauberge.jp> wrote: > Hi Steven, > > Thank you for this — the Agent Action Capsule addresses exactly the right > problem at the SCITT layer, and the design choices (verdict-complete audit > trail, byte-level determinism via JCS) are ones we've independently arrived > at in the SOOS project from the kernel side. > > I wanted to introduce a related set of drafts that may be useful context > for the Capsule profile, specifically around what produces the statements > that a Capsule-based transparency service would receive. > > The SOOS project (draft-sato-soos-*, 19 Internet-Drafts submitted to > Datatracker ahead of the July 6 cutoff) defines a governance kernel > architecture for agentic AI systems. The piece most directly relevant here > is GAR (Governance Audit Record, draft-sato-soos-gar): a causally-ordered, > append-only governance log produced by the kernel's Governing Enforcement > Component (GEC), structured as a semantic convention layer on > OpenTelemetry. GAR Session Blocks — Merkle-rooted, KIA-signed collections > of Authority Lifecycle Events — are the natural upstream producer of SCITT > Signed Statements: the Session Block Merkle root and KIA signature map > directly onto the SCITT issuer-signed statement model. > > Two points of contact with the Capsule design: > > 1. Verdict completeness. GAR records every Authority Lifecycle Event > including enforcement refusals (ALE-059: ACD_VALIDATION_FAILED), policy > blocks, and HEM escalations — not just successful actions. The same > survivorship-bias argument you make for Capsules applies at the kernel > level: a gate firing is itself a governance event and must be in the audit > record. > > 2. The producer/consumer boundary. The Capsule profile defines what a > SCITT statement for agent actions looks like at the transparency service > layer. GAR defines what the kernel-side enforcement log looks like before > it becomes a SCITT statement. A SOOS kernel emitting GAR Session Blocks as > SCITT Signed Statements would give Capsule verifiers a kernel-attested, > tamper-evident source — the GEC signature (KIA private key, RFC 9334 > attester model) provides the root of trust that the Capsule's digest > commitment relies on. > > I've also been following the permit-profile and > agentroa-route-authorization work you reference. GAR's ACD compliance > handshake events (draft-sato-soos-acd) sit between those authorization > records and the execution record your Capsule captures — pre-execution > compliance disclosure → Capsule execution record → GAR audit log is a > complete chain. > > Full draft index: https://soosproject.ai/drafts > GAR specifically: https://datatracker.ietf.org/doc/draft-sato-soos-gar/ > > Happy to discuss further on-list or at Vienna if you're attending. > > Best regards, > Tom Sato > CEO, MyAuberge K.K. > tomsato@myauberge.jp > https://soosproject.ai > > 2026年6月20日(土) 4:38 Steven Mih <steven=40actionstate.ai@dmarc.ietf.org>: > >> Hi all, >> Two quick updates on the Agent Action Capsule profile for SCITT, plus >> a companion draft for review. >> -01 is posted: >> https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule/ >> >> The reference implementation is now public. You can reproduce the >> byte-level determinism in about a minute: >> >> git clone https://github.com/action-state-group/agent-action-capsule >> cd agent-action-capsule && pip install -e python >> agent-action-capsule verify >> test-vectors/pos-executed-confirmed/input.json # ok: true >> agent-action-capsule verify >> test-vectors/neg-capsule-id-mismatch/input.json # ok: false >> (capsule_id mismatch) >> >> A conformant Capsule recomputes its content-address and passes; a >> tampered one is rejected. The same vectors pass under two independent >> implementations (Python and Go) with zero divergences. The repo also >> has the spec source, the profile's interim registry, and >> positive/negative vectors for every verdict class and check. >> >> Companion (selective disclosure): I've filed "Selective Disclosure >> Profile for Agent Action Capsules" >> (draft-mih-scitt-agent-action-capsule-sel-disc-00): >> >> https://datatracker.ietf.org/doc/draft-mih-scitt-agent-action-capsule-sel-disc/ >> >> It does per-field selective disclosure of the JSON Capsule payload >> (salted-hash commitments, decoy digests, disclosed [salt, name, value] >> triples), following SD-JWT (RFC 9901), with JCS (RFC 8785) as the >> canonicalization: already the base profile's canonical form. SD-CWT >> (draft-ietf-spice-sd-cwt) is the CBOR sibling, and the profile stays >> aligned with that SPICE work. It targets one signed Capsule serving >> verifiers with different entitlements: a regulator gets every field, >> an auditing partner only the disposition, without re-signing. >> Disclosable fields are enumerated; the fields the base verifier needs >> for the dispatched-vs-confirmed distinction are non-concealable. >> >> Two questions I have and welcome views: >> fit with SCITT registration policy for these statement profiles; and >> whether the companion should track SD-CWT (draft-ietf-spice-sd-cwt) >> more tightly, rather than the SD-JWT / JSON model it follows now. >> >> Earlier asks still stand and are now in the implementation: the >> provisional protected-header claim set (Section 3.1) and open/deferred >> items via chained superseding Capsules (Section 5.4.4). >> >> Both are individual submissions, not WG documents and not RFCs; the >> substrate (SCITT architecture, COSE Receipts) is itself pre-RFC. Code >> components are royalty-free. >> >> Steven Mih >> Action State Group, Inc. >> On Sat, Jun 13, 2026 at 1:03 PM <steven@actionstate.ai> wrote: >> > >> > Hello SCITT Working Group, >> > >> > I've submitted a new individual draft, "An Agent Action Capsule Profile >> for SCITT" (draft-mih-scitt-agent-action-capsule-00). >> > >> > The profile defines a SCITT statement profile for the "did" layer of AI >> agent actions — a digest-committed record of what an agent actually did, >> structurally binding the observed response so that a dispatched attempt >> cannot be presented as a completed effect. It's intended to complement, not >> overlap, the pre-execution authorization work already in this space (e.g. >> draft-munoz-scitt-permit-profile and >> draft-nivalto-agentroa-route-authorization): authorization records prove >> permission was granted; Capsules record what occurred, including refusals. >> > >> > Two design choices I'd particularly value the group's eyes on: >> > >> > A Capsule on every verdict. Refusals, blocks, and timeouts are recorded >> as affirmative evidence, not just successes — so the audit trail isn't >> survivorship-biased and a gate firing is itself provable. >> > >> > Byte-level determinism. Verification relies strictly on JCS >> canonicalization and exact decimal strings, reproducible by any >> payload-bearing verifier without model re-prompting or heuristics. >> > >> > The two areas where I'd most welcome feedback are the provisional >> protected-header claim set (Section 3.1) and the handling of open and >> deferred items via chained superseding Capsules (Section 5.4.4). >> > >> > The draft is informed by an active reference implementation. IPR >> disclosures for this draft have been filed and are being processed by the >> datatracker; the declared licensing terms are royalty-free. >> > >> > I'd be glad to walk through the profile briefly if there's interest >> from the group or the chairs. Feedback on-list is very welcome. >> > >> > Respectfully, >> > Steven Mih >> > Action State Group, Inc. >> >> -- >> SCITT mailing list -- scitt@ietf.org >> To unsubscribe send an email to scitt-leave@ietf.org >> > > > -- > > Tom Sato > 佐藤俊之 > 代表取締役CEO > マイオーベルジュ株式会社 > 090-6315-1325 > tomsato@myauberge.jp > -- > SCITT mailing list -- scitt@ietf.org > To unsubscribe send an email to scitt-leave@ietf.org >
- [SCITT] New individual submission: draft-mih-scit… steven
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Iman Schrock
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… toshiyuki sato
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu
- [SCITT] Re: New individual submission: draft-mih-… Steven Mih
- [SCITT] Re: New individual submission: draft-mih-… Songbo Bu