<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-mih-sato-agent-accountability-composition-00" category="info" submissionType="IETF">
  <front>
    <title abbrev="Agent Accountability Composition">Agent Accountability: Composition and Conformance</title>

    <author initials="S." surname="Mih" fullname="Steven Mih">
      <organization>Action State Group, Inc.</organization>
      <address>
        <email>steven@actionstate.ai</email>
      </address>
    </author>
    <author initials="T." surname="Sato" fullname="Tom Sato">
      <organization>MyAuberge K.K.</organization>
      <address>
        <postal>
          <country>Japan</country>
        </postal>
        <email>tomsato@myauberge.jp</email>
      </address>
    </author>
    <author initials="S." surname="Bu" fullname="Songbo Bu">
      <organization>Independent</organization>
      <address>
        <email>bluedognull@gmail.com</email>
      </address>
    </author>
    <author initials="I." surname="Schrock" fullname="Iman Schrock">
      <organization>EMILIA Protocol, Inc.</organization>
      <address>
        <email>team@emiliaprotocol.ai</email>
      </address>
    </author>

    <date year="2026" month="July" day="05"/>

    <area>Security</area>
    
    <keyword>agent</keyword> <keyword>accountability</keyword> <keyword>audit</keyword> <keyword>SCITT</keyword> <keyword>composition</keyword> <keyword>conformance</keyword> <keyword>attestation</keyword>

    <abstract>


<?line 39?>

<t>Autonomous and semi-autonomous software agents increasingly take consequential
actions across administrative and trust domains. Holding such an action
accountable — to a regulator, auditor, or counterparty who does not trust the
operator — requires answering several questions, each answerable by an
independently-verifiable profile: whether the agent was permitted to act (CAN),
which accountable human authorized the specific action (WHO), what the agent
actually did (WHAT), and whether the runtime enforced correctly (AUDIT).</t>

<t>This document specifies, in Informational terms, how such profiles compose — by a
shared action-digest, each verifying independently — and defines a shared
conformance-vector suite against which any profile may be tested. It complements
existing audit-architecture and record-format work rather than replacing it,
reusing existing signing, transport, and transparency mechanisms. Its focus is an
assurance tier those documents leave open: most agent records today are
self-attested by an interested party; this document makes reachable and testable an
anchored, third-party-verifiable tier, in which a record is registered to a
transparency service (SCITT) so a party who trusts neither the agent nor the
operator can verify it. Self-attestation remains a valid baseline; convergence on
the disinterested tier — by any conforming profile — is the goal, not a single
mandated format.</t>



    </abstract>



  </front>

  <middle>


<?line 62?>

<section anchor="introduction"><name>Introduction</name>

<t>Autonomous agents are non-deterministic, act without per-step human oversight, cross
administrative and trust boundaries, and delegate to other agents. The assumptions that
let earlier systems be trusted — predictability, runtime supervision, a nameable human in
the loop — do not hold by default. When behaviour cannot be supervised as it happens, trust
must relocate to evidence that can be checked afterward and, because agents act across
organizational boundaries, checked without trusting the operator.</t>

<t>Identity and authorization are necessary but not sufficient: they establish which agent and
what it was permitted to do, but the risks that characterize agent systems — goal drift,
prompt injection, fabricated tool results, action outside scope — occur in the gap between
what was authorized and what was actually done. Holding a consequential agent action
accountable therefore requires answering several questions, each answerable by an
independently-verifiable profile: whether the agent was permitted to act (CAN), which
accountable human authorized the specific action (WHO), what the agent actually did (WHAT),
and whether the runtime enforced correctly (AUDIT).</t>

<t>This document does not define a new audit architecture; it complements the existing architecture
and record-format work in this space (see Relationship to Existing Work) and specifies the piece
they leave open: how profiles answering these questions compose, by a shared action-digest, into
one record, and how conformance — both to that composition and to an anchored, third-party-verifiable
assurance tier — is tested. Two principles frame it: (1) composition by shared digest, not
containment — each profile verifies independently and refers to the same action by a shared digest;
and (2) producer-agnostic neutrality — no profile is a required root of trust for another. The set
of questions is open and extensible (agent identity and belief-provenance are natural further slots),
and the composed evidence serves both after-the-fact accountability and the forward-looking
authorization and trust decisions that rely on it.</t>

<section anchor="terminology"><name>Terminology</name>

<t>Slot; profile; composition vector; profile-tagged digest; trust root. [Define in a
later revision; align with the constituent-profile terminology.]</t>

</section>
</section>
<section anchor="overview-questions-and-composition"><name>Overview: Questions and Composition</name>

<t>The work centers on a set of interchangeable <strong>slots</strong>, each a question that a
conforming <strong>profile</strong> answers:</t>

<t><list style="symbols">
  <t><strong>CAN</strong> — the "may": was the agent permitted to act?</t>
  <t><strong>WHO</strong> — which accountable human authorized this exact action?</t>
  <t><strong>WHAT</strong> — the "did": what did the agent actually do (verdict-complete; a byte-stable serialization of the observed record, not a replay)?</t>
  <t><strong>AUDIT</strong> — did the runtime enforce correctly, in causal order, tamper-evidently?</t>
</list></t>

<t>Any conforming profile may fill a slot; the profiles cited in this document are the
first instances, not the definition. An action fills the slots its trust
requirement calls for; not every action populates every slot. The set is extensible
(see Extension Points).</t>

</section>
<section anchor="the-composition-model"><name>The Composition Model</name>

<t>Profiles compose by reference to a shared <strong>subject digest</strong> over the action —
<spanx style="verb">subject_digest = SHA-256(JCS(action))</spanx> — which is the join key all slots refer to.
A profile-tagged <strong>authority-reference digest</strong> binds a slot's evidence to the
registered object it commits to, and a <strong>receipt-payload digest</strong> binds transparency
receipts. Digests committing to signed bytes require deterministic encoding.</t>

<t>Digest equality is a join key: it does not, by itself, prove truth, authorization,
sufficiency, completeness, or policy compliance. Native profile verification, digest
recomputation, receipt or transparency verification, completeness and sequencing
checks, and relying-party acceptance remain separate results.</t>

<t>[Full three-digest binding rules, profile-label discipline, and raw-bytes-vs-ASCII
-hex rules to be imported from the digest-binding thread / conformance issue in a
later revision.]</t>

</section>
<section anchor="trust-root-separation"><name>Trust-Root Separation</name>

<t>Each slot may root in a different trust anchor (e.g. a human device key, a kernel
attestation key (<xref target="RFC9334"/>), a transparency-log operator). The composition holds even if any one
party is compromised or under review. No slot is a required root of trust for
another; profiles remain producer-agnostic.</t>

</section>
<section anchor="slot-profiles"><name>Slot Profiles</name>

<t>The profiles in this section are first instances filling the slots named above,
recorded so the composition can be tested against something concrete. They are not
the slot definitions; any conforming profile may fill a slot (see Overview). Each
profile's text is contributed and maintained by its authors.</t>

<section anchor="the-can-slot"><name>The CAN Slot</name>

<t>[Profile text to be contributed by the slot's owners.]</t>

</section>
<section anchor="the-who-slot-named-human-authorization"><name>The WHO Slot: Named-Human Authorization</name>

<t>The WHO slot answers a single question: which named, accountable human — or quorum
of distinct humans — authorized this exact action before it ran. It is deliberately
narrow. It does not define the composition model itself, a sufficiency or policy
decision, a new audit-record format, or a replacement for agent or workload
identity: "which agent acted" is a different slot, and "was this authorization
sufficient for this action" is a layer above the composition. It binds the
authorization to the exact observed action by the composition's shared action
digest — the subject digest of the Composition Model — and exposes the binding
metadata a composition verifier needs, and nothing more. Digest equality itself
neither authorizes the action nor proves completeness.</t>

<t>In the first-instance profile (<xref target="I-D.schrock-human-authorization-binding"/>, with
the receipt format in <xref target="I-D.schrock-ep-authorization-receipts"/>), the WHO record is
an authorization receipt: a device-bound signature by a named principal — or a set
of distinct principals — over the canonical bytes of one action, verifiable offline
against the signer's public key. Any record form meeting the producer and verifier
requirements below conforms.</t>

<t>A conforming WHO producer MUST state: the authorizing principal identifier(s) — the
named human(s), not the agent; for a quorum, the quorum descriptor (an M-of-N
threshold or an ordered sequence) and the eligible or actual signer identifiers;
the subject of the action being authorized; the covered action bytes or data model,
the canonicalization rule (if any), the digest algorithm and version, and the
domain-separation context; the binding between the subject digest and the receipt
signature(s) — the signed payload MUST cover the digest; the validity window and
any freshness or one-time-use semantics; and the failure behavior when a required
binding input, signer, or quorum member is absent — fail closed: absence of
authorization is not authorization.</t>

<t>A conforming WHO verifier MUST be able to produce a result that states: whether
each signature validates under the profile rules; the exact digest bytes it
recomputed and the canonicalization and hash parameters used; whether the digest is
covered by each signature; for a quorum, whether the threshold is met, whether the
counted signers are distinct principals, whether every counted signer signed the
same canonical action bytes under the same digest context, and — for an ordered
quorum — whether the required order held; whether the receipt is within its
validity window and any one-time-use constraint; and the verified-versus-accepted
distinction (below). The verifier MUST keep signature validation, digest
recomputation, quorum evaluation, and freshness as separate results, and MUST NOT
collapse them into a single opaque "authorized" boolean.</t>

<t>The WHO slot separates two claims a composition verifier must never conflate:
VERIFIED — the signature(s) and the digest binding hold, given a public key;
objective and offline — and ACCEPTED — the relying party additionally trusts the
authorizing principal(s) via out-of-band key pinning; a relying-party decision, not
a property of the receipt. A WHO verifier MUST surface these separately: a valid
signature over the bound digest proves VERIFIED and never implies ACCEPTED, and
neither implies the authorization was sufficient for the action.</t>

<t>At the composition join, the WHO slot exposes a minimal, disclosure-aware
reference: the subject digest and its declared digest context; the authorizing
principal identifier(s) — or, under selective disclosure, a commitment to them; the
quorum descriptor, if any, with a distinctness assertion; and the binding assertion
that the signature(s) cover the subject digest. The reference carries no agent
identity, no policy verdict, and no sufficiency claim.</t>

<t>Where a WHO record is also registered to a transparency service (see Assurance
Tiers), the transparency receipt proves registration of the submitted statement
under the service policy; it does not prove that a named human authorized the
action. A WHO verifier MUST keep native signature validation, digest recomputation,
and transparency-receipt validation as separate results.</t>

<t>In addition to the composition-level negative classes (see Conformance), a WHO
profile MUST reject each of the following, and the verifier MUST report which check
failed: semantically similar action input with different canonical bytes; a changed
subject; a changed authorizing-principal reference; replay of the receipt under a
different action (a different subject digest); a quorum satisfied by a non-distinct
principal filling two slots; an ordered quorum satisfied out of order; a threshold
not met; a mismatched or absent receipt signature; a signature that verifies but
whose signed payload does not cover the subject digest (an unbound signature); a
stale receipt; a post-hoc ratification presented as pre-execution authorization; a
reusable authorization presented under one-time semantics, or a one-time
authorization presented as reusable; and WHO digest bytes that do not match an
adjacent slot's digest for the same claimed action under compatible digest contexts
(per the binding rules of the Composition Model, to be imported). [The WHO
positive-vector classes are imported with the conformance suite in a later
revision.]</t>

</section>
<section anchor="the-what-slot"><name>The WHAT Slot</name>

<t>[Profile text to be contributed by the slot's owners.]</t>

</section>
<section anchor="the-audit-slot"><name>The AUDIT Slot</name>

<t>[Profile text to be contributed by the slot's owners.]</t>

</section>
</section>
<section anchor="assurance-tiers"><name>Assurance Tiers</name>

<t>A record answering these questions may be produced at different assurance levels, and the
distinction is the crux for a relying party who does not trust the operator:</t>

<t><list style="symbols">
  <t><strong>Self-attested (baseline).</strong> The record is signed by the agent or its operator and held by an
interested party. This is useful telemetry and a reasonable default, but it cannot, by itself,
satisfy a regulator, counterparty, or insurer who does not trust the producer.</t>
  <t><strong>Anchored / third-party-verifiable.</strong> The record, or a digest of it, is registered to a
transparency service — the SCITT substrate (<xref target="RFC9943"/>) — yielding a receipt
that lets a party who trusts neither the agent nor the operator verify the record's existence, its
content at registration time, and non-equivocation, independent of any single producer's
infrastructure.</t>
</list></t>

<t>This document does not mandate the anchored tier; self-attestation remains valid. It specifies how any
conforming profile MAY reach the anchored tier by registering to a transparency service, and how that
tier is tested (see Conformance) — so that third-party-verifiability is a property profiles can
converge on, not a single format they must adopt.</t>

</section>
<section anchor="conformance"><name>Conformance</name>

<t>Conformance is expressed as a shared vector suite: a positive composition vector
(one action threaded through the populated slots) plus, per slot, the negative-case
classes it MUST expose (e.g. non-deterministic encoding, ASCII-hex-as-bytes,
profile-label mismatch, receipt bound to a different statement, broken join digest).</t>

<t>A conformance vector freezes only after it has been recomputed by at least two
independent implementations. This document specifies no implementation; each slot is
implemented independently, and any party may verify against the vectors.</t>

</section>
<section anchor="extension-points"><name>Extension Points</name>

<t>Additional question-slots compose by the same digest discipline. Belief-provenance
("why the agent believed what it acted on") is a named extension socket. [Others as
identified.]</t>

</section>
<section anchor="relationship-to-existing-work"><name>Relationship to Existing Work</name>

<t>This document complements, rather than replaces, existing efforts. An architecture for auditing agent
delegation and interactions is developed separately (<xref target="I-D.kuehlewind-audit-architecture"/>, with its
interaction, action, delegation, and authorization-transition record types); record and logging formats
and action-lineage protocols are defined in adjacent documents (e.g.,
<xref target="I-D.sharif-agent-audit-trail"/>, <xref target="I-D.bates-atp"/>, <xref target="I-D.aylward-aiga"/> — cited as live adjacent
work, not positioned). The four questions here map onto those record types rather than redefining
them.</t>

<t>What this document adds is the piece those leave open: the composition of independently-verifiable
profiles by a shared action-digest, a shared conformance-vector suite, and the anchored,
third-party-verifiable assurance tier (see Assurance Tiers). It defines no new signing, transport, or
transparency mechanism. Specific documents will be cited normatively and informatively in a later
revision.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>The security properties are those of the composed profiles plus the binding
rules here; no single layer suffices. The agent is not trusted. Distributed trust
roots mean no single verifier or transparency service is assumed sufficient. This
document does not address an adversarial party that refuses to record at its own
boundary, nor collusion across all roles, nor model alignment. [Expand.]</t>

</section>
<section anchor="privacy-considerations"><name>Privacy Considerations</name>

<t>Records may be rich in information about users and the data an agent processed.
Profiles SHOULD support content-private, hash-only (detached-payload) records so a
registered statement carries only a digest, with content held under deployment
controls. The shared join digest enables cross-slot correlation; pairwise or
encrypted correlation identifiers SHOULD be available where correlation is not
required. [Expand.]</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions. [A registry of slot identifiers / profile labels
may be proposed in a later revision.]</t>

</section>


  </middle>

  <back>




    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC9943">
  <front>
    <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
    <author fullname="C. Fournet" initials="C." surname="Fournet"/>
    <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
    <author fullname="S. Lasker" initials="S." surname="Lasker"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>Traceability in supply chains is a growing security concern. While Verifiable Data Structures (VDSs) have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document defines such an architecture for single-issuer signed statement transparency. It ensures extensibility and interoperability between different transparency services as well as compliance with various auditing procedures and regulatory requirements.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9943"/>
  <seriesInfo name="DOI" value="10.17487/RFC9943"/>
</reference>

<reference anchor="RFC9334">
  <front>
    <title>Remote ATtestation procedureS (RATS) Architecture</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="D. Thaler" initials="D." surname="Thaler"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="N. Smith" initials="N." surname="Smith"/>
    <author fullname="W. Pan" initials="W." surname="Pan"/>
    <date month="January" year="2023"/>
    <abstract>
      <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9334"/>
  <seriesInfo name="DOI" value="10.17487/RFC9334"/>
</reference>


<reference anchor="I-D.kuehlewind-audit-architecture">
   <front>
      <title>An Architecture for Auditing AI Agent Delegation and Interactions</title>
      <author fullname="Mirja Kühlewind" initials="M." surname="Kühlewind">
         <organization>Ericsson</organization>
      </author>
      <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
         <organization>Fraunhofer SIT</organization>
      </author>
      <date day="18" month="May" year="2026"/>
      <abstract>
	 <t>   This document describes an architecture for auditing of agent-driven
   interactions on the Internet.  Autonomous and semi-autonomous
   software agents, including those based on artificial intelligence,
   increasingly act on behalf of users, organizations, and services.
   Existing auditing mechanisms often capture isolated system events but
   do not consistently represent delegation relationships, user intent,
   or evolving authorization.  In agent-driven systems, auditability
   requires linking intent, delegation, authorization, and execution.
   The proposed architecture enables this through distributed audit
   record generation, propagation of audit context, optional
   attestation, and additonal logging for transparency.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-kuehlewind-audit-architecture-00"/>
   
</reference>


<reference anchor="I-D.sharif-agent-audit-trail">
   <front>
      <title>Agent Audit Trail: A Standard Logging Format for Autonomous AI Systems</title>
      <author fullname="Raza Sharif" initials="R." surname="Sharif">
         <organization>CyberSecAI Ltd</organization>
      </author>
      <date day="29" month="March" year="2026"/>
      <abstract>
	 <t>   This document specifies a standard logging format for autonomous
   AI agent systems.  The Agent Audit Trail (AAT) defines a
   JSON-based record structure with mandatory fields for agent
   identity, action classification, outcome tracking, and trust
   level reporting.  Records are linked via tamper-evident hash
   chaining using SHA-256 per RFC 8785, with optional ECDSA
   signatures for non-repudiation.

   The format addresses requirements from the EU AI Act
   (Regulation 2024/1689), which mandates automatic recording of
   events for high-risk AI systems effective August 2026.  It also
   maps to SOC 2 Trust Services Criteria, ISO/IEC 42001, and
   PCI DSS v4.0.1 logging requirements.

   The design is transport-agnostic and supports export to JSONL,
   Syslog (RFC 5424), and CSV while preserving chain integrity.
   Privacy is addressed through input/output hashing and tombstone-
   based deletion compatible with GDPR Article 17.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-sharif-agent-audit-trail-00"/>
   
</reference>


<reference anchor="I-D.bates-atp">
   <front>
      <title>Agent Transaction Protocol (ATP)</title>
      <author fullname="David Asher Bates" initials="D. A." surname="Bates">
         <organization>SVT Robotics</organization>
      </author>
      <date day="11" month="May" year="2026"/>
      <abstract>
	 <t>   ATP defines a cryptographically verifiable directed acyclic graph
   (DAG) model for agent transactions.  ATP enables tamper-evident
   signed causality and auditable lineage across agentic systems by
   representing each action as a signed node with one or more parent
   references, assuming verifier access to issuer public keys and the
   referenced parent nodes.  The protocol is designed to be lightweight,
   transport-independent, and suitable for environments where
   accountability, provenance, and verifiable history are required.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-bates-atp-00"/>
   
</reference>


<reference anchor="I-D.aylward-aiga">
   <front>
      <title>Artificial Intelligence Governance Architecture (AIGA)</title>
      <author fullname="Edward Richard Aylward Jr." initials="E. R." surname="Aylward">
         </author>
      <date day="13" month="January" year="2026"/>
      <abstract>
	 <t>   This document defines the Artificial Intelligence Governance
   Architecture (AIGA), an application-layer protocol for the discovery,
   authentication, and state management of Autonomous Agents.  The
   protocol specifies a cryptographic handshake mechanism, a standard
   header schema for risk classification, and a transport-agnostic
   method for immutable activity logging via Merkle Trees.  To address
   latency and enforcement concerns, this version introduces &quot;Session
   Resumption&quot; for high-frequency transactions and &quot;Hardware-Enforced
   Termination&quot; using Trusted Execution Environments (TEEs).

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-aylward-aiga-00"/>
   
</reference>


<reference anchor="I-D.schrock-human-authorization-binding">
   <front>
      <title>Binding Named-Human Authorization Evidence into Agent-Action Records</title>
      <author fullname="Iman Schrock" initials="I." surname="Schrock">
         <organization>EMILIA Protocol, Inc.</organization>
      </author>
      <date day="3" month="July" year="2026"/>
      <abstract>
	 <t>   A recurring pattern spans the agent-action record formats now in
   development: a record about an agent&#x27;s action reserves a place for
   &quot;the human authorization&quot; — an approver disposition, an authority
   context, a human-override field, an actor slot, a signed grant, an
   approval reference — and leaves its semantics undefined.  Each
   format, reasonably, does not want to specify human-authorization
   evidence itself; none, so far, says what filling the slot means.
   This document defines that one thing, host-agnostically: how any
   record binds named-human authorization evidence, either BY REFERENCE
   (a content digest of the authorization artifact&#x27;s canonical bytes) or
   EMBEDDED (a compact, self-describing claim carrying named approvals
   and optional distinct-human quorum semantics), with five requirements
   that make the binding mean the same thing in every host: digest
   grounding, action agreement, verified-versus-accepted discipline,
   fail-closed absence, and embedded/referenced consistency.  The SCITT
   signed-statement host family is expressed concretely (digest
   selection, and the observed-absence statement that is the only way
   absence of authorization becomes evidence); an informative appendix
   maps the binding onto the reserved slots of eleven current documents.
   This document defines no new authorization format: the referenced
   evidence verifies under its own specification.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-schrock-human-authorization-binding-00"/>
   
</reference>


<reference anchor="I-D.schrock-ep-authorization-receipts">
   <front>
      <title>Authorization Receipts for High-Risk Agent Actions</title>
      <author fullname="Iman Schrock" initials="I." surname="Schrock">
         <organization>EMILIA Protocol, Inc.</organization>
      </author>
      <date day="3" month="July" year="2026"/>
      <abstract>
	 <t>   This document defines the EMILIA Protocol (EP) authorization receipt,
   a cryptographic primitive that binds a named, accountable human
   approver to one exact high-risk action before that action executes.
   An approver holding their own signing key produces a signature over a
   canonical Authorization Context containing the action hash, policy
   reference, one-time nonce, and validity window.  The resulting Trust
   Receipt is Merkle-anchored and verifiable fully offline: a relying
   party can confirm that a specific action was approved by an
   authorized human, exactly once, without network access to any EP
   operator, log, or API.  The protocol additionally enforces separation
   of duties (an initiator must not approve its own action) and one-time
   consumption (an authorization, once consumed or refused, is
   terminally unusable).  These invariants are machine-checked in
   published TLA+ and Alloy models.

   EP addresses organizational authorization of agent actions (approver-
   to-action trust).  It is complementary to, not a replacement for,
   user-to-operator delegation work (draft-nelson-agent-delegation-
   receipts), service-to-service identity (WIMSE), and authentication-
   layer approval (CIBA).  EP is the human-authorization apex of the
   agent stack: it composes with, and does not replace, the agent
   identity, delegation, machine-policy, and transparency-log layers,
   supplying the named-human authorization evidence those layers
   reference but do not themselves produce.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-schrock-ep-authorization-receipts-05"/>
   
</reference>




    </references>



<?line 310?>

<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>[To be completed with the constituent-profile authors and reviewers, with permission.]</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA81b23Ikx3F9r6+ogB4EbExDNCk7goNQiNDu0oSkJWkCNMPB
UEg13TUzRfR0jbu6MTtibIQ/wl/oL/HJzKrq6sFgLYf1YD5wB32pS15OnszK
rqpKDW5o7VJf3G5sN+jbuvZjN5iVa91wXOrXfrf3wQ3Od9p0Df7u1r7fma62
F8qsVr19euHd8tUL1fi6MzvM0/RmPVQ7t62CGXxl6M3KzN6s6unN6pNPVG0G
u/E9VuMwuXL7fqmHfgzDp5988vknnyrTW7PU97Yee7ytHu3x4PtmqX/kwRd6
Pjr+HhuHy/ev7x4eFrqYjP7I28Nzw2DDYOjOnxR+dM2fTes7bOJogwrjaudC
wM3huMe1u7cPXyozDlvfL5WulMZ/suX7wT7ZTr9zW77o+80SsmKR3mN4q/+5
9+N+oe+6+pqfsDvj2qUO/N4Xhh+lhdhr4+ZDP/idvoccp4HfHW/Hle03Vv/h
+g8yHO+exPd7szddOcPgd6SFL3ZHIy9d/7Q/WbvvNiuvfzdOM9x1jd1b/K8b
yrFW7Wgbv+nGtv1iQ5euIdn5YHcQrL6vt72vH6fx3r67++Pdrf6294Ovfftc
DoM1uy/sDtoz+/gQCaIjRQ3uyS6VE63JH1p/9+Xrzz//9Wfp52ef/Zp+3lVv
rh9Hu23twXVNxVZQmb7eusHWw9jb9FDYmt6tk2nyY0NPK4n3V9BEqMywTxfM
sT2YHkO6jcmDyDar7YhNV2IX7q9sTNUK87tuc/qo3Z8819vauv0QlqqqKm1W
AcuoB6Vux8F3fufHwD4ZIBt6M10Lfj1gPVbzDgK8poaHBMzYHvVgHi2ZebD/
PuKuM62KBgY/6X3AP83OdY7mInnyDOxtuvHQRxeu9Ve+pfXrMNZb3NcygMp+
1lr9X//xn7AubXRvN2MLG+uj39EP34tN2n5veiDFYesxuA2680Oca9ha5fe2
pzd5sB7rdb2lHYeD7Xl6uEdvWo2NBN7BQlvDK6IneBmrI/6CeWSLbY8VXnJr
x7dhTmtH6HfYWszY07QiNX0wQWP+nQMINLyVetCXr2+/vlqow9bRNMV2Wcs6
aY9ewEBhb2vMVEf56MsfvvrmaoG5zDBNRNIfTQvNNK6hR24f8AwJvVxTj4nc
zmpLhl5j/Nr3sA5sR1/efv/m7uHqWqmHrQuQYz3uaANxdgupuA4+FT3Ed5AY
JL/D9a0/iA6jHEIEQ1EfyU6RL2A62UHVuA1EHcXMcjySImby5Xdp/Y1du44U
pmUQVYArlFCTZsMI54MgyK4gc5Frd0wL0jtz1CurCYdtc63vBl5ha2mHQdn3
MFNawHNf5hVAQggElexcIyg8ahiUyBTq6u2+NTVvYFio3o7kIjoPGtymw78L
WCQsau/7YRGdgf7Ejrr6qHe2xlAu7AKtLug1xA+PIzNVJoSxp93qwfGcJNmk
n6Bba+BeMPJuqXce2xfDk0UHmFyDzWMaFWwLNBpECGLSEDl0KBfYh24wfKn9
Hdw8YCwoig2UF07RTP5QWBZM1TYLeg8y4kFK16Als+VEpcR10dbg0hCR7aNf
qJlAgu2fHLZ8yeH1CmCEdyc3Z++Go1t34m9A87nT19ilmBjUc43wnoXAVoxV
MBph9CfTwnVWBnKCwd0Quj1RMCPJA5ZojsaFQmKsjmTisLZomKT0ZHh0F1ul
dzfeICgRNMGSCUStgg03hkYS04LvEUDvXNPgpvoFvG3ofTMKLM7gWhCZwLkj
f7LkiYy2rl4wxBwgGD8OhD0VFruP0OKxIxjkFjbIKK1eROkVQKlBACPHFzds
7YZYBnTlWeiyiGv9QMKHje72gv9wikG1doB79y2JKByxgl1gD6SxsWGSyx6a
d/XEpxI4hXFPyg/MpAzH/AIcnWii9X7PozSeZbpFLCE9AC3M2ELRP2zBlVZ2
a56cH9kM6LHVNDzBEVwMr5o9nCcsZHFqR7vvbevruFv75Bo2AtoY2xNGqbe2
fqQh1hA9RW0S0gJ3ajOGHDJJExIOFTgKHPyvCTpL8aaxks54HWRFtNFkyDCO
O0JGosSkj1mIF0tAmA/B9IC6cWChhHGNuOHw1pLGOmrxXBe2yR3ZZzCc4mji
zsSrxi94PA4fLjyGKAZgMXZnKUzFYZKaSStk7ODobg1EhC/ANKC4n2wt9Hht
Vr2rjczgW0g7QGdhkSIchBAgcx1q7J7H8zVYOcEIe5LZQ9DDwdpO1k2LLoKm
RL10PcdFUO6Jc5g5eUmSeM5AyNQt/NP+f6IOoj7196EO+hx1UH8H6pC5mIRw
8mV7kCCryyB7Q4ZXBGSebwrKxZPqhXDMhoGpET4oZgRr9Xe2ZdcIW7cn4b1N
4/2AF66E8CZqwxPuHfxHsZuUIZXITeY1k+bxHNw86z0xngXrW5+nOwgdXsEK
4w4EV2n8gtFIPAHA0prF005SZzIE+vXxwHvKGlIgigzo4eCxKzB6t6d9rXuA
LLSw1Jf/cDWbEduJm0m7gEKJgg2ImqxlGpmNPsU8WYQNJ3xOVLdG/JGtwTpp
0miZpdhkphtW9uWnVzQwgiACmdl0nkIc7GhExOLyAE3f+Tw5UabkqZjPw/r8
OoY0yBir4OAlUSvYQeHupEW8TVrntdr3A6KCI9+6FD9xJf6uwBLsusK8SK5Z
zozBBmYKQFiPPXtOaP0QojfRlqOZNFNQIaIDWbHKOZhUeK5aS+SYFULSGNgG
p4kIgY8wRXUSCaY8C9YdckSmkHYEjyEWBG7xC/3AlMG3fnNU6h7rvElCvJlZ
gFDsfLMazGYzKSnORYK+1j++EUeHOxoF94MAeiuR/EZDXZuOY1yUBKi6Gwh/
q6S8YVrS9Z+IAH3zRKHaHpb6X7KOpHyU10egYwUFakvcLNAmDemWNM90jbj1
RkjEq1esklevElJn7YuUjCpY3KtXcWWvXkXXRw6tKlwHCuMaZ6eY/QL5xcWS
AXtC1VPo/i2/CACOL/5N2R8M0r4XW6A1pjFuH8rZAds0Oy2fEPwcsHt9CVES
3aoEaAdo2cDrBltFNg9DRCBMZkROQ+xjxfbZZMgS/sopz/FKlsPoH9eT5j+J
FlOw4FyAOBKcBANScjCYHbFU8Qg88ltQ3fNsmtI4/GhJvWywjNs56XQk7BQK
chQit6SMYO36QCyEKnA10S6uEhCpJ6NlW7rWt6kKwfOIOtlg4DYhEsSILjx4
beipNfkHDUd04JhG2Ps9lSywMrlM42Tc0azZhDCKQ9Zb+Ruvfutht4Ei6i/4
hbJ8+s6Diiv17WmuDQRleBWq6ic4hcmPK+Je0WehKkoDxE5kqVCd+kt86s/y
lP6Nvv/qtvr0H//p8vev7y/lwaurvxS2GxObn7BY/YiwCVlEYfFCsIhrdXuK
G69eRQNHuJrWm1dGNa0Q9fvLUHBvDhmqyBm97Emow47V4yWkGkwSa16Ii8fW
m+Z0gjLXVKk+dq3f8FMhjigc3HMGzxnzwLkwa1/Pci7Yee2JV0JjMobGYxKg
OCIlGS1pvYkXMVnAwpGSLjQHErKwYbuYk/uFyjy+Pi508t8OZJ9rYHvfuvoo
1x3Z9rX+WrK5eUSuZbQoCto13hiHeDUKgQacJeLzd8vJY9GQKDRVPxSnMTFb
pGCDa0JLCOTsnt0uptt4DXcov4rUH3L78csR9jNse2sjY9KxwAk0aclhkyW1
BsGXcnFiL4g3cUpzqFhF1VOobu9f392pamvfy8ukRmRtbkf1F0q4kZOI8/NM
qZTK08NafjWjZA5U6mxQkyD1QKhQfUdU4162xWHpLYUXMmOGLWYiNARmXLPV
pxKlMDl9aa8317gtQaCxXP2AxVAK/Gj7Dj5fli3I3y5//jnWpT98oGLfTHGg
B5ucPF4J7pRhnRJmRiYwgjWXL8BMlejLCapARpwmY3VIVuO+7QHm5WVj/wPZ
UpFs3UwYHdX/jNEx0hEJ0QnXJK7nFzPDlxySUf0E0RmyU9osOES1A+DBCq61
UBLC8HfwBRcTacSsPtbGUiEx+B0SIBoS5lD3sHuW4zEWXgaVZipiSLh5qRZ0
Er0kTUkMBxoig1Hx4V8SVX8/iCa6oXdIwWNmSwIk8i01PMI9QYsQaR2Fi9uv
WZhwqm8ztcJo4gTlgBgh7QFT+kMHisNWLQOBrfBASyAKJFl9xcZ5W6KT6Ike
5E1FmpRrXJleLWPQYJUszvAeTvN7PO/7cUe0vOGEDRDP96Wu8DFyhL1xng6E
hR9wlZd4AHj6irwAiKQ60/f+wLdOk9NTi9hRmM3obHSBwRPoqsSxF2VyW8Ua
p2SojNGRMtXCGjgRYYaGH0RdKUSplF4s9cWsOlNDURfiaxN2kLAF9y6Edrow
jxpT0JD55AkWVBwMDI6qeCuOO/Pds4RipETUnWcYMXsT0WeCOOVxJ2PBrmbp
sIrgnujrnJwk4vmM8eTzAPue6I5QjwjbCm5qGjMYLuuUqQtnoj1UY5sYmQiS
yCt3MJUU8ItgzfpWqa6czS2UbIlqzByuwyweUoVOClQMTFUCpgwAwOu/8Ujv
w4cFZ0oMMCkyx4IHkHA+zovnfRwVhuidue6uihwjlcD5+SUZGMediquTzHsM
n4Jwdi5gGqsGpk0Oa1Ianf01PyI+m8kmQNZ3oBJtpFJ4h6ohJlYFi6qYX68p
sKsExGwnxMJ6WNN+XMH3KAISXz/qwtv0ztpcOU1BhtWeTKFk71SRbqfyCynw
tgRuElse5N339w+aT8+XYgtRhILwSSbiwzTRZbhKJq5EcqxvXJ4yD3bwG4GD
CHyiMPkNbYS6h2aIHkBr7yq/rr5WxFEC17u5niFplM1UzF7lSgGgb8MFDHqQ
c8EoxWKd4UaVXhjdLyOqHIsl0L2Jzv1k+9LlWZm9Zg9k3Fyomb6zoY3kBUI3
omlGrzfthlKC7S4pK4KqbETJkXEVMr3iIIaQdlPCQCoKn4OVJJJo6yrbdqGn
RPRTzsAqr7P55ooHfvNZEQEG9QDAhKiETmF/Taphcgx5wLgryoIrOhEIYD4Q
ec38IBZyjGvZu+SUoqd6a1cwKpX25Trw9EXU3WKKkjD33Yq0GehUPxXjaFhd
t1RmWsp1OsBan6C4k+g3u3jOATKGsjRAH6Qq7pNn8HqJw0v9hD0k5HK24iLL
BCQsN86JhVEWCbwQ9ZsitqQsgO3LTRlLJEJnTYxLqiZs6awQXsf1IIgfllsW
s+PIAMNky0C4+VJP3bJ8ffJASBGTzO4q6UloorrklO4MNk4vSXlg/lqyRRqQ
66QTeM7cbhIjPxU3Fr1DHIhtYgYVKpqPpPJFjT9ReX5Ob217IrcUirBtCk+O
qolBnXGGlFBM9s/1vp646+QA0bYaqluHMVSSJ2J9SVx8ZsEgHTOYuTU+Wrt/
blwfSXLjvi2eHOMlWsvktSY8S03lEZ7v628eoN22NfvAlGnHJf2J6/q9AQTr
iwkwL/TK+9aa7vqEJ6dZQCwOHt5q3C68xF74RLIjK2HnpBx0qf717Xd3X969
fTMDr4xoScIniTTZ7EJv3BPjzBRIb5RUU9IRcIy/mXPdvn799tuHYrKY38cT
edM0Ts41qTNIjuZL3jiLkbS8J2fokI/i2YrGp2x27zrqk7hhQCmrBxPHppTL
EF4grcWNGKuiUYIMnAGsMPZrw2e3lkFYpN4el+nAf4oEE1ER+hNlF5leljeT
SFaGo4ILbiXpsKVk7pjulmRBMIoI+zN2nmIuYfDwLBuh+tHE5diCEg9GyEXq
uaPmAiqJAPexl8pQ55bKBbblSzGR8kcIuC0OXuaxtdCh+hjPoYYsASMw6GhK
03oWYts7N3ACJCnEjmdQz8jOIlYkhANz2iNwEF0UGccgRwrRypN551tqSCec
M6+YYvlcEoItUzWyRproOD2MzVUpNVvwUZPU22I9PWUVswSR/Rma/IEOj7GB
GQEH2Qn+tPtFn+9+oRLBbTrJUw/E1yJxmj2fcDnaqozdzyr53GfKxxEcokkN
qggecULZ201ZpUyVST4d0QWVPTlsjv1/592QkbqTquTHAFvPAVudNkql3KZ4
9RxmSyqWYCllrGU/cAsPbuHHG1kTFBbImVjgRXMyl9WwnVSXkd30lo2HCUMU
7xphwR+4z+skuvXpHSo9xiIIl0oVETXiaIkaMnwGt3PwxhTlmfqJH0zJ/0ki
RZApR1yNioZdXCo9uJo8OFv7TTzNOYHT6MxGTdOmJoJZHWLmSFc3mTGBjwwu
UHSP2SMfhIsfF0CSa3YHqSkyPc4pzbOhqD2G0ka6T3NlJqbIUkHFbhgPAxJl
yFgyJGHGaVsFwTOFKbJ555Pr1TioA/fZnaQE2SleghJO1MbuJIEmuVDrd5vF
S7PDGIdq62vqJsw1dmqLogVLexL+qOx7W49i6WUYoSGp2VBa8WYBZhpClJiI
2JSExKJUuqFeet8QmMgcArfk2jNezoKLTVgsdW4LbH4ydSpTIWWPb6RIJ4SW
MHLKImWl5KJYA21pHoyCutyn6FyeCrxYL1qclPxBIH+MDEzJk0+5fTR5PzH1
fERQnlTnowBpNOU6Ph8FqNlRQCqa3j78fcqvfLL6fx1qih+a4wfleDEWvdzO
EhtmY46HJ4fC56fWEkbRUOTpBW+Pp4N1P76PqdScNJ7v1s5HFvGg/X7WtHqZ
ujOvrl+9ikE7RdV8SlccgGNaIji5GZSzQ9vG7leln/W/EhNw3AeCnGU9Uosz
NSUNfWy6o1bYAKLLBiqthtIe54bYYlge6mECga7jvIO97FpnT3QdkaT+JZmk
ItS1nLfH1h/9qxd6f+ayia4+lVfpo5Uz7bf6PAVJjJ/7cAnsmFjYdPj0+a8/
+/BBGODR2dRbl6osWuChtXRK8b9o3500Flt3h7wdOhSmVi7L39ZQ+qkFI8gw
hzn1IWhL/KyrKLl98ukks2hOIqFQvhqzuCTtXwY2kHVvMODI/Wcvt7jFVl7Z
SlIQdV7d6PBSyzFzGC61T51oW86fj+rM+dG723+TTuznk8jhv+gzHlqfZ5RT
zxl36fK7uS3sOfthvYbYiHbO2Nx0xJ3TsqkhAy6Wmqh1zN+mZDmWswc6T+MM
1zR+z71J5RKUej07iaW0Bw4bu3dzj0P5HcBSQqsTYvesk0ldTkXneN7LBLb3
40ZEmxo3mti+pfftSMfPsZ9L+HeijlUNSFIpggAGmO1JchYPdZ+1aOd2gYXm
g2o6p65MkOPrhZqfcyc2Mx3RC7lgHRdELLF6AFDvH63kjImXlZU9lmQU2Lq3
lk43fEcdetR+Jh3RVBq3nS4qboSY5MmGMOngy45WTnV5bum4jCD6/BMSSpPm
z97EqpucJqt8kxt5iu7BRS4qCYhQfIrQUJ4RyK74JPRZNw0kkMsUOdJVck5c
9NCcltKmNoNr/bvTnj91eXHYlgGHuwLpOCz1U/PpHcR7cSVeIvmTzWsLvn60
1Dr3DSEhZbcq59aNxO+PdrKeAlLRRrs485UKtVHkzlq7hjlQ2wt1PZUfvXC4
ppNMRnPOgGP7fyqxctxMH3zxKSuIAPy/KUos6bzrox/LpZMuRvJi1EU+Fppm
XjxvfK8Y5Fw6xiIqQJ9RhqubieM0uvWbDW1FICdwVhl7c0mx2KFOXwTGci2f
CXMzWaay0xc37NULFU/hXvjKjzYmT+Tv/KZL5Zd+Hz4wykr3Ghyv5SJcnFXR
6bAAZ4IxprIPnHKOfUHZuNSwM3sYG+e7ZM+lSE6sQToWug2d1EipQiC+7Jxr
mpBoHHdHx1HL9ujTQhW3XJ7vdVc5MHykRzpff+krrym/zi3Q6oVvj05aoOfF
FCHDV9ILED8xAzzRIf65L7YQN85/sHWt71OT/WQhB2rzIILOSs1fmMYu6OIz
U1w5l0xwN0z8EJmiIX0NIZwm9sWEdDNGXRezF1FQzIlys3EWPAWy2cG55FBk
Ojdcw5LQLJ0BUtCy6QsfaYEuqCn1kb8hshUzkNgd6QlQd9Z0xYC5FHLaXZZY
pgvyCREBSK6MShxRz8kWDLOXBjT8pLMDQ62rMTTEZuf1GKTtK+HAIKnAoVPx
2xuu5lHK2UIqDGzxw1XorvettIj2sRGEu5d3vKgf377fQ40Czt/27snUz5X0
Xfz8LiZSPfdLdpPqaboVVTOwzD5M9XpuYuhSC3Hva+Y611O75/1X33z/xzf0
FRPXkyL1pcLOkyHvoMOvisP5JTiHoSpIaoK8yh8F0td0ZS9lJg+59CmEIDf9
M0Qnms0ZlOTr8PTWH7mYyMkoADS2uIoXFxwEpIe8MsiHZxx4pS24jUxgb1x/
cGS+vYJx9Ec6CiofKU+tkxzoQPIJcMsOf2AMnL3BBpMO/ZsT5d3dfn17xr1K
DCQqBDvmJ2O8wyC3Kc/gqpmwl2Jtv8qcnSlcUFM6LQ45+fysl5C+/luZ+pGz
9vqx84fWNhv5SPXnZTfSYa9tfnOxNm2wFx+U+vEh1gGkC6X5eHt97BOLDZrU
dYbFRt1yt3qIC/lvYYWhzNBBAAA=

-->

</rfc>

