Network Working Group K. Rampalli Internet-Draft Glyphzero, Inc. Intended status: Informational 6 July 2026 Expires: 7 January 2027 A Layered Requirements Mapping for Cross-Organization Agent Delegation draft-rampalli-cross-org-delegation-mapping-05 Abstract This document records a comparative mapping of two evidence layers for cross-organization AI agent delegation: a per-hop delegation chain (PEDIGREE) and a named-human authorization root (the EMILIA Protocol binding and evidence-graph drafts), evaluated against the nine requirements of draft-reece-wimse-cross-org-delegation under a no-shared-operator assumption. It also records a verifier-facing composition model in which key possession, delegated authority, and pre-execution human authorization are diagnostically separate inputs with independent failure behavior, joined by action digest. The mapping was developed on the WIMSE mailing list; corrections continue there. Status of This Mapping This document is a point-in-time record of a mailing-list discussion. Verdicts apply to the specific draft revisions cited and do not carry forward to later revisions automatically. The canonical venue for corrections is the WIMSE mailing list; agreed corrections will be folded into future revisions of this document. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 January 2027. Rampalli Expires 7 January 2027 [Page 1] Internet-Draft Layered Delegation Mapping July 2026 Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Assumptions and Verdict Discipline . . . . . . . . . . . 3 2. Combined Requirements Mapping . . . . . . . . . . . . . . . . 3 2.1. Summary Table . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Row Notes . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Verifier-Facing Composition: Diagnostically Separate Inputs . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. The Delegation-Chain Row, Stated Explicitly . . . . . . . 9 3.2. The Human-Authorization Row, Stated by Its Supplier . . . 10 3.3. The Possession Row, Stated by Its Supplier . . . . . . . 11 3.4. Template Compatibility . . . . . . . . . . . . . . . . . 13 4. Security Considerations . . . . . . . . . . . . . . . . . . . 13 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 6. Informative References . . . . . . . . . . . . . . . . . . . 14 Changes Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 15 Changes Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 16 Changes Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 16 Changes Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 16 Changes Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 16 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17 1. Introduction Requirements R1 through R9 of [I-D.reece-wimse-cross-org-delegation] describe what cross-organization delegation of authority to AI agents must provide when the relying party and the originating organization share no operator, no runtime, and no bilateral agreement specific to the interaction. During the July 2026 discussion of those requirements on the WIMSE mailing list, two candidate mechanisms were mapped against them independently and were then found to occupy different layers of the same problem: Rampalli Expires 7 January 2027 [Page 2] Internet-Draft Layered Delegation Mapping July 2026 * a delegation-chain layer, in which authority conveyed by a root principal is narrowed at every hop and re-verified end-to-end by the relying party ([I-D.rampalli-pedigree]); and * a human-authorization root layer, in which a named human, or an M-of-N quorum of distinct humans, authorizes a specific action, and that evidence is bound into agent-action records and evaluated with fail-closed verdicts ([I-D.schrock-human-authorization-binding], [I-D.schrock-ep-action-evidence-graph]). Neither layer claims the other's property. The chain proves that authority was conveyed and attenuated; the root layer proves that an accountable human authorized the act. Where the two meet, they join by digest equality, and digest equality is a join key, not a claim of sufficiency. This document records the combined mapping (Section 2) and the verifier-facing composition model that the discussion converged on (Section 3). It defines no protocol and no new evidence format. 1.1. Assumptions and Verdict Discipline The no-shared-operator assumption applies throughout. Each verdict states what holds offline and unconditionally versus what depends on a named assumption, following the conditional form requested in the originating thread. Several entries are not clean passes and are marked as such; deployments should read a "met" verdict together with its stated condition, never without it. 2. Combined Requirements Mapping 2.1. Summary Table "Chain" is the delegation layer ([I-D.rampalli-pedigree]). "Root" is the human-authorization layer ([I-D.schrock-human-authorization-binding], [I-D.schrock-ep-action-evidence-graph]). The composition column states how the layers relate on that row. +===+=================+========================+====================+ |Req|Chain (PEDIGREE) |Root (EP) |Composition | +===+=================+========================+====================+ |R1 |Met; inline |Out of layer by design |Chain-only property | | |conveyance | | | | |condition | | | +---+-----------------+------------------------+--------------------+ |R2 |Conditional: met |Conditional, mechanism |Both layers name | Rampalli Expires 7 January 2027 [Page 3] Internet-Draft Layered Delegation Mapping July 2026 | |only when the |specified (the |general, non- | | |deployment pins a|authority-introduction |bilateral | | |general anchor- |companion draft, cited |mechanisms, served | | |trust mechanism |in the row note; |from the org origin | | |usable by any |Informational; public |and transparency- | | |party without |implementation with |logged, and state | | |per-counterparty |tests). Authority |the assumption | | |negotiation. A |Document: signed, hash- |explicitly, | | |general channel |chained, sequence- |narrowing R2. | | |is named as one |numbered key |Shared residual: the| | |conforming way |declaration served from |first-contact | | |but not required,|the org origin and |bootstrap, coming to| | |and static per- |registrable to a |trust an originating| | |counterparty |transparency log; |anchor for an | | |provisioning is |rotations carry a |organization with no| | |admitted, which |normative continuity |prior arrangement. | | |relocates rather |signature (MUST be |Narrowed, explicit | | |than discharges |flagged if absent), and |open item, not a | | |R2. Same profile|artifacts resolve the |satisfied | | |move as R1 inline|key valid at issuance. |assumption. | | |conveyance. |Acceptance is graded | | | | |per action class over | | | | |introduction evidence | | | | |(chain consistency, | | | | |domain binding, | | | | |transparency-log | | | | |inclusion and age, | | | | |pinned-anchor | | | | |endorsements), widening | | | | |mechanically as history | | | | |accrues with no | | | | |relying-party | | | | |reconfiguration. | | | | |Residual, admitted in | | | | |the draft: first | | | | |contact is made | | | | |checkable, not | | | | |eliminated. Met for | | | | |lower-consequence | | | | |classes; high- | | | | |consequence cross-org | | | | |actions between parties | | | | |with no shared pinned | | | | |anchor or logged | | | | |history remain open. | | +---+-----------------+------------------------+--------------------+ |R3 |Met offline given|Met offline |Both fail closed | | |conveyance |(deterministic policy |rather than fetch | Rampalli Expires 7 January 2027 [Page 4] Internet-Draft Layered Delegation Mapping July 2026 | | |replay) | | +---+-----------------+------------------------+--------------------+ |R4 |Deferred to |Not addressed |Shared gap: neither | | |transport (proof | |layer proves | | |of possession at | |possession; WIMSE- | | |the wire) | |native answers at | | | | |the wire are WPT and| | | | |HTTP message | | | | |signatures; composed| | | | |stack: possession at| | | | |the wire, | | | | |attenuation along | | | | |the chain, human | | | | |authorization at the| | | | |root. The | | | | |possession row is | | | | |now supplied by name| | | | |(Section 3.3) | +---+-----------------+------------------------+--------------------+ |R5 |Invariance along |Native to the artifact |Root proves who; | | |the chain (re- |(single or quorum); B2 |chain proves nobody | | |verification) |ties it to the host |swapped them | | | |record | | +---+-----------------+------------------------+--------------------+ |R6 |Conjunction |Policy identity plus |Entitlements stay | | |native; |replay; entitlements |relying-party data | | |entitlements |relying-party local | | | |relying-party | | | | |local | | | +---+-----------------+------------------------+--------------------+ |R7 |Lifetime bound |Normative fail-closed: |Root layer closes | | |offline; fail- |a stale verdict never |the gap the chain | | |closed on stale |authorizes; B4 |layer names | | |revocation data | | | | |is an admitted | | | | |revision item | | | +---+-----------------+------------------------+--------------------+ |R8 |Signed hops; |Evidence graph; |Join by digest: | | |SCITT capsule |unbacked edges poison; |scope versus act, | | |binding for the |signed Reliance Result |neither claims the | | |post-execution | |other's property | | |half | | | +---+-----------------+------------------------+--------------------+ |R9 |Met (JWT/JOSE, |Met (JSON/JCS, maps |No new formats on | | |pluggable policy)|onto existing host |either side | | | |formats) | | +---+-----------------+------------------------+--------------------+ Rampalli Expires 7 January 2027 [Page 5] Internet-Draft Layered Delegation Mapping July 2026 Table 1: Combined R1-R9 Mapping The R5 and R4 cells reflect corrections agreed on-list on 2026-07-05: the named-human and quorum property is native to the receipt and quorum artifacts themselves, with binding requirement B2 tying the artifact's action binding to the host record; and R4's composition cell carries the constructive composed-stack line alongside the shared-gap statement. 2.2. Row Notes The full per-layer mappings live in the originating thread; these notes carry only what the one-line verdicts compress too much. R1, recursive attenuation: The chain meets it from conveyed material alone: per-hop scope subsetting and mandate narrowing are re-checked at verification, not only at mint, and the verifier re-verifies every parent token. The condition is inline conveyance of parents. The root layer does not narrow scope, and should not: it names the human and binds the action. A division of labor, not a gap. R2, cross-organizational verification: Row text contributed by the requirements author (2026-07-05), included verbatim. Reframed per his correction: pinning the originating anchor relocates the assumption rather than discharging it; the load-bearing part is how the relying party comes to trust that anchor. R2 is met only when the anchor arrives through a general mechanism any party can use without per- counterparty negotiation (public transparency log, open federation, verifiable credential from a recognized issuer, or trust-domain discovery), and the row names the mechanism. An anchor arranged in advance between the two organizations moves the forbidden bilateral agreement into the provisioning step. Both layers have moved from bare open items toward explicit mechanisms. The chain layer names a general channel but does not require it and admits static provisioning, so its verdict is conditional on pinning a general mechanism. The root layer specifies one ([I-D.schrock-ep-authority-introduction]): a signed, hash-chained authority document served from the org origin and transparency-logged, with normative continuity on rotation, keys resolved at issuance, and graded per-action-class acceptance in which un-pinned issuers never receive full acceptance and high- consequence actions still require a pinned anchor. Rampalli Expires 7 January 2027 [Page 6] Internet-Draft Layered Delegation Mapping July 2026 Both narrow R2 honestly and make the residual explicit. The shared residual is the first-contact bootstrap: domain binding is worth what Web PKI is worth, log consistency is worth what the log operator is worth, and endorsements are worth nothing until the relying party pins one, so trust is not created from nothing. R2 is therefore conditional and narrowed, met for lower-consequence classes when a general channel is pinned, with the high- consequence cross-org bootstrap an explicit open item, not a satisfied assumption. R4, proof of possession: The one row where the layers do not cover each other: neither proves possession. The chain binds the holder's key and defers the presentation-time proof to the transport (a WPT [I-D.ietf-wimse-s2s-protocol], HTTP message signatures [RFC9421], or a context-bound per-request token); the root layer addresses evidence binding, not possession. A deployment composing both layers still needs a possession-proving transport underneath, which is why the transport profile holds a first-class seat in the composition model of Section 3. R5, principal binding and invariance: The mirror image of R1. The root layer is native here: an accountable named human, or a quorum, signs, and the artifact's action binding must agree with the host record. The chain's contribution is preservation: re-verification of every hop means an intermediary cannot alter the principal without breaking a signature it cannot forge. The root proves who authorized; the chain proves nobody swapped them en route. R7, authentic bounded-staleness revocation: On the chain side, staleness is bounded by lifetime, offline and unconditionally; event-driven cascade revocation rides a channel assumption; and fail-closed behavior on stale revocation data is an admitted gap, scheduled for the next PEDIGREE revision. On the root side the discipline is already normative: freshness bounds are policy inputs, the verdict set is closed with precedence unverifiable over conflicted over stale over missing_evidence over admissible, and the absence of evidence is insufficient rather than a default. The root layer closes, by construction, exactly the gap the chain layer names. When the chain layer states the same rule normatively, this row becomes two independent enforcements of one rule rather than one layer covering for the other. R8, tamper-evident composable audit: The chain proves scope: every hop is a signed object, and post- execution composition binds per-action authorization and Rampalli Expires 7 January 2027 [Page 7] Internet-Draft Layered Delegation Mapping July 2026 provenance references into SCITT Agent Action Capsules ([I-D.rampalli-scitt-capsule-provenance-binding]), with the anchored tier assuming a transparency service. The evidence layer proves the act: a content-addressed graph in which an edge the bytes do not back poisons the verdict, plus a signed Reliance Result that adds accountability, never authority. They join by digest equality. R3, R6, R9: As the table states; the per-layer mappings in the originating thread carry the detail. 3. Verifier-Facing Composition: Diagnostically Separate Inputs The same list discussion, on a parallel thread about condition- bounded credentials, converged on a verifier-facing structure in which the inputs to an authorization decision are conjunctive for the final decision but diagnostically separate, so that each input class has its own failure path: * enrolled key, actor, workload, and environment binding; * live key possession at connection time; * local condition failure and key unavailability; * external lifecycle or policy events, such as a Shared Signals / CAEP-class channel; * authorization inputs: audience, scope, operation, and time bounds; * an inherited delegation-chain input, where PEDIGREE or another chain mechanism supplies the authority path; and * pre-execution human authorization: a named human, or an M-of-N quorum of distinct humans, authorized this exact operation, bound to the same action digest the other rows join on; and * application acceptance: the relying party's own decision to accept the action, taken over the other inputs and separate from all of them. Rampalli Expires 7 January 2027 [Page 8] Internet-Draft Layered Delegation Mapping July 2026 A live key with a valid, sufficiently scoped chain still fails closed if a required human authorization is absent, stale, or bound to different action bytes; a valid chain whose holder cannot prove possession fails as a presentation failure; a valid key whose terminal scope does not cover the operation fails as an authorization failure. The inputs are conjunctive for the final decision but diagnostically separate, and no row inherits or grants another row's guarantees. Three boundaries surfaced on-list keep the rows from collapsing into one another, and they share one shape: the same action digest, different claims, independent failure. Presence versus approval: the human verified present at a platform (the possession row) is not the human who approved this operation (the human-authorization row), often the same person, never the same row. Attribution versus approval: a post-execution record of who is accounted to have delegated or performed an action is not a pre-execution approval of it. May versus did: authorization that an action was permitted is not evidence that it occurred. A verifier must be able to affirm or fail each independently; digest equality joins them, and digest equality is a join key, not a claim of sufficiency. 3.1. The Delegation-Chain Row, Stated Explicitly The mapping-table rules of [I-D.bu-agentproto-security-principal-binding] require that an inherited mechanism state its dependency and failure behavior before it counts as a guarantee. The delegation-chain row, with PEDIGREE as the supplier, in those terms: Claim: authority for this exact operation was conveyed from the root principal and narrowed at every hop; the terminal scope covers the operation. Carrier: the per-hop delegation tokens, conveyed inline with the request. Verifier and rule: the relying party, offline: re-verify each hop's signature against its issuer key, check per-hop scope subsetting and mandate narrowing, take effective expiry as the minimum over hops, and require the operator-ceiling conjunct. Binding and freshness: bound to the root principal and to the holder's key; staleness bounded by chain lifetime; cascade revocation rides a Shared Signals / CAEP-class channel where one exists. Failure behavior: any hop signature failure, subset violation, or Rampalli Expires 7 January 2027 [Page 9] Internet-Draft Layered Delegation Mapping July 2026 expiry fails the request as an authorization failure, independently of key possession and of human authorization. A revocation feed older than the configured bound must fail closed; making that normative is a scheduled PEDIGREE revision item. Dependency: the originating organization's trust anchor (root only; intermediate hops use self-certifying identifiers), inline conveyance of parent tokens, and the possession row at the transport for holder proof. Stated that way, nothing is inherited implicitly: the chain row supplies the authority path and its attenuation, and it explicitly depends on the possession row rather than assuming it. 3.2. The Human-Authorization Row, Stated by Its Supplier Iman Schrock contributed the human-authorization row on-list on 2026-07-05, stated in the same template terms as the chain row. It is included here with only editorial normalization. Claim: a named, accountable human, or an M-of-N quorum of distinct humans, optionally ordered, authorized this exact operation before execution; asserted as human authority, not organizational policy, and the row names which. Carrier: the authorization receipt (EP-RECEIPT-v1, or EP-QUORUM-v1 for multi-party), a self-contained signed JSON artifact conveyed inline or referenced by digest from the host record. Verifier and rule: the relying party, offline, with no account: Ed25519 over the canonical action bytes (JCS [RFC8785]) against a pinned issuer key; for a quorum, threshold met by distinct principals over the same digest, with order enforced when declared. Verified and accepted remain separate results, and neither implies sufficiency. Binding and freshness: bound to the action digest (the shared join key; digest equality is a join key, never authorization) and to the named principal, with a validity window on the artifact. One- time use is enforcement-point state, not offline-verifiable; the state holder is named in the dependency, so the offline part and the enforcement part stay visible separately. Failure behavior: missing, invalid, stale, replayed, or out-of-scope Rampalli Expires 7 January 2027 [Page 10] Internet-Draft Layered Delegation Mapping July 2026 evidence fails the request as a human-authorization failure, independently of key possession and of chain attenuation. The refusal is machine-readable (an HTTP 428 challenge [RFC6585] naming the missing evidence), so a refusal is itself evidence, not silence. Dependency: relying-party key pinning (a binding from an unpinned issuer must not be accepted); an enforcement point for one-time consumption, deployed by the resource owner; and holder proof at presentation rides the possession row at the transport, the same shared dependency recorded at R4. The row makes no possession claim of its own. Evidence: public vectors, positive and negative (receipt and quorum suites in the EP reference repository), reproducible with the ep- verify tool. One asymmetry, stated rather than papered over: the chain row of Section 3.1 does not yet cite public evidence vectors, and its evidence entry is open until vectors are published. An evidence column is only useful if an empty cell is allowed to say so. 3.3. The Possession Row, Stated by Its Supplier This is the possession row as reconciled on-list by its supplier (Nguyen-Huu and Bu, 2026-07-06), stated in the same template terms, together with the split the rows sit on: one authentication anchor, several authorization inputs decided above the key. It is included as reconciled, with only editorial normalization. Claim: the presenter is the genuine attested actor or workload at this hop, and its signing key exists only while its attested release conditions currently hold (right user present, platform sound, workload genuine). This proves live possession under configured conditions; it does not by itself prove delegated authority, human authorization, operation scope, action sufficiency, or relying-party acceptance of the action. Not "a key answered the handshake," but "a key whose continued existence is those conditions answered." Carrier: the mTLS possession proof (the CertificateVerify signature over the handshake, on a hardware-bound key registered with the relying party; raw public key or certificate, or X.509-SVID, immaterial to this row), together with the enrollment and attestation material binding the actor/workload/environment tuple, the protected key, and the key-release policy. The signature is producible only if the release policy is satisfied at that instant. Rampalli Expires 7 January 2027 [Page 11] Internet-Draft Layered Delegation Mapping July 2026 Verifier and rule: the relying party, sidecar, gateway, or verifier, offline, per connection: validate the key against the enrolled trust bundle it already holds, with no per-connection issuer call, and take a completed handshake as possession under the current condition. The attestation and enrollment evidence, bound at enrollment and re-attestation, explains why that key is usable only while the stated conditions hold. A cryptographic fact prepared ahead of time, not a policy claim made in the moment. Binding and freshness: bound to the platform (the key cannot exist outside its boundary), to the enrolled actor/workload/environment tuple and release policy, and, where present, to the verified human at that platform (distinct from the approving human in the human-authorization row: one is present, the other approved the action). Freshness is condition-liveness, not a validity window: the entity that assesses the condition and the entity that withdraws the key are the same, the endpoint, so validity ends by absence, with no revocation message to travel or go stale. The condition is re-proven at every key agreement, and this is airtight at key-agreement granularity: key erasure guarantees the next key agreement fails. At connection granularity it must be stated, not assumed: an in-flight connection is not torn down by key absence alone, the same boundary a rotated certificate has, so immediate termination of a long-lived connection after a condition change is a separately specified behavior, delivered by bounding connection lifetime or driven from the event channel. Failure behavior: missing or invalid enrollment or attestation evidence, stale lifecycle state beyond the configured bound, local condition failure that makes the key unavailable, or failure to prove possession, all fail as a possession/condition failure, independent of delegation-chain failure and of human-authorization failure. For locally detectable failure no message travels; absence enforces. Distrust of a still-sound platform decided elsewhere rides a CAEP-class channel, as the other rows' external inputs do. Dependency: the hardware or protected key-release mechanism enforcing "cannot exist outside its boundary"; the attestation verifier or enrollment authority; and any lifecycle or event channel used for externally originated change. The row makes no authority claim of its own: it supplies the holder proof the delegation-chain and human-authorization rows depend on at the transport, and nothing more. Evidence: reference implementation at github.com/WinMagic/LIT. The Rampalli Expires 7 January 2027 [Page 12] Internet-Draft Layered Delegation Mapping July 2026 verified-human presence-bound path is demonstrated. The workload path is not yet implemented, and this cell says so. When the workload vectors publish they will carry this row's negative analogue in the shape the thread set (transport attempted, required condition unmet, possession fails closed), the possession-layer counterpart to the composition negative the root layer already ships. With this reconciled row, every layer of the composed stack is stated by its supplier: possession under condition at the wire, attenuation along the chain, human authorization at the root, each failing independently, all joined on the same action digest. In this row freshness is liveness rather than a window, because the assessor of the condition and the stopper of the grant are the same place. 3.4. Template Compatibility Each row of Table 1 and each input class above is kept expressible in the mapping-table template of [I-D.bu-agentproto-security-principal-binding] (claim, carrier, verifier and rule, binding and freshness, failure behavior, dependency, evidence reference). If the working group settles on that shared shape for comparative tables, moving this document into it is a re-rendering rather than a rewrite. 4. Security Considerations This document defines no protocol elements and introduces no new attack surface. Its risks are risks of misreading: * A conditional verdict read as unconditional. Every "met" in Table 1 carries its stated condition; a deployment that drops the condition (for example, accepting a chain without inline conveyance of parents, or trusting an unpinned issuer) does not have the property the verdict names. * Implicit inheritance across layers. The layers compose by digest and by conjunction; neither inherits the other's guarantees, and Section 3 exists precisely to keep their failure classes separate. In particular, neither layer proves possession (R4); a deployment without a possession-proving transport is open to replay of captured material regardless of how strong the chain and the root evidence are. * Version drift. Verdicts apply to the cited revisions only. A future revision of any mapped draft can invalidate a row without notice; the mailing-list thread, not this document, is the canonical record of corrections between revisions. Rampalli Expires 7 January 2027 [Page 13] Internet-Draft Layered Delegation Mapping July 2026 5. IANA Considerations This document has no IANA actions. 6. Informative References [I-D.bu-agentproto-security-principal-binding] Bu, S., "Security Principal and Verifier Binding for Agent Communication Protocols", Work in Progress, Internet- Draft, draft-bu-agentproto-security-principal-binding-01, June 2026, . [I-D.ietf-wimse-s2s-protocol] IETF WIMSE Working Group, "WIMSE Workload-to-Workload Authentication", Work in Progress, Internet-Draft, draft- ietf-wimse-s2s-protocol, 2026, . [I-D.rampalli-pedigree] Rampalli, K., "PEDIGREE: Per-Agent Delegation Identity with Governance-Enforced Execution", Work in Progress, Internet-Draft, draft-rampalli-pedigree-01, July 2026, . [I-D.rampalli-scitt-capsule-provenance-binding] Rampalli, K., "Binding Delegation Authorization and Provenance References into SCITT Agent Action Capsules", Work in Progress, Internet-Draft, draft-rampalli-scitt- capsule-provenance-binding-00, July 2026, . [I-D.reece-wimse-cross-org-delegation] Reece, M., "Requirements for Cross-Organization Delegation of Authority to AI Agents", Work in Progress, Internet- Draft, draft-reece-wimse-cross-org-delegation-00, June 2026, . Rampalli Expires 7 January 2027 [Page 14] Internet-Draft Layered Delegation Mapping July 2026 [I-D.schrock-ep-action-evidence-graph] Schrock, I., "Action Evidence Graphs and Evidence Policy Replay for High-Risk Agent Actions (EP-AEG)", Work in Progress, Internet-Draft, draft-schrock-ep-action- evidence-graph-00, July 2026, . [I-D.schrock-ep-authority-introduction] Schrock, I., "Authority Documents and Graded Introduction: Trust Establishment for Agent-Action Evidence Without Prior Federation", Work in Progress, Internet-Draft, draft-schrock-ep-authority-introduction-00, July 2026, . [I-D.schrock-human-authorization-binding] Schrock, I., "Binding Named-Human Authorization Evidence into Agent-Action Records", Work in Progress, Internet- Draft, draft-schrock-human-authorization-binding-00, July 2026, . [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, . [RFC8785] Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, DOI 10.17487/RFC8785, June 2020, . [RFC9421] Backman, A., Ed., Richer, J., Ed., and M. Sporny, "HTTP Message Signatures", RFC 9421, DOI 10.17487/RFC9421, February 2024, . Changes Since -04 * Replaced Section 3.3 with the possession row as reconciled on-list by its supplier (Nguyen-Huu and Bu), including the explicit non- claim of relying-party acceptance, the key-agreement versus connection granularity distinction, and the promised workload-path negative vector. Rampalli Expires 7 January 2027 [Page 15] Internet-Draft Layered Delegation Mapping July 2026 * Added application acceptance as a separate relying-party input in Section 3, and recorded the three cross-row boundaries surfaced on-list (presence versus approval, attribution versus approval, may versus did) as the discipline that keeps the rows conjunctive without inheritance. Changes Since -03 * Added Section 3.3: the possession row as contributed on-list by Thi Nguyen-Huu, completing the named suppliers of the composed stack. The supplier-admitted open evidence entry for the workload path is recorded as such. * The R4 composition cell now points to the supplied possession row. Changes Since -02 * Replaced all three R2 cells and the R2 row note with row text contributed by the requirements author, superseding the interim wording. The root-cell mechanism (authority documents with continuity signatures and graded introduction, per the supplier's companion draft) is recorded under the requirements author's test, with the first-contact bootstrap as the shared, explicit residual. Changes Since -01 * Reframed R2 per a correction from the requirements author: verdicts are now conditional on the anchor-trust mechanism, and unspecified anchor provisioning is recorded as an open item rather than a satisfied assumption. Changes Since -00 * Added Section 3.2: the human-authorization row as contributed on- list by Iman Schrock, in the same template terms as the chain row. * Stated the open evidence entry on the chain row explicitly. * Added informative references for JCS and HTTP status code 428. Acknowledgments This mapping is a record of a discussion, and the discussion did the work. Morgan Reece framed the requirements, asked for the conditional form, corrected the R2 verdicts, and contributed the R2 row text of this revision verbatim. Iman Schrock proposed the two- layer frame, reviewed the EP column of the combined table, contributed the pre-execution human-authorization input class, and Rampalli Expires 7 January 2027 [Page 16] Internet-Draft Layered Delegation Mapping July 2026 supplied the human-authorization row of Section 3.2 in template terms and the R2 provisioning-mechanism correction. Songbo Bu proposed the diagnostically-separate-rows structure and the mapping-table discipline this document keeps itself expressible in. Thi Nguyen-Huu and Songbo Bu supplied and reconciled the possession row of Section 3.3 and the authentication-anchor framing above it. Thanks also to the participants in the WIMSE mailing-list threads in which this mapping developed. Author's Address Karthik Rampalli Glyphzero, Inc. Email: karthik@glyphzerolabs.com Rampalli Expires 7 January 2027 [Page 17]