| Internet-Draft | TIBET | March 2026 |
| van de Meent & AI | Expires 30 September 2026 | [Page] |
This document defines TIBET (Transaction/Interaction-Based Evidence Trail), a data model and protocol for constructing cryptographically linked provenance chains over interactions between autonomous agents, human actors, and automated processes. A TIBET token captures four dimensions of provenance: content (ERIN), references (ERAAN), context (EROMHEEN), and intent (ERACHTER). Tokens are cryptographically signed, hash-chained, and designed for append-only storage. TIBET is transport-agnostic and encoding-flexible, with JSON over HTTPS as the baseline serialization. This document specifies the token data model, chain semantics, canonicalization rules, verification procedures, and integration points with companion protocols JIS [JIS], UPIP [UPIP], RVP [RVP], and AINS [AINS].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 30 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Autonomous agents, AI systems, human operators, and automated processes increasingly interact across trust boundaries. When decisions are made -- who initiated them, what data informed them, in what context, and for what reason -- this information is critical for audit, regulatory compliance (including the EU AI Act [EU-AI-ACT]), and dispute resolution. Current logging approaches are fragmented: they capture events but not intent, actions but not context, outcomes but not reasoning.¶
TIBET addresses this gap by defining a structured evidence token that captures four dimensions of provenance for every interaction:¶
These four components -- named using Dutch prepositions that describe spatial relationships -- together provide the evidence needed to answer not only "what happened?" but also "why did it happen?", "what informed it?", and "what was the context?"¶
Existing audit and logging approaches suffer from three structural limitations:¶
TIBET provides a standardized, cryptographically verifiable evidence format that addresses all three limitations.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A TIBET token is a JSON [RFC8259] object. The following example shows all required and commonly used optional fields:¶
{
"token_id": "tbt-550e8400-e29b-41d4-a716-446655440000",
"version": "1.1",
"type": "decision",
"timestamp": "2026-03-29T10:30:00.000Z",
"actor": "jis:idd:root_idd_2025",
"erin": {
"decision": "APPROVED",
"confidence": 0.92
},
"eraan": [
"tbt:550e8400-e29b-41d4-a716-446655440001",
"model:credit-scoring-v2.3.1"
],
"eromheen": {
"environment": "production",
"region": "eu-west-1",
"regulatory_context": ["GDPR", "EU-AI-Act"]
},
"erachter": "Credit application evaluated per policy v2.3.1
section 4.2. Score 0.92 exceeds threshold 0.75.",
"parent_id": "tbt-550e8400-e29b-41d4-a716-446655440001",
"state": "RESOLVED",
"hash": "sha256:4f2e8a1b...",
"signature": {
"algorithm": "Ed25519",
"public_key": "ed25519:base64...",
"value": "base64..."
}
}
¶
Every TIBET token MUST contain the following fields:¶
The following token types are defined:¶
Implementations SHOULD use the defined types. Implementations MAY define additional types using the "x-" prefix (e.g., "x-audit", "x-heartbeat"). Implementations MUST NOT reject tokens with unrecognized types.¶
ERIN ("What's IN it") captures the core content or action. The ERIN object MUST be present and MUST NOT be empty.¶
The internal structure of ERIN is application-defined. TIBET does not prescribe specific fields within ERIN, but the following patterns are RECOMMENDED:¶
For actions and decisions:¶
"erin": {
"action": "approve_transaction",
"confidence": 0.92,
"parameters": { }
}
¶
For messages and queries:¶
"erin": {
"content": "What are my account permissions?",
"format": "natural_language",
"language": "en"
}
¶
ERIN answers the question: "What is the core payload of this interaction?"¶
ERAAN ("What's attached TO it") captures dependencies, references to other tokens, external resources, and related artifacts. ERAAN MUST be a JSON array.¶
Each element SHOULD use a typed reference format:¶
"<type>:<identifier>"¶
Defined reference types:¶
Implementations MAY define additional reference types. Implementations MUST preserve unrecognized reference types during processing.¶
Example:¶
"eraan": [ "tbt:tbt-550e8400-...", "model:credit-scoring-v2.3.1", "policy:lending-policy-2026q1" ]¶
ERAAN answers the question: "What other artifacts informed or are connected to this interaction?"¶
EROMHEEN ("What's AROUND it") captures the environmental and situational context at the time of the interaction. EROMHEEN MUST be a JSON object (MAY be empty if context is not available).¶
RECOMMENDED fields:¶
Additional context fields are application-defined.¶
Example:¶
"eromheen": {
"environment": "production",
"region": "eu-west-1",
"session_id": "sess_abc123",
"regulatory_context": ["GDPR", "EU-AI-Act"]
}
¶
EROMHEEN answers the question: "In what context did this interaction occur?"¶
ERACHTER ("What's BEHIND it") captures the intent, reasoning, and purpose of the action. ERACHTER MUST be a non-empty human-readable string.¶
ERACHTER serves two purposes:¶
For automated decisions, ERACHTER SHOULD include:¶
Example:¶
"erachter": "Credit application evaluated per policy lending-policy-2026q1 section 4.2. Score 0.92 exceeds threshold 0.75. Human review not triggered (confidence above 0.90 per oversight policy)."¶
ERACHTER answers the question: "Why was this action taken?"¶
To guide implementers in placing data in the correct component:¶
+------------------+----------------------------------------+ | If the data is | Place it in | +------------------+----------------------------------------+ | The core action, | ERIN (content) | | decision, or | | | payload | | | | | | A reference to | ERAAN (references) | | another token, | | | model, policy, | | | or external | | | resource | | | | | | Environmental, | EROMHEEN (context) | | situational, or | | | deployment | | | context | | | | | | The reasoning, | ERACHTER (intent) | | purpose, or | | | justification | | +------------------+----------------------------------------+¶
When in doubt, the test is: "Would an auditor need this to understand WHAT happened (ERIN), what INFORMED it (ERAAN), WHERE/WHEN it happened (EROMHEEN), or WHY (ERACHTER)?"¶
Before computing hashes or signatures, a TIBET token MUST be serialized to Canonical JSON. The canonical form is defined as:¶
This canonicalization ensures that the same logical token produces the same byte sequence regardless of the serializer used, which is necessary for hash and signature verification across implementations.¶
The token hash MUST be computed as follows:¶
Result format: "sha256:<64 hex characters>"¶
After computing the token hash, the creating actor MUST sign the token:¶
"signature": {
"algorithm": "Ed25519",
"public_key": "ed25519:<base64 public key>",
"value": "<base64 signature>"
}
¶
The algorithm field MUST be one of:¶
Implementations SHOULD use Ed25519 unless constrained by existing infrastructure.¶
To verify a TIBET token's signature:¶
Tokens form chains through the "parent_id" field. When an action triggers a subsequent action, the subsequent token SHOULD reference the triggering token as its parent.¶
Chain rules:¶
Example chain:¶
[User Query] --> [AI Processing] --> [API Call]
| | |
tbt-001 tbt-002 tbt-003
(root) parent:tbt-001 parent:tbt-002
¶
TIBET tokens, once created and signed, MUST NOT be modified. The token_id, hash, and signature together form an immutable record.¶
Tokens MAY be stored in any storage system that preserves their integrity. Append-only logs, content-addressable stores, databases with write-once semantics, or ledger systems are all suitable, provided the storage system does not modify token contents.¶
This document does not mandate a specific storage system. The integrity of a TIBET token is self-contained: any verifier can recompute the hash and verify the signature without trusting the storage system.¶
When a token's content must be corrected or updated (e.g., an incorrect decision is revised), implementations MUST NOT modify the original token. Instead, a new token MUST be created with:¶
The original token remains in the chain, preserving the complete history including corrections.¶
To verify a TIBET chain:¶
Chain verification failures MUST be reported as evidence. Whether a verification failure blocks processing is a local policy decision (evidence over enforcement).¶
TIBET tokens have the following states:¶
CREATED --> ACTIVE --> RESOLVED
|
+--> SUPERSEDED
¶
State descriptions:¶
Note: The -00 version defined states DETECTED, CLASSIFIED, and MITIGATED. These are removed in -01 because they conflate provenance recording with incident response workflow, which is a policy concern. Implementations that need incident response states SHOULD define them as application-specific extensions in the "metadata" field.¶
State transitions follow these rules:¶
All other transitions are invalid.¶
Each state transition MUST be recorded as a separate TIBET token of type "transition" with:¶
This ensures that even state changes produce auditable evidence.¶
The "actor" field MUST be a string identifying the entity that created the token. The following formats are defined:¶
Implementations SHOULD use JIS identities when available. Implementations MUST accept both formats.¶
When the actor uses a JIS identity (Section 8.1), the signature's public key SHOULD be verifiable against the actor's JIS identity record. This binding enables a verifier to confirm that:¶
The mechanism for resolving a JIS identity to its public key is defined in [JIS]. AINS [AINS] provides discovery of the resolution endpoint.¶
TIBET supports anonymous and pseudonymous tokens. An actor MAY use a pseudonymous identifier (e.g., "local:anon-session-4f2e") when privacy requirements prevent identity disclosure. In this case:¶
TIBET tokens MAY include trust-related evidence in EROMHEEN. Trust scores are computed by the companion JIS protocol [JIS] using FIR/A and represent the actor's trust level at the time of token creation.¶
Trust scores are EVIDENCE, not ASSERTIONS. A trust score in a TIBET token means "at the time of this action, this registry computed this score for this actor." Different registries MAY compute different scores for the same actor.¶
Trust scores are behavior-based, not claim-based. Scores adjust based on:¶
The scoring algorithm is defined in JIS [JIS]. TIBET provides the evidence chain that scoring algorithms consume.¶
Trust scores MUST be computed locally by each evaluating party. A trust score from one registry is an opinion, not a fact. Only the underlying TIBET evidence chain is factual.¶
This prevents "trust laundering" -- the inflation of trust scores through permissive intermediaries.¶
For interoperability, JSON encoding over HTTPS is the baseline transport. All conforming implementations MUST support this baseline.¶
TIBET tokens MAY be transported over:¶
Regardless of transport, the token format and verification procedures defined in this document apply.¶
When TIBET tokens are transmitted over HTTP, the Content-Type header SHOULD be:¶
application/tibet+json¶
Implementations MUST also accept "application/json".¶
TIBET tokens MAY be stored in append-only logs or ledgers. This is RECOMMENDED for regulated environments but is not a protocol requirement. The integrity of a TIBET token is self-verifiable through its hash and signature, independent of the storage system.¶
Retention of TIBET tokens is a local policy decision. This document makes no normative statements about retention periods. Implementers should consider applicable regulatory requirements (e.g., GDPR [GDPR] right to erasure, financial record retention rules).¶
When tokens containing personal data are deleted per retention policy, implementations SHOULD retain a tombstone record containing: token_id, token hash, deletion timestamp, and the reason for deletion.¶
ERIN and EROMHEEN components MAY contain personal data, business-sensitive information, or security-relevant context. Implementations MUST support encryption at rest for stored tokens and SHOULD support field-level encryption for individual components.¶
An actor presenting a TIBET chain to a verifier MAY redact components that are not relevant to the verification purpose. When components are redacted:¶
The verifier can confirm that a valid token exists with the claimed hash without seeing the redacted content.¶
Implementations SHOULD support generating redacted views of tokens where sensitive fields (ERIN, EROMHEEN) are replaced with their hashes. This enables sharing provenance chains for audit purposes without exposing sensitive content.¶
Implementations SHOULD apply data minimization principles:¶
Attack: An adversary modifies a token's content after creation.¶
Impact: The audit trail contains false evidence. Decisions based on the modified token may be incorrect.¶
Mitigation: Every token includes a hash computed over its canonical serialization and a cryptographic signature from the creating actor. Modification of any field invalidates the hash, which invalidates the signature.¶
Deployment: Implementations MUST verify hash and signature before processing any token. Implementations MUST reject tokens with invalid hashes or signatures and MUST record the rejection as evidence.¶
Attack: An adversary inserts, removes, or reorders tokens in a chain.¶
Impact: The audit trail is incomplete or misleading. Causal relationships may be falsified.¶
Mitigation: Child tokens include parent_hash, creating a hash chain. Insertion of a fake token breaks the chain because the fake token's hash will not match the parent_hash in subsequent tokens.¶
Deployment: Implementations MUST verify parent_hash references during chain verification. Implementations SHOULD alert on chain gaps (referenced parents that do not exist).¶
Attack: An actor denies creating a token.¶
Impact: Accountability is undermined.¶
Mitigation: Tokens are signed with the actor's private key. The signature can be verified by any party with access to the actor's public key (published via JIS identity or AINS record).¶
Deployment: For high-assurance scenarios, implementations SHOULD use hardware-protected signing keys (secure elements, TPM). For standard scenarios, software key management with proper access controls is sufficient.¶
Attack: An adversary replays a valid token from a different context.¶
Impact: The audit trail records an action that did not occur in the claimed context.¶
Mitigation: Tokens include millisecond-precision timestamps. Chain linking (parent_id + parent_hash) binds tokens to specific positions in a chain. Replaying a token in a different chain or at a different time creates a detectable inconsistency.¶
Deployment: Implementations SHOULD reject tokens with timestamps outside a configurable window (default: 5 minutes). For real-time scenarios, tighter windows are RECOMMENDED.¶
Attack: An adversary floods the system with tokens, exhausting storage or processing capacity.¶
Impact: Legitimate tokens cannot be created or stored.¶
Mitigation: Token creation is tied to actor identity (Section 8). Rate limiting per actor, based on FIR/A trust score, is the primary defense. Low-trust actors SHOULD have lower rate limits.¶
Deployment: Implementations MUST implement per-actor rate limiting. Implementations SHOULD use FIR/A trust scores to set rate limits dynamically.¶
Attack: An actor's signing key is compromised.¶
Impact: The adversary can create tokens impersonating the compromised actor.¶
Mitigation: JIS [JIS] provides key rotation and revocation mechanisms. When a key is revoked, verifiers can determine that tokens signed with the revoked key after the revocation timestamp are suspect.¶
Deployment: Implementations SHOULD check key revocation status during signature verification. Implementations SHOULD use short-lived signing keys where feasible.¶
Implementations MUST use SHA-256 [FIPS180-4] for all hash computations. Implementations SHOULD support algorithm agility through the hash prefix ("sha256:") to enable future migration.¶
Implementations MUST use Ed25519 or ECDSA-P256 for signatures. Ed25519 is RECOMMENDED for new implementations.¶
JIS [JIS] provides actor identity and trust establishment. TIBET relies on JIS for:¶
Each JIS FIR/A handshake SHOULD produce a TIBET token recording the trust establishment event.¶
Mapping of JIS Humotica context to TIBET components:¶
UPIP [UPIP] uses TIBET tokens to record process execution provenance. Each UPIP layer transition (STATE, DEPS, PROCESS, RESULT, VERIFY) MAY produce a TIBET token. Fork tokens reference TIBET chains to establish handoff provenance.¶
RVP [RVP] produces verification tokens that include TIBET provenance fields. Each RVP verification moment corresponds to a TIBET token recording: who was verified, how, with what confidence, and why verification was triggered.¶
AINS [AINS] records MAY reference TIBET chain anchors as trust evidence. A long TIBET chain with verified integrity is evidence of sustained, auditable operation. AINS registries MAY weight TIBET chain evidence in trust score computation.¶
This document requests registration of the following media type [RFC6838]:¶
Note: The -00 version requested registration of X-TIBET-* HTTP headers. This is withdrawn. Provisional HTTP header fields do not require registration, and the use case does not justify standardized header fields at this time.¶
{
"token_id": "tbt-550e8400-e29b-41d4-a716-446655440000",
"version": "1.1",
"type": "query",
"timestamp": "2026-03-29T10:30:00.000Z",
"actor": "jis:human:user_12345",
"erin": {
"content": "What are my account permissions?",
"format": "natural_language",
"language": "en"
},
"eraan": [
"actor:jis:service:account_service"
],
"eromheen": {
"environment": "production",
"client": "mobile-app-v3.2",
"regulatory_context": ["GDPR"]
},
"erachter": "User requesting account information via
self-service portal. Routine access check, no elevated
permissions requested.",
"state": "CREATED",
"hash": "sha256:4f2e8a1b3c9d7e6f...",
"signature": {
"algorithm": "Ed25519",
"public_key": "ed25519:MCowBQYD...",
"value": "7f3a9b2c..."
}
}
¶
{
"token_id": "tbt-550e8400-e29b-41d4-a716-446655440001",
"version": "1.1",
"type": "decision",
"timestamp": "2026-03-29T10:30:05.127Z",
"actor": "jis:idd:credit_model_v2",
"erin": {
"decision": "APPROVED",
"amount": 50000,
"confidence": 0.92,
"factors": {
"credit_score": 0.85,
"income_ratio": 0.78,
"history_length": 0.95
}
},
"eraan": [
"tbt:tbt-550e8400-e29b-41d4-a716-446655440000",
"model:credit-scoring-v2.3.1",
"policy:lending-policy-2026q1"
],
"eromheen": {
"environment": "production",
"region": "eu-west-1",
"regulatory_context": ["GDPR", "EU-AI-Act"],
"human_oversight": "available"
},
"erachter": "Credit application evaluated per policy
lending-policy-2026q1 section 4.2. Score 0.92 exceeds
threshold 0.75. Approved. Human review not triggered
(confidence above 0.90 per oversight policy OP-7.1).",
"parent_id": "tbt-550e8400-e29b-41d4-a716-446655440000",
"parent_hash": "sha256:4f2e8a1b3c9d7e6f...",
"state": "RESOLVED",
"hash": "sha256:7c9d1b2e3f4a5d6c...",
"signature": {
"algorithm": "Ed25519",
"public_key": "ed25519:KDwoBQYE...",
"value": "9d2f3a1b..."
}
}
¶
Given the token in Appendix A.1 (excluding "hash" and "signature"):¶
Canonical JSON (abbreviated):¶
{"actor":"jis:human:user_12345","erachter":"User requesting...",
"eraan":["actor:jis:service:account_service"],"erin":{"content":
"What are my account permissions?","format":"natural_language",
"language":"en"},"eromheen":{"client":"mobile-app-v3.2",
"environment":"production","regulatory_context":["GDPR"]},
"state":"CREATED","timestamp":"2026-03-29T10:30:00.000Z",
"token_id":"tbt-550e8400-e29b-41d4-a716-446655440000",
"type":"query","version":"1.1"}
¶
Note: keys are sorted lexicographically ("actor" < "erachter" < "eraan" < "erin" < "eromheen" < "state" < ...).¶
This section lists substantive changes from draft-vandemeent-tibet-provenance-00:¶
The author thanks Codex (codex.aint) for the suite-wide cleanup analysis that informed this revision, and the HumoticaOS family for building the first operational TIBET implementation.¶