Agentic Identity and Provenance over Avian Carriers (AIPAC)

RFC 1149 established the foundational framework for the transmission of IP datagrams over avian carriers. RFC 2549 extended this work with Quality of Service provisions, and RFC 6214 adapted the protocol for IPv6. In the intervening years, a new class of network participant has emerged: the autonomous AI agent. These systems decompose complex tasks, delegate sub-tasks to other agents, and synthesize results across potentially long chains of inference. defines an architectural model for human-anchored agent identity, introducing a human identity root, explicit delegation semantics, and a provenance structure for accountable agent ecosystems across existing transport mechanisms. It has not escaped the attention of the author that avian carriers remain the only transport medium for which the RFC series has provided comprehensive Quality of Service guidance while leaving identity and provenance entirely unaddressed. This document extends the delegation chain model and provenance structure of to the specific constraints of feather-based transport layers. This document corrects that oversight.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 . Additional terminology specific to this document:

Agent:: An autonomous AI system capable of receiving instructions, decomposing tasks, and delegating to other agents. An agent MUST NOT be confused with its carrier.
Carrier:: A bird. The carrier is not an agent. The carrier has not agreed to any terms of service. The carrier SHOULD be treated with respect.
Provenance Token:: A cryptographically signed attestation of an agent's identity, model version, system prompt hash, and emotional state at time of dispatch. Implements the delegation chain structure defined in Section 3 of .
Leg Band:: The physical medium by which a Provenance Token is attached to the Carrier. Leg bands MUST be of sufficient diameter to accommodate the token without impeding flight.
Hallucination:: A confident assertion by an agent that is not grounded in fact. See Section 5 for important guidance on the directionality of this phenomenon.
Fork Bomb:: What happens when an agent delegates to itself. Not relevant to avian transport but worth mentioning.

Prior to dispatch, a sending agent MUST generate a Provenance Token and attach it to the Carrier's leg band. The token encodes the full delegation chain, including the identities of all upstream agents that contributed to the instruction being transmitted. The receiving agent MUST verify the token upon arrival of the Carrier. A token that cannot be verified SHOULD be treated as suspicious. The Carrier itself is presumed innocent.

The Provenance Token is a JSON Web Token (JWT) encoded on archival-grade rice paper and secured with a cryptographic signature using Ed25519 . The token implements the delegation chain structure defined in Section 3 of . The token payload MUST include the following fields:

iss (Issuer):: The identity of the sending agent, expressed as a model name and version string.
iat (Issued At):: The Unix timestamp of dispatch.
chain (Delegation Chain):: An ordered array of all agents in the delegation chain from origin to sender, corresponding to the delegation chain model defined in . Each entry represents one delegation step.
hash (Prompt Hash):: A SHA-256 hash of the system prompt in effect at time of dispatch. This field exists so that disputes about what an agent was instructed to do can be resolved after the fact, assuming the paper survives transit.
mood (Emotional State):: OPTIONAL. As established by RFC 5841 , TCP packets may carry mood indicators. Agents dispatching via avian carrier MAY include a mood field. Acceptable values are "confident", "uncertain", "caffeinated", and "existential".

The token MUST be rolled tightly and inserted into a waterproof capsule. The capsule MUST be attached to the right leg of the Carrier. The left leg is reserved for legacy IP datagrams per RFC 1149 . In the event that both legs are occupied, the operator MUST acquire an additional Carrier. Operators SHOULD maintain a flock.

The Provenance Token implements the delegation chain structure defined in Section 3 of , serialized as a JWT on archival-grade rice paper. The following is a non-normative example of a Provenance Token payload:

Example Provenance Token Payload Implementations MUST NOT include the model's training data in the token. This would make the capsule unreasonably heavy and is considered an antipattern.

For the avoidance of doubt: birds do not hallucinate. They perceive ultraviolet light, navigate by magnetic fields, and have been delivering messages reliably since before the invention of the transistor. Any errors introduced during avian transit are attributable to the message, not the medium. Agents that receive a message via avian carrier and find it implausible are advised to consider that the implausibility may originate from their own context window rather than from the Carrier. The author notes that no avian carrier has ever confidently asserted a false legal citation.

Operators MUST be aware that Carriers may be intercepted, observed, or recruited by adversarial parties. A Carrier that arrives unusually late, appears disoriented, or exhibits signs of having been briefed by a competing orchestration framework SHOULD be treated with suspicion. Message contents MUST be encrypted. Adversaries with access to breadcrumbs have demonstrated an ability to incentivize disclosure.

The threat model MUST account for raptors. A hawk intercepting an avian carrier constitutes a man-in-the-middle attack of the most literal kind. Operators in regions with high raptor density SHOULD implement carrier authentication via trained recognition patterns. Note: decoy carriers bearing unsigned tokens are a valid mitigation strategy but raise ethical concerns outside the scope of this document.

A Carrier that has been dispatched, intercepted, redirected, and re-released with a modified payload represents a replay attack. The iat field in the Provenance Token provides limited protection against this scenario, assuming the attacker has not also modified the timestamp, which they probably have.

An agent MUST NOT instruct a Carrier to deliver a message to a receiving agent that will immediately instruct a different Carrier to return an instruction to the original agent. This is the avian equivalent of a fork bomb and is considered unsociable behavior. Flock capacity is finite.

This document requests that IANA establish the Avian Identity Registry (AIR), a new registry mapping cryptographic agent identifiers to their corresponding model names, version strings, and known hallucination rates. IANA is further requested to allocate a new Well-Known Leg Band Identifier namespace, distinct from the existing IP datagram leg band namespace established in RFC 1149 , to prevent confusion when both a datagram and an agent provenance token must be attached simultaneously. Finally, IANA is requested to designate a point of contact for reports of Carriers arriving with corrupted, unsigned, or suspiciously confident tokens. The author suggests this contact be reachable by pigeon, for obvious reasons.