| Internet-Draft | WCA | March 2026 |
| Bondar | Expires 2 September 2026 | |
Large Language Model (LLM)-based agent systems increasingly invoke external tools and data sources, yet the epistemic provenance of consumed data remains architecturally unregulated. Data crossing tool-call boundaries acquires the apparent trustworthiness of the interface rather than reflecting the institutional standing of its actual source -- a phenomenon termed "semantic laundering."
This document specifies the Warrant Certificate Authority (WCA): an end-to-end cryptographic attestation infrastructure that certifies data sources, not data content. WCA introduces a provenance layer satisfying reference monitor properties (complete mediation, tamperproofness, verifiability) for all agent-to-tool interactions. The architecture draws on the PKI trust model, OS provenance paradigms (IMA, CamFlow, LPM), and supply-chain security frameworks (SLSA, in-toto).
This document defines data structures for tool-call attestation, warrant certificates, and a trust hierarchy of certificate authorities. It specifies the provenance-layer protocol and introduces Warrant Attestation Levels (WAL-0 through WAL-3) as a graduated adoption framework analogous to SLSA build levels.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 2 September 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
The rapid deployment of Large Language Model (LLM)-based agent architectures has created a category of data provenance risk that existing security frameworks do not address. When AI agents invoke external tools -- APIs, databases, web scrapers, knowledge graphs -- they implicitly trust the data returned. A response from a trusted API may have originated from a retracted study passed through several interpretive layers, yet the agent treats all tool outputs uniformly as "tool output," conflating the channel's trustworthiness with the content's actual provenance.
This problem is structurally analogous to the blockchain oracle problem [CHAINLINK], where smart contracts must rely on external data feeds without the ability to verify their correctness on-chain. However, AI-agent systems face an additional dimension: not merely data accuracy, but preservation of epistemic justification across architectural boundaries.
Prior work [SEMANTIC-LAUNDERING] formalized two phenomena:
Warrant Erosion: the inevitable degradation of epistemic justification through interpretive processing.
Semantic Laundering: the acquisition of unwarranted credibility by data crossing trusted tool boundaries, constituting a channel-to-content trust conflation.
The same authors [RESPONSIBILITY-VACUUM] demonstrated that human oversight undergoes a phase transition from genuine evaluation to ritualized approval at sufficient throughput, establishing that content-evaluating mediators cannot scale.
This document specifies the Warrant Certificate Authority (WCA), an infrastructure that certifies data sources rather than data content. The key insight is architectural: just as PKI Certificate Authorities certify server identity without evaluating web page content, WCA certifies the institutional standing of data sources without judging the truth of individual responses.
This design is structurally analogous to provenance layers in operating systems:
IMA (Integrity Measurement Architecture) [IMA] tracks what code ran on a system via kernel-level measurement and TPM anchoring.
CamFlow [CAMFLOW] tracks all information flows as a provenance monitor satisfying the reference monitor concept.
LPM (Linux Provenance Modules) [LPM] provides 170 provenance hooks parallel to LSM security hooks with 2.7% overhead.
PASS [PASS] introduced provenance-aware storage at the filesystem level.
None of these systems evaluate the correctness or meaning of the data they track. They provide complete, tamperproof, verifiable records of what happened. WCA provides the same for AI agent tool calls: not judgment, but attestation.
This document makes the following contributions:
Specification of data structures for tool-call attestation, warrant certificates, and a hierarchical trust model for certificate authorities.
A provenance-layer protocol satisfying reference monitor properties (complete mediation, tamperproofness, verifiability) for AI agent tool calls.
Warrant Attestation Levels (WAL-0 through WAL-3): a graduated adoption framework analogous to SLSA [SLSA] build levels, providing practical deployment milestones.
Non-interference requirements and mitigation strategies for mediated self-licensing risks.
Security analysis covering response substitution, self-licensing, replay attacks, source impersonation, and attestation log tampering.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
The following terms are used throughout this document:
Agent: An LLM-based system that invokes external tools and data sources to accomplish tasks.
Tool-Call Attestation: A cryptographically signed record binding a specific query to a specific response from an identified source at a specific time.
Attestation Log: An append-only, hash-chained sequence of attestation records maintained by the provenance layer.
Channel-to-Content Trust Conflation: The error of treating a communication channel's trustworthiness as evidence for the trustworthiness of specific data transmitted through that channel.
Domain WCA: An intermediate certificate authority covering a specific epistemic domain, subordinate to a Root WCA.
Epistemic Domain: A bounded field of knowledge within which a source's institutional authority applies (e.g., "pharmacology", "legal-records").
Epistemic Warrant: The structured justification backing a proposition, comprising observations, inference rules, and institutional attestations. WCA operationalizes only the institutional attestation component.
Institutional Anchor: The organizational basis for a source's authority within its epistemic domain.
Non-Interference: The condition that an agent is purely a consumer of registered source data, with no pathway to modify or influence what registered sources store or return.
Provenance Layer: The mandatory intermediary component that mediates all tool calls between agent and external sources.
Root WCA: The top-level certificate authority in a WCA hierarchy.
Semantic Laundering: The phenomenon whereby weakly warranted data acquires unwarranted epistemic status by crossing a trusted tool-call boundary.
Self-Licensing: The condition where an agent generates a proposition and subsequently treats it as externally warranted.
Source: An external system that provides data to agents via tool calls.
Trusted Source Registry (R): A registry maintained by WCA operators containing registered sources with their public keys, epistemic domains, and institutional anchors.
Warrant Certificate (WC): A compound data structure comprising a tool-call attestation, the source's certificate, and a chain proof to a trusted Root WCA.
Warrant Attestation Level (WAL): One of four graduated levels (WAL-0 through WAL-3) specifying increasing provenance guarantees for agent systems.
W_institutional(s, D): The institutional warrant of source s in domain D.
Epistemic warrant is a structured object, not a scalar:

   warrant(p) = <O, I, S>
   where:
     O = {observations grounding p}
     I = {admissible inference rules deriving p from O}
     S = {signed attestations from institutional sources}

For any interpretive process f:

   warrant(f(p)) is a subset of warrant(p) by O and I

Interpretation can only lose observations and inference rules, never gain them. This is the Warrant Erosion Principle [SEMANTIC-LAUNDERING].
Semantic laundering occurs when:

   Laundering(p, t) iff
     S(p) = {} AND trusted(t) AND agent_assigns(W(p) >= W_min)

Data without institutional attestation gains "warranted" status solely by crossing a trusted tool-call interface. This constitutes channel-to-content trust conflation.
For any mediator M that evaluates content:

   evaluates_content(M) implies
     there exists boundary b_M such that
       Laundering(p, b_M) is possible

The argument proceeds in four steps: (a) M must identify proposition boundaries (semantic judgment), (b) M must define canonical representations (representational assumptions), (c) M must assign warrant status (ritualizes under throughput [RESPONSIBILITY-VACUUM]), (d) M's "certified" label becomes a new laundering channel.
This result motivates WCA's design: certify sources, not content.
WCA certifies sources, not content. This distinction avoids the mediator vulnerability. Evaluating content requires semantic judgment that scales poorly; certifying provenance requires only identity verification and institutional audit -- operations performed at registration time, not per-query.
A WCA deployment consists of:
Root WCA: Top-level certificate authority.
Domain WCAs: Intermediate CAs for specific epistemic domains.
Trusted Source Registry (R): Authorized data sources with keys and domain assignments.
Provenance Layer: Enforcement component mediating all tool calls.
Attestation Log (L): Append-only, hash-chained transaction log.
Registered Sources: Data providers implementing WCA signing.

   +--------------+
   |  LLM Agent   |
   +------+-------+
          | query q + nonce n
          v
   +------+---------------------------+
   |         PROVENANCE LAYER         |
   |  +-----------------------------+ |
   |  | 1. Log outgoing query       | |
   |  | 2. Lookup source in R       | |
   |  | 3. Route query to source    | |
   |  | 4. Receive signed response  | |
   |  | 5. Verify signature + cert  | |
   |  | 6. Build warrant certificate| |
   |  | 7. Append to attestation log| |
   |  | 8. Deliver (r, WC) or REJECT| |
   |  +-----------------------------+ |
   +------+---------------------------+
          | response r + WC (or rejection)
          v
   +------+-------+
   |Tool / Source |
   |  (signs r)   |
   +--------------+

   {
     "source_id": "urn:wca:source:<name>",
     "public_key": "<SubjectPublicKeyInfo>",
     "domain": "urn:wca:domain:<domain-name>",
     "anchor": { "organization": "...", "basis": "..." },
     "valid_from": "<DateTime>",
     "valid_until": "<DateTime>",
     "issuer_wca": "urn:wca:authority:<wca-name>",
     "revocation": { "crl_uri": "...", "ocsp_uri": "..." }
   }

source_id: Globally unique URI using the "urn:wca:source:" prefix.
domain: MUST be from the WCA Epistemic Domain Registry (Section 12.3).
anchor: Institutional basis for authority, populated during registration audit.
valid_from / valid_until: Validity period. Source certificates SHOULD have a maximum validity of one year. Renewal requires re-audit.
For query q from agent a to source s returning response r:

   signature = Sign(K_priv_s,
                    H(query || response || timestamp ||
                      nonce || agent_id))

where Sign() is ECDSA-P256-SHA256 [RFC6979] or Ed25519 [RFC8032], H() is SHA-256 [RFC6234], and || denotes concatenation of canonical byte encodings.
Each field MUST be prefixed with a 4-byte big-endian length followed by the field bytes.
The source MUST sign the binding of all five components. Nonce inclusion prevents replay; agent_id inclusion prevents cross-agent substitution.
Protocol:
1. Agent generates query q and cryptographically random nonce n (>= 16 bytes).
2. Provenance layer forwards (q, agent_id, n) to source s.
3. Source computes response r.
4. Source obtains timestamp tau from a trusted time source.
5. Source computes signature.
6. Source returns (r, tau, signature).
7. Provenance layer verifies using K_pub_s from R.
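
The binding rule and the verification step above, as an added Go example using only the standard library (not code from the draft). The type and function names, the all-zero demo key seed and the second agent identifier are assumptions; Ed25519 is applied to the SHA-256 digest, following the draft's Sign(K, H(...)) form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Binding holds the five components the source must sign together.
type Binding struct {
	Query, Response, Timestamp, Nonce, AgentID []byte
}

// Digest returns H(query || response || timestamp || nonce || agent_id), each
// field prefixed by its 4-byte big-endian length so field boundaries cannot shift.
func (b Binding) Digest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{b.Query, b.Response, b.Timestamp, b.Nonce, b.AgentID} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// LayerVerify is the provenance-layer side. It rebuilds the binding from the query,
// nonce and agent_id it sent itself plus the returned (r, tau) before verifying.
func LayerVerify(pub ed25519.PublicKey, sent Binding, r, tau, sig []byte) bool {
	if len(sent.Nonce) < 16 {
		return false // the draft requires nonces of at least 16 bytes
	}
	sent.Response, sent.Timestamp = r, tau
	return ed25519.Verify(pub, sent.Digest(), sig)
}

// NewNonce returns 16 cryptographically random bytes.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Demo runs one honest exchange and three failure cases on constructed data.
func Demo() map[string]bool {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed, demo only
	pub := priv.Public().(ed25519.PublicKey)
	sent := Binding{Query: []byte("GET /interactions?drug_a=ibuprofen&drug_b=warfarin"),
		Nonce: NewNonce(), AgentID: []byte("urn:agent:medical-advisor-v2")}
	r, tau := []byte(`{"interaction":"major"}`), []byte("2026-02-12T14:30:00Z")
	signed := sent
	signed.Response, signed.Timestamp = r, tau
	sig := ed25519.Sign(priv, signed.Digest()) // source side: sign with K_priv_s
	replay, other := sent, sent
	replay.Nonce = NewNonce()                            // a later query with a fresh nonce
	other.AgentID = []byte("urn:agent:some-other-agent") // constructed second agent
	return map[string]bool{
		"honest":      LayerVerify(pub, sent, r, tau, sig),
		"substituted": LayerVerify(pub, sent, []byte(`{"interaction":"none"}`), tau, sig),
		"replayed":    LayerVerify(pub, replay, r, tau, sig),
		"cross-agent": LayerVerify(pub, other, r, tau, sig),
	}
}

func main() { fmt.Println(Demo()) }
```

Because the layer verifies against the nonce and agent_id it recorded, not values echoed by the source, a signature captured from an earlier exchange fails for any later query.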

   {
     "attestation": "<ToolCallAttestation>",
     "source_certificate": "<SourceCertificate>",
     "chain_proof": ["<CertificateChainEntry>"]
   }

The SourceCertificate issuer_signature is:

   issuer_signature = Sign(K_priv_WCA,
                           H(source_id || public_key ||
                             domain || anchor ||
                             valid_from || valid_until))

   {
     "wca_id": "urn:wca:authority:<name>",
     "public_key": "<SubjectPublicKeyInfo>",
     "domain_scope": ["urn:wca:domain:<d1>", "..."],
     "trust_anchor": { "organization": "...", "basis": "..." },
     "parent_wca": "urn:wca:authority:<parent>" or null,
     "valid_from": "<DateTime>",
     "valid_until": "<DateTime>",
     "parent_signature": "<OCTET STRING>" or null
   }

Root WCA certificates are self-signed. Domain WCA certificates MUST be signed by their parent WCA. WCA key pairs MUST be generated and stored in HSMs. Root WCA key generation MUST use multi-party key ceremony procedures.

   {
     "sequence_number": 42,
     "query": "<exact bytes>",
     "source_id": "urn:wca:source:<name>",
     "response": "<exact bytes>",
     "signature": "<base64>",
     "timestamp": "<DateTime>",
     "warrant_cert": "<WarrantCertificate>",
     "previous_hash": "<hex>",
     "entry_hash": "<hex>"
   }

entry_hash is computed over all preceding fields. previous_hash links to the predecessor. The log MUST be append-only. Implementations SHOULD periodically commit the chain head to an external transparency log.
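
An added Go example (not code from the draft) of the hash chain and of why the chain head is committed externally: an in-place edit breaks the chain at the edited entry, while a fully re-hashed rewrite or a truncation is only caught by comparing against the anchored head. Assumptions: fields are serialized as JSON in declaration order, the first entry has an empty previous_hash, sequence numbers start at 0, and the source identifier and responses are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry mirrors the draft's log record; WarrantCert is kept opaque here.
type Entry struct {
	Seq                                                          uint64
	Query, SourceID, Response, Signature, Timestamp, WarrantCert string
	PreviousHash, EntryHash                                      string
}

// hashEntry hashes every field that precedes entry_hash. Assumption: JSON in
// declaration order is the serialization; the draft does not fix one.
func hashEntry(e Entry) string {
	e.EntryHash = ""
	b, _ := json.Marshal(e) // cannot fail for a struct of strings and integers
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links e to the current chain head and returns the extended log.
// Assumption: the first entry carries an empty previous_hash.
func Append(log []Entry, e Entry) []Entry {
	e.Seq, e.PreviousHash = uint64(len(log)), ""
	if len(log) > 0 {
		e.PreviousHash = log[len(log)-1].EntryHash
	}
	e.EntryHash = hashEntry(e)
	return append(log, e)
}

// Verify returns -1 if the chain is intact and ends at anchoredHead, the index
// of the first broken entry otherwise, or len(log) if the chain is internally
// consistent but does not end at the anchored head (rewritten or truncated).
func Verify(log []Entry, anchoredHead string) int {
	prev := ""
	for i, e := range log {
		if e.Seq != uint64(i) || e.PreviousHash != prev || e.EntryHash != hashEntry(e) {
			return i
		}
		prev = e.EntryHash
	}
	if prev != anchoredHead {
		return len(log)
	}
	return -1
}

// Scenarios checks an intact log, an in-place edit, a re-hashed rewrite and a
// truncation against the same anchored head (all records are constructed).
func Scenarios() [4]int {
	src := "urn:wca:source:example" // constructed placeholder source
	log, forged := []Entry{}, []Entry{}
	for _, r := range []string{"r0", "r1", "r2"} {
		log = Append(log, Entry{SourceID: src, Response: r})
		forged = Append(forged, Entry{SourceID: src, Response: r + "-forged"})
	}
	head := log[len(log)-1].EntryHash // value committed to the external log
	edited := append([]Entry{}, log...)
	edited[1].Response = "forged" // entry_hash left stale
	return [4]int{Verify(log, head), Verify(edited, head), Verify(forged, head), Verify(log[:2], head)}
}

func main() { fmt.Println(Scenarios()) }
```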
MUST have certificate signed by Root or parent Domain WCA.
MUST specify domain_scope.
MUST perform institutional audit before issuing source certificates.
MUST maintain CRL or operate OCSP responder.
Example hierarchy:

   Root WCA (global trust anchor)
     |
     +-- Health WCA (medicine, pharmacology, genomics)
     |     +-- urn:wca:source:fda-druginteractions-v3
     |     +-- urn:wca:source:pubmed-api-v2
     |
     +-- Legal WCA (legal-records, court-rulings)
     |     +-- urn:wca:source:pacer-federal-courts
     |
     +-- Meteorological WCA (weather, climate)
           +-- urn:wca:source:noaa-weather-api-v3

Issuance requires: (1) institutional audit, (2) key verification, (3) domain validation. Certificates SHOULD have maximum one-year validity. Renewal MUST include re-audit.
Issuance -> Active -> Renewal (with re-audit) or Revocation. Revocation triggers: key compromise, institutional standing change, misrepresentation of data sourcing, WCA operator determination.
Provenance layer MUST check revocation before accepting signatures. Implementations SHOULD cache revocation status (max 24 hours).
1. Agent submits query q with fresh nonce n. Provenance layer records (q, agent_id, n, timestamp_local).
2. Consult R; verify source is registered and certificate is valid. If invalid, MUST reject and log rejection with reason code.
3. Forward (q, agent_id, n) to source over authenticated channel. SHOULD use mTLS.
4. Source computes r, obtains tau, signs binding, returns (r, tau, signature).
5. Verify using K_pub_s from Cert_s. On failure, MUST reject, MUST log failure, MUST NOT deliver to agent.
6. Assemble WC = (Att(q,s,r), Cert_s, ChainProof).
7. Append e_i = (seq_i, q, s_id, r, signature, tau, WC, H(e_{i-1})).
8. Deliver (r, WC) or rejection notice. Rejected data MUST NOT enter agent reasoning context.
Warrant assignment upon delivery:

   W(r | valid WC from source s in domain D) = W_institutional(s, D)
   W(r | invalid WC or absent WC) = 0

The provenance layer MUST satisfy three properties per [ANDERSON] and [CAMFLOW]:
RM1 (Complete Mediation): Every external data access by the agent MUST pass through the provenance layer. The agent MUST NOT have direct network access to external sources. SHOULD be enforced via network isolation.
RM2 (Tamperproofness): Attestation log MUST be append-only and hash-chained.
RM3 (Verifiability): Any party with log access and public keys MUST be able to independently verify every entry.
The log MUST be append-only and hash-chained. Implementations SHOULD replicate to external audit services. SHOULD define retention policy per regulatory context. SHOULD periodically commit chain head to external transparency log.
WAL-0 (No Provenance): Baseline state. No guarantees. Default for current agent systems.
WAL-1 (Provenance Exists): Source identification recorded; cryptographic verification MAY be absent. Provenance layer MUST log source identity and responses. Post-hoc attribution possible but not cryptographically verified. Adoption cost: minimal (middleware only).
WAL-2 (Signed Provenance): Sources MUST sign responses per Section 5.2. Source keys MUST be certified by Domain WCA. Provenance layer MUST verify signatures. Guarantees: query-response binding, source authenticity, anti-laundering bound. Adoption cost: moderate.
WAL-3 (Full Verification): Provenance layer MUST satisfy RM1-RM3. All tool calls MUST be logged in hash-chained attestation log. Agents MUST generate signed queries with nonces. Non-interference MUST be enforced or M2 MUST be implemented (Section 9.3). Guarantees: all five security properties (Appendix A). Adoption cost: highest.
| Use Case | Min WAL | Rationale |
|---|---|---|
| Exploratory research | WAL-0 | Low stakes |
| General info retrieval | WAL-1 | Post-hoc review |
| Business intelligence | WAL-2 | Source verify |
| Medical decision support | WAL-3 | Safety-critical |
| Legal research | WAL-3 | Regulatory |
| Financial trading | WAL-3 | Fiduciary duty |
Phase 1 (WAL-0 to WAL-1): Deploy logging middleware.
Phase 2 (WAL-1 to WAL-2): Source signing + Domain WCA setup.
Phase 3 (WAL-2 to WAL-3): Full RM1-RM3 + attestation log.
Agent a satisfies non-interference w.r.t. registry R iff:
NI-1: a has no write access to any registered source s in R.
NI-2: a does not control or operate any registered source s in R.
NI-3: a cannot influence the stored state of any upstream system feeding s in R.
WAL-3 deployments MUST enforce non-interference or implement an equivalent mitigation.
When NI-1 is violated, the following loop is possible:
1. Agent generates content.
2. Agent writes content to registered source.
3. Agent queries that source.
4. Source returns content with valid signature.
5. Provenance layer issues WC.
6. Agent's own content carries institutional warrant.
TLA+ model checking confirms: with non-interference, 286 states explored, no self-licensing. Without: counterexample in 3 transitions.
WAL-3 deployments MUST enforce at least one:
Read-only access to registered sources. Strongest mitigation.
If data in source was written by agent a, queries from a receive W = 0.
Agent-written data undergoes institutional process (peer review, QA) before becoming queryable with warrant.
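
The self-licensing loop and two of the mitigations above, as an added Go example (not the draft's TLA+ specification, and far smaller, so its state counts are not comparable with the 286 states reported). The State and Config types, the single tracked proposition p and the name WriteTagging for the W = 0 rule on agent-written data are assumptions of this sketch.

```go
package main

import "fmt"

// State tracks one proposition p that the agent itself generated.
type State struct {
	Generated bool // agent has produced p
	InSource  bool // p is stored in a registered source
	Warranted bool // agent holds p with a valid WC, i.e. W(p) > 0
}

// Config selects which safeguards are active in the model.
type Config struct {
	NonInterference bool // agent has no write path to the registered source
	WriteTagging    bool // data written by the agent comes back to it with W = 0
}

type step struct {
	name string
	next State
}

// successors lists the transitions enabled in s under cfg.
func successors(s State, cfg Config) []step {
	var out []step
	if !s.Generated {
		out = append(out, step{"agent generates p", State{true, s.InSource, s.Warranted}})
	}
	if s.Generated && !s.InSource && !cfg.NonInterference {
		out = append(out, step{"agent writes p to source", State{true, true, s.Warranted}})
	}
	if s.InSource && !s.Warranted && !cfg.WriteTagging {
		out = append(out, step{"agent queries source, layer issues WC", State{true, true, true}})
	}
	return out
}

// FindSelfLicensing searches breadth-first for the shortest trace to a state in
// which the agent's own p is warranted; a nil trace means the invariant holds.
func FindSelfLicensing(cfg Config) (trace []string, explored int) {
	type node struct {
		s    State
		path []string
	}
	seen := map[State]bool{State{}: true}
	queue := []node{{}}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n.s.Warranted {
			return n.path, len(seen)
		}
		for _, st := range successors(n.s, cfg) {
			if !seen[st.next] {
				seen[st.next] = true
				path := append(append([]string{}, n.path...), st.name)
				queue = append(queue, node{st.next, path})
			}
		}
	}
	return nil, len(seen)
}

func main() {
	fmt.Println(FindSelfLicensing(Config{}))
	fmt.Println(FindSelfLicensing(Config{NonInterference: true}))
	fmt.Println(FindSelfLicensing(Config{WriteTagging: true}))
}
```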
Provenance layer as BaseTool.invoke() wrapper.
Shared provenance layer at tool execution boundary.
MCP servers implement signing; MCP clients verify via provenance layer.
Provenance layer wraps function execution step.
Sources at WAL-2+ MUST: generate key pair (ECDSA P-256 or Ed25519), implement signing endpoint, undergo institutional audit, implement certificate renewal and key rotation.
Sources SHOULD: use HSMs, implement rate limiting, monitor for anomalous signing.
Per-query overhead: sub-millisecond for cryptographic operations. Ed25519 signs at ~70K ops/sec, verifies at ~30K ops/sec. SHA-256 >1 GB/s. Dominated by network latency.
LPM demonstrated 2.7% overhead for whole-system kernel provenance; WCA at tool-call granularity is expected negligible.
Attacker can: MITM traffic, operate malicious sources, inject unattested data, replay responses, impersonate sources, tamper with log.
Trust assumptions: Root WCA key security (HSM), sound crypto primitives, correct RM1-RM3 enforcement, institutional audit at registration.
Out of scope: registered source providing incorrect data (source quality, not provenance).
Defense: signature covers H(q || r || tau || nonce || agent_id). Modification detected. Residual: key compromise (standard PKI mitigations).
Defense: non-interference prevents registration and indirect pathways. W = 0 for agent-generated propositions. Residual: NI violation enables mediated self-licensing (Section 9.3).
Defense: nonce in signature binding. Timestamp enables freshness. Implementations MUST use >= 16 byte random nonces.
Defense: certificate chain to Root WCA. Residual: WCA compromise.
Defense: HSMs, multi-party ceremonies, CT logs, CRLs/OCSP, short-lived certificates.
Defense: hash chain; modification cascades. External transparency log anchoring for additional assurance.
WCA does NOT defend against: source inaccuracy, domain mismatch, agent reasoning errors, WCA-source collusion, interpretive warrant erosion (but preserves originals in log for audit).
This document requests registration of formal URN namespace "wca" per [RFC8141].
Syntax: urn:wca:<entity-type>:<entity-name>
Entity types: "authority", "source", "domain".
New IANA registry "Warrant Attestation Levels":
| Level | Name | Reference |
|---|---|---|
| 0 | No Provenance | This document |
| 1 | Provenance Exists | This document |
| 2 | Signed Provenance | This document |
| 3 | Full Verification | This document |
New IANA registry "WCA Epistemic Domains" with initial entries:
| Domain | Description |
|---|---|
| pharmacology | Drug data, interactions |
| medical-records | Clinical records |
| medical-lit | Peer-reviewed medical literature |
| legal-records | Court records, filings |
| legal-lit | Legal scholarship |
| meteorology | Weather, climate |
| genomics | Genomic sequences |
| financial-reg | Regulatory filings |
| financial-market | Market data |
| geospatial | Geographic, satellite data |
All properties assume RM1-RM3 and EUF-CMA signature security.
For all p received by agent a: W(p) <= W_institutional(source(p)). Data cannot gain warrant above source's institutional standing.
For all p generated by agent a: if NonInterference(a, R) then W(p) = 0.
For all data d in agent context: either d has attestation log entry with valid WC, or W(d) = 0.
Valid signature implies r is exactly what source s returned to query q at time tau. Substitution detectable.
Agent interpretation may degrade warrant, but original data and attestation are always recoverable from log L.
Multi-hop chains: W(final) = min_i(W_institutional(source_i)). No laundering through composition.
Model verified with TLC:

   {
     "attestation": {
       "query": "GET /interactions?drug_a=ibuprofen&drug_b=warfarin",
       "source_id": "urn:wca:source:fda-druginteractions-v3",
       "response": "{\"interaction\":\"major\",\"severity\":\"high\"}",
       "timestamp": "2026-02-12T14:30:00Z",
       "nonce": "a7f3c9e1d4b2f6a8e0c7d3b5a9f1e2c4",
       "agent_id": "urn:agent:medical-advisor-v2",
       "signature": "MEUCIQD.../base64...=="
     },
     "source_certificate": {
       "source_id": "urn:wca:source:fda-druginteractions-v3",
       "public_key": "MFkwEwYHKoZIzj0.../base64...",
       "domain": "urn:wca:domain:pharmacology",
       "anchor": {
         "organization": "U.S. Food and Drug Administration",
         "basis": "Federal regulatory mandate",
         "audit_date": "2026-01-15"
       },
       "valid_from": "2026-01-01T00:00:00Z",
       "valid_until": "2027-01-01T00:00:00Z",
       "issuer_wca_id": "urn:wca:authority:health-wca-us",
       "issuer_signature": "MEUCIQCx.../base64...=="
     },
     "chain_proof": [
       {
         "wca_id": "urn:wca:authority:health-wca-us",
         "parent": "urn:wca:authority:root-wca-global-v1",
         "signature": "MEYCIQDp.../base64...=="
       }
     ]
   }

The foundational concepts of warrant erosion and semantic laundering were developed jointly with Oleg Romanchuk in [SEMANTIC-LAUNDERING] and [RESPONSIBILITY-VACUUM].