<?xml version="1.0" encoding="UTF-8"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     category="info"
     docName="draft-liu-icnrg-disruption-aware-task-descriptor-00"
     ipr="trust200902"
     submissionType="IETF"
     version="3">
  <front>
    <title abbrev="Disruption-Aware Task Descriptors">Requirements for Disruption-Aware Compute-Task Descriptors in Heterogeneous Space-Terrestrial-Maritime Edge Networks</title>
    <seriesInfo name="Internet-Draft" value="draft-liu-icnrg-disruption-aware-task-descriptor-00"/>
    <author fullname="Shuai Liu" initials="S." surname="Liu">
      <organization>Nanjing University</organization>
      <address>
        <postal>
          <street>School of Electronic Science and Engineering</street>
          <city>Nanjing</city>
          <code>210023</code>
          <country>China</country>
        </postal>
        <email>shuai_liu@smail.nju.edu.cn</email>
      </address>
    </author>
    <author fullname="Wenjun Liu" initials="W." surname="Liu">
      <organization>Nanjing University</organization>
      <address>
        <postal>
          <street>School of Electronic Science and Engineering</street>
          <city>Nanjing</city>
          <code>210023</code>
          <country>China</country>
        </postal>
        <email>liuwj19988@163.com</email>
      </address>
    </author>
    <date/>
    <area>Internet</area>
    <workgroup>Information-Centric Networking Research Group</workgroup>
    <keyword>information-centric networking</keyword>
    <keyword>edge computing</keyword>
    <keyword>compute-task descriptor</keyword>
    <keyword>non-terrestrial networks</keyword>
    <keyword>disruption tolerance</keyword>
    <abstract>
      <t>Compute tasks in heterogeneous edge environments may traverse terrestrial, maritime, airborne, and non-terrestrial domains before an eligible execution site becomes reachable.  Conventional request formats often assume an immediately selected endpoint and a continuously available request-response path.  Those assumptions are fragile when connectivity is intermittent, service instances move, inputs are named and distributed, and duplicate delivery can occur.</t>
      <t>This document describes a problem statement, a conceptual compute-task descriptor, and requirements for carrying a portable task description across disruption-prone edge networks.  The descriptor separates the identity and semantics of a task from a particular execution location.  It binds the requested service, named inputs, relevant parameters, timing constraints, authorization policy, and expected result properties while supporting store-carry-forward operation, duplicate suppression, verifiable execution receipts, and result provenance.  This document does not define a wire encoding, task-placement algorithm, traffic-steering protocol, or execution runtime.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="intro" numbered="true" toc="include">
      <name>Introduction</name>
      <t>Edge computing allows data to be processed near users and data sources.  In many deployments, an application sends a request to a selected endpoint, waits for that endpoint to execute the requested function, and receives a response over the same or a continuously available path.  This interaction model is effective when service instances and network paths remain stable for the duration of the transaction.</t>
      <t>Heterogeneous space-terrestrial-maritime edge systems can violate these assumptions.  A sensor platform may reach a buoy gateway only intermittently.  A maritime gateway may contact a low-Earth-orbit node during a finite visibility window.  A task may then be forwarded to a terrestrial edge site or cloud service after a later contact.  The execution site may not be known when the task is created, and the node carrying the task may not be the node that finally executes it.</t>
      <t>In such environments, a task needs a portable description that remains meaningful after forwarding, caching, replication, and delayed execution.  The description needs to identify the requested logical service without binding the task to a temporary instance.  It also needs to identify the input objects, parameters, acceptable execution context, timing constraints, security policy, and expected result.  Because retransmission and multi-path forwarding can create duplicates, the description also needs an identity and idempotency semantics that allow safe duplicate detection.</t>
      <t>Information-Centric Networking (ICN) provides concepts for naming information independently of host location, caching named objects, and applying object-level integrity protection <xref target="RFC7927"/> <xref target="RFC8793"/>.  IoT edge systems require resilience to intermittent services as well as privacy and security <xref target="RFC9556"/>.  Delay-tolerant networking provides store-carry-forward delivery when continuous end-to-end paths do not exist <xref target="RFC9171"/>.  These concepts motivate a task description that can be treated as a portable, verifiable object rather than only as transient application data on an established connection.</t>
      <t>This document is requirements-oriented.  It identifies properties expected of a future compute-task descriptor, including:</t>
      <ul spacing="normal">
        <li>a stable task identity and a stable binding to a logical computing service;</li>
        <li>verifiable references to named input objects and expected output properties;</li>
        <li>explicit creation time, expiration, deadline, freshness, and retry semantics;</li>
        <li>operation during partitions and across store-carry-forward paths;</li>
        <li>duplicate suppression and idempotent execution where applicable;</li>
        <li>result-to-task binding, provenance, and execution receipts;</li>
        <li>cross-domain authorization, confidentiality, and policy-controlled disclosure; and</li>
        <li>incremental use over existing IP, ICN, and disruption-tolerant infrastructures.</li>
      </ul>
      <t>The space-terrestrial-maritime scenario is used as a motivating example.  The requirements may also apply to disaster-response networks, remote industrial systems, mobile edge deployments, and other environments in which execution cannot be coupled to a continuously reachable endpoint.</t>
      <t>This document does not define a universal serialization, a remote procedure call interface, a programming model, a task-placement algorithm, a traffic-steering mechanism, a transport protocol, or a general workflow language.</t>
    </section>

    <section anchor="terminology" numbered="true" toc="include">
      <name>Terminology</name>
      <section anchor="requirements-language" numbered="true" toc="include">
        <name>Requirements Language</name>
        <t>The key words <bcp14>MUST</bcp14>, <bcp14>MUST NOT</bcp14>, <bcp14>REQUIRED</bcp14>, <bcp14>SHALL</bcp14>, <bcp14>SHALL NOT</bcp14>, <bcp14>SHOULD</bcp14>, <bcp14>SHOULD NOT</bcp14>, <bcp14>RECOMMENDED</bcp14>, <bcp14>NOT RECOMMENDED</bcp14>, <bcp14>MAY</bcp14>, and <bcp14>OPTIONAL</bcp14> in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
        <t>These key words describe requirements for a future task-description design.  They do not require a particular syntax, transport, or implementation architecture.</t>
      </section>
      <section anchor="definitions" numbered="true" toc="include">
        <name>Definitions</name>
        <dl spacing="normal" newline="false">
          <dt>Computing Service:</dt>
          <dd>A logical function that consumes one or more inputs and produces one or more outputs.  The service may be implemented by multiple service instances at different sites.</dd>
          <dt>Compute Task:</dt>
          <dd>A request to apply a specified computing service, version, and parameter set to specified inputs under stated timing, policy, and result constraints.</dd>
          <dt>Compute-Task Descriptor:</dt>
          <dd>A portable description of a compute task.  It binds the task identity to the requested service, inputs, parameters, timing constraints, authorization policy, and expected result properties without requiring a final execution locator.</dd>
          <dt>Descriptor Core:</dt>
          <dd>The integrity-protected portion of a compute-task descriptor whose semantics are established by the task originator and are not changed by transit nodes.</dd>
          <dt>Transit Metadata:</dt>
          <dd>Information added or updated while a task is forwarded, such as hop observations, custody state, local priority, or contact hints.  Transit metadata is not part of the originator-defined task semantics unless explicitly incorporated by reference.</dd>
          <dt>Task Originator:</dt>
          <dd>The entity that creates and authorizes a compute task.</dd>
          <dt>Task Carrier:</dt>
          <dd>A node that stores, forwards, replicates, or otherwise transports a compute-task descriptor or its referenced objects.</dd>
          <dt>Execution Site:</dt>
          <dd>A site at which an eligible service instance executes a compute task.</dd>
          <dt>Task Identifier:</dt>
          <dd>A stable identifier for a compute task.  It is used to correlate descriptor copies, execution receipts, failures, and result objects.</dd>
          <dt>Idempotency Key:</dt>
          <dd>A value used by an execution site to recognize requests that are intended to represent the same logical invocation and to suppress or safely handle duplicate execution.</dd>
          <dt>Input Object:</dt>
          <dd>A named data, model, configuration, or other object consumed by the requested service.</dd>
          <dt>Result Object:</dt>
          <dd>A named output generated by executing a compute task and bound to the task identifier, service version, input identities, and relevant execution context.</dd>
          <dt>Execution Receipt:</dt>
          <dd>An integrity-protected statement indicating that a task was accepted, completed, rejected, cancelled, or failed, together with sufficient information to correlate the statement with the task.</dd>
          <dt>Deadline:</dt>
          <dd>The latest time at which a result remains useful according to the task originator or application policy.</dd>
          <dt>Descriptor Lifetime:</dt>
          <dd>The period during which the descriptor may be stored, forwarded, or considered for execution.  The descriptor lifetime can differ from the task deadline.</dd>
        </dl>
      </section>
    </section>

    <section anchor="problem" numbered="true" toc="include">
      <name>Problem Statement and Scope</name>
      <section anchor="characteristics" numbered="true" toc="include">
        <name>Target Characteristics</name>
        <t>The target environment has one or more of the following characteristics:</t>
        <ul spacing="normal">
          <li><strong>Unknown execution location:</strong> The task is created before an eligible execution site is selected or reachable.</li>
          <li><strong>Intermittent connectivity:</strong> A continuous path from the task originator to an execution site and back cannot be assumed.</li>
          <li><strong>Multiple carriers:</strong> Gateways, mobile nodes, satellites, or caches may store and forward the task or its referenced inputs.</li>
          <li><strong>Distributed inputs:</strong> Input data, models, and configuration objects may reside at different locations and may become reachable at different times.</li>
          <li><strong>Dynamic service placement:</strong> Service instances can start, stop, move, or be replaced while the task is in transit.</li>
          <li><strong>Duplicate delivery:</strong> Retransmission, replication, or route convergence may deliver the same task to an execution site more than once.</li>
          <li><strong>Multiple administrative domains:</strong> Task metadata, inputs, and results can cross domains with different trust anchors and disclosure policies.</li>
          <li><strong>Resource constraints:</strong> Contacts, storage, energy, and processing resources may be limited.</li>
        </ul>
      </section>
      <section anchor="limitations" numbered="true" toc="include">
        <name>Limitations of Endpoint-Bound Requests</name>
        <t>An endpoint-bound request normally identifies a destination before transmission.  Connection state, transport-level request identifiers, and application session state may then be used to correlate the response.  This model becomes fragile when the endpoint is not yet known, a connection cannot remain open, or an intermediate node must retain the task for later forwarding.</t>
        <t>Copying an ordinary application request into a store-carry-forward payload does not by itself define:</t>
        <ul spacing="normal">
          <li>whether two copies represent the same logical task;</li>
          <li>which parts of the request may be modified by transit nodes;</li>
          <li>how named inputs and service versions are bound to the task;</li>
          <li>whether the task may still be executed after a deadline or expiration;</li>
          <li>whether duplicate execution is safe;</li>
          <li>how a result is cryptographically bound to the original task; or</li>
          <li>which domain is authorized to inspect, forward, execute, or retrieve the result.</li>
        </ul>
        <t>A portable task descriptor addresses these semantic questions.  It does not replace transport, service discovery, task placement, or traffic steering.</t>
      </section>
      <section anchor="scope" numbered="true" toc="include">
        <name>Scope</name>
        <t>This document focuses on the information carried by or referenced from a compute-task descriptor.  It considers the following functions:</t>
        <ul spacing="normal">
          <li>identifying a logical task and the requested computing service;</li>
          <li>binding named inputs, parameters, and expected outputs;</li>
          <li>expressing execution eligibility, timing, retry, and disclosure policy;</li>
          <li>supporting storage and forwarding during disruption;</li>
          <li>detecting duplicate task delivery and correlating task state;</li>
          <li>binding results and execution receipts to the originating task; and</li>
          <li>preserving integrity and provenance across gateways and caches.</li>
        </ul>
      </section>
      <section anchor="non-goals" numbered="true" toc="include">
        <name>Non-Goals</name>
        <t>The following topics are out of scope:</t>
        <ul spacing="normal">
          <li>defining a wire encoding or media type;</li>
          <li>standardizing a programming language, executable format, or container format;</li>
          <li>selecting an execution site or ranking candidates;</li>
          <li>defining traffic steering, routing, congestion control, or contact planning;</li>
          <li>reserving computing, storage, energy, or bandwidth resources;</li>
          <li>guaranteeing exactly-once execution in a partitioned distributed system;</li>
          <li>defining application-specific equivalence among inputs or results; and</li>
          <li>standardizing underwater, satellite, radio, acoustic, or optical link technologies.</li>
        </ul>
      </section>
    </section>

    <section anchor="model" numbered="true" toc="include">
      <name>Conceptual Model</name>
      <section anchor="entities" numbered="true" toc="include">
        <name>Entities</name>
        <t>The conceptual model contains the following entities:</t>
        <ul spacing="normal">
          <li><strong>Task originators</strong> create descriptors and specify the requested service, inputs, constraints, and policy.</li>
          <li><strong>Discovery functions</strong> identify logical services, candidate instances, or reusable results.  Discovery may occur before or after task creation.</li>
          <li><strong>Task carriers</strong> store, forward, replicate, or translate descriptors and referenced objects.</li>
          <li><strong>Execution sites</strong> evaluate eligibility, obtain required inputs, execute tasks, and produce results or failure receipts.</li>
          <li><strong>Result stores</strong> retain named results and execution receipts for later retrieval.</li>
          <li><strong>Trust services</strong> provide credentials, authorization information, revocation status, or trust anchors used to validate descriptors, inputs, and results.</li>
        </ul>
      </section>
      <section anchor="structure" numbered="true" toc="include">
        <name>Descriptor Structure</name>
        <t>A compute-task descriptor conceptually contains a descriptor core and optional transit metadata.</t>
        <t>The descriptor core contains some subset of the following information:</t>
        <ul spacing="normal">
          <li>a task identifier and, where needed, an idempotency key;</li>
          <li>the task originator and the authority under which the task is issued;</li>
          <li>a stable logical service identifier and service or interface version;</li>
          <li>immutable references or digests for required input objects;</li>
          <li>invocation parameters and properties that affect result semantics;</li>
          <li>expected output type, result naming information, or validation constraints;</li>
          <li>creation time, descriptor lifetime, deadline, freshness bounds, and retry policy;</li>
          <li>execution eligibility constraints, such as trusted domains or required capabilities;</li>
          <li>authorization and disclosure policy; and</li>
          <li>integrity-protection and provenance information.</li>
        </ul>
        <t>Transit metadata may contain forwarding observations, local custody state, locally assigned priority, contact hints, or diagnostic information.  A future design needs to distinguish transit metadata from originator-defined semantics so that forwarding nodes cannot silently alter the task.</t>
      </section>
      <section anchor="states" numbered="true" toc="include">
        <name>Conceptual Task States</name>
        <t>A task may move through conceptual states such as created, in transit, accepted, executing, completed, failed, rejected, expired, or cancelled.  These states are descriptive and do not mandate a state machine.  A deployment may expose fewer states, but state reports need to be unambiguously correlated with the task identifier and the reporting authority.</t>
        <t>Different nodes can temporarily have different views of the same task.  For example, a carrier may still retain a copy after another copy has completed elsewhere.  Therefore, a state report is evidence from a particular source and time, not necessarily a globally synchronized truth.</t>
      </section>
      <section anchor="separation" numbered="true" toc="include">
        <name>Separation from Discovery, Placement, and Transport</name>
        <t>Service discovery determines which services, instances, or results exist.  Task placement selects an execution site.  Traffic steering and routing determine how data reaches a selected site.  Transport or store-carry-forward mechanisms move descriptors and objects.  The compute-task descriptor supplies portable task semantics to these functions but does not replace them.</t>
        <t>A descriptor may be created before discovery, after discovery of a logical service, or after selection of one or more candidate instances.  Even when a candidate instance is included as a hint, the logical task identity and requested service remain independent of that temporary locator.</t>
      </section>
    </section>

    <section anchor="use-cases" numbered="true" toc="include">
      <name>Use Cases</name>
      <section anchor="uc-maritime" numbered="true" toc="include">
        <name>Maritime Event Analysis</name>
        <t>An autonomous underwater vehicle records an observation that requires anomaly analysis.  It creates, or asks a buoy gateway to create, a task descriptor referencing the named observation, the requested analysis service, the model or service version, a deadline, and an authorization policy.  No eligible execution site is continuously reachable.</t>
        <t>The descriptor and observation are transferred to a buoy during a short contact.  The buoy later forwards them to a satellite or terrestrial edge site.  An eligible site executes the task and stores a named result.  The result can be returned during a later contact because it is bound to the original task identifier and inputs rather than to the connection over which the request was first sent.</t>
      </section>
      <section anchor="uc-leo" numbered="true" toc="include">
        <name>Opportunistic Non-Terrestrial Execution</name>
        <t>A maritime gateway knows that a low-Earth-orbit node may become available during an upcoming visibility window but cannot assume that the contact will occur or last long enough.  The gateway forwards a task descriptor that identifies an acceptable service version, input-size limit, deadline, and result policy.</t>
        <t>If the satellite accepts and completes the task, it returns an execution receipt and result reference.  If the contact ends before execution or result transfer, another carrier may later forward the same descriptor.  The idempotency information allows an execution site to determine whether the task has already been accepted or completed.</t>
      </section>
      <section anchor="uc-delayed" numbered="true" toc="include">
        <name>Delayed Batch Preprocessing</name>
        <t>A remote sensing site generates many low-priority preprocessing tasks.  The tasks can be executed locally, on a visiting mobile edge node, or after bulk transfer to a terrestrial site.  Each descriptor expresses a lifetime, a deadline, permitted execution domains, and references to the relevant input objects.</t>
        <t>Carriers can retain the descriptors during a partition and forward them when capacity is available.  Expired tasks are not executed merely because a stale copy remains in a cache.  Completed results are correlated with the original tasks even when they return along a different path.</t>
      </section>
      <section anchor="uc-duplicate" numbered="true" toc="include">
        <name>Duplicate Delivery after a Partition</name>
        <t>Two gateways obtain copies of the same task before their domains become partitioned.  Each forwards its copy toward a different execution site.  One site completes the task while the other receives a delayed duplicate.  The delayed site uses the task identifier and idempotency policy to avoid an unsafe second execution or to return a previously generated result reference.</t>
        <t>This use case illustrates why transport-level request identifiers are insufficient: the duplicate may arrive over a different protocol, path, or administrative domain.</t>
      </section>
    </section>

    <section anchor="requirements" numbered="true" toc="include">
      <name>Requirements</name>
      <section anchor="req-identity" numbered="true" toc="include">
        <name>Task Identity and Service Binding</name>
        <t><strong>R1 - Stable task identity:</strong> A descriptor design <bcp14>MUST</bcp14> provide a stable task identifier that remains unchanged when the descriptor is copied, cached, forwarded, or transported by different protocols.</t>
        <t><strong>R2 - Service and location separation:</strong> The descriptor <bcp14>MUST</bcp14> identify the requested logical computing service separately from any service-instance identifier or locator.</t>
        <t><strong>R3 - Immutable originator semantics:</strong> The design <bcp14>MUST</bcp14> distinguish an integrity-protected descriptor core from metadata that may be added or changed by transit nodes.</t>
        <t><strong>R4 - Version binding:</strong> The descriptor <bcp14>MUST</bcp14> identify the service and interface version.  When execution semantics depend on a model, executable, configuration, or policy artifact, the descriptor <bcp14>SHOULD</bcp14> bind an immutable identifier or digest for that artifact.</t>
        <t><strong>R5 - Origin authority:</strong> A relying party <bcp14>MUST</bcp14> be able to determine which authority created or authorized the task and whether that authority is permitted to request the named service.</t>
      </section>

      <section anchor="req-io" numbered="true" toc="include">
        <name>Inputs, Outputs, and Execution Context</name>
        <t><strong>R6 - Named inputs:</strong> Required input objects <bcp14>MUST</bcp14> be identified by immutable names, cryptographic digests, or an equivalent mechanism that permits verification of the exact inputs used.</t>
        <t><strong>R7 - Input roles:</strong> The descriptor <bcp14>SHOULD</bcp14> distinguish required, optional, and alternative inputs and identify the role of each input in the invocation.</t>
        <t><strong>R8 - Parameters:</strong> Parameters that affect result semantics <bcp14>MUST</bcp14> be included in the descriptor core or bound through a verifiable manifest.</t>
        <t><strong>R9 - Output expectations:</strong> The descriptor <bcp14>SHOULD</bcp14> identify the expected output type, validation constraints, result naming rule, or a verifiable reference to such information.</t>
        <t><strong>R10 - Execution context:</strong> When result validity depends on geographic scope, observation time, precision, hardware class, trusted execution environment, or other execution context, the descriptor <bcp14>MUST</bcp14> express the relevant requirement or bind it through a verifiable reference.</t>
        <t><strong>R11 - Defined resource semantics:</strong> Resource requirements or preferences <bcp14>MUST NOT</bcp14> be compared across domains unless their semantics, units, and measurement scope are defined.  Candidate ranking remains outside the descriptor.</t>
      </section>

      <section anchor="req-time" numbered="true" toc="include">
        <name>Timing and Disruption Awareness</name>
        <t><strong>R12 - Creation and validity:</strong> A descriptor <bcp14>MUST</bcp14> include sufficient information to determine its creation time and descriptor lifetime.</t>
        <t><strong>R13 - Deadline separation:</strong> The design <bcp14>MUST</bcp14> distinguish the time until which the descriptor may be forwarded from the deadline after which executing or returning the result is no longer useful.</t>
        <t><strong>R14 - Freshness bounds:</strong> When input or result age affects usefulness, the descriptor <bcp14>MUST</bcp14> support an explicit freshness bound or revalidation policy.</t>
        <t><strong>R15 - Store-carry-forward eligibility:</strong> The descriptor <bcp14>SHOULD</bcp14> indicate whether it may be stored, carried, replicated, or forwarded after immediate delivery fails.</t>
        <t><strong>R16 - Contact uncertainty:</strong> Contact or reachability hints, when included, <bcp14>MUST</bcp14> carry a source and validity indication and <bcp14>MUST NOT</bcp14> be represented as a guarantee of execution.</t>
        <t><strong>R17 - Offline evaluation:</strong> An execution site <bcp14>SHOULD</bcp14> be able to evaluate basic task eligibility, expiration, integrity, and authorization from locally available information when a remote control service is unreachable.</t>
        <t><strong>R18 - Bounded descriptor size:</strong> The design <bcp14>SHOULD</bcp14> support references, manifests, selective disclosure, or compact representations so that constrained contacts are not consumed by unnecessary inline metadata.</t>
      </section>

      <section anchor="req-lifecycle" numbered="true" toc="include">
        <name>Duplicate Handling and Lifecycle</name>
        <t><strong>R19 - Duplicate correlation:</strong> A receiving node <bcp14>MUST</bcp14> be able to determine whether two descriptor copies refer to the same task identity.</t>
        <t><strong>R20 - Idempotency semantics:</strong> The design <bcp14>MUST</bcp14> support an idempotency key or equivalent policy when duplicate execution could cause inconsistent state, repeated side effects, or unnecessary resource consumption.</t>
        <t><strong>R21 - No implicit exactly-once guarantee:</strong> A descriptor design <bcp14>MUST NOT</bcp14> claim exactly-once execution solely from duplicate suppression.  The application or service needs to define the consequences of retries and uncertain completion.</t>
        <t><strong>R22 - State correlation:</strong> Acceptance, progress, completion, rejection, cancellation, expiration, and failure reports <bcp14>MUST</bcp14> be unambiguously correlated with the task identifier and reporting authority.</t>
        <t><strong>R23 - Retry policy:</strong> The descriptor <bcp14>SHOULD</bcp14> support a bounded retry policy or a reference to application policy, including whether retries may occur at another execution site.</t>
        <t><strong>R24 - Cancellation and supersession:</strong> A design <bcp14>SHOULD</bcp14> support an authenticated indication that a task is cancelled, superseded, or no longer eligible.  Disconnected nodes may not receive the indication immediately; that limitation <bcp14>MUST</bcp14> be visible to the relying party.</t>
      </section>

      <section anchor="req-results" numbered="true" toc="include">
        <name>Results and Execution Receipts</name>
        <t><strong>R25 - Result-to-task binding:</strong> A result object <bcp14>MUST</bcp14> be bound to the task identifier, requested service version, input identities, and parameters that affect result semantics.</t>
        <t><strong>R26 - Result provenance:</strong> A requester <bcp14>MUST</bcp14> be able to verify which service or authorized execution environment produced a result.</t>
        <t><strong>R27 - Completion receipt:</strong> A design <bcp14>SHOULD</bcp14> support an integrity-protected completion receipt containing the task identifier, result reference or digest, completion time, and producing authority.</t>
        <t><strong>R28 - Failure receipt:</strong> A design <bcp14>SHOULD</bcp14> support an integrity-protected rejection or failure receipt that distinguishes policy rejection, invalid input, expiration, unsupported service version, unavailable resources, and execution failure where disclosure policy permits.</t>
        <t><strong>R29 - Path independence:</strong> Retrieval of a result or receipt <bcp14>MUST NOT</bcp14> require use of the same path, connection, carrier, or protocol over which the task was submitted.</t>
      </section>

      <section anchor="req-security" numbered="true" toc="include">
        <name>Trust, Authorization, and Privacy</name>
        <t><strong>R30 - Descriptor integrity:</strong> The descriptor core <bcp14>MUST</bcp14> be integrity protected and attributable to the task originator or an authorized delegate.</t>
        <t><strong>R31 - Separate authorization decisions:</strong> Authorization to inspect a descriptor, retrieve an input, forward a task, execute a service, and retrieve a result <bcp14>MUST</bcp14> be expressible as separate decisions.</t>
        <t><strong>R32 - Confidentiality:</strong> A design <bcp14>SHOULD</bcp14> support confidentiality for sensitive task parameters, input references, policies, and result references.</t>
        <t><strong>R33 - Disclosure minimization:</strong> The descriptor <bcp14>SHOULD</bcp14> permit policy-controlled or selective disclosure so that a carrier does not receive execution details that it does not need.</t>
        <t><strong>R34 - Replay resistance:</strong> A relying party <bcp14>MUST</bcp14> be able to detect or limit replay of expired, cancelled, superseded, or already completed tasks.</t>
        <t><strong>R35 - Delegation:</strong> When an intermediary creates, modifies, or submits a task on behalf of another entity, the design <bcp14>MUST</bcp14> make the delegation and resulting authority verifiable.</t>
        <t><strong>R36 - Auditability:</strong> Implementations <bcp14>SHOULD</bcp14> expose sufficient diagnostics to determine the descriptor source, validation outcome, state-report source, selected service version, and result binding without revealing protected metadata.</t>
      </section>

      <section anchor="req-deployment" numbered="true" toc="include">
        <name>Incremental Deployment and Extensibility</name>
        <t><strong>R37 - Infrastructure independence:</strong> The abstract descriptor model <bcp14>SHOULD NOT</bcp14> require every participating node to use native ICN forwarding or a disruption-tolerant transport.</t>
        <t><strong>R38 - Gateway preservation:</strong> A gateway translating among IP application protocols, ICN objects, and store-carry-forward transports <bcp14>MUST NOT</bcp14> silently discard task identity, validity, input binding, authorization, or provenance information.</t>
        <t><strong>R39 - Partial participation:</strong> A deployment <bcp14>SHOULD</bcp14> provide useful operation when only gateways and execution sites understand the complete descriptor and constrained originators use a reduced profile.</t>
        <t><strong>R40 - Functional separation:</strong> The descriptor interface <bcp14>SHOULD</bcp14> supply portable task semantics without mandating a particular service-discovery, placement, scheduling, routing, or traffic-steering system.</t>
        <t><strong>R41 - Extensibility:</strong> The descriptor model <bcp14>MUST</bcp14> support new optional attributes and service-specific extensions.  Unknown optional attributes <bcp14>SHOULD</bcp14> be safely ignored, while unknown critical attributes <bcp14>MUST</bcp14> cause the task to be rejected or left unexecuted.</t>
      </section>
    </section>

    <section anchor="workflow" numbered="true" toc="include">
      <name>Illustrative Workflow</name>
      <t>The following workflow is illustrative and does not specify a protocol:</t>
      <ol spacing="normal" type="1">
        <li>The originator creates a task identifier and descriptor core, binds the requested service, inputs, parameters, timing constraints, and policy, and applies integrity protection.</li>
        <li>A local discovery function may return candidate service instances or reusable results.  The descriptor remains valid even if no candidate is currently reachable.</li>
        <li>A carrier stores and forwards the descriptor and required objects.  The carrier may add separately protected transit metadata but does not alter the descriptor core.</li>
        <li>An execution site validates the task, checks expiration and authorization, resolves required inputs, and evaluates whether its service version and capabilities satisfy the descriptor.</li>
        <li>The execution site checks the task identifier and idempotency policy against local or synchronized task state.</li>
        <li>The site accepts, rejects, or executes the task.  It produces an execution receipt and, on completion, a result object bound to the task and inputs.</li>
        <li>The result or receipt is stored and returned over any available path.  The originator verifies provenance and task binding before accepting it.</li>
      </ol>
      <t>A realization may combine, omit, or reorder these steps.  For example, input objects may be transferred before the descriptor, and result discovery may locate a previously completed equivalent task.  The requirements in this document focus on preserving semantics across such variations.</t>
    </section>

    <section anchor="existing-work" numbered="true" toc="include">
      <name>Relationship with Existing Work</name>
      <section anchor="existing-icn" numbered="true" toc="include">
        <name>Information-Centric Networking</name>
        <t>ICN research has examined location-independent naming, caching, object security, mobility, and deployment considerations <xref target="RFC7927"/> <xref target="RFC8763"/>.  CCNx defines Interest and Content Object semantics and a TLV message format <xref target="RFC8569"/> <xref target="RFC8609"/>.  ICN terminology is documented in <xref target="RFC8793"/>.</t>
        <t>A future realization could represent a task descriptor, its inputs, execution receipts, and results as named content objects.  This document does not modify ICN forwarding semantics or define a new name syntax.</t>
      </section>
      <section anchor="existing-edge" numbered="true" toc="include">
        <name>IoT Edge Computing</name>
        <t><xref target="RFC9556"/> describes IoT edge challenges and functions, including time sensitivity, data volume, connectivity cost, resilience to intermittent services, privacy, and security.  This document focuses more narrowly on the portable description and lifecycle semantics of an individual compute task.</t>
      </section>
      <section anchor="existing-cats" numbered="true" toc="include">
        <name>Computing-Aware Traffic Steering and Task Placement</name>
        <t>CATS defines a framework for selecting a suitable service contact instance using network and computing information <xref target="I-D.ietf-cats-framework"/>.  Its problem statement and requirements focus on steering service traffic among distributed service sites <xref target="I-D.ietf-cats-usecases-requirements"/>.</t>
        <t>The Compute-Aware Task Placement and Traffic Steering framework jointly considers execution location and input/output traffic under compute and network constraints <xref target="I-D.luan-cats-catpts"/>.  This document is complementary: it does not select a site or optimize a path.  It specifies requirements for the task information that remains meaningful before, during, and after such selection, including during disruption.</t>
      </section>
      <section anchor="existing-dtn" numbered="true" toc="include">
        <name>Delay-Tolerant Networking</name>
        <t>Bundle Protocol Version 7 supports store-carry-forward communication in disruption-tolerant environments <xref target="RFC9171"/>, and BPSec provides integrity and confidentiality services for Bundle Protocol exchanges <xref target="RFC9172"/>.  A compute-task descriptor may be carried as a Bundle Protocol payload, but this document neither requires nor modifies Bundle Protocol.</t>
        <t>Transporting a task through a disruption-tolerant network does not by itself define task identity, duplicate execution behavior, input binding, or result provenance.  Those are the descriptor semantics addressed here.</t>
      </section>
      <section anchor="existing-discovery" numbered="true" toc="include">
        <name>Cross-Domain Compute-Service Discovery</name>
        <t><xref target="I-D.liu-icnrg-cross-domain-compute-discovery"/> identifies requirements for name-based discovery of logical services, service instances, and reusable results in heterogeneous space-terrestrial-maritime edge networks.  That work asks what service or result is available.  This document asks how a specific task is described and carried when the execution location and return path may not yet be known.</t>
      </section>
    </section>

    <section anchor="security" numbered="true" toc="include">
      <name>Security Considerations</name>
      <t>A portable compute-task descriptor can cause processing, data access, and state changes across multiple domains.  A protocol realization needs a complete threat model and concrete mechanisms for integrity, confidentiality, authentication, authorization, replay resistance, and resource control.</t>
      <section anchor="sec-forgery" numbered="true" toc="include">
        <name>Forged or Modified Tasks</name>
        <t>An attacker could change the requested service, inputs, parameters, deadline, or result destination.  The descriptor core therefore needs end-to-end integrity protection and origin authorization.  A gateway must not replace the originator's protection with an unauthenticated local assertion.</t>
      </section>
      <section anchor="sec-replay" numbered="true" toc="include">
        <name>Replay and Duplicate Execution</name>
        <t>Replaying a valid task can waste scarce resources or repeat side effects.  Task identifiers, lifetimes, idempotency policy, completion state, and authenticated cancellation or supersession information can limit replay.  Duplicate suppression does not prove that exactly one execution occurred, especially during partitions.  Applications with non-idempotent effects require stronger transactional or compensating mechanisms outside this document.</t>
      </section>
      <section anchor="sec-exhaustion" numbered="true" toc="include">
        <name>Resource Exhaustion</name>
        <t>Attackers can submit expensive tasks, excessively large descriptors, unresolved input references, or tasks designed to trigger repeated validation and forwarding.  Implementations should apply admission control, quotas, bounded descriptor and manifest sizes, rate limits, inexpensive rejection of malformed tasks, and policy limits on storage, replication, retries, and execution cost.</t>
      </section>
      <section anchor="sec-inputs" numbered="true" toc="include">
        <name>Input and Artifact Substitution</name>
        <t>A valid task can produce an incorrect result if a carrier or execution site substitutes input data, model artifacts, configuration objects, or service versions.  Immutable names, cryptographic digests, and result manifests need to bind all properties that affect execution semantics.</t>
      </section>
      <section anchor="sec-results" numbered="true" toc="include">
        <name>Forged Results and Receipts</name>
        <t>An attacker could claim completion, fabricate a failure, or substitute an unrelated result.  Results and receipts require integrity protection, producing-authority authentication, task correlation, and binding to inputs and service version.  A requester must not accept a result based only on a human-readable task or service name.</t>
      </section>
      <section anchor="sec-privacy" numbered="true" toc="include">
        <name>Privacy and Operational Confidentiality</name>
        <t>Descriptors can reveal sensor activity, locations, mission timing, requested algorithms, input identities, model versions, resource needs, and operational priorities.  Even when input content is encrypted, names and metadata can enable traffic analysis.  Deployments should minimize disclosed attributes and use confidentiality, access control, pseudonymous identifiers, or selective disclosure where appropriate.</t>
      </section>
      <section anchor="sec-cross-domain" numbered="true" toc="include">
        <name>Cross-Domain Trust and Gateways</name>
        <t>Authorization to forward a task does not imply authorization to inspect inputs or execute the task.  Trust in one domain's identity does not automatically authorize every service request.  Gateways are potential downgrade and policy-confusion points.  When a target protocol cannot preserve a descriptor property, the gateway should report the limitation rather than silently claiming equivalent semantics.</t>
      </section>
    </section>

    <section anchor="iana" numbered="true" toc="include">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>

    <section anchor="acknowledgements" numbered="true" toc="include">
      <name>Acknowledgements</name>
      <t>The authors welcome discussion on the scope of a portable compute-task descriptor, its relationship to service discovery and task placement, and suitable experimental realizations over IP, ICN, and disruption-tolerant infrastructures.</t>
    </section>
  </middle>

  <back>
    <references>
      <name>Normative References</name>
      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author initials="S." surname="Bradner" fullname="Scott Bradner"/>
          <date month="March" year="1997"/>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author initials="B." surname="Leiba" fullname="Barry Leiba"/>
          <date month="May" year="2017"/>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>

    <references>
      <name>Informative References</name>
      <reference anchor="RFC7927" target="https://www.rfc-editor.org/info/rfc7927">
        <front>
          <title>Information-Centric Networking (ICN) Research Challenges</title>
          <author initials="D." surname="Kutscher" fullname="Dirk Kutscher"/>
          <author initials="S." surname="Eum" fullname="Suyong Eum"/>
          <author initials="K." surname="Pentikousis" fullname="Kostis Pentikousis"/>
          <author initials="I." surname="Psaras" fullname="Ioannis Psaras"/>
          <author initials="D." surname="Corujo" fullname="Daniel Corujo"/>
          <author initials="D." surname="Saucez" fullname="Damien Saucez"/>
          <author initials="T." surname="Schmidt" fullname="Thomas Schmidt"/>
          <author initials="M." surname="Waehlisch" fullname="Matthias Waehlisch"/>
          <date month="July" year="2016"/>
        </front>
        <seriesInfo name="RFC" value="7927"/>
        <seriesInfo name="DOI" value="10.17487/RFC7927"/>
      </reference>
      <reference anchor="RFC8569" target="https://www.rfc-editor.org/info/rfc8569">
        <front>
          <title>Content-Centric Networking (CCNx) Semantics</title>
          <author initials="M." surname="Mosko" fullname="Marc Mosko"/>
          <author initials="I." surname="Solis" fullname="Ignacio Solis"/>
          <author initials="C." surname="Wood" fullname="Christopher Wood"/>
          <date month="July" year="2019"/>
        </front>
        <seriesInfo name="RFC" value="8569"/>
        <seriesInfo name="DOI" value="10.17487/RFC8569"/>
      </reference>
      <reference anchor="RFC8609" target="https://www.rfc-editor.org/info/rfc8609">
        <front>
          <title>Content-Centric Networking (CCNx) Messages in TLV Format</title>
          <author initials="M." surname="Mosko" fullname="Marc Mosko"/>
          <author initials="I." surname="Solis" fullname="Ignacio Solis"/>
          <author initials="C." surname="Wood" fullname="Christopher Wood"/>
          <date month="July" year="2019"/>
        </front>
        <seriesInfo name="RFC" value="8609"/>
        <seriesInfo name="DOI" value="10.17487/RFC8609"/>
      </reference>
      <reference anchor="RFC8763" target="https://www.rfc-editor.org/info/rfc8763">
        <front>
          <title>Deployment Considerations for Information-Centric Networking (ICN)</title>
          <author initials="A." surname="Rahman" fullname="Akbar Rahman"/>
          <author initials="D." surname="Trossen" fullname="Dirk Trossen"/>
          <author initials="D." surname="Kutscher" fullname="Dirk Kutscher"/>
          <author initials="R." surname="Ravindran" fullname="Ravi Ravindran"/>
          <date month="April" year="2020"/>
        </front>
        <seriesInfo name="RFC" value="8763"/>
        <seriesInfo name="DOI" value="10.17487/RFC8763"/>
      </reference>
      <reference anchor="RFC8793" target="https://www.rfc-editor.org/info/rfc8793">
        <front>
          <title>Information-Centric Networking (ICN): Content-Centric Networking (CCNx) and Named Data Networking (NDN) Terminology</title>
          <author initials="B." surname="Wissingh" fullname="Bastiaan Wissingh"/>
          <author initials="C." surname="Wood" fullname="Christopher Wood"/>
          <author initials="A." surname="Afanasyev" fullname="Alex Afanasyev"/>
          <author initials="L." surname="Zhang" fullname="Lixia Zhang"/>
          <author initials="D." surname="Oran" fullname="David Oran"/>
          <author initials="C." surname="Tschudin" fullname="Christian Tschudin"/>
          <date month="June" year="2020"/>
        </front>
        <seriesInfo name="RFC" value="8793"/>
        <seriesInfo name="DOI" value="10.17487/RFC8793"/>
      </reference>
      <reference anchor="RFC9171" target="https://www.rfc-editor.org/info/rfc9171">
        <front>
          <title>Bundle Protocol Version 7</title>
          <author initials="S." surname="Burleigh" fullname="Scott Burleigh"/>
          <author initials="K." surname="Fall" fullname="Kevin Fall"/>
          <author initials="E." surname="Birrane" fullname="Edward Birrane"/>
          <date month="January" year="2022"/>
        </front>
        <seriesInfo name="RFC" value="9171"/>
        <seriesInfo name="DOI" value="10.17487/RFC9171"/>
      </reference>
      <reference anchor="RFC9172" target="https://www.rfc-editor.org/info/rfc9172">
        <front>
          <title>Bundle Protocol Security (BPSec)</title>
          <author initials="E." surname="Birrane" fullname="Edward Birrane"/>
          <author initials="K." surname="McKeever" fullname="Kenneth McKeever"/>
          <date month="January" year="2022"/>
        </front>
        <seriesInfo name="RFC" value="9172"/>
        <seriesInfo name="DOI" value="10.17487/RFC9172"/>
      </reference>
      <reference anchor="RFC9556" target="https://www.rfc-editor.org/info/rfc9556">
        <front>
          <title>Internet of Things (IoT) Edge Challenges and Functions</title>
          <author initials="J." surname="Hong" fullname="Jong-Hyouk Hong"/>
          <author initials="Y-G." surname="Hong" fullname="Young-Geun Hong"/>
          <author initials="X." surname="de Foy" fullname="Xavier de Foy"/>
          <author initials="M." surname="Kovatsch" fullname="Matthias Kovatsch"/>
          <author initials="E." surname="Schooler" fullname="Eve Schooler"/>
          <author initials="D." surname="Kutscher" fullname="Dirk Kutscher"/>
          <date month="April" year="2024"/>
        </front>
        <seriesInfo name="RFC" value="9556"/>
        <seriesInfo name="DOI" value="10.17487/RFC9556"/>
      </reference>
      <reference anchor="I-D.ietf-cats-framework" target="https://datatracker.ietf.org/doc/draft-ietf-cats-framework/">
        <front>
          <title>A Framework for Computing-Aware Traffic Steering (CATS)</title>
          <author initials="C." surname="Li" fullname="Cheng Li"/>
          <author initials="Z." surname="Du" fullname="Zongpeng Du"/>
          <author initials="M." surname="Boucadair" fullname="Mohamed Boucadair"/>
          <author initials="L. M." surname="Contreras" fullname="Luis M. Contreras"/>
          <author initials="J." surname="Drake" fullname="John Drake"/>
          <date month="April" day="2" year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-cats-framework-24"/>
      </reference>
      <reference anchor="I-D.ietf-cats-usecases-requirements" target="https://datatracker.ietf.org/doc/draft-ietf-cats-usecases-requirements/">
        <front>
          <title>Computing-Aware Traffic Steering (CATS) Problem Statement, Use Cases, and Requirements</title>
          <author initials="K." surname="Yao" fullname="Kehan Yao"/>
          <author initials="L. M." surname="Contreras" fullname="Luis M. Contreras"/>
          <author initials="H." surname="Shi" fullname="Hang Shi"/>
          <author initials="S." surname="Zhang" fullname="Shuai Zhang"/>
          <author initials="Q." surname="An" fullname="Qing An"/>
          <date month="February" day="3" year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-cats-usecases-requirements-14"/>
      </reference>
      <reference anchor="I-D.luan-cats-catpts" target="https://datatracker.ietf.org/doc/draft-luan-cats-catpts/">
        <front>
          <title>A Framework for Compute-Aware Task Placement and Traffic Steering in Heterogeneous Computing Networks</title>
          <author initials="Q." surname="Li" fullname="Qing Li"/>
          <author initials="Z." surname="Luan" fullname="Zeyu Luan"/>
          <author initials="Y." surname="Jiang" fullname="Yong Jiang"/>
          <date month="March" day="1" year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-luan-cats-catpts-00"/>
      </reference>
      <reference anchor="I-D.liu-icnrg-cross-domain-compute-discovery" target="https://datatracker.ietf.org/doc/draft-liu-icnrg-cross-domain-compute-discovery/">
        <front>
          <title>Requirements for Name-Based Compute-Service Discovery in Heterogeneous Space-Terrestrial-Maritime Edge Networks</title>
          <author initials="S." surname="Liu" fullname="Shuai Liu"/>
          <date month="June" day="26" year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-liu-icnrg-cross-domain-compute-discovery-00"/>
      </reference>
    </references>
  </back>
</rfc>
