| Internet-Draft | Layered Delegation Mapping | July 2026 |
| Rampalli | Expires 7 January 2027 | [Page] |
This document records a comparative mapping of two evidence layers for cross-organization AI agent delegation: a per-hop delegation chain (PEDIGREE) and a named-human authorization root (the EMILIA Protocol binding and evidence-graph drafts), evaluated against the nine requirements of draft-reece-wimse-cross-org-delegation under a no-shared-operator assumption. It also records a verifier-facing composition model in which key possession, delegated authority, and pre-execution human authorization are diagnostically separate inputs with independent failure behavior, joined by action digest. The mapping was developed on the WIMSE mailing list; corrections continue there.¶
This document is a point-in-time record of a mailing-list discussion. Verdicts apply to the specific draft revisions cited and do not carry forward to later revisions automatically. The canonical venue for corrections is the WIMSE mailing list; agreed corrections will be folded into future revisions of this document.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Requirements R1 through R9 of [I-D.reece-wimse-cross-org-delegation] describe what cross-organization delegation of authority to AI agents must provide when the relying party and the originating organization share no operator, no runtime, and no bilateral agreement specific to the interaction. During the July 2026 discussion of those requirements on the WIMSE mailing list, two candidate mechanisms were mapped against them independently and were then found to occupy different layers of the same problem:¶
Neither layer claims the other's property. The chain proves that authority was conveyed and attenuated; the root layer proves that an accountable human authorized the act. Where the two meet, they join by digest equality, and digest equality is a join key, not a claim of sufficiency.¶
This document records the combined mapping (Section 2) and the verifier-facing composition model that the discussion converged on (Section 3). It defines no protocol and no new evidence format.¶
The no-shared-operator assumption applies throughout. Each verdict states what holds offline and unconditionally versus what depends on a named assumption, following the conditional form requested in the originating thread. Several entries are not clean passes and are marked as such; deployments should read a "met" verdict together with its stated condition, never without it.¶
"Chain" is the delegation layer ([I-D.rampalli-pedigree]). "Root" is the human-authorization layer ([I-D.schrock-human-authorization-binding], [I-D.schrock-ep-action-evidence-graph]). The composition column states how the layers relate on that row.¶
| Req | Chain (PEDIGREE) | Root (EP) | Composition |
|---|---|---|---|
| R1 | Met; inline conveyance condition | Out of layer by design | Chain-only property |
| R2 | Conditional: met only when the deployment pins a general anchor-trust mechanism usable by any party without per-counterparty negotiation. A general channel is named as one conforming way but not required, and static per-counterparty provisioning is admitted, which relocates rather than discharges R2. Same profile move as R1 inline conveyance. | Conditional, mechanism specified (the authority-introduction companion draft, cited in the row note; Informational; public implementation with tests). Authority Document: signed, hash-chained, sequence-numbered key declaration served from the org origin and registrable to a transparency log; rotations carry a normative continuity signature (MUST be flagged if absent), and artifacts resolve the key valid at issuance. Acceptance is graded per action class over introduction evidence (chain consistency, domain binding, transparency-log inclusion and age, pinned-anchor endorsements), widening mechanically as history accrues with no relying-party reconfiguration. Residual, admitted in the draft: first contact is made checkable, not eliminated. Met for lower-consequence classes; high-consequence cross-org actions between parties with no shared pinned anchor or logged history remain open. | Both layers name general, non-bilateral mechanisms, served from the org origin and transparency-logged, and state the assumption explicitly, narrowing R2. Shared residual: the first-contact bootstrap, coming to trust an originating anchor for an organization with no prior arrangement. Narrowed, explicit open item, not a satisfied assumption. |
| R3 | Met offline given conveyance | Met offline (deterministic policy replay) | Both fail closed rather than fetch |
| R4 | Deferred to transport (proof of possession at the wire) | Not addressed | Shared gap: neither layer proves possession; WIMSE-native answers at the wire are WPT and HTTP message signatures; composed stack: possession at the wire, attenuation along the chain, human authorization at the root. The possession row is now supplied by name (Section 3.3) |
| R5 | Invariance along the chain (re-verification) | Native to the artifact (single or quorum); B2 ties it to the host record | Root proves who; chain proves nobody swapped them |
| R6 | Conjunction native; entitlements relying-party local | Policy identity plus replay; entitlements relying-party local | Entitlements stay relying-party data |
| R7 | Lifetime bound offline; fail-closed on stale revocation data is an admitted revision item | Normative fail-closed: a stale verdict never authorizes; B4 | Root layer closes the gap the chain layer names |
| R8 | Signed hops; SCITT capsule binding for the post-execution half | Evidence graph; unbacked edges poison; signed Reliance Result | Join by digest: scope versus act, neither claims the other's property |
| R9 | Met (JWT/JOSE, pluggable policy) | Met (JSON/JCS, maps onto existing host formats) | No new formats on either side |
The R5 and R4 cells reflect corrections agreed on-list on 2026-07-05: the named-human and quorum property is native to the receipt and quorum artifacts themselves, with binding requirement B2 tying the artifact's action binding to the host record; and R4's composition cell carries the constructive composed-stack line alongside the shared-gap statement.¶
The full per-layer mappings live in the originating thread; these notes carry only what the one-line verdicts compress too much.¶
Row text contributed by the requirements author (2026-07-05), included verbatim. Reframed per his correction: pinning the originating anchor relocates the assumption rather than discharging it; the load-bearing part is how the relying party comes to trust that anchor. R2 is met only when the anchor arrives through a general mechanism any party can use without per-counterparty negotiation (public transparency log, open federation, verifiable credential from a recognized issuer, or trust-domain discovery), and the row names the mechanism. An anchor arranged in advance between the two organizations moves the forbidden bilateral agreement into the provisioning step.¶
Both layers have moved from bare open items toward explicit mechanisms. The chain layer names a general channel but does not require it and admits static provisioning, so its verdict is conditional on pinning a general mechanism. The root layer specifies one ([I-D.schrock-ep-authority-introduction]): a signed, hash-chained authority document served from the org origin and transparency-logged, with normative continuity on rotation, keys resolved at issuance, and graded per-action-class acceptance in which un-pinned issuers never receive full acceptance and high-consequence actions still require a pinned anchor.¶
Both narrow R2 honestly and make the residual explicit. The shared residual is the first-contact bootstrap: domain binding is worth what Web PKI is worth, log consistency is worth what the log operator is worth, and endorsements are worth nothing until the relying party pins one, so trust is not created from nothing. R2 is therefore conditional and narrowed, met for lower-consequence classes when a general channel is pinned, with the high-consequence cross-org bootstrap an explicit open item, not a satisfied assumption.¶
The same list discussion, on a parallel thread about condition-bounded credentials, converged on a verifier-facing structure in which the inputs to an authorization decision are conjunctive for the final decision but diagnostically separate, so that each input class has its own failure path:¶
A live key with a valid, sufficiently scoped chain still fails closed if a required human authorization is absent, stale, or bound to different action bytes; a valid chain whose holder cannot prove possession fails as a presentation failure; a valid key whose terminal scope does not cover the operation fails as an authorization failure. No row inherits or grants another row's guarantees.¶
The mapping-table rules of [I-D.bu-agentproto-security-principal-binding] require that an inherited mechanism state its dependency and failure behavior before it counts as a guarantee. The delegation-chain row, with PEDIGREE as the supplier, in those terms:¶
Stated that way, nothing is inherited implicitly: the chain row supplies the authority path and its attenuation, and it explicitly depends on the possession row rather than assuming it.¶
Iman Schrock contributed the human-authorization row on-list on 2026-07-05, stated in the same template terms as the chain row. It is included here with only editorial normalization.¶
One asymmetry, stated rather than papered over: the chain row of Section 3.1 does not yet cite public evidence vectors, and its evidence entry is open until vectors are published. An evidence column is only useful if an empty cell is allowed to say so.¶
Thi Nguyen-Huu contributed the possession row on-list on 2026-07-05, stated in the same template terms, together with the split the rows sit on: one authentication anchor, several authorization inputs decided above the key. It is included here with only editorial normalization.¶
With this row, every layer of the composed stack is stated by its supplier: possession under condition at the wire, attenuation along the chain, human authorization at the root, each failing independently, all joined on the same action digest. In this row freshness is liveness rather than a window, because the assessor of the condition and the stopper of the grant are the same place.¶
Each row of Table 1 and each input class above is kept expressible in the mapping-table template of [I-D.bu-agentproto-security-principal-binding] (claim, carrier, verifier and rule, binding and freshness, failure behavior, dependency, evidence reference). If the working group settles on that shared shape for comparative tables, moving this document into it is a re-rendering rather than a rewrite.¶
This document defines no protocol elements and introduces no new attack surface. Its risks are risks of misreading:¶
This document has no IANA actions.¶
This mapping is a record of a discussion, and the discussion did the work. Morgan Reece framed the requirements, asked for the conditional form, corrected the R2 verdicts, and contributed the R2 row text of this revision verbatim. Iman Schrock proposed the two-layer frame, reviewed the EP column of the combined table, contributed the pre-execution human-authorization input class, and supplied the human-authorization row of Section 3.2 in template terms and the R2 provisioning-mechanism correction. Songbo Bu proposed the diagnostically-separate-rows structure and the mapping-table discipline this document keeps itself expressible in. Thi Nguyen-Huu supplied the possession row of Section 3.3 and the authentication-anchor framing above it. Thanks also to the participants in the WIMSE mailing-list threads in which this mapping developed.¶