This document specifies the forensic appraisal methodology and quantitative security model for the Proof of Process (PoP) framework. It defines how Verifiers evaluate behavioral entropy, perform liveness detection, and calculate forgery cost bounds. Additionally, it establishes the taxonomy for Absence Proofs and the Writers Authenticity Report (WAR) format, as well as the Tool Receipt protocol for artificial intelligence (AI) attribution within the linear human authoring process.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/writerslogic/draft-condrey-rats-pop.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The value of Proof of Process (PoP) evidence lies in the Verifier's ability to distinguish biological effort from algorithmic simulation. While traditional RATS [RFC9334] appraisals verify system state, PoP appraisal verifies a continuous physical process. This document provides the normative framework for forensic appraisal, defining the logic required to generate a Writers Authenticity Report (WAR).¶
This document is a companion to [PoP-Protocol], which defines the Evidence Packet wire format and Attester procedures. The present document specifies the Verifier's appraisal logic, Attestation Result (WAR) wire format, and forensic methodology. Implementers of Verifier components require both documents.¶
At T3/T4 attestation tiers, platform integrity verification as described in the SEAT use cases [SEAT-UseCases] provides the trust anchor for PoP's hardware-bound claims. When PoP Evidence is delivered over an attested TLS channel [SEAT-EXPAT], the Verifier gains assurance that the Attesting Environment's platform was trustworthy during evidence generation.¶
This document uses the following terms in addition to those defined in [RFC9334] and [PoP-Protocol]:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A Verifier MUST perform the following procedure to appraise a PoP Evidence Packet:¶
Steps 4 and 5 apply only when jitter-binding and entangled-mac fields are present (ENHANCED and MAXIMUM profiles). For CORE Evidence Packets lacking these fields, the Verifier MUST skip Steps 4 and 5 and note in the WAR warnings that behavioral analysis was not performed.¶
The appraisal logic is designed to detect "Synthetic Authoring" -- content generated by AI and subsequently "back-filled" with timing and hardware attestation.¶
A conforming Verifier MUST evaluate all forensic mechanisms for which the Evidence Packet contains sufficient data. Any single triggered flag is sufficient to assign the suspicious verdict. Verifiers MAY implement additional analysis mechanisms beyond those defined in this specification.¶
The signal-to-noise ratio measures productive editing activity versus idle or mechanical noise within each evidence window:¶
SNR = 10 * log10(P_signal / P_noise)
where:
P_signal = (keystroke_count + revision_count) / window_duration
P_noise = (pause_total_ms + idle_intervals) / window_duration
¶
Typical ranges observed in human authorship:¶
The Verifier SHOULD compute per-window SNR and session-wide SNR statistics (mean, variance, trend) as forensic indicators.¶
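The following non-normative Python sketch illustrates one way a Verifier might derive these values; the parameter names mirror the formula above, and the trend measure (last window minus first) is an assumption of this example, not a requirement of this document.¶
import math
from statistics import mean, pvariance

def window_snr(keystroke_count, revision_count, pause_total_ms,
               idle_intervals, window_duration):
    # Per-window SNR in dB, per the formula above.
    p_signal = (keystroke_count + revision_count) / window_duration
    p_noise = (pause_total_ms + idle_intervals) / window_duration
    if p_signal == 0:
        return float("-inf")  # no productive activity in this window
    if p_noise == 0:
        return float("inf")   # no measurable noise in this window
    return 10 * math.log10(p_signal / p_noise)

def session_snr_stats(windows):
    # Session-wide mean, variance, and a simple first-to-last trend.
    snrs = [window_snr(**w) for w in windows]
    return {"mean": mean(snrs),
            "variance": pvariance(snrs),
            "trend": snrs[-1] - snrs[0]}
¶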
The Compositional Lyapunov Coefficient (CLC) measures the rate at which writing complexity evolves over the session, analogous to Lyapunov exponents in dynamical systems:¶
CLC = (1/n) * sum_{i=1}^{n} ln(|delta_IKI[i]| / |delta_IKI[i-1]|)
where:
delta_IKI[i] = IKI_mean[i] - IKI_mean[i-1]
n = number of consecutive window pairs
¶
The Incremental Kolmogorov Information (IKI) measures informational complexity added per window:¶
IKI[i] ~= compressed_size(delta_content[i]) / raw_size(delta_content[i])¶
Typical ranges: human authorship exhibits positive CLC values (0.01 to 0.5) reflecting natural creative divergence. CLC near zero indicates mechanical regularity. IKI values for human writing typically range from 0.3 to 0.8; values consistently near 1.0 suggest random content insertion, while values near 0.0 suggest verbatim copying.¶
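As a non-normative illustration, the sketch below estimates CLC from a series of per-window IKI means and approximates the IKI compression ratio for a content delta. zlib stands in for the compressor, which this document does not mandate, and zero-valued deltas are skipped to keep the computation total.¶
import math
import zlib

def clc(iki_mean):
    # delta_IKI[i] = IKI_mean[i] - IKI_mean[i-1]
    deltas = [b - a for a, b in zip(iki_mean, iki_mean[1:])]
    # Average log-ratio of consecutive deltas (Lyapunov-style estimate).
    ratios = [abs(d1) / abs(d0) for d0, d1 in zip(deltas, deltas[1:])
              if d0 != 0 and d1 != 0]
    if not ratios:
        return 0.0  # mechanical regularity: CLC near zero
    return sum(math.log(r) for r in ratios) / len(ratios)

def iki(delta_content: bytes) -> float:
    # compressed_size / raw_size: ~1.0 near-random, ~0.0 highly repetitive.
    if not delta_content:
        return 0.0
    return len(zlib.compress(delta_content)) / len(delta_content)
¶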
Indicators of mechanical turk behavior include:¶
Verifiers SHOULD compute a mechanical turk probability score from 0.0 (no indicators) to 1.0 (all indicators present). A score exceeding 0.6 SHOULD trigger a recommendation for tool receipt documentation.¶
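A minimal non-normative sketch of the score computation follows; the indicator names are hypothetical placeholders.¶
def turk_probability(indicators: dict) -> float:
    # Fraction of triggered indicators: 0.0 (none) to 1.0 (all present).
    if not indicators:
        return 0.0
    return sum(indicators.values()) / len(indicators)

score = turk_probability({"uniform_relay_cadence": True,   # hypothetical
                          "absent_self_correction": True,  # hypothetical
                          "burst_insertions": False})      # hypothetical
if score > 0.6:
    print("recommend tool receipt documentation")
¶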
Error topology analysis constructs a directed graph of error and correction patterns. The error graph G = (V, E) has vertices V representing edit operations and edges E representing temporal succession. Human error topology exhibits:¶
Simulated error injection produces uniform error distribution, regular correction intervals, and no correlation between error rates and structural boundaries. A graph clustering coefficient below 0.1 combined with uniform correction latency is flagged as potentially synthetic.¶
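The following non-normative sketch (using the networkx library) applies this flagging rule; how succession edges are extracted from the Evidence Packet, and the 0.05 uniformity cutoff on correction latency, are assumptions of the example.¶
import statistics
import networkx as nx

def potentially_synthetic(succession_edges, correction_latencies_ms):
    # Undirected view of G = (V, E) for the clustering coefficient.
    clustering = nx.average_clustering(nx.Graph(succession_edges))
    # Coefficient of variation as a uniformity measure for latencies.
    cv = (statistics.stdev(correction_latencies_ms)
          / statistics.mean(correction_latencies_ms))
    # Flag: low clustering combined with near-uniform correction latency.
    return clustering < 0.1 and cv < 0.05  # 0.05 cutoff is an assumption
¶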
Forgery cost bounds provide a Verifier with a lower bound on the computational resources required to forge an Evidence Packet. The cost (C_total) is computed as:¶
C_total = C_swf + C_entropy + C_hardware¶
The SWF cost component provides a lower bound on the computational time an adversary must expend:¶
C_swf >= n * t_checkpoint
where:
n = number of checkpoints in the Evidence chain
t_checkpoint = wall-clock time for one SWF computation
¶
The memory-hard nature of Argon2id ensures that an adversary with k parallel processors achieves at most O(sqrt(k)) speedup due to memory bandwidth constraints. The minimum forgery time equals the sum of SWF claimed-durations across all checkpoints. At T1 tier without hardware binding, C_swf represents an economic cost only (the adversary must spend real time, but has no hardware constraint).¶
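A worked example of the bound, treating the O(sqrt(k)) speedup cap as exact for illustration:¶
import math

def min_forgery_time_s(n_checkpoints, t_checkpoint_s, k_processors=1):
    # C_swf >= n * t_checkpoint, divided by the sqrt(k) parallel
    # speedup cap imposed by memory bandwidth constraints.
    return n_checkpoints * t_checkpoint_s / math.sqrt(k_processors)

# e.g. 360 checkpoints at 30 s each: 10800 s serially, ~1080 s with k = 100.
print(min_forgery_time_s(360, 30), min_forgery_time_s(360, 30, 100))
¶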
The entropy cost component estimates the resources required to synthesize behavioral noise satisfying all forensic constraints:¶
C_entropy = O(d * n * log(1/epsilon))
where:
d = number of independent forensic dimensions
n = number of checkpoints
epsilon = target false-negative rate
¶
At T1/T2, only basic entropy and timing are checked (d = 2). For T3/T4, the full forensic assessment applies (d >= 7, including CLC, IKI, error topology, SNR dynamics, session consistency, and cross-checkpoint correlation), making synthesis exponentially more expensive in the number of correlated dimensions the adversary must simultaneously satisfy.¶
The cost of synthesizing behavioral noise that satisfies all forensic constraints is inherently uncertain and depends on adversary capability. Verifiers SHOULD set C_entropy conservatively. When the Verifier cannot independently assess AI synthesis costs, C_entropy SHOULD be set to 0 and the WAR warnings field SHOULD note that entropy cost was not estimated.¶
Verifiers MUST include these estimates in the WAR to allow Relying Parties to set trust thresholds based on objective economic risk.¶
The c-total field in the forgery-cost-estimate MUST equal the sum of c-swf, c-entropy, and c-hardware. All component costs within a single forgery-cost-estimate MUST be expressed in the same cost-unit.¶
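The non-normative sketch below assembles such an estimate: c-entropy defaults to 0 with an accompanying warning when it cannot be assessed, and the c-total invariant is checked before the estimate is emitted. The dictionary keys are mnemonic stand-ins for the integer keys of the CDDL map defined later in this document.¶
def make_forgery_cost_estimate(c_swf, c_hardware, c_entropy=0.0,
                               cost_unit=2, warnings=None):
    # cost-unit 2 = cpu-hours; all components share one cost-unit.
    if c_entropy == 0.0 and warnings is not None:
        warnings.append("entropy cost was not estimated")
    est = {"c-swf": c_swf, "c-entropy": c_entropy,
           "c-hardware": c_hardware, "cost-unit": cost_unit,
           "c-total": c_swf + c_entropy + c_hardware}
    # Invariant: c-total MUST equal the sum of the three components.
    assert est["c-total"] == est["c-swf"] + est["c-entropy"] + est["c-hardware"]
    return est
¶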
Absence proofs assert that certain events did NOT occur during the monitored session. They are divided into categories based on verifiability:¶
Type 1 (Computationally-Bound) claims MUST be verified computationally by the Verifier from the Evidence Packet data alone. Type 3 (Environmental) claims SHOULD be evaluated against physical-state markers when present, and MUST be treated as unverifiable when physical-state is absent.¶
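A non-normative sketch of a Type 1 check follows; the event-record layout is hypothetical, since this document does not define the Evidence Packet's internal event representation.¶
def verify_type1_absence(claim, events):
    # Computationally-bound: decided from Evidence Packet data alone.
    start, end = claim["window-start"], claim["window-end"]
    occurred = any(start <= e["ts"] <= end and
                   e["kind"] == claim["excluded-kind"]
                   for e in events)
    return not occurred  # assertion field: True if the claim holds

# e.g. a "no-paste-event" claim over the whole session window.
claim = {"window-start": 0.0, "window-end": 5400.0, "excluded-kind": "paste"}
print(verify_type1_absence(claim, [{"ts": 12.5, "kind": "keystroke"}]))
¶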
The Writers Authenticity Report (WAR) is a CBOR-encoded [RFC8949] Attestation Result identified by semantic tag 1463898656 (encoding ASCII "WAR "). The CDDL notation [RFC8610] defines the wire format:¶
pop-war = #6.1463898656(attestation-result)

attestation-result = {
  1 => uint,                    ; version (MUST be 1)
  2 => hash-value,              ; evidence-ref
  3 => verdict,                 ; appraisal verdict
  4 => attestation-tier,        ; assessed assurance level
  5 => uint,                    ; chain-length
  6 => uint,                    ; chain-duration (seconds)
  ? 7 => entropy-report,        ; entropy assessment (omit for CORE)
  ? 8 => forgery-cost-estimate, ; quantified forgery cost
  ? 9 => [+ absence-claim],     ; absence claims (1+ when present)
  ? 10 => [* tstr],             ; warnings
  11 => bstr,                   ; verifier-signature (COSE_Sign1)
  12 => pop-timestamp,          ; created (appraisal timestamp)
  * int => any,                 ; extension fields
}

verdict = &(
  authentic: 1,    ; consistent with human authorship
  inconclusive: 2, ; insufficient evidence
  suspicious: 3,   ; anomalies detected
  invalid: 4,      ; chain broken or forged
)

entropy-report = {
  1 => float32, ; timing-entropy (bits/sample)
  2 => float32, ; revision-entropy (bits)
  3 => float32, ; pause-entropy (bits)
  4 => bool,    ; meets-threshold
}

forgery-cost-estimate = {
  1 => float32,   ; c-swf
  2 => float32,   ; c-entropy
  3 => float32,   ; c-hardware
  4 => float32,   ; c-total
  5 => cost-unit, ; currency
}

cost-unit = &(
  usd: 1,
  cpu-hours: 2,
)

absence-claim = {
  1 => absence-type, ; proof category
  2 => time-window,  ; claimed window
  3 => tstr,         ; claim-id
  ? 4 => any,        ; threshold/parameter
  5 => bool,         ; assertion
}

absence-type = &(
  computationally-bound: 1, ; verifiable from Evidence alone
  monitoring-dependent: 2,  ; requires trust in AE monitoring
  environmental: 3,         ; environmental assertions
)

time-window = {
  1 => pop-timestamp, ; start
  2 => pop-timestamp, ; end
}

; Shared type definitions reproduced from [PoP-Protocol] for reader
; convenience. In case of conflict, [PoP-Protocol] is authoritative.

pop-timestamp = #6.1(float32) ; CBOR tag 1 (epoch-based, float32)

hash-value = {
  1 => hash-algorithm,
  2 => bstr,
}

hash-algorithm = &(
  sha256: 1,
  sha384: 2,
  sha512: 3,
)

attestation-tier = &(
  software-only: 1,     ; T1: AAL1
  attested-software: 2, ; T2: AAL2
  hardware-bound: 3,    ; T3: AAL3
  hardware-hardened: 4, ; T4: LoA4
)
¶
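As a non-normative illustration, the following Python sketch (using the cbor2 library) encodes and decodes a minimal WAR. The signature field carries an empty placeholder rather than a real COSE_Sign1 value, and the entropy-report is omitted as for a CORE packet.¶
import cbor2
from cbor2 import CBORTag

WAR_TAG = 1463898656  # semantic tag encoding ASCII "WAR "

war = CBORTag(WAR_TAG, {
    1: 1,                          # version
    2: {1: 1, 2: bytes(32)},       # evidence-ref: sha256, placeholder digest
    3: 1,                          # verdict: authentic
    4: 3,                          # attestation-tier: hardware-bound (T3)
    5: 42,                         # chain-length
    6: 5400,                       # chain-duration (seconds)
    10: ["behavioral entropy analysis was not performed"],  # warnings
    11: b"",                       # verifier-signature placeholder
    12: CBORTag(1, 1767225600.0),  # created: pop-timestamp (tag 1, epoch)
})

encoded = cbor2.dumps(war)
decoded = cbor2.loads(encoded)
assert decoded.tag == WAR_TAG and decoded.value[3] == 1
¶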
The evidence-ref field MUST contain a hash-value computed as SHA-256 over the CBOR-encoded evidence-packet structure (including CBOR tag 1347571280), excluding any COSE_Sign1 wrapper. This binds the Attestation Result to a specific Evidence Packet.¶
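A non-normative sketch of this computation, assuming the Evidence Packet is available as a Python mapping before COSE signing:¶
import hashlib
import cbor2
from cbor2 import CBORTag

EVIDENCE_PACKET_TAG = 1347571280  # Evidence Packet tag per [PoP-Protocol]

def evidence_ref(evidence_packet: dict) -> dict:
    # SHA-256 over the tagged CBOR encoding, excluding any COSE_Sign1 wrapper.
    encoded = cbor2.dumps(CBORTag(EVIDENCE_PACKET_TAG, evidence_packet))
    return {1: 1, 2: hashlib.sha256(encoded).digest()}  # 1 = sha256
¶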
In the absence-claim structure, claim-id is a unique textual identifier for the claim (e.g., "no-paste-event", "max-delta-below-500"). The assertion field is true if the claim holds and false if the Verifier determined it does not hold. The time-window specifies the temporal scope of the claim within the Evidence Packet's session.¶
When appraising CORE Evidence Packets that lack jitter-binding data, the Verifier SHOULD omit the entropy-report field from the Attestation Result and include a warning indicating that behavioral entropy analysis was not performed.¶
The created field (key 12) MUST contain the timestamp at which the Verifier completed the appraisal. Relying Parties use this field to evaluate the freshness of the Attestation Result.¶
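A minimal Relying Party freshness check, assuming the 90-day default validity period noted in the privacy considerations is the applicable staleness bound (this document does not fix one):¶
import time

DEFAULT_VALIDITY_S = 90 * 24 * 3600  # 90-day default validity period

def is_fresh(created_epoch_s: float, now_s: float = None) -> bool:
    # Compare the WAR's created field (key 12) against the validity window.
    now_s = time.time() if now_s is None else now_s
    return 0 <= now_s - created_epoch_s <= DEFAULT_VALIDITY_S
¶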
The Verifier MUST compute entropy-report fields as follows:¶
The Verifier MUST assign the verdict based on the appraisal outcome:¶
NOTE: This section is informational. The complete CDDL wire format for Tool Receipts, including signature algorithms and binding mechanisms, will be specified in a future revision. Implementations SHOULD treat this section as guidance only.¶
When external tools (LLMs) contribute content, the framework enables a "compositional provenance" model:¶
Verifiers appraise the ratio of human-to-machine effort based on these receipts and the intervening SWF-proved intervals.¶
This document inherits the adversary model defined in the Threat Model section of [PoP-Protocol]; the appraisal procedures defined herein assume the Attester capabilities and constraints specified there. The primary threat is an adversarial Attester -- an author who controls the Attesting Environment and seeks to generate Evidence for content they did not authentically author.¶
The following adversary tiers characterize the appraisal-specific threat landscape. Each tier defines the adversary capabilities that the corresponding Attestation Tier is designed to resist:¶
High-resolution behavioral data poses a stylometric de-anonymization risk [Goodman2007]. Implementations SHOULD support Evidence Quantization, reducing timing resolution to a level that maintains forensic confidence while breaking unique author fingerprints.¶
The entropy-report in Attestation Results (timing-entropy, revision-entropy, pause-entropy) may enable cross-document author identification by Relying Parties. Verifiers SHOULD quantize entropy-report values to reduce fingerprinting precision while preserving forensic utility. Relying Parties MUST NOT correlate entropy reports across multiple Attestation Results to identify or track authors.¶
Attestation Results MUST quantize forensic indicator values to the following resolutions:¶
These quantization levels are calibrated to preserve the forensic utility of all assessment mechanisms defined in Section 5 while limiting the precision available for stylometric fingerprinting.¶
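A non-normative quantization helper; the 0.1 resolution shown is a placeholder, not one of the mandated resolutions:¶
def quantize(value: float, resolution: float) -> float:
    # Snap a forensic indicator to the mandated resolution before it is
    # placed in the Attestation Result.
    return round(value / resolution) * resolution

print(quantize(4.3721, 0.1))  # -> 4.4 (placeholder 0.1 resolution)
¶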
Verifiers MUST NOT maintain per-author behavioral profile databases. Attestation Results SHOULD NOT include raw forensic indicator values; tier-level pass/fail determinations are sufficient for Relying Parties. Evidence retention SHOULD NOT exceed 90 days (the default validity period). Implementations SHOULD support anonymous Evidence submission to prevent linking authorship sessions to real-world identities.¶
Verifiers MUST NOT automatically reject evidence based solely on atypical timing patterns. Implementations MUST support "Assistive Modes" that adjust SNR and CLC thresholds for authors with motor disabilities or those using assistive technologies (eye-tracking, dictation).¶
To signal assistive mode usage, the Attester SHOULD include an assistive-mode indicator in the profile-declaration structure of the Evidence Packet. When this indicator is present, Verifiers MUST apply adjusted thresholds as follows:¶
Eye-tracking input produces IKI ranges of 500-3000 ms (versus 100-300 ms for keyboard). Adjusted thresholds:¶
Dictation input produces burst patterns with higher cadence variance than keyboard. Adjusted thresholds:¶
The WAR MUST indicate when assistive mode thresholds were applied. Assistive mode is signaled through the profile-declaration structure in the Evidence Packet. Implementations MAY include an assistive-mode feature flag (value 60) in the feature-flags array. The following values are defined: 0 (none), 1 (motor-disability), 2 (eye-tracking), 3 (dictation). A future revision of [PoP-Protocol] will formalize this signaling mechanism.¶
This document has no IANA actions. All IANA registrations for the PoP framework are defined in [PoP-Protocol].¶
This document defines forensic appraisal procedures that inherit and extend the security model from [PoP-Protocol]. The broader RATS security considerations [Sardar-RATS] also apply. Implementers should consider the following security aspects:¶
An adversary may attempt to inject synthetic jitter patterns that satisfy entropy thresholds while lacking biological origin. The use of multi-dimensional analysis (SNR, CLC, Error Topology) rather than single metrics provides defense-in-depth against high-fidelity simulation.¶
The forensic assessments defined in this document produce probabilistic confidence scores, not binary determinations. Relying Parties MUST understand that forgery cost bounds represent economic estimates, not cryptographic guarantees. Trust decisions SHOULD incorporate the declared Attestation Tier (T1-T4) and the specific absence proof types claimed.¶
High-resolution behavioral data (keystroke timing, pause patterns) can enable author identification even when document content is not disclosed. Implementations SHOULD support Evidence Quantization to reduce timing resolution while maintaining forensic utility. The trade-off between forensic confidence and privacy should be documented for Relying Parties.¶
Adversaries may falsely claim assistive technology usage to bypass behavioral entropy checks. Verifiers SHOULD require consistent assistive mode declarations across sessions and MAY request additional out-of-band verification for mode changes. The WAR should indicate when assistive modes were active, as specified in the accessibility section above.¶
The following constraints summarize the verification requirements defined in the preceding sections:¶
This appendix summarizes the verification thresholds and constraints for each Attestation Tier. These values are the normative defaults; deployment profiles MAY adjust them within the ranges specified.¶
The author thanks the participants of the RATS working group for their ongoing work on remote attestation architecture and security considerations that informed this specification.¶