| Internet-Draft | Agent Principal Binding | July 2026 |
| Bu | Expires 7 January 2027 | [Page] |
Agent communication protocols often carry claims about user authority, agent instance identity, tool or external-resource identity, delegation state, session continuity, and action evidence. These claims have different verifiers, freshness requirements, failure modes, and security consequences. If they are collapsed into a single token, identity label, session identifier, or audit record, protocol text can accidentally imply more authority or accountability than the receiver can actually verify.¶
This document defines a verifier-facing model for separating those claims. It provides a reusable matrix format that protocol authors can use to state, for each security-relevant claim, which field carries it, which party verifies it, what binding or freshness rule applies, what failure behavior is required when the claim is absent, stale, inconsistent, or not verifiable, and what constrained result an application may consume after successful verification. It also separates specification status, implementation status, and evidence type so that reviewers can distinguish current protocol text, implementation evidence, inherited mechanisms, and architectural assumptions. The document is protocol-neutral. It is intended to help compare candidate agent communication drafts and to provide security-considerations and requirements text for agent session and delegation binding.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Agent protocols are being proposed for long-lived communication among agents, tools, gateways, services, and human or organizational principals. These protocols need to express several different kinds of security meaning:¶
These are not the same claim. A valid organizational identifier does not by itself prove a live agent instance. A session identifier does not by itself prove delegated authority. A transparency receipt does not by itself prove that the action was authorized. A tool invocation record does not by itself prove that the tool was within delegated scope.¶
The purpose of this document is to make these boundaries reviewable. It does not define a new agent protocol, token format, audit log, transparency service, or authorization system. Instead, it defines a claim-to-verifier discipline that other drafts can map to.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document is currently intended as Informational guidance. Requirement language is used to make security expectations reviewable by protocol authors; it does not by itself define a wire protocol.¶
An automated software component that initiates, receives, mediates, or performs actions on behalf of a human, organization, account, workload, or policy authority.¶
An entity whose authority, identity, state, or responsibility is relevant to a security decision.¶
A security-relevant statement that a protocol participant, credential, token, receipt, attestation, record, or external system asserts or carries.¶
The protocol field, credential, record, header, receipt, attestation, envelope, or external reference that carries a claim.¶
The party that evaluates a claim for a particular security decision.¶
The relationship between a claim and the specific state to which it applies, such as a session transcript, task digest, delegation chain, subject identifier, tool invocation, or evidence record.¶
The replay, expiration, revocation, sequence, rotation, challenge, nonce, or recency rule used to determine whether a claim can still be relied upon.¶
The required behavior when a claim is missing, stale, inconsistent, not verifiable, or out of scope for the decision being made.¶
The constrained verifier output that an application, gateway, policy engine, or relying party is allowed to consume after successful verification. An accepted result is not the raw peer-provided token, receipt, claim, or attestation. It is the verifier-produced result, including its scope and limitations.¶
A descriptive label for where a verifier decision is made or where a claim is carried. The label can use ordinary protocol-layer terminology, such as application, transport, or network, or an agent-native architectural taxonomy, but the vocabulary needs to be defined by the draft that uses it.¶
A stable reference to a public test vector, example, test case, implementation note, interop record, issue, pull request, or other reviewable artifact that supports a mapping row.¶
Agent communication drafts can become difficult to review when a single architectural label is used to imply several security properties. Common examples include:¶
These ambiguities are not merely editorial. They affect interoperability and security review. Two implementations can agree on a field name while making different decisions about who verifies the field, what state the field is bound to, and what happens when the field cannot be validated.¶
This document addresses that problem by giving protocol authors a common way to map each security-relevant claim to a carrier, verifier, verification rule, binding, freshness rule, accepted result, layer, and failure behavior.¶
This document does not:¶
This document is applicable when an agent communication draft carries, depends on, or inherits claims about authority, live instance identity, delegated scope, session continuity, tool or resource identity, action evidence, freshness, revocation, or verifier output. A draft does not need to define all of these claims to use the matrix; it only needs to identify the claims it carries or depends on.¶
The matrix can be used at several levels of formality. A mature draft can include a complete verifier matrix in its Security Considerations section or appendix. An early draft can use partial rows to make open questions explicit. A design team can maintain the mapping in a companion document, repository, issue, or pull request before importing stable text into an Internet-Draft.¶
The review mode should match the status claimed by a row. A row marked as specified should contain enough detail for independent implementation. A row marked as implemented should identify the implementation boundary and evidence type. A row marked as inherited, planned, partial, none, or assumption should not be treated as a current protocol guarantee.¶
The following principals commonly appear in agent communication designs.¶
The person, organization, role, legal entity, account, or policy authority on whose behalf the agent acts.¶
The concrete live agent, runtime, workload, or execution environment that participates in the protocol exchange.¶
The party that supplies, hosts, or controls an agent implementation or runtime environment.¶
A tool, API, service, file, database, payment endpoint, browser, physical device, or other resource invoked by an agent.¶
An intermediary that translates, routes, composes, gates, or mediates agent interactions.¶
The party that grants authority to another party or agent.¶
The party or agent that receives attenuated authority.¶
The party that decides whether a claim is sufficient for a specific protocol action.¶
A party that later reviews, audits, composes, or relies on evidence of an action.¶
A protocol can use one credential, key, session, or record to carry more than one claim, but the draft needs to identify each claim separately. Reusing a carrier does not make the claims equivalent.¶
Workload identity documents, such as the WIMSE architecture [I-D.ietf-wimse-arch] and workload identity practices [I-D.ietf-wimse-workload-identity-practices], are useful examples of why an instance, workload, or execution environment claim should be separated from human or organizational authority and from delegated task scope.¶
A draft SHOULD identify which of the following claim classes it carries or depends on. The identifiers below are provisional and are intended to make early review concrete. They are not an IANA registry and do not by themselves define protocol conformance.¶
Which live agent, runtime, workload, endpoint, or process is acting now?¶
Who authorized the task, policy, role, or delegation?¶
What authority has been delegated, by whom, to whom, under what scope and attenuation?¶
What state is bound to the current channel, connection, long-lived session, or task?¶
What action was requested, attempted, completed, blocked, or failed?¶
Which tool or external resource is being invoked or affected?¶
What evidence, signature, receipt, attestation, log entry, or record supports an action or decision?¶
Is the authority, delegation, instance state, tool binding, or session state still current?¶
What happens when the verifier cannot validate the claim for the requested action?¶
Which claims are preserved, transformed, or lost when agents, gateways, receipts, or tools are composed?¶
What normalized result may the application consume after successful verification, and what does that result not authorize?¶
Is the row claiming pre-execution authority, delegated scope, post-execution attribution, execution evidence, audit enforcement, or relying-party acceptance, and which of those does it not claim?¶
The registry is intentionally claim-oriented rather than protocol-oriented. More than one candidate protocol can map to the same claim, and a protocol can map to only a subset of the registry. The initial list is expected to change as AGENTPROTO discussion identifies additional claim classes or merges overlapping ones.¶
For each security-relevant claim, a protocol draft SHOULD provide a row with the following fields.¶
The registry identifier for the claim being mapped.¶
The precise security statement being made.¶
The protocol field, token, credential, record, header, receipt, attestation, or out-of-band reference that carries the claim.¶
The party that validates the claim.¶
The check performed by the verifier.¶
The other state to which the claim is bound, such as a session identifier, TLS exporter, action digest, delegation chain, subject identifier, or tool invocation.¶
The replay, expiration, revocation, rotation, sequence, or recency rule.¶
The required behavior when the claim is missing, stale, inconsistent, or not verifiable.¶
The constrained output that a verifier returns to the relying application when the row succeeds. It should name the normalized claim or decision state, the scope in which it may be used, and any important non-claims. For example, a successful possession check might return "holder of enrolled key under current release policy" without returning "delegated authority is sufficient" or "human authorization is present".¶
The protocol layer or architectural review dimension associated with the row. This field is descriptive. It does not impose a fixed layer taxonomy on every protocol, and it does not require a protocol to spread claims across different layers.¶
Whether the row is implemented, not implemented, partially implemented, or external.¶
Whether the row is specified in the current draft, planned for a later revision, inherited from another document, or an architectural assumption.¶
The draft, standard, service, governance process, transparency log, authorization system, attestation system, registry, or operational practice on which the row depends, if any.¶
An optional reference to a public test vector, example, test case, implementation artifact, interop note, issue, pull request, or other stable evidence that makes the row checkable.¶
The kind of evidence being referenced, such as source-level, unit-level, local-harness, interop, deployment, document, issue, pull-request, or other evidence.¶
The matrix is intended to make review strict enough that a draft cannot obtain a security property merely by naming an adjacent mechanism. The following rules apply to a verifier matrix.¶
The Layer field needs to be explicit because candidate agent communication drafts do not all use the same architectural model. A draft MAY use conventional protocol-layer language, such as application, transport, and network, when that is the clearest description of where the relevant carrier or verifier behavior sits.¶
A draft MAY instead use an agent-native architectural taxonomy, such as substrate, composition, application, governance, or audit. If it does so, the draft needs to define that taxonomy and explain how the labels are used. For example, a "governance" label might be useful for review when a claim depends on a policy, registry, reputation process, slashing process, or administrative authority; however, that label is not a protocol layer unless the draft defines it as one.¶
The Layer field is open-ended per row. A protocol can place all of its relevant carriers or verifier behavior at the transport layer if that is how the protocol is designed. Conversely, a protocol can use an architectural label when the verifier decision depends on composition, audit, or governance behavior outside the transport exchange. The matrix does not require either vocabulary; it requires the chosen vocabulary to be explicit.¶
The matrix can be maintained as two linked review levels: a claim registry and one or more protocol mapping records.¶
The first level is a claim registry for AGENTPROTO review. It assigns stable identifiers to security claims or requirements, without selecting one protocol as the general solution for every row. Each row can name one or more candidate protocols that map to that claim.¶
Candidate mappings include AGTP, IACP, a WIMSE profile, or another candidate.¶
Candidate mappings include vLEI, OAuth, GNAP, an authorization receipt, or another candidate.¶
Candidate mappings include a delegation chain, delegation receipt, or capability profile.¶
Candidate mappings include protocol session state, transport binding, or a migration profile.¶
Candidate mappings include an audit receipt, capsule, transparency statement, or evidence graph.¶
Candidate mappings include the verifier-produced result that an application, gateway, policy engine, or relying party is allowed to consume after successful verification.¶
Candidate mappings include human-authorization receipts, delegation records, mandate records, attribution records, audit records, action-evidence graphs, or other mechanisms whose security meaning depends on whether they speak before execution, during execution, after execution, or at relying-party acceptance time.¶
The second level is the set of protocol mapping records. Each candidate draft can provide one or more records for the claims it carries or depends on. This prevents a protocol from being treated as a complete architecture merely because it covers one claim well, and it lets the working group compare drafts row by row.¶
A protocol mapping row records the claim ID, claim text, carrier, verifier, verification rule, binding, freshness rule, accepted result, layer label, failure behavior, implementation status, specification status, any external dependency, evidence reference, and evidence type. For example, an instance-identity row might state that the carrier is a protocol field, the verifier is the peer, the binding is the handshake transcript, freshness is supplied by a nonce or epoch, the accepted result is a session-scoped instance decision, the failure behavior is connection rejection, and the evidence type is interop or local-harness evidence.¶
The claim registry is not a conformance target by itself. The protocol mapping record set is the review surface: it states what the draft actually specifies, what is implemented, what is inherited from another component, what remains an architectural assumption, and what evidence or test vector can be used to check the row.¶
The implementation and specification status fields are security relevant. They prevent an author, implementer, or reviewer from treating an intended mechanism as a current protocol guarantee.¶
The specification-status vocabulary is specified, planned, inherited, and assumption. The implementation-status vocabulary is implemented, partial, none, and external.¶
The two vocabularies are independent. A row can be specified but have no known implementation, implemented experimentally but not yet specified in the draft, inherited from another document with external implementation evidence, or planned without any current implementation claim.¶
The current draft contains enough protocol text for an independent implementer to identify the carrier, verifier, binding, freshness rule, accepted result when applicable, and failure behavior.¶
The row depends on another specification or system. The dependency needs to be identified, and the draft needs to state what happens if the dependency is absent or not trusted. An inherited row is not complete if it merely names another document; it also needs to identify the inherited verifier, binding, freshness rule, accepted result when applicable, and failure behavior or state that they are outside the current draft's scope.¶
The row is intended for a later revision and MUST NOT be treated as a current security guarantee.¶
The row depends on architecture, deployment, governance, or operational behavior that the draft does not specify.¶
At least one implementation performs the verification behavior described by the row. The row SHOULD identify whether that evidence is source-level, unit-level, local-harness, interop, or deployment evidence. If a public test vector or reproducible artifact exists, the row SHOULD include an evidence reference.¶
The draft or implementation covers part of the row, but at least one of the carrier, verifier, binding, freshness rule, accepted result, or failure behavior is incomplete.¶
No implementation evidence is currently claimed for the row.¶
The implementation evidence exists outside the candidate draft's own implementation. The row should identify the external system, artifact, or implementation boundary.¶
Candidate protocol drafts can use the following compact template in a Security Considerations section, appendix, or companion document.¶
The claim identifier from the registry.¶
The precise statement being asserted or depended upon.¶
The protocol field, credential, token, receipt, attestation, envelope, or external reference that carries the claim.¶
The party that performs the check.¶
The rule applied by the verifier.¶
The state to which the claim is bound.¶
The replay, revocation, expiration, sequence, nonce, or recency rule.¶
The verifier-produced result that the relying application may consume after successful verification. This field should state the scope of reliance and important non-claims.¶
The protocol layer or architectural review dimension used by the draft for this row.¶
The behavior when the claim is absent, stale, inconsistent, or not verifiable.¶
One of implemented, partial, none, or external.¶
One of specified, planned, inherited, or assumption.¶
The external document, system, service, registry, or operational process on which the row depends, if any.¶
A stable public pointer to the test vector, example, test case, implementation artifact, interop record, issue, or pull request that supports the row, if available.¶
The type of evidence, such as source-level, unit-level, local-harness, interop, deployment, document, issue, pull-request, or other evidence.¶
When a draft does not carry a claim, the corresponding row MAY be omitted. If the draft relies on the claim for a security decision, the row SHOULD NOT be omitted; it should instead state the dependency or assumption explicitly.¶
When a row produces a result that application logic consumes, the row SHOULD define the accepted result. For example, a verifier can return a constrained result such as "session-bound token possessed on this connection" without also returning "this request target is authorized" or "human authorization is present".¶
A verifier matrix becomes more useful when its rows are checkable rather than only asserted. A row therefore MAY include an evidence reference. The reference can point to a public test vector, example, conformance test, implementation test, interop note, issue, pull request, or other stable artifact.¶
An evidence reference does not need to prove that a protocol is complete. It needs to support the specific row. For example, a test vector for session replay resistance supports a freshness or binding row; it does not by itself prove delegated authority. A receipt verification example supports an evidence-carrier row; it does not by itself prove that the recorded action was authorized.¶
When evidence is implementation-related, the row SHOULD distinguish the evidence type. Useful categories include source-level evidence, unit-level evidence, local-harness evidence, cross-implementation interop evidence, and deployment evidence. This distinction prevents a draft from treating a local unit test, public interop vector, and deployment signal as equivalent.¶
A useful evidence reference is row-specific. It identifies the input object, the canonicalization or serialization rule when bytes are compared, the verifier decision being tested, the expected positive result, and at least one negative case that fails for the same row. If the evidence depends on a private deployment or non-public implementation, the row should say so instead of treating the evidence as publicly reproducible.¶
When a row produces an accepted result, the evidence reference should identify both the successful verifier output and at least one case in which a raw, stale, unbound, or incomplete claim is not passed to the application as an accepted result.¶
Some mechanisms used by agent communication protocols are not communication protocols themselves. For example, an authorization receipt, transparency statement, action-evidence graph, revocation statement, or attestation result can be an artifact-layer mechanism that is carried by, referenced by, or bound to a communication exchange.¶
Such a mechanism can be a valid inheritance target for a protocol mapping row. If a draft marks a row as inherited, the row SHOULD identify the inherited mechanism and the decision state it supplies. The row should state the inherited verifier, carrier, binding, freshness rule, accepted result, failure behavior, and evidence reference when available.¶
Marking a row as inherited is preferable to silently implying a guarantee. It allows a communication protocol to stay focused on its transport or session design while still making authority, action evidence, revocation, or audit dependencies visible to reviewers.¶
Some agent accountability drafts describe review in terms of slots or profiles rather than a single protocol. The same matrix discipline applies. Each slot should be representable as one or more mapping rows with its own carrier, verifier, binding, freshness rule, accepted result, failure behavior, and evidence reference.¶
For example, the composition model in [I-D.mih-sato-agent-accountability-composition] uses CAN, WHO, WHAT, and AUDIT profiles joined by a shared action digest. In this document's terms, the shared digest is a binding and composition aid for C-005 and C-010. It is not, by itself, an accepted result for authority, delegation, human authorization, completeness, runtime enforcement, or relying-party policy sufficiency.¶
Pre-execution approval, delegated authority, post-execution attribution, observed action evidence, and audit enforcement can name the same principal and the same action. They nevertheless remain different claims unless a draft specifies a verifier that intentionally joins them and defines the accepted result and failure behavior for that joined decision. A shared digest can make the join checkable; it does not make the rows interchangeable.¶
The following example is deliberately protocol-neutral. It is not a complete mapping for AGTP [I-D.hood-independent-agtp], IACP [I-D.gebauer-iacp], WIMSE [I-D.ietf-wimse-arch], or any other candidate draft. It illustrates how rows should separate claims, verifier decisions, accepted results, and failure behavior.¶
Possible carriers include a role credential, account policy, vLEI, OAuth token, GNAP grant [RFC9635], or equivalent. The verifier is the receiving agent or policy verifier. The claim is bound to the task, scope, subject, and resource. Freshness comes from token lifetime, revocation, or policy version. Failure behavior is rejection or fresh authorization.¶
Possible carriers include channel authentication, an agent credential, attestation, or a condition-bound protected key. The verifier is a peer, gateway, or relying party. The claim is bound to a session or channel transcript and to any declared protection conditions. Freshness comes from handshake freshness, attestation recency, nonce challenge, or equivalent live-key check. The accepted result is limited to live instance or key-possession status under those conditions; it does not by itself prove delegated task scope or human authority. Failure behavior is session rejection or capability downgrade.¶
Possible carriers include a delegation token or chain. The verifier is the recipient or gateway. The claim is bound to the delegator, delegatee, action class, and resource. Freshness comes from expiry, revocation, or attenuation version. Failure behavior is rejection of the delegated action.¶
Possible carriers include a tool call envelope or capability reference. The verifier is the tool gateway or policy engine. The claim is bound to delegated scope and tool identity. Freshness comes from a per-call nonce, session binding, or sequence. Failure behavior is denial of the invocation and failure recording if audit is claimed.¶
Possible carriers include an action digest, receipt, capsule, or audit record. The verifier is the profile verifier or composition verifier. The claim is bound to the canonical action input and native record. Freshness comes from digest context version and receipt policy. Failure behavior is refusal to compose the records as evidence of the same action.¶
After validating a row, the verifier returns a normalized result that states what the next component may rely on. For example, a gateway might return "this connection currently holds the enrolled live key" but not "this request is authorized for this resource" unless the authority and delegated-scope rows also succeed.¶
A human authorization receipt can show that a named human or quorum approved an action before execution. An attribution or audit record can show who was recorded as delegating, performing, or observing the action after execution. Even when both records are joined by the same action digest, the verifier returns separate accepted results for pre-execution authority and post-execution attribution unless another specified rule intentionally combines them.¶
Protocol authors SHOULD consider negative tests for each row in the verifier matrix. The following cases are intended as examples.¶
A delegation token or chain is structurally valid but expired, revoked, or superseded. The verifier rejects the delegated action or requests fresh authorization.¶
A tool call envelope is valid, but the envelope is not bound to the delegation scope, resource identifier, or session state used for the decision. The tool invocation is denied.¶
A claim or receipt from one session is replayed in another session. The verifier detects that the claim is not bound to the current session transcript, nonce, exporter, or equivalent channel state.¶
A receipt, log entry, capsule, or evidence record refers to a different action digest, input, resource, or policy version than the action being reviewed. The records are not composed as evidence of the same action.¶
A draft states that another component supplies authorization, attestation, or evidence, but does not identify the dependency or the failure behavior when the dependency is unavailable. The row is marked as inherited or assumption, not as a current protocol guarantee.¶
A protocol field, token, credential, receipt, or attestation is structurally valid, but the application consumes the raw object directly instead of a verifier-produced accepted result. The test fails unless the draft defines what normalized result may be consumed and what scope that result has.¶
A live-key, protected-key, or session-binding check succeeds, but the requested action is outside the delegated scope or lacks human or organizational authority. The key-possession row can pass while the authority or delegation row fails.¶
Two records carry the same action digest, and the implementation treats that equality as authorization, completeness, correctness, or policy sufficiency. The test fails unless the relevant authority, evidence, audit, and accepted-result rows are separately verified.¶
A post-execution attribution or audit record names a principal, but the system treats that record as proof that the principal approved the action before execution. The verifier rejects the substitution unless a pre-execution authorization row is independently satisfied.¶
A candidate agent communication draft can use this document in four ways.¶
A draft that takes the third path remains reviewable if it identifies the dependency and failure behavior. The main review problem is not that a protocol omits a claim; the problem is when a protocol relies on a claim while leaving the verifier, binding, freshness rule, or failure behavior implicit.¶
When a draft supplies a verifier matrix, it SHOULD distinguish:¶
This distinction is important for review. A row that depends on a future reputation system, slashing process, governance committee, or external log can still be useful, but it should not be presented as a current protocol guarantee.¶
An agent communication protocol MUST NOT rely on a single identifier, token, session handle, log entry, or credential to imply multiple security properties unless the draft explicitly specifies the verification rule for each property.¶
In particular:¶
A successful verification step should produce a constrained accepted result for the relying component. Protocol authors should avoid designs in which application logic consumes raw peer-provided claims, tokens, receipts, or attestations as if their mere presence were a completed security decision. The accepted result needs to preserve the scope, binding, freshness, and limitations of the verifier decision.¶
If a claim is required for a security decision and the verifier cannot validate that claim, the protocol MUST specify whether the action is rejected, downgraded, quarantined, delayed for additional authorization, or allowed with a recorded warning. Silent acceptance is not an acceptable default for a security-relevant claim.¶
Protocol authors should also consider cross-protocol composition. A claim that is valid in one protocol context might lose its security meaning when it is copied into a receipt, gateway envelope, audit record, or delegated session without preserving the binding and freshness state needed by the verifier.¶
Where attestation evidence is used, this document follows the RATS distinction among claims, evidence, appraisal, and relying-party decisions described in [RFC9334]. Where transparency services or signed-statement receipts are used, this document treats those receipts as evidence carriers and not as automatic proof of authorization or correct execution; see the SCITT architecture in [RFC9943].¶
Verifier-facing matrices can expose privacy-relevant design choices. A draft that binds actions to human authority, organizational identifiers, tool invocations, or long-lived sessions should state whether the binding creates linkability across actions, sessions, deployments, or administrative domains.¶
Drafts should avoid requiring globally linkable identifiers unless the security property being claimed requires them. Where possible, a matrix row should state whether the verifier needs a stable identifier, a pairwise identifier, a role or capability assertion, a freshness proof, or only evidence that a locally authorized policy decision was made.¶
Accepted results can also affect privacy. A verifier can often return a scoped decision such as "authorized for this task in this session" instead of exposing the raw credential, stable identifier, receipt, or attestation evidence to application logic. Drafts should describe when raw identifying material is preserved, transformed, minimized, or withheld from the accepted result.¶
This document makes no IANA requests.¶
If later versions define a reusable registry of claim identifiers, verifier matrix fields, or protocol mapping status values, that registry will need a separate IANA considerations section.¶
The AGTP [I-D.hood-independent-agtp] and IACP [I-D.gebauer-iacp] discussion threads provide useful early examples. This section does not judge whether either draft satisfies the matrix; it only identifies useful first mapping targets.¶
AGTP appears to expose candidate carriers for authority, agent identity, delegation, session state, composition-layer tool identity, and audit evidence. The next useful step is to turn those carriers into mapping records that state who verifies each claim, what accepted result is returned, what evidence type supports the row, and what failure behavior applies.¶
IACP has already been sketched by its author as a verifier-facing matrix. For reviewability, the useful next step is to separate rows that are currently in draft-gebauer-iacp-01 from rows that are future work, inherited from other mechanisms, or dependent on governance systems not yet specified in the current I-D.¶
The accountability composition work in [I-D.mih-sato-agent-accountability-composition] is another early application. Its CAN, WHO, WHAT, and AUDIT slots can be reviewed as mapping rows. The most important boundary for interop is that the shared action digest joins independently verified rows; it does not replace the native verifier for any slot and does not by itself produce an accepted result.¶
Both mappings can help converge a shared requirements note without requiring either protocol to adopt the other's wire format.¶
The author thanks Leonard Gebauer for proposing a two-level claim-registry and per-protocol mapping-record structure and for providing IACP-oriented mapping examples; Chris Hood for clarifying open-ended layer vocabulary and AGTP transport-layer mapping considerations; Iman Schrock for proposing evidence-backed mapping rows and inheritance-target framing for artifact-layer mechanisms; and Steven Mih and Tom Sato for accountability-composition and conformance-vector discussion that helped clarify action-digest joins and slot-style review. The author thanks Akira Okutomi for discussion that motivated clearer accepted-result and success-output boundaries, Karthik Rampalli for discussion of composed-stack review and failure classes, and Thi Nguyen-Huu for discussion of condition-bound credentials and live-key examples. The author also thanks participants on the AGENTPROTO mailing list for discussion of security-principal separation, verifier-facing review matrices, protocol comparison, and claim-level coordination among candidate drafts. Acknowledgment does not imply endorsement of this document or of any particular protocol mapping.¶