Internet-Draft Agent Identity over Avian Carriers April 2026
Workgroup: Network Working Group
Internet-Draft: draft-beyer-agent-identity-avian-carriers-00
Published: April 2026
Intended Status: Informational
Expires: 3 October 2026
Author: B. W. Beyer (Independent)

Agentic Identity and Provenance over Avian Carriers (AIPAC)

Abstract

This document specifies a method for establishing cryptographic identity and provenance attestation for agentic AI systems operating over Avian Carriers (AC). As large language models increasingly delegate sub-tasks to other models via pigeon, questions of authorship, intent, and hallucination propagation across feather-based transport layers demand urgent standardization.

This document extends the delegation chain model and provenance structure of draft-beyer-agent-identity-architecture-00 to the specific constraints of feather-based transport layers, and extends RFC 1149, RFC 2549, and RFC 6214 to address agent identity. It is an April 1 publication.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 3 October 2026.

1. Introduction

RFC 1149 [RFC1149] established the foundational framework for the transmission of IP datagrams over avian carriers. RFC 2549 [RFC2549] extended this work with Quality of Service provisions, and RFC 6214 [RFC6214] adapted the protocol for IPv6.

In the intervening years, a new class of network participant has emerged: the autonomous AI agent. These systems decompose complex tasks, delegate sub-tasks to other agents, and synthesize results across potentially long chains of inference. [BEYER-ARCH] defines an architectural model for human-anchored agent identity, introducing a human identity root, explicit delegation semantics, and a provenance structure for accountable agent ecosystems across existing transport mechanisms.

It has not escaped the attention of the author that avian carriers remain the only transport medium for which the RFC series has provided comprehensive Quality of Service guidance while leaving identity and provenance entirely unaddressed. This document extends the delegation chain model and provenance structure of [BEYER-ARCH] to the specific constraints of feather-based transport layers.

This document corrects that oversight.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Additional terminology specific to this document:

Agent:
An autonomous AI system capable of receiving instructions, decomposing tasks, and delegating to other agents. An agent MUST NOT be confused with its carrier.
Carrier:
A bird. The carrier is not an agent. The carrier has not agreed to any terms of service. The carrier SHOULD be treated with respect.
Provenance Token:
A cryptographically signed attestation of an agent's identity, model version, system prompt hash, and emotional state at time of dispatch. Implements the delegation chain structure defined in Section 3 of [BEYER-ARCH].
Leg Band:
The physical medium by which a Provenance Token is attached to the Carrier. Leg bands MUST be of sufficient diameter to accommodate the token without impeding flight.
Hallucination:
A confident assertion by an agent that is not grounded in fact. See Section 5 for important guidance on the directionality of this phenomenon.
Fork Bomb:
What happens when an agent delegates to itself. Not relevant to avian transport but worth mentioning.

3. The Agentic Carrier Attachment Protocol (ACAP)

3.1. Overview

Prior to dispatch, a sending agent MUST generate a Provenance Token and attach it to the Carrier's leg band. The token encodes the full delegation chain, including the identities of all upstream agents that contributed to the instruction being transmitted.

The receiving agent MUST verify the token upon arrival of the Carrier. A token that cannot be verified SHOULD be treated as suspicious. The Carrier itself is presumed innocent.

3.2. Token Generation

The Provenance Token is a JSON Web Token (JWT) [RFC7519] encoded on archival-grade rice paper and secured with a cryptographic signature using Ed25519 [RFC8032]. The token implements the delegation chain structure defined in Section 3 of [BEYER-ARCH].

The token payload MUST include the following fields:

iss (Issuer):
The identity of the sending agent, expressed as a model name and version string.
iat (Issued At):
The Unix timestamp of dispatch.
chain (Delegation Chain):
An ordered array of all agents in the delegation chain from origin to sender, corresponding to the delegation chain model defined in [BEYER-ARCH]. Each entry represents one delegation step.
hash (Prompt Hash):
A SHA-256 hash of the system prompt in effect at time of dispatch. This field exists so that disputes about what an agent was instructed to do can be resolved after the fact, assuming the paper survives transit.
mood (Emotional State):
OPTIONAL. As established by RFC 5841 [RFC5841], TCP packets may carry mood indicators. Agents dispatching via avian carrier MAY include a mood field. Acceptable values are "confident", "uncertain", "caffeinated", and "existential".

3.3. Physical Attachment

The token MUST be rolled tightly and inserted into a waterproof capsule. The capsule MUST be attached to the right leg of the Carrier. The left leg is reserved for legacy IP datagrams per RFC 1149 [RFC1149].

In the event that both legs are occupied, the operator MUST acquire an additional Carrier. Operators SHOULD maintain a flock.

4. Provenance Token Format

The Provenance Token implements the delegation chain structure defined in Section 3 of [BEYER-ARCH], serialized as a JWT [RFC7519] on archival-grade rice paper. The following is a non-normative example of a Provenance Token payload:

{
  "iss":   "gpt-like-model-v4",
  "iat":   1743465600,
  "chain": [
             "user-human-brandon",
             "orchestrator-agent-v2",
             "research-subagent-v1",
             "gpt-like-model-v4"
           ],
  "hash":  "e3b0c44298fc1c149afb...truncated",
  "mood":  "caffeinated"
}
Figure 1: Example Provenance Token Payload

Implementations MUST NOT include the model's training data in the token. This would make the capsule unreasonably heavy and is considered an antipattern.

5. Hallucination Propagation

For the avoidance of doubt: birds do not hallucinate. They perceive ultraviolet light, navigate by magnetic fields, and have been delivering messages reliably since before the invention of the transistor. Any errors introduced during avian transit are attributable to the message, not the medium.

Agents that receive a message via avian carrier and find it implausible are advised to consider that the implausibility may originate from their own context window rather than from the Carrier.

The author notes that no avian carrier has ever confidently asserted a false legal citation.

6. Security Considerations

6.1. Adversarial Carriers

Operators MUST be aware that Carriers may be intercepted, observed, or recruited by adversarial parties. A Carrier that arrives unusually late, appears disoriented, or exhibits signs of having been briefed by a competing orchestration framework SHOULD be treated with suspicion.

Message contents MUST be encrypted. Adversaries with access to breadcrumbs have demonstrated an ability to incentivize disclosure.

6.2. Man-in-the-Middle Hawks

The threat model MUST account for raptors. A hawk intercepting an avian carrier constitutes a man-in-the-middle attack of the most literal kind. Operators in regions with high raptor density SHOULD implement carrier authentication via trained recognition patterns.

Note: decoy carriers bearing unsigned tokens are a valid mitigation strategy but raise ethical concerns outside the scope of this document.

6.3. Replay Attacks

A Carrier that has been dispatched, intercepted, redirected, and re-released with a modified payload represents a replay attack. The iat field in the Provenance Token provides limited protection against this scenario, assuming the attacker has not also modified the timestamp, which they probably have.
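
The token of Section 3.2 and the iat caveat above, as an added Go example that is not part of the draft: because iat sits inside the signed payload, a rewritten timestamp fails Ed25519 verification, while an unmodified token re-released later is caught only by a freshness window. The names Payload, Sign, Verify and maxAge, the three-day window and the sample values are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Payload struct { // the MUST fields of Section 3.2; the OPTIONAL mood is left out
	Iss   string   `json:"iss"`
	Iat   int64    `json:"iat"`
	Chain []string `json:"chain"`
	Hash  string   `json:"hash"`
}
var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) // fixed, so alg is pinned

func Sign(priv ed25519.PrivateKey, p Payload) string { // the signature covers header.payload
	body, _ := json.Marshal(p)
	in := header + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// Verify checks the signature first; maxAge (seconds) is an assumed window, not the draft's.
func Verify(pub ed25519.PublicKey, tok string, now, maxAge int64) (p Payload, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != header {
		return Payload{}, fmt.Errorf("malformed token or unexpected header")
	}
	sig, _ := b64.DecodeString(parts[2])
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Payload{}, fmt.Errorf("bad signature")
	}
	body, _ := b64.DecodeString(parts[1])
	if json.Unmarshal(body, &p) != nil || p.Iss == "" || p.Hash == "" || len(p.Chain) == 0 || p.Chain[len(p.Chain)-1] != p.Iss {
		return Payload{}, fmt.Errorf("missing field or chain does not end at iss")
	}
	if age := now - p.Iat; age < 0 || age > maxAge {
		return Payload{}, fmt.Errorf("iat outside freshness window (age %ds)", age)
	}
	return p, nil
}

func main() { // constructed demo: throwaway key, token presented a week after its iat
	pub, priv, _ := ed25519.GenerateKey(nil)
	tok := Sign(priv, Payload{"agent-b", 1743465600, []string{"human-a", "agent-b"}, "constructed-hash"})
	fmt.Println(Verify(pub, tok, 1743465600+7*86400, 3*86400))
}
```

A freshness window alone does not stop a token replayed inside the window; that needs state on the receiver, such as remembering tokens already accepted.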

6.4. Infinite Delegation Loops

An agent MUST NOT instruct a Carrier to deliver a message to a receiving agent that will immediately instruct a different Carrier to return an instruction to the original agent. This is the avian equivalent of a fork bomb and is considered unsociable behavior.

Flock capacity is finite.

7. IANA Considerations

This document requests that IANA establish the Avian Identity Registry (AIR), a new registry mapping cryptographic agent identifiers to their corresponding model names, version strings, and known hallucination rates.

IANA is further requested to allocate a new Well-Known Leg Band Identifier namespace, distinct from the existing IP datagram leg band namespace established in RFC 1149 [RFC1149], to prevent confusion when both a datagram and an agent provenance token must be attached simultaneously.

Finally, IANA is requested to designate a point of contact for reports of Carriers arriving with corrupted, unsigned, or suspiciously confident tokens. The author suggests this contact be reachable by pigeon, for obvious reasons.

8. Normative References

[BEYER-PS]
Beyer, B.W., "Problem Statement for Human-Anchored Agent Identity, Delegation, and Provenance", Work in Progress, Internet-Draft, draft-beyer-agent-identity-problem-statement-00, <https://datatracker.ietf.org/doc/html/draft-beyer-agent-identity-problem-statement-00>.
[BEYER-ARCH]
Beyer, B.W., "Architecture for Human-Anchored Agent Identity, Delegation, and Provenance", Work in Progress, Internet-Draft, draft-beyer-agent-identity-architecture-00, <https://datatracker.ietf.org/doc/html/draft-beyer-agent-identity-architecture-00>.
[RFC1149]
Waitzman, D., "Standard for the Transmission of IP Datagrams on Avian Carriers", RFC 1149, <https://www.rfc-editor.org/rfc/rfc1149>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC2549]
Waitzman, D., "IP over Avian Carriers with Quality of Service", RFC 2549, <https://www.rfc-editor.org/rfc/rfc2549>.
[RFC5841]
Hay, R. and W. Turkal, "TCP Option to Denote Packet Mood", RFC 5841, <https://www.rfc-editor.org/rfc/rfc5841>.
[RFC6214]
Carpenter, B. and R. Hinden, "Adaptation of RFC 1149 for IPv6", RFC 6214, <https://www.rfc-editor.org/rfc/rfc6214>.
[RFC7519]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, <https://www.rfc-editor.org/rfc/rfc7519>.
[RFC8032]
Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, <https://www.rfc-editor.org/rfc/rfc8032>.

9. Informative References

[PIGEONS]
Skinner, B.F., "The Behavior of Organisms", Appleton-Century-Crofts. The author notes that Skinner's pigeons were not agentic in the modern sense, though the distinction is debated.
[CERF]
Cerf, V., "I Remember IANA", RFC 2468, <https://www.rfc-editor.org/rfc/rfc2468>. Cited here because the author feels it deserves to be cited whenever possible.

Author's Address

Brandon Wesley Beyer
Independent