Individual Submission A. Okutomi Internet-Draft Individual Intended status: Informational 25 June 2026 Expires: 27 December 2026 A Core Acceptance Profile for Session-Bound Agent Identity draft-okutomi-session-bound-agent-identity-02 Abstract This document defines a core verifier-side acceptance profile for session-bound Agent identity. A verifier accepts an Agent only when a verified authority grant, holder-of-key proof, accepted TLS or exported-authenticator session, freshness and replay state, any required attestation result, and verifier-local policy all describe the same intended interaction. This document does not define a TLS extension, attestation evidence format, identity provider, holder-side presentation format, registry, control plane, gateway, or application protocol. Instead, it defines the fail-closed acceptance rule for composing existing Internet mechanisms at the verifier boundary. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 27 December 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. Okutomi Expires 27 December 2026 [Page 1] Internet-Draft Core Agent Identity June 2026 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Scope and Non-Goals . . . . . . . . . . . . . . . . . . . . . 4 4. Core Invariant . . . . . . . . . . . . . . . . . . . . . . . 5 5. Design Intent . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Internet Applicability and Deployment Assumptions . . . . . . 6 7. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 6 8. Acceptance Model . . . . . . . . . . . . . . . . . . . . . . 7 9. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 8 10. Authority and Key Separation . . . . . . . . . . . . . . . . 8 11. Binding Profiles and Related RFCs . . . . . . . . . . . . . . 9 12. Grant and Authority Material . . . . . . . . . . . . . . . . 11 13. Session Proof Material . . . . . . . . . . . . . . . . . . . 11 14. Direct Session Binding Construction . . . . . . . . . . . . . 12 15. Verification Procedure . . . . . . . . . . . . . . . . . . . 15 16. Minimal Positive Acceptance Case . . . . . . . . . . . . . . 16 17. Minimal Negative Acceptance Cases . . . . . . . . . . . . . . 16 18. Freshness, Replay, Rotation, and Revocation . . . . . . . . . 17 19. Canonical Policy Values . . . . . . . . . . . . . . . . . . . 18 20. Deployment Topologies . . . . . . . . . . . . . . . . . . . . 19 20.1. Direct-Agent Mode . . . . . . . . . . . . . . . . . . . 19 20.2. Gateway-Routed Mode . . . . . . . . . . . . . . . . . . 19 21. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19 22. Caching and Replay-State Reuse . . . . . . . . . . . . . . . 19 23. Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . 20 24. Security Considerations . . . . . . . . . . . . . . . . . . . 20 25. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 26. Normative References . . . . . . . . . . . . . . . . . . . . 21 27. Informative References . . . . . . . . . . . . . . . . . . . 22 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 25 1. Introduction Automated agents often combine transport authentication, signed authorization material, platform attestation, and local policy. Each component can verify successfully while the composition still authenticates the wrong session, task, platform, or Agent. Okutomi Expires 27 December 2026 [Page 2] Internet-Draft Core Agent Identity June 2026 This document defines a deterministic verifier-side acceptance gate. The verifier accepts a peer only when the authenticated identity, session binding, freshness and replay state, any required attestation state, and verifier-local policy describe the same intended interaction. This core profile does not change TLS [RFC8446], exported authenticators [RFC9261], remote attestation roles [RFC9334], JWT/ JWS, CWT/COSE, OAuth, or HTTP. Existing sender-constraining mechanisms can prove possession of a key, and attestation mechanisms can appraise evidence, but they do not by themselves define the verifier-side rule that the authority grant, live TLS session, request context, replay state, attestation result, and local policy all refer to the same intended interaction. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Core profile The verifier-side acceptance rules defined by this document. The core profile is not a complete wire-binding profile by itself. Binding profile A specification that instantiates the core profile for a protocol or deployment by fixing wire representation, canonicalization, exporter label, replay rules, diagnostic behavior, and other protocol-specific inputs. Deployment profile Deployment policy that selects trusted issuers, local expected values, attestation requirements, disclosure policy, and operational limits. Agent The workload, process, service component, or automated actor whose identity is being accepted by the verifier. Principal A person or organization on whose behalf an Agent acts. Verifier The party that authenticates the grant, checks the session binding, evaluates freshness and replay state, and compares the result with local policy before returning an accepted identity to the application. Policy authority A locally trusted issuer of authority statements. Okutomi Expires 27 December 2026 [Page 3] Internet-Draft Core Agent Identity June 2026 Authority grant A signed or MACed authority statement issued by a policy authority. It authorizes upper-layer identity, task, and authorization values. It does not prove that the authorized Agent is present on the current TLS session. Session proof A holder-of-key proof that binds one verified authority grant to one accepted TLS or exported-authenticator session. It proves possession and session binding. It does not authorize service, tenant, task, scope, resource, or capability values. Expected value A verifier-local policy input. Observed value A value extracted from authenticated grants, session- bound statements, attestation results, trusted manifests, or locally derived request state. An observed value does not become an expected value without a trusted local policy decision. Wrong-context acceptance Accepting cryptographically valid material for a different service, tenant, Agent, task, delegation, or authority boundary than the verifier intended. Context diversion is a failure description, not a wire mechanism. Intermediary A gateway, relay, proxy, broker, service on the communication path, or component that terminates transport security for either side. Acceptance decision Returning a peer identity or authorization result to the application as profile-authenticated. For one-shot bindings, replay state is committed before this decision is returned. 3. Scope and Non-Goals This core profile defines verifier behavior before an application treats an accepted TLS peer as the intended platform, service, Agent, task, or authorized actor. It binds accepted TLS and post-handshake attestation facts, authenticated identity and authorization material, and verifier-local expected policy. This document uses "Agent" broadly. The accepted identity can represent a workload, process, service component, or automated actor, depending on the binding profile and local policy. This document does not require a universal Agent namespace or a common semantic definition of agenthood. Okutomi Expires 27 December 2026 [Page 4] Internet-Draft Core Agent Identity June 2026 The core profile does not select an identity provider, define a wire- token format, change attestation evidence or TLS, define holder-side presentation behavior, define discovery or rendezvous, or provide a complete authorization framework. A requirement belongs here only if omitting it could cause acceptance of the wrong live session, wrong service or tenant, wrong Agent, wrong task, stale or replayed state, peer-selected policy, or a security result reused outside its intended request. 4. Core Invariant A verifier MUST NOT return a profile-authenticated Agent identity unless the verified authority grant, holder-of-key proof, accepted TLS or exported-authenticator session, freshness and replay state, any required attestation result, and verifier-local policy all identify the same intended interaction. The intended interaction is determined by verifier-local expected values and trusted policy inputs, not by peer-provided descriptive metadata. Before this acceptance decision succeeds, all peer-provided identity, task, scope, service, tenant, capability, attestation-related, and diagnostic values are observed values only. They do not define the verifier's expected policy. No inference, alias repair, display-name matching, peer-selected exporter label, or reserialized semantic metadata is part of the final acceptance path unless a binding profile and local policy explicitly define it. 5. Design Intent This core profile is intentionally conservative. It does not create an Agent namespace, governance layer, registry, rendezvous service, mandatory intermediary, or application semantic model. Its purpose is to make existing Internet mechanisms compose safely at the verifier's acceptance boundary. Application semantics remain with application protocols and deployment profiles. This keeps the core profile usable across deployments without requiring unnecessary centralization or replacement of existing RFC-defined mechanisms. Okutomi Expires 27 December 2026 [Page 5] Internet-Draft Core Agent Identity June 2026 6. Internet Applicability and Deployment Assumptions This core profile is usable in open Internet and enterprise deployments. Closed-world provisioning and prior bilateral relationships are deployment choices, not protocol requirements. A verifier still requires a local trust path to each issuer, attestation result, trust framework, or other accepted authority; otherwise acceptance fails closed. No globally trusted authority, registry, rendezvous service, gateway, online authority, transparency log, or control plane is required. Intermediaries are not trusted by default; a component that terminates transport security is a separate relying party and sees only the claims and payloads disclosed to it. When an Agent acts for a Principal, deployment profiles SHOULD support audience-scoped disclosure, short-lived grants, selective disclosure or reference tokens, and Principal-selected authorities and disclosure modes where practical. Security-required claims should be distinguished from application-convenience claims. These assumptions preserve cryptographic protection, avoid standardizing wiretapping or pervasive monitoring functions, keep privacy analysis explicit, favor end-user interests, and avoid unnecessary centralization of Internet functions [RFC1984] [RFC2804] [RFC7258] [RFC6973] [RFC8890] [RFC9518]. 7. Conformance This document defines a core verifier acceptance profile for Direct- Agent mode. It is not, by itself, a complete wire-binding profile. A complete deployment of this core profile requires a binding profile that fixes protocol-specific wire representation, canonicalization rules, exporter label, replay rules, diagnostic behavior, and the items in Section 11. The normative requirements in this document apply only to implementations that claim conformance to this core profile or to a binding profile that incorporates it. A claim of conformance to this document MUST identify the binding profile being implemented. An implementation that accepts authority grants or session proofs without such a binding profile is not conforming to this core profile. Okutomi Expires 27 December 2026 [Page 6] Internet-Draft Core Agent Identity June 2026 For Direct-Agent mode, a conforming implementation completes all grant verification, holder-of-key verification, session-binding verification, required attestation checks, freshness checks, replay checks, and local-policy comparisons before returning a profile- authenticated identity or authorization result to the application. A conforming implementation MUST fail closed. It MUST NOT report a profile-authenticated identity from only a verified authority grant, only a session proof, only a TLS endpoint identity, only an attestation result, or only peer-supplied metadata. 8. Acceptance Model The labels D0 through D6 are acceptance dimensions used for policy separation and diagnostics. They are not OSI layers, encapsulation layers, wire-format layers, or trust hierarchy levels. The numbering is only a stable diagnostic order. It does not imply that D6 is above D5 or that every deployment evaluates all dimensions. +===========+==========================+=========================+ | Dimension | Verification target | Main failure class | +===========+==========================+=========================+ | D0 | Live TLS or exported- | MITM or session | | | authenticator session | confusion | +-----------+--------------------------+-------------------------+ | D1 | Attested platform | Fake, malformed, stale, | | | validity, when required | or untrusted evidence | +-----------+--------------------------+-------------------------+ | D2 | Attestation or | Relay, replay, or | | | authenticator-to-session | borrowed evidence | | | binding | | +-----------+--------------------------+-------------------------+ | D3 | Service, tenant, | Wrong service or | | | deployment, or | tenant; context | | | environment | diversion | +-----------+--------------------------+-------------------------+ | D4 | Workload, process, or | Same-host wrong-Agent | | | Agent | confusion | +-----------+--------------------------+-------------------------+ | D5 | Task, thread, context, | Wrong task or | | | or delegation | delegation; context | | | | diversion | +-----------+--------------------------+-------------------------+ | D6 | Authorization or | Confused deputy or | | | capability policy | privilege escalation | +-----------+--------------------------+-------------------------+ Table 1 Okutomi Expires 27 December 2026 [Page 7] Internet-Draft Core Agent Identity June 2026 D0 through D2 are authentication and binding dimensions. D3 through D6 are verifier-local policy dimensions. Peer-provided metadata can be observed input; it is not expected policy. Remote attestation is optional in this core profile. When local policy or a binding profile does not require attestation, D1 and the attestation-specific part of D2 are not evaluated. The remaining session-binding, freshness, replay, grant, and local-policy checks still apply. 9. Threat Model The attacker can observe, replay, reorder, relay, substitute messages, supply malicious peer metadata, and run another Agent on the same host or deployment environment. This core profile assumes correct TLS 1.3, exported-authenticator validation, and evidence appraisal by the underlying mechanisms. It defines what must be bound to those facts before an application accepts the peer as the intended actor. Out of scope are a fully compromised verifier process, a malicious trusted policy authority, compromise of all local secret storage, denial of service, and side channels outside the identity-binding path. The main threats are relay, replay, token substitution, stale key use, same-host wrong-Agent confusion, peer-metadata injection, context diversion, confused deputy behavior, cache confusion, and gateway route confusion. 10. Authority and Key Separation This core profile keeps three key roles separate. Okutomi Expires 27 December 2026 [Page 8] Internet-Draft Core Agent Identity June 2026 +==================+========================================+ | Key role | Purpose | +==================+========================================+ | TLS endpoint key | Proves possession for the accepted TLS | | | or exported-authenticator endpoint. | +------------------+----------------------------------------+ | Agent binding | Signs the session proof. | | key | | +------------------+----------------------------------------+ | Policy-authority | Signs authority grants. | | key | | +------------------+----------------------------------------+ Table 2 These keys can be related by deployment policy, but they are not interchangeable by default. Policy-authority signing keys MUST NOT be accepted as Agent confirmation keys. Agent confirmation keys MUST NOT be accepted as policy-authority signing keys. Endpoint keys are valid for session binding only when the verified grant or local policy explicitly authorizes that use and the endpoint credential or local endpoint-key lifetime remains valid. The protected-header kid is only a key-selection hint. Acceptance also depends on issuer, audience, algorithm allow-list, key type, key use, key status, profile version, token type, time validity, revocation state, and local policy. The none algorithm is forbidden. 11. Binding Profiles and Related RFCs This core profile does not define a new authority-token format, proof-token format, HTTP header, error format, or attestation evidence format. A binding profile fixes the exact wire representation and canonicalization needed to instantiate this core profile over a specific application protocol or deployment profile. A binding profile that uses this document MUST define the following values. Okutomi Expires 27 December 2026 [Page 9] Internet-Draft Core Agent Identity June 2026 +================================+============================+ | Required binding-profile item | Prevents | +================================+============================+ | profile identifier and version | cross-profile confusion | +--------------------------------+----------------------------+ | protocol_id | cross-protocol replay or | | | substitution | +--------------------------------+----------------------------+ | TLS exporter label | peer-selected or colliding | | | channel bindings | +--------------------------------+----------------------------+ | canonical aud form | audience confusion | +--------------------------------+----------------------------+ | exact bytes used for | parse-and-reserialize | | grant_hash | substitution | +--------------------------------+----------------------------+ | session-proof encoding and | algorithm, type, and key- | | protected-header rules | use confusion | +--------------------------------+----------------------------+ | task_context and request- | wrong-task acceptance | | context construction | | +--------------------------------+----------------------------+ | nonce generation, lifetime, | replay and cross-task | | and replay-key construction | reuse | +--------------------------------+----------------------------+ | attestation requirement and | borrowed or replayed | | session-binding rule | evidence | +--------------------------------+----------------------------+ | verifier-local source of D3 | peer-selected policy | | through D6 expected values | | +--------------------------------+----------------------------+ | diagnostic error classes | disclosure of attacker- | | | controlled values | +--------------------------------+----------------------------+ Table 3 OAuth deployments [RFC6749] can use the JWT access-token profile [RFC9068], token revocation and introspection [RFC7009] [RFC7662], mutual-TLS certificate-bound tokens [RFC8705], resource indicators [RFC8707], rich authorization requests [RFC9396], and DPoP [RFC9449] where those models fit. These mechanisms do not by themselves provide this core profile's TLS-exporter, request-context, replay, and attestation-to-session binding. Okutomi Expires 27 December 2026 [Page 10] Internet-Draft Core Agent Identity June 2026 HTTP bindings can use HTTP Message Signatures [RFC9421], Digest Fields [RFC9530], Structured Field Values [RFC9651], and Problem Details [RFC9457] instead of defining new HTTP-specific syntax. Tokenized attestation claims can use EAT [RFC9711] within the RATS model [RFC9334]. These reused RFC mechanisms remain independently specified by their RFCs. This document only specifies the verifier-side acceptance rule that decides when the verified grant, session proof, accepted TLS session, freshness state, any required attestation result, and verifier-local policy are accepted as the same intended interaction. 12. Grant and Authority Material An authority grant authorizes application semantics. It is signed or MACed by a policy authority and identifies the Agent confirmation key, usually through a confirmation-key claim such as cnf.kid for JWT [RFC7800] or the corresponding CWT confirmation method [RFC8747]. This core profile does not define a new authority grant token format. A grant carries the deployment-specific equivalent of profile type, profile version, issuer, subject, audience, grant identifier, issued- at time, expiration time, and confirmation key. When policy requires it, the grant also carries D3 through D6 fields such as service, tenant, deployment, workload, Agent, task, delegation, canonical intent or capability references, scopes, resources, and authorization details. The Agent is not the authority for those values. They are accepted only after grant verification, session binding, freshness checks, replay checks, and local policy comparison. Multi-audience grants are rejected unless local policy explicitly allows the exact audience set and the resulting authority boundary. 13. Session Proof Material A session proof proves that the holder of the confirmation key bound the verified grant to the accepted TLS session, or to an exported authenticator accepted for that session. It contains at least the abstract profile fields below. A binding profile fixes the exact JWT claim names [RFC7519], CWT claim labels, COSE/JWS protected-header requirements, canonical encoding rules, and collision-avoidance rules used on the wire. * profile type and profile version; Okutomi Expires 27 December 2026 [Page 11] Internet-Draft Core Agent Identity June 2026 * audience (aud), proof identifier (jti for JWT-based encodings or cti for CWT/COSE-based encodings), issued-at time (iat), and expiration time (exp); * grant_hash over the exact verified grant bytes; * tls_leaf_spki_sha256; * tls_exporter_sha256; * request_context_sha256; * nonce; and * attestation_binder_sha256 when local policy requires attestation or when accepted attestation-to-session evidence is used. For binding profiles that use compact JWS grants [RFC7515] or COSE_Sign1/COSE_Mac0 grants, this document fixes the grant_hash input to avoid parser-dependent acceptance behavior: grant_hash = SHA-256("sbaip.identity-grant.jwt.v1" || NUL || exact-compact-jws-grant-bytes) grant_hash = SHA-256("sbaip.identity-grant.cwt.v1" || NUL || exact-cose-sign1-or-mac0-grant-bytes) exact-compact-jws-grant-bytes is the exact ASCII byte sequence of the compact JWS as received and successfully verified, including protected header, payload, and signature segments. This document does not define the grant_hash input for JWS JSON Serialization; a binding profile that uses it MUST define the exact hash input. exact-cose-sign1-or-mac0-grant-bytes is the exact byte sequence of the signed or MACed COSE object as received and successfully verified. A verifier MUST NOT compute grant_hash by parsing claims and reserializing JSON, CBOR, or COSE in the acceptance path. Deterministic CBOR/COSE is acceptable only when the binding profile normatively fixes the deterministic encoding rules [RFC8392] [RFC8949] [RFC9052]. Domain-separation strings beginning with sbaip or SBAIP are fixed constants for this profile version. They are not external registry names. The session proof does not authorize service, tenant, task, scope, resource, or capability values. Those values come from the verified grant and local policy. 14. Direct Session Binding Construction This section fixes the Direct-Agent D2 construction. A verifier MUST NOT replace these inputs with peer-selected labels, inferred context, display names, or reserialized semantic metadata. Okutomi Expires 27 December 2026 [Page 12] Internet-Draft Core Agent Identity June 2026 Inputs: * tls_connection: the accepted TLS 1.3 connection; * exporter_label: an application- or deployment-profile-selected TLS exporter label. This document does not define that label; * leaf_spki: DER SubjectPublicKeyInfo of the accepted endpoint public key [RFC5280]; * role, protocol_id, aud, grant_hash, task_context, and verifier_nonce_or_attempt_id from verifier-local state. The exporter label is selected by the application or deployment profile, not by the peer. A verifier MUST NOT accept a peer-selected exporter label. Local experiments can use private-use labels, such as labels beginning with EXPERIMENTAL, as described by [RFC5705]. A generally applicable label can be defined later by another specification and registered according to the TLS Exporter Labels registry procedures updated by [RFC9847]. Because the exporter label and other wire-visible inputs are protocol-specific, two implementations do not interoperate by implementing this core profile alone. Interoperability requires a binding profile that selects a stable exporter label and all other wire-visible inputs. The context bytes are sbaip_context_v1: field(name, value) = u16be(len(name)) || name || u32be(len(value)) || value context = "SBAIP-CONTEXT-v1" || NUL || field("role", role) || field("protocol_id", protocol_id) || field("aud", aud) || field("grant_hash", raw_32_byte_grant_hash) || field("task_context", task_context) || field("verifier_nonce_or_attempt_id", verifier_nonce_or_attempt_id) Field names are ASCII. Lengths are unsigned big-endian integers. The field sequence and field names are fixed. grant_hash is the raw 32-byte digest, not a hex string. task_context is itself length- delimited when it contains multiple values. Construction: Okutomi Expires 27 December 2026 [Page 13] Internet-Draft Core Agent Identity June 2026 EKM = TLS-Exporter(tls_connection, label = exporter_label, context = context, length = 32) attestation_binding_input = "SBAIP-ATTESTATION-BINDING-v1" || NUL || field("leaf_spki", leaf_spki) || field("ekm", EKM) tls_leaf_spki_sha256 = SHA-256(leaf_spki) tls_exporter_sha256 = SHA-256(EKM) request_context_sha256 = SHA-256(context) attestation_binder_sha256 = SHA-256(attestation_binding_input) The session proof carries the SHA-256 values [RFC6234]. A common serialization is lowercase hexadecimal without a sha256: prefix, but the encoding profile fixes the exact representation. tls_leaf_spki_sha256 confirms the endpoint key, but it is not session unique. The primary session binding is the TLS exporter under the accepted profile context, plus the grant hash, audience, nonce, attestation binder when present, and replay state. This construction uses the TLS exporter interface [RFC8446] to provide the channel- binding property described by [RFC5056] in a profile-specific form; it is not the bare tls-exporter channel-binding value defined by [RFC9266]. Accepted attestation evidence or attestation results MUST be appraised against the same attestation_binding_input. A binding profile for a specific attestation evidence format can map this binding input to evidence-specific fields, such as report data or nonce fields. For example, such a profile can derive: report_data = SHA-512(attestation_binding_input) evidence_nonce = SHA-256("SBAIP-EVIDENCE-NONCE-v1" || NUL || EKM) This example does not define an attestation evidence format and does not replace evidence-format-specific appraisal rules. If local policy requires attestation, absence of an accepted attestation result, attestation-to-session evidence, or attestation_binder_sha256 is an authentication failure. A verifier MUST NOT silently downgrade an attestation-required interaction to a channel-binding-only interaction. Okutomi Expires 27 December 2026 [Page 14] Internet-Draft Core Agent Identity June 2026 A verifier compares tls_exporter_sha256 and request_context_sha256 with its own accepted values. Missing or mismatched mandatory fields fail closed. 15. Verification Procedure Acceptance has an authentication phase, a policy phase, and a replay- commit step. Authentication phase: 1. Verify the authority grant under a trusted policy-authority key. 2. Check issuer, audience, profile guard, algorithm, key status, iat, exp, grant ID, and required authorization fields. 3. Verify the session proof under the Agent confirmation key or an explicitly authorized endpoint key. 4. Check that the binding signer is authorized by the verified grant or by local policy. 5. Check endpoint credential or endpoint-key validity under local TLS, PKIX, and key-status policy. 6. Recompute grant_hash over the exact verified grant bytes. 7. Recompute the accepted context and exporter-derived values. 8. Compare aud, endpoint-key hash, TLS exporter hash, request- context hash, attestation binder when required or present, and nonce. 9. Build an internal observed assertion only from verified material. Policy phase: 1. Load verifier-local expected values for required dimensions. 2. Reject missing, ambiguous, non-canonical, or peer-supplied expected values. 3. Compare each observed D3 through D6 value with local expected policy. 4. Enforce D6 set semantics. The effective authorization is the intersection of capabilities authorized by the verified grant, capabilities allowed by verifier-local policy, and capabilities requested for the current task context. A requested capability absent from any of those sets is rejected. Surplus observed capabilities are ignored or rejected according to local policy, but they MUST NOT expand the effective authorization. Replay commit: * before returning the acceptance decision, atomically insert the replay key with an expiry; * if the insert fails because the key already exists, reject; Okutomi Expires 27 December 2026 [Page 15] Internet-Draft Core Agent Identity June 2026 * failed authentication or policy attempts do not consume a one-shot value unless deployment policy deliberately chooses that anti- probing behavior. An implementation MUST NOT expose a profile-authenticated result to the application until it has constructed an internal accepted assertion from verified material and verifier-local policy. Applications consume that accepted assertion. They MUST NOT treat raw peer-provided identity, scope, task, service, tenant, capability, or attestation-related values as accepted identity. Neither an authority grant alone nor a session proof alone is enough. Sender-constraining proves possession and freshness; it does not authorize surplus scopes, resources, capabilities, or authorization details. 16. Minimal Positive Acceptance Case A minimal positive Direct-Agent case has all of the following: * a verified authority grant from a trusted policy authority; * a session proof signed by the authorized confirmation key; * a recomputed TLS exporter hash matching the proof; * a fresh nonce or attempt identifier not previously accepted; * matching audience, grant hash, endpoint-key hash, and request- context hash; and * local policy that accepts the observed D3 through D6 values required for the request. This is a minimum success pattern, not a complete binding profile. 17. Minimal Negative Acceptance Cases The following cases are not exhaustive. They define a minimal rejection-preserving acceptance-case set for binding profiles and implementations. Okutomi Expires 27 December 2026 [Page 16] Internet-Draft Core Agent Identity June 2026 +=========================================+=========================+ | Case | Required | | | result | +=========================================+=========================+ | Valid grant, but TLS exporter hash | Reject | | mismatch | | +-----------------------------------------+-------------------------+ | Valid sender-constrained token, but no | Reject | | profile-defined TLS-exporter binding | | +-----------------------------------------+-------------------------+ | Valid session proof, but grant_hash was | Reject | | computed from reserialized claims | | +-----------------------------------------+-------------------------+ | Valid endpoint identity, but D3 service | Reject | | value is only peer-supplied metadata | | +-----------------------------------------+-------------------------+ | Valid attestation result, but not bound | Reject | | to the accepted TLS session | | +-----------------------------------------+-------------------------+ | Valid grant with surplus capability not | Do not expand | | allowed by local policy | effective | | | authorization | +-----------------------------------------+-------------------------+ | Reused nonce and request context on the | Reject | | same TLS connection for another task | | +-----------------------------------------+-------------------------+ | Profile-authenticated identity | Reject | | requested for TLS 0-RTT data | | +-----------------------------------------+-------------------------+ Table 4 18. Freshness, Replay, Rotation, and Revocation The accepted assertion expiry is the earliest applicable expiry among: grant exp, session proof exp, TLS endpoint credential or endpoint-key lifetime, attestation-result exp, evidence challenge lifetime, attestation collateral or TCB lifetime, replay-cache TTL, local policy maximum TTL Okutomi Expires 27 December 2026 [Page 17] Internet-Draft Core Agent Identity June 2026 A missing required freshness policy value fails closed. Evidence without a trusted timestamp is acceptable only for the current challenge and current authentication attempt. TLS resumption creates a new accepted TLS connection for this core profile. A resumed connection MUST NOT reuse a session proof or replay-cache entry from the original connection. Profile- authenticated identity MUST NOT be returned for TLS 0-RTT data. When multiple tasks share one TLS connection, each accepted task binding MUST include a task-specific task_context and verifier_nonce_or_attempt_id. Reusing the same context and nonce across tasks fails closed. Replay protection is keyed at least over: grant_hash || aud || tls_exporter_sha256 || request_context_sha256 || nonce When available, the key also includes the binding statement ID, task- binding value, evidence nonce, verifier challenge, or attestation- result identifier. Key lookup and key caches MUST be scoped by the equivalent of: profile_version || token_type || issuer || audience || key_use || alg || kty || kid || key_status || public_key_thumbprint kid is never a global key name. Unknown, revoked, retired, stale, wrong-use, or ambiguous keys fail closed. Deployments that need early invalidation must support grant revocation, policy-authority- key revocation, and Agent-binding-key revocation separately. 19. Canonical Policy Values Decision-sensitive semantic values must be canonical before acceptance. Common examples are ontology_id, intent_ref, and capability_ref. Receivers MUST NOT repair peer-provided aliases, display labels, natural language phrases, case variants, URI variants, or model interpretations during the final acceptance path. Alias resolution belongs to the policy authority, trusted registry, or local policy engine before issuance or comparison. An alias is acceptable only when it resolves to exactly one canonical reference under a pinned registry namespace and version. Missing, ambiguous, deprecated, or unsupported registry data fails closed. Okutomi Expires 27 December 2026 [Page 18] Internet-Draft Core Agent Identity June 2026 20. Deployment Topologies 20.1. Direct-Agent Mode In Direct-Agent mode, the Agent terminates TLS and signs the session proof with the confirmation key named by the verified authority grant, or with an endpoint key explicitly authorized by the grant or local policy. 20.2. Gateway-Routed Mode Gateway-routed deployments are separate binding profiles. This section gives requirements for avoiding misinterpretation of gateway authentication as final-Agent authentication; it does not define a complete gateway-routed binding profile. Gateway authentication proves the gateway endpoint, not the final Agent. A verifier MUST NOT accept a final Agent identity through a gateway unless a binding profile defines route assertions, final- Agent holder-of-key requirements when required by policy, freshness, replay protection, and local route policy. A route assertion binds the gateway identity, relying-party audience, route, tenant or authority partition, target Agent, request context, nonce, and expiry. Missing, stale, replayed, wrong-route, wrong- tenant, wrong-task, or wrong-Agent assertions fail closed. A gateway, route service, transparency log, or action log is a deployment choice, not a protocol requirement. Gateway deployments that exchange tokens can use OAuth 2.0 Token Exchange [RFC8693] when applicable. 21. Privacy Considerations Identity-binding data can create correlation. Deployments SHOULD prefer audience-scoped or pairwise identifiers, short lifetimes, selective disclosure, reference tokens, and minimized logs. Full grants, session proofs, key fingerprints, attestation evidence, tenant IDs, task IDs, and capability references should not be logged unless needed for security audit. Intermediaries SHOULD receive only the claims and payloads needed for their role. 22. Caching and Replay-State Reuse Response caching and security-state caching are different. This document does not change HTTP caching semantics. It states that security state from this core profile is not reusable acceptance evidence for a later request or session. Okutomi Expires 27 December 2026 [Page 19] Internet-Draft Core Agent Identity June 2026 Verified grants, session proofs, attestation evidence, authorization decisions, and verification results MUST NOT be cached as acceptance evidence for a later session or request. HTTP responses whose contents depend on such state are expected to use cache controls appropriate to that sensitivity. The default for profile-sensitive HTTP responses is no-store [RFC9111]. Vary is not enough when the decision depends on non-header security state. 23. Diagnostics Diagnostics should preserve the acceptance dimension, field, and error class, but should not echo raw peer values. Implementations should reject invalid UTF-8, CRLF, control characters, and HTML delimiter characters in profile fields unless the field profile explicitly permits and canonicalizes them. 24. Security Considerations The security of this core profile depends on preserving the Core Invariant before returning a profile-authenticated identity to the application. Partial verification is not enough. Implementations need fail-closed parsing for token type, algorithm, key, audience, duplicate claim names, malformed base64url, unsupported nesting, unexpected crit, and typ/cty ambiguity [RFC8725]. A parser that silently accepts duplicate JSON member names or unsupported critical headers is not suitable for this core profile. High-risk hazards fall into three classes: * parsing and key-selection hazards: duplicate claims, unsupported crit, typ/cty ambiguity, malformed base64url, global kid, wrong key use, and parsed or reserialized grant bytes for grant_hash; * binding hazards: peer-selected exporter label, TLS resumption, 0-RTT, HTTP/2 or gRPC request reuse without a fresh task binding, distributed replay-cache races, and borrowed attestation; and * policy hazards: peer metadata as expected policy, alias repair, surplus capability expansion, endpoint authentication treated as Agent authorization, and gateway route confusion. Gateway mode, when used, authenticates the gateway endpoint and the gateway-to-Agent route separately. A gateway, relay, registry, or transparency service is a deployment component, not a trust root unless local policy says so. Okutomi Expires 27 December 2026 [Page 20] Internet-Draft Core Agent Identity June 2026 Deployment profiles should evaluate what is exposed to intermediaries, whether mandatory gatekeeping or monitoring is introduced, and whether Principals can choose trusted authorities and disclosed claims. 25. IANA Considerations This document makes no IANA requests. This core profile does not define a new TLS exporter label. Binding profiles using it are expected to define or select an appropriate application-specific exporter label. Any future generally applicable label is expected to follow the registration procedures for the "TLS Exporter Labels" registry, as updated by [RFC9847]. 26. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC9261] Sullivan, N., "Exported Authenticators in TLS", RFC 9261, DOI 10.17487/RFC9261, July 2022, . Okutomi Expires 27 December 2026 [Page 21] Internet-Draft Core Agent Identity June 2026 [RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", RFC 9334, DOI 10.17487/RFC9334, January 2023, . [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, . [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . [RFC8725] Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10.17487/RFC8725, February 2020, . [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- Possession Key Semantics for JSON Web Tokens (JWTs)", RFC 7800, DOI 10.17487/RFC7800, April 2016, . [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, May 2018, . [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. Tschofenig, "Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March 2020, . [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . 27. Informative References [RFC1984] IAB and IESG, "IAB and IESG Statement on Cryptographic Technology and the Internet", BCP 200, RFC 1984, DOI 10.17487/RFC1984, August 1996, . Okutomi Expires 27 December 2026 [Page 22] Internet-Draft Core Agent Identity June 2026 [RFC2804] IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, DOI 10.17487/RFC2804, May 2000, . [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, . [RFC5705] Rescorla, E., "Keying Material Exporters for Transport Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, March 2010, . [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, . [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, . [RFC7009] Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "OAuth 2.0 Token Revocation", RFC 7009, DOI 10.17487/RFC7009, August 2013, . [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, . [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", RFC 7662, DOI 10.17487/RFC7662, October 2015, . [RFC8693] Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, January 2020, . [RFC8705] Campbell, B., Bradley, J., Sakimura, N., and T. Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens", RFC 8705, DOI 10.17487/RFC8705, February 2020, . [RFC8707] Campbell, B., Bradley, J., and H. Tschofenig, "Resource Indicators for OAuth 2.0", RFC 8707, DOI 10.17487/RFC8707, February 2020, . Okutomi Expires 27 December 2026 [Page 23] Internet-Draft Core Agent Identity June 2026 [RFC8890] Nottingham, M., "The Internet is for End Users", RFC 8890, DOI 10.17487/RFC8890, August 2020, . [RFC9068] Bertocci, V., "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens", RFC 9068, DOI 10.17487/RFC9068, October 2021, . [RFC9111] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Caching", STD 98, RFC 9111, DOI 10.17487/RFC9111, June 2022, . [RFC9266] Whited, S., "Channel Bindings for TLS 1.3", RFC 9266, DOI 10.17487/RFC9266, July 2022, . [RFC9396] Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, May 2023, . [RFC9421] Backman, A., Ed., Richer, J., Ed., and M. Sporny, "HTTP Message Signatures", RFC 9421, DOI 10.17487/RFC9421, February 2024, . [RFC9449] Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, September 2023, . [RFC9457] Nottingham, M., Wilde, E., and S. Dalal, "Problem Details for HTTP APIs", RFC 9457, DOI 10.17487/RFC9457, July 2023, . [RFC9518] Nottingham, M., "Centralization, Decentralization, and Internet Standards", RFC 9518, DOI 10.17487/RFC9518, December 2023, . [RFC9530] Polli, R. and L. Pardue, "Digest Fields", RFC 9530, DOI 10.17487/RFC9530, February 2024, . [RFC9651] Nottingham, M. and P. Kamp, "Structured Field Values for HTTP", RFC 9651, DOI 10.17487/RFC9651, September 2024, . Okutomi Expires 27 December 2026 [Page 24] Internet-Draft Core Agent Identity June 2026 [RFC9711] Lundblade, L., Mandyam, G., O'Donoghue, J., and C. Wallace, "The Entity Attestation Token (EAT)", RFC 9711, DOI 10.17487/RFC9711, April 2025, . [RFC9847] Salowey, J. and S. Turner, "IANA Registry Updates for TLS and DTLS", RFC 9847, DOI 10.17487/RFC9847, December 2025, . Author's Address Akira Okutomi Individual Email: okutomi+ietf@pm.me Okutomi Expires 27 December 2026 [Page 25]