A Core Acceptance Profile for Session-Bound Agent Identity

Introduction Automated agents often combine transport authentication, signed authorization material, platform attestation, and local policy. Each component can verify successfully while the composition still authenticates the wrong session, task, platform, or Agent. This document defines a deterministic verifier-side acceptance gate. The verifier accepts a peer only when the authenticated identity, session binding, freshness and replay state, any required attestation state, and verifier-local policy describe the same intended interaction. This core profile does not change TLS , exported authenticators , remote attestation roles , JWT/JWS, CWT/COSE, OAuth, or HTTP. Existing sender-constraining mechanisms can prove possession of a key, and attestation mechanisms can appraise evidence, but they do not by themselves define the verifier-side rule that the authority grant, live TLS session, request context, replay state, attestation result, and local policy all refer to the same intended interaction.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Core profile: The verifier-side acceptance rules defined by this document. The core profile is not a complete wire-binding profile by itself.
Binding profile: A specification that instantiates the core profile for a protocol or deployment by fixing wire representation, canonicalization, exporter label, replay rules, diagnostic behavior, and other protocol-specific inputs.
Deployment profile: Deployment policy that selects trusted issuers, local expected values, attestation requirements, disclosure policy, and operational limits.
Agent: The workload, process, service component, or automated actor whose identity is being accepted by the verifier.
Principal: A person or organization on whose behalf an Agent acts.
Verifier: The party that authenticates the grant, checks the session binding, evaluates freshness and replay state, and compares the result with local policy before returning an accepted identity to the application.
Policy authority: A locally trusted issuer of authority statements.
Authority grant: A signed or MACed authority statement issued by a policy authority. It authorizes upper-layer identity, task, and authorization values. It does not prove that the authorized Agent is present on the current TLS session.
Session proof: A holder-of-key proof that binds one verified authority grant to one accepted TLS or exported-authenticator session. It proves possession and session binding. It does not authorize service, tenant, task, scope, resource, or capability values.
Expected value: A verifier-local policy input.
Observed value: A value extracted from authenticated grants, session-bound statements, attestation results, trusted manifests, or locally derived request state. An observed value does not become an expected value without a trusted local policy decision.
Wrong-context acceptance: Accepting cryptographically valid material for a different service, tenant, Agent, task, delegation, or authority boundary than the verifier intended. Context diversion is a failure description, not a wire mechanism.
Intermediary: A gateway, relay, proxy, broker, service on the communication path, or component that terminates transport security for either side.
Acceptance decision: Returning a peer identity or authorization result to the application as profile-authenticated. For one-shot bindings, replay state is committed before this decision is returned.

Scope and Non-Goals This core profile defines verifier behavior before an application treats an accepted TLS peer as the intended platform, service, Agent, task, or authorized actor. It binds accepted TLS and post-handshake attestation facts, authenticated identity and authorization material, and verifier-local expected policy. This document uses "Agent" broadly. The accepted identity can represent a workload, process, service component, or automated actor, depending on the binding profile and local policy. This document does not require a universal Agent namespace or a common semantic definition of agenthood. The core profile does not select an identity provider, define a wire-token format, change attestation evidence or TLS, define holder-side presentation behavior, define discovery or rendezvous, or provide a complete authorization framework. A requirement belongs here only if omitting it could cause acceptance of the wrong live session, wrong service or tenant, wrong Agent, wrong task, stale or replayed state, peer-selected policy, or a security result reused outside its intended request.

Core Invariant A verifier MUST NOT return a profile-authenticated Agent identity unless the verified authority grant, holder-of-key proof, accepted TLS or exported-authenticator session, freshness and replay state, any required attestation result, and verifier-local policy all identify the same intended interaction. The intended interaction is determined by verifier-local expected values and trusted policy inputs, not by peer-provided descriptive metadata. Before this acceptance decision succeeds, all peer-provided identity, task, scope, service, tenant, capability, attestation-related, and diagnostic values are observed values only. They do not define the verifier's expected policy. No inference, alias repair, display-name matching, peer-selected exporter label, or reserialized semantic metadata is part of the final acceptance path unless a binding profile and local policy explicitly define it.

Internet Applicability and Deployment Assumptions This core profile is usable in open Internet and enterprise deployments. Closed-world provisioning and prior bilateral relationships are deployment choices, not protocol requirements. A verifier still requires a local trust path to each issuer, attestation result, trust framework, or other accepted authority; otherwise acceptance fails closed. No globally trusted authority, registry, rendezvous service, gateway, online authority, transparency log, or control plane is required. Intermediaries are not trusted by default; a component that terminates transport security is a separate relying party and sees only the claims and payloads disclosed to it. When an Agent acts for a Principal, deployment profiles SHOULD support audience-scoped disclosure, short-lived grants, selective disclosure or reference tokens, and Principal-selected authorities and disclosure modes where practical. Security-required claims should be distinguished from application-convenience claims. These assumptions preserve cryptographic protection, avoid standardizing wiretapping or pervasive monitoring functions, keep privacy analysis explicit, favor end-user interests, and avoid unnecessary centralization of Internet functions .

Conformance This document defines a core verifier acceptance profile for Direct-Agent mode. It is not, by itself, a complete wire-binding profile. A complete deployment of this core profile requires a binding profile that fixes protocol-specific wire representation, canonicalization rules, exporter label, replay rules, diagnostic behavior, and the items in . The normative requirements in this document apply only to implementations that claim conformance to this core profile or to a binding profile that incorporates it. A claim of conformance to this document MUST identify the binding profile being implemented. An implementation that accepts authority grants or session proofs without such a binding profile is not conforming to this core profile. For Direct-Agent mode, a conforming implementation completes all grant verification, holder-of-key verification, session-binding verification, required attestation checks, freshness checks, replay checks, and local-policy comparisons before returning a profile-authenticated identity or authorization result to the application. A conforming implementation MUST fail closed. It MUST NOT report a profile-authenticated identity from only a verified authority grant, only a session proof, only a TLS endpoint identity, only an attestation result, or only peer-supplied metadata.

Acceptance Model The labels D0 through D6 are acceptance dimensions used for policy separation and diagnostics. They are not OSI layers, encapsulation layers, wire-format layers, or trust hierarchy levels. The numbering is only a stable diagnostic order. It does not imply that D6 is above D5 or that every deployment evaluates all dimensions.

Dimension	Verification target	Main failure class
D0	Live TLS or exported-authenticator session	MITM or session confusion
D1	Attested platform validity, when required	Fake, malformed, stale, or untrusted evidence
D2	Attestation or authenticator-to-session binding	Relay, replay, or borrowed evidence
D3	Service, tenant, deployment, or environment	Wrong service or tenant; context diversion
D4	Workload, process, or Agent	Same-host wrong-Agent confusion
D5	Task, thread, context, or delegation	Wrong task or delegation; context diversion
D6	Authorization or capability policy	Confused deputy or privilege escalation

D0 through D2 are authentication and binding dimensions. D3 through D6 are verifier-local policy dimensions. Peer-provided metadata can be observed input; it is not expected policy. Remote attestation is optional in this core profile. When local policy or a binding profile does not require attestation, D1 and the attestation-specific part of D2 are not evaluated. The remaining session-binding, freshness, replay, grant, and local-policy checks still apply.

Threat Model The attacker can observe, replay, reorder, relay, substitute messages, supply malicious peer metadata, and run another Agent on the same host or deployment environment. This core profile assumes correct TLS 1.3, exported-authenticator validation, and evidence appraisal by the underlying mechanisms. It defines what must be bound to those facts before an application accepts the peer as the intended actor. Out of scope are a fully compromised verifier process, a malicious trusted policy authority, compromise of all local secret storage, denial of service, and side channels outside the identity-binding path. The main threats are relay, replay, token substitution, stale key use, same-host wrong-Agent confusion, peer-metadata injection, context diversion, confused deputy behavior, cache confusion, and gateway route confusion.

Authority and Key Separation This core profile keeps three key roles separate.

Key role	Purpose
TLS endpoint key	Proves possession for the accepted TLS or exported-authenticator endpoint.
Agent binding key	Signs the session proof.
Policy-authority key	Signs authority grants.

These keys can be related by deployment policy, but they are not interchangeable by default. Policy-authority signing keys MUST NOT be accepted as Agent confirmation keys. Agent confirmation keys MUST NOT be accepted as policy-authority signing keys. Endpoint keys are valid for session binding only when the verified grant or local policy explicitly authorizes that use and the endpoint credential or local endpoint-key lifetime remains valid. The protected-header kid is only a key-selection hint. Acceptance also depends on issuer, audience, algorithm allow-list, key type, key use, key status, profile version, token type, time validity, revocation state, and local policy. The none algorithm is forbidden.

Binding Profiles and Related RFCs This core profile does not define a new authority-token format, proof-token format, HTTP header, error format, or attestation evidence format. A binding profile fixes the exact wire representation and canonicalization needed to instantiate this core profile over a specific application protocol or deployment profile. A binding profile that uses this document MUST define the following values.

Required binding-profile item	Prevents
profile identifier and version	cross-profile confusion
`protocol_id`	cross-protocol replay or substitution
TLS exporter label	peer-selected or colliding channel bindings
canonical `aud` form	audience confusion
exact bytes used for `grant_hash`	parse-and-reserialize substitution
session-proof encoding and protected-header rules	algorithm, type, and key-use confusion
`task_context` and request-context construction	wrong-task acceptance
nonce generation, lifetime, and replay-key construction	replay and cross-task reuse
attestation requirement and session-binding rule	borrowed or replayed evidence
verifier-local source of D3 through D6 expected values	peer-selected policy
diagnostic error classes	disclosure of attacker-controlled values

OAuth deployments can use the JWT access-token profile , token revocation and introspection , mutual-TLS certificate-bound tokens , resource indicators , rich authorization requests , and DPoP where those models fit. These mechanisms do not by themselves provide this core profile's TLS-exporter, request-context, replay, and attestation-to-session binding. HTTP bindings can use HTTP Message Signatures , Digest Fields , Structured Field Values , and Problem Details instead of defining new HTTP-specific syntax. Tokenized attestation claims can use EAT within the RATS model . These reused RFC mechanisms remain independently specified by their RFCs. This document only specifies the verifier-side acceptance rule that decides when the verified grant, session proof, accepted TLS session, freshness state, any required attestation result, and verifier-local policy are accepted as the same intended interaction.

Grant and Authority Material An authority grant authorizes application semantics. It is signed or MACed by a policy authority and identifies the Agent confirmation key, usually through a confirmation-key claim such as cnf.kid for JWT or the corresponding CWT confirmation method . This core profile does not define a new authority grant token format. A grant carries the deployment-specific equivalent of profile type, profile version, issuer, subject, audience, grant identifier, issued-at time, expiration time, and confirmation key. When policy requires it, the grant also carries D3 through D6 fields such as service, tenant, deployment, workload, Agent, task, delegation, canonical intent or capability references, scopes, resources, and authorization details. The Agent is not the authority for those values. They are accepted only after grant verification, session binding, freshness checks, replay checks, and local policy comparison. Multi-audience grants are rejected unless local policy explicitly allows the exact audience set and the resulting authority boundary.

Session Proof Material A session proof proves that the holder of the confirmation key bound the verified grant to the accepted TLS session, or to an exported authenticator accepted for that session. It contains at least the abstract profile fields below. A binding profile fixes the exact JWT claim names , CWT claim labels, COSE/JWS protected-header requirements, canonical encoding rules, and collision-avoidance rules used on the wire.

profile type and profile version;
audience (aud), proof identifier (jti for JWT-based encodings or cti for CWT/COSE-based encodings), issued-at time (iat), and expiration time (exp);
grant_hash over the exact verified grant bytes;
tls_leaf_spki_sha256;
tls_exporter_sha256;
request_context_sha256;
nonce; and
attestation_binder_sha256 when local policy requires attestation or when accepted attestation-to-session evidence is used.

For binding profiles that use compact JWS grants or COSE_Sign1/COSE_Mac0 grants, this document fixes the grant_hash input to avoid parser-dependent acceptance behavior: exact-compact-jws-grant-bytes is the exact ASCII byte sequence of the compact JWS as received and successfully verified, including protected header, payload, and signature segments. This document does not define the grant_hash input for JWS JSON Serialization; a binding profile that uses it MUST define the exact hash input. exact-cose-sign1-or-mac0-grant-bytes is the exact byte sequence of the signed or MACed COSE object as received and successfully verified. A verifier MUST NOT compute grant_hash by parsing claims and reserializing JSON, CBOR, or COSE in the acceptance path. Deterministic CBOR/COSE is acceptable only when the binding profile normatively fixes the deterministic encoding rules . Domain-separation strings beginning with sbaip or SBAIP are fixed constants for this profile version. They are not external registry names. The session proof does not authorize service, tenant, task, scope, resource, or capability values. Those values come from the verified grant and local policy.

Direct Session Binding Construction This section fixes the Direct-Agent D2 construction. A verifier MUST NOT replace these inputs with peer-selected labels, inferred context, display names, or reserialized semantic metadata. Inputs:

tls_connection: the accepted TLS 1.3 connection;
exporter_label: an application- or deployment-profile-selected TLS exporter label. This document does not define that label;
leaf_spki: DER SubjectPublicKeyInfo of the accepted endpoint public key ;
role, protocol_id, aud, grant_hash, task_context, and verifier_nonce_or_attempt_id from verifier-local state.

The exporter label is selected by the application or deployment profile, not by the peer. A verifier MUST NOT accept a peer-selected exporter label. Local experiments can use private-use labels, such as labels beginning with EXPERIMENTAL, as described by . A generally applicable label can be defined later by another specification and registered according to the TLS Exporter Labels registry procedures updated by . Because the exporter label and other wire-visible inputs are protocol-specific, two implementations do not interoperate by implementing this core profile alone. Interoperability requires a binding profile that selects a stable exporter label and all other wire-visible inputs. The context bytes are sbaip_context_v1: Field names are ASCII. Lengths are unsigned big-endian integers. The field sequence and field names are fixed. grant_hash is the raw 32-byte digest, not a hex string. task_context is itself length-delimited when it contains multiple values. Construction: The session proof carries the SHA-256 values . A common serialization is lowercase hexadecimal without a sha256: prefix, but the encoding profile fixes the exact representation. tls_leaf_spki_sha256 confirms the endpoint key, but it is not session unique. The primary session binding is the TLS exporter under the accepted profile context, plus the grant hash, audience, nonce, attestation binder when present, and replay state. This construction uses the TLS exporter interface to provide the channel-binding property described by in a profile-specific form; it is not the bare tls-exporter channel-binding value defined by . Accepted attestation evidence or attestation results MUST be appraised against the same attestation_binding_input. A binding profile for a specific attestation evidence format can map this binding input to evidence-specific fields, such as report data or nonce fields. For example, such a profile can derive: This example does not define an attestation evidence format and does not replace evidence-format-specific appraisal rules. If local policy requires attestation, absence of an accepted attestation result, attestation-to-session evidence, or attestation_binder_sha256 is an authentication failure. A verifier MUST NOT silently downgrade an attestation-required interaction to a channel-binding-only interaction. A verifier compares tls_exporter_sha256 and request_context_sha256 with its own accepted values. Missing or mismatched mandatory fields fail closed.

Verification Procedure Acceptance has an authentication phase, a policy phase, and a replay-commit step. Authentication phase:

Verify the authority grant under a trusted policy-authority key.
Check issuer, audience, profile guard, algorithm, key status, iat, exp, grant ID, and required authorization fields.
Verify the session proof under the Agent confirmation key or an explicitly authorized endpoint key.
Check that the binding signer is authorized by the verified grant or by local policy.
Check endpoint credential or endpoint-key validity under local TLS, PKIX, and key-status policy.
Recompute grant_hash over the exact verified grant bytes.
Recompute the accepted context and exporter-derived values.
Compare aud, endpoint-key hash, TLS exporter hash, request-context hash, attestation binder when required or present, and nonce.
Build an internal observed assertion only from verified material.

Policy phase:

Load verifier-local expected values for required dimensions.
Reject missing, ambiguous, non-canonical, or peer-supplied expected values.
Compare each observed D3 through D6 value with local expected policy.
Enforce D6 set semantics. The effective authorization is the intersection of capabilities authorized by the verified grant, capabilities allowed by verifier-local policy, and capabilities requested for the current task context. A requested capability absent from any of those sets is rejected. Surplus observed capabilities are ignored or rejected according to local policy, but they MUST NOT expand the effective authorization.

Replay commit:

before returning the acceptance decision, atomically insert the replay key with an expiry;
if the insert fails because the key already exists, reject;
failed authentication or policy attempts do not consume a one-shot value unless deployment policy deliberately chooses that anti-probing behavior.

An implementation MUST NOT expose a profile-authenticated result to the application until it has constructed an internal accepted assertion from verified material and verifier-local policy. Applications consume that accepted assertion. They MUST NOT treat raw peer-provided identity, scope, task, service, tenant, capability, or attestation-related values as accepted identity. Neither an authority grant alone nor a session proof alone is enough. Sender-constraining proves possession and freshness; it does not authorize surplus scopes, resources, capabilities, or authorization details.

Minimal Negative Acceptance Cases The following cases are not exhaustive. They define a minimal rejection-preserving acceptance-case set for binding profiles and implementations.

Case	Required result
Valid grant, but TLS exporter hash mismatch	Reject
Valid sender-constrained token, but no profile-defined TLS-exporter binding	Reject
Valid session proof, but `grant_hash` was computed from reserialized claims	Reject
Valid endpoint identity, but D3 service value is only peer-supplied metadata	Reject
Valid attestation result, but not bound to the accepted TLS session	Reject
Valid grant with surplus capability not allowed by local policy	Do not expand effective authorization
Reused nonce and request context on the same TLS connection for another task	Reject
Profile-authenticated identity requested for TLS 0-RTT data	Reject

Freshness, Replay, Rotation, and Revocation The accepted assertion expiry is the earliest applicable expiry among: A missing required freshness policy value fails closed. Evidence without a trusted timestamp is acceptable only for the current challenge and current authentication attempt. TLS resumption creates a new accepted TLS connection for this core profile. A resumed connection MUST NOT reuse a session proof or replay-cache entry from the original connection. Profile-authenticated identity MUST NOT be returned for TLS 0-RTT data. When multiple tasks share one TLS connection, each accepted task binding MUST include a task-specific task_context and verifier_nonce_or_attempt_id. Reusing the same context and nonce across tasks fails closed. Replay protection is keyed at least over: When available, the key also includes the binding statement ID, task-binding value, evidence nonce, verifier challenge, or attestation-result identifier. Key lookup and key caches MUST be scoped by the equivalent of: kid is never a global key name. Unknown, revoked, retired, stale, wrong-use, or ambiguous keys fail closed. Deployments that need early invalidation must support grant revocation, policy-authority-key revocation, and Agent-binding-key revocation separately.

Canonical Policy Values Decision-sensitive semantic values must be canonical before acceptance. Common examples are ontology_id, intent_ref, and capability_ref. Receivers MUST NOT repair peer-provided aliases, display labels, natural language phrases, case variants, URI variants, or model interpretations during the final acceptance path. Alias resolution belongs to the policy authority, trusted registry, or local policy engine before issuance or comparison. An alias is acceptable only when it resolves to exactly one canonical reference under a pinned registry namespace and version. Missing, ambiguous, deprecated, or unsupported registry data fails closed.

Deployment Topologies

Direct-Agent Mode In Direct-Agent mode, the Agent terminates TLS and signs the session proof with the confirmation key named by the verified authority grant, or with an endpoint key explicitly authorized by the grant or local policy.

Gateway-Routed Mode Gateway-routed deployments are separate binding profiles. This section gives requirements for avoiding misinterpretation of gateway authentication as final-Agent authentication; it does not define a complete gateway-routed binding profile. Gateway authentication proves the gateway endpoint, not the final Agent. A verifier MUST NOT accept a final Agent identity through a gateway unless a binding profile defines route assertions, final-Agent holder-of-key requirements when required by policy, freshness, replay protection, and local route policy. A route assertion binds the gateway identity, relying-party audience, route, tenant or authority partition, target Agent, request context, nonce, and expiry. Missing, stale, replayed, wrong-route, wrong-tenant, wrong-task, or wrong-Agent assertions fail closed. A gateway, route service, transparency log, or action log is a deployment choice, not a protocol requirement. Gateway deployments that exchange tokens can use OAuth 2.0 Token Exchange when applicable.

Caching and Replay-State Reuse Response caching and security-state caching are different. This document does not change HTTP caching semantics. It states that security state from this core profile is not reusable acceptance evidence for a later request or session. Verified grants, session proofs, attestation evidence, authorization decisions, and verification results MUST NOT be cached as acceptance evidence for a later session or request. HTTP responses whose contents depend on such state are expected to use cache controls appropriate to that sensitivity. The default for profile-sensitive HTTP responses is no-store . Vary is not enough when the decision depends on non-header security state.

Security Considerations The security of this core profile depends on preserving the Core Invariant before returning a profile-authenticated identity to the application. Partial verification is not enough. Implementations need fail-closed parsing for token type, algorithm, key, audience, duplicate claim names, malformed base64url, unsupported nesting, unexpected crit, and typ/cty ambiguity . A parser that silently accepts duplicate JSON member names or unsupported critical headers is not suitable for this core profile. High-risk hazards fall into three classes:

parsing and key-selection hazards: duplicate claims, unsupported crit, typ/cty ambiguity, malformed base64url, global kid, wrong key use, and parsed or reserialized grant bytes for grant_hash;
binding hazards: peer-selected exporter label, TLS resumption, 0-RTT, HTTP/2 or gRPC request reuse without a fresh task binding, distributed replay-cache races, and borrowed attestation; and
policy hazards: peer metadata as expected policy, alias repair, surplus capability expansion, endpoint authentication treated as Agent authorization, and gateway route confusion.

Gateway mode, when used, authenticates the gateway endpoint and the gateway-to-Agent route separately. A gateway, relay, registry, or transparency service is a deployment component, not a trust root unless local policy says so. Deployment profiles should evaluate what is exposed to intermediaries, whether mandatory gatekeeping or monitoring is introduced, and whether Principals can choose trusted authorities and disclosed claims.