<?xml version="1.0" encoding="UTF-8"?>
<reference anchor="I-D.winmagic-wimse-condition-bounded-credentials" target="https://datatracker.ietf.org/doc/html/draft-winmagic-wimse-condition-bounded-credentials-00">
   <front>
      <title>Condition-Bounded Credentials for Workload and Agent Identity: Non-Exfiltratable Keys and Validity by Presence</title>
      <author initials="T." surname="Huu" fullname="Thi Nguyen Huu">
         <organization>WinMagic</organization>
      </author>
      <author initials="S." surname="Nikitin" fullname="Sergei Nikitin">
         <organization>WinMagic</organization>
      </author>
      <author initials="J." surname="O&#x27;Leary" fullname="John O&#x27;Leary">
         <organization>WinMagic</organization>
      </author>
      <date month="July" day="3" year="2026" />
      <abstract>
	 <t>   The WIMSE architecture binds a workload credential to a cryptographic
   key presented with proof of possession, and leaves credential
   lifetime and rotation to the implementation.  In common practice the
   binding key is held in software and rotated frequently, because a
   software key can be copied: rotation is a compensating control for a
   key that can be exfiltrated.

   This document defines a profile in which the binding key is
   hardware-rooted and non-exfiltratable, and in which credential validity is
   gated by attested conditions -- the workload and its required posture
   being measured and present -- rather than by a fixed expiry.  Two
   consequences follow.  Frequent rotation is no longer required to
   bound exfiltration, because the key cannot leave the hardware
   boundary.  And a grant cannot outlive the workload, even with no
   expiry date, because the key, and with it the ability to prove
   possession, is gone once the workload or its conditions cease to
   hold.  Condition failure is therefore enforced by the key&#x27;s absence
   rather than by a revocation message, and the credential can be
   appraised without a live connection to its issuing authority.

   The profile is specified against a verifier contract -- authority,
   live-instance, condition, freshness, and fail-closed checks -- that
   other credential profiles can share, so these properties are made
   explicit and reviewable without standardizing a single credential
   format or hardware recipe.  It is offered as one conforming way to
   instantiate WIMSE credentials, suited to stable, attestable
   platforms, and is explicitly not proposed for high-churn,
   hardware-less workloads.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-winmagic-wimse-condition-bounded-credentials-00" />
   
</reference>
