@techreport{liu-wimse-wit-attestation-00,
    number =    {draft-liu-wimse-wit-attestation-00},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-liu-wimse-wit-attestation/00/},
    author =    {Dapeng Liu and Judy Zhu and Jian Jin},
    title =     {{Carrying Remote Attestation Evidence in Workload Identity Tokens (WIT)}},
    pagetotal = 17,
    year =      2026,
    month =     mar,
    day =       25,
    abstract =  {This document specifies how Remote Attestation evidence, as defined by the IETF RATS architecture, can be conveyed within a Workload Identity Token (WIT) as used in the WIMSE (Workload Identity for Micro-Services Environments) framework. The WIT includes attestation measurements that enable fast-path policy evaluation without requiring immediate access to full evidence. The WIT is bound to the HTTP request using OAuth 2.0 Demonstrating Proof-of-Possession (DPoP), ensuring that attestation claims are protected against replay and token theft. This specification defines a two-tier verification model: lightweight verification using embedded measurements for common scenarios, and deep verification using externalized evidence for high-assurance requirements. This enables secure, cross-domain verification of workload integrity without requiring direct access to platform- specific reference values, while enabling efficient deployments.},
}