Bilateral Attestation of Cross-Organization Agent Actions
draft-mih-agent-bilateral-attestation-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Steven Mih | ||
| Last updated | 2026-07-06 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-mih-agent-bilateral-attestation-00
Network Working Group S. Mih
Internet-Draft Action State Group, Inc.
Intended status: Informational 6 July 2026
Expires: 7 January 2027
Bilateral Attestation of Cross-Organization Agent Actions
draft-mih-agent-bilateral-attestation-00
Abstract
When an agent operated by one organization requests a consequential
action from an agent operated by another, today's record of that
exchange — if one exists — is kept by one side, editable by that
side, and deniable by the other. Disputes reduce to my-log-versus-
your-log. This document describes a bilateral attestation exchange
for such actions: the requesting organization signs a request
attestation binding it to the action and its material terms; the
performing organization evaluates the request against deterministic
constraints at the boundary where the action takes effect and signs
an action attestation recording the constraint results and the
disposition — performed, declined, or escalated to a human — by
reference to the request; and each party acknowledges the other's
attestation. The combined record binds each organization to its
part, gives each proof of the other's, and can be anchored to a
transparency service so that a third party who trusts neither
organization can verify its integrity, timing, and both parties'
signatures. The exchange records refusals with the same fidelity as
performance, and degrades gracefully when a counterparty cannot
attest, marking the record's reduced assurance rather than blocking
the transaction.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 January 2027.
Mih Expires 7 January 2027 [Page 1]
Internet-Draft Bilateral Agent Attestation July 2026
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Motivating Scenarios . . . . . . . . . . . . . . . . . . . . 3
3. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
4. The Bilateral Exchange . . . . . . . . . . . . . . . . . . . 5
5. Refusal Across the Boundary . . . . . . . . . . . . . . . . . 6
6. Graceful Degradation . . . . . . . . . . . . . . . . . . . . 6
7. Relationship to Existing Work . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
11.1. Normative References . . . . . . . . . . . . . . . . . . 9
11.2. Informative References . . . . . . . . . . . . . . . . . 9
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
Agents increasingly transact with agents of other organizations with
no human present at the moment of delegation. The transports are
standardized — RPC conventions, tool-call protocols, message queues —
but transports answer _how_ agents communicate, not _who is
accountable_ for what was requested and what was done. Each side
keeps its own log, written by an interested party, alterable by that
party, and carrying no assent from the other. When the payment posts
twice, when the deletion was out of scope, when the delivery never
happened, the evidence is two self-interested logs that need not
agree.
Classical signed B2B messaging — AS2/EDIINT signed MDNs, AS4/ebMS3
signed receipts with non-repudiation-of-receipt — binds parties to
_transmissions_: it attests that a message was sent and received, not
Mih Expires 7 January 2027 [Page 2]
Internet-Draft Bilateral Agent Attestation July 2026
what an agent then _did_ about it. Such schemes do not gate
execution on verifying the requester's organizational identity at the
boundary where the action takes effect, do not bind constraint
evaluation into the performer's record, and do not record a
disposition distinguishing an executed action from a refusal from a
human escalation at the moment of action. The distinction this
document draws is action-level, not transport-level.
This document describes an exchange producing a *bilaterally attested
action record*: each organization's signature over its part of the
exchange is durable, independently verifiable evidence that it
produced that part, each holds proof of the other's, and the combined
record can be anchored so third parties can verify it. It is an
individual submission. It composes with the existing agent action
record layer [I-D.mih-scitt-agent-action-capsule] rather than
defining a new one, and its records are designed to be consumable by
the layers above the record, such as accountability composition
[I-D.mih-sato-agent-accountability-composition].
2. Motivating Scenarios
*Cross-organization procurement.* Org A's purchasing agent requests a
fulfillment action from org B's agent. A's request attestation binds
A to the order's material terms; B's action attestation binds B to
what it did about them. A later assertion of different terms by
either party can be checked against a record both parties signed,
rather than argued over two private ones.
*Agent-to-agent service delegation.* An orchestrating agent
subcontracts a task across a trust boundary. Each hop produces its
own bilateral record, so a failure in a multi-hop chain is
attributable to the hop where it occurred rather than to the chain as
a whole. Chain-linking semantics that make the full responsibility
path independently reconstructable are left to a future revision.
*Refusal at the boundary.* B's agent declines A's request as out of
policy. B's action attestation records the decline and its
constraint basis; A's acknowledgment is verifiable evidence
contradicting a later claim by A that the request was never answered.
The refusal becomes durable, third-party-verifiable evidence — for B,
that its gate worked; for A, that the request was made and declined
(see Section 5).
*Feeding shared history.* Every completed handshake yields a
counterparty-attested record — the highest-assurance evidence class
for any layer that computes over action history. Two organizations
that transact build verifiable shared history as a side effect of
transacting.
Mih Expires 7 January 2027 [Page 3]
Internet-Draft Bilateral Agent Attestation July 2026
3. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Requesting party: The organization (via its agent) requesting a
consequential action across an organizational boundary.
Performing party: The organization (via its agent) that evaluates
and disposes of the requested action.
Request attestation: A signed statement by the requesting party
describing the requested action and its material terms, bound to
the requesting party's verifiable organizational identity and
naming the intended performing party; including at minimum a
content digest of the request, a nonce, a timestamp, and a
validity window. A request attestation is valid only against the
performing party it names, and only within its validity window
(with an implementation-defined clock-skew tolerance the verifier
applies).
Action attestation: A signed statement by the performing party,
referencing a request attestation by digest, recording the
deterministic constraint results evaluated at the effect boundary
— each constraint identified by reference so a third party can
tell which check produced which result — and the disposition of
the request, bound to the performing party's verifiable
organizational identity.
Acknowledgment: A signed statement by which a party records receipt
of the counterparty's attestation, completing the bilateral
record. Receipt does not assert agreement with the attestation's
contents; a party disputing a disposition does so in a subsequent
linked record.
Verifiable organizational identity: An organizational identity a
relying party can validate independently of that organization's
infrastructure — a credential chaining to a root of trust the
relying party accepts (a certificate authority, federation
operator, registry, or published trust list). This document does
not nominate roots.
Reduced-assurance indicator: A marker recording that a given
exchange completed with fewer than the full set of attestations
(see Section 6).
Mih Expires 7 January 2027 [Page 4]
Internet-Draft Bilateral Agent Attestation July 2026
4. The Bilateral Exchange
The exchange has four moves:
1. *Request attestation.* Before the performing party acts, the
requesting party produces a request attestation over the action
and its material terms. The requester is now bound: it cannot
later deny having asked, or having asked on these terms.
2. *Constraint evaluation.* The performing party verifies the
requester's organizational identity and evaluates the request
against deterministic constraints _at the boundary where the
action would take effect_ — not at the transport edge.
Verification gates execution: no verified request attestation, no
consequential action (policy MAY permit degraded operation; see
Section 6).
3. *Action attestation.* The performing party produces an action
attestation referencing the request attestation by digest and
recording the constraint results and the disposition.
Dispositions use the verdict-complete vocabulary of
[I-D.mih-scitt-agent-action-capsule] verbatim — _executed,
blocked, denied, timeout, errored, deferred, expired, escalated_
— so the record covers every outcome, not only success. A
performing party MUST produce at most one action attestation per
request attestation; repeated execution of a single request is
representable only as distinct request instances, each with its
own request attestation.
4. *Acknowledgment.* Each party acknowledges the other's
attestation. On completion, each organization is bound to its
part and holds proof of the other's.
Attestations and acknowledgments SHOULD be anchored: registered to a
transparency service per [RFC9943] — carried, for example, as the
payload of a profiled Signed Statement per
[I-D.mih-scitt-agent-action-capsule] — so that inclusion and non-
equivocation are verifiable by a party who trusts neither
organization. An unanchored bilateral record still binds the two
parties to each other; anchoring is what makes it evidence for
everyone else.
Wire encodings for the four objects are TBD for a future revision;
this document fixes the exchange, the binding obligations, and the
disposition semantics.
Mih Expires 7 January 2027 [Page 5]
Internet-Draft Bilateral Agent Attestation July 2026
5. Refusal Across the Boundary
A declined request is not a failed exchange; it is a completed
exchange with a decline disposition. The action attestation records
_that_ the request was declined and _on what constraint basis_; the
requester's acknowledgment completes the record. This has two
consequences.
For the performing party, a bilaterally-acknowledged decline is
evidence, verifiable by an auditor who trusts neither party, that its
boundary enforcement works — the strongest form of refusal-as-
positive-signal evidence, because here even the _counterparty that
was refused_ has signed the record.
For the requesting party, a history of acknowledged declines is
legible too: a pattern of out-of-policy requests is now provable by
its counterparties. Bilateral records cut both ways by construction;
parties should expect their requesting behavior, not only their
performing behavior, to become reputation-bearing.
6. Graceful Degradation
Counterparties will be of mixed capability for years. A performing
party whose counterpart cannot produce request attestations MAY
proceed under policy, producing its own action attestation
unilaterally and recording a reduced-assurance indicator in place of
the missing attestations. The record format is the same; the
assurance marking differs. This keeps one protocol across mixed
peers while preserving the distinction relying parties need: a fully-
bilateral record and a degraded record are never confusable, and
consumers can require a minimum assurance level. Degradation MUST be
recorded, never silent.
7. Relationship to Existing Work
*Record layer.* This document defines an exchange, not a record
format: its attestations are designed to be carried in existing agent
action records — the Agent Action Capsule
[I-D.mih-scitt-agent-action-capsule] supplies the disposition
vocabulary, effect binding, and anchoring path this document relies
on, and its selective-disclosure profile
[I-D.mih-scitt-agent-action-capsule-sel-disc] applies to cross-
boundary privacy (Section 9).
Mih Expires 7 January 2027 [Page 6]
Internet-Draft Bilateral Agent Attestation July 2026
*Delegation receipts.* [I-D.nelson-agent-delegation-receipts] binds a
_principal_ (the delegating user) to an authorization before any
action, on one side of the boundary. This document binds two
_organizations_ to a specific action at the moment of action. The
two compose: a request attestation may reference the delegation
receipt authorizing the requesting agent.
*Remote attestation.* RATS [RFC9334] attests platform and workload
_state_ — what software is running where. This document attests
_actions_ — what was requested and what was done. A deployment may
use RATS evidence to strengthen confidence in a counterparty's agent
runtime; the two are orthogonal layers.
*Audit and approval records.* The audit architecture
[I-D.kuehlewind-audit-architecture] describes recording agent
interactions across parties, and
[I-D.schrock-ep-authorization-receipts] records human authorization
of high-risk actions; both are complementary record sources this
exchange can feed and reference. The accountability composition
[I-D.mih-sato-agent-accountability-composition] describes how such
records compose by shared action digest; a bilateral record naturally
fills its cross-party leg.
8. Security Considerations
*Identity is the floor.* The evidentiary weight of a bilateral record
is bounded by the binding of keys to organizations. This document
inherits, and does not solve, the organizational-identity problem; it
requires only that the credential chain to a root the relying party
accepts, and that identity be bound to the _record_, not merely the
transport session.
*Half-completed exchanges.* A party that aborts mid-exchange
(requests, then never acknowledges the decline; performs, then
withholds the action attestation) creates an asymmetric record.
Timeout dispositions and anchoring deadlines bound the asymmetry: an
unacknowledged attestation anchored with a timeout marking is itself
evidence of the counterparty's non-completion. Policies SHOULD treat
chronic non-completion as reputation-bearing.
*Downgrade attacks.* If degraded operation is permitted, an attacker
prefers to be recorded at reduced assurance. Reduced-assurance
records MUST be unambiguously marked, acceptance of degraded
exchanges is a policy decision of the performing party, and consumers
SHOULD weight degraded records accordingly. Silent downgrade is the
failure mode to design out.
Mih Expires 7 January 2027 [Page 7]
Internet-Draft Bilateral Agent Attestation July 2026
*Replay and cross-binding.* Nonces and digests bind each attestation
to one request instance; an action attestation MUST NOT be verifiable
against any request other than the one it references.
*Key compromise and revocation.* A signature valid at attestation
time may be produced under a key compromised by verification time. A
verifier SHOULD be able to establish key validity _as of the
attestation's anchored time_, not only at verification time;
revocation and rotation semantics for organizational keys are
inherited from the identity layer and are out of scope here, but a
record without an anchored time cannot support this distinction.
*Canonicalization and hash agility.* Because every binding is by
digest, the canonicalization of the attested objects is security-
relevant: divergent serializations of the "same" terms produce
different digests, and ambiguous canonicalization enables terms-
substitution disputes. A future revision fixing wire encodings MUST
specify a deterministic canonicalization (e.g. JCS, [RFC8785]) and
carry an explicit hash-algorithm identifier for agility.
*Verification-cost DoS.* Verifying a request attestation (identity-
chain plus anchor inclusion) is more expensive than producing one. A
performing party SHOULD be able to cheaply reject unverifiable
request attestations before performing full verification, so request-
attestation flooding cannot exhaust a performer at the effect
boundary.
9. Privacy Considerations
A bilateral record discloses, by construction, that two organizations
transacted — to each other, and if anchored with cleartext
identifiers, to anyone. Deployments SHOULD anchor commitments rather
than cleartext (selective-disclosure structures per
[I-D.mih-scitt-agent-action-capsule-sel-disc]), disclose material
terms only to the counterparty and auditors, and treat counterparty
identity itself as a selectively-disclosable field where the use case
allows. Correlation of anchored records across a party's exchanges
(client-list reconstruction) is the residual risk; mitigations are
TBD alongside the reputation layer's, which faces the same problem
from the consumption side.
10. IANA Considerations
This document has no IANA actions at this time. A future revision
defining wire encodings is expected to register media types for the
four exchange objects and a registry for reduced-assurance indicator
values. TBD.
Mih Expires 7 January 2027 [Page 8]
Internet-Draft Bilateral Agent Attestation July 2026
11. References
11.1. Normative References
[RFC9943] Birkholz, H., Delignat-Lavaud, A., Fournet, C., Deshpande,
Y., and S. Lasker, "An Architecture for Trustworthy and
Transparent Digital Supply Chains", RFC 9943,
DOI 10.17487/RFC9943, June 2026,
<https://www.rfc-editor.org/rfc/rfc9943>.
[I-D.mih-scitt-agent-action-capsule]
Mih, S., "An Agent Action Capsule Profile for SCITT", Work
in Progress, Internet-Draft, draft-mih-scitt-agent-action-
capsule-01, 19 June 2026,
<https://datatracker.ietf.org/doc/html/draft-mih-scitt-
agent-action-capsule-01>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8785] Rundgren, A., Jordan, B., and S. Erdtman, "JSON
Canonicalization Scheme (JCS)", RFC 8785,
DOI 10.17487/RFC8785, June 2020,
<https://www.rfc-editor.org/rfc/rfc8785>.
11.2. Informative References
[I-D.mih-sato-agent-accountability-composition]
Mih, S., Sato, Bu, S., and I. Schrock, "Agent
Accountability: Composition and Conformance", Work in
Progress, Internet-Draft, draft-mih-sato-agent-
accountability-composition-00, 5 July 2026,
<https://datatracker.ietf.org/doc/html/draft-mih-sato-
agent-accountability-composition-00>.
[I-D.mih-scitt-agent-action-capsule-sel-disc]
Mih, S., "Selective Disclosure Profile for Agent Action
Capsules", Work in Progress, Internet-Draft, draft-mih-
scitt-agent-action-capsule-sel-disc-00, 19 June 2026,
<https://datatracker.ietf.org/doc/html/draft-mih-scitt-
agent-action-capsule-sel-disc-00>.
Mih Expires 7 January 2027 [Page 9]
Internet-Draft Bilateral Agent Attestation July 2026
[I-D.nelson-agent-delegation-receipts]
Nelson, R., "Delegation Receipt Protocol for AI Agent
Authorization", Work in Progress, Internet-Draft, draft-
nelson-agent-delegation-receipts-10, 13 June 2026,
<https://datatracker.ietf.org/doc/html/draft-nelson-agent-
delegation-receipts-10>.
[I-D.kuehlewind-audit-architecture]
Kühlewind, M. and H. Birkholz, "An Architecture for
Auditing AI Agent Delegation and Interactions", Work in
Progress, Internet-Draft, draft-kuehlewind-audit-
architecture-00, 18 May 2026,
<https://datatracker.ietf.org/doc/html/draft-kuehlewind-
audit-architecture-00>.
[I-D.schrock-ep-authorization-receipts]
Schrock, I., "Authorization Receipts for High-Risk Agent
Actions", Work in Progress, Internet-Draft, draft-schrock-
ep-authorization-receipts-06, 6 July 2026,
<https://datatracker.ietf.org/doc/html/draft-schrock-ep-
authorization-receipts-06>.
[RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote ATtestation procedureS (RATS)
Architecture", RFC 9334, DOI 10.17487/RFC9334, January
2023, <https://www.rfc-editor.org/rfc/rfc9334>.
Acknowledgments
This exchange pattern owes its framing to discussions in the SCITT
and agent-accountability communities, and composes with the work of
the authors cited above.
Author's Address
Steven Mih
Action State Group, Inc.
Email: spec@actionstate.ai
Mih Expires 7 January 2027 [Page 10]