SDLP Architecture (arch)
draft-norton-sdlp-arch-03
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Mark Norton | ||
| Last updated | 2026-07-02 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-norton-sdlp-arch-03
Internet-Draft M. Norton
Intended status: Informational Independent
Expires: January 1, 2027 July 1, 2026
SDLP Architecture (arch)
draft-norton-sdlp-arch-03
M. Norton
Email: mark433norton@gmail.com
July 2026
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
https://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
https://www.ietf.org/shadow.html
Abstract
The Secured Digital Lifecycle Protocol (SDLP) defines an architecture
for lifecycle-governed digital objects. SDLP introduces a uniform
model for object identity, provenance, state transitions, and
authorized transformations, enabling digital goods to enforce their
own lifecycle rules across heterogeneous systems and distribution
environments.
This document describes the architectural components that support
SDLP objects, including identity construction, lifecycle state
definitions, transition conditions, and the mechanisms by which
objects validate their own integrity and permitted operations. The
architecture defines how SDLP objects are created, transformed,
distributed, consumed, and retired, and specifies the interoperability
requirements needed for consistent behavior across independent
implementations.
This document does not define wire formats or protocol exchanges.
Instead, it provides the architectural foundation upon which SDLP
protocol specifications, security mechanisms, and implementation
profiles can be built.
Status of This Memo
This Internet-Draft is being made available through the Independent
Submission Stream. It is not a product of the Internet Engineering
Task Force (IETF) and does not represent IETF consensus or IESG
approval. It is published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Information about the current status of this document, any errata,
and how to provide feedback may be obtained at the RFC Editor
website.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
0. Architectural Purpose
1. Introduction
2. Terminology
3. Object Identity
4. Lifecycle Semantics
5. Lineage Model
6. Environment Validation
7. Security Considerations
8. IANA Considerations
23. References
24. Acknowledgments
25. Author’s Address
Appendix A. Rationale
0. Architectural Purpose
The Secured Digital Lifecycle Protocol (SDLP) defines a deterministic
lifecycle model for digital objects. The architecture assumes that
user behavior, operational environments, and administrative controls
cannot be relied upon to provide consistent security guarantees.
Consequently, SDLP does not depend on user intent, discretionary
policy enforcement, or external trust assumptions.
SDLP establishes mandatory lifecycle rules that govern the creation,
existence, transition, and termination of digital instances. These
rules are enforced by the instances themselves and are not subject to
override by users or intermediaries.
The architecture supports a security model in which digital objects
validate their own state, detect unauthorized conditions, and enter
terminal destruction states when required. This approach ensures that
object integrity and lifecycle compliance are maintained even in the
presence of operational error, misconfiguration, or malicious
activity.
The purpose of SDLP is to provide lifecycle integrity in environments
where external behavioral or administrative controls cannot be
guaranteed.
0.1. Out-of-Scope Items
The following items are out of scope for this document. SDLP defines
lifecycle rules, not the implementation details of systems that adopt
them.
* Implementation details
* Transport mechanisms
* Storage formats
* Cryptographic algorithm selection
* Commercial licensing models
* UI or UX considerations
* External content-protection mechanisms (e.g., DRM)
1. Introduction
The Secured Digital Lifecycle Protocol (SDLP) defines identity,
lineage, and lifecycle semantics for digital objects. An SDLP object
is a structured instance with a verifiable identity, a deterministic
lifecycle, and an environment binding that governs how the object
may be activated, transformed, or copied.
SDLP generalizes concepts familiar from OAuth—identity, introspection,
environment validation, and lifecycle transitions—and applies them to
digital objects rather than authorization artifacts. Unlike ordinary
files, SDLP objects do not rely on user intent or discretionary
policy; their behavior is determined entirely by lifecycle rules and
environment constraints.
Copying an SDLP object does not produce a second instance of the same
object. For identity‑bound objects (e.g., sealed digital collectibles),
a copied byte sequence fails identity validation and cannot activate
in any compliant environment. For entertainment media and other
copy‑permitted classes, copying is a lifecycle transition: the copied
bytes instantiate a new child object with its own SDLP identifier,
lineage entry, and environment binding. SDLP does not prevent
copying; it ensures that copying results in either a non‑functional
duplicate or a valid child object, depending on the object’s class.
SDLP objects maintain lineage across all lifecycle transitions.
Environment validation ensures that each transition—activation,
copying, transformation, or sealing—occurs only in a compliant
environment. These mechanisms provide deterministic lifecycle
behavior even in the presence of operational error, misconfiguration,
or malicious activity.
2. Terminology
The following terms are used throughout this document.
SDLP Object
A digital object that carries SDLP-defined metadata including
identity, lifecycle state, lineage, and environment constraints.
An SDLP object is activated, transformed, validated, and retired
according to the rules defined in this protocol.
Object Identity
A unique identifier assigned to an SDLP object at issuance.
Identity is validated by compliant environments prior to
activation or transformation. Identity validation is analogous
to OAuth token introspection.
Lifecycle State
The current operational state of an SDLP object. Lifecycle states
include: "issued", "active", "transformed", "expired", "revoked",
and "destroyed". Lifecycle transitions are governed by SDLP rules
and validated by compliant environments.
Lineage
Metadata describing the ancestry of an SDLP object. Lineage
records the issuer, issuance time, and any transformations that
produced descendant objects. Lineage is preserved across
transformations and validated by compliant environments.
Environment
A system, application, or service capable of validating SDLP
object identity, evaluating lifecycle state, enforcing transition
rules, and performing transformations. Environments must
implement SDLP-compliant behavior to activate or transform
objects.
Activation
The process by which an environment validates an SDLP object’s
identity, evaluates its lifecycle state, and authorizes its use.
Activation is analogous to the acceptance of an OAuth token by a
resource server.
Transformation
A state transition that produces a descendant SDLP object with
updated lifecycle metadata and preserved lineage. Transformations
are analogous to OAuth token derivation or token exchange.
Introspection
The process by which an environment evaluates an SDLP object’s
identity, lineage, lifecycle state, and constraints. SDLP
introspection is conceptually similar to OAuth token
introspection but applies to digital objects rather than access
tokens.
Constraint
A rule limiting where or how an SDLP object may be activated or
transformed. Constraints may include environment identifiers,
permitted lifecycle transitions, or other protocol-defined
restrictions.
3. Object Identity
Every SDLP object carries a unique identity assigned at issuance.
Object identity is the foundational element of SDLP lifecycle
governance. Identity determines whether an object may be activated,
transformed, introspected, or retired by a compliant environment.
SDLP object identity is conceptually similar to the identity of an
OAuth access token. As with OAuth tokens, the bytes of an SDLP object
may be copied, but the identity cannot be duplicated. A copied object
fails identity validation and cannot be activated by any compliant
environment.
3.1. Identity Structure
SDLP object identity consists of protocol-defined metadata that
includes:
* A globally unique object identifier.
* Issuer information identifying the environment that created the
object.
* Issuance timestamp.
* Lifecycle state at issuance.
* Lineage root (the initial ancestor of the object).
The identity structure is immutable. Transformations may produce
descendant objects, but the identity of the original object does not
change.
3.2. Identity Validation
Identity validation is performed by compliant environments prior to
activation or transformation. Validation includes:
* Confirming that the object identifier is well-formed.
* Verifying that the object was issued by a recognized environment.
* Ensuring that the object has not been revoked or destroyed.
* Confirming that the object’s lineage metadata is intact.
* Evaluating whether the object’s lifecycle state permits the
requested operation.
Identity validation is analogous to OAuth token introspection. An
environment must validate identity before accepting or transforming
an object.
3.3. Identity and Copying
SDLP does not prevent copying of object bytes. However, copying does
not produce a second valid object. A copied object:
* Retains the original bytes.
* Fails identity validation.
* Cannot be activated.
* Cannot be transformed.
* Cannot progress through the lifecycle.
SDLP enforces lifecycle behavior through identity validation rather
than through access control or rights management. Copying is allowed,
but copied objects do not function.
3.4. Identity and Lineage
Identity is tightly coupled with lineage. The identity of an object
establishes the root of its lineage tree. Descendant objects inherit
lineage metadata but receive new identities. Identity validation
ensures that lineage is preserved and that transformations produce
legitimate descendants rather than unauthorized copies.
4. Lifecycle Semantics
SDLP defines a deterministic lifecycle for digital objects. Each
object carries an identity, a lineage entry, and an environment
binding. Lifecycle transitions occur only when the environment
satisfies the validation rules associated with the object’s class.
SDLP objects fall into two broad categories:
* Identity‑bound objects: These objects have a sealed identity and
cannot produce functional copies. Copying the bytes yields a
duplicate that fails identity validation and cannot activate or
progress through the lifecycle.
* Copy‑permitted objects: These objects allow copying as a lifecycle
transition. Copying produces a new child object with a new SDLP
identifier, a lineage reference to the parent, and a fresh
environment binding. Entertainment media, courseware, and other
distributable content fall into this category.
Lifecycle transitions include:
* Activation: The environment validates the object’s identity and
binding before allowing use.
* Copy: For copy‑permitted objects, the environment instantiates a
new child object with inherited metadata and a new SDLP identifier.
For identity‑bound objects, the copied bytes cannot activate.
* Transformation: The environment produces a new object derived from
the parent, with updated lineage and lifecycle state.
* Sealing: The environment finalizes the object, preventing further
lifecycle transitions except those explicitly permitted by class
rules.
Each transition updates the object’s lineage, ensuring that SDLP
objects maintain a verifiable history across all environments and
operational contexts.
5. Lineage Model
SDLP defines a lineage model that records the ancestry of digital
objects as they undergo protocol-defined transformations. Lineage
provides a verifiable history of how an object was created, how it
has changed, and which environments performed those changes.
The lineage model is conceptually similar to OAuth token derivation
and token exchange, where a new token is produced based on an
existing token. SDLP generalizes this concept to digital objects and
ensures that lineage is preserved across all transformations.
5.1. Lineage Structure
Each SDLP object carries lineage metadata that includes:
* The identity of the issuing environment.
* The issuance timestamp.
* The identity of the parent object, if any.
* A record of transformations performed on the object.
* The environment identifiers of systems that performed those
transformations.
Lineage metadata is immutable once written. Descendant objects may
append new lineage entries, but existing entries cannot be altered.
5.2. Lineage Preservation
When an SDLP object is transformed, the resulting descendant object
inherits the lineage of its parent. The descendant:
* Receives a new identity.
* Preserves the complete lineage of the parent.
* Appends a new lineage entry describing the transformation.
* Records the environment that performed the transformation.
Lineage preservation ensures that compliant environments can verify
the ancestry of any object and determine whether it was produced
through legitimate transformations.
5.3. Lineage Validation
Prior to activation or transformation, environments MUST validate the
lineage of an SDLP object. Lineage validation includes:
* Confirming that the lineage chain is intact and well-formed.
* Ensuring that each transformation was performed by a recognized
environment.
* Verifying that no lineage entry has been removed or altered.
* Evaluating whether the lineage permits the requested operation.
Lineage validation is conceptually similar to validating the claims
within a structured OAuth token, but applies to digital objects
rather than authorization artifacts.
5.4. Lineage and Copying
Copying an SDLP object does not produce a second instance of the same
object. SDLP distinguishes between two object classes:
* Identity-bound objects: Copying the bytes yields a duplicate that
fails identity validation and cannot activate. These objects do
not produce functional children, and their lineage does not
extend through copying.
* Copy-permitted objects (e.g., entertainment media): Copying is a
lifecycle transition. The copied bytes instantiate a new child
object with a new SDLP identifier, a lineage reference to the
parent, and a fresh environment binding. Copying extends lineage
and produces a new descendant object.
SDLP does not prevent copying; it ensures that copying results in
either a non-functional duplicate or a valid child object, depending
on the object’s class.
5.5. Lineage and Descendant Objects
Descendant objects form a lineage tree rooted at the original object.
Each descendant:
* Has its own identity.
* Inherits the lineage of its parent.
* Appends a new lineage entry describing the transformation or copy.
* May itself be transformed or copied, producing further descendants.
This lineage tree provides a complete, verifiable history of all
transformations and copy events performed on an object. Environments
may use lineage to determine whether a descendant object is
legitimate, whether it was produced by authorized environments, and
whether it may be activated or further transformed.
6. Environment Validation
SDLP relies on compliant environments to validate object identity,
evaluate lifecycle state, enforce transition rules, and preserve
lineage. Environment validation is the mechanism through which SDLP
ensures that digital objects behave consistently across systems,
platforms, and deployments.
Environment validation is conceptually similar to OAuth resource
servers validating access tokens. In OAuth, a resource server
evaluates a token’s issuer, claims, expiry, and revocation status
before allowing access. SDLP generalizes this model to digital
objects, requiring environments to validate identity, lineage,
lifecycle state, and constraints before activating or transforming
an object.
6.1. Environment Responsibilities
A compliant environment MUST perform the following actions prior to
activation or transformation:
* Validate the object’s identity.
* Validate the object’s lineage chain.
* Validate the object’s lifecycle state.
* Evaluate any constraints associated with the object.
* Enforce legal lifecycle transitions.
* Reject illegal or unauthorized transitions.
* Record transformations in lineage metadata.
These responsibilities ensure that SDLP objects behave consistently
regardless of where they are activated or transformed.
6.2. Identity Validation
Environments MUST validate object identity before activation or
transformation. Identity validation includes:
* Confirming that the object identifier is well-formed.
* Verifying that the object was issued by a recognized environment.
* Ensuring that the object has not been revoked or destroyed.
* Confirming that the object’s identity metadata is intact.
Identity validation is analogous to OAuth token introspection.
6.3. Lineage Validation
Environments MUST validate lineage to ensure that the object was
produced through legitimate transformations. Lineage validation
includes:
* Confirming that the lineage chain is intact.
* Verifying that each transformation was performed by a recognized
environment.
* Ensuring that no lineage entry has been removed or altered.
Lineage validation is conceptually similar to validating structured
claims within an OAuth token.
6.4. Lifecycle Validation
Environments MUST validate lifecycle state prior to activation or
transformation. Lifecycle validation includes:
* Confirming that the object is not expired.
* Confirming that the object is not revoked or destroyed.
* Ensuring that the requested operation is permitted for the current
lifecycle state.
Lifecycle validation is analogous to OAuth token expiry and revocation
checks.
6.5. Constraint Evaluation
SDLP objects may include constraints that limit where or how they may
be activated or transformed. Environments MUST evaluate constraints
prior to activation or transformation. Constraints may include:
* Environment identifiers.
* Permitted lifecycle transitions.
* Transformation restrictions.
* Operational limitations.
Constraint evaluation ensures that SDLP objects behave consistently
across environments.
6.6. Rejection of Invalid Objects
Environments MUST reject objects that fail identity, lineage,
lifecycle, or constraint validation. Rejected objects:
* Cannot be activated.
* Cannot be transformed.
* Cannot progress through the lifecycle.
SDLP enforces object behavior through validation rather than through
access control or rights management. Copying is allowed, but copied
objects do not function.
7. Security Considerations
SDLP requires that all lifecycle transitions be authenticated,
authorized, and recorded. Identity spoofing, unauthorized
transformations, lineage tampering, and state forgery MUST be
mitigated by protocol-level controls defined in the SDLP Security
Architecture.
Initialization is a mandatory trust boundary. Instances MUST evaluate
their environment prior to activation and MUST perform Pre-Init
Termination if any requirement is unmet.
Zeroization-class terminal states MUST be irreversible, and destroyed
instances MUST NOT be recoverable, rehydrated, resurrected, or
reinstantiated.
These requirements ensure that SDLP instances uphold lifecycle
guarantees regardless of user behavior or platform integrity.
8. IANA Considerations
This document makes no requests of IANA.
23. References
23.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174,
DOI 10.17487/RFC8174.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749.
[RFC7662] Richer, J. and M. Jones, "OAuth 2.0 Token Introspection",
RFC 7662, DOI 10.17487/RFC7662.
23.2. Informative References
[SDLP-SEC-ARCH]
Norton, M., "SDLP Security Architecture", Work in
Progress, draft-norton-sdlp-sec-arch-00.
[SDLP-IDENTITY]
Norton, M., "SDLP Identity Model", Work in Progress,
draft-norton-sdlp-identity-00.
[SDLP-LIFECYCLE]
Norton, M., "SDLP Lifecycle Specification", Work in
Progress, draft-norton-sdlp-lifecycle-00.
[SDLP-OBJ-FORMAT]
Norton, M., "SDLP Object Format", Work in Progress,
draft-norton-sdlp-obj-format-00.
[RFC6819] Lodderstedt, T., Bradley, J., and N. Sakimura, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819,
DOI 10.17487/RFC6819.
24. Acknowledgments
The author thanks the members of the OAuth community whose work
established the identity, introspection, and lifecycle concepts
generalized by SDLP. Their contributions provided the architectural
foundation upon which this document is built.
The author also acknowledges the feedback provided by early
reviewers, implementers, and independent contributors whose
discussions helped refine the SDLP object model, lifecycle semantics,
and environment‑validation framework.
25. Author’s Address
M. Norton
Independent
Email: mark433norton@gmail.com
Appendix A. Rationale
This appendix provides background context and design rationale for
the architectural choices made in SDLP. The intent is to document the
motivations, constraints, and conceptual foundations that informed
the SDLP object model, lifecycle semantics, and environment‑validation
framework.
SDLP generalizes concepts familiar to OAuth implementers—identity,
lifecycle, introspection, and environment constraints—and applies
them to digital objects rather than authorization artifacts. This
approach enables consistent lifecycle behavior across heterogeneous
systems without relying on user intent, discretionary policy, or
external administrative controls.
The architectural model prioritizes deterministic lifecycle behavior,
verifiable lineage, and environment‑validated transitions. These
principles ensure that SDLP objects maintain integrity even in the
presence of operational error, misconfiguration, or malicious
activity.