Network Working Group                                    D. Condrey, Ed.
Internet-Draft                                          WritersLogic Inc
Intended status: Informational                          11 February 2026
Expires: 15 August 2026


                   Proof of Process (PoP) CDDL Schema
                    draft-condrey-rats-pop-schema-01

Abstract

   This document provides the normative Concise Data Definition Language
   (CDDL) schema for the Proof of Process (PoP) protocol.  The schema
   defines the CBOR-encoded wire format for PoP evidence packets,
   semantic editing event transcripts, time anchors, signed tool
   receipts, compact evidence references, and verifier-produced
   attestation results.  The schema is published separately to enable
   independent tooling, validation, and schema versioning decoupled from
   narrative specification text.

Status of This Memo

   This note is to be removed before publishing as an RFC.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 15 August 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Condrey                  Expires 15 August 2026                 [Page 1]

Internet-Draft                  PoP CDDL                   February 2026

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Schema Information
   3.  Signing and Hashing Surfaces
   4.  Complete CDDL Schema
   5.  Security Considerations
   6.  IANA Considerations
   7.  Normative References
   8.  Informative References
   Acknowledgments
   Author's Address

1.  Introduction

   This document contains the normative CDDL schema for the Proof of
   Process (PoP) protocol defined in [I-D.condrey-rats-pop-protocol].
   The schema defines the CBOR-encoded structures used to represent PoP
   Evidence Packets (.pop), transcripts of semantic editing events, time
   anchors, signed tool receipts, compact evidence references, and
   Attestation Results (.war).

   Implementations that produce or verify PoP artifacts MUST conform to
   this schema.  The schema is provided as a separate document to
   facilitate independent tooling and validation and to support schema
   versioning separate from narrative specification updates.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] and [RFC8174] when, and only when, they appear in
   all capitals, as shown here.

2.  Schema Information

   This schema is specified using CDDL as defined in [RFC8610].  CDDL
   provides a notation for expressing CBOR [RFC8949] data structures
   with precise type constraints and extensibility support.

   *Schema Version:*  1.5.1

   *Compatibility:*  Breaking changes increment the major version
      number.  Minor version changes add optional fields or new
      enumeration values.  Patch version changes are documentation or
      clarification only.

   *Deterministic Encoding:*  For any structure that participates in
      hashing or signing, implementations MUST use deterministic CBOR
      encoding as defined in RFC 8949, Section 4.2.  Verifiers MUST
      reject signatures if the reconstructed payload bytes do not match
      the deterministic encoding of the signed structure defined in this
      document.

   *Label Space:*  Integer keys 1..99 are reserved for this schema.
      Integer keys 100..32767 are reserved for future IETF extensions.
      String keys are for vendor/private extensions and MUST NOT be
      required for interoperability.  Verifiers MAY ignore unknown keys
      under policy.

   *Semantic Tags:*  Evidence Packets (.pop) use CBOR tag 1347571280
      (Proof of Process Packet, "PPPP").  Compact Evidence References
      use CBOR tag 1347571281.  Attestation Results (.war) use CBOR tag
      1463894560 (Writers Authenticity Report, "WAR").  These tag values
      are registered in the IANA "CBOR Tags" registry [IANA.cbor-tags].

3.  Signing and Hashing Surfaces

   This section defines the byte-level payloads that MUST be used for
   hashing and signing in PoP artifacts.  All payloads in this section
   MUST be encoded using deterministic CBOR encoding as defined in
   RFC 8949, Section 4.2.

   *Evidence Packet Signature Payload:*  The COSE_Sign1 payload in the
      evidence-packet structure MUST be the deterministic CBOR encoding
      of the evidence-packet fields excluding the signature itself.  The
      signature field MUST NOT be included in the signed bytes.

   *Attestation Result Signature Payload:*  The COSE_Sign1 payload in an
      attestation-result (field 7) MUST be the deterministic CBOR
      encoding of fields 1-6 plus any optional fields 8-11.  The
      signature field itself MUST NOT be included in the signed bytes.

   *Detached Payload:*  If a COSE_Sign1 structure uses a detached
      payload (i.e., the COSE payload is CBOR null), the verifier MUST
      reconstruct the payload bytes exactly as specified above and
      validate that the signature covers those bytes.

4.  Complete CDDL Schema

   The following CDDL defines the complete wire format for PoP artifacts
   and associated structures.  This schema is normative and
   implementations MUST conform to it.

   The schema constrains COSE_Sign1 structures to the array shape
   specified in [RFC9052] and defines unambiguous signing payloads (see
   Section 3).  This schema does not reproduce the COSE algorithm
   registries; COSE processing rules remain as specified in [RFC9052].

   *COSE Header Requirements:*  The protected header of each COSE_Sign1
      structure MUST decode to a CBOR map that includes the alg header
      parameter.  Either the protected or unprotected header map MUST
      provide key identification sufficient for verification (for
      example, kid or an X.509 chain) per deployment policy.

   ; ============================================================
   ; Proof of Process (PoP) — Normative CDDL Schema
   ; Schema Version: 1.5.1
   ; ============================================================
   ;
   ; Notes:
   ; - This schema constrains COSE_Sign1 to its array shape per RFC 9052.
   ; - COSE header registries and algorithm processing remain in RFC 9052.
   ; - Deterministic CBOR encoding (RFC 8949 §4.2) is REQUIRED for any
   ;   structure that participates in hashing or signing.
   ;
   ; ============================================================
   ; Label Space / Extensibility
   ; ============================================================
   ;
   ; Integer labels 1..99: reserved by this schema (normative).
   ; Integer labels 100..32767: reserved for future IETF extensions.
   ; Text labels: vendor/private extensions; MUST NOT be required for interop.
   ;
   ; ============================================================
   ; Top-Level Objects
   ; ============================================================

   ; IANA-registered CBOR tags:
   ; - 1347571280: Proof of Process Packet (PPPP)
   ; - 1347571281: Compact Evidence Reference
   ; - 1463894560: Writers Authenticity Report (WAR)

   tagged-evidence-packet = #6.1347571280(evidence-packet)
   tagged-evidence-reference = #6.1347571281(evidence-reference)
   tagged-attestation-result = #6.1463894560(attestation-result)

   ; ============================================================
   ; Core Scalar Types
   ; ============================================================

   ; UUID as 16-byte string (RFC 9562)
   uuid = bstr .size 16

   ; Timestamp as CBOR epoch-based date/time (tag 1)
   pop-timestamp = #6.1(number)

   ; Hash value (SHA-256, SHA-384, or SHA-512)
   hash-value = bstr .size 32 / bstr .size 48 / bstr .size 64

   ; Fixed-point type definitions for compact encoding
   confidence-millibits = uint .le 1000  ; 0-1000 representing 0.000-1.000
   ratio-millibits = uint .le 1000       ; generic 0.0-1.0 ratio
   entropy-decibits = uint .le 640       ; 0-640 representing 0.0-64.0 bits

   ; ============================================================
   ; Evidence Packet (.pop)
   ; ============================================================
   ;
   ; The primary Evidence artifact produced by the Attester.
   ; Contains all cryptographic proofs and behavioral evidence.

   evidence-packet = {
     1 => uint,                   ; version (1)
     2 => vdf-structure,          ; VDF proof
     3 => jitter-seal-structure,  ; Jitter Seal (mandatory in v1.1+)
     4 => content-hash-tree,      ; Merkle tree for segments
     5 => correlation-proof,      ; Spearman Correlation
     6 => error-topology,         ; Fractal Error Pattern
     7 => hardware-attestation,   ; Hardware Assurance Binding
     8 => process-metrics,        ; Raw Process Measurements
     * tstr => any,               ; extensions
   }

   vdf-structure = {
     1 => bstr,      ; input: H(DST_CHAIN || content || jitter_seal)
     2 => bstr,      ; output
     3 => uint,      ; iterations
     4 => [* uint],  ; rdtsc_checkpoints (continuous calibration)
     5 => bstr,      ; entropic_pulse: HMAC(SK, T ^ E)
     * tstr => any,
   }

   jitter-seal-structure = {
     1 => tstr,                    ; lang (e.g., "en-US")
     2 => bstr,                    ; bucket_commitment (ZK-Private)
     3 => uint,                    ; entropy_millibits
     5 => int .within -100..100,   ; pink_noise_slope_decibits (-10.0..10.0)
     * tstr => any,
   }

   content-hash-tree = {
     1 => bstr,         ; root
     2 => uint .ge 20,  ; segment_count
     * tstr => any,
   }

   correlation-proof = {
     1 => int .within -1000..1000,  ; rho (scaled: -1000..1000 = -1.0..1.0)
     2 => uint,                     ; threshold (e.g., 700 = 0.7)
     * tstr => any,
   }

   error-topology = {
     1 => bstr,             ; fractal-signature commitment
     2 => ratio-millibits,  ; pattern-score
     ? 3 => bstr,           ; stark-proof (optional ZK proof)
     * tstr => any,
   }

   hardware-attestation = {
     1 => tstr,        ; attestation-type ("tpm2.0" / "secure-enclave")
     2 => bstr,        ; attestation-data
     ? 3 => [* bstr],  ; certificate-chain
     * tstr => any,
   }

   process-metrics = {
     1 => ratio-millibits,        ; linearity-score
     2 => ratio-millibits,        ; structural-edit-ratio
     3 => int,                    ; hesitation-phase-offset (signed millibits)
     4 => ratio-millibits,        ; revision-clustering
     5 => ratio-millibits,        ; fatigue-slope
     6 => uint,                   ; checkpoint-count
     7 => uint,                   ; total-duration-ms
     ? 8 => [+ ratio-millibits],  ; per-checkpoint-conformity-scores
     * tstr => any,
   }

   ; ============================================================
   ; Compact Evidence Reference (Tagged)
   ; ============================================================

   evidence-reference = {
     1 => uint,                    ; version
     2 => uuid,                    ; packet-id (matches evidence-packet)
     3 => hash-value,              ; content-hash
     ? 4 => pop-timestamp,         ; created timestamp
     ? 5 => forensic-assessment,   ; verdict (if available)
     ? 6 => confidence-millibits,  ; confidence (0-1000)
     * tstr => any,
   }

   ; ============================================================
   ; Attestation Result (.war)
   ; ============================================================
   ;
   ; The Verifier's assessment of an Evidence packet.
   ; Implements a witnessd-specific profile of EAR.

   attestation-result = {
     1 => uint,                            ; version
     2 => uuid,                            ; reference-packet-id
     3 => pop-timestamp,                   ; verified-at
     4 => forensic-assessment,             ; verdict
     5 => confidence-millibits,            ; confidence (0-1000 = 0.0-1.0)
     6 => [+ result-claim],                ; verified-claims
     7 => cose-signature,                  ; verifier-signature
     ? 8 => tstr,                          ; verifier-identity
     ? 9 => verifier-metadata,             ; additional info
     ? 10 => [+ tstr],                     ; caveats
     ? 11 => source-consistency-analysis,  ; Verifier's interpretation
     * tstr => any,
   }

   ; Forensic assessment enumeration
   forensic-assessment = &(
     not-assessed: 0,
     manual-composition-consistent: 1,
     manual-composition-likely: 2,
     inconclusive: 3,
     automated-assisted-likely: 4,
     automated-insertion-consistent: 5,
   )

   result-claim = {
     1 => uint,                    ; claim-type
     2 => bool,                    ; verified
     ? 3 => tstr,                  ; detail
     ? 4 => confidence-millibits,  ; claim-confidence
     * tstr => any,
   }

   verifier-metadata = {
     ? 1 => tstr,      ; verifier-version (software version)
     ? 2 => tstr,      ; verifier-uri (service endpoint)
     ? 3 => [+ bstr],  ; verifier-cert-chain (X.509 DER)
     ? 4 => tstr,      ; policy-id (appraisal policy used)
     * tstr => any,
   }

   source-consistency-analysis = {
     1 => tstr,             ; detected-pattern
     2 => ratio-millibits,  ; aggregate-consistency (0-1000)
     ? 3 => [+ uint],       ; deviation-checkpoint-indices
     ? 4 => tstr,           ; verifier-policy-id
     * tstr => any,
   }

   ; ============================================================
   ; COSE Signatures
   ; ============================================================

   cose-signature = [
     protected : bstr,
     unprotected : { * int => any, * tstr => any },
     payload : bstr / nil,
     signature : bstr
   ]

       Figure 1: Proof of Process (PoP) CDDL Schema (Version 1.5.1)

5.  Security Considerations

   This document defines a data format schema for PoP artifacts.
   Security considerations for the PoP protocol, including verification
   requirements and threat models, are specified in the companion
   protocol document [I-D.condrey-rats-pop-protocol].

   *Disclosure Risk:*  Transcripts may reveal sensitive intermediate
      content, including deleted text and draft iterations.  Deployments
      SHOULD define disclosure policies that minimize unnecessary
      exposure, and MAY use selective disclosure proofs where supported
      by the companion protocol specification.

   *Auxiliary Data:*  Implementations MUST treat auxiliary fields and
      vendor extensions as potentially sensitive.  Verifiers SHOULD
      ignore unknown extensions unless explicitly allowed by policy.

   *Receipt Trust:*  A valid receipt signature only attests that a tool
      produced an output commitment; it does not itself establish that
      the tool behaved honestly.  Deployments SHOULD define trust and
      revocation policies for tool keys and SHOULD surface receipt flags
      to users and verifiers.

   *Replay and Rebinding:*  Implementations SHOULD bind receipts and
      anchors to a session (directly or via commitments) to prevent
      replay in unrelated documents or sessions, as specified by the
      companion protocol document.

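The Attestation Result signing surface from Section 3, together with the extension handling from Section 5, as an added example (not code from this draft or its author). It assumes the signed structure is a CBOR map of integer fields 1-6 and 8-11; `Tag`, `head`, `det_encode`, `war_signing_payload`, `payload_to_verify` and `SAMPLE` are illustrative names, `SAMPLE` is constructed, and floating-point values are not handled.

```python
import struct
from collections import namedtuple

Tag = namedtuple("Tag", "number value")     # e.g. Tag(1, 1770000000): pop-timestamp

def head(major, n):
    """Shortest-form initial bytes for a major type and its argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for extra, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | extra]) + struct.pack(fmt, n)
    raise ValueError("argument does not fit in 64 bits")

def det_encode(v):
    """Deterministic CBOR (RFC 8949, Section 4.2) for the types used here."""
    if v is None or isinstance(v, bool):    # bool is an int subclass: test first
        return {None: b"\xf6", True: b"\xf5", False: b"\xf4"}[v]
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes):
        return head(2, len(v)) + v
    if isinstance(v, str):
        return head(3, len(v.encode())) + v.encode()
    if isinstance(v, Tag):                  # before tuple: Tag is a namedtuple
        return head(6, v.number) + det_encode(v.value)
    if isinstance(v, (list, tuple)):
        return head(4, len(v)) + b"".join(map(det_encode, v))
    if isinstance(v, dict):                 # keys ordered by their encoded bytes
        items = sorted((det_encode(k), det_encode(x)) for k, x in v.items())
        return head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type: {type(v).__name__}")

REQUIRED = set(range(1, 7))                 # fields 1-6
SIGNED = REQUIRED | set(range(8, 12))       # plus optional 8-11 (assumed: one map)

def war_signing_payload(result):
    """Bytes the signature covers: never field 7, never text-keyed extensions."""
    if REQUIRED - set(result):
        raise ValueError("attestation-result lacks a required field 1-6")
    return det_encode({k: x for k, x in result.items() if k in SIGNED})

def payload_to_verify(result):
    """Rebuild the payload; reject an attached payload that differs from it."""
    attached = result[7][2]                 # cose-signature payload: bstr / nil
    expected = war_signing_payload(result)
    if attached is not None and attached != expected:
        raise ValueError("attached payload is not the deterministic encoding")
    return expected                         # input to COSE_Sign1 verification

# Constructed sample: detached payload (nil), protected header {1: -8}.
SAMPLE = {1: 1, 2: bytes(16), 3: Tag(1, 1770000000), 4: 3, 5: 500,
          6: [{1: 1, 2: True}], 7: [b"\xa1\x01\x27", {}, None, bytes(64)],
          "vendor-note": "outside the signed bytes"}
```

Read literally, Section 3 leaves text-keyed extensions out of the signed bytes, so changing `"vendor-note"` does not change the payload; a verifier should not base an appraisal decision on such a field.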
6.  IANA Considerations

   This document has no IANA actions.  The PoP-related CBOR tags
   referenced by this schema are already registered in the IANA "CBOR
   Tags" registry [IANA.cbor-tags].

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL)", RFC 8610,
              DOI 10.17487/RFC8610, June 2019.

   [RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", STD 94, RFC 8949,
              DOI 10.17487/RFC8949, December 2020.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022.

8.  Informative References

   [I-D.condrey-rats-pop-protocol]
              Condrey, D., "Proof of Process (PoP): A Verifiable Process
              Transcript Format", Work in Progress, Internet-Draft,
              draft-condrey-rats-pop-protocol-00.

   [IANA.cbor-tags]
              IANA, "Concise Binary Object Representation (CBOR) Tags".

Acknowledgments

   The author thanks the RATS community and early implementers for
   review feedback on schema determinism, COSE signing surfaces, and
   CBOR tag interoperability.

Author's Address

   David Condrey (editor)
   WritersLogic Inc
   United States
   Email: david@writerslogic.com