| Internet-Draft | ATA Protocol | June 2026 |
| Anokhin | Expires 20 December 2026 | [Page] |
This document describes a session-layer mechanism addressing a requirement independently exhibited by emerging agentic communication systems: the need for recipients to determine the authorization type of the communicating party (a human-controlled credential or an AI provider instance) before or during interaction.¶
The Authorization Type Attestation (ATA) protocol defines a transport-layer extension that carries this authorization type using existing hardware roots of trust (Secure Enclaves, FIDO2, TPM, Confidential Computing) and PKI infrastructure.¶
ATA does not replace existing identity systems (mTLS, SPIFFE, OAuth 2.1, FIDO2). ATA does not verify content authorship or model behavior. ATA provides a mechanism to carry authorization type at the session layer, composably with TLS, QUIC, MLS, MCP, and A2A.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Modern communication protocols (TLS, DTLS, QUIC [RFC9000], MLS [RFC9420]) verify that data reached the correct endpoint securely. They do not indicate the authorization type of the communicating party at the session layer.¶
This produces four communication states lacking session-layer authorization type encoding:¶
| State | Direction | Current gap |
|---|---|---|
| H2H | human to human | No mutual authorization attestation |
| H2AI | human to AI | Human side: FIDO2; AI side: unattested |
| AI2H | AI to human | No session-layer standard exists |
| AI2AI | AI to AI | No attestation standard |
Existing authentication mechanisms (mTLS, OAuth 2.1, SPIFFE/SPIRE, signed agent cards) establish workload identity and permission scope. They do not indicate whether the authorizing party is a human principal or an AI provider instance. Current MCP and A2A authorization mechanisms do not specify hardware-level AI provider attestation.¶
We observe that emerging agentic systems across independent implementations require this signal. This document specifies a mechanism to address this class of problems.¶
This problem was previously theoretical. It becomes practical with the emergence of agentic systems capable of autonomously initiating real-time interactions at scale. MCP and A2A are early instances of a broader class of protocols that expose this gap operationally. This motivates documenting a transport-layer mechanism before incompatible deployments emerge.¶
Absence of ATA data indicates an unattested session and is not, by itself, evidence of fraud.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
ATA explicitly does not address the following:¶
ATA cryptographically guarantees:¶
ATA does NOT cryptographically guarantee:¶
ATA is applicable to a protocol when all three of the following conditions are satisfied simultaneously:¶
If any condition is not satisfied, existing standards (C2PA, DKIM, S/MIME, GPG) address the use case more appropriately. See Section 10 for explicit out-of-scope categories.¶
ATA is intended to address three threat classes:¶
An AI agent presents itself as a human in a real-time channel without cryptographic disclosure. Recipients cannot distinguish this without content analysis. ATA makes the authorization type available at session initiation, before content is received.¶
A human recipient engages with an AI agent without knowledge of its provider identity. No existing transport-layer standard requires cryptographic provider disclosure at session initiation. ATA provides this before content delivery.¶
An unaffiliated AI agent is injected into a multi-agent pipeline (MCP tool chain, A2A task delegation). Certificate issuer mismatch or UNSIGNED state is detectable at the point of injection without content analysis.¶
Both parties present SIGNED_HUMAN credentials. Certificate issuer identifies organizational affiliation. A party without organizational device infrastructure presents personal SIGNED_HUMAN or UNSIGNED; this distinction is available at session initiation without content analysis.¶
Applicable to: legally and financially significant communications requiring session-layer audit trail.¶
A human initiates a session with a service presenting SIGNED_AI. The human can verify the provider certificate against known issuers. Certificate issuer mismatch is detectable without content analysis.¶
Complements FIDO2 [FIDO-CTAP2]: ATA adds AI-side attestation where FIDO2 provides human-side attestation.¶
Applicable to: client-facing AI services operated by regulated institutions.¶
An AI agent initiates a session. SIGNED_AI provides the recipient with cryptographic evidence of the AI provider before content delivery. No existing transport-layer standard addresses this scenario. This is the primary gap ATA targets.¶
Scope boundary: ATA guarantees that an AI provider authorized the session initiation. It does not prevent a SIGNED_HUMAN party from relaying AI-generated content within an authorized session. Recipients requiring per-message content authorship guarantees should use C2PA [C2PA] in conjunction with ATA.¶
Non-normative regulatory note: EU AI Act Article 52 requires disclosure that content is AI-generated. ATA can provide technical evidence of AI provider authorization at session initiation. Per-message content disclosure requires additional mechanisms (C2PA) beyond ATA scope.¶
Applicable to: AI-operated services where the recipient needs to identify the authorizing party type before engaging. This case has fewer relay-related limitations in fully-automated AI2H scenarios where no human relay is present.¶
Multi-agent pipelines (MCP tool chains, A2A task delegation) produce a verifiable authorization chain across each hop. An agent without organizational certificate infrastructure produces certificate issuer mismatch or UNSIGNED at the point of entry, detectable without content analysis.¶
Applicable to: multi-agent workflows requiring accountability logging and forensic auditability.¶
Existing traffic continues to function. UNSIGNED is a defined state. Recipients determine their own policy.¶
MCP defines agent-to-tool communication over HTTPS. The MCP security specification documents that OAuth 2.1 and PKCE establish token integrity but do not prove which AI provider instance initiated the request at the hardware level. ATA addresses this as a TLS extension beneath MCP. No MCP protocol changes required. The ATA handshake completes before any MCP messages are exchanged.¶
A2A defines agent-to-agent communication over HTTPS. Signed agent cards (A2A v1.0) establish card content integrity. ATA adds hardware-bound provider attestation at the TLS session layer, complementing signed cards. No A2A protocol changes required.¶
An optional ATA field MAY be included in the A2A agent card to advertise ATA support. The authoritative attestation is the TLS-layer handshake.¶
MCP and A2A are current instances of a broader class. Any agentic protocol operating over TLS and satisfying Section 4 criteria can adopt ATA without changes to the agentic protocol itself.¶
ATA follows Control Plane / Data Plane separation:¶
[EDITOR NOTE: Detailed ATA Extension Payload structure, TLS 1.3 ClientHello/ServerHello extension integration, and formal KDF specification (proposed: HKDF-SHA256, consistent with [RFC8446]) to be provided in draft-01.]¶
Transport: QUIC or TLS 1.3 extension (port 443).¶
Human participant:¶
AI participant:¶
Result: Authorization type established; session key derived.¶
Transport: UDP / QUIC data plane.¶
Encryption: AES-GCM (AES-NI hardware acceleration).¶
Integrity: MAC with session key from Phase 1.¶
No additional per-packet round trip after session establishment.¶
A packet with invalid MAC MUST be silently dropped.¶
Email (SMTP/SMTPS), RSS/Atom, webhooks, and push notifications do not satisfy criterion (2). C2PA, DKIM, and S/MIME apply.¶
DNS, NTP, CDN delivery, and multicast do not satisfy criterion (1). DNSSEC and equivalent standards apply.¶
Code signing, package registries, and Git commits do not satisfy criterion (2) in the ATA sense. GPG and Authenticode apply.¶
ATA attestation_payload uses Entity Attestation Token (EAT) format [RFC9711], consistent with IETF RATS architecture [RFC9334].¶
Hardware-specific attestation evidence (Intel SGX, AMD SEV, ARM TrustZone, TPM) is expressed as EAT claims and verified by RATS Verifier services. Receiving parties verify the EAT token from a RATS Verifier rather than raw hardware evidence directly. This abstracts hardware vendor diversity from the ATA session layer and reuses existing RATS infrastructure.¶
[EDITOR NOTE: Specific EAT claim set and RATS Verifier interaction model to be specified in draft-01.]¶
ATA inherits the PKI trust model [RFC5280].¶
The protocol provides cryptographic proof of authorization type at the session layer. Trust in the authorizing party is a reputational and legal concern outside protocol scope, consistent with TLS [RFC8446] and FIDO2 [FIDO-CTAP2].¶
Certificate issuance follows existing CA/Browser Forum requirements. An AI provider endpoint certificate is issued to a verified organization on the same basis as a domain certificate. CA accountability for misissuance applies on the same basis as in existing PKI deployments.¶
Authorization type is encoded at the organizational level. An authorized session produces verifiable session metadata.¶
ATA verifies who authorized the channel. Content authorship verification is outside scope.¶
Internal model architecture, weights, and implementation details are outside attestation scope, consistent with TLS not attesting to server application behavior.¶
SIGNED_AI proves a hardware-bound provider endpoint. Provider trustworthiness is a reputational concern outside protocol scope.¶
Physical security of attesting devices is a precondition for all hardware attestation schemes. Outside protocol scope, consistent with FIDO2.¶
A SIGNED_HUMAN party may relay AI-generated content within an authorized session. The protocol records the human as the accountable authorizing party per Section 14. This is an intentional design boundary: the protocol establishes accountability at the session layer, not content authorship at the application layer. Continuous liveness attestation (periodic re-attestation within the data stream) is a proposed optional extension that raises the operational cost of sustained relay by requiring continuous physical presence at the attesting device. Specification deferred to a future draft.¶
Corporate firewalls and DPI proxies may drop connections with unknown TLS extension types on port 443. ATA defines three operational modes to address deployment constraints:¶
GREASE-style extension probing and automatic fallback negotiation between Mode A and Mode B to be specified in draft-01.¶
EAT payloads may be several kilobytes when including certificate chains and attestation evidence. Large ClientHello extensions risk MTU fragmentation in QUIC Initial packets and additional RTT in TLS due to Initial Congestion Window constraints.¶
Mitigations under consideration for draft-01:¶
EAT payloads additionally reveal organizational affiliation and infrastructure metadata. Depending on deployment mode, these identifiers are visible to the peer and may be visible to passive observers when not protected by ECH or an equivalent confidentiality mechanism. The protocol is intended to provide session accountability metadata, not per-message author identity or continuous presence tracking. Privacy-preserving options (selective disclosure, zero-knowledge proofs) to be explored in future drafts. The IETF Privacy Considerations guidelines [RFC6973] apply.¶
Outside protocol scope per Section 14.¶
AI provider endpoint attestation requires a registry of valid provider certificates. Certificate Transparency-style logging [RFC9162] is one possible mitigation. Governance model to be defined in working group.¶
URI scheme registrations to be requested upon working group formation and reference implementation availability. IANA assignment is a standardization milestone, not a prerequisite for experimental implementation.¶
No known conflicts with the existing IANA URI scheme registry as of the date of this document.¶