Internet-Draft Agent Protocol Dimensions July 2026
Foroughi Expires 7 January 2027 [Page]
Workgroup:
Individual Submission
Internet-Draft:
draft-foroughi-agent-protocol-dimensions-00
Published:
Intended Status:
Informational
Expires:
Author:
P. Foroughi
Nokia

A Dimensional Model for Characterizing AI Agent Protocol Proposals and Their Substrates

Abstract

Discussions about agent protocols are frequently muddied by overloaded terms; asks such as "we need a session protocol" or "we need cross-domain support" bundle several distinct concerns across transport, agent protocol, and orchestration layers. This document offers a dimensional model that routes each concern to its proper layer.

The document defines a small set of protocol-visible dimensions for characterizing AI agent protocol interactions and applies them to representative agentic protocol proposals (A2A, MCP, and the ACP invocation surface of the AGNTCY stack) alongside their substrate bindings, making explicit which dimensions each proposal owns at the protocol layer and which it inherits from its substrate. The document does not rank proposals and does not prescribe an architecture. It is standalone: it neither depends on nor prescribes any use-case or requirements document.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

1.1. Scope

Discussions about agent protocols are frequently muddied by overloaded terms. A single ask -- "we need a session protocol" or "we need cross-domain support" -- typically bundles several distinct concerns spread across transport, agent protocol, and orchestration layers, and the conversation loses precision fast. This document offers a dimensional model that routes such statements to their proper layer: which piece is a concrete agent-protocol choice, which piece is substrate, and which piece belongs to broader-scope work outside the model.

The model has three outputs:

  • A small set of protocol-visible dimensions with fixed value domains, independently characterizable at the exchange level, sufficient to describe an agent protocol exchange (Section 5).

  • A comparison table placing representative agentic protocol proposals (A2A, MCP, and the ACP invocation surface of the AGNTCY stack) in the dimensional space, together with the substrates they bind to (Section 6).

  • A statement of what the model enables analytically (Section 7).

1.2. Non-goals

  • This document does not rank protocol proposals. Different proposals occupy different regions of the dimensional space and may serve complementary purposes at the exchange level.

  • This document does not define a new agent protocol or wire format.

  • This document does not define an architectural framework.

  • This document does not enumerate use cases and does not derive requirements. The dimensional model is independent of any specific use-case corpus; the comparison table in Section 6 is offered as a starting point that the authors and the community will iterate on. Similarly, the set of proposals covered in the comparison table may be expanded in subsequent revisions.

1.3. Standalone character

This document does not depend on and does not prescribe any use-case document, requirements document, or architectural framework. Where a dimensional value or extension is illustrated with an example of practical use, the example is included for orientation only, not as a normative reference.

2. Terminology

The following terms are used with these meanings:

Dimension:

A protocol-visible property of an agent-protocol exchange, with a small fixed value domain.

Extension:

A named protocol augmentation that does not warrant a new dimension value but does introduce distinct protocol primitives.

Substrate:

The layer below the agent protocol from which specific properties of the exchange are inherited. Substrate facets include transport, identity and authorization carriage, discovery, audit format, and security channel.

Agentic protocol proposal:

A body of protocol work, standardized or proposed, whose primary subject is agent-to-agent or agent-to-tool interaction. A2A, MCP, and the ACP invocation surface of the AGNTCY stack are examples used throughout this document.

Layer boundary contract:

The narrow interface exposed between two adjacent layers, comprising only the artifacts and signals each layer exposes to the other.

Exchange:

A single agent-protocol interaction between two endpoints, from initiation through completion or termination. The dimensions of Section 5 are properties of an exchange.

Association:

A transport-level connection or session between two endpoints within which one or more messages of an exchange are conveyed. In current practice, an association is opened by the caller.

Substrate profile:

A specification that binds an agent protocol to a substrate mechanism by constraining which of the substrate's features and parameters are used, and how agent-protocol semantics map onto substrate constructs.

3. Layered View

Each dimension in this document is a property of an agent-protocol exchange. Not all dimensions are satisfied by the agent protocol itself; several are sourced from adjacent substrate layers. Figure 1 shows the three layers of interest and, within each, the substrates the layer consumes.

+===================================================================+
|                    ORCHESTRATION / CONTROL LAYER                  |
|                       (above agent protocol)                      |
|                                                                   |
|   holds: workflow composition, cross-domain admission,            |
|          delegation lineage across trust domains, persistent      |
|          user/session memory                                      |
|                                                                   |
|   substrates it consumes:                                         |
|     - schedulers / workflow engines                               |
|     - orchestrator frameworks                                     |
|     - broker subscriptions                                        |
+==================================^================================+
                                   |
           layer boundary contract | (task/session requests,
                                   |  bounded work delegations)
                                   v
+===================================================================+
|                     AGENT PROTOCOL LAYER                          |
|                    (A2A, MCP, ACP, ...)                           |
|                                                                   |
|   holds: bounded tasks, capability advertisement, delegated       |
|          authorization carriage, referenceable artifacts,         |
|          within-association server-initiated messages, bounded-   |
|          task re-attach, audit records                            |
|                                                                   |
|   substrates it consumes:                                         |
|     identity:      OAuth 2.0 / 2.1, WIMSE, chainable capabilities |
|     discovery:     Well-Known URI, Agent Directory + OASF         |
|     transport:     HTTP/1.1, HTTP/2, HTTP/3, SSE, WebSocket, SLIM |
|     content ref:   HTTP GET + signed URLs                         |
|     audit format:  CloudEvents                                    |
+==================================^================================+
                                   |
           layer boundary contract | (bytes on the wire, connection
                                   |  lifecycle, integrity, identity
                                   |  material, delivery guarantees)
                                   v
+===================================================================+
|                        SUBSTRATE LAYER                            |
|                    (below agent protocol)                         |
|                                                                   |
|   holds: connection lifecycle, encryption, delivery semantics,    |
|          workload identity attestation, name resolution,          |
|          broker durability                                        |
|                                                                   |
|   substrates and standards:                                       |
|     transport:    TCP, UDP, QUIC                                  |
|     security:     TLS 1.3, mTLS                                   |
|     naming:       DNS, DNS-SD, DIDs                               |
|     broker:       AMQP, Kafka, MQTT                               |
|     identity fed: OIDC federations, X.509 chains                  |
+===================================================================+
Figure 1: Three layers of interest for exchange-level analysis of agentic protocol interactions. Substrates are shown inside the layer that consumes them.

Figure 1 is not intended as an exhaustive account of layers that may exist in agent systems; other layers not shown may hold concerns whose scope is neither a single exchange nor a substrate facet. Concerns that do not cross a depicted layer boundary do not affect the adjacent depicted layer.

4. The Protocol's Substrate

Several of the dimensions in Section 5 have values that are not defined by the agent protocol itself but are inherited from the layers to which the agent protocol binds. Collectively these adjacent layers are referred to as the protocol's substrate. Substrate facets relevant to the dimensional model include:

Where an existing standard provides the needed substrate behaviour in a given facet, the path forward is binding specification or profile, not protocol invention. Where none does, the gap is named where relevant.

5. Dimensions

The model identifies seven dimensions. Each dimension is defined over a small value domain. An agent protocol exchange is described by selecting one value from each dimension, together with zero or more extensions (Section 8) and an optional deployment-context modifier (Section 9). Additional dimensions were considered and set aside; these are recorded in Section 11 to make the boundary of the adopted model explicit.

5.1. Dimension 1 (D1): Message Origination Within an Association

In current practice, the transport-level association between two agent endpoints is opened by the caller in essentially all agentic protocol proposals. This dimension does not capture who opens the association; rather, it captures whether the callee is permitted to originate messages within an already-open association, without waiting for a fresh caller request.

Values:

  • none: the callee may only produce messages in response to a caller message. The interaction is strict request-response.

  • within-association: the callee may originate messages to the caller after the association is established, supporting streamed intermediate results, notifications, and pause-or-resume signalling.

Contemporary agentic protocol proposals uniformly expose within-association origination as a first-class primitive (for example, streamed task updates and server-sent notifications). Where an agentic protocol proposal declines to expose this and restricts itself to strict request-response, the value is none.

The mechanism by which within-association callee origination is realized -- SSE, WebSocket, HTTP/2 server push, HTTP/3 server-initiated streams, stdio bidirectionality -- is a substrate choice. The decision to expose within-association callee origination as a semantic primitive of the protocol (for example, named notification messages or streamed status events with defined semantics) is a protocol-layer choice.

5.2. Dimension 2 (D2): Output Cadence

The temporal shape of a task's output. Values:

  • atomic: a single request yields a single response.

  • streamed: a single request yields a sequence of partial outputs over time.

Contemporary agent-to-agent interfaces default to streamed. Atomic is the degenerate substrate-layer case (for example, a simple tool call) and is retained here for completeness.

5.3. Dimension 3 (D3): Lifecycle Control

Whether and how a task may pause or persist beyond a single association. Values:

  • none: the task runs to completion within the originating exchange without pause or reattachment.

  • suspend-resume: the task may pause awaiting an out-of-band input (such as an authorization decision) and resume.

  • durable-reattach: the task survives transport interruption and may be reattached using a persistent task identifier.

Interactions with an approval or human-in-the-loop step exercise suspend-resume. Interactions whose task outlives the transport association exercise durable-reattach; an alternative realization maintains state at the application layer with repeated independent exchanges, in which case D3 is none and the multi-round structure is invisible at the protocol layer.

5.4. Dimension 4 (D4): Authorization Derivation

The source of the authority under which an agent acts. Values:

  • direct: the agent acts under authority granted directly to it by the request originator.

  • derived-1hop: the agent acts under authority derived from a single prior authorization, with verifiable derivation and scope narrowing.

  • derived-chain: the agent acts under authority derived through two or more derivation steps, each cryptographically verifiable and progressively narrowed back to the originator.

  • local-policy: the agent acts under its own standing authority granted by its operator, applying local rules upon authentication of the requester.

Tool-using agents typically exercise derived-1hop. Multi-hop delegation across administrative boundaries exercises derived-chain. A mediator receiving an inbound request and issuing an outbound request on the caller's behalf may either preserve the originator's authorization chain to the downstream target (yielding a derived-* value on the outbound leg) or terminate the chain at the mediator and present its own credentials downstream (yielding local-policy). The two options have materially different audit, trust, and compromise-blast-radius implications. This document does not prescribe a choice: the model records which value each proposal or deployment realizes, and treats the reasoning behind the choice as broader-scope.

The value derived-chain describes the credential form carried at a single crossing. It does not by itself model lineage continuity across the delegation chain, cumulative behavior across hops, or revocation propagation with bounded freshness. Those properties have a scope broader than a single exchange and are therefore outside the scope of this model.

5.5. Dimension 5 (D5): Endpoint Binding

How the calling party comes to know the addressable identifier of its counterpart. Values:

  • pre-bound: the endpoint is known to the caller before the exchange begins, by configuration or out-of-band agreement.

  • registry-resolved: the caller queries a third-party registry at runtime to obtain the endpoint and its advertised capabilities.

Most current agentic-protocol deployments proceed pre-bound, with per-agent capability self-description published at a Well-Known URI. Federated agent directories exercise registry-resolved. Mediator patterns may internalize the discovery step, performing registry-resolved dispatch on behalf of pre-bound callers.

5.6. Dimension 6 (D6): State Locality

Where the state required to continue a task across messages is maintained. Values:

  • caller-held: the caller carries the necessary context on each message; the callee is stateless across messages.

  • callee-held: the callee maintains task state keyed by an identifier; the caller references the state by that identifier.

Current agentic protocols implicitly assume callee-held, which combines naturally with D3 durable-reattach. REST-style and tool-call-oriented protocols realize the caller-held alternative; D6 admits both values.

5.7. Dimension 7 (D7): Result Addressability

How the output of a task is exposed. Values:

  • inline-only: the result is contained in the response.

  • referenceable-artifact: the result is produced as a named artifact with an identifier; the artifact can be fetched, shared with a third party, or referenced in subsequent calls, and may outlive the producing task.

Contemporary agentic interfaces default to inline-only. Consensus outcomes, long-running artifacts, and structured audit records are natural candidates for referenceable-artifact semantics.

In this document, the term "artifact" in the value name referenceable-artifact refers to the addressability of a task result at the agent protocol layer. It is used in a distinct sense from any use of "artifact" as a control-plane carriage object in adjacent work.

6. Applying the Model to Representative Agentic Protocol Proposals

This section applies the dimensional model to representative agentic protocol proposals. The purpose is descriptive, not evaluative: to show which dimensional values are realized at the agent-protocol layer and which capabilities are inherited from substrate.

Dimension cells use only values from the corresponding dimension. Parenthesized text identifies a specific realization.

supports X and Y:

The proposal explicitly supports more than one valid dimensional value.

not specified:

The proposal does not commit to a value for that dimension at the agent-protocol layer. The function may be provided by deployment policy or by an underlying substrate.

unclear:

The available specification text does not allow the authors to determine the value with confidence.

n/a:

The dimension is not applicable because the proposal does not define the relevant agent-protocol-layer exchange.

The mapping in this revision is a starting point and is expected to evolve with community feedback.

The dimensional signature per proposal is given in Table 1. The substrate bindings per proposal are given in Table 2.

Table 1: Dimensional signature per proposal.
Dimension A2A MCP ACP (AGNTCY) [note 1]
D1 Message origination within-association within-association within-association
D2 Output cadence streamed streamed streamed
D3 Lifecycle control supports suspend-resume and durable-reattach (input-required state; tasks/resubscribe on taskId) none (session-scoped; no task-level pause or reattach) supports none and suspend-resume (stateless runs; thread runs with interrupt semantics)
D4 Authorization derivation not specified (deployment defines via AgentCard authentication) not specified (OAuth 2.1 profile evolving) not specified by ACP
D5 Endpoint binding pre-bound (Agent Card at Well-Known URI) pre-bound (out-of-band configuration) registry-resolved (Agent Directory + OASF)
D6 State locality callee-held (taskId) callee-held (sessionId) callee-held (thread_id, run_id)
D7 Result addressability supports inline-only and referenceable-artifact (Artifact objects) inline-only inline-only
Table 2: Substrate bindings per proposal.
Proposal Transport substrate Identity substrate Discovery substrate
A2A HTTP with SSE or Streamable HTTP; SLIM available as alternative OAuth 2.1 with resource indicators Well-Known URI (Agent Card)
MCP stdio; HTTP with SSE or Streamable HTTP; SLIM available as alternative OAuth 2.1 (profile evolving) not specified (out-of-band)
ACP (AGNTCY) HTTP; SLIM available as alternative (draft-mpsb-agntcy-slim) pluggable (AGNTCY Identity: verifiable credentials, agent badges) Agent Directory Service (OASF records)

Note 1: The AGNTCY collective publishes a stack of components including the Agent Connect Protocol (ACP) as the agent-protocol-layer invocation surface, Agent Directory Service (federated discovery), OASF (Open Agentic Schema Framework, the data model behind agent descriptors), SLIM (Secure Low-Latency Interactive Messaging, a substrate-layer secure messaging protocol also submitted as an IETF individual Internet-Draft draft-mpsb-agntcy-slim), and Identity (verifiable credentials and agent badges). This row characterizes the ACP invocation surface at the agent-protocol layer together with the substrate components (Agent Directory + OASF for discovery, SLIM for transport, Identity for identity carriage) that constitute the rest of the stack. The ACP repository was archived by its maintainers on 11 April 2026, pending a successor invocation specification; the other components of the AGNTCY stack remain active. SLIM is explicitly positioned by its authors as a substrate available to A2A, MCP, and other agent protocols as well.

The substrate columns anchor the layered view of Section 3. Convergence in a substrate column indicates a substrate-binding question rather than a primary protocol-design question. Divergence indicates a candidate area for coordination or profiling.

7. What the Model Enables

8. Extensions

An extension augments the baseline dimensional tuple with primitives the baseline does not require. Extensions are used when an additional behaviour does not warrant a new dimension value but does require a named protocol augmentation.

9. Deployment-Context Modifier: Cross-Domain Operation

Cross-administrative-domain deployment is not modelled as a dimension. It interacts with the exchange-level dimensions of this model in two distinct ways.

First, cross-domain deployment tightens the practical value sets on existing exchange-level dimensions:

The substrate options for globally meaningful identity (verifiable identifier formats, federated identity providers, publicly anchored certificate chains) are a binding question rather than a dimensional value.

Second, cross-domain deployment surfaces concerns whose scope is not a single exchange and which are therefore not captured by any exchange-level dimension. Examples include cumulative behavioral bounds accumulated across a delegation chain, source-asserted constraints carried with data across subsequent crossings, and revocation or invalidation freshness applied consistently across artifacts of different lifetimes. These concerns are neither properties of the substrate below nor properties of a single exchange at the agent protocol layer; they are properties of the delegation lineage as a whole. This model does not define these concerns, does not exclude them, and does not assign them to any specific layer.

10. Recognizable Patterns

For orientation, several combinations of dimensional values correspond to patterns that readers may already recognise. The following are illustrative, not exhaustive:

11. Dimensions Considered but Not Adopted

During the construction of this model, additional candidate dimensions were considered and set aside. They are recorded here so that the boundaries of the adopted model are explicit and so that future revisions can revisit them if new evidence motivates doing so.

12. Open Questions

The following questions are surfaced by the model but are not resolved by this document. They are recorded here so that reviewers and subsequent revisions can address them explicitly. This document does not attempt to answer them; it treats them as inputs to future revisions, to companion documents, or to community discussion.

13. Security Considerations

To be completed in future revisions of this document.

14. IANA Considerations

This document has no IANA actions.

Acknowledgements

The author thanks colleagues at Nokia and the wider agent-protocol community for early discussions that shaped this model.

Author's Address

Parisa Foroughi
Nokia