Network Working Group B. Morrison Internet-Draft Alter Meridian Pty Ltd Intended status: Informational April 2026 Expires: 13 October 2026 Identity-Attributed Git Commits via Tier-Structured Trailers draft-morrison-identity-attributed-commits-00 Abstract This document defines a git commit trailer grammar for identity- attributed contributions using the ~handle identity primitive defined in [MCPDNS]. The grammar binds sovereign actors, automated bots, and AI instruments to specific commits via three tier-structured trailers (Acted-By, Executed-By, Drafted-With) and three optional cryptographic trailers (Identity-Signature, Identity-Key-Id, Identity-Anchor). The signature is computed with Ed25519 over the commit's tree hash rather than its commit hash, preserving attribution across rebase, cherry-pick, and squash merge operations. Conformant parsers reject cross-tier category errors (e.g., an Instrument-tier handle in an Acted-By slot) as malformed. The mechanism is provider-neutral, depends only on DNS [RFC1035] and the ~handle resolution algorithm of [MCPDNS], and requires no central authority or platform-specific verification service. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 3 October 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. Morrison Expires 13 October 2026 [Page 1] Internet-Draft Identity-Attributed Commits April 2026 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Status of This Memo . . . . . . . . . . . . . . . . . . . . . 3 2. Copyright Notice . . . . . . . . . . . . . . . . . . . . . . 3 3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 3 3.2. Design Goals . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Requirements Language . . . . . . . . . . . . . . . . . . 6 4.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 6 5. Identity Tier Taxonomy (Informative Reference) . . . . . . . 7 6. Trailer Grammar (Normative) . . . . . . . . . . . . . . . . . 7 6.1. ABNF . . . . . . . . . . . . . . . . . . . . . . . . . . 7 6.2. Placement . . . . . . . . . . . . . . . . . . . . . . . . 8 6.3. Ordering . . . . . . . . . . . . . . . . . . . . . . . . 8 6.4. Multiplicity Rules . . . . . . . . . . . . . . . . . . . 9 7. Signature Algorithm (Normative) . . . . . . . . . . . . . . . 10 7.1. Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 10 7.2. Signed Payload . . . . . . . . . . . . . . . . . . . . . 10 7.3. Rationale for Tree-Hash Signing . . . . . . . . . . . . . 10 7.4. Signature Format . . . . . . . . . . . . . . . . . . . . 11 7.5. Key Derivation and Rotation . . . . . . . . . . . . . . . 11 8. DNS Resolution (Normative Reference) . . . . . . . . . . . . 11 8.1. Sovereign Key Resolution . . . . . . . . . . . . . . . . 12 8.2. Instrument Metadata Resolution . . . . . . . . . . . . . 12 9. Verifier Behaviour (Normative) . . . . . . . . . . . . . . . 12 10. Security Considerations . . . . . . . . . . . . . . . . . . . 13 10.1. Sovereign Key Compromise . . . . . . . . . . . . . . . . 13 10.2. Instrument Handle Spoofing . . . . . . . . . . . . . . . 14 10.3. DNS Poisoning . . . . . . . . . . . . . . . . . . . . . 14 10.4. Tree-Hash Collision . . . . . . . . . . . . . . . . . . 14 10.5. Squash-Merge Trailer Aggregation Race . . . . . . . . . 15 10.6. Key Custody at the Commit-Signing Boundary . . . . . . . 15 10.7. Negative-Attribution Risk . . . . . . . . . . . . . . . 15 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 11.1. Git Trailer Name Registration . . . . . . . . . . . . . 15 11.2. URI Scheme Dependencies . . . . . . . . . . . . . . . . 16 11.3. No Other IANA Actions . . . . . . . . . . . . . . . . . 16 Morrison Expires 13 October 2026 [Page 2] Internet-Draft Identity-Attributed Commits April 2026 12. Relationship to Existing Standards . . . . . . . . . . . . . 16 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 14.1. Normative References . . . . . . . . . . . . . . . . . . 18 14.2. Informative References . . . . . . . . . . . . . . . . . 18 15. Author's Address . . . . . . . . . . . . . . . . . . . . . . 19 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 16.1. Normative References . . . . . . . . . . . . . . . . . . 19 16.2. Informative References . . . . . . . . . . . . . . . . . 20 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 21 1. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 9, 2026. 2. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. 3. Introduction 3.1. Problem Statement Modern source-control workflows produce commits whose authorship is shared between human contributors, automated bots, and AI instruments operating under varying degrees of delegation. The prevailing mechanisms for attaching identity to a commit are fragmented and individually inadequate for this mixed reality: Morrison Expires 13 October 2026 [Page 3] Internet-Draft Identity-Attributed Commits April 2026 * *Git Signed-off-by [DCO].* A legal attestation of contribution rights under the Developer Certificate of Origin. It carries no cryptographic identity proof, no tier distinction, and no resolution to a verifiable key. A Signed-off-by: line is whatever the committer types. * *Git commit signing (git commit -S).* Cryptographically binding, but the key model is provider-locked: GPG keys uploaded to GitHub, SSH keys uploaded to GitLab, with each platform maintaining its own key directory. There is no DNS-resolved key path and no canonical identity-to-key mapping. * *Sigstore / gitsign [GITSIGN].* A keyless signing path using short-lived certificates issued from OIDC identity tokens and recorded in the Rekor transparency log. The cryptography is sound, but the identity layer is bound to the operator of the OIDC provider. Migrating between providers re-roots identity. No tier structure exists for non-sovereign signers. * *Anthropic's Co-Authored-By: Claude convention [ANTHROPIC-COAUTHOR].* An informal text convention for AI attribution. It is unverifiable, ungrammatical with respect to the underlying identity layer (the model is not a co-author in the sovereign sense), and offers no resolution path. Any committer can paste any string. None of the above provides a provider-neutral, DNS-resolvable, tier- structured identity binding for the human/bot/AI contribution mix that has become typical of agent-augmented codebases. 3.2. Design Goals This document defines a trailer grammar with the following goals: 1. *Provider-neutral.* No dependency on any specific identity provider, certificate authority, or transparency log operator. 2. *DNS-resolvable.* Public key material is reached via the ~handle resolution algorithm of [MCPDNS], which itself resolves to a DNS TXT record under the handle's policy zone. 3. *Tier-structured.* Three distinct trailer slots correspond to three distinct identity tiers: Sovereign (humans and organisations with cryptographic agency), Bot (autonomous agents under scoped delegation), and Instrument (AI models and tool classes that lack keys). Each slot accepts only handles from its corresponding tier. Morrison Expires 13 October 2026 [Page 4] Internet-Draft Identity-Attributed Commits April 2026 4. *Cryptographically verifiable at the sovereign layer.* Sovereign attribution is bound by an Ed25519 signature whose public key is reachable from DNS without prior trust establishment. 5. *Category-safe against misattribution.* Conformant parsers reject cross-tier handle placement (e.g., an Instrument handle in an Acted-By slot) as a structural grammar violation, not a policy decision. Misattribution is detected at parse time. 3.3. Scope This document specifies: * The trailer grammar in ABNF [RFC5234]. * Multiplicity, placement, and ordering rules. * The Ed25519 signature algorithm over the commit's tree hash. * Verifier behaviour for accepting, rejecting, and surfacing attribution states. * Security considerations specific to the trailer mechanism. This document does NOT specify: * The ~handle identity primitive itself. This is defined by [MCPDNS] and incorporated here by reference. * The full normative tier taxonomy. This is maintained as an internal ALTER doctrine in [ALTER-DID8]. Section 3 of this document restates the taxonomy briefly so the spec is standalone- readable. * Sovereign key custody, derivation, and recovery. These are addressed by [ALTER-KEY-CUSTODY]. * The IdentityLog transparency-log mechanism backing the optional Identity-Anchor trailer. A future document will define it. 4. Terminology Morrison Expires 13 October 2026 [Page 5] Internet-Draft Identity-Attributed Commits April 2026 4.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 [RFC8174] when, and only when, they appear in all capitals, as shown here. 4.2. Definitions Handle A ~-prefixed identifier per [MCPDNS]. Handles are the unit of identity addressing in this document. Resolution proceeds by extracting the policy zone from the handle and querying the zone's _alter underscore-prefixed TXT record. Sovereign Tier Handle A handle representing a human individual or formal organisation with direct cryptographic agency. Holds its own private key. Can sign. Examples: ~blake, ~truealter.com, ~anthropic.com. Bot Tier Handle A handle representing an autonomous agent acting under scoped delegation from a sovereign. Holds a scoped key whose authority is bounded by the sovereign's published delegation policy. Can counter-sign within the delegation envelope. Examples: ~dependabot.bot, ~github.merge.bot. Instrument Tier Handle A handle representing an AI model, API endpoint, or tool class. Does NOT hold cryptographic keys. Cannot sign. Exists as a DNS-resolvable descriptive label only, suitable for attaching provenance metadata to a contribution without making any identity claim that requires cryptographic backing. Examples: ~cc-opus-4.6, ~gpt-5-turbo, ~gemini-ultra-2. Tree Hash The SHA-1 (or SHA-256 in git's newer object format) hash of a git tree object, as produced by git write-tree against the staged index, or equivalently by git cat-file -p ^{tree} on an existing commit. The tree hash is a function of the committed content and is invariant under operations that preserve the tree (e.g., rebase, cherry-pick, squash merge into an empty parent). Tier-Slot Grammar The constraint that a given trailer name accepts handles only from its corresponding tier. Cross-tier placement is a grammatical error, not a policy violation. Conformant Verifier A consumer of commit trailers that implements the parsing, rejection, and signature-verification rules defined in Section 7. Morrison Expires 13 October 2026 [Page 6] Internet-Draft Identity-Attributed Commits April 2026 5. Identity Tier Taxonomy (Informative Reference) The trailer grammar in Section 4 partitions handles into three tiers. The normative reference for the tier taxonomy is the internal ALTER doctrine [ALTER-DID8]. This section restates the taxonomy briefly so this document is standalone-readable. +============+===============+===============+===================+ | Tier | Cryptographic | Trailer Slot | Examples | | | Agency | | | +============+===============+===============+===================+ | Sovereign | Holds own | Acted-By: | ~blake, | | | key, signs | | ~truealter.com, | | | | | ~anthropic.com | +------------+---------------+---------------+-------------------+ | Bot | Scoped | Executed-By: | ~dependabot.bot, | | | delegated key | | ~github.merge.bot | +------------+---------------+---------------+-------------------+ | Instrument | No key, no | Drafted-With: | ~cc-opus-4.6, | | | signature | | ~gpt-5-turbo, | | | | | ~gemini-ultra-2 | +------------+---------------+---------------+-------------------+ Table 1 The tier of a given handle is determined by DNS metadata published under its _alter TXT record per [MCPDNS]. Implementations MAY treat the tier assignments above as authoritative when they correspond to DNS-published tiers; implementations MUST NOT promote or demote a handle's tier without re-resolving DNS. The key invariant is that Instrument-tier handles cannot make attestational claims. An Drafted-With: trailer is informational provenance metadata, not a verifiable identity binding. 6. Trailer Grammar (Normative) 6.1. ABNF The following ABNF [RFC5234] defines the syntax of each trailer. Implementations MUST accept exactly this grammar. Morrison Expires 13 October 2026 [Page 7] Internet-Draft Identity-Attributed Commits April 2026 ``` acted-by-trailer = "Acted-By:" SP sovereign-handle CRLF executed- by-trailer = "Executed-By:" SP bot-handle CRLF drafted-with-trailer = "Drafted-With:" SP instrument-handle CRLF identity-signature = "Identity-Signature:" SP "ed25519:" base64url-signature CRLF identity-key-id = "Identity-Key-Id:" SP did-alter-uri CRLF identity- anchor = "Identity-Anchor:" SP "identitylog://" timestamp "Z/sth/" seq "#" commit-id CRLF sovereign-handle = "~" handle-label bot-handle = "~" handle-label ".bot" instrument-handle = "~" handle-label ; tier determined by DNS resolution per [MCPDNS] handle-label = 1_63( ALPHA / DIGIT / "-" / "_" / "." ) did-alter-uri = "did:alter:" sovereign-handle "#" key-id key-id = 1_64( ALPHA / DIGIT / "-" / "_" ) base64url-signature = 86( base64url-char ) "==" ; 64-byte Ed25519 signature, base64url-encoded base64url-char = ALPHA / DIGIT / "-" / "_" timestamp = date-fullyear "-" date-month "-" date- mday "T" time-hour ":" time-minute ":" time-second seq = 1*DIGIT commit-id = 40HEXDIG / 64HEXDIG ; SHA-1 or SHA-256 commit identifier ``` The terminals ALPHA, DIGIT, HEXDIG, SP, and CRLF are imported from [RFC5234]. The bot-handle rule requires the .bot suffix, which makes the tier syntactically distinguishable for Bot trailers. Sovereign and Instrument handles share the same surface syntax; their tier distinction is enforced by DNS resolution per [MCPDNS] and by verifier-side rejection of cross-slot placement (Section 7). 6.2. Placement Trailers MUST appear in the commit message footer block per the git trailer convention [GIT-TRAILERS]. The footer block is separated from the commit message body by exactly one blank line. Each trailer occupies one line of the footer block in the form Key: Value. A commit message that places trailers anywhere other than the footer block (e.g., interleaved with body paragraphs) is malformed under this specification. Conformant verifiers MUST refuse to parse trailers from outside the footer block. 6.3. Ordering Trailers SHOULD appear in the following canonical order: 1. Acted-By: Morrison Expires 13 October 2026 [Page 8] Internet-Draft Identity-Attributed Commits April 2026 2. Executed-By: 3. Drafted-With: 4. Identity-Signature: 5. Identity-Key-Id: 6. Identity-Anchor: Verifiers MUST accept trailers in any order, but emitters SHOULD follow the canonical order to support diff-based review. The canonical order is also the order most natural for a human reader: sovereign first, then delegate, then instruments, then proofs. 6.4. Multiplicity Rules The following multiplicity constraints apply to a single commit: * *Acted-By:* - Exactly one trailer per signed commit. A squash- merged commit MAY contain multiple Acted-By: trailers aggregating the contributor handles of the squashed commits; this is the only case in which multiple Acted-By: trailers are permitted. Verifiers MUST treat each aggregated Acted-By: as a separate sovereign attribution that requires its own signature pair if cryptographic verification is desired. * *Executed-By:* - At most one trailer per commit. A commit is executed by at most one bot in a single delegation context. * *Drafted-With:* - Zero or more trailers per commit. Multi- instrument drafting (e.g., a commit drafted partly with ~cc-opus- 4.6 and partly with ~gpt-5-turbo) is permitted and expected. Multiple Drafted-With: trailers on a single commit form an unordered set; order of appearance is not semantically significant and verifiers MUST NOT attribute differential authority to earlier-appearing entries. * *Identity-Signature: and Identity-Key-Id:* - These two trailers MUST appear together or not at all. An Identity-Signature: without an Identity-Key-Id: is malformed, and vice versa. When present, they bind to the most recent preceding Acted-By: trailer in the trailer block. Morrison Expires 13 October 2026 [Page 9] Internet-Draft Identity-Attributed Commits April 2026 * *Identity-Anchor:* - OPTIONAL in this version of the specification. Implementations targeting Rung-3-compliant attribution (transparency-log-anchored) MUST emit it; all other implementations MAY omit it. Future revisions of this document may upgrade the requirement. 7. Signature Algorithm (Normative) 7.1. Algorithm The signature algorithm is Ed25519 [RFC8032], which uses SHA-512 internally and produces a 64-byte signature over an arbitrary input message. Implementations MUST use Ed25519 and MUST NOT use Ed25519ph or Ed25519ctx variants. 7.2. Signed Payload The signed payload is the raw byte representation of the commit's tree hash: * For repositories using SHA-1 git objects, the payload is the 20-byte SHA-1 tree hash. * For repositories using SHA-256 git objects, the payload is the 32-byte SHA-256 tree hash. The tree hash is obtained by git write-tree at signing time (operating on the staged index) or equivalently by git cat-file -p ^{tree} on an existing commit. The hash is signed in its raw binary form, not as a hex-encoded string. 7.3. Rationale for Tree-Hash Signing The decision to sign the tree hash rather than the commit hash is load-bearing for the operational viability of the scheme. A commit hash is a function of the commit's tree, its parent commits, its author, its committer, its timestamps, and its message - including, recursively, any trailers in the message. Signing the commit hash directly creates a chicken-and-egg problem (the trailer would be part of the input to its own signature) and, more fundamentally, invalidates the signature on any history-rewriting operation: rebase, cherry-pick, squash merge, amend, and filter- branch all change the commit hash while preserving the tree. A tree hash is a function of the committed content alone. It is stable across rebase, cherry-pick, and squash merge into an empty parent (the squash result has the same tree as the union of the input Morrison Expires 13 October 2026 [Page 10] Internet-Draft Identity-Attributed Commits April 2026 trees if no conflicts arose). Signing the tree hash preserves attribution across the full range of git workflows that modern teams depend on, at the cost of being unable to distinguish between two commits with the same tree but different histories. This trade-off is acceptable: git's own merkle structure ensures content integrity, the parent chain is independently auditable through git itself, and the cases in which two distinct commits share a tree are precisely the cases in which attribution should be preserved (a clean rebase is the same content by the same author). Where stronger anchoring is required, the optional Identity-Anchor: trailer binds the signature to a specific commit-id within a transparency log entry, recovering commit-level identity at the cost of an external dependency. 7.4. Signature Format The signature is encoded for placement in the trailer as: ed25519: The base64url encoding follows [RFC4648] Section 5 (URL- and filename-safe alphabet) without line breaks. A 64-byte Ed25519 signature encodes to 86 base64url characters plus two = padding characters, for a total of 88 characters in the trailer value following the ed25519: prefix. 7.5. Key Derivation and Rotation Sovereign keys are derived out-of-band; their public components are published under the sovereign's _alter DNS record per [MCPDNS]. Key derivation, custody, and recovery procedures are out of scope for this document. This document treats the sovereign key as a pre- existing Ed25519 keypair whose public component is reachable via the DNS-resolved path of Section 6.1. Key rotation is supported by the Identity-Key-Id: trailer, which identifies which key was used to sign a given commit. A sovereign's DNS record MAY publish multiple historical keys indexed by key-id, allowing verifiers to validate older commits against the key that was current at the time of signing even after the sovereign has rotated their primary signing key. 8. DNS Resolution (Normative Reference) Morrison Expires 13 October 2026 [Page 11] Internet-Draft Identity-Attributed Commits April 2026 8.1. Sovereign Key Resolution The sovereign handle's public key is resolved via the [MCPDNS] _alter. DNS record mechanism. Verifiers MUST use the resolution algorithm specified in [MCPDNS] to obtain the public key corresponding to the key-id named in the Identity-Key-Id: trailer. Verifiers MUST require DNSSEC [RFC4034] validation on the _alter. lookup when DNSSEC is available for the zone. For zones lacking DNSSEC deployment, verifiers MAY accept the HTTPS .well-known fallback resolution path defined in [MCPDNS], provided the TLS chain validates against the policy domain. 8.2. Instrument Metadata Resolution Instrument-handle metadata (provider, version, deprecation status, capability profile) is resolved via the same _alter mechanism, but the resolved record is descriptive only. Verifiers SHOULD treat Instrument metadata as informational provenance and MUST NOT treat any field of an Instrument record as an attestational claim. Instrument handles cannot cryptographically sign commits; their DNS records advertise what the model is, not that the commit was authorised by it. 9. Verifier Behaviour (Normative) A conformant verifier MUST perform the following steps in order: 1. *Parse all trailers from the footer block.* Trailers appearing outside the footer block MUST be ignored. 2. *Reject cross-slot category errors.* For each trailer, resolve the handle's tier per [MCPDNS] (or, where DNS resolution is unavailable, fall back to the syntactic tier indicators of Section 4.1). If any handle appears in a slot other than its tier's slot - for example, an Instrument-tier handle in an Acted- By: slot, or a Sovereign-tier handle in a Drafted-With: slot - the commit is malformed and the verifier MUST reject it as a category error. The error message SHOULD identify the offending trailer by name. 3. *Verify signatures, if present.* If Identity-Signature: and Identity-Key-Id: are present, the verifier MUST: Morrison Expires 13 October 2026 [Page 12] Internet-Draft Identity-Attributed Commits April 2026 a. Extract the key-id from the Identity-Key-Id: trailer. b. Resolve the corresponding public key by querying the Acted-By: handle's _alter record per Section 6.1. c. Compute the commit's tree hash via git cat-file or an equivalent. d. Verify the Ed25519 signature against the tree hash using the resolved public key. If signature verification fails, the verifier MUST mark the commit as unverified and MUST NOT report it as having a valid sovereign attribution. 4. *Verify the transparency anchor, if present.* If Identity-Anchor: is present, the verifier SHOULD verify the anchor against the referenced log according to the log's own verification protocol. Failure to verify the anchor MUST be surfaced to the user but MUST NOT silently downgrade the commit's verified status. A conformant verifier SHOULD additionally: 1. *Cache handle-to-key resolutions.* DNS lookups for the same handle within a single verification pass should be performed at most once. Cache TTL SHOULD respect the DNS record TTL. 2. *Distinguish attribution states in user-facing output.* Verifiers SHOULD present three distinct states to users: * verified - Acted-By: present with a valid Identity-Signature: resolving to the published key. * claimed - Acted-By: present without a signature, or with a signature whose key cannot be resolved. * anonymous - no Acted-By: present. Conflating these states is a security defect. 10. Security Considerations 10.1. Sovereign Key Compromise If a sovereign's signing key is compromised, the sovereign rotates the key and publishes the new key under a new key-id in their _alter record. The previous key SHOULD remain published as a historical record so that commits signed during its validity period continue to verify. Sovereigns SHOULD also publish revocation metadata distinguishing keys that were rotated for hygiene from keys that were rotated due to compromise; verifiers encountering a compromise- revoked key SHOULD warn the operator that any commit signed by that Morrison Expires 13 October 2026 [Page 13] Internet-Draft Identity-Attributed Commits April 2026 key is suspect even if the signature still validates mathematically. 10.2. Instrument Handle Spoofing Because Instrument handles cannot sign, the Drafted-With: trailer is an unverified provenance claim. A malicious committer can always paste Drafted-With: ~cc-opus-4.6 into a commit they hand-wrote. Implementations MUST treat Instrument attribution as informational, not attestational, and MUST NOT extend trust decisions on the basis of an Instrument trailer alone. This is explicit by design: the Instrument tier is a documentation mechanism, not an attestation mechanism. The protection against Instrument-trailer abuse is the sovereign signature on Acted-By:, which binds a real cryptographic identity to the overall commit and to the committer's claim about what tools they used. 10.3. DNS Poisoning A successful DNS poisoning attack against the _alter. zone could redirect verifiers to a substitute public key under the attacker's control. This risk is mitigated by: * DNSSEC validation when available. Verifiers SHOULD require DNSSEC on the policy zone and MAY refuse to verify against an unsigned zone. * The HTTPS .well-known fallback path defined in [MCPDNS], which terminates the trust chain at the TLS certificate of the policy domain. * Independent transparency-log anchoring via the optional Identity- Anchor: trailer, which provides a second source of truth that is unaffected by DNS poisoning. 10.4. Tree-Hash Collision Most git repositories currently use SHA-1 for tree hashing. SHA-1 is cryptographically weakened (SHAttered, 2017) for collision resistance, and tree-hash signing inherits that weakness. Implementations operating in high-assurance contexts SHOULD migrate to SHA-256 git objects, which use SHA-256 for the tree hash and eliminate the SHA-1 weakness. Until such migration is complete, verifiers SHOULD record both the tree hash and the commit hash in any local audit log so that any future SHA-1 collision attack against the verifier's history is detectable ex post. Morrison Expires 13 October 2026 [Page 14] Internet-Draft Identity-Attributed Commits April 2026 10.5. Squash-Merge Trailer Aggregation Race The aggregation of contributor Acted-By: trailers into a squash- merged commit is an implementation responsibility of the hosting platform or merge tool. If aggregation is skipped or fails silently, the trailers from individual contributor commits are lost, and the merge commit appears to have a single sovereign when it actually had several. Implementations performing squash merges MUST validate that contributor trailers have been aggregated before completing the merge, and SHOULD refuse to complete a squash that loses trailer attribution. This is an implementation concern, not a protocol-level issue, but it is listed here because the operational consequence of a missing trailer is a silent loss of attribution. 10.6. Key Custody at the Commit-Signing Boundary The pre-commit hook (or analogous integration point) that invokes the signing operation is a trust-sensitive boundary: the hook runs in the unprivileged developer process and may have access to the sovereign's private key. Implementations SHOULD route signing through a privileged helper - for example, a unix domain socket exposed by a dedicated signing daemon, or a hardware authenticator using WebAuthn PRF - rather than reading the private key directly from unprivileged process memory. Direct key handling in the developer process is acceptable for prototyping but MUST NOT be relied upon in production deployments where commit attribution carries weight. 10.7. Negative-Attribution Risk A committer may deliberately omit the Drafted-With: trailer to conceal AI-instrument involvement in a contribution. This is detectable only by out-of-band evidence and is not addressable at the protocol layer. Where AI-disclosure obligations exist (for example, in regulated software development contexts), they SHOULD be enforced at the policy layer with this protocol providing the truthful path for honest committers, not the verification path for dishonest ones. 11. IANA Considerations 11.1. Git Trailer Name Registration At the time of writing, IANA does not maintain a registry of git commit trailer names. If such a registry is established, this document requests registration of the following trailer names with reference to this specification: * Acted-By Morrison Expires 13 October 2026 [Page 15] Internet-Draft Identity-Attributed Commits April 2026 * Executed-By * Drafted-With * Identity-Signature * Identity-Key-Id * Identity-Anchor Until a formal registry exists, this document recommends that implementers coordinate via the ALTER discovery community and treat the trailer names defined here as reserved for the identity- attributed commit grammar. 11.2. URI Scheme Dependencies This document depends on the did:alter: URI scheme via the Identity- Key-Id: trailer. The alter: URI scheme is the subject of IANA considerations in [MCPDNS]; this document does not separately register it. The identitylog:// URI scheme used by the optional Identity-Anchor: trailer is reserved by this document for future registration when a normative IdentityLog specification is published. Implementations encountering identitylog:// URIs without a registered scheme MUST treat the anchor as an opaque reference and SHOULD NOT attempt resolution. 11.3. No Other IANA Actions This document requests no other IANA actions. 12. Relationship to Existing Standards The trailer grammar defined here is intended to coexist with prior commit-attribution mechanisms rather than to replace them. Morrison Expires 13 October 2026 [Page 16] Internet-Draft Identity-Attributed Commits April 2026 +======================+===============+===========================+ | Mechanism | Purpose | Coexistence with this | | | | spec | +======================+===============+===========================+ | Git Signed-off-by | Legal | Orthogonal. A commit MAY | | [DCO] | attestation | carry both a Signed-off- | | | of | by: and an Acted-By: | | | contribution | trailer. They answer | | | rights | different questions. | +----------------------+---------------+---------------------------+ | Git commit signing | Cryptographic | Orthogonal. A commit MAY | | (git commit -S) | identity via | be both GPG-signed and | | | GPG/SSH key | Acted-By-signed. | | | directories | Verifiers handle each | | | | path independently. | +----------------------+---------------+---------------------------+ | Sigstore / gitsign | Keyless | Architecturally adjacent. | | [GITSIGN] | cryptographic | Different identity | | | identity via | provider model (OIDC + | | | OIDC | Rekor vs DNS-resolved DID | | | | + IdentityLog). May | | | | coexist. | +----------------------+---------------+---------------------------+ | Anthropic Co- | Informal AI | Superseded for AI | | Authored-By: Claude | co-authorship | attribution by Drafted- | | [ANTHROPIC-COAUTHOR] | convention | With: (Instrument tier). | | | | Implementations MAY emit | | | | both during a transition | | | | window. | +----------------------+---------------+---------------------------+ Table 2 The Instrument tier is novel to this specification and has no analogue in any existing mechanism. Sigstore identifies signers; the DCO attests to legal rights; the Anthropic convention is a plain-text marker. None expresses the structural distinction between a sovereign actor, a delegated bot, and a non-signing instrument. This distinction is the load-bearing contribution of the present document. 13. Acknowledgments The author thanks Drew Dylan (co-founder, Alter Meridian Pty Ltd) for the cosmological framing of identity tiers, and Jake McCallum (Sentinel) for adversarial review of the tier-slot grammar and the cross-tier rejection rules. The members of the ALTER founding circle provided extensive review and pressure-testing of earlier drafts. Additional contributors will be named at review time. Morrison Expires 13 October 2026 [Page 17] Internet-Draft Identity-Attributed Commits April 2026 14. References 14.1. Normative References [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4034] Arends, R., et al., "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, January 2017. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, May 2017. [RFC8552] Crocker, D., "Scoped Interpretation of DNS Resource Records through 'Underscored' Naming of Attribute Leaves", BCP 222, RFC 8552, March 2019. [RFC8785] Rundgren, A., et al., "JSON Canonicalization Scheme (JCS)", RFC 8785, June 2020. [MCPDNS] Morrison, B., "Discovery of Model Context Protocol Servers via DNS TXT Records", draft-morrison-mcp-dns-discovery, work in progress. 14.2. Informative References [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, July 2016. [DCO] "Developer Certificate of Origin v1.1", https://developercertificate.org/, 2004. [GIT-TRAILERS] "git-interpret-trailers(1)", https://git-scm.com/docs/ git-interpret-trailers. Morrison Expires 13 October 2026 [Page 18] Internet-Draft Identity-Attributed Commits April 2026 [GITSIGN] "gitsign: Keyless Git Signing", https://docs.sigstore.dev/cosign/signing/gitsign/. [SIGSTORE] "Sigstore: Software Signing for Everybody", https://www.sigstore.dev/. [ANTHROPIC-COAUTHOR] Anthropic, "Co-Authored-By: Claude - convention for AI-assisted commits". [ALTER-DID8] Morrison, B., "ALTER Decision Register entry D-ID8 - Three-Tier Handle Taxonomy", internal, 2026. [ALTER-DDW4] Morrison, B., "ALTER Decision Register entry D-DW4 - Governance Break Invariant", internal, 2026. [ALTER-KEY-CUSTODY] Morrison, B., "ALTER Key Custody Doctrine - WebAuthn PRF Dual-Enrol", internal, 2026. [MORRISON-IFT] Morrison, B., "Identity Field Theory: Toward a Physics of Being Known", https://doi.org/10.6084/m9.figshare.31951383, 2026. 15. Author's Address Blake Morrison Alter Meridian Pty Ltd Cronulla, NSW 2230 Australia Email: blake@truealter.com URI: https://truealter.com 16. References 16.1. Normative References [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, . [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, . Morrison Expires 13 October 2026 [Page 19] Internet-Draft Identity-Attributed Commits April 2026 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, . [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8552] Crocker, D., "Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves", BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, . [RFC8785] Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, DOI 10.17487/RFC8785, June 2020, . [MCPDNS] Morrison, B., "Discovery of Model Context Protocol Servers via DNS TXT Records", 2026, . 16.2. Informative References [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, . [SIGSTORE] "Sigstore: Software Signing for Everybody", 2022, . [GITSIGN] "gitsign: Keyless Git Signing", 2023, . [DCO] "Developer Certificate of Origin v1.1", 2004, . [GIT-TRAILERS] "git-interpret-trailers(1)", n.d., . Morrison Expires 13 October 2026 [Page 20] Internet-Draft Identity-Attributed Commits April 2026 [ANTHROPIC-COAUTHOR] Anthropic, "Co-Authored-By: Claude - convention for AI- assisted commits", 2025, . [ALTER-DID8] Morrison, B., "ALTER Decision Register entry D-ID8 - Three-Tier Handle Taxonomy", 2026, . [ALTER-DDW4] Morrison, B., "ALTER Decision Register entry D-DW4 - Governance Break Invariant", 2026, . [ALTER-KEY-CUSTODY] Morrison, B., "ALTER Key Custody Doctrine - WebAuthn PRF Dual-Enrol", 2026, . [MORRISON-IFT] Morrison, B., "Identity Field Theory: Toward a Physics of Being Known", 2026, . Author's Address Blake Morrison Alter Meridian Pty Ltd Cronulla, NSW Australia Email: blake@truealter.com Morrison Expires 13 October 2026 [Page 21]