<?xml version="1.0" encoding="utf-8"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     docName="draft-schrock-ep-authorization-evidence-chain-02"
     category="info" ipr="trust200902" submissionType="IETF"
     version="3" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="Authorization Evidence Chains">Authorization Evidence Chains: Composing Heterogeneous Agent-Authorization Receipts (EP-AEC)</title>
    <seriesInfo name="Internet-Draft" value="draft-schrock-ep-authorization-evidence-chain-02"/>
    <author fullname="Iman Schrock">
      <organization>EMILIA Protocol, Inc.</organization>
      <address>
        <postal>
          <country>US</country>
        </postal>
        <email>team@emiliaprotocol.ai</email>
      </address>
    </author>
    <date year="2026" month="July" day="6"/>
    <area>sec</area>
    <keyword>AI agents</keyword>
    <keyword>authorization</keyword>
    <keyword>receipts</keyword>
    <keyword>composition</keyword>
    <keyword>human oversight</keyword>
    <keyword>JCS</keyword>
    <abstract>
      <t>A growing family of Internet-Drafts defines signed "receipts"
      about an AI agent's action: delegation receipts that attest an
      agent was authorized to act for a principal, policy or permit
      receipts that attest a policy allowed an external effect, decision
      and compliance receipts, route authorizations, and
      human-authorization receipts that attest a named, accountable human
      approved a specific action. The mature efforts independently
      converged on a common substrate: bind the action with a canonical
      digest (JSON Canonicalization Scheme, RFC 8785) and sign it. No
      specification, however, defines how a relying party verifies that,
      for one action, the several heterogeneous receipts it has been
      handed all bind the same canonical action and each verify under
      their own rules, yielding a single, offline, fail-closed ALLOW or
      DENY. This document defines the Authorization Evidence Chain
      (EP-AEC): a transport-agnostic composition object and an offline
      verification algorithm that references existing receipts, checks
      that every component binds one canonical action digest, dispatches
      each component to a verifier for its type, and evaluates a
      fail-closed requirement expression. EP-AEC introduces no new receipt
      type and replaces none; it is the verifier-side glue that lets
      independently specified receipts compose into one accountability
      decision. This revision additionally profiles two optional
      component record types for that composition: the effect
      attestation, a post-execution record in which the executor signs
      the receipt identifier together with a digest of the observed
      effect, and ceremony evidence, a signed record of
      signing-ceremony telemetry (the challenge issued, viewed, and
      approved instants and the approver identity) that enables
      review-latency policies.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="intro"><name>Introduction</name>
      <t>As autonomous and semi-autonomous agents begin to take
      irreversible external actions -- moving funds, changing records,
      releasing data, invoking privileged APIs -- relying parties
      increasingly demand a verifiable artifact answering "was this exact
      action authorized, and by whom?" The IETF community has responded
      with a cluster of receipt formats, each answering one facet:</t>
      <ul>
        <li>Identity -- who or what the agent is.</li>
        <li>Delegation -- that the agent was authorized to act for a
        principal (e.g. <xref target="DRP"/>, <xref target="DAAP"/>).</li>
        <li>Policy or permit -- that policy permitted the effect before
        commit (e.g. <xref target="PERMIT"/>,
        <xref target="AGENTROA"/>).</li>
        <li>Decision or compliance -- that a decision or compliance check
        occurred (e.g. <xref target="ACTA"/>,
        <xref target="ASQAV"/>).</li>
        <li>Human authorization -- that a named, accountable human, or a
        quorum of distinct humans, approved the exact action
        (<xref target="EP-RECEIPTS"/>, <xref target="EP-QUORUM"/>).</li>
        <li>Transparency -- that a statement was registered in an
        append-only log (<xref target="SCITT"/>).</li>
      </ul>
      <t>These are complementary layers, not competitors: a single
      high-risk action may warrant a delegation receipt AND a policy
      permit AND a human authorization. Yet each effort defines only its
      own receipt. The relying party is left to correlate heterogeneous
      artifacts by hand, and in practice implementers hand-roll ad-hoc
      "composite proofs" with no shared correctness model -- in
      particular, no guarantee that the several receipts authorize the
      same action rather than different ones spliced together (a
      cross-binding attack).</t>
      <t>The Entity Attestation Token <xref target="RFC9711"/> provides a
      CBOR mechanism (detached submodules / detached EAT bundles) for
      composing claims from multiple attesting environments into one
      token. No equivalent exists for the predominantly JSON/JCS receipt
      cluster described above. This document fills that gap.</t>
      <section anchor="scope"><name>Scope and non-goals</name>
        <t>EP-AEC defines (1) a composition object that references
        component receipts and declares a requirement over them, and (2)
        an offline verification algorithm. EP-AEC does NOT define any
        component receipt format, does not require any particular
        component to be present, and does not bless any component
        specification. It is deliberately minimal: its only novel
        normative content is the same-action binding check and the
        requirement evaluation.</t>
      </section>
    </section>

    <section anchor="terminology"><name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this
      document are to be interpreted as described in BCP 14
      <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
      when, they appear in all capitals, as shown here.</t>
      <dl>
        <dt>Action Object</dt>
        <dd>the canonical representation of the external effect being
        authorized, as defined by <xref target="EP-RECEIPTS"/>
        Section 3.</dd>
        <dt>Canonical action digest</dt>
        <dd>the SHA-256 digest of the JCS <xref target="RFC8785"/>
        serialization of the Action Object, expressed as lowercase
        hexadecimal, optionally prefixed "sha256:". The Action Object MUST
        conform to the I-JSON <xref target="RFC7493"/> profile of
        <xref target="EP-RECEIPTS"/> Section 3 (strings, booleans, null,
        arrays, objects, and safe integers only) so that the digest is
        byte-identical across implementations.</dd>
        <dt>Component</dt>
        <dd>one referenced receipt within a chain, carrying a type, the
        receipt evidence, and an optional human-readable label.</dd>
        <dt>Component verifier</dt>
        <dd>a function that verifies one component and returns both a
        validity result AND the canonical action digest that component
        attests it authorized.</dd>
        <dt>Requirement</dt>
        <dd>a Boolean expression over component types/labels that
        determines ALLOW.</dd>
      </dl>
    </section>

    <section anchor="object"><name>The Authorization Evidence Chain object</name>
      <sourcecode type="json"><![CDATA[
{
  "@version": "EP-AEC-v1",
  "action": { ... Action Object ... },
  "action_digest": "sha256:<hex>",
  "components": [
    { "type": "ep-quorum",
      "label": "two-person human authorization",
      "evidence": { ... EP-QUORUM-v1 object ... } },
    { "type": "policy-permit",
      "label": "machine policy permit",
      "evidence": { ... permit receipt ... } },
    { "type": "delegation",
      "label": "agent delegation",
      "evidence": { ... delegation receipt ... } }
  ],
  "requirement": "ep-quorum AND policy-permit"
}
]]></sourcecode>
      <ul>
        <li>"@version" (string, REQUIRED) -- MUST be "EP-AEC-v1".</li>
        <li>"action" (object, REQUIRED) -- the Action Object every
        component must authorize.</li>
        <li>"action_digest" (string, OPTIONAL) -- if present, MUST equal
        the canonical action digest recomputed from "action"; a mismatch
        is a fatal error.</li>
        <li>"components" (array, REQUIRED, non-empty) -- each has "type"
        (string), "evidence" (object), and optional "label" (string).</li>
        <li>"requirement" (string, REQUIRED) -- a Boolean expression
        (<xref target="requirement"/>). NOTE (changed in -01): this
        member is PRESENTER-SUPPLIED -- a claim of what the chain
        satisfies, never the relying party's sufficiency bar; see
        <xref target="whose-requirement"/>.</li>
      </ul>
      <t>The chain carries the Action Object once; components reference
      the same action by digest rather than re-embedding it. This is what
      makes the same-action binding check possible and is the heart of the
      format.</t>
    </section>

    <section anchor="verify"><name>Verification algorithm</name>
      <t>A verifier is configured with a set of component verifiers keyed
      by type. Given a chain C, the verifier MUST proceed fail-closed:</t>
      <ol>
        <li>If C is malformed (missing "@version", wrong version, missing
        or non-object "action", empty "components", or missing
        "requirement"), return DENY.</li>
        <li>Compute chain_digest = canonical action digest of C.action. If
        C.action_digest is present and does not equal chain_digest, return
        DENY.</li>
        <li><t>For each component k:</t>
          <ol>
            <li>If no verifier is registered for k.type, mark k
            unsatisfied (reason: no verifier) and continue.</li>
            <li>Invoke the verifier on k.evidence. It returns valid and
            action_digest. Any exception marks k unsatisfied.</li>
            <li>k is SATISFIED iff valid is true AND the returned
            action_digest equals chain_digest. A valid component that
            binds a different action MUST be treated as unsatisfied
            (reason: binds a different action). This is the cross-binding
            defense.</li>
            <li>If satisfied, add k.type and k.label (if present) to the
            satisfied set.</li>
          </ol>
        </li>
        <li>Select the requirement to evaluate: if the relying party
        supplied its own requirement expression to the verifier, use it
        and record requirement_source = "relying_party"; otherwise use
        C.requirement and record requirement_source = "presenter"
        (<xref target="whose-requirement"/>). Evaluate it over the
        satisfied set (<xref target="requirement"/>). Return ALLOW iff
        it evaluates true; otherwise DENY.</li>
        <li>Any unexpected error at any step MUST yield DENY.</li>
      </ol>
      <t>The result SHOULD include, per component, whether it verified and
      whether it was bound, with a reason for any failure, to support
      audit.</t>
      <t>Two optional component record types, the effect attestation
      (<xref target="effect-attestation"/>) and ceremony evidence
      (<xref target="ceremony-evidence"/>), attach additional evidence
      rules on top of step 3. Findings from those rules are
      conflict-class: they never move the outcome toward ALLOW, and in
      the graded verdict set used by the reference evaluation
      (admissible, missing_evidence, stale, conflicted, unverifiable)
      they downgrade the verdict to "conflicted". A record whose
      signature does not verify is "unverifiable", which is strictly
      worse and is never softened to "conflicted". No rule in this
      document ever moves a verdict toward a more admissible one.</t>
    </section>

    <section anchor="requirement"><name>Requirement expressions</name>
      <t>A requirement is a Boolean expression with the grammar:</t>
      <sourcecode type="abnf"><![CDATA[
expr := term (('AND' | 'OR') term)*
term := '(' expr ')' | IDENT
]]></sourcecode>
      <t>IDENT matches a component type or label in the satisfied set; an
      unknown identifier evaluates to false. Implementations MUST evaluate
      the expression with a bounded parser and MUST NOT use a
      general-purpose evaluator. AND and OR have EQUAL binding
      strength and are evaluated strictly left to right; implementations
      MUST NOT assume AND binds tighter than OR. Parentheses group
      explicitly and are the only precedence mechanism. Example: "ep-quorum AND (policy-permit
      OR delegation)" requires a human quorum plus either a policy permit
      or a delegation receipt, all bound to the same action.</t>
    </section>

    <section anchor="whose-requirement">
      <name>Whose requirement is it? (changed in -01)</name>
      <t>The chain document's "requirement" member is supplied by the
      PRESENTER of the chain. A presenter must never be able to choose
      its own sufficiency bar: a chain that says "delegation" satisfies
      itself, however weak, if the verifier takes the document's word
      for what suffices. This is the same confused-deputy class as a
      quorum policy read from the object it governs.</t>
      <t>Accordingly: a verifier MUST accept a requirement expression
      supplied out-of-band by the RELYING PARTY, and when one is
      supplied it MUST take precedence over the document's; the
      document's member is then treated as a recorded claim only. The
      result MUST record which source was evaluated
      (requirement_source: "relying_party" or "presenter"), and SHOULD
      note when a presenter requirement was ignored in favor of a
      pinned one. The document member remains REQUIRED for
      self-describing interchange, but relying parties SHOULD pin their
      own bar for any consequential decision. The reference
      implementations (JavaScript, Python, Go) implement this behavior
      and agree on shared conformance vectors covering both sources,
      including a vector where the presenter's weak bar would pass and
      the relying party's pinned bar correctly fails.</t>
      <t>The generalization of this principle -- the entire sufficiency
      policy (requirement, freshness, revocation, required bindings)
      supplied by the relying party, with a purpose-relative classified
      verdict -- is specified in
      <xref target="I-D.schrock-ep-action-evidence-graph"/>.</t>
    </section>

    <section anchor="human-leg"><name>The human-authorization leg</name>
      <t>Of the receipt families enumerated in
      <xref target="intro"/>, only the EP human-authorization receipt
      binds a named, accountable human (or, via
      <xref target="EP-QUORUM"/>, a quorum of distinct humans under
      separation of duties) to the exact action. Several policy/permit
      formats reserve a slot for a threshold or multi-party signature but
      specify no human semantics behind it. EP-AEC lets a relying party
      require the human leg explicitly (e.g. requirement includes
      "ep-quorum") while composing it with machine-side delegation and
      permit receipts. The built-in component verifiers "ep-quorum" and
      "ep-receipt" are defined by <xref target="EP-QUORUM"/> and
      <xref target="EP-RECEIPTS"/> respectively; all other types are
      supplied by the relying party.</t>
    </section>

    <section anchor="effect-attestation"><name>Effect Attestation</name>
      <t>Every receipt family enumerated in <xref target="intro"/>
      attests something about an action before or at authorization
      time. None of them states what was then done. An effect
      attestation is a post-execution evidence record that closes that
      "approved X, executed Y" gap: the executor signs the receipt
      identifier of the authorization it acted under together with a
      digest of the effect it observed. Any third party holding both
      the authorization (which commits to the approved effect) and the
      effect attestation can check divergence offline: if the observed
      effect digest differs from the approved action's committed effect
      digest, "approved X, executed Y" is demonstrated by the two
      records alone, with no access to the executing system, and in the
      evidence verdict the divergence surfaces as a conflict.</t>
      <t>Use of this record type is OPTIONAL. Its component type
      identifier is "effect_attestation". When it is used, the
      following rules apply:</t>
      <ul>
        <li>The record MUST carry the receipt identifier of the
        authorization it attests and the digest of the observed effect,
        and MUST be signed by the executor. The component verifier for
        this type returns, alongside "valid" and "action_digest", the
        fields "receipt_id", "observed_effect_digest", and, where the
        verifier could read the approved effect out of the referenced
        authorization, "committed_effect_digest". Digest values are
        compared as lowercase hexadecimal after removal of an optional
        "sha256:" prefix.</li>
        <li>An effect attestation whose executor signature does not
        verify, or whose executor key is not pinned by the relying
        party, is inadmissible as evidence: the component verifier MUST
        report it invalid, and it MUST NOT be weighed as effect
        evidence at all (fail closed).</li>
        <li>The committed effect digest against which the observed
        digest is compared MUST NOT be taken from the presenter. It is
        either pinned by the relying party (the
        "expected_effect_digest" member of the relying-party policy) or
        read by the component verifier from the referenced
        authorization; where both are available, the relying-party pin
        takes precedence.</li>
        <li>If the observed effect digest differs from the committed
        effect digest, the verification result MUST record the reason
        code "effect_divergence" and treat the finding as a conflict
        (<xref target="verify"/>); it never moves the outcome toward
        ALLOW.</li>
        <li>A verified effect attestation that carries no observed
        effect digest MUST likewise be recorded under
        "effect_divergence" and treated as a conflict (fail
        closed).</li>
        <li>A verified effect attestation with no committed effect
        digest to compare against MUST record the reason code
        "effect_commitment_missing" and be treated as a conflict, never
        as admissible: an observed effect that cannot be tied to an
        approved effect does not show the effect was approved (fail
        closed).</li>
      </ul>
      <t>Stated honestly: an effect attestation says what the executor
      CLAIMS was observed. It is one more accountable, signed leg in
      the chain, not ground truth. Its value is that an executor that
      misreports the effect is now misreporting in a signed,
      attributable artifact bound to a specific receipt, and that a
      divergence between two honest records is checkable offline by any
      third party holding both. How the observed effect is represented
      and digested is action-family specific and out of scope for this
      document.</t>
    </section>

    <section anchor="ceremony-evidence"><name>Ceremony Evidence</name>
      <t>A human-authorization receipt proves that an accountable human
      approved the exact action. It does not show how the approval
      happened. Ceremony evidence carries signing-ceremony telemetry as
      a first-class evidence record: the instants at which the
      authorization challenge was issued, viewed, and approved, and the
      approver identity. Its component type identifier is
      "ceremony_evidence"; the component verifier for this type
      returns, alongside "valid" and "action_digest", the fields
      "approver", "issued_at", "viewed_at", and "approved_at". The
      component verifier proves the ceremony record is authentic; the
      rules below judge what it says.</t>
      <t>Ceremony evidence enables review-latency policies. An approval
      that comes in below a policy floor every time is itself
      evidence of rubber-stamping: the recorded human review
      contradicts a genuine one, and a relying party MAY weigh it as a
      conflict. A relying party adopting such a policy sets a
      review-latency floor (the "ceremony_min_review_sec" member of the
      relying-party policy). When a floor is set, the following rules
      apply:</t>
      <ul>
        <li>The review interval of a verified ceremony record is
        "approved_at" minus "viewed_at", in whole seconds.</li>
        <li>A verified ceremony record whose review interval is
        strictly below the floor MUST be recorded under the reason code
        "rubber_stamped_ceremony" and treated as a conflict
        (<xref target="verify"/>); it never moves the outcome toward
        ALLOW.</li>
        <li>If the telemetry on a verified ceremony record is absent or
        unusable (a missing or unparseable "viewed_at" or "approved_at",
        or "approved_at" earlier than "viewed_at"), real review cannot
        be shown; the record MUST be recorded under the reason code
        "ceremony_telemetry_missing" and treated as a conflict, never
        as a silent pass (fail closed).</li>
        <li>A ceremony record whose signature does not verify is
        unverifiable; it is never softened to a conflict.</li>
      </ul>
      <t>When no floor is set, this document attaches no judgment to
      the telemetry. Stated honestly: ceremony telemetry is
      operator-originated. The issued, viewed, and approved instants
      are recorded by the operator of the signing ceremony, not by an
      independent observer; ceremony evidence gives the relying party
      an accountable, signed record of the claimed timeline, not an
      independent measurement of human attention.</t>
    </section>

    <section anchor="security"><name>Security Considerations</name>
      <t>Presenter-chosen sufficiency (fixed in -01). Prior to this
      revision the requirement was read only from the presented
      document, letting a presenter select the bar its own evidence
      would be judged against. Section
      "<xref target="whose-requirement" format="title"/>" closes this:
      relying-party-supplied requirements take precedence and the
      evaluated source is recorded. Deployments of -00 verifiers SHOULD
      upgrade or wrap verification with an out-of-band requirement
      check.</t>
      <t>Cross-binding (action substitution). The core threat is splicing
      receipts that authorize different actions into one chain. Step 3c of
      <xref target="verify"/> defeats this by requiring every satisfied
      component to attest the chain's exact canonical digest. The strength
      of this defense rests entirely on the canonical digest being
      byte-identical across implementations; the I-JSON profile
      (<xref target="EP-RECEIPTS"/> Section 3) is therefore normative,
      and one restriction in it is load-bearing enough to restate here:
      canonical payloads MUST NOT contain non-integer numbers (amounts
      travel as strings). Within that restriction the reference
      canonicalizers coincide with RFC 8785 output; full RFC 8785
      number serialization (for payloads outside the profile) is an
      open conformance item, and implementations MUST reject payloads
      containing non-integer numbers rather than guess.</t>
      <t>Component verifier trust. A chain is only as sound as its weakest
      registered verifier and the keys it trusts. Relying parties MUST
      configure verifiers and trust anchors explicitly; an unconfigured
      type is unsatisfied, never assumed.</t>
      <t>Requirement under-specification. A weak requirement yields a weak
      decision. Requirements SHOULD name every leg the relying party
      depends on, including the human leg where accountability is
      required.</t>
      <t>Freshness and revocation. EP-AEC composes point-in-time evidence;
      it does not by itself prove the absence of a later revocation.
      Components that carry status/freshness evidence SHOULD be verified
      against the relying party's freshness policy.</t>
      <t>No transport assumptions. EP-AEC is a data structure; it inherits
      the confidentiality and integrity properties of whatever conveys it.
      It is fail-closed by construction (<xref target="verify"/>).</t>
      <t>Post-execution and ceremony evidence are operator-originated.
      The effect attestation (<xref target="effect-attestation"/>) and
      ceremony evidence (<xref target="ceremony-evidence"/>) records
      carry what the executor and the ceremony operator report, signed
      and attributable, not an independent measurement. Their guarantee
      is accountability, not ground truth: a false report is a signed,
      bound artifact, and a divergence or below-floor review is
      checkable offline. Both are fail-closed in the same direction as
      the rest of this document: a signature that does not verify is
      unverifiable, a missing committed effect or missing ceremony
      telemetry is a conflict, and no finding from either record ever
      moves a verdict toward a more admissible one
      (<xref target="verify"/>).</t>
    </section>

    <section anchor="relationship"><name>Relationship to Other Work</name>
      <t>EP-AEC is complementary to, and composes, the efforts in
      <xref target="intro"/>. It is the JSON/JCS analogue of the EAT
      <xref target="RFC9711"/> detached-bundle composition model and can
      itself be registered as a SCITT <xref target="SCITT"/> signed
      statement for transparency. It neither extends nor constrains
      <xref target="DRP"/>, <xref target="PERMIT"/>,
      <xref target="ACTA"/>, or <xref target="AGENTROA"/>; each plugs in
      as a component type.</t>
    </section>

    <section anchor="iana"><name>IANA Considerations</name>
      <t>This document has no IANA actions. A future revision may request
      a media type (e.g. "application/ep-aec+json") and a registry of
      component type identifiers should the work be adopted.</t>
    </section>

    <section anchor="impl"><name>Implementation Status</name>
      <t>A reference verifier and a runnable demonstration (composing a
      real EP human quorum with a policy-permit leg, and rejecting both a
      cross-binding attack and a missing human leg;
      examples/authorization-chain.mjs in the repository) are maintained
      as open-source software and are exercised offline, with no network
      dependency, by the reference suite's three language
      implementations (JavaScript, Python, Go), which agree on a shared
      conformance vector set. These are one project's implementations --
      a cross-language consistency check, not independently developed
      implementations; a third party has separately executed and
      verified the published artifacts against a pinned commit, as
      reported to the IETF SECDISPATCH mailing list on 23 June 2026.</t>
      <t>The evidence rules for the effect-attestation and
      ceremony-evidence record types
      (<xref target="effect-attestation"/>,
      <xref target="ceremony-evidence"/>) are implemented in a
      JavaScript-only reference evaluation in the same repository; they
      are not yet part of the shared cross-language conformance vector
      set.</t>
    </section>
  </middle>
  <back>
    <references>
      <name>Normative References</name>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7493.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8785.xml"/>
      <reference anchor="EP-RECEIPTS" target="https://datatracker.ietf.org/doc/draft-schrock-ep-authorization-receipts/">
        <front>
          <title>Authorization Receipts for High-Risk Agent Actions (EP)</title>
          <author fullname="Iman Schrock">
            <organization>EMILIA Protocol, Inc.</organization>
          </author>
          <date year="2026" month="June"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-schrock-ep-authorization-receipts"/>
      </reference>
      <reference anchor="EP-QUORUM" target="https://datatracker.ietf.org/doc/draft-schrock-ep-quorum/">
        <front>
          <title>Multi-Party Quorum Authorization for High-Risk Agent Actions (EP-QUORUM)</title>
          <author fullname="Iman Schrock">
            <organization>EMILIA Protocol, Inc.</organization>
          </author>
          <date year="2026" month="June"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-schrock-ep-quorum"/>
      </reference>
    </references>
    <references>
      <name>Informative References</name>
      <reference anchor="I-D.schrock-ep-action-evidence-graph" target="https://datatracker.ietf.org/doc/draft-schrock-ep-action-evidence-graph/">
        <front>
          <title>Action Evidence Graphs and Evidence Policy Replay for High-Risk Agent Actions (EP-AEG)</title>
          <author fullname="Iman Schrock"><organization>EMILIA Protocol, Inc.</organization></author>
          <date year="2026" month="July"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-schrock-ep-action-evidence-graph-00"/>
      </reference>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9711.xml"/>
      <reference anchor="SCITT" target="https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/">
        <front>
          <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
          <author><organization>IETF SCITT WG</organization></author>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture"/>
      </reference>
      <reference anchor="DRP" target="https://datatracker.ietf.org/doc/draft-nelson-agent-delegation-receipts/">
        <front>
          <title>Delegation Receipt Protocol for AI Agent Authorization</title>
          <author fullname="R. Nelson"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-nelson-agent-delegation-receipts"/>
      </reference>
      <reference anchor="PERMIT" target="https://datatracker.ietf.org/doc/draft-lee-orprg-permit-receipts/">
        <front>
          <title>Permit Receipts for Permit-Before-Commit Authorization of AI-Agent and Workload External Effects</title>
          <author fullname="Y. Lee"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-lee-orprg-permit-receipts"/>
      </reference>
      <reference anchor="ACTA" target="https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/">
        <front>
          <title>Signed Decision Receipts for Machine-to-Machine Access Control</title>
          <author fullname="A. Farley"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-farley-acta-signed-receipts"/>
      </reference>
      <reference anchor="AGENTROA" target="https://datatracker.ietf.org/doc/draft-nivalto-agentroa-route-authorization/">
        <front>
          <title>Agent Route Origin Authorization (AgentROA)</title>
          <author fullname="Nivalto"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-nivalto-agentroa-route-authorization"/>
      </reference>
      <reference anchor="DAAP" target="https://datatracker.ietf.org/doc/draft-mishra-oauth-agent-grants/">
        <front>
          <title>Delegated Agent Authorization Protocol (DAAP)</title>
          <author fullname="Mishra"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-mishra-oauth-agent-grants"/>
      </reference>
      <reference anchor="ASQAV" target="https://datatracker.ietf.org/doc/draft-marques-asqav-compliance-receipts/">
        <front>
          <title>Compliance Profile of Signed Action Receipts for AI Agents</title>
          <author fullname="J. Marques"/>
          <date year="2026"/>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-marques-asqav-compliance-receipts"/>
      </reference>
    </references>
  </back>
</rfc>
