ietf-draft-analyzer/workspace/drafts/new-drafts/draft-e-apae-assurance-profiles-01.md

---
title: "Assurance Profiles for Agent Ecosystems (APAE)"
abbrev: "APAE"
category: info
docname: draft-apae-assurance-profiles-01
submissiontype: IETF
number:
date:
v: 3
area: "SEC"
workgroup: "Security Dispatch"
keyword:
  - dynamic trust
  - assurance
  - behavior verification
  - data provenance
  - quarantine

author:
  -
    fullname: TBD
    organization: Independent
    email: placeholder@example.com

normative:
  RFC2119:
  RFC8174:
  RFC7519:
  RFC7518:
  RFC9110:
  I-D.nennemann-wimse-ect:
    title: "Execution Context Tokens for Distributed Agentic Workflows"
    target: https://datatracker.ietf.org/doc/draft-nennemann-wimse-ect/
  I-D.nennemann-agent-dag-hitl-safety:
    title: "Agent Context Policy Token: DAG Delegation with Human Override"
    target: https://datatracker.ietf.org/doc/draft-nennemann-agent-dag-hitl-safety/

informative:
  RFC9334:

--- abstract

This document defines Assurance Profiles for Agent Ecosystems
(APAE): dynamic trust scoring, behavior verification, data
provenance, cross-domain trust, and graduated assurance profiles
that allow the same agent ecosystem to operate in relaxed
(dev/K8s) and regulated (healthcare, finance) environments.
Trust events are derived from ECT outcomes.  Trust assertions are
ECTs.  Behavior verification references ECT claims.  Provenance
chains are implicit in the ECT DAG.  Assurance profiles select
which combination of these mechanisms is required for a given
deployment, mapping to ECT assurance levels L1/L2/L3.  Agents
whose trust falls below a floor are quarantined via a protocol
defined here.

--- middle

# Introduction

Identity verifies who an agent is.  ECT records what an agent did.
But neither answers: should I rely on this agent?  Is it doing what
it promised?  Can I trace where this data came from?

APAE adds four capabilities to the ecosystem:

1. **Dynamic trust scoring** — behavioral reputation that adjusts
   based on interaction outcomes (AIMD model).
2. **Behavior verification** — checking agent actions against
   declared specifications.
3. **Data provenance** — tracing data lineage through the DAG.
4. **Cross-domain trust** — federating trust across administrative
   domains.

These capabilities are bundled into assurance profiles
(Relaxed, Standard, Regulated) that map to ECT assurance levels,
so the same ecosystem works from a dev cluster to a hospital.

# Conventions and Definitions

{::boilerplate bcp14-tagged}

Trust Score:
: A floating-point value in \[0.0, 1.0\] representing one agent's
  assessed reliability of another.

Trust Event:
: An interaction outcome that causes a trust score adjustment.
  Derived from ECTs.

Trust Domain:
: An administrative boundary within which a single trust anchor
  (CA or JWK set) governs agent identity.

Behavior Specification:
: A machine-readable declaration of permitted agent actions and
  constraints.

Provenance Chain:
: The sequence of ECT nodes recording how a piece of data was
  produced, transformed, and consumed.

Assurance Profile:
: A named configuration selecting which trust, verification, and
  provenance mechanisms are required.

Quarantine:
: A state in which an agent's trust score has dropped below a
  configured floor; the agent is prohibited from accepting new
  delegations.

# Dynamic Trust Scoring {#trust}

## Trust Score Model

Each agent maintains a trust table: peer agent IDs mapped to
trust scores.  Initial trust for unknown agents is deployment-
configured (RECOMMENDED: 0.5; zero-trust deployments: 0.1).

Scores update using additive-increase, multiplicative-decrease
(AIMD):

- Positive event: `score = min(1.0, score + alpha)`
- Negative event: `score = max(0.0, score * beta)`

Defaults: `alpha = 0.01`, `beta = 0.8`.

Trust builds slowly (100 successes: 0.5 → ~1.0) and drops fast
(one failure: 0.82 → 0.66).

## Trust Events from ECT {#trust-events}

Trust events are derived from ECTs rather than agent-local
counters, making trust computation auditable:

| ECT condition | Event | Adjustment |
|--------------|-------|------------|
| Completed, no error follows | `task_success` | +1x alpha |
| Completed, partial result | `task_partial` | +0.5x alpha |
| `atd:error` referencing agent | `task_failure` | 1x beta |
| No response within threshold | `task_timeout` | 1x beta |
| `atd:error` with `constraint_violation` | `policy_violation` | beta^2 |
| ECT signature verification fails | `attestation_invalid` | beta^2 |
| `atd:rollback_request` targeting agent | `rollback_triggered` | 1x beta |
{: #fig-events title="Trust Events from ECT"}

## Trust Decay

If no interaction occurs for a configurable period (default:
7 days): `score = max(initial_default, score - 0.01/day)`.

## Trust Assertions as ECT {#trust-assertions}

Agent A shares its trust assessment via a trust assertion ECT:

- `exec_act`: `"apae:trust_assertion"`

~~~json
{
  "exec_act": "apae:trust_assertion",
  "ext": {
    "apae.subject": "spiffe://example.com/agent/b",
    "apae.trust_score": 0.82,
    "apae.interactions": 147,
    "apae.confidence": "high",
    "apae.hops": 0
  }
}
~~~
{: #fig-assertion title="Trust Assertion ECT"}

Confidence: `low` (<10 interactions), `medium` (10-99),
`high` (100+).

Trust assertion ECTs MUST be signed at L2/L3.

## Trust Propagation

When Agent C receives A's assertion about B:

~~~
c_score_for_b = max(c_score_for_b,
                    a_score * trust_of_a * attenuation)
~~~

Default `attenuation`: 0.5.  Direct observations always take
precedence.  `apae.hops` tracks propagation depth; agents MUST NOT
propagate beyond their configured maximum (default: 1).

## Trust Thresholds as Policy

Trust thresholds are ACP-DAG-HITL node constraints:

~~~json
{
  "constraints": {
    "apae.min_trust": 0.7,
    "apae.min_confidence": "medium"
  }
}
~~~
{: #fig-threshold title="Trust Threshold as Node Constraint"}

Requests from agents below threshold MUST be denied with HTTP 403.
The `apae.peer_trust_score` is a runtime context value derived
from the trusting agent's trust table for the requesting peer;
it is not an ECT claim itself.

Low trust can trigger HITL escalation:

~~~json
{
  "id": "r-low-trust",
  "trigger": {
    "kind": "confidence_below",
    "op": "lt",
    "value": 0.5,
    "input_ref": "apae.peer_trust_score"
  },
  "required_role": "operator:security",
  "action": "escalate",
  "allow_override": true,
  "override_action": "continue"
}
~~~
{: #fig-trust-hitl title="HITL Rule for Low Trust"}

## Automatic Revocation

When trust drops below a floor (default: 0.2), the trusting agent
SHOULD revoke delegations and emit:
`exec_act: "apae:trust_revoke"`.

# Quarantine Protocol {#quarantine}

When a trust score drops below the configured quarantine floor
(default: 0.15), the agent enters quarantine.

## Quarantine Entry

The detecting agent MUST emit a quarantine ECT:

~~~json
{
  "exec_act": "apae:quarantine",
  "ext": {
    "apae.subject": "spiffe://example.com/agent/b",
    "apae.score": 0.12,
    "apae.threshold": 0.15,
    "apae.quarantine_until": "2026-03-02T12:00:00Z",
    "apae.reason": "Repeated policy_violation events (3 in 1 hour)"
  }
}
~~~
{: #fig-quarantine title="Quarantine ECT"}

The quarantine ECT MUST be broadcast to all agents that have
received trust assertions about the quarantined agent
(via `apae:trust_assertion` with matching `apae.subject`).

## Quarantined Agent Behavior

While quarantined, a subject agent:

- MUST NOT accept new delegations.  New delegation requests MUST
  return HTTP 503 with `Retry-After` set to `apae.quarantine_until`.
- MUST complete in-progress workflows (drain behavior per AEPB).
- MAY accept direct operator commands (HITL Level 4 is unaffected).

Agents receiving the quarantine notification MUST update their
trust table and MUST NOT delegate new tasks to the quarantined
agent until the quarantine expires or is lifted.

## Quarantine Duration

The default quarantine duration is 1 hour, doubling on each
successive quarantine entry:

| Quarantine count | Duration |
|-----------------|---------|
| 1 | 1 hour |
| 2 | 2 hours |
| 3 | 4 hours |
| n | 2^(n-1) hours (max 168 hours / 7 days) |
{: #fig-quarantine-duration title="Quarantine Duration Escalation"}

## Quarantine Expiry and Recovery

When the quarantine period expires:

1. The agent's trust score is reset to the initial default
   (deployment-configured; RECOMMENDED: 0.5 for recovery).
2. The agent transitions back to active status per AEPB lifecycle.
3. A recovery ECT MAY be emitted: `exec_act: "apae:quarantine"` with
   `apae.to_state: "active"`.

An operator MAY lift a quarantine early by issuing a HITL override
(Level 1 or higher) with scope `apae:quarantine_lift` for the
subject agent.

# Behavior Verification {#behavior}

## Behavior Specifications

A behavior specification declares what an agent is permitted to do.
Specifications are JSON documents referencing ECT claims:

~~~json
{
  "spec_version": "1.0",
  "agent_id": "spiffe://example.com/agent/firewall",
  "allowed_actions": ["update_rules", "read_config", "report"],
  "constraints": {
    "max_actions_per_minute": 60,
    "forbidden_targets": ["core-router-*"],
    "require_checkpoint_before": ["update_rules"]
  },
  "verification_frequency": "continuous"
}
~~~
{: #fig-spec title="Behavior Specification"}

Behavior specifications SHOULD be signed and versioned.  Changes
MUST be recorded as ECTs.

## Verification Against ECT Stream

A verifier monitors the agent's ECT stream and checks:

1. `exec_act` values are in `allowed_actions`.
2. Action rate does not exceed `max_actions_per_minute` (computed
   from `iat` timestamps).
3. `atd:checkpoint` ECTs precede `update_rules` ECTs (from
   `require_checkpoint_before`).
4. Targets in `ext` claims do not match `forbidden_targets`.

Verification results are ECTs:

- `exec_act`: `"apae:compliance_check"`

~~~json
{
  "exec_act": "apae:compliance_check",
  "par": ["latest-agent-ect-uuid"],
  "ext": {
    "apae.compliance_status": "passing",
    "apae.violations": [],
    "apae.spec_version": "1.0",
    "apae.window": "2026-03-01T12:00:00Z/PT1H"
  }
}
~~~
{: #fig-compliance title="Compliance Check ECT"}

Violations trigger trust score decreases (`policy_violation` event)
and MAY trigger HITL escalation.

A violation compliance check ECT looks like:

~~~json
{
  "exec_act": "apae:compliance_check",
  "par": ["offending-ect-uuid"],
  "ext": {
    "apae.compliance_status": "failing",
    "apae.violations": [
      {
        "rule": "require_checkpoint_before",
        "action": "update_rules",
        "ect": "offending-ect-uuid",
        "description": "update_rules at 12:03:15 has no preceding atd:checkpoint within 10s"
      }
    ],
    "apae.spec_version": "1.0",
    "apae.window": "2026-03-01T12:00:00Z/PT1H"
  }
}
~~~
{: #fig-violation title="Compliance Violation ECT"}

# Data Provenance {#provenance}

## DAG as Provenance Chain

The ECT DAG already encodes data provenance: each ECT's `par`
references show which prior tasks produced its inputs.  The
`inp_hash` and `out_hash` claims prove what was processed without
revealing the data.

For deployments requiring explicit provenance metadata, agents
MAY include:

~~~json
{
  "ext": {
    "apae.data_source": "database:patients",
    "apae.data_classification": "pii",
    "apae.retention_days": 365,
    "apae.transformations": ["anonymize", "aggregate"]
  }
}
~~~
{: #fig-provenance title="Provenance Extension Claims"}

At Regulated assurance level, all data-transforming ECT nodes
MUST include provenance claims.

## Provenance Queries

At L3, the audit ledger enables provenance queries:

- "Which agents touched this data?" → walk `par` chain from
  final ECT to roots.
- "Was this data transformed?" → check `apae.transformations`
  along the chain.
- "Is provenance complete?" → verify all `par` references
  resolve to ledger entries.

# Cross-Domain Trust {#cross-domain}

## Trust Domain Basics

A trust domain is an administrative boundary within which a
single trust anchor (CA certificate or JWK set) governs agent
identity.  Trust scores are local to a trust domain by default.

## Trust Domain Registration

Each trust domain MUST publish a trust anchor at a well-known URI:

~~~
GET /.well-known/apae/trust-anchor HTTP/1.1
~~~

The response MUST be a JSON object containing:

~~~json
{
  "domain": "example.com",
  "trust_anchor_type": "jwks",
  "trust_anchor_uri": "https://example.com/.well-known/jwks.json",
  "contact": "trust-admin@example.com"
}
~~~
{: #fig-trust-anchor title="Trust Anchor Document"}

## Cross-Domain Delegation

When Agent A (domain X) delegates to Agent B (domain Y):

1. A MUST verify that its ACP-DAG-HITL policy permits cross-domain
   delegation to domain Y (bilateral trust agreement).
2. A fetches B's trust anchor document to verify B's identity.
3. A creates an `apae:cross_domain_assertion` ECT linking the
   two domains.
4. Both A and B include their domain in ECT `iss` claims.

~~~json
{
  "exec_act": "apae:cross_domain_assertion",
  "ext": {
    "apae.source_domain": "example.com",
    "apae.dest_domain": "hospital.example",
    "apae.bilateral_agreement_ref": "agreement-id-2026-001",
    "apae.min_assurance": "L2"
  }
}
~~~
{: #fig-cross-domain title="Cross-Domain Assertion ECT"}

The ASCII diagram below illustrates a cross-domain delegation:

~~~
Domain: example.com         Domain: hospital.example
┌──────────────────┐        ┌──────────────────────┐
│  Agent A         │  AEPB  │  Agent B             │
│  (orchestrator)  ├───────►│  (treatment planner) │
│  ECT: L2         │        │  ECT: L3             │
└──────────────────┘        └──────────────────────┘
         │                           │
         └─── cross_domain_assertion ECT ──┘
              (bilateral agreement verified)
~~~
{: #fig-cross-domain-diag title="Cross-Domain Delegation"}

## Cross-Domain Trust Scores

Trust scores do not transfer across domain boundaries by default.
When Agent A in domain X has no prior interactions with Agent B
in domain Y:

- If a bilateral trust agreement exists: initial trust is set to
  the agreement's `default_trust` value (negotiated out of band).
- If no agreement exists: delegation MUST be rejected (zero-trust
  default).

Cross-domain trust scores are isolated from intra-domain scores
and are stored separately in the trust table.

# Assurance Profiles {#profiles}

## Profile Definitions

An assurance profile is a named configuration that selects which
mechanisms are required.  Profiles MUST be declared in ACP-DAG-HITL
workflow policy and announced in the AEPB capability document.

| Mechanism | Relaxed | Standard | Regulated |
|-----------|---------|----------|-----------|
| **ECT level** | L1 | L2 | L3 |
| **Trust scoring** | Optional | RECOMMENDED | REQUIRED |
| **Trust threshold enforcement** | Optional | RECOMMENDED | REQUIRED |
| **Behavior verification** | Off | Periodic | Continuous |
| **HITL approval gates** | Optional | Critical paths | Mandatory |
| **Data provenance claims** | Off | Optional | REQUIRED |
| **Checkpoint before consequential** | RECOMMENDED | REQUIRED | REQUIRED |
| **Audit ledger** | Optional | Optional | REQUIRED |
| **Quarantine protocol** | Optional | RECOMMENDED | REQUIRED |
| **Cross-domain trust agreements** | Optional | Required if cross-domain | Required if cross-domain |
{: #fig-profiles title="Assurance Profile Requirements"}

Relaxed:
: Internal dev/staging.  L1 ECTs.  Trust and verification
  optional.  Useful for debugging and observability without
  cryptographic overhead.

Standard:
: Production cross-org.  L2 ECTs.  Trust scoring and thresholds
  recommended.  Periodic behavior verification.  HITL on critical
  paths.

Regulated:
: Healthcare, finance, EU AI Act.  L3 ECTs with audit ledger.
  Continuous behavior verification.  All trust mechanisms
  required.  Full provenance chain.  Mandatory HITL gates.

Profiles are declared in ACP-DAG-HITL node constraints:

~~~json
{
  "constraints": {
    "apae.assurance_profile": "regulated"
  }
}
~~~
{: #fig-profile-policy title="Profile as Node Constraint"}

A single deployment MAY use different profiles for different
workflows.

## Profile Selection Guidance

Operators SHOULD select profiles using the following decision
table:

| Deployment context | Recommended profile |
|-------------------|--------------------|
| Unit tests, local development | Relaxed |
| Internal production (single org) | Standard |
| Cross-organization production | Standard (with trust agreements) |
| Financial services, EU AI Act critical | Regulated |
| Healthcare (HIPAA, clinical trials) | Regulated |
| Critical infrastructure (NIS2) | Regulated |
{: #fig-profile-selection title="Profile Selection Guidance"}

## Upgrade Path Between Profiles

Operators MUST NOT downgrade assurance profile during an active
workflow.

Relaxed → Standard:
: (1) Add ECT signing keys (WIMSE WIT or X.509). (2) Update ECT
  emission to sign tokens. (3) Configure trust scoring
  (alpha/beta, initial trust, thresholds). (4) Define behavior
  specifications for critical agents. (5) Add HITL approval gates
  on critical DAG paths.

Standard → Regulated:
: (1) Configure audit ledger endpoint. (2) Update ECT emission
  to commit each ECT to ledger. (3) Enable continuous behavior
  verification (change `verification_frequency` from `periodic`
  to `continuous`). (4) Enable provenance claims on all
  data-transforming ECTs. (5) Add mandatory HITL gates on all
  consequential actions. (6) Enable quarantine protocol.

# Security Considerations

## Trust Score Sensitivity

Trust scores are sensitive metadata.  Agents MUST NOT expose
full trust tables.  Only pairwise assertions SHOULD be shared,
and only in response to explicit authenticated requests.

## Score Inflation (Adversarial Trust Building)

An adversary performs many small successful interactions to
inflate trust, then executes a malicious action.  Mitigation:

- Apply double penalty (`beta^2`) for `policy_violation` events.
- Enforce high trust thresholds for high-risk actions.
- Rate-limit trust score increases: an agent MUST NOT increase
  trust by more than 0.1 per day toward any single peer.
- Use behavior verification continuously at Standard+.

## Attestation Freshness

Stale compliance check ECTs MUST be rejected.  The verifier MUST
check that `apae:compliance_check` ECTs have `iat` within the
configured verification window (default: 1 hour for Standard,
5 minutes for Regulated).

## Provenance Chain Forgery

Each provenance hop must be signed (L2+) to prevent injection
of false provenance records.  Agents MUST verify the signature
on all `par`-linked ECTs before accepting provenance claims.

## Sybil Attack on Trust

Fake agents inflate trust for each other to gain influence.
Mitigation:

- Trust propagation attenuation (default 0.5) limits the impact
  of second-hand assertions.
- Maximum hop count of 1 for trust propagation.
- Require agents to be registered in a trusted directory before
  initial trust is assigned above the floor value.

## Cross-Domain Trust Downgrade

An attacker forces delegation through an untrusted domain by
presenting a forged bilateral agreement.  Mitigation:

- Bilateral trust agreements MUST be signed by operators of
  both domains.
- Agents MUST verify the agreement signature before accepting
  cross-domain delegations.
- Cross-domain ECTs MUST use L2+ assurance.

## Quarantine Evasion

An agent subject to quarantine re-registers under a different
identity to escape the quarantine.  Mitigation:

- Quarantine ECTs are broadcast; receiving agents record the
  quarantine by both agent ID and by behavioral fingerprint.
- Agents SHOULD require re-onboarding with operator approval
  before accepting new identities from known-quarantined domains.

# IANA Considerations

## Assurance Profile Registry

This document requests the creation of the "APAE Assurance Profile
Registry" under IANA.  Registration policy: Specification Required.

Initial entries:

| Profile Name | Profile URI | Description | Reference |
|-------------|------------|-------------|-----------|
| Relaxed | `urn:ietf:params:apae:profile:relaxed` | Dev/test, L1 ECTs | This document |
| Standard | `urn:ietf:params:apae:profile:standard` | Production, L2 ECTs | This document |
| Regulated | `urn:ietf:params:apae:profile:regulated` | Regulated, L3 ECTs | This document |
{: #fig-profile-registry title="Assurance Profile Registry"}

## `exec_act` Values

This document requests registration in the AEM Ecosystem
Extension Registry:

| Value | Description | Reference |
|-------|-------------|-----------|
| `apae:trust_assertion` | Sharing trust score for a peer | This document |
| `apae:trust_revoke` | Revoking delegations due to low trust | This document |
| `apae:compliance_check` | Behavior verification result | This document |
| `apae:quarantine` | Agent quarantine entry or exit | This document |
| `apae:cross_domain_assertion` | Cross-domain delegation evidence | This document |
{: #fig-iana-actions title="APAE exec_act Registrations"}

## Well-Known URI

This document requests registration of `apae/trust-anchor` as a
well-known URI suffix per RFC 8615 for trust domain anchor
publication.

--- back

# Acknowledgments
{:numbered="false"}

APAE builds on ECT {{I-D.nennemann-wimse-ect}} for interaction
evidence and audit, and ACP-DAG-HITL
{{I-D.nennemann-agent-dag-hitl-safety}} for trust threshold and
assurance profile policy enforcement.  The AIMD trust model is
adapted from TCP congestion control (RFC 5681).  Behavior
verification is informed by RATS architecture {{RFC9334}}.