c/ietf-draft-analyzer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e83491cb91623976150ca3b0d3a090993164e421
ietf-draft-analyzer/data/reports/draft-proposals/camel-inspired/00-index.md
Christian Nennemann 5ec7410b89 feat: proposal intake pipeline with AI-powered generation on /proposals/new 
Add full proposal system: DB schema (proposals + proposal_gaps tables),
CLI `ietf intake` command, and web UI with Quick Generate on /proposals/new.
The new page merges AI intake (paste URL/text → Haiku generates multiple
proposals auto-linked to gaps) with manual form entry. Generated proposals
are clickable cards that fill the editor below for refinement.

Uses claude_model_cheap (Haiku) for cost-efficient web intake. Includes
CaML-inspired draft proposals from arXiv:2503.18813 analysis.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 03:15:11 +01:00

80 lines
3.9 KiB
Markdown
Raw Blame History

---
title: "CaML-Inspired IETF Draft Proposals"
source_paper: "Defeating Prompt Injections by Design (arXiv:2503.18813)"
source_authors: "Debenedetti, Shumailov, Fan, Hayes, Carlini, Fabian, Kern, Shi, Terzis, Tramèr"
date: 2026-03-09
status: proposal
---
# CaML-Inspired IETF Draft Proposals
Six IETF Internet-Draft proposals derived from [Defeating Prompt Injections by Design](https://arxiv.org/abs/2503.18813) (Google DeepMind / ETH Zurich, 2025), cross-referenced with the 12 identified gaps in the IETF AI agent standards landscape.
## Source Paper: CaML (CApabilities for MachinE Learning)
CaML proposes a **capability-based security layer** around LLM agents that defeats prompt injection attacks by design, not through model training. Key concepts:
- **Privileged/Quarantined LLM separation**: planning (trusted) vs. data processing (untrusted)
- **Capability tags**: every data value carries provenance (source) and access control (allowed readers)
- **Security policies**: Python-expressible per-tool policies checked before execution
- **Data flow graph**: tracks dependencies between all variables across tool calls
- **Control flow integrity**: prevents untrusted data from influencing execution plans
- Evaluated on AgentDojo: 77% task success with **provable** security (vs. 84% undefended)
## Draft Overview
| # | Draft Name | Status | Primary Gaps | CaML Section |
|---|-----------|--------|-------------|-------------|
| 1 | [Capability-Based Security Policies](01-capability-security-policies.md) | outline | #86, #89, #93 | §5.2, §5.3 |
| 2 | [Control/Data Flow Integrity](02-control-data-flow-integrity.md) | outline | #85, #88, #89 | §2, §5.4, §6.4 |
| 3 | [Data Provenance Tracking Protocol](03-data-provenance-tracking.md) | outline | #84, #88, #93 | §5.3, §5.4 |
| 4 | [Security Policy Federation](04-security-policy-federation.md) | outline | #83, #87, #90 | §5.2, §9.1 |
| 5 | [Privileged/Quarantined Execution Model](05-privileged-quarantined-execution.md) | outline | #89, #92, #94 | §5.1 |
| 6 | [Side-Channel Mitigation Framework](06-side-channel-mitigation.md) | outline | #89, #93 | §7 |
## Dependency Graph
```
Draft 5 (Execution Model)
└─► Draft 1 (Capabilities) ◄── foundational
├─► Draft 2 (Flow Integrity)
├─► Draft 3 (Provenance)
└─► Draft 4 (Policy Federation)
└─► Draft 6 (Side Channels) ◄── BCP document
```
**Reading order**: 5 → 1 → 2/3 (parallel) → 4 → 6
## Gap Coverage Matrix
| Gap | Topic | Drafts |
|-----|-------|--------|
| #83 | Cross-org AI agent liability | 4 |
| #84 | Real-time explainability | 3 |
| #85 | Emergency shutdown coordination | 2 |
| #86 | Resource consumption governance | 1 |
| #87 | Cross-domain identity federation | 4 |
| #88 | Decision audit trail interop | 2, 3 |
| #89 | Adversarial agent detection | 1, 2, 5, 6 |
| #90 | Capability negotiation protocols | 4 |
| #91 | Decentralized model version control | — |
| #92 | Ethical decision conflict resolution | 5 (partial) |
| #93 | Privacy-preserving A2A communication | 1, 3, 6 |
| #94 | Behavioral specification languages | 5 |
## Relationship to Existing Work
These drafts **build on** (not compete with) existing IETF work:
- **WIMSE** (Workload Identity in Multi-System Environments): identity + security context propagation → our capabilities extend this with data-level provenance
- **ECT** (Execution Context Tokens): DAG-linked audit records → our provenance tracking is complementary
- **MCP** (Model Context Protocol): tool interface standard → our security policies wrap around MCP tool calls
- **A2A** (Agent-to-Agent): agent communication → our flow integrity applies to A2A message exchanges
- **GNAP/OAuth**: authorization → our policy federation extends authz to data-flow-aware decisions
## Iteration Tracking
| Date | Change | Author |
|------|--------|--------|
| 2026-03-09 | Initial outlines for all 6 drafts | — |
Reference in New Issue View Git Blame Copy Permalink