| Internet-Draft | +WIMSE Execution Context | +February 2026 | +
| Nennemann | +Expires 28 August 2026 | +[Page] | +
This document defines Execution Context Tokens (ECTs), an extension +to the Workload Identity in Multi System Environments (WIMSE) +architecture for distributed agentic workflows in regulated +environments. ECTs provide cryptographic proof of task execution +order, policy enforcement decisions, and compliance state across +agent-to-agent communication. By extending WIMSE Workload Identity +Tokens with execution context claims in JSON Web Token (JWT) +format, this specification enables regulated systems to maintain +structured audit trails that support compliance verification. +ECTs use a directed acyclic graph (DAG) structure to represent task +dependencies, record policy evaluation outcomes at each decision +point, and integrate with WIMSE Workload Identity Tokens (WIT) and +Workload Proof Tokens (WPT) using the same signing model and +cryptographic primitives. A new HTTP header field, +Execution-Context, is defined for transporting ECTs alongside +existing WIMSE headers. ECTs are a technical building block that +supports, but does not by itself constitute, compliance with +regulatory frameworks.¶
++ This Internet-Draft is submitted in full conformance with the + provisions of BCP 78 and BCP 79.¶
++ Internet-Drafts are working documents of the Internet Engineering Task + Force (IETF). Note that other groups may also distribute working + documents as Internet-Drafts. The list of current Internet-Drafts is + at https://datatracker.ietf.org/drafts/current/.¶
++ Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress."¶
++ This Internet-Draft will expire on 28 August 2026.¶
++ Copyright (c) 2026 IETF Trust and the persons identified as the + document authors. All rights reserved.¶
++ This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with + respect to this document. Code Components extracted from this + document must include Revised BSD License text as described in + Section 4.e of the Trust Legal Provisions and are provided without + warranty as described in the Revised BSD License.¶
+The Workload Identity in Multi System Environments (WIMSE) +framework [I-D.ietf-wimse-arch] provides robust workload +authentication through Workload Identity Tokens (WIT) and Workload +Proof Tokens (WPT). The WIMSE service-to-service protocol +[I-D.ietf-wimse-s2s-protocol] defines how workloads authenticate +each other across call chains using the Workload-Identity and +Workload-Proof-Token HTTP headers.¶
+However, workload identity alone does not address execution +accountability. Knowing who performed an action does not prove +what was done, what policy was applied, or whether compliance +requirements were satisfied at each decision point.¶
+Regulated environments increasingly deploy autonomous agents that +coordinate across organizational boundaries. Multiple regulatory +frameworks motivate the need for structured execution records:¶
+The EU Artificial Intelligence Act [EU-AI-ACT] Article 12 +requires high-risk AI systems to be designed with capabilities +enabling automatic recording of events ("logs") while the +system is operating.¶
+The U.S. FDA 21 CFR Part 11 [FDA-21CFR11] requires +computer-generated, timestamped audit trails that independently +record the date, time, operator identity, and actions taken +(Section 11.10(e)).¶
+The Markets in Financial Instruments Directive (MiFID II) +[MIFID-II] requires firms to maintain records of transactions +and orders that are sufficient to enable supervisory authorities +to monitor compliance.¶
+The Digital Operational Resilience Act (DORA) [DORA] Article 12 +requires financial entities to have logging policies that record +ICT activities and anomalies.¶
+This document defines an extension to the WIMSE architecture that +addresses the gap between workload identity and execution +accountability. WIMSE authenticates agents; this extension records +what they did, in what order, and what policy was evaluated.¶
+As identified in [I-D.ni-wimse-ai-agent-identity], call context +in agentic workflows must always be visible and preserved. ECTs +provide a mechanism to address this requirement with cryptographic +assurances.¶
+Three core gaps exist in current approaches to regulated agentic +systems:¶
+WIMSE authenticates agents but does not record what they +actually did. A WIT proves "Agent A is authorized" but not +"Agent A executed Task X, under Policy Y, producing Output Z."¶
+No standard mechanism exists to record policy evaluation +outcomes at each decision point in a multi-agent workflow.¶
+No mechanism exists to cryptographically link compensation and +rollback decisions to original actions.¶
+Existing observability tools such as distributed tracing +[OPENTELEMETRY] provide visibility for debugging and monitoring +but do not provide cryptographic assurances. Tracing data is not +cryptographically signed, not tamper-evident, and not designed for +regulatory audit scenarios.¶
+This document defines:¶
+Policy checkpoint recording (Section 4.2.3)¶
+The following are out of scope and are handled by WIMSE:¶
+ +ECTs are a technical mechanism that can support compliance programs +by providing structured, cryptographically signed execution +records. ECTs do not by themselves constitute compliance with any +regulatory framework referenced in this document.¶
+Compliance with each referenced regulation requires organizational +controls, policies, procedures, validation, and governance measures +beyond the scope of this specification. The regulatory references +in this document are intended to motivate the design requirements, +not to claim that implementing ECTs satisfies these regulations.¶
+ECTs provide evidence of claimed execution ordering and policy +evaluation. They do not independently verify that the claimed +execution actually occurred as described, that the policy +evaluation was correct, or that the agent faithfully performed the +stated action. The trustworthiness of ECT claims depends on the +trustworthiness of the signing agent and the integrity of the +broader deployment environment.¶
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", +"MAY", and "OPTIONAL" in this document are to be interpreted as +described in BCP 14 [RFC2119] [RFC8174] when, and only when, they +appear in all capitals, as shown here.¶
+The following terms are used in this document:¶
+An autonomous workload, as defined by WIMSE +[I-D.ietf-wimse-arch], that executes tasks within a workflow.¶
+A discrete unit of agent work that consumes inputs and produces +outputs.¶
+A graph structure representing task dependency ordering where +edges are directed and no cycles exist.¶
+A JSON Web Token [RFC7519] defined by this specification that +records task execution details and policy evaluation outcomes.¶
+An append-only, immutable log of all ECTs within a workflow or +set of workflows, used for regulatory audit and compliance +verification.¶
+A point in a workflow where a policy evaluation outcome is +recorded within an ECT.¶
+A WIMSE credential proving a workload's identity within a trust +domain.¶
+A WIMSE proof-of-possession token used for request-level +authentication.¶
+A WIMSE concept representing an organizational boundary with a +shared identity issuer, corresponding to a SPIFFE [SPIFFE] +trust domain.¶
+A third-party entity that observes and attests to the execution +of a task, providing additional accountability.¶
+The WIMSE architecture [I-D.ietf-wimse-arch] defines:¶
+Workload Identity Tokens (WIT) that prove a workload's identity +within a trust domain ("I am Agent X in trust domain Y")¶
+Workload Proof Tokens (WPT) that prove possession of the private +key associated with a WIT ("I control the key for Agent X")¶
+Multi-hop authentication via the service-to-service protocol +[I-D.ietf-wimse-s2s-protocol]¶
+The following execution accountability needs are complementary to +the WIMSE scope and are not addressed by workload identity alone:¶
+ +ECTs extend WIMSE by adding an execution accountability layer +between the identity layer and the application layer:¶
+++--------------------------------------------------+ +| WIMSE Layer (Identity) | +| WIT: "I am Agent X (spiffe://td/agent/x)" | +| WPT: "I prove I control the key for Agent X" | ++--------------------------------------------------+ + | + v ++--------------------------------------------------+ +| ECT Layer (Execution Accountability) [This Spec]| +| ECT: "Task executed, dependencies met, | +| policy evaluated, outcome recorded" | ++--------------------------------------------------+ + | + v ++--------------------------------------------------+ +| Ledger Layer (Immutable Record) | +| "All ECTs appended to audit ledger" | ++--------------------------------------------------+ ++
This extension reuses the WIMSE signing model, extends JWT claims +using standard JWT extensibility [RFC7519], and maintains WIMSE +concepts including trust domains and workload identifiers.¶
+An ECT integrates with the WIMSE identity framework through the +following mechanisms:¶
+The ECT JOSE header "kid" parameter MUST reference the public +key identifier from the agent's WIT.¶
+The ECT "iss" claim MUST use the WIMSE workload identifier +format (a SPIFFE ID [SPIFFE]).¶
+The ECT MUST be signed with the same private key used to +generate the agent's WPT.¶
+The ECT signing algorithm (JOSE header "alg" parameter) MUST +match the algorithm used in the corresponding WIT.¶
+When an agent makes an HTTP request to another agent, the three +tokens are carried in their respective HTTP header fields:¶
++HTTP Request from Agent A to Agent B: + Workload-Identity: <WIT for Agent A> + Workload-Proof-Token: <WPT proving A controls key> + Execution-Context: <ECT recording what A did> ++
The receiving agent (Agent B) verifies in order:¶
+ +An Execution Context Token is a JSON Web Token (JWT) [RFC7519] +signed as a JSON Web Signature (JWS) [RFC7515] using the Compact +Serialization. JWS JSON Serialization MUST NOT be used for ECTs.¶
+The ECT JOSE header MUST contain the following parameters:¶
+
+{
+ "alg": "ES256",
+ "typ": "wimse-exec+jwt",
+ "kid": "agent-a-key-id-123"
+}
+
+REQUIRED. The digital signature algorithm used to sign the ECT. +MUST match the algorithm in the corresponding WIT. +Implementations MUST support ES256 [RFC7518]. The "alg" +value MUST NOT be "none". Symmetric algorithms (e.g., HS256, +HS384, HS512) MUST NOT be used, as ECTs require asymmetric +signatures for non-repudiation.¶
+REQUIRED. MUST be set to "wimse-exec+jwt" to distinguish ECTs +from other JWT types, consistent with the WIMSE convention for +type parameter values.¶
+REQUIRED. The key identifier referencing the public key from +the agent's WIT [RFC7517]. Used by verifiers to look up the +correct public key for signature verification.¶
+The ECT payload contains both WIMSE-compatible standard JWT claims +and execution context claims defined by this specification.¶
+The following standard JWT claims [RFC7519] MUST be present in +every ECT:¶
+REQUIRED. StringOrURI. The issuer of the ECT, which MUST be
+the workload's SPIFFE ID in the format
+spiffe://<trust-domain>/<path>. This MUST match the "sub"
+claim of the agent's WIT.¶
OPTIONAL. StringOrURI. The subject of the ECT. When present, +MUST equal the "iss" claim.¶
+REQUIRED. StringOrURI or array of StringOrURI. The intended +recipient(s) of the ECT. Typically the next agent in the +workflow or the ledger endpoint.¶
+REQUIRED. NumericDate. The time at which the ECT was issued. +The ECT records a completed action, so the "iat" value reflects +when the record was created, not when task execution began.¶
+REQUIRED. NumericDate. The expiration time of the ECT. +Implementations SHOULD set this to 5 to 15 minutes after "iat" +to limit the replay window while allowing for reasonable clock +skew and processing time.¶
+OPTIONAL. String. A unique identifier for the ECT, useful for +additional replay detection.¶
+The following claims are defined by this specification:¶
+OPTIONAL. String. A workflow identifier that groups related +ECTs into a single workflow. When present, MUST be a UUID +[RFC9562]. When absent, the "tid" uniqueness requirement +applies globally across the entire ledger.¶
+REQUIRED. String. A globally unique task identifier in UUID +format [RFC9562]. Each task MUST have a unique "tid" value. +When "wid" is present, uniqueness is scoped to the workflow; +when "wid" is absent, uniqueness MUST be enforced globally +across the ledger.¶
+REQUIRED. String. The action or task type identifier describing +what the agent performed (e.g., "process_payment", +"validate_safety", "calculate_dosage"). Note: this claim is +intentionally named "exec_act" rather than "act" to avoid +collision with the "act" (Actor) claim registered by +[RFC8693].¶
+REQUIRED. Array of strings. Parent task identifiers +representing DAG dependencies. Each element MUST be a valid +"tid" from a previously executed task. An empty array indicates +a root task with no dependencies. A workflow MAY contain +multiple root tasks.¶
+The following claims record policy evaluation outcomes:¶
+REQUIRED. String. The identifier of the policy rule that was +evaluated for this task (e.g., +"clinical_data_access_policy_v1").¶
+REQUIRED. String. The result of the policy evaluation. MUST +be one of: "approved", "rejected", or "pending_human_review".¶
+OPTIONAL. StringOrURI. The identity of the entity (system or +person) that evaluated the policy decision. When present, +SHOULD use SPIFFE ID format.¶
+OPTIONAL. NumericDate. The time at which the policy decision +was made. When present, MUST be equal to or earlier than the +"iat" claim.¶
+The following claims provide integrity verification for task +inputs and outputs without revealing the data itself:¶
+OPTIONAL. String. A cryptographic hash of the input data, +formatted as "hash-algorithm:base64url-encoded-hash" (e.g., +"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The +hash algorithm identifier SHOULD be "sha-256". The hash MUST be +computed over the raw octets of the input data.¶
+OPTIONAL. String. A cryptographic hash of the output data, +using the same format as "inp_hash".¶
+OPTIONAL. String. The data sensitivity classification of the +input (e.g., "public", "confidential", "restricted").¶
+The following claims provide additional operational context:¶
+OPTIONAL. Integer. The execution duration of the task in +milliseconds. MUST be a non-negative integer.¶
+OPTIONAL. String. The regulatory domain applicable to this +task. Values are drawn from an extensible set; initial values +include "medtech", "finance", and "military".¶
+OPTIONAL. String. The version identifier of the AI or ML model +used to perform the task, if applicable.¶
+OPTIONAL. Array of StringOrURI. Identifiers of third-party +entities that observed or attested to the execution of this +task. When present, each element SHOULD use SPIFFE ID format. +In regulated environments, implementations SHOULD use witness +attestation for critical decision points to mitigate the risk +of single-agent false claims.¶
+OPTIONAL. Boolean. Indicates whether this task is a +compensation or rollback action for a previous task.¶
+OPTIONAL. String. A human-readable reason for the compensation +action. MUST be present if "compensation_required" is true.¶
+Note: compensation ECTs reference historical parent tasks via the +"par" claim. The referenced parent ECTs may have passed their own +"exp" time; ECT expiration applies to the verification window of +the ECT itself, not to its validity as a parent reference in the +ledger.¶
+OPTIONAL. Object. An extension object for domain-specific +claims not defined by this specification. Implementations +that do not understand extension claims SHOULD ignore them. +To avoid key collisions between different domains, extension +key names SHOULD use reverse domain notation (e.g., +"com.example.custom_field").¶
+The "ext" claim is a generic extension mechanism; it is not +registered in the IANA JWT Claims registry because its semantics +depend on the domain-specific claims within it.¶
+The following is a complete ECT payload example:¶
+
+{
+ "iss": "spiffe://example.com/agent/clinical",
+ "sub": "spiffe://example.com/agent/clinical",
+ "aud": "spiffe://example.com/agent/safety",
+ "iat": 1772064150,
+ "exp": 1772064750,
+
+ "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
+ "tid": "550e8400-e29b-41d4-a716-446655440001",
+ "exec_act": "recommend_treatment",
+ "par": [],
+
+ "pol": "clinical_reasoning_policy_v2",
+ "pol_decision": "approved",
+ "pol_enforcer": "spiffe://example.com/policy/clinical-engine",
+ "pol_timestamp": 1772064145,
+
+ "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+ "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
+ "inp_classification": "confidential",
+ "exec_time_ms": 245,
+ "regulated_domain": "medtech",
+ "model_version": "clinical-reasoning-v4.2",
+
+ "witnessed_by": [
+ "spiffe://example.com/audit/observer-1"
+ ]
+}
+
+This specification defines the Execution-Context HTTP header field +[RFC9110] for transporting ECTs between agents.¶
+The header field value is the ECT in JWS Compact Serialization +format [RFC7515]. The value consists of three Base64url-encoded +parts separated by period (".") characters.¶
+An agent sending a request to another agent includes the +Execution-Context header alongside the WIMSE Workload-Identity +and Workload-Proof-Token headers:¶
++GET /api/safety-check HTTP/1.1 +Host: safety-agent.example.com +Workload-Identity: eyJhbGci...WIT... +Workload-Proof-Token: eyJhbGci...WPT... +Execution-Context: eyJhbGci...ECT... ++
When multiple parent tasks contribute context to a single request, +multiple Execution-Context header field lines MAY be included, each +carrying a separate ECT in JWS Compact Serialization format.¶
+ECTs form a Directed Acyclic Graph (DAG) where each task +references its parent tasks via the "par" claim. This structure +provides a cryptographically signed record of execution ordering, +enabling auditors to reconstruct the complete workflow and verify +that required predecessor tasks were recorded before dependent +tasks.¶
+When receiving and verifying an ECT, implementations MUST perform +the following DAG validation steps:¶
+Task ID Uniqueness: The "tid" claim MUST be unique within the +applicable scope (the workflow identified by "wid", or the +entire ledger if "wid" is absent). If a task with the same +"tid" already exists, the ECT MUST be rejected.¶
+Parent Existence: Every task identifier listed in the "par" +array MUST correspond to a task that has been previously +recorded in the ledger. If any parent task is not found, the +ECT MUST be rejected.¶
+Temporal Ordering: The "iat" value of every parent task MUST be +less than the "iat" value of the current task plus a +configurable clock skew tolerance (RECOMMENDED: 30 seconds). +If any parent task has an "iat" that violates this constraint, +the ECT MUST be rejected.¶
+Acyclicity: Following the chain of parent references MUST NOT +lead back to the current task's "tid". If a cycle is detected, +the ECT MUST be rejected.¶
+Trust Domain Consistency: Parent tasks SHOULD belong to the +same trust domain or to a trust domain with which a federation +relationship has been established.¶
+The following pseudocode describes the DAG validation procedure:¶
+
+function validate_dag(ect, ledger, clock_skew_tolerance):
+ // Step 1: Uniqueness check
+ if ledger.contains(ect.tid, ect.wid):
+ return error("Task ID already exists in ledger")
+
+ // Step 2: Parent existence and temporal ordering
+ for parent_id in ect.par:
+ parent = ledger.get(parent_id)
+ if parent is null:
+ return error("Parent task not found: " + parent_id)
+ if parent.iat >= ect.iat + clock_skew_tolerance:
+ return error("Parent task not earlier than current")
+
+ // Step 3: Cycle detection
+ visited = set()
+ if has_cycle(ect.tid, ect.par, ledger, visited):
+ return error("Circular dependency detected")
+
+ return success
+
+function has_cycle(target_tid, parent_ids, ledger, visited):
+ for parent_id in parent_ids:
+ if parent_id == target_tid:
+ return true
+ if parent_id in visited:
+ continue
+ visited.add(parent_id)
+ parent = ledger.get(parent_id)
+ if parent is not null:
+ if has_cycle(target_tid, parent.par, ledger, visited):
+ return true
+ return false
+
+The cycle detection traverses the ancestor graph rooted at the +current task's parents. The complexity is O(V) where V is the +number of ancestor nodes reachable from the current task's parent +references. For typical workflows with shallow DAGs, this is +efficient. Implementations SHOULD cache cycle detection results +for previously verified tasks to avoid redundant traversals.¶
+When an agent receives an ECT, it MUST perform the following +verification steps in order:¶
+Parse the JWS Compact Serialization to extract the JOSE header, +payload, and signature components per [RFC7515].¶
+Verify that the "typ" header parameter is "wimse-exec+jwt".¶
+Verify that the "alg" header parameter is not "none" and is +not a symmetric algorithm.¶
+Verify the "kid" header parameter references a known, valid +public key from a WIT within the trust domain.¶
+Retrieve the public key identified by "kid" and verify the JWS +signature per [RFC7515] Section 5.2.¶
+Verify the "alg" header parameter matches the algorithm in the +corresponding WIT.¶
+Verify the "iss" claim matches the "sub" claim of the WIT +associated with the "kid" public key.¶
+Verify the "aud" claim contains the verifier's own workload +identity or an expected recipient identifier.¶
+Verify the "exp" claim indicates the ECT has not expired.¶
+Verify the "iat" claim is not unreasonably far in the past +(implementation-specific threshold, RECOMMENDED maximum of +15 minutes).¶
+Verify all required claims ("tid", "exec_act", "par", "pol", +"pol_decision") are present and well-formed.¶
+Verify "pol_decision" is one of "approved", "rejected", or +"pending_human_review".¶
+If all checks pass, the ECT MUST be appended to the audit +ledger.¶
+If any verification step fails, the ECT MUST be rejected and the +failure MUST be logged for audit purposes. Error messages +SHOULD NOT reveal whether specific parent task IDs exist in the +ledger, to prevent information disclosure.¶
+
+function verify_ect(ect_jws, verifier_id,
+ trust_domain_keys, ledger):
+ // Parse JWS
+ (header, payload, signature) = parse_jws(ect_jws)
+
+ // Verify header
+ if header.typ != "wimse-exec+jwt":
+ return reject("Invalid typ parameter")
+
+ if header.alg == "none" or is_symmetric(header.alg):
+ return reject("Prohibited algorithm")
+
+ // Look up public key
+ public_key = trust_domain_keys.get(header.kid)
+ if public_key is null:
+ return reject("Unknown key identifier")
+
+ // Verify signature
+ if not verify_jws_signature(header, payload,
+ signature, public_key):
+ return reject("Invalid signature")
+
+ // Verify algorithm alignment
+ wit = get_wit_for_key(header.kid)
+ if header.alg != wit.alg:
+ return reject("Algorithm mismatch with WIT")
+
+ // Verify issuer matches WIT subject
+ if payload.iss != wit.sub:
+ return reject("Issuer does not match WIT subject")
+
+ // Verify audience
+ if verifier_id not in payload.aud:
+ return reject("ECT not intended for this recipient")
+
+ // Verify not expired
+ if payload.exp < current_time():
+ return reject("ECT has expired")
+
+ // Verify iat freshness
+ if payload.iat < current_time() - max_age_threshold:
+ return reject("ECT issued too long ago")
+
+ // Verify required claims
+ for claim in ["tid", "exec_act", "par",
+ "pol", "pol_decision"]:
+ if claim not in payload:
+ return reject("Missing required claim: " + claim)
+
+ // Validate pol_decision value
+ if payload.pol_decision not in
+ ["approved", "rejected", "pending_human_review"]:
+ return reject("Invalid pol_decision value")
+
+ // Validate DAG
+ result = validate_dag(payload, ledger,
+ clock_skew_tolerance)
+ if result is error:
+ return reject("DAG validation failed")
+
+ // All checks passed; append to ledger
+ ledger.append(payload)
+ return accept
+
+ECTs are designed to be recorded in an immutable audit ledger for +compliance verification and post-hoc analysis. This specification +defines the logical interface for the ledger but does not mandate +a specific storage technology. Implementations MAY use +append-only logs, databases with cryptographic commitment schemes, +distributed ledgers, or any storage mechanism that provides the +required properties.¶
+An audit ledger implementation MUST provide:¶
+Append-only semantics: Once an ECT is recorded, it MUST NOT be +modified or deleted.¶
+Ordering: The ledger MUST maintain a total ordering of ECT +entries via a monotonically increasing sequence number.¶
+Lookup by task ID: The ledger MUST support efficient retrieval +of ECT entries by "tid" value.¶
+Integrity verification: The ledger SHOULD provide a mechanism +to verify that no entries have been tampered with (e.g., +hash chains or Merkle trees).¶
+The ledger SHOULD be maintained by an entity independent of the +workflow agents to reduce the risk of collusion.¶
+Each ledger entry is a logical record containing:¶
+
+{
+ "ledger_sequence": 42,
+ "task_id": "550e8400-e29b-41d4-a716-446655440001",
+ "agent_id": "spiffe://example.com/agent/clinical",
+ "action": "recommend_treatment",
+ "parents": [],
+ "ect_jws": "eyJhbGciOiJFUzI1NiIs...<complete JWS>",
+ "signature_verified": true,
+ "verification_timestamp": "2026-02-24T15:42:31.000Z",
+ "stored_timestamp": "2026-02-24T15:42:31.050Z"
+}
+
+The "ect_jws" field contains the full JWS Compact Serialization +and is the authoritative record. The other fields ("agent_id", +"action", "parents") are convenience indexes derived from the +ECT payload; if they disagree with the JWS payload, the JWS +payload takes precedence.¶
+This section describes representative use cases demonstrating how +ECTs provide execution records in regulated environments. These +examples demonstrate ECT mechanics; production deployments would +include additional domain-specific requirements beyond the scope +of this specification.¶
+Note: task identifiers in this section are abbreviated for +readability. In production, all "tid" values MUST be UUIDs per +[RFC9562].¶
+In a medical device software development lifecycle (SDLC), +AI agents assist across multiple phases from requirements +analysis through release approval. Regulatory frameworks +including [FDA-21CFR11] Section 11.10(e) and [EU-MDR] require +audit trails documenting the complete development process for +software used in medical devices.¶
++Agent A (Spec Reviewer): + tid: task-001 par: [] + exec_act: review_requirements_spec + pol: spec_review_policy_v2 pol_decision: approved + +Agent B (Code Generator): + tid: task-002 par: [task-001] + exec_act: implement_module + pol: coding_standards_v3 pol_decision: approved + +Agent C (Test Agent): + tid: task-003 par: [task-002] + exec_act: execute_test_suite + pol: test_coverage_policy_v1 pol_decision: approved + +Agent D (Build Agent): + tid: task-004 par: [task-003] + exec_act: build_release_artifact + pol: build_validation_v2 pol_decision: approved + +Human Release Manager: + tid: task-005 par: [task-004] + exec_act: approve_release + pol: release_approval_policy pol_decision: approved + pol_enforcer: spiffe://meddev.example/human/release-mgr-42 + witnessed_by: [spiffe://meddev.example/audit/qa-observer-1] ++
ECTs record that requirements were reviewed before implementation +began, that tests were executed against the implemented code, that +the build artifact was validated, and that a human release manager +explicitly approved the release. The DAG structure ensures no +phase was skipped or reordered.¶
+During a regulatory audit, an FDA reviewer requests evidence of +the development process for a specific software release. The +auditing authority retrieves all ECTs sharing the same workflow +identifier ("wid") from the audit ledger and reconstructs the +complete DAG:¶
++task-001 (review_requirements_spec) + | + v +task-002 (implement_module) + | + v +task-003 (execute_test_suite) + | + v +task-004 (build_release_artifact) + | + v +task-005 (approve_release) [human, witnessed] ++
The reconstructed DAG provides cryptographic evidence that:¶
+Each phase was executed by an identified and authenticated agent.¶
+Policy checkpoints were evaluated at every phase transition.¶
+The execution sequence was maintained (no step was bypassed).¶
+A human-in-the-loop approved the final release, with independent +witness attestation.¶
+Timestamps and execution durations are recorded for each step.¶
+This can contribute to compliance with:¶
+[FDA-21CFR11] Section 11.10(e): Computer-generated audit trails +that record the date, time, and identity of the operator.¶
+[EU-MDR] Annex II: Technical documentation traceability for the +software development lifecycle.¶
+[EU-AI-ACT] Article 12: Automatic logging capabilities for +high-risk AI systems involved in the development process.¶
+[EU-AI-ACT] Article 14: ECTs can record evidence that human +oversight events occurred during the release process.¶
+In a financial trading workflow, agents perform risk assessment, +compliance verification, and trade execution. The DAG structure +records that compliance checks were evaluated before trade +execution.¶
++Agent A (Risk Assessment): + tid: task-001 par: [] + exec_act: calculate_risk_exposure + pol: risk_limits_policy_v2 pol_decision: approved + +Agent B (Compliance): + tid: task-002 par: [task-001] + exec_act: verify_compliance + pol: compliance_check_v1 pol_decision: approved + +Agent C (Execution): + tid: task-003 par: [task-002] + exec_act: execute_trade + pol: execution_policy_v3 pol_decision: approved ++
This can contribute to compliance with:¶
+ +When a compliance violation is discovered after execution, ECTs +provide a mechanism to record authorized compensation actions with +a cryptographic link to the original task:¶
+
+{
+ "iss": "spiffe://bank.com/agent/operations",
+ "sub": "spiffe://bank.com/agent/operations",
+ "aud": "spiffe://bank.com/system/ledger",
+ "iat": 1772150550,
+ "exp": 1772151150,
+ "wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
+ "tid": "550e8400-e29b-41d4-a716-446655440099",
+ "exec_act": "initiate_trade_rollback",
+ "par": ["550e8400-e29b-41d4-a716-446655440003"],
+ "pol": "compensation_policy_v1",
+ "pol_decision": "approved",
+ "pol_enforcer": "spiffe://bank.com/human/compliance-officer",
+ "compensation_required": true,
+ "compensation_reason": "policy_violation_in_parent_trade"
+}
+
+The "par" claim links the compensation action to the original +trade, creating an auditable chain from execution through +violation discovery to remediation.¶
+In a logistics workflow, multiple compliance checks must complete +before shipment commitment. The DAG structure records that all +required checks were completed:¶
++Agent A (Route Planning): + tid: task-001 par: [] + exec_act: plan_route + pol: route_policy_v1 pol_decision: approved + +Agent B (Customs): + tid: task-002 par: [task-001] + exec_act: validate_customs + pol: customs_policy_v2 pol_decision: approved + +Agent C (Safety): + tid: task-003 par: [task-001] + exec_act: verify_cargo_safety + pol: safety_policy_v1 pol_decision: approved + +Agent D (Payment): + tid: task-004 par: [task-002, task-003] + exec_act: authorize_payment + pol: payment_policy_v3 pol_decision: approved + +System (Commitment): + tid: task-005 par: [task-004] + exec_act: commit_shipment + pol: commitment_policy_v1 pol_decision: approved ++
Note that tasks 002 and 003 both depend only on task-001 and can +execute in parallel. Task 004 depends on both, demonstrating the +DAG's ability to represent parallel execution with a join point.¶
+This section addresses security considerations following the +guidance in [RFC3552].¶
+The following threat actors are considered:¶
+Malicious agent (insider threat): An agent within the trust +domain that intentionally creates false ECT claims.¶
+Compromised agent (external attacker): An agent whose private +key has been obtained by an external attacker.¶
+Ledger tamperer: An entity attempting to modify or delete ledger +entries after they have been recorded.¶
+Time manipulator: An entity attempting to manipulate timestamps +to alter perceived execution ordering.¶
+ECTs are self-asserted by the executing agent. The agent claims +what it did, and this claim is signed with its private key. A +compromised or malicious agent could create ECTs with false claims +(e.g., setting "pol_decision" to "approved" without actually +evaluating the policy).¶
+ECTs do not independently verify that:¶
+The claimed execution actually occurred as described¶
+The policy evaluation was correctly performed¶
+The input/output hashes correspond to the actual data processed¶
+The agent faithfully performed the stated action¶
+The trustworthiness of ECT claims depends on the trustworthiness +of the signing agent. To mitigate single-agent false claims, +regulated environments SHOULD use the "witnessed_by" mechanism +to include independent third-party observers at critical decision +points.¶
+ECTs operate within a broader trust framework. The guarantees +provided by ECTs are only meaningful when the following +organizational controls are in place:¶
+Key management governance: Controls over who provisions agent +keys and how keys are protected.¶
+Ledger integrity governance: The ledger is maintained by an +entity independent of the workflow agents.¶
+Policy lifecycle management: Policy identifiers in ECTs map to +actual, validated policy rules.¶
+Agent deployment governance: Agents are deployed and maintained +in a manner that preserves their integrity.¶
+ECTs MUST be signed with the agent's private key using JWS +[RFC7515]. The signature algorithm MUST match the algorithm +specified in the agent's WIT. Receivers MUST verify the ECT +signature against the WIT public key before processing any +claims. Receivers MUST verify that the signing key has not been +revoked within the trust domain.¶
+If signature verification fails, the ECT MUST be rejected entirely +and the failure MUST be logged.¶
+Implementations MUST use established JWS libraries and MUST NOT +implement custom signature verification.¶
+ECTs include short expiration times (RECOMMENDED: 5-15 minutes) to +limit the window for replay attacks. The "aud" claim restricts +replay to unintended recipients: an ECT intended for Agent B +will be rejected by Agent C. The "iat" claim enables receivers to +reject ECTs that are too old, even if not yet expired.¶
+The DAG structure provides additional replay protection: an ECT +referencing parent tasks that already have a recorded child task +with the same action can be flagged as a potential replay.¶
+Implementations SHOULD maintain a cache of recently-seen "jti" +values (when present) to detect replayed ECTs within the +expiration window.¶
+ECTs do not replace transport-layer security. ECTs MUST be +transmitted over TLS or mTLS connections. When used with the WIMSE +service-to-service protocol [I-D.ietf-wimse-s2s-protocol], +transport security is already established. HTTP Message Signatures +[RFC9421] provide an alternative channel binding mechanism.¶
+The defense-in-depth model provides:¶
+ +If an agent's private key is compromised, an attacker can forge +ECTs that appear to originate from that agent. To mitigate this +risk:¶
+Implementations SHOULD use short-lived keys and rotate them +frequently (hours to days, not months).¶
+Private keys SHOULD be stored in Hardware Security Modules (HSMs) +or equivalent secure key storage.¶
+Trust domains MUST support rapid key revocation.¶
+Upon suspected compromise, the trust domain MUST revoke the +compromised key and issue a new WIT with a fresh key pair.¶
+ECTs signed with a compromised key that were recorded in the +ledger before revocation remain valid historical records but SHOULD +be flagged in the ledger as "signed with subsequently revoked key" +for audit purposes.¶
+A single malicious agent cannot forge parent task references +because DAG validation requires parent tasks to exist in the +ledger. However, multiple colluding agents could potentially +create a false execution history if they control the ledger.¶
+Mitigations include:¶
+Independent ledger maintenance: The ledger SHOULD be maintained +by an entity independent of the workflow agents.¶
+Witness attestation: Using the "witnessed_by" claim to include +independent third-party observers.¶
+Cross-verification: Multiple independent ledger replicas can be +compared for consistency.¶
+Out-of-band audit: External auditors periodically verify ledger +contents against expected workflow patterns.¶
+ECT signature verification is computationally inexpensive +(approximately 1ms per ECT on modern hardware for ES256). DAG +validation complexity is O(V) where V is the number of ancestor +nodes reachable from the parent references; for typical shallow +DAGs this is efficient.¶
+Implementations SHOULD apply rate limiting at the API layer to +prevent excessive ECT submissions. DAG validation SHOULD be +performed after signature verification to avoid wasting resources +on unsigned or incorrectly signed tokens.¶
+ECTs rely on timestamps ("iat", "exp") for temporal ordering. +Clock skew between agents can lead to incorrect ordering +judgments. Implementations SHOULD use synchronized time sources +(e.g., NTP) and SHOULD allow a configurable clock skew tolerance +(RECOMMENDED: 30 seconds).¶
+The temporal ordering check in DAG validation incorporates the +clock skew tolerance to account for minor clock differences +between agents.¶
+ECTs with many parent tasks or large extension objects can +increase HTTP header size. Implementations SHOULD limit the "par" +array to a reasonable size and SHOULD set maximum size limits for +the "ext" object to prevent abuse.¶
+ECTs necessarily reveal:¶
+Agent identities ("iss", "aud") for accountability purposes¶
+Action descriptions ("exec_act") for audit trail completeness¶
+Policy evaluation outcomes ("pol", "pol_decision") for +compliance verification¶
+Timestamps ("iat", "exp") for temporal ordering¶
+ECTs are designed to NOT reveal:¶
+ +Implementations SHOULD minimize the information included in ECTs. +The "exec_act" claim SHOULD use structured identifiers (e.g., +"process_payment") rather than natural language descriptions. +The "pol" claim SHOULD reference policy identifiers rather than +embedding policy content.¶
+ECTs stored in audit ledgers SHOULD be access-controlled so that +only authorized auditors and regulators can read them. +Implementations SHOULD consider encryption at rest for ledger +storage containing sensitive regulatory data.¶
+Full input and output data (corresponding to the hashes in ECTs) +SHOULD be stored separately from the ledger with additional access +controls, since auditors may need to verify hash correctness but +general access to the data values is not needed.¶
+ECTs are designed for interpretation by qualified human auditors +and regulators. ECTs provide structural records of execution +ordering and policy evaluation; they are not intended for public +disclosure.¶
+This document requests registration of the following media type +in the "Media Types" registry maintained by IANA:¶
+application¶
+wimse-exec+jwt¶
+none¶
+none¶
+8bit; an ECT is a JWT that is a JWS using the Compact +Serialization, which is a sequence of Base64url-encoded values +separated by period characters.¶
+See the Security Considerations section of this document.¶
+none¶
+This document¶
+Applications that implement regulated agentic workflows requiring +execution context tracing and audit trails.¶
+Magic number(s): none +File extension(s): none +Macintosh file type code(s): none¶
+Christian Nennemann, ietf@nennemann.de¶
+COMMON¶
+none¶
+Christian Nennemann¶
+IETF¶
+This document requests registration of the following header field +in the "Hypertext Transfer Protocol (HTTP) Field Name Registry" +maintained by IANA:¶
+ +This document requests registration of the following claims in +the "JSON Web Token Claims" registry maintained by IANA:¶
+| Claim Name | +Claim Description | +Change Controller | +Reference | +
|---|---|---|---|
| wid | +Workflow Identifier | +IETF | ++ Section 4.2.2 + | +
| tid | +Task Identifier | +IETF | ++ Section 4.2.2 + | +
| exec_act | +Action/Task Type | +IETF | ++ Section 4.2.2 + | +
| par | +Parent Task Identifiers | +IETF | ++ Section 4.2.2 + | +
| pol | +Policy Rule Identifier | +IETF | ++ Section 4.2.3 + | +
| pol_decision | +Policy Decision Result | +IETF | ++ Section 4.2.3 + | +
| pol_enforcer | +Policy Enforcer Identity | +IETF | ++ Section 4.2.3 + | +
| pol_timestamp | +Policy Decision Timestamp | +IETF | ++ Section 4.2.3 + | +
| inp_hash | +Input Data Hash | +IETF | ++ Section 4.2.4 + | +
| out_hash | +Output Data Hash | +IETF | ++ Section 4.2.4 + | +
| inp_classification | +Input Data Classification | +IETF | ++ Section 4.2.4 + | +
| exec_time_ms | +Execution Time (ms) | +IETF | ++ Section 4.2.5 + | +
| witnessed_by | +Witness Identities | +IETF | ++ Section 4.2.6 + | +
| regulated_domain | +Regulatory Domain | +IETF | ++ Section 4.2.5 + | +
| model_version | +AI/ML Model Version | +IETF | ++ Section 4.2.5 + | +
| compensation_required | +Compensation Flag | +IETF | ++ Section 4.2.7 + | +
| compensation_reason | +Compensation Reason | +IETF | ++ Section 4.2.7 + | +
A minimal conforming implementation should:¶
+Create JWTs with all required claims ("iss", "aud", "iat", +"exp", "tid", "exec_act", "par", "pol", "pol_decision").¶
+Sign ECTs with the agent's private key using an algorithm +matching the WIT (ES256 recommended).¶
+Verify ECT signatures against WIT public keys.¶
+Perform DAG validation (parent existence, temporal ordering, +cycle detection).¶
+Append verified ECTs to an audit ledger.¶
+Append-only log: Simplest approach; immutability by design.¶
+Database with hash chains: Periodic cryptographic commitments +over batches of entries.¶
+Distributed ledger: Maximum immutability guarantees for +cross-organizational audit.¶
+Hybrid: Hot storage in a database, cold archive in immutable +storage.¶
+ES256 signature verification: approximately 1ms per ECT on +modern hardware.¶
+DAG validation: O(V) where V is the number of reachable ancestor +nodes (typically small for shallow workflows).¶
+JSON serialization: sub-millisecond per ECT.¶
+Total per-request overhead: approximately 5-10ms, acceptable +for regulated workflows where correctness is prioritized over +latency.¶
+Implementations should use established JWT/JWS libraries (JOSE) +for token creation and verification. Custom cryptographic +implementations should not be used. Implementations should be +tested against multiple JWT libraries to ensure interoperability.¶
+The following table summarizes how ECTs can contribute to +compliance with various regulatory frameworks. ECTs are a +technical building block; achieving compliance requires +additional organizational measures beyond this specification.¶
+| Regulation | +Requirement | +ECT Contribution | +
|---|---|---|
| FDA 21 CFR Part 11 | +Audit trails recording date, time, operator, actions (11.10(e)) | +Cryptographic signatures and append-only ledger contribute to audit trail requirements | +
| EU MDR | +Technical documentation traceability (Annex II) | +ECTs provide signed records of AI-assisted decision sequences | +
| EU AI Act Art. 12 | +Automatic logging capabilities for high-risk AI | +ECTs contribute cryptographic activity logging | +
| EU AI Act Art. 14 | +Human oversight capability | +ECTs can record evidence that human oversight events occurred | +
| MiFID II | +Transaction records for supervisory authorities | +ECTs provide cryptographic execution sequence records | +
| DORA Art. 12 | +ICT activity logging policies | +ECT ledger contributes to ICT activity audit trail | +
Agent A executes a data retrieval task and sends the ECT to +Agent B:¶
+ECT JOSE Header:¶
+
+{
+ "alg": "ES256",
+ "typ": "wimse-exec+jwt",
+ "kid": "agent-a-key-2026-02"
+}
+¶
+ECT Payload:¶
+
+{
+ "iss": "spiffe://example.com/agent/data-retrieval",
+ "sub": "spiffe://example.com/agent/data-retrieval",
+ "aud": "spiffe://example.com/agent/validator",
+ "iat": 1772064150,
+ "exp": 1772064750,
+ "wid": "b1c2d3e4-f5a6-7890-bcde-f01234567890",
+ "tid": "550e8400-e29b-41d4-a716-446655440001",
+ "exec_act": "fetch_patient_data",
+ "par": [],
+ "pol": "clinical_data_access_policy_v1",
+ "pol_decision": "approved",
+ "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+ "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
+ "exec_time_ms": 142,
+ "regulated_domain": "medtech"
+}
+¶
+Agent B receives the ECT, verifies it, executes a validation +task, and creates its own ECT:¶
+
+{
+ "iss": "spiffe://example.com/agent/validator",
+ "sub": "spiffe://example.com/agent/validator",
+ "aud": "spiffe://example.com/system/ledger",
+ "iat": 1772064160,
+ "exp": 1772064760,
+ "wid": "b1c2d3e4-f5a6-7890-bcde-f01234567890",
+ "tid": "550e8400-e29b-41d4-a716-446655440002",
+ "exec_act": "validate_safety",
+ "par": ["550e8400-e29b-41d4-a716-446655440001"],
+ "pol": "safety_validation_policy_v2",
+ "pol_decision": "approved",
+ "exec_time_ms": 89,
+ "regulated_domain": "medtech"
+}
+¶
+The resulting DAG:¶
++task-...-0001 (fetch_patient_data) + | + v +task-...-0002 (validate_safety) +¶ +
A multi-step medical device software lifecycle workflow with +autonomous agents and human release approval:¶
+Task 1 (Spec Review Agent):¶
+
+{
+ "iss": "spiffe://meddev.example/agent/spec-reviewer",
+ "sub": "spiffe://meddev.example/agent/spec-reviewer",
+ "aud": "spiffe://meddev.example/agent/code-gen",
+ "iat": 1772064150,
+ "exp": 1772064750,
+ "wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
+ "tid": "a1b2c3d4-0001-0000-0000-000000000001",
+ "exec_act": "review_requirements_spec",
+ "par": [],
+ "pol": "spec_review_policy_v2",
+ "pol_decision": "approved",
+ "regulated_domain": "medtech",
+ "model_version": "spec-review-v3.1",
+ "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+ "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
+}
+¶
+Task 2 (Code Generation Agent):¶
+
+{
+ "iss": "spiffe://meddev.example/agent/code-gen",
+ "sub": "spiffe://meddev.example/agent/code-gen",
+ "aud": "spiffe://meddev.example/agent/test-runner",
+ "iat": 1772064200,
+ "exp": 1772064800,
+ "wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
+ "tid": "a1b2c3d4-0001-0000-0000-000000000002",
+ "exec_act": "implement_module",
+ "par": ["a1b2c3d4-0001-0000-0000-000000000001"],
+ "pol": "coding_standards_v3",
+ "pol_decision": "approved",
+ "regulated_domain": "medtech",
+ "model_version": "codegen-v2.4"
+}
+¶
+Task 3 (Autonomous Test Agent):¶
+
+{
+ "iss": "spiffe://meddev.example/agent/test-runner",
+ "sub": "spiffe://meddev.example/agent/test-runner",
+ "aud": "spiffe://meddev.example/agent/build",
+ "iat": 1772064260,
+ "exp": 1772064860,
+ "wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
+ "tid": "a1b2c3d4-0001-0000-0000-000000000003",
+ "exec_act": "execute_test_suite",
+ "par": ["a1b2c3d4-0001-0000-0000-000000000002"],
+ "pol": "test_coverage_policy_v1",
+ "pol_decision": "approved",
+ "regulated_domain": "medtech",
+ "exec_time_ms": 4523
+}
+¶
+Task 4 (Build Agent):¶
+
+{
+ "iss": "spiffe://meddev.example/agent/build",
+ "sub": "spiffe://meddev.example/agent/build",
+ "aud": "spiffe://meddev.example/human/release-mgr-42",
+ "iat": 1772064310,
+ "exp": 1772064910,
+ "wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
+ "tid": "a1b2c3d4-0001-0000-0000-000000000004",
+ "exec_act": "build_release_artifact",
+ "par": ["a1b2c3d4-0001-0000-0000-000000000003"],
+ "pol": "build_validation_v2",
+ "pol_decision": "approved",
+ "regulated_domain": "medtech",
+ "out_hash": "sha-256:Ry1YfOoW2XpC5Mq8HkGzNx3dL9vBa4sUjE7iKt0wPZc"
+}
+¶
+Task 5 (Human Release Manager Approval):¶
+
+{
+ "iss": "spiffe://meddev.example/human/release-mgr-42",
+ "sub": "spiffe://meddev.example/human/release-mgr-42",
+ "aud": "spiffe://meddev.example/system/ledger",
+ "iat": 1772064510,
+ "exp": 1772065110,
+ "wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
+ "tid": "a1b2c3d4-0001-0000-0000-000000000005",
+ "exec_act": "approve_release",
+ "par": ["a1b2c3d4-0001-0000-0000-000000000004"],
+ "pol": "release_approval_policy",
+ "pol_decision": "approved",
+ "pol_enforcer": "spiffe://meddev.example/human/release-mgr-42",
+ "witnessed_by": [
+ "spiffe://meddev.example/audit/qa-observer-1"
+ ],
+ "regulated_domain": "medtech"
+}
+¶
+The resulting DAG records the complete SDLC: spec review preceded +implementation, implementation preceded testing, testing preceded +build, and a human release manager approved the final release +with independent witness attestation.¶
++task-...-0001 (review_requirements_spec) + | + v +task-...-0002 (implement_module) + | + v +task-...-0003 (execute_test_suite) + | + v +task-...-0004 (build_release_artifact) + | + v +task-...-0005 (approve_release) [human, witnessed] +¶ +
An FDA auditor reconstructs this DAG by querying the audit ledger +for all ECTs with wid "c2d3e4f5-a6b7-8901-cdef-012345678901" and +verifying each signature. The DAG provides cryptographic evidence +that the SDLC followed the prescribed process with human oversight +at the release gate.¶
+A workflow where two tasks execute in parallel and a third task +depends on both:¶
++task-...-0001 (assess_risk) + | \ + v v +task-...-0002 task-...-0003 +(check (verify +compliance) liquidity) + | / + v v +task-...-0004 (execute_trade) +¶ +
Task 004 ECT payload:¶
+
+{
+ "iss": "spiffe://bank.example/agent/execution",
+ "sub": "spiffe://bank.example/agent/execution",
+ "aud": "spiffe://bank.example/system/ledger",
+ "iat": 1772064250,
+ "exp": 1772064850,
+ "wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
+ "tid": "f1e2d3c4-0004-0000-0000-000000000004",
+ "exec_act": "execute_trade",
+ "par": [
+ "f1e2d3c4-0002-0000-0000-000000000002",
+ "f1e2d3c4-0003-0000-0000-000000000003"
+ ],
+ "pol": "trade_execution_policy_v3",
+ "pol_decision": "approved",
+ "regulated_domain": "finance"
+}
+¶
+The "par" array with two entries records that both compliance +checking and liquidity verification were completed before trade +execution.¶
+The author thanks the WIMSE working group for their foundational +work on workload identity in multi-system environments. The +concepts of Workload Identity Tokens and Workload Proof Tokens +provide the identity foundation upon which execution context +tracing is built.¶
+