feat: draft -02 with ACT liaison, related work, IETF 123 prep

- bump docname to draft-nennemann-wimse-ect-02
- add Relationship to ACT subsection (normative ACT reference)
- add Related Work: WIMSE arch §3.3.9, Composition Safety (AgentRFC),
  MIGT taxonomy, NIST/NCCoE, SCITT-AI-agent-execution, DAWN
- acknowledge wimse-http-signature -03 breaking change (wimse-aud param)
- pin SCITT arch to -22 (AUTH48), txn-tokens to -08 (WG Last Call)
- add DIFF vs txn-tokens-for-agents-06 for WIMSE list intro
- add IETF 123 slide outline (10-min WIMSE slot)
- add wimse-intro-email draft for mailing list post
- mark refimpl as moved to workspace/packages/ect/
This commit is contained in:
2026-04-12 07:32:47 +02:00
parent ba38569319
commit d47f041265
5 changed files with 665 additions and 2 deletions

View File

@@ -0,0 +1,163 @@
# ACT + ECT vs. draft-oauth-transaction-tokens-for-agents: Differentiation
**Purpose**: Pre-emptive overlap analysis for the WIMSE mailing list introduction.
This document is factual and non-adversarial. Raut et al.'s work is relevant
and well-motivated; the goal is to clarify where these specifications are
complementary and where they address genuinely different problems.
---
## What Each Specification Does
- **draft-nennemann-act (ACT)**: Defines a two-phase JWT lifecycle that first
authorizes an agent via a signed capability mandate and then seals that
authorization into a tamper-evident execution record, requiring no shared
Authorization Server or identity infrastructure.
- **draft-nennemann-wimse-ect (ECT)**: Defines a single-phase, WIMSE-profile
JWT for recording task execution with explicit assurance levels (L1L3) and
workload-identity binding; a sibling profile of ACT for deployments that
already run SPIFFE/SPIRE or equivalent.
- **draft-oauth-transaction-tokens-for-agents-06 (Txn-Agents)**: Extends the
OAuth Transaction Tokens (draft-ietf-oauth-transaction-tokens) issuance model
by adding agent identity context (`act`, `agentic_ctx`, `actchain`) to tokens
issued by a central Transaction Token Service (TTS), covering both
principal-initiated and autonomous agent flows.
---
## Claim-Level Comparison
| Claim / Concept | ACT (Phase 1) | ACT (Phase 2) | ECT | Txn-Agents |
|-----------------------|--------------------|--------------------|--------------------|--------------------|
| `iss` | Required | Required | Required (L2/L3) | TTS URI |
| `sub` | Target agent id | Target agent id | — | Principal identity |
| `aud` | Required | Required | Required (L2/L3) | Resource server |
| `iat` / `exp` | Required | Required | Required | Required |
| `jti` | Task UUID | Task UUID | Task + token UUID | — |
| `act` | — | — | — | Acting agent id |
| `actchain` | `del.chain` (ACT) | `del.chain` (ACT) | — | Delegation array |
| `txn` | — | — | — | Txn correlation id |
| `purp` / `task` | `task.purpose` | `task.purpose` | `exec_act` | `purp` |
| `cap` (capabilities) | Required array | Preserved | — | `scope` (OAuth) |
| `oversight` | Optional HITL ref | Preserved | — | — |
| `inp_hash` | — | Recommended | Optional | — |
| `out_hash` | — | Recommended | Optional | — |
| `pred` (DAG parents) | — | Required array | Required array | — |
| `wid` (workflow id) | Optional | Optional | Optional | — |
| `agentic_ctx` | — | — | — | Optional object |
| `req_wl` | — | — | — | Requesting wl id |
| `exec_ts` / `status` | — | Required | — | — |
| Assurance levels | Trust tiers (03) | Trust tiers (03) | L1 / L2 / L3 | Single model |
| Identity binding | Pre-shared/PKI/DID | Pre-shared/PKI/DID | WIMSE WIT / X.509 | OAuth access token |
**Shared semantics** (identical or directly comparable): `jti`, `wid`,
`inp_hash`, `out_hash`, `pred`. ECT's `exec_act` and ACT's `task.purpose`
overlap in intent (action type identifier) but differ in schema. ACT's
`del.chain` and Txn-Agents' `actchain` both track delegation lineage but
through different issuance models (peer-signed vs. TTS-issued).
---
## Lifecycle Model
**Txn-Agents** is a single-phase extension. A Transaction Token Service (TTS)
issues one token per request, populated from the agent's OAuth access token.
Token replacement re-issues a new token with updated `act`/`actchain` but the
same `txn`. There is no concept of a pre-execution authorization phase separate
from the token itself; the token *is* the authorization assertion at the moment
of issuance.
**ACT** is two-phase by design. Phase 1 (Mandate): a delegating agent signs an
authorization token encoding capabilities, constraints, and oversight
requirements *before* execution begins. Phase 2 (Record): the executing agent
appends `exec_act`, `inp_hash`, `out_hash`, `pred`, and `exec_ts` and
re-signs the entire token with its own key. This re-signature binds the
agent's cryptographic identity to both the mandate it received and the
execution it performed in a single non-repudiable envelope.
**ECT** is single-phase and records execution only. It does not carry
authorization intent. It is designed for deployments where authorization is
handled by the existing identity plane (WIMSE WIT/WPT, OAuth, X.509) and only
execution recording is needed.
---
## Accountability Story
**ACT's unique property** is the commitment transition. A Phase 2 ACT is
cryptographic evidence of two facts simultaneously: (a) the agent *was
authorized* under specific capability constraints at a specific time, and (b)
the agent *did act*, processing specific inputs and producing specific outputs
as hashed. No other specification in this space fuses pre-execution
authorization and post-execution recording in a single token whose signature
chain preserves both. Txn-Agents can assert who acted and in what context; it
cannot assert what was permitted before the fact.
**ECT's unique property** is graduated assurance and WIMSE integration.
L1/L2/L3 let deployments select the appropriate compliance posture. L3
requires every ECT to be committed to an audit ledger with hash-chain or
Merkle-tree commitment — satisfying DORA, EU AI Act Article 12, and IEC 62304
requirements without a separate log format. ECT's `iss` is anchored to the
SPIFFE workload identity, providing stronger workload binding than a client
credential alone.
**Txn-Agents' accountability model** relies on the TTS to produce honest
tokens from verified access tokens. The audit trail consists of logged `act`
and `sub` claims per the spec's SHOULD recommendation. This is operationally
simpler and sufficient for many enterprise deployments, but it does not
constitute a tamper-evident record of what the agent actually processed.
---
## Where These Could Be Used Together
ACT and Txn-Agents are complementary in OAuth-enabled deployments. A Txn-Agent
token can serve as the bearer credential for the initial service call; an ACT
Mandate, carried in a separate `ACT-Mandate` header, adds fine-grained
capability constraints on top of the OAuth scope. The Txn-Agents token handles
the transaction correlation and TTS-based trust; the ACT Mandate and subsequent
ACT Record handle per-invocation authorization evidence and tamper-evident
execution recording.
ECT and Txn-Agents are similarly composable: Txn-Agents handles principal and
agent identity within an OAuth trust domain; ECT handles workload-level
execution recording within the WIMSE trust domain. They operate at different
layers and their co-presence is additive.
---
## When to Use Which
| Situation | Recommendation |
|------------------------------------------------------------------|-----------------------------------------|
| You have OAuth infrastructure and a TTS | Txn-Agents as authorization layer |
| You need tamper-evident pre/post execution binding | ACT (two-phase lifecycle) |
| You have WIMSE/SPIFFE deployed and need execution recording | ECT |
| Cross-org federation with no shared AS or identity provider | ACT (Tier 1 pre-shared key bootstrap) |
| Regulated environment requiring ledger-committed audit trail | ECT L3 (or ACT + SCITT anchor) |
| You need delegation lineage across multiple agent hops | Txn-Agents `actchain` or ACT `del.chain`|
| You need capability-level constraints beyond OAuth scope strings | ACT `cap` array |
| HITL approval gating before execution | ACT `oversight` claim |
---
## Honest Overlap
The real overlap zone is multi-agent delegation tracking. Both Txn-Agents'
`actchain` and ACT's `del.chain` record which agents delegated to which.
Implementers who already run a TTS and OAuth infrastructure have less reason to
adopt ACT's peer-to-peer delegation model. For those deployments,
Txn-Agents covers the identity and delegation layer adequately, and only the
execution recording gap (handled by ECT or ACT Phase 2) would remain unaddressed.
ACT does not require a TTS, an Authorization Server, or a SPIFFE trust domain.
This is its primary differentiator for cross-organizational or
infrastructure-light deployments — not a claim of superiority over
OAuth-native approaches in environments where that infrastructure exists.
---
*draft-nennemann-act-01 / draft-nennemann-wimse-ect-02 vs.
draft-oauth-transaction-tokens-for-agents-06 (Raut, Amazon, April 2026)*