Add SCITT integration section linking wid to Transparency Services

The ECT workflow identifier (wid) can serve as a correlation point
in SCITT Signed Statements, bridging per-step execution accountability
with end-to-end supply chain transparency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 06:46:38 +01:00
parent 6676196ea9
commit d6d44285eb
4 changed files with 663 additions and 487 deletions

@@ -148,20 +148,20 @@ Internet-Draft WIMSE Execution Context February 2026
13.1. Normative References . . . . . . . . . . . . . . . . . . 33
13.2. Informative References . . . . . . . . . . . . . . . . . 34
Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . 35
WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . . 35
WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . . 36
OAuth 2.0 Token Exchange . . . . . . . . . . . . . . . . . . . 36
Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . . 36
Blockchain and Distributed Ledgers . . . . . . . . . . . . . . 36
W3C Verifiable Credentials . . . . . . . . . . . . . . . . . . 36
Implementation Guidance . . . . . . . . . . . . . . . . . . . . . 36
Minimal Implementation . . . . . . . . . . . . . . . . . . . . 36
Storage Recommendations . . . . . . . . . . . . . . . . . . . . 37
Performance Considerations . . . . . . . . . . . . . . . . . . 37
Interoperability . . . . . . . . . . . . . . . . . . . . . . . 37
SCITT (Supply Chain Integrity, Transparency, and Trust) . . . . 37
W3C Verifiable Credentials . . . . . . . . . . . . . . . . . . 37
Implementation Guidance . . . . . . . . . . . . . . . . . . . . . 37
Minimal Implementation . . . . . . . . . . . . . . . . . . . . 37
Storage Recommendations . . . . . . . . . . . . . . . . . . . . 38
Performance Considerations . . . . . . . . . . . . . . . . . . 38
Interoperability . . . . . . . . . . . . . . . . . . . . . . . 38
Regulatory Compliance Mapping . . . . . . . . . . . . . . . . . . 38
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Example 1: Simple Two-Agent Workflow . . . . . . . . . . . . . 38
Example 2: Medical Device SDLC with Release Approval . . . . . 40
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Example 1: Simple Two-Agent Workflow . . . . . . . . . . . . . 39
@@ -170,9 +170,10 @@ Nennemann Expires 28 August 2026 [Page 3]
Internet-Draft WIMSE Execution Context February 2026
Example 3: Parallel Execution with Join . . . . . . . . . . . . 42
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 43
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 43
Example 2: Medical Device SDLC with Release Approval . . . . . 40
Example 3: Parallel Execution with Join . . . . . . . . . . . . 43
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 44
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction
@@ -220,7 +221,6 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 28 August 2026 [Page 4]
Internet-Draft WIMSE Execution Context February 2026
@@ -1891,13 +1891,13 @@ Internet-Draft WIMSE Execution Context February 2026
Electronic Signatures", <https://www.ecfr.gov/current/
title-21/chapter-I/subchapter-A/part-11>.
[I-D.ni-wimse-ai-agent-identity]
Yuan, N. and P. C. Liu, "WIMSE Applicability for AI
Agents", Work in Progress, Internet-Draft, draft-ni-wimse-
ai-agent-identity-01, 20 October 2025,
<https://datatracker.ietf.org/doc/html/draft-ni-wimse-ai-
agent-identity-01>.
[I-D.ietf-scitt-architecture]
Birkholz, H., Delignat-Lavaud, A., Fournet, C., Deshpande,
Y., and S. Lasker, "An Architecture for Trustworthy and
Transparent Digital Supply Chains", Work in Progress,
Internet-Draft, draft-ietf-scitt-architecture-22, 10
October 2025, <https://datatracker.ietf.org/doc/html/
draft-ietf-scitt-architecture-22>.
@@ -1906,6 +1906,13 @@ Nennemann Expires 28 August 2026 [Page 34]
Internet-Draft WIMSE Execution Context February 2026
[I-D.ni-wimse-ai-agent-identity]
Yuan, N. and P. C. Liu, "WIMSE Applicability for AI
Agents", Work in Progress, Internet-Draft, draft-ni-wimse-
ai-agent-identity-01, 20 October 2025,
<https://datatracker.ietf.org/doc/html/draft-ni-wimse-ai-
agent-identity-01>.
[MIFID-II] European Parliament and Council of the European Union,
"Directive 2014/65/EU of the European Parliament and of
the Council on markets in financial instruments (MiFID
@@ -1941,15 +1948,8 @@ Internet-Draft WIMSE Execution Context February 2026
Related Work
WIMSE Workload Identity
The WIMSE architecture [I-D.ietf-wimse-arch] and service-to- service
protocol [I-D.ietf-wimse-s2s-protocol] provide the identity
foundation upon which ECTs are built. WIT/WPT answer "who is this
agent?" and "does it control the claimed key?" while ECTs record
"what did this agent do?" and "what policy was evaluated?" Together
they form an identity-plus-accountability framework for regulated
agentic systems.
@@ -1962,6 +1962,16 @@ Nennemann Expires 28 August 2026 [Page 35]
Internet-Draft WIMSE Execution Context February 2026
WIMSE Workload Identity
The WIMSE architecture [I-D.ietf-wimse-arch] and service-to- service
protocol [I-D.ietf-wimse-s2s-protocol] provide the identity
foundation upon which ECTs are built. WIT/WPT answer "who is this
agent?" and "does it control the claimed key?" while ECTs record
"what did this agent do?" and "what policy was evaluated?" Together
they form an identity-plus-accountability framework for regulated
agentic systems.
OAuth 2.0 Token Exchange
[RFC8693] defines the OAuth 2.0 Token Exchange protocol and registers
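Review bot: "service-to- service" in the first line of the relocated WIMSE Workload Identity paragraph has a stray space after the hyphen, which looks like a line break falling inside the hyphenated term in the source. Since the paragraph is being re-flowed onto the next page anyway, fix it so the rendered text reads "service-to-service protocol".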
@@ -1995,6 +2005,39 @@ Blockchain and Distributed Ledgers
or any storage providing the required properties defined in
Section 8.
Nennemann Expires 28 August 2026 [Page 36]
Internet-Draft WIMSE Execution Context February 2026
SCITT (Supply Chain Integrity, Transparency, and Trust)
The SCITT architecture [I-D.ietf-scitt-architecture] defines a
framework for creating transparent and auditable supply chain records
through Transparency Services, Signed Statements, and Receipts. ECTs
and SCITT are naturally complementary: the ECT "wid" (Workflow
Identifier) claim can serve as a correlation identifier referenced in
SCITT Signed Statements, linking a complete ECT audit trail to a
supply chain transparency record. For example, in a regulated
manufacturing workflow, each agent step produces an ECT (recording
what was done, by whom, under what policy), while the overall
workflow identified by "wid" is registered as a SCITT Signed
Statement on a Transparency Service. This enables auditors to verify
both the individual execution steps (via ECT DAG validation) and the
end-to-end supply chain integrity (via SCITT Receipts) using the
"wid" as the shared correlation point. The "ext" claim in ECTs
(Section 4.2.2) can carry SCITT-specific metadata such as
Transparency Service identifiers or Receipt references for tighter
integration.
W3C Verifiable Credentials
W3C Verifiable Credentials represent claims about subjects (e.g.,
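Review bot: the new SCITT paragraph makes "wid" the only link between the ECT audit trail and the Signed Statement, but it never says where in the Signed Statement the "wid" is carried or what else binds the statement to the particular set of ECTs. An auditor who matches on "wid" alone cannot tell a complete ECT DAG from a partial or substituted one, so consider naming the field that carries "wid" and having the statement also commit to the ECTs it covers, for example with a digest over them. Two smaller points: the required-claims list under Minimal Implementation ("iss", "aud", "iat", "exp", "tid", "exec_act", "par", "pol", "pol_decision") does not include "wid", so this section should say the claim has to be present for the correlation to work; and the last sentence lets "ext" carry Receipt references, which exist only once the statement has been registered, so the text should say when registration happens and which ECTs are expected to carry them.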
@@ -2009,15 +2052,6 @@ Minimal Implementation
A minimal conforming implementation should:
Nennemann Expires 28 August 2026 [Page 36]
Internet-Draft WIMSE Execution Context February 2026
1. Create JWTs with all required claims ("iss", "aud", "iat", "exp",
"tid", "exec_act", "par", "pol", "pol_decision").
@@ -2031,6 +2065,15 @@ Internet-Draft WIMSE Execution Context February 2026
5. Append verified ECTs to an audit ledger.
Nennemann Expires 28 August 2026 [Page 37]
Internet-Draft WIMSE Execution Context February 2026
Storage Recommendations
* Append-only log: Simplest approach; immutability by design.
@@ -2064,16 +2107,6 @@ Interoperability
implementations should not be used. Implementations should be tested
against multiple JWT libraries to ensure interoperability.
Nennemann Expires 28 August 2026 [Page 37]
Internet-Draft WIMSE Execution Context February 2026
Regulatory Compliance Mapping
The following table summarizes how ECTs can contribute to compliance
@@ -2081,6 +2114,22 @@ Regulatory Compliance Mapping
block; achieving compliance requires additional organizational
measures beyond this specification.
Nennemann Expires 28 August 2026 [Page 38]
Internet-Draft WIMSE Execution Context February 2026
+============+========================+==========================+
| Regulation | Requirement | ECT Contribution |
+============+========================+==========================+
@@ -2121,15 +2170,6 @@ Example 1: Simple Two-Agent Workflow
ECT JOSE Header:
Nennemann Expires 28 August 2026 [Page 38]
Internet-Draft WIMSE Execution Context February 2026
{
"alg": "ES256",
"typ": "wimse-exec+jwt",
@@ -2138,6 +2178,14 @@ Internet-Draft WIMSE Execution Context February 2026
ECT Payload:
Nennemann Expires 28 August 2026 [Page 39]
Internet-Draft WIMSE Execution Context February 2026
{
"iss": "spiffe://example.com/agent/data-retrieval",
"sub": "spiffe://example.com/agent/data-retrieval",
@@ -2177,15 +2225,6 @@ Internet-Draft WIMSE Execution Context February 2026
The resulting DAG:
Nennemann Expires 28 August 2026 [Page 39]
Internet-Draft WIMSE Execution Context February 2026
task-...-0001 (fetch_patient_data)
|
v
@@ -2196,6 +2235,13 @@ Example 2: Medical Device SDLC with Release Approval
A multi-step medical device software lifecycle workflow with
autonomous agents and human release approval:
Nennemann Expires 28 August 2026 [Page 40]
Internet-Draft WIMSE Execution Context February 2026
Task 1 (Spec Review Agent):
{
@@ -2234,16 +2280,24 @@ Example 2: Medical Device SDLC with Release Approval
"model_version": "codegen-v2.4"
}
Task 3 (Autonomous Test Agent):
Nennemann Expires 28 August 2026 [Page 40]
Nennemann Expires 28 August 2026 [Page 41]
Internet-Draft WIMSE Execution Context February 2026
Task 3 (Autonomous Test Agent):
{
"iss": "spiffe://meddev.example/agent/test-runner",
"sub": "spiffe://meddev.example/agent/test-runner",
@@ -2293,7 +2347,9 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 28 August 2026 [Page 41]
Nennemann Expires 28 August 2026 [Page 42]
Internet-Draft WIMSE Execution Context February 2026
@@ -2349,7 +2405,7 @@ Example 3: Parallel Execution with Join
Nennemann Expires 28 August 2026 [Page 42]
Nennemann Expires 28 August 2026 [Page 43]
Internet-Draft WIMSE Execution Context February 2026
@@ -2405,4 +2461,4 @@ Author's Address
Nennemann Expires 28 August 2026 [Page 43]
Nennemann Expires 28 August 2026 [Page 44]
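Review bot: page-footer renumbering such as [Page 43] to [Page 44] here is repeated in most hunks of this file and contributes to the 663 additions and 487 deletions reported for what the commit message describes as one added section. Consider committing the regenerated paginated text separately from the content change, so the SCITT section and the new [I-D.ietf-scitt-architecture] reference can be reviewed on their own.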