Address 11 items from peer review:
- Fix area designation from Security to ART (WIMSE is in ART area)
- Switch inp_hash/out_hash to fixed SHA-256 without algorithm prefix,
  matching DPoP (RFC 9449) and WIMSE WPT tth claim patterns
- Add partial DAG verification guidance for unavailable parents
- Add DAG integrity attacks subsection (false parents, pruning, shadow DAGs)
- Add privilege escalation subsection (ECTs are not authorization)
- Add revocation propagation semantics through the DAG
- Add W3C PROV Data Model to Related Work
- Strengthen Txn-Token differentiation with fan-in/convergence bullet
- Add explicit token binding paragraph to replay prevention
- Switch verification step 3 to algorithm allowlist model
- Add par/ext claim naming justification notes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove all companion draft (ect-pol) references, regulatory
compliance mappings, pre-defined extension keys, witness concept,
pseudocode blocks, implementation guidance appendix, and redundant
examples. Keep only the core token format, DAG validation,
verification procedure, and one cross-organization use case.
Draft reduced from ~40 pages to 27 pages.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>