- Remove sub claim (always equals iss, added no information)
- Move compensation_required and compensation_reason to ext keys
- Move pol, pol_decision, pol_enforcer to ext keys
- IANA JWT Claims table reduced from 11 to 6 registered claims
- Trim witness attestation section to concise guidance
- Fix remaining ledger-mandatory language in verification
  step 15 and minimal implementation guidance

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Move 6 metadata claims (pol_timestamp, inp_classification,
exec_time_ms, regulated_domain, model_version, witnessed_by)
from registered JWT claims to recommended ext extension keys.
Use short key names for spec-defined extensions.
Make audit ledger explicitly optional: rename pseudocode
parameter from ledger to ect_store, mark architecture diagram
ledger layer as optional, add conditional append logic, and
soften Audit Ledger Interface language.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Allow any URI scheme for the iss claim (SPIFFE, HTTPS, URN:UUID)
to support non-WIMSE deployments that want DAG tracing without
SPIFFE infrastructure. SPIFFE format remains SHOULD for WIMSE
deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Use correct IETF reverse domain notation for spec-defined
extension keys within the ext object.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Remove Operational Modes section (point-to-point, deferred,
  full ledger) to reduce surface area for a -00 submission
- Trim Ledger Interface to essential properties only, remove
  ledger entry JSON example
- Condense regulatory motivation in Introduction to 2 sentences
  with forward reference to compliance mapping table
- Reframe "cryptographic proof" to "signed, structured records"
  in abstract and introduction to accurately reflect self-assertion
- Make WPT co-presence RECOMMENDED rather than assumed, hedging
  against s2s-protocol evolution; ECT is independently verifiable
  via WIT public key
- Fix broken reference: draft-oauth-transaction-tokens-for-agents
  (not an ietf- WG draft)
- Add jti to all JSON examples (required claim was missing from 9
  of 10 examples)
- Clean up dangling cross-references to removed sections

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Eliminate the "tid" claim; "jti" now serves as both token ID (for
  replay detection) and task ID (for DAG parent references in "par")
- Make "pol" and "pol_decision" OPTIONAL (must be paired when present)
- Regulated deployments SHOULD still include policy claims
- Reduces required ECT-specific claims to just "exec_act" and "par"
- Remove "tid" from IANA JWT Claims registration
- Update all examples, pseudocode, and DAG validation rules

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ECTs can now be deployed without a centralized ledger. Three modes
are defined: point-to-point (agents pass parent ECTs inline via HTTP
headers), deferred ledger (collect ECTs in-flight, submit later), and
full ledger (immediate append, RECOMMENDED for regulated environments).
DAG validation is generalized to work against an "ECT store" which
can be either a ledger or the set of inline parent ECTs received in
the request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add paragraph in Policy Claims section explicitly stating that
policy definition, distribution, and evaluation are out of scope.
The pol claim is an opaque identifier; any policy engine may be
used provided outcomes are faithfully recorded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove RFC 2119 and RFC 8174 from normative YAML block since the
BCP 14 boilerplate directive adds them automatically, causing
duplicate reference warnings. Rebuild draft with zero warnings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The ECT workflow identifier (wid) can serve as a correlation point
in SCITT Signed Statements, bridging per-step execution accountability
with end-to-end supply chain transparency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>