| Internet-Draft | PTV Protocol for Attested Agent Identity | March 2026 |
| Damodaran | Expires 2 October 2026 | [Page] |
This document specifies the Prove-Transform-Verify (PTV) protocol for hardware-anchored, zero-knowledge attested agent identity in federated environments. PTV addresses the data gravity problem in centralized security models by enabling cross-domain agent authorization without raw data exposure.¶
The specification includes: TPM 2.0/secure enclave roots of trust; Groth16 zero-knowledge proofs (<200ms generation on commodity edge hardware); HotStuff Byzantine Fault Tolerant consensus for immutable audit trails; and Sovereign Bound metadata for jurisdiction-aware attestation chains.¶
Use cases include healthcare clinical decision support systems (CDSS), critical infrastructure industrial control systems (ICS/OT), and cross-border regulatory compliance scenarios under GDPR/HIPAA frameworks.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Current identity frameworks suffer from data gravity--the tendency of centralized security models to force sensitive data into high-risk, multi-tenant environments to achieve trust. The PTV protocol proposes a shift from OAuth 2.0 [RFC6749] or SPIFFE-based [SPIFFE-STD-112] patterns toward identity-by-proof.¶
Zero-knowledge proofs provide the mathematical trust fabric required for secure agentic authorization in sovereign environments while maintaining privacy-by-design principles. This approach extends existing standards (OAuth 2.0, OpenID Connect, FIDO2) by adding a cryptographic proof layer rather than replacing them.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] and [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The PTV protocol operates through three atomic operations executed in sequence:¶
Agent Federation Hub Verifier
| | |
|---[1] PROVE----------->| |
| (Generate ZK-proof) | |
| | |
| |---[2] TRANSFORM----->|
| | (Proof only) |
| | |
| |<---[3] VERIFY--------|
| | (Validate proof) |
IDLE --> [ATT_REQ] --> PROVING
|
[proof gen]
v
TRANSFORMING
|
[BFT quorum]
v
VERIFYING
/ \
[valid]/ \[invalid/timeout]
v v
AUTHORIZED ERROR/REJECTED
| ^
+--[BFT log]-+
All transitions MUST log to BFT consensus layer (Section 3.4).
Implementations MUST transition to IDLE after logging any ERROR or REJECTED state.¶
PTV uses Groth16 zk-SNARK implementation [GROTH16-PAPER] for efficiency in production environments. Benchmarks indicate:¶
| Parameter | Value |
|---|---|
| Proof Generation Time | 187ms +/- 23ms (median +/- std dev, n=10,000) |
| Proof Verification Time | <5ms (on verifier side) |
| Raw Proof Size | <300 bytes |
| Full Attestation Envelope | <4 KB (includes metadata plus BFT signature) |
Agents MUST anchor identities to TPM 2.0 (or equivalent Secure Enclave) using Hardware Endorsement Keys (HEK). [TPM20SPEC] defines the endorsement key specification.¶
PTV employs HotStuff-based BFT consensus at the Federation Hub layer. See [HOTSTUFF-PAPER] for protocol details. This ensures:¶
Messages use JSON-LD encoding with @context validation. Binary components (ZK-proofs, signatures) are Base64URL-encoded per [RFC4648] for transport safety.¶
Media type registration recommended: application/ptv-attestation+json. See Section 11.2 for the full IANA registration template.¶
This subsection illustrates a complete PROVE–TRANSFORM–VERIFY exchange using JSON-LD encoding and the application/ptv-attestation+json media type carried in an OAuth 2.0 token request.¶
POST /oauth/token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&scope=patient.read
&ptv_attestation={
"@context": "https://schemas.example.com/ptv/v1",
"msg_type": "ATT_REQ",
"version": "1.0",
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"prover_id": "a3f1c8e5b9d2f7a4c6e8b1d3f5a7c9e2b4d6f8a1",
"timestamp": 1743415200,
"nonce": "ZGF0YV9leGFtcGxlX25vbmNl",
"sovereign_bound": {
"jurisdiction": "EU/DE",
"region_code": "DE-BY",
"compliance_profile": ["GDPR"]
},
"action_context": {
"task_type": "eligibility_check",
"cognitive_mandate": "validate_patient_data",
"token_expiry": "2026-03-31T12:00:00Z"
},
"attestation_envelope": {
"method": "groth16-2026",
"proof": "<base64url-groth16-proof>",
"model_hash": "e3b0c44298fc1c149afbf4c8996fb924ac74ef4ae8e0a28c9a03b3e9d1c6e351b"
}
}
¶
The authorization server binds the issued access token to the supplied PTV attestation and enforces the declared sovereign_bound and action_context when processing subsequent API calls.¶
PTV attestation envelopes MAY be carried as EAT claims [RFC9334]. Implementations MUST preserve all EAT security properties when embedding PTV data.¶
For example, a PTV attestation envelope can be embedded as an EAT non-critical claim:¶
{
"eat_profile": "urn:ietf:params:attest:ptv",
"submods": {
"ptv": {
"method": "groth16-2026",
"attestation_envelope": "<base64url-ptv-attestation>"
}
}
}
¶
PTV BFT audit logs are SCITT-compatible transparency logs. PTV proofs MAY be submitted to SCITT registries for public verification.¶
A Federation Hub MAY publish each finalized attestation envelope as a SCITT transparency log entry, using the attestation hash as the statement digest and including sovereign_bound metadata as signed attributes.¶
TPM 2.0 AK binding is compatible with DICE layer 0 identity. PTV inherits DICE chain-of-trust for hardware root establishment.¶
When DICE is present, the TPM Attestation Key used in PTV corresponds to the layer-0 device identity, and PTV proofs inherit the DICE chain-of-trust without additional changes to the wire format.¶
The "ptv_attestation" parameter MAY be carried in [RFC6749] token requests to bind access tokens to attested agent identity.¶
Authorization servers receiving ptv_attestation parameters MUST validate the embedded attestation envelope before issuing an access token and MUST reject requests where the model_hash or sovereign_bound fields do not match local policy.¶
PTV assumes an honest-majority Federation Hub with at most f faulty nodes where f < floor((n-1)/3), as required by HotStuff-style BFT consensus.¶
Agent devices are assumed to have a correctly provisioned hardware root of trust (TPM 2.0 or equivalent secure enclave) and to protect endorsement keys according to the TPM20SPEC.¶
Network attackers are assumed capable of eavesdropping, replay, message tampering, and denial-of-service, but not of breaking the underlying cryptographic primitives or compromising all BFT nodes simultaneously.¶
Out-of-scope threats include physical compromise of all Federation Hubs in a jurisdiction and regulatory misuse of otherwise valid attestation data.¶
This protocol implements a threat model based on STRIDE categories mapped to ISO 14971 hazards for medical device integration:¶
| Threat Category | PTV Mitigation |
|---|---|
| Spoofing (Identity) | TPM 2.0 HEK anchoring; prevents impersonation across nodes |
| Tampering (Code) | ZK-proof per inference; verifies unaltered model/software state |
| Repudiation | BFT log plus sovereign metadata; non-repudiation via attestation chains |
| Information Disclosure | Zero-egress ZK (validity only); no plaintext leakage |
| Denial of Service | Mesh redundancy; consensus tolerates f faulty nodes (f less than n/3) |
| Elevation of Privilege | Capability-based tokens; single-task expiration limits scope |
Implementation notes:¶
Operational Security Notes:¶