]> Tyche Institute

Tallinn Estonia anton.sokolov@tyche.institute

Security Remote ATtestation ProcedureS (RATS) attestation evidence AI agents accountability This document sketches a composition pattern in which an application-layer "action evidence package" (AEP) — a signed, append-only record of an action taken by an automated (for example, AI-agent) system, the authority under which it was taken, and its outcome — is treated as Evidence in the sense of the RATS Architecture (RFC 9334) and bound to platform Evidence produced by a hardware root of trust. The intent is that a single Verifier, or a composition of Verifiers, can appraise both the platform state and the application-layer action together, and emit an Attestation Result that a Relying Party can use to reason about what an automated system did and on what platform it did so without trusting the operator's self-report for either. This is an individual sketch intended to ask the working group whether the pattern is already covered by existing mechanisms or warrants a short document.

Introduction Records of automated decision-making are increasingly produced for accountability purposes: an action identifier, an authorising principal, inputs and tool calls, and an outcome, chained so that tampering is detectable. Such an action evidence package (AEP) is useful but has the standard self-report limitation: every field is asserted by the same software stack whose integrity is in question. The signature proves the record was produced by a key the runtime holds; it does not prove what the runtime was. The RATS Architecture separates the party that produces Evidence (Attester), the party that appraises it (Verifier), and the party that acts on the verdict (Relying Party). Binding an AEP to platform Evidence appraised under RATS supplies the independence the self-report lacks. This document describes the composition and asks whether it is novel enough to specify.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses RATS terminology as defined in : the roles Attester, Verifier, Relying Party, Endorser, and Reference Value Provider, and the conceptual messages Evidence, Endorsements, Reference Values, and Attestation Results.

The Action Evidence Package An AEP is an application-layer, signed, append-only record. For the purposes of this document its salient properties are: (a) it records an action, an authorising principal, and an outcome; (b) it is chained for tamper-evidence; and (c) it is produced by the same software stack that performs the action. Property (c) is precisely why it benefits from composition with platform Evidence.

Composition with RATS The composition treats the AEP as application-layer Evidence conveyed alongside platform Evidence: The platform produces hardware-rooted Evidence (for example, a TPM quote over measured-boot registers, or a TEE attestation token), appraised against Reference Values (for example, conveyed as a Concise Reference Integrity Manifest ) and Endorsements by a Verifier. The AEP is conveyed as a further Evidence item. Candidate conveyances are an EAT carrying the AEP (or a digest of it) as a claim or submodule (the EAT submodule / Detached-Submodule-Digest mechanism is the standard nesting facility here), or a CMW collection — the RATS Conceptual Messages Wrapper — that groups the platform Evidence and the AEP into one message. A Verifier — or, following the layered Platform-Verifier / Workload-Verifier pattern of , a platform Verifier and an application Verifier in composition — appraises both and emits an Attestation Result. The binding between the two is load-bearing: the AEP, at record time, SHOULD incorporate a reference to a fresh platform appraisal (or to the platform Evidence and the nonce that scoped it), so that a later Relying Party can ask not only "what did the automated system do, and under what authority?" but "and was it done on a platform whose state was independently attested within the same freshness window?". The Section 10 freshness mechanisms — nonces, synchronised-clock timestamps, and Epoch IDs/handles — apply unchanged.

A Result Vocabulary For a non-specialist Relying Party, this work resolves an appraisal to a small two-axis vocabulary: an authorisation axis computed from the AEP and policy (Authorised / Unauthorised / Indeterminate) and a platform axis (Attested / Contested / Expired). AR4SI defines four trustworthiness tiers — none, affirming, warning, contraindicated — serialised in an EAR . Two of the platform terms map directly onto those tiers: an affirming appraisal to Attested; a warning or contraindicated appraisal that runs but contradicts Reference Values to Contested; while the none tier, in which the Verifier asserts nothing, denotes an inconclusive appraisal rather than a pass or fail. Expired is deliberately NOT an AR4SI trustworthiness tier: it captures a separate, token-level condition — evidence stale relative to the freshness policy, or supporting material that has lapsed — surfaced by the EAT exp claim and by nonce-based evidence freshness, not by the trustworthiness vocabulary. This correspondence is provisional and SHOULD be validated against a Verifier's actual EAR output; the working group's view on whether such a mapping belongs in a document, or purely in deployment guidance, is solicited.

Feasibility Note A small emulated feasibility check (software TPM via swtpm, with a minimal Verifier stand-in) folds the hash of an AEP outcome and a fresh nonce into an attestation-key-signed quote, with a model-artefact measurement in a platform register, and resolves the three platform-axis cases and rejects a forged outcome bound to a valid quote. It is emulated and minimal; it demonstrates the binding, not a hardware-rooted guarantee. Details are in .

Security Considerations Composition does not dissolve trust assumptions; it relocates them. The platform axis depends on the hardware vendor's Endorsements and the Verifier's independence; the AEP axis depends on the integrity of the key the runtime holds, which is exactly what the platform Evidence is meant to ground. Binding an AEP to a platform appraisal is only as fresh as the weaker of the two freshness mechanisms. Attesting a specific model or workload version requires that artefact be measured into the attested state, which is a deployment commitment. A forged AEP outcome presented under an otherwise-valid platform quote MUST be detectable through the output-binding: the outcome digest is covered by the quote's signed data, so an implementation that binds the AEP reference outside the signed data does not achieve this property. The feasibility note above demonstrates this binding in emulation only (a software TPM); on real hardware the guarantee holds to the extent the outcome digest is genuinely inside the signed and quoted data.

IANA Considerations This document has no IANA actions. (If a future revision defines an EAT claim or a CMW type for an AEP, the corresponding registrations would appear here.)

&RFC2119; &RFC8174; &RFC9334; &RFC9711; &I-D.ietf-rats-ar4si; &I-D.ietf-rats-ear; &I-D.ietf-rats-msg-wrap; &I-D.ietf-rats-corim; &I-D.ietf-rats-multi-verifier;

Acknowledgements Thanks to the Veraison community for the discussion that prompted this sketch.