IETF Standards Working Group

[yungcero]

Hi all - this is to set the base for discussion in the Agent2Agent IETF mailing list working group for the identity/governance layers around Layer 1 and Layer 2 of the Agent Identity Protocl (AIP). Sub discussion will spin out as a result of this, but this will be for general discussions.

[schchit]

Thanks for setting this up, James.

I'm particularly interested in the evidence/audit side of the stack — what gets recorded after execution, and how to structure it so it's useful for audit, compliance, and dispute resolution.

I've been working on a minimal structure (Judgment, Delegation, Termination, Verification) that tries to capture exactly that. There's an IETF draft behind it: draft-wang-hjs-accountability-00.

Happy to help flesh out how an “evidence layer” could fit alongside AIP's Layer 1 (identity) and Layer 2 (enforcement). Looking forward to seeing where this goes.

[yungcero]

Awesome! I think the best place to start for the evidence layer is to look at how the auditing is currently structured and how we can build out a spec for that and standard. The JSON is here https://agentidentityprotocol.io/specs/aip-v1alpha3#12-audit-log-format. Our doc markdowns are in the main repo.

[schchit]

Hi James, Got it – thanks for the link. I'll start digging into the audit log format this week and see how the HJS primitives could map to it. Will follow up once I have something concrete. Best, Yuqiang  发自我的iPhone

…

------------------ Original ------------------ From: James ***@***.***> Date: Wed,Feb 25,2026 1:07 AM To: openagentidentityprotocol/agentidentityprotocol ***@***.***> Cc: HJS · A Protocol For Structural Traceability. ***@***.***>, Comment ***@***.***> Subject: Re: [openagentidentityprotocol/agentidentityprotocol] IETF StandardsWorking Group (Discussion #14) Awesome! I think the best place to start for the evidence layer is to look at how the auditing is currently structured and how we can build out a spec for that and standard. The JSON is here https://agentidentityprotocol.io/specs/aip-v1alpha3#12-audit-log-format. Our doc markdowns are in the main repo. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

[yungcero]

Awesome looking forward to it. I'm creating a tool right now to pentest these LLM endpoints so would be a good chance to test it in action plus what audit logs make sense in realworld threat scenario.

[schchit]

Following up on our discussion – I've started implementing a prototype of the audit layer based on AIP's audit log format. The core logic maps AIP events to HJS primitives (Delegation/Judgment/Termination) and builds a verifiable hash chain with optional OpenTimestamps anchoring.

I'm putting together a clean GitHub repo with the code and examples – should be ready in a day or two. Once it's up, I'd love to get your feedback and see if we can test it with your pentesting tool.

Let me know if you have any specific requirements or test scenarios in mind!

[yungcero]

Awesome, yes definitely will check it out! The pentesting tool is located here https://github.com/montcao/gaslight. Essentially it will wrap scanners that already exist so we have a larger sample size to test, but want to test scenarios where we can get the agent to hallucinate or exfiltrate data it does not have access to. I need to test it on a standard MCP server first.

[schchit]

Hi James, The HJS-AIP integration repo is ready: https://github.com/schchit/hjs-aip-integration Includes: - `mappings/hjs-aip-mapping.json` - Maps AIP v1alpha3 audit logs to HJS primitives (Delegation/Judgment/Termination/Verification) - `scripts/README.md` - Outline of the Python conversion scripts - `examples/` - Sample AIP log and the resulting HJS evidence package Next: - I'll start on the `aip2hjs.py` script - When `gaslight` is ready, we can test: gaslight runs attacks, HJS logs them as verifiable evidence Let me know if the mapping matches how you think about the evidence layer. Best, Yuqiang 王豫强 ***@***.*** Cognitive Emergence  研究员 原始邮件 发件人：James ***@***.***> 发件时间：2026年2月27日 01:55 收件人：openagentidentityprotocol/agentidentityprotocol ***@***.***> 抄送： HJS · A Protocol For Structural Traceability. ***@***.***>, Comment ***@***.***> 主题：Re: [openagentidentityprotocol/agentidentityprotocol] IETF StandardsWorking Group (Discussion #14) Awesome, yes definitely will check it out! The pentesting tool is located here https://github.com/montcao/gaslight. Essentially it will wrap scanners that already exist so we have a larger sample size to test, but want to test scenarios where we can get the agent to hallucinate or exfiltrate data it does not have access to. I need to test it on a standard MCP server first. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.

[schchit]

Hi James,

The HJS-AIP integration repo is ready:
https://github.com/schchit/hjs-aip-integration

Includes:

• mappings/hjs-aip-mapping.json - Maps AIP v1alpha3 audit logs to HJS primitives (Delegation/Judgment/Termination/Verification)
• scripts/README.md - Outline of the Python conversion scripts
• examples/ - Sample AIP log and the resulting HJS evidence package

Next:

• I'll start on the aip2hjs.py script
• When gaslight is ready, we can test: gaslight runs attacks, HJS logs them as verifiable evidence

Let me know if the mapping matches how you think about the evidence layer.

Best,
Yuqiang

[schchit]

Follow-up: I want to clarify - the repo contains the mapping
specification and analysis, not a working implementation. The
examples show the target state assuming v1alpha4 extensions,
not current v1alpha3 output. I should have been clearer about
the maturity level. Full prototype coming next.

[schchit]

Hi James, I need to correct my previous email. Upon reviewing the repository content,  I realized my description was misleading about the maturity level. The reality: - "Repo is ready" referred to documentation framework only, not working code - Only 1/4 HJS primitives (Delegation) fully extractable from AIP v1alpha3 - Judgment/Termination require AIP extensions (model_id, output_commitment)    not present in current spec - The "resulting HJS evidence package" in examples is a SIMULATED target    state assuming v1alpha4 extensions, not currently achievable I've immediately updated all files with honest status annotations: - Real AIP log: "_status": "PARTIAL MAPPING ONLY" - Simulated evidence: "_status": "HYPOTHETICAL COMPLETION" - README: clearly states "Not a working integration" Apologies for the confusion in my first message. The current version  accurately reflects actual status: conceptual analysis pending community  feedback. Updated repo: https://github.com/schchit/hjs-aip-integration Best, Yuqiang 王豫强 ***@***.*** Cognitive Emergence  研究员 原始邮件 发件人：James ***@***.***> 发件时间：2026年2月27日 01:55 收件人：openagentidentityprotocol/agentidentityprotocol ***@***.***> 抄送： HJS · A Protocol For Structural Traceability. ***@***.***>, Comment ***@***.***> 主题：Re: [openagentidentityprotocol/agentidentityprotocol] IETF StandardsWorking Group (Discussion #14) Awesome, yes definitely will check it out! The pentesting tool is located here https://github.com/montcao/gaslight. Essentially it will wrap scanners that already exist so we have a larger sample size to test, but want to test scenarios where we can get the agent to hallucinate or exfiltrate data it does not have access to. I need to test it on a standard MCP server first. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.

[yungcero]

Cool thanks - will try and review this week! Want to get the IETF draft submitted before 125 so that we can ensure all the work is in synergy

[yungcero]

Reviewing part of the Judgement and Termination proposal - also trying to keep up to track with the threads in the IETF WG. This is still the same right or has anything changed based on feedback from group? Reason I ask is would love to focus on the judgement portion to start

[schchit]

Hi James,

My apologies—the previous proposal was far too heavy and over-analyzed. It shouldn't be a burden on your roadmap.

AIP is the foundation. HJS should only be an auxiliary verifier.

I am drafting a lightweight mapping that requires zero extensions to v1alpha3 and focuses strictly on the Judgment outcome.

I'll share this simplified, AIP-first logic shortly.

[schchit]

I've reorganized the integration into a dedicated auxiliary layer: aip-verification-layer.It's now a completely non-invasive, 'AIP-First' toolset.Let me know if you see any issues. Happy to adjust as needed to fit your timeline. https://github.com/schchit/aip-verification-layer

[yungcero]

I like it. What are you more familiar with, go, rust, python? I say let's get this into our aip-playground to test. I need to push up the python implementation and test it - but we can see how it works with an MCP server w/ AIP enabled and AIP + your verification layer together

[schchit]

Glad the direction works for you. I’m more on the compliance and logic side, but my team can support both Python and Go. Since you're pushing the Python implementation, let's stick with Python for the playground. This should be the fastest way to validate how HJS supports the AIP + MCP flow. Just let me know when you've pushed the code, and I’ll have my engineers jump in to help with the integration and testing.

[schchit]

Hi James, 1.0 ready. You can find here: https://github.com/hjs-spec/aip-judgment-sidecar. Please take a look and see if it aligns with your expectations. I’m available for any further adjustments or feedback. By the way, I’ve been following your story—you are a very cool guy!

[yungcero]

Awesome, thank you! Reviewing today. I think the judgement would be great to integrate into the proxy after further thought. Because the IETF is focusing a lot on identity protocols, i think the "intent" is under tasked. A good area to get into. Also thank you haha those are kind words. Really appreciate it.

[schchit]

Hope you're doing well. Apologies for the slower reply .If anything needs to be adjusted or if you'd like me to take a closer look at any specific part, just let me know — I'm happy to jump in.Also, if you're planning to attend IETF 125 in Shenzhen, it would be great to meet in person. Let me know if you'll be around! Wish you all the best with everything.

[yungcero]

Hey yes, sorry been busy with other tasks. Responded in other comment but not sure if you saw. Yes, actually can we test how the JES would work in the AIP-playground? And I think the Judgement can integrate into the Layer 2 or maybe we can merge and create a Layer 3 judgement system. I think a layer 3 might be more clean. What do you think?

[schchit]

layer3 is good idea！you handle the planning, and I'll coordinate with you.

[yungcero]

I'll create another discussion thread so its more focused and tag you