| Internet-Draft | Delta-1 Settlement Receipts | April 2026 |
| Chang | Expires 18 October 2026 | [Page] |
This document defines Delta-1, a profile of the SCITT (Supply Chain Integrity, Transparency, and Trust) architecture applied to AI agent decision accountability.¶
Delta-1 specializes the SCITT receipt model for a specific use case: proving that an individual AI decision met three accountability conditions simultaneously:¶
C1: Evidence of the decision process was consumed and sealed. C2: Strategic intent was isolated from inference providers. C3: An authorized party recorded the settlement.¶
The verdict is binary (VALID or INVALID) with no intermediate states. Receipts are independently verifiable without the issuing infrastructure being online, subject to the trust and attestation assumptions defined in this document.¶
By building on the SCITT framework, Delta-1 inherits transparency-log semantics, receipt conventions, and verification patterns, while extending them with domain-specific requirements for AI decision closure.¶
This profile is intended for regulated industries, including finance, healthcare, and legal, operating under accountability and record-retention obligations.¶
This document is submitted as an individual Internet-Draft. Remove this note prior to publication as an RFC.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
As AI agents increasingly make or assist in consequential decisions, such as financial trades, clinical recommendations, procurement approvals, and legal assessments, organizations need a mechanism to prove that each decision met defined accountability conditions at the time it was made.¶
Current approaches often provide authorization semantics ("this AI action was approved") but not settlement semantics ("the decision's accountability conditions can be cryptographically proven after the fact"). This gap creates regulatory, legal, and operational risk.¶
The SCITT architecture defines a framework for creating transparent, tamper-evident signed statements registered on append-only transparency services, with receipts proving inclusion.¶
Delta-1 maps SCITT concepts to AI decision accountability:¶
Delta-1 extends SCITT with:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Delta-1 protocol operates as the final step in an AI decision accountability pipeline:¶
Verification is performed by the receipt holder. Offline verification of the receipt signature and transcript binding is REQUIRED. Verification of optional external artifacts, such as TEE quote status or trusted time evidence, MAY depend on cached trust anchors or online validation services, depending on local policy.¶
A Delta-1 receipt is a JSON object with the following fields.¶
The Delta-1 validator MUST evaluate three conditions. All three MUST be true for the receipt to be VALID.¶
C1 is true when all of the following hold:¶
C2 is true when all of the following hold:¶
Deployments claiming C2 compliance SHOULD document the threat model, attacker vantage point, and reconstruction criteria used for validation.¶
C3 is true when all of the following hold:¶
The verdict is computed as follows:¶
delta1_valid = c1 AND c2 AND c3¶
There is no partial validity, no scoring, and no weighted average. Two out of three conditions being true still yields INVALID.¶
To prevent receipt transplantation, the receipt SHOULD include a transcript binding digest.¶
The transcript_digest is computed as follows:¶
transcript_digest = SHA-256( original_request_digest || transformed_request_digests || provider_dispatch_map || provider_response_digests || trt_verdict_digest || bbox_seal_hash || policy_versions || model_identities )¶
Each receipt MUST contain a globally unique run_id. The validator MUST reject any validation request whose run_id has been previously used.¶
Implementations SHOULD use cryptographically random identifiers of at least 128 bits.¶
Each receipt MUST contain a sequence_number that is strictly greater than the sequence_number of any previous receipt from the same validator instance.¶
Gaps are permitted, such as after rejected validations, but decreases are not permitted.¶
Before computing proof_hash, implementations MUST construct a canonical proof input object containing the following fields: session_id, run_id, sequence_number, conditions_met, transcript_digest, and timestamp.¶
The proof input object MUST be serialized using the JSON Canonicalization Scheme (JCS) defined in [RFC8785]. The proof_hash is the SHA-256 digest of that canonicalized byte string.¶
The receipt signature MUST use Ed25519 [RFC8032]. The signed payload is the proof_hash.¶
The signing key MUST be controlled by the customer, not by the infrastructure vendor.¶
Verification requires, at minimum:¶
Verification procedure:¶
Verification of receipt signature and transcript binding MUST NOT require network access, vendor APIs, or online services.¶
When the Delta-1 validator executes inside a Trusted Execution Environment (TEE), the receipt MAY include attestation evidence.¶
Attestation verification depends on tee_type and local trust policy. Implementations MAY validate attestation online, or offline using cached collateral and trust anchors.¶
At minimum, verifiers SHOULD:¶
Without attestation, the customer trusts that vendor-operated software ran correctly. With attestation, trust shifts toward the TEE platform and its measurement chain. This is a substantial trust upgrade, but not a zero-trust guarantee.¶
A receipt, once issued, MUST NOT be modified. If a condition is later found to have been recorded incorrectly, a new receipt MUST be issued with a new receipt_id and the updated verdict.¶
Receipts SHOULD be archived by the customer for the duration required by applicable regulation, contract, or internal retention policy.¶
To prove accountability over a period of time, implementations MAY chain receipts by incorporating the previous receipt's proof_hash into the next receipt's transcript binding.¶
Delta-1 receipts are transport-agnostic. They MAY be delivered via:¶
The receipt format is JSON. Implementations SHOULD support both JSON and CBOR [RFC8949] encodings where bandwidth-constrained environments require compact encoding.¶
Without TEE support, the receipt is ultimately a software self-report. A compromised validator can produce fraudulent VALID receipts.¶
The customer's Ed25519 signing key is a root of trust. Compromise of this key permits forged receipts. Implementations SHOULD use hardware security modules or equivalent protections.¶
run_id nonces and monotonic sequence_number values are used to mitigate replay attacks. Validators MUST reject duplicate run_id values.¶
Without transcript binding, a valid receipt could be attached to a different decision. Production deployments SHOULD include transcript binding.¶
TEE technologies remain exposed to side-channel and implementation-level attacks. Current mitigations reduce, but do not eliminate, residual risk.¶
The timestamp in the receipt is produced by the validator's local clock. High-assurance deployments SHOULD bind receipt issuance time to a trusted external time source, such as RFC 3161 or Roughtime-based evidence.¶
Receipt proof construction MUST use JCS canonicalization before hashing. Without deterministic serialization, semantically identical content can yield different proof_hash values.¶
Implementations MUST support key rotation. Historical receipts signed by an old key remain valid if the corresponding public key and validity period are preserved.¶
The Delta-1 validator is a single point of trust when no TEE is used. Reproducible builds, transparency logs, and multi-party validation are RECOMMENDED mitigations for high-assurance deployments.¶
Implementations SHOULD support multiple TEE families and MUST distinguish them using tee_type.¶
Attestation artifacts can be replayed. Binding proof_hash into report_data_hash ensures that an attestation artifact covers exactly one receipt instance.¶
This document requests registration of the "application/delta1-receipt+json" media type in the "Media Types" registry.¶
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Delta1Receipt",
"type": "object",
"required": [
"schema_version",
"receipt_id",
"session_id",
"run_id",
"sequence_number",
"delta1_valid",
"conditions_met",
"timestamp",
"proof_hash",
"signature",
"public_key_ref"
],
"properties": {
"schema_version": {
"type": "string",
"const": "delta1-v1"
},
"receipt_id": { "type": "string" },
"session_id": { "type": "string" },
"run_id": { "type": "string" },
"sequence_number": {
"type": "integer",
"minimum": 1
},
"delta1_valid": { "type": "boolean" },
"conditions_met": {
"type": "object",
"required": ["c1", "c2", "c3"],
"properties": {
"c1": { "type": "boolean" },
"c2": { "type": "boolean" },
"c3": { "type": "boolean" }
}
},
"timestamp": {
"type": "string",
"format": "date-time"
},
"proof_hash": { "type": "string" },
"signature": { "type": "string" },
"public_key_ref": { "type": "string" },
"transcript_digest": { "type": "string" },
"bbox_seal_hash": { "type": "string" },
"trusted_time": {
"type": "object",
"properties": {
"type": { "type": "string" },
"value": { "type": "string" }
}
},
"attestation": {
"type": "object",
"properties": {
"tee_type": { "type": "string" },
"quote": { "type": "string" },
"measurement": { "type": "string" },
"signer_identity": { "type": "string" },
"tcb_level": { "type": "string" },
"report_data_hash": { "type": "string" },
"mode": { "type": "string" }
}
}
}
}
¶
{
"schema_version": "delta1-v1",
"receipt_id": "EP-mnu2gmo2-df9ba6d5",
"session_id": "session-20260414-e3f1",
"run_id": "run-20260414-a7f3b2c1d4e5",
"sequence_number": 42,
"delta1_valid": true,
"conditions_met": { "c1": true, "c2": true, "c3": true },
"timestamp": "2026-04-14T10:24:15Z",
"proof_hash": "3fa2b7c1e8d9f4a5b6c7d8e9f0a1b2c3...",
"signature": "ed25519:MIGHAoGBANr5nD1y4X...",
"public_key_ref": "customer_hsm_key_001",
"transcript_digest": "a1b2c3d4e5f6a7b8c9d0e1f2...",
"bbox_seal_hash": "9a8b7c6d5e4f3a2b1c...",
"attestation": {
"tee_type": "sgx_dcap",
"quote": "SIMULATION:abc123...",
"measurement": "f7a2b1c3d4e5f6a7b8c9d0e1...",
"signer_identity": "e1f2a3b4c5d6e7f8a9b0c1d2...",
"tcb_level": "simulation",
"report_data_hash": "3fa2b7c1e8d9f4a5b6c7d8e9f0a1b2c3...",
"mode": "simulation"
}
}
¶
{
"schema_version": "delta1-v1",
"receipt_id": "EP-x9k3m7p2-c4a1b8f3",
"session_id": "session-20260414-b2c3",
"run_id": "run-20260414-f8e7d6c5b4a3",
"sequence_number": 43,
"delta1_valid": false,
"conditions_met": { "c1": true, "c2": false, "c3": true },
"timestamp": "2026-04-14T10:25:02Z",
"proof_hash": "7b8c9d0e1f2a3b4c5d6e7f8a...",
"signature": "ed25519:KJHFaskjdfh...",
"public_key_ref": "customer_hsm_key_001",
"transcript_digest": ""
}
¶