Internet-Draft Mission Audit Transparency July 2026
McGuinness Expires 8 January 2027 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-mcguinness-mission-audit-latest
Published:
Intended Status:
Standards Track
Expires:
Author:
K. McGuinness
Independent

Mission Audit Transparency

Abstract

Mission-Bound Authorization for OAuth 2.0 and its companions produce many evidence records: the approval event, lifecycle transitions, consent evidence, runtime decision and execution evidence, and further evidence types profiles define. Each is signed, but signed is not the same as tamper-evident, append-only, or independently verifiable: a holder of the signing key can still backdate, drop, or reorder records, and a cross-domain party cannot confirm what was recorded without trusting the issuer's own logs. This document defines an OPTIONAL Mission Audit Transparency profile. It registers Mission evidence into a SCITT Transparency Service as Signed Statements, with the Mission as the statement subject so a Mission's records form one coherent, append-only feed, and binds the resulting Receipt back so any party, in any domain, can verify offline that a record was registered and not altered. To keep sensitive task data out of the log, statements commit to the evidence by hash rather than carrying it.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-audit.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mcguinness-mission-audit/.

Source for this draft and an issue tracker can be found at https://github.com/mcguinness/mission-bound-authorization.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 8 January 2027.

Table of Contents

1. Introduction

Mission-Bound Authorization for OAuth 2.0 [I-D.draft-mcguinness-oauth-mission] (the "issuance profile") and its companions record evidence at every governance and enforcement point. The evidence is signed, which makes a single record attributable and tamper-evident in isolation. It does not make the record set as a whole trustworthy: the party that holds the signing key can backdate a record, omit an inconvenient one, or present different histories to different auditors, and nothing a relying party holds detects it. A cross-domain auditor is worse off still, with only the issuer's assertion that its logs are complete.

This document closes that gap by profiling the SCITT architecture [RFC9943] (the "transparency substrate"). A Mission evidence record is registered with a Transparency Service as a Signed Statement; the service appends it to a verifiable, non-equivocating log and returns a Receipt proving inclusion. The Signed Statement plus its Receipt is a Transparent Statement that any party can verify offline: the record was registered, at a committed time, in a log that cannot later drop or reorder it. The Mission is the statement subject, so all of a Mission's evidence shares one subject and forms one feed an auditor can assemble and replay as a single narrative (Section 6.5).

This adds transparency to evidence the suite already defines; it defines no new evidence object. It is OPTIONAL, and what it proves is bounded: transparency makes misbehavior detectable and attributable, it does not make a dishonest issuer honest (Section 10).

2. Status: An OPTIONAL Extension

This document is OPTIONAL. A deployment that retains evidence without a Transparency Service is fully conformant to the issuance profile and its companions and is unaffected by this document. It places no new requirement on them and defines no new evidence; it registers the records they already produce.

A deployment claims this profile only when it registers Mission evidence with a Transparency Service.

The transparency substrate this profile builds on is ratified: it depends normatively on the SCITT architecture [RFC9943], a published standard. Its hash commitment uses the COSE hash-envelope headers ([I-D.draft-ietf-cose-hash-envelope]), approved and in the RFC Editor queue. The profile itself is newer than the substrate and less exercised in deployment, so an implementer treats its interfaces as still settling and validates them against real audits before relying on them. The signed evidence the suite produces without a Transparency Service ([I-D.draft-mcguinness-oauth-mission]) does not depend on this profile.

3. Relationship to the Issuance Profile

This document depends normatively on the issuance profile and the transparency substrate, and is not implementable alone. It reuses the issuance profile's mission claim and integrity anchors, the evidence objects defined across the suite, and the transparency substrate's Signed Statement, Receipt, Transparent Statement, and subject (feed) constructs and COSE_Sign1 [RFC9052] format. It uses Mission, Mission Issuer, and the evidence objects as the suite defines them, and Transparency Service, Signed Statement, Receipt, and Transparent Statement as the transparency substrate defines them. The transparency substrate's Receipt, the Transparency Service's proof of inclusion, is distinct from the runtime profile's Mission Receipt, portable evidence of an action taken under a Mission ([I-D.draft-mcguinness-mission-runtime]); this document uses Receipt in the SCITT sense only. Registering a Mission Receipt's underlying evidence on the Mission's feed provides tamper-evident ordering and inclusion; the receipt-chaining alternative, each Mission Receipt binding its predecessor's digest, is for a deployment without a Transparency Service.

4. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Mission evidence:

Any evidence record the suite defines, including the approval event, lifecycle transitions, consent evidence ([I-D.draft-mcguinness-oauth-mission-consent-evidence]), and runtime decision and execution evidence ([I-D.draft-mcguinness-mission-runtime]).

5. Mission Substrate

This profile is defined against the Mission model rather than against OAuth 2.0 mechanics. It consumes these substrate primitives: the Mission identifier and issuer, from which the statement subject is constructed; the evidence types and their canonical bytes; the integrity-anchor envelope; each producer's published key material; and the audit horizon, the retention window the registered evidence must survive. The issuance profile [I-D.draft-mcguinness-oauth-mission] is this version's normative substrate. Evidence produced under another Mission substrate registers and verifies the same way once its types and canonical bytes are defined as in the evidence-type table (Section 6.2).

6. Registering Mission Evidence

A producer of Mission evidence (the Mission Issuer, a Policy Decision Point, a harness, or another component the deployment trusts to record) MAY register a record with a Transparency Service as a Signed Statement ([RFC9943]). The Signed Statement's protected header carries, in its CWT Claims:

6.1. Hash Commitment

A Signed Statement MUST commit to the evidence by hash rather than carry the evidence itself, so sensitive task data stays out of the log (Section 13). The commitment uses the COSE hash-envelope mechanism [I-D.draft-ietf-cose-hash-envelope]: the COSE_Sign1 payload is the hash of the evidence, carried inline, and the protected header signals how the hash was produced. The payload is not detached, and it is not the sha-256:... display string an integrity anchor uses ([I-D.draft-mcguinness-oauth-mission]); it is the digest bytes themselves.

The committed value is the SHA-256 [RFC6234] digest of the evidence bytes that Section 6.2 fixes for the evidence type. For an object that is already signed, those bytes are the retained object as issued, hashed as-is; for an object this profile canonicalizes, they are its JCS canonical bytes. The protected header carries:

The log then proves a specific record was registered at a time; the evidence is retrieved separately, under access control, and its canonical bytes are rehashed and checked against the committed digest (Section 8).

6.2. Evidence Types

Each registrable evidence type fixes the exact bytes that are hashed, the media type carried in payload-preimage-content-type, and the producer authoritative for it. A producer MUST commit to the canonical bytes named here, and a relying party MUST verify the producer is authoritative for the type (Section 6.3) before treating a record as part of the Mission's feed.

Table 1
Evidence type Canonical bytes (hashed) payload-preimage-content-type Producer
Approval event Mission record at creation, state excluded, canonicalized application/mission-approval-record+json issuer
Lifecycle transition Signals SET as issued; else Section 6.2.1 (JCS) application/secevent+jwt, else application/mission-lifecycle-transition+json issuer
Derivation record Section 6.2.2 (JCS) application/mission-derivation-record+json issuer
Consent evidence retained signed object, as issued application/mission-consent-evidence+json issuer
Decision evidence Decision Evidence object, as issued application/mission-decision-evidence+json PDP key
Execution evidence Execution Evidence object, as issued application/mission-execution-evidence+json PEP key
Mission Mandate JWS Compact Serialization, as issued application/mission-mandate+jwt issuer

The table is extensible by specification: a profile MAY define an additional evidence type by fixing its canonical bytes, its payload-preimage-content-type, and its authoritative producer, as the Mandate profile does for the Mission Mandate ([I-D.draft-mcguinness-mission-mandate]). A relying party admits an extension type it implements; it ignores records of a type it does not implement, and they are not audit failures.

The producer identifiers are principals the suite already names. For every record whose producer is the Mission issuer, the Signed Statement's iss MUST equal that issuer ([I-D.draft-mcguinness-oauth-mission]). The PDP and PEP keys are those in the deployment-published key sets the runtime and AuthZEN profiles require ([I-D.draft-mcguinness-mission-runtime], [I-D.draft-mcguinness-mission-authzen]).

The approval event, the lifecycle-transition object, and the derivation record are canonicalized under the issuance profile's canonicalization rules ([I-D.draft-mcguinness-oauth-mission]); an already-signed object (the consent, decision, and execution evidence, the Signals SET, and the Mandate) is hashed as issued, not re-canonicalized. The approval-event, lifecycle-transition, and derivation-record media types are defined by this profile (Section 14); the consent, decision, and execution evidence types are registered by the profiles that define those objects ([I-D.draft-mcguinness-oauth-mission-consent-evidence], [I-D.draft-mcguinness-mission-authzen]), the Signals SET media type by the Signals profile it is carried in ([I-D.draft-mcguinness-oauth-mission-signals]), and the Mandate media type by the Mandate profile ([I-D.draft-mcguinness-mission-mandate]).

6.2.1. The Lifecycle Transition Object

A deployment that does not run the Signals profile commits a lifecycle transition as a minimal JSON object with these members, JCS-canonicalized [RFC8785]:

  • mission_id (string, required): the Mission id.

  • issuer (string, required): the Mission issuer.

  • state (string, required): the new lifecycle state.

  • prior_state (string, optional): the state immediately before the transition.

  • transitioned_at (string, required): an RFC 3339 [RFC3339] date-time at which the transition was committed.

Its media type is application/mission-lifecycle-transition+json (Section 14).

6.2.1.1. Computed Example

A minimal transition object recording the revocation of Mission msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-:

{
  "mission_id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
  "issuer": "https://as.example.com",
  "state": "revoked",
  "transitioned_at": "2026-11-02T08:30:00Z"
}

Its JCS canonical bytes (one line; breaks are for display only):

{"issuer":"https://as.example.com","mission_id":"msn_8RfX2Lqv9TqMv
4z7sA2bN1k0YpEdHc9-","state":"revoked","transitioned_at":"2026-11-
02T08:30:00Z"}

The committed digest is the SHA-256 of those bytes; its base64url form is 9xMd0Ge2W5oh7f_a964mvK66QOOHYOe-kDz3HUYXkd8. The Signed Statement carries the digest bytes inline as its payload, with this protected header (Section 6.1, Section 7):

{
  / alg /                    1: -7,   / ES256 /
  / payload-hash-alg /     258: -16,  / SHA-256 /
  / payload-preimage-content-type / 259:
      "application/mission-lifecycle-transition+json",
  / kid /                    4: h'61732d6b65792d323032362d7133',
  / CWT Claims /            15: {
    / iss / 1: "https://as.example.com",
    / sub / 2: "https://as.example.com/missions/
                msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-"
  }
}

6.2.2. The Derivation Record

The family's evidence runs from the approval to the enforced action, but the derivation event between them, the issuer issuing a token under the Mission ([I-D.draft-mcguinness-oauth-mission]), is otherwise visible only in Authorization Server logs no profile mandates. A derivation record closes that gap: it commits which token was issued, to which audience, carrying which entries, under which Mission.

A derivation record is a JSON object with these members, JCS-canonicalized [RFC8785]:

  • mission_id (string, required): the Mission id.

  • issuer (string, required): the Mission issuer.

  • token_digest (string, required): a digest in the issuance profile's encoded form ([I-D.draft-mcguinness-oauth-mission]), over the UTF-8 bytes of the issued token's JWS Compact Serialization, or of the token's jti where the deployment retains no token bytes.

  • aud (string, required): the audience the token was issued for.

  • entries_digest (string, required): the integrity-anchor envelope digest ([I-D.draft-mcguinness-oauth-mission]) over the issued authorization_details array, with typ mission-derivation-entries and iss the issuer.

  • actor (string, optional): the delegate's sub, present when the derivation was a delegation.

  • issued_at (string, required): an RFC 3339 [RFC3339] date-time at which the token was issued.

Its media type is application/mission-derivation-record+json (Section 14), and its authoritative producer is the issuer: the Signed Statement's iss MUST equal the Mission issuer (Section 6.2).

6.2.2.1. Computed Example

For Mission msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-, the Mission Issuer issues a token for audience https://erp.example.com, narrowed to the write entry, with jti at_5v9Kq2mR7xW4nP8sL1zT6. The issued authorization_details:

[
  { "type": "mission_resource_access",
    "resource": "https://erp.example.com",
    "actions": ["journal-entries.write"],
    "constraints":
      { "max_amount": { "amount": "500.00", "currency": "USD" } } }
]

entries_digest is the integrity-anchor envelope digest over that array with typ mission-derivation-entries and iss https://as.example.com; token_digest is over the UTF-8 bytes of the jti. The derivation was not a delegation, so actor is absent. The record:

{
  "mission_id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
  "issuer": "https://as.example.com",
  "token_digest":
    "sha-256:V1Wbh4Z3wK39B_YmzHlvkGr7hEA1rUoJMuj00y0q-eE",
  "aud": "https://erp.example.com",
  "entries_digest":
    "sha-256:Hilv4npLEWlcp2y5z7xcACgXxRhx-LO6dqs5AX0xL8o",
  "issued_at": "2026-10-15T14:32:12Z"
}

Its JCS canonical bytes (one line; breaks are for display only):

{"aud":"https://erp.example.com","entries_digest":"sha-256:Hilv4np
LEWlcp2y5z7xcACgXxRhx-LO6dqs5AX0xL8o","issued_at":"2026-10-15T14:3
2:12Z","issuer":"https://as.example.com","mission_id":"msn_8RfX2Lq
v9TqMv4z7sA2bN1k0YpEdHc9-","token_digest":"sha-256:V1Wbh4Z3wK39B_Y
mzHlvkGr7hEA1rUoJMuj00y0q-eE"}

The committed digest is the SHA-256 of those bytes; its base64url form is _cM7GYYiV3VI-QrtRWSogl5Wz1-sB90GM4ZHxuPC3j0. The Signed Statement carries the digest bytes inline as its payload, with payload-preimage-content-type application/mission-derivation-record+json and the same iss and sub as Section 6.2.1.1.

6.3. Registration Policy and Authoritative Producers

Each evidence type has one authoritative producer (Section 6.2). A relying party MUST verify that a record's iss is the authoritative producer for the record's type before treating the record as part of the Mission's feed; a record from any other producer is not part of the feed, whatever its sub.

The deployment's Transparency Service registration policy SHOULD restrict who may register Signed Statements for a Mission subject to those authoritative producers, so the log does not accumulate records from components that are not entitled to write to a Mission's feed.

A relying party discovers a producer's key by the producer's role. The issuer's key is resolved through its published key material: the Authorization Server's metadata jwks_uri in the OAuth binding ([I-D.draft-mcguinness-oauth-mission]), or the Mission Authority Server's discovery jwks_uri in the standalone binding ([I-D.draft-mcguinness-mission-authority-server]). A PDP or PEP key is resolved through the deployment-published key sets the runtime and AuthZEN profiles require ([I-D.draft-mcguinness-mission-runtime], [I-D.draft-mcguinness-mission-authzen]).

6.4. Registration Availability

Registration is asynchronous to the events it records. A producer MUST NOT block approval, issuance, or a lifecycle transition on a Transparency Service being reachable or on a Receipt being returned; the governed operation proceeds and the record is registered out of band. A conforming deployment registers each record within a documented time bound and records its registration backlog, so a gap between an event and its registration is visible rather than silent.

A record registered late is transparent only from its registration time: the Receipt proves inclusion from when the log received the Signed Statement, not from when the event occurred. A deployment that needs the event time itself attested relies on the timestamps the evidence carries, which the record's hash commits.

6.5. Retrieval

The transparency substrate registers Signed Statements and resolves a Receipt by its entry identifier; the SCITT reference APIs [I-D.draft-ietf-scitt-scrapi] give a concrete interface for registration, Receipt resolution, and Transparency Service key discovery where a deployment runs them. Neither the substrate nor those APIs defines a query that enumerates a subject's whole feed. A deployment that wants an auditor to retrieve all of a Mission's records by sub provides that enumeration itself, out of band, over the records it registered; this profile fixes the sub so those records share one correlator (Section 7), not a standardized feed query.

6.6. What to Register

A deployment claiming this profile MUST register at least the governance-critical records: the approval event and every Mission lifecycle transition. It SHOULD also register the runtime decision and execution evidence for the action classes it enforces, so the action trail is transparent and not only the governance trail.

A Mission Issuer deploying this profile SHOULD register a derivation record (Section 6.2.2) for each derivation event. The derivation is where approval becomes an issued token, and the family's evidence otherwise leaves that step to Authorization Server logs no profile mandates; registering it closes the approval-to-action gap.

7. The Mission as Subject

The sub of every Signed Statement about a Mission is a stable identifier of that Mission, derived from the mission claim's issuer and id. All evidence about one Mission shares one sub and forms one Transparency Service feed. Where the deployment provides feed retrieval (Section 6.5), an auditor collects a Mission's complete, ordered, append-only evidence by that sub, and the substrate's non-equivocation guarantee means the auditor and the deployment see the same records.

For that to hold, every producer MUST compute the identical sub. This profile fixes a single construction; a producer MUST use it and MUST NOT use any other. The sub is the URI formed by appending the literal path segment missions and the Mission id to the issuer:

<issuer>/missions/<id>

The issuer is used exactly as it appears in the mission claim, with any single trailing slash removed, and the id is appended without transformation; the issuance profile constrains the Mission Identifier to the URL-safe characters [A-Za-z0-9_-] ([I-D.draft-mcguinness-oauth-mission]), so no percent-encoding is required. Because the construction is fixed, independent producers writing evidence about the same Mission (the Mission Issuer, a PDP, a harness) compute the same sub and write to one feed.

The sub is a correlator, not a credential; presenting it authorizes nothing ([I-D.draft-mcguinness-oauth-mission]).

A Child Mission ([I-D.draft-mcguinness-oauth-mission-child-delegation]) is its own Mission with its own id and issuer, so its evidence forms its own feed; its lifecycle events, including a cascaded transition, appear in that feed. The event that triggered the cascade is in the parent's feed, and the child's lineage to the parent is the parent member of its mission claim, which an auditor follows to the parent's sub to see that trigger.

Across trust domains a Mission's issuer and id are unchanged ([I-D.draft-mcguinness-oauth-mission]), so every producer in every domain computes the same sub. They share one feed only when they register with the same Transparency Service. Where domains register with different services, each service holds a partial feed and its non-equivocation guarantee is per-service (Section 8); an auditor that needs the Mission's whole history reconciles it across those services, and a deployment that wants a single coherent feed SHOULD have its cross-domain producers register with one shared service.

8. Receipts and Transparent Statements

On registration the Transparency Service returns a Receipt, a signed inclusion proof ([RFC9943]). The producer SHOULD retain the Receipt with the evidence, or on the Mission record, as a Transparent Statement (the Signed Statement augmented with its Receipt).

A relying party verifies a Transparent Statement offline, without contacting the producer or the service:

  1. verify the Signed Statement signature against the producing component's (iss) trust anchor;

  2. verify the Receipt signature against the Transparency Service's published key or configured trust anchor;

  3. verify the inclusion proof binds the Signed Statement to the log;

  4. when auditing a specific Mission, confirm sub is that Mission's feed (Section 7); and

  5. retrieve the referenced evidence under access control, rehash the evidence bytes as Section 6.2 fixes them for its type (with the retained salt, where one was used, Section 13), and compare the result against the committed digest.

A relying party MUST complete steps 1 through 5 before relying on a record as transparent.

8.1. Verification Failures

This profile distinguishes an integrity failure, where the transparency claim is false, from an audit failure, where the claim cannot be fully checked but is not refuted, as the consent evidence profile does ([I-D.draft-mcguinness-oauth-mission-consent-evidence]):

  • A failed Signed Statement signature, Receipt signature, or inclusion proof (steps 1 through 3), or a committed hash that does not match the retrieved evidence (step 5), is an integrity failure. The relying party MUST reject the Transparent Statement and MUST NOT treat the record as transparent.

  • Evidence that cannot be retrieved within the retention window (step 5 incomplete) is an audit failure, not an integrity failure. Steps 1 through 3 still establish that the record was registered, at a committed time, in a non-equivocating log; only the content check is incomplete. The relying party MUST NOT treat the record as content-verified, and MUST NOT treat unretrievable evidence as evidence of tampering.

  • A producer or Transparency Service key that the relying party cannot verify against a trust anchor (step 1 or step 2 unresolved) is an audit failure, not an integrity failure. The relying party cannot attribute the Signed Statement or the Receipt to a known key, so it MUST NOT treat the record as transparent; it is not evidence of tampering, and the relying party MUST NOT treat it as such.

A deployment MAY register the same evidence with more than one Transparency Service and retain multiple Receipts. A relying party detects equivocation by comparing two things across services: the Receipts issued for the same Signed Statement, which must prove inclusion of the identical statement, and the records listed for the same sub, which must not differ in ways the append-only property forbids. A service that presents inconsistent Receipts for one statement, or a subject listing that diverges from another service's, is equivocating, and the relying party can rely on the others.

9. Worked Example

At the approval event for Mission msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-, the Mission Issuer records Consent Evidence and registers it. It does not put the disclosure in the log; it signs a Signed Statement whose payload is the hash of the Consent Evidence, carried inline, with the hash algorithm and the evidence media type in the protected header (Section 6.1). The sub is the Mission feed, derived from the Mission issuer and id; the iss is the Mission Issuer. Protected header, in CBOR extended diagnostic notation ([RFC8610], Appendix G):

{
  / alg /                    1: -7,   / ES256 /
  / payload-hash-alg /     258: -16,  / SHA-256 /
  / payload-preimage-content-type / 259:
      "application/mission-consent-evidence+json",
  / kid /                    4: h'61732d6b65792d323032362d7133',
  / CWT Claims /            15: {
    / iss / 1: "https://as.example.com",
    / sub / 2: "https://as.example.com/missions/
                msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-"
  }
}

The payload is the SHA-256 digest of the retained Consent Evidence object as issued (Section 6.2), carried inline as the raw digest whose base64url form is CnS3nT9sQ7nM2vL4tY6bD1eF8jC5wH0pV2nR3kQ4xVz, not that display string. The Transparency Service appends the statement and returns a Receipt, a COSE_Sign1 with an inclusion proof in its unprotected header, which the Mission Issuer keeps with the evidence as a Transparent Statement.

As the Mission proceeds, its other producers write to the same sub: the Mission Issuer registers a derivation record when it derives the agent's token (Section 6.2.2), the PDP registers a decision-evidence commitment when it permits the journal-entries.write, and the Mission Issuer registers a lifecycle-change commitment when alice later completes the Mission. Collecting the records registered under that one sub (Section 6.5) gives the Mission's whole history, in order, append-only:

sub =
https://as.example.com/missions/msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-

  #1  approval-event        iss=as.example.com    t0
  #2  consent-evidence      iss=as.example.com    t0
  #3  derivation-record     iss=as.example.com    t0
  #4  decision-evidence     iss=pdp.example.com   t0+6h
  #5  lifecycle: completed  iss=as.example.com    t0+6h

A compliance auditor in another domain, holding none of these deployments' logs, takes the Transparent Statement for #2, verifies the Receipt against the Transparency Service's published key and the inclusion proof, retrieves the Consent Evidence under access control, and rehashes the retained object to compare against the committed digest. The auditor now knows that exact disclosure was registered at t0 and has not since been altered, dropped, or reordered, without trusting the Mission Issuer's own records.

Two failures are distinct (Section 8.1). If the retrieved Consent Evidence hashes to a value other than the committed digest, the retained record was altered after registration: an integrity failure, and the auditor rejects it. If the record cannot be retrieved at all, the auditor still knows from the Receipt that record #2 was registered at t0 and not reordered, but cannot confirm its content: an audit failure, not proof of tampering.

10. What Transparency Adds, and Does Not

Transparency makes the evidence set tamper-evident and independently verifiable: a registered record cannot be silently backdated, dropped, or reordered, the feed is the same for every auditor, and a cross-domain party verifies a record without trusting the producer's logs, which a bare signature over a narrowed token cannot give it ([I-D.draft-mcguinness-oauth-mission]).

It does not make a dishonest producer honest. A producer can register a false record; transparency makes the false record permanent, attributable, and visible to every auditor, which is accountability, not prevention, the transparency substrate's own model ([RFC9943]). It also proves only that a record was registered, not that the action the record describes occurred or was authorized; that is the evidence's own semantics. And because statements commit by hash, a Receipt without the retrievable evidence proves only that some record was logged, not what it said.

11. Conformance

A producer conforming to this profile MUST:

A relying party conforming to this profile MUST:

12. Security Considerations

The transparency substrate's security considerations apply. This profile adds:

13. Privacy Considerations

A Transparency Service log is append-only and may be widely readable, so nothing registered can be redacted later. A producer MUST NOT register Mission evidence in the clear; it registers an inline hash commitment (Section 6), and the evidence, which can carry task descriptions, principals, and high-risk authority, is retained separately under access control. Even the committed metadata leaks information: the sub is a durable per-Mission correlator and the registration times reveal a Mission's activity pattern. The sub construction is fixed (Section 7) and does not expose the Subject directly, so the concern is not Subject leakage but that the Mission's durable identifier, its existence, and its registration cadence are visible in the log. A deployment SHOULD weigh whether those are sensitive, and whether the issuer and id that compose the sub reveal more than intended, before registering a Mission's evidence in a shared or widely readable log.

Evidence whose canonical bytes are low-entropy or drawn from an enumerable space MUST be committed with a random salt, retained alongside the evidence and hashed together with the evidence's canonical bytes. Without a salt, a party that can guess the evidence can confirm the commitment by dictionary; the salt makes the committed digest unguessable while still reproducible at verification, where the salt is retrieved with the evidence (Section 8).

Deleting retained evidence has a consequence the log makes permanent. The Receipt, the sub, and the registration cadence stay in the log, but the evidence they commit to is gone, so every record over the erased evidence becomes a permanent audit failure (Section 8.1): its content can never again be checked against the commitment. A deployment that may need to erase evidence, for a data-subject request or a retention limit, weighs this before registering. Registration does not prevent erasure; it converts an erased record into a permanent, visible gap rather than a silent one.

14. IANA Considerations

This document defines three media types for the evidence types of Section 6.2 that no other profile defines: application/mission-approval-record+json for the approval-event record, application/mission-lifecycle-transition+json for the minimal lifecycle-transition object (Section 6.2.1), and application/mission-derivation-record+json for the derivation record (Section 6.2.2). This document makes no registration request for them yet; registration is deferred pending a demonstrated cross-domain interoperability need, and deployments using these media types do so by local agreement until then.

The other evidence media types this profile registers into a Transparency Service are defined elsewhere: the runtime decision and execution evidence types by the AuthZEN profile ([I-D.draft-mcguinness-mission-authzen]), the consent evidence type by the consent evidence profile ([I-D.draft-mcguinness-oauth-mission-consent-evidence]), the Mission Mandate media type by the Mandate profile ([I-D.draft-mcguinness-mission-mandate]), and the Signals SET media type application/secevent+jwt by RFC 8417, which the Signals profile carries the event in ([I-D.draft-mcguinness-oauth-mission-signals]). The Signed Statement and Receipt media types are the transparency substrate's ([RFC9943]). This profile derives the sub by profile rather than registering a new identifier.

15. References

15.1. Normative References

[I-D.draft-ietf-cose-hash-envelope]
Steele, O., Lasker, S., and H. Birkholz, "COSE Hash Envelope", Work in Progress, Internet-Draft, draft-ietf-cose-hash-envelope-10, , <https://datatracker.ietf.org/doc/html/draft-ietf-cose-hash-envelope-10>.
[I-D.draft-mcguinness-oauth-mission]
McGuinness, K., "Mission-Bound Authorization for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3339]
Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, , <https://www.rfc-editor.org/rfc/rfc3339>.
[RFC6234]
Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, , <https://www.rfc-editor.org/rfc/rfc6234>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8785]
Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, DOI 10.17487/RFC8785, , <https://www.rfc-editor.org/rfc/rfc8785>.
[RFC9052]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, , <https://www.rfc-editor.org/rfc/rfc9052>.
[RFC9943]
Birkholz, H., Delignat-Lavaud, A., Fournet, C., Deshpande, Y., and S. Lasker, "An Architecture for Trustworthy and Transparent Digital Supply Chains", RFC 9943, DOI 10.17487/RFC9943, , <https://www.rfc-editor.org/rfc/rfc9943>.

15.2. Informative References

[I-D.draft-ietf-scitt-scrapi]
Birkholz, H., Geater, J., and A. Delignat-Lavaud, "Supply Chain Integrity, Transparency, and Trust (SCITT) Reference APIs", Work in Progress, Internet-Draft, draft-ietf-scitt-scrapi-11, , <https://datatracker.ietf.org/doc/html/draft-ietf-scitt-scrapi-11>.
[I-D.draft-mcguinness-mission-authority-server]
McGuinness, K., "Mission Authority Server", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-authority-server.html>.
[I-D.draft-mcguinness-mission-authzen]
McGuinness, K., "Mission-Bound Runtime Enforcement: AuthZEN Profile", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-authzen.html>.
[I-D.draft-mcguinness-mission-mandate]
McGuinness, K., "Mission Mandate", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-mandate.html>.
[I-D.draft-mcguinness-mission-runtime]
McGuinness, K., "Mission-Bound Runtime Enforcement", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-runtime.html>.
[I-D.draft-mcguinness-oauth-mission-child-delegation]
McGuinness, K., "Mission Child Delegation for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-child-delegation.html>.
McGuinness, K., "Mission Consent Evidence for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-consent-evidence.html>.
[I-D.draft-mcguinness-oauth-mission-signals]
McGuinness, K., "Mission Lifecycle Signals for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-signals.html>.
[RFC8610]
Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, , <https://www.rfc-editor.org/rfc/rfc8610>.

Acknowledgments

This document is part of the Mission-Bound Authorization for OAuth 2.0 work and profiles the SCITT architecture to make Mission evidence transparent and independently verifiable.

Author's Address

Karl McGuinness
Independent