



Network Working Group                                        B. W. Beyer
Internet-Draft                                               Independent
Intended status: Informational                              1 April 2026
Expires: 3 October 2026


      Agentic Identity and Provenance over Avian Carriers (AIPAC)
              draft-beyer-agent-identity-avian-carriers-00

Abstract

   This document specifies a method for establishing cryptographic
   identity and provenance attestation for agentic AI systems operating
   over Avian Carriers (AC).  As large language models increasingly
   delegate sub-tasks to other models via pigeon, questions of
   authorship, intent, and hallucination propagation across feather-
   based transport layers demand urgent standardization.

   This document extends the delegation chain model and provenance
   structure of draft-beyer-agent-identity-architecture-00 to the
   specific constraints of feather-based transport layers, and extends
   RFC 1149, RFC 2549, and RFC 6214 to address agent identity.  It is an
   April 1 publication.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 3 October 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.






Beyer                    Expires 3 October 2026                 [Page 1]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The Agentic Carrier Attachment Protocol (ACAP)  . . . . . . .   3
     3.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Token Generation  . . . . . . . . . . . . . . . . . . . .   4
     3.3.  Physical Attachment . . . . . . . . . . . . . . . . . . .   4
   4.  Provenance Token Format . . . . . . . . . . . . . . . . . . .   4
   5.  Hallucination Propagation . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
     6.1.  Adversarial Carriers  . . . . . . . . . . . . . . . . . .   5
     6.2.  Man-in-the-Middle Hawks . . . . . . . . . . . . . . . . .   6
     6.3.  Replay Attacks  . . . . . . . . . . . . . . . . . . . . .   6
     6.4.  Infinite Delegation Loops . . . . . . . . . . . . . . . .   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   9.  Informative References  . . . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   RFC 1149 [RFC1149] established the foundational framework for the
   transmission of IP datagrams over avian carriers.  RFC 2549 [RFC2549]
   extended this work with Quality of Service provisions, and RFC 6214
   [RFC6214] adapted the protocol for IPv6.

   In the intervening years, a new class of network participant has
   emerged: the autonomous AI agent.  These systems decompose complex
   tasks, delegate sub-tasks to other agents, and synthesize results
   across potentially long chains of inference.  [BEYER-ARCH] defines an
   architectural model for human-anchored agent identity, introducing a
   human identity root, explicit delegation semantics, and a provenance
   structure for accountable agent ecosystems across existing transport
   mechanisms.

   It has not escaped the attention of the author that avian carriers
   remain the only transport medium for which the RFC series has
   provided comprehensive Quality of Service guidance while leaving
   identity and provenance entirely unaddressed.  This document extends
   the delegation chain model and provenance structure of [BEYER-ARCH]
   to the specific constraints of feather-based transport layers.



Beyer                    Expires 3 October 2026                 [Page 2]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


   This document corrects that oversight.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   Additional terminology specific to this document:

   Agent:  An autonomous AI system capable of receiving instructions,
      decomposing tasks, and delegating to other agents.  An agent MUST
      NOT be confused with its carrier.

   Carrier:  A bird.  The carrier is not an agent.  The carrier has not
      agreed to any terms of service.  The carrier SHOULD be treated
      with respect.

   Provenance Token:  A cryptographically signed attestation of an
      agent's identity, model version, system prompt hash, and emotional
      state at time of dispatch.  Implements the delegation chain
      structure defined in Section 3 of [BEYER-ARCH].

   Leg Band:  The physical medium by which a Provenance Token is
      attached to the Carrier.  Leg bands MUST be of sufficient diameter
      to accommodate the token without impeding flight.

   Hallucination:  A confident assertion by an agent that is not
      grounded in fact.  See Section 5 for important guidance on the
      directionality of this phenomenon.

   Fork Bomb:  What happens when an agent delegates to itself.  Not
      relevant to avian transport but worth mentioning.

3.  The Agentic Carrier Attachment Protocol (ACAP)

3.1.  Overview

   Prior to dispatch, a sending agent MUST generate a Provenance Token
   and attach it to the Carrier's leg band.  The token encodes the full
   delegation chain, including the identities of all upstream agents
   that contributed to the instruction being transmitted.

   The receiving agent MUST verify the token upon arrival of the
   Carrier.  A token that cannot be verified SHOULD be treated as
   suspicious.  The Carrier itself is presumed innocent.





Beyer                    Expires 3 October 2026                 [Page 3]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


3.2.  Token Generation

   The Provenance Token is a JSON Web Token (JWT) [RFC7519] encoded on
   archival-grade rice paper and secured with a cryptographic signature
   using Ed25519 [RFC8032].  The token implements the delegation chain
   structure defined in Section 3 of [BEYER-ARCH].

   The token payload MUST include the following fields:

   iss (Issuer):  The identity of the sending agent, expressed as a
      model name and version string.

   iat (Issued At):  The Unix timestamp of dispatch.

   chain (Delegation Chain):  An ordered array of all agents in the
      delegation chain from origin to sender, corresponding to the
      delegation chain model defined in [BEYER-ARCH].  Each entry
      represents one delegation step.

   hash (Prompt Hash):  A SHA-256 hash of the system prompt in effect at
      time of dispatch.  This field exists so that disputes about what
      an agent was instructed to do can be resolved after the fact,
      assuming the paper survives transit.

   mood (Emotional State):  OPTIONAL.  As established by RFC 5841
      [RFC5841], TCP packets may carry mood indicators.  Agents
      dispatching via avian carrier MAY include a mood field.
      Acceptable values are "confident", "uncertain", "caffeinated", and
      "existential".

3.3.  Physical Attachment

   The token MUST be rolled tightly and inserted into a waterproof
   capsule.  The capsule MUST be attached to the right leg of the
   Carrier.  The left leg is reserved for legacy IP datagrams per RFC
   1149 [RFC1149].

   In the event that both legs are occupied, the operator MUST acquire
   an additional Carrier.  Operators SHOULD maintain a flock.

4.  Provenance Token Format

   The Provenance Token implements the delegation chain structure
   defined in Section 3 of [BEYER-ARCH], serialized as a JWT [RFC7519]
   on archival-grade rice paper.  The following is a non-normative
   example of a Provenance Token payload:





Beyer                    Expires 3 October 2026                 [Page 4]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


   {
     "iss":   "gpt-like-model-v4",
     "iat":   1743465600,
     "chain": [
                "user-human-brandon",
                "orchestrator-agent-v2",
                "research-subagent-v1",
                "gpt-like-model-v4"
              ],
     "hash":  "e3b0c44298fc1c149afb...truncated",
     "mood":  "caffeinated"
   }

                 Figure 1: Example Provenance Token Payload

   Implementations MUST NOT include the model's training data in the
   token.  This would make the capsule unreasonably heavy and is
   considered an antipattern.

5.  Hallucination Propagation

   For the avoidance of doubt: birds do not hallucinate.  They perceive
   ultraviolet light, navigate by magnetic fields, and have been
   delivering messages reliably since before the invention of the
   transistor.  Any errors introduced during avian transit are
   attributable to the message, not the medium.

   Agents that receive a message via avian carrier and find it
   implausible are advised to consider that the implausibility may
   originate from their own context window rather than from the Carrier.

   The author notes that no avian carrier has ever confidently asserted
   a false legal citation.

      |  Note: Hallucination propagation refers to those of the senders
      |  and/or receivers of the messages, and should be assumed to not
      |  affect the carriers, as this would be an unsuitable medium.

6.  Security Considerations

6.1.  Adversarial Carriers

   Operators MUST be aware that Carriers may be intercepted, observed,
   or recruited by adversarial parties.  A Carrier that arrives
   unusually late, appears disoriented, or exhibits signs of having been
   briefed by a competing orchestration framework SHOULD be treated with
   suspicion.




Beyer                    Expires 3 October 2026                 [Page 5]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


   Message contents MUST be encrypted.  Adversaries with access to
   breadcrumbs have demonstrated an ability to incentivize disclosure.

6.2.  Man-in-the-Middle Hawks

   The threat model MUST account for raptors.  A hawk intercepting an
   avian carrier constitutes a man-in-the-middle attack of the most
   literal kind.  Operators in regions with high raptor density SHOULD
   implement carrier authentication via trained recognition patterns.

   Note: decoy carriers bearing unsigned tokens are a valid mitigation
   strategy but raise ethical concerns outside the scope of this
   document.

6.3.  Replay Attacks

   A Carrier that has been dispatched, intercepted, redirected, and re-
   released with a modified payload represents a replay attack.  The iat
   field in the Provenance Token provides limited protection against
   this scenario, assuming the attacker has not also modified the
   timestamp, which they probably have.

6.4.  Infinite Delegation Loops

   An agent MUST NOT instruct a Carrier to deliver a message to a
   receiving agent that will immediately instruct a different Carrier to
   return an instruction to the original agent.  This is the avian
   equivalent of a fork bomb and is considered unsociable behavior.

   Flock capacity is finite.

7.  IANA Considerations

   This document requests that IANA establish the Avian Identity
   Registry (AIR), a new registry mapping cryptographic agent
   identifiers to their corresponding model names, version strings, and
   known hallucination rates.

   IANA is further requested to allocate a new Well-Known Leg Band
   Identifier namespace, distinct from the existing IP datagram leg band
   namespace established in RFC 1149 [RFC1149], to prevent confusion
   when both a datagram and an agent provenance token must be attached
   simultaneously.

   Finally, IANA is requested to designate a point of contact for
   reports of Carriers arriving with corrupted, unsigned, or
   suspiciously confident tokens.  The author suggests this contact be
   reachable by pigeon, for obvious reasons.



Beyer                    Expires 3 October 2026                 [Page 6]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


8.  Normative References

   [BEYER-PS] Beyer, B.W., "Problem Statement for Human-Anchored Agent
              Identity, Delegation, and Provenance", Work in Progress,
              Internet-Draft, draft-beyer-agent-identity-problem-
              statement-00, March 2026,
              <https://datatracker.ietf.org/doc/html/draft-beyer-agent-
              identity-problem-statement-00>.

   [BEYER-ARCH]
              Beyer, B.W., "Architecture for Human-Anchored Agent
              Identity, Delegation, and Provenance", Work in Progress,
              Internet-Draft, draft-beyer-agent-identity-architecture-
              00, March 2026, <https://datatracker.ietf.org/doc/html/
              draft-beyer-agent-identity-architecture-00>.

   [RFC1149]  Waitzman, D., "Standard for the Transmission of IP
              Datagrams on Avian Carriers", RFC 1149, April 1990,
              <https://www.rfc-editor.org/rfc/rfc1149>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC2549]  Waitzman, D., "IP over Avian Carriers with Quality of
              Service", RFC 2549, April 1999,
              <https://www.rfc-editor.org/rfc/rfc2549>.

   [RFC5841]  Hay, R. and W. Turkal, "TCP Option to Denote Packet Mood",
              RFC 5841, April 2010,
              <https://www.rfc-editor.org/rfc/rfc5841>.

   [RFC6214]  Carpenter, B. and R. Hinden, "Adaptation of RFC 1149 for
              IPv6", RFC 6214, April 2011,
              <https://www.rfc-editor.org/rfc/rfc6214>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7519>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032, January 2017,
              <https://www.rfc-editor.org/rfc/rfc8032>.

9.  Informative References






Beyer                    Expires 3 October 2026                 [Page 7]

Internet-Draft     Agent Identity over Avian Carriers         April 2026


   [PIGEONS]  Skinner, B.F., "The Behavior of Organisms", Appleton-
              Century-Crofts. The author notes that Skinner's pigeons
              were not agentic in the modern sense, though the
              distinction is debated., 1938.

   [CERF]     Cerf, V., "I Remember IANA", Cited here because the author
              feels it deserves to be cited whenever possible.,
              RFC 2468, October 1998,
              <https://www.rfc-editor.org/rfc/rfc2468>.

Author's Address

   Brandon Wesley Beyer
   Independent
   Email: brandnbyr@icloud.com




































Beyer                    Expires 3 October 2026                 [Page 8]
