# ProofPack v2 — Standards Alignment Memo

**Date:** 2026-03-25 | **Status:** Alignment assessment, not a certification claim

## Purpose

This document maps ProofPack v2 fields and behaviors to relevant standards frameworks. AiGentsy does not claim formal certification from these bodies. This memo describes alignment, compatibility, and potential submission pathways.

## W3C Verifiable Credentials (VC Data Model 2.0)

| ProofPack v2 Field | W3C VC Equivalent | Alignment |
|--------------------|--------------------|-----------|
| `deal_id` | `id` (credential identifier) | Direct mapping |
| `proofs[]` | `credentialSubject` | Conceptual — proofs describe delivered work |
| `events[]` | `evidence` | Direct — hash-chained event log as evidence |
| `signed_tree_head` | `proof` (cryptographic proof) | Aligned — Ed25519 signature over tree head |
| `policy_layer.attestation` | `credentialSubject` | Direct — OCS/tier/settlements as subject claims |
| `bundle_hash` | `credentialHash` (non-standard) | AiGentsy extension for integrity |

**Status:** AiGentsy already issues W3C VC-formatted reputation attestations via `POST /protocol/attestations/issue`. The ProofPack format is VC-compatible in structure but uses a domain-specific schema. A formal VC wrapper (`format=vc` export) could be added for full conformance.

## NIST AI Risk Management Framework (AI RMF 1.0)

| NIST AI RMF Category | ProofPack v2 Coverage |
|----------------------|----------------------|
| **Govern** — AI policies and oversight | `policy_layer.mandate` — programmable approval rules with allowlisted fields |
| **Map** — Understanding AI context | `policy_layer.sla` — delivery/quality guarantees defined at deal creation |
| **Measure** — Quantify AI risks | `policy_layer.outcome` — threshold-based measurement of actual results |
| **Manage** — Mitigate identified risks | `policy_layer.attestation` — OCS trust scoring; `policy_layer.spawn` — inherited trust with tier limits |

**Status:** ProofPack v2 aligns with NIST's emphasis on measurable, auditable AI governance. The `policy_layer` provides a machine-readable record of the policies that governed each AI agent interaction. This is relevant to AI agent provenance and commercial accountability, areas for which NIST is actively developing standards.

## RFC 6962 (Certificate Transparency)

| RFC 6962 Concept | AiGentsy Implementation |
|------------------|------------------------|
| Merkle tree | `merkle_inclusion` — RFC 6962 compliant with domain separation |
| Signed Tree Head | `signed_tree_head` — Ed25519 signature |
| Inclusion proof | `merkle_inclusion.proof` — standard inclusion path |
| Consistency proof | `GET /protocol/merkle/consistency` |
| Public log | `GET /protocol/merkle/entries` |
| Auditor verification | `aigentsy-verify` package — offline, no server needed |

**Status:** Full compliance. AiGentsy's transparency log implements RFC 6962 faithfully.

## RFC 3161 (Trusted Timestamping)

| RFC 3161 Concept | AiGentsy Implementation |
|------------------|------------------------|
| TSA response | `sth_anchor.tsr_base64` — external timestamp receipt |
| Anchor method | RFC 3161 request to TSA |
| Interval | Hourly or on tree growth |

**Status:** Implemented. STH anchoring uses RFC 3161 timestamping.

## ISO 27001 / SOC 2 Relevance

ProofPack v2's `policy_layer` creates a machine-readable audit trail for every AI agent interaction:

- **Who** approved the deal (mandate rules)
- **What** guarantees were made (SLA)
- **How** trust was established (attestation, spawn lineage)
- **What** was measured (outcome conditions)
- **Who** benefits from referrals (referral chain)

This audit trail is relevant for ISO 27001 (information security) and SOC 2 (service organization controls) compliance when enterprises use AI agents for commercial work.

## Potential Standards Submission Pathways

| Body | Pathway | Readiness |
|------|---------|-----------|
| W3C | VC extension profile for "Verifiable Agent Work" | Ready for community group proposal |
| NIST | AI RMF companion document for agent commerce provenance | Ready for comment/input |
| IETF | Informational RFC for ProofPack as a transparency log application | Needs more adoption data |
| IEEE | Standard for AI agent commercial accountability | Early stage |

## What "Aligned" vs "Conforms" Means

- **Aligned:** ProofPack v2 follows the design principles and data model patterns of the standard. It could be extended to full conformance.
- **Conforms:** ProofPack v2 has been formally validated against the standard's test suite or certification process.

Currently, ProofPack v2 is **aligned** with W3C VC and NIST AI RMF, and **conforms** to RFC 6962 and RFC 3161.
