JAJoão André Marquesinasqav.hashnode.dev·May 9 · 2 min readOne Receipt, Nine RegulatorsThe IETF Internet-Draft for AI agent Compliance Receipts grew up. What started as a binding to EU AI Act Article 12 is now a bindings table across nine regulatory regimes: EU AI Act, DORA, NYDFS Part 500, Colorado AI Act, Texas TRAIGA, NIST AI RMF, C...00
JAJoão André Marquesinasqav.hashnode.dev·May 4 · 3 min readAn IETF profile for AI agent compliance receiptsWe published an IETF Internet-Draft, draft-marques-asqav-compliance-receipts, that profiles the upstream draft-farley-acta-signed-receipts envelope for EU AI Act and DORA bindings. This post explains what the profile does and why each piece is there....00
JAJoão André Marquesinasqav.hashnode.dev·May 4 · 2 min readVerify is not just true or false, granular outcomes on /verifyUntil last week the public verify endpoint at GET /api/v1/verify/{signature_id} returned a single boolean: {verified: true} or {verified: false}. That works for the buyer's first-glance UX. It does not work for a regulator or a court trying to figure...00
JAJoão André Marquesinasqav.hashnode.dev·May 4 · 2 min readEvery rejection leaves a trail, persistent log of rejected attemptsA rejection is data. Until last week we were throwing it away. If an attacker submitted a forged signature against the public verify endpoint, we returned 404 signature_not_found and that was the entire footprint. Same for a cross-org access attempt ...00
JAJoão André Marquesinasqav.hashnode.dev·May 4 · 2 min readPer-agent hash chain, with a verifier that re-derivesWe hash-chain every signature record so a tamper or a delete is detectable on a later integrity check. The chain has been live for months. It worked. It also had two real problems we did not surface until we did a cold audit against an older trust-da...00