EMILIA in the IETF landscape — a complement, not a competitor.
EMILIA Protocol is the human-authorization-receipt layer. It composes with the accepted standards the ecosystem already runs — it rides inside them, sits beside them, and is logged by them — rather than replacing any of them. The receipt EMILIA produces is the one durable artifact none of these standards emit on their own: portable, offline-verifiable proof that a named human authorized one exact irreversible action.
The three-pillar story
EMILIA is the human-authorization receipt that Step-Up triggers, RATS/EAT sits beside, and SCITT logs.
Step-Up demands a fresh human challenge for a sensitive action, but produces no durable artifact. EMILIA is the offline, verifiable receipt of that step-up — the proof that survives after the challenge passes.
Attestation answers "is this agent’s platform trustworthy / which workload is this." EMILIA answers the orthogonal question: "did a NAMED HUMAN authorize THIS exact irreversible action." Same evidence bundle, different trust root.
A SCITT "Receipt" is a transparency / INCLUSION proof: it proves a statement was logged in an append-only ledger. SCITT is deliberately AGNOSTIC about who authorized anything — that delegated-away question is exactly EMILIA’s payload. An EMILIA authorization receipt rides AS a SCITT Signed Statement; SCITT returns a transparency receipt that it was logged. Defuse the shared word: "authorization receipt" (EMILIA) vs "transparency / inclusion receipt" (SCITT).
Where EMILIA composes today
These are shipped, widely-deployed standards. EMILIA does not compete with any of them; it supplies the human-authorization evidence that sits on top.
| Standard | Status | How EMILIA complements it |
|---|---|---|
| OAuth 2.0 / OIDC — RFC 6749 | Published · ubiquitous | Grants access. EMILIA proves a named human authorized the exact act. |
| Step-Up Authentication — RFC 9470 | Proposed Standard | The trigger. EMILIA is the durable proof that the step-up happened. |
| Rich Authorization Requests (RAR) — RFC 9396 | Proposed Standard | EMILIA signs the human approval of the same authorization_details (RAR = request schema; EMILIA = evidence over it). |
| RATS — RFC 9334 + EAT — RFC 9711 | Published | Machine attestation (platform / workload). EMILIA = human authorization. Orthogonal trust roots, same bundle. |
| HTTP Message Signatures — RFC 9421 | Proposed Standard | EMILIA rides inside a signed request. |
| JWS — RFC 7515 / COSE — RFC 9052 / CWT — RFC 8392 | Published | Interop serializations EMILIA receipts express in. |
| Token Exchange — RFC 8693 | Proposed Standard | Delegates authority between services. EMILIA proves the human authorized the irreversible act at the chain’s end. |
| SPIFFE / SPIRE | CNCF graduated | Agent identity. EMILIA adds who approved what it does. |
| Trusted timestamp — RFC 3161 · Evidence Record Syntax (ERS) — RFC 4998 · JCS — RFC 8785 | Published | RFC 3161 trusted time; RFC 4998 ERS is the lineage for EMILIA’s evidence-record renewal; JCS is EMILIA’s canonical base. |
Where EMILIA positions for what’s standardizing
These efforts are still moving through the IETF. EMILIA tracks them as complements; the relationship is a composition story, not a claim of adoption by those working groups.
| Standard | Status | How EMILIA complements it |
|---|---|---|
| SCITT — architecture + SCRAPI + COSE Receipts | Active drafts | EMILIA authorization receipts ride as SCITT Signed Statements; SCITT logs them and returns transparency receipts. |
| OAuth Transaction Tokens (Txn-Tokens) | Active draft | Short-lived call-chain context. EMILIA is the human-authorization evidence over the irreversible act, not the transport token. |
| WIMSE (Workload Identity in Multi-System Environments) | Active drafts | Workload identity. EMILIA adds the human-authorization layer above the workload trust root. |
| SD-JWT-VC / EUDI | Active drafts | Selective-disclosure credentials. EMILIA receipts can be carried / referenced; the authorization claim is EMILIA’s. |
Interop: one canonical base, three serializations
EMILIA keeps JCS (RFC 8785) as its canonical base and offers receipts as JWS (RFC 7515) for universal web reach and COSE_Sign1 / CWT (RFC 9052 / RFC 8392) CBOR-native form for SCITT interop. The same authorization claim travels across all three — no lock-in to a wire format.
Honest framing. EMILIA is an active individual Internet-Draft, draft-schrock-ep-authorization-receipts, licensed Apache-2.0. It is not an IETF standard and not an endorsement by any working group. The relationships above are complement relationships — how EMILIA composes with these standards — not claims of adoption by the OAuth, RATS, SCITT, WIMSE, or any other WG.