Individual Submission C. R. Pereira Internet-Draft eColabs Desenvolvimento de Pessoas e Organizações LTDA. Intended status: Informational 2 July 2026 Expires: 3 January 2027 LICET: Multi-Modal Physiological Human-Intent Verification for Autonomous AI Agent Authorization draft-pereira-licet-human-intent-01 Abstract Autonomous AI agents executing consequential actions require authorization mechanisms that verify not only identity but voluntary intent. Existing mechanisms verify _who_ authorized an action; they cannot verify _whether the authorizing human was uncoerced and cognitively capable_ at the moment of authorization. This document specifies LICET (Latin: _it is permitted_), a cryptographic middleware protocol binding AI agent authorization to real-time multi-modal physiological state via a three-layer architecture: (1) ECG waveform morphology matching as a medication- resistant identity and liveness anchor; (2) electrodermal activity (EDA) as a sympathetic cholinergic liveness signal immune to beta- adrenergic blockade; and (3) personalized Mahalanobis distance fusion over five physiological signals to elevate the cost of pharmacological coercion attacks rather than claim binary detection. LICET defines a Biometric Trust Level hierarchy (L0-L3) aligned with the IETF RATS architecture (RFC 9334), a baseline calibration protocol establishing individual physiological profiles, per-event HKDF session-key derivation, HMAC biometric temporal signatures, Schnorr zero-knowledge proofs over BN128 enabling third-party audit without biometric exposure, and a SHA-256 hash-chained tamper-evident ledger. A reference implementation is publicly deployed at https://licet.dev/ v1/ and available as open source at https://github.com/christianrp45/ licet-protocol. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Pereira Expires 3 January 2027 [Page 1] Internet-Draft LICET Human Intent Protocol July 2026 Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 3 January 2027. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. The Intent Gap . . . . . . . . . . . . . . . . . . . . . 4 1.2. Motivation . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Relationship to RATS Architecture . . . . . . . . . . . . 5 1.4. Conventions and Definitions . . . . . . . . . . . . . . . 5 2. Three-Layer Architecture . . . . . . . . . . . . . . . . . . 6 2.1. Layer 1: ECG Identity and Liveness Anchor . . . . . . . . 6 2.2. Layer 2: EDA Liveness Signal . . . . . . . . . . . . . . 6 2.3. Layer 3: Mahalanobis Fusion . . . . . . . . . . . . . . . 7 2.4. Pharmacological Attack Detection . . . . . . . . . . . . 8 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 8 4. Biometric Capture . . . . . . . . . . . . . . . . . . . . . . 9 4.1. Biometric Sources . . . . . . . . . . . . . . . . . . . . 9 4.2. Captured Signals . . . . . . . . . . . . . . . . . . . . 10 4.3. Layer Execution . . . . . . . . . . . . . . . . . . . . . 10 4.4. SpO2 Cognitive Impairment Check . . . . . . . . . . . . . 11 5. Intent Hash and Cryptographic Binding . . . . . . . . . . . . 11 5.1. Intent Hash . . . . . . . . . . . . . . . . . . . . . . . 11 5.2. Session Key Derivation . . . . . . . . . . . . . . . . . 11 5.3. Biometric Temporal Signature . . . . . . . . . . . . . . 11 Pereira Expires 3 January 2027 [Page 2] Internet-Draft LICET Human Intent Protocol July 2026 6. Zero-Knowledge Proof . . . . . . . . . . . . . . . . . . . . 12 6.1. Proof Generation . . . . . . . . . . . . . . . . . . . . 12 6.2. Proof Verification . . . . . . . . . . . . . . . . . . . 13 7. Tamper-Evident Ledger . . . . . . . . . . . . . . . . . . . . 13 7.1. Structure . . . . . . . . . . . . . . . . . . . . . . . . 13 7.2. Chaining . . . . . . . . . . . . . . . . . . . . . . . . 13 7.3. Integrity Verification . . . . . . . . . . . . . . . . . 14 8. API Specification . . . . . . . . . . . . . . . . . . . . . . 14 8.1. Authorization Request . . . . . . . . . . . . . . . . . . 14 8.2. Authorization Response . . . . . . . . . . . . . . . . . 14 9. Biometric Trust Levels . . . . . . . . . . . . . . . . . . . 15 9.1. RATS Composite Attester Mapping . . . . . . . . . . . . . 16 10. Baseline Capture Protocol . . . . . . . . . . . . . . . . . . 16 10.1. Baseline Requirements . . . . . . . . . . . . . . . . . 16 10.2. Baseline Data . . . . . . . . . . . . . . . . . . . . . 17 10.3. Baseline Validity . . . . . . . . . . . . . . . . . . . 17 10.4. Baseline Security . . . . . . . . . . . . . . . . . . . 17 11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 11.1. Replay Attack Prevention . . . . . . . . . . . . . . . . 17 11.2. Pharmacological Attack Resistance . . . . . . . . . . . 17 11.3. Consumer Hardware Accuracy . . . . . . . . . . . . . . . 18 11.4. Master Key Compromise . . . . . . . . . . . . . . . . . 18 11.5. Biometric Privacy . . . . . . . . . . . . . . . . . . . 18 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 13. Open Research Problems . . . . . . . . . . . . . . . . . . . 19 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 14.1. Normative References . . . . . . . . . . . . . . . . . . 19 14.2. Informative References . . . . . . . . . . . . . . . . . 20 Appendix A. Protocol Timestamp . . . . . . . . . . . . . . . . . 21 Appendix B. Reference Implementation . . . . . . . . . . . . . . 21 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 22 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 22 1. Introduction Artificial intelligence agents are transitioning from passive tools to autonomous actors capable of executing actions with real, irreversible consequences. A medical AI agent may adjust medication dosages. A financial AI may execute wire transfers. An infrastructure AI may modify power-grid parameters. In each case, the assumed safeguard is human authorization. Pereira Expires 3 January 2027 [Page 3] Internet-Draft LICET Human Intent Protocol July 2026 1.1. The Intent Gap Contemporary authorization primitives are designed to answer one question: _is this person who they claim to be?_ They are silent on a second, equally critical question: _is this person currently in a state that constitutes genuinely free, conscious, and cognitively competent intent?_ The following table contrasts existing mechanisms against the authorization properties required for high-stakes AI agent actions: +=========+========+========+===========+=============+===========+ |Mechanism|Identity|Liveness| Coercion- | Cognitively | Drug- | | | | | free | intact | resistant | +=========+========+========+===========+=============+===========+ |Password | ~ | N | N | N | N | +---------+--------+--------+-----------+-------------+-----------+ |Static | Y | Y | N | N | N | |biometric| | | | | | +---------+--------+--------+-----------+-------------+-----------+ |FIDO2 / | Y | Y | N | N | N | |passkey | | | | | | +---------+--------+--------+-----------+-------------+-----------+ |Digital | Y | N | N | N | N | |signature| | | | | | +---------+--------+--------+-----------+-------------+-----------+ |LICET | Y | Y | Y | Y | Y | +---------+--------+--------+-----------+-------------+-----------+ Table 1 This gap is the _intent gap_ — the absence of a cryptographically verifiable mechanism to attest that a human was genuinely capable of and free to form the intent they expressed. 1.2. Motivation The EU AI Act [EUAIACT] mandates human oversight capability for high- risk AI systems (Articles 9, 12, and 26(5)). Article 9 requires risk management systems. Article 12 requires logging sufficient to assess compliance. Article 26(5) requires deployers to ensure human oversight capability. LICET provides the technical substrate for these operational requirements. Pereira Expires 3 January 2027 [Page 4] Internet-Draft LICET Human Intent Protocol July 2026 1.3. Relationship to RATS Architecture LICET maps onto the IETF RATS architecture (RFC 9334 [RFC9334]). In LICET deployments, the wearable device acts as a Sub-Attester, the mobile application acts as Lead Attester, and the LICET Server acts as Verifier. This Composite Attester topology (RFC 9334 Section 3.1.4) is not fully specified in this document; a separate specification defining the wearable Sub-Attester role and its chain of trust is designated as a future work item (see Section 10). 1.4. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174]. *Authorizer (H):* The human whose physiological state and intent are being verified. *Agent (A):* An autonomous AI system requesting authorization to perform an action. *LICET Server (S):* The server that holds the master secret key and executes the protocol logic. *Auditor (V):* Any third party who may later verify that a valid authorization occurred, without accessing biometric data. *Wearable (W):* A biometric sensing device worn by the Authorizer. *Intent Hash (h):* A cryptographic binding of an action request to a specific moment in time. *Biometric Signature (σ):* An HMAC commitment of biometric state to the intent hash. *Coercion Risk:* A categorical assessment (LOW, MEDIUM, HIGH) of the probability that the Authorizer is under duress. Pereira Expires 3 January 2027 [Page 5] Internet-Draft LICET Human Intent Protocol July 2026 2. Three-Layer Architecture LICET authorization requires evidence from three independent physiological layers. Each layer addresses a distinct attack surface. 2.1. Layer 1: ECG Identity and Liveness Anchor Electrocardiogram (ECG) waveform morphology — specifically QRS complex shape and PR/QT interval ratios — is anatomically determined by cardiac geometry and conduction pathway structure. These features are stable across sessions for the same individual and distinct across individuals. LICET uses ECG morphology as a medication-resistant identity anchor. The cosine similarity between the session ECG feature vector and the enrolled baseline is computed: rho_ECG = cosine_similarity(f(ecg_session), f(ecg_enrolled)) where f() denotes the ECG feature extraction function producing a normalized vector of QRS morphological features. Authorization requires rho_ECG >= theta_ECG (RECOMMENDED: 0.85). *Drug resistance:* Beta-blockers lengthen PR interval but do not alter QRS morphology. No common medication class changes ECG morphology sufficiently to defeat morphology-based matching at this threshold. *Platform support:* Apple Watch Series 4+ via HealthKit HKElectrocardiogram (512 Hz sampling). Other ECG-capable wearables MAY be used if equivalent sampling rate and feature extraction are demonstrated. 2.2. Layer 2: EDA Liveness Signal Electrodermal activity (EDA) — comprising skin conductance level (SCL) and skin conductance responses (SCR) — is mediated by sympathetic cholinergic innervation of eccrine sweat glands. Because the efferent pathway is cholinergic (not adrenergic), EDA is immune to beta-adrenergic blockade [FOWLES1986]. EDA serves as the liveness signal in LICET: the presence of EDA activity confirms a biological subject is present and physiologically active. Authorization requires: Pereira Expires 3 January 2027 [Page 6] Internet-Draft LICET Human Intent Protocol July 2026 z_EDA_SCL = (SCL_session - mu_SCL) / sigma_SCL > theta_EDA where mu_SCL and sigma_SCL are derived from the individual's baseline (Section 9). *Platform support:* WHOOP 5 (continuous EDA); Samsung Galaxy Watch 7 (spot-check mode). EDA is not available on Apple Watch or most consumer wearables. Deployments without EDA-capable hardware operate at reduced liveness assurance (see Section 8). 2.3. Layer 3: Mahalanobis Fusion Layer 3 replaces population-level threshold comparison with a personalized multivariate distance measure. The Mahalanobis distance computes how many standard deviations the current session's signal vector lies from the individual's enrolled calm-state baseline: D_M = sqrt((z - mu_calm)^T * S^{-1} * (z - mu_calm)) where z is the vector of per-signal z-scores: z_i = (x_i - mu_i^B) / sigma_i^B with mu_i^B and sigma_i^B derived from the individual's baseline (Section 9), and S is the covariance matrix of baseline z-scores. The five-signal fusion vector is: z = [z_RMSSD, z_EDA_SCL, z_EDA_SCR, z_TEMP, z_TREMOR] where: * z_RMSSD: RMSSD heart rate variability z-score * z_EDA_SCL: skin conductance level z-score * z_EDA_SCR: skin conductance response rate z-score * z_TEMP: skin temperature delta from resting baseline z-score * z_TREMOR: 8-12 Hz physiological tremor power z-score [LAKIE2019] Authorization requires D_M <= theta_DM (RECOMMENDED: 2.5). Pereira Expires 3 January 2027 [Page 7] Internet-Draft LICET Human Intent Protocol July 2026 *Note on coercion cost elevation:* Layer 3 does not claim to detect coercion with certainty. It elevates the cost of pharmacological attacks by requiring that an adversary simultaneously manipulate five independent physiological signals to remain within the individual's personal baseline distribution. Each additional signal exponentially increases the required pharmacological complexity. 2.4. Pharmacological Attack Detection Three pharmacological attack patterns produce detectable signal combinations in the fused space: Beta-blocker attack (propranolol, metoprolol): DETECTED if: z_TREMOR < -2.0 AND delta_HR_baseline > 15% Note: beta-blockers do NOT suppress RMSSD. Propranolol blocks sympathetic (adrenergic) innervation; RMSSD reflects parasympathetic (vagal) withdrawal under acute stress, which persists under beta- blockade [BRANTIGAN1982]. The tremor suppression signal (z_TREMOR < -2.0) combined with elevated baseline-relative HR is the detection indicator. Anticholinergic attack (atropine, scopolamine): DETECTED if: z_EDA_SCL < -1.5 AND z_RMSSD > +1.0 AND delta_TEMP > 0 This pattern (EDA flat, HRV paradoxically elevated, skin warm) is the pharmacological inverse of the coercion signature and is detectable as a distinct toxidrome. Opioid attack (fentanyl, morphine): DETECTED if: z_RESP < -2.0 AND delta_TEMP > 0 AND z_RMSSD < 0 Detection of any pharmacological attack pattern MUST result in authorization denial with reason code PHARMACOLOGICAL_ANOMALY. 3. Protocol Overview The LICET authorization protocol proceeds as follows: 1. *Request.* Agent A submits an authorization request to LICET Server S specifying: action descriptor (a), agent identifier (id_A), target entity (tgt), and Unix timestamp (ts). Pereira Expires 3 January 2027 [Page 8] Internet-Draft LICET Human Intent Protocol July 2026 2. *Biometric Capture.* Server S instructs Wearable W to capture physiological data over a minimum window t_c of 60 seconds. RMSSD computation requires a minimum of 60 seconds of inter-beat interval data to achieve acceptable statistical reliability. 3. *Three-Layer Evaluation.* Server S evaluates the captured signals according to Sections 3 and 5. If any layer fails, or cognitive impairment is detected, authorization MUST be denied with the appropriate reason code. 4. *Intent Hash Generation.* Server S computes: h = SHA-256(a || id_A || tgt || ts) 5. *Session Key Derivation.* Server S derives a per-event session key using HKDF [RFC5869]: k_s = HKDF-SHA256(k_m, h) where k_m is the master key held by S. 6. *Biometric Signature.* Server S computes: σ = HMAC-SHA256(h || f_HR || s_O2 || v_RMSSD || ts, k_s) 7. *Zero-Knowledge Proof.* Server S generates a Schnorr proof π over BN128 as specified in Section 6. 8. *Ledger Append.* Server S appends an entry to the hash-chained ledger as specified in Section 7. 9. *Authorization Token.* Server S returns to Agent A: intent hash h, biometric signature σ, ZKP proof π, ledger record identifier, and timestamp. 4. Biometric Capture 4.1. Biometric Sources LICET MUST accept biometric input from hardware meeting the trust level requirements defined in Section 8. The minimum capture window is 60 seconds. Supported source types: * ECG: Apple Watch Series 4+ (HealthKit HKElectrocardiogram, 512 Hz) * EDA: WHOOP 5 (continuous); Samsung Galaxy Watch 7 (spot-check) Pereira Expires 3 January 2027 [Page 9] Internet-Draft LICET Human Intent Protocol July 2026 * HR/HRV: Any BLE GATT Heart Rate Profile device (IEEE 11073) * HR/HRV: Android Health Connect API; Apple HealthKit * Direct I2C sensor integration (e.g., MAX30102 for HR/SpO2) * Software simulation (development environments only; trust level L0) 4.2. Captured Signals The following signals MUST be captured where hardware supports them: * *f_HR*: Heart rate (BPM) — required * *v_RMSSD*: RMSSD of RR intervals (ms) — required; minimum 60s window * *s_O2*: Peripheral oxygen saturation (%) — required * *v_EDA_SCL*: Skin conductance level (microsiemens) — required for L2+ * *v_EDA_SCR*: Skin conductance response rate (events/min) — required for L2+ * *v_TEMP*: Skin temperature delta from resting baseline (°C) — RECOMMENDED * *v_TREMOR*: 8-12 Hz accelerometer power (m/s²) — RECOMMENDED * *v_RESP*: Respiratory rate (breaths/min) — RECOMMENDED 4.3. Layer Execution The three layers defined in Section 3 MUST be executed in order: 1. Layer 1 (ECG identity): if rho_ECG < theta_ECG, DENY with IDENTITY_MISMATCH 2. Layer 2 (EDA liveness): if z_EDA_SCL <= theta_EDA, DENY with LIVENESS_FAILED (if EDA hardware unavailable, log LIVENESS_UNVERIFIED and continue at reduced assurance) 3. Pharmacological pattern check (Section 3.4): if any pattern detected, DENY with PHARMACOLOGICAL_ANOMALY Pereira Expires 3 January 2027 [Page 10] Internet-Draft LICET Human Intent Protocol July 2026 4. Layer 3 (Mahalanobis fusion): if D_M > theta_DM, DENY with STATE_ANOMALY 4.4. SpO2 Cognitive Impairment Check I(s_O2) = IMPAIRED if s_O2 < 90%, NORMAL otherwise Authorization MUST be denied if I(s_O2) = IMPAIRED with reason COGNITIVE_IMPAIRMENT. 5. Intent Hash and Cryptographic Binding 5.1. Intent Hash The intent hash uniquely identifies the requested action: h = SHA-256(a || id_A || tgt || ts) where || denotes concatenation, a is the UTF-8 encoded action descriptor, id_A is the UTF-8 encoded agent identifier, tgt is the UTF-8 encoded target entity, and ts is the Unix timestamp encoded as a 64-bit big-endian integer. The intent hash is the cryptographic anchor binding the biometric authorization to a specific action at a specific time. 5.2. Session Key Derivation A per-event session key SHALL be derived using HKDF [RFC5869]: k_s = HKDF(hash=SHA-256, IKM=k_m, info=h, L=32) where k_m is the server master key (minimum 256 bits, generated using a cryptographically secure random number generator) and h is the intent hash. HKDF's extract step MAY use a salt; if omitted, HKDF uses a zero- length salt as defined in [RFC5869] Section 2.2. Session key isolation ensures that compromise of k_s for event i does not expose k_s for any other event j, nor the master key k_m. 5.3. Biometric Temporal Signature σ = HMAC-SHA256(h || f_HR || s_O2 || v_HRV || ts, k_s) The biometric values f_HR, s_O2, v_HRV MUST be encoded as IEEE 754 double-precision (64-bit) big-endian floating-point values. Pereira Expires 3 January 2027 [Page 11] Internet-Draft LICET Human Intent Protocol July 2026 Properties: * *Event-unique:* ts ensures no replay across distinct events. * *Action-bound:* h is embedded; σ is cryptographically invalid for any action other than the one specified in h. * *Non-invertible:* biometric values cannot be recovered from σ without k_s. 6. Zero-Knowledge Proof LICET uses a non-interactive Schnorr proof over the BN128 elliptic curve with the Fiat-Shamir heuristic [FIAT1987]. Let G be the BN128 generator point and q the group order. 6.1. Proof Generation 1. Compute witness: w = SHA-256(σ || h) mod q 2. Compute public key: PK = w · G 3. Sample random nonce: r ← Z_q 4. Compute commitment: R = r · G 5. Compute challenge (Fiat-Shamir): c = SHA-256(R || PK || h) mod q 6. Compute response: s = (r - c · w) mod q The proof is π = (R, c, s, PK). Pereira Expires 3 January 2027 [Page 12] Internet-Draft LICET Human Intent Protocol July 2026 6.2. Proof Verification Given π = (R, c, s, PK) and intent hash h, a verifier V computes: s · G + c · PK =?= R AND verifies: c =?= SHA-256(R || PK || h) mod q If both equalities hold, V is convinced that the prover possessed knowledge of w — and therefore that a valid biometric signature existed for this intent hash — without learning σ, f_HR, s_O2, or v_HRV. 7. Tamper-Evident Ledger 7.1. Structure Every authorization event MUST be appended to a hash-chained ledger. Each entry contains: * Sequential record identifier * Intent hash h * Authorization result (authorized: true/false) * Coercion risk level * Cognitive state * ZKP proof π * Unix timestamp 7.2. Chaining L_0 = SHA-256(entry_0 || "LICET-GENESIS") L_n = SHA-256(entry_n || L_{n-1}), n >= 1 Any retroactive modification to entry i invalidates L_i, L_{i+1}, ..., L_n, making tampering mathematically detectable by any party recomputing the chain. Pereira Expires 3 January 2027 [Page 13] Internet-Draft LICET Human Intent Protocol July 2026 7.3. Integrity Verification Implementations MUST provide a mechanism to verify the full hash chain and return a boolean integrity result. This mechanism MUST be publicly accessible without authentication. 8. API Specification Implementations SHOULD expose the following HTTP endpoints: +========+=========================+==============================+ | Method | Path | Description | +========+=========================+==============================+ | GET | /v1/health | Protocol liveness and mode | +--------+-------------------------+------------------------------+ | POST | /v1/authorize | Full biometric authorization | +--------+-------------------------+------------------------------+ | POST | /v1/biometric/push | Receive wearable data | +--------+-------------------------+------------------------------+ | POST | /v1/authorize/from-push | Authorize from push data | +--------+-------------------------+------------------------------+ | POST | /v1/verify | ZKP verification | +--------+-------------------------+------------------------------+ | GET | /v1/ledger/integrity | Chain integrity check | +--------+-------------------------+------------------------------+ | GET | /v1/ledger/history | Authorization history | +--------+-------------------------+------------------------------+ Table 2 8.1. Authorization Request POST /v1/authorize Content-Type: application/json { "action": string, "agent_id": string, "target": string, "capture_seconds": integer (minimum: 60) } 8.2. Authorization Response Pereira Expires 3 January 2027 [Page 14] Internet-Draft LICET Human Intent Protocol July 2026 { "authorized": boolean, "intent_hash": hex string, "biometric_signature": hex string, "coercion_risk": "LOW" | "MEDIUM" | "HIGH", "cognitive_state": "NORMAL" | "IMPAIRED", "trust_level": "L0" | "L1" | "L2" | "L3", "denial_reason": string | null, "zkp_proof": { "commitment": { "x": string, "y": string }, "challenge": hex string, "response": hex string, "public_key": { "x": string, "y": string } }, "ledger_id": integer, "timestamp": number } 9. Biometric Trust Levels LICET defines four trust levels for wearable evidence, aligned with the IETF RATS architecture (RFC 9334 [RFC9334]): +=======+===============+=========================+================+ | Level | Name | Description | Example | | | | | Hardware | +=======+===============+=========================+================+ | L0 | No | Software simulation; no | Development | | | attestation | hardware binding | only | +-------+---------------+-------------------------+----------------+ | L1 | Platform | App-level attestation; | Consumer BLE + | | | attestation | OS-signed evidence | HealthKit/ | | | | | Health Connect | +-------+---------------+-------------------------+----------------+ | L2 | Hardware | Device-rooted | Pixel Watch 2 | | | attestation | attestation key; third- | + Titan M2 + | | | | party verifiable CA | Android Key | | | | | Attestation | +-------+---------------+-------------------------+----------------+ | L3 | Sensor-to-TEE | Sensor measurement | Not yet | | | direct | attested directly | available in | | | | within TEE | consumer | | | | | hardware | +-------+---------------+-------------------------+----------------+ Table 3 Pereira Expires 3 January 2027 [Page 15] Internet-Draft LICET Human Intent Protocol July 2026 Deployments MUST declare their trust level in the authorization response. Verifiers and Relying Parties MUST NOT treat L0 or L1 physiological evidence as proof of genuine measurement — these levels provide dimensionality and raise attack complexity but do not constitute hardware-rooted attestation. L3 is specified as a future target. A separate specification defining the wearable Sub-Attester role, its signing key establishment procedure, and the chain-of-trust from sensor to Verifier is required before L3 can be normatively specified. 9.1. RATS Composite Attester Mapping In LICET deployments following the RATS Composite Attester topology (RFC 9334 Section 3.1.4): * *Sub-Attester*: Wearable device (physiological signal source) * *Lead Attester*: Mobile application (Evidence aggregator) * *Verifier*: LICET Server * *Endorser*: Hardware manufacturer (for L2: device attestation CA) * *Relying Party*: AI agent or authorization system This topology is informative only. Normative specification of the Composite Attester profile for physiological wearable Attesters is future work. 10. Baseline Capture Protocol The Mahalanobis distance computation (Section 3.3) requires an individual physiological baseline. Implementations MUST collect baseline data before enabling Layer 3 authorization. 10.1. Baseline Requirements * Minimum 5 sessions * Minimum 3 minutes per session * Sessions collected in calm resting state (no acute stress, no exercise within 30 minutes, no stimulant intake within 2 hours) * Sessions distributed across at least 3 calendar days Pereira Expires 3 January 2027 [Page 16] Internet-Draft LICET Human Intent Protocol July 2026 10.2. Baseline Data For each session, compute and store: * Per-signal mean (mu_i^B) and standard deviation (sigma_i^B) for all captured signals * Covariance matrix S of z-scores across sessions * Session timestamp and declared collection conditions 10.3. Baseline Validity Baselines expire after 30 days. Implementations MUST require re- calibration after expiry. Pre-medication anomaly detection: if resting HR deviates more than 15% from baseline mean, or EDA SCL is below 50% of baseline mean, the implementation SHOULD flag BASELINE_ANOMALY and require manual confirmation before accepting the authorization. 10.4. Baseline Security Baseline data MUST be stored with integrity protection (e.g., HMAC under a key separate from k_m). Baseline tampering MUST be treated as a security event. The baseline is self-asserted by the Authorizer and MUST NOT be treated as a trusted Reference Value in the RATS sense — it is corroborative, not authoritative. 11. Security Considerations 11.1. Replay Attack Prevention Each authorization event produces a unique intent hash h binding the action, agent identifier, target, and timestamp. An authorization token for action a at time ts is cryptographically invalid for any other action or time. Implementations MUST reject authorization requests with timestamps outside a configurable window (RECOMMENDED: 60 seconds). 11.2. Pharmacological Attack Resistance LICET employs three mechanisms to raise the cost of pharmacological attacks: Pereira Expires 3 January 2027 [Page 17] Internet-Draft LICET Human Intent Protocol July 2026 1. *ECG morphology anchor (Layer 1):* No common medication class alters ECG QRS morphology sufficiently to defeat morphology-based identity matching. This layer is medication-resistant by anatomical constraint. 2. *EDA liveness (Layer 2):* EDA is mediated by sympathetic cholinergic (not adrenergic) innervation. Beta-adrenergic blockers (propranolol, metoprolol, atenolol) do not suppress EDA [FOWLES1986]. 3. *Mahalanobis fusion (Layer 3):* Personalized distance over five signals requires simultaneous manipulation of five independent physiological dimensions. Beta-blockers suppress tremor (detectable as z_TREMOR < -2.0) but do not suppress RMSSD — parasympathetic vagal withdrawal under acute stress persists under beta-blockade [BRANTIGAN1982]. Anticholinergic agents suppress EDA but produce an inverted toxidrome (elevated HRV, warm skin) detectable as a distinct pattern. No currently known pharmacological combination simultaneously defeats all five signals while remaining hemodynamically compatible with cognitive function. LICET does not claim to make coercion impossible. It elevates the cost and complexity of coercion attacks to a level that raises the probability of detection through other channels (behavioral anomaly, medical supervision, witness observation). 11.3. Consumer Hardware Accuracy Wrist-based photoplethysmography (PPG) provides HR and SpO2 estimates adequate for the detection thresholds defined in this document. Clinical deployments SHOULD require medically certified sensor hardware. 11.4. Master Key Compromise Compromise of the master key k_m exposes all session keys computable from it. Implementations MUST protect k_m using hardware security modules or equivalent mechanisms. Key rotation procedures MUST be defined by the deployment. 11.5. Biometric Privacy Raw biometric values MUST NOT be stored in the ledger. The ZKP mechanism defined in Section 6 ensures that auditors can verify authorization validity without accessing biometric data, satisfying the data minimization principle of privacy regulations including [LGPD] and GDPR. Pereira Expires 3 January 2027 [Page 18] Internet-Draft LICET Human Intent Protocol July 2026 12. IANA Considerations This document has no IANA actions at this time. Future versions of this protocol may request registration of: * A media type for LICET authorization tokens * An OAuth 2.0 token type for LICET tokens [RFC7519] * A well-known URI for LICET discovery 13. Open Research Problems The following problems are identified for future specification: 1. *L3 wearable attestation:* Specification of a sensor-to-TEE direct attestation mechanism for consumer wearable devices. Requires hardware vendor cooperation for signing key establishment and CA infrastructure. 2. *RATS Composite Attester profile:* Normative definition of the wearable Sub-Attester role, Evidence format, and Endorser requirements for physiological Attesters in the RATS architecture (RFC 9334). 3. *ECG feature extraction standardization:* Standardization of the feature vector f(ecg) to enable interoperability across wearable platforms. 4. *Baseline federation:* Secure transfer of baseline profiles across devices and deployments while preserving the self-asserted (non-trusted) nature of baseline data. 5. *EDA hardware coverage:* Extension of Layer 2 to hardware platforms beyond WHOOP 5 and Samsung Galaxy Watch 7, or definition of an equivalent liveness signal achievable on PPG- only hardware. 14. References 14.1. Normative References [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . Pereira Expires 3 January 2027 [Page 19] Internet-Draft LICET Human Intent Protocol July 2026 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 14.2. Informative References [BRANTIGAN1982] Brantigan, C. O., "Effect of beta blockade and beta stimulation on stage fright", Am J Med 72(1):88-94, 1982. [EUAIACT] European Parliament, "Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act)", 2024. [FIAT1987] Fiat, A. and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", CRYPTO '86 LNCS vol. 263, pp. 186-194, 1987. [FOWLES1986] Fowles, D. C., "The eccrine system and electrodermal activity", Psychophysiology Handbook of Psychophysiology, pp. 51-96, 1986. [LAKIE2019] Lakie, M., "Physiological tremor", J Neurol Neurosurg Psychiatry 57(Suppl):56-60, 1994. [LGPD] Brazil, "Lei Geral de Proteção de Dados Pessoais (Lei 13.709/2018)", 2018. [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, . [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . Pereira Expires 3 January 2027 [Page 20] Internet-Draft LICET Human Intent Protocol July 2026 [RFC8610] IETF, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", 2019. [RFC9334] IETF, "Remote ATtestation procedureS (RATS) Architecture", 2023. [SSRN7018458] Pereira, C. R., "LICET: A Biometric Intent Authorization Protocol for Autonomous AI Agents", 29 June 2026, . [THAYER2012] Thayer, J. F., "A meta-analysis of heart rate variability and neuroimaging studies", Neuroscience & Biobehavioral Reviews 36(2):747-756, 2012. [WESAD2018] Schmidt, P., "Introducing WESAD, a Multimodal Dataset for Wearable Stress and Affect Detection", ACM ICMI 2018 Proceedings of the 20th ACM International Conference on Multimodal Interaction, 2018. Appendix A. Protocol Timestamp The LICET protocol was first documented and registered on the Bitcoin blockchain via OpenTimestamps on February 25, 2026. The SHA-256 hash of the original protocol document is publicly archived as a tamper- evident timestamp predating this Internet-Draft. Appendix B. Reference Implementation A reference implementation of this protocol is publicly available: * *Live API:* https://licet.dev/v1/ * *Source code:* https://github.com/christianrp45/licet-protocol * *Preprint:* https://papers.ssrn.com/sol3/ papers.cfm?abstract_id=7018458 Pereira Expires 3 January 2027 [Page 21] Internet-Draft LICET Human Intent Protocol July 2026 Acknowledgments The author thanks the open-source communities behind FastAPI, py_ecc, and OpenTimestamps. Protocol design was informed by prior work on coercion-resistant authentication, affective computing, and blockchain-based audit trails. The author thanks David Condrey (Linux Foundation) for technical review identifying the attestation chain gap and the need for a separate wearable Attester specification. Author's Address Christian Rodrigues Pereira eColabs Desenvolvimento de Pessoas e Organizações LTDA. Brazil Email: contato@ecolabs.com.br URI: https://licet.dev Pereira Expires 3 January 2027 [Page 22]