| Internet-Draft | V-GAP | March 2026 |
| Krishnan, et al. | Expires 14 September 2026 | [Page] |
Modern cloud and distributed computing rely heavily on software-only identities and bearer tokens that are easily stolen, replayed, or used from unauthorized locations. Furthermore, traditional methods of location verification — such as IP-address-based geolocation — are easily spoofed via VPNs or proxies and significantly compromise infrastructure security and privacy for sovereign workloads and high-assurance environments.¶
This document defines the Verifiable Geofencing Attestation Profile (V-GAP), a profile of the RATS Architecture {{!RFC9334}}, that solves these challenges through hardware-rooted cryptographic verifiability. A host machine runs a Workload Identity Agent for managing the workload identities on that platform. This profile replaces implicit trust and spoofable indicators with cryptographically verifiable hardware-rooted Evidence of integrity and location for this agent. Critically, this framework prioritizes location privacy by utilizing Zero-Knowledge Proofs (ZKPs), allowing a workload to prove it is within a compliant zone without disclosing precise coordinates.¶
By binding software identities to persistent silicon identities and verified physical residency, V-GAP establishes a silicon-to-workload chain of trust. It ensures that sensitive operations are only performed by authorized workloads running on untampered hardware in cryptographically verified, privacy-preserving geographic boundaries, fulfilling the high-assurance requirements of the WIMSE Architecture {{!I-D.ietf-wimse-architecture}}.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Operators of sovereign and high-assurance workloads need cryptographic assurance that sensitive computation occurs only on approved hardware within approved geographic boundaries. Traditional methods — IP-based geolocation, region labels, bearer tokens — are easily spoofed, stolen, or replayed and provide no hardware-rooted verifiability. Key gaps include:¶
This document defines the Verifiable Geofencing Attestation Profile (V-GAP), a profile of the RATS Architecture {{!RFC9334}} that makes platform integrity and geofence residency verifiable inputs to workload credential issuance. V-GAP enables a Relying Party (or credential issuer) to require Evidence that:¶
To maintain location privacy while providing cryptographic verifiability, V-GAP supports Transparent Zero-Knowledge Proofs (ZKPs) — non-interactive, hash-based proofs that allow a platform to demonstrate "in-zone" residency without disclosing exact coordinates and without requiring a trusted setup.¶
V-GAP covers platform integrity verification (Layer 2) and residency verification (Layer 3). It assumes that the binding of individual workloads to the local Workload Identity Agent (Layer 1) is established by a co-location mechanism such as {{!I-D.mw-wimse-transitive-attestation}}. Together, these three layers form a complete chain of trust from silicon to workload, as required by the WIMSE Architecture {{!I-D.ietf-wimse-architecture}}.¶
| Layer | Scope | Responsibility |
|---|---|---|
| Layer 1 | {{!I-D.mw-wimse-transitive-attestation}} | Bind workload to a local Workload Identity Agent (co-location). |
| Layer 2 | This document | Verify platform integrity for the Workload Identity Agent (platform Evidence). |
| Layer 3 | This document | Verify platform residency within an approved boundary (location Evidence). |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 {{!RFC2119}} {{!RFC8174}} when, and only when, they appear in all capitals, as shown here.¶
nonce field in the lah-bundle.¶
This profile supports attested data residency and geofencing for workloads and (optionally) users. Common use cases fall into: server-centric enforcement, user-centric enforcement, and compliance and risk reduction.¶
Enterprises need cryptographic proof that workloads run only on approved hosts within an approved geographic boundary, and that data flows only between approved boundaries.¶
Workload-to-workload (general): Relying parties accept workload identities only when the issuing host attests platform integrity and "in-zone" residency, preventing credentials from being used outside the approved boundary.¶
Agentic AI workloads: An AI agent may access sensitive data or perform sensitive actions only when its Workload Identity Agent presents hardware-rooted integrity evidence and a verifiable "in-zone" proof (optionally privacy-preserving), binding identity to both platform state and residency.¶
Federated / edge AI (key or model release): High-value artifacts (e.g., decryption keys or model weights in federated learning) are released only when the partner/edge host attests it is integral and resident within the required boundary. This is useful for intermittently connected sites.¶
User-to-server: Clients validate that the server endpoint is operating within an approved boundary (e.g., by policy tied to the server's attested identity and residency evidence).¶
Enterprises may also need trustworthy location signals for user-facing access decisions.¶
Geofenced access control: User access is permitted only when the user (or user device) proves it is within an allowed boundary, ideally without requiring precise location disclosure.¶
On-premises boundaries: Customer-premises equipment can define an enterprise boundary, with a network or enterprise infrastructure providing supporting evidence for policy enforcement.¶
Restricted support geographies: Administrative or support actions can be allowed only when the operator proves presence within allowed geographies, reducing policy and insider-risk exposure.¶
Geofence attestation provides audit-ready evidence to support data residency and sovereignty controls, and it can also reduce non-compliance risk from misconfiguration or spoofable signals. Even when not mandated, "in-zone" proofs help address: configuration drift, edge relocation/proxying, contractual residency requirements, and location-privacy minimization (proving "inside the zone" without storing coordinates).¶
V-GAP is a profile of the RATS Architecture {{!RFC9334}} that binds a Workload Identity Agent to (1) hardware-rooted platform integrity and (2) verified residency within a configured geofence. The Attester (Location Anchor Host) produces a V-GAP Evidence structure (lah-bundle) that the Verifier (Host Identity Management Plane) appraises to produce an Attestation Result.¶
V-GAP instantiates the RATS Architecture {{!RFC9334}} with the following role assignments.¶
| RATS Role ({{!RFC9334}}) | V-GAP Entity | Function |
|---|---|---|
| Attester | Location Anchor Host (LAH) | Produces V-GAP Evidence (the lah-bundle), including TPM quotes and geolocation claims. |
| Verifier | Host Identity Management Plane | Appraises V-GAP Evidence — validates TPM quotes, checks PCRs, verifies geolocation proofs — and produces an Attestation Result. |
| Endorser | Mobile Network Operator (MNO) | Provides a location Endorsement (mno-endorsement) attesting device location within carrier visibility. |
| Relying Party + Credential Issuer | Workload Identity Management Plane | Consumes the Attestation Result and decides whether to issue or renew workload credentials (e.g., X.509-SVIDs). Also acts as the CA that signs the credential. |
| Downstream Relying Party (note 1) | mTLS peer / service consumer | Consumes the workload credential containing the V-GAP extension; trusts the CA signature as proxy for verified integrity and residency. |
Note 1: "Downstream Relying Party" is not a role defined by {{!RFC9334}}. It is used here to distinguish the entity that consumes the issued credential from the Relying Party that consumes the Attestation Result.¶
The V-GAP evidence flow follows the RATS background-check model ({{!RFC9334}}, Section 3.2): the Attester conveys Evidence to the Verifier, the Verifier appraises it and conveys the Attestation Result to the Relying Party.¶
Attester (LAH)
|
| V-GAP Evidence (lah-bundle)
v
Verifier (Host Identity Mgmt Plane) <--- Endorsement (MNO)
|
| Attestation Result
v
Relying Party + Credential Issuer (Workload Identity Mgmt Plane)
|
| X.509-SVID with V-GAP extension
v
Downstream Relying Party (mTLS peer)
¶
The Relying Party in V-GAP also acts as a Credential Issuer (CA): it materializes the Attestation Result into an X.509 workload identity credential (for example, a SPIFFE SVID) containing the V-GAP Evidence as a CRITICAL extension. This "trust translator" pattern allows downstream consumers to rely on standard X.509/mTLS verification without needing to understand RATS or V-GAP directly.¶
Implementations of this profile MUST mark the X.509 extension containing the V-GAP Evidence Bundle as CRITICAL. When marked CRITICAL, any downstream Relying Party that does not understand the extension MUST reject the credential, enforcing fail-closed behavior for residency-constrained workloads.¶
The lah-bundle is the RATS Evidence structure defined by this profile. It is a hardware-sealed object embedded as an X.509 extension (OID 1.3.6.1.4.1.65284.1.1) in the workload identity credential (for example, a SPIFFE SVID). It binds a workload identity to physically verifiable claims — TPM hardware identity, privacy-preserving geolocation, and agent binary integrity — without exposing PII.¶
{
"lah-bundle": { },
"mno-endorsement": { },
"workload": { }
}
¶
| Field | Type | Required | Description |
|---|---|---|---|
tpm-ak
|
string (Base64URL) | Yes | TPM Attestation Key public key (PEM-encoded). Hardware identity anchor. The TPM enforces that only this key can produce tpm-quote-seal — proving co-residency. |
geolocation-id-hash
|
string (Base64URL) | Yes | SHA-256 over tpm-ak-bytes concatenated with any sensor-specific identifiers (see Sensor Type Input Recipes appendix for per-sensor constructions). Binds the TPM identity anchor to the geolocation sensor identity. Sensor integrity is assumed to be established by the host management plane via an out-of-band channel. |
geolocation-proof-hash
|
string (Base64URL) | Yes | SHA-256 commitment over geolocation-payload. Required in both privacy modes. When privacy-technique=zkp: SHA-256(zkp-proof-bytes). When privacy-technique=none: SHA-256(JCS({lat, lon, accuracy})). |
privacy-technique
|
string enum | Yes |
"none" = raw lat/lon/accuracy in payload. "zkp" = zero-knowledge proof URI in payload. Controls location privacy only; device identity privacy is always protected via geolocation-id-hash. |
geolocation-payload
|
object | Yes | Inner location data. Structure depends on privacy-technique (see Payload Variants below). Committed to by geolocation-proof-hash and optionally signed by mno-endorsement.mno-sig. |
nonce
|
string (Base64URL) | Yes | Freshness nonce (N_fusion) issued by the Relying Party (Workload Identity Management Plane) for each attestation interval. Implementations may use chained nonce constructions for additional audit guarantees (see Nonce Chain and Merkle Audit Log appendix). |
timestamp
|
integer (int64) | Yes | Unix epoch seconds. Set by the Attester (LAH) at bundle construction time. |
tpm-quote-seal
|
string (Base64URL) | Yes |
TPM2_Quote produced by the AK in tpm-ak. Qualifying data = SHA-256(JCS({tpm-ak, geolocation-id-hash, geolocation-proof-hash, privacy-technique, nonce, timestamp, workload-identity-agent-image-digest})). Binds all fields into a single hardware-sealed statement. |
workload-identity-agent-image-digest
|
string (hex SHA-256) | Yes | SHA-256 digest of the Workload Identity Agent binary, measured at attestation time by the Verifier (Host Identity Management Plane). Detects agent binary compromise on every renewal cycle. |
When privacy-technique = "none" (raw coordinates):¶
| Field | Type | Required | Description |
|---|---|---|---|
lat
|
number (float64) | Yes | Latitude, WGS-84 decimal degrees |
lon
|
number (float64) | Yes | Longitude, WGS-84 decimal degrees |
accuracy
|
number (float64) | Yes | Accuracy radius in meters |
geolocation-proof-hash = Base64URL(SHA-256(JCS({lat, lon, accuracy})))¶
When privacy-technique = "zkp" (zero-knowledge proof):¶
| Field | Type | Required | Description |
|---|---|---|---|
zkp-proof-uri
|
string (URI) | Yes | URI to fetch full ZKP proof bytes from the proof depository. Verifier fetches bytes, computes SHA-256(bytes), checks against geolocation-proof-hash. |
zkp-format
|
string enum | Yes | ZKP proof system. Currently: "plonky2". |
geolocation-proof-hash = Base64URL(SHA-256(zkp-proof-bytes))¶
The mno-endorsement is a RATS Endorsement {{!RFC9334}}: a signed statement from a third party (the Mobile Network Operator) about the Attester's location. The MNO attests device location within carrier visibility but does not sign host-level fields. This element is OPTIONAL at the top level; when present, its fields are REQUIRED.¶
| Field | Type | Required | Description |
|---|---|---|---|
mno-key-cert
|
string (Base64URL DER) | Yes | MNO signing certificate. Verifiers SHOULD validate this certificate chains to a known MNO root before accepting the endorsement. |
mno-sig
|
string (Base64URL) | Yes | ECDSA/EdDSA signature over JCS(geolocation-payload) only. The MNO attests location within carrier visibility — does not sign host fields (tpm-ak, nonce, tpm-quote-seal). |
The workload object binds the V-GAP Evidence to a specific workload identity, enabling the Verifier to associate platform and residency claims with the credential being issued.¶
| Field | Type | Required | Description |
|---|---|---|---|
workload-id
|
string (SPIFFE ID) | Yes | The workload's SPIFFE identity URI (e.g., spiffe://example.org/python-app). |
key-source
|
string | Yes | Identifier for the origin of the workload's key material (for example, "tpm-app-key"). Values are deployment-specific; this field is recorded for audit and policy evaluation. |
The Verifier MUST perform the following steps to validate the tpm-quote-seal:¶
tpm-quote-seal (Base64URL → bytes)¶
TPMS_ATTEST structure¶
TPMS_ATTEST.type == TPM_ST_ATTEST_QUOTE¶
expected_qd = SHA-256(JCS({tpm-ak, geolocation-id-hash, geolocation-proof-hash, privacy-technique, nonce, timestamp, workload-identity-agent-image-digest}))¶
TPMS_ATTEST.qualifyingData == expected_qd¶
TPMS_ATTEST bytes using tpm-ak public key (RSASSA-PKCS1-v1_5 or ECDSA)¶
If any step fails, the Verifier MUST reject the Evidence and MUST NOT produce a positive Attestation Result.¶
To prevent mix-and-match and replay attacks, Verifiers MUST enforce the following:¶
nonce field in the lah-bundle MUST be a freshness value issued by the Relying Party (Workload Identity Management Plane) for each attestation interval.¶
timestamp falls outside the configured freshness window.¶
Where policy requires it, the Verifier can additionally require that an agent software measurement (for example, image digest) is covered by validated platform Evidence, reducing the risk that a modified or unauthorized agent obtains credentials.¶
V-GAP reduces reliance on spoofable location signals and stolen tokens by making integrity and residency cryptographically verifiable. Implementers still need to address the following threats:¶
IANA is requested to register the following Object Identifier (OID) in the "SMI Numbers" registry under the "SMI Private Enterprise Numbers" (1.3.6.1.4.1) branch, or as appropriate for the V-GAP profile.¶
This profile assumes two cooperating control planes, mapped to RATS roles:¶
In intermittently connected edge deployments, local operation can continue during outages, while centralized policy can be enforced on renewal and on release of high-value secrets once connectivity is available.¶
To support edge deployments and intermittent connectivity, identity issuance may be distributed within a sovereign boundary.¶
When a workload moves between anchors or boundaries, the Workload Identity Agent should obtain a new V-GAP bundle that reflects the new LAH and current residency.¶
Verifiers should treat this as a normal re-attestation event: - platform integrity continuity can remain stable, but - residency checks should be re-evaluated for the new anchor/boundary.¶
To scale location sensing, a deployment may use dedicated anchors:¶
Large deployments need lifecycle management for the attestation keys referenced by V-GAP (for example, tpm-ak) and for the policies that authorize them.¶
One way to satisfy the freshness requirements in this profile is through a chained nonce and Merkle audit log. Where bundle[n] denotes the JCS-canonicalized lah-bundle object at attestation interval n:¶
chain[n] = SHA-256(chain[n-1] || SHA-256(JCS(bundle[n]))) nonce[n] = HMAC(secret, n || chain[n-1])¶
| Mechanism | Role |
|---|---|
| Chained nonce | Input control — agent cannot submit without responding to the management plane's current state. |
| Merkle chain | Audit output — proves inclusion of past bundles, detects gaps, and enables regulatory audit. |
To prevent rogue key injection during rotation:¶
{
"new-ak-pub": "Base64URL_Encoded_Public_Key",
"serial-number": "AK_Serial_XYZ",
"timestamp": 1708845600,
"hardware-uuid": "Host_Hardware_UUID",
"signature": "Base64URL_Signature_from_Previous_AK"
}
¶
Credential activation (for example, TPM2_MakeCredential) is expensive to run on every request. Verifiers should perform it on events such as:¶
Between full activations, Verifiers may accept fresh quotes from registered AKs as proof of continued compliance, subject to policy.¶
For intermittent connectivity, the Verifier may issue identities with extended validity (a lease) under policy. If a lease is used:¶
Implementations commonly fall into the following patterns, differing in how platform integrity Evidence and the tpm-quote-seal are collected:¶
In-band host attestation: Evidence collected by host software (for example, Keylime-style deployments). In this pattern, the Relying Party (for example, SPIRE Server) generates N_fusion and shares it with the Verifier (for example, the Keylime Verifier) over a server-to-server channel. The Keylime Verifier then delivers N_fusion to the Keylime Agent running on the host, which collects TPM and geolocation evidence, assembles the lah-bundle, and returns it via the host-side channel. This pattern is well-suited to commodity servers and cloud VMs where a BMC path is not available or not required.¶
Out-of-band management: Evidence collected via a management controller / BMC path (for example, iLO-class OOB management such as HPE OneView). In this pattern, the Relying Party (for example, SPIRE Server) generates N_fusion and shares it with the Verifier (for example, HPE OneView) over a server-to-server channel. The Verifier delivers N_fusion to the host via the BMC / OOB path — bypassing the host OS entirely. The host TPM seals the lah-bundle with that nonce, and the sealed bundle is returned via the same OOB path. This pattern is recommended for high-assurance environments where the host OS is part of the threat model.¶
Cloud-hosted attestation environments: Provider mechanisms exposing measured boot and TPM-backed claims (for example, Nitro-class enclaves or shielded VM instances). The cloud provider supplies a hardware-rooted quote that can serve as the tpm-quote-seal; the geolocation claim is typically derived from the provider's zone or region attestation. Implementations should verify that the provider's attestation scope satisfies the geofence policy.¶
Relying parties and credential issuers can use V-GAP Attestation Results as inputs to authorization.¶
{
"lah-bundle": {
"tpm-ak": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG...\n-----END PUBLIC KEY-----",
"geolocation-id-hash": "7f4a2c1b9e3d8f0a6b5c4d2e1f0a9b8c...",
"geolocation-proof-hash": "c8bc2ed62a7a650d99e0884197cdf345...",
"privacy-technique": "zkp",
"geolocation-payload": {
"zkp-proof-uri": "https://verifier.example/v1/proof/c8bc2ed6...",
"zkp-format": "plonky2"
},
"nonce": "ZmUyZjdmMzlmZGVlZWQxOTM1YjY0Mjk0...",
"timestamp": 1740693456,
"tpm-quote-seal": "ARoAAQALAAUACwEA...",
"workload-identity-agent-image-digest": "a1b2c3d4e5f6...64-char-hex-sha256"
},
"mno-endorsement": {
"mno-key-cert": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...",
"mno-sig": "MEYCIQDx9z2k..."
},
"workload": {
"workload-id": "spiffe://example.org/python-app",
"key-source": "tpm-app-key"
}
}
¶
The following recipes define how geolocation-id-hash is constructed from different sensor types. The Verifier sees only the opaque hash — never the raw identifiers.¶
| Sensor Type | geolocation-id-hash Input |
|---|---|
| Mobile (CAMARA) |
SHA-256(tpm-ak-bytes \|\| IMEI-bytes \|\| IMSI-bytes)
|
| GNSS receiver |
SHA-256(tpm-ak-bytes \|\| sensor-serial-bytes \|\| sensor-class-id-bytes)
|
[Note to RFC Editor: This section may be removed before publication as per {{!RFC7942}}.]¶
A reference implementation of the V-GAP profile is publicly available:¶
hybrid-cloud-poc/¶
The implementation demonstrates the in-band host attestation deployment pattern ({{deployment-patterns-informative}}) using:¶
unifiedidentity plugin that embeds the lah-bundle as an X.509 extension (OID 1.3.6.1.4.1.65284.1.1)¶
workload-identity-agent-image-digest)¶
privacy-technique = "zkp" geofence proofs¶
geolocation-id-hash¶
The implementation includes automated end-to-end tests (./run-demo.sh) that exercise the full attestation flow from TPM quote construction through ZKP proof generation and SVID issuance with embedded V-GAP Evidence.¶
India -- Reserve Bank of India (RBI): Payment System Data Localization (2018): From RBI Circular RBI/2017-18/153 (April 6, 2018): "All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction."¶
South Korea's Data Localization Regulations -- Geospatial Information Management Act (Spatial Data Act): Article 16, Paragraph 1: Prohibits the export of state-led survey data.¶