Three readings, each of a mechanism that comes near the problem: provenance, which records where a claim came from; attestation, which certifies who produced an artefact and that it was unaltered; and the policy engine, which decides at runtime whether an action is permitted. Each was read in its own specification, and each was pressed with the strongest version of the objection that it already does what this work proposes. This is where the three come together, and where the gap the problem statement asserted becomes something the reading has shown.
The three, on the same four questions
Each near-neighbour was examined against the same four questions, so they answer on common axes rather than each on its own terms.
| Provenance (W3C PROV) | Attestation (in-toto, SLSA) | Policy (OPA, XACML) | |
|---|---|---|---|
| What it establishes | Where a claim came from: the entities, activities, and agents in its production | Who produced an artefact, and that it was not altered | That a decision was computed according to the rules and facts supplied |
| When it operates | Retrospectively; a record of what happened | Across the supply chain; certifies production after the fact | At runtime, on query, at the point of action |
| Represents basis, and adjudicates fitness for an action? | No. Records origin; adjudicates nothing | No. Certifies custody and process; content-agnostic by construction | No. Evaluates supplied attributes; supplies no model of them |
| Where it ends, by its own scope | At the record. Assessment is a use by external parties | At the signature. What was signed may be false | At evaluation. The rules and the facts are the user's |
Read across the bottom two rows, the three answers are one answer in three registers. None represents a claim's basis. None adjudicates fitness for an intended action. Each, by its own stated scope, stops exactly short of the question this work asks.
Why the three together still leave the gap open
The natural rejoinder is that what none covers alone, the three might cover together: provenance records the origin, attestation authenticates it, the policy engine decides on it. But composing them does not produce the missing part, because the missing part is not a fourth mechanism of the same kind. It is the model the three would operate on.
Provenance can record that a value was generated by a model; it cannot say what that licenses. Attestation can carry and sign that record across a boundary; it cannot say whether the record is true or sufficient. A policy engine can refuse an action when a claim's basis falls below the bar, but only once basis, the bar, and the action's requirement have been defined, represented, and handed to it. Each rival presupposes the same absent thing: a principled, portable representation of a claim's evidentiary basis and of the actions that basis can and cannot warrant. The three are transport, record, and evaluation. What they would transport, record, and evaluate is what does not yet exist.
Where the missing model would attach
The reading did not only find an absence. It found where the absent model would connect to what already works. Two of the rivals resolved into parts of the eventual solution rather than competitors to it:
- Attestation as transport: an authenticated envelope that will carry a claim of basis across a trust boundary, once such a claim exists to carry.
- The policy engine as evaluator: a runtime decision point that will adjudicate admissibility, once the model is defined and supplied to it.
The in-toto specification joins these two directly, naming automated policy engines as an attestation's intended consumers. So the existing machinery already composes into a pipeline, transport feeding evaluation, with exactly one part missing: the model of basis that would give the pipeline something meaningful to carry and to decide. That model is the contribution, and its route to deployment is now concrete rather than hypothetical.
The gap, now a finding
The problem statement asserted that no existing mechanism lets a receiving owner determine whether the evidence behind a claim is sufficient for the specific action they intend to take. After reading provenance, attestation, and policy in their own specifications, that is no longer an assertion. It is the conclusion of the reading, and each near-neighbour has testified to it in its own words. Provenance externalises the assessment, calling it a use by parties outside itself (W3C, 2013). Attestation is content-agnostic: in-toto does not validate whether the claims it carries are correct (in-toto, n.d.), and SLSA makes no claim about whether an artefact is fit for purpose (OpenSSF, 2023). The policy engine supplies no model, being domain-agnostic and accepting arbitrary input with no built-in notion of basis (Open Policy Agent, n.d.).
The gap is real, it is specific, and it is unaddressed by the mechanisms that come nearest to it. Across all of the reading, not one specification forced a claim in the problem statement to soften. The question that opens is therefore licensed: because no artefact supplies action-relative admissibility, whether one can be built is genuinely open, and worth the building.
References
in-toto (n.d.). in-toto Attestation Framework: Specification. in-toto project. github.com/in-toto/attestation
Open Policy Agent (n.d.). Documentation and Rego Policy Language Reference. openpolicyagent.org/docs/latest
OpenSSF (2023). Supply-chain Levels for Software Artifacts (SLSA): Threat Model, v1.0. Open Source Security Foundation. slsa.dev/spec/v1.0/threats
W3C (2013). PROV-Overview. W3C Working Group Note. w3.org/TR/prov-overview