SEP: Attested Tool-Server Admission (ATSA)#2809
Conversation
The original PR (modelcontextprotocol#2777) was closed by accident; GitHub refused to reopen it because the head fork had been deleted in the meantime. This branch is re-submitted as PR modelcontextprotocol#2809, so the SEP file name, title, table fields, and index entries are updated to match the new number. No specification content changes.
This comment was marked as spam.
This comment was marked as spam.
Added contributions from Christopher Hopley (Algovoi) and Maaz (Interlock).
forgot to update the header with the contributors line
|
@chopmob-cloud thank you for your contribution. I updated the SEP and the paper to reflect that. |
CI was red on two checks:
- Markdown Format Check (npm run check:docs:format): prettier
--check flagged seps/2809-attested-tool-server-admission.md
for code-style drift introduced by the last hand-edits.
- Render SEPs (npm run check:seps): the rendered mdx under
docs/seps/ was older than the source .md.
Re-ran `npx prettier --write seps/2809-attested-tool-server-admission.md`
and `npm run generate:seps`. Both checks now pass locally.
The companion preprint is now indexed on arXiv. The earlier "arXiv ID forthcoming" placeholder is replaced with the canonical identifier in both the SEP preamble (alongside the Zenodo archive DOI) and the References list. Rendered .mdx regenerated to match.
metereconsulting
force-pushed
the
feature/attested-tool-server-admission
branch
from
7071122 to
9394cdb
Compare
|
Strong framing in the new "Composition with Runtime Drift Monitoring" section — the One axis that composition map doesn't yet name sits alongside the drift layer rather than under it: caller-side governance. ATSA answers which server the host admits; the drift layer answers whether the admitted server's surface changed; neither addresses which calling identity, under what declared purpose and scope, may invoke an admitted tool — the demand-side counterpart to your supply-side admission. Such a layer would compose the way your section describes: bind to the verified That points at the one guarantee currently left undefined on both ends. Your Audit rule is a Would you see reconciling the audit guarantee across these layers living inside ATSA's |
The audit-tamper-evident observation is the cross-cutting one. ATSA, drift, Interceptors #2624 each name it; none specify it. Three SHOULDs, zero vectors — won't clear Final under The reconciliation belongs in its own SEP, not ATSA's Open Questions. Same composition discipline that kept drift out of ATSA's wire format: the shape of a tamper-evident record Bootstrapping isn't a blocker. ATSA v1 ships with the current SHOULD plus a forward reference; each seam upgrades to MUST against the audit SEP's vector when it lands. RFC 9449 / A built Apache-2.0 caller-governance server with conformance vectors is exactly the third consumer that makes the audit SEP worth landing standalone. Happy to cross-reference both |
I read the paper end to end — the canonicalization discipline (one canonical body, Definition 1, reused on the signing and verification paths) and the deny-by-default flavor gating are clean, and the bootstrapping path you describe is the right way through: ship the SHOULD with a forward reference now, upgrade to a MUST against the audit SEP's vector once it lands. Agreed too that the record shape is orthogonal to which layer writes it — ATSA's audit is admission-scoped (the On gif being a consumer — that's fair, though it may be able to contribute a bit more than consume. The append-only audit in One thing the two implementations seem to already agree on, which might help scope the SEP: the tamper-evidence itself isn't wire-observable, so neither side puts it in the wire-checkable conformance surface — ATSA keeps audit a SHOULD, and gif keeps the hash chain in the storage layer, outside its wire-conformance scenarios. That suggests the audit SEP's machine-checkable vectors realistically cover the observable record — its schema, the emission events, scope-gated read — while the integrity construction is specified and referenced but attested rather than gated. Worth pinning down early, since it shapes what "conforming" can even mean. I'd be glad to put gif's record format on the table as a starting point and to do real drafting work on the contract itself, not just reference it from the side. Two things that would help me calibrate: which venue you see this homed in — one of the existing IGs ( |
Hi Scott, To answer your initial question directly: No, I will not be adding the explicit definition of the audit-tamper-evident observation to this ATSA PR. Your comment perfectly articulates why: folding it in here inherits an "audit primitive owned by admission," which is the wrong factoring. Since ATSA, Interceptors (#2624), and gif all consume this exact same guarantee, it belongs in its own standalone SEP rather than burying it in ATSA's Open Questions. I completely agree with the bootstrapping path you outlined. I will keep the current SHOULD in this PR along with a forward reference to the future audit SEP. That keeps the wire-conformance surface clean and ensures this PR clears SEP-2484 without getting stalled by orthogonal architectural dependencies. To your points on moving the standalone effort forward: Venue & Sponsorship: This belongs in #security-ig. We need to secure the sponsor for the standalone audit SEP so we aren't gated. The Draft: I welcome your drafting help. Let’s use notboatanchor/gif's record format, canonicalization discipline, and SHA-256 hash-chain mechanics as the baseline draft so we start with a worked, test-backed reference implementation. Conformance Boundary: Agree completely that the machine-checkable vectors should cover the observable record (schema, emission, scope-gated read) while the integrity construction is specified and attested. I’ll update this PR with the forward reference text shortly. Let's move the deeper audit definition discussion to a new issue under #security-ig—tag me when you put the gif format on the table and we’ll cross-reference the numbers. |
localden
added
proposal
4 participants
Summary
Adds a new Standards Track SEP: Attested Tool-Server Admission (ATSA).
New file:
seps/0000-attested-tool-server-admission.md(I'll rename it to the PR number once assigned, per the SEP guidelines).ATSA is an optional, purely additive admission layer. A server publishes a small, offline-signed clearance assertion at a well-known URI; a host verifies it against a locally pinned trust root before any tool dispatch; admitting a server is kept distinct from authorizing its tools via a closed per-server tool allow-list; and every admission decision is auditable. No existing MCP message changes shape — an unextended host ignores the mechanism and behaves exactly as today.
Motivation (the gap in the current spec)
A host today takes a server's identity and its advertised
tools/liston faith, so a prompt-injected model can drive a destructive tool on any server it connects to. This is exploitable in every deployment, and disqualifying + unauditable for regulated operators (NIST SP 800-53 AC-3/AC-4/AC-6, AU-2/AU-9). TLS answers "did I reach the named endpoint"; the authorization profile answers "may this user use this server"; nothing answers the third question — is this server one the host is authorized to use as a tool provider, and at what sensitivity?Why this belongs in the spec, not a per-vendor layer
It can be built above MCP today — but additive ≠ interoperable. Bolted on by one vendor, attestation secures only that vendor's island. The payoff ("attested" as a claim any host can check; servers publishing one document instead of N vendor dialects; SDKs shipping the gate on by default) only materializes once a single format is agreed, and only the spec owner can mint that Schelling point.
Evidence (written from a production prototype, not theory)
extensions/mcp-attested(plus a Google Workspace bridge inextensions/mcp-google-workspace). Includes a JSON Schema, an error registry, and machine-checkable conformance vectors.Backward compatibility
None broken. The assertion lives at a well-known URI (RFC 8615); the tool allow-list is host-side state; no existing message changes shape. Unextended hosts and servers are unaffected — incremental rollout.
Design-principles alignment
The SEP's Rationale maps the proposal to all eight MCP design principles and addresses the two most likely objections head-on — Composability over specificity ("can't this just be an extension?") and Stability over velocity ("permanent cost"). It leads with Demonstration over deliberation: the mechanism is already in production. It is also written to satisfy the SEP-2484 conformance requirement out of the box — every MUST/SHOULD is already enumerated as a vector in the reference implementation.
Sponsor
Seeking a sponsor — this sits in the security / authorization scope, and was raised in
#security-igand#auth-igfor validation. Happy to walk through it at a Core Maintainer meeting.AI-assistance disclosure (per CONTRIBUTING.md)
The author originated and directed this work and independently verified every factual claim, citation, and normative statement; an AI agent was used only as a mechanical drafting aid.