Technical note

Agents Secure Binding

Binding delegated agent identity to the actual TLS and attestation session.

We propose this as a security profile, implementation experiment, and optional hardening layer for agent protocols such as AGTP or A2A. It is not a replacement for those protocols.

Read the SSOT Download PDF GitHub repository

Source of truth

This page is an entry point, not the specification

The only source of truth for the profile is docs/SSOT.md in the GitHub repository. This ToppyMicroServices page is a short reader-facing note and link hub. If this page and the SSOT ever differ, the SSOT wins.

The receiver accepts only when the Identity Grant and the Session Binding Statement match the current TLS or attestation-bound session and Alice's local expected policy. Replayed bindings, substituted grants, wrong keys, and peer-supplied metadata fail closed.

Happy path

grant and live session match

1. Manager Issues the delegated identity. Identity Grant packet

2. Agent Starts the TLS / attestation session. live session

3. Agent → Alice Sends proof for this grant and this session. Session Binding Statement packet

Result: ACCEPT

Attack path

valid-looking material, wrong binding

1. Attacker Replays a binding or substitutes a grant. old / wrong grant

2. Attacker → Alice Adds peer-supplied service or task metadata. Metadata packet

3. Alice Verifier Detects grant_hash, key, session, or policy mismatch. local expected policy wins

Result: REJECT

Verifier outcomes

Case	Result	Why
valid grant + valid binding	ACCEPT	The signed grant, Agent key, `grant_hash`, session binding, and local policy all match.
replayed binding	REJECT	The statement does not bind to Alice's current TLS or attestation session.
grant_hash mismatch	REJECT	The binding statement points at a different Identity Grant.
wrong Agent key	REJECT	The confirmation key does not match the agent authorized by the grant.
Manager key reused as Agent key	REJECT	Manager authority and Agent confirmation roles are separate.
missing attestation binder	REJECT	The receiver cannot bind the statement to the attested session evidence.
peer metadata injection	REJECT	Alice uses local expected policy, not peer-supplied metadata, as the acceptance policy.

Problem

TLS and attestation do not name the whole delegation

A valid TLS session or attested platform can still be the wrong session, wrong task, wrong delegation, or wrong authority boundary for the receiving application.

Valid credentials are not enough

A peer can present valid cryptographic material while still causing replay, relay, diversion, wrong-agent, or confused-deputy failures.

Peer metadata is not policy

The receiver should not turn service, tenant, task, scope, or agent metadata supplied by the peer into local authorization policy.

Approach

Separate authority from session proof

This profile separates who is allowed to authorize a delegated identity from who proves possession in the live TLS or attestation-bound session.

Two signed materials

Identity Grant: Manager or policy authority signs the intended agent, task, delegation, scope, and related values.
Session Binding Statement: the holder of the authorized confirmation key binds that exact grant to the accepted session.

Three key roles

Manager or policy-authority key for Identity Grants.
Agent confirmation key for Session Binding Statements.
TLS endpoint key for the accepted TLS or exported-authenticator endpoint.

Local policy comparison

The receiver compares signed and session-bound material against local expected policy. Observed peer values do not become expected policy by themselves.

Optional hardening profile

For AGTP/A2A-style agent protocols, this is an optional security-hardening profile layered around identity, delegation, and session binding.

Implemented work

What the repository currently contains

The implementation tests focus on fail-closed acceptance: attacker-shaped input should be rejected before an application treats the observed identity as accepted.

Token profiles

JWT/JWS Identity Grant and Session Binding Statement profile.
CWT/COSE verifier coverage for the same trust model.

Verifier and cache safety

Local expected-policy comparison before acceptance.
Response-cache safety policy for caller-dependent results.

Red-team coverage

Live-style red-team tests for replay, relay, diversion, wrong-agent, key-role confusion, grant substitution, and cache misuse.
Separate notes for boundaries that remain outside the direct-Agent profile.

Readable specification artifact

The repository includes the Markdown SSOT and a rendered PDF for review.

View red-team report View security red-team tests

Boundaries

What is not claimed

Not a standard

This is not an IETF standard or consensus document.
This is not AGTP or A2A core protocol text.

Not a deployment claim

This page does not claim hardware confidential-VM evidence has been measured across all environments.
Gateway-routed deployments remain separate design work because the gateway trust model is different.

Links

Repository entry points

Use the repository documents for the current profile text, rendered specification, and red-team evidence.

GitHub repository Read the SSOT Download PDF View red-team report View security red-team tests