Technical note

Session-Bound Identity for Agent Protocols

Binding delegated agent identity to the actual TLS and attestation session.

We propose this as a security profile, implementation experiment, and optional hardening layer for agent protocols such as AGTP or A2A. It is not a replacement for those protocols.

Read the SSOT Download PDF GitHub repository

Source of truth

This page is an entry point, not the specification

The only source of truth for the profile is docs/SSOT.md in the GitHub repository. This ToppyMicroServices page is a short reader-facing note and link hub. If this page and the SSOT ever differ, the SSOT wins.

Problem

TLS and attestation do not name the whole delegation

A valid TLS session or attested platform can still be the wrong session, wrong task, wrong delegation, or wrong authority boundary for the receiving application.

Valid credentials are not enough

A peer can present valid cryptographic material while still causing replay, relay, diversion, wrong-agent, or confused-deputy failures.

Peer metadata is not policy

The receiver should not turn service, tenant, task, scope, or agent metadata supplied by the peer into local authorization policy.

Approach

Separate authority from session proof

This profile separates who is allowed to authorize a delegated identity from who proves possession in the live TLS or attestation-bound session.

Two signed materials

  • Identity Grant: Manager or policy authority signs the intended agent, task, delegation, scope, and related values.
  • Session Binding Statement: the holder of the authorized confirmation key binds that exact grant to the accepted session.

Three key roles

  • Manager or policy-authority key for Identity Grants.
  • Agent confirmation key for Session Binding Statements.
  • TLS endpoint key for the accepted TLS or exported-authenticator endpoint.

Local policy comparison

The receiver compares signed and session-bound material against local expected policy. Observed peer values do not become expected policy by themselves.

Optional hardening profile

For AGTP/A2A-style agent protocols, this is an optional security-hardening profile layered around identity, delegation, and session binding.

Implemented work

What the repository currently contains

The implementation tests focus on fail-closed acceptance: attacker-shaped input should be rejected before an application treats the observed identity as accepted.

Token profiles

  • JWT/JWS Identity Grant and Session Binding Statement profile.
  • CWT/COSE verifier coverage for the same trust model.

Verifier and cache safety

  • Local expected-policy comparison before acceptance.
  • Response-cache safety policy for caller-dependent results.

Red-team coverage

  • Live-style red-team tests for replay, relay, diversion, wrong-agent, key-role confusion, grant substitution, and cache misuse.
  • Separate notes for boundaries that remain outside the direct-Agent profile.

Readable specification artifact

The repository includes the Markdown SSOT and a rendered PDF for review.

View red-team report View test notes

Boundaries

What is not claimed

Not a standard

  • This is not an IETF standard or consensus document.
  • This is not AGTP or A2A core protocol text.

Not a deployment claim

  • This page does not claim hardware confidential-VM evidence has been measured across all environments.
  • Gateway-routed deployments remain separate design work because the gateway trust model is different.

Links

Repository entry points

Use the repository documents for the current profile text, rendered specification, and red-team evidence.

Read the SSOT Download PDF View red-team report View GitHub repository