arXiv — Attested Tool-Server Admission for MCP (2605.24248)

MCP standardizes how LLM agents and external tool servers exchange messages, but not trust. A host reads a server's self-declared tool list and dispatches calls with no notion of which servers it should use, which tools are in-bounds, or whether the server is the one the user intended. A new paper proposes mcp-attested, an additive security extension that closes this gap without changing the MCP wire protocol or the host's tool API.

  • The authors grew the mechanism from a concrete need: letting the Enclawed agent safely use Google's externally-operated MCP servers (Gmail, Calendar, Drive) while bounding which of each server's tools the agent may invoke.
  • Three additive mechanisms: (1) a small offline-signed clearance assertion published at a well-known URI, verified against a pinned trust root before any tool dispatch; (2) deny-by-default per-server tool allowlists; (3) flavor-gated enforcement mode that upgrades warnings to hard denials with tamper-evident audit logging.
  • The design is stated in RFC 2119 normative form — schema, verification rules, error registry, well-known registration, and machine-checkable conformance vectors — intended for adoption as an MCP addendum.
  • An unextended host ignores the well-known document and behaves exactly as today, so deployment is backward-compatible.
  • The paper includes a wire format specification, verification algorithm, security analysis, and LLM-driven adversarial evaluation.
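The three mechanisms above, composed into one host-side admission check, as an added example (it is not code from the paper or from enclawed-oss, and it does not use the paper's schema). Assumptions: the field names are hypothetical, and HMAC-SHA256 with a pinned key stands in for the offline signature so the block runs on the standard library alone; a real deployment would verify an asymmetric signature against the pinned trust root.

```python
import hashlib, hmac, json

# Constructed pinned trust root; HMAC stands in for the offline signature check.
PINNED_TRUST_ROOT = {"kid": "example-root-1", "key": b"constructed-root-key"}

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_clearance(payload, root=PINNED_TRUST_ROOT):
    """Offline step: build the clearance document published at the well-known URI."""
    sig = hmac.new(root["key"], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "kid": root["kid"], "sig": sig}

def verify_clearance(doc, expected_server, root=PINNED_TRUST_ROOT):
    """Host step, run before any tool dispatch. Returns (ok, reason)."""
    payload = doc.get("payload", {})
    if doc.get("kid") != root["kid"]:
        return False, "unknown_trust_root"
    want = hmac.new(root["key"], canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, doc.get("sig", "")):
        return False, "bad_signature"
    if payload.get("server") != expected_server:
        return False, "server_mismatch"   # clearance is for a different server
    return True, "ok"

class AdmissionPolicy:
    def __init__(self, allowlists, enforce):
        self.allowlists = allowlists   # server -> set of permitted tool names
        self.enforce = enforce         # False: log a warning and proceed; True: hard deny
        self.audit = []                # hash-chained entries, so edits are detectable

    def _log(self, server, tool, decision, reason):
        prev = self.audit[-1]["h"] if self.audit else "0" * 64
        entry = {"server": server, "tool": tool, "decision": decision, "reason": reason, "prev": prev}
        entry["h"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.audit.append(entry)
        return decision

    def admit(self, server, tool, clearance_doc):
        failed = "deny" if self.enforce else "warn"
        ok, reason = verify_clearance(clearance_doc, server)
        if not ok:
            return self._log(server, tool, failed, reason)
        if tool not in self.allowlists.get(server, set()):   # deny by default
            return self._log(server, tool, failed, "not_allowlisted")
        return self._log(server, tool, "allow", "allowlisted")

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "h"}
            if e["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["h"]:
                return False
            prev = e["h"]
        return True
```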

Why it matters

As organizations deploy MCP-connected agents to third-party services, the lack of server identity verification and tool scoping makes regulated or compliance-bound deployments impossible to accredit. mcp-attested offers a concrete, implementable path to server admission control within the existing MCP ecosystem, rather than requiring a full protocol redesign.

What to do

  • Review the paper's well-known URI schema and verification rules if you operate or consume MCP tool servers.
  • Consider implementing deny-by-default tool allowlists for any third-party MCP servers in your deployment today.
  • Track the mcp-attested implementation (available in the enclawed-oss distribution) as a reference.

Sources: