
Extension: Server Identity and Tool Attestation#17

Open
abdelsfane wants to merge 1 commit into modelcontextprotocol:main from opena2a-org:ext/server-identity-attestation

Conversation

@abdelsfane

Summary

  • Defines an optional extension for cryptographic server identity and tool attestation in MCP
  • Ed25519 key pairs for server identity, self/publisher/DNS attestation types, tool definition signing via _meta, challenge-response verification, and key revocation
  • Complements existing auth extensions (Client Credentials, Enterprise-Managed Authorization) by addressing server-to-client identity verification

Motivation

MCP has no mechanism for clients to verify server identity or detect tool definition tampering. The OWASP MCP Top 10 identifies related risks:

  • MCP03 — Tool Poisoning (tool definition tampering)
  • MCP04 — Supply Chain Attacks (no provenance chain)
  • MCP07 — Insufficient Authentication (no mutual auth)
  • MCP09 — Shadow MCP Servers (server impersonation)

Existing auth extensions solve client-to-server authorization. This extension solves the complementary problem: server-to-client identity.

Context

This was originally submitted as SEP-2267 to the core spec repository. Per maintainer guidance from @localden, this extension belongs in ext-auth rather than the core spec.

The document has been reformatted to follow the ext-auth extension conventions (MDX format, numbered sections, parameter tables, RFC keyword styling).

What's Included

  • specification/draft/server-identity-attestation.mdx — Full extension specification

Extension capabilities:

  1. Server Identity — Ed25519 key pairs in JWK format, identity metadata
  2. Attestation Types — Self (TOFU/key pinning), publisher (third-party signing), DNS (domain binding)
  3. Tool Attestation — Cryptographic signatures over tool definitions via _meta
  5. Challenge-Response — identity/get and identity/challenge JSON-RPC methods
  5. Key Revocation — Revocation attestations and key rotation

Backward Compatibility

All new fields and methods are additive. Servers that do not implement this extension are unaffected. Clients that do not support it ignore the identity metadata. Existing OAuth mechanisms continue to work unchanged.

References

Define cryptographic server identity and tool attestation for MCP.
Addresses OWASP MCP Top 10 risks: server impersonation (MCP09),
tool poisoning (MCP03), supply chain attacks (MCP04), and
insufficient authentication (MCP07).

Specification includes:
- Ed25519 key pairs for server identity (JWK format)
- Self, publisher, and DNS attestation types
- Tool definition signing via _meta
- Challenge-response verification (identity/get, identity/challenge)
- Key revocation mechanism

Previously submitted as SEP-2267 to the core spec repository.
Redirected here per maintainer guidance as an auth extension.
