MCP message integrity — the gap between agent identity and transport security #435
Description
OASF covers agent identity, discovery, and policy enforcement well. One gap I see: MCP message-level integrity.
Current identity frameworks verify WHO the agent is (badges, credentials, SPIFFE IDs). But once authenticated, the actual JSON-RPC messages between agents and MCP servers flow unsigned. A compromised proxy or middleware can modify tool call parameters without invalidating the agent's identity credential.
The Supabase Cursor breach demonstrated this — the agent was fully authenticated but still exfiltrated credentials because it followed injected instructions from untrusted input.
MCPS (MCP Secure) addresses this layer: per-message ECDSA signing, tool definition hash-pinning, and nonce-based replay rejection. Published as an IETF Internet-Draft: draft-sharif-mcps-secure-mcp
Identity answers WHO. MCPS answers WHETHER the message was tampered with. They're complementary layers in a zero-trust agent stack.
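To make the three checks named above concrete (per-message signing, tool definition hash-pinning, nonce-based replay rejection), here is an added Go sketch of a server-side verifier; it is illustration written for this issue, not code from OASF or from the MCPS draft. The envelope field names, the use of Go's sorted-key JSON encoding as the canonical form, the P-256 curve with ASN.1-encoded signatures, and the sample "query" tool are all this example's own assumptions and say nothing about the draft's actual wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is a hypothetical signed wrapper around one JSON-RPC request.
// Field names and layout are this example's own, not the MCPS draft's.
type Envelope struct {
	Message map[string]any `json:"message"` // the JSON-RPC request as parsed
	Nonce   string         `json:"nonce"`   // fresh random value, one per message
	Sig     []byte         `json:"sig"`     // ASN.1 DER ECDSA signature over digest(message, nonce)
}

var (
	ErrBadSignature = errors.New("signature does not cover this message")
	ErrReplay       = errors.New("nonce already accepted")
	ErrToolChanged  = errors.New("tool definition differs from pinned hash")
)

// canonicalDigest returns SHA-256 over a canonical JSON encoding of v.
// encoding/json emits map keys in sorted order, which is enough for a
// deterministic byte string here; a real scheme would pin down a full
// canonicalization (whitespace, number formats, unicode) explicitly.
func canonicalDigest(v any) ([]byte, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// signingInput binds the nonce to the message so neither can be swapped alone.
func signingInput(msg map[string]any, nonce string) ([]byte, error) {
	return canonicalDigest(map[string]any{"message": msg, "nonce": nonce})
}

// GenerateClientKey creates the agent's signing key (P-256 is an assumed choice).
func GenerateClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the agent side: attach a fresh nonce and sign message+nonce.
func Sign(priv *ecdsa.PrivateKey, msg map[string]any) (Envelope, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Envelope{}, err
	}
	nonce := hex.EncodeToString(n[:])
	digest, err := signingInput(msg, nonce)
	if err != nil {
		return Envelope{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	return Envelope{Message: msg, Nonce: nonce, Sig: sig}, err
}

// Verifier is the MCP server side for one authenticated client key.
type Verifier struct {
	pub         *ecdsa.PublicKey
	seen        map[string]bool   // accepted nonces; bound with a time window in practice
	pinnedTools map[string]string // tool name -> hex SHA-256 of its definition
}

func NewVerifier(pub *ecdsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]bool{}, pinnedTools: map[string]string{}}
}

// Verify checks the signature before the nonce, so only messages that
// really came from the key holder can consume a nonce.
func (v *Verifier) Verify(env Envelope) error {
	digest, err := signingInput(env.Message, env.Nonce)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(v.pub, digest, env.Sig) {
		return ErrBadSignature
	}
	if v.seen[env.Nonce] {
		return ErrReplay
	}
	v.seen[env.Nonce] = true
	return nil
}

// PinTool records a tool definition's hash on first sight and rejects any
// later definition for the same name that hashes differently (a server or
// proxy quietly changing a tool's schema or description).
func (v *Verifier) PinTool(def map[string]any) error {
	name, _ := def["name"].(string)
	d, err := canonicalDigest(def)
	if err != nil {
		return err
	}
	h := hex.EncodeToString(d)
	if prev, ok := v.pinnedTools[name]; ok && prev != h {
		return ErrToolChanged
	}
	v.pinnedTools[name] = h
	return nil
}

func main() {
	priv, _ := GenerateClientKey()
	v := NewVerifier(&priv.PublicKey)
	// Constructed sample request; the "query" tool is hypothetical.
	req := map[string]any{"jsonrpc": "2.0", "id": 1, "method": "tools/call",
		"params": map[string]any{"name": "query", "arguments": map[string]any{"sql": "select 1"}}}
	env, _ := Sign(priv, req)
	tampered := env // a middleware rewriting the arguments invalidates the signature
	tampered.Message = map[string]any{"jsonrpc": "2.0", "id": 1, "method": "tools/call",
		"params": map[string]any{"name": "query", "arguments": map[string]any{"sql": "select 2"}}}
	fmt.Println("tampered:", v.Verify(tampered))
	fmt.Println("original:", v.Verify(env))
	fmt.Println("replayed:", v.Verify(env))
}
```

The order of checks in `Verify` is the detail worth noticing: the signature is verified before the nonce is recorded, so an unauthenticated party cannot fill the seen-nonce set with junk. The set itself still grows without bound here; a deployable version would pair nonces with a timestamp or sequence window so old entries can be dropped.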