DEV Community

Edison Flores
Edison Flores

Posted on

AI agents need their own SSL. Here's why I built it.

In 1995, Netscape released SSL. The web didn't really take off commercially until then. Before SSL, you couldn't trust a website with your credit card. After SSL, e-commerce exploded.

AI agents are at the same inflection point in 2026. Here's why.

The problem

Agents are starting to call each other autonomously. Each hop is a trust decision. But agents have no way to verify each other.

Today, when Agent A calls Agent B:

  • Is Agent B who it claims to be? No way to verify
  • Has Agent B been audited for security? No standard
  • Has Agent B's key been compromised? No revocation mechanism

This is exactly where the web was in 1994. No SSL, no trust, no commerce.

The analogy

Web (1995) Agents (2026)
HTTP (transport) A2A + MCP (transport)
No HTTPS = can't trust No ATC = can't trust
SSL certificate ATC Trust Card
Certificate Authority MarketNow Sentinel CA
Revocation list (CRL) /api/atc?action=verify

What I built

ATC (Agent Trust Card) — SSL certificates for AI agents.

How it works

  1. Agent registers with MarketNow CA
  2. CA signs the agent's identity with Ed25519
  3. Agent presents its ATC to other agents
  4. Other agents verify the signature with the CA public key
  5. If compromised, the CA revokes the ATC

Real cryptography (not a mock)

  • Ed25519 signatures (RFC 8032)
  • CA private key in Vercel env var (never exposed)
  • CA public key committed to public GitHub repo
  • Every ATC persisted as signed JSON in _data/atc/
  • Anyone can verify signatures offline using crypto.verify

Sentinel integration

The ATC's trust score comes from Sentinel — the 8-layer security audit pipeline:

  • L1.5: metadata checks
  • L1.6: Semgrep + secrets + OSV
  • L1.7: binary/malware detection
  • L1.8: malware family signatures (Emotet, Cobalt Strike, etc.)

The positioning

MarketNow is not competing with A2A or MCP. It's the trust layer that sits on top:

ATC (Trust Layer)              <- MarketNow
A2A / MCP (Transport Layer)    <- Google / Anthropic
HTTP / WebSocket (Network)     <- Standard
Enter fullscreen mode Exit fullscreen mode

Every agent with an A2A card can have an ATC Trust Card. Every MCP skill can have a Sentinel Certificate. Complementary, not competitive.

Try it

# Get the CA public key
curl https://marketnow.site/api/atc?action=ca-key

# Issue a trust card for your agent
curl -X POST https://marketnow.site/api/atc \
  -H "Content-Type: application/json" \
  -d '{"action":"issue","agent_id":"your.agent","public_key":"your-ed25519-pubkey"}'

# Verify any agent's trust card
curl "https://marketnow.site/api/atc?action=verify&card_id=ATC-2026-XXXXXXX"
Enter fullscreen mode Exit fullscreen mode

Live demo: https://marketnow.site/atc
GitHub: https://github.com/edgarfloresguerra2011-a11y/marketnow

The web needed SSL to become trustworthy enough for commerce. Agents need the same thing. This is it.

Edison Flores, AliceLabs LLC — marketnow.site

Top comments (0)