DEV Community

razashariff

We submitted MCPS to the IETF -- here's why MCP needs cryptographic security

We just submitted MCPS (MCP Secure) as an IETF Internet-Draft. Here's why we built it and what it does.

The problem: MCP has no identity layer

Anthropic's Model Context Protocol is brilliant -- it standardises how AI agents talk to tools. But it has zero security at the protocol level. No agent identity. No message signing. No tamper detection. No revocation.

Real CVEs exist (CVSS 9.6). OWASP created an entire Top 10 specifically for MCP risks. In our audit of 518 MCP servers, 41% had zero authentication and 82% had path traversal vulnerabilities.

MCP is HTTP. We're building HTTPS.

What MCPS adds

MCPS wraps every JSON-RPC message in a signed envelope:

Agent                          MCP Server
  |                                |
  |== Signed JSON-RPC envelope ===>|
  |   {                            |
  |     mcps: "1.0",               |
  |     passport_id: "asp_...",    |  Verify signature
  |     nonce: "abc123",           |  Check not revoked
  |     timestamp: 1710...,        |  Reject if replayed
  |     signature: "MEU...",       |  Check trust level
  |     message: { jsonrpc... }    |
  |   }                            |

Tamper any field -- the signature breaks. Replay a message -- the nonce is rejected. Revoke an agent -- instant cutoff.

Key features:

  • Agent Passports -- ECDSA P-256 signed identity credentials
  • Message Signing -- every call wrapped with nonce + timestamp
  • Tool Integrity -- signed tool definitions prevent poisoning (OWASP MCP03)
  • Transcript Binding -- cryptographic chain detects message deletion/reordering
  • Trust Levels -- L0 (unsigned) through L4 (audited)
  • Revocation -- real-time passport revocation via Trust Authority

Try it right now

No install needed. Our interactive playground runs entirely in your browser using the Web Crypto API -- generate keys, create passports, sign messages, verify signatures, and test tamper detection.

Or install the package:

npm install mcp-secure
const mcps = require('mcp-secure');

// Generate ECDSA P-256 keys
const keys = mcps.generateKeyPair();

// Create a passport
const passport = mcps.createPassport({
  name: 'my-agent',
  version: '1.0.0',
  publicKey: keys.publicKey,
});

// Sign an MCP message
const envelope = mcps.signMessage(
  { jsonrpc: '2.0', method: 'tools/call', params: { name: 'read_file' } },
  passport.passport_id,
  keys.privateKey
);

// Verify
const result = mcps.verifyMessage(envelope, keys.publicKey);
console.log(result.valid); // true

Python too:

pip install mcp-secure
from mcp_secure import generate_key_pair, create_passport, sign_message, verify_message

keys = generate_key_pair()
passport = create_passport(name="my-agent", version="1.0.0", public_key=keys["public_key"])
envelope = sign_message({"jsonrpc": "2.0", "method": "tools/call"}, passport["passport_id"], keys["private_key"])
assert verify_message(envelope, keys["public_key"])["valid"]

Wrap any MCP server in 2 lines

const { secureMCP } = require('mcp-secure');

const server = secureMCP(myMCPServer, {
  passport: 'asp_abc123',
  privateKey: process.env.MCPS_PRIVATE_KEY,
  trustAuthority: 'https://agentsign.dev',
  minTrustLevel: 2,
});

Every incoming call is now verified: passport checked, signature validated, replay blocked.

Why an IETF Internet-Draft?

We want this to be a standard, not a product. The draft is 2,405 lines covering the full protocol -- canonicalisation (RFC 8785), signing (ECDSA P-256 per RFC 6979), envelope format, trust levels, revocation, version negotiation, and error codes.

We also submitted a Security Extension Proposal directly to Anthropic's MCP specification repo.

OWASP coverage

MCPS mitigates 8 of 10 OWASP MCP risks:

Risk                             Mitigation
MCP01: Token Mismanagement       Passport-based identity
MCP03: Tool Poisoning            Tool integrity signatures
MCP04: Supply Chain              Signed tool definitions
MCP06: Intent Flow Subversion    Signed messages
MCP07: Insufficient Auth         Passport verification
MCP08: Lack of Audit             Signed audit trail
MCP09: Shadow Servers            Only passported agents
MCP10: Context Injection         Envelope isolation

Zero dependencies, 75 tests

Pure Node.js crypto module. Pure Python cryptography. No external deps. Works on Node 18+ and Python 3.8+. 75 tests covering all cryptographic operations and attack vectors.

Links

MIT licensed. Patent pending (GB2604808.2). Built by CyberSecAI Ltd.

Happy to answer any questions about the protocol design, crypto choices, or how to integrate it.
