Attested Tool-Server Admission: A Security Extension to the Model Context Protocol
Abstract:
While the Model Context Protocol (MCP) establishes a standard for message exchange between large-language-model (LLM) agents and external tool servers, it currently lacks any mechanism for establishing trust. As specified, a host simply accepts a server's self-reported tool list and dispatches calls without verifying which servers are permitted, what sensitivity level each one must meet, or whether a specific tool falls within acceptable boundaries. This study addresses a concrete operational requirement: enabling the Enclawed agent to interact safely with Google's externally managed MCP servers (such as Gmail, Calendar, and Drive). The goal was to admit these servers while restricting which of their tools the agent may invoke, all without modifying MCP itself or Enclawed's existing tool application-programming interface (API).
The solution developed, named mcp-attested, is available in both the open-source enclawed-oss distribution and the enclaved flavor. The mechanism is general rather than Google-specific: the exposure created by unmediated third-party connections, which already puts individual users at risk, is also what keeps accredited, regulated deployments from connecting to such servers at all. To resolve this, we introduce three complementary mechanisms:
- Clearance Assertions: Servers publish a small, offline-signed clearance assertion at a well-known Uniform Resource Identifier (URI). Hosts verify this assertion against a pinned trust root prior to any tool dispatch.
- Per-Server Allowlists: A deny-by-default policy is applied to tool allowlists on a per-server basis, ensuring that admitting a server does not implicitly grant trust in all its tools.
- Enforcement Modes: A flavor-gated enforcement mode converts what would otherwise be warnings into hard denials, and every decision, whether allow, warn, or deny, is recorded in a tamper-evident audit log.
This paper provides the wire format, verification algorithm, and security analysis, alongside an adversarial evaluation driven by LLMs. Furthermore, we present the design in normative Request-for-Comments (RFC 2119) format—including schema, verification rules, error registries, well-known registration protocols, and machine-checkable conformance vectors—facilitating its adoption as an MCP addendum to avoid redundant development. Notably, hosts that do not implement this extension will simply ignore the well-known document, continuing to operate exactly as they do today.
Source: arXiv Generated at: 2026-06-02 00:00:00 UTC