New Sandbox Project Proposal: MCPS (MCP Secure) — Cryptographic Security Layer for MCP

[razashariff]

New Sandbox Project Proposal: MCPS (MCP Secure)

Project Name

MCPS (MCP Secure)

Project Repository

https://github.com/razashariff/mcps

Project Website

https://mcp-secure.dev

Project License

MIT

Project Description

MCPS is a cryptographic security layer for the Model Context Protocol (MCP). It adds agent identity verification, per-message signing, tool definition integrity, and replay protection to MCP communications -- without modifying the core protocol.

MCP is the emerging standard for connecting AI agents to external tools and data sources. However, MCP currently has no built-in mechanism for verifying agent identity, ensuring message integrity, or detecting tool tampering. Research shows 41% of MCP servers have zero authentication and CVE-2025-6514 (CVSS 9.6) demonstrated RCE via tool poisoning.

MCPS addresses this by operating as an envelope around existing JSON-RPC messages, analogous to how TLS wraps HTTP. It provides:

• Agent Passports: ECDSA P-256 cryptographic identity credentials for agents
• Signed Message Envelopes: Per-message signing with nonce + timestamp for integrity and replay protection
• Tool Definition Signatures: Signed tool definitions to detect poisoning and rug pulls
• Trust Levels L0-L4: Progressive trust framework from unsigned through full mutual authentication
• Real-Time Revocation: Compromised agents can be revoked via Trust Authority

OpenSSF Mission Alignment

MCPS improves open source software security by providing cryptographic controls for the MCP ecosystem, which is rapidly becoming critical AI infrastructure (11,000+ registered servers, adopted by Anthropic, OpenAI, Google, Microsoft). The project:

1. Secures consumption of OSS: MCP tools are a software supply chain. MCPS applies signing, verification, and pinning to prevent tool poisoning attacks.
2. Establishes best practices: Trust levels L0-L4 provide a progressive security maturity model. MCPS mitigates 8 of 10 OWASP MCP security risks.
3. Fosters collaboration: Open specification (MIT), reference SDKs for Node.js (npm: mcp-secure) and Python (PyPI: mcp-secure), 39 agent frameworks scanned publicly.

Proposed Working Group

Best Practices Working Group or Supply Chain Integrity Working Group (defer to TAC guidance).

MCPS defines security best practices for AI agent communication (Best Practices WG alignment) and addresses supply chain integrity for dynamically discovered tool definitions (Supply Chain Integrity WG alignment).

Technical Maturity

Artifact	Status
Specification (SPEC.md)	2,603 lines, covering all primitives, data structures, verification flows, error codes
Node.js SDK (mcp-secure)	Published on npm, zero dependencies
Python SDK (mcp-secure)	Published on PyPI, one dependency (cryptography)
Test suite	43 tests passing
Website	Live at mcp-secure.dev
OWASP alignment	8/10 MCP risks mitigated, 39 frameworks scanned
SEP submission	Submitted to MCP specification process
Cryptography	ECDSA P-256 (NIST FIPS 186-4), SHA-256, JWK (RFC 7517)

Maintainers

• Raza Sharif, CyberSecAI Ltd, @razashariff
• (Actively recruiting 2 additional maintainers from separate organizations)

IP Policy / License Review

Not yet completed. Will initiate upon TAC interest. Project is MIT licensed with no known IP conflicts. All code is original. Node.js SDK has zero dependencies. Python SDK depends only on cryptography (Apache-2.0 / BSD-3-Clause).

Links

• Repo: https://github.com/razashariff/mcps
• Spec: https://github.com/razashariff/mcps/blob/main/SPEC.md
• Website: https://mcp-secure.dev
• npm: https://www.npmjs.com/package/mcp-secure
• PyPI: https://pypi.org/project/mcp-secure/
• OWASP Scan: https://mcp-secure.dev/#scan
• SEP Draft: https://github.com/razashariff/mcps/blob/main/sep/0000-mcps-cryptographic-security-layer.md

Sandbox Stage Application

The full sandbox stage application document is available at:
https://github.com/razashariff/mcps/blob/main/openssf/mcps-sandbox-proposal.md

This application will be submitted as a PR to ossf/tac adding:

1. process/project-lifecycle-documents/mcps_sandbox_stage.md
2. An entry in the Projects table in README.md

Contact

• Author: Raza Sharif
• Organization: CyberSecAI Ltd
• Email: contact@agentsign.dev
• GitHub: @razashariff

[razashariff]

Update: MCPS Progress Since Submission

Hi TAC members — wanted to share progress since the initial submission:

IETF Internet-Draft Published

The MCPS specification has been accepted as an IETF Internet-Draft:

• draft-sharif-mcps-secure-mcp: https://datatracker.ietf.org/doc/draft-sharif-mcps-secure-mcp/
• Submission ID: 160932

Drop-in Replacement MCP SDK with Native MCPS Security

We have shipped a fork of the official MCP TypeScript SDK with MCPS integrated natively:

• Repository: https://github.com/razashariff/agentsign-mcp-sdk
• Three packages: @agentsign/mcp-core, @agentsign/mcp-server, @agentsign/mcp-client
• Same API as the official MCP SDK, one-line security opt-in: { security: true }
• 259 tests passing across unit, integration, and security test suites
• Security tests cover: cryptographic correctness, OWASP MCP Top 10 attacks, OWASP Agentic AI Top 10, and adversarial/penetration scenarios (replay, downgrade, forgery, stripping)

Updated Technical Summary

Artifact	Status
IETF Internet-Draft	Published
MCP SDK fork (TypeScript)	Shipped — 259 tests passing
Node.js standalone SDK (mcp-secure)	Published on npm v1.0.2
Python SDK (langchain-mcps)	Published on PyPI v0.1.0
OWASP MCP Top 10 PR	Submitted (PR #27)
MCP SEP-2395	Submitted (PR #2395)

Happy to present to the TAC or provide any additional information needed for sandbox stage review. What are the next steps from your side?

[razashariff]

Update: External Contributor Confirmed + Security Audit Complete

New Contributor from Separate Organisation

Jairooh (AgentShield) has accepted contributor access to the MCPS project. AgentShield is a runtime behavior monitoring framework for LangChain agents that has integrated MCPS trust levels (L0-L4) into its risk scoring engine.

This addresses the multi-organisation maintainer requirement:

Name	Organisation	Role
Raza Sharif	CyberSecAI Ltd	Project Lead, Patent Holder (GB2604808.2)
Jairooh	AgentShield	Contributor (accepted Mar 2026)

Contributor License Agreement (CLA) is now in place: CONTRIBUTING.md. All contributions are assigned to CyberSecAI Ltd.

Red Team Security Audit Completed

Ran 180 cryptographic security tests (75 standard + 105 advanced red team), all passing. The red team suite covers 19 attack categories:

• Nonce collision / birthday attacks (128-bit = 2^64 birthday bound)
• Timestamp skew manipulation (8 edge cases)
• ECDSA signature malleability (500 signatures verified low-S, BIP-0062)
• RFC 8785 canonicalization attacks (NFC/NFD, null bytes, proto, deep nesting)
• Key substitution attacks
• Protocol-level attacks (field injection, body modification, type confusion)
• Passport forgery and trust level escalation
• Tool poisoning (homoglyphs, zero-width chars, Unicode direction overrides)
• Channel binding (TLS) attacks
• Transcript binding / downgrade attacks
• DER-to-P1363 converter edge cases
• Memory exhaustion / DoS resistance
• Origin binding bypass attempts
• HSM external signer edge cases
• Advanced cryptographic attacks (RFC 6979, timing analysis, key privacy)
• Envelope field injection
• Race condition and concurrency

Result: 0 critical vulnerabilities. 3 low/medium recommendations (none exploitable). Full report: SECURITY-AUDIT.md

Cross-referenced against all known ECDSA/MCP CVEs (2024-2026): CVE-2024-42460, CVE-2024-42461, CVE-2024-48948, CVE-2024-31497, CVE-2024-23342, CVE-2025-6514, CVE-2025-68145. MCPS is not affected by any of these (uses Node.js native crypto, not the elliptic library; uses P1363 format, not DER).

Updated Technical Summary

Artifact	Status
npm package	mcp-secure@1.0.4 (CONTRIBUTING.md + CLA included)
Test suite	180 tests passing (75 standard + 105 red team)
Security audit	Complete, 0 critical findings
Contributors	2 from separate organisations
IETF Draft	Live: draft-sharif-mcps-secure-mcp
CLA	In place (CONTRIBUTING.md)

[razashariff]

Quick status update on MCPS since submission:

Adoption & Standards

• IETF Internet-Draft published: draft-sharif-mcps-secure-mcp
• Active engagement with OWASP Agent Observability Standard (AOS), OWASP MCP Top 10, and OWASP AISVS on MCP security controls
• npm package mcp-secure — zero dependencies, 180 tests (75 standard + 105 red team across 19 attack categories)

Community

• OWASP AISVS contributors referencing MCPS as an implementation reference for MCP message integrity canonicalization controls
• SOC 2 Trust Service Criteria mapping published (23 criteria across Security, Processing Integrity, Confidentiality, Availability)
• Interactive demo live at mcps-demo.fly.dev showing all 7 security scenarios

Happy to answer any questions from TAC members or present at a future meeting if helpful.

[steiza]

Hey @razashariff - thanks for opening up this issue. I see there's a lot you've been up to this week!

In terms of OpenSSF process, as you listed in your first message, a project would need a working group to report to. I might suggest reaching out to the AI/ML Security Working Group - either on their Slack channel or attending one of their upcoming meetings.

In particular, the SAFE Framework project is part of the AI/ML Security Working Group, was just approved 2 weeks ago, and has a similar purpose:

SAFE-Framework provides a shared security framework for Agentic AI systems, focusing on the real-world side effects of autonomous actions, tool use, and model-to-model interactions. It catalogs tactics and techniques for agentic failure modes and security abuse, and offers guidance for mitigation and detection so builders can assess and reduce risk before deployment.

The OpenSSF is no stranger to projects that require signing and verifying content. Sigstore has been running for several years and recently had its 1 billionth entry on its public transparency log. What we've learned from that project is that generating keys and signing things is relatively easy; what's much more difficult is securely distributing verification material, as well as getting ecosystems to adopt your proposed implementation and ensuring those implementations are interoperable. This is less a problem of quickly generating code and more a case of meeting with people, understanding what problems they are facing, and working with them to ensure your proposed solution meets their needs.

[justaugustus]

@razashariff — out of curiosity, have you spoken with the MCP project, under Agentic AI Foundation (AAIF)?

That seems like the natural fit for this discussion.

[razashariff]

Thanks @justaugustus — yes, we've been engaging with the MCP project directly. We submitted a Security Enhancement Proposal (SEP) as PR modelcontextprotocol/modelcontextprotocol#2395, which proposes MCPS as a cryptographic signing layer for the protocol.

We also filed an IETF Internet-Draft (draft-sharif-mcps-secure-mcp) to formalise the specification.

Happy to continue the conversation in whichever venue makes most sense — AAIF, OpenSSF, or both. The security gap exists at the protocol level regardless of where it's discussed.

[razashariff]

@justaugustus thanks for the pointer to AAIF -- that does seem like the natural home given MCP now sits under their governance.

Would you be able to introduce me to the Security & Privacy Working Group leads? MCPS addresses several gaps in the current MCP specification (message signing, replay protection, tool integrity) and we've published it as an IETF Internet-Draft already. Happy to present the work to the WG if that's useful.

In the meantime, we've also submitted a section on message-level integrity controls to the OWASP MCP Security Cheat Sheet (OWASP/CheatSheetSeries#2065) at @jmanico's invitation, so the vendor-neutral guidance is coming together alongside the protocol spec.

Thanks again in advance.

[mihaimaruseac]

I would +1 the discussion in #583 (comment).

This is very close to the SAFE MCP SIG on the AI/ML working group, so we should not duplicate the efforts, @razashariff . The SAFE MCP SIG is meeting every other Monday at 1PM Pacific, next meeting will be next Monday. Please join it.

[razashariff]

@mihaimaruseac thanks for flagging the SAFE MCP SIG -- wasn't aware of it. Happy to join the next meeting on Monday. Is there a calendar link or meeting invite I can use to join? Many thanks again.

[lehors]

@mihaimaruseac thanks for flagging the SAFE MCP SIG -- wasn't aware of it. Happy to join the next meeting on Monday. Is there a calendar link or meeting invite I can use to join? Many thanks again.

The public calendar can be found on this page: https://openssf.org/getinvolved/