The Authorization Type Attestation (ATA) Protocol

Introduction Modern communication protocols (TLS, DTLS, QUIC , MLS ) verify that data reached the correct endpoint securely. They do not indicate the authorization type of the communicating party at the session layer. This produces four communication states lacking session-layer authorization type encoding: Communication states lacking session-layer authorization type encoding

State	Direction	Current gap
H2H	human to human	No mutual authorization attestation
H2AI	human to AI	Human side: FIDO2; AI side: unattested
AI2H	AI to human	No session-layer standard exists
AI2AI	AI to AI	No attestation standard

Existing authentication mechanisms (mTLS, OAuth 2.1, SPIFFE/SPIRE, signed agent cards) establish workload identity and permission scope. They do not indicate whether the authorizing party is a human principal or an AI provider instance. Current MCP and A2A authorization mechanisms do not specify hardware-level AI provider attestation. We observe that emerging agentic systems across independent implementations require this signal. This document specifies a mechanism to address this class of problems. This problem was previously theoretical. It becomes practical with the emergence of agentic systems capable of autonomously initiating real-time interactions at scale. MCP and A2A are early instances of a broader class of protocols that expose this gap operationally. This motivates documenting a transport-layer mechanism before incompatible deployments emerge. Absence of ATA data indicates an unattested session and is not, by itself, evidence of fraud.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Authorizing Party:: The human principal or AI provider instance that cryptographically authorized a communication session.
Authorization Type:: The semantic classification of the authorizing party: SIGNED_HUMAN, SIGNED_AI, or UNSIGNED. Distinct from workload identity as provided by mTLS or SPIFFE.
Authorization Handshake:: The ATA Phase 1 process establishing mutual session authorization type and deriving a session key.
Attestation:: A cryptographically signed claim about the hardware and credential state of the authorizing party at session time, expressed in EAT format .
Provider Endpoint:: The attestable unit for AI participants: the AI provider's service endpoint on verified hardware infrastructure. The underlying model implementation is outside attestation scope.
Certificate Issuer Mismatch:: A condition in which the certificate presented by a party is issued to an organization other than the expected authorizing party. Detectable without content analysis.
Agentic Protocol:: A communication protocol designed for autonomous AI agent interactions, typically operating over HTTPS. MCP and A2A are current instances of this class.

Non-Goals ATA explicitly does not address the following:

Replacement of existing identity systems. ATA is composable with mTLS, SPIFFE/SPIRE, OAuth 2.1, and FIDO2. It does not supersede or conflict with these mechanisms.
Content authorship verification. ATA verifies who authorized the channel. It makes no claim about the origin of individual messages within the channel. Recipients requiring per-message content authorship verification should use C2PA in conjunction with ATA.
Model implementation attestation. The attestable unit is the provider's service endpoint. Internal architecture, weights, and model versions are outside scope.
Trust scoring or behavioral guarantees. ATA encodes authorization type, not trustworthiness or intent.
Biological presence. ATA does not determine biological presence. It verifies that a human principal's device-bound credential authorized the session.
Continuous presence guarantee. ATA attests the authorization type at session initiation time. It does not guarantee that the authorizing party remains present or active throughout the session duration.
Prevention of relay attacks within authorized sessions. A SIGNED_HUMAN party may relay AI-generated content within an authorized session. ATA records the human as the accountable authorizing party at session initiation. This is an explicit scope boundary: ATA establishes session-layer accountability, not per-message content authorship.
Cryptographic proof of provider identity beyond organizational certificate level. SIGNED_AI proves that a session was authorized by a hardware-bound endpoint holding a certificate issued to a verified organization. It does not prevent an adversary from obtaining a certificate for a similarly-named organization. Recipients SHOULD maintain pre-authorized provider certificate lists and treat certificate issuer mismatch as a policy signal, not a cryptographic proof of fraud.

ATA cryptographically guarantees:

Which attestation class authorized the session (SIGNED_HUMAN, SIGNED_AI, or UNSIGNED).
That the session was authorized by a hardware-bound credential at initiation time.
The organizational-level identity of the authorizing party.

ATA does NOT cryptographically guarantee:

Continuous presence of the authorizing party.
Per-message content authorship.
Provider identity beyond organizational certificate level.
Prevention of relay attacks within an authorized session.

Applicability Criteria ATA is applicable to a protocol when all three of the following conditions are satisfied simultaneously:

Real-time bidirectional channel: the protocol establishes a session in which both parties are present concurrently.
Pre-interaction authorization visibility: the recipient can act on authorization type information before or during the interaction, not solely after content delivery.
Authorizing party type is material: the type of authorizing party (human principal or AI provider instance) is relevant to the recipient's decision to engage.

If any condition is not satisfied, existing standards (C2PA, DKIM, S/MIME, GPG) address the use case more appropriately. See for explicit out-of-scope categories.

Threat Model ATA is intended to address three threat classes:

AI Impersonation of Human Principal An AI agent presents itself as a human in a real-time channel without cryptographic disclosure. Recipients cannot distinguish this without content analysis. ATA makes the authorization type available at session initiation, before content is received.

Undisclosed AI Interaction A human recipient engages with an AI agent without knowledge of its provider identity. No existing transport-layer standard requires cryptographic provider disclosure at session initiation. ATA provides this before content delivery.

Rogue Agent Injection in Pipeline An unaffiliated AI agent is injected into a multi-agent pipeline (MCP tool chain, A2A task delegation). Certificate issuer mismatch or UNSIGNED state is detectable at the point of injection without content analysis.

Authorization States ATA defines three authorization states as a minimal initial classification. This set is designed for extension and policy layering above the protocol level.

SIGNED_HUMAN: The channel was authorized by a human-controlled credential, cryptographically bound to a device via biometric attestation (FIDO2 + Secure Enclave). ATA does not prove continuous human presence; it attests that a human-controlled device credential authorized the session. Device certificates may additionally attest organizational affiliation. Authorization type is encoded at the organizational level, not the individual entity level.
SIGNED_AI: The channel was authorized by an AI provider instance, cryptographically bound to hardware via TPM or Confidential Computing attestation. The attestable unit is the provider's service endpoint on attested hardware. Provider accountability for model behavior is analogous to server operator accountability for application behavior in TLS deployments.
UNSIGNED: No ATA data is present. Legacy fallback. UNSIGNED is a defined state, not an error condition. Recipients determine their own policy for UNSIGNED sessions. ATA does not introduce a negative trust signal. The protocol only introduces positive attestations; UNSIGNED means the absence of proof, not the presence of risk.

Applicability

H2H - Mutual Authorization Attestation Both parties present SIGNED_HUMAN credentials. Certificate issuer identifies organizational affiliation. A party without organizational device infrastructure presents personal SIGNED_HUMAN or UNSIGNED; this distinction is available at session initiation without content analysis. Applicable to: legally and financially significant communications requiring session-layer audit trail.

H2AI - Verified AI Provider Identity A human initiates a session with a service presenting SIGNED_AI. The human can verify the provider certificate against known issuers. Certificate issuer mismatch is detectable without content analysis. Complements FIDO2 : ATA adds AI-side attestation where FIDO2 provides human-side attestation. Applicable to: client-facing AI services operated by regulated institutions.

AI2H - Disclosed AI Initiation An AI agent initiates a session. SIGNED_AI provides the recipient with cryptographic evidence of the AI provider before content delivery. No existing transport-layer standard addresses this scenario. This is the primary gap ATA targets. Scope boundary: ATA guarantees that an AI provider authorized the session initiation. It does not prevent a SIGNED_HUMAN party from relaying AI-generated content within an authorized session. Recipients requiring per-message content authorship guarantees should use C2PA in conjunction with ATA. Non-normative regulatory note: EU AI Act Article 52 requires disclosure that content is AI-generated. ATA can provide technical evidence of AI provider authorization at session initiation. Per-message content disclosure requires additional mechanisms (C2PA) beyond ATA scope. Applicable to: AI-operated services where the recipient needs to identify the authorizing party type before engaging. This case has fewer relay-related limitations in fully-automated AI2H scenarios where no human relay is present.

AI2AI - Agent Pipeline Attestation Multi-agent pipelines (MCP tool chains, A2A task delegation) produce a verifiable authorization chain across each hop. An agent without organizational certificate infrastructure produces certificate issuer mismatch or UNSIGNED at the point of entry, detectable without content analysis. Applicable to: multi-agent workflows requiring accountability logging and forensic auditability.

UNSIGNED - Legacy Compatibility Existing traffic continues to function. UNSIGNED is a defined state. Recipients determine their own policy.

Applicability to Agentic Protocols

Model Context Protocol (MCP) MCP defines agent-to-tool communication over HTTPS. The MCP security specification documents that OAuth 2.1 and PKCE establish token integrity but do not prove which AI provider instance initiated the request at the hardware level. ATA addresses this as a TLS extension beneath MCP. No MCP protocol changes required. The ATA handshake completes before any MCP messages are exchanged.

Agent2Agent Protocol (A2A) A2A defines agent-to-agent communication over HTTPS. Signed agent cards (A2A v1.0) establish card content integrity. ATA adds hardware-bound provider attestation at the TLS session layer, complementing signed cards. No A2A protocol changes required. An optional ATA field MAY be included in the A2A agent card to advertise ATA support. The authoritative attestation is the TLS-layer handshake.

Protocol-Agnostic Applicability MCP and A2A are current instances of a broader class. Any agentic protocol operating over TLS and satisfying criteria can adopt ATA without changes to the agentic protocol itself.

Protocol Operation ATA follows Control Plane / Data Plane separation: [EDITOR NOTE: Detailed ATA Extension Payload structure, TLS 1.3 ClientHello/ServerHello extension integration, and formal KDF specification (proposed: HKDF-SHA256, consistent with ) to be provided in draft-01.]

Phase 1 - Authorization Handshake (once per session) Transport: QUIC or TLS 1.3 extension (port 443). Human participant:

Device-bound biometric attestation (FIDO2 / Secure Enclave).
Generates symmetric session key.
Signed by biometric credential and hardware.

AI participant:

Hardware attestation (TPM / Confidential Computing).
Attestation expressed in EAT format .
Verified by RATS Verifier service.
Generates symmetric session key.
Signed by hardware attestation credential.

Result: Authorization type established; session key derived.

Phase 2 - Data Stream (per packet) Transport: UDP / QUIC data plane. Encryption: AES-GCM (AES-NI hardware acceleration). Integrity: MAC with session key from Phase 1. No additional per-packet round trip after session establishment. A packet with invalid MAC MUST be silently dropped.

Out of Scope

Asynchronous Delivery Email (SMTP/SMTPS), RSS/Atom, webhooks, and push notifications do not satisfy criterion (2). C2PA, DKIM, and S/MIME apply.

Non-Bidirectional Sessions DNS, NTP, CDN delivery, and multicast do not satisfy criterion (1). DNSSEC and equivalent standards apply.

Content Signing Code signing, package registries, and Git commits do not satisfy criterion (2) in the ATA sense. GPG and Authenticode apply.

Attestation Payload Format ATA attestation_payload uses Entity Attestation Token (EAT) format , consistent with IETF RATS architecture . Hardware-specific attestation evidence (Intel SGX, AMD SEV, ARM TrustZone, TPM) is expressed as EAT claims and verified by RATS Verifier services. Receiving parties verify the EAT token from a RATS Verifier rather than raw hardware evidence directly. This abstracts hardware vendor diversity from the ATA session layer and reuses existing RATS infrastructure. [EDITOR NOTE: Specific EAT claim set and RATS Verifier interaction model to be specified in draft-01.]

Trust Model ATA inherits the PKI trust model . The protocol provides cryptographic proof of authorization type at the session layer. Trust in the authorizing party is a reputational and legal concern outside protocol scope, consistent with TLS and FIDO2 . Certificate issuance follows existing CA/Browser Forum requirements. An AI provider endpoint certificate is issued to a verified organization on the same basis as a domain certificate. CA accountability for misissuance applies on the same basis as in existing PKI deployments. Authorization type is encoded at the organizational level. An authorized session produces verifiable session metadata.

Relation to Existing Standards

TLS 1.3: Authenticates server certificate. Does not indicate authorization type. ATA adds this encoding as a TLS extension.
mTLS: Mutual certificate authentication establishing workload identity. Does not encode human vs AI authorization type. ATA adds semantic type encoding above the mTLS identity layer.
FIDO2: Human-device binding. Human side only. ATA adds AI-side attestation and session-level type encoding. Composable.
SPIFFE/SPIRE: Workload identity for cloud and Kubernetes environments. Establishes infrastructure identity without human/AI semantic distinction. ATA operates as a semantic layer above SPIFFE-class identity.
OAuth 2.1: Authorization scope and token integrity. Permission layer. ATA is the attestation layer below. Composable.
RATS / EAT: Remote attestation architecture and token format. ATA attestation_payload uses EAT format. RATS Verifiers handle hardware-specific verification.
HTTP Message Signatures: HTTP-layer request signing. ATA operates at the TLS session layer. Different layers; composable.
MCP Authorization Specification: OAuth-based MCP client authorization for HTTP transports. Hardware-level AI provider attestation is not specified. ATA addresses this at the TLS layer without MCP changes.
A2A Protocol: Agent-to-agent communication. Signed agent cards (v1.0) establish card integrity. ATA adds session-layer hardware attestation. Composable.
C2PA: Content signing post-creation. Out of ATA scope per .
Certificate Transparency: Potential audit model for ATA AI provider attestation registries.

Scope Boundaries

Content Authorship ATA verifies who authorized the channel. Content authorship verification is outside scope.

Model Implementation Internal model architecture, weights, and implementation details are outside attestation scope, consistent with TLS not attesting to server application behavior.

Provider Trustworthiness SIGNED_AI proves a hardware-bound provider endpoint. Provider trustworthiness is a reputational concern outside protocol scope.

Physical Coercion Physical security of attesting devices is a precondition for all hardware attestation schemes. Outside protocol scope, consistent with FIDO2.

Security Considerations

Content Relay A SIGNED_HUMAN party may relay AI-generated content within an authorized session. The protocol records the human as the accountable authorizing party per . This is an intentional design boundary: the protocol establishes accountability at the session layer, not content authorship at the application layer. Continuous liveness attestation (periodic re-attestation within the data stream) is a proposed optional extension that raises the operational cost of sustained relay by requiring continuous physical presence at the attesting device. Specification deferred to a future draft.

TLS Middlebox Ossification Corporate firewalls and DPI proxies may drop connections with unknown TLS extension types on port 443. ATA defines three operational modes to address deployment constraints:

Mode A (preferred):: TLS ClientHello extension. Full ATA handshake at connection establishment. Optimal latency.
Mode B (fallback):: Post-TLS ATA handshake. ATA attestation exchanged as a separate message after TLS establishment. Compatible with middleboxes that drop unknown extensions. Adds one RTT.
Mode C (legacy):: UNSIGNED. No ATA attestation. Backward compatible with all existing infrastructure. Recipients apply their own policy.

GREASE-style extension probing and automatic fallback negotiation between Mode A and Mode B to be specified in draft-01.

Attestation Payload Size and Privacy EAT payloads may be several kilobytes when including certificate chains and attestation evidence. Large ClientHello extensions risk MTU fragmentation in QUIC Initial packets and additional RTT in TLS due to Initial Congestion Window constraints. Mitigations under consideration for draft-01:

Deferred attestation: ATA handshake as a post-TLS message, avoiding ClientHello size constraints.
TLS Encrypted ClientHello (ECH): ATA attestation_payload carried inside ECH, concealing organizational metadata from passive observers and reducing fragmentation risk.

EAT payloads additionally reveal organizational affiliation and infrastructure metadata. Depending on deployment mode, these identifiers are visible to the peer and may be visible to passive observers when not protected by ECH or an equivalent confidentiality mechanism. The protocol is intended to provide session accountability metadata, not per-message author identity or continuous presence tracking. Privacy-preserving options (selective disclosure, zero-knowledge proofs) to be explored in future drafts. The IETF Privacy Considerations guidelines apply.

Device Coercion Outside protocol scope per .

Attestation Registry Centralization AI provider endpoint attestation requires a registry of valid provider certificates. Certificate Transparency-style logging is one possible mitigation. Governance model to be defined in working group.

IANA Considerations URI scheme registrations to be requested upon working group formation and reference implementation availability. IANA assignment is a standardization milestone, not a prerequisite for experimental implementation.

httpsa://: ATA-attested HTTPS. Designator "a" denotes an ATA-attested channel. Follows precedent of https:// over http://.
wssa://: ATA-attested WebSocket Secure. Follows precedent of wss:// over ws://. Valid only as an explicit scheme; ATA via HTTP upgrade deferred to a future draft.

No known conflicts with the existing IANA URI scheme registry as of the date of this document.