research(security): AgentRFC — 6-layer agent protocol security model + conformance checker, 11 formalized principles (arXiv:2603.23801) #2509
Description
Source
arXiv:2603.23801 — AgentRFC: Security Design Principles and Conformance Testing for Agent Protocols (March 24, 2026)
Summary
Develops a 6-layer architectural model for agent protocols (transport, session, identity, authorization, execution, audit) and derives 11 formalized security principles applicable across MCP, A2A, and ACP. Introduces AgentConform, an automated conformance checker that identifies cross-protocol design gaps — specifically:
- Incomplete credential lifecycle in MCP
- Missing audit completeness guarantees in A2A
- Weak session binding in ACP stdio transport
Results: critical conformance gaps were found in all three major protocols when they were evaluated against the 11-principle model.
Relevance to Zeph
Zeph implements MCP client (zeph-mcp), A2A (zeph-a2a), and ACP (zeph-acp). The 11 security principles provide a concrete checklist against which all three transport stacks can be audited.
Current gap: no formal security conformance analysis exists for Zeph's protocol implementations. Issues #2496, #2497 cover specific MCP/A2A threats; this paper provides the overarching framework to systematically audit all protocol layers.
Implementation sketch
- Map Zeph's MCP/A2A/ACP implementations against the 6-layer model — identify which layers are absent or partially implemented
- Apply the 11 principles as a security checklist (can be done without implementing AgentConform)
- File targeted issues for any violations found
- Consider contributing Zeph's test cases to AgentConform once the tool is open-sourced
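As an added illustration of the checklist approach sketched above (not code from Zeph, AgentRFC or AgentConform), here is a minimal Python audit harness: a layer-coverage check over the paper's six layers plus three checks modeled on the three gaps named in the summary. The layer names come from the paper; the control names (issue/rotate/revoke, peer_id, event_id) and the sample stack are assumptions.

```python
from dataclasses import dataclass, field

# The six layers of the AgentRFC model, in the order the paper lists them.
LAYERS = ("transport", "session", "identity", "authorization", "execution", "audit")

@dataclass
class ProtocolProfile:
    # One protocol stack: each implemented layer maps to the set of controls it provides;
    # a layer that is not a key counts as absent. Control names are assumptions, not AgentRFC's.
    name: str
    layers: dict[str, set[str]] = field(default_factory=dict)

def missing_layers(profile: ProtocolProfile) -> list[str]:
    # Layer coverage: which of the six layers are absent entirely.
    return [layer for layer in LAYERS if layer not in profile.layers]

def credential_lifecycle_gaps(profile: ProtocolProfile) -> list[str]:
    # Modeled on the MCP finding: the identity layer must be able to issue,
    # rotate and revoke credentials, or the lifecycle is incomplete.
    required = {"issue", "rotate", "revoke"}
    return sorted(required - profile.layers.get("identity", set()))

def unaudited_executions(exec_events: list[dict], audit_records: list[dict]) -> list[str]:
    # Modeled on the A2A finding: every execution event needs a matching audit record.
    audited = {record["event_id"] for record in audit_records}
    return [event["id"] for event in exec_events if event["id"] not in audited]

def unbound_sessions(sessions: list[dict]) -> list[str]:
    # Modeled on the ACP stdio finding: a session id alone is weak binding;
    # flag sessions carrying no authenticated peer identity.
    return [s["id"] for s in sessions if not s.get("peer_id")]

def run_checklist(profile, exec_events, audit_records, sessions) -> dict[str, list[str]]:
    # Run every check and keep only the non-empty findings, keyed by check name.
    results = {
        "missing_layers": missing_layers(profile),
        "credential_lifecycle": credential_lifecycle_gaps(profile),
        "unaudited_executions": unaudited_executions(exec_events, audit_records),
        "unbound_sessions": unbound_sessions(sessions),
    }
    return {name: finding for name, finding in results.items() if finding}

# Constructed sample input for a hypothetical stdio stack (not any real Zeph crate).
SAMPLE_PROFILE = ProtocolProfile("example-stdio-stack", {
    "transport": {"stdio"}, "session": {"session_id"}, "identity": {"issue"},  # no rotate/revoke
    "authorization": {"tool_scope"}, "execution": {"tool_call"}})              # audit layer absent
SAMPLE_EXEC_EVENTS = [{"id": "e1"}, {"id": "e2"}, {"id": "e3"}]
SAMPLE_AUDIT_RECORDS = [{"event_id": "e1"}, {"event_id": "e2"}]
SAMPLE_SESSIONS = [{"id": "s1", "peer_id": "agent-a"}, {"id": "s2"}]
```

Calling `run_checklist(SAMPLE_PROFILE, SAMPLE_EXEC_EVENTS, SAMPLE_AUDIT_RECORDS, SAMPLE_SESSIONS)` reports the absent audit layer, the missing rotate/revoke controls, the unaudited event `e3` and the unbound session `s2`; a fully covered profile with empty event and session lists yields no findings.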
Relation to existing issues
- research(security): MCP/A2A protocol threat modeling — shadowing attacks, privilege escalation, coarse-grained tokens (arXiv:2602.11327) #2496 (MCP/A2A threat modeling): complementary; #2496 covers specific attacks, AgentRFC provides the systematic framework
- research(security): SMCP — formal security hardening for MCP lifecycle (tool poisoning, stolen credentials, privilege escalation) (arXiv:2602.01129) #2497 (SMCP hardening) — both address MCP security; AgentRFC is broader (all protocols)
- research(security): AIP — Invocation-Bound Capability Tokens for verifiable agent delegation across MCP and A2A #2504 (AIP delegation tokens) — AIP would satisfy several of the 11 principles (identity, delegation layers)