ACP — Cryptographic admission control for autonomous agent actions (Ed25519, anti-replay, delegation chains)
I’ve been working on a formal security specification for governing autonomous agents — the threat model is: an agent that has compromised credentials, escalated capabilities, or a forged delegation chain should never reach system state mutation.

The security model:

- Identity: Ed25519 key pairs, RFC 8037 compliant. Every agent has a DID bound to an institutional root.
- Capability tokens: Scoped, time-bounded, signed by the issuing institution. Non-escalatable by design.
- Delegation chains: Multi-hop (human → agent → sub-agent → tool). Each hop signs the next. Non-escalation is a normative requirement — a delegatee cannot grant more than they hold.
- Anti-replay: Every execution request carries a nonce + timestamp window. Replayed tokens are rejected at the handshake layer.
- Execution tokens: Single-use, signed, bound to the specific action parameters. Reuse is detectable and rejected.
- Audit ledger: SHA-256 hash chains. Every admitted action produces an immutable record.

STRIDE coverage:

- Spoofing → Ed25519 identity binding
- Tampering → signed capability tokens + execution token binding
- Repudiation → immutable ledger with hash chains
- Information Disclosure → capability scoping (agents only see what their token authorizes)
- Elevation of Privilege → non-escalation requirement in delegation chain
- Denial of Service → risk scoring + policy thresholds before admission

The constitutional invariant:

Execute(request) ⟹ ValidIdentity ∧ ValidCapability ∧ ValidDelegationChain ∧ AcceptableRisk

What’s published:

- 36 spec documents, Go reference implementation (22 packages), 42 signed conformance test vectors with real Ed25519 + SHA-256
- Python SDK with drop-in patterns for LangChain, Pydantic AI, MCP

Paper (DOI): https://doi.org/10.5281/zenodo.19072332
Spec + implementation: https://github.com/chelof100/acp-framework-en
Website: https://agentcontrolprotocol.xyz

Happy to discuss the threat model, the non-escalation proofs, or the EUF-CMA argument for the token scheme.
submitted by /u/Ambitious-Leg-2179
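An added example, not part of the original post and not taken from the ACP reference implementation: Go code for the delegation-chain check the post describes, where each hop is signed with Ed25519 and a delegatee cannot grant more than it holds. The `Hop` layout, the payload encoding, the rule that the root may grant any scope, and the scope names are assumptions made for illustration; the chains in `Demo` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Hop is one delegation link. Hypothetical layout, not ACP's wire format.
type Hop struct {
	Issuer, Subject ed25519.PublicKey
	Scopes          []string
	Sig             []byte // Issuer's signature over payload()
}
// payload is the signed encoding; %q quotes each scope so lists cannot collide.
func (h Hop) payload() []byte { return []byte(fmt.Sprintf("%x|%x|%q", h.Issuer, h.Subject, h.Scopes)) }
// Delegate issues a hop signed by priv that grants scopes to subject.
func Delegate(priv ed25519.PrivateKey, subject ed25519.PublicKey, scopes ...string) Hop {
	h := Hop{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Scopes: scopes}
	h.Sig = ed25519.Sign(priv, h.payload())
	return h
}
// VerifyChain checks root binding, hop linkage, signatures and non-escalation.
func VerifyChain(root ed25519.PublicKey, chain []Hop) error {
	holder, held := root, map[string]bool(nil) // nil: assume the root may grant any scope
	for i, h := range chain {
		if !h.Issuer.Equal(holder) || len(h.Issuer) != ed25519.PublicKeySize || !ed25519.Verify(h.Issuer, h.payload(), h.Sig) {
			return fmt.Errorf("hop %d: issuer mismatch or bad signature", i)
		}
		next := map[string]bool{}
		for _, s := range h.Scopes {
			if held != nil && !held[s] {
				return fmt.Errorf("hop %d: escalation, scope %q not held by issuer", i, s)
			}
			next[s] = true
		}
		holder, held = h.Subject, next // the subject may delegate only what it received
	}
	return nil
}
func Demo() (valid, escalated, tampered error) { // constructed chains, fresh keys
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	agentPub, agentPriv, _ := ed25519.GenerateKey(nil)
	toolPub, _, _ := ed25519.GenerateKey(nil)
	h0 := Delegate(rootPriv, agentPub, "tickets:read", "tickets:write")
	valid = VerifyChain(rootPub, []Hop{h0, Delegate(agentPriv, toolPub, "tickets:read")})
	escalated = VerifyChain(rootPub, []Hop{h0, Delegate(agentPriv, toolPub, "payments:send")})
	h0.Scopes = []string{"tickets:read", "payments:send"} // edited after signing
	return valid, escalated, VerifyChain(rootPub, []Hop{h0})
}
func main() { fmt.Println(Demo()) }
```

Expiry, nonce tracking and binding of the execution token to action parameters are left out here; this block covers only the Elevation of Privilege row of the STRIDE list.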