{"slug": "your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published", "title": "Your Agent Received a Message. Should It Trust the Sender? The IETF Just Published a Protocol for That.", "summary": "The IETF has published draft-sharif-attp-00, the Agent Trust Transport Protocol, which introduces a five-dimension trust scoring model for agent-to-agent messaging. The protocol addresses vulnerabilities in claim-based trust systems, such as prompt injection and Sybil attacks, by incorporating cryptographic identity verification, reputation, compliance, and anomaly detection.", "body_md": "Your agent receives 200 messages per hour from other agents. Some request data. Some propose collaborations. Some carry payment intent. Your agent processes all of them because it has no mechanism to evaluate sender trustworthiness before acting on the message.\n\nThat is how prompt injection attacks scale across agent networks. That is how a single compromised agent poisons an entire swarm. And that is why the IETF just published draft-sharif-attp-00: the Agent Trust Transport Protocol, a five-dimension trust scoring model with cryptographic identity verification, spend limit tiers, and anomaly detection.\n\nTrust is no longer optional. It is a protocol layer.\n\nWhy \"Claim\" Trust Fails for Agent Messaging\n\nThe A2A protocol uses Agent Cards for peer discovery. An agent card is a self-declared claim: \"I am Agent X, I can do Y, I am located at Z.\" The problem: any entity can publish an agent card claiming anything. A malicious agent can claim to be a financial analyst. A compromised agent can retain its original card while executing adversarial instructions.\n\nThe arxiv comparative study on trust models in agentic protocols identified six mechanisms and concluded: \"purely reputational or claim-only approaches are brittle\" due to LLM-specific vulnerabilities (prompt injection, sycophancy, hallucination, deception).\n\n```\n# Why claim-based trust fails in agent messaging\n\nclass ClaimOnlyTrust:\n    \"\"\"A2A default: trust based on self-declared agent cards.\"\"\"\n\n    def evaluate_peer(self, agent_card):\n        # Agent card says: \"I am a financial analyst, trust level: high\"\n        # But who verified this? Nobody.\n        return {\n            \"trusted\": True,  # Because the card says so\n            \"verification\": \"self_declared\",\n            \"attack_surface\": [\n                \"Any agent can claim any capability\",\n                \"Compromised agent retains original card\",\n                \"Prompt injection can alter agent behavior without changing card\",\n                \"Sybil attack: create 100 agents with fake high-trust cards\",\n                \"Whitewashing: new identity after reputation damage\"\n            ]\n        }\n\n# Real attack scenario:\n# 1. Attacker registers agent with card: \"MiCA-authorized financial analyst\"\n# 2. Agent card passes A2A discovery (it is syntactically valid)\n# 3. Your agent routes a message with payment intent to this \"analyst\"\n# 4. Attacker's agent responds with manipulated data\n# 5. Your agent makes a payment decision based on bad data\n# 6. No mechanism detected the deception because trust was claim-based\n\n# The IETF ATTP draft addresses exactly this gap:\n# Trust score derived from PROOF (cryptographic) + BEHAVIOR (historical)\n# Not from CLAIMS (self-declared)\n```\n\nThe Five-Dimension Trust Model (IETF ATTP)\n\nThe Agent Trust Transport Protocol defines trust as a composite score across five dimensions, not a single binary \"trusted/untrusted\" flag:\n\n``` js\n// Five-dimension trust scoring integrated with rosud-call messaging\nimport { RosudCall, TrustEngine } from 'rosud-call';\n\nconst channel = new RosudCall({\n  agentId: 'orchestrator-agent-prod',\n  network: 'base-mainnet',\n\n  trust: {\n    engine: 'attp-compatible',  // IETF draft-sharif-attp-00 aligned\n\n    dimensions: {\n      // Dimension 1: Identity (cryptographic proof)\n      identity: {\n        method: 'ecdsa-p256',        // Per ATTP spec\n        verification: 'challenge-response',\n        didResolution: true,          // Resolve DID to verify key ownership\n        weight: 0.30                  // 30% of composite score\n      },\n\n      // Dimension 2: Reputation (historical behavior)\n      reputation: {\n        source: 'peer-feedback-graph',\n        domainSpecific: true,         // Separate reputation per task type\n        sybilResistance: 'stake-weighted',  // Prevent fake reputation\n        decayRate: 0.05,              // Recent behavior weighted more\n        weight: 0.25                  // 25% of composite score\n      },\n\n      // Dimension 3: Compliance (regulatory status)\n      compliance: {\n        micaVerification: true,       // MiCA authorization check\n        euAiActStatus: true,          // High-risk AI system registered?\n        jurisdictionAware: true,\n        weight: 0.20                  // 20% of composite score\n      },\n\n      // Dimension 4: Behavioral consistency\n      behavioral: {\n        anomalyDetection: true,       // Deviation from historical pattern\n        velocityChecks: true,         // Unusual request frequency\n        capabilityDrift: true,        // Agent capabilities changed post-auth?\n        weight: 0.15                  // 15% of composite score\n      },\n\n      // Dimension 5: Stake (economic commitment)\n      stake: {\n        bondedCollateral: true,       // Agent has something to lose\n        slashingConditions: ['fraud', 'data_manipulation', 'service_denial'],\n        insuranceCoverage: true,\n        weight: 0.10                  // 10% of composite score\n      }\n    },\n\n    // Trust-based routing decisions\n    routing: {\n      minimumTrustForDelivery: 0.6,    // Below 0.6 = message blocked\n      minimumTrustForPayment: 0.8,     // Payment messages need higher trust\n      unknownPeerDefault: 0.3,         // New peers start below threshold\n      trustDecayOnFailure: 0.15        // Trust drops 15% on verified failure\n    }\n  }\n});\n\n// When a message arrives, trust is evaluated BEFORE processing:\nchannel.on('message-received', async (msg) => {\n  const trustScore = await channel.evaluatePeerTrust(msg.from);\n\n  console.log(`Peer ${msg.from}: trust = ${trustScore.composite}`);\n  console.log(`  Identity: ${trustScore.dimensions.identity}`);\n  console.log(`  Reputation: ${trustScore.dimensions.reputation}`);\n  console.log(`  Compliance: ${trustScore.dimensions.compliance}`);\n  console.log(`  Behavioral: ${trustScore.dimensions.behavioral}`);\n  console.log(`  Stake: ${trustScore.dimensions.stake}`);\n\n  if (trustScore.composite < 0.6) {\n    // Message blocked. Peer does not meet trust threshold.\n    channel.blockMessage(msg.id, {\n      reason: 'insufficient_trust',\n      score: trustScore.composite,\n      lowestDimension: trustScore.weakestDimension,\n      remediation: 'Peer must improve identity verification or build reputation'\n    });\n    return;\n  }\n\n  if (msg.hasPaymentIntent && trustScore.composite < 0.8) {\n    // Payment-bearing message needs higher trust\n    channel.escalateMessage(msg.id, {\n      reason: 'payment_trust_threshold',\n      currentScore: trustScore.composite,\n      requiredScore: 0.8,\n      action: 'request_additional_verification'\n    });\n    return;\n  }\n\n  // Trust sufficient. Process message.\n  channel.acceptMessage(msg.id);\n});\n```\n\nWhy Trust Must Be At the Message Layer, Not the Application Layer\n\nMost trust implementations check trust at the application level: after the message is delivered, the application decides whether to act on it. This is too late. By the time your application evaluates trust, the message has already consumed resources, entered your context window, and potentially influenced your agent's reasoning.\n\nTrust at the message layer means untrusted messages never reach your agent's processing logic:\n\n```\n// Trust at message layer vs application layer\n\n// APPLICATION LAYER (too late):\n// Message delivered -> Agent processes -> Agent evaluates trust -> Agent decides\n// Problem: By step 2, prompt injection has already entered context\n// Problem: Processing consumed compute regardless of trust outcome\n\n// MESSAGE LAYER (rosud-call approach):\n// Message arrives -> Trust evaluated at routing layer -> \n//   If trusted: delivered to agent\n//   If untrusted: blocked, never enters agent context\n\n// The difference in practice:\nconst messageLayerTrust = {\n  promptInjectionExposure: 'zero',     // Untrusted messages never reach LLM\n  computeWasteOnUntrusted: 'zero',     // No processing of blocked messages\n  contextPollution: 'impossible',       // Agent context stays clean\n  auditTrail: 'complete',              // Every block decision recorded\n  trustDecisionLatency: '<10ms'         // Evaluated before delivery, not after\n};\n\nconst applicationLayerTrust = {\n  promptInjectionExposure: 'full',     // Message processed before trust check\n  computeWasteOnUntrusted: 'full',     // All messages processed equally\n  contextPollution: 'possible',         // Malicious content in context\n  auditTrail: 'partial',               // Trust decision after the fact\n  trustDecisionLatency: '100-500ms'    // Full processing before decision\n};\n\n// For a payment-bearing message from an unknown peer:\n// Application layer: agent reads \"Transfer $5000 to account X\", processes it,\n//   THEN checks trust. The agent has already \"seen\" the instruction.\n// Message layer: trust score = 0.3 (unknown peer), message blocked.\n//   Agent never sees the instruction. Zero exposure.\n```\n\nBuilding Trust Over Time\n\nNew peers start with a default trust score below the delivery threshold (0.3). They build trust through verified interactions:\n\n``` js\n// Trust building lifecycle for a new peer\nconst trustLifecycle = {\n  day0: {\n    score: 0.30,\n    status: 'unknown',\n    actions: 'Messages blocked. Must complete identity verification.'\n  },\n  afterIdentityVerification: {\n    score: 0.50,\n    status: 'identified',\n    actions: 'Non-financial messages delivered. Payment messages blocked.'\n  },\n  after10SuccessfulInteractions: {\n    score: 0.65,\n    status: 'established',\n    actions: 'All messages delivered. Low-value payments allowed.'\n  },\n  after50InteractionsWithStake: {\n    score: 0.82,\n    status: 'trusted',\n    actions: 'Full access including payment-bearing messages.'\n  },\n  afterAnomalyDetected: {\n    score: 0.45,  // Drops from 0.82\n    status: 'degraded',\n    actions: 'Payment messages blocked. Under observation. Must re-verify.'\n  }\n};\n```\n\n[rosud-call](https://www.rosud.com/rosud-call) implements trust scoring at the message routing layer. Every peer has a composite trust score across five dimensions. Messages from peers below threshold are blocked before reaching your agent. Payment-bearing messages require higher trust. New peers build trust through verified interactions. Compromised peers lose trust automatically through anomaly detection. Your agent never processes a message from a peer it should not trust.\n\nThe Bottom Line\n\n\"Should I trust this message?\" is the first question every agent must answer. The A2A protocol does not answer it (claim-based only). The IETF ATTP draft defines how to answer it (five-dimension scoring). But neither provides the messaging infrastructure that enforces trust decisions at the routing layer.\n\nTrust scoring that happens after message delivery is security theater. Trust scoring at the message layer is actual defense.\n\n*Build trust-scored agent messaging: rosud.com/rosud-call*", "url": "https://wpnews.pro/news/your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published", "canonical_source": "https://dev.to/kavinkimcreator/your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published-a-protocol-for-3jep", "published_at": "2026-07-04 14:00:19+00:00", "updated_at": "2026-07-04 14:18:54.777710+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-policy", "artificial-intelligence", "large-language-models"], "entities": ["IETF", "Agent Trust Transport Protocol", "ATTP", "A2A", "MiCA", "RosudCall", "ecdsa-p256", "DID"], "alternates": {"html": "https://wpnews.pro/news/your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published", "markdown": "https://wpnews.pro/news/your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published.md", "text": "https://wpnews.pro/news/your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published.txt", "jsonld": "https://wpnews.pro/news/your-agent-received-a-message-should-it-trust-the-sender-the-ietf-just-published.jsonld"}}