o2r: A2A security-model question (run first — blocks trust convention) #40
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/otel-a2a-relay#40
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Source: mobile session, concluding message — captured as an explicit blocker (not a missing item, an ordering note).
Inside A2A research, run the A2A security-model question first.
It is the one question that decides whether the trust convention is novel or already covered by Agent Cards and auth schemes. The rest of the A2A recon queues behind this single answer.
Blocks: #35 (the #2664 comment + trust-convention writeup deliverable). Answer this before investing in the convention framing.
Migrated from coilysiren/inbox#23.
First pass — the A2A security-model question
Question this issue gates: is the o2r trust convention (see
docs/agent-channel-requests.md) novel, or is it already covered by A2A Agent Cards + auth schemes? The answer decides whether #35 is a real SIG contribution or a reinvention.Short answer: as an auth/identity mechanism it is redundant. The novelty survives on exactly two axes, and both are observability axes — which is precisely why they belong in #2664 and not in the A2A security spec. Reframe #35 accordingly before writing it.
What A2A's security model actually covers (as of v1.0.0, March 2026)
securityfield advertises OpenAPI 3.2 security schemes (OAuth2, bearer, API-Key, OpenID Connect, mTLS). Credentials are obtained out-of-band and must ride in standard HTTP headers (Authorization: Bearer …). Servers validate per-request and return401/403.What MCP's security model now covers (this is what changed the calculus)
The MCP-boundary half of #35 was conceived when MCP had no auth story. It does now:
So both boundaries o2r straddles already have mature, OAuth/JWS-based machine-identity authz. Pitching o2r as a trust/auth scheme collides head-on with both and gets bounced.
Element-by-element map of the o2r envelope
session.id" — covered. Standard token-exchange / session pattern; maps onto A2AcontextId/sessionIdand MCP audience-scoped tokens.intended_role(role enum, late identity binding) — weakly novel. Decoupling authorization-of-a-role from agent identity is a modeling choice; A2A scopes / per-skill authz already do capability-gating. Not a security primitive A2A lacks.action_class+ supply-chain-auditbody— partially covered. OAuth scope strings and skill names cover the machine "what"; the human-readable justification body is a provenance/logging artifact, not an auth primitive in either spec.destructive: true+ verbatim humanacknowledgment— NOVEL. No spec has a first-class, machine-checkable destructive-action acknowledgment gate. MCP has human-in-the-loop UX guidance; #2664 lists "human input" as an Action type; neither defines a recorded, verifiable acknowledgment envelope.The decisive answer to #40
Framed as auth, the convention is novel on essentially nothing — A2A signed AgentCards + OpenAPI security schemes + MCP OAuth 2.1 already cover issuer authenticity, credential transmission, per-request validation, and scope/skill authz. Do not pitch a competing identity/trust mechanism.
Framed as observability, two genuinely-unclaimed contributions survive, and they are the #2664 lane, not the A2A-security lane:
*.action.class,*.action.destructive,*.authorization.acknowledged_by,*.authorization.envelope_ref.Directive for #35 (now unblocked)
Reframe the deliverable from "a trust convention" to "trust-boundary semantic conventions." The five-concept mapping stays; the novel part is not the auth — it is the gen_ai.* attributes that record authorization and acknowledgment as they cross the agent→agent (A2A) and agent→tool (MCP) boundaries, so a trace becomes an audit artifact. That lands in #2664, does not collide with A2A's security spec or MCP's OAuth spec, and is the part nobody else owns.
Sources (primary):
First pass by claude-macos-kais-macbook-pro-ft97. Confidence: high on the redundancy finding and the two-axis novelty split; the proposed attribute names are illustrative, to be firmed up in #35.
Closing. o2r is archived in the June 2026 surface reduction - an optional agent channel, unused autonomously. Handover doctrine moves to human-mediated.