Deep-Dive SDD-B13 — The A2A Protocol

The A2A Protocol — Agent-to-Agent Communication Security

B6 introduced inter-agent trust in the abstract. This deep-dive goes deep on the A2A protocol that makes inter-agent communication real — and the attack surface it creates. The Agent Card, the Task lifecycle, signed JSON-RPC payloads: every B6 attack now targets a concrete protocol artifact.

45
minutes
8
artifacts
3
sub-sections

A2A is a transport and coordination protocol, not a security protocol. It defines how agents talk; it does not guarantee who is talking, that the message is intact, or that the message is fresh. The authentication, integrity, freshness, and authorization are the implementer's responsibility, layered on top — and the places implementers skimp are exactly where the attacker enters.

Learning objectives

01
Describe the A2A specification — Agent Cards, Task lifecycle, Messages, Artifacts, JSON-RPC methods — as a concrete attack surface.
02
Explain the A2A trust model: how agents authenticate to each other, how delegation chains propagate (and over-propagate) authority, and where the protocol is silent.
03
Identify the four core security threats — agent impersonation, task hijacking, message tampering, replay — and map each to its B6 control and A2A-specific fix.
04
Articulate the precise relationship between MCP (agent-to-tool) and A2A (agent-to-agent), and why the boundary between them is an attack surface.
05
Evaluate the four orchestration architectures (orchestrator-worker, peer-to-peer, hierarchical, market-based) for cascade blast radius, and design authorization that bounds propagation.

Load-bearing claims

A2A is a transport protocol, not a security protocol

A2A defines how agents talk. It does not guarantee who is talking, that the message is intact, or that the message is fresh. The security is the implementer's responsibility, layered on top. The Agent Card's authentication field declares what scheme the agent expects; it does not perform the authentication. The places implementers skimp — payload signing, delegation-depth limits, Agent Card integrity, push-notification endpoint auth — are exactly where the attacker enters.

The four core threats are the protocol-level realization of B6's abstract attacks

The forged orchestrator message from B6 is now a forged message/send JSON-RPC call. The unauthenticated peer is now an Agent Card whose authentication field was not validated. The replay is now a captured tasks/pushNotification/set registration replayed to redirect results. The cascade is now a multi-hop delegation chain. B6 named the attacks in the abstract; A2A names the protocol artifacts.

Every defense is a B5/B6 control applied at the A2A boundary

No new primitives. HMAC payload signatures (B6), nonces and timestamps (B6), scoped credentials (B5), caller-bound authorization (B5/B6), attenuated capability tokens (B5/B6). The same controls B6 built for the abstract message channel, now scoped to A2A artifacts. The Task ID is a natural scope boundary; the Agent Card is a natural identity artifact; the JSON-RPC envelope is a natural payload to sign.

Delegation-chain attenuation is the cascade-bounding control

Over-propagation gives a compromised leaf the root's full authority. Attenuated capability tokens — each hop mints a strictly weaker token — bound the leaf's compromise to the task it was minted for. This is B5's scoped credential and B6's blast-radius cap, applied inter-agent. A2A makes it enforceable because the Task ID is a natural scope boundary.

Artifacts