The A2A Protocol — Agent-to-Agent Communication Security
B6 introduced inter-agent trust. This deep-dive goes deep on the A2A protocol that makes inter-agent communication real — and the attack surface it creates. The Agent Card, the Task lifecycle, signed JSON-RPC payloads: every B6 attack now targets a concrete protocol artifact.
A2A is a transport and coordination protocol, not a security protocol. It defines how agents talk; it does not guarantee who is talking, that the message is intact, or that the message is fresh. The Agent Card's `authentication` field declares what scheme the agent expects (OAuth2, API key, mTLS); it does not perform the authentication. The places implementers skimp — payload signing, delegation-depth limits, Agent Card integrity, push-notification endpoint auth — are exactly where the attacker enters.
The four core threats (impersonation, task hijacking, tampering, replay) are the concrete protocol-level realization of B6's abstract attacks. The forged orchestrator message from B6 is now a forged `message/send` JSON-RPC call. The unauthenticated peer is now an Agent Card whose `authentication` field was not validated. The replay is now a captured `tasks/pushNotification/set` registration replayed to redirect task results to an attacker's webhook. The cascade is now a multi-hop delegation chain.
Every defense that defeats each threat is a B5/B6 control applied at the A2A boundary — no new primitives. HMAC payload signatures (B6), nonces and timestamps with freshness windows (B6), scoped credentials (B5), caller-bound authorization on state-mutating calls (B5/B6), attenuated capability tokens with max-delegation-depth (B5/B6). The same controls B6 built for the abstract message channel, now scoped to A2A artifacts.
Delegation-chain attenuation is the cascade-bounding control. Over-propagation gives a compromised leaf agent the orchestrator's full authority. Attenuated capability tokens — each hop mints a strictly weaker token authorizing only a specific method on a specific Task, with a max-depth that decreases at each hop — bound the leaf's compromise to the task it was minted for. This is B5's scoped credential and B6's blast-radius cap, applied inter-agent.