Update MCP Security Whitepaper for 2026-07-28

[imolloy]

Summary

The MCP specification published its 2026-07-28 release candidate,
introducing significant architectural changes to the protocol. The WS4 white paper
and any associated guidance documents that reference MCP should be reviewed and
updated to accurately reflect the current specification.

Tasks

Protocol Architecture

• Update session model guidance — initialize/initialized handshake and
  Mcp-Session-Id are eliminated; client metadata now travels via _meta on every
  request. Review any security guidance around session establishment and sticky sessions.
• Update server-to-client request documentation — server-initiated requests are
  now restricted to occur only while the server is actively processing a client
  request; InputRequiredResult (Multi-Round-Trip Requests) replaces SSE streams.

Extensions Framework

• Add coverage of the formalized Extensions Framework — reverse-DNS identifiers,
  independent versioning, delegated maintainers, and the Extensions Track in the
  SEP process.
• Add or update guidance on the MCP Apps extension — server-rendered UIs
  delivered in sandboxed iframes, including security implications (sandboxing model,
  audit trail via JSON-RPC layer).
• Add or update guidance on the Tasks extension — graduated from experimental;
  covers tool-call-to-task-handle lifecycle, tasks/get, tasks/update,
  tasks/cancel.

Authorization & Security

• Update OAuth 2.0 / OIDC guidance to reflect the six SEP hardening changes:
  • Required iss parameter validation (RFC 9207)
  • application_type declaration in Dynamic Client Registration
  • Credential binding to issuing authorization servers
  • Refresh token and scope accumulation procedures

Operational Concerns

• Document Mcp-Method and Mcp-Name header semantics and their implications
  for routing, observability, and threat modeling.
• Add caching guidance — ttlMs / cacheScope response caching parameters and
  their security/privacy trade-offs.
• Update distributed tracing guidance to reference W3C Trace Context propagation
  as now formally specified.

Deprecations

• Update or remove guidance on Roots (deprecated; replaced by tool parameters
  or server configuration).
• Update or remove guidance on Sampling (deprecated; direct LLM provider API
  integration preferred).
• Update or remove guidance on Logging (deprecated; stderr or OpenTelemetry
  recommended). Note: twelve-month deprecation window applies.

Schema & Error Handling

• Update tool schema guidance to reflect full JSON Schema 2020-12 support
  (oneOf, anyOf, allOf, conditionals, $ref).
• Update error code references — missing resource error changes from -32002 to
  JSON-RPC standard -32602.

References

• MCP 2026-07-28 Release Candidate

[ragsvasan]

The T9 section ("Trust Boundary and Privilege Design Failures") states the right control objective — restricting LLM judgment for security-critical decisions — but the current text leaves it unoperationalized: no architectural pattern, no checklist, no way for a deployment to demonstrate it holds.

As part of the v2 update, I'd like to contribute a proposed augmentation to the T9 mitigation guidance: a three-layer pattern (execution-authority separation, external loop termination, extraction governance) with a 19-item binary compliance checklist and a full mapping across all twelve MCP threat categories.

Draft and T1–T12 mapping: https://github.com/ragsvasan/agent-dreaming/blob/main/cosai/WS4_contribution.md
Full pattern spec: https://github.com/ragsvasan/agent-dreaming/blob/main/WHITEPAPER.md

This is not entirely new, two of the three layers codify existing consensus (AWS Well-Architected, NeMo Guardrails/AgentSpec). The new element is an upstream pre-classifier admission gate — a "separated rejector" in the Hendrickx et al. sense — that decides whether an input is admissible for classification at all, on an external pre-committed criterion rather than the model's own confidence. The composition claim (all three must be present; any two leave the third failure mode open) is the main contribution.