You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
`@adcp/sdk` shipped `signResponse` + `verifyResponseSignature` for RFC 9421 §2.2.9 response signing (adcontextprotocol/adcp-client#1823 + #1832), using `tag=adcp/response-signing/v1` parallel to the existing `adcp/request-signing/v1` and `adcp/webhook-signing/v1` tags. The SDK is coining the tag string; the spec hasn't blessed it.
Risk: another SDK implementor reads RFC 9421 §2.2.9 plus the existing AdCP tag pattern and independently picks `adcp/response-signing/v1` (same string, fine) — OR picks `adcp/signed-response/v1` / `adcp/response/v1` / no AdCP-namespaced tag at all. The wire incompat is a stable interop bug for years.
Proposed change
1-paragraph addition to `security.mdx` reserving the tag alongside the existing request-signing and webhook-signing tag definitions. Decoupled from the broader "should AdCP mandate response signing" question — reservation is just naming, not mandate.
Suggested text:
Response signing
RFC 9421 §2.2.9 response-signing context. When a server emits signed responses, the signature MUST carry `tag="adcp/response-signing/v1"`. The default covered components are `@status`, `@authority`, `@target-uri`, plus `content-type` and `content-digest` when the response carries a body. The originating request's URL (specifically its authority and target-uri) is bound to the signature so a compromised origin cannot cross-sign for sibling tenants on the same fleet.
The signing key's JWK MUST declare `adcp_use: "response-signing"` per the AdCP step-8 purpose-binding check. Whether servers MUST sign responses for any specific operation is a separate normative discussion — this section reserves the wire vocabulary.
Out of scope
Mandating response signing for any operation (separate spec PR, parallel to the request-signing mandate discussion).
Defining `verifyResponseSignature` behavior (already shipped in adcontextprotocol/adcp-client).
1-paragraph spec PR that reserves `adcp/response-signing/v1`, names `RESPONSE_MANDATORY_COMPONENTS`, and adds `response-signing` to the documented `adcp_use` enum.
Gap
`@adcp/sdk` shipped `signResponse` + `verifyResponseSignature` for RFC 9421 §2.2.9 response signing (adcontextprotocol/adcp-client#1823 + #1832), using `tag=adcp/response-signing/v1` parallel to the existing `adcp/request-signing/v1` and `adcp/webhook-signing/v1` tags. The SDK is coining the tag string; the spec hasn't blessed it.
Risk: another SDK implementor reads RFC 9421 §2.2.9 plus the existing AdCP tag pattern and independently picks `adcp/response-signing/v1` (same string, fine) — OR picks `adcp/signed-response/v1` / `adcp/response/v1` / no AdCP-namespaced tag at all. The wire incompat is a stable interop bug for years.
Proposed change
1-paragraph addition to `security.mdx` reserving the tag alongside the existing request-signing and webhook-signing tag definitions. Decoupled from the broader "should AdCP mandate response signing" question — reservation is just naming, not mandate.
Suggested text:
Out of scope
Acceptance
1-paragraph spec PR that reserves `adcp/response-signing/v1`, names `RESPONSE_MANDATORY_COMPONENTS`, and adds `response-signing` to the documented `adcp_use` enum.
Filed from adcontextprotocol/adcp-client#1823 protocol expert review (cross-references issue #1829 in that repo).