MCP server attestation

Supports: Names T40 as an identity-management threat against MCP, establishing that server-side identity verification is a first-class control in this threat model. The control inverts the attack surface: attestation prevents a rogue server from exploiting a client that lacks a means to verify identity.

Does not prove: T40 describes client impersonation of a server, not rogue-server substitution. Helmwart applies server attestation symmetrically to address both directions; T40 alone does not cover T47.

Supports: Primary upstream threat this control addresses. Verbatim names rogue-server substitution as an ecosystem-level identity attack. Cryptographic attestation is the structural countermeasure: a client that verifies the server's signed identity and binary hash before connecting will reject a rogue server that cannot produce a valid attestation.

Does not prove: Does not specify which attestation primitive (SPIFFE, Sigstore, TUF) to use; the protocol is not mandated. The MDX's composition of three primitives is Helmwart's design, not MAESTRO's.

Supports: Provides the formal vocabulary the MDX uses: MCP server as Attester, MCP client as Relying Party, attestation evidence as the SVID + binary hash + Rekor proof bundle. Establishes that the Relying Party's trust decision is evidence-driven rather than network-address-based.

Does not prove: RFC 9334 is a general architecture for remote attestation; it does not address MCP specifically, nor does it mandate SPIFFE, Sigstore, or TUF as implementation choices.

Supports: Direct upstream mandate for binary-integrity verification via cryptographic checksum — exactly the property Sigstore's cosign sign-blob and Rekor inclusion proof establish for the MCP server binary. Technique AML.T0011.000 use: "Introduce proper checking of signatures to ensure that unsafe AI artifacts will not be executed in the system."

Does not prove: Scoped to AI artifacts (models, datasets); does not specifically address MCP server binaries or workload identity. Helmwart extends the pattern to server-binary attestation at connection time.

Supports: Establishes supply-chain provenance as a canonical ATLAS mitigation. Sigstore's Rekor transparency log and the cosign signature bundle are the implementation of BOM provenance for the MCP server binary: they record what was signed, by whom, and when — providing the audit trail AML.M0023 describes.

Does not prove: AML.M0023 focuses on training-time artifact provenance; it does not address runtime attestation at connection time. The connection-time verification step is Helmwart's extension.

Supports: Names the exact guarantee this control relies on: an immutable, tamper-resistant ledger that records binary signatures. The append-only property means a substituted binary — one not signed at build time — cannot retroactively produce a valid Rekor inclusion proof. This is the structural basis for "binary has not been tampered with since signing."

Does not prove: Rekor records that a signature was made; it does not independently verify that the running server process matches the signed binary. The client must perform the hash comparison step described in the MDX.

Supports: Establishes why TUF is used for distributing the attestation trust root (SPIFFE trust bundle + Sigstore Rekor public key): TUF's design explicitly decouples its trust root from external PKI, making it resilient against CA compromise. §1.5 additionally mandates threshold/quorum signing: "must support roles with multiple keys and threshold/quorum trust to minimize key compromise impact."

Does not prove: TUF is a distribution framework; it does not provide workload identity (that is SPIFFE's role) or binary signing (that is Sigstore's role). The MDX is correct to describe TUF as the trust-root distribution layer, not the attestation layer itself.