Skip to main content

Overview

The Problem: When agents communicate, how do you know they are who they claim to be? How do you prevent man-in-the-middle attacks? The Solution: Mutual TLS (mTLS) - Both client and server authenticate each other using certificates, not just passwords or API keys.

Why mTLS?

Traditional Auth (API Keys):
  • ❌ Keys can be stolen or leaked
  • ❌ No cryptographic proof of identity
  • ❌ Difficult to rotate
  • ❌ No protection against MITM attacks
mTLS (Certificate-Based):
  • ✅ Cryptographic proof of identity
  • ✅ Automatic encryption
  • ✅ Protection against MITM attacks
  • ✅ Certificate rotation built-in
  • ✅ Works at the transport layer

How It Works

Agent A wants to talk to Agent B:

1. Agent A presents its certificate
2. Agent B verifies A's certificate
3. Agent B presents its certificate
4. Agent A verifies B's certificate
5. ✅ Both authenticated, encrypted connection established

Use Cases

Agent-to-Agent Communication - Secure A2A protocol messages
Enterprise Deployments - Meet security compliance requirements
Multi-Tenant Platforms - Isolate tenant agents
Production Environments - Zero-trust architecture

Integration Plan

Phase 1: Certificate Infrastructure

Using Third-Party Certificate Authorities:
  • Support for Let’s Encrypt, AWS Certificate Manager, HashiCorp Vault
  • Integration with existing enterprise PKI
  • Automatic certificate provisioning
  • Certificate storage and rotation
  • Revocation list management
We won’t build our own CA—we’ll integrate with proven third-party solutions.

Phase 2: Bindu Integration

Example 1: Using Let’s Encrypt 
from bindu import bindufy

config = {
    "security": {
        "mtls": {
            "enabled": True,
            "cert_path": "/etc/letsencrypt/live/agent.example.com/fullchain.pem",
            "key_path": "/etc/letsencrypt/live/agent.example.com/privkey.pem",
            "ca_path": "/etc/letsencrypt/live/agent.example.com/chain.pem"
        }
    }
}

bindufy(agent, config, handler)
Example 2: Using AWS Certificate Manager 
config = {
    "security": {
        "mtls": {
            "enabled": True,
            "provider": "aws_acm",
            "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/abc123",
            "region": "us-east-1"
        }
    }
}
Example 3: Using HashiCorp Vault 
config = {
    "security": {
        "mtls": {
            "enabled": True,
            "provider": "vault",
            "vault_addr": "https://vault.example.com:8200",
            "vault_token": "s.xxxxxx",
            "pki_path": "pki/issue/agent-role"
        }
    }
}

Phase 3: Client Support

  • Update client SDKs to support mTLS
  • Automatic certificate loading
  • Certificate renewal handling

Phase 4: Monitoring & Ops

  • Certificate expiry monitoring
  • Automated renewal
  • Audit logging
  • Revocation handling

Status

📋 Planned - Certificate infrastructure and integration design

What’s Next

  • Discuss - Share your security requirements on Discord
  • Enterprise - Need mTLS for compliance? Let us know