]> The MyClerk Protocol: Tiered Security Communication for Distributed Family Systems Arcan Consulting
rfc@arcan-consulting.de https://myclerk.eu
Applications Independent Submission protocol family distributed encryption smart home This document specifies the MyClerk Protocol, a tiered-security communication protocol designed for distributed family orchestration systems. The protocol provides six security tiers ranging from 1-byte minimal overhead for tunneled messages to 144-byte full security for critical operations. It supports multiple transport mechanisms including NATS, Matrix, WebSocket, and direct TCP, while maintaining end-to-end encryption using ChaCha20-Poly1305 AEAD with hybrid post-quantum key establishment combining ML-KEM-768 and X25519. A classical-only mode (X25519 without ML-KEM) remains available for resource-constrained devices and legacy interoperability. The protocol is transport-agnostic, federation-capable, and optimized for environments ranging from resource-constrained IoT devices to full-featured desktop clients.
Introduction Modern families operate across multiple locations and devices: a primary home with network-attached storage, a vacation house with a mini-PC, grandparents with a Raspberry Pi, and mobile devices requiring access while traveling. The MyClerk Protocol addresses the communication requirements of such distributed family systems. Traditional protocols impose significant overhead that becomes problematic for constrained channels. The MyClerk Protocol introduces tiered security levels, allowing applications to select appropriate overhead based on the security requirements of each operation.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Terminology
Node
A device participating in a MyClerk deployment, such as a server, desktop client, mobile device, or IoT device.
Core Node
A node classified as stable and reliable, expected to maintain high availability (>95% uptime over 30 days).
Bonus Node
A node with variable availability, used opportunistically for additional redundancy.
Family
A group of users and nodes sharing a common trust domain and cryptographic key hierarchy.
Federation
The interconnection of multiple families for resource sharing or communication.
Tier
A security level (0-5) determining the header structure and cryptographic protections applied to a message.
Session
A stateful connection between two endpoints with established cryptographic keys.
Protocol Overview The MyClerk Protocol is a binary protocol using MessagePack for payload encoding. It defines six security tiers with increasing header sizes and cryptographic protections.
Design Goals
  1. Tiered Security: 1-144 bytes overhead depending on security requirements.
  2. Transport Agnostic: Operates over NATS, Matrix, WebSocket, TCP, or other transports.
  3. Federation Ready: Supports multi-server, multi-family deployments.
  4. Future Proof: Extensible operations and feature negotiation.
  5. Post-Quantum Security: Default key establishment for Tier 4 and Tier 5 is resistant to attacks by cryptographically relevant quantum computers (CRQCs), using a hybrid of ML-KEM-768 and X25519 , while retaining a classical-only mode for resource-constrained devices.
Default Port When using TCP or UDP as the transport protocol, implementations SHOULD use port 5657 as the default listening port. This port is registered with IANA for the "myclerk" service (see ). Implementations MAY use alternative ports when:
  • Operating behind a reverse proxy or load balancer
  • Running multiple instances on the same host
  • Required by local network policies
Service discovery mechanisms (such as mDNS or DNS-SD) SHOULD advertise the actual port in use, regardless of whether it matches the default.
Security Tiers Overview Security Tier Summary
Tier Header Encryption Auth KEX Use Case
01 BNone (tunneled)None--Inside session
14 BNoneNone--Fire-and-forget
26 BOptionalCRC-16--Home automation
312 BChaCha20-Poly1305HMAC-32from T4/T5Conversational
414 BChaCha20-Poly1305HMAC-64hybridKey exchange
514 B+tagChaCha20-Poly1305HMAC-256hybridMax security
KEX abbreviations: "hybrid" denotes ML-KEM-768 + X25519 hybrid key establishment; "from T4/T5" indicates the session key is derived in a separate Tier 4 or Tier 5 handshake and inherited by subsequent Tier 3 traffic.
Message Format All messages consist of a header, optional payload, and optional trailer. The header format varies by security tier.
Common Header Fields The first byte (Flags) is present in all tiers and has the following structure:
Tier 0 Header (1 byte) Tier 0 is used for messages tunneled inside an already-secure session. It provides minimal overhead. Tier 0 messages MUST only be sent within an established Tier 3+ session. Implementations receiving a Tier 0 message outside of a secure session MUST discard it.
Tier 1 Header (4 bytes)
Operation Code (16 bits)
Identifies the operation. See .
Sequence (8 bits)
Message sequence number, wrapping at 255.
Tier 2 Header (6 bytes)
Session ID (16 bits)
Identifies the session context for this message.
Tier 2 messages SHOULD include a CRC-16 trailer for error detection.
Tier 3 Header (12 bytes)
Timestamp (32 bits)
Unix timestamp in seconds. Used for replay protection.
Nonce (16 bits)
Random nonce component. Combined with timestamp and counter to form the full 96-bit nonce for ChaCha20-Poly1305.
Tier 3 messages with the E flag set MUST be encrypted using ChaCha20-Poly1305 as specified in .
Tier 4 Header (14 bytes) Tier 4 carries the messages that establish a session (SESSION_INIT, SESSION_ACK). Earlier drafts of this document carried the 32-byte X25519 ECDH public key inline in a 42-byte header. With the move to a hybrid post-quantum KEX the key material grew to 1184 bytes (ML-KEM-768 encapsulation key) plus 1088 bytes (ML-KEM-768 ciphertext) plus the existing 32 bytes of X25519 per direction, which no longer fits in any sensibly-sized fixed header. Consequently, Tier 4 headers no longer carry KEX material inline; all public keys and ciphertexts are transported in the SESSION_INIT / SESSION_ACK payloads (see ), and the header retains only session and nonce identifiers.
Key ID (32 bits)
Identifier for the session key being used or negotiated. Zero during the initial SESSION_INIT before a key has been established.
Tier 5 Header (14 bytes + Poly1305 Tag) Tier 5 uses the same 14-byte header as Tier 4 but appends a full Poly1305 authentication tag after the header (before the payload): Prior drafts of this document mandated an additional HMAC-SHA256 trailer on Tier 5 as a post-quantum resilience workaround against potential future quantum attacks on Poly1305. With hybrid ML-KEM-768 key establishment now baked into Tier 4/5 (see ), that trailer is redundant and has been removed. Implementations conforming to this draft MUST NOT emit an HMAC-SHA256 trailer on Tier 5 messages.
Request Correlation (Version 1) Version 0 of the protocol correlates responses to requests by Operation Code. This limits each connection to one outstanding request per Operation Code, preventing parallel requests for the same operation (e.g., multiple concurrent thumbnail fetches). Version 1 extends each tier-specific header with a 32-bit Request ID field, inserted after the tier-specific fields and before the payload. The Version field in the Flags byte (bits 0-1) distinguishes V0 from V1. Example: Tier 1 Version 1 Header (8 bytes): Header sizes by version: Header Sizes: Version 0 vs Version 1
TierV0V1Delta
01 byte5 bytes+4
14 bytes8 bytes+4
26 bytes10 bytes+4
312 bytes16 bytes+4
442 bytes46 bytes+4
558 bytes62 bytes+4
Request ID Semantics
Format
32-bit unsigned integer, big-endian byte order.
Generation
Client-generated, monotonically increasing per connection.
Echo
The server MUST echo the Request ID from the request in its response.
Fire-and-Forget
A Request ID of 0x00000000 indicates fire-and-forget; no response correlation is expected.
Wrap
When the counter reaches 0xFFFFFFFF, it MUST wrap to 0x00000001, skipping zero.
Backward Compatibility Servers MUST support Version 0 and Version 1 simultaneously. The version is determined by bits 0-1 of the Flags byte. A response MUST use the same version as the request that triggered it. Clients that support Version 1 SHOULD set their version bits to 01 and include a Request ID in every request. When communicating with a Version 0 server that ignores the Request ID, the client MUST fall back to Operation Code correlation.
Nonce Construction ChaCha20-Poly1305 requires a 96-bit (12-byte) nonce that MUST NOT be reused with the same key. The MyClerk Protocol constructs nonces as follows:
Timestamp (32 bits)
Unix epoch seconds. Provides cross-session replay protection.
Random (32 bits)
Cryptographically random value generated per session using a CSPRNG. Provides 2^32 possible values per second.
Counter (32 bits)
Per-message counter starting at 0, incremented for each message. Allows 2^32 messages per session.
All fields are encoded in big-endian byte order. This construction provides a collision probability of less than 2^-80 per year at 1 million operations per second, assuming proper CSPRNG implementation.
Key Derivation Session keys are derived using HKDF as specified in with SHA-256 as the hash function.
Hybrid Key Exchange Tier 4+ sessions establish a shared symmetric key using a hybrid construction that combines classical X25519 ECDH with post-quantum ML-KEM-768 . The hybrid output is secure as long as at least one of the two primitives remains unbroken: an adversary that eventually breaks X25519 (e.g. by running Shor's algorithm on a cryptographically relevant quantum computer) still has to defeat ML-KEM, and vice versa. ML-KEM-768 (NIST category 3, approximately AES-192-equivalent security) is the default parameter set. ML-KEM-1024 MAY be offered by implementations requiring higher security margin; ML-KEM-512 is NOT RECOMMENDED for new deployments. The initiator generates an ephemeral X25519 key pair and an ephemeral ML-KEM-768 decapsulation key pair, and sends both public keys in SESSION_INIT (see ). The responder generates its own ephemeral X25519 key pair, encapsulates against the initiator's ML-KEM encapsulation key to obtain the PQ shared secret and its ciphertext, and returns the X25519 public key together with the ML-KEM ciphertext in SESSION_ACK. Both sides then compute the combined shared secret: The concatenation order ss_classical || ss_pq is fixed and normative. Implementations that swap the order derive a different session key and will fail to communicate; this is a deliberate fail-closed property, not a bug. The transcript_hash folded into the HKDF info parameter binds the session key to the exact bytes of the handshake as observed by the deriving endpoint. An on-path attacker who modifies any handshake field -- stripping a capability, downgrading kex-mode, swapping nonces, altering any declared parameter -- causes the two endpoints to derive different session keys, and the first post-handshake Tier 3 or Tier 5 frame fails its AEAD check. See for the full security argument.
Classical-only Key Exchange (Legacy / Constrained) Implementations that cannot afford the ~2.3 KB of wire overhead of the hybrid handshake (e.g. ESP32-class devices on low-bandwidth modem links, or legacy clients predating this draft) MAY negotiate classical-only mode by omitting the ML-KEM fields from SESSION_INIT and signalling kex-mode: classical-only. The responder MUST either accept and mirror classical-only in SESSION_ACK, or refuse the session if local policy requires PQ. In classical-only mode the derivation reduces to: The info string intentionally differs between hybrid and classical-only derivations so that a key produced in one mode cannot be mistaken for a key in the other mode -- a domain-separation precaution against cross-protocol attacks. Classical-only sessions MUST NOT be used for data requiring long-term confidentiality (conservatively: more than 10 years), because an attacker who records the traffic today and gains access to a cryptographically relevant quantum computer later can recover the session key. Implementations SHOULD log classical-only negotiations for audit purposes.
Key Rotation Keys MUST be rotated after any of the following conditions:
  • 2^32 messages sent (nonce exhaustion)
  • 24 hours elapsed (time-based)
  • Explicit KEY_ROTATE operation received
Rotated keys are derived as:
Protocol Operations Operations are identified by a 16-bit operation code. The operation space is divided into ranges: Operation Code Ranges
Range Category
0x0000-0x00FFCore Operations (Session, Key Management)
0x0100-0x01FFStandard Operations (Device, Identity, Messaging)
0x0200-0x02FFResource Sharing (Streams, GPU, Routing)
0x0300-0x03FFFederation
0x0400-0x04FFBilling and Economics
0x0500-0x05FFVirtual File System (VFS)
0x0600-0x06FFHardware Passthrough (USB, GPIO, I2C, SPI, CAN)
0x0700-0x07FFKnowledge Base
0x0800-0x08FFSettings & Configuration
0x0900-0x09FFRoom/Channel Management
0x0A00-0x0AFFMedia Handling
0x0B00-0x0BFFTelephony (Voice, Video, SMS, IVR)
0x0C00-0x0CFFCalendar & Events
0x0D00-0x0DFFTasks, Shopping & Gamification
0x0E00-0x0EFFSmart Home Devices
0x0F00-0x0FFFAutomation Rules
0x1000-0x10FFMaya AI Assistant
0x1100-0x11FFSynchronization & VFS Federation
0x1200-0x12FFOrchestration (Notifications, Finance)
0x1300-0x13FFPresence & Status (Education)
0x1400-0x14FFHealth (Social, Community)
0x1500-0x15FFLocation & Mobility
0x1600-0x16FFDebug, Testing & Plugins
0x1700-0x17FFMobile Device Management (MDM)
0x1800-0x18FFLegal Documents & Care Directives
0x1900-0x19FFMobility & Vehicle Management
0x1A00-0x1AFFTravel & Vacation
0x1B00-0x1BFFAudit & Compliance
0x1C00-0x1CFFAudio Pipeline
0x1D00-0x1DFFDesktop Client
0x1E00-0xEFFFUnassigned (reserved for future standard categories)
0xF000-0xFFFEVendor Extensions (third-party/vendor-specific use only)
0xFFFFReserved
Core Operations (0x0000-0x00FF)
Session Management (0x0000-0x000F) Session Management Operations
CodeNameDescription
0x0000NOPNo operation
0x0001KEEPALIVESession keepalive
0x0002KEEPALIVE_ACKKeepalive acknowledgment
0x0003SESSION_INITInitialize session
0x0004SESSION_ACKSession acknowledgment
0x0005SESSION_CLOSEClose session
0x0006SESSION_CLOSE_ACKClose acknowledgment
0x0007SESSION_RESUMEResume session with ticket
0x0008SESSION_RESUMEDSession resumed
Key Management (0x0010-0x001F) Key Management Operations
CodeNameDescription
0x0010KEY_EXCHANGE_INITInitiate key exchange
0x0011KEY_EXCHANGE_RESPONSEKey exchange response
0x0012KEY_EXCHANGE_COMPLETEKey exchange complete
0x0016SESSION_ROTATERotate session key
0x0017SESSION_REVOKERevoke session key
Standard Operations (0x0100-0x01FF) Standard Operations cover authentication, device registration, messaging, and identity management. The 0x0100-0x018F range is defined for authentication, key exchange, sessions, device registration, backup codes, and messaging. The 0x0190-0x01EF range is allocated to identity management operations.
Identity Management (0x0190-0x01EF) Identity Management operations handle user lifecycle, profile management, authentication credentials, and two-factor authentication. All Identity Management operations MUST be sent at Tier 3 (Encrypted) or higher.
User Identity (0x0190-0x019F) User Identity Operations
CodeNameDescription
0x0190USER_CREATECreate user account
0x0191USER_GETGet user information
0x0192USER_UPDATEUpdate user account
0x0193USER_DELETEDelete user account
0x0194USER_LISTList users
0x0195USER_SEARCHSearch users
User Moderation (0x01A0-0x01AF) User Moderation Operations
CodeNameDescription
0x01A0USER_BLOCKBlock user
0x01A1USER_UNBLOCKUnblock user
0x01A2USER_MUTEMute user
0x01A3USER_UNMUTEUnmute user
Profile and Avatar (0x01B0-0x01BF) Profile and Avatar Operations
CodeNameDescription
0x01B0PROFILE_GETGet user profile
0x01B1PROFILE_UPDATEUpdate user profile
0x01B2AVATAR_SETSet user avatar
0x01B3AVATAR_GETGet user avatar
Preferences (0x01C0-0x01CF) Preferences Operations
CodeNameDescription
0x01C0PREFERENCES_GETGet user preferences
0x01C1PREFERENCES_SETSet user preferences
Password and Email (0x01D0-0x01DF) Password and Email Operations
CodeNameDescription
0x01D0PASSWORD_CHANGEChange password
0x01D1PASSWORD_RESETReset password
0x01D2EMAIL_CHANGEChange email address
0x01D3EMAIL_VERIFYVerify email address
PASSWORD_CHANGE requires the current password in the payload. PASSWORD_RESET initiates an out-of-band reset flow. EMAIL_CHANGE triggers a verification email to the new address; the change is not effective until EMAIL_VERIFY is completed.
TOTP Two-Factor Authentication (0x01E0-0x01EF) TOTP Operations
CodeNameDescription
0x01E0TOTP_ENABLEEnable TOTP for account
0x01E1TOTP_DISABLEDisable TOTP for account
0x01E2TOTP_VERIFYVerify TOTP code
TOTP_ENABLE returns a shared secret and provisioning URI compatible with RFC 6238. The client MUST verify the secret by submitting a valid TOTP code via TOTP_VERIFY before the enablement is finalized. TOTP_DISABLE requires a valid TOTP code or backup code for confirmation.
Resource Sharing Operations (0x0200-0x02FF) Resource Sharing operations enable devices to expose and consume resources across the network. These operations support video, audio, HID, and GPU services.
Device Management (0x0200-0x020F) Device Management Operations
CodeNameDescription
0x0200DEVICE_LISTList available devices
0x0201DEVICE_INFOGet device information
0x0202DEVICE_SUBSCRIBESubscribe to device events
0x0203DEVICE_UNSUBSCRIBEUnsubscribe from device
0x0204DEVICE_LOCKLock device for exclusive use
0x0205DEVICE_UNLOCKRelease device lock
0x0206DEVICE_CONFIGUREConfigure device parameters
0x0207DEVICE_CAPABILITIESQuery device capabilities
0x020BDEVICE_DISCOVERList all connected devices (including unshared)
DEVICE_LIST (0x0200) returns only devices currently being shared. DEVICE_DISCOVER (0x020B) returns all connected devices regardless of sharing status, enabling provisioning workflows.
Stream Operations (0x0210-0x021F) Stream Operations
CodeNameDescription
0x0210STREAM_STARTStart data stream
0x0211STREAM_STOPStop data stream
0x0212STREAM_DATAStream data payload
0x0213STREAM_CONFIGUREConfigure stream parameters
0x0214STREAM_QUALITYAdjust quality settings
0x0215STREAM_PAUSEPause stream
0x0216STREAM_RESUMEResume paused stream
Stream types are indicated in the STREAM_START payload:
  • 0x01: Video (H.264, MJPEG)
  • 0x02: Audio (Opus, PCM)
  • 0x03: HID (evdev events)
  • 0x04: Serial (byte stream)
GPU Service Operations (0x0220-0x022F) GPU operations enable queue-based access to inference services (LLM, TTS, STT, Image Generation). GPU Service Operations
CodeNameDescription
0x0220GPU_REQUESTSubmit GPU request
0x0221GPU_RESPONSEGPU response (streaming)
0x0222GPU_STATUSQuery service status
0x0223GPU_CANCELCancel pending request
0x0224GPU_QUEUE_INFOQueue position and ETA
GPU service types:
  • 0x01: LLM (Large Language Model)
  • 0x02: TTS (Text-to-Speech)
  • 0x03: STT (Speech-to-Text)
  • 0x04: ImageGen (Image Generation)
Dynamic Routing and ACL (0x0240-0x024F) Dynamic routing enables Hub-controlled device assignment and per-client access control. A Hub can redirect device streams between clients dynamically. Dynamic Routing Operations
CodeNameDescription
0x0240ROUTE_CREATECreate device route
0x0241ROUTE_DELETEDelete device route
0x0242ROUTE_LISTList active routes
0x0243ROUTE_MODIFYModify existing route
0x0244ACL_SETSet access control
0x0245ACL_GETGet access control
0x0246ACL_GRANTGrant client access
0x0247ACL_REVOKERevoke client access
0x0248ROUTE_PRIORITYSet routing priority
Access modes:
  • 0x00: None (no access)
  • 0x01: Read-only
  • 0x02: Write-only
  • 0x03: Read-write
  • 0x04: Exclusive (single client)
Client Assignment Operations (0x0250-0x025F) Client Assignment operations enable Hub-managed device provisioning. A Hub can assign devices to clients, and servers can request approval for sharing new devices through a token-based workflow. Client Assignment Operations
CodeNameDescription
0x0250CLIENT_REGISTERRegister client with server
0x0251CLIENT_HEARTBEATClient keepalive
0x0252CLIENT_ASSIGNAssign device to client
0x0253CLIENT_REVOKERevoke device from client
0x0254CLIENT_STATUSQuery client status
0x0255CLIENT_LISTList registered clients
0x0256CLIENT_INFOGet client information
0x0257DEVICE_REQUEST_CREATECreate device sharing request
0x0258DEVICE_REQUEST_LISTList pending device requests
0x0259DEVICE_REQUEST_DETAILSGet request details
0x025ADEVICE_REQUEST_RESPONDApprove/reject device request
0x025BDEVICE_REQUEST_CANCELCancel pending request
Device Request Workflow:
  1. Hub queries server with DEVICE_DISCOVER (0x020B) to list available devices
  2. Hub administrator creates request via DEVICE_REQUEST_CREATE (0x0257)
  3. Server queries pending requests via DEVICE_REQUEST_LIST (0x0258)
  4. Server retrieves details via DEVICE_REQUEST_DETAILS (0x0259)
  5. Server administrator approves/rejects via DEVICE_REQUEST_RESPOND (0x025A)
Request states:
  • 0x00: Pending (awaiting server approval)
  • 0x01: Approved (all devices accepted)
  • 0x02: Partially Approved (subset of devices accepted)
  • 0x03: Rejected (request denied)
  • 0x04: Expired (token timeout)
  • 0x05: Cancelled (hub cancelled request)
Hardware Passthrough Operations (0x0600-0x06FF) Hardware Passthrough operations enable low-level access to hardware interfaces. Unlike service-based resource sharing, these operations provide direct protocol-level access to hardware buses.
USB Operations (0x0600-0x060F) USB passthrough virtualizes USB at the URB (USB Request Block) level, allowing any USB device to appear as natively connected on the client. USB Operations
CodeNameDescription
0x0600USB_DEVICE_LISTList USB devices
0x0601USB_DEVICE_ATTACHAttach USB device
0x0602USB_DEVICE_DETACHDetach USB device
0x0603USB_CONTROL_TRANSFERUSB control transfer
0x0604USB_BULK_TRANSFERUSB bulk transfer
0x0605USB_INTERRUPT_TRANSFERUSB interrupt transfer
0x0606USB_ISOCHRONOUS_TRANSFERUSB isochronous transfer
0x0607USB_GET_DESCRIPTORGet USB descriptor
0x0608USB_SET_CONFIGURATIONSet USB configuration
0x0609USB_SET_INTERFACESet USB interface
0x060AUSB_CLEAR_HALTClear endpoint halt
0x060BUSB_RESETReset USB device
Serial Operations (0x0610-0x061F) Serial passthrough supports RS-232, RS-485, and UART interfaces. Serial Operations
CodeNameDescription
0x0610SERIAL_PORT_LISTList serial ports
0x0611SERIAL_PORT_OPENOpen serial port
0x0612SERIAL_PORT_CLOSEClose serial port
0x0613SERIAL_PORT_CONFIGUREConfigure baud, parity, etc.
0x0614SERIAL_DATA_WRITEWrite to serial port
0x0615SERIAL_DATA_READRead from serial port
0x0616SERIAL_CONTROL_SETSet control lines (DTR, RTS)
0x0617SERIAL_CONTROL_GETGet control line status
0x0618SERIAL_BREAKSend break condition
GPIO Operations (0x0620-0x062F) GPIO operations enable control of General Purpose Input/Output pins. GPIO Operations
CodeNameDescription
0x0620GPIO_CHIP_LISTList GPIO chips
0x0621GPIO_LINE_INFOGet line information
0x0622GPIO_LINE_REQUESTRequest GPIO line
0x0623GPIO_LINE_RELEASERelease GPIO line
0x0624GPIO_LINE_SETSet line value
0x0625GPIO_LINE_GETGet line value
0x0626GPIO_LINE_WATCHWatch for edge events
0x0627GPIO_EVENTGPIO edge event notification
0x0628GPIO_PWM_CONFIGUREConfigure PWM output
0x0629GPIO_PWM_SETSet PWM duty cycle
I2C Operations (0x0630-0x063F) I2C (Inter-Integrated Circuit) bus operations for sensor and peripheral communication. I2C Operations
CodeNameDescription
0x0630I2C_BUS_LISTList I2C buses
0x0631I2C_BUS_SCANScan for devices on bus
0x0632I2C_TRANSFERI2C read/write transfer
0x0633I2C_WRITE_BYTEWrite single byte
0x0634I2C_READ_BYTERead single byte
0x0635I2C_WRITE_BLOCKWrite data block
0x0636I2C_READ_BLOCKRead data block
0x0637I2C_SMBUS_COMMANDSMBus protocol command
SPI Operations (0x0640-0x064F) SPI (Serial Peripheral Interface) operations for high-speed peripheral communication. SPI Operations
CodeNameDescription
0x0640SPI_BUS_LISTList SPI buses
0x0641SPI_DEVICE_OPENOpen SPI device
0x0642SPI_DEVICE_CLOSEClose SPI device
0x0643SPI_CONFIGUREConfigure mode, speed, bits
0x0644SPI_TRANSFERFull-duplex SPI transfer
0x0645SPI_WRITESPI write-only
0x0646SPI_READSPI read-only
CAN Bus Operations (0x0650-0x065F) CAN (Controller Area Network) bus operations for automotive and industrial protocols. CAN Bus Operations
CodeNameDescription
0x0650CAN_INTERFACE_LISTList CAN interfaces
0x0651CAN_INTERFACE_OPENOpen CAN interface
0x0652CAN_INTERFACE_CLOSEClose CAN interface
0x0653CAN_CONFIGUREConfigure bitrate, mode
0x0654CAN_FRAME_SENDSend CAN frame
0x0655CAN_FRAME_RECEIVEReceive CAN frame
0x0656CAN_FILTER_SETSet receive filter
0x0657CAN_ERROR_STATUSGet error counters
1-Wire Operations (0x0660-0x066F) 1-Wire bus operations for temperature sensors, iButtons, and similar devices. 1-Wire Operations
CodeNameDescription
0x0660ONEWIRE_BUS_LISTList 1-Wire buses
0x0661ONEWIRE_SEARCHSearch for devices
0x0662ONEWIRE_RESETReset bus
0x0663ONEWIRE_READ_ROMRead device ROM
0x0664ONEWIRE_MATCH_ROMSelect device by ROM
0x0665ONEWIRE_SKIP_ROMSkip ROM (single device)
0x0666ONEWIRE_READRead bytes
0x0667ONEWIRE_WRITEWrite bytes
GSM Modem Operations (0x0670-0x067F) GSM modem operations provide direct access to cellular modems for SMS, GNSS (GPS), voice calls, and USSD services. These operations abstract the underlying AT command interface. GSM Modem Operations
CodeNameDescription
0x0670GSM_MODEM_INITInitialize GSM modem
0x0671GSM_MODEM_STATUSGet modem status
0x0672GSM_NETWORK_REGNetwork registration status
0x0673GSM_SIGNAL_QUALITYSignal quality (RSSI, BER)
0x0674GSM_SMS_SENDSend SMS via AT commands
0x0675GSM_SMS_RECEIVEReceive SMS notification
0x0676GSM_SMS_LISTList SMS messages
0x0677GSM_SMS_DELETEDelete SMS from SIM
0x0678GSM_USSD_SENDSend USSD command
0x0679GSM_USSD_RESPONSEUSSD response
0x067AGSM_GNSS_ENABLEEnable/disable GNSS module
0x067BGSM_GNSS_POSITIONGet GNSS position fix
0x067CGSM_GNSS_CONFIGConfigure GNSS
0x067DGSM_VOICE_DIALInitiate voice call
0x067EGSM_VOICE_HANGUPHangup voice call
0x067FGSM_VOICE_ANSWERAnswer incoming call
GSM modem types supported:
  • SIM7600: 4G LTE Cat-4 with GNSS
  • SIM800: 2G GSM/GPRS
  • Quectel EC25: 4G LTE
Telephony: SMS Gateway (0x0B50-0x0B7F) The SMS Gateway operations provide application-level SMS handling for the MyClerk platform. Unlike the low-level GSM Modem operations which deal with AT commands and hardware, these operations provide intelligent message routing, TAN/OTP detection, and emergency fallback services. These are standard protocol operations in the Telephony category (0x0B00-0x0BFF).
SMS Gateway Operations (0x0B50-0x0B5F) SMS Gateway Operations
CodeNameDescription
0x0B50SMS_CREATECreate outgoing SMS
0x0B51SMS_SENDSend SMS via gateway
0x0B52SMS_RECEIVEIncoming SMS notification
0x0B53SMS_STATUSQuery message delivery status
0x0B54SMS_LISTList messages in gateway
0x0B55SMS_DELETEDelete message from gateway
0x0B56SMS_ROUTE_ADDAdd routing rule
0x0B57SMS_ROUTE_REMOVERemove routing rule
0x0B58SMS_ROUTE_LISTList routing rules
0x0B59SMS_GATEWAY_STATUSGateway health status
SMS Parsing Operations (0x0B60-0x0B6F) SMS Parsing operations handle intelligent classification and extraction of structured data from SMS messages. SMS Parsing Operations
CodeNameDescription
0x0B60SMS_PARSEDParsed SMS event
0x0B61SMS_CLASSIFYClassify SMS type
0x0B62SMS_TAN_RECEIVEDTAN/OTP received event
0x0B63SMS_TAN_ANNOUNCEAnnounce TAN to family
0x0B64SMS_TAN_CLAIMClaim TAN ownership
0x0B65SMS_TAN_EXPIRETAN expiration notification
0x0B66SMS_DELIVERY_RECEIVEDDelivery notification received
0x0B67SMS_APPOINTMENT_RECEIVEDAppointment SMS received
0x0B68SMS_SPAM_DETECTEDSpam SMS detected
0x0B69SMS_ALERT_RECEIVEDAlert/warning SMS received
SMS classification types:
  • 0x01: TAN/OTP (banking, 2FA codes)
  • 0x02: Delivery notification (package tracking)
  • 0x03: Appointment reminder
  • 0x04: Marketing/Spam
  • 0x05: Alert/Warning (weather, emergency)
  • 0x06: Personal message
  • 0x07: Unknown
Emergency Gateway Operations (0x0B70-0x0B7F) Emergency Gateway operations provide fallback communication when primary channels (internet, Matrix) are unavailable. The SMS gateway automatically activates emergency mode during outages. Emergency Gateway Operations
CodeNameDescription
0x0B70EMERGENCY_GATEWAY_STATUSGateway health status
0x0B71EMERGENCY_INTERNET_DOWNInternet outage detected
0x0B72EMERGENCY_INTERNET_UPInternet restored
0x0B73EMERGENCY_SMS_ALERTEmergency alert via SMS
0x0B74EMERGENCY_SMS_COMMANDEmergency command via SMS
0x0B75EMERGENCY_LOCATION_REQUESTRequest device location
0x0B76EMERGENCY_LOCATION_RESPONSEDevice location response
0x0B77EMERGENCY_HEALTH_CHECKRemote health check request
0x0B78EMERGENCY_HEALTH_RESPONSEHealth check response
0x0B79EMERGENCY_MODE_ACTIVATEActivate emergency mode
0x0B7AEMERGENCY_MODE_DEACTIVATEDeactivate emergency mode
Emergency mode features:
  • Automatic activation when internet connectivity is lost
  • Predefined SMS commands for remote device control
  • Location sharing via GNSS coordinates in SMS
  • Health monitoring with battery and connectivity status
  • Graceful transition back to normal operation
Note: As of the reference implementation, SMS Gateway operations (0xF350-0xF35F), SMS Parsing operations (0xF360-0xF36F), and Emergency Gateway operations (0xF370-0xF37F) have been relocated to the Telephony category (0x0B50-0x0B7F) for consistency. The vendor extension range assignments are retained for backwards compatibility but implementations SHOULD use the Telephony range.
Application Operations (0x0700-0x1DFF) Application-layer operations covering knowledge management, settings, messaging, telephony, calendar, tasks, smart home, automation, AI assistant, synchronization, orchestration, presence, health, location, plugins, MDM, legal documents, mobility, travel, audit, audio pipeline, and desktop client operations are defined in the companion document . The companion document serves as the authoritative registry for all application-layer operation codes in the 0x0700-0x1DFF range, following the "Assigned Numbers" pattern established by Bluetooth SIG specifications. This separation allows the core protocol specification to remain stable while application operations evolve independently.
Payload Formats Payloads are encoded using MessagePack (a subset of CBOR). This section defines payload structures using CDDL .
SESSION_INIT Payload The initiator MUST always include its X25519 public key. It SHOULD additionally include its ML-KEM-768 encapsulation key (and set kex-mode: hybrid-mlkem768) to negotiate the hybrid post-quantum KEX. If the initiator cannot afford the 1184-byte ML-KEM public, it MAY omit mlkem-public and set kex-mode: classical-only; servers that require PQ by policy will refuse such a session.
SESSION_ACK Payload The responder MUST echo a selected-kex-mode. When that mode is hybrid-mlkem768, the responder MUST include mlkem-ciphertext: the 1088-byte ML-KEM ciphertext produced by encapsulating against the initiator's encapsulation key.
SESSION_RESUME Payload
Tier Compatibility When endpoints support different maximum tiers, they MUST negotiate to the highest common tier. The server MUST respond with the minimum of its supported tier and the client's requested tier. Servers MAY enforce minimum tier requirements for specific operations. If a client requests an operation at an insufficient tier, the server MUST respond with error code 0x12 (FORBIDDEN) and include the required tier in the error payload.
Minimum Tier Requirements The following operations have minimum tier requirements: Minimum Tier Requirements
Operation CategoryMinimum Tier
Lock/Unlock (physical access)3
Key Exchange4
Federation Operations4
Emergency Operations3
Error Handling Error codes are 8-bit values organized into ranges: Error Codes
RangeCategory
0x00-0x0FSuccess
0x10-0x1FClient Errors
0x20-0x2FServer Errors
0x30-0x3FFederation Errors
0xF0-0xFFReserved
Specific Error Codes
0x00 OK
Operation completed successfully.
0x10 BAD_REQUEST
Malformed message or invalid parameters.
0x11 UNAUTHORIZED
Authentication required or failed.
0x12 FORBIDDEN
Insufficient permissions or tier.
0x13 NOT_FOUND
Requested resource does not exist.
0x17 INVALID_SESSION
Session expired or invalid.
0x20 INTERNAL_ERROR
Server encountered an unexpected error.
0x21 SERVICE_UNAVAILABLE
Service temporarily unavailable.
0x22 TIMEOUT
Operation timed out.
Security Considerations
Nonce Reuse Reusing a nonce with the same key in ChaCha20-Poly1305 completely compromises the confidentiality and authenticity of all messages encrypted with that key-nonce pair. Implementations MUST ensure nonces are never reused by:
  • Using cryptographically random values for the Random field
  • Maintaining a monotonic counter per session
  • Rotating keys before counter exhaustion
Replay Protection Tier 3+ messages include timestamps for replay protection. Implementations SHOULD reject messages with timestamps more than 5 minutes in the past or future. Session resumption tickets include a nonce that MUST be tracked to prevent replay attacks.
Tier Downgrade Attacks An attacker might attempt to force communication at a lower tier. Servers MUST enforce minimum tier requirements for sensitive operations. Clients SHOULD warn users when connecting at a lower tier than expected.
Key Compromise If a session key is compromised, an attacker can decrypt all messages in that session. The 24-hour automatic key rotation limits the window of exposure. For forward secrecy, implementations SHOULD use ephemeral ECDH keys for each session.
Post-Quantum Considerations Tier 4 and Tier 5 sessions use hybrid post-quantum key establishment by default, combining ML-KEM-768 with X25519 via concatenation and HKDF-SHA256 extraction (see ). The hybrid output remains secure as long as at least one of the two primitives does, which defeats both a future cryptographically relevant quantum computer (CRQC) running Shor's algorithm against X25519 and any currently unknown classical break of ML-KEM. The symmetric layer (ChaCha20-Poly1305 with 256-bit keys) is considered post-quantum secure: Grover's algorithm reduces the effective key strength to 128 bits, which remains computationally infeasible to brute-force. No change to the symmetric primitive is required and none is prescribed. Classical-only mode (kex-mode: classical-only) MAY be used by resource-constrained implementations (e.g. deeply embedded devices where the 1184-byte ML-KEM encapsulation key is infeasible over a low-bandwidth modem link) or for interoperability with legacy endpoints predating this draft. Classical-only mode MUST NOT be used for data requiring long-term confidentiality (conservatively, more than 10 years) due to store-now-decrypt-later attacks. Implementations MUST NOT negotiate classical-only mode when at least one endpoint signals the pq-mlkem768 capability and local policy requires PQ for the session's intended use.
KEX Mode Downgrade Protection Like tier negotiation (), KEX-mode negotiation is vulnerable to active on-path downgrade attempts. An attacker could strip mlkem-public from SESSION_INIT or remove the pq-mlkem768 capability to force classical-only. This draft binds the full handshake to the session key to make such modifications detectable. Specifically, both endpoints fold a transcript hash of the complete SESSION_INIT and SESSION_ACK byte sequences into the HKDF-SHA256 info parameter during session key derivation (see ). Any modification of any handshake field by an intermediary causes the two endpoints to observe different transcript hashes, derive different session keys, and fail AEAD verification on the first Tier 3 or Tier 5 frame. The domain separator strings "myclerk-session-v1-hybrid" and "myclerk-session-v1-classical" additionally prevent a hybrid-derived key from being confused with a classical-derived key of the same inputs. Implementations MUST:
  1. Include the exact wire-form bytes of SESSION_INIT and SESSION_ACK in the transcript hash, in the order they were sent.
  2. Refuse to complete a session where the responder's selected KEX mode is weaker than the mode the initiator offered AND the local policy requires the stronger mode.
  3. Log classical-only negotiations for audit purposes so operators can detect systemic downgrade attempts.
ML-KEM Implementation Hazards ML-KEM-768 implementations MUST observe the following safety properties. These are standard Fujisaki-Okamoto precautions but are called out explicitly because ahistorical implementations have repeatedly failed at them.
  1. Constant-time decapsulation. The decapsulation routine MUST run in time independent of the secret key and the ciphertext contents, to prevent timing side channels that can recover the private key over repeated queries.
  2. Implicit rejection. On a ciphertext-validity failure, decapsulation MUST return a pseudo-random shared secret derived from the private key and the ciphertext (the Fujisaki-Okamoto transform's "implicit rejection" branch), NOT an error. Returning an error leaks ciphertext-validity information to the attacker.
  3. Private-key hygiene. ML-KEM decapsulation private keys MUST be cleared from memory (e.g. via crypto/subtle.ConstantTimeCompare-adjacent zero-wipe helpers) once the session key has been derived and the ephemeral has no further use.
Implementations SHOULD use a well-reviewed library rather than implementing ML-KEM from scratch. In the Go ecosystem the standard library crypto/mlkem package (available since Go 1.24) satisfies all three requirements and is the RECOMMENDED choice; the liboqs project, BoringSSL's ML-KEM implementation, and libcrux are also suitable alternatives.
IANA Considerations
Service Name and Port Number Registration IANA is requested to register the following service name and port number in the "Service Name and Transport Protocol Port Number Registry" :
Service Name:
myclerk
Port Number:
5657
Transport Protocol(s):
TCP, UDP
Description:
MyClerk Protocol
Assignee:
IESG <iesg@ietf.org>
Contact:
IETF Chair <chair@ietf.org>
Reference:
This document
TCP is the primary transport for control messages, synchronization, authentication, and VFS operations. UDP is used for real-time streaming (video, audio) and low-latency sensor telemetry where latency is prioritized over reliability.
Operation Code Registry IANA is requested to create a new registry titled "MyClerk Protocol Operation Codes" with the following structure:
Registration Procedure:
Expert Review per
Reference:
This document
The initial entries are the operation codes defined in of this document, organized into the following ranges:
Range Category Reference
0x0001-0x00FFCore OperationsSection 4
0x0100-0x01FFStandard Operations (Device, Identity, Messaging)Section 5
0x0200-0x02FFResource Sharing (Streams, GPU, Routing)Section 6
0x0300-0x03FFFederationSection 6
0x0400-0x04FFBilling and EconomicsSection 6
0x0500-0x05FFVirtual File System (VFS)draft-myclerk-vfs
0x0600-0x06FFHardware Passthrough (USB, GPIO, I2C, SPI, CAN)Section 6
0x0700-0x07FFKnowledge BaseSection 6
0x0800-0x08FFSettings & ConfigurationSection 6
0x0900-0x09FFRoom/Channel ManagementSection 6
0x0A00-0x0AFFMedia HandlingSection 6
0x0B00-0x0BFFTelephony (Voice, Video, SMS, IVR)Section 6
0x0C00-0x0CFFCalendar & EventsSection 6
0x0D00-0x0DFFTasks, Shopping & GamificationSection 6
0x0E00-0x0EFFSmart Home DevicesSection 6
0x0F00-0x0FFFAutomation RulesSection 6
0x1000-0x10FFMaya AI AssistantSection 6
0x1100-0x11FFSynchronization & VFS FederationSection 6
0x1200-0x12FFOrchestration (Notifications, Finance)Section 6
0x1300-0x13FFPresence & Status (Education)Section 6
0x1400-0x14FFHealth (Social, Community)Section 6
0x1500-0x15FFLocation & MobilitySection 6
0x1600-0x16FFDebug, Testing & PluginsSection 6
0x1700-0x17FFMobile Device Management (MDM)[MYCLERK-OPS]
0x1800-0x18FFLegal Documents & Care Directives[MYCLERK-OPS]
0x1900-0x19FFMobility & Vehicle Management[MYCLERK-OPS]
0x1A00-0x1AFFTravel & Vacation[MYCLERK-OPS]
0x1B00-0x1BFFAudit & Compliance[MYCLERK-OPS]
0x1C00-0x1CFFAudio Pipeline[MYCLERK-OPS]
0x1D00-0x1DFFDesktop Client[MYCLERK-OPS]
0x1E00-0xEFFFUnassignedThis document
0xF000-0xFFFEVendor Extensions (third-party/vendor-specific use only)This document
0xFFFFReservedThis document
References Normative References &RFC2119; &RFC5869; &RFC6335; &RFC7748; &RFC8126; &RFC8174; &RFC8439; &RFC8610; &RFC8949; Module-Lattice-Based Key-Encapsulation Mechanism Standard National Institute of Standards and Technology Informative References MyClerk Protocol Application Operations Registry Arcan Consulting
Acknowledgements This specification is part of the MyClerk project, a privacy-first family orchestration platform currently in development. For more information, visit https://myclerk.eu.