The Micro Agent Communication Protocol (µACP)

The Micro Agent Communication Protocol (µACP) is a compact, resource-efficient communication protocol designed for distributed autonomous agents operating on constrained devices. It aims to bridge the gap between resource-light IoT protocols and semantically rich agent communication languages, by offering minimal overhead yet expressive interaction semantics. Modern IoT, edge, and embedded environments often involve devices with limited RAM, CPU, energy, and unreliable or low-bandwidth networks. At the same time, many distributed applications — from sensor networks and robotics swarms to multi-agent systems and edge-native microservices — require coordination, state sharing, event subscriptions, request/response semantics, and lightweight negotiation. Existing protocols are often unsuited:

Traditional agent-communication languages (e.g., FIPA-ACL) impose heavy parsing and runtime overhead unacceptable on microcontroller-class platforms.
Standard IoT protocols (e.g., plain UDP, lightweight publish/subscribe) provide minimal semantics, making it difficult to implement structured coordination or stateful dialogues.

µACP addresses this by defining a wire-efficient, fixed-header, TLV-extensible protocol that offers exactly four core verbs — PING, TELL, ASK, and OBSERVE — which together are sufficient to express common interaction patterns such as request/response, publish/subscribe, and liveness checking. The protocol is designed so that implementations can remain lean, deterministic in resource consumption, and suitable for microcontroller-class devices, while still supporting structured multi-agent interactions. Because security, confidentiality, and integrity are essential for many deployments (especially those involving sensitive data, distributed control, or untrusted networks), this specification mandates the use of the object-security mechanism defined by the IETF as the mandatory-to-implement transport binding: namely, the combination of CoAP (as the transport substrate) with OSCORE (for application-layer message protection) over constrained or lossy links. This ensures that even devices with limited resources can securely exchange µACP messages while preserving end-to-end confidentiality, integrity, and replay protection . Working Group Engagement: This document is submitted as an Independent Submission to the IETF. The authors welcome feedback from relevant working groups, particularly the Constrained RESTful Environments (CoRE) working group and the Light-Weight Implementation Guidance (LWIG) working group, and are open to transitioning this work to a working group if there is community interest and consensus.

Provide a minimal, low-overhead communication protocol for constrained agents that supports structured semantics without heavy runtime cost.
Ensure deterministic and bounded resource usage (memory, CPU, bandwidth), enabling predictable behavior in resource-constrained environments.
Support essential multi-agent communication patterns — request/response, publish/subscribe, life-check — using a small set of orthogonal primitives.
Define a secure, interoperable transport binding so that agents across different platforms can communicate safely and reliably.
Enable extensibility via a TLV option mechanism, allowing future enhancements (e.g., content types, metadata, authentication tokens) without breaking base compatibility.

This specification defines the wire format, core semantics, normative behavior, mandatory transport binding, security constraints, and IANA registries required for interoperable implementations. It does not specify or mandate application-level semantics (e.g., content encoding, agent ontology, high-level negotiation logic), which are left to deployment-specific or higher-layer protocols. Implementers are free to choose content encoding (e.g., CBOR, JSON), TLV usage, and higher-level behavior, provided they adhere to the normative parts of this document.

This document is primarily intended for:

Developers of embedded, IoT, or edge-device firmware seeking a lightweight yet expressive agent communication protocol;
Protocol engineers designing distributed multi-agent systems requiring structured interactions, event subscriptions, or resource-aware communication;
Standardization bodies and implementers evaluating µACP for integration into larger systems;
Researchers studying resource-bounded multi-agent coordination, secure constrained communication, or constrained-device protocol design.

µACP's transport binding leverages established IETF standards: CoAP as the constrained-device transport substrate , and OSCORE for end-to-end object security across constrained networks and proxies . OSCORE is itself designed for constrained RESTful environments and provides confidentiality, integrity, and replay protection for CoAP messages using COSE . Compared to heavier agent-communication languages (e.g., FIPA-ACL), µACP trades semantic depth for minimalism and resource efficiency. Compared to plain CoAP or MQTT-style protocols, µACP brings structured agent-oriented primitives while preserving low overhead and deterministic resource usage. The TLV extensibility mechanism ensures future content- or metadata-level enhancements without invalidating base interoperability.

The remainder of this document is organized as follows: - Section 2 defines conventions and terminology. - Section 3 describes the µACP message model and wire encoding rules. - Section 4 defines the protocol semantics of the four core verbs (PING, TELL, ASK, OBSERVE). - Section 5 defines the mandatory transport binding using CoAP/OSCORE, including mapping rules, security profile, and operational constraints. - Section 6 defines error handling rules, version negotiation, and extensibility mechanisms. - Section 7 defines the IANA registries (TLV Types, QoS codes, content-format) and related registration policies. - Section 8 provides normative interoperability requirements and deployment guidelines. - Section 9 describes security considerations and threat mitigation strategies. - Section 10 provides example interactions and wire-level encodings. - Appendices contain deployment notes, conformance test descriptions, change log, and reference implementation pointers.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when they appear in ALL CAPS. These words may also appear in lowercase or mixed case as plain English words, absent their normative meanings.

The following terms are used throughout this document:

Agent: An autonomous software entity that participates in µACP communication. Agents send and receive µACP messages to coordinate with other agents.
Verb: One of four core communication primitives in µACP: PING, TELL, ASK, or OBSERVE. Verbs are encoded in 2 bits in the message header.
TLV: Type-Length-Value encoding format used for optional metadata in µACP messages. Each TLV consists of an 8-bit Type, 8-bit Length, and variable-length Value.
Correlation ID: A 16-bit identifier that groups related messages into a conversation. Messages sharing the same Correlation ID belong to the same conversation.
Sequence ID: A 16-bit monotonically increasing identifier used for duplicate detection and replay protection within a conversation.
Conversation: A sequence of related µACP messages identified by a unique Correlation ID. Conversations typically represent request/response exchanges or subscription relationships.
OSCORE: Object Security for Constrained RESTful Environments, as defined in . OSCORE provides end-to-end security for CoAP messages.
CoAP: The Constrained Application Protocol, as defined in . CoAP serves as the transport substrate for µACP.
Constrained Device: A device with limited resources (memory, CPU, energy, bandwidth) as defined in . Class 1 devices have approximately 10 KB RAM and 100 KB flash.

This document uses the following notation conventions:

Hexadecimal values are prefixed with "0x" (e.g., 0x01, 0xFF).
Binary values are prefixed with "0b" (e.g., 0b00, 0b11).
Byte order is network byte order (big-endian) unless otherwise specified.
Bit positions are numbered from 0 (most significant bit) to n-1 (least significant bit).
Message formats are shown using ASCII art diagrams.
Code examples use a monospace font.

The following abbreviations are used in this document:

ACL: Agent Communication Language
BDI: Belief-Desire-Intention (agent architecture model)
CBOR: Concise Binary Object Representation
CID: Correlation ID
CoAP: Constrained Application Protocol
COSE: CBOR Object Signing and Encryption
DTLS: Datagram Transport Layer Security
EDHOC: Ephemeral Diffie-Hellman Over COSE
FSM: Finite State Machine
IANA: Internet Assigned Numbers Authority
IoT: Internet of Things
MTI: Mandatory to Implement
OSCORE: Object Security for Constrained RESTful Environments
QoS: Quality of Service
SID: Sequence ID
TLV: Type-Length-Value
URI: Uniform Resource Identifier

This section defines the normative wire-level encoding of µACP messages, including the fixed header, TLV format, payload processing rules, byte ordering, and OSCORE protection boundaries. All compliant implementations MUST follow these encoding rules exactly unless otherwise specified.

A µACP message consists of three components encoded in the following order:

Figure 1: µACP Message Layout The header format is fixed-length and MUST always appear. TLVs and payloads are optional. Messages MUST NOT exceed transport-imposed size limits; for CoAP/OSCORE, these limits are determined by underlying MTU constraints and CoAP Blockwise Transfer (RFC 7959) if used. All fields are encoded in network byte order (big-endian).

The µACP header consists of 64 bits arranged as follows:

Figure 2: µACP Header Bit Layout Sequence ID (16 bits): Monotonically increasing identifier used for duplicate detection and replay-window tracking. MUST wrap modulo 2^16. MUST be unpredictable if security-sensitive traffic requires preventing traffic analysis. Correlation ID (16 bits): Identifies all messages belonging to the same conversation. MUST be unique among active conversations. SHOULD be randomly generated in security-sensitive deployments. QoS (2 bits): Encodes transmission semantics (fire-and-forget, at-least-once, at-most-once). Values are defined in the IANA Considerations section. Verb (2 bits): Identifies one of the four µACP operations: PING(0), TELL(1), ASK(2), OBSERVE(3). Flags (4 bits): Control bits reserved for protocol-level features such as fragmentation, retransmission hints, or message cancellation. Future specifications MAY define additional meanings. Reserved (40 bits): MUST be set to zero on transmission. MUST be ignored by receivers. Reserved bits MAY be repurposed by future µACP versions but MUST NOT change meaning in this version.

TLVs (Type–Length–Value structures) convey optional metadata and extensibility information. They appear immediately after the header and MUST appear in Type-increasing order to allow binary search and deterministic parsing.

Figure 3: TLV Encoding Type (8 bits): TLV identifier. The meaning of each Type is defined in the IANA registry. Types 0–31 are reserved and governed by Standards Action. Types 32–127 require IETF Review. Types 128–255 are vendor-specific. Length (8 bits): Specifies the number of octets in the Value field. Length MUST NOT exceed 255. TLVs MUST NOT cause the total TLV region to exceed 1024 bytes. Value: Encoded according to Type. For Types other than 0x00 (Raw Octets), the Value is subject to OSCORE protection (Section 5). Critical TLVs: A future TLV Type range MAY designate critical TLVs. Receiving an unknown critical TLV MUST cause message rejection.

Receivers MUST apply the following rules when processing TLVs:

TLVs MUST be parsed strictly in order.
If Length exceeds remaining buffer size, the message MUST be discarded.
Unknown TLV Types MUST be ignored unless they are designated critical.
TLV order MUST be strictly increasing by Type; violating this is a format error.
TLV Type 0x00 (Raw Octets) MUST NOT appear in encrypted messages; its use is restricted to unencrypted PING messages.

The µACP payload is an optional octet string of 0–65535 bytes. Its semantics depend on the Verb and the application layer. Payloads are typically used for:

Application data (e.g., sensor readings, state updates);
Action parameters and operation descriptors;
Event notifications for OBSERVE subscriptions;
Encoded content (CBOR, JSON, application-specific formats).

Payloads MUST be OSCORE-protected unless the message Verb is PING. Payload sizes MUST be validated before allocation to avoid resource exhaustion. If the payload is encoded using CBOR (Type=0x03), receivers MUST treat it as a single CBOR data item. If the payload is JSON (Type=0x02), it MUST be UTF-8 encoded.

All multi-octet integer fields in µACP (Sequence ID, Correlation ID, header composites) MUST be encoded in network byte order (big-endian). TLV and payload content MAY use other encoding rules (e.g., CBOR or UTF-8) as determined by their Types.

µACP itself does not mandate fragmentation. When implemented, fragmentation MUST be controlled by Flags in the header and MUST operate in a deterministic, resource-bounded manner. This specification defines the following fragmentation requirements:

Fragments MUST preserve the same Sequence ID, Correlation ID, and Verb.
Fragments MUST carry a Fragment-ID TLV if fragmentation is used.
Receivers MUST reassemble fragments in Sequence ID order.
Reassembly MUST abort if missing fragments exceed timeout thresholds.

Deployments using CoAP Blockwise Transfer (RFC 7959) SHOULD avoid µACP-level fragmentation to minimize complexity.

When µACP is transported over CoAP with OSCORE, the OSCORE-protected CoAP payload MUST contain the complete µACP message (Header | TLVs | Payload). The OSCORE security context determines integrity, confidentiality, and replay parameters. The following MUST be protected by OSCORE:

All TLVs except those in unencrypted PING messages;
The entire payload;
The header fields other than those needed for outer CoAP routing.

Implementations MUST NOT leak semantics (e.g., Verb, QoS) through the CoAP outer header beyond what OSCORE permits.

To ensure interoperability and deterministic parsing, µACP defines the following canonical encoding rules:

Fields MUST NOT be padded.
TLVs MUST be sorted by ascending Type.
No two TLVs MAY share the same Type unless explicitly defined.
Payload MUST begin immediately after the last TLV.
Implementations MUST normalize line endings, whitespace, or internal representations before hashing or signing application content.

These rules ensure that µACP messages can be compared as byte strings and efficiently parsed on constrained devices.

This section defines the normative semantics of the four µACP verbs: PING, TELL, ASK, and OBSERVE. Each verb represents a fundamental communication primitive intended to support higher-level agent behaviors, including liveness detection, request/response interactions, state dissemination, and event-driven notification. Agents MUST implement all four verbs. Agents MUST apply OSCORE protection to all messages except PING, unless an application explicitly operates in an unauthenticated environment. For each verb, this section defines sender behavior, receiver behavior, state-machine interactions, mandatory error cases, and expected processing-time bounds.

PING provides a low-cost, minimal-overhead mechanism for reachability and liveness detection. PING messages MUST NOT carry OSCORE-protected content. PING messages MAY include Raw-Octet TLVs (Type=0x00) but MUST NOT include any TLVs requiring confidentiality or integrity.

The sender MAY emit a PING at any time to test peer liveness.
The Sequence ID MUST increment for each PING from the same sender.
The Correlation ID SHOULD be unique among active PING probes to avoid ambiguity.
No payload is RECOMMENDED; the PING SHOULD remain as small as possible.
PING SHOULD be rate-limited to avoid unnecessary resource pressure.

The receiver SHOULD reply with a TELL unless configured otherwise.
The receiver MUST NOT require OSCORE protection for PING.
The receiver MAY update local reachability or suspicion heuristics.
The receiver MUST ignore any TLVs not allowed for PING.

If a PING contains encrypted TLVs or a payload, the receiver MUST treat the message as malformed.
If resource limits are exceeded, the receiver MAY silently drop the PING.

TELL conveys information, updates, or asynchronous notifications. TELL is the primary mechanism for distributing state and for responding to ASK messages. TELL messages MUST be OSCORE-protected unless the deployment explicitly allows an unauthenticated mode.

The sender MUST include a payload or a meaningful TLV set.
The sender SHOULD ensure that TELL messages are idempotent for the given Correlation ID.
The sender MUST increment the Sequence ID for each TELL.
When responding to an ASK, the sender MUST use the same Correlation ID as the request.
If notifying subscribers (OBSERVE), the sender MUST include event-related TLVs.

The receiver MUST validate OSCORE before inspecting payload or TLVs.
The receiver MUST associate the message with the correct conversation using Correlation ID.
The receiver MUST incorporate content into its knowledge base according to application policy.
The receiver SHOULD acknowledge or respond only if required by application semantics.
In OBSERVE-driven notifications, the receiver MUST update subscription state accordingly.

If a TELL arrives without OSCORE protection, the receiver MUST reject it unless configured for non-secure operation.
If a TELL carries malformed TLVs, the receiver MUST discard the message.
If correlation state does not exist and the TELL is unsolicited, the receiver MAY treat it as a standalone notification.

ASK initiates a request for information or action. ASK is analogous to a query, command, or method invocation, and typically elicits a TELL response. ASK messages MUST be OSCORE-protected.

The sender MUST allocate a new conversation entry indexed by the Correlation ID.
The sender MUST increment the Sequence ID.
The ASK payload SHOULD include sufficient information for the receiver to satisfy the request.
The sender MUST start a request timer; expiration triggers retransmission (for QoS ≥ 1) or failure escalation.
The sender MUST enforce conversation limits to avoid resource exhaustion.

The receiver MUST validate OSCORE before processing.
The receiver MUST associate the ASK with the given Correlation ID, creating state if needed.
The receiver MUST generate a TELL response with either the requested result or an error TLV.
If the request cannot be satisfied in bounded time, the receiver MAY send an immediate error TELL.
If performing an action, the receiver SHOULD ensure bounded execution time or respond asynchronously.

If the ASK contains malformed or conflicting TLVs, the receiver MUST reject it using a TELL(error).
If security validation fails, the receiver MUST silently discard the message.
If correlation-table limits are exceeded, the receiver MAY respond with a resource exhaustion error.

OBSERVE establishes a subscription for future notifications. It is analogous to a publish/subscribe registration but scoped to a single peer. OBSERVE messages MUST be OSCORE-protected.

The sender MUST allocate or update a subscription state entry indexed by Correlation ID.
The sender MUST validate that subscription limits have not been exceeded.
The sender MUST increment the Sequence ID.
The sender MAY include TLVs expressing subscription parameters (e.g., topic, conditions).
The sender MUST send periodic notifications (TELL) while the subscription remains active.

The receiver MUST validate OSCORE before processing.
The receiver MUST establish or refresh subscription state.
The receiver SHOULD acknowledge with a TELL containing subscription parameters.
The receiver MUST enforce subscription expiration, backpressure rules, and resource ceilings.
When conditions are met, the receiver MUST send event notifications as TELL messages.

Subscription cancellation is performed when a TELL or OBSERVE message carries a Cancel-Subscription TLV (Type=0xFF). Upon cancellation:

The receiver MUST delete subscription state.
The receiver MUST stop sending notifications.
The receiver MAY send a TELL confirming deletion.

If subscription limits are exceeded, the receiver MUST reject the OBSERVE with a TELL(error).
If the OBSERVE contains a topic or condition TLV not understood by the receiver, the receiver MAY reject it.
If OSCORE validation fails, the message MUST be dropped.

The following summarizes the semantic requirements of each verb:

PING: Liveness probe; MUST NOT require OSCORE; MUST NOT include protected TLVs.
TELL: Update/response/notification; MUST use OSCORE except in explicitly insecure deployments.
ASK: Request; MUST use OSCORE; MUST generate a TELL response.
OBSERVE: Subscription; MUST use OSCORE; MUST create or update subscription state.

Agents MUST NOT overload verbs with incompatible semantics. All application-defined behaviors MUST build upon these primitives in a manner that preserves µACP’s resource and security guarantees.

This section defines the mandatory-to-implement (MTI) transport binding for µACP: the combination of the Constrained Application Protocol (CoAP) as the transport substrate and OSCORE as the end-to-end object security mechanism. All compliant µACP implementations MUST support this binding. Deployments MAY support additional bindings (e.g., DTLS/UDP or QUIC) but such bindings are outside the scope of this specification and MUST NOT weaken or replace the OSCORE/CoAP MTI profile.

Each µACP message (Header | TLVs | Payload) is encoded as a byte string and placed entirely within the CoAP message payload. Only OSCORE-protected CoAP messages may carry µACP messages (except PING, which MAY be unprotected under specific deployment configurations). µACP messages MUST use the following CoAP message structure:

Method: POST
URI-Path: "muacp" (fixed path for interoperability)
Content-Format: application/muacp+binary
Payload: Full µACP message

This yields the canonical envelope:

Figure 4: CoAP Envelope Carrying a µACP Message Each µACP message corresponds to exactly one CoAP POST. For request/response interactions (ASK → TELL), CoAP confirmable/non-confirmable messages MAY be used depending on QoS requirements.

All µACP messages except PING MUST be protected using OSCORE. OSCORE provides confidentiality, integrity, and replay protection independent of the transport layer. OSCORE MUST protect the following elements:

The entire µACP header (except when outer CoAP metadata is required for routing).
All TLVs except raw TLVs permitted for PING.
The entire µACP payload.

OSCORE replay protection MUST be enabled. Implementations MUST configure replay windows to match expected message rate and resource constraints. OSCORE MUST use a unique security context per agent-pair. Context reuse between unrelated peers is prohibited.

Security contexts for OSCORE MAY be derived by any of the following methods:

EDHOC (RECOMMENDED): A lightweight authenticated key exchange protocol suitable for constrained devices.
Pre-Shared Keys (PSK): For deployments with pre-configured trust anchors.
Out-of-band provisioning: Where security associations are established during manufacturing or commissioning.

When EDHOC is used, the resulting OSCORE context MUST be bound to the EDHOC handshake transcript to prevent identity misbinding attacks.

µACP builds upon CoAP reliability semantics to achieve its QoS model. Implementations MUST map µACP QoS codes to CoAP message types as follows: µACP QoS Meaning CoAP Message Type 0 fire-and-forget NON (Non-confirmable) 1 at-least-once delivery CON (Confirmable) 2 at-most-once delivery NON (No retransmission) CoAP-level acknowledgments MUST NOT be interpreted as µACP-level responses. Application responses are always encoded as TELL messages.

ASK messages MUST be sent as CoAP POST requests. Corresponding TELL responses MUST be sent as CoAP responses. OSCORE MUST protect both directions. The Correlation ID uniquely links the ASK with the TELL response. CoAP Message IDs MUST NOT be used for application correlation. Receivers MUST respond with a TELL message even when requests fail, using an Error TLV to describe failure conditions.

Figure 5: ASK/TELL Over OSCORE-CoAP <---------- 2.04 Changed (TELL, OSCORE) ]]>

OBSERVE establishes a long-lived subscription. Subscriptions are maintained by application logic and do NOT rely on CoAP’s Observe extension (RFC 7641). µACP defines its own subscription model, independent of CoAP's Observe option. OBSERVE MUST be mapped as:

A CoAP POST containing an µACP OBSERVE message.
Notification messages delivered as CoAP POSTs containing TELL messages.

Implementations MUST NOT use CoAP Observe for µACP subscriptions, to avoid semantic conflicts.

All µACP-over-CoAP deployments MUST implement congestion control to prevent network collapse and unfair bandwidth usage. Agents MUST adhere to the following rules:

Apply exponential backoff on CoAP CON retransmissions.
Rate-limit PING to avoid liveness floods.
Throttle OBSERVE notifications when bandwidth pressure is detected.
Maintain deterministic CPU and buffer usage for message handling.
Avoid generating more than one message per RTT per conversation, except under QoS ≥ 1 retransmission.

When Blockwise Transfer (RFC 7959) is used, agents MUST ensure block sizes do not exceed memory limits.

Transport errors such as CoAP timeouts, OSCORE decryption failures, or missing acknowledgments MUST be translated into µACP-level behavior rather than silently ignored. Specifically:

If OSCORE decryption fails, the µACP message MUST be dropped.
If a CoAP CON message is not acknowledged, the sender MUST apply µACP QoS semantics to determine retransmission.
Repeated timeouts MUST cause the µACP conversation to enter a failure state.
Malformed CoAP envelopes MUST cause message discard.

All compliant µACP implementations MUST:

Support CoAP POST requests to the fixed path "muacp".
Support Content-Format: application/muacp+binary.
Protect all messages except PING with OSCORE.
Enforce OSCORE replay protection.
Derive OSCORE contexts using EDHOC or equivalent secure provisioning.
Map QoS codes to CoAP message types according to the CoAP Message Types and Reliability section.
Generate TELL responses for all ASK messages.
Deliver notifications for active OBSERVE subscriptions as TELL messages.

This binding ensures interoperability across all µACP implementations and establishes a minimum security baseline for deployments.

This section defines the normative error-handling rules for µACP, the version-negotiation mechanism, downgrade protection requirements, and the extensibility framework provided by the TLV architecture. Proper handling of malformed messages, incompatible versions, and future extensions is essential for interoperability and robustness.

All protocol-level errors MUST be communicated using a TELL message that includes an Error-Code TLV. Error codes are encoded as unsigned integers and MUST follow the registry defined in the IANA Considerations section.

Error-Code TLV The sender MUST set the Correlation ID of the error response to match the ID of the failing message. Receivers MUST interpret the error code as part of the µACP conversation state.

The following error codes are defined for µACP: Code Name Description 0x01ERR_MALFORMED Malformed header, TLV, or payload. 0x02ERR_UNSUPPORTED_VERB Verb not recognized or not supported by receiver. 0x03ERR_UNSUPPORTED_TLV Critical TLV not understood. 0x04ERR_FORBIDDEN Operation not permitted due to policy or authorization. 0x05ERR_RESOURCE_EXHAUSTED Memory, CPU, or subscription/conversation limits exceeded. 0x06ERR_VERSION_MISMATCH Message uses unsupported protocol version. 0x07ERR_TIMEOUT Sender or receiver timed out while waiting for a response. 0x08ERR_INTERNAL Internal failure not covered by other error categories. Implementations MAY define additional vendor-specific error codes in the vendor range but MUST NOT redefine standardized codes.

Receivers MUST apply strict validation to protect against malformed messages and resource attacks. Specifically:

If TLV Length exceeds remaining bytes, the message MUST be discarded.
If TLVs appear out of Type order, the message MUST be discarded.
If a required TLV (future versions) is absent, the message MUST be rejected.
If header fields contain invalid combinations (e.g., reserved bits set), the message MUST be rejected.
If OSCORE decryption fails, the message MUST be discarded without error signaling.

Where feasible, a receiver SHOULD send a TELL(error) message to report failure, unless doing so would amplify a denial-of-service attack.

Conversations MAY fail due to timeouts, resource limits, or message corruption. When such failures occur:

The agent MUST free associated resources (conversation-table entries).
The agent SHOULD send an ERR_TIMEOUT or ERR_RESOURCE_EXHAUSTED TELL message.
For resource exhaustion, an agent MUST NOT attempt recovery that risks violating its resource budget.

Conversations MUST be terminated when Correlation IDs collide.

µACP includes a Version field in the TLV space to allow forward compatibility. A Version-TLV (Type=0x01) MAY be included in any message to indicate the sender’s supported protocol versions.

Figure 7: Version TLV Receivers MUST ignore Version-TLVs indicating versions higher than supported. Receivers MUST accept messages labeled as version 0x00 (this specification) unless malformed. If a message indicates only unsupported versions, the receiver MUST return ERR_VERSION_MISMATCH.

Implementations MUST ensure that attackers cannot force a peer to use a lower protocol version when a higher mutually supported version is available. Specifically:

When a Version TLV lists multiple supported versions, the highest mutually supported version MUST be chosen.
Version negotiation MUST occur inside OSCORE-protected messages except for PING.
Agents MUST NOT downgrade versions unless a failure condition explicitly requires fallback.

µACP is designed to evolve through extensible mechanisms based on TLVs. The following constraints ensure future versions remain interoperable:

Forward compatibility: Receivers MUST ignore unknown non-critical TLVs.
Backward compatibility: Implementations MUST NOT reuse TLV Types for different semantics.
Critical TLVs: Future versions MAY introduce critical TLVs; receiving an unsupported critical TLV MUST trigger ERR_UNSUPPORTED_TLV.
TLV ordering: All TLVs MUST be sorted by increasing Type value.
Vendor extensions: Types 128–255 are reserved for vendor-specific semantics and MUST NOT require global registration.

Complex or multi-field extensions SHOULD define new structured TLVs rather than overloading primitive types.

This section can be summarized as follows:

Malformed messages MUST be rejected and SHOULD trigger a TELL(error) unless unsafe.
Errors MUST use standardized codes where applicable.
Version negotiation MUST prefer the highest mutually supported version.
Unknown non-critical TLVs MUST be ignored; unknown critical TLVs MUST trigger errors.
OSCORE failures MUST cause silent discard.
Resource exhaustion MUST lead to conservative cleanup behavior.

These requirements ensure that µACP remains robust, extensible, and secure across diverse deployments.

This section requests the creation of new registries and assignments required for µACP to function as an interoperable Internet protocol. All registries use the policies defined in . Unless otherwise stated, values are allocated using the "IETF Review" policy.

IANA is requested to create a new registry entitled "µACP TLV Types". The registry consists of 8-bit values (0–255). Each entry MUST contain:

Value (0–255)
Name
Description
Value format (e.g., integer, UTF-8, CBOR)
Reference

The range is divided as follows:

0–31: Standards Action
32–127: IETF Review
128–255: Vendor-specific

IANA is requested to populate the registry with the initial values below: ValueNameDescriptionFormatReference 0x00RAW_OCTETSUnstructured data; MUST NOT appear in encrypted messages except PING.OpaqueThis document 0x01VERSIONAdvertised supported protocol versions.Array of integersThis document 0x02CONTENT_TYPESpecifies payload encoding.IntegerThis document 0x03CBOR_PAYLOADPayload encoded as CBOR.CBOR data itemThis document 0x20TOPICSubscription topic for OBSERVE.UTF-8 stringThis document 0x21CONDITIONTrigger condition for OBSERVE.UTF-8 or CBORThis document 0x22ERROR_CODEError code returned in TELL(error).IntegerThis document 0xFFCANCEL_SUBSCRIPTIONExplicit termination of OBSERVE subscription.EmptyThis document Future extensions MUST NOT assign new semantics to existing TLV values.

IANA is requested to create a registry entitled "µACP QoS Codes". QoS is encoded as a 2-bit field in the header (values 0–3). ValueNameDescriptionReference 0FIRE_AND_FORGETNo reliability; mapped to CoAP NON.This document 1AT_LEAST_ONCERetransmissions required; mapped to CoAP CON.This document 2AT_MOST_ONCENo retransmission; mapped to CoAP NON.This document 3RESERVEDReserved for future use.This document

IANA is requested to create a registry entitled "µACP Verb Codes". Verb values occupy 2 bits but are listed numerically (0–3). ValueNameDescriptionReference 0PINGLiveness probe.This document 1TELLState update, notification, or response.This document 2ASKRequest for information or action.This document 3OBSERVESubscription to events or state changes.This document

IANA is requested to create a registry entitled "µACP Error Codes" consisting of integers 0–255. The initial contents are listed in the Error Handling section. The assignment policy for values 0–127 is IETF Review. Values 128–255 are vendor-specific and use the "First Come First Served" policy.

IANA is requested to register the following CoAP Content-Format: NameMedia TypeEncodingIDReference application/muacp+binary application/muacp+binary Binary TBD (to be assigned by IANA) This document This Content-Format is mandatory for all µACP-over-CoAP messages. Note: The Content-Format ID value marked as "TBD" will be assigned by IANA during the IESG review process, prior to publication of this document as an RFC. The assignment will follow the "IETF Review" policy as specified in .

IANA is requested to register the following media type in the "application" registry: Type name: application
Subtype name: muacp+binary
Required parameters: none
Optional parameters: none
Encoding considerations: binary
Security considerations: See Security Considerations section.
Interoperability considerations: Defined by TLV and header structure.
Published specification: This document.
Intended usage: COMMON
Author/Change controller: IETF

IANA is requested to register the following CoAP Well-Known URI: URIDescriptionReference /.well-known/muacp Discovery resource indicating µACP support. This document A CoAP GET to /.well-known/muacp SHOULD return a CBOR structure describing supported TLVs, maximum sizes, and supported versions.

IANA is requested to:

Create the µACP TLV Types registry and populate initial values.
Create the µACP QoS Codes registry.
Create the µACP Verb Codes registry.
Create the µACP Error Codes registry.
Register the CoAP Content-Format application/muacp+binary.
Register the media type application/muacp+binary.
Register the well-known CoAP resource /.well-known/muacp.

These actions enable interoperable deployment of µACP across implementations and ensure long-term extensibility under IETF governance.

This section defines the normative finite-state machines (FSMs) governing the behavior of µACP conversations, including request/response cycles (ASK/TELL), subscriptions (OBSERVE), and health checks (PING). Implementations MUST implement the FSMs defined here to ensure deterministic, interoperable behavior across devices and deployments. State machines are expressed using ASCII-art diagrams with labeled transitions and MUST be interpreted normatively. When timing behavior is required, timers MUST be implemented with bounded CPU and memory overhead suitable for constrained devices.

Agents operate according to a deterministic event loop:

Receive µACP message
Validate OSCORE (if required)
Validate header, TLVs, and payload
Identify conversation via Correlation ID
Execute verb-specific FSM transition
Emit resulting messages (if any)

Agents MUST support at least 64 concurrent conversations and MUST reject new conversations if resource ceilings are exceeded (ERR_RESOURCE_EXHAUSTED).

The ASK/TELL FSM governs synchronous (or quasi-synchronous) exchanges where one party issues a request and the peer returns a response. ASK MUST initiate a conversation. TELL completes it.

Figure 8: ASK/TELL State Machine returns to IDLE ]]> State definitions:

IDLE: No active conversation for this Correlation ID. Sender may emit ASK to enter WAIT_RESP.
WAIT_RESP: ASK has been sent; awaiting TELL.
- If TELL received → transition to COMPLETED.
- If timer expires and QoS=1 → retransmit ASK and reset timer.
- If timer expires and QoS=0 or QoS=2 → transition to COMPLETED with ERR_TIMEOUT.
COMPLETED: Final state.
- Conversation table entry MUST be deleted.

Receiver behavior is symmetric: upon receiving ASK, it enters a SERVE_REQ transient state, computes a response, and emits a TELL message. Errors (malformed request, unauthorized action, resource exhaustion) MUST produce a TELL(error) instead of silence.

PING serves as a minimal liveness check. PING does not create long-lived conversation state and SHOULD remain extremely lightweight.

Figure 9: PING/TELL Liveness FSM Key requirements:

PING MUST NOT require OSCORE.
PING MUST NOT modify application state.
Receivers SHOULD reply with TELL unless explicitly configured otherwise.
Timeout MUST NOT cause retransmissions (congestive safety).

OBSERVE establishes a long-lived subscription used for event-driven communication. Subscription state MUST be explicitly tracked and MUST enforce resource ceilings.

Figure 10: OBSERVE Subscription FSM State definitions:

NO_SUB: No subscription exists for this Correlation ID. Receiving OBSERVE creates subscription state.
SUBSCRIBED: Active subscription.
- Trigger conditions (TLVs) MUST be monitored.
- Subscription MUST expire after configured lifetime unless refreshed.
- Resource limits MUST be enforced (max subscriptions per peer).
NOTIFY: When trigger conditions are met, a TELL message MUST be sent.
- Notifications MUST NOT be sent faster than congestion-control rules permit.
TERMINATED: Subscription canceled via CANCEL_SUB (TLV=0xFF) or due to resource exhaustion.
- All subscription state MUST be deleted.

Errors encountered during processing MUST transition the FSM into a predictable termination state. This prevents deadlocks and resource leaks.

ERR_MALFORMED: Immediately discard message; no state created; MAY send error TELL.
ERR_UNSUPPORTED_TLV: Terminate the offending conversation; MUST send error TELL.
ERR_TIMEOUT: Conversation enters COMPLETED with error; resources MUST be freed.
ERR_RESOURCE_EXHAUSTED: Reject request; MUST NOT allocate new conversation state.
OSCORE failure: Silent discard; MUST NOT leak metadata; MUST NOT update state.

Because µACP targets constrained environments, all FSM transitions MUST complete in bounded time and memory. The following limits apply:

Conversation table: MUST support at least 64 active conversations.
Subscription table: MUST support at least 16 active OBSERVE subscriptions.
Per-message processing time: MUST complete within platform-defined real-time bounds.
Message buffers: MUST have deterministic maximum sizes (header+1024-byte TLVs+payload).
Timers: MUST be implemented without per-message dynamic allocation.

Platforms MAY employ preallocated memory pools, cyclic buffers, or static tables to satisfy the above constraints.

ASK MUST initiate a conversation; TELL MUST complete it.
PING MUST remain stateless and congestion-safe.
OBSERVE MUST create explicit subscription state and enforce resource ceilings.
All FSMs MUST terminate in bounded time.
OSCORE failures MUST be silent but MUST NOT permit partial state updates.
Errors MUST produce deterministic transitions to safe terminal states.

The FSMs in this section define the interoperable processing model for all conformant µACP agents.

This section defines the security properties, assumptions, and mandatory mitigations for µACP. Because µACP targets severely resource-constrained devices, the protocol does not embed cryptographic primitives directly; instead, it relies on OSCORE and the underlying transport for security. All implementations MUST follow the requirements in this section to avoid exposure to denial-of-service, spoofing, downgrade, replay, or privacy attacks.

The µACP threat model assumes that attackers may:

Passively eavesdrop on traffic.
Modify, inject, reorder, or replay messages.
Attempt to exhaust memory, CPU, storage, energy, or subscription tables.
Attempt to desynchronize conversation or subscription state.
Conduct traffic analysis to infer system behavior.
Attempt version downgrades or feature-stripping attacks.
Exploit weak random number generation for Correlation IDs.
Exploit incorrect OSCORE configuration (e.g., key reuse, replay window misconfiguration).

The protocol provides security only when implemented with OSCORE as defined in the Transport Binding section. Attackers are assumed to have full control of the transport layer but not of OSCORE-protected channels.

All µACP messages except PING MUST be authenticated and integrity-protected using OSCORE. Without OSCORE, µACP messages MUST be considered untrusted and MUST NOT modify system state. OSCORE provides:

Peer authentication (when derived from EDHOC or provisioned credentials),
Integrity protection over header, TLVs, and payload,
Replay protection through sequence numbers and replay windows,
Binding of request/response messages.

Implementations MUST use a unique OSCORE security context per communicating peer. Context reuse risks identity substitution or multi-peer cross-contamination attacks.

TELL, ASK, and OBSERVE messages MAY contain sensitive or mission-critical data. These messages MUST be encrypted via OSCORE. Only PING is permitted to be unencrypted. Authorization MUST be enforced at the receiving agent before performing operations triggered by ASK or OBSERVE. Unauthorized or unauthenticated requests MUST be rejected using ERR_FORBIDDEN or silently dropped in high-threat environments.

µACP relies on OSCORE replay protection. Implementations MUST enable and correctly maintain OSCORE replay windows. Message Sequence IDs and Correlation IDs do not substitute for OSCORE's replay mechanism. Additional replay mitigations:

Receivers SHOULD maintain a per-peer sliding window of recent Sequence IDs.
Subscription-triggered notifications MUST validate freshness before emitting updates.
Agents MUST reject delayed or reordered messages if OSCORE replay windows indicate a stale nonce.

Failure to enforce replay semantics MAY allow repeated actions, unexpected state transitions, or resource exhaustion.

µACP devices frequently operate with strict limits on memory, CPU cycles, and energy. Attackers may attempt to exploit this by flooding the device with requests, subscriptions, or malformed messages. Implementations MUST enforce:

Maximum number of active conversations (minimum 64 required).
Maximum number of OBSERVE subscriptions (minimum 16 required).
Rate limits on incoming PING and ASK messages.
TLV region size limits (max 1024 bytes).
Payload size limits (max 65535 bytes).
Static or preallocated memory pools for message buffers.

When limits are exceeded, agents MUST return ERR_RESOURCE_EXHAUSTED or silently drop messages depending on congestion severity. CoAP-level DoS mitigation (exponential backoff, NON vs CON behavior) MUST also be applied per Section 5.7.

OBSERVE introduces long-lived state which attackers may exploit. To prevent hijacking or unauthorized cancellation:

OBSERVE and CANCEL_SUB MUST be OSCORE-protected.
Subscriptions MUST be bound to an authenticated OSCORE context.
Correlation IDs MUST be unpredictable to prevent guessing active subscription identifiers.
Subscription deletion MUST require either:
- a valid CANCEL_SUB message from the same authenticated peer, OR
- timeout or resource exhaustion constraints documented by the implementation.
Agents MUST reject subscription attempts that exceed configured resource ceilings.

Failure to enforce these rules could allow attackers to redirect notifications, silence alarms, or manipulate event-driven logic.

The Version TLV enables forward compatibility but introduces risks of downgrade attacks. Implementations MUST enforce:

The highest mutually supported version MUST be used.
Version negotiation MUST occur under OSCORE, except for PING.
Agents MUST reject messages that advertise only unsupported versions.
Agents MUST NOT fall back silently to lower versions.

This prevents attackers from forcing devices into insecure or deprecated protocol variants.

µACP messages may reveal operational state, environmental conditions, unique identifiers, or system topology. OSCORE encryption mitigates most risks, but implementations MUST also consider:

Correlation IDs must not encode identifying information.
Payloads should avoid transmitting sensitive or personal data unnecessarily.
Event-driven OBSERVE notifications may reveal behavioral patterns; rate-limiting reduces leakage.
Well-known URIs may expose protocol usage; returning minimal metadata is RECOMMENDED.

Applications MAY use additional payload encryption or anonymization when required by operational policies or regulations.

Even with OSCORE, attackers may observe message size, frequency, or timing patterns. Implementations SHOULD mitigate traffic analysis when possible:

PING rates should be bounded and randomized.
Regular padding of OSCORE ciphertext MAY be used, subject to energy constraints.
OBSERVE notifications SHOULD avoid revealing high-frequency activity in sensitive deployments.

Because µACP operates in constrained environments, padding and obfuscation are OPTIONAL but SHOULD be supported in deployments requiring stronger protection.

OSCORE security depends on proper management of key material. Implementations MUST provide:

Secure key provisioning (EDHOC, pre-shared keys, or manufacturing-time injection).
Rotation of OSCORE master secrets on a schedule appropriate for device lifetime.
Secure deletion of expired or unused keys.
Protection against key reuse across unrelated peers.
Protection of key material against side-channel extraction on constrained hardware.

Compromise of OSCORE keys compromises confidentiality, integrity, and authentication for µACP messages.

Failures MUST NOT cause inconsistent or undefined agent behavior. Specifically:

Malformed messages MUST be discarded without modifying state.
OSCORE failures MUST be silent and MUST NOT produce error messages that could be used for oracle attacks.
Timeouts MUST clean up state deterministically.
Subscription state MUST never persist without authenticated refresh.

In safety-critical systems (e.g., water infrastructure, industrial IoT), safe fallback behavior SHOULD be validated through formal analysis or runtime verification.

µACP security depends critically on the use of OSCORE and strict adherence to this section’s requirements. At a minimum:

All messages except PING MUST be OSCORE-protected.
Replay windows MUST be enforced.
Subscriptions MUST be authenticated and bounded.
Resource ceilings MUST be applied to prevent DoS.
Version negotiation MUST resist downgrade.
Malformed inputs MUST NOT affect state.
Key management MUST follow secure lifecycle practices.

Failure to follow any of these requirements may enable attackers to compromise µACP deployments.

This section defines the minimum feature set required for interoperability between µACP implementations, along with deployment profiles tailored to different classes of devices and networks. All compliant implementations MUST satisfy the baseline profile and SHOULD support additional profiles where appropriate.

The Minimum Interoperability Profile defines the set of features all µACP agents MUST implement. These requirements ensure that any two µACP-compliant endpoints can communicate reliably and securely. Implementations MUST support:

The µACP 64-bit header format.
All four verbs: PING, TELL, ASK, and OBSERVE.
The TLV processing model (including ordering, ignoring unknown TLVs, and size limits).
The mandatory OSCORE/CoAP transport binding.
Content-Format application/muacp+binary.
Conversation state for at least 64 active Correlation IDs.
Subscription state for at least 16 active OBSERVE subscriptions.
Error-handling behavior as defined in the Error Handling section.
Deterministic state-machine execution as defined in the State Machines section.
Strict enforcement of TLV region and payload size bounds.

Any implementation lacking one or more of the above cannot be considered µACP-compliant.

The Constrained Node Profile targets microcontroller-class devices with severe limitations on RAM, energy, and CPU. Devices in this class typically include ARM Cortex-M series, ESP32, and similar embedded platforms. Implementations operating under the CNP MUST:

Use static or preallocated memory buffers for message processing.
Enforce strict upper bounds on subscription count, message buffers, and timers.
Support fragmentation only when required by the underlying transport; otherwise, fragmentation SHOULD be disabled.
Use compact TLVs and avoid optional features requiring large buffers.
Perform minimal logging to avoid overhead.
Restrict payload sizes to what can be safely processed on the platform.

Implementations SHOULD:

Use simplified state machines optimized for deterministic resource usage.
Prefer PSK- or EDHOC-based OSCORE contexts instead of heavier PKI-based provisioning.
Disable or heavily restrict vendor-specific TLVs.

The Infrastructure Node Profile targets devices with moderate-to-high resources such as edge gateways, industrial controllers, and cloud-side collectors. These nodes typically support more extensive logic and higher traffic volumes. Implementations under this profile MUST:

Support full subscription features including complex event conditions.
Support extended TLV sets and vendor-specific extensions.
Maintain replay windows sized for high-throughput communication.
Support EDHOC or equivalent authenticated key exchange mechanisms.
Provide robust error-logging and diagnostics.
Support rate-shaping for downstream constrained nodes.

INP nodes MAY:

Provide protocol translation (e.g., convert µACP/OSCORE-CoAP to internal RPC or message bus formats).
Use hardware acceleration for crypto operations when available.
Implement adaptive batching or aggregation of TELL notifications for efficiency.

µACP is designed to allow interoperability between constrained and infrastructure nodes. The following rules ensure safe cross-profile communication:

Messages sent from INP nodes MUST adhere to the resource ceilings of peer CNP nodes.
INP nodes MUST NOT send payloads or TLVs exceeding the max supported size of constrained nodes.
INP nodes SHOULD apply traffic shaping to avoid overwhelming constrained devices.
CNP nodes MUST ignore unsupported TLVs without entering error states.
CNP nodes MAY restrict OBSERVE features to static or simple triggers.
Fallback to the Minimum Interoperability Profile MUST always be possible.

Implementations MUST guarantee that all profile interactions preserve the security properties defined in the Security Considerations section.

Deployments may apply µACP in different operational environments. This subsection defines three common deployment profiles and associated requirements.

Examples include NB-IoT, LoRaWAN, Sigfox.

Message size limits are strict; fragmentation SHOULD be avoided.
OBSERVE triggers SHOULD be sparse and batched when possible.
Ask/Tell round trips MUST consider high RTT variability.
OSCORE contexts SHOULD minimize nonce overhead.

Implementations MUST ensure real-time processing guarantees.
OBSERVE notifications MUST comply with predictable timing windows.
Extended diagnostics and telemetry SHOULD be enabled.
Security posture MUST disallow unencrypted traffic entirely (PING included).

INP nodes may aggregate µACP messages for cloud ingestion.
End-to-end OSCORE MUST remain intact through intermediaries.
Topology and addressing metadata SHOULD NOT leak at intermediaries.
Periodic key rotation SHOULD be aligned with cloud-side policy.

Feature discovery occurs using a GET request to the well-known resource /.well-known/muacp. The response SHOULD include a CBOR map containing:

Maximum TLV size supported
Maximum payload size
Supported TLV types
Supported verbs (always all four)
Supported µACP versions
Supported congestion control modes

Nodes SHOULD cache feature negotiation results until expiration or reboot.

To guarantee interoperability even when nodes support different feature sets, µACP defines the following fallback rules:

Unknown TLVs MUST be ignored.
Unsupported features MUST degrade to MIP (Minimum Interoperability Profile).
Subscription requests exceeding CNP limits MUST return ERR_RESOURCE_EXHAUSTED.
If version negotiation fails, agents MUST return ERR_VERSION_MISMATCH.
If congestion control features are unsupported, agents MUST revert to CoAP default mechanisms.

Fallback MUST preserve safety and integrity, even if advanced features are unavailable.

µACP interoperability depends on:

Universal support for the Minimum Interoperability Profile.
Profiles for constrained nodes and infrastructure nodes.
Deterministic FSM processing as defined in the State Machines section.
Mandatory OSCORE/CoAP transport.
Safe fallback when encountering unsupported features.
Strict enforcement of resource ceilings.

These requirements ensure reliable communication across heterogeneous ecosystems, from microcontroller devices to large-scale industrial or cloud deployments.

This section provides complete, normative examples of µACP messages on the wire. Examples include raw µACP binary encodings, CBOR-embedded payloads, OSCORE-protected CoAP envelopes, and OBSERVE subscription exchanges. All examples use placeholder keys and nonces for illustration only. Byte order is network byte order (big-endian). Hexadecimal text is for illustration; actual deployments use binary encodings.

The examples below use the following conventions:

H: µACP Header (64 bits)
Tn: nth TLV (Type-Length-Value)
P: Payload
C: CoAP envelope
OS: OSCORE encryption wrapper
CBOR[...]: CBOR structure encoded into bytes

A minimal PING contains only the µACP header and MUST NOT be OSCORE-protected.

Example 1: PING (Hex) No TLVs, no payload.

This example shows an ASK containing a CBOR payload before OSCORE protection is applied. CBOR payload representation:

Message:

Example 2: ASK (Hex)

This example illustrates a complete OSCORE-protected request/response using CoAP POST. Step 1 — ASK wrapped in CoAP + OSCORE:

Example 3a: CoAP Envelope (ASK) Step 2 — TELL response:

Example 3b: CoAP Envelope (TELL Response)

This example shows how an OBSERVE message establishes a subscription.

Example 4: OBSERVE (Hex) Subsequent notifications are sent as TELL messages sharing the Correlation ID 0x2005.

A peer cancels an active subscription by sending CANCEL_SUB.

Example 5: CANCEL_SUB (Hex)

This example shows a TELL(error) response containing ERR_UNSUPPORTED_TLV.

Example 6: ERR_UNSUPPORTED_TLV

µACP does not define native fragmentation but MAY rely on CoAP Blockwise Transfer (RFC 7959). The µACP message remains intact inside each CoAP block. Example (two blocks):

Example 7: Blockwise Transfer Receivers MUST reassemble blocks before OSCORE processing when the OSCORE option is Outer.

The examples in this section demonstrate:

Minimal µACP messages.
CBOR-encoded payloads.
OSCORE-protected messages inside CoAP POST.
Full ASK/TELL interaction.
OBSERVE subscription and cancellation lifecycles.
Error signaling via TELL(error).
Fragmentation via CoAP Blockwise Transfer.

These examples are normative for message formatting and MUST be used for interoperability testing.

This section defines the normative conformance tests required to validate µACP implementations. A device or software stack MUST pass all tests in this section to be considered µACP-compliant. Implementations SHOULD additionally validate behavior against the wire examples.

Conformance tests are grouped into the following categories:

Header and TLV Encoding Tests
Parser Robustness and Error Handling Tests
State-Machine Behavior Tests
OSCORE Security Tests
Replay and Freshness Tests
Subscription Lifecycle Tests
Resource Constraint Enforcement Tests
Interoperability Tests

Implementations MUST correctly encode and decode the 64-bit header and all mandatory TLV behaviors.

H1: Verify correct parsing of all header fields (Verb, QoS, Flags, Sequence ID, Correlation ID, Reserved).
H2: Reserved bits MUST be ignored on input and encoded as zero on output.
H3: TLV region length MUST NOT exceed 1024 bytes.
H4: Unknown TLV types MUST be ignored without entering an error state.
H5: TLV Length MUST be strictly respected; truncated TLVs MUST cause message rejection.
H6: TLV Type 0x00 (Raw Octets) MUST be rejected in OSCORE-protected messages.
H7: Test vectors in the Wire Examples section MUST decode successfully.

Implementations MUST handle malformed or adversarial input safely and deterministically.

P1: Malformed headers MUST cause silent discard.
P2: Oversized payloads MUST be rejected with ERR_PAYLOAD_TOO_LARGE.
P3: Invalid TLV lengths MUST trigger ERR_MALFORMED_TLV.
P4: Excessive nested TLVs MUST NOT cause unbounded memory allocation.
P5: Invalid Verb codes MUST trigger ERR_UNSUPPORTED_VERB.
P6: Messages exceeding local memory capacity MUST trigger ERR_RESOURCE_EXHAUSTED.

Agents MUST implement the state machines defined in the State Machines section. These tests validate deterministic transitions.

FSM1: ASK MUST create a conversation and transition to WAIT_RESP.
FSM2: Receipt of TELL MUST transition the conversation to COMPLETED.
FSM3: Timeout behavior MUST match QoS semantics (QoS=1 → retransmit; QoS=0/2 → terminate).
FSM4: OBSERVE MUST create a subscription; notifications MUST reuse the Correlation ID.
FSM5: CANCEL_SUB MUST delete subscription state.
FSM6: PING MUST NOT allocate conversation state.
FSM7: Error conditions MUST terminate conversations deterministically.

Since µACP relies on OSCORE for security, implementations MUST pass all OSCORE-related checks.

S1: OSCORE MUST authenticate and decrypt TELL, ASK, and OBSERVE messages.
S2: OSCORE failures MUST cause silent discard and MUST NOT leak metadata.
S3: Replay windows MUST be enforced (test using replayed ciphertext).
S4: OSCORE contexts MUST NOT be reused across peers.
S5: Downgrade attempts (e.g., forcing version=0) MUST be detected and rejected.
S6: Incorrect nonce reuse MUST be rejected by the recipient.

R1: Replaying ASK messages MUST NOT trigger repeated actions.
R2: Replayed OBSERVE notifications MUST be rejected.
R3: Correlation IDs MUST prevent cross-conversation replay.
R4: Freshness MUST be derived from OSCORE sequence numbers.

SUB1: OBSERVE MUST create subscription state.
SUB2: TELL notifications MUST reuse the Correlation ID.
SUB3: Subscription expiration MUST delete state deterministically.
SUB4: CANCEL_SUB MUST be accepted only from the authenticated subscriber.
SUB5: Unauthorized CANCEL_SUB MUST be rejected.
SUB6: Subscriptions MUST respect configured resource ceilings.

Since µACP targets constrained devices, correct enforcement of resource ceilings is mandatory.

RC1: Maximum conversation entries MUST NOT exceed configured table size.
RC2: Maximum active subscriptions MUST NOT exceed resource ceilings.
RC3: Excessive simultaneous ASK messages MUST trigger ERR_RESOURCE_EXHAUSTED.
RC4: TLV section > 1024 bytes MUST be rejected.
RC5: Payload > 65535 bytes MUST be rejected.
RC6: Message processing MUST complete within bounded time (platform-defined).

Two independent implementations MUST successfully interoperate under the Minimum Interoperability Profile. Specifically:

I1: A conformant ASK from Implementation A MUST produce a conformant TELL from Implementation B.
I2: OBSERVE/NOTIFY MUST interoperate across different profiles (CNP ↔ INP).
I3: Unknown TLVs from A MUST NOT break B, and vice versa.
I4: Feature negotiation via /.well-known/muacp MUST correctly determine shared feature sets.
I5: Two implementations MUST successfully exchange OSCORE-protected messages.

Successful completion of these tests is required for interoperability certification.

µACP implementations MUST:

Correctly parse and construct messages.
Implement the mandatory state machines.
Use OSCORE correctly and securely.
Reject malformed or adversarial input safely.
Enforce all resource ceilings.
Support cross-profile interoperability.

Passing the tests in this section validates full compliance with the µACP specification.