Admin-reserved and Prohibited Key Derivation Protocols

Ty Everett (


We define a set of reserved protocol namespaces that can be employed by clients utilizing the BRC-43 invoice numbering scheme to be set aside for administrative and internal use by the client software itself. This enables client software to manage its own internal state without the risk that application software will utilize the same internal protocols.


BRC-431 defines an open-ended way to create protocols and systems of interaction within a BRC-422 key derivation architecture. However, client software implementing the BRC-431 invoice numbering scheme needs a way to manage its own internal state, encrypt data and perform administrative tasks like permissions management without interference from applications.

With this specification, we define a list of namespaces in which applications are never allowed to derive keys, and any client that follows this specification will refuse requests made by applications to perform these operations.


We reserve the following protocol IDs for the administrative and internal use of clients, no matter the security level:

  • User Management

  • DNS Protocol Access Control

  • DNS Spending Authorization

  • DNS Basket Access Control

  • DNS Certificate Access Control

  • Any protocol ID containing babbage

  • Any protocol ID containing cwi


  • 1: BRC-43: Security Levels, Protocol IDs, Key IDs and Counterparties

  • 2: BRC-42: Sendover Key Derivation Scheme

Last updated