diff --git a/auth.capnp b/auth.capnp
index f0f69b1..ebdecb5 100644
--- a/auth.capnp
+++ b/auth.capnp
@@ -9,6 +9,7 @@ using import "main.capnp".Session;
 struct AuthSupported {
 mechs @0 :List(Mechanism);
 cbtypes @1 :List(Text);
+ upgrades @2 :List(Text);
 }
 struct Mechanism {
@@ -17,7 +18,7 @@ struct Mechanism {
 # Additional Info for OpenID / OAUTH2
 }
-struct Response {
+struct Response(Successful) {
 enum Reason {
 aborted @0;
 # This authentication exchange was aborted by either side.
@@ -91,7 +92,7 @@ struct Response {
 # The exchange was successful and a new session has been created for the authzid that
 # was established by the SASL exchange.
- session @4 :Session;
+ session @4 :Successful;
 # The session that was created. It grants access to all capabilities the connecting
 # party has permissions for.
@@ -104,8 +105,9 @@ struct Response {
 # The current authentication exchange was successful, but the client needs to perform
 # a second round of authentication (e.g. 2FA) to continue.
- nextMechanisms @6 :List(Mechanism);
- # List of mechanisms now available to the client.
+ tasks @6 :List(Mechanism);
+ # List of mechanisms now available to the client. Authentication by those MUST NOT
+ # establish a new security layer or set a new authorization id.
 additionalData @7 :Data;
 # SASL may send additional data with the continue result. This MAY be a NULL-ptr or a
@@ -115,8 +117,8 @@ struct Response {
 }
 }
-interface Authentication {
- step @0 ( data :Data ) -> Response;
+interface Authentication(Successful) {
+ step @0 ( data :Data ) -> Response(Successful);
 # Respond to a challenge with more data. A client MUST NOT call this after having received an
 # "successful" response.
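Review bot: The new `upgrades @2 :List(Text);` field in `AuthSupported` carries no comment, although the neighbouring fields and the `Mechanism` struct below are documented. Its only consumer visible in this commit is the `upgrade :Text` parameter added to `Bootstrap.createSession` in main.capnp, so the comment should say what the strings name, that an empty list means no upgrade is offered, and that the server rejects an `upgrade` it did not advertise here. Something like `# Upgrades the server offers in this context; a client passes one of these to Bootstrap::createSession. Empty means none are offered.` would do, adjusted to the intended semantics.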
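Review bot: The generic parameter introduced by `struct Response(Successful) {` is undocumented, and the comment kept under `session @4 :Successful;` in the -91 hunk still reads "The session that was created", which only holds for the `Authentication(Session)` instantiation in main.capnp. A one-line comment on the struct such as `# Successful: the capability handed out once the exchange completes (Session for Bootstrap::createSession).`, plus rewording the field comment to "The value of type Successful that was created", would keep both in step. The header of the first hunk still shows `using import "main.capnp".Session;`; if nothing else in auth.capnp references Session after this change, that import is now unused and dropping it would remove the mutual import between auth.capnp and main.capnp. The body of Response continues outside both hunks.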
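Review bot: The comment under `tasks @6 :List(Mechanism);` states that authentication by those mechanisms MUST NOT establish a new security layer or set a new authorization id, but nothing says how that requirement is upheld when a client later calls `nextTask` with one of them. Stating the consequence, e.g. `# A server MUST NOT list such mechanisms here and MUST fail a nextTask exchange that would violate this.`, makes the rule checkable on both sides. The wording "List of mechanisms" also no longer matches the field's new name; "List of tasks (mechanisms) now available to the client" would tie the two together. The enclosing union and struct continue outside the hunk.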
@@ -129,6 +131,6 @@ interface Authentication {
 # after sending this response. The server MAY after a short grace period terminate the stream
 # without sending a response if no call to `step` was received by the client.
- nextAuthenticate @2 ( mechanism :Text, initialData :Data ) -> Response;
+ nextTask @2 ( mechanism :Text, initialData :Data ) -> Response(Successful);
 # Call this after a continue was returned
 }
diff --git a/main.capnp b/main.capnp
index 8a380ad..0221eb1 100644
--- a/main.capnp
+++ b/main.capnp
@@ -35,7 +35,7 @@ interface Bootstrap
 mechanisms @3 () -> AuthSupported;
 # Get a list of Mechanisms this server allows in this context.
- createSession @4 ( mechanism :Text ) -> ( authentication :Authentication );
+ createSession @4 ( mechanism :Text, upgrade :Text ) -> ( authentication :Authentication(Session) );
 # Create a new session with the server that you wish to authenticate using `mechanism`. If the
 # mechanism is a client-first mechanism you can then immediately call Authentication::step with
 # initial data in a pipelined fashion. If the mechanism is server-first you must call
diff --git a/traits/checkable.capnp b/traits/checkable.capnp
index 5ee7cce..695f9fa 100644
--- a/traits/checkable.capnp
+++ b/traits/checkable.capnp
@@ -1,5 +1,8 @@
 @0x80d4a09e28022edb;
+using Rust = import "../programming_language/rust.capnp";
+$Rust.parentModule("schema::traits");
+
 using CSharp = import "../programming_language/csharp.capnp";
 $CSharp.namespace("FabAccessAPI.Schema");
diff --git a/traits/claimable.capnp b/traits/claimable.capnp
index 1da20de..f8d9c73 100644
--- a/traits/claimable.capnp
+++ b/traits/claimable.capnp
@@ -1,5 +1,8 @@
 @0xcdb148188bb77a8e;
+using Rust = import "../programming_language/rust.capnp";
+$Rust.parentModule("schema::traits");
+
 using CSharp = import "../programming_language/csharp.capnp";
 $CSharp.namespace("FabAccessAPI.Schema");
diff --git a/traits/door.capnp b/traits/door.capnp
index d6a934a..6c6f9e9 100644
--- a/traits/door.capnp
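Review bot: `nextTask @2 ( mechanism :Text, initialData :Data ) -> Response(Successful);` does not say that `mechanism` must be one of the `tasks` returned in the preceding continue result, nor what the `Successful` value of a second-round success is relative to the first round. Given the rule elsewhere in this commit that tasks MUST NOT set a new authorization id, the natural contract is that the server rejects a mechanism not in `tasks` and that a successful second round yields the same kind of value the first round would have. The comment `# Call this after a continue was returned` could become `# Call this after a continue was returned, with one of the mechanisms listed in its tasks field; any other mechanism is rejected.`.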
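Review bot: The `upgrade :Text` parameter added to `createSession @4` is not mentioned in the method comment that follows, which still describes only `mechanism`. Because a Cap'n Proto Text parameter reads as an empty string in the common bindings when a caller built against the previous schema omits it, the comment should state what an empty `upgrade` means and that values not listed in `AuthSupported.upgrades` (as returned by `mechanisms @3`) are rejected; e.g. `# upgrade selects one of the upgrades advertised by mechanisms(); empty selects none.` appended to the existing comment. The method comment continues beyond the hunk.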
+++ b/traits/door.capnp
@@ -1,5 +1,8 @@
 @0xccad643c8c6f6b25;
+using Rust = import "../programming_language/rust.capnp";
+$Rust.parentModule("schema::traits");
+
 using CSharp = import "../programming_language/csharp.capnp";
 $CSharp.namespace("FabAccessAPI.Schema");
diff --git a/traits/locateable.capnp b/traits/locateable.capnp
index 4fb3db8..1540bee 100644
--- a/traits/locateable.capnp
+++ b/traits/locateable.capnp
@@ -1,5 +1,8 @@
 @0x9fa2b43397f34e02;
+using Rust = import "../programming_language/rust.capnp";
+$Rust.parentModule("schema::traits");
+
 using CSharp = import "../programming_language/csharp.capnp";
 $CSharp.namespace("FabAccessAPI.Schema");
diff --git a/traits/lockers.capnp b/traits/lockers.capnp
index 7aab8ad..69ef34a 100644
--- a/traits/lockers.capnp
+++ b/traits/lockers.capnp
@@ -1,5 +1,8 @@
 @0x82abdb5c1dcf399d;
+using Rust = import "../programming_language/rust.capnp";
+$Rust.parentModule("schema::traits");
+
 using CSharp = import "../programming_language/csharp.capnp";
 $CSharp.namespace("FabAccessAPI.Schema");
diff --git a/traits/powerable.capnp b/traits/powerable.capnp
index c9c32e6..298f4ed 100644
--- a/traits/powerable.capnp
+++ b/traits/powerable.capnp
@@ -1,5 +1,8 @@
 @0xbab3de8275be2271;
+using Rust = import "../programming_language/rust.capnp";
+$Rust.parentModule("schema::traits");
+
 using CSharp = import "../programming_language/csharp.capnp";
 $CSharp.namespace("FabAccessAPI.Schema");
diff --git a/utils.capnp b/utils.capnp
index 4ea8b81..231e043 100644
--- a/utils.capnp
+++ b/utils.capnp
@@ -56,14 +56,10 @@ struct UUID {
 }
 using OID = Data;
-# An OID is encoded as a sequence of varints. In this encoding the lower 7 bits of each octet
-# contain data bits while the MSB indicates if the *following* octet is still part of this edge. It
-# is the same encoding UTF-8 uses. To decode you simply collect octets until you find an octet <128
-# and then concat the data bits of all the octets you've accumulated, including the current one.
-# This gives you the value of one node. Continue until you've exhausted the available data. This is
-# a rather efficient encoding since almost all edges of the OID tree are smaller than 128 and thus
-# encode into one byte. X.208 does *not* limit the size of nodes! However, a reasonable size limit
-# is 128 bit per node, which is the size of the UUID nodes in the `2.25` subtree.
+# An OID is encoded as a sequence of varints, following ITU-T Rec. X.690 Section 8.19.
+# Consider that X.208 does *not* limit the size of arc identifiers! However, a
+# reasonable size limit is 128 bit per arc, which is the size of the UUID nodes
+# in the `2.25` subtree.
 struct Map(Key, Value) {
 # Generic Key-Value-Map
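Review bot: The rewritten comment on `using OID = Data;` points at X.690 Section 8.19 but drops the one detail a decoder needs: whether the first two arcs are folded into a single subidentifier as `(X*40)+Y`, as 8.19.4 prescribes, or whether every arc is its own varint, which is what the removed text ("gives you the value of one node") described. The 128-bit per-arc figure is also presented as a reasonable limit rather than a bound, so a decoder has no stated point at which to stop accumulating continuation octets and reject the value. Suggest adding `# The first two arcs are combined as in X.690 8.19.4; decoders SHOULD reject an arc wider than 128 bit.`, or the opposite statement if the encoding intentionally diverges from X.690 here.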