<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-fossati-seat-early-attestation-05" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Attestation in TLS/DTLS">Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
    <seriesInfo name="Internet-Draft" value="draft-fossati-seat-early-attestation-05"/>
    <author initials="Y." surname="Sheffer" fullname="Yaron Sheffer">
      <organization>Intuit</organization>
      <address>
        <email>yaronf.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="I." surname="Mihalcea" fullname="Ionut Mihalcea">
      <organization>Arm Limited</organization>
      <address>
        <email>Ionut.Mihalcea@arm.com</email>
      </address>
    </author>
    <author initials="Y." surname="Deshpande" fullname="Yogesh Deshpande">
      <organization>Arm Limited</organization>
      <address>
        <email>Yogesh.Deshpande@arm.com</email>
      </address>
    </author>
    <author initials="T." surname="Fossati" fullname="Thomas Fossati">
      <organization>Linaro</organization>
      <address>
        <email>thomas.fossati@linaro.org</email>
      </address>
    </author>
    <author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <email>k.tirumaleswar_reddy@nokia.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Security</area>
    <workgroup>TLS</workgroup>
    <keyword>attestation</keyword>
    <keyword>RATS</keyword>
    <keyword>TLS</keyword>
    <abstract>
      <?line 139?>

<t>The TLS handshake protocol allows authentication of one or both peers using static, long-term credentials.
In some cases, it is also desirable to ensure that the peer runtime environment is in a secure state.
Such an assurance can be achieved using remote attestation which is a process by which an entity produces Evidence about itself that another party can use to appraise whether that entity is found in a secure state.
This document describes a series of TLS extensions that enable the binding of the TLS authentication key to a remote attestation session.
This enables an entity capable of producing attestation Evidence, such as a confidential workload running in a Trusted Execution Environment (TEE), or an IoT device that is trying to authenticate itself to a network access point, to present a more comprehensive set of security metrics to its peer.
These extensions have been designed to allow the peers to use any attestation technology, in any remote attestation topology, and to use them mutually.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://yaronf.github.io/draft-fossati-seat-early-attestation/draft-fossati-seat-early-attestation.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-fossati-seat-early-attestation/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        SEAT Working Group mailing list (<eref target="mailto:seat@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/seat/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/seat/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/yaronf/draft-fossati-seat-early-attestation"/>.</t>
    </note>
  </front>
  <middle>
    <?line 148?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Remote Attestation (RA) <xref target="RFC9334"/> is the process by which an entity produces evidence about itself that another party can use to evaluate the trustworthiness of that entity.
This document describes a series of extensions to the TLS handshake that enable the binding of the TLS connection and its authentication key to a remote attestation session.
This enables an attester, such as a confidential workload running in a Trusted Execution Environment (TEE) <xref target="I-D.ietf-teep-architecture"/>, or an IoT device that is trying to authenticate itself to a network access point, to present a more comprehensive set of security metrics to its peer.
This, in turn, allows for the implementation of authorization policies at the relying parties that are based on stronger security signals.</t>
      <t>Given the variety of deployed and emerging attestation technologies (e.g., <xref target="TPM1.2"/>, <xref target="TPM2.0"/>, <xref target="I-D.ietf-rats-eat"/>) these extensions have been explicitly designed to be agnostic to the attestation formats.
This is achieved by reusing the generic encapsulation defined in <xref target="I-D.ietf-rats-msg-wrap"/> for transporting Evidence and Attestation Results payloads in the <tt>remoteAttestation</tt> extension.</t>
      <t>This specification provides both one-way (server-only) and mutual (client and server) authentication using traditional TLS authentication combined with attestation, and allows the attestation topologies at each peer to be independent of each other.
The proposed design supports both background-check and passport topologies, as described in Sections <xref target="RFC9334" section="5.2" sectionFormat="bare"/> and <xref target="RFC9334" section="5.1" sectionFormat="bare"/> of <xref target="RFC9334"/>.
This is detailed in <xref target="negotiating-protocol"/>.</t>
      <t>The protocol we propose is implemented completely at the TLS level, resulting in several related advantages:</t>
      <ul spacing="normal">
        <li>
          <t>Implementation is within a single system component.</t>
        </li>
        <li>
          <t>Security does not depend on application-level code, which tends to be less secure than widely shared infrastructure components.</t>
        </li>
        <li>
          <t>It is easier to reason about the application's security, since the peers' identities and security postures are known as soon as the handshake completes
and the TLS connection is established.</t>
        </li>
        <li>
          <t>Application code does not need to change. At most, some configuration is needed, similar to the current use of certificate trust stores.</t>
        </li>
      </ul>
      <t>This document does not mandate any particular attestation technology.</t>
    </section>
    <section anchor="conventions-and-terminology">
      <name>Conventions and Terminology</name>
      <t>The reader is assumed to be familiar with the vocabulary and concepts defined in
<xref section="4" sectionFormat="of" target="RFC9334"/>.</t>
      <t>The following terms are used in this document:</t>
      <dl newline="true">
        <dt>The terms "appraise" and "verify" are used with distinctive semantics throughout the document:</dt>
        <dd>
          <t>"Appraise" covers the act of checking the validity of Attestation Results or Evidence, as per <xref target="RFC9334"/>, performed by Relying Parties and Verifiers respectively.
"Verify" covers all other checks performed by the two TLS peers, intended to assess the correctness of the cryptographic and protocol operations of the TLS layer.</t>
        </dd>
        <dt>TLS Identity Key (TIK):</dt>
        <dd>
          <t>A cryptographic key used by one of the peers to authenticate itself during the
TLS handshake. The protocol's security is critically dependent on the provenance, lifetime and
protection properties of the TIK. The TIK <bcp14>MUST</bcp14> be the X.509 certificate's end entity key and is maintained and protected by the TEE.</t>
        </dd>
        <dt>TIK-C, TIK-S:</dt>
        <dd>
          <t>The TIK that identifies the client or the server, respectively.</t>
        </dd>
        <dt>TIK-C-ID, TIK-S-ID:</dt>
        <dd>
          <t>An identifier for TIK-C or respectively, TIK-S. This may be a fingerprint
(cryptographic hash) of the public key, but other implementations are possible.</t>
        </dd>
        <dt>Attestation binder:</dt>
        <dd>
          <t>A cryptographic nonce value provided by the TLS stack to the TEE. It is used for binding attestation Evidence to a specific TLS handshake and for providing freshness.</t>
        </dd>
      </dl>
      <!-- -->

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="overview">
      <name>Overview</name>
      <t>The basic functional goal is to link the authenticated key exchange of TLS with an interleaved remote attestation session in such a way that the key used to sign the handshake can be proven to be residing within the boundaries of an attested TEE.
The requirement is that the attester can provide Evidence containing the security status of both the signing key and the platform that is hosting it.
The associated security goal is to obtain such binding so that no replay, relay or splicing from an adversary is possible.</t>
      <t>The protocol's security relies on the verifiable binding between the TLS Identity Key, the
specific TLS session
and the platform state through attestation Evidence or Attestation Results conveyed
in the CMW (Conceptual Message Wrapper) <xref target="I-D.ietf-rats-msg-wrap"/> payload.</t>
      <section anchor="authentication-vs-attestation">
        <name>Authentication vs. Attestation</name>
        <t>The protocol combines platform attestation with X.509 certificate authentication.</t>
        <t>Attestation when used alone is vulnerable to identity spoofing attacks, in particular when zero-day attacks exist for a class of hardware. (TODO: reference). Therefore it needs to be combined with traditional authentication, which in the case of TLS takes the form of CA-signed certificates.</t>
        <t>We RECOMMEND that regular applications use authentication and attestation in tandem, to gain the full security guarantees of an authenticated TLS handshake (for the peer/peers being authenticated) as
well as guarantees of platform integrity.</t>
      </section>
      <section anchor="integration-into-the-tls-handshake">
        <name>Integration into the TLS Handshake</name>
        <t>The lightweight integration of attestation into the TLS handshake is designed to have
minimal impact on the existing TLS security properties. The changes consist of:</t>
        <ul spacing="normal">
          <li>
            <t>Negotiation extensions: New TLS extensions are added to ClientHello and
EncryptedExtensions messages to negotiate the use of attestation and indicate
supported attestation formats and Verifiers. A new <tt>remoteAttestation</tt> extension is
introduced to the Certificate message. This extension carries attestation Evidence
or Attestation Results.</t>
          </li>
          <li>
            <t>Independent key derivation: Binder derivation for attestation (see <xref target="crypto-ops"/>) is completely independent of the
regular TLS key schedule. Attestation processing does not affect the standard TLS key derivation and security properties.</t>
          </li>
        </ul>
        <t>This minimal integration approach provides an intuitive explanation of why the
addition of attestation does not adversely affect TLS security. The attestation
components operate independently, leaving the core TLS handshake protocol and
key derivation mechanisms unmodified. Nevertheless, formal validation of these
security properties is still required.</t>
      </section>
    </section>
    <section anchor="attestation-extension">
      <name>Attestation Extension</name>
      <t>As typical with new features in TLS, the client indicates support for the new extension in the ClientHello message.
The newly introduced extension allows attestation Evidence or Attestation Results to be exchanged.
Freshness of the exchanged Evidence is guaranteed through an Attestation Binder mechanism (see <xref target="crypto-ops"/>) when the Background Check Model is in use.
In the Passport Model, freshness expectations are more relaxed and are governed by the lifetime of the signed Attestation Results.</t>
      <t>When the extension is successfully negotiated, attestation Evidence or Attestation Results are conveyed in a <tt>remoteAttestation</tt> extension (see <xref target="remote-attestation-extension-section"/>).
The CMW payload in the Attestation extension contains the attestation Evidence or Attestation Results encoded according to <xref target="I-D.ietf-rats-msg-wrap"/>.</t>
      <t>The attestation payload <bcp14>MUST</bcp14> contain assertions relating to the attester's TLS Identity Key (TIK-C for client attester, TIK-S for server attester), which associate the private key with the attestation information.
The TEE's signature over the Evidence within the CMW <bcp14>MUST</bcp14> include an attestation binder derived from the message transcript (see <xref target="crypto-ops"/>) and the attester's TLS identity public key, as specified in <xref target="remote-attestation-extension-section"/>.</t>
      <t>The relying party can obtain and appraise the remote Attestation Results either
directly from the Attestation extension (in the Passport Model), or by relaying
the Evidence from the Attestation extension to the Verifier and receiving the
Attestation Results. Subsequent verification of possession of the attested key in the
CertificateVerify message remains unchanged from baseline TLS.</t>
      <t>When using the Passport Model, the remote Attestation Results obtained by the
attester from its trusted Verifier can be cached and used for any number of
subsequent TLS handshakes, as long as the freshness policy requirements are
satisfied.</t>
      <t>This protocol supports both monolithic and split implementations. In a monolithic
implementation, the TLS stack is completely embedded within the TEE. In a split
implementation, the TLS stack is located outside the TEE, but any private keys
(and in particular, the TIK) only exist within the TEE. In order to support
both options, only the TIK's identity, its public component and a short generated binder are ever
passed between the Client or Server TLS stack and its Attestation Service.
While the two types of implementations offer identical functionality,
their security properties often differ, see <xref target="sec-guarantees"/> for more details.</t>
      <section anchor="remote-attestation-extension-section">
        <name>Remote Attestation Extension</name>
        <t>As defined in Section 4.4.2 of <xref target="I-D.ietf-tls-rfc8446bis"/>, the TLS <tt>Certificate</tt> message
contains a <tt>certificate_list</tt>, which is a sequence of <tt>CertificateEntry</tt>
structures.</t>
        <t>When attestation is negotiated via the extension defined in this document,
the <tt>remoteAttestation</tt> extension defined in this document <bcp14>MUST</bcp14> appear only in
the first <tt>CertificateEntry</tt> of the <tt>Certificate</tt> message and applies
exclusively to the end-entity certificate.</t>
        <t>The extension <bcp14>MUST NOT</bcp14> appear in any other <tt>CertificateEntry</tt>.</t>
        <t>If the <tt>remoteAttestation</tt> extension is received in any other position, the
receiver <bcp14>MUST</bcp14> abort the handshake with a fatal <tt>illegal_parameter</tt> alert.</t>
        <t>This message carries a CMW (Conceptual Message Wrapper) payload as defined in <xref target="I-D.ietf-rats-msg-wrap"/>.</t>
        <t>The <tt>remoteAttestation</tt> extension structure is defined in <xref target="_figure-remote-attestation-extension"/>.
As per <xref section="4.2" sectionFormat="of" target="I-D.ietf-tls-rfc8446bis"/>, a single extension is used across the entire handshake.
The extension is used in ClientHello, EncryptedExtensions, and CertificateRequest messages for protocol negotiation (see <xref target="negotiating-protocol"/>).
The extension is used in Certificate messages for carrying attestation credentials.</t>
        <figure anchor="_figure-remote-attestation-extension">
          <name>TLS Extension Structure for Remote Attestation negotiation.</name>
          <artwork><![CDATA[
    enum { CONTENT_FORMAT(0), MEDIA_TYPE(1) } typeEncoding;

    struct {
        typeEncoding type_encoding;
        select (EvidenceType.type_encoding) {
            case CONTENT_FORMAT: uint16 content_format;
            case MEDIA_TYPE: opaque media_type<0..2^16-1>;
        };
    } EvidenceType;

    struct {
        opaque verifier_identity<0..2^16-1>;
    } VerifierIdentityType;

    enum { evidence(0), result(1), (255) } AttestationMechanism;

    struct {
        AttestationMechanism mechanism;
        select (mechanism) {
            case evidence: EvidenceType;
            case result:   VerifierIdentityType;
        } argument;
    } AttestationScheme;

    struct {
        select (Handshake.msg_type) {
            case client_hello:
                AttestationScheme server_attester_schemes<0..2^16-1>;

                AttestationScheme client_attester_schemes<0..2^16-1>;

            case encrypted_extensions:
                AttestationScheme chosen_server_scheme;

            case certificate_request:
                AttestationScheme chosen_client_scheme;

            case certificate:
                opaque cmw_payload<1..2^24-1>;
        };
    } remoteAttestation;
]]></artwork>
        </figure>
        <t>The <tt>cmw_payload</tt> field contains a CMW structure as defined in <xref target="I-D.ietf-rats-msg-wrap"/>.
Both JSON and CBOR serializations are allowed in CMW, with the emitter choosing
which serialization to use.</t>
        <t>The CMW payload <bcp14>MUST</bcp14> contain attestation Evidence (in Background Check Model) or Attestation Results (in Passport Model) that binds the TLS Identity Key (TIK) to the platform and workload state.
The TEE's signature over the Evidence within the CMW <bcp14>MUST</bcp14> include a binder ensuring that the attestation is associated with this particular TLS connection, as well as the attester's TLS identity public key (TIK-C for client attester, TIK-S for server attester).</t>
        <t>This binding ensures that the attested key is the one used in the TLS handshake
and provides freshness guarantees through derivation from both peers' randomness.
See <xref target="crypto-ops"/> for details.</t>
      </section>
    </section>
    <section anchor="use-of-attestation-in-the-tls-handshake">
      <name>Use of Attestation in the TLS Handshake</name>
      <t>For both the Passport Model (described in Section 5.1 of <xref target="RFC9334"/>) and
Background Check Model (described in Section 5.2 of <xref target="RFC9334"/>) the following
modes of operation are allowed when used with TLS, namely:</t>
      <ul spacing="normal">
        <li>
          <t>TLS client is the attester,</t>
        </li>
        <li>
          <t>TLS server is the attester, and</t>
        </li>
        <li>
          <t>TLS client and server mutually attest towards each other.</t>
        </li>
      </ul>
      <t>As noted, each peer's attestation is carried in the <tt>remoteAttestation</tt> extension within
that peer's Certificate message. This section describes how the attestation
is produced, bound to the TLS handshake and verified by the recipient.</t>
      <section anchor="crypto-ops">
        <name>Cryptographic Operations</name>
        <t>The cryptographic operations defined in this section bind attestation Evidence
to a specific TLS handshake. This binding prevents replay and relay of attestation
Evidence across different TLS connections, and ensures that attestation Evidence
presented during a handshake corresponds to the authenticated
TLS session in which it is conveyed.</t>
        <t>The attestation Evidence or Attestation Results are generated by a TEE and
signed using an attestation key. The signed Evidence includes
inputs originating from different trust domains.</t>
        <t>The attestation binder is provided by the TLS stack and serves as a
nonce that ensures freshness and binding to a specific TLS handshake,
as well as binding to the attester's TLS public key.</t>
        <section anchor="attestation-binder-definition">
          <name>Attestation Binder Definition</name>
          <t>The attestation binder is computed using primitives
defined in Section 4.4.1 and 7.1 of <xref target="I-D.ietf-tls-rfc8446bis"/>.</t>
          <t>Both peers derive a single attestation base from the same transcript
checkpoint, <tt>ClientHello...ServerHello</tt>.</t>
          <artwork><![CDATA[
attest_base = HKDF-Expand-Label(0, "attestation base",
                                Hash(ClientHello...ServerHello), Hash.length)

c_attest_binder = HKDF-Expand-Label(attest_base, "attestation",
                                    Hash(TLS_Client_Public_Key), Hash.length)
s_attest_binder = HKDF-Expand-Label(attest_base, "attestation",
                                    Hash(TLS_Server_Public_Key), Hash.length)
]]></artwork>
          <t><tt>TLS_Client_Public_Key</tt> and <tt>TLS_Server_Public_Key</tt> denote the DER-encoded
SubjectPublicKeyInfo of the peer's end-entity certificate. <tt>Hash</tt> is the
cipher suite hash function for the handshake (<xref section="7.1" sectionFormat="of" target="I-D.ietf-tls-rfc8446bis"/>).</t>
          <t>We note that <tt>HKDF-Expand-Label</tt> is used to produce binding values rather than keying material. <tt>HKDF-Extract</tt> is not invoked, as there is no input key material to combine. The "0" parameter denotes a byte string of <tt>Hash.length</tt> zeroes.</t>
        </section>
        <section anchor="verification">
          <name>Verification</name>
          <t>Upon receipt of a <tt>remoteAttestation</tt> extension, the peer <bcp14>MUST</bcp14> compute the attestation binder.</t>
          <t>If the peer's Evidence is rejected (binder mismatch, failed Evidence appraisal, or malformed CMW),
the receiver <bcp14>MUST</bcp14> send an <tt>attestation_failed</tt> fatal alert and abort the handshake
(see <xref target="tls-alerts"/>).</t>
          <t>Depending on the architecture (see also <xref target="stack-tee-interface"/>), either the peer verifies
the binding or else it delegates this responsibility to an external Verifier.</t>
          <ul spacing="normal">
            <li>
              <t>In the former case, the peer <bcp14>MUST</bcp14> compare the computed binder value to the attestation binder
included in the
signed Evidence or signed Attestation Results. If the values do not match, the peer <bcp14>MUST</bcp14> treat the
attestation as invalid.</t>
            </li>
            <li>
              <t>In the latter case, the RP <bcp14>MUST</bcp14> convey the binder to the
Verifier. The Verifier <bcp14>MUST</bcp14> appraise that the conveyed binder is identical to the one that was signed
in the Evidence or Attestation Results. If appraisal fails, the receiver <bcp14>MUST</bcp14> treat the
attestation as invalid.</t>
            </li>
          </ul>
          <t><cref>TODO: define a way to transport the binder to a remote Verifier. Possibly
as a (new) conceptual message (CM) within a collection. This would provide
the Verifier whatever information it cannot compute on its own, while
not forcing the TLS stack to parse the Evidence.</cref></t>
        </section>
        <section anchor="security-properties">
          <name>Security Properties</name>
          <t>Binding attestation Evidence to the TLS handshake transcript hash provides the
following security properties:</t>
          <ul spacing="normal">
            <li>
              <t>Replay protection: Evidence generated for a previous handshake cannot be
reused in a later handshake.</t>
            </li>
            <li>
              <t>Relay protection: Evidence obtained from one TLS connection cannot be
successfully presented in a different TLS connection, even in the presence of
a MiTM attacker.</t>
            </li>
          </ul>
          <t>In typical deployments where the TLS handshake executes outside the TEE, a
compromised host can execute the TLS handshake in the rich operating system and
use the TEE as a signing oracle by presenting the attestation binder value to
obtain valid-looking attestation Evidence.</t>
          <t>However an endorsed TEE (one that is operating as required by this protocol)
is required to verify the binder against the TLS public key associated
with the private key that it holds. This verification, in conjunction with the TEE's
endorsement being appraised, ensures that relay attacks are prevented.</t>
          <t>The attestation binder prevents replay of Evidence across TLS connections. The binding to the TLS identity key ensures that Evidence produced by one endpoint cannot be replayed in a TLS connection involving a different endpoint, as the verifier checks that the binder matches the public key presented in the current TLS connection. The additional binding to the transcript through ClientHello and ServerHello ensures that Evidence cannot be replayed across TLS connections, as ClientHello.random and ServerHello.random are independently generated by each peer for every TLS connection.</t>
        </section>
      </section>
      <section anchor="tik-binding">
        <name>Binding the TIK to the TEE</name>
        <t>This specification assumes that the TIK private key corresponding to the end-entity certificate used in the TLS handshake is generated inside a TEE and never leaves it. A platform could instead generate the TIK private key outside the TEE and compute the CertificateVerify signature using that external key. A relying party cannot detect this attack unless additional safeguards are in place.</t>
        <t>This risk is particularly relevant in split deployments, where the TLS stack does not reside inside the TEE. In such architectures, attesting the TEE alone does not prove that the TIK private key used by the TLS endpoint was generated, is stored, or is controlled by the TEE.</t>
        <t>To address this, the signed Evidence <bcp14>MUST</bcp14> include an Attestation Binder generated using the hash of the TIK public key (TIK_pub_hash) (see <xref target="crypto-ops"/>).</t>
        <t>The Relying Party <bcp14>MUST</bcp14> compute the hash of the TIK public key extracted from the TLS end-entity certificate using
the same hash algorithm and verify that it matches the TIK_pub_hash included in the Evidence. Successful
verification binds the attestation Evidence to the TLS identity used for authentication. This verification is performed by the Relying Party, as the Verifier may not be co-located with the Relying Party and may not have access to the TLS handshake or the TLS end-entity certificate, consistent with the RATS architecture.
Alternatively, in deployments where the Verifier is not co-located with the Relying Party, the Relying Party <bcp14>MAY</bcp14>
supply the Verifier with the hash of the TIK public key. The Verifier then compares this value with the TIK
public key hash included in the Evidence. If the values do not match, the attestation <bcp14>MUST</bcp14> be considered invalid.</t>
        <t>Without this binding, a non-TEE TLS endpoint can obtain Evidence from a separate TLS endpoint that genuinely runs
inside a TEE and relay that Evidence to the relying party while executing the TLS handshake itself. If the
Evidence only attests that a TLS stack is running in a TEE, the relying party cannot determine whether the
attested TLS stack is the one that actually performed the handshake. Binding the Evidence to the TIK public key
prevents this relay attack.</t>
        <t>The proposed binding ensures that the relying party does not establish a TLS session with a TLS endpoint whose TIK is not generated and controlled by the TEE. It does not - in and of itself - ensure security of the TLS stack when the stack is
outside the TEE, and see <xref target="sec-guarantees"/> for a further discussion.</t>
      </section>
      <section anchor="stack-tee-interface">
        <name>The TLS Stack's Interface to the TEE</name>
        <t>When the TEE signs the Evidence or Attestation Results, it also binds them to the TLS Identity public key and the TLS
session. TEE implementations differ, and some only allow a single user-provided challenge value to be added to the Evidence with no associated checks.</t>
        <t>Architecturally we propose to add a thin shim between the traditional TLS stack and the TEE
as shown in <xref target="_figure-tls-tee-interface"/>. Implementations will choose whether to incorporate
the shim into the TEE (making for a "smarter" TEE and better protection
for the remote attestation protocol), or in case of a legacy TEE that cannot be modified,
the shim can be added to the TLS stack.</t>
        <figure anchor="_figure-tls-tee-interface">
          <name>TLS Stack Interface with the TEE</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="432" width="544" viewBox="0 0 544 432" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                <path d="M 8,192 L 8,256" fill="none" stroke="black"/>
                <path d="M 8,320 L 8,416" fill="none" stroke="black"/>
                <path d="M 24,368 L 24,400" fill="none" stroke="black"/>
                <path d="M 64,96 L 64,184" fill="none" stroke="black"/>
                <path d="M 64,256 L 64,312" fill="none" stroke="black"/>
                <path d="M 168,368 L 168,400" fill="none" stroke="black"/>
                <path d="M 272,104 L 272,192" fill="none" stroke="black"/>
                <path d="M 272,264 L 272,320" fill="none" stroke="black"/>
                <path d="M 432,32 L 432,96" fill="none" stroke="black"/>
                <path d="M 432,192 L 432,256" fill="none" stroke="black"/>
                <path d="M 432,320 L 432,416" fill="none" stroke="black"/>
                <path d="M 504,32 L 504,192" fill="none" stroke="black"/>
                <path d="M 504,256 L 504,416" fill="none" stroke="black"/>
                <path d="M 8,32 L 432,32" fill="none" stroke="black"/>
                <path d="M 456,32 L 504,32" fill="none" stroke="black"/>
                <path d="M 8,96 L 432,96" fill="none" stroke="black"/>
                <path d="M 8,192 L 432,192" fill="none" stroke="black"/>
                <path d="M 8,256 L 432,256" fill="none" stroke="black"/>
                <path d="M 8,320 L 432,320" fill="none" stroke="black"/>
                <path d="M 24,368 L 168,368" fill="none" stroke="black"/>
                <path d="M 24,400 L 168,400" fill="none" stroke="black"/>
                <path d="M 8,416 L 432,416" fill="none" stroke="black"/>
                <path d="M 456,416 L 504,416" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="280,264 268,258.4 268,269.6" fill="black" transform="rotate(270,272,264)"/>
                <polygon class="arrowhead" points="280,104 268,98.4 268,109.6" fill="black" transform="rotate(270,272,104)"/>
                <polygon class="arrowhead" points="72,312 60,306.4 60,317.6" fill="black" transform="rotate(90,64,312)"/>
                <polygon class="arrowhead" points="72,184 60,178.4 60,189.6" fill="black" transform="rotate(90,64,184)"/>
                <g class="text">
                  <text x="192" y="68">TLS</text>
                  <text x="232" y="68">Stack</text>
                  <text x="116" y="132">Transcript</text>
                  <text x="180" y="132">hash</text>
                  <text x="296" y="132">CMW</text>
                  <text x="344" y="132">(Signed</text>
                  <text x="372" y="148">Evidence/AR;</text>
                  <text x="88" y="164">TIK</text>
                  <text x="132" y="164">public</text>
                  <text x="176" y="164">key</text>
                  <text x="212" y="164">hash</text>
                  <text x="348" y="164">Nonce)</text>
                  <text x="492" y="212">Measured</text>
                  <text x="536" y="212">&amp;</text>
                  <text x="144" y="228">Early</text>
                  <text x="216" y="228">Attestation</text>
                  <text x="284" y="228">Shim</text>
                  <text x="500" y="228">Reported</text>
                  <text x="500" y="244">Components</text>
                  <text x="96" y="292">Nonce</text>
                  <text x="308" y="292">Signed</text>
                  <text x="384" y="292">Evidence/AR</text>
                  <text x="216" y="356">TEE</text>
                  <text x="48" y="388">TIK</text>
                  <text x="96" y="388">Private</text>
                  <text x="144" y="388">Key</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+----------------------------------------------------+  ------+
|                                                    |        |
|                     TLS Stack                      |        |
|                                                    |        |
+------+---------------------------------------------+        |
       |                         ^                            |
       | Transcript hash         | CMW (Signed                |
       |                         |      Evidence/AR;          |
       | TIK public key hash     |      Nonce)                |
       v                         |                            |
+--------------------------------+-------------------+        |
|                                                    |   Measured &
|              Early Attestation Shim                |    Reported
|                                                    |   Components
+------+---------------------------------------------+        |
       |                         ^                            |
       | Nonce                   | Signed Evidence/AR         |
       v                         |                            |
+--------------------------------+-------------------+        |
|                                                    |        |
|                        TEE                         |        |
| +-----------------+                                |        |
| | TIK Private Key |                                |        |
| +-----------------+                                |        |
+----------------------------------------------------+  ------+
]]></artwork>
          </artset>
        </figure>
        <t>We adopt a defense-in-depth approach:</t>
        <ul spacing="normal">
          <li>
            <t>Separate attesting applications within the same TEE <bcp14>SHOULD NOT</bcp14> be capable of impersonating each other via Evidence or Attestation Results. Therefore, if multiple applications are expected to use attestation credentials, evidence/AR generation APIs <bcp14>SHOULD</bcp14> reflect identifiers for the calling contexts into the generated credential. These identifiers can be reflected as separate claims in the credential, or can be measured as part of more generic claims. A Relying Party <bcp14>SHOULD</bcp14> be capable of differentiating between the attesting applications based on their credentials.</t>
          </li>
          <li>
            <t>The RP <bcp14>SHOULD NOT</bcp14> base its trust decision only on the Attester's trust root. It <bcp14>SHOULD</bcp14> also ensure that the entire attested software stack is endorsed.</t>
          </li>
          <li>
            <t>The TEE itself, when possible, <bcp14>SHOULD</bcp14> generate the attestation secret by running the derivation operations defined in <xref target="crypto-ops"/>, and, if it holds the TIK, <bcp14>SHOULD</bcp14> validate the public key. The attestation secret can be generated by the TEE only if TLS is running inside the TEE.</t>
          </li>
          <li>
            <t>As shown in the diagram, the TEE itself as well as the TLS stack and the shim <bcp14>SHOULD</bcp14>
all be measured and reported as part of the platform's remote attestation.</t>
          </li>
        </ul>
      </section>
      <section anchor="reattestation">
        <name>Reattestation</name>
        <t>Attestation Evidence or Attestation Results may become stale over time. For long-lived TLS connections, a relying party may require updated assurance that the peer continues to operate in a trustworthy state.</t>
        <section anchor="post-handshake-reattestation-using-client-authentication">
          <name>Post-Handshake Reattestation Using Client Authentication</name>
          <t>Post-handshake client authentication defined in <xref section="4.6.2" sectionFormat="of" target="I-D.ietf-tls-rfc8446bis"/> can
be used to obtain updated attestation Evidence or Attestation Results from the TLS client. In this case, the TLS server sends a <tt>CertificateRequest</tt> message after the TLS handshake authentication. The client responds with the standard TLS authentication messages (<tt>Certificate</tt>, <tt>CertificateVerify</tt>, and <tt>Finished</tt>). If attestation has been negotiated for the TLS connection, the client includes the <tt>remoteAttestation</tt> extension in the <tt>Certificate</tt> message carrying updated Evidence or Attestation Results.</t>
          <t>The attestation binder can be derived from the post-handshake authentication
transcript defined in Section 4.4 of <xref target="I-D.ietf-tls-rfc8446bis"/>.</t>
          <t>This mechanism allows a server to request updated attestation from the client. However, TLS currently does not define a mechanism for post-handshake server authentication. To address this limitation, the subsequent sections discuss design options for handling attestation freshness.</t>
        </section>
        <section anchor="option-1-carrying-attestation-in-extended-key-update">
          <name>Option 1: Carrying Attestation in Extended Key Update</name>
          <t>One possible approach is to extend the Extended Key Update (EKU) mechanism by introducing a new <tt>ExtendedKeyUpdate</tt> message subtype to carry attestation Evidence or Attestation Results.</t>
          <t>However, this approach tightly couples attestation to EKU, even though the two serve different purposes.</t>
        </section>
        <section anchor="option-2-no-reattestation-reconnect-for-freshness">
          <name>Option 2: No Reattestation (Reconnect for Freshness)</name>
          <t>Another approach is to not support reattestation within an established TLS connection. When fresh attestation is required, the client and server terminate the existing TLS session and establish a new one, during which fresh Evidence or Attestation Results are exchanged as part of the handshake.</t>
          <t>This approach keeps the TLS protocol unchanged and avoids introducing post-handshake mechanisms. However, it will be disruptive for long-lived TLS connections.</t>
        </section>
        <section anchor="option-3-post-handshake-reattestation-using-certificateupdate">
          <name>Option 3: Post-Handshake Reattestation Using CertificateUpdate</name>
          <t>In this design, reattestation is supported using the <tt>CertificateUpdate</tt> message defined in <xref target="I-D.rosomakho-tls-cert-update"/>. Under this approach, the attester sends a <tt>CertificateUpdate</tt> message carrying a new <tt>Certificate</tt> message with updated attestation information. The refreshed attestation is bound to the existing TLS session using post-handshake TLS context.</t>
        </section>
      </section>
    </section>
    <section anchor="negotiating-protocol">
      <name>Negotiating This Protocol</name>
      <t>This section defines the TLS extension used to negotiate the use of attestation in the TLS handshake.
Both remote attestation topologies are supported: the Background Check Model, where Evidence is exchanged and appraised during the handshake, and the Passport Model, where pre-appraised Evidence in the form of Attestation Results are presented.
The extension defined in <xref target="_figure-remote-attestation-extension"/> allows peers to indicate their support for attestation and negotiate which attestation format and, if required, which Verifier to use.</t>
      <t>The <tt>remoteAttestation</tt> extension structure contains indicators for both remote attestation topologies, and allows both peers to act as attesters independently during the handshake.</t>
      <t>The client selects the remote attestation schemes it supports for both server- or client-as-attester.
The client <bcp14>MUST</bcp14> populate at least one AttestationScheme structure.</t>
      <t>The server replies with its preferred schemes for both server- and client-as-attester.
The selected server-as-attester scheme is sent in the EncryptedExtensions message.
While for Background Check the server scheme can be extracted from the CMW sent by the server as part of its Certificate message, for Passport model the Verifier which issued the Attestation Results must be confirmed by the server explicitly.
In order to preserve symmetry and aid the client in handling the server's attestation token, the server explicitly sends its scheme as part of EncryptedExtensions.
The selected client-as-attester scheme is sent in the CertificateRequest message.
The server <bcp14>MUST</bcp14> omit the <tt>remoteAttestation</tt> extension from EncryptedExtensions and CertificateRequest messages if it does not support the corresponding proposed schemes, or if it does not want the corresponding peer to engage in remote attestation.</t>
      <t>The <tt>remoteAttestation</tt> extension used to negotiate support for the protocol described in this document is defined in <xref target="_figure-remote-attestation-extension"/>.</t>
      <t>Values for media_type are defined in <xref target="iana-media-types"/>.
Values for content_format are defined in <xref target="iana-content-formats"/>.
The verifier_identity field can be used to carry an identifier for a Verifier instance.
The identifier needs to be stable across the lifetime of the connection (potentially across Verifier credential rotation), for example a subjectAltName.</t>
    </section>
    <section anchor="behavior">
      <name>TLS Client and Server Handshake Behavior</name>
      <t>The high-level message exchange in <xref target="_figure-overview"/> shows the <tt>remoteAttestation</tt> extension added to the ClientHello, the EncryptedExtensions, the CertificateRequest, and the Certificate messages.</t>
      <figure anchor="_figure-overview">
        <name>Early Attestation Handshake Overview</name>
        <artwork><![CDATA[
       Client                                           Server

Key  ^ ClientHello
Exch | + key_share*
     | + signature_algorithms*
     | + psk_key_exchange_modes*
     | + pre_shared_key*
     v + remoteAttestation*
     -------->
                                                  ServerHello ^ Key
                                                 + key_share* | Exch
                                            + pre_shared_key* v
                                        {EncryptedExtensions} ^ Server
                                         + remoteAttestation* | Params
                                        {CertificateRequest*} |
                                         + remoteAttestation* v
                                               {Certificate*} ^
                                        + remoteAttestation*  |
                                         {CertificateVerify*} | Auth
                                                   {Finished} v
                               <--------  [Application Data*]
     ^ {Certificate*}
     | + remoteAttestation*
Auth | {CertificateVerify*}
     v {Finished}              -------->
       [Application Data]      <------->  [Application Data]
]]></artwork>
      </figure>
      <section anchor="client-hello">
        <name>Client Hello</name>
        <t>The <tt>remoteAttestation</tt> extension defined in <xref target="negotiating-protocol"/> enables the two peers to use either the Background Check Model or the Passport Model for remote attestation.</t>
        <t>To indicate support for either Evidence (for Background Check) or Attestation Results (for Passport), the client includes schemes with either <tt>evidence</tt> or <tt>result</tt> as the AttestationMechanism in the ClientHello extension.
For Evidence, the scheme indicates the expected Evidence type.
For Attestation Results, the scheme indicates the identity of the Verifier from which results can be relayed.
In both cases, whether the scheme is sent as <tt>server_attester_schemes</tt> or <tt>client_attester_schemes</tt> indicates which peer is expected to produce the attestation credential.</t>
        <t>The <tt>remoteAttestation</tt> extension carries a list of supported schemes, sorted by preference.
If the client only supports one attestation credential type, it is a list containing a single element.</t>
        <t>The client <bcp14>MUST</bcp14> omit schemes from the <tt>client_attester_schemes</tt> field in the extension if it cannot respond to a request from the server to present an attestation credential of the proposed type, or if the client is not configured to use the proposed scheme with the given server.
If the client chooses to include <tt>client_attester_schemes</tt>, it <bcp14>MUST</bcp14> be capable of authenticating itself with a certificate.</t>
        <t>For the Background Check Model, the client <bcp14>MUST</bcp14> omit Evidence types from the <tt>server_attester_schemes</tt> field in the extension if it is not able to pass the Evidence type to a Verifier.</t>
      </section>
      <section anchor="server-hello">
        <name>Server Hello</name>
        <t>If the server receives a ClientHello that contains the <tt>remoteAttestation</tt> extension, then three outcomes are possible:</t>
        <ul spacing="normal">
          <li>
            <t>The server does not support the extension defined in this document.
In this case, the server returns the EncryptedExtensions without the <tt>remoteAttestation</tt> extension.</t>
          </li>
          <li>
            <t>The server supports the extension defined in this document, but it does not have any remote attestation scheme in common with the client.
Then, the server terminates the session with a fatal alert of type "unsupported_attestation_schemes".</t>
          </li>
          <li>
            <t>The server supports the extension defined in this document and has at least one remote attestation scheme in common with the client.
In this case, the processing rules described below are followed.</t>
          </li>
        </ul>
        <t>The <tt>remoteAttestation</tt> extension in the ClientHello indicates the attestation schemes for both peers to act as relying parties.
For schemes conveyed under <tt>server_attester_schemes</tt> the server is expected to act as an attester, while the client is the relying party.
For schemes conveyed under <tt>client_attester_schemes</tt> the server is expected to act as a relying party, while the client is the attester.</t>
        <t>If the server chooses to attest itself, it <bcp14>MUST</bcp14> select one of the schemes provided by the client in <tt>server_attester_schemes</tt>.
The server <bcp14>MUST</bcp14> then also include the <tt>remoteAttestation</tt> extension in the EncryptedExtensions message, and <bcp14>MUST</bcp14> include the chosen attestation scheme in the <tt>chosen_server_scheme</tt>.
The server <bcp14>MUST</bcp14> populate the Certificate message extension according to its chosen scheme.
If the server has chosen an <tt>evidence</tt> scheme, the signed Evidence contained in the CMW payload <bcp14>MUST</bcp14> include an Attestation Binder as a nonce value (see <xref target="crypto-ops"/>) in the TEE's signature.</t>
        <t>Both schemes selected for <tt>chosen_server_scheme</tt> and <tt>chosen_client_scheme</tt> <bcp14>MUST</bcp14> be selected from the schemes provided in the <tt>remoteAttestation</tt> extension sent in the ClientHello.</t>
        <t>If both <tt>server_attester_schemes</tt> and <tt>client_attester_schemes</tt> are empty, or if the server does not want to proceed with remote attestation, the server <bcp14>MUST</bcp14> terminate the session as described above, with a fatal alert of type "unsupported_attestation_schemes".</t>
      </section>
      <section anchor="certificate-request">
        <name>Certificate Request</name>
        <t>If the server chooses to request that the client attests itself, it <bcp14>MUST</bcp14> select one of the schemes provided by the client in <tt>client_attester_schemes</tt>.
The server <bcp14>MUST</bcp14> then also send a CertificateRequest message that includes the <tt>remoteAttestation</tt> extension (see <xref target="_figure-remote-attestation-extension"/>), and <bcp14>MUST</bcp14> include the chosen attestation scheme in <tt>chosen_client_scheme</tt>.</t>
      </section>
      <section anchor="following-server-hello">
        <name>Following Server Hello</name>
        <t>Upon receipt of the EncryptedExtensions and potentially of the CertificateRequest messages, the client can verify that the server's choices are valid.
The client <bcp14>MUST</bcp14> check that at least one remote attestation scheme was returned, and that the returned schemes were among the corresponding proposed lists.
If the server has rejected that one peer act as an attester by not selecting a corresponding scheme, and the client's policy demands that the remote attestation take place, the client <bcp14>MUST</bcp14> terminate the session with a fatal alert of type "attestation_required".</t>
        <t>If the server has selected a valid <tt>chosen_client_scheme</tt>, the client <bcp14>MUST</bcp14> populate the Certificate message extension according to that scheme.
If the server has chosen an <tt>evidence</tt> scheme for the client, the signed Evidence contained in the CMW payload <bcp14>MUST</bcp14> include an Attestation Binder as a nonce value (see <xref target="crypto-ops"/>) in the TEE's signature.</t>
      </section>
    </section>
    <section anchor="sec-cons">
      <name>Security Considerations</name>
      <t>TBD.</t>
      <section anchor="sec-guarantees">
        <name>Security Guarantees</name>
        <t>We note that as a pure cryptographic protocol, attested TLS as-is only guarantees that the Identity Key is known by the TEE. A number of additional guarantees must be provided by the platform and/or the TLS stack,
and the overall security level depends on their existence and quality of assurance:</t>
        <ul spacing="normal">
          <li>
            <t>The Identity Key is generated by the TEE.</t>
          </li>
          <li>
            <t>The Identity Key is never exported or leaked outside the TEE.</t>
          </li>
          <li>
            <t>The TLS protocol, whether implemented by the TEE or outside the TEE, is implemented correctly and (for example) does not leak any session key material.</t>
          </li>
        </ul>
        <t>These properties may be explicitly promised ("attested") by the platform, or they can be assured in other ways such as by providing source code, reproducible builds, formal verification etc. The exact mechanisms are out of scope of this document.</t>
      </section>
      <section anchor="freshness-guarantees">
        <name>Freshness Guarantees</name>
        <t><cref> TODO: Discuss freshness guarantees provided by the Attestation Binder.
Differences between Background Check and Passport mode.
</cref></t>
      </section>
    </section>
    <section anchor="priv-cons">
      <name>Privacy Considerations</name>
      <t>In this section, we are assuming that the Attester is a TLS client, representing an individual person.
We are concerned about the potential leakage of privacy sensitive information about that person, such as the correlation of different connections initiated by them.</t>
      <t>In background-check mode, the Verifier not only has access to detailed information about the Attester's TCB through Evidence, but it also knows the exact time and the party with whom the secure channel establishment is attempted (i.e., the RP).
The privacy implications are similar to online OCSP <xref target="RFC6960"/>.
While the RP may trust the Verifier not to disclose any information it receives, the same cannot be assumed for the Attester, which generally has no prior relationship with the Verifier.
Some ways to address this include:</t>
      <ul spacing="normal">
        <li>
          <t>Client-side redaction of privacy-sensitive evidence claims,</t>
        </li>
        <li>
          <t>Using selective disclosure (e.g., SD-JWT <xref target="I-D.ietf-oauth-selective-disclosure-jwt"/> with EAT <xref target="I-D.ietf-rats-eat"/>),</t>
        </li>
        <li>
          <t>Co-locating the Verifier role with the RP,</t>
        </li>
        <li>
          <t>Utilizing privacy-preserving attestation schemes (e.g., DAA <xref target="I-D.ietf-rats-daa"/>), or</t>
        </li>
        <li>
          <t>Utilizing Attesters manufactured with group identities (e.g., <xref target="FIDO-REQS"/>).</t>
        </li>
      </ul>
      <t>The latter two also have the property of hiding the peer's identity from the RP.</t>
      <t>Note that the equivalent of OCSP "stapling" involves using a passport topology where the Verifier's involvement is unrelated to the TLS session.</t>
      <t>Due to the inherent asymmetry of the TLS protocol, if the Attester acts as the TLS server, a malicious TLS client could potentially retrieve sensitive information from attestation Evidence without the client's trustworthiness first being established by the server.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="tls-extensions">
        <name>TLS Extensions</name>
        <t>IANA is asked to allocate a new TLS extension, <tt>remoteAttestation</tt>, from the
"TLS ExtensionType Values" subregistry of the "Transport Layer Security (TLS)
Extensions" registry <xref target="TLS-Ext-Registry"/>.  This extension is used in the
ClientHello, EncryptedExtensions, CertificateRequest, and Certificate messages.
The values carried in this extension are defined in
<xref target="_figure-remote-attestation-extension"/>.</t>
      </section>
      <section anchor="tls-alerts">
        <name>TLS Alerts</name>
        <t>IANA is requested to allocate values in the "TLS Alerts"
subregistry of the "Transport Layer Security (TLS) Parameters" registry
<xref target="TLS-Param-Registry"/> and populate it with the following entries:</t>
        <ul spacing="normal">
          <li>
            <t>Value: TBD1</t>
          </li>
          <li>
            <t>Description: unsupported_attestation_schemes</t>
          </li>
          <li>
            <t>DTLS-OK: Y</t>
          </li>
          <li>
            <t>Reference: [This document]</t>
          </li>
          <li>
            <t>Comment:</t>
          </li>
          <li>
            <t>Value: TBD2</t>
          </li>
          <li>
            <t>Description: attestation_required</t>
          </li>
          <li>
            <t>DTLS-OK: Y</t>
          </li>
          <li>
            <t>Reference: [This document]</t>
          </li>
          <li>
            <t>Comment:</t>
          </li>
          <li>
            <t>Value: TBD3</t>
          </li>
          <li>
            <t>Description: attestation_failed</t>
          </li>
          <li>
            <t>DTLS-OK: Y</t>
          </li>
          <li>
            <t>Reference: [This document]</t>
          </li>
          <li>
            <t>Comment:</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>We would like to thank Paul Howard, Arto Niemi, and Hannes Tschofenig for their contributions to earlier versions of this document.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.ietf-tls-rfc8446bis">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="I-D.ietf-rats-msg-wrap">
          <front>
            <title>RATS Conceptual Messages Wrapper (CMW)</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <author fullname="Dionna Glaze" initials="D." surname="Glaze">
              <organization>Google LLC</organization>
            </author>
            <date day="11" month="December" year="2025"/>
            <abstract>
              <t>   The Conceptual Messages introduced by the RATS architecture (RFC
   9334) are protocol-agnostic data units that are conveyed between RATS
   roles during remote attestation procedures.  Conceptual Messages
   describe the meaning and function of such data units within RATS data
   flows without specifying a wire format, encoding, transport
   mechanism, or processing details.  The initial set of Conceptual
   Messages is defined in Section 8 of RFC 9334 and includes Evidence,
   Attestation Results, Endorsements, Reference Values, and Appraisal
   Policies.

   This document introduces the Conceptual Message Wrapper (CMW) that
   provides a common structure to encapsulate these messages.  It
   defines a dedicated CBOR tag, corresponding JSON Web Token (JWT) and
   CBOR Web Token (CWT) claims, and an X.509 extension.

   This allows CMWs to be used in CBOR-based protocols, web APIs using
   JWTs and CWTs, and PKIX artifacts like X.509 certificates.
   Additionally, the draft defines a media type and a CoAP content
   format to transport CMWs over protocols like HTTP, MIME, and CoAP.

   The goal is to improve the interoperability and flexibility of remote
   attestation protocols.  Introducing a shared message format such as
   CMW enables consistent support for different attestation message
   types, evolving message serialization formats without breaking
   compatibility, and avoiding the need to redefine how messages are
   handled within each protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-msg-wrap-23"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6960">
          <front>
            <title>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP</title>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="M. Myers" initials="M." surname="Myers"/>
            <author fullname="R. Ankney" initials="R." surname="Ankney"/>
            <author fullname="A. Malpani" initials="A." surname="Malpani"/>
            <author fullname="S. Galperin" initials="S." surname="Galperin"/>
            <author fullname="C. Adams" initials="C." surname="Adams"/>
            <date month="June" year="2013"/>
            <abstract>
              <t>This document specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs). Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFCs 2560 and 6277. It also updates RFC 5912.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6960"/>
          <seriesInfo name="DOI" value="10.17487/RFC6960"/>
        </reference>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="I-D.fossati-tls-attestation">
          <front>
            <title>Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Paul Howard" initials="P." surname="Howard">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Arto Niemi" initials="A." surname="Niemi">
              <organization>Huawei</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="30" month="April" year="2025"/>
            <abstract>
              <t>   The TLS handshake protocol allows authentication of one or both peers
   using static, long-term credentials.  In some cases, it is also
   desirable to ensure that the peer runtime environment is in a secure
   state.  Such an assurance can be achieved using attestation which is
   a process by which an entity produces evidence about itself that
   another party can use to appraise whether that entity is found in a
   secure state.  This document describes a series of protocol
   extensions to the TLS 1.3 handshake that enables the binding of the
   TLS authentication key to a remote attestation session.  This enables
   an entity capable of producing attestation evidence, such as a
   confidential workload running in a Trusted Execution Environment
   (TEE), or an IoT device that is trying to authenticate itself to a
   network access point, to present a more comprehensive set of security
   metrics to its peer.  These extensions have been designed to allow
   the peers to use any attestation technology, in any remote
   attestation topology, and mutually.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-tls-attestation-09"/>
        </reference>
        <reference anchor="I-D.ietf-rats-eat">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="Laurence Lundblade" initials="L." surname="Lundblade">
              <organization>Security Theory LLC</organization>
            </author>
            <author fullname="Giridhar Mandyam" initials="G." surname="Mandyam">
              <organization>Mediatek USA</organization>
            </author>
            <author fullname="Jeremy O'Donoghue" initials="J." surname="O'Donoghue">
              <organization>Qualcomm Technologies Inc.</organization>
            </author>
            <author fullname="Carl Wallace" initials="C." surname="Wallace">
              <organization>Red Hound Software, Inc.</organization>
            </author>
            <date day="6" month="September" year="2024"/>
            <abstract>
              <t>   An Entity Attestation Token (EAT) provides an attested claims set
   that describes state and characteristics of an entity, a device like
   a smartphone, IoT device, network equipment or such.  This claims set
   is used by a relying party, server or service to determine the type
   and degree of trust placed in the entity.

   An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with
   attestation-oriented claims.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-eat-31"/>
        </reference>
        <reference anchor="I-D.ietf-rats-daa">
          <front>
            <title>Direct Anonymous Attestation for the Remote Attestation Procedures Architecture</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Christopher Newton" initials="C." surname="Newton">
              <organization>University of Surrey</organization>
            </author>
            <author fullname="Liqun Chen" initials="L." surname="Chen">
              <organization>University of Surrey</organization>
            </author>
            <author fullname="Thanassis Giannetsos" initials="T." surname="Giannetsos">
              <organization>Ubitech</organization>
            </author>
            <author fullname="Dave Thaler" initials="D." surname="Thaler">
              <organization>Microsoft</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document maps the concept of Direct Anonymous Attestation (DAA)
   to the Remote Attestation Procedures (RATS) Architecture.  The
   protocol entity DAA Issuer is introduced and its mapping with
   existing RATS roles in DAA protocol steps is specified.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-daa-09"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-selective-disclosure-jwt">
          <front>
            <title>Selective Disclosure for JWTs (SD-JWT)</title>
            <author fullname="Daniel Fett" initials="D." surname="Fett">
              <organization>Authlete</organization>
            </author>
            <author fullname="Kristina Yasuda" initials="K." surname="Yasuda">
              <organization>Keio University</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <date day="29" month="May" year="2025"/>
            <abstract>
              <t>   This specification defines a mechanism for the selective disclosure
   of individual elements of a JSON data structure used as the payload
   of a JSON Web Signature (JWS).  The primary use case is the selective
   disclosure of JSON Web Token (JWT) claims.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-selective-disclosure-jwt-22"/>
        </reference>
        <reference anchor="I-D.ietf-teep-architecture">
          <front>
            <title>Trusted Execution Environment Provisioning (TEEP) Architecture</title>
            <author fullname="Mingliang Pei" initials="M." surname="Pei">
              <organization>Broadcom</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Dave Thaler" initials="D." surname="Thaler">
              <organization>Microsoft</organization>
            </author>
            <author fullname="Dave Wheeler" initials="D. M." surname="Wheeler">
              <organization>Amazon</organization>
            </author>
            <date day="24" month="October" year="2022"/>
            <abstract>
              <t>A Trusted Execution Environment (TEE) is an environment that enforces the following: any code within the environment cannot be tampered with, and any data used by such code cannot be read or tampered with by any code outside the environment.  This architecture document discusses the motivation for designing and standardizing a protocol for managing the lifecycle of Trusted Applications running inside such a TEE.
              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-teep-architecture-19"/>
        </reference>
        <reference anchor="I-D.rosomakho-tls-cert-update">
          <front>
            <title>Certificate Update in TLS 1.3</title>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <date day="18" month="June" year="2026"/>
            <abstract>
              <t>   This document defines a mechanism that enables TLS 1.3 endpoints to
   update their certificates during the lifetime of a connection using
   Exported Authenticators.  A new extension is introduced to negotiate
   support for certificate update at handshake time.  When negotiated,
   either endpoint can provide a post-handshake authenticator containing
   an updated certificate, delivered via a new handshake message.  This
   mechanism allows long-lived TLS connections to remain valid across
   certificate rotations without requiring session termination.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-rosomakho-tls-cert-update-02"/>
        </reference>
        <reference anchor="TPM1.2" target="https://trustedcomputinggroup.org/resource/tpm-main-specification/">
          <front>
            <title>TPM Main Specification Level 2 Version 1.2, Revision 116</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2011" month="March"/>
          </front>
        </reference>
        <reference anchor="TPM2.0" target="https://trustedcomputinggroup.org/resource/tpm-library-specification/">
          <front>
            <title>Trusted Platform Module Library Specification, Family "2.0", Level 00, Revision 01.59</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2019" month="November"/>
          </front>
        </reference>
        <reference anchor="TLS-Ext-Registry" target="https://www.iana.org/assignments/tls-extensiontype-values">
          <front>
            <title>Transport Layer Security (TLS) Extensions</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="TLS-Param-Registry" target="https://www.iana.org/assignments/tls-parameters">
          <front>
            <title>Transport Layer Security (TLS) Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="iana-media-types" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="iana-content-formats" target="https://www.iana.org/assignments/core-parameters">
          <front>
            <title>CoAP Content-Formats</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="I-D.acme-device-attest">
          <front>
            <title>Automated Certificate Management Environment (ACME) Device Attestation Extension</title>
            <author fullname="Brandon Weeks" initials="B." surname="Weeks">
         </author>
            <author fullname="Ganesh Mallaya" initials="G." surname="Mallaya">
         </author>
            <author fullname="Sven Rajala" initials="S." surname="Rajala">
         </author>
            <date day="7" month="December" year="2025"/>
            <abstract>
              <t>   This document specifies new identifiers and a challenge for the
   Automated Certificate Management Environment (ACME) protocol which
   allows validating the identity of a device using attestation.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-acme-device-attest-08"/>
        </reference>
        <reference anchor="FIDO-REQS" target="https://fidoalliance.org/specs/fido-security-requirements/">
          <front>
            <title>FIDO Authenticator Security Requirements</title>
            <author initials="B." surname="Peirani" fullname="Beatrice Peirani">
              <organization/>
            </author>
            <author initials="J." surname="Verrept" fullname="Johan Verrept">
              <organization/>
            </author>
            <date year="2021" month="November"/>
          </front>
        </reference>
        <reference anchor="RA-TLS" target="https://arxiv.org/abs/1801.05863">
          <front>
            <title>Integrating Remote Attestation with Transport Layer Security</title>
            <author initials="T." surname="Knauth" fullname="Thomas Knauth">
              <organization/>
            </author>
            <author initials="M." surname="Steiner" fullname="Michael Steiner">
              <organization/>
            </author>
            <author initials="S." surname="Chakrabarti" fullname="Somnath Chakrabarti">
              <organization/>
            </author>
            <author initials="L." surname="Lei" fullname="Li Lei">
              <organization/>
            </author>
            <author initials="C." surname="Xing" fullname="Cedric Xing">
              <organization/>
            </author>
            <author initials="M." surname="Vij" fullname="Mona Vij">
              <organization/>
            </author>
            <date year="2018" month="January"/>
          </front>
        </reference>
        <reference anchor="DICE-Layering" target="https://trustedcomputinggroup.org/resource/dice-layering-architecture/">
          <front>
            <title>DICE Layering Architecture Version 1.00 Revision 0.19</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2020" month="July"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 781?>

<section anchor="document-history">
      <name>Document History</name>
      <section anchor="draft-fossati-seat-early-attestation-04">
        <name>draft-fossati-seat-early-attestation-04</name>
        <ul spacing="normal">
          <li>
            <t>Register the <tt>attestation_failed</tt> alert for Evidence verification failure after
the <tt>attestation</tt> extension is processed; clarify roles of the three attestation-related
alerts in <xref target="tls-alerts"/>.</t>
          </li>
          <li>
            <t>Hash TLS public keys in <tt>HKDF-Expand-Label</tt> context so <tt>HkdfLabel</tt> stays
within the 255-octet limit (post-quantum public keys); see <xref target="crypto-ops"/>.</t>
          </li>
          <li>
            <t>Simplify attestation binder derivation to a single shared transcript
checkpoint (<tt>ClientHello...ServerHello</tt>) for both peers (see <xref target="crypto-ops"/>).</t>
          </li>
          <li>
            <t>Replaced Derive-Secret with HKDF-Expand-Label</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-fossati-seat-early-attestation-03">
        <name>draft-fossati-seat-early-attestation-03</name>
        <ul spacing="normal">
          <li>
            <t>Replace the Attestation message by an Attestation (certificate) extension,
to bring this protocol within the requirements of the SEAT charter.</t>
          </li>
          <li>
            <t>Define the attestation binder and decouple it from the TLS key schedule.</t>
          </li>
          <li>
            <t>List multiple design options for reattestation.</t>
          </li>
          <li>
            <t>Add architecture diagram for TLS stack interface with the TEE.</t>
          </li>
          <li>
            <t>Add defense-in-depth guidance for measuring TEE, TLS stack, and shim.</t>
          </li>
          <li>
            <t>Remove various outdated sections.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-fossati-seat-early-attestation-02">
        <name>draft-fossati-seat-early-attestation-02</name>
        <ul spacing="normal">
          <li>
            <t>Fix typo in key schedule. Clarify (again) that this is only adding to the schedule, not modifying any existing key derivations.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-fossati-seat-early-attestation-01">
        <name>draft-fossati-seat-early-attestation-01</name>
        <t>(Submitted by mistake.)</t>
      </section>
      <section anchor="draft-fossati-seat-early-attestation-00">
        <name>draft-fossati-seat-early-attestation-00</name>
        <t>Initial version of draft-fossati-seat-early-attestation.</t>
        <t>This version represents a major architectural change from <xref target="I-D.fossati-tls-attestation"/>.
The key changes include:</t>
        <ul spacing="normal">
          <li>
            <t>Removed certificate extension mechanism for conveying attestation Evidence</t>
          </li>
          <li>
            <t>Introduced new <tt>Attestation</tt> handshake message for carrying CMW (Conceptual Message Wrapper) payload</t>
          </li>
          <li>
            <t><tt>Attestation</tt> message sent after CertificateVerify when server is attester</t>
          </li>
          <li>
            <t><tt>Attestation</tt> message sent after CertificateVerify message when client is attester</t>
          </li>
          <li>
            <t>Removed use cases section</t>
          </li>
          <li>
            <t>Removed KAT (Key Attestation Token) and PAT (Platform Attestation Token) references, using CMW directly</t>
          </li>
          <li>
            <t>Nonces (client and server) and attester's TLS identity public key are included in TEE-signed Evidence/AttestationResults within CMW</t>
          </li>
          <li>
            <t>CertificateVerify remains unchanged from baseline TLS (no proof-of-possession needed)</t>
          </li>
          <li>
            <t>Added session resumption discussion (resumption <bcp14>MUST</bcp14> be rejected if reattestation is required per local policy)</t>
          </li>
          <li>
            <t>Added reattestation</t>
          </li>
        </ul>
        <!-- Start of Appendices -->

</section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9V9a3PbRrbgd/wKjFx1IyUEbTmPmyiZ3CiSPFFi2RpJSW5q
aiKBQJNEDAK8aFAKR+P9Lftb9pftefULACXak9qadU1NRAD9On36vM/pJEmi
tmhLdRD/qItqFh+2rdJt2hZ1FRdVfNWklV7WTRu/TNeqiS9VtmqKdh3vXr28
3IvTKo+P0zadNenigW+P8eMonUwadXvQG+Ll5VP8IMrrrEoXMJO8SadtMq21
ho8SrdI2UWlTrpPUtUyefRrp1WRRaA2/2vUS2p2eXL2IsrRVs7pZH8S6zaOo
WDYHcdusdPv82bMvnj2P0kalB3Zu0V3dvJk19Wp5gBOJ3qg1PMkP4r/F3mCj
+OLw6nKEX8R/jyJ4WuXXaVlXMOha6WhZHERx3Ewzlet2XcrTOG7rzPuzqHJV
teaBBkA1aqrt7/Ui+Nk2RWY/zurFAtrat0VVFpUbRv3eJmWh2wQ6mdQlfJbU
H34EbwCki3S5hI3lb6NbVa0UTlbWvHN5cni1g30QBHd+BnAgGvwFX+PzRVqU
8Bw34ZtCtdNx3czwedpkc3g+b9ulPnj6FD/DR8WtGpvPnuKDp5OmvtPqKXbw
FBvOina+mkDTddrU1fTpNpuN7coUf3pDcvsx9zcu6q162uqj8bxdlDtRlK7a
ed0AtBIYn/4VFcD2l3F8OVfTqWrMY0bbX3BC3VcAh7Qq/kH9AoZW7apozTvF
wJWFINi+meGjMWx31B31dByfFfO0zFQaDntaV6u29y4c97BZxC+LRdGqvDM4
tR6b1t+kzWJwdFjzsdLzJSC+6qy6nsGL/tttJ8Dtx7b9xilcjeMXvG3hBK7m
9SLV3Xfh8C+LCoDcGbmlhmPBhW9K+gYRd2joC5Xn687ARbNapKXSd2kTvg8H
f1W/KdLO2G/Grdf6usHW31T4Ia+9qpsFNL+ls3qaHBN2JG2pE6Ayn3/yyWeT
AuYFv/c/9j9o0lYnCz1L7poUTne2uAMKWE39zi5eHH32xWfPDuI600v+/cXH
H39yEFNbPLLSoTkjOKh3OKBhmSd0jHojw2mSfuCv3ts8TeUt/OW/rfGgwVks
VYazTPJCZ2WtV41KfruDHnWO/w0AodSS5goIlbXwIcDCPJLvmlrD9r6Z17SA
TDVtslrmQEQALO4HfHx1frY/fn5AG9SmzUzBiIbGEONQOWzJctUCXSSqSbSt
UbpeNZl62i4XCexpleilyoppkTGd4e6Ys8II8Rl8El/6n8Qv1a0q4+fxT6pB
HhbDLIDRqNuCf+1/Rn1YIkT/LF4ijkHPPL/4yEyQCTd9xGs9Q5DEz5/t7/NS
n4+f/UtLLYtJkzbrh1YrczoHio2YF5/V+apUcAapZQiEUfwiXRTlOt6Bie2M
BCbPnnmAeLY//vSLPwIUr+pbtZiAYALQwA6BmycnwDkv1Ax4J0oMp4evDseI
LsBQVWUEi+Q2LVfEaLHFeQqyzlCbJb5QLWwmMui0SpOFyos0wS60fOc9MR9l
MAiw9oQPqfkwqwH5XY9PO18JjqfZAk4LACpTckQROC9Oj18nFyd/vRze6GmR
12lZwuCZov3FrdT0GM4gi0VJo/5nVTSKhI5gd3ew9/gQdgJe4SbWnqB34bXa
Gdgyb8+Irn47js9VAWKjJdtCWr8F+gHyj+q+7rT/foyHp1HLttP++3qeVsG7
Hgo8xwNxcZjAng7DKW1+L25Zjpnop/ufAx4++/Tzzz72oQH8XIHsS+h2oRZ1
qwLp9g5kk41i8RbwAb7zQ4WfdJYnLC9812l7BlJKq0BKbDqNz4psnsIh67zt
NL8cx0fz9E2TTtKm7W7PZb2oUljawBedbl6O4Uh3m78s/IedFkfj+L8BnJ0m
RyoHfAje9Nf7U/Fbd611ldrHjALfp9UKyRAQgc/h8fHp0UlCG4NC8vtSxhxP
YCm9BIwpODw4WGwGA5nIfeYxgWfPPNo33v9DSN/3qxJX/PxZFCVJEgNCt02a
tVF0NVek1cBxyTXspoqXTQ26Sl3GQCNAcqeR5ajjjOppDGoPjBtPasCApYJ5
xytSHQnrs1EMetEMODRQ/gzkGmyblnocnVag8yxUnKVa6VFctHEBvZe6jnOl
4ZRPgEe0dQx0F+HRztMW/k/RCHGzgl6grapuCxCWkcBga2CpaUw0S9Hoahxd
roDdwdlPNXSDJA7Gq+KJilMANjCXXCbb8GlN/dM6h5NBk0IgZErreLKWp9AH
LgRoHLzKV/AyPrktYHEwQDqpQQAvWhBgpjzvtALYwLSBgEMLnMBK0+JAF2vS
Av6+myv6gj6XnmHkab0CjXpgWVdzeAva3IqWDgDLmmKiNH3XFPAH7Avuo2Vc
2nTNcAVATkD/xJXXU/qJX3f2FpRfmuQQcGDPsFuZCXerPbBk6ZJGgt4ZQjiU
34EB1yjWtEU4d+Bq00IwJEZNvKzTHDe7wtYEBoPbJ78DPLgjDwd2r05O9kaI
jTCT0/oqZmbIa4d5AofGnnBRbqnK7hWutVItjgz4QTu+rIuqHeGrJZxuHCON
F8CMUQWHJ3OE7i1si2pxqYZfxsCmgT5pbAedE9IiqKAHf0vmKTSdKFURys8q
WBfOAQ+axXXqA9ElrdYBAIFSzKu6rGfrEYEGXg/sU1sv5Ru0zUhX0PciXqza
FQy1HjMNWBR5XqooehIjF6Mtww6iaICP7V4c7sX394lVEd6+JejO1VYnRb3H
SVEodOFe4SBEgWGX2jlwLK0Zhe3B2e50+CejtifA0b0tjguga6UISgRc3Og/
4gTxR6r5408G7pnVi96+/Tc+KIUmpAZWCCqBcB6QdQn0xWJZkkxpORBzQ1Gw
YSZlkeEuC8doVEmLQZzCx4xoMLMJcJ48xq0AfK9mgHZ2WngaiUtFf4FZV9TP
bQq4A+9gwFwty3oNjXHfYS7NrEve7OnEEXfVeDYeAfRZt0TI09+g4/DfVl1+
+3YPx9pEJtTvS1xbC9zbpxjIzmZVrWGXDDL7cxElQTANGZrhfROkGcwAsdFM
gQAIfcDhTJd6VXLzXE0LHAj2A2aaLe7gtNNeGEEWmzvuBxDxacWFgo5wZ9M1
4iwxaRzrho+E9+mNW/M44rkGWiUSEBxFs6gBYkdyl67jXTjTt6pJ6qpcswWa
KVu8m5UF4SE84m/2uudTlt6keYG/odEAGwQEnhAASHwPzMDYtWBnF+hCeAUP
FYCcRRfeLrT9LhUZgIkY4WuifMQlcKXLGpGTdxkIwRIBLSufpBnZqKs8yeYq
e0PTWIKEQ1qFG3iEtMNQP9m/SyZYOv50/JzafTrexxn4tNwhSq7atChN20rN
aiBAuN+JEQvxazNllhPv7PRJJDOHFTpBSlCC/lquzdFEaJeo4o8ADxFPhJpp
eNbAbsDRTbFlmt+mcN5noDhH0YfxaUgBYBjcGhaToAeg2HoNtHBBIwKeVO0Y
Wlm1NK9hU4DRxLwHSAFAECtlvxOaEDTNQTZhHgZYmWvZuRKJnQhjLWqVd4CS
sCLgGg0BatqkQE9WLMbbCWicwSnRVpXqghGhgT9xcGKDhEBuGh9oS41GuKpM
OZHgg5h5AZEzRm9ZGoAdx9VE395U9R1KviBn1/Rf7MBxOLMdOiLRoM/UcK6A
zpOy0HOV4wIO3fwIQA6UlWJSBLokUNIxkACg/hoYAsv4yL5mq8buF36uclzY
Ah0FhmrBKho8Esj0ASnRMMfHX3g+UGpgKdqQB8fizTQWsBT8GqUhovfZCrsf
lpvGKO0c1dUtwhLPBMLhChSVgt8zYsMm5bBdSDZBh1hYijtFQ1UBnRNZIAZR
Z+kEx1tTT7DoTC1b7RHQyB7A+JP+qaPhpjXSEyJLMBPeyJXmI9j6i4aTcH8Q
3+plmqk/7zzbecvtudWO0Sx2aCo7cJyK6XrH9UaTzgtgGRUZWQGFAHYtseI5
0JbZ3OCkG+8g3jm03Wb1LQmniLUZETGiRYaVgLhW5AVzyyF2APzDaQApMv6m
I1GO8BmyLuZTF8LFz4WL47J+wlUVOA1AiiVbi1Gg3flJliuTBBLN1JXnqMOe
SaK8qwn76Xih6IFHXsRxjZIao2cN6Jm1TuaER8162dazJl0CpWBCbAhhDaOk
jFie0EhWAdxr+Ps0F9H4B4Ue1NMf9hDIh51OUYikPYO5kq49DZWDIQktXzWy
E1Eg1o5jn1Z7NAbxG/gE9lKSdGG5U2XkejgmKW1XWUwVqd/Qa4R9CUoj2Ve8
O2bBpz/wiPBHfPbj5RUeHHzx3+NPn33hn+8PUATOjaqASyaRWqPDEeg8nR8D
XRjO7RzItQjN0x+SoxEOk1wiDM2YLM8SmKcs+8GWsVgg0iRLBqMOBnGHyemx
9Al/0dZUrrOGhCD6Dvvy20sjXDqtYE0SWgxUAITMJexMG+2GezxP9XzP7uwK
SC7t+yiewClk1A3FXiYMQO51AXoDTNg/ZKirqGYIlyqkSTEZsI045SAJiAI9
gDxhFCIArfAswj9cr1GDhlR51guMzNbRp3DzsAMeFbuYAsjmeJZg9l/9CVTQ
JPmaaRhuP7rdgY4h0uyM+L/xq9f098XJX388vTg5xr8vvzt8+dL+EckXl9+9
/vHlsfvLtTx6fXZ28uqYG8PTOHgU7Zwd/rLDct3O6/Or09evDl/u9Egvwd4I
ci1uqSIpRUeBtPXt0fn/+d/7nwBd+9PFi6Pn+/tfgOTMPz7f/89P4McdHFwe
DaVX+QmgX0dAvxXwFpRpgHiBOF60oI8QqdRzZOuAErjtH/4NIfP3g/irSbbc
/+RreYALDh4amAUPCWb9J73GDMSBRwPDWGgGzzuQDud7+Evw28Dde/jVf2F8
Q5zsf/5fgCLAtV/Dmb0t1B3jCyhygG/TVZWJFD+r4f8Koo7Q8A1zKY9M5oRi
6neWVoyxjOX7ive0VClqSJsVd5JTSUGPUQ2xBkpLrmFwEt47UhebH5meChLB
QeAjIWIs2RtQvk+NtcKZBXKmeCyZWPcKm19kBsaAQGPJKXeHFF1HQE8No3Yq
LyxvRYORkkHvYPr4nSHHRJyMG8+YCuaod6LY3vKsgF/WWUFAtn17+1FPcHSG
nCEmuubeKhSJYYD1iCT/NdJVTRovkYt6QXDIkaejkFVonwBuYmzQEwFRlHgS
GciqY0afqPZOiY7f5cp0GqOApMn2Rz2AkGnWSE/DBBLWMyQMZSiDrlUeyd4f
nf0c7x6x+Iia7BkMCcpP/HODZKHZc3q4aNUoyT7xvXDY+60e+6N11DTRarWb
f9r1VPWYdEcz7nAdpF6M+RQKhdtzuyorZU35hQEsKKr1VLgI8Bu29XjiOvX0
D9XUSZ6uzUdwXEFcJR6SAg9PWQYDrSu/A3I8Bvnp9fHrA9juKVBGAN0eSR7w
E41QBWsoRokLVXpf/w9XaBRA2Rd0VRhi0cJhZnmCgAdPjw4TMcl4IEPm9rNy
tI8RvVEz1kucPqXZyBtuIdkXwvA4jDVTCzK0zVKZ13QFPMIdtlXagCivHOUI
KF/IlneNVQ3FyacsU04U7Y3fag+Z252CYYABhQNY/CnI+UkGWMRG6wuleXs2
1u/M4IyRZTGbwwHE/5cunF0vWPqgmZaMFM4ShqayCPS3YoEEZ7Ek1YSBROiD
C+NDbBRmK7OyoMocgY6kRnSrp6BnJfErY/qoK88ydwDP77p+FpQN0lyUhyOS
Nb8DwNUkLcfxSUUSmcpPXJMFn2/CTmNkYTlZFGEfECQXA+XKOFxFTEMqHzL5
hVoSkAPo/u5h0xtAlAIK2QXAqyCa5JEBma/It65pljYNG7z6tC+KN1A/9D8A
sjiNA7kNiK/FrcQXfUvSrPeIaYDvj9BKAU1kUTeplxrNqKjQOINTx+CGVD22
xxB3EEfVoB5ibEpAN41LA1HH2hnS6RSEfWaSeCKBCtlevImGthmHamK/sIjq
oT0q7jVZC421kyWSVUFqOlqA08qekLs5ye4RIFwxdGrchIlrkumNp+6fAkZ9
r13k7FaixgYmS9RwUD4yMgRGp2x0GwPWd6CyUHjKCr0Amlct6hyxMx/DWYIp
QndoYRsxBpdsR7DLJdN4NABR3G043WVphCJiicE22vMGXEtjfCuquswA8FBM
VcqWMw5BHvmqojlu2pw264vAlt7REfbtHXpzVIjUwdeEivZsuabGu/4OUgOz
MiPEwoJfGIXKKJL2neur8Mh37oSVKhhBTpzdp+EDRlwah/nW2qPjI7JHn9W5
KsUhDxSMfP344bmxUdMHI6cBIloDUnqaLbmOUAj8XRR/fDhDc07lNFZriJD1
Ch8YJjI/m+n6pA7lUDzcyEHXjvbmo3faiZQsvSzDsTPuYRIr4ORvgih2+w2G
XuETADTjDsqEIu0ZPPOn4hFhlu/7HonHVgHvamRbaQbnORf3n5E0RcD2+zOz
IX1TRiVrWcPbSMZ76cZXS0A4HzR+JUd0rIzXxnpByZZCr9hWY1/tGfHMqhxi
qkJCI1YEY5sNRQmJgGXvKxk6UGNAnx9Z7RHNqJUFmaeY4UbQkosqK1e5crqZ
b3xheodGE1RbsJ1QAnabZU2xbIePldErOuCywrNvHUqti8z4aLbDqbExbTvP
KHvbRTujA2diU9iH2gsCsGhToHkqygs0jcIhsgseRs/dYogWcNAGuSNB78Oo
rgD8j/QpCGYEHZo+zEYVhkNFQyQhvlxNNHALxDZWC11ME+qVouYLbbHqN6IV
ryHyZCK2ONtNbjCuG2X6ylBgWgJ6nMmSATtqSJJzv3bJ4yOA572y1DCyaj8N
hd50iVRzgBHjQ5aioENgsoY99JhUKwqGrKeYSmNAE/B1tkBhRJfxJzkaTn73
tW+VIMoYYdS4JhYvYo+VDUK35qKuoIfW2NFR8W+7Vs8xSIoUWGA+jcIPRh1L
ZigEYqwnSebecWYjJ7kOccDH+ytr1qPqVavRsCKdsKmW/E6O/uhol8V1T7sd
Gcv4Hhv9WK0dmBEQYXYTCpgidnsvCRAjbixdAY0w9GHEcRRMJKwYxycaTYeA
XuTmpzUIrUL+hcJXhE5kfOxZRI6stfySqa8Dhgl68ZETPyoyYPk/zwuJnEHf
CoU441HqWrFrTI6RyaM85ox4uBakAkUzJEJDwxbjpgpsP4qZkMJ3iVNOJUyB
JAl2ZGvWTAcimqxwGN8/2YqEkhDpRUZYt974k/FzXCiG2mA6BjqyDA7deATj
xtCKyDJsEBs8y8E1ZnDdjPwwRD6SGck7fl8nIFGubyLrdrbiTsD1tCffxLdF
2hGGvMUExm7ahEcEmk1tmVGKLZsQtqiou2nRANL312Co7SCkDFtCe14Esm25
0uRuMfQflJPEhB+65sLr3GSNfTz2bOxwbNnL0p8StD+dPh6ygvBlniMyoO0S
eElhaUkk3zQCmgmFbAQWYjZDx9O0hfNwAzqNmqXltQ3+vwFdAeZodUiBjdW9
H7ceGsEt1UOxPQKvhxfrIhyKTifk51fJQ4cIxzg0Ll93cOjYuENjYzkCELN9
MWtqccnifjce9MadzTZNYG6eWjYaMsOwI8bbf0xfgNk784z4r5h5VZ5JSAS5
4QCZvYfm1Leq8DC4neuuoy2In47+F/yjmG4FfDu+j49ev7o6eXV1/eL1xdnh
1e4zkKnOTo5PD6+vfjk/2d3fi98SGT5BMR96/jKixryT8b0NIfe/oR/XyrYw
33BuVrxrBLQr+GwcfLvn9Yj/yHQazvAgXoEqvP9ZLMks1yyVf9lv55ZxAPwv
hV2JKXPmGof86tl4/PzX/c+S/a9d07f859vYn+GmFUuXtyIlXRtW2uv5rZWk
jPLidSu7YIJbCf4c1ASwH8W7zz/9FLfAO1BnRr/eNLGhb51W3t8O+2oQ+mZm
Bx2g9D7kWR/Az+HlWiCD4DAjOm/A4034EkTMxUaQmxlbW/B4oWe0nYNTZ53w
eo5n9yB43QETjyqK4rWRiK81PdbBhm7RjQy7fTcMZ0Narj1L8TajzWutqmuZ
u/bhFwLDkxEaJlHv0L2saavu+93KUQFGcS1c5Kt9BMbzT4aPX4+JfMlk6/4g
frIFp+BEmT/voPDkRLRLy3yQUg5Icx5pHpu4qBtvzjcgf6gyjz3JC5mmY2qb
OOO3KIF/f/n6FbOKb19fUEQ5CKv/8GxXZMsT+n7288gZIdSiaMkvO69rZG4R
y3ZBFxKjL1zYt/qEdpYhww7q1sPGuL1NRh9s0lHF2UWFqoEe9IlypJIRupz7
EEa0kek2TeVfNq4YHYXygFhTDtzcVrj1/M4CcFQ1nVMxDG4kPdY4tLYzt7yn
kcoIasbdzAlNfXe9WBZ4Nug/dVF/HeN6JIFQ7B5wCrjnlzOGXd9pQgYIm6T1
QQzf5vWCA3Aue4YoWounNsU/siuqU61jwKn3wiSD9W0a8W4QIGNkP4lBvr+X
5HMxg0UbDMubOnne66T1AyqjRZ2zEmoj84Lj6vzXnKeJTgBMGyzX5AIk/BF/
QIgyI3krO999S0sJ2ruIdJuFI5/DqbpLMfDJjwhHYbmqySpt48g/0F38ZwXA
YszD8jsfuYhwULrb7OATnddLpJlLgpLvMmLDDvk1Rhy9MpxYg4sXUcsa8kEp
KpYFxWmjgn4UxKy9dnGU9088FGUKGca3eTGXXZ3UrALP4bCH8oHwNYGEOcPL
Rt2SfYvDVcTgSBErgf8tcmkRrLKwvcKY1Rw5EuUjoA2Dc5TkGkwNYHKYBhHd
DYYh1hKt3najniIvfgXhIqaFls1k7L8YMPRv4/7wbEprTEY6OSG0F48M2zg7
hnIgd+x4lI+cj4ppv46KarmiWOFiVlTsSyAq5qDIUeFAxpCND0xdmAfj5oZo
R3saNeVaRRwjKflfvB+OxuLHBgsewJdR5LEX7/sBTuMYDCH/kyFP3DHicuGi
eIaXyBnJFtzLBgusFLCuaIOhah+X8x/VRC+//E9Dgo0CDpP51mX0sjfD6eTB
BFBqtBZ6DRTT83FEFHEtyWE3ngo+Ho/ZoEi/blifjcSIfU19/jn+7ofjF8nJ
71gIJnmZTlS5+2wU73QH3xn15NTuv+9SPd/dODqoZ/jBuFTVrJ3vRVF2bebB
wB2aiTfTcE5bTMdOCRDgmqd1fU54cA0CVnc6+v/lbBgsD8yGtulmcOI3dDxu
Bru5ARxCJkZIcnxykYi7MbpcTX4DnOQv4cPTalr7Me4cGT5k2ItvcGI3wnAj
YCFobtOrolUUUG2NydZd78U9OcuToL5B/D2O2JK5AhG46UH7xppwKN2RmJ49
5VwdBAvbSEI3UTp8s4BJo6Q/tl1S1j31hjEaRXVbvyHfMy2IjWtVHRMZJOnQ
9ECZNhzDxiR059lObC2EAmlUaybrVlHtMM5cvfF28oYi7JQWqvOT5wGLoh+B
ibA5c0nxMo94tEd2t4yWQpSoJ6YzAjuLquyvH53QqN84vn9XsH1RaFh2Nh/F
U85FczyVPZRpSc7DRVpKTgcoEXtstQ6NrRozDGA7brwpXXOnN2JuJdMq25n7
ltlIzHxUAQk/1IwtxxQXQyBm2csv+MC2QaprcH9PDAdTcBOKMZ6mmYIuRuJD
dUAU+UjTImzmMShBpaZYRpCC1YwCUki0Yaavi0mBXhPiS+webTCk0RhxxpQ6
V9mYRfIHIrno7x3Ft8+V4yiyF5w4MJBiyu8j4dxGCI26nB3Vo80xGrFghZyg
vJaULtr8cJJto1h7ioLQOIw4oYghf61lykq3XevFudWlbxVLA7I+XllkIUZn
y3pPjTPDuMVFf7ORH44TO3+WwAr1OWpwl2oBgQn2fUS6IqhYTKczoI1r2Efu
LSDyVdao6dccJssSgYldr10ybwccNnXdweScY67XEWWm71bqbs/kuqG7wTgk
do/O9lxeZgZaGNNbEaXv6lVptdgocN/fAaAUaVIuUAOxPksrRAhDXOghSId3
HKZbqgjfQovMONSDjBZAaglmMBAff/WUIMIE0KaHnlsnI4hAj6S79NUbL7yD
eJDV03FrXHLfgEuTUlsvWKFwWVXOWuvJ2BwEjVpIUa90mF2AQJhwdKOxIKRU
LbHxvSQ40saBbGQBSXV11csM9YcJIqicekLDblJ3RuhutvYDbkRuTegvjc+K
qzOJ+mZmUdlwPU6859iCO2KR/R1QVAABNf2uhz6luEZYU4GAwcQFioiQBgNd
yQQbVJNEtcS94+Ri1G+kmgbrO+SilZSJGjg75hhYkBicHBDdDVWNJPqGzmtS
1vWbTagHQPmuvqMzQvU18rrRnBkS71pSU2hvzqm2kZGsAXlxGHtR4b0FrOZs
UZ8SpBhrrl3StmcVc3a3yBo6/RAsnguchrrMtRx+P9yGgv8BNX4zwprthSyH
kayO3MkSmS4kGO0hvsLMGrhJF6D8ONbTB7VaWVlXlQdhp6u0d1R15godpS6w
GVJykT8z26OxkJhcTlgc6UbuRMk8zAnqpmSDiFjest7vDpfpxUiO1pVl8l0t
rzIyFfJUSV/wtjI4vcTaJB87nIWEC+c2aaIDC48EGjtkJw4+9pSvDZAaAMjw
dtCifdWO7ZrdYezjphPKHJouXKEGpLF4wtbd1ZOJyjAGCcDxUibj+ydt8SYR
mLwdrGTBmeTevmAX/qFxlhwPrsNq0GY7MQX72sXB+S3IoC62mbgi+kF5bhqz
t+JDZ8zPiDvjkVdpbjsZnGqHykrqu5P/+0FyzhdgYt/Q1GLEVTILHfZjE7lg
Q8th94WWcx6vKqrI4GGjTqcKTeG5ls3GZWXK2OGbQlMcl3MNlBR2qLDEBCX1
UeCZx2lGHVbDIoUNrafsPWXg60dwcXqgpwxoE1dsUQcBRtlStjvKDNyMGSYT
3EzGUhCULO1ujzggvm7wz1qsQxh3Xpa91OkagddwjnshsmVXcO8GvA7YqBym
uYhGkoBcLnjXmXINv6859XkoFFaItp/5v+7rlw+MoVjB9qNwBWTD58jEnZIN
i/pNy1kNYtp84czWjqP5VNRfTdxRgxzbji+tsBQFIafO2/aYpGmZjIvcDJPy
+hyWsL1b8SCAqmUcVgbHpHWhv1mdmJhHy5rDPaGiO9KAihVJTahBAVlMMZs3
YmSSr5DzuBEPry6DszSODksiGSbnvqg2iId2UWJneXRBo4E1nh3+EmEgpgRd
OmXF9LAZDztqJO6W0bJFgWcJ0Ak+pz9EHho/glOPac0+RpkaDARhOLXUn9EP
f4bxueqHc3VgHFZVVwkSqoDceNHiYZg2himiKart0Cc6NUAkVqBZIMVdVWjg
7/AkFuFCSUCwKGQIpPCJ5O6rex7zo0oYBjzOE0NhiAwT42gJA3zDqmqoN/SH
9/gRlovxCzjaQOw87DYwAwBVYrefO5eBqWkcCBg9OhCgV2RFWDEGOSnYpUVz
OamNPuhwdZYX2fI/BkbiO5IQxZD/YHwJTU2OmWMIUg1ngP1geQk7WhJL6gHG
CXMdk8TU/7T6sldKhUFr05AMpKO+3kceno0Rwmk8XTW0e1hpfCVl+VDKu5KR
LrHrDzTltJLVLpT3hsx6XsIRfoQMVW9j76FKqGQutDxh4RNSG4nhq2CuflNk
ygrSqN1oaxMuTQDBwkx8GKjgpPXtAGNpEusuy+bwWmGVBGv8m3gJrsGKOJmu
9kMxWAFBH7Yj3YT4XpmwliSQGAOSUfyaF4sgAr1bns157QS4kS2K4UegopW2
Y2kddyqHYd0wrK6B4TjeEUaLOwjgyxqxlwUCnJPLQEY1e5GSds74s6MXcHBU
s2MJGSygVY1nXomMD2KgooRVxFlWq2yieRqjnTdbU7d0WJ1aZBInR26GprSt
vzkWYuxhi9NU386ij5L3+PdRHMsf0T+38Sl1/9lG/9zQ3h6192y//fiy/ncD
w0eufbfH3r9fH5yIa3/VMRe6uVIY9yXL4ZvbP7JWczSfHl58OTx+KDHbOUj7
V2jX3ds4/u1j4294+Tj+DX3gwf+99/9MpchP8vg/un2ckCIY5LLgmRpa14Xi
lPv3n8aRza/+90FF2uvB+V6G2iAgU7/9/3+o8Fh7pLlbte9P8KONDYfa8yk8
FyUfIywfXdMfOP6/ygo64bw9tuvH8DJxd1KUb+rFQN2fkXnVSxTJczUF0Q/7
SUCrQ3FTCiOQm+TSqBjOnBLUUvFCSkmZx710Jas4B9IWKAcpSTW6lggjF3lH
SVKPuueuTJEZkNym8QKLmC5LFU6HEuwoxV3ZItwbEjtGNk4fj5nI0PjN4fmp
NmuAASl+3hWjc+WRsYAfroOyKn5vtZNbnEDuxqP5o1PZ60nECBmECps5nS4r
02Jhq/i6jkh0kZYLQ2RTNrMhkCkNzxQY5k7QzBcq2bK8cHusnZszawLZcMP2
28rOLeUPBnkzH5JUf3Ee4ENKfnVt4slUxvctkHhc+9n2FK/AXzV13ZICIx2R
0N69rkDyk6xKqOtpi/WKnF5ovDdmZiS3k/YzYt3G1LgamYECc6yPRqDdNKql
NGrRYfELLwZ4ODwyNLuRdkC4bJw2Rue0E5CiHKrjP+iVETETErQIDO1GkOas
QK6pFCjfgTUVa896Qj4tq6BrBke2J1EZO3HdfY2BRGVeSYTF9QKEJRuEKajj
sJcWKsbxD/SADG8yS/3VYyqp9/ttWC7rsahKLhuZoZYGr0oTOF8sFF581vC1
GiWlG/Y9Ih2FHvsSB1/MF13l3o0Y4d0aSDeKasXViFzxF1TPbNn9tQnwJ8/5
ea3bxAaAd4DA10hKFnFYoSyKqKXnvZbw6LAIVoCpLnzxszBhEJEsmigbliW2
Kbvad4B8YCzmOY05mITCrE0YiRfyralAdBpkj0r2oJe9Om2Vs316AdE9+62F
hI3mtYwyqDbUAZRNINwN0mdHwbTYB3PDNoCbF0VFxZ1v9jjOxIPGHCNXkc56
WcNTz3jre/PbuVcrh4N36dkjGbMSqT6Y62sTIM0OPsaIN3p4hfr0CnIsQ+QL
gRl5Tszh6NleuKyk45o8PVPRx+AI1fvmhNIhpLTTMggnDn6+ZVQcsWVQvFwi
eNyQlJ8arspko3RxLHT6xCWGCnsVD7z6D9pUjBfjmKlJL4UIaFAcr+wGK/j1
XZFMvKYG8f5BfGT2tpNMQileaLtAGfhHvpAvel25OreuOhYXkyRcYqo+0Dbe
Pfnhxz0PPhNXfIld6FQNzbSEhtzOISGAAXMSKdwS5/wuZMTFaIzEYWnm3mKt
uxKdvKtl2SmXBiPBpCU+Bs3xMz73WESB9tJz+y9XDdrPOvB9jteadYjw7oWS
40rbZQtF7QFLkhtXOpBFDDPFrgIuZkO6Kr84fC9CgIyfhAHdPBUTaBJQDS8j
hi3qRrroVO1j8zOlSnimadxG0KZHJieC8xp49G2SF1ydrA7L9wKm+HhbKL1R
aukEDJsU7uq9UAzpbV3QjRcO5zrH05VC8w580bJdEolWoZvVkiq/TR/k+SEO
fHywFVN2dNccNsPl+IyPOltfaK/coPPy3vQ6cieok0bpbtpEa+yPHGXoA9Z3
WW1grN0hXKo8n+dBdkIMdIju+sWgiPWC2oOI0/1MhzlNg3gpeRfhFstGoS5G
eXSvXJEAdtWeG+S5fzJYQMBEkNgsrCnVbbVOVMtPjejzaAnJoWARSW7dfIVU
IbdKWAw4oE6Gc/RMyIQf2e2dMq+8VO7VqvfyZ6y03i2KxP0uG5W4HrzMIWpj
KrJuOu82zqlbmeHdK1kYNm+r8ZtagaJ6+gUDg8BcCsAx+yRlzHzmSUhpVTFH
NPlT50z2s4W3rdlh855lsrWYDyaPYkBw5Y134x+6cIC5pNoeXd2JshraZZm2
8ACuCaA3OUkk+R6po60bZSctdwDFNjU3Sc0txeZOHRmFPODLeom3G+EAGACF
dV4rNVRHwIBMZiosCiPS8DgQUaFyS1R1GBVIM8vezMgHumFqvHJlWKD/gXRI
pJfFa5Z2NleRNaWXcAa9w9m6RUjHIh0PhMpQSjxFXa79dh6LxKUPpI1S8U53
cBeUtBsGTUhNI70Sx/egAoxGlolcHuOHrshE3GVYVGDSlsui042Skl4v8Hox
9o+mRR6qKU5odX1+0BXG3igjEHfHFNaEIBBIeoAZ2J7OTvdRYcNOb65HM/ZR
ktC6BiF+C72LdngIgx6rf8M2IauBGNpGYA0CFm3AgRwH9muGre/SarCpXJKl
qhny7aIaNrY8Tu763LBbvNVKbUE+eVjA6j3LG0U/cTQOFSCzpWqI+QTdde+F
xrZe07Ayzobmnbug+f6ugXI2pugFH3gDHtFrehebpF7YVIVWh0wQzvvOL6lO
4rjySzN1q7N6Ycy7y7plgyyGH3ATV6TQWmtj2CAC7h6TFPV7uiDbOipmmCZ2
WLav0gXZoUiaOXLahFSrcxLwt2qe3hbQy/2TifwpKeRz0Mfk1i8jLtqrIfxN
r+XSCeD6aIncxsQRuOKDAlQbqPhow6F3AtFQySi/GhT8EzBs/4+BFUWoO8e/
+hONTgAS8T/jj9DAe02XnH0YiQvpIxfJe20DJbX3eqnfXGMzA81rqsDgfwAt
+eI0/E5e3MKLHlDlnfE/fb1VUuvQIjnm/Fc0E7x7Hz4UYAEIm3fqpLfi+Hbr
9vcD2PIWFiJ79w5z6AMX1kL32OvtZ9NH0Q/fOm/we05je2gMTAPG/3Xr9oPD
v8v873s2VVw/WbjfAzfje2OJffs4EL4ypyCO/+bfyHectumHf+fWv3ZA487c
wNHCScO7oSWZI+nNL/jXO5C9Gf09nPTXQ5/0ikIZUmucx/3gDEfYzV1A6EDG
4iFM/Jh6bSEnBAx1uIKfvZ3XWOKCi5m95N0NBWtE3ujUwpnSrWFDso2nRfoy
iwzkyj0NifibKz35QvnesM3eaC+k2MhwN8YffYM933BxuBvjXvNGciXqBurg
e1e7vgju/iPhWiRfW2afLSziL3fRr1hlkJoPxk1u7MkKQCKIWEmDBGHWRRpz
FY/xfVPKESkWpMbJLfVemG9XXgeA3GyoO8eQ21BN7sabLc+FROBCBxEDpspA
1+XrefK3QXZXJbTk2008g56V1TX/5txFuU1nbFL2ze156La1ejhqz8Ozok0b
SY0ZGdW7gcoV+eSwzNAi4JQaq1Yb5XQzNFnKLXq1/qdeCrHoGybBmdUcV8LE
OmzsVdbVpuUZ37BReHi5rO34J8xkHvA9qC4KJGgsGGWdfTO6e5qn090ADloV
kxPn5WyECcHfhv67yArfK0Q3eJEDXYK7wxK6L+qHKFxATdyuBSfX37yN5+TB
zRMgmuuksFh1GH9sfDWpX/OAUrtZF2CWIHC0thzKoqcagB694mBb/yqFxwtg
4KwbpTAjDt324RWNVEMs9jT2QTX68ZLKY2S0fWe0XQ1ema432ojubIrH4zdw
h9O1Z327aXI5dF/f58Sgar3ZtseJwIuFnwMs3lBc9NW8Y4yxniItT4PkBL+g
B55SxI2dVWXp3bVfBUQQcOdfXTZpaXMyg3qGxfddcX+bvbuImhVKJM50MVEU
xd+Yinc26XkrJ7yP+yH3HLLBWutm1/rrh53QRUdIN0wrWyhjRX6fzVTA2+MO
GzRGZnsdYiO1HzrElm3IXgjMwzPZyEwen0k4zObZOItvhwB5hJy/sdFfhmhL
sVzv7l+zjm5RM2fc3AjcvtWQKBcFrxlG8rhd43EzNBssgrxRmiFVod1wFJix
D5TBHZi1NeFvsIn4Rhj/Qhs02MokuO9xZz/w9JpZVr70y58P58cKp3Dpeb3C
rQ8nzxIm+ZfzDl9pZvOJ/IqqplKbQQprY56S1DkETg7+GaoIfGPlBNeNlYu6
WLdVqcnAmO2l6dM5ICKymRDwNDcdTnLdL5Z46pzA1eWubGaumXKajM8+QQ4Y
Cx+LIA7Bhh74JDedgJ46+lcZDuqsHv6KNeUBMmEEVleByK9Gq/8Y+rEJ6g/R
Dy6w9YALgaf8DiFicgy2srrvvQ/JGT4EvCsvbLWeUIDsFkfbRAmpTK9n6JZP
H/CwBHI0qqJ+xnngpoJpF5mImJK/21WcMvH4USnRraSRO+LgKEFSFToyONsE
UX7sTATohk8XtbsCcMj/g/qeHqKwtswbjYDTIq23z98RNUlKJiRmnTEczNBl
YyBnGHxgLyTK1SLlTEq7lr6Hm+4sxDIRfVVmmBA8dOj9g2489zs9xj9PPVqd
8i5uwMf+pN6X/REQ3ovxuQQDmsa/JR/0qngdSYa7hLvfP8HUX0x7R6fPt8dG
MZSv/+JKZ/OXXpJwpxwkTXFJYRRB6WFjLjQlPiRGK9UJFmJCc0lQn1twMSis
Dh++qTDE3c+QPnTXcvlVTrzOjKO8S8390uxPvchdCocf2Qus0daa+hcIsyuM
gze0y6KgkCeuiwQt/2dFVzTRrEwkOaXmXA2saijyf7zhWy5LA6I2W6FqKlHz
RvUu3LL5El78nTPQ2cznTrZB068KhvX6vK+JuNBNdrjMXc/vuOekCpwSKbOG
HPjVOVnv0sq/roqj+f34AVuHbHfHIMzOXnfrRmI7XtvcXs2JCnAEOG7zLl1r
KTSj2WSHSMC3qq8aOpK5wkA+tiBSFO1kVZS5d8eqXytEtRnHwcGis9a/qxVZ
DdoO0GiYwcKYnwWmCeKatlZycKhsNHB4tLgmYcxFCY8lwniwpH0Xu/vUYxwd
S2wsckaTJtSzWOG2BsEp48gVAuQ0vGyAfmARHkNAjGKuTQD8Hfv2qa5TcEmB
yRpi86dLKOAdsZXh6I7fvIAFYglFTkcbUzoch2tlfO8pCJxivLFyBaEiEny8
tVDmrpHyU9CoX0HRNKaS7zjAyOKN5eCl5Al5WVd+lGlMVai9g7zg8nwTC+OE
pY4FIV1gbMdjQ2SQzCO2QAxfMUAY3Z9qkHV1dfRtbOqJOf+BmJlI/kTiaSw1
iLwUfWDInNQNQbZ9N7eW3owIOaB4BSTPxhSb0A88mIslVaMtxmpsyofKjU4G
3Eg9glQ/XSwKvHIC01Aquu/x9dHlOQbA1pleYoCGux3v4pxoA6eU9QCGAIJD
UWJ9AiQ3nYqYxngpzDhd+HXTuMiYS9o49C0msO9MlEvZkQpVpIJcUowEel4s
nVXKGVQva5IU11rqNrgkAmHtxAVY00uI0gK9SjODVwK0xOGossIDZQWOoDXH
J4vIRzHvBAMqp6vGM9iIy+Pk+5+vEKQ6T367a9++5bmeHNJDOLY6UWmLWgHO
Rir+mGgvC+OmLj17+8U5Dd4WZfEPqaBOc5WIsm6CgxGFZUrHh4d26DxNSSGp
m6BDswXID6rVNKXYQtFJ8fwsja+qcN3e3784PX6dXJz89dLVxJKatuiLJMwn
46rxJaiG+fK8sBVkpNCyCwUyOv3FOfT4ygo3dHZAYAXhS/FN6YS5O7DkJcbK
7UgFQqVNTX8yw7P9mqNE1wOVlz7Qpp05WauK8KxTp0KZ2ivHrsxwUc2ZDqU2
ns+rAeM4v+j/luCmGEvqJwGSlIu5ccDzgAdj4VTvTg6ueOera6DyNIXCOMJB
csrFjobyQXwju1VGXPJcQZyNb0DkgpZ+IkUQ40gi7enhq8MOO+LiNP6lSPCI
vqOLcN6IibLkMlcSGB8Ei4+GFO+RxYsovHIJ7/2KOS5tB2OvGjUDWdDtxM6V
LR/8Ml2rxgnWWFN+L3LT3Ilt2/t7eIdF0JMLeYQ5ARwTP3hZHs7r8Uv8NsVO
DcdN4WGSylnBBSrBHMK4u2j7KEDZpUMqFo6FIV3l8MhtmNhzOpsmsxJdZ8f1
sxO9+w5weA9Wq/J2IOIdoFfeHojdQvTLwqvB5soXwx40XLI4Ybw4iEGp2odf
x4qz5gqsKPyI9Qs/xxm8/uEg/gV+XBhv80H8tytfsvw7vDyqF/hnZ8jn3SGH
dO8/YJyPHxqHa8i/5yhP4sMMBRfoYSa3Jt8/STuPWAnlmtll8UaIY1q9gY1d
lZg6lDb5KD5s4PmrQi0KxvnvUK4BMgfwrqeqKmZGGCg4trQpQHwisQUjbtOm
LLj4PNuvBuR7DDpCYQ+nfWx8Xt8VWGkSDvQT82Uy50cckZM36RTDUzXeBA2M
P20THGsdHJxnn3D5a8RCCbAYrNPPppapF0MS6i/4HV3hhtm2UdzrqHNlqzjU
VP4lih9kbEOZQJtzxR5df6LCt7BSNR9rChzy7wRAzRQvWuhUSqYvhy6TkOwg
UNjg9Zt8Ko9hwDUG5Hm1LJ5/+imIkK1qOWET42h1m4AqXrWrhT/U3pdx33CC
87okYXUaZjL6V9bbNEQbmsHhiv6dLnHsbnXBZOONt7rsdT2Fw2U+pew51kU+
pizd5JILBxDl6UHsHZDqY9d3T2k0lrLJumuM2vViH/Y8nok3RE0kjcW/x9zb
oeD2c8GhSxRKQcdoyP33Id/ms+lyDDq3ueLcUKS+QTY6mhmQeOarkoq4v8R4
GltzZCAzN0jgozIKWGnNv59C6ijQ117BwsEaLaaDXnGW2arIqZYAB7ynclcf
2VecyYnTPOfFgrd8gYVub+HQoSgGAhMn52k/o3HLbX6OtONF8TvaX9GNGcIJ
lBE+2btUxnzPiLqosohpDg1rrtCyaTniUppYaI0TDKu1S/zDIdyJeafp7kfR
7uVqQrdBksS3gD4xH2rvHTp5hpp3QSYAodiktm/R1iSzmmbWEqFJOP4No//9
an2xxMITJqISW+YJjWNSDahiNX3jK4GJbHEeVNl11DfMW2eX/KaC99DZqWTR
qpzTPAOPkZ9Ry6c6uER52yuxYZiwX5sITgoIFXDo17OmKi0uSsB4Lt6vM5uw
SlVibQiB16mBKoaPUViiOTLeux+A4uyiQdUna1eYzrTH9i98f27swwMf2cA/
kKhZ00MY5gWbRmEkqhYGBL2XwM0DmPk+cJ0mF+d2VW2BWCS6W2nMzczEsQqx
hemgGNWDH9BeCtlymdh88SUAiiwxOJtdMnbU9TSB/2GAlhhxMZ9F5XvQ7yHl
bZjnGBy64MxqVyE03vUeG6e5dWtRzuaGzHe6+Ryl/FJcVG7EoE0UffUnkLcu
W8kqO1zSPUMIdgy4jv4vAigMsK23AAA=

-->

</rfc>
