<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-kohbrok-mls-opportunistic-channels-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Opportunistic Channels</title>
    <seriesInfo name="Internet-Draft" value="draft-kohbrok-mls-opportunistic-channels-00"/>
    <author fullname="Konrad Kohbrok">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>konrad@ratchet.ing</email>
      </address>
    </author>
    <author fullname="Raphael Robert">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>ietf@raphaelrobert.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Messaging Layer Security</workgroup>
    <keyword>messaging</keyword>
    <abstract>
      <?line 35?>

<t>This document defines Opportunistic Channels: a way for two members of a
Messaging Layer Security (MLS) group to efficiently create and operate an
end-to-end encrypted 1-to-1 channel. In contrast to a full MLS group, the
channel participants can't independently update their key material. Instead,
participants opportunistically inject key material exported from other groups.
As such, opportunistic channels are more efficient than full MLS groups, but
achieve lower security guarantees. Their use case is the transmission of
lower-security messages such as message delivery receipts.</t>
      <t>To keep messaging in opportunistic channels efficient, this document also
defines MLS WireFormats that are equivalent to the MLS PublicMessage and
PrivateMessage formats, but omit signatures. These WireFormats are otherwise
independent of opportunistic channels and can be used in regular MLS groups.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://kkohbrok.github.io/draft-kohbrok-mls-opportunistic-channels/"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-kohbrok-mls-opportunistic-channels/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Messaging Layer Security Working Group mailing list (<eref target="mailto:mls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/mls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/mls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/kkohbrok/draft-kohbrok-mls-opportunistic-channels"/>.</t>
    </note>
  </front>
  <middle>
    <?line 51?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>MLS <xref target="RFC9420"/> provides authenticated group key agreement, encrypted
application messages, and group evolution with forward secrecy and
post-compromise security.  Some applications need a light-weight encrypted
channel between two members who already share at least one MLS group, for
example to transmit read or delivery receipts.</t>
      <t>Creating a normal two-member MLS group for every such channel carries the full
cost of an MLS ratchet tree, which can be restrictive, especially when using
post-quantum cipher suites.</t>
      <t>This document has two parts.</t>
      <t>The first part defines Opportunistic Channels (OCs).  An OC is an MLS group with
exactly two members, no ratchet tree, and a GroupContext that marks the group as
an OC using an MLS application component.  OCs are bootstrapped through MLS
targeted messages <xref target="I-D.ietf-mls-targeted-messages"/> sent in an existing MLS
group.  OCs achieve post-compromise security by committing PreSharedKey
proposals that inject resumption PSKs from MLS groups shared by both members.</t>
      <t>The second part defines unsigned variants of the MLS PublicMessage and
PrivateMessage WireFormats. These WireFormats are not specific to OCs and can
be used by any MLS group whose members support them.  They
use the same framing as their signed MLS counterparts, except that the
signature is not transmitted and is not verified.  The formats therefore
authenticate that the sender is a member of the group, but they do not
authenticate the sender identity indicated by the sender leaf index.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses the terminology and presentation language from <xref target="RFC9420"/>.</t>
    </section>
    <section anchor="opportunistic-channels">
      <name>Opportunistic Channels</name>
      <t>An Opportunistic Channel is an MLS group variant with exactly two
members.  OCs use the MLS key schedule, transcript hashes, message protection,
GroupContext, and PSK processing defined in <xref target="RFC9420"/>, except where this
document explicitly changes those rules.</t>
      <t>An OC has no ratchet tree.  Instead, the OC has two virtual member positions
with leaf indices 0 and 1.  The member that creates the OC has OC leaf index 0.
The member that receives the bootstrap targeted message
(<xref target="I-D.ietf-mls-targeted-messages"/>) has OC leaf index 1.</t>
      <section anchor="oc-marker-component">
        <name>OC Marker Component</name>
        <t>An OC is identified by the presence of an <tt>opportunistic_channel</tt> application
component in the <tt>app_data_dictionary</tt> GroupContext extension defined in
<xref target="I-D.ietf-mls-extensions"/>.</t>
        <sourcecode type="tls"><![CDATA[
struct {
} OpportunisticChannel;
]]></sourcecode>
        <t>The OC ComponentID is <tt>0x0008</tt> (suggested; see IANA Considerations).  The
<tt>opportunistic_channel</tt> component <bcp14>MUST</bcp14> appear only in GroupContext objects.</t>
      </section>
      <section anchor="oc-state">
        <name>OC State</name>
        <t>An OC member maintains the following state:</t>
        <ul spacing="normal">
          <li>
            <t>A GroupContext.</t>
          </li>
          <li>
            <t>The MLS epoch secrets derived as part of the MLS key schedule.</t>
          </li>
          <li>
            <t>A secret tree with exactly two leaves, indexed 0 and 1.</t>
          </li>
          <li>
            <t>The transcript hashes defined in <xref target="RFC9420"/>.</t>
          </li>
          <li>
            <t>A capability source for each OC member, as defined in <xref target="capabilities"/>.</t>
          </li>
        </ul>
        <t>An OC does not maintain a ratchet tree.  The <tt>tree_hash</tt> field of the
GroupContext <bcp14>MUST</bcp14> be set to the zero-length octet string in every epoch.  A
receiver <bcp14>MUST</bcp14> reject an OC GroupContext whose <tt>tree_hash</tt> is not the
zero-length octet string.</t>
        <t>OCs do not support adding, removing, or updating members.</t>
      </section>
      <section anchor="bootstrapping">
        <name>Bootstrapping</name>
        <t>An OC is bootstrapped from an existing MLS group, called the bootstrap source
group.  The bootstrap source group <bcp14>MUST</bcp14> contain both OC members in the epoch
used for bootstrapping.</t>
        <t>The OC creator sends an MLS targeted message to the other OC member in the
bootstrap source group.  The targeted message <tt>application_data</tt> field <bcp14>MUST</bcp14>
contain an <tt>OCBootstrap</tt> value.</t>
        <t>How a receiver recognizes that a targeted message payload contains an
<tt>OCBootstrap</tt> is up to the application.  Applications that use targeted
messages for more than one purpose <bcp14>MAY</bcp14> wrap targeted message payloads in a
container format of their choice that distinguishes the individual payload
types, for example the media-type-based <tt>ApplicationFraming</tt> format defined in
<xref section="6.2.4" sectionFormat="of" target="I-D.ietf-mls-extensions"/>.</t>
        <sourcecode type="tls"><![CDATA[
struct {
    GroupContext group_context;
    Extension extensions<V>;
    MAC confirmation_tag;
} UnsignedGroupInfo;

struct {
    opaque joiner_secret<V>;
    UnsignedGroupInfo group_info;
} OCBootstrap;
]]></sourcecode>
        <t><tt>joiner_secret</tt> <bcp14>MUST</bcp14> be a fresh random byte string of length <tt>KDF.Nh</tt> for the
OC cipher suite.  The OC cipher suite <bcp14>MUST</bcp14> be the cipher suite of the
bootstrap source group.</t>
        <t>OPEN QUESTION: Maybe generate <tt>joiner_secret</tt> from the targeted message HPKE context.</t>
        <t>The <tt>UnsignedGroupInfo</tt> structure is the OC analogue of the <tt>GroupInfo</tt>
structure in <xref target="RFC9420"/>, without the <tt>signer</tt> and <tt>signature</tt> fields.  The
integrity and sender authentication of this object are provided by the targeted
message in the bootstrap source group.</t>
        <t>The OC GroupContext in the bootstrap message <bcp14>MUST</bcp14> have:</t>
        <ul spacing="normal">
          <li>
            <t><tt>group_id</tt> set to a fresh value that is unique among the creator's MLS
groups.</t>
          </li>
          <li>
            <t><tt>version</tt> set to <tt>mls10</tt>.</t>
          </li>
          <li>
            <t><tt>cipher_suite</tt> set to the cipher suite of the bootstrap source group.</t>
          </li>
          <li>
            <t><tt>epoch</tt> set to 0.</t>
          </li>
          <li>
            <t><tt>tree_hash</tt> set to the zero-length octet string.</t>
          </li>
          <li>
            <t><tt>confirmed_transcript_hash</tt> set to the zero-length octet string.</t>
          </li>
          <li>
            <t><tt>extensions</tt> containing an <tt>app_data_dictionary</tt> extension with the
<tt>opportunistic_channel</tt> component, and a <tt>required_wire_formats</tt> extension.</t>
          </li>
        </ul>
        <t>The creator <bcp14>MUST NOT</bcp14> include in the OC GroupContext a required WireFormat,
extension, proposal type, or component that is not supported by both OC
members according to their capability sources in the bootstrap source group
(<xref target="capabilities"/>).</t>
        <t>The <tt>UnsignedGroupInfo.extensions</tt> field <bcp14>MUST NOT</bcp14> contain a <tt>ratchet_tree</tt>
extension.  OC bootstrap does not use the ratchet tree or GroupInfo signature
validation steps from <xref target="RFC9420"/>.</t>
        <t>The creator derives the OC epoch 0 secrets by using the <tt>joiner_secret</tt> value
from <tt>OCBootstrap</tt> directly as the epoch 0 <tt>joiner_secret</tt> in the epoch secret
derivation that Welcome processing uses after GroupInfo decryption in
<xref target="RFC9420"/>.  The PSK list is empty, so <tt>psk_secret</tt> is the all-zero vector of
length <tt>KDF.Nh</tt>, as specified in Section 8.4 of <xref target="RFC9420"/>.  The two-leaf OC
secret tree is derived from the
resulting <tt>encryption_secret</tt> as in <xref target="RFC9420"/>, with leaf 0 corresponding to
the bootstrap sender and leaf 1 corresponding to the bootstrap recipient.  The
creator computes the epoch 0 confirmation tag over the zero-length confirmed
transcript hash and includes it in <tt>UnsignedGroupInfo.confirmation_tag</tt>.</t>
        <t>The recipient <bcp14>MUST</bcp14> complete targeted message validation according to
<xref target="I-D.ietf-mls-targeted-messages"/> before processing the embedded
<tt>OCBootstrap</tt> value.  The recipient then verifies that the <tt>OCBootstrap</tt> value
satisfies all requirements of this section, including that both OC members
support the capabilities required by the OC GroupContext according to their
capability sources (<xref target="capabilities"/>), verifies that the OC <tt>group_id</tt> is
not already in use by
one of the recipient's MLS groups, derives the epoch 0 secrets from
<tt>joiner_secret</tt>, and verifies <tt>UnsignedGroupInfo.confirmation_tag</tt>.  If any
validation step fails, the recipient <bcp14>MUST</bcp14> reject the bootstrap message and <bcp14>MUST
NOT</bcp14> create the OC state.</t>
      </section>
      <section anchor="proposals-and-commits">
        <name>Proposals and Commits</name>
        <t>Proposals and Commits are created and processed as in <xref target="RFC9420"/> with the
following exceptions:</t>
        <ul spacing="normal">
          <li>
            <t>Proposals that require an update path or whose semantics affect or require
the ratchet tree <bcp14>MUST NOT</bcp14> be used.  A recipient of an OC Commit that covers
such a proposal, whether by value or by reference, <bcp14>MUST</bcp14> reject the Commit.</t>
          </li>
          <li>
            <t>An AppDataUpdate proposal (<xref target="I-D.ietf-mls-extensions"/>) in an OC <bcp14>MUST NOT</bcp14>
add, modify, or remove the <tt>opportunistic_channel</tt> component.</t>
          </li>
          <li>
            <t>An OC Commit <bcp14>MUST NOT</bcp14> contain an <tt>UpdatePath</tt>.  As specified for Commits
without a path in <xref target="RFC9420"/>, the <tt>commit_secret</tt> input to the key
schedule is therefore the all-zero vector of length <tt>KDF.Nh</tt>.</t>
          </li>
          <li>
            <t><tt>tree_hash</tt> is set to the zero-length octet string when updating the
GroupContext, as required by <xref target="oc-state"/>.</t>
          </li>
        </ul>
        <t>The restrictions around proposals are due to the lack of a ratchet tree in
OCs.  To achieve post-compromise security, group members should use
PreSharedKey proposals that inject a <tt>usage=application</tt> resumption PSK from
a group that contains both OC members; the referenced source group epoch <bcp14>MUST</bcp14>
contain both OC members.</t>
        <t>OPEN QUESTION: Do we want to restrict proposals to an allow list instead of
the category-based rule above?  For example, the rule above permits ReInit
proposals, since they require neither an update path nor a ratchet tree, but
reinitialization as defined in <xref target="RFC9420"/> relies on Welcome messages and
therefore cannot produce an OC.</t>
      </section>
      <section anchor="message-processing">
        <name>Message Processing</name>
        <t>Members process OC messages according to the message processing rules of
<xref target="RFC9420"/> and, where applicable, <xref target="unsigned-messages"/>, with the following
changes to validation steps that consult the ratchet tree:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>sender_type</tt> of an OC message sender <bcp14>MUST</bcp14> be <tt>member</tt>, and the sender
leaf index <bcp14>MUST</bcp14> be 0 or 1.  This rule replaces the RFC 9420 check that the
sender leaf index identifies a non-blank leaf in the ratchet tree.</t>
          </li>
          <li>
            <t>For WireFormats that carry a signature, the receiver verifies the signature
using the signature public key of the LeafNode in the sender's current
capability source (<xref target="capabilities"/>) instead of a LeafNode in the OC's
ratchet tree.</t>
          </li>
        </ul>
      </section>
      <section anchor="capabilities">
        <name>Capabilities</name>
        <t>OCs have no ratchet tree and therefore do not have OC-local LeafNodes from
which capabilities and capability negotiation extensions can be read.  Instead,
each OC member has a capability source.  A capability source identifies a
source group, a source group epoch, the GroupContext for that source group
epoch, and the LeafNode that represents the OC member in that source group
epoch.  Determining which LeafNode represents an OC member in a source group
is the responsibility of the MLS Authentication Service (see <xref target="RFC9750"/>).</t>
        <t>The inherited capability state for an OC member consists of the following
values from the capability source:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>capabilities</tt> field of the source LeafNode.</t>
          </li>
          <li>
            <t>The <tt>supported_wire_formats</tt> extension in the source LeafNode, if present.</t>
          </li>
          <li>
            <t>The <tt>required_wire_formats</tt> extension in the source GroupContext, if present.
A WireFormat required by the source GroupContext is treated as supported by
every member represented in that source group epoch.</t>
          </li>
          <li>
            <t>The <tt>app_data_dictionary</tt> extension in the source LeafNode, if present, with
the components that have support semantics in <xref target="I-D.ietf-mls-extensions"/>.
This includes <tt>safe_aad</tt>, <tt>app_components</tt>, and <tt>content_media_types</tt>.</t>
          </li>
          <li>
            <t>The <tt>app_data_dictionary</tt> extension in the source GroupContext, if present,
with the same support-semantic components.  Values required by the source
GroupContext are treated as supported by every member represented in that
source group epoch.</t>
          </li>
        </ul>
        <t>From OC creation until the first OC Commit, the capability source for both
members is the LeafNode for that member in the bootstrap source group and epoch.</t>
        <t>After an OC Commit that covers at least one resumption PreSharedKey proposal
is accepted, the capability source for the Commit sender is the LeafNode for
that member in the source group and epoch identified by the first such
proposal in the order used for the <tt>psk_secret</tt> computation (see
<xref section="8.4" sectionFormat="of" target="RFC9420"/>).  The capability source for
the other member is unchanged.  An OC Commit that covers no resumption
PreSharedKey proposal does not change either capability source.</t>
        <t>When an OC member evaluates whether the peer supports an extension, proposal
type, credential type, cipher suite, WireFormat, component, or media type, it
<bcp14>MUST</bcp14> use the peer's current inherited capability state.</t>
        <t>An OC member <bcp14>MUST</bcp14> ignore unknown values in inherited capability negotiation
extensions according to <xref target="I-D.ietf-mls-extensions"/>.</t>
      </section>
    </section>
    <section anchor="unsigned-messages">
      <name>Unsigned Messages</name>
      <t>This section defines two new MLS WireFormats that are independent of OCs:
<tt>mls_unsigned_public_message</tt> and <tt>mls_unsigned_private_message</tt>.  They are
equivalent to the <tt>mls_public_message</tt> and <tt>mls_private_message</tt> WireFormats
defined in <xref target="RFC9420"/>, except that the <tt>signature</tt> field of
<tt>FramedContentAuthData</tt> is not transmitted and is not verified.</t>
      <t>All other RFC 9420 validation rules for PublicMessages and PrivateMessages
apply.  Receivers <bcp14>MUST NOT</bcp14> verify a signature for these WireFormats and <bcp14>MUST</bcp14>
verify the confirmation tag for a Commit as described in <xref target="RFC9420"/>.</t>
      <t>To ensure transcript agreement, members <bcp14>MUST NOT</bcp14> send a Proposal or Commit using
one of these WireFormats unless the WireFormat is listed in the group's
<tt>required_wire_formats</tt> GroupContext extension defined in
<xref target="I-D.ietf-mls-extensions"/>.  A receiver <bcp14>MUST</bcp14> reject a Proposal or Commit that
does not satisfy this condition.</t>
      <t>Application messages do not contribute to the shared group state, so members
<bcp14>MAY</bcp14> send them using one of these WireFormats under a weaker condition: every
member in the current epoch supports the WireFormat, as indicated by the
group's <tt>required_wire_formats</tt> extension or by the <tt>supported_wire_formats</tt>
LeafNode extension of every member.</t>
      <sourcecode type="tls"><![CDATA[
case mls_unsigned_public_message:
    UnsignedPublicMessage unsigned_public_message;

case mls_unsigned_private_message:
    UnsignedPrivateMessage unsigned_private_message;
]]></sourcecode>
      <section anchor="unsigned-public-messages">
        <name>Unsigned Public Messages</name>
        <section anchor="format">
          <name>Format</name>
          <t><tt>UnsignedPublicMessage</tt> has the same fields as <tt>PublicMessage</tt> in <xref target="RFC9420"/>,
except that the <tt>signature</tt> field of <tt>FramedContentAuthData</tt> is omitted and
the <tt>membership_tag</tt> is always present.</t>
          <sourcecode type="tls"><![CDATA[
struct {
    FramedContent content;

    select (UnsignedPublicMessage.content.content_type) {
        case commit:
            MAC confirmation_tag;
        case application:
        case proposal:
            struct{};
    };

    MAC membership_tag;
} UnsignedPublicMessage;
]]></sourcecode>
          <t>The <tt>sender_type</tt> of an <tt>UnsignedPublicMessage</tt> sender <bcp14>MUST</bcp14> be <tt>member</tt>.
Senders with sender type <tt>external</tt>, <tt>new_member_proposal</tt>, or
<tt>new_member_commit</tt> are authenticated exclusively by their signature and
therefore cannot use this WireFormat.  A receiver <bcp14>MUST</bcp14> reject an
<tt>UnsignedPublicMessage</tt> with any other sender type.</t>
          <t>As in <xref target="RFC9420"/>, application messages <bcp14>MUST NOT</bcp14> be sent as
<tt>UnsignedPublicMessage</tt>: the <tt>content_type</tt> <bcp14>MUST</bcp14> be <tt>proposal</tt> or <tt>commit</tt>.</t>
          <t>The <tt>membership_tag</tt> field is computed and verified as described in Section
6.2 of <xref target="RFC9420"/>, with the <tt>FramedContentAuthData</tt> value in
<tt>AuthenticatedContentTBM</tt> taken from the canonical <tt>AuthenticatedContent</tt>
representation defined in <xref target="authenticated-content"/>, i.e., with the
<tt>signature</tt> field set to the zero-length octet string.</t>
        </section>
        <section anchor="decoding">
          <name>Decoding</name>
          <t>The receiver reconstructs the corresponding <tt>AuthenticatedContent</tt> from the
message fields as described in <xref target="authenticated-content"/>, with <tt>wire_format</tt>
set to <tt>mls_unsigned_public_message</tt>.</t>
          <t>Receivers <bcp14>MUST</bcp14> verify the <tt>membership_tag</tt>.</t>
        </section>
      </section>
      <section anchor="unsigned-private-messages">
        <name>Unsigned Private Messages</name>
        <section anchor="format-1">
          <name>Format</name>
          <t><tt>UnsignedPrivateMessage</tt> has the same outer fields as <tt>PrivateMessage</tt> in
<xref target="RFC9420"/>.</t>
          <sourcecode type="tls"><![CDATA[
struct {
    opaque group_id<V>;
    uint64 epoch;
    ContentType content_type;
    opaque authenticated_data<V>;
    opaque encrypted_sender_data<V>;
    opaque ciphertext<V>;
} UnsignedPrivateMessage;
]]></sourcecode>
          <t>The content encrypted in <tt>ciphertext</tt> is an <tt>UnsignedPrivateMessageContent</tt>.
This structure carries the same content alternatives and padding rules as
<tt>PrivateMessageContent</tt>, but omits the <tt>signature</tt> field from
<tt>FramedContentAuthData</tt>.  Commits still carry a confirmation tag.</t>
          <sourcecode type="tls"><![CDATA[
struct {
    select (UnsignedPrivateMessage.content_type) {
        case application:
          opaque application_data<V>;

        case proposal:
          Proposal proposal;

        case commit:
          Commit commit;
    };

    select (UnsignedPrivateMessage.content_type) {
        case commit:
            MAC confirmation_tag;
        case application:
        case proposal:
            struct{};
    };

    opaque padding[length_of_padding];
} UnsignedPrivateMessageContent;
]]></sourcecode>
          <t>The <tt>encrypted_sender_data</tt> field is computed as in Section 6.3.2 of
<xref target="RFC9420"/>.  The <tt>SenderData</tt> structure, sender data AAD, ciphertext sample,
key derivation, nonce derivation, and sender data validation rules are
unchanged.</t>
          <t>The content encryption uses the same AEAD keys, nonces, AAD, reuse guard, and
padding rules as Section 6.3.1 of <xref target="RFC9420"/>, with
<tt>UnsignedPrivateMessageContent</tt> in place of <tt>PrivateMessageContent</tt>.</t>
          <t>OPEN QUESTION: Do we want a dedicated ratchet for unsigned private messages?</t>
        </section>
        <section anchor="decoding-1">
          <name>Decoding</name>
          <t>After decrypting an <tt>UnsignedPrivateMessage</tt>, the receiver reconstructs the
corresponding <tt>FramedContent</tt> from the outer message fields, decrypted sender
data, and decrypted content, following the same construction used for
<tt>PrivateMessage</tt> in <xref target="RFC9420"/>.  The corresponding <tt>AuthenticatedContent</tt> is
then constructed as described in <xref target="authenticated-content"/>, with <tt>wire_format</tt>
set to <tt>mls_unsigned_private_message</tt>.</t>
        </section>
      </section>
      <section anchor="authenticated-content">
        <name>AuthenticatedContent Representation</name>
        <t>For compatibility with RFC 9420 algorithms that consume an
<tt>AuthenticatedContent</tt> value, an unsigned message is represented as an
<tt>AuthenticatedContent</tt> with:</t>
        <ul spacing="normal">
          <li>
            <t><tt>wire_format</tt> set to <tt>mls_unsigned_public_message</tt> or
<tt>mls_unsigned_private_message</tt>, matching the WireFormat the message was
framed in.</t>
          </li>
          <li>
            <t><tt>content</tt> set to the message's <tt>FramedContent</tt> (for unsigned public
messages) or the reconstructed <tt>FramedContent</tt> (for unsigned private
messages).</t>
          </li>
          <li>
            <t><tt>auth.signature</tt> set to the zero-length octet string.</t>
          </li>
          <li>
            <t><tt>auth.confirmation_tag</tt> set to the confirmation tag carried in the message,
if the content type is <tt>commit</tt>.</t>
          </li>
        </ul>
        <t>Senders and receivers <bcp14>MUST</bcp14> use this representation in all RFC 9420 algorithms
that consume an <tt>AuthenticatedContent</tt> value.</t>
      </section>
      <section anchor="transcript-hashes-and-proposal-references">
        <name>Transcript Hashes and Proposal References</name>
        <t>RFC 9420 computes transcript hashes and Proposal references over
<tt>AuthenticatedContent</tt> objects; the canonical representation defined in
<xref target="authenticated-content"/> applies as follows.</t>
        <t>For a Commit carried in an unsigned message,
<tt>ConfirmedTranscriptHashInput.signature</tt> is the zero-length octet string.  The
other fields of <tt>ConfirmedTranscriptHashInput</tt> and
<tt>InterimTranscriptHashInput</tt> are computed as in <xref target="RFC9420"/>.</t>
        <t>For a Proposal carried in an unsigned message, <tt>MakeProposalRef</tt> uses the
encoded <tt>AuthenticatedContent</tt> representation with <tt>auth.signature</tt> set to
the zero-length octet string.  Without this rule, two implementations could
process the same unsigned Proposal but hash different byte strings when
producing a Proposal reference.</t>
      </section>
      <section anchor="sender-authentication">
        <name>Sender Authentication</name>
        <t>The WireFormats defined in this section authenticate that the message was
created by a party with access to the relevant MLS epoch secrets: the
<tt>membership_key</tt> in the case of <tt>mls_unsigned_public_message</tt>, and the message
protection keys derived from the <tt>encryption_secret</tt> in the case of
<tt>mls_unsigned_private_message</tt>.  They do not authenticate which group member
created the message.  Any group member that can derive those secrets for an
epoch can construct a valid message that claims any non-blank member sender
leaf index in that epoch.</t>
        <t>Applications <bcp14>MUST NOT</bcp14> use these WireFormats when cryptographic sender
authentication is required.  Applications that use these WireFormats <bcp14>MUST</bcp14>
treat the sender leaf index as a claimed sender leaf index authenticated only
by group membership.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The <tt>mls_unsigned_public_message</tt> and <tt>mls_unsigned_private_message</tt>
WireFormats intentionally remove MLS sender signatures.  They provide group
membership authentication for message contents (and, in the case of
<tt>mls_unsigned_private_message</tt>, confidentiality), but, as described in
<xref target="sender-authentication"/>, they do not authenticate the sender: in any group
using these WireFormats, a malicious member can forge messages that appear to
come from another member.</t>
      <t>This property has a key-compromise impersonation consequence in two-party
groups.  If Alice's OC state is compromised, an attacker can use Alice's copy
of the epoch secrets to send Alice a valid OC message that claims Bob's sender
index.  Alice can verify only that the message was produced with OC epoch
secrets.  Alice cannot verify that Bob produced it.</t>
      <t>The same property creates a sender-ratchet denial of service risk.  An attacker
that has compromised a member's OC state can create messages under the other
member's sender leaf index and advance the receiver's view of that sender's message
ratchet.  This can cause later honest messages from that sender to be rejected
as reused or out of order.  Applications using OCs need a recovery strategy,
such as committing a fresh shared PSK from a source group or recreating the OC.</t>
      <t>OCs do not use UpdatePaths.  As a result, OC Commits do not provide the
post-compromise security properties that RFC 9420 obtains from fresh path
secrets in a ratchet tree.  Injecting PSKs from MLS groups shared by both OC
members can provide a weaker form of post-compromise security for OC epoch
secrets.  This weaker property holds only if the source group epoch provides a
resumption PSK unknown to the attacker and the attacker cannot prevent both
members from accepting the OC Commit.</t>
      <t>The OC bootstrap relies on the security properties of MLS targeted messages.
The unsigned GroupInfo in the bootstrap message is authenticated by the
targeted message from the bootstrap source group.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests the following registrations in the "MLS Wire Formats"
registry:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Name</th>
            <th align="left">Recommended</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">0x0007 (suggested)</td>
            <td align="left">mls_unsigned_private_message</td>
            <td align="left">N</td>
            <td align="left">RFCXXXX</td>
          </tr>
          <tr>
            <td align="left">0x0008 (suggested)</td>
            <td align="left">mls_unsigned_public_message</td>
            <td align="left">N</td>
            <td align="left">RFCXXXX</td>
          </tr>
        </tbody>
      </table>
      <t>This document requests the following registration in the "MLS Component Types"
registry defined by <xref target="I-D.ietf-mls-extensions"/>:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Name</th>
            <th align="left">Where</th>
            <th align="left">Recommended</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">0x0008 (suggested)</td>
            <td align="left">opportunistic_channel</td>
            <td align="left">GC</td>
            <td align="left">N</td>
            <td align="left">RFCXXXX</td>
          </tr>
        </tbody>
      </table>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9420">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="I-D.ietf-mls-targeted-messages">
          <front>
            <title>Messaging Layer Security (MLS) Targeted Messages</title>
            <author fullname="Raphael Robert" initials="R." surname="Robert">
              <organization>Phoenix R&amp;D GmbH</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document defines targeted messages for the Messaging Layer
   Security (MLS) protocol.  A targeted message allows a member of an
   MLS group to send an encrypted and authenticated message to another
   member of the same group without creating a new group.  The mechanism
   reuses Hybrid Public Key Encryption (HPKE) and the MLS key schedule
   to provide confidentiality, authentication, and binding to the group
   state.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mls-targeted-messages-01"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="I-D.ietf-mls-extensions">
          <front>
            <title>The Messaging Layer Security (MLS) Extensions</title>
            <author fullname="Raphael Robert" initials="R." surname="Robert">
              <organization>Phoenix R&amp;D</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The Messaging Layer Security (MLS) protocol is an asynchronous group
   authenticated key exchange protocol.  MLS provides a number of
   capabilities to applications, as well as several extension points
   internal to the protocol.  This document provides a consolidated
   application API, guidance for how the protocol's extension points
   should be used, and a few concrete examples of both core protocol
   extensions and uses of the application API.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mls-extensions-09"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9750">
          <front>
            <title>The Messaging Layer Security (MLS) Architecture</title>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="S. Inguva" initials="S." surname="Inguva"/>
            <author fullname="A. Duric" initials="A." surname="Duric"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>The Messaging Layer Security (MLS) protocol (RFC 9420) provides a group key agreement protocol for messaging applications. MLS is designed to protect against eavesdropping, tampering, and message forgery, and to provide forward secrecy (FS) and post-compromise security (PCS).</t>
              <t>This document describes the architecture for using MLS in a general secure group messaging infrastructure and defines the security goals for MLS. It provides guidance on building a group messaging system and discusses security and privacy trade-offs offered by multiple security mechanisms that are part of the MLS protocol (e.g., frequency of public encryption key rotation). The document also provides guidance for parts of the infrastructure that are not standardized by MLS and are instead left to the application.</t>
              <t>While the recommendations of this document are not mandatory to follow in order to interoperate at the protocol level, they affect the overall security guarantees that are achieved by a messaging application. This is especially true in the case of active adversaries that are able to compromise clients, the Delivery Service (DS), or the Authentication Service (AS).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9750"/>
          <seriesInfo name="DOI" value="10.17487/RFC9750"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8Vc63Ict5X+j6fASlVraWtmTDlex6Gy8dKkFKusWyQ53lQq
xcZMYzgd9nRPGj2kxrTyLPss+2R7bkADfSHpZKvWVRbJ7sbt4Fy+cwHm87lq
i7a0x/rBm92ubtp9Vbi2WOnTjakqW7oHamVae1E3h2NdVOtaqbxeVWYLLfLG
rNv5Zb1ZNvXlfFu6eR13MV9JF/OjI+X2y23hXFFX7WEHbV88+/BcVfvt0jbH
KocRjtWqrpyt3N4d67bZW3V1rH+lTGMNzO29Xe2boj08UNd1c3nR1PsdPH1l
nTMXRXWhX5qDbXT31aU9wIf5sdJzvfVfqStb7WEgre/uQGue54MfYTz84PfY
BJ9vTVHCc1jufxa2XS/q5gIfm2a1gcebtt25488/x6/wUXFlF/6zz/HB50Cs
a2c/h/afY7uLot3sl9DyUgj5+X3Jiq1LoJxro3F9Lwvud1HU9+4PpqPMvt3U
DZINOtd6vS9L3uvv66oxOfygXuglrMhUxU+mhU091m83ta2Kj/rdv57RW8t0
uqR2/9mYdrWx7QJ3YdD3O7PbGFvqdzVwQ3v/vpGu0DM1bqjtYlVvlVosFkrN
53Ntlq5tzKpV6sOmcBoYd7+1Vatzuy4q6/Q4xx9ro6/NQa/rRrfXNfAPcqnT
9VobNcUx+tGrl+8fM2PpttZ2vS5WBQxWHvQKeLi12lS5rne24d+VrfJ5W8/h
h7bVqjnsWpvrJ/joiZYtWegXlQaxgEW4Fns1RDUNQ/FIM91urJKv9c40sI5i
Z6rW6ZWpPmtBYnO7gyF4IvsdShq2KRoNIgK83NqmMDSQa63JZyrpJGEUU0IX
RfVXu2qTxtp+xK9g9uum3uoaum94em6hTpx2+9VmlnblF+hAbKze1vBPIBhM
z1S9dbqZXu5bZUCe7JXVZX0NQzhP+ou9aWC61rqF/kBr2zsLBIB/YNdhOqBP
TOVE/8A+KupgHjpgDWF5qto4/wAYpQQBbg66sStb7FpYkPpQw+rtrlMrQJOp
1YVF4UbFHGhKVyvPhrjMH4vGPq8boCnO2LREGPu3fXFlSiJKTQvBT9/ul2Wx
eiVTBK5Sbxv4rLX+0Zr7IZrpelu02hUXlWn3jVAICBOPh0PRrl0XzqqIZZDl
p/YN2BZYTC8tEjtHGjT2Yg86L9o1EcNtkeelVeohcFnb1Pl+hWKtFH54c/Mv
756f/ubLL44+fdK7pr4qcqAIqiEYv0DTk4tQIcuZi8baLdEzyIwyu12JX+Le
+p2c0QS5ob2qyz29vQadiNS5Nk2O7AO7eiAC7mrXzkF3wASAS2xgrYXW7+st
ELkbwunKwpyMLouLTTu/tvgjmo0XxqVtr62tEg1yvQERLkEb5AftNkh22OjS
onDXlY3FGiap7Eez3ZWWtp75t9XYFpTjKGOeoppBfjS6wp0tcew5j931TWrN
Ulvidj/flWmawrK4oPCBOXbEALDJ2Fg0OEzF2hmspMC2zADAVm1TwKZewRvr
dnZVkK64hj0E7kCdTwT+2x6kdL/VoF1QRbh9AcZr0VfOG5A/JBoqIn4LEyoa
mAw+uUN360dvTt1j2LaTSr85RfGX6fPakQGQrivUhtHOzIBivRUi/xi2+qeg
ge3HluVya5pLphJ3aZwyNBYt1A8X8yTyFWxv1cK0YHYkbsu6btE27XbAS+0G
errYYEPVmubCItMHnQQS8mJ+RiCCjLf/Yu6/AMFxSDgQQRjdfkSKwEywN5qi
H1aU5xSv6+UBpwpcRs3fNvY9smj+vT0o+BaagdJiGogRgH3fb3e0xrfvv3es
/jvpZxbPsd8lqBdPa9lSGLYGEid7uq9QUUGTKwOGhQzQ+v5qL1JpU1quqkEX
In+CWka5IrqwJlNeky1RJRxiptnU0JWXYbcnxsNpbYGyMM5BobnBaTqAM0AF
syVOcGJoZU3Y4areAys1xNogKh9XdidshXY8aGnkW5yqF3vkB5ymPAbhhQXY
nIf36h67aCz8YVWsPkP3yCQ5iB3KhKzGk1eUDpoL+PMAsojj9LvpekDbgBwD
pkJUNBAt+gBU2pqgx8cFan2QnytsgcoTl3GG213Q38wLqNoRrjtA5D+8//Bg
xj/16zf0+7tnf/jhxbtnZ/j7++9OXr4Mvyj54v13b354edb91rU8ffPq1bPX
Z9wYnurkkXrw6uRPD1jYH7x5++HFm9cnLx+gJPXMdUNqGFikoP1rSERB9MFY
rZpiyQbw29O3//PfT74Um/bFkye/AdHkP75+8usv4Q/UiDxaXYmCJAh3QCNm
wXaiDJeojHdFC+I2Qy5ym/q60ri5QM1/+zNS5i/H+rfL1e7Jl7+TB7jg5KGn
WfKQaDZ8MmjMRBx5NDJMoGbyvEfpdL4nf0r+9nSPHv72mxIUgp4/+fqb36m+
gQBpE1RnG5C0uqwvyIoDfLCoCFnrlqYCXIhoCLVSDDOIJ8fNh1JoN8ZeDUyJ
qCjGFJFJUV7Nsdb1qgEbIps7MDH5vgQDQ8INzLMjk7dBzOJhJ6jb1hJImqnY
AjHrgK7FL1bwMeoZVp7EgPEqg3q5Rs4hflaBhIDYQZcW5JzA+i6IoKjlGpga
amg2n2iKe4YRluVdBVqXfIW29KoAqgHqEN0CBkNknEjkdUIB89ZHtJAnosCk
ASkq9pVc3Df86BSKPlqofhvCQFfSKFhW3Tel6tHNzV2W9PHIiE+QYR7iw1dg
+2HQU2/QPZ2AN1gnolb2upC5cWUFQ2UJkD4X2JXFSEEFpMAayOoM3p6Dz2bO
84L4wTSHLAUl8L+tyK/pGEH1MUP4yBH7//3vf9ctcDvQCbC4vlGfUqYXnn+K
H7KGhkWGVb84wwVnRx+Pjo6+zvQjt78A2gEdn4L+t/rFyesTVPkOSNIwZH7M
G62maNCtm3SZ6EJSkUCIZLn1EqGHC1vyvkXjdPOwXs0d/vrJ74kwyNaAxob/
BdjWJbh+KDX08TH4J/okGWABTz6IvNpdDSCX/AQwr7AaYDLU+gxaImgSC/aC
uuRGJDEDDYG8dYXiTuwFPXppkKEHimFKxHkosBVmWZRoj129b1aWET7AvY4M
ZEeSXkKrwjJPMNXy2jLG8HQDrNATf5xihr+f4+wywOa2zIUaibbizVwiKgj+
60+2qefg0F4ASepVCy/QdWAfmp0SIjoCeCVi3XA/jSXMyVg7GYbxWTwlD59g
QlMDwopRPTPSCaDO5Dm8m8FgW/BE8TcgJUVNcI4dgAXe+zYgePRvOkWQIHuy
PT1Q7tEWxlMI/Mc6i3cw4PYPIy/F/hBRMDaEm0T4Ouy28+qDaKkI1SJPLOMp
L4Jgk8qtGwJvwcj1laffQI7udPLFI6nxScoKBn1lkdIj9ea5CBel/KJQab45
DXTOwOSWe8RA39XXyJaePeCX+qIqfrI+cjIccGcOZQ2es3SNq1Rp37BzHLjD
RUbTQ06MnX8agYy6jKGCo4YkplAWBbDQod/tmx3yJiAefT1mkvzEaMeMXzms
iTG9SBX4EKtNDYaTR8+Zl/YF6QacL5rVqyJH4ysdKoxeuxmrAh9HILOZF2aO
L+dLg3yRRat7zp5L5kdPDMp7BiT6q8UXiy9xYr/IwGDUNhFa4o/zFf/1lN4/
C5as6+23f/wdv3x1coq7ty5wZsg2rbl4CnbrB3EZqfMX1bp+qtJR6535297q
v9ZI13PWy6HXQWuZV0EdgVXsWESMYZZ0lAUdZ0DWrduAsqxykPnlAaySqDag
lSig7Puz54vXm4xDyyA2KH1RMETkpfc0jIEbmLwQpTshfKDh3j57rf/ww7P3
CLCPAb4coJcLW3EMur8UUlbtmLx+9/b7Z3rlDSTpjWxAukwz3cV/FQBnKgP4
fO/nqrPuexV938euaDNrdkd1RgM1GVnJLDjJojOcYAt0zC4ojoGfiSMaebAc
+WW/jkEEeXUScgyorS/WXpVO0lg2LGHuQRvfGe3kBqw/IY9MmC3PvIn0XESa
TmItGBYpkIXNtgZuIiZgjf0ZhY59OsshHMhAIaLghB4zkM4nRxm9Y945J97J
Yqs8wlSTC4Z+yKyEDo7oWWR972HueToszjY/7xDPL+yiUxSZ1+0ShBtHzh1Y
JlCGwqMnkXlApT4YmDUYkG9gwtfw77nEXaJehR28QfWOOfDDqtzngZf67IK2
jDuOAlYzFbqdaR9/o6QkgZIOMnsuiXBMFHR7c+odUm1Wq7pBfCOkRbPSx47u
dn5HFypFjo8n9cEi3pzOvBNBgokHmjK6PEcGyro1k/sczSIAU+9Qx6gUCdKp
8KAhFIhRkbPog3+yc6OxgHjHGOMH5cUOwFFwAYCoHOUltdRTnySzikZIoUUO
e0rYnyOCodd+BzFokyEVTYhXQPv8oy1XmJCI/H8Kh5h1a2Ma5JbyEdiO3cFu
xWxjMIhQAsMj59jtrj3MYKN1tnOX3Xx4ugBT5yiE+gpWUTeUPkvNGUepOKzK
/oUHC18zVBgZH1MT5GMDg8bOUtE5Wt4eKYwzlwSfM8mzIADw0zRu3HywC38E
vNZAByAswvqqx95iKUDCqcGTQYOePMBmFruCw/loeDzvoETufejC73EMWcC2
ABi4oqhFqteCJlQ934+jvqw9YJlkWUYkrQ+MMmHrMFXvLSAObEcMfCQosZZQ
dwdMAJdgyDlmSFo/qJwczKoaQ/DMAd3k0Eb7oLbr4tUjTZWDSTr6DMOkojYx
pOWCcXcSORO68Yygy56PpKJAvo51WqeMBRIM1PVAj6oRPTrUlLORNULfEQoo
nEIV51OERUXabnlQ6EyIXQ5kY+sf8uOx6urrLZSkPnJloxZmdC+u0voFxrIO
fcWq16bAYHU75Dlx28fhEM6AXD6yCVwlIVSh+Ax72m9D8gm/P6UUlVNq9DFh
Ou4pl5gw8SXHbXp6ogMBXVyIg6ZotAiivU0TX8IaCDCklmJnEJc0EoRwdmsQ
bqJCXuO668a3wYqivtkK9lByT+hsRgTkwCGH3jD5ywFS1CAOeuNahQANMCdr
yTkHtmX8WNPvjV3bBgORs8GOcL8URqrQzT0DvPSDrMsjjn7QNPb0HkvOEUOj
shSshMrzGTjCebE+zJgAW5gzi/RdUEvm0q15CBlQA9Ic3wLpkSdPYuODnpVn
ER3cCMP7NLATNCdOekZmeLcP6PPSHpDUEtsTk8hZtgnj2Pf1+uiYNNTd8TDO
nfvIEwPVXiog1VQ3NyEE+imof8nLU+INGrM8eKmBJeT7ENgpzeqSOC5lUUAP
b07Jx6rvzCDPJDQVUqVAe0B9wNkqzibr8WwyYME9aoX/iKIvWS/HzJrM+DIr
lgcJ6fT0+1PRRsL8eRo9Yw2ZhJt67Yfu81mtr62+NlyN44kbr6ZG7jSoSgRb
caYEIRNbGS6klNAL5lq0WYJsfKP18y5QI3o0vNU7zHOBbntnX1RF2yXjAbIV
FUWF7CGopsoWpAV6KqqC/k2vxAFLqhpLqVjQ5z+J/Z8MN8MQJZoK+MjD0BD7
wnR8JxkrEOuaKJPvV5Y1BOtyn6t/G+CCUq+EXURV8x74fnu2Nk6RebxBOSuk
cTJZmNFMcl/CUEsk7c2NLzKIQMwsWIIuQ6BCYqzWAz/Ccx7i0oFaJ8NBPhFj
y3N02rJOm/slCPL00Z2MGU8Mc5dNxyrPLhnlvz5CzcoJNNAoxCyN3YEQCwQA
QmikhIZpgWCHGgM9zNF3uStHpUPVfFma6tJ/MVgfajRk10HJGpYQgZfTOWAB
EXCgNoI/NvLSdORUdSUQOyr3oNSKIJ+XMJ/XdedG80IABoH2aTAbp0dyIUMY
FkklzLXf6ZvTz9BwpOtFzj2NIeLNw6RTziVgXKefLvV7KYIh6Qb68s3pvKxX
YGH9FASn+dKqaDguUQlLq0CLgMi2aai0q8YyeZSlVWkmiPKbZkgogh5D8sWs
oWINOsN9HmhU3vAELXOoE7gjiSPI157Twy4IypJMfnDE42TDaFcw/TPL9QBs
PZGGodeoQ1Ol/aWrUOLzsv/nCiFGlOo7SSOK721zhYH5R5j5vLn5BvXPr//9
qIuLFBVsfoFoNCYuJS2RMsl0UKGA2QhVT50uIjznugjtYKM6nRMzTpqc8yv1
ZFkENeWjRlNxrSBxaQfgYq190UXo7K4YWa+vFNPE/SFDdipm4JWNtCd45rG/
S4Jh0BunF4XUgSPYzA24StKQflF3BBPvJg9bGPEBAtoVvUnqwLujnQtB5veW
LIvo/hAeyJxZ23NjcjAhNONuHDEqGcXwq/ac0kBkl1z2jy1yat9mgrr5W6yH
k4XN/cKi5YPU/pE5e3x3e5iXy7DGN/jO7UXLN7LB6jnKlM+C4jr3MMmS5Y+q
ToMvMhsXPUmtwu6G7KtLlVpQgUnOdCqxixvlJ3dCYb0pJzCtHo6R8hjaRt0G
cMpilfJtS+kcw6hisL8eNbKe8VWMVMYwXdF/DVjW9wFgzzY6ZKzJP4tjkhxk
441CnRslJiXWGBCgFJ2Mr5LwOOey/SIwz8KYLw/1wyM0r+qI0uN+TRes5v60
QPKh0VXqR/TzEitgUdlTDZR36HGuO0sJGmJ4xyUFg+yA4uwAUIpIHtIFcXpn
FqcY4hQHJq9RK0gb8DMIavpwO47fQa1bzNqiV4BDvQCqQ/izry4rrGUUc1ZU
4/1E+EZF+CbxBW7VjOphyOx6jwMx2xD5S2mhhAxDHTIW6VT2evpgRu+MBKC/
Y4WZtnM/xDnD13MZSXKX6RdcvRw+kWJi7F8ND35Q28lO+33Fs1Z3FQh2Add+
bhWdqgyrAmx+ypYD4c8ZFWzcs0QZuKEsRdKCTxL5U+y8oawn9d2MedMCb0cn
PfBMxjvxKFwXHqIBE+fDK5B+GbiPOUoLNsi9KD1BMy/95BFHZb79/FGt8dRi
kxRuRQdVvFUIU0WtCr370KIOESs5K9EFe3tT31cl+sc44wgYAcUx2OAtnShg
8GKmoNh9ygenhUtClCOVWWMrIssb1CFH7w8cp8fyfyoQRR4ZOcLjnSU6/1Ys
920IVcm5AjY0pHQoeeUD+1htQzSGb7fiW95CU8r+6GtrLhmC86SOGVCo1MR5
9Sc5Oq+O0x2Zcag5LY1Xsiv3AMgctm1vQeYqmOKo1TqBQFERDh2Eu0U5HSel
MOkxi4kmT9VYr6kS6nWbntWYaiRVNg8jBc4TCnocXz7UTGmlstFpZ1yT7BEo
14ngrmS9z/oqUd1HJepbVGLdqULFapuZclPsKIVCZeTltTm4ztEZr5ZKxtAC
3IHu+M7ZEiXu0ejiF/Kt/0kw/7H0iv/RznHQ+zg8nK6xSppFsdnj9I0HIWmX
vKSbT9zNJ5k/DpQSJi7lSlYT1SCPhdOm9n8itrZQ7+mFYx9FvsIOuZakqUyJ
3hMY/3Nucu7XlSFEUvEbJmFGgCA9sAhcVILeubLlQURZjgGxYRoNljLQAvbo
FMkturaa5HxaGB5gYpsbLRH17EiufOz4ZJKZosNlxk2NeOyzKB23dWVxWSAf
qjVJtfj09EA4WMLINlAuPY9zlPnAEAvyV18tvuhXGUQR3Slp5RwZWLvsJN48
+e7Dt68ygAKXgM6jqEtVV3gOWo82yVRwO02bWlSYW8Ihc6EWTrRY2EU3XTXU
OPcqhiKteGZXdU4x9Q9x3BULZCuWRCd4J65wGF9MV37h49WdGu3Bocml0aKy
yHRlKipLmwTLsJoewouwWp9pFj1rwfbkTnORmKOevaj36HXHVqP3db+kZkKF
S+mpz++HqtN9UbVffckggp94pkNFFAvS07ifhMwUqQk9yhfhFPK5qMqxj9gb
RPBHbz5NmOhI8cqMomsKsAyl6yeTw1ET1PUctRBnK1R9xkeOifB+IFOSKm6p
oIGy+FyYL94C6qLxIboj727CfHMpxLhKWOhQRuDaoixDQqPvH0xt+MAuJ5O8
3SCPWtZu73sF87R1dxvggMj9y36jIQwQ4M4vUrP9zyzv/xVvCBGFi/7MCvS8
Xp/Lk79Mi8GpB14dDBmVslHj5eJauK8WvyI7NVaNlzEsYcMUBGTmrTcOoE9O
zmaR8KLEYLIYr7rRXZkgnmTHnHD8JCqIpp4G7jeGHLrg16jQU2TUxcJ68uzk
DNNzToaEnzTFxiKUwTs58hlfrtAT3oQiT8Yt95SmDtYJCEvZTsLjU/rmlgy+
AQp5D80n7NDrD0fQxTEJkOibvonl2KwvtJSq4wn70kuE9g2y6hnkRD1Fhfls
mFJ7PPNTsH6T8Tolw7vevZLtnEVH4GK1y5ORTabYa1/FDpwlH169D5YoHALe
qhtpBM39X+CIfkiNsMHYlPS7FKrdPBwfXKnnUtoJ30l4kmYTYlmmvKgbeLKN
qwK2dMPPBDEIeM6oQMMzWzhs4JLUhXG3dIPT4GMEMWH0fQAWejL6DtrN8H6f
1cYzShRwisswrg1my9fEr7CJvq6fZxgBV/ke4x895n6USh1NFG/ZErF7rCUN
EMkMHlu6vRdeS9wNzQz3eBFBgvseM6B2g3LI5ARFP4LI2CbE5GQemB0r1r4F
MSI5n3ietvONvI+KEtykQDh4iT1XQ+4NGOFK1ePKKRH1h+tAYD50cczv+AAq
B2MFS7zzNVUArrsyk1D9PDi9mjQOBVmOSqGnmFuO+T7t+V2TDpaa1B4MIdjw
sO7D0q7ncYA32qsRoZyp7NTXZ3eUQcK8wErBmJ8kUTbJS1wwzo65uBdovm7r
noL8KnuB104U2/EPGtvHHD3vhFcb9uCO9ersFfi9/mvY7SxYfgU7V+d0bHB0
23r7w3p7XOrUHZT6MZwAk/qmGaVlCgQ9Wz8Cgq19mStfOhZM2r7zB2XR6BhQ
SX1erIkF2/iQHiXbKsUVa3yH0pBlWTpYOvuFIDcP2fjO0yNnnxhMxRHnKCoQ
16vr8UtbYkXr65rxhho6gy62CLO6znlV1ABKv0KIMzjCfswBhsiBBvgWzp0Q
qkZ2vM1ydCU7/lKF7q4KAoOD0xujZzbSIfups4nEmOQDEjpxoU9cdhqoFE2S
8rmH5DNfsVbJhHUrBdxSMU+1OVxbRF8F46MFP3cHo6mj0hRbR3G3roBORhJU
FhfcScVJSPPHJ4xD6E1Sr72EBRUGE0HrC7z7sFj5AXqHHYuuqmL6EPOge0qN
UY1FVGMXFwty+RguNwDO5HUSCMUrHNQypTwyHqVow9WJ6WURPjb4z2VTVbyo
gtQTlrTgtWRSj47iIfOPr8djXpNjoVIV1k28f6KUznwLI4jJcfoR1Z7+Ih6f
MYKQvD0Q5TGFMmZ9lAx2blzPcDH7uJB0G3nMOl82RIW6y5QJsLZva/CCmHrv
QnGaodVeREW/nA7nyzpAoVNFsNx4EJdW+Bve0GO3qLS4BBG0RVxEDoodSFxX
/s60ygHz0v0pBV2iNyeFp+SoK51EOYEpIqT0x0W88809kvepTdua1aXMH1ne
N1rVu4OSwrj0og/Qo5Q+pC+DuEeFu7HEf1svP3NeAvnKKy0tcUQJXNJVJmM6
3ddI56zJ/ZlDORLn4r5CWl16gpG71oU/l03WL1Da36ZjZIZz7+oCo2F9CKzf
SQVjU7hLrnvxJFNSnJYQNdwdFtOdFCQf3wnMwYnVUGajQqsRnYH58Bxs1som
fjJ8fFXYa07cGl+O9Fm4nlP5W2WlEo6mYXCT8VrcRm/qyrq2m5KYpNCTXOnF
ORW8SNJx8IJuWETsgddfYkFSX3+y3GDNr9wFic4JX6nY4tH6i8NM+atEoyv1
/OluyV/78wz9Slo6MrPylzm2VAGbXleCS+zOwDg+A2M0n5OcdYVLoYFXZ2j/
J+//E64J59MCtq+XfMKCJstLwDMFnkn12C0xL+hQB10keI+rAaNTyriJfroh
LY/OLe7G5NxRD48ID7GF9NGpn5qAN90ulBTGxkdDuqtIVe8Iii9i8neFeAXj
gVGscZj29orQZlwiyPtO1XjdJofzWP5SgfjQqT96wcp8uGVAnbF7WxxflxXw
cHdEePKSgqJ//6pUMAxOjQaIN3k5wsOx26D697khSrGu7d/Q1NiLgsSJRE5m
+8CXZElKxz1Q8t3hWKmfuZxU/6xfoxr8GQuFgKQo7Dn9JUBe/wyf4s20I//C
G7rZ6tfRxVaP4eVt5hsHxP6fn/4X/Nf18fWtfSSYZtDFLydSQqNwW5fGpFJE
puB/0JmxyTqfMWr+SKdp/iGqprTt02X0VCA8//3pgCz/C0zEeI6xXgAA

-->

</rfc>
