<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-meunier-privacypass-reverse-flow-06" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Privacy Pass Reverse Flow">Privacy Pass Reverse Flow</title>
    <seriesInfo name="Internet-Draft" value="draft-meunier-privacypass-reverse-flow-06"/>
    <author fullname="Thibault Meunier">
      <organization>Cloudflare Inc.</organization>
      <address>
        <email>ot-ietf@thibault.uk</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Privacy Pass</workgroup>
    <abstract>
      <?line 46?>

<t>This document specifies an instantiation of Privacy Pass Architecture <xref target="RFC9576"/>
that allows for a "reverse" flow from the Origin to the Client.
It describes a method for an Origin to issue a state update to the Client in response to a request in
which a token is redeemed.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://thibmeu.github.io/draft-meunier-privacypass-reverse-flow-informational/draft-meunier-privacypass-reverse-flow.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-meunier-privacypass-reverse-flow/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Privacy Pass Working Group mailing list (<eref target="mailto:privacy-pass@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/privacy-pass/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/privacy-pass/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/thibmeu/draft-meunier-privacypass-reverse-flow-informational"/>.</t>
    </note>
  </front>
  <middle>
    <?line 53?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document specifies an instantiation of Privacy Pass Architecture <xref target="RFC9576"/>
that allows for a reverse flow from the Origin to the Client.</t>
      <t>In other words, it specifies a way for an Origin to act as an Attester + Issuer.</t>
      <t>This document does not replace <xref target="RFC9576"/>. Each issuance and redemption step
still follows that architecture. The gap is composition: <xref target="RFC9576"/> does not
define how token redemption at an Origin causes that Origin to issue new
Client-held state in the same exchange. Reverse Flow defines that composition,
including Client coordination, transport binding, and the privacy effects of
letting the Origin's redemption decision shape later tokens.</t>
    </section>
    <section anchor="motivation">
      <name>Motivation</name>
      <t>With Privacy Pass issuance as described in <xref target="RFC9576"/>, once a token is presented by a Client,
it is considered spent and cannot be reused in order to guarantee unlinkability. If a token
was to be presented twice, the two requests would be linkable by the Origin.</t>
      <t>However, requiring that all tokens are spent only once means that Clients need
to request more tokens to perform more requests. This is true even if the initial request
didn't need a token presentation, for instance due to a cost being insignificant to the Origin.</t>
      <t>This draft provides a mechanism for an Origin to provide a requesting Client with an updated
state, allowing them to present new tokens on future requests. Origin act as a new Attester/Issuer
entity.</t>
      <t>Below, we present different use cases.</t>
      <section anchor="refunding-tokens">
        <name>Refunding tokens</name>
        <t>Certain Origins use Privacy Pass tokens to rate-limit requests they receive over a certain
time window because of resource constraints. If a Client sends a request that can
be served without utilising that resource, the Origin would like to authorise them
to do a second request. This is the case for request requiring compute and the compute is low,
or when the request leads to a redirection instead of content generation for instance.</t>
        <t>With a reverse flow,
a Client that has already been authorised by an Origin can maintain that authorization,
without losing the unlinkability property provided by Privacy Pass.</t>
      </section>
      <section anchor="bootstrapping-issuer">
        <name>Bootstrapping Issuer</name>
        <t>An Origin wants to grant 30 access for Clients that solved a
CAPTCHA. To do so, it consumes a type 0x0002 public verifiable token from an initial Issuer that guarantees
a CAPTCHA has been solved,
and use it to issue 30 type 0x0001 private tokens.
Without a reverse flow, the Origin would have to require 30 0x0002 Issuer tokens, which
have lower performance and a higher number of requests going to the Issuer.</t>
      </section>
      <section anchor="attester-feedback-loop">
        <name>Attester feedback loop</name>
        <t>In <xref target="RFC9576"/>, a Client gets a token from an Issuer and redeems it at an Origin.
However, if the Client's request is deemed unwanted by the Origin at redemption
time, there is no mechanism that prevents the Client from going back to
the initial Issuer to get a new token and be authorized again.</t>
        <t>With a reverse flow, the initial Issuer may require Clients to present an
Origin-issued token before providing them with a second token.
This allows for a feedback loop between the Origin and the initial Issuer,
without breaking Client unlinkability.</t>
      </section>
      <section anchor="anonymous-credential-composition">
        <name>Anonymous credential composition</name>
        <t>Privacy Pass Architecture as defined by <xref target="RFC9576"/> centers around tokens,
which issuance flows are defined in <xref target="RFC9578"/>.</t>
        <t>More recent explorations (<xref target="PRIVACYPASS-ARC"/>, <xref target="PRIVACYPASS-BBS"/>, <xref target="PRIVACYPASS-ACT"/>)
are providing credentials to clients, which presentation result in a scoped token.
These schemes are instantiation of a reverse flow, both because the Client holds a state
it can use to perform multiple token presentation, as well as because the Origin can
provides an updated state to requesting Client.</t>
        <t>In additions, these schemes are more costly, and usage specific.
With a reverse flow, the initial Issuer and the Origin issuer may use
different credentials, which are suited to their use case.
One use case is rate limiting and blocking. <xref target="PRIVACYPASS-ARC"/> provides
rate-limit per origin with a unique credentials, while <xref target="PRIVACYPASS-ACT"/>
allows to rate-limit a specific session once it's been established.</t>
      </section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>We reuse terminology from <xref target="RFC9576"/>.</t>
      <t>The following terms are used throughout this document:</t>
      <dl>
        <dt><strong>Flow:</strong></dt>
        <dd>
          <t>Direction from PrivateToken issuance to its redemption. The entity starting
the flow acts as an Issuer, while the end of the flow acts as an Origin. The
Client is always included, as it finalises the CredentialResponse, and coordinate
interactions.</t>
        </dd>
        <dt><strong>Initial Flow:</strong></dt>
        <dd>
          <t>Issuer -&gt; Attester -&gt; Client -&gt; Origin. This flow produces a PrivateToken that
is used by the Origin to kickstart a Reverse Flow.</t>
        </dd>
        <dt><strong>Reverse Flow:</strong></dt>
        <dd>
          <t>Issuer &lt;- Attester &lt;- Client &lt;- Origin. This flow allows the Origin to issue
a PrivateToken. In the reverse flow, the Origin operates one or more Issuer, and
the Client <bcp14>MAY</bcp14> provide these tokens either to the Initial Attester/Issuer, or
use them against the Origin</t>
        </dd>
        <dt><strong>Initial Attester/Issuer:</strong></dt>
        <dd>
          <t>Attester/Issuer part of the Initial Flow</t>
        </dd>
        <dt><strong>Origin Issuer:</strong></dt>
        <dd>
          <t>Issuer operated by the Origin</t>
        </dd>
        <dt><strong>Origin PrivateToken:</strong></dt>
        <dd>
          <t>PrivateToken issued by the Origin</t>
        </dd>
        <dt><strong>Reverse Origin:</strong></dt>
        <dd>
          <t>An entity that consumes the Origin PrivateToken. It can be the Origin, or the
Initial Attester/Issuer</t>
        </dd>
      </dl>
    </section>
    <section anchor="architecture">
      <name>Architecture overview</name>
      <t>Along with sending their PrivateToken for authentication (as specified in <xref target="RFC9576"/>), Client
sends CredentialRequest</t>
      <figure anchor="fig-reverse-flow-architecture">
        <name>Architecture of Privacy Pass with a Reverse Flow</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="888" viewBox="0 0 888 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,64" fill="none" stroke="black"/>
              <path d="M 32,64 L 32,320" fill="none" stroke="black"/>
              <path d="M 136,32 L 136,64" fill="none" stroke="black"/>
              <path d="M 208,32 L 208,64" fill="none" stroke="black"/>
              <path d="M 240,64 L 240,320" fill="none" stroke="black"/>
              <path d="M 280,32 L 280,64" fill="none" stroke="black"/>
              <path d="M 552,32 L 552,64" fill="none" stroke="black"/>
              <path d="M 584,64 L 584,176" fill="none" stroke="black"/>
              <path d="M 584,240 L 584,288" fill="none" stroke="black"/>
              <path d="M 624,32 L 624,64" fill="none" stroke="black"/>
              <path d="M 704,32 L 704,64" fill="none" stroke="black"/>
              <path d="M 744,64 L 744,144" fill="none" stroke="black"/>
              <path d="M 744,192 L 744,320" fill="none" stroke="black"/>
              <path d="M 792,32 L 792,64" fill="none" stroke="black"/>
              <path d="M 808,32 L 808,64" fill="none" stroke="black"/>
              <path d="M 840,64 L 840,320" fill="none" stroke="black"/>
              <path d="M 880,32 L 880,64" fill="none" stroke="black"/>
              <path d="M 8,32 L 136,32" fill="none" stroke="black"/>
              <path d="M 208,32 L 280,32" fill="none" stroke="black"/>
              <path d="M 552,32 L 624,32" fill="none" stroke="black"/>
              <path d="M 704,32 L 792,32" fill="none" stroke="black"/>
              <path d="M 808,32 L 880,32" fill="none" stroke="black"/>
              <path d="M 8,64 L 136,64" fill="none" stroke="black"/>
              <path d="M 208,64 L 280,64" fill="none" stroke="black"/>
              <path d="M 552,64 L 624,64" fill="none" stroke="black"/>
              <path d="M 704,64 L 792,64" fill="none" stroke="black"/>
              <path d="M 808,64 L 880,64" fill="none" stroke="black"/>
              <path d="M 248,96 L 376,96" fill="none" stroke="black"/>
              <path d="M 456,96 L 584,96" fill="none" stroke="black"/>
              <path d="M 240,112 L 304,112" fill="none" stroke="black"/>
              <path d="M 512,112 L 576,112" fill="none" stroke="black"/>
              <path d="M 592,142 L 608,142" fill="none" stroke="black"/>
              <path d="M 592,146 L 608,146" fill="none" stroke="black"/>
              <path d="M 720,142 L 736,142" fill="none" stroke="black"/>
              <path d="M 720,146 L 736,146" fill="none" stroke="black"/>
              <path d="M 584,160 L 632,160" fill="none" stroke="black"/>
              <path d="M 792,160 L 832,160" fill="none" stroke="black"/>
              <path d="M 592,176 L 632,176" fill="none" stroke="black"/>
              <path d="M 800,176 L 840,176" fill="none" stroke="black"/>
              <path d="M 248,240 L 344,240" fill="none" stroke="black"/>
              <path d="M 472,240 L 584,240" fill="none" stroke="black"/>
              <path d="M 40,256 L 56,256" fill="none" stroke="black"/>
              <path d="M 216,256 L 240,256" fill="none" stroke="black"/>
              <path d="M 32,272 L 56,272" fill="none" stroke="black"/>
              <path d="M 560,288 L 576,288" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="840,160 828,154.4 828,165.6" fill="black" transform="rotate(0,832,160)"/>
              <polygon class="arrowhead" points="744,144 732,138.4 732,149.6" fill="black" transform="rotate(0,736,144)"/>
              <polygon class="arrowhead" points="600,176 588,170.4 588,181.6" fill="black" transform="rotate(180,592,176)"/>
              <polygon class="arrowhead" points="600,144 588,138.4 588,149.6" fill="black" transform="rotate(180,592,144)"/>
              <polygon class="arrowhead" points="584,288 572,282.4 572,293.6" fill="black" transform="rotate(0,576,288)"/>
              <polygon class="arrowhead" points="584,112 572,106.4 572,117.6" fill="black" transform="rotate(0,576,112)"/>
              <polygon class="arrowhead" points="256,240 244,234.4 244,245.6" fill="black" transform="rotate(180,248,240)"/>
              <polygon class="arrowhead" points="256,96 244,90.4 244,101.6" fill="black" transform="rotate(180,248,96)"/>
              <polygon class="arrowhead" points="48,256 36,250.4 36,261.6" fill="black" transform="rotate(180,40,256)"/>
              <g class="text">
                <text x="44" y="52">Origin</text>
                <text x="100" y="52">Issuer</text>
                <text x="244" y="52">Origin</text>
                <text x="588" y="52">Client</text>
                <text x="748" y="52">Attester</text>
                <text x="844" y="52">Issuer</text>
                <text x="416" y="100">Request</text>
                <text x="372" y="116">TokenChallenge</text>
                <text x="468" y="116">(Issuer)</text>
                <text x="664" y="148">Attestation</text>
                <text x="712" y="164">CredentialRequest</text>
                <text x="716" y="180">CredentialResponse</text>
                <text x="588" y="196">CredentialFinalization</text>
                <text x="584" y="212">|</text>
                <text x="588" y="228">CredentialPresentation</text>
                <text x="408" y="244">Request+Token</text>
                <text x="136" y="260">CredentialRequest</text>
                <text x="412" y="260">+CredentialRequest(Origin)</text>
                <text x="140" y="276">CredentialResponse</text>
                <text x="228" y="276">-&gt;</text>
                <text x="252" y="292">--</text>
                <text x="408" y="292">Response+CredentialResponse(Origin)</text>
                <text x="588" y="308">CredentialFinalization</text>
                <text x="584" y="324">|</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+---------------+        +--------+                                 +--------+         +----------+ +--------+
| Origin Issuer |        | Origin |                                 | Client |         | Attester | | Issuer |
+--+------------+        +---+----+                                 +---+----+         +----+-----+ +---+----+
   |                         |                                          |                   |           |
   |                         |<---------------- Request ----------------+                   |           |
   |                         +-------- TokenChallenge (Issuer) -------->|                   |           |
   |                         |                                          |                   |           |
   |                         |                                          |<== Attestation ==>|           |
   |                         |                                          +------ CredentialRequest ----->|
   |                         |                                          |<----- CredentialResponse -----+
   |                         |                                CredentialFinalization        |           |
   |                         |                                          |                   |           |
   |                         |                                CredentialPresentation        |           |
   |                         |<------------ Request+Token --------------+                   |           |
   |<-- CredentialRequest ---+        +CredentialRequest(Origin)        |                   |           |
   +--- CredentialResponse ->|                                          |                   |           |
   |                         |-- Response+CredentialResponse(Origin) -->|                   |           |
   |                         |                                CredentialFinalization        |           |
   |                         |                                          |                   |           |
]]></artwork>
        </artset>
      </figure>
      <t>The initial flow matches the one defined by <xref target="RFC9576"/>. A Client gets challenged when
accessing a resource on an Origin. The Client goes to the Attester to get issued a Token.</t>
      <t>The Client learns that the Origin acts as a Reverse Flow Issuer through the
Origin Issuer's configuration (<xref target="discovery"/>).</t>
      <t>This is an extension of <xref target="RFC9576"/>. The redemption flow of a Privacy Pass token is defined in
<xref section="3.6.4" sectionFormat="of" target="RFC9576"/>. Reverse flow extends this so that redemption flow is interleaved with
the issuance flow described in <xref section="3.6.3" sectionFormat="of" target="RFC9576"/>.
This is denoted in the diagram above by the Client sending <tt>Request</tt>+<tt>Token</tt>+<tt>CredentialRequest(Origin)</tt>.
The Origin runs the issuance protocol, and returns <tt>Response</tt>+<tt>CredentialResponse(Origin)</tt>.</t>
      <t>Such flow can be performed through various means, such as HTTP headers (<xref target="REVERSE-FLOW-HTTP-HEADER"/>), MOQ Parameters (<xref target="MOQ-PRIVACYPASS"/>), or even a dedicated endpoint.</t>
      <section anchor="credentialrequest-credentialresponse-and-credentialfinalization">
        <name>CredentialRequest, CredentialResponse, and CredentialFinalization</name>
        <t>In <xref target="fig-reverse-flow-architecture"/>, the Client sends an <tt>CredentialRequest</tt> and receives an <tt>CredentialResponse</tt>.
These are meant to abstract request from different protocol to the Issuer.</t>
        <t>As specified in <xref section="3.5" sectionFormat="of" target="RFC9576"/>,</t>
        <ul empty="true">
          <li>
            <t>The structure and semantics of the TokenRequest and TokenResponse messages depend on the issuance protocol and token type being used.</t>
          </li>
        </ul>
        <t>The introduction of Privacy Pass issuance protocol based on Anonymous Credentials, such as <xref target="PRIVACYPASS-ARC"/> or <xref target="PRIVACYPASS-ACT"/>,
modifies <tt>TokenRequest</tt> (resp. <tt>TokenResponse</tt>) to use <tt>CredentialRequest</tt> instead (resp. <tt>CredentialResponse</tt>).</t>
        <t>Upon receiving an <tt>CredentialResponse</tt>, the Client has to finalise the <tt>Credential</tt> so it can be
presented to an Origin.
This may be a <tt>Finalization</tt> for type 0x0002 as defined in <xref section="7" sectionFormat="of" target="RFC9578"/>,
a presentation for <xref section="7.3" sectionFormat="of" target="PRIVACYPASS-ARC"/>,
or even a <tt>TokenRefund</tt> for <xref target="PRIVACYPASS-ACT"/>.</t>
        <t>All three examples ensure that an Origin Issuer provides the Client with a state update that it needs to finalize, and present.</t>
      </section>
      <section anchor="client-behaviour">
        <name>Client behaviour</name>
        <t>Along with sending a finalised token from the Initial Issuer to the Origin that it sends through an authorization response as defined in
<xref target="RFC9577"/>, the Client may send a <tt>TokenRequest</tt> as defined in <xref target="RFC9578"/>,
<xref target="BATCHED-TOKENS"/>, or <xref target="PRIVACYPASS-ARC"/>. In all these definitions, <tt>CredentialRequest</tt> <bcp14>MUST</bcp14>
prepended by a <tt>uint16_t</tt> representing the token type.</t>
        <t>The same security and privacy guarantees applies as to the initial issuance flow.
The Client is responsible to coordinate between the different entities.
Specifically, if the Reverse Origin is the Initial Attester/Issuer, the Client
<bcp14>SHOULD</bcp14> account for possible privacy leakage.</t>
      </section>
      <section anchor="discovery">
        <name>Origin Issuer discovery and consistency</name>
        <t>An Origin Issuer is an Issuer. It advertises its token types and keys in a
directory as defined in <xref section="4" sectionFormat="of" target="RFC9578"/>, and Clients retrieve this
configuration as they would for any other Issuer.</t>
        <t>If an Origin Issuer can vary this configuration freely, it can partition or
track Clients, for instance by serving a targeted Client a unique configuration
it can later recognise. Deployments <bcp14>SHOULD</bcp14> make configuration material
consistent across Clients and resistant to split views, using
<xref target="CONSISTENCY-MIRROR"/>, <xref target="KEYTRANS"/>, <xref target="SCITT"/>, or another mechanism with similar
properties.</t>
      </section>
    </section>
    <section anchor="deployment-modes">
      <name>Deployment modes</name>
      <t>Similar to <xref section="5" sectionFormat="of" target="RFC9576"/>, Privacy Pass with a Reverse Flow supports multiple
deployment modes.</t>
      <t>Any deployment needs a transport to carry the CredentialRequest and CredentialResponse from
<xref target="architecture"/> alongside the regular Client-Origin exchange. Transport and deployment model
are independent choices. Options include MOQ Parameters (<xref target="MOQ-PRIVACYPASS"/>), an HTTP header
(<xref target="REVERSE-FLOW-HTTP-HEADER"/>), or a dedicated endpoint — each covered in its own document.</t>
      <section anchor="originissuerattester-deployment">
        <name>Origin/Issuer/Attester deployment</name>
        <t>In this model, the Origin, Attester, and Issuer are all operated by the same
entity, as shown in <xref target="fig-deploy-shared"/>. The Reverse Flow is the same as
the Initial Flow, except for the request/response encapsulation.
The Origin is the Reverse Origin.</t>
        <figure anchor="fig-deploy-shared">
          <name>Shared Deployment Model</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="552" viewBox="0 0 552 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 56,48 L 56,80" fill="none" stroke="black"/>
                <path d="M 88,80 L 88,192" fill="none" stroke="black"/>
                <path d="M 88,256 L 88,288" fill="none" stroke="black"/>
                <path d="M 128,48 L 128,80" fill="none" stroke="black"/>
                <path d="M 232,32 L 232,80" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,80" fill="none" stroke="black"/>
                <path d="M 304,80 L 304,96" fill="none" stroke="black"/>
                <path d="M 304,144 L 304,160" fill="none" stroke="black"/>
                <path d="M 344,48 L 344,80" fill="none" stroke="black"/>
                <path d="M 360,48 L 360,80" fill="none" stroke="black"/>
                <path d="M 400,80 L 400,104" fill="none" stroke="black"/>
                <path d="M 400,136 L 400,208" fill="none" stroke="black"/>
                <path d="M 432,48 L 432,80" fill="none" stroke="black"/>
                <path d="M 448,48 L 448,80" fill="none" stroke="black"/>
                <path d="M 480,80 L 480,288" fill="none" stroke="black"/>
                <path d="M 520,48 L 520,80" fill="none" stroke="black"/>
                <path d="M 544,48 L 544,80" fill="none" stroke="black"/>
                <path d="M 232,32 L 528,32" fill="none" stroke="black"/>
                <path d="M 56,48 L 128,48" fill="none" stroke="black"/>
                <path d="M 256,48 L 344,48" fill="none" stroke="black"/>
                <path d="M 360,48 L 432,48" fill="none" stroke="black"/>
                <path d="M 448,48 L 520,48" fill="none" stroke="black"/>
                <path d="M 56,80 L 128,80" fill="none" stroke="black"/>
                <path d="M 256,80 L 344,80" fill="none" stroke="black"/>
                <path d="M 360,80 L 432,80" fill="none" stroke="black"/>
                <path d="M 448,80 L 520,80" fill="none" stroke="black"/>
                <path d="M 248,96 L 296,96" fill="none" stroke="black"/>
                <path d="M 312,96 L 392,96" fill="none" stroke="black"/>
                <path d="M 408,96 L 472,96" fill="none" stroke="black"/>
                <path d="M 488,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 88,112 L 240,112" fill="none" stroke="black"/>
                <path d="M 320,112 L 472,112" fill="none" stroke="black"/>
                <path d="M 96,128 L 216,128" fill="none" stroke="black"/>
                <path d="M 352,128 L 480,128" fill="none" stroke="black"/>
                <path d="M 96,158 L 144,158" fill="none" stroke="black"/>
                <path d="M 96,162 L 144,162" fill="none" stroke="black"/>
                <path d="M 256,158 L 296,158" fill="none" stroke="black"/>
                <path d="M 256,162 L 296,162" fill="none" stroke="black"/>
                <path d="M 88,176 L 160,176" fill="none" stroke="black"/>
                <path d="M 320,176 L 392,176" fill="none" stroke="black"/>
                <path d="M 96,192 L 160,192" fill="none" stroke="black"/>
                <path d="M 328,192 L 400,192" fill="none" stroke="black"/>
                <path d="M 88,256 L 112,256" fill="none" stroke="black"/>
                <path d="M 448,256 L 472,256" fill="none" stroke="black"/>
                <path d="M 96,272 L 136,272" fill="none" stroke="black"/>
                <path d="M 440,272 L 480,272" fill="none" stroke="black"/>
                <path d="M 528,32 C 536.83064,32 544,39.16936 544,48" fill="none" stroke="black"/>
                <path d="M 248,96 C 239.16936,96 232,88.83064 232,80" fill="none" stroke="black"/>
                <path d="M 528,96 C 536.83064,96 544,88.83064 544,80" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="480,256 468,250.4 468,261.6" fill="black" transform="rotate(0,472,256)"/>
                <polygon class="arrowhead" points="480,112 468,106.4 468,117.6" fill="black" transform="rotate(0,472,112)"/>
                <polygon class="arrowhead" points="400,176 388,170.4 388,181.6" fill="black" transform="rotate(0,392,176)"/>
                <polygon class="arrowhead" points="304,160 292,154.4 292,165.6" fill="black" transform="rotate(0,296,160)"/>
                <polygon class="arrowhead" points="104,272 92,266.4 92,277.6" fill="black" transform="rotate(180,96,272)"/>
                <polygon class="arrowhead" points="104,192 92,186.4 92,197.6" fill="black" transform="rotate(180,96,192)"/>
                <polygon class="arrowhead" points="104,160 92,154.4 92,165.6" fill="black" transform="rotate(180,96,160)"/>
                <polygon class="arrowhead" points="104,128 92,122.4 92,133.6" fill="black" transform="rotate(180,96,128)"/>
                <g class="text">
                  <text x="92" y="68">Client</text>
                  <text x="300" y="68">Attester</text>
                  <text x="396" y="68">Issuer</text>
                  <text x="484" y="68">Origin</text>
                  <text x="280" y="116">Request</text>
                  <text x="284" y="132">TokenChallenge</text>
                  <text x="200" y="164">Attestation</text>
                  <text x="240" y="180">CredentialRequest</text>
                  <text x="244" y="196">CredentialResponse</text>
                  <text x="92" y="212">CredentialFinalization</text>
                  <text x="304" y="212">|</text>
                  <text x="88" y="228">|</text>
                  <text x="92" y="244">CredentialPresentation</text>
                  <text x="280" y="260">Request+Token+CredentialRequest(Origin)</text>
                  <text x="288" y="276">Response+CredentialResponse(Origin)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                            +-------------------------------------.
      +--------+            |  +----------+ +--------+ +--------+  |
      | Client |            |  | Attester | | Issuer | | Origin |  |
      +---+----+            |  +-----+----+ +----+---+ +---+----+  |
          |                  `-------|-----------|---------|------'
          +------------------- Request ------------------->|
          |<--------------- TokenChallenge ----------------+
          |                          |           |         |
          |<====== Attestation =====>|           |         |
          +--------- CredentialRequest --------->|         |
          |<-------- CredentialResponse ---------+         |
CredentialFinalization               |           |         |
          |                                                |
CredentialPresentation                                     |
          +--- Request+Token+CredentialRequest(Origin) --->|
          |<----- Response+CredentialResponse(Origin) -----+
          |                                                |
]]></artwork>
          </artset>
        </figure>
        <t>Similar to the original Shared Deployment Model (<xref section="4.1" sectionFormat="of" target="RFC9576"/>), the Attester,
Issuer, and Origin share the attestation, issuance, and redemption
contexts. Even if this context changes between the Initial and
Reverse Flow, attestation mechanism that can uniquely identify
a Client are not appropriate as they could lead to unlinkability violations.</t>
      </section>
      <section anchor="split-origin-attester-deployment">
        <name>Split Origin-Attester deployment</name>
        <t>In this model, the Attester and Issuer are operated by the same entity
that is separate from the Origin. The Origin trusts the joint Attester
and Issuer to perform attestation and issue Tokens.
Origin Tokens can then be sent by Client on new requests, as long as the
Reverse Origin trusts the Origin to perform attestation and issue Tokens.</t>
        <figure anchor="fig-deploy-joint-issuer">
          <name>Joint Attester and Issuer Deployment Model</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="944" viewBox="0 0 944 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,80" fill="none" stroke="black"/>
                <path d="M 40,80 L 40,304" fill="none" stroke="black"/>
                <path d="M 136,48 L 136,80" fill="none" stroke="black"/>
                <path d="M 216,48 L 216,80" fill="none" stroke="black"/>
                <path d="M 248,80 L 248,304" fill="none" stroke="black"/>
                <path d="M 288,48 L 288,80" fill="none" stroke="black"/>
                <path d="M 592,48 L 592,80" fill="none" stroke="black"/>
                <path d="M 624,80 L 624,176" fill="none" stroke="black"/>
                <path d="M 624,240 L 624,304" fill="none" stroke="black"/>
                <path d="M 664,48 L 664,80" fill="none" stroke="black"/>
                <path d="M 712,32 L 712,80" fill="none" stroke="black"/>
                <path d="M 736,48 L 736,80" fill="none" stroke="black"/>
                <path d="M 784,80 L 784,144" fill="none" stroke="black"/>
                <path d="M 784,192 L 784,304" fill="none" stroke="black"/>
                <path d="M 824,48 L 824,80" fill="none" stroke="black"/>
                <path d="M 840,48 L 840,80" fill="none" stroke="black"/>
                <path d="M 880,80 L 880,304" fill="none" stroke="black"/>
                <path d="M 912,48 L 912,80" fill="none" stroke="black"/>
                <path d="M 936,48 L 936,80" fill="none" stroke="black"/>
                <path d="M 712,32 L 920,32" fill="none" stroke="black"/>
                <path d="M 8,48 L 136,48" fill="none" stroke="black"/>
                <path d="M 216,48 L 288,48" fill="none" stroke="black"/>
                <path d="M 592,48 L 664,48" fill="none" stroke="black"/>
                <path d="M 736,48 L 824,48" fill="none" stroke="black"/>
                <path d="M 840,48 L 912,48" fill="none" stroke="black"/>
                <path d="M 8,80 L 136,80" fill="none" stroke="black"/>
                <path d="M 216,80 L 288,80" fill="none" stroke="black"/>
                <path d="M 592,80 L 664,80" fill="none" stroke="black"/>
                <path d="M 736,80 L 824,80" fill="none" stroke="black"/>
                <path d="M 840,80 L 912,80" fill="none" stroke="black"/>
                <path d="M 728,96 L 776,96" fill="none" stroke="black"/>
                <path d="M 792,96 L 872,96" fill="none" stroke="black"/>
                <path d="M 888,96 L 920,96" fill="none" stroke="black"/>
                <path d="M 248,112 L 264,112" fill="none" stroke="black"/>
                <path d="M 472,112 L 616,112" fill="none" stroke="black"/>
                <path d="M 632,142 L 648,142" fill="none" stroke="black"/>
                <path d="M 632,146 L 648,146" fill="none" stroke="black"/>
                <path d="M 760,142 L 776,142" fill="none" stroke="black"/>
                <path d="M 760,146 L 776,146" fill="none" stroke="black"/>
                <path d="M 624,160 L 672,160" fill="none" stroke="black"/>
                <path d="M 832,160 L 872,160" fill="none" stroke="black"/>
                <path d="M 632,176 L 672,176" fill="none" stroke="black"/>
                <path d="M 840,176 L 880,176" fill="none" stroke="black"/>
                <path d="M 256,240 L 272,240" fill="none" stroke="black"/>
                <path d="M 608,240 L 624,240" fill="none" stroke="black"/>
                <path d="M 48,256 L 64,256" fill="none" stroke="black"/>
                <path d="M 224,256 L 248,256" fill="none" stroke="black"/>
                <path d="M 40,272 L 56,272" fill="none" stroke="black"/>
                <path d="M 224,272 L 240,272" fill="none" stroke="black"/>
                <path d="M 248,288 L 272,288" fill="none" stroke="black"/>
                <path d="M 576,288 L 616,288" fill="none" stroke="black"/>
                <path d="M 920,32 C 928.83064,32 936,39.16936 936,48" fill="none" stroke="black"/>
                <path d="M 728,96 C 719.16936,96 712,88.83064 712,80" fill="none" stroke="black"/>
                <path d="M 920,96 C 928.83064,96 936,88.83064 936,80" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="880,160 868,154.4 868,165.6" fill="black" transform="rotate(0,872,160)"/>
                <polygon class="arrowhead" points="784,144 772,138.4 772,149.6" fill="black" transform="rotate(0,776,144)"/>
                <polygon class="arrowhead" points="640,176 628,170.4 628,181.6" fill="black" transform="rotate(180,632,176)"/>
                <polygon class="arrowhead" points="640,144 628,138.4 628,149.6" fill="black" transform="rotate(180,632,144)"/>
                <polygon class="arrowhead" points="624,288 612,282.4 612,293.6" fill="black" transform="rotate(0,616,288)"/>
                <polygon class="arrowhead" points="624,112 612,106.4 612,117.6" fill="black" transform="rotate(0,616,112)"/>
                <polygon class="arrowhead" points="264,240 252,234.4 252,245.6" fill="black" transform="rotate(180,256,240)"/>
                <polygon class="arrowhead" points="248,272 236,266.4 236,277.6" fill="black" transform="rotate(0,240,272)"/>
                <polygon class="arrowhead" points="56,256 44,250.4 44,261.6" fill="black" transform="rotate(180,48,256)"/>
                <g class="text">
                  <text x="44" y="68">Origin</text>
                  <text x="100" y="68">Issuer</text>
                  <text x="252" y="68">Origin</text>
                  <text x="628" y="68">Client</text>
                  <text x="780" y="68">Attester</text>
                  <text x="876" y="68">Issuer</text>
                  <text x="332" y="116">TokenChallenge</text>
                  <text x="428" y="116">(Issuer)</text>
                  <text x="704" y="148">Attestation</text>
                  <text x="752" y="164">CredentialRequest</text>
                  <text x="756" y="180">CredentialResponse</text>
                  <text x="628" y="196">CredentialFinalization</text>
                  <text x="624" y="212">|</text>
                  <text x="628" y="228">CredentialPresentation</text>
                  <text x="440" y="244">Request+Token+CredentialRequest(Origin)</text>
                  <text x="144" y="260">CredentialRequest</text>
                  <text x="140" y="276">CredentialResponse</text>
                  <text x="424" y="292">Response+CredentialResponse(Origin)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                                                                                        +--------------------------.
+---------------+         +--------+                                     +--------+     |  +----------+ +--------+  |
| Origin Issuer |         | Origin |                                     | Client |     |  | Attester | | Issuer |  |
+---+-----------+         +---+----+                                     +---+----+     |  +-----+----+ +----+---+  |
    |                         |                                              |           `-------|-----------|-----'
    |                         +-- TokenChallenge (Issuer) ------------------>|                   |           |
    |                         |                                              |                   |           |
    |                         |                                              |<== Attestation ==>|           |
    |                         |                                              +------ CredentialRequest ----->|
    |                         |                                              |<----- CredentialResponse -----+
    |                         |                                    CredentialFinalization        |           |
    |                         |                                              |                   |           |
    |                         |                                    CredentialPresentation        |           |
    |                         |<-- Request+Token+CredentialRequest(Origin) --+                   |           |
    |<-- CredentialRequest ---+                                              |                   |           |
    +-- CredentialResponse -->|                                              |                   |           |
    |                         +--- Response+CredentialResponse(Origin) ----->|                   |           |
    |                         |                                              |                   |           |
]]></artwork>
          </artset>
        </figure>
        <t>The Origin Issuer <bcp14>MUST NOT</bcp14> issue privately verifiable tokens, as this would
lead to secret material being shared between the Origin and the Reverse Origin.</t>
        <t>A particular deployment model is when the Reverse Origin is the Attester/Issuer.
This model is described in <xref target="fig-deploy-joint-issuer-reserve"/></t>
        <figure anchor="fig-deploy-joint-issuer-reserve">
          <name>Joint Attester and Issuer Deployment Model with reverse</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="944" viewBox="0 0 944 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,80" fill="none" stroke="black"/>
                <path d="M 40,80 L 40,368" fill="none" stroke="black"/>
                <path d="M 136,48 L 136,80" fill="none" stroke="black"/>
                <path d="M 216,48 L 216,80" fill="none" stroke="black"/>
                <path d="M 248,80 L 248,368" fill="none" stroke="black"/>
                <path d="M 288,48 L 288,80" fill="none" stroke="black"/>
                <path d="M 592,48 L 592,80" fill="none" stroke="black"/>
                <path d="M 624,80 L 624,176" fill="none" stroke="black"/>
                <path d="M 624,240 L 624,288" fill="none" stroke="black"/>
                <path d="M 624,352 L 624,368" fill="none" stroke="black"/>
                <path d="M 664,48 L 664,80" fill="none" stroke="black"/>
                <path d="M 712,32 L 712,80" fill="none" stroke="black"/>
                <path d="M 736,48 L 736,80" fill="none" stroke="black"/>
                <path d="M 784,80 L 784,144" fill="none" stroke="black"/>
                <path d="M 784,192 L 784,344" fill="none" stroke="black"/>
                <path d="M 824,48 L 824,80" fill="none" stroke="black"/>
                <path d="M 840,48 L 840,80" fill="none" stroke="black"/>
                <path d="M 880,80 L 880,368" fill="none" stroke="black"/>
                <path d="M 912,48 L 912,80" fill="none" stroke="black"/>
                <path d="M 936,48 L 936,80" fill="none" stroke="black"/>
                <path d="M 712,32 L 920,32" fill="none" stroke="black"/>
                <path d="M 8,48 L 136,48" fill="none" stroke="black"/>
                <path d="M 216,48 L 288,48" fill="none" stroke="black"/>
                <path d="M 592,48 L 664,48" fill="none" stroke="black"/>
                <path d="M 736,48 L 824,48" fill="none" stroke="black"/>
                <path d="M 840,48 L 912,48" fill="none" stroke="black"/>
                <path d="M 8,80 L 136,80" fill="none" stroke="black"/>
                <path d="M 216,80 L 288,80" fill="none" stroke="black"/>
                <path d="M 592,80 L 664,80" fill="none" stroke="black"/>
                <path d="M 736,80 L 824,80" fill="none" stroke="black"/>
                <path d="M 840,80 L 912,80" fill="none" stroke="black"/>
                <path d="M 728,96 L 776,96" fill="none" stroke="black"/>
                <path d="M 792,96 L 872,96" fill="none" stroke="black"/>
                <path d="M 888,96 L 920,96" fill="none" stroke="black"/>
                <path d="M 248,112 L 264,112" fill="none" stroke="black"/>
                <path d="M 472,112 L 616,112" fill="none" stroke="black"/>
                <path d="M 632,142 L 648,142" fill="none" stroke="black"/>
                <path d="M 632,146 L 648,146" fill="none" stroke="black"/>
                <path d="M 760,142 L 776,142" fill="none" stroke="black"/>
                <path d="M 760,146 L 776,146" fill="none" stroke="black"/>
                <path d="M 624,160 L 672,160" fill="none" stroke="black"/>
                <path d="M 832,160 L 872,160" fill="none" stroke="black"/>
                <path d="M 632,176 L 672,176" fill="none" stroke="black"/>
                <path d="M 840,176 L 880,176" fill="none" stroke="black"/>
                <path d="M 256,240 L 272,240" fill="none" stroke="black"/>
                <path d="M 608,240 L 624,240" fill="none" stroke="black"/>
                <path d="M 48,256 L 64,256" fill="none" stroke="black"/>
                <path d="M 224,256 L 248,256" fill="none" stroke="black"/>
                <path d="M 40,272 L 64,272" fill="none" stroke="black"/>
                <path d="M 248,288 L 272,288" fill="none" stroke="black"/>
                <path d="M 576,288 L 616,288" fill="none" stroke="black"/>
                <path d="M 624,352 L 720,352" fill="none" stroke="black"/>
                <path d="M 784,352 L 872,352" fill="none" stroke="black"/>
                <path d="M 920,32 C 928.83064,32 936,39.16936 936,48" fill="none" stroke="black"/>
                <path d="M 728,96 C 719.16936,96 712,88.83064 712,80" fill="none" stroke="black"/>
                <path d="M 920,96 C 928.83064,96 936,88.83064 936,80" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="880,352 868,346.4 868,357.6" fill="black" transform="rotate(0,872,352)"/>
                <polygon class="arrowhead" points="880,160 868,154.4 868,165.6" fill="black" transform="rotate(0,872,160)"/>
                <polygon class="arrowhead" points="784,144 772,138.4 772,149.6" fill="black" transform="rotate(0,776,144)"/>
                <polygon class="arrowhead" points="640,176 628,170.4 628,181.6" fill="black" transform="rotate(180,632,176)"/>
                <polygon class="arrowhead" points="640,144 628,138.4 628,149.6" fill="black" transform="rotate(180,632,144)"/>
                <polygon class="arrowhead" points="624,288 612,282.4 612,293.6" fill="black" transform="rotate(0,616,288)"/>
                <polygon class="arrowhead" points="624,112 612,106.4 612,117.6" fill="black" transform="rotate(0,616,112)"/>
                <polygon class="arrowhead" points="264,240 252,234.4 252,245.6" fill="black" transform="rotate(180,256,240)"/>
                <polygon class="arrowhead" points="56,256 44,250.4 44,261.6" fill="black" transform="rotate(180,48,256)"/>
                <g class="text">
                  <text x="44" y="68">Origin</text>
                  <text x="100" y="68">Issuer</text>
                  <text x="252" y="68">Origin</text>
                  <text x="628" y="68">Client</text>
                  <text x="780" y="68">Attester</text>
                  <text x="876" y="68">Issuer</text>
                  <text x="332" y="116">TokenChallenge</text>
                  <text x="428" y="116">(Issuer)</text>
                  <text x="704" y="148">Attestation</text>
                  <text x="752" y="164">CredentialRequest</text>
                  <text x="756" y="180">CredentialResponse</text>
                  <text x="620" y="196">CredentialFinalization</text>
                  <text x="624" y="212">|</text>
                  <text x="620" y="228">CredentialPresentation</text>
                  <text x="440" y="244">Request+Token+CredentialRequest(Origin)</text>
                  <text x="144" y="260">CredentialRequest</text>
                  <text x="148" y="276">CredentialResponse</text>
                  <text x="236" y="276">-&gt;</text>
                  <text x="424" y="292">Response+CredentialResponse(Origin)</text>
                  <text x="620" y="308">CredentialFinalization</text>
                  <text x="624" y="324">|</text>
                  <text x="620" y="340">CredentialPresentation</text>
                  <text x="752" y="356">Token</text>
                  <text x="784" y="372">|</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                                                                                        +--------------------------.
+---------------+         +--------+                                     +--------+     |  +----------+ +--------+  |
| Origin Issuer |         | Origin |                                     | Client |     |  | Attester | | Issuer |  |
+---+-----------+         +---+----+                                     +---+----+     |  +-----+----+ +----+---+  |
    |                         |                                              |           `-------|-----------|-----'
    |                         +-- TokenChallenge (Issuer) ------------------>|                   |           |
    |                         |                                              |                   |           |
    |                         |                                              |<== Attestation ==>|           |
    |                         |                                              +------ CredentialRequest ----->|
    |                         |                                              |<----- CredentialResponse -----+
    |                         |                                   CredentialFinalization         |           |
    |                         |                                              |                   |           |
    |                         |                                   CredentialPresentation         |           |
    |                         |<-- Request+Token+CredentialRequest(Origin) --+                   |           |
    |<-- CredentialRequest ---+                                              |                   |           |
    +--- CredentialResponse ->|                                              |                   |           |
    |                         +--- Response+CredentialResponse(Origin) ----->|                   |           |
    |                         |                                   CredentialFinalization         |           |
    |                         |                                              |                   |           |
    |                         |                                   CredentialPresentation         |           |
    |                         |                                              +------------ Token ----------->|
    |                         |                                              |                   |           |
]]></artwork>
          </artset>
        </figure>
        <t>This deployment <bcp14>SHOULD</bcp14> not allow the Reverse Origin such as an Initial Issuer
to infer the request made to the Origin, as it would break unlinkability.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Privacy Pass <xref target="RFC9576"/> states</t>
      <ul empty="true">
        <li>
          <t>In general, limiting the amount of metadata permitted helps limit the extent
to which metadata can uniquely identify individual Clients. Failure to bound the
number of possible metadata values can therefore lead to a reduction in Client
privacy. Most token types do not admit any metadata, so this bound is implicitly
enforced.</t>
        </li>
      </ul>
      <t>In Privacy Pass with a reverse flow, Clients are provided with new PrivateTokens
depending on their request. They can present these tokens to continue making further
requests.</t>
      <t>While the tokens are still unlinkable, the <tt>token_key_id</tt> associated to them
represent metadata. It leaks some information about the Client. The following
subsections discuss the issues that influence the anonymity set, and possible
mitigations/safeguards to protect against this underlying problem.</t>
      <section anchor="issuer-face-values">
        <name>Issuer face values</name>
        <t>When setting up a reverse flow deployment, an Origin <bcp14>MAY</bcp14> operate multiple
Issuers, and assign them some metadata to them. The amount of possible metadata
grows as <tt>2^(origin_issuers)</tt>.</t>
        <t>We RECOMMEND that:</t>
        <ol spacing="normal" type="1"><li>
            <t>Origins define their anonymity sets, and deploy no more than
<tt>log2(#anonymity_sets)</tt>. This bounds the possible anonymity sets by design.</t>
          </li>
          <li>
            <t>Clients to only send 1 PrivateToken per request. This is consistent with <xref section="3.2" sectionFormat="of" target="RFC9577"/>
and <xref section="11.6.2" sectionFormat="of" target="RFC9110"/> which only allows one challenge response to be
provided as part of Authorization HTTP header.</t>
          </li>
          <li>
            <t>Issuers metadata to be publicly disclosed via an Origin endpoint, and
externally monitored.</t>
          </li>
        </ol>
      </section>
      <section anchor="token-for-specific-clients">
        <name>Token for specific Clients</name>
        <t>In Privacy Pass with a reverse flow, an Origin <bcp14>MAY</bcp14> operate multiple Issuers,
with arbitrary metadata associated to them. A malicious Origin <bcp14>MAY</bcp14> uses this
opportunity to associate certain token values to a specific set of Clients.</t>
        <t>Let's consider the following deployment: the Origin operates two Issuers A and
B. The Client sends Token_A, and (CredentialRequest_A, CredentialRequest_B). Issuer B is
associated to people that like croissant. Issuer A is for the rest of the clients.</t>
        <t>If a Client requests croissant, or sends Token_B, the Origin provides
CredentialResponse_B. If not, it provides CredentialResponse_A.</t>
        <t>Over time, this means the Origin is able to track people that like croissants.</t>
        <t>To mitigate this, we RECOMMEND:</t>
        <ol spacing="normal" type="1"><li>
            <t>The initial PrivateToken to be provided by an Issuer not in control of the
Origin.</t>
          </li>
          <li>
            <t>Clients to reset their state regularly with the initial Issuer.</t>
          </li>
        </ol>
      </section>
      <section anchor="swap-endpoint-and-its-privacy-implication">
        <name>Swap endpoint and its privacy implication</name>
        <t>With multiple Issuers, a Client <bcp14>MAY</bcp14> end up with a bunch of tokens, for various
Issuers. Origins <bcp14>MAY</bcp14> propose a swap endpoint at which a Client can exchange one
or more Origin tokens against one or more new Origin tokens.</t>
        <t>The Origin <bcp14>SHOULD</bcp14> ensure this endpoint receives enough traffic to not reduce the
anonymity sets.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations of <xref target="RFC9576"/> apply. Each issuance and redemption
step in a reverse flow is a regular Privacy Pass exchange; this section covers
risks introduced by their composition.</t>
      <section anchor="redemption-gates-issuance">
        <name>Redemption gates issuance</name>
        <t>The redeemed token is the attestation for the reverse flow. An Origin <bcp14>MUST</bcp14>
verify the presented token before processing the accompanying
CredentialRequest, and <bcp14>MUST NOT</bcp14> return a CredentialResponse if verification
fails or the Client presents no token.</t>
      </section>
      <section anchor="issuance-amplification">
        <name>Issuance amplification</name>
        <t>A reverse flow can issue more value than it redeems (<xref target="bootstrapping-issuer"/>),
and Origin PrivateTokens can themselves start further reverse flows, so
issuance compounds. Origins <bcp14>MUST</bcp14> bound the total value issued per redeemed
token, and <bcp14>SHOULD</bcp14> limit Origin PrivateToken validity, for instance by rotating
Origin Issuer keys, so stockpiled tokens expire.</t>
      </section>
      <section anchor="double-spend-prevention">
        <name>Double-spend prevention</name>
        <t>Double-spend prevention follows <xref section="7.1" sectionFormat="of" target="RFC9576"/>. When the Reverse
Origin is not the Origin Issuer (<xref target="fig-deploy-joint-issuer-reserve"/>), the two
<bcp14>MUST</bcp14> share redemption state, or each token <bcp14>MUST</bcp14> be redeemable at exactly one
Reverse Origin.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="BATCHED-TOKENS">
          <front>
            <title>Batched Token Issuance Protocol</title>
            <author fullname="Raphael Robert" initials="R." surname="Robert">
              <organization>Phoenix R&amp;D</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare Inc.</organization>
            </author>
            <date day="4" month="May" year="2026"/>
            <abstract>
              <t>   This document specifies two variants of the Privacy Pass issuance
   protocol that allow for batched issuance of tokens.  These allow
   clients to request more than one token at a time and for issuers to
   issue more than one token at a time.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-batched-tokens-08"/>
        </reference>
        <reference anchor="RFC9576">
          <front>
            <title>The Privacy Pass Architecture</title>
            <author fullname="A. Davidson" initials="A." surname="Davidson"/>
            <author fullname="J. Iyengar" initials="J." surname="Iyengar"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document specifies the Privacy Pass architecture and requirements for its constituent protocols used for authorization based on privacy-preserving authentication mechanisms. It describes the conceptual model of Privacy Pass and its protocols, its security and privacy goals, practical deployment models, and recommendations for each deployment model, to help ensure that the desired security and privacy goals are fulfilled.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9576"/>
          <seriesInfo name="DOI" value="10.17487/RFC9576"/>
        </reference>
        <reference anchor="RFC9578">
          <front>
            <title>Privacy Pass Issuance Protocols</title>
            <author fullname="S. Celi" initials="S." surname="Celi"/>
            <author fullname="A. Davidson" initials="A." surname="Davidson"/>
            <author fullname="S. Valdez" initials="S." surname="Valdez"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document specifies two variants of the two-message issuance protocol for Privacy Pass tokens: one that produces tokens that are privately verifiable using the Issuer Private Key and one that produces tokens that are publicly verifiable using the Issuer Public Key. Instances of "issuance protocol" and "issuance protocols" in the text of this document are used interchangeably to refer to the two variants of the Privacy Pass issuance protocol.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9578"/>
          <seriesInfo name="DOI" value="10.17487/RFC9578"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CONSISTENCY-MIRROR">
          <front>
            <title>Checking Resource Consistency with HTTP Mirrors</title>
            <author fullname="Benjamin Beurdouche" initials="B." surname="Beurdouche">
              <organization>Inria &amp; Mozilla</organization>
            </author>
            <author fullname="Matthew Finkel" initials="M." surname="Finkel">
              <organization>Apple Inc.</organization>
            </author>
            <author fullname="Steven Valdez" initials="S." surname="Valdez">
              <organization>Google LLC</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <author fullname="Tommy Pauly" initials="T." surname="Pauly">
              <organization>Apple Inc.</organization>
            </author>
            <date day="23" month="October" year="2023"/>
            <abstract>
              <t>   This document describes the mirror protocol, an HTTP-based protocol
   for fetching mirrored HTTP resources.  The primary use case for the
   mirror protocol is to support HTTP resource consistency checks in
   protocols that require clients have a consistent view of some
   protocol-specific resource (typically, a public key) for security or
   privacy reasons, including Privacy Pass and Oblivious HTTP.  To that
   end, this document also describes how to use the mirror protocol to
   implement these consistency checks.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-group-privacypass-consistency-mirror-01"/>
        </reference>
        <reference anchor="KEYTRANS">
          <front>
            <title>Key Transparency Architecture</title>
            <author fullname="Brendan McMillion" initials="B." surname="McMillion">
         </author>
            <date day="29" month="June" year="2026"/>
            <abstract>
              <t>   This document defines the terminology and interaction patterns
   involved in the deployment of Key Transparency in a general secure
   group messaging infrastructure, and specifies the security properties
   that the protocol provides.  It also gives more general, non-
   prescriptive guidance on how to securely apply Key Transparency to a
   number of common applications.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-keytrans-architecture-09"/>
        </reference>
        <reference anchor="MOQ-PRIVACYPASS">
          <front>
            <title>Privacy Pass Authentication for Media over QUIC (MoQ)</title>
            <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
              <organization>Cisco</organization>
            </author>
            <author fullname="Cullen Fluffy Jennings" initials="C. F." surname="Jennings">
              <organization>Cisco</organization>
            </author>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare Inc.</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document specifies the use of Privacy Pass architecture and
   issuance protocols for authorization in Media over QUIC (MoQ)
   transport protocol.  It defines how Privacy Pass tokens can be
   integrated with MoQ's authorization framework to provide privacy-
   preserving authentication for subscriptions, fetches, publications,
   and relay operations while supporting fine-grained access control
   through prefix-based track namespace and track name matching rules.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-moq-privacy-pass-auth-02"/>
        </reference>
        <reference anchor="PRIVACYPASS-ACT">
          <front>
            <title>Privacy Pass Issuance Protocol for Anonymous Credit Tokens</title>
            <author fullname="Samuel Schlesinger" initials="S." surname="Schlesinger">
              <organization>Google</organization>
            </author>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare Inc.</organization>
            </author>
            <date day="13" month="February" year="2026"/>
            <abstract>
              <t>   This document specifies the issuance and redemption protocols for
   tokens based on the Anonymous Credit Tokens (ACT) protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-schlesinger-privacypass-act-01"/>
        </reference>
        <reference anchor="PRIVACYPASS-ARC">
          <front>
            <title>Privacy Pass Issuance Protocol for Anonymous Rate-Limited Credentials</title>
            <author fullname="Cathie Yun" initials="C." surname="Yun">
              <organization>Apple, Inc.</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Apple, Inc.</organization>
            </author>
            <author fullname="Armando Faz-Hernandez" initials="A. F." surname="Faz-Hernandez">
              <organization>Cloudflare</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document specifies the issuance and redemption protocols for
   tokens based on the Anonymous Rate-Limited Credential (ARC)
   cryptographic protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-arc-protocol-01"/>
        </reference>
        <reference anchor="PRIVACYPASS-BBS">
          <front>
            <title>BBS for PrivacyPass</title>
            <author fullname="Watson Ladd" initials="W." surname="Ladd">
              <organization>Akamai Technologies</organization>
            </author>
            <date day="26" month="February" year="2024"/>
            <abstract>
              <t>   Existing token types in privacy pass conflate attribution with rate
   limiting.  This document describes a token type where the issuer
   attests to a set of properties of the client, which the client can
   then selectively prove to the origin.  Repeated showings of the same
   credential are unlinkable, unlike other token types in privacy pass.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ladd-privacypass-bbs-01"/>
        </reference>
        <reference anchor="REVERSE-FLOW-HTTP-HEADER">
          <front>
            <title>Privacy Pass Reverse Flow HTTP Transport</title>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare Inc.</organization>
            </author>
            <date day="18" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies an instantiation of Privacy Pass Reverse Flow
   [REVERSE-FLOW] where HTTP is used as a transport mechanism.

   It describes a novel HTTP header field that Clients and Origins can
   use to carry reverse flow data.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-meunier-privacypass-reverse-flow-http-00"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC9577">
          <front>
            <title>The Privacy Pass HTTP Authentication Scheme</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="S. Valdez" initials="S." surname="Valdez"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document defines an HTTP authentication scheme for Privacy Pass, a privacy-preserving authentication mechanism used for authorization. The authentication scheme specified in this document can be used by Clients to redeem Privacy Pass tokens with an Origin. It can also be used by Origins to challenge Clients to present Privacy Pass tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9577"/>
          <seriesInfo name="DOI" value="10.17487/RFC9577"/>
        </reference>
        <reference anchor="SCITT">
          <front>
            <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="C. Fournet" initials="C." surname="Fournet"/>
            <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
            <author fullname="S. Lasker" initials="S." surname="Lasker"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>Traceability in supply chains is a growing security concern. While Verifiable Data Structures (VDSs) have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document defines such an architecture for single-issuer signed statement transparency. It ensures extensibility and interoperability between different transparency services as well as compliance with various auditing procedures and regulatory requirements.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9943"/>
          <seriesInfo name="DOI" value="10.17487/RFC9943"/>
        </reference>
      </references>
    </references>
    <?line 486?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author would like to thank Tommy Pauly, Chris Wood, Raphael Robert, and Armando Faz Hernandez
for helpful discussion on Privacy Pass architecture and its considerations.</t>
    </section>
    <section numbered="false" anchor="changelog">
      <name>Changelog</name>
      <t>v06</t>
      <ul spacing="normal">
        <li>
          <t>Add Security Considerations: redemption gates issuance, issuance amplification, double-spend prevention</t>
        </li>
        <li>
          <t>Add Origin Issuer discovery and consistency section, following <xref target="RFC9578"/> directory and referencing consistency mechanisms</t>
        </li>
      </ul>
      <t>v05</t>
      <ul spacing="normal">
        <li>
          <t>Clarify why Reverse Flow is more than applying <xref target="RFC9576"/> twice</t>
        </li>
        <li>
          <t>Add transport requirement text to Deployment Modes</t>
        </li>
        <li>
          <t>Add anonymous credential composition motivation</t>
        </li>
        <li>
          <t>Update terminology and diagrams to use Credential vocabulary</t>
        </li>
        <li>
          <t>Use "Origin Issuer" consistently for the entity providing Client state updates</t>
        </li>
      </ul>
      <t>v04</t>
      <ul spacing="normal">
        <li>
          <t>Fix: Client finalises a <tt>Credential</tt>, not a <tt>Token</tt>, upon receiving a <tt>CredentialResponse</tt></t>
        </li>
        <li>
          <t>Use "Origin Issuer" consistently when referring to the entity that provides the Client with a state update</t>
        </li>
      </ul>
      <t>v03</t>
      <ul spacing="normal">
        <li>
          <t>Add "Anonymous credential composition" motivation use case</t>
        </li>
        <li>
          <t>Rename section and update diagrams to use Credential vocabulary: <tt>CredentialRequest</tt>, <tt>CredentialResponse</tt>, <tt>CredentialFinalization</tt>, <tt>CredentialPresentation</tt> (previously <tt>TokenRequest</tt>, <tt>TokenResponse</tt>, <tt>Finalisation</tt>)</t>
        </li>
        <li>
          <t>Update PRIVACYPASS-ARC reference to IETF working group draft (<tt>draft-ietf-privacypass-arc-protocol</tt>)</t>
        </li>
        <li>
          <t>Update PRIVACYPASS-ACT reference to use proper I-D reference (<tt>draft-schlesinger-privacypass-act</tt>)</t>
        </li>
        <li>
          <t>Add normative reference to RFC9577</t>
        </li>
        <li>
          <t>Editorial pass and spelling fixes</t>
        </li>
      </ul>
      <t>v02</t>
      <ul spacing="normal">
        <li>
          <t>Diagrams now use Credential instead of Token, and use both Finalization and Presentation as keyword</t>
        </li>
        <li>
          <t>Rework the intro to make it consistent with Anonymous credentials evolutions</t>
        </li>
        <li>
          <t>Have Anonymous credentials use case, given it needs a new architecture</t>
        </li>
        <li>
          <t>Editorial pass on PrivacyPass-Reverse header</t>
        </li>
      </ul>
      <t>v01</t>
      <ul spacing="normal">
        <li>
          <t>Editorial pass on the introduction</t>
        </li>
        <li>
          <t>Add a motivation section: refunding tokens, bootstraping issuer, attester feedback loop</t>
        </li>
        <li>
          <t>Split protocol overview via HTTP headers in its own section</t>
        </li>
        <li>
          <t>Add consideration about anonymous credentials in joint origin/issuer deployment</t>
        </li>
      </ul>
      <t>v00</t>
      <ul spacing="normal">
        <li>
          <t>Initial draft</t>
        </li>
        <li>
          <t>Possibility of a new HTTP request for inlining request</t>
        </li>
        <li>
          <t>Privacy considerations about additional metadata</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+0923YbOXLv+ApEfhh7RNKW7bmsMp5dWpZjZceWV9Ksz5yc
xAK7QRKrZje3L9JwJO/JR+QD8i35lHxJ6gKggWZTone9c3ZOhn4w2Y1LoapQ
VagqlIbDoahNnel9ufO2NJcqWcm3qqrkib7UZaXly6y42hFqMin15e1tElXr
WVGu9qXJp4UQaZHkagEDp6Wa1sOFbnKjy+GSR1jCAMOSBxhOYYDhoy9F1UwW
pqpMkderJfQ8Ojx7KfJmMdHlvkhh/H2RFHml86qp9mVdNloAUE+EKrUC4E51
0pSmXu2Iq6K8mJVFs+yAvCMudd7AMFL2v5aSZ955ByOYfCb/BZvh84UyGTy3
4A8R/t8ZXU9HRTnD96pM5vB+XtfLav/hQ2yOj8ylHrlmD/HBw0lZXFX6YTjQ
QxxgZup5M4Eh6rmZALYebok3xHa5UDVgTWU4UAaIquoAFjvgiGcYmeKvGnrL
TqN5vQAwhGrqeQFkk0MAScppk2XMDmcAjWqyWr7mkeg1YEfl5ieaal8eZEWT
TgF/Wh7lyYhaaCZAUQ8Rnb+r7Sij5kKInKG8JMI+H58dvDp8MTw7/v3hm1Ng
ouGLEYOOHSO4J6pO5jod1sUF8BT0PXl58Jsvvvpy33/9el8IjwUe/+D4zenR
6dnhm4Mfhq+PTk6OT8I5iK2iSZBjTVXrHIi9MGVZ4Ip/f/jD2cm4B7wLvapL
lVdDYp5aJ3VTaujw+vgPw7cnR38cH/zwdny63m9R/HkYstQQ8Q/9gj7D8cFZ
2K9K5pmugMk71FRJ3e14cnArHgFW+F3URVJkna7Pn0ewZipNYxJMCO+Hfzw8
OT0cvvzu+N3w1dnZ2+Grw/GLwwizd3Irsrsl3N7eo5aGX+HX04OjM1g9PvnN
0ydCiOFwKNWkAmTDcgUwZSVBYjULndeyWurETI2upMpBmlW1ymtDvCmLqYxk
4Dggk7y+tgz04YOo56qWKgPAKgn8I5XcsdDuSARXTstiIeu5lselmZlc1gX9
OsgMgDASR7VMdZWUZoJgyIWG7ZTySHnQBcRlo+E9wFhr2SxRSsZDwQJkqasl
Ck58o+DXnxuQEPBCXM1NModHtANgMHiXar3Q6YgxtDBpmmkh7sFGrMsibRLE
ws+DL4uurbAljmAqeFBKEP1pNZAmgkpeqdU67oDyUhHM4xpFJvTelUeI0HLU
XWJawDh5UQNUy0wlEewjeagAi0gKlcMrlaeEx8WSUAADL0VVmywDEHiBvNgA
FSMQi1rO1BJpkBSLZVEZloXBPB4IkeqpybWcA2KYcsF0OLJfZaKaStv5ukyT
6yvB+BvOdZZaFsIWAEoFslrqH5O5AvkwilS95NntqAGwAxCVSdakqDct7yUF
kMPkxAsDSZJtWZS1nJgcmw0IVzif3dVST6eAkQr4RmS6rnGoluqfVeFCUyBv
RQieq6UmtVcyOqoRcuzrAkS2Yn59B6ovZsSWWpXfaCmuPkD4QBbUot0eS9hJ
sC5oOVnBc14lrLtmuoGkTzWAiLyX17S4ROXINhMNoAMtaArACYEqZ40ClNQa
dm6emfxCTUwGBsxIHk3drOIKAISmEx1MXl+ZRA8IM/VV4TZ0BczfACGhKQ+W
aQSzxR+g5VVxhaQcUB9TMn5551ncSVS7DH+RZytGwUID5bglrxn4UOtU1H5y
uShK7YaAx0tdotrkxw5AZHODuCfjTQIkgNUpQWhy4CGVuaYiNWn+WU2zeAJY
BFhuwv3MwgYATBsr3JKiQmzjwuClmeUgAoAGtZMYHhO8v1G1wLjFJRCO5Syy
vKkW6+LCtmoFaMDnV8hf0JoFcCpoLw1YnlkeXvAYtALcew5XwMDThsRhiyU7
qRNQ1NzJqIcsoQQMg6wixHMNkwzklWcQmRrYRSV+A44DDgQRgDviHmzjaUMb
z04uxIEua2XcMivqEO2TlqIlLGmYmYWpW4aDda3gV6LBOJIFMBZSgIeEcwWI
EFh9CiJjokkSoToAGIumBJLhdgGJYHJcMTG8RSasIa0CPcVyRuUCGLvS5SVw
BOK7aGB9IFZN5bnYjT0IVQVvisxcMIeQXWpQFwJNkIFTZJtKAzipmzLg0zkj
kNjBAdTuHZR+Ta29GHO/oScSRUCnq7lmkep6Z1qlldPEqQHskThDVoY3iCIA
pUZEzHSuS9ajIbOPrDyLVeRAeAQSLubIORmcjNIVoB9g8Ctn4RXoiBxPNznx
AQsDbsnm+EA4ZGdF5eRxJK5wZ8B25y+4RWiCkIuY+54XRY0UXy5xGGZjeX1v
Ej4ekm4qPwgx9gBeKZQ3KC5RWMonj2BjJLpiO8GJIwK8KjLkDiUOxm/hFDAG
OhJ9q4IsAuQ4UOfIW3jMk49+fPTo0WO5bCaZSSSgEmQFSU0WN2RzkEXDoslC
TDN5yV0h2nk2QjmhmuEAigBbINubulW7AH47+R4rvlp7xfXOIrtD3HWGnqtL
YmhmRhrXrsfBSSOCYEAbT1BzGAleWNHsbRUl52aGthMftXmT2g0+K1ha0Pze
NgJiepNpChJ6opILGLxYkiEWaVDPlDNdV16SO9RaUJ3FpBcV4io0YUatyrKa
gscjW8DasajB0WgFtkReYf4LEEaSwdkNJJcInyXt07wIhD7RdomYZ57yRjQB
zMigxdaFCLWWRzku0wpsXikuDeSW21LInTNFCqhvD8ueQRdq5Ynsub1VJSAX
eZm8dVI770RPUfPyjvQqiPWUk3bUcsSaMDK9I5rCUPWVtkLMYdTKuxjUVlRM
QO5cBPoxNm+YgfIiXy2KBuwmJE5O4wTWpBCbDw5ks6ERSpQOTeQEDaQSjZii
cSusBvac422+Ka0VDR03TGD4fQ0WvRCv2W7B8cAOXmYFC+JK3r++7pyNkc3j
h3DqXX8Ix+8PHx6gsyqgSrt2ImrC9LWbNjJ4ULmh2wSxL6sEJG5AQGgGz4DC
mpe1dgjr8tkETkteKwd8Pi8y0r1kwKBdi9qh4ZOjN+kADLP0YjK2yoA0VxqM
SRKF7fCtrhGtteXtJXv2aK3JlnX4bKfSlJiioh3SWSyZmGj3ZSs+UDSVmml3
/ktGW+80x9UWWNPuP1iGaK2qgGiOUmQ0N4aMcxKWpvTG10gcw2HN/aJTNq6W
TClcKImIrEhww4y6TIPs5Q1UEdhgS5TUViHw+prcAPLWoMt0HyMKu+Fjw055
rIGMIE8s2/8G5S2pNiAOqEhTzclHcE+e6XJh8iIrZiu0qbW8AIuQDuFy5/X3
p2c7A/5fvjmm7yeHf/j+6OTwBX4/fTX+7jv/RdgWp6+Ov//uRfut7Xlw/Pr1
4ZsX3BmeyuiR2Hk9/mGHOWDn+O3Z0fGb8Xc7fKANj/KKzikolA3KCmBfpJqq
RHQMfH7w9n/+e+8poO6fQCw83tv7DdCBf3y999VT+IGGHc9G5yT+iQaxAFNG
q5J2KuyERC1NTcSAPVHBmT2XqHsAe5//G2Lm3/flN5Nkuff0W/sAFxw9dDiL
HhLO1p+sdWYk9jzqmcZjM3rewXQM7/iH6LfDe/Dwm99m6KwY7n39228FqD17
EpZ1yzmsXkOXCvMS+0tIe0Fj3u10iK7nIN9npGoi4u4DUj9HJ8X+55+LffnC
W9c0wVu2tc7sad4qA7TM6tCzwM4YPl+hZCpxl2JoYG6dUQo9FOw5sorP7rOa
+pEN39fYWjQ4PDqSrXsOde+VWoHlQ94TsBuxOWxG0EwKdpq2hojf1ifWm8fM
510sOCZxtKIlo9H9+edHVsK1OLGybvhta8LBdwsMfGuBBMhoBUty/JHZHGEQ
jSWcs2KaxDYXYPXCJBeEPugYOpAIsPBBBNg3wxYw+G4Bg2/rgDkRFs1KUhsD
MhGwcMJ0p7ANVjUeYTByArsZzqklaxVHXkC0ZQALD/C9dwiwRrIHZW3IDeks
Zov+zuF9ICkKYJXjgk1COuk6cELadToztjoP5RLxbPkuJDoOZFcYdre97KI7
xAv6hDjknmubqK+3oy4/sRDnbk9Zx6E9jAU06FCMrY9JaEEg5vAnYG8DelAp
RcYiuiUuDRjk1/dClyseMbMCRAtpT/Q5WCsZNHe0RjKJwXxH4BM2qO6jJLfu
5a7T8MHA8ohgP0a4b9m1Jf7yl78oVV3OxO4w/uxK+9lde7Lx09N0NxyxfS9u
ZMQJ8sZ18C9ueqcIPzduB9wEj/yGvYF/bnBcXbTAaHW7269ut2d1u8Hq+IEg
SDaDvfWnr2n47OaOmb7pEHUoLeFl90Xf8j9iJo9cSYx6MAd5qHOwfO8zCR74
Cb/9W9e08c1WTf9OM33z7JnlPN6Vz559+/eZySJ6fStLi91PuKb1mWzobvgp
uLwd9yUZF+zi6+v+y+GIdk1vw+PyXzFTtHPdrt1lLfDX7NxvNvFMKwnXXt9n
SfzgtuWvzbS7iWd6N/6m5W+1ps3dCWU88e46LH5dP4M0+sfkctD64npf3pua
WZy4EFolkrKxnu3EFkwniG7P+1H+1Qc+MTmPBtnHC8pvYQsLrdp+n9lIjiMf
beL0SEpnWsHOdnJUtMEbDDRHBxo/BMaorfXrzQLrF7XWomJ9Zc94tl8GJ2YX
Ygwdje70FIegvSuejoFkEEamzWcUjQVMNzZ+cv/6OjVVgrbgCmw0F/8zdC7T
P9ZgultPWYSZMzox+JAzYZW8aesxMnZDO2+iuL4+tUfPJ6MvR0+xVzDuSZjb
QNNjSAghqgoXyopnRWDxcAd4cgEw9kCHPs1uJDsE4UkMgl8/7JSi5g44XmrU
rFRwJJkArpxhHwTmkA/Oraw63z0nSsL/G+XYObknHTnLJmd29GC7vKGBDQIA
w0OTcyc2OkPHsgTGFqdNMue127OC9VK2TgJ5qUqDfmYKYg9khT2ApTDPSM61
StFfDPyxKQmJTPrXx38AWgNidG2bdzKyqBWcFCimrQCrKR4WAArA2bIw5Mi8
d29dHQw2Huz7pZiNsNwqRND33CEb8fk6lc4t1imAu97G0sB5mMnZqm0w3SVP
+TAMuVhaJ6kj7FrwaLx2dmrZ9IuISQdCfEtbEGZqrOcfwK30An3bSeXOu8SE
Tr1iC/vAakE4ZKJDGFl9Sd6ZvJ8F2f/Lrg2M0HEWAfo2Rk64tjlQa0J5fbiJ
QrcING1DHQehb9YxYp/HFzipx2k7EIsi5Zym83DR5/I+pniN/FNLuAeIfPQy
9FHeBZxd1x7Co5z8fkmxB+QQdlb3towYbs4pK85/Ra+CTuco5Iw73IsgraUI
434koND5juEzeR5ugnM6lIcxXFXFoRzHUl+1DPU14k/FMZUp4dk3ZiG5Ht4R
7cZ2GMZEinPbf41OyOWYUDMvNWZRqcUyA5Jh3jJq+HmUouX8Ny4qEuDRReui
3D7sbTgxJsDyT1Zo2NVZYcPDTPRcXYIELHs9HsrTKQ2Ds6EfqY1uhq42C0hl
dRfLWpXH2QNt6qHqqEebnNmRVUhvHDHAtBNU1YZg3QAGi5N+KXNrjTBISXID
Uq4TCTQa0AWW+vYIuuORQVFuuKSv8wbkwN6X7+E1vGB8u7yIVnpYkUF5dJVN
TLcUYqHRZhBItVxmlKfoLSdnxkXafRTaS5SrSag1nLEQOIKjiG0rkcn7ZjAX
6NQGeQATKx9Xj312LvllowezJZqw8QQwFIsGY+WA+2VRMWBuuWC3XIAQZsaM
Wd8bZtaf7fOl5fW91mgLM0JsRxO44MldqFJoWpPL3NRVQI2Khr7Q5GWXSnDa
TYFTbhAcT2PBwRrZRt/BSimNxvQLEFEiNjSVTYriJA1OIlvZ3FSvAjHbqbsY
lIZgqazYDIwHnYIcIUqx0ERfr2ElVApUwhcOtE5W3GRFCVO8zWtVzijUZTmo
DRiGc7mYL6dTApaKWQ4IHckXepkVqwUhwBJ8oS46vfHIoUvgF+HJCBMlJXCD
xx5bHPjSWhIVcH8t0UUL8Dd40oAdvZ5mzxF1lznPvyit2253lTOW22wOlnNm
gVcxhE1SMpwLFyxHgk4FBgFe84+G9AhY7pQ7I5Qta3SMlDvPZqDol5j1WvnI
uUg7s6PCADYJHrN8V0HOLG5xVZartWhQa/f0uABQmAM6Y/MQRCDogcoGL4Aa
swZXabOBLV+22b9nHgacpAN7JjjhgI0rCo/PCwNHxpE8XnLKhA1sbWlEA/MF
prm4yzKnhJV1c1v+73/+l9SYl03yg7c3CgWMv7pwYSiNrGB76A+t7TrJ5qZt
SQsOw0YDLxhZRLhMAjRVQc104yuoDmzmZhAONs6i5ymH1Rz6p+78GbGSlcqk
VlQlutGeAVJNL1kGB0mHD70aBrmqlhWQmyKd4dnMDh2rgRFFKySHK27zf3RD
Gf2fkei0jhxpNxtDF1GHG+Gar4UieJANAYkozHETQLIei/CQ7AbT7w7jiEM7
yAYH0LmF+SbAwE3322fBGH1I3Bg9GDrPswOgG3johgW6vXdvh77vVRD0iWZ+
Rp+ON/5Z1yHf27ld8yb/Oq90w8y9nUOXeUzbG3G7c3D7NW/A1sZPOHOfo/qO
zu333WHXOX2LF3kDk2zpqd2eSTaBHTo9I+nmHJ2n/CtQx69Rxu7Eypc8mAQW
CLoNXVCfeOtttBcp6QeDyCE5EEFg3wkFgouaqZaNB94Edw4qn0dKWdo/YvL6
ob/HwJYbPpasPKvIFneiGtMJQrE+CKfspqNSBh5ZatlKGiLWdNUmeyPQeMME
DhFg4YDtVWtvhCac+o6nfHQEREnbcCJkJWCzs0/JCrOppNsqQd+uo/v69J6N
/vNNL/R0arBjEdrO3S7Weu6UWTb2noH8E6l1N6MIZgxyE0M8YgvOuT6zydV2
UP5JiMWwvqR7BXhQXjmkQm9M4XVp0KSr6ejMmBWds1IAZXBfZCuQ2mSAj91c
235u0cyjzRkIH5OC0NP8FlUOUmFjIsLHZCJw88gEuEX3cz5ClJAQr3XLhISe
5rcYC1Zwf5IIU7f5Zuviszsm3d0iZaD9bBeu+/us8eeYbps0gk833Va5BJ9y
devTrSUU/K3TfWS89RfGKh+ZX3BHgsFHWG5bJRlsk2Ww3Wc7ZO5uYqaPSTXY
frrbs5+2N2P/8YRYj2VMFo69Aefs43+NrJ7QzuozmQPLybZyCeXW7LDXzcCS
7F53YyOHDDzyXQpnNlY6KXXtPXs2LGat+FvuBq05EsbsuEzI19T1IqFF6K9K
9ruiOy5oFyFyvTux7w14HeIeLi/1hw+/ml6/ml4f8fnV9PrV9Pqoz89het3h
zPqFs8odDrP/h6bX357luf10vyjT69eN8AmnCz6RkSLXUqE/ucy849mdZrMz
7z7efObIravR9cEViGlb2aA3+Vrx4lmfpepSujAtIUqewUIjJp/qKCoHNnWq
47Qad/fPVvLBa/Rrl+fFPR9yPrAlh9iR27kyH96LpxyiCvPpjnJbVyQbtFeQ
yeu9oOyNYorFxlSqaoUuTGiAfty5zpYVt+dbjpizWuOq+P6z79LrrcbwsLk0
aQP4sGkAI/lSmayxd3H5sv5ci7YEhc8g8UNfqgyw5ty2JRc4cKcUKqbSuFIq
LjPFZp+MgMR4vS7IB0kLpmRK157zlZ9mwCm4QHuGCrNkF8vMJMBQK6GxGGBC
GYFHeW/kP75g6JMe/K1/m7xL/uXwnhneP17anCzOUDS+4gy5xFec+2HLPkSX
Din7B7OQ4IS34MIL06ZEJAlfVEiId/6OaljpiQqTORbLbOmcc2rx/kKv3psU
c6+qIjGqvd2+ED71ySOOMnAwzQeTmBdaBtUjMZu4qYOUIfbx++u9WPmz4tBN
RelATdWmCbtKYzAe0J9u7CK3Uk4l3dDVtc19sxwjkKlnvCUeVmqqMdUqtUUz
CkyCCC5c4u3VHHZQtkKswXsYYMERESsopljujXkPcYjlXWxlsmbZLVPXiotB
kOGDl0VtRKRNAeHRKwYdEGxmOV8GJeR5prf4ZoS1W3Rtd4hZSTUtKnn++D/u
c6zsPcvEihKl3+n2EjchdF+IPVdqyiVBWbaLkGtB5KVRuZSCsxhzlP3nWTF7
fP+e7/Eee8CEfE2XthCT0kMcD45BFzi5w+pH4vEoLHBCt+opF3AvvpC51NHG
4DT2IN+ItleYVfy4jQV+Bed+gBoX1LbY2xt92Tba23tEt/tRrBEM9pox3qDw
dyOikooTvI7abm+ggbuNO45yIYO0lpF4MrIMVkXExgx2qkcEE+NOyApMzLw0
KuAnl+Pi7iWTNC5zzOYD4oDeAQKlzMPtFVZf2MGieEsBdjsXuyVw5RcQKBNT
l5jE5pe0LjrwvslCoUDFjOhgcFuq0FSioHwpUCN4Wbhox3C1xawktwqBpH9Q
t4Iw79SMEN/p+rO2OB9fzPd1BdoNu997GRzL6zkyjQndz6PrLpz9Slh+P+aN
cn/tRIBv1h8+f+A4QD4HDhYxppa6oBIrKPmodllSFrCdFcpO22uMfN8m+lT+
/nfi1x6WVfM1nfxIlDwVruB5dCPeVx1Zt/DfP6eSbaBBKSnRJy/3tBwDGMeX
5NDkukum8uUEQw+f9URKzmfcvHxc1hkIIZbxnINJ1e+8dGPBFt6GissW2GKK
bamythAVmgRYpqbATP/M4hN3mHNixiIKNWBtZSZnadtUOqwHghsizOUNq2ed
Xqllm6pGUeG68rmybG+EpSvX9ltLVtw5KCRBGdkNPGlyFF1T79dFHrGXYJza
aQW/rWQA4pnqyMaA1a68jS/oqdrEQJSIwlVK8HFvtiysfg1rKaDBE7UaRf5q
a177JHlTtXD4Cyo65/tepZriXq8LW5MV61MQqWLlQpmeriz4mrFM+dnuZRK9
7FwEowzt1e11XgXWeeXqTJFJYLiUIWdYRvLW4fGf7c0vq40oX7ESpakuKn/l
xKdSAKcFRbJcWUd/V2xGUsuByGt0NX3be2qdJJdAiLSAj2Sbb01p8BQw4HSO
8MpGXGzMXRWkGRKEFGxrtPB6Lj4h/nx4gm9+IaOtOzjM1EYr7J6YwsmhsoUg
HGNakKiemy2L5Ww4JhbuKT+CGMdEQrbmAAmxKikWMnGkqX1luvvX1721Cj88
4Ep/PUUs/GllUekMGZjroVjjPIIBLwQVwjMXERmNp2CnIq78UQlWWYNUYVDt
zUq2jJjagrDAWLZ7i49vPWDiKCalpNRu/jgYzIrq38RhA0ylp5NSVRfJxRIO
Fq7YGlZLM6VN9H9RgC2jhxXdu7J19Qj/G174CsnhpZy9zuXJd50wkWiVCEqD
QK1YYO9vEQ164MvpCsIzZ4NFZZyppCveBEIpwIzPJHFbjFSYwnpxKqmpdG43
U4gE0tH4zbhHGIU1qvAGFTAytWzL+VBJbqzLRzVOkou8uAK8zygnX1zv89lZ
p892pipzPgxXerBTBhV5+wK0/mKBwqjBywUHcxA58l1RpAN5opZzpTN5UsCI
dquOsWQkHJtfqp/kKzQ34dj0k0B+QefAtMncyY2rhsWyLrrj7PRdLHMJNwck
EeFM0b+ey0dfAhbkOE03ifX9kGaxNBwEojuUBgPAez+b8kzb3laxAnwQmJfB
NSUZ3DkhxUG3chKuItsO4pP/KlztF7jaA9AcKHmv5qu1ZHB/FmMVFc6JeosK
RdtltDcJbDVJ4jTKVQSG6LjDKttJ3VGlEQDwVbaH8nt7Ry2o7EVHR75TXLnb
iK2Il5dFoiaoGlfYHd7tRNjeCc512crrKc4kDMooOms8uClH+HuK+Htpftz3
dTx9TS0VXUkcsDfIXjqDn03n2mPvrcdtYKagNlG7DEqp6qAS0pZX/3A9Txz3
79xVPnMnoIyvPSjQbZ/bK2k+IdHeLNyKSvt91+QGG66Envd75eM3oUf7XN7H
3YeGKmAuvgA46F5uHbg7oRX3fdAyYOfen99sJPrwr8pghUJyk9Hf67BlwO+f
b/H3LTZOc3AWT4Mo5DtH+Ecsgndumlv+/gZNgmT2f9kkHtv6MqDRYYqnfaTR
ksRsTrXns4xcgOZH3gWPkWteOPKC1ujSN6g9fdZaDdiI6oRGIRV8E0UhQFWB
NYAlH4m9ELP23AOmK0JL18Rs+eXQRdPHwmA+XBZZw0pxKF9h1eL+do6nB3Jm
KP+6vTOFJ43o76es4alVT6idhk6q2itHgLI90dvJr8v9JQwrJcPNZrcWKqK4
2jpWXbXmI5Wndyno/ZWUhzYj218n93XM0BkUFS8IbjbZyS1ckYK1Ttg+iU5D
cH41ew4f2iSkMP378tEjRIqLaxATw++35NfjnHIqjYHYJ/B8YQAyKYElcdWu
vv/Q2wedk5eF0hZ8hYm8h/P/AO3fk7WtagAA

-->

</rfc>
