<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-nygren-httpbis-http11-request-binding-01" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="HTTP/1.1 Message Binding">HTTP/1.1 Request Smuggling Defense using Cryptographic Message Binding</title>
    <seriesInfo name="Internet-Draft" value="draft-nygren-httpbis-http11-request-binding-01"/>
    <author fullname="Erik Nygren">
      <organization>Akamai Technologies</organization>
      <address>
        <email>erik+ietf@nygren.org</email>
      </address>
    </author>
    <author fullname="Mike Bishop">
      <organization>Akamai Technologies</organization>
      <address>
        <email>mbishop@evequefou.be</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>WIT</area>
    <workgroup>httpbis</workgroup>
    <keyword>HRS</keyword>
    <keyword>Request Smuggling</keyword>
    <keyword>Message Binding</keyword>
    <abstract>
      <?line 81?>

<t>HTTP/1.1 Message Binding adds new hop-by-hop header fields that are cryptographically bound to requests and responses. The use of this protocol is negotiated out-of-band from the HTTP datastream, and keys can be communicated either in-band in the first request or out-of-band (such as via TLS Exporters). These header fields allow endpoints to detect and mitigate desynchronization attacks, such as HTTP Request Smuggling, that exist due to datastream handling differences.</t>
    </abstract>
  </front>
  <middle>
    <?line 85?>

<section anchor="introduction">
      <name>Introduction</name>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>HTTP Request Smuggling is a class of desynchronization attack <xref target="HTTPSYNC"/> where a malicious endpoint can cause a chain of other endpoints to get confused about HTTP request framing due to attributes of the HTTP/1.1 protocol leading to ambiguities in interpretation and variations in implementation.  For example, if in a flow of:</t>
        <artwork><![CDATA[
    User Agent => Intermediary => Origin Server
]]></artwork>
        <t>the User Agent can send an HTTP request header field with two Content-Length header fields and a Body that contains a second smuggled HTTP request after one of the content lengths.  If the Intermediary and Origin Server interpret the request in different ways, the Intermediary might think that there was one request while the Origin Server thinks there are now two requests. Not only would the first request get smuggled past Intermediary defenses, if there is a second real request (so a total of three requests if you include the smuggled one) then the Intermediary might cache the contents of the smuggled response with the cache key of the third request.</t>
        <t>There are nigh-infinite variations on this class of attack against HTTP/1.1 with frequent vulnerabilities being found and fixed. While some of these are implemenation bugs, others are due to underspecification in the HTTP/1.1 protocol itself. This latter case is hard for any single party to fix, hence where this specification can act as an additonal line of defense.</t>
        <t>While HTTP/2 and HTTP/3 are better (<xref target="RFC9113"/> <xref target="RFC9114"/>), conversions between HTTP versions can also be vectors for vulnerabilities here to creep in. Additionally, a malicious User Agent could force an HTTP/1.1 connection to pollute shared resources (a cache or persistent connection) shared with other User Agents using newer HTTP protocols. Furthermore, the simplicity of HTTP/1.1 and large legacy code bases mean that there is extensive use of HTTP/1.1 in Intermediaries such as reverse proxies in the ecosystem: Origin Servers themselves may have an implementation where an Intermediary proxy fronts application servers, each of which having distinct HTTP implementations potentially from different vendors.</t>
      </section>
      <section anchor="threat-model">
        <name>Threat Model</name>
        <t>This specification is specifically aimed at reducing the cases where a User Agent can influence the behavior between an Intermediary (an Upstream Server) and a Downstream Server (which may be an Origin Server or another Intermediary). Concretely, the following are intended to be defended against:</t>
        <ul spacing="normal">
          <li>
            <t>T1. The User Agent smuggling a request past an Intermediary (Upstream Server) to a Downstream Server in a way that the Upstream and Downstream Servers become desynchronized on which requests they are processing.</t>
          </li>
          <li>
            <t>T2. The User Agent exploiting desynchronization vulnerabilities to receive the response payload not intended for it (in the case where the Upstream to Downstream Server connection is multiplexed and contains requests beyond just those belonging to the User Agent).</t>
          </li>
          <li>
            <t>T3. The User Agent exploiting smuggling vulnerabilities to get the Downstream Server to process a request bypassing policy enforcements from the Upstream Server</t>
          </li>
          <li>
            <t>T4. The user agent exploiting smuggling vulnerabilities to get the Downstream Server to process a request that includes header fields supplied by a malicious User Agent but which were supposed to have been hop-by-hop headers supplied by the Intermediary (such as those supposedly annotating authentication results).</t>
          </li>
          <li>
            <t>T5. The User Agent exploiting implementation vulnerabilities in the parsing of HTTP/1.1's equivalents of HTTP/2 pseudo-headers (authority, path, and method) to bypass policy controls on an Upstream Server or to get a Downstream Server to differently interpret the request due to smuggled header field or body contents.</t>
          </li>
          <li>
            <t>T6. The User Agent exploiting <em>this</em> specification to cause communication failures between an Upstream Server and a Downstream Server for the case where the Downstream Server has implemented this specification but the Upstream Server has not, meaning that the Upstream Server passes through the hop-by-hop headers defined here without removing them.</t>
          </li>
        </ul>
        <t>This specification is NOT intended to defend against:</t>
        <ul spacing="normal">
          <li>
            <t>N1. Protecting communications between a User Agent and an Intermediary. User Agents are assumed to always be potentially hostile.</t>
          </li>
          <li>
            <t>N2. Acting as a primary security control that obviates the need for proper implementations. It is intended only to act as a secondary stop-gap to mitigate vulnerabilities.</t>
          </li>
          <li>
            <t>N3. Protecting against actors who can intercept, view, or modify communications between the Upstream Server and Downstream Server.</t>
          </li>
          <li>
            <t>N5. Protecting User Agents or Upstream Servers against malicious or compromised Downstream Servers.</t>
          </li>
          <li>
            <t>N4. Protecting against actors who have control over an Upstream Server or a Downstream Server, although this specification may help in some cases to contain attacks where a hostile Upstream Server is communicating to a Downstream Server which in-turn is communicating to another Downstream Server.</t>
          </li>
        </ul>
      </section>
      <section anchor="mitigation-overview">
        <name>Mitigation Overview</name>
        <t>The key concept of this specification is for HTTP/1.1 endpoints (such as an Intermediary and an Origin Server) to be able to share information about their state (e.g., which request/response they think they're parsing) in a way that is cryptographically bound to the hop-by-hop series of requests (ie, either to the TLS connection or to keying information passed in the first request). Since the attacker has no access to the key used for the cryptographic binding, this allows the endpoints to detect desynchronization and fail out but without needing changes to the HTTP/1.1 protocol itself. This shared key is then used to authenticate newly introduced hop-by-hop header fields, binding information in those header fields (which includes sequential request/response serial numbers) to the request. Cases where requests or responses do become desynchronized will be detected due to invalid bound header fields (either due to failing to validate or not matching what is expected).</t>
        <t>While "Request Framing Confusion" attacks (such as HTTP Request Smuggling or HRS) are one of the most common forms of HTTP Processing Discrepancy attacks, other types of attacks such as Host Confusion can also cause problems (<xref target="HTTPSYNC"/>). This specification focuses on the former, but as it evolves we may be able to extend the approach taken to defend against other forms of attacks such as Host Confusion and Path Confusion, as well as to protect header fields added by Intermediaries.</t>
        <t><em>(FOR DISCUSSION: How broadly do we want to scope this specification? How much do we include here, and how much do we leave hooks to enable future extension? At the moment this is intentionally in a middle-ground, and we may either want to simplify or make more general.)</em></t>
        <t>The use of Message Binding header fields is negotiated during the TLS handshake (or may be statically configured for cases where communications between and configuration for the Upstream and Downstream Servers are tightly controlled).</t>
        <t>Multiple mechanisms then exist for key exchange:</t>
        <t>1) The cipher suite and keying information may be sent as a hop-by-hop header field for the first request on a connection.
2) HTTP endpoints communicating HTTPS over TLS may use TLS Exporters to obtain the key used for the binding (<xref section="7.5" sectionFormat="comma" target="RFC8446"/> <xref target="RFC5705"/>), enabling both endpoints of a connection to securely derive this key out-of-band from the request flow in a way that can't be tampered with.
3) As the key used for the binding is abstracted out, proprietary implementations not using TLS can distribute the key in some other manner, such as in a preface attribute that could be added to the PROXY protocol <xref target="PROXY"/>.</t>
      </section>
      <section anchor="illustrative-example">
        <name>Illustrative Example</name>
        <t>In an example HRS attack from a malicious User Agent to an Origin Server through an Intermediary, the request might start out normally but the malicious User Agent smuggles a second malicious request into the initial request (e.g., due to a bug in the Intermediary or due to the Intermediary and Origin Server interpreting the HTTP/1.1 protocol slightly differently).</t>
        <t><em>(TODO: Add a diagram)</em></t>
        <t>The net result is that the Intermediary and Origin Server get desynchronized as to how requests and responses line up. When the malicious User Agent makes a second request, it gets back the response to the smuggled request, and a caching Intermediary may actually cache the response to the smuggled request with the cache key of this second request. This means the attacker can not only bypass any controls the Intermediary may be implementing, but may also be able to poison its cache.</t>
        <t>With the proposed mitigation, the Intermediary augments the first and second requests (from its perspective) with cryptographically protected hop-by-hop <tt>Bound-Request</tt> header fields indicating a serial number (e.g., 1 and 2). While the Origin Server is able to validate the header field in the first request, the smuggled request is missing the header field (and even if the attacker tried to add one it would fail validation due to the attacker not having the cryptographic secret). This allows the Origin Server to detect the desynchronization, enabling it to refuse to process the smuggled request and terminate the connection.</t>
        <t><em>(TODO: Add a diagram)</em></t>
        <t>Request Smuggling is a family of attacks with many variations. This is why it's valuable to include the request and response binding hop-by-hop header fields in both directions, as in some other variations it might be possible for things to get reordered such that an Intermediary making request A with serial=1 might get back a response for a request C with serial=2 and needs to be able to fail on that as well, as well as any wide range of other similar cases of desynchronization.</t>
        <t>The need for a cryptographic binding to the channel between the Intermediary and Downstream Server (e.g., with TLS Exporters) is required to prevent the malicious User Agent from including a fake request binding header field in what is being smuggled in (which by its nature may be invisible to the Intermediary due to some bug or vulnerability).</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses terms defined in <xref section="3" sectionFormat="of" target="RFC9110"/>, including
"Client", "Server", "Intermediary", "Origin", "upstream", "downstream",
"inbound", and "outbound".</t>
    </section>
    <section anchor="bound-message-header-protocol">
      <name>Bound Message Header Protocol</name>
      <t>This specification introduces new hop-by-hop <tt>Bound-Request-Init</tt>, <tt>Bound-Request</tt>, and <tt>Bound-Response</tt> message header fields, which use <xref target="RFC8941"/> structured fields. These header fields convey a request/response Serial number, additional attributes, and a cryptographic binding.</t>
      <t>As these are hop-by-hop header fields they are added by the endpoints on the HTTP/1.1 persistent connection (<xref target="RFC9112"/>). Below we refer to the outbound endpoint making the request as the Intermediary (<xref section="3.7" sectionFormat="comma" target="RFC9110"/>) and the inbound endpoint receiving the request and issuing a response as the Downstream Server. The Downstream Server may be either another Intermediary or an Origin Server.</t>
      <t>Intermediaries and Downstream Servers <bcp14>MUST NOT</bcp14> exchange <tt>Bound-Request-Init</tt>, <tt>Bound-Request</tt>, or <tt>Bound-Response</tt> header fields unless they have mutually negotiated this protocol, either as described below in <xref target="tls-negotiation"/> or via some other out-of-band mechanism. If the User Agent and Downstream Server have negotiated using this protocol for a connection, the Upstream Server <bcp14>MUST</bcp14> send a <tt>Bound-Request-Init</tt> header field on the first request (and only the first request) on that connection. If the User Agent and Downstream Server have negotiated using this protocol for a connection, they <bcp14>MUST</bcp14> also send <tt>Bound-Request</tt> and <tt>Bound-Response</tt> header fields in all requests and responses on that connection.</t>
      <section anchor="serials">
        <name>Request/Response Serials</name>
        <t>The Request Serial (<tt>$req_serial</tt>) is a counter starting at 1 for the initial request in an HTTP/1.1 persistent connection, and then incrementing by 1 for each subsequent request. The Response Serial (<tt>$resp_serial</tt>) for a response is then reflected back to match the Request Serial from the corresponding request.</t>
      </section>
      <section anchor="binding-mechanism">
        <name>Binding Mechanism</name>
        <t>The Binding Mechanism specifies how the Binding Key is derived as well as the cryptographic function used to bind requests. A list of mechanisms and associated keys is sent by the Upstream Server in its first request in a <tt>Bound-Request-Init</tt> header field.</t>
        <t>The server selects one of the offered mechanisms and echoes that choice back on every subsequent <tt>Bound-Response</tt> via a <tt>mechanism</tt> parameter, so that the Upstream Server can unambiguously determine which construction was used for the lifetime of the connection.</t>
        <t>The initial registry of mechanism names includes:</t>
        <ul spacing="normal">
          <li>
            <t><tt>inband-hmac-sha256</tt> -- HMAC-SHA256 (<xref target="RFC2104"/>) keyed with a 256 bit (32 octet) key value carried inband in the <tt>key</tt> parameter.</t>
          </li>
          <li>
            <t><tt>exporter-hmac-sha256</tt> -- HMAC-SHA256 using a key derived from a TLS exporter, as described in <xref target="keying-from-tls-exporters"/>. The <tt>key</tt> parameter for this mechanism is unused and <bcp14>MUST</bcp14> be omitted, since the actual key comes from the TLS exporter.</t>
          </li>
          <li>
            <t><tt>inband-siphash</tt> -- SipHash (<xref target="SIPHASH"/>) keyed with the 128 bit (16 octet) key value carried inband in the <tt>key</tt> parameter.  This uses SipHash-2-4 with 64 bit (8 octet) output.</t>
          </li>
        </ul>
        <t>Unless explicitly negotiated and configured out-of-band, <tt>inband-hmac-sha256</tt> is mandatory to implement and <bcp14>MUST</bcp14> be used in the Bound-Request for the first request on a connection.</t>
        <t><em>(TODO: Determine which of these is Mandatory to Implement as well as which to use for the Bound-Request in the first request. It may make sense for the TLS handshake to be able to negotiate <tt>exporter-hmac-sha256</tt> in which case that is the only one used.)</em></t>
        <t><em>(TODO: Add an IANA registry section for these.)</em></t>
        <t><em>(FOR DISCUSSION: Which of these do we want to include? With hardware acceleration, hmac-sha256 may perform close enough to siphash to not be worth including both. We could consider AES-GMAC-128 since the keys must be unique but that has its own risks on nonce reuse so it would be critical that the nonce was a function of direction+serial. Using a non-cryptographic function might reduce the overhead but would make the security properties considerably harder to reason about.)</em></t>
      </section>
      <section anchor="binding-key">
        <name>Binding Key</name>
        <t>The Binding Key is a binary cryptographic value that is associated with the connection. Below we will refer to the binding key for requests as <tt>$req_key</tt> and the binding key for responses as <tt>$resp_key</tt>.</t>
        <t>With HTTPS over TLS and <tt>exporter-hmac-sha256</tt> the binding keys <bcp14>MUST</bcp14> be derived as described in <xref target="keying-from-tls-exporters"/>.</t>
      </section>
      <section anchor="header-spec-init">
        <name>Bound-Request-Init Header Specification</name>
        <t>The <tt>Bound-Request-Init</tt> header field is sent by the Upstream Server only on the first request of a connection. Its value is a Structured Fields List
(<xref target="RFC8941"/>) whose members are Tokens identifying a
supported mechanism, each parameterized with an initial key for that
mechanism.</t>
        <artwork type="abnf" align="left"><![CDATA[
Bound-Request-Init = 1#mechanism-entry

mechanism-entry     = mechanism-name *( ";" OWS mechanism-param )
mechanism-name      = sf-token
mechanism-param     = key-param
key-param           = "key=" mechanism-key
mechanism-key       = sf-binary
]]></artwork>
        <t>Where:</t>
        <ul spacing="normal">
          <li>
            <t><tt>mechanism-name</tt> is one of the supported mechanisms listed in  <xref target="binding-mechanism"/></t>
          </li>
          <li>
            <t><tt>mechanism-key</tt> is the corresponding key to use if that mechanism is selected.</t>
          </li>
        </ul>
        <t>An Upstream Server <bcp14>MUST</bcp14> list at least one mechanism, and <bcp14>MAY</bcp14> list more than one mechanism in order of preference, most-preferred first. A client <bcp14>MUST</bcp14> supply a distinct <tt>key</tt> for each mechanism that requires an inband key, and <bcp14>MUST</bcp14> generate these keys using a cryptographically secure random number generator. Keys carried in <tt>Bound-Request-Init</tt> are scoped to the connection on which they are sent and <bcp14>MUST NOT</bcp14> be reused across connections.</t>
        <t>For example, a Upstream Server offering all three mechanisms might send:</t>
        <artwork type="example" align="left"><![CDATA[
Bound-Request-Init: exporter-hmac-sha256, \
  inband-siphash;key=:AAAAAAAAAAAAAAAAAAAAAA==:, \
  inband-hmac-sha256;key=:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=:
]]></artwork>
      </section>
      <section anchor="header-spec">
        <name>Bound-Request and Bound-Response Header Specification</name>
        <t>The <tt>Bound-Request</tt> and <tt>Bound-Response</tt> header fields are specified as an integer item (the Serial) followed by a parameter list of items.</t>
        <t>The ABNF is as follows:</t>
        <sourcecode type="abnf"><![CDATA[
bound_header      = bound_header_name ":" serial ";" OWS
                    "mechanism=" mechanism ";" OWS
                    "method=" method ";" OWS
                    "authority=" authority ";" OWS
                    "path=" path ";" OWS
                    ("response-code" = response_code ";" OWS)?
                    "binding=" binding_value
bound_header_name = "Bound-Request" | "Bound-Response"
serial            = sf-integer
mechanism         = sf-token
method            = sf-string
authority         = sf-string
path              = sf-string
response_code     = sf-integer
binding_value     = sf-binary
]]></sourcecode>
        <t><em>(TODO: restructure the ABNF to allow the parameter orders to vary)</em></t>
        <t>The binding value for a request or response with a given key is constructed as:</t>
        <artwork><![CDATA[
   binding_value = $function($key,
                      $serial "|" $direction "|"
                                          $method "|" $authority "|" $path)
]]></artwork>
        <t>In the above:</t>
        <ul spacing="normal">
          <li>
            <t><tt>$serial</tt> is the request or response serial as a string</t>
          </li>
          <li>
            <t><tt>$direction</tt> is the string <tt>req</tt> for the <tt>Bound-Request</tt> header
 or <tt>resp</tt> for <tt>Bound-Response</tt> header</t>
          </li>
          <li>
            <t><tt>$method</tt> is the HTTP request method associated with the request</t>
          </li>
          <li>
            <t><tt>$authority</tt> is the authority ((as defined in <xref section="4.2.3" sectionFormat="comma" target="RFC9110"/>) from the normalized URI (as defined in <xref section="4.2.3" sectionFormat="comma" target="RFC9110"/>) for the request and <bcp14>MUST</bcp14> match the value in the request's Host header field</t>
          </li>
          <li>
            <t><tt>$path</tt> is the path ((as defined in <xref section="4.2.3" sectionFormat="comma" target="RFC9110"/>) from the normalized URI (as defined in <xref section="4.2.3" sectionFormat="comma" target="RFC9110"/>) for the request and <bcp14>MUST</bcp14> match the value from the the URI following normalization.</t>
          </li>
          <li>
            <t><tt>$response_code</tt> is the response code for the response</t>
          </li>
        </ul>
        <t>The <tt>$function</tt> and <tt>$key</tt> for the for <tt>binding_value</tt> varies based on the mechanism:</t>
        <ul spacing="normal">
          <li>
            <t>For <tt>inband-hmac-sha256</tt>, the <tt>$function</tt> is HMAC-SHA256 (<xref target="RFC2104"/>) keyed with the <tt>key</tt> parameter sent with the <tt>Bound-Request-Init</tt>.</t>
          </li>
          <li>
            <t>For <tt>inband-siphash</tt>, the <tt>$function</tt> is SipHash-2-4 (<xref target="SIPHASH"/>) with 64-bit output and keyed with the <tt>key</tt> parameter sent with the <tt>Bound-Request-Init</tt>.</t>
          </li>
          <li>
            <t>For <tt>exporter-hmac-sha256</tt> the <tt>$function</tt> is HMAC-SHA256 using a <tt>$key</tt> derived from a TLS exporter, as described in <xref target="keying-from-tls-exporters"/>. The <tt>$key</tt> is either <tt>$req_key</tt> or <tt>$resp_key</tt> depending on if this is a request or response.</t>
          </li>
        </ul>
        <t><em>(TODO: better specify how to normalize the path and the path matching rules)</em></t>
        <t>For example, the header field added to the first request on a connection might be:</t>
        <artwork><![CDATA[
   Bound-Request: 1; mechanism=inband-hmac-sha256;
                  method=POST; authority=www.example.com; path="/hello.txt";
                  binding=:yYwktnfv9Ehgr+pvSTu67FuxxMuyCcb8K7tH9m/yrTE=:
]]></artwork>
      </section>
      <section anchor="for-discussion-additional-attributes-to-bind">
        <name>For Discussion: Additional Attributes to Bind?</name>
        <t><em>FOR DISCUSSION: Do we want to add in additional information to defend against additional sorts of attacks?  Would we want to change how we encode these?</em></t>
        <t>The reasons to include attributes into the Message Binding are:</t>
        <ul spacing="normal">
          <li>
            <t>Information from an Intermediary or Origin Server endpoint is intermixed in the bytestream with information that was sourced from a potentially malicious User Agent. HTTP/2 and HTTP/3 use distinct pseudoheaders to encode some of these separately, but other header fields such as Client-Cert (<xref target="RFC9440"/>) have no such protections.</t>
          </li>
          <li>
            <t>The encoding within HTTP/1.1 is underspecified in ways that lead to ambiguity, such as with variations in Path and Host header field parsing.</t>
          </li>
        </ul>
        <t>Some options might include:</t>
        <ul spacing="normal">
          <li>
            <t>Adding the <tt>:path</tt> as a parameter (or adding an attribute indicating that it should be considered included) and also binding it in. This new draft version proposes that, but it is still under-specified.</t>
          </li>
          <li>
            <t>Having a way to more generally encode HTTP/2 pseudoheader field values in a way that is less ambiguous (converted to sf-binary?) and gets bound in.</t>
          </li>
          <li>
            <t>Including a list of header fields to bind in, and then use <xref target="RFC9421"/> HTTP Message Signatures or similar to protect them. This would be particularly useful for protecting header fields such as Client-Cert.</t>
          </li>
        </ul>
        <t>Adding more in does add more complexity and has more risks of compatibility issues. It may also be worth considering going the other direction and removing method and authority parameters.</t>
      </section>
      <section anchor="upstream-req-handling">
        <name>Intermediary Request Handling</name>
        <t>Intermediaries which have negotiated this protocol <bcp14>MUST</bcp14> add a <tt>Bound-Request-Init</tt> header field to the first request on a connection listing the mechanisms that it supports.</t>
        <t>Intermediaries which have negotiated this protocol <bcp14>MUST</bcp14> add a <tt>Bound-Request</tt> header field with each request they make.  The <tt>$req_serial</tt> <bcp14>MUST</bcp14> start at 1 for the first request on a persistent connection, and <bcp14>MUST</bcp14> be incremented by 1 for each subsequent request.</t>
        <t>If the Intermediary is an Intermediary, regardless of whether or not this protocol was negotiated for the connection, it <bcp14>MUST</bcp14> remove any <tt>Bound-Request</tt> and <tt>Bound-Request-Init</tt> header fields that it received (prior to adding its own, if applicable).</t>
        <t>The mechanism used in the <tt>Bound-Request</tt> header field for the first request on a connection <bcp14>MUST</bcp14> match a mechanism included in the <tt>Bound-Request-Init</tt> header field. This mechanism <bcp14>MUST</bcp14> be one that the Downstream Server is known to support, either as negotiated during the TLS handshake, as the mandatory-to-implement <tt>inband-hmac-sha256</tt>, or statically configured out-of-band.</t>
        <t>The mechanism used in all but the first <tt>Bound-Request</tt> header fields <bcp14>MUST</bcp14> match the mechanism returned by the Downstream Server in its first <tt>Bound-Response</tt>.</t>
      </section>
      <section anchor="downstream-req-handling">
        <name>Downstream Server Request Handling</name>
        <t>A Downstream Server that receives a <tt>Bound-Request-Init</tt> header field <bcp14>MUST</bcp14> select exactly one of the offered mechanisms and reflect that choice on the corresponding and all subsequent <tt>Bound-Response</tt> header fields on the connection. If the Downstream Server does not support any of the offered mechanisms, it <bcp14>MUST</bcp14> terminate the connection.</t>
        <t>A Downstream Server <bcp14>MUST</bcp14> terminate the connection if it receives a <tt>Bound-Request-Init</tt> header field on any request other than the first request of a connection.</t>
        <t>A Downstream Server <bcp14>MUST</bcp14> terminate the connection if this specification was negotiated but the first request on the connection does not include the <tt>Bound-Request-Init</tt> header field.</t>
        <t>A Downstream Server <bcp14>MUST</bcp14> terminate the connection if this specification was NOT negotiated but a <tt>Bound-Request-Init</tt> header field was received in any request.</t>
        <t>Downstream Servers which have negotiated this protocol <bcp14>MUST</bcp14> validate the presence and contents of the <tt>Bound-Request</tt> header field prior to processing a request. Any failures <bcp14>MUST</bcp14> be detected early in request processing (such as during request parsing), and Downstream Servers <bcp14>MUST</bcp14> immediately terminate the connection without returning an error response.</t>
        <t>Validation checks <bcp14>MUST</bcp14> include:</t>
        <ul spacing="normal">
          <li>
            <t>Confirmation that the <tt>Bound-Request</tt> header field is present</t>
          </li>
          <li>
            <t>Confirmation that the cryptographic binding hash matches what was expected</t>
          </li>
          <li>
            <t>Confirmation that the <tt>$req_serial</tt> matches what was expected, starting at 1 for the first request on the connection and incrementing by 1 for each subsequent request</t>
          </li>
          <li>
            <t>Confirmation that the authority and method and path match those in the request</t>
          </li>
        </ul>
        <t>If the Server is an Intermediary, it <bcp14>MUST</bcp14> remove the <tt>Bound-Request</tt> and <tt>Bound-Request-Init</tt> header fields before constructing a request to the upstream hop, regardless of whether this protocol was used on the downstream connection.</t>
        <t>When constructing a response to an HTTP request the Downstream Server <bcp14>MUST</bcp14> add a <tt>Bound-Response</tt> header field with a <tt>$resp_serial</tt> matching the <tt>$req_serial</tt> of the incoming request.</t>
        <t>If the Server is an Intermediary, it <bcp14>MUST</bcp14> first remove any <tt>Bound-Response</tt>
header fields that it received, regardless of whether this protocol was used on
the upstream connection.</t>
      </section>
      <section anchor="upstream-resp-handling">
        <name>Intermediary Response Handling</name>
        <t>Intermediaries which have negotiated this protocol <bcp14>MUST</bcp14> validate the presence and contents of the <tt>Bound-Response</tt> header field prior to processing a response. Any failures <bcp14>MUST</bcp14> be detected early in response processing (such as during response parsing), and Intermediaries <bcp14>MUST</bcp14> immediately terminate the connection without processing any data from the response.</t>
        <t>Validation checks <bcp14>MUST</bcp14> include:</t>
        <ul spacing="normal">
          <li>
            <t>Confirmation that the <tt>Bound-Response</tt> header field is present</t>
          </li>
          <li>
            <t>Confirmation that the cryptographic binding MAC matches what was expected</t>
          </li>
          <li>
            <t>Confirmation that the <tt>$resp_serial</tt> matches the <tt>$req_serial</tt> of the request that the response is in-response to.</t>
          </li>
          <li>
            <t>Confirmation that the authority and method and path match those from the corresponding request</t>
          </li>
          <li>
            <t>Confirmation that the <tt>$response_code</tt> matches that from the response (or interim response, as discussed in <xref target="handling-1xx"/>)</t>
          </li>
        </ul>
        <t>The Intermediary <bcp14>MUST</bcp14> remove the <tt>Bound-Response</tt> header field before constructing a response to the downstream connection, regardless of whether this protocol is used for the downstream connection.</t>
      </section>
      <section anchor="handling-1xx">
        <name>Handling 100 Continue and 103 Early Hints</name>
        <t>When using <tt>100 Continue</tt> and <tt>103 Early Hints</tt>, the <tt>$req_serial</tt> and <tt>$resp_serial</tt> <bcp14>MUST</bcp14> remain the same and match for all interim and final responses. Each interim response <bcp14>MUST</bcp14> contain a <tt>Bound-Response</tt> header field with a response-code parameter matching the response code of the interim response.</t>
        <t><em>(TODO can we safely extend this requirement to all 1xx status codes?)</em></t>
      </section>
      <section anchor="retry-handling">
        <name>Retrying Requests</name>
        <t>Requests which are retried <bcp14>MUST</bcp14> be treated no differently than other forms of request, with their <tt>$req_serial</tt> coming from the order of the request in a persistent connection. If a request is retried over a different connection a new <tt>Bound-Request</tt> header field <bcp14>MUST</bcp14> be reconstructed corresponding to the new connection.</t>
      </section>
      <section anchor="tls13-0rtt">
        <name>Handling TLS 1.3 Early Data</name>
        <t><em>TODO: define how this works with TLS 1.3 0RTT as it adds additional wrinkles. While this maybe could be made to work there (e.g., using the separate early exporter secret and potentially a distinct space for request_serials) <xref target="RFC8446"/>, we need to ensure that we properly handle situations where an HTTP request spans 0-RTT and 1-RTT data.</em></t>
      </section>
    </section>
    <section anchor="use-with-https-over-tls-and-tls-exporters">
      <name>Use with HTTPS over TLS and TLS Exporters</name>
      <section anchor="tls-negotiation">
        <name>Negotiation</name>
        <t>Since the <tt>Bound-Request</tt> and <tt>Bound-Request-Init</tt> header fields are hop-by-hop header fields they are not safe to send unless the Intermediary knows that recipient supports them, will process them, and then will remove them. Intermediaries and Downstream Servers <bcp14>MUST NOT</bcp14> send <tt>Bound-Request</tt> or <tt>Bound-Request-Init</tt> or <tt>Bound-Response</tt> header fields on connections where they have not negotiated this protocol.</t>
        <t>Negotiation needs to happen out-of-band (e.g., at the TLS layer) due to the nature of the attacks this is trying to mitigate.</t>
        <t>Options for negotiation include:</t>
        <ul spacing="normal">
          <li>
            <t>A modification to the ALPN (eg, <tt>http/1.1-bound-inband</tt> or <tt>http/1.1-bound-exporter</tt>). This may be the lowest-effort lift to retrofit into existing legacy HTTP/1.1 applications (which is the target use-case for this specification) as it requires no changes to the TLS library. This is recommended for interop testing of initial experimental implementations.</t>
          </li>
          <li>
            <t>ALPS (stalled/expired) <xref target="I-D.vvv-tls-alps"/></t>
          </li>
          <li>
            <t>TLS Extension Flags (waiting on implementation) <xref target="I-D.ietf-tls-tlsflags"/></t>
          </li>
          <li>
            <t>An all-new TLS extension specific to this purpose, which could also make it easier to version this protocol.</t>
          </li>
        </ul>
        <t>Note that the first two options only support TLS 1.3 <xref target="RFC8446"/> between the Intermediary and Downstream Server.</t>
        <t>It would also be preferable for the mechanism here to negotiate the supported versions of this protocol, such as if cryptographic agility or additional functionality is needed.</t>
        <t>Application Protocols (ALPN values, per <xref target="RFC7301"/>) other than <tt>http/1.1</tt> are not supported, and a Downstream Server <bcp14>MUST NOT</bcp14> negotiate this Request-Binding protocol when negotiating an application protocol other than <tt>http/1.1</tt>.</t>
      </section>
      <section anchor="keying-from-tls-exporters">
        <name>Key Derivation using TLS Exporters</name>
        <t>When <tt>exporter-hmac-sha256</tt> is used, the <tt>$req_key</tt> and <tt>$resp_key</tt> are derived using TLS Exporters.</t>
        <ul spacing="normal">
          <li>
            <t>For TLS 1.3 this is specified in <xref section="7.5" sectionFormat="comma" target="RFC8446"/></t>
          </li>
          <li>
            <t>For TLS 1.2 this is specified in <xref target="RFC5705"/></t>
          </li>
        </ul>
        <t>Endpoints <bcp14>MAY</bcp14> support TLS 1.2 using <xref target="RFC5705"/>, but if they do they <bcp14>MUST</bcp14> only use this extension when the extended master secret (<xref target="RFC7627"/>) extension is also used. Endpoints <bcp14>MUST NOT</bcp14> use this protocol for versions of TLS prior to 1.2.</t>
        <t>The request and response keys are constructed for a connection with:</t>
        <artwork><![CDATA[
$req_key = TLS-Exporter("HTTP-Request-Binding", "request-"+$alpn, 32)
$resp_key = TLS-Exporter("HTTP-Request-Binding", "response-"+$alpn, 32)
]]></artwork>
        <t>The added context ensures that we get different keys derived for different negotiated ALPNs. When HTTP/1.1 was negotiated without an ALPN, <tt>$alpn</tt> <bcp14>SHALL</bcp14> be <tt>http/1.1</tt>.</t>
        <t>When this extension is negotiated, HTTP requests that indicate an HTTP-version other than HTTP/1.1 <bcp14>MUST</bcp14> be rejected, with the connection closed prior to sending an HTTP-layer response.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="handling-detection-of-desynchronized-connections">
        <name>Handling detection of desynchronized connections</name>
        <t>When an endpoint detects desynchronization (due to a missing or invalid Message Binding header field) it needs to consider itself to be in an unknown, inconsistent, and potentially adversary-controlled state. Any processing that happens past this point for this or other requests on the connection is dangerous and suspect, as nothing in the connection bytestream can be trusted at this point. Letting the request or response get past validation failures during parsing would leave the endpoint vulnerable and might execute smuggled instructions.</t>
        <t>Returning an HTTP error response would be bad as this response would be desynchronized and could be cached. While breaking the connection does not provide information to Intermediaries as to why things broke, it is imperative to terminate immediately.</t>
        <t><em>TODO: explore if there may be a way to use a TLS alert to signal that badness happened to the other endpoint.</em></t>
      </section>
      <section anchor="logging-failures">
        <name>Logging failures</name>
        <t>Endpoints <bcp14>SHOULD</bcp14> log information indicating why the request or connection failed. Even more care than usual needs to be taken handling information received as there is no way to distinguish information as having come from a potentially trusted Intermediary vs having come from a malicious adversary.</t>
        <t>Downstream Servers logging information from detected smuggled requests need to take care as all information is suspect. It is critical that validation (and fail-out) happens very early in handling the request, such as during the request/response parsing itself. Even logging things from the smuggled request must be handled very carefully.</t>
      </section>
      <section anchor="use-of-keys-negotiated-out-of-band">
        <name>Use of keys negotiated out-of-band</name>
        <t>With the use of TLS Exporters each connection gets a unique pair of <tt>$req_key</tt> and <tt>$resp_key</tt>. With the use of inband mechanisms, a unique key is sent in the first request on the connection.</t>
        <t>If an alternate mechanism is used by proprietary implementations to exchange these keys then they <bcp14>MUST</bcp14> be unique per connection. Otherwise an attacker who can get a request header reflected back from one connection might be able to replay it in another connection.</t>
      </section>
      <section anchor="leakage-of-key-communicated-inband">
        <name>Leakage of key communicated inband</name>
        <t>When <tt>inband-*</tt> mechanisms are used there is a risk that a Downsteam Server might return back the contents of the <tt>Bound-Request-Init</tt> header. If this were to happen, a malicious User Agent could forge subsequent <tt>Bound-Request</tt> headers and defeat the protections of this specification. Servers implementing this specification <bcp14>MUST</bcp14> take care to not leak the contents of the <tt>Bound-Request-Init</tt> header (such as through diagnostic features or error responses).</t>
        <t>The use of <tt>exporter-*</tt> mechanisms defends against this risk and is thus <bcp14>RECOMMENDED</bcp14> given the nature of the vulnerabilities this specification aims to defend against.</t>
      </section>
      <section anchor="potentially-weak-cryptography-with-siphash-is-used">
        <name>Potentially weak cryptography with SipHash is used</name>
        <t>The use of the <tt>inband-siphash</tt> mechanism is only appropriate for the use of this as a secondary defense against implementation vulnerabilities. It is likely NOT appropriate if other information with primary security control properties is bound into the request.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy considerations</name>
      <t>Due to this protocol primarily being used between Intermediaries and Downstream Servers, information sent by the Intermediary during the TLS handshake for negotiation does not cause privacy issues for end-users. If this protocol were to be extended into end-user User Agents as well, more evaluation of privacy considerations would be warranted.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t><em>TODO: Add IANA considerations for the HTTP Headers, for TLS Exporter labels, and for the TLS extension details used for negotiation.</em></t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2104">
          <front>
            <title>HMAC: Keyed-Hashing for Message Authentication</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="M. Bellare" initials="M." surname="Bellare"/>
            <author fullname="R. Canetti" initials="R." surname="Canetti"/>
            <date month="February" year="1997"/>
            <abstract>
              <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2104"/>
          <seriesInfo name="DOI" value="10.17487/RFC2104"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC5705">
          <front>
            <title>Keying Material Exporters for Transport Layer Security (TLS)</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="March" year="2010"/>
            <abstract>
              <t>A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5705"/>
          <seriesInfo name="DOI" value="10.17487/RFC5705"/>
        </reference>
        <reference anchor="RFC7301">
          <front>
            <title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title>
            <author fullname="S. Friedl" initials="S." surname="Friedl"/>
            <author fullname="A. Popov" initials="A." surname="Popov"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="E. Stephan" initials="E." surname="Stephan"/>
            <date month="July" year="2014"/>
            <abstract>
              <t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7301"/>
          <seriesInfo name="DOI" value="10.17487/RFC7301"/>
        </reference>
        <reference anchor="RFC7627">
          <front>
            <title>Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension</title>
            <author fullname="K. Bhargavan" initials="K." role="editor" surname="Bhargavan"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="A. Pironti" initials="A." surname="Pironti"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="M. Ray" initials="M." surname="Ray"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the server certificate. Consequently, it is possible for an active attacker to set up two sessions, one with a client and another with a server, such that the master secrets on the two sessions are the same. Thereafter, any mechanism that relies on the master secret for authentication, including session resumption, becomes vulnerable to a man-in-the-middle attack, where the attacker can simply forward messages back and forth between the client and server. This specification defines a TLS extension that contextually binds the master secret to a log of the full handshake that computes it, thus preventing such attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7627"/>
          <seriesInfo name="DOI" value="10.17487/RFC7627"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8941">
          <front>
            <title>Structured Field Values for HTTP</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
            <date month="February" year="2021"/>
            <abstract>
              <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields that wish to use a common syntax that is more restrictive than traditional HTTP field values.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8941"/>
          <seriesInfo name="DOI" value="10.17487/RFC8941"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC9112">
          <front>
            <title>HTTP/1.1</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document specifies the HTTP/1.1 message syntax, message parsing, connection management, and related security concerns.</t>
              <t>This document obsoletes portions of RFC 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="99"/>
          <seriesInfo name="RFC" value="9112"/>
          <seriesInfo name="DOI" value="10.17487/RFC9112"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9113">
          <front>
            <title>HTTP/2</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="C. Benfield" initials="C." role="editor" surname="Benfield"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection.</t>
              <t>This document obsoletes RFCs 7540 and 8740.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9113"/>
          <seriesInfo name="DOI" value="10.17487/RFC9113"/>
        </reference>
        <reference anchor="RFC9114">
          <front>
            <title>HTTP/3</title>
            <author fullname="M. Bishop" initials="M." role="editor" surname="Bishop"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9114"/>
          <seriesInfo name="DOI" value="10.17487/RFC9114"/>
        </reference>
        <reference anchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="RFC9421">
          <front>
            <title>HTTP Message Signatures</title>
            <author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Sporny" initials="M." surname="Sporny"/>
            <date month="February" year="2024"/>
            <abstract>
              <t>This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9421"/>
          <seriesInfo name="DOI" value="10.17487/RFC9421"/>
        </reference>
        <reference anchor="RFC9440">
          <front>
            <title>Client-Cert HTTP Header Field</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>This document describes HTTP extension header fields that allow a TLS terminating reverse proxy (TTRP) to convey the client certificate information of a mutually authenticated TLS connection to the origin server in a common and predictable manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9440"/>
          <seriesInfo name="DOI" value="10.17487/RFC9440"/>
        </reference>
        <reference anchor="I-D.vvv-tls-alps">
          <front>
            <title>TLS Application-Layer Protocol Settings Extension</title>
            <author fullname="David Benjamin" initials="D." surname="Benjamin">
              <organization>Google</organization>
            </author>
            <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
              <organization>Google</organization>
            </author>
            <date day="21" month="September" year="2020"/>
            <abstract>
              <t>   This document describes a Transport Layer Security (TLS) extension
   for negotiating application-layer protocol settings (ALPS) within the
   TLS handshake.  Any application-layer protocol operating over TLS can
   use this mechanism to indicate its settings to the peer in parallel
   with the TLS handshake completion.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-vvv-tls-alps-01"/>
        </reference>
        <reference anchor="I-D.ietf-tls-tlsflags">
          <front>
            <title>A Flags Extension for TLS 1.3</title>
            <author fullname="Yoav Nir" initials="Y." surname="Nir">
              <organization>Dell Technologies</organization>
            </author>
            <date day="17" month="March" year="2026"/>
            <abstract>
              <t>   A number of extensions are proposed in the TLS working group that
   carry no interesting information except the 1-bit indication that a
   certain optional feature is supported.  Such extensions take 4 octets
   each.  This document defines a flags extension that can provide such
   indications at an average marginal cost of 1 bit each.  More
   precisely, it provides as many flag extensions as needed at 4 + the
   order of the last set bit divided by 8.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-tlsflags-17"/>
        </reference>
        <reference anchor="PROXY" target="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">
          <front>
            <title>The PROXY protocol</title>
            <author>
              <organization>HAProxy Technologies</organization>
            </author>
            <date year="2017"/>
          </front>
        </reference>
        <reference anchor="HTTPSYNC" target="https://arxiv.org/abs/2510.09952">
          <front>
            <title>HTTP Request Synchronization Defeats Discrepancy Attacks</title>
            <author initials="C." surname="Topcuoglu" fullname="Cem Topcuoglu">
              <organization/>
            </author>
            <author initials="K." surname="Onarlioglu" fullname="Kaan Onarlioglu">
              <organization/>
            </author>
            <author initials="S." surname="Sprecher" fullname="Steven Sprecher">
              <organization/>
            </author>
            <author initials="E." surname="Kirda" fullname="Engin Kirda">
              <organization/>
            </author>
            <author>
              <organization>Northeastern University</organization>
            </author>
            <date year="2025" month="October"/>
          </front>
          <seriesInfo name="arXiv" value="2510.09952"/>
        </reference>
        <reference anchor="SIPHASH" target="https://cr.yp.to/siphash/siphash-20120918.pdf">
          <front>
            <title>SipHash: a fast short-input PRF</title>
            <author initials="J." surname="Aumasson" fullname="Jean-Philippe Aumasson">
              <organization/>
            </author>
            <author initials="D. J." surname="Bernstein" fullname="Daniel J. Bernstein">
              <organization/>
            </author>
            <date year="2012" month="September"/>
          </front>
          <seriesInfo name="INDOCRYPT" value="2012"/>
        </reference>
      </references>
    </references>
    <?line 489?>

<section anchor="appendix-alternate-approaches-and-similar-protocols">
      <name>Appendix: Alternate Approaches and Similar Protocols</name>
      <t>TLS Exporters are used in other protocols such as <xref target="RFC9261"/> (Exported Authenticators in TLS). While it is meant as a building block, it requires round-trips for some scenarios which would make it not suitable here.</t>
    </section>
    <section anchor="appendix-bikeshed-topics">
      <name>Appendix: Bikeshed Topics</name>
      <t>Some details to work through include:</t>
      <ul spacing="normal">
        <li>
          <t>Should the starting serial be 1 or 0?</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank Kaan Onarlioglu, Rich Salz, Benjamin Kaduk, Uttaran Dutta, and others who have contributed to this proposal.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA819a3Pbxpbgd/6KHjlVkXwJWpJfsTK+Hlmy15r4tZa8mdTO
VgSSTaqvQICDBkRxPLq/ZX/L/LI5r250A6AkZzNV66pEJIh+nT7vc/p0kiSD
Bw8eDCpTZfpAbb07O/v8aG+0p77of6u1rdTpop7PM5PP1bGe6dxqVVv8dlSu
l1UxL9PlhZmoD9radK7Va5NP4detQToel/oq7LDzyiSt9Lwo1wfKVtPBYFpM
8nQBc5iW6axK8vW81HlyUVXLsbH0d28vKXlWyZg7SXb3BrYeL4y1psir9RKa
n7w5eztYzQ+UNB1MCph1bmt7oKqy1gOY1eNBWur0QP16cja41OtVUU4PBipR
776c4p/O2vFha/6DQVpXF0WJ7QYK/s3qLOMFvCnNpfpI86dfinKe5ubf0wrm
eKAOL9NFatSZnlzkRVbMjbb0loan2YHS0PgvRlezf2IIjKB1d4gP5hJnYi+K
5fcPsRhTw3/SV7jOWVGPxnowyItyAe2vNKxIfXl7tL+3+8R/3HshH58+330q
H58/3t1zH5/tP5ePP+09d81+evLkmfv44ol798Xe3m7zcf9gMDD5rDU2/PC4
+ej6e7H/zHfyZL/5+IT6O0mOR1dXV0mV2STNltY9Q1jSQ/hvlqVz+uHzl0//
8tsBAaVKy7muGF3swaNHq9VqdJEuy+J6jbB/NC1WeVakU0Din+DL5BH9lMD/
q2JSZKPquuJ+mILOLjT3rtwb9KtHFtXdrneHn7HL7n5NgUIO1P7u3nP4ioR0
+tvHo/5Zp+W1uaL5pmP7aP/p3u5o98WLp/vh1IgWG+Re55OLsnDTIPJOK6uO
jZ2Uepnmk7U6rKp0cmm3epaQKMbEI71QZ8VyUhfzrG799kua5upTnpaZ6fn1
tAIEzNXpsoR167L165t8bnL1iymnqf8lBtvHoqwudGorXebqaw7YU1pTrSPI
7T9N9nbpiQXC0hZRza0gLf/FIIdqgIXrPD35/O7w9N1BBLhTs3yX2osDlaoZ
DKiAfMoqMfmyrmCz3/bCR/4qZXLgPP88Sj6P1GG9SK0tcv8br/WfdZonny9M
ZpZL3X6p1dHxCPpSr2HNsHDT7ukY4KOz7hsek/aT3Rcb4LF18vH409GX3z6f
bSFU4N2tCNW2HK5NytF6OaqKR9YsLwAs7m+CbXZf7P00Wk5nW4PRaDQYJEmi
ACOrMp1Ug8EmYaDS6dSqXK8U8KVkvE7gj4K9nepSzWBB8GN1kVawZVpNQsGT
ZtlajYs6n6qqUCIdrErhe6ntEjm/HRFN1iC5ihl0Y6ynTGVw0HlRGQDPVBV1
lRSzZIytZ2WxgJc1kR2CD7YdRMZiSH2DzLBqAsg9hvkUi0Wdmwl1oQ20KWGn
uBfAYOxjZkpAGpkdYHE00ratJxcqterKpOrs/al6c70E7AJk3qGZw7xjSMCa
i5XS+XRZmBwWCwuf6kpPKprawlRmDnOBZ7ZF4SlT81C5EWN+4ITdkGGtrw08
ndaaBvAAUBcwCukDUzObaZBQEwAxb/TCTKcZiJIH6iSvymJaT3Bc+P5AfQAg
X/E0vj1Y+C83jBM92gZsTaomGVACbtumxahv3xxfvLlRK4C9hmaLNDMTU9TW
Q4k2a5IiEkCvFylsDPRa0GZFkARMhx3NZ/DmFBAXNoqh5DZvVqYLWjzDBWZR
mnFdacvIxfhCKO6RLIPdwyb4OojeeQ07BO/DFGBQXQL7q2RJsH1XaWnoG7+w
WGZ6oXN+YaTUW0AefZ3i46EyM3wHWBLiQzEDSfr3v/+dSPYrULc6nEND9fKv
uBm6XOipScs1fv9UGuStp7oElkltBjjzoBFCC3QmgEAeLz/ERLUCZFfVqlBH
oHtBs+S9zufwqIWu2I16XUzXjFcA3Qrgj9trNXyZKkubDvCOhgIlEDopcu0g
O+FRAJ44CpC1OuEfovXhcNECGyjTy657+N0hcKVW6doOu30tzPwCW5n8kude
EYKtgHRwXq6rFXBuTa3jgamhlUbIunLYJ4SX41MjkGHAD3LgYauiBoh2mQXi
o4fPEmVPNMMp6+SWkIEHMgFkgWAz39W2BQQELKzgGYG01LphmdB+XdQAlklW
T3k1flxY7A4+yTeBaJKCBA83yZOD78OxY8EafJUaASt17wK8yqmbEbCUswZw
MAqI25nJDXC2gEaKnDm6ZxTCFtI5oljVUCONOqO+Yb+v6izXZToGiUu0ONZI
oDOSI8T9zbWejtSvtLG2WDgctDwdR5ZMtuN6DvAnXmLpZ+EN0Bk8WeqJmaF0
wFdFHnR5hKmszmbI72ExGSwC0GeSWtrNixSgAhoyzGyt0PaCOS3TslrjIDDT
IRAcMGHhfgSOeFSk5hTFAxIjilpTFTkgAfBZzcyVkAggzgum6e0TIOjjY1rV
WNOstr99EwUdGK77/OTmZmeIe086GG4MvL3SWriHf0ozyQAPQW5egcQqAGK4
svZ+8EoKkPVaLwFqoDnhrA1OO1sPIxYfsi0iIugQoCGci8AME8s1ySLsdFlk
GXBsUOJgWYSYRQ0trNpOBSdhRkucsq24V9d6x7UhbGLp0QxvxTIGNQYe0cLd
/gKlv61RWy0XRamZ01jEIlhDRfjv54pQz1DjAj43T0EHnxRAjmPABasWoCeG
jAh2Wl/DHC3ovk7B8R0BrgWUilB1Yh8Mc1idxtldiyTCCQHLsGtY8uIg5mPE
wRaAn1c4hXQNCHlF8I2lk5O+ecwgyFpCdQoBlC5xyfy65c6HSgPMcebARuED
dM7Kha2AF4n0jUcCBa7AnTGk/ZGm1rByMCmmgFYj0jrOgMcBtD4ACDPQOyr6
mizw6w3ylw6phA+w89QsUA9AfgzaDElx4ly4G07baMlNYFNZTQSJr441LggQ
yhFEGz7b8ODrUnQrBviOyMxjsDyjH9Q2wwg3YUygjgUO8QhGy3AM0CNBQgMt
VRqJh4RMgUokad6IR8izp5p06LFmfoBfhYuCYvFQne2xHh2s1nplLfVChkRU
Z42dBaIu1LM+UmdAGHskb0CDIOk0QD4zQfYc6ocksASbvHiDvta0VsBHoHUk
1BGuar+zKn29zArgNYiEHa2zzajI6JhopD9WLkTILdM1+gxA4lcNdJHTGZDD
Qm/E3x3TDlYKfXYhE7AwwNFFnVUGSOJas7zyOpVf71ivUQH4W20RjoVFTMwK
tKlJEY31vR0CxePbQNHsdQ8I5qJbdaeN7JYBHuDIeA1YQqwSWLEBFqdz4tkL
YqLe8mohDU7xibflANP/O6dI+Ce6kG0ptLZGLgaQH683CSKwCAQBV7i92KKw
TF/EPMfICTqmbtx1R9XyhiLvp+sUuVQOeJYSENAJgaxR+BkgJKCK5Q1+etsG
t5h5G4SCs6B30MYFguZHEEL/VoM9lzm9T/SHpdX1tEjc2rbZPwLybgjdVBds
SS80PJwSQ2C0cDiBKF2C5FRkGLWRAVmd7GofH0GL1UkEgE+/BSBqmtdQI9sG
OTaaLE6fJQA+uw2AD1HzetiSJ6jDkNXZeAnw8Sw1WV1qG0qF9go3yQDkIj3s
o/viBaCK31VEvq64QzztITVqCig1JI2DpV6bH8ubuGVIYcAk6znr9T14DRIF
dM0p63WoPKFdXepFcSUidTHaJI4/fjqL5BMLp0g0fQTR9Bk0LeSP0F0E6gDE
4b6lbNuG9DWKVDkUFbC0esGjphmaiCgcQ9UD6LAChRlx4yMIkkMeH9VsYClm
gUQLhliNOO/wmSFZjK/Q5URiCfRFkQ3AhpYoBGNlZ6ROKgSEBwLZizgnUenF
2KPRKoD9PF3iz94R1CJlmu3jCGLOWkpZI19dFKLJAHQmegl4cGX0aohEAbqT
ma03wbgPQ3oFN03iaTSJEPowUKsb6yfZMNwCxeICoLYwyFy72gGN8uSupRJH
dttT8JT7+E0PMQIPyxCZCfM72Eu6ss7QgGEjkvVG5Aksr51HzquSglCd0dHC
bSAuvqQekmeZY/Kkqsu8v5Xohz07wn46xhqc/id4ivtOhjjZ6TBtRAfvR+0Q
K2KxN0Aav5qXXG3FUMgw0mJ3RAtNxxnz5wtWUSVGhOKA3HKwDFMCxiOKb+vR
fDSMdb5HXhkj3c95cfT6x9LLsZ2WxokQ2+xebjE39qAjMLzWtW3AuBMfsDRA
j26gvLHcAmCSzA0WRYy032MM+vupcQYFo4zn0YDIpLrIaLhL5Lr0UiIK00rY
dMjbR45k5kF93uQenyu6RkB0of+adRxh5cjCiPVepPlc+9nc4ecQYxrnbCz7
l2rRkgI1BhnkioU4uZRRjGwIEgzdAiPIEkiLjht92xGLKHmWfUOm8Zg1GIRb
Dc/zejFGv7xbn3NVqaPAIPTIADvgYxBqWmwwVVYmy9joQqDDA1FLTA4alZkK
9rWmLigmr+KWCHlTG4QZDI62B4BgcoG/rQS9QWGhYXa8t2fL+d7fimv7iNzf
ALktz5+2b48Y4GjvvpzukNQMPLYLYGfEglDlgf3w2iFyZLHConijj1Awk8KA
fuDVazwY77BjP8/GrcS6FmAb8A4YbTuMDuw4rIuY1qyY1Lg/hdAdzBLZOiI3
qk+g4V0V5PhYaW92C2Mi1wv7bNMljIlujCq91HlXTZH1eBjcsR6ks8+gIjeP
hvjWSgOqpFYsFqLRlqt9OmXbIXb8wFY/3H776Ys6Pjk9+np6evLp4wEMuVJj
mDTaD4CcK3Rrg2KEDHcCakgPg39FbRY4ZW7gfMWI9qzNX8QvZBpF60VRXNKk
dU6gm9UgnbTzXGG/h5WgC2o9PLJTeJzPjxk1B5iSeYlEwUPKvghF+DWQcw0U
FVRZYE8U+t3AXEBFKBvtPGSZJi6zdjAyBmocI5yCNideIOTsGAwDNgYDbNNI
hCAok0R2YCjJzOtSOHLoONqkprI5T60cipb3coUg8VXojs+8tpkxoX8QdwGo
88ihjV0Iu+UYHw6ATFhfM/8GpXpvhyydiVkiVG2NbncJfLbZq1s0qdWWlJhe
7uzX0YqG4r42AnI02N9hFtGIpFiJIYpmPQ13AIfHfYwip4gCxZhUrF6p6MQE
MIh/kESVIcCRRfTz0VNybf+DpLuQb5twF5uMgZSDuSExt/zLpPJrJCuQGldC
SRTm6Isv+8AiBvFibQTY2o8VwrZKF2AYiN95NHi8ow7t7QtD6S5Rdw5sD8m6
AG5Qod7V9qeiqGDnNakraU7+V45s+oGcFsu8bJHCmssmlkxTBxt7lk50ExZ1
IT/0yyPrnIoVV3WyZADg9ODmhl23J1lW4wIwKwg2lkKeg8EJmcoSAUWZ4wI+
BM8N3hhSezuxOTZYWxrpMNoTDm4BOZcVqTyUIkUqodjNvcOJQyEIwzWvNdFH
AQJGtEwYpGNN1oWXMbjkdMJIcy689P+eCKhjXV3FzGbCOQK/yQ4JjrNPx58O
MP4Cs4EBQJVcOP6Z60o8TKzAiY/gjtmg06alBLFQQ+nRn8LBoap6iSE5MTN7
QY+sPgp/UmdDlOMwKjBZRJXIUSsADMKU0oTdLxgPQqDFMU8gUCCsmjm8D33e
1efGyCcK2mjCoqmg88XGSj+SZu5ixuIww7Cg95Z1A7TMnj3Fk/qP+EurkFic
U2mAqVnUmJHp4hxRSXSTRv5BTsyFNxF7QuZpPWc3bsPpEZLx+kAzI3rFcZYc
I0Uy32EIdS0w0XZizf/8NSoBiSij522pDXxQBEYaq++OxDjUtr/jwrzd+D0x
UQaM16vJBgylWp/BNuzff9xSw0pvp5ttnAzlw3Egv9ly4KRiE00pEo/IzNkC
ZIrJzFD2BAzBt0ZkkZBa1xyEXQGm4BTjwBxs8UpvEuJvHbMwEI6m4ogIps+E
jvVecOCKEXNM7gAbqgGbOc+GXKEZWC/ZOtSuCZsWSB5NxoCs1aAWBiKt+tEi
BGu3z2H6QzhPT9tOwG7MUwOwkYowNSUvxQ5FPAbCM8zycWKGfIuAHaQiF5w9
Mvexi1IX5ZR0ABK4nA2Xt0n9Eqfm5n3IAGDkf7knw2BnxAbTZlGUXODbHUXt
OA8ADXzbcsywJ0AC0mKeRHYKQn5lAJolapVNwhUo5yZLnTbcl901cvJFVJu0
34/hsB3V1lxnkRuyI4R6oqniNcLVxol3iB8IDlMy6S0xZJ7fIvOZnRHyMMuZ
oU3gA149hgVihDPKOf3EEwj8Is6J8Zp4JBAIWkyOledXhtGkT/q7qAYiGyoP
rewKEuqDB2hZXrF1xaL2WFNyDX5v/H2YF2/V1oevp2dbQ/6L/nj8/OXN//x6
8uXNMX4+fXf4/r3/MJA3Tt99+vr+uPnUtDz69OHDm4/H3Bj9+9GjwdaHw9+2
WABvffp8Btbq4fst5rMGHSmTmszElFNExrpRb0iTGAA2TUD7ZEC+Pvr8n/93
74mo85jI7nV7zFTnpMGcR+NELPqKfsIBWPU65aA0IPQkXZoKBCahuAVdJSfD
FznV/0bI/J8D9Y/jyXLvyV/lAS44euhgFj0kmHWfdBozEHse9QzjoRk9b0E6
nu/hb9F3B/fg4T++IiUs2fvp1V8HEq3xm0E+FMTCJtYDYPv2zdlUj5HMJfn/
5mbYkMpg6ygz0APhCZElfgoxGr+zPMJPtRjB+HnqKRqxxuTkKnOYA/o6f0dz
QpGu4A39d0yHn12Cfm/oybkbO3nJseKRnADZnA/b6gjPwj9kRnsOKh3PoOW2
ZGpHoSmo+eLJHqAmLK6eVOw9oDf7E4Ip72rdcPDGb3kaKj5DTv0ih0qQuOpV
3T4OC8BjU1My325Jz5b8Cu+Dit3KRTvzrS+/ytnjeC6EHHavNVrFK+Sks8al
7ra2ye4VyRdJ7R5duOl+tzH3H4+ew1isjZBB1uqb8zs63WN2t7W1y34RgMuo
3egKuVO6IkhYuniv+pJ3OKkn1shGaAhHqV0bXEKODXnXzn2RFwbt4G684XWe
iWYnCWGLWiyiwFsWZdv7yEiKTMLx6LEWx8e3b3hIxzXG3PAbEl4mDTWn0Ifi
vVkjlwncivD2xcSvdDjBWrTx8FCAKBweK4e9YU0CLedI9wK1lU7QdxBg2wud
bsjHK1aBTvzfv8o1L4vMQlpb28jqZWodBRjF5QZDvmdZ5O6RER59iVmXVd8e
sCJqb1gv8do/s7bt8x9gpN/5nfMdOTYAE8RcVfLcEIVWYO45H1nb5WLyKFm0
lzMNHX9AwQBGk1jSyOe4Y0pitPVYokihJY9zjvkxTdoum1k7BVxec9Ew4HoZ
273suCg4nkOraMHB+xMnRcn9TANbgGHs/NsfHN0AcN1BSk9LAubuuyIeMR0K
09iDd37hAB67O6dRpKJjcs7qnNmui/ThBIKE+EOVoUsatIXAV00CytpiwuhM
p2/IaYKpVute8jTsxYgJjnyUdxKrGB+cnwp/cAtsGNYqyEM2bc8QvhVa3GDw
0Uw0bxssFhNu1yF6dGgI2RzMzXd5jiHqdAE6LfpYi80JOOgRqnM+WAJGCbmd
2arWolbg+VdSJChJN7WxxzgzM12ZRXjKoiHMs4hc5ugTXkd7Q8fOrA+iUjrO
OYhQgEdysUgnib1I958+O1dJot59ODxKQLmF704S4xlTFL6woy6rOlX4+xjz
JB/vqwKwv6LfyUxH11lJ/hAew3lfzuGFAGKY93GuxZq7dR7MGVMawOGvuJLR
InR9DGOZRdKKQyEJvk3HS9279uaGqb41KWfU2wB6BuUoHzVC9RR5L2gDxcJU
gOdDTPZ3UX9yN0oSBkLc03s4zVEAfTmTRyuW44sIdTne2AI6drS3/xODfe/Z
HwW7YucKGQMyZrKfPOExnj3h7n9yvYMoX9bImr6yKoG5dJgPH6sQYTwsPqM3
7Mc0BDA8TKuipDQp7/mMYFwHyRYRQ7hvmMr7p45b5OZPisBEPoQTOWkm0nBI
boOnRaz2Q8cT6vMwUlIYKo8U3LQ6D1rHccnYZ+MBu4k+jMucpvRClxRDXA8V
FeSCCDoKoUYeulydHH48bLiEFfVaZmW1NGnHoX+NgRaHooWvvFLkhcaDMCuy
MSYT4MqleB+D+RNIQIBjdFJNMkz60DmnZ2FMmCiCwFCQv22FJ4gDtw067kbq
Vy0BK2ScBsXC4ZvT5H8g10AaaYiS5NACM6wRoXIDOyORobTi7EuUGyuQ48Ze
kuqTYwIVwAg3G5i69+TiMdLSUNC44fT88opiql5sorfMeRb/wvoDJi4yF4MW
yQZxy84/OsXAk8cAKko9zuOhWRAukavWJS1yRiIlADtgACataSfYHgNRZF1K
Fu1woGegXtBoGACtlm4hekOKOgBaOvHUmfE4DAzEfxNGCVRjbylSPk1kLjrv
G3KzGSXlOM3UKtYeiY05A7D7utNd5X1Q3LCBi4204tGkIffTVqt365lRoDl9
h5BhWHeUGefdOI3cGd8esIqToBqXoEyXzbjbdrlD0xK+0Mcz49g48iwr20rb
ftq4N96y7fAeeMdgO/SB7GCKpsXMBUq9IhfDWXGp0XM+RSV8RgkJ6YDS4csq
VMvkaJGXT5JvVVHU16k1bpsR0QaNRUlnaQGt89mgB8Qv1d4D/24C0yjXg0Hr
AZ2pf9nMJkFVST3cVls/b6lPv54Gv9AM1c6g9a70YGdJhSsetBvwz7AA/j7w
n1Tz76Xagscvt4LR4Psg+qaCkZgU6VDwtwOAdgU88jJJMzPPX25lelZt3WDi
GOi/rOvFUybpG2jKPZtiScFn/AYE79ofN3G3RJsigmLbBmcugpNiZsAoIs2K
NXeN+vxhN6GXaI9sjRSPFKck43WIPKQuHP7GL1H+EIyRx2/hKigwgyteEtvB
o19DSn1L+AG770oU2ocglNDbKd4DPO2xpuCWHHZjhcrbk80wtDqJSFhG37Hk
4wwbvYbzmziYZkU+OQ23G1XlPBUMzkxBl5TgqHRRgDL3Cxc5cIpfP6dAeqSE
MZ/WESa7OmXCewdtpIehZ2os8hC436QsrA3aY+JadOA97TIfNMVogRlKTjzR
HGCa5G/ofMpn411PPSR9oPp49lD960CpWKP+Genp4LD338uXB1GToCtu9vqO
fy8P7iC9LtMncMbm5D1EQC/3v5d/h7ZRfAFTSerGCMwcre5KL9Q2YgG7JXbk
oKE7LNUYQ87KxxZWLM3D1x/fsqyXZvYgYMPklv1d5iIMK3z2O/HMrYMtF+4X
PjtQPf+2PJaErPGuJnhUid7HD7e/7A87wfv+8+1N8FAUvI1/bn1xe8upJAme
Dd4COLgHv9NhYWm886p/HGG5MJR8+p1k8qALTBAeEX5sqf9onvCIWwOBdiRz
QJAISjSSJv7ZSTSCZLstpp7l80EDt75fCU5qU9sYIp1ZRStvfg6kn7duoCen
pxB/IyylI0GZ+MEarCZRYDlhpFy7NCmn8/FgcbA9UDCd/2NuMA1EsuK984Zo
rSnxES/gpfrBafrbP6BM6N15pX5wpPEfW+oHb0fg1w0Nejtx+I+dBLiNX3FT
dhh+J6wSgmVwJbqCjO7FeR8MZIJ8rom3Elv6ufrG/KM6h07OvenbnxOEa8OA
Bg7C725gcTQUr86PE9UkkZX3GSPyCnXhgeJ7acC0vZ22YqTdkNST0f7oMeq+
3svDmYekwH79cqK+qw+BTRi5Iunb+JJFJ8/D936UrPSQ+dPicIv9uogI//9d
kh+MDBcYpTn37oaXfJOHYtp5nhFgqaAmcZJmaH4qYtSTn4jQH7wiR2YRolxE
seeUAoQHQFOrfXjI80qiF1R9+jxcHI8Kh4SZ3s+52uO0Y5Ws+bVHyRu1JuNc
i70TCf1+sb9RvIAJegHZ9+dSyv+k6W22um8BltOPZcv+dCfwD86AkeBn4HEo
ytCfAF0vNQuKQrIAOVGtV1hgFo+TUFKZhZWyNYdnioa+GkJ1Lg764o8GlXWm
LcqqSNeu2hmKUe72rc5Rn9DWiKto2w7U3s8Nrr/s0ZV7pJFoX58/nZ793LDT
l1itUeY8mhSLnxVrUY8uNBA61mbc6uvMqUAH699Wl1U+u3rx5mJe/mV5dXpW
P3v+tr6+/lCvjybjn355Xr17sXi0Ls/eiGqO+jcCCo8t1VR29CAoToMVE11B
MAAVerpewUa1nZ7HkZcTEztNHmZnhOcruoeJghctYFt4ouiVUr+SLy/oXiL/
F+wfA/O0mIqF+EoUFHbi2TABMihs5nPVO0X7xAlwEsyW6SbvpDDEGaU+uUKO
+ZQLLLjkJNB4XWkx84jwI2igIYw+US7a4wk1PJbdl6E36qlqhJ4Db3pztQJ3
YJ1OKxGg4upPViNn4joq6DjlpIR2fQg+EcGJTcmRLitXNenJk13khByfL/hN
SW5me/chMQ0amk7tGcwCDWr62KiqFIOMTqYTXLDSXFhmbt0czyBAxsXlPjuW
0JHz7ngsMJlTWv6SGzFdC4rQ1iPmS2bM+QFrBnz83fNvPBeV8ltpHhwMCRK0
2cdLVTWdM1yczbRAGm0qRXEoYd0dcqmoNBTFnDBHiwoHu2JTLl+dQcO7ZQjh
8Ih1xnBMPCAR9O84T1pO4BTRmbFs7RAiqm4RQY0ku+0eKabolo/Qqm2uk1Ux
N/VWxyteIZ9ToBQkQ3rJSZBV6qzmVu6VRNFNmKbAyWRSKvfmhvVYR8GnZs45
pXRK1eXjBucKKyzJwJD1EQqsOWYmNbyZ0amjWZ25sgXudP2dhIC+OEYGAi4W
4cOYOXJAeoDn+TN9jYoynSeE1vRcIigzegGwhnNZKQNLWx8Mc8cZOK7jkAhH
mxcOTZliG9uH01OkEoXT7xHTvMbucVmKSkWszTlh3rmqmN8euBRFLFaduGqZ
N52ULV/uSm/MmJJsnOn9cozuJZoz4nfzWN20DQmyw9Z2M8z+n6bbmikxI/Jw
NvV2NMcyKYasVZTVI95SOoYVZfL0LPWW7B0XbfEJPOyVuj1/B+DQU2TSdEoZ
DDHymZZTonUqZqY5X42PYMRwQvkVANGf1Q8mbMRHTKipKZX+Vl/dJqxotlbq
VE3V9rI0XIZA+LKEKamGpFRoG2d6R7xyjQMnjJnfur/3CqGHFlsaedSZ4feP
1Jev405LuR58HkWum2hqT7Exqy5zDM8iF2a8D1MU73Hod+hynHzCQVIVSZNw
0G+9FeWGE8JBbsNG2KOf250+ZPDefg6qZRY3HZYaa4Q0qbq9xdiaFKq2x4RZ
YbdRDz9s0rTbHPGwr3QTRzoIV+29+J5kYmKwB82XSSV5Crdna0luXZSuJWZ4
HGZitSO7NXsrhrnvppO52V0uiT/kEIKBROkbZ97whVsOTvVB9dY2VEj4O4FO
knPd0DZRDcXH7o4D/8Ep9pScaTHSmDACvtPqzAM9PO51n7zAP3PeGPxqzf0+
gF9RAU9h5SbaBZhgTw74vQV3dMZxCRRARSxdecGwqO+tzN9Ll6bSYuPCGKlD
mK8vf9YkQMj5Tk3KpcmbepJNJ74IibDjpuQk1/IZ3poFbxYkqdF027xbTWky
ZI5is+iyjB0v/6s5cjm50HjSkEcI7CIs3GEim/VOuNF+INCrje37D8FRUhOx
eFLTxD52hV42TyZSsTa2H27Ior6LxjhN8DtSpTdOtNHEm4KB9LFxYyku8BN7
sL3qFhznbSttLTWrb5PuqWaN9YwNGJdsG5VFFd3cmQZ4jmaTxthVFevARdwI
05ij0rn4zuDNgfR2Ifd+adSnwPfJOBeqivPYG5diF7+EcwBGFIs4Mf3+m+RQ
rqsRyxwHt2u+3w3xQbRn7SMLLTvQhd57DUG7/DMswT/AoXt3bxOLFg53fx7t
qt3exqR9RdyQS7cg8P0cOpw5zBbvpwhrqvyJvLoXgn+YWX84PPqDvLpNZ1I9
spfMojK2URCLHK5JwBlGfwLfvf3wyR2rCiJuzbrSqrub5Eokb7FZ+IcclGFf
vAvKOEpL9q6vb2522JSKqHUjz+/d7E2sPS730cuZ78dyTOtMxiYmj1zH85e9
3V26eMPkNfOAvd3H6g3R5js6cvntQQQIkREc7zoPW4uMa7X34b0Qvzi4GSGj
g6UrtmQxc4QwhjCE0h2yzG8cX6+Q04ESf0HPm5Qq8cVbyz37Upn3k0hRakzg
ho5EUxzS9aIpHt6n+NMRmxUubIasyZd9a2oELFyVIVgngJrM+9pS7/aVJEV/
0VVJqapfXPrxtwclPgsFg/+NRUJK5QS5AIhjw4gWyIXzuMQxpyZWUZU5X43E
hU9N2dpOEcae1HwqY8hEzEa/Gtm1jZJDAOHZchnVoCx/qBmSs/5WXdgtttRh
/kvMXYTssK+2ZPY0gt6avZFD62MUEt8eVJnde5zslhWmQD/kECpnHsjJNnJ6
l66AiOtj98vZmdQEpNuqgijcCkTdZYaI7ErJ0CGU9didJBiji2hKrAJ7xomX
vmpp7SvCuOiSiFgXTJY6Lcx7gzhXkDhql1h2K8hu/1fZY7vDUQAscYYH71dS
VYMCXJZzmlAKacn1p+R+gB7eT1HVEizyNztEKiSMCb/tJgQX5D/0CSXx6CEl
KmL4jWHYkyMfFdygXfvYHP3lXYoOAw8GTQ3UP6ii3+8AOzljgNS5lBv03Jx0
joUIOg+t91eZJSX2Ogc6RVCGfBohqIKzCCI0clLBCSE8xfx9h7p7T+iG2U0h
KO4+0V3kYe5tU1p87eKV1Ub1FMgu3D1fLeYCS2jk8XVnjPSiAiAWZOkaq/4G
1Yuk3kkRVkKyyuVDCB8NSlzD8J8kRIkkEKBNHKzk6tVBbXbs/vD9548wq/lQ
neMFdxhnTSj+lrD3lkHX+smR5rkrniQH+bFDzHcFsOvZDP15mZlJUaSqLGZG
Sr9R4UVchVzy0lz/0tyQ0pSoZeTje/hQU0jocJY/Txj5lnaER/lk8bxol+Ul
oJtxSUXPXTkkZLWggDcXVSAuApVgKN5wxX93ZALVVZCUWD4w61QrRzi/B2Lf
BiGI9ScfwdtYRgf5UPuKTsr1Z0YgtUDVW7yhExaeclH9on3LjOumc6sn9XVI
DvIEZQJn7rhuHYgYBIi5dYnR4aE/I4tsmuKHdAoKC7+m1vAhIhdR7qB8UQUB
BrZO8XovFy6nkzHOr+vESFNx8ubmOwsWobHszmq5UCcfMUibolGhj99do9Sc
+iMp4w9l+HuZ2hcjBmUdZy1DJp1z6FXC+iIBXXpVKmFZYgF89CK48scVXIEN
JqrjgPkQlQuWUnilLCZIBO5kT3nnDXd2C3ClSzY4MiIPKy/Q8USXwtJY/ciR
PeOQZIVg6v7F3qmx2oHn2Y4xfyyVE+5OBWnqkn57sDljTBT0TQcz2UYIlXJ/
bC3MIqMLyCSJrWcGI5dZ6PDRcdUopWRjWdSo8f5tjbly6mDwxpeAwbM0MTXs
ywzDFpKpMWPJMy34L+0n0RNVlrtobr7ii6fkBqtruSJhQbfCOr1J8iHxkmJE
rqYhFb2zBZ9oVcFMHfb4waKyGSHZ4EK8OwVWNHIZVT214+g8Thpakk15s9jD
IYlzbpfVSxwncZu4TRf5Ji1cxopIMmyy9ZcfgL+C9fl4f2fgkeM7uhEjKuqH
st9wcZwJSC6n60rUSOv1SCrv6fV+WrNPqsSqpf6nQJlAbmCluGdzZV8c3HGe
HyA8fH2IedYwt3PF9bKAF0b0KIVCI0SJSjkPI23WeQs5K8kru4nj/QHZN5fY
eivlb+Iq7zmayseQA5+b1S6uyCOQ+hPldT5AmuMDuEfu1K1UZguNG3bIuUPB
cUHVQJETUGAgw2XdcUvbU+F/2xeedZUqSRXgUvS31cneQZHp9T5/cprr/fs6
bYqKVVDUnWqA4WtkVA67xs0UQQ+yMGlqWfNtD+yfDByAct4aVU3LF5AxzdJa
vZaE1+7SJvod7wYtsIoJqkol5mlR3dKaipOSlwmLM1G6RKdZkLAolwIDddMh
xzScy0i911XVOCG6px+QdmgBQVVP74gVj6q7gon1AC6xTszP7a4r95eJG4aS
9vQ1oFSlwyKDvigICoUvYcSL629HYa8mDWyccr1e9n+0f20X9iXftMvqw5Ky
/lrNMcDLV+3qC87CDl9h9chWMmzbSCKEw2KeUjBzXBaYmcG5fgYLZ3MNadT8
vFc58DWPvBOALnMqdXOVqiv47xIC+fpgsmAzzOqkogLz3B3aB8jkaOcxKjbJ
0vE1wyP2B70v5nQZm9veUFJKYb+saF9k4VMmeb0REgUgxD5JouFBIs6rS93x
1dpiIZGwniffWeCvdQ5H9IHm1F1ja8igEHiw+2FeGxsn6abW1ZylGy96UnQd
fURK71Vvsyab17OE/kB3JhA17XRkH7lol6C13heCMGAgpVbclQHcreMD7i6m
uFhDQKxU0gvBn4Co2vFMicr/+LiJB3Wwg43GHSQbder5Odp316jQBrt1C/57
Z16n4K4rVcEOninPChc9qzOigwfssgFxQmK7/2r0oCS03J8Qq7gU3g2QkRJa
U1cfY5kacjBu1mBHqt2/nHUO02B8f3JMjk6J9N+23knGoZAj3RgC8yVuEBfk
sZwUdVu9fLLgJa++as5aV6KIrpsyM7JqXUZu009ITCtjteREc61md+8W32rn
FiBStlULjHYZs5x6jl34ai+lXoJ2wXnSvrhg21n6HthwOne7Hl9nz5B3holk
sz08j3KpSimm4/lDStm6TBrONgtLHkolErqiyhdkvz3FJHLnSTYVemnFvmUy
u/ta4LnuzeKKPNAs9/HEhdj1QX5+/8VXI8+BwiLrPS9KqpBnNVKIBkT4d8Mg
vAySLzLAAtk5Xh82UTh1l9sdS3HrkjqFshpbM95UPnDS3LnGwh53letewgMA
cVBMVg6tdp13nas4u1BJzcJ2T7kwcn4OZMYK4RQ4I9asbrviVkK60foIiu2C
WBG1k01J1/csS3ITOC+K74EPpIe37Ml92R46t1+d6WRGZi4xfIRmZTiecVWx
Q4lDC9t4hWBQlcc0ZwVad1KhGfEZfRF8l2ZkRRw7V2to2fJwWEKdy1EzHxQH
1b0808NoDWHNmFaF6g1X6LR9t14TdNc68Wo46Z9TiWBf8TJY2/CExqOjfYFo
7xdg36s0iu97dPXLSV3SVBPe2VbLXjA2Ou8qLcs050ojAHWqg9U23B42pbLo
91ZfDutI8+bqDQDOmbhanHBVWTrWmVTsDct9NSYu6DqgfQTx5ACgHJZJkoTY
Lk71cElHDq9hYl4YHspdVrLNp3I4xPvugMAiee8FgHFWsr/13Os0fBBl/xke
RNmWpmD1N5e84V2M0B569vcxsAKPd2DIvULj2mRcpisrJpfDyMlNF0IlVWmW
DEs6tWUnOgd8LVw4NahyhcYqeRJNRcJSKnmHEHkN9GrBXlFnxdJMrByFcvBt
InnMfsM4wymfYyIdzOXOybl2wJY9ZMu7rwhVDidoC4MuxpdmDL4dcBkWPX25
NUszq7ekTgfnYjicQ1bCBJzml+qXFOsDw0ozU8yzeqi+4GJP0+zfh+q1zv+G
t7rBS9MaYPYVdA3AVXVcwwepeo571r4Jk85oTUMmsSxsmo0G/wVO6A2bMI4A
AA==

-->

</rfc>
