<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-su-sidrops-rpki-rp-incremental-validation-00" category="std" consensus="true" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="RPKI RP Incremental Validation">A Publication-Point-Based Incremental Validation Procedure for RPKI Relying Parties</title>
    <seriesInfo name="Internet-Draft" value="draft-su-sidrops-rpki-rp-incremental-validation-00"/>
    <author initials="Y." surname="Su" fullname="Yingying Su">
      <organization>Zhongguancun Laboratory</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>suyy@mail.zgclab.edu.cn</email>
      </address>
    </author>
    <author initials="L." surname="Qin" fullname="Lancheng Qin">
      <organization>Zhongguancun Laboratory</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>qinlc@mail.zgclab.edu.cn</email>
      </address>
    </author>
    <author initials="D." surname="Li" fullname="Dan Li">
      <organization>Tsinghua University</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>tolidan@tsinghua.edu.cn</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Operations and Management</area>
    <workgroup>SIDROPS</workgroup>
    <keyword>RPKI, Relying Party</keyword>
    <abstract>
      <?line 52?>

<t>RPKI Relying Parties commonly perform top-down validation of the RPKI certificate tree after repository synchronization. Existing repository synchronization mechanisms can update the local repository incrementally, avoiding a complete retrieval of all repository data. However, after such an incremental repository update, an RP implementation may still repeat full top-down validation over the local repository. It means that the RP starts from the trust anchors and performs complete validation checks for all currently reachable RPKI objects encountered during the traversal. Repeating such validation for objects whose validation inputs have not changed can introduce unnecessary validation overhead.</t>
      <t>This document specifies a publication-point-based incremental validation procedure for RPKI RPs. The procedure is intended to reduce redundant validation work after incremental repository synchronization, while preserving the same validation result as a full top-down validation over the same repository snapshot, trust anchor set, validation policy, and validation time. This document does not change the syntax or validation semantics of any RPKI object.</t>
    </abstract>
  </front>
  <middle>
    <?line 58?>

<section anchor="sec-intro">
      <name>Introduction</name>
      <t>RPKI RPs validate RPKI data by traversing the certificate tree from trust anchors to subordinate CAs and payload-carrying signed objects, such as ROAs and ASPA. This top-down validation model ensures that each object is evaluated in the context of its issuing CA, the applicable manifest, the applicable CRL, the applicable effective resource context, and the current validation time. However, repeating full top-down validation after every repository synchronization cycle can introduce significant validation overhead, even when only a small portion of the publication point has changed.</t>
      <t>This document specifies a publication-point-based incremental validation procedure. The procedure uses cached validation state associated with CA publication points, together with the current manifest and CRL, to determine which validation results can be safely reused and which checks must be re-executed. The RP still traverses the currently reachable RPKI tree from the trust anchors. The difference is that unchanged objects do not necessarily require repeated parsing, signature verification, and full object validation during every validation cycle.</t>
      <t>This document specifies an optional procedure for reducing redundant validation work inside an RP implementation. This document does not define a new RPKI object format, does not change RRDP or rsync behavior, and does not modify the validation semantics of RPKI certificates, manifests, CRLs, ROAs, ASPA objects, or other RPKI signed objects. The cache structures and identifiers described in this document are conceptual; implementations may use equivalent internal representations. The intended correctness property is that, for the same repository snapshot, trust anchor set, validation policy, and validation time, the incremental validation procedure produces the same validated payload output as a full top-down validation.</t>
    </section>
    <section anchor="requirements-language">
      <name>Requirements Language</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="cache-state-and-bootstrapping">
      <name>Cache State and Bootstrapping</name>
      <t>Incremental validation depends on validation state produced by a previous validation cycle. When no usable cache exists, the RP first obtains a complete local repository snapshot using its selected synchronization mechanism, and then performs full top-down validation from the trust anchors. During this initial validation, the RP validates the currently reachable CA publication points, including the manifest, CRL, and all objects referenced by each valid manifest. The validation results produced during this process are used to build the initial cache state.</t>
      <t>The cache can be represented as a mapping from a CA identifier to the validation state of the publication point associated with that CA:</t>
      <artwork><![CDATA[
ValidationCache = {
    CA_ID -> PublicationPointState
}
]]></artwork>
      <t>A cache entry is created only for a CA that has been validated successfully in a previous validation cycle and whose publication point has a valid manifest and a valid CRL. A <tt>CA_ID</tt> identifies the validated CA certificate object and the publication point associated with that CA. The representation is:</t>
      <artwork><![CDATA[
CA_ID = (CA_certificate_URI, hash(CA_certificate_object))
]]></artwork>
      <t>A publication point cache entry contains the state needed to determine whether the publication point, or individual objects in that publication point, can be reused in a later validation cycle:</t>
      <artwork><![CDATA[
PublicationPointState = {

    ca_effective_resources,

    manifest: {
        uri,
        hash,
        thisUpdate,
        nextUpdate,
    },

    crl: {
        uri,
        hash,
        thisUpdate,
        nextUpdate,
    },

    objects: {
        (filename, file_hash) -> ObjectValidationState
    }
}
]]></artwork>
      <t>For the publication point, <tt>ca_effective_resources</tt> records the effective IP address and AS number resources of the CA certificate under which the publication point was validated. For the manifest, <tt>thisUpdate</tt> and <tt>nextUpdate</tt> refer to the time fields in the manifest eContent. For the CRL, <tt>thisUpdate</tt> and <tt>nextUpdate</tt> refer to the CRL validity interval.</t>
      <t>The per-object validation state records the information needed to decide whether a previous validation result can be reused in a later validation cycle:</t>
      <artwork><![CDATA[
ObjectValidationState = {
    uri,
    filename,
    hash,
    object_type,
    validation_status,
    failure_reason,
    cert_serial,
    notBefore,
    notAfter,
    effective_resources,
    derived_payload
}
]]></artwork>
      <t>The <tt>cert_serial</tt>, <tt>notBefore</tt>, and <tt>notAfter</tt> fields record the serial number and validity interval of the CA certificate or the EE certificate associated with the signed object.  The <tt>effective_resources</tt> field is relevant only for valid subordinate CA certificates and records the subordinate CA's current effective resources. The <tt>derived_payload</tt> field is relevant only for valid payload-carrying signed objects. For example, <tt>derived_payload</tt> records the effective validated payload generated by ROA and ASPA objects.</t>
      <t>The <tt>failure_reason</tt> field is relevant only for objects that were invalid in the cached state. This field requires distinguishing at least failures caused by the validation time being earlier than the relevant <tt>notBefore</tt> time and failures caused by CRL revocation. Such objects can become valid in a later validation cycle if the current validation time has entered the relevant validity interval, or if the current CRL no longer revokes the relevant certificate serial number.</t>
    </section>
    <section anchor="incremental-validation-procedure">
      <name>Incremental Validation Procedure</name>
      <t>After the RP has obtained an updated local repository snapshot, validation starts from the configured trust anchors and proceeds top-down. In this document, the recursive validation process is modeled as repeated execution of <tt>ValidatePP(CA)</tt> for each currently valid CA encountered during the traversal.</t>
      <t>For each accepted trust anchor or validated subordinate CA, the RP computes the corresponding <tt>CA_ID</tt>. If no usable cache entry exists for the <tt>CA_ID</tt>, the publication point is processed as a new CA publication point as described in <xref target="sec-new-pp"/>. If a usable cache entry exists, the publication point is processed as an existing CA publication point as described in <xref target="sec-existing-pp"/>.</t>
      <section anchor="trust-anchor-processing">
        <name>Trust Anchor Processing</name>
        <t>The RP starts validation from its configured trust anchors. Trust anchor processing follows the applicable TAL processing rules <xref target="RFC8630"/> and the RP's local trust anchor configuration.</t>
        <t>After a trust anchor has been accepted in the current validation cycle, it is treated as a special self-signed root CA for the purpose of its publication point processing. The RP computes the corresponding <tt>CA_ID</tt> for the accepted trust anchor certificate. If a usable cache entry exists for this <tt>CA_ID</tt>, the trust anchor publication point is processed as an existing CA publication point as described in <xref target="sec-existing-pp"/>. Otherwise, it is processed as a new CA publication point as described in <xref target="sec-new-pp"/>.</t>
        <t>If a trust anchor is not accepted in the current validation cycle, its subtree does not contribute to the current validated payload output.</t>
      </section>
      <section anchor="sec-new-pp">
        <name>New CA Publication Point</name>
        <t>A CA publication point is considered new when the <tt>CA_ID</tt> of the current CA does not match any usable entry in the validation cache. For a new CA publication point, the RP performs full validation for that publication point according to the applicable RPKI specifications, including resource certificate and CRL validation <xref target="RFC6487"/> <xref target="RFC9829"/>, signed object validation <xref target="RFC6488"/> <xref target="RFC9589"/>, manifest validation <xref target="RFC9286"/>, and validation of supported payload-carrying object types such as ROAs <xref target="RFC9582"/> and ASPA objects <xref target="I-D.ietf-sidrops-aspa-profile"/>. In general, the RP may:</t>
        <ol spacing="normal" type="1"><li>
            <t>locate and validate the manifest and CRL associated with the current CA;</t>
          </li>
          <li>
            <t>check that the objects referenced by the manifest are present in the current local repository snapshot and match the hashes recorded in the manifest;</t>
          </li>
          <li>
            <t>fully validate the objects referenced by the manifest, generate validated payloads from valid payload-carrying objects, and recursively process valid subordinate CAs;</t>
          </li>
          <li>
            <t>record the resulting publication point state, including <tt>ca_effective_resources</tt> and per-object state, in the validation cache for later validation cycles.</t>
          </li>
        </ol>
        <t>This subsection does not redefine the validation rules for RPKI objects. Certificate and CRL validation, manifest processing, signed object validation, and payload extraction follow the applicable RPKI specifications for the corresponding object types.</t>
      </section>
      <section anchor="sec-existing-pp">
        <name>Existing CA Publication Point</name>
        <t>A CA publication point is considered existing when the <tt>CA_ID</tt> of the current CA matches a usable entry in the validation cache. A <tt>CA_ID</tt> cache hit indicates that the CA certificate object itself has not changed. It does not, by itself, indicate that the CA is reached under the same resource context, or that all cached validation results can be reused.</t>
        <section anchor="ca-effective-resource-context-checking">
          <name>CA Effective Resource Context Checking</name>
          <t>The RP first compares the current effective resources (<tt>effective_resources</tt>) of the CA certificate, as computed when validating that CA certificate in its parent publication point, with the cached <tt>ca_effective_resources</tt> of the CA's own publication point cache.</t>
          <t>If the two values differ, the RP does not reuse the cached publication point state or cached object validation state for this CA publication point. The publication point is processed by full validation as described in <xref target="sec-new-pp"/> under the current <tt>ca_effective_resources</tt>.</t>
          <t>If the two values are equal, the RP processes the current manifest and CRL as described in <xref target="sec-mft-process"/>.</t>
        </section>
        <section anchor="sec-mft-process">
          <name>Manifest and CRL Processing</name>
          <t>The RP locates the current manifest and CRL associated with the CA in the current local repository snapshot and computes their object hashes. If either the manifest or the CRL is missing, the RP may fall back to the cached publication point state according to local policy.</t>
          <t>The RP then applies one of the following cases.</t>
          <t><strong>Case 1: Manifest and CRL unchanged.</strong></t>
          <t>If both the current manifest hash and the current CRL hash match the cached manifest hash and cached CRL hash, the RP checks the cached manifest <tt>thisUpdate</tt> and <tt>nextUpdate</tt> values and the cached CRL <tt>thisUpdate</tt> and <tt>nextUpdate</tt> values against the current validation time.</t>
          <t>If these checks succeed, the RP processes the publication point as described in <xref target="pp-reuse"/>. If either the cached manifest or the cached CRL is not valid at the current validation time, the publication point is considered invalid for the current validation cycle.</t>
          <t><strong>Case 2: Manifest changed.</strong></t>
          <t>If the current manifest hash differs from the cached manifest hash, the RP validates the current manifest and current CRL according to the applicable RPKI validation rules. The current CRL must be referenced by the current manifest and must match the hash recorded in the current manifest.</t>
          <t>If validation succeeds, the RP uses the object set defined by the current manifest and processes the publication point as described in <xref target="object-reuse"/>. If the manifest or CRL validation fails, the RP may fall back to the cached publication point state according to local policy.</t>
        </section>
        <section anchor="pp-reuse">
          <name>Publication-Point-Level Reuse</name>
          <t>Publication-point-level reuse is used when the <tt>CA_ID</tt>, <tt>ca_effective_resources</tt>, manifest hash, and CRL hash all match the cached state.</t>
          <t>In this case, the RP reuses the cached validation state for the publication point, subject only to checks that depend on the current validation time.</t>
          <ol spacing="normal" type="1"><li>
              <t>For each cached object that was valid in the cached state, the RP checks whether the relevant certificate or signed object is valid at the current validation time.</t>
            </li>
            <li>
              <t>For each cached object that was invalid only because the validation time was earlier than the relevant <tt>notBefore</tt> time, the RP checks whether the relevant certificate or signed object is within its validity interval at the current validation time. If it is, the RP fully validates the object before treating it as valid in the current validation cycle.</t>
            </li>
            <li>
              <t>If an object is valid in the current validation cycle and is a payload-carrying signed object, its <tt>derived_payload</tt> contributes to the current validated payload output.</t>
            </li>
            <li>
              <t>If an object is valid in the current validation cycle and is a subordinate CA certificate, the RP recursively applies <tt>ValidatePP(child CA)</tt> using the subordinate CA's <tt>effective_resources</tt>.</t>
            </li>
          </ol>
          <t>Cached objects that are not valid in the current validation cycle do not contribute to the current validated payload output.</t>
        </section>
        <section anchor="object-reuse">
          <name>Object-Level Reuse</name>
          <t>Object-level reuse is used when the <tt>CA_ID</tt> and <tt>ca_effective_resources</tt> match the cached state, but the current manifest hash differs from the cached manifest hash.</t>
          <t>The current manifest defines the object set of the current publication point. Objects that are not referenced by the current manifest do not contribute to the current validated payload output.</t>
          <ol spacing="normal" type="1"><li>
              <t>For every object referenced by the current manifest, the RP checks that the corresponding raw object exists in the current local repository snapshot and that the object hash matches the hash recorded in the current manifest. If any referenced object is missing or has a mismatching hash, the RP may fall back to the cached publication point state according to local policy.</t>
            </li>
            <li>
              <t>For each object referenced by the current manifest, the RP looks for cached object validation state using the object's filename and hash.</t>
            </li>
            <li>
              <t>If matching cached object validation state exists and the object was valid in the cached state, the RP checks whether the relevant certificate or signed object is valid at the current validation time. If the current CRL hash differs from the cached CRL hash, the RP also checks whether the relevant certificate serial number is revoked by the current CRL. If these checks succeed, the cached object validation result is reused.</t>
            </li>
            <li>
              <t>If matching cached object validation state exists and the object was invalid in the cached state, the RP uses the recorded <tt>failure_reason</tt> to decide whether the object needs to be validated again. The RP fully validates the object again only when one of the following conditions is met:  </t>
              <ul spacing="normal">
                <li>
                  <t>the previous failure was caused by the validation time being earlier than the relevant <tt>notBefore</tt> time, and the relevant certificate or signed object is within its validity interval at the current validation time; or</t>
                </li>
                <li>
                  <t>the previous failure was caused by CRL revocation, the current CRL hash differs from the cached CRL hash, and the current CRL no longer contains the relevant certificate serial number.</t>
                </li>
              </ul>
              <t>
If neither condition is met, the object remains invalid in the current validation cycle.</t>
            </li>
            <li>
              <t>If no matching cached object validation state exists, the RP fully validates the object according to the applicable RPKI validation rules.</t>
            </li>
            <li>
              <t>For each object that is valid in the current validation cycle, the RP processes the object according to its type. If the object is a payload-carrying signed object, its derived payload contributes to the current validated payload output. If the object is a subordinate CA certificate, the RP recursively applies <tt>ValidatePP(child CA)</tt> using the subordinate CA's current <tt>effective_resources</tt>.</t>
            </li>
          </ol>
          <t>Objects that are not valid in the current validation cycle do not contribute to the current validated payload output.</t>
        </section>
        <section anchor="updating-the-publication-point-cache">
          <name>Updating the Publication Point Cache</name>
          <t>After the existing CA publication point has been processed successfully for the current validation cycle, the RP updates the cache entry for the corresponding <tt>CA_ID</tt>.</t>
          <t>The updated cache entry records the current <tt>ca_effective_resources</tt>, current manifest state, current CRL state, and the validation state of the objects in the current publication point. The previous cache entry for the same <tt>CA_ID</tt> is replaced by the newly computed publication point state.</t>
          <t>Implementations may update the cache using any internal mechanism. To avoid using partially updated validation state in later cycles, an implementation can update the cache entry atomically after the publication point has been processed.</t>
        </section>
      </section>
    </section>
    <section anchor="failure-handling-and-fallback">
      <name>Failure Handling and Fallback</name>
      <t>If a new CA publication point cannot be validated, no previous publication point state exists for the corresponding <tt>CA_ID</tt>. In this case, the publication point is invalid for the current validation cycle, and no valid cache entry is created for that <tt>CA_ID</tt>.</t>
      <t>For an existing CA publication point, processing can fail if the current manifest is invalid, the current CRL is invalid, the current repository snapshot is inconsistent with the current manifest, or the publication point has to be fully validated but full validation does not succeed. In these cases, the RP may use the cached publication point state for the same <tt>CA_ID</tt> as a fallback according to local policy. This fallback represents the last successfully validated state for that CA publication point.</t>
      <t>Fallback to cached publication point state is a local policy behavior and is outside the equivalence guarantee of this procedure. When fallback is used, the RP still applies checks that depend on the current validation time, such as validity-time checks for the cached manifest, cached CRL, and cached objects. Objects that remain valid after these checks may contribute to the current validated payload output.</t>
      <t>An implementation should not replace a previous valid cache entry with partial or failed state. The cache entry for a <tt>CA_ID</tt> should be updated only after the publication point has been successfully processed in the current validation cycle.</t>
    </section>
    <section anchor="correctness-considerations">
      <name>Correctness Considerations</name>
      <t>The correctness of this procedure relies on the following properties:</t>
      <ol spacing="normal" type="1"><li>
          <t>Validation still proceeds top-down from the accepted trust anchors, so only currently reachable objects can contribute to the validated payload output.</t>
        </li>
        <li>
          <t>The <tt>CA_ID</tt> binds cached state to a specific CA certificate object. If the CA certificate changes, the cache entry is not reused and the publication point is processed as new.</t>
        </li>
        <li>
          <t>Publication-point-level reuse is used only when the <tt>CA_ID</tt>, <tt>ca_effective_resources</tt>, manifest hash, and CRL hash all match the cached state. Cached results are reused only after applying checks that depend on the current validation time.</t>
        </li>
        <li>
          <t>If the <tt>CA_ID</tt> matches but the current <tt>ca_effective_resources</tt> differ from the cached <tt>ca_effective_resources</tt>, this procedure does not reuse cached publication point state or cached object validation results from that publication point.</t>
        </li>
        <li>
          <t>During object-level reuse, the current manifest defines the object set of the publication point. A cached object validation result is reused only for an object that is referenced by the current manifest and has the same filename and hash as the cached object state.</t>
        </li>
        <li>
          <t>A cache hit does not bypass checks that may change across validation cycles. The current validation time is applied before reuse. When object-level reuse is performed with a CRL that differs from the cached CRL, the relevant certificate serial number is checked against the current CRL before reuse.</t>
        </li>
      </ol>
      <t>Under these conditions, the incremental procedure preserves the validation result of a complete top-down validation over the same repository snapshot, trust anchor set, validation policy, and validation time.</t>
    </section>
    <section anchor="sec-security">
      <name>Security Considerations</name>
      <t>This document does not change the syntax or validation semantics of any RPKI object. The main security consideration is that cached validation state <bcp14>MUST NOT</bcp14> be reused unless the cache reuse conditions specified in this document are satisfied. In particular, an RP <bcp14>MUST</bcp14> apply the current validation time, <bcp14>MUST</bcp14> apply the current CRL state when required by this procedure, and <bcp14>MUST</bcp14> confirm that the current effective resource context matches the cached state before reusing cached validation results.</t>
      <t>Implementations should protect the integrity of the validation cache. Corruption or unauthorized modification of cached validation state could cause an RP to reuse incorrect validation results. If cache state is missing, inconsistent, or cannot be trusted, the RP should perform full validation for the affected publication point.</t>
      <t>Fallback to cached publication point state is a local policy behavior and is outside the equivalence guarantee of this procedure.</t>
    </section>
    <section anchor="sec-iana">
      <name>IANA Considerations</name>
      <t>This document has no IANA requests.</t>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC8630" target="https://www.rfc-editor.org/info/rfc8630" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8630.xml">
        <front>
          <title>Resource Public Key Infrastructure (RPKI) Trust Anchor Locator</title>
          <author fullname="G. Huston" initials="G." surname="Huston"/>
          <author fullname="S. Weiler" initials="S." surname="Weiler"/>
          <author fullname="G. Michaelson" initials="G." surname="Michaelson"/>
          <author fullname="S. Kent" initials="S." surname="Kent"/>
          <author fullname="T. Bruijnzeels" initials="T." surname="Bruijnzeels"/>
          <date month="August" year="2019"/>
          <abstract>
            <t>This document defines a Trust Anchor Locator (TAL) for the Resource Public Key Infrastructure (RPKI). The TAL allows Relying Parties in the RPKI to download the current Trust Anchor (TA) Certification Authority (CA) certificate from one or more locations and verify that the key of this self-signed certificate matches the key on the TAL. Thus, Relying Parties can be configured with TA keys but can allow these TAs to change the content of their CA certificate. In particular, it allows TAs to change the set of IP Address Delegations and/or Autonomous System Identifier Delegations included in the extension(s) (RFC 3779) of their certificate.</t>
            <t>This document obsoletes the previous definition of the TAL as provided in RFC 7730 by adding support for Uniform Resource Identifiers (URIs) (RFC 3986) that use HTTP over TLS (HTTPS) (RFC 7230) as the scheme.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8630"/>
        <seriesInfo name="DOI" value="10.17487/RFC8630"/>
      </reference>
      <reference anchor="RFC6487" target="https://www.rfc-editor.org/info/rfc6487" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6487.xml">
        <front>
          <title>A Profile for X.509 PKIX Resource Certificates</title>
          <author fullname="G. Huston" initials="G." surname="Huston"/>
          <author fullname="G. Michaelson" initials="G." surname="Michaelson"/>
          <author fullname="R. Loomans" initials="R." surname="Loomans"/>
          <date month="February" year="2012"/>
          <abstract>
            <t>This document defines a standard profile for X.509 certificates for the purpose of supporting validation of assertions of "right-of-use" of Internet Number Resources (INRs). The certificates issued under this profile are used to convey the issuer's authorization of the subject to be regarded as the current holder of a "right-of-use" of the INRs that are described in the certificate. This document contains the normative specification of Certificate and Certificate Revocation List (CRL) syntax in the Resource Public Key Infrastructure (RPKI). This document also specifies profiles for the format of certificate requests and specifies the Relying Party RPKI certificate path validation procedure. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6487"/>
        <seriesInfo name="DOI" value="10.17487/RFC6487"/>
      </reference>
      <reference anchor="RFC9829" target="https://www.rfc-editor.org/info/rfc9829" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9829.xml">
        <front>
          <title>Handling of Resource Public Key Infrastructure (RPKI) Certificate Revocation List (CRL) Number Extensions</title>
          <author fullname="J. Snijders" initials="J." surname="Snijders"/>
          <author fullname="B. Maddison" initials="B." surname="Maddison"/>
          <author fullname="T. Buehler" initials="T." surname="Buehler"/>
          <date month="July" year="2025"/>
          <abstract>
            <t>This document revises how the Resource Public Key Infrastructure (RPKI) handles Certificate Revocation List (CRL) Number extensions. This document updates RFC 6487.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9829"/>
        <seriesInfo name="DOI" value="10.17487/RFC9829"/>
      </reference>
      <reference anchor="RFC6488" target="https://www.rfc-editor.org/info/rfc6488" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6488.xml">
        <front>
          <title>Signed Object Template for the Resource Public Key Infrastructure (RPKI)</title>
          <author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
          <author fullname="A. Chi" initials="A." surname="Chi"/>
          <author fullname="S. Kent" initials="S." surname="Kent"/>
          <date month="February" year="2012"/>
          <abstract>
            <t>This document defines a generic profile for signed objects used in the Resource Public Key Infrastructure (RPKI). These RPKI signed objects make use of Cryptographic Message Syntax (CMS) as a standard encapsulation format. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6488"/>
        <seriesInfo name="DOI" value="10.17487/RFC6488"/>
      </reference>
      <reference anchor="RFC9589" target="https://www.rfc-editor.org/info/rfc9589" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9589.xml">
        <front>
          <title>On the Use of the Cryptographic Message Syntax (CMS) Signing-Time Attribute in Resource Public Key Infrastructure (RPKI) Signed Objects</title>
          <author fullname="J. Snijders" initials="J." surname="Snijders"/>
          <author fullname="T. Harrison" initials="T." surname="Harrison"/>
          <date month="May" year="2024"/>
          <abstract>
            <t>In the Resource Public Key Infrastructure (RPKI), Signed Objects are defined as Cryptographic Message Syntax (CMS) protected content types. A Signed Object contains a signing-time attribute, representing the purported time at which the object was signed by its issuer. RPKI repositories are accessible using the rsync and RPKI Repository Delta protocols, allowing Relying Parties (RPs) to synchronize a local copy of the RPKI repository used for validation with the remote repositories. This document describes how the CMS signing-time attribute can be used to avoid needless retransfers of data when switching between different synchronization protocols. This document updates RFC 6488 by mandating the presence of the CMS signing-time attribute and disallowing the use of the binary-signing-time attribute.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9589"/>
        <seriesInfo name="DOI" value="10.17487/RFC9589"/>
      </reference>
      <reference anchor="RFC9286" target="https://www.rfc-editor.org/info/rfc9286" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9286.xml">
        <front>
          <title>Manifests for the Resource Public Key Infrastructure (RPKI)</title>
          <author fullname="R. Austein" initials="R." surname="Austein"/>
          <author fullname="G. Huston" initials="G." surname="Huston"/>
          <author fullname="S. Kent" initials="S." surname="Kent"/>
          <author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
          <date month="June" year="2022"/>
          <abstract>
            <t>This document defines a "manifest" for use in the Resource Public Key Infrastructure (RPKI). A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository. For each certificate, Certificate Revocation List (CRL), or other type of signed objects issued by the authority that are published at this repository publication point, the manifest contains both the name of the file containing the object and a hash of the file content. Manifests are intended to enable a relying party (RP) to detect certain forms of attacks against a repository. Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect replay attacks, and unauthorized in-flight modification or deletion of signed objects. This document obsoletes RFC 6486.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9286"/>
        <seriesInfo name="DOI" value="10.17487/RFC9286"/>
      </reference>
      <reference anchor="RFC9582" target="https://www.rfc-editor.org/info/rfc9582" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9582.xml">
        <front>
          <title>A Profile for Route Origin Authorizations (ROAs)</title>
          <author fullname="J. Snijders" initials="J." surname="Snijders"/>
          <author fullname="B. Maddison" initials="B." surname="Maddison"/>
          <author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
          <author fullname="D. Kong" initials="D." surname="Kong"/>
          <author fullname="S. Kent" initials="S." surname="Kent"/>
          <date month="May" year="2024"/>
          <abstract>
            <t>This document defines a standard profile for Route Origin Authorizations (ROAs). A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block. This document obsoletes RFC 6482.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9582"/>
        <seriesInfo name="DOI" value="10.17487/RFC9582"/>
      </reference>
      <reference anchor="I-D.ietf-sidrops-aspa-profile" target="https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile-27" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-sidrops-aspa-profile.xml">
        <front>
          <title>A Profile for Autonomous System Provider Authorization</title>
          <author fullname="Job Snijders" initials="J." surname="Snijders">
            <organization>BSD Software Development</organization>
          </author>
          <author fullname="Alexander Azimov" initials="A." surname="Azimov">
            <organization>Yandex</organization>
          </author>
          <author fullname="Eugene Uskov" initials="E." surname="Uskov">
            <organization>JetLend</organization>
          </author>
          <author fullname="Randy Bush" initials="R." surname="Bush">
            <organization>Internet Initiative Japan</organization>
          </author>
          <author fullname="Russ Housley" initials="R." surname="Housley">
            <organization>Vigil Security, LLC</organization>
          </author>
          <author fullname="Ben Maddison" initials="B." surname="Maddison">
            <organization>Workonline</organization>
          </author>
          <date day="19" month="June" year="2026"/>
          <abstract>
            <t>This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its transit providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-sidrops-aspa-profile-27"/>
      </reference>
      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 314?>



  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA80863LURrr/9RR94McGamYKCMkas8nuxCYV1xrstc2eyqEo
3CP12Fo0kqKWMBOX32WfZZ/sfJfuVrcu4zEBzuFHMpb68vV3v6mn02lUp3Wm
dsVcHDeLLI1lnRb59LhI83r6k9QqEQd5XKmVymuZiX/KLE1oiDiuilglTaXE
sqjEyfHfD8SJytZpfiGOZVWnSkdysajUh13z8nhkpSgp4lyuAIakkst6qpup
TpOqKPW0Kt+n8J9p2k6cfnATp48eRcVCF5mqld6NmhIe4w/8324EJ1EXRbXe
FbpOIt0sVqnWMOtsXcJWBy/Ofo6itKx2RV01un7y6NGzR08iWSm5K45KVdEO
Wsg8ES9lLi9o++iqqN5fVEVT7orTg/2To+PT6L1aw9OETzkJcLCOItnUl0W1
G4lpJESa613x60ycNvAHH/lXGEvj6VlRXcg8/Z323hX/c1nkFxeNzOMmF4dy
UQBQcCAYp1YyzeBgzXr9N/w5+/0izuRiBvSYxTkMiNMaDv6TSv8Fa+PfRZPX
iIu9yzSXkQfO4Uz8I80dPIew26UCePjhHQH6Lc2z+I9CtD8Th6kDaF/m/GcI
ypmGZS4bKV7n6QdVaVi9BaMukEXyv9Vm0PZQ5EW1gh0+AP8IcfLz3s733z4y
P79/uvNn8/PZzpNn7dMd+/S7Hfv02ZOd79unT/DnwXR/lqp66Xhb6lJOy6pY
piB+0Ww2i6LpdCrkQteVjOsoGhIpAHi1KvJsLYBFQe5WcNZymhRXuWjlQhRL
UV8qFrtYwcQlyrUCTldKgIipSlSqLABpQD2h10DyqrC4nYkXH1Nd46bjg8RK
xZdADr0CkIBCLHu0a1bEIN7eVE94s/VEyA9FmuDqEg9TovDC6LpKFZwAQYdh
/nRYWM7EL8WVAjpPDPi6iS9BNv21/TkMzgRHgNpJcRcaxKBLOE6d8i5K1mLZ
wO9BPMKOg2eaiYMaUCBBQdSXsAJjG1YFKmmxrIoVPSLNIlCiiopViaGabo/u
bQeCF7/XpE4RB3FTVQA00BqUEmB7kRmSFot/qRj2UTmxr6pASYMiRpzyrhIl
QmYz4B48IL4ghHl74SZ2navLQgeApHnZwPNLWEfkRS2Q1BewSUwYr6siaWIl
mjxXsdJaAsI7SLtUMgF+PrtMtQDt3iDyhS5VDJwITCxF6dmakmzNgmyNT09v
zXLA1hzrmTiD47bvYDNYSeUJLFQXgDUCE/+Xgzao/QVRjxtWGmGhDsNPAEsg
qLCb0qr6YHGtQUf568LbJgOS4xlvZyua7e+Zy1JfFvUk4ByhFTzxsQHqLUZJ
AobyHtfpSiFKfJwnBaC7JSHvuoazfgR96k/WoDrzOo01SWC+9jltJlg1rdIk
yVQE/+6DKWc2oMnX97WKp8QZN1ZvHWu7vOFalGOxWFv2tBjs6SeWnkBygJhg
v8HIgo6GYXtzI0xynRUymcayqkhJ6vQiB9obvp4YLaHFyZGZMT89nhsUDRFm
VSQqA7HSwE1GslHyzILIX6ijGoABOZXBL4DjPtaItRREBlyMBiHZm0/otSxL
5HMUXcBvulS67r3YOznsPVPLJewIdgg5qmiq2O3EZKetWT/0WcDpysqJ/ygv
sgzg8PUmdR+vY4AqlH/ENlEuhMHK/wRXBUkDb0KQxZJCr1CvlUXlWylPFQhS
BaB3tFU5X0SJdPVGo9GwAqFVIE+gzYHZpNZFnBLJr9L6EijbhxhYrS4uFJym
4kE+eSzdiW5M60IkoPqrVZorVCuhZmYVwmZ1gTpiqcgENHg0XINnGGOxQjlZ
IJtM1UcVNwAnH4/MERo5I2/E0GrcqHiy17VcvGCSAk/C3JgULQlHk1vLYE1J
UpC2sYYhpX1+a9JKGWZUKLYk/RNiIFkjBQBA1gGkafGQxLBG7jzkGDPH/Oqb
TuTPTcwC7FbiSGCJ0JiQlWBnZ8xOgFeaJmrQmRjVt4laInUloOLK16W4J3iY
k55mPjnZP0adXKHoAUXB+KZFxchwY0FBpcs1UWhMd3edPuBNy4HwE/gP/ov6
cELKsNWV6A8QA9MCoSZlBiAJAaaqQOuTgkTQADE5bgUcBmfWcZUurHL08QJx
FSqwWJV1I7PnHSxq8smAwQXyCpwMp6Apr3I2ymh07VgGxhn6uACGjusc+A0p
Cw5WvbYMOiEKfxlLyyr7Vn+lZGWpe96CcvZLFE0N/tZmp2GGRveERQn30xip
QSh2oZDplYAoFJk10eLey9enZ/cm/H/x6oh+n7z4x+uDkxf7+Pv0l/nhofsR
mRGnvxy9Ptxvf7Uz945evnzxap8nw1MRPIruvZz/eo9RdO/o+Ozg6NX88N4w
B4DiWzDpKiApokDqKOCan/aO//Pvx0/F9fV/Qez05PHjZzc35o+dx39+Cn+g
PeHdyKjwn4DcdQTmU0n059h7lmUKVAHOBrwCqQGbwN2oIx6+Qcy83RV/WcTl
46c/mgd44OChxVnwkHDWf9KbzEgceDSwjcNm8LyD6RDe+a/B3xbv3sO//DVD
BTR9vPPXH9ll2yP5PWWrBvj7qShqjDXLEmPh6GCYlRNQ2zmwVZH3baNh7gTd
OomuMaisRvf1svhvdALyAkScDA5rEoVhpp7Y4GmZViCIxaKWKeZd2gipF1Ba
4YXlUHGj36VVBkoAIBmNU53flLdB2KhXNGYH922URaFGWqcBrtxRrIiPm9wR
LwLUSdYk1jVuPUZyGxB+6ayihtWMPSb8k6NKG7t5rCkHXAtHt8Q7D+ksUKKS
PSIKoRZNmiVG0fFprRGA081Y8/AT4604XU2yDVRcMXsxRiWeu7UYuEPXlBFf
jXqGXWeMvJC9+W4UCfjXphSZ1X8Q1/Qc/+3N3x3si+mPfpaTkpwkDzQMQpe5
ZU1MCqEVAZGg3UjXUGCOR6Bt0UtdKJV7Ch3iDUQhstWa9NC4TBhPDgPvYQdY
dojJ5DcPgR9mYi7O6VTnLUq1j08ACGD14yvjgtgAYmv8MiOFdhiwY9DOqP1B
fAM/vN3evT45mOBRLrsvGIwHDxDffRh8CmDMQ+qgtkwH/pQy8b3vQ7PvPXgo
cm3SPEk/pEkjW/EhCwXHG5jgmLnhcALwnkmMk7pUNBgY5CliP8d/sXznYrp3
NqbTk3aApfOux7T4DyR0EjxAjIZPUHxfc8YreJ5DuNh9fuNtGVfZV9zN4L27
4zeY/8RULzhr8OsdbvgABfWIxrcy3QoqrWxF9udilO7nw0g/B8LG5CrhvDbS
PjgWMkkq0oGUKxB5s1pQrtTMtIqpI1YQNmDgR2HZsFxdyTYbAvGZhblV8Oct
Vs9p9/MWnees6a22ROcTUKWyRNskhNMRag+TBHndbkGW4w6rw3iGNEU3Gj01
+As0Pal6MJzTfkzGcunjNM05ysG3vrzGGEZZYR1WjiaBdlcJHGSWwAAEnO14
zj0J+ZwP+a5el96Qdut3eORGe+vJNANvH3hMavADWgkDLnmnIbiVWfsQArmf
FCBIBY/mmIhpnwwqC/sS2A3eJO9MAGFFAUl07m15DpR3m51PDOXNVueWh5hw
rGFpmmV7F/T4rDAiAobbXrwInvbNiQojy5kgy3I+KKUEHxrhCpy7DxiYOyvM
VjDMCQZBLwHvs2Q49k/apWf6mTYTYZ53sLwFQLckJFkq1UeJju1kYINhvdQP
GC9UjgVKdvwgmHe5TbeTYYaQLzeewJpFsolXCtPpOZ/KZjo5QcauH6c9eDmT
4IFYj8tGTaovqb5Tiwz2ra10YEqLxHnRy2CQTlsoSu3IKiPfENx2GuZA9XiZ
J1CeqL82qjDQLEVsMjSnjUvh2qwaxBZm/026RaTLTYlWctOUqb8EkPakhn2Q
cDUEE0KirMgvyMZ8KN4b/82t48tSIJszk4PfXJgH/4qyuyYqQXA5vKJEoimS
JePx1aSj5YPaFrhmy/SiobP3y1wIgkraLPsMgA0TAhNzVECH9rjcZU80JtM5
I8+xhMsfcp7TZJDPzcHV8TG4mQ/OiZcpFmrDLuMzz28vmEXsT9B8GWO2qnM8
r2qiugrIhX8YuTYu+sP8lC6LnMI647EDOpb9eJhcXo6KXeLKTJiMOBZt3GYD
Lsw3DkWX+DZItVxfY9EGhk/L8uaGIJLjAG0NQM4TuAiyNRh2DsOC3H1fnBHe
54z3Y96EMhUuvU0c2Q3bMR0wxpwzs6ghZukWBXxnWXGlu3WYs/mhP6pqMiDr
G9MY8NZFUifHYFFYjgJusXDYFB7LowwHuUDScZzVuH29Q3ppAmekFKcJTonu
lOuG/bXKsMeA7E5VFBi+OWYqm6rEiNMUq/rEaY/qigi3M7NbflhiPCV2G5OZ
leBoAdsHy30lFhRH6KRepdph+zPJWRQRDoIzpZzdvwv9NSofqtm0hQTw/WHX
plbWme8s0Es5z0jOXvFJvCBWUBRryroGcgzWB8+bkrhhhQTFDdFCJT9PeVmf
0Vm+uVfRkDV1cqwtV5jUS951EYhb2IMaR75TwWGKr9P3MBz2I/pJm19Y9Hl6
gIsiXE7iSUG2ri3S+t4v1/v83a+vTSMRZbVNJ9HNzSR0FIdm7LgZ3+3QDBfz
eYPfmNajt72KBVBANyVWXtWAm2q2xXBHh0XzN6aD6W3PxRRvNnY0vSWLz45q
5siykmsI2B7PSFcaFLkugSCStcgbCiFaPnoePZlxJbTtwxlOj4aLV6aRg8pM
wZrjyWaEiLkVx2O8qGzw1Iqs3eJ59O1McB4wON/twE2cd98XW+N+jQQbrpRn
Yh92rLBVzPhTQ1GTfh49nfkxIAfguF5fQsj39/l+NMNiep1stsBNHJRqEsph
F1zbmi5ArRV3mzjdAfqGq6ydRdlKu04hF33tbRROT6RaMzgumRO/BQUMDjXt
sYZBT2ILBeLsZmhVfWE0ntALz5yNqWnffG2pq52V3EJhE+dT18V2erpNTjOJ
L9GIwgFjUxYxwjqcoAbzBl4MOUZe+xk13VniT1BueNzELRysS1Eux6ycoPPq
wN2WGmsUuHDYbQTpdGRwUops533c6IWL1E/swnumK2gPVRN1mlqnlatc6FTJ
KqwPDWUixDeDqZEHw1kYKnUafy1hotpTUKRDufwA30A+cgQlATBgTludy1gZ
FXgHEDjCWEwbyetjK9kBD62vCgSvocQBtpY4K+EJOPYEeNuPqCSknxkxlp50
nuWQXJiGoM2eJfBb15nY7Op5bGdJPIa+2RBW0Eqp3xrPfFpgQr4ZsJlDYK2W
9dQsQG4ocu/L7tQ2zDJqxZ/lIi+23rdC0bfcKJZ3sbd+8JHaHJWxvRRMqNQV
fhwAbeabMgipUeStCyKWKOcLiV5DsQ17BZ4hQ8ydITOHEiosk77HMkHuaphs
DXBqLDUp9IcP9+CXeLzbx77rp5o9fEgcsSjGmskQB71OQFyDXrR+ijlZf555
Yae0yQvuKxuau7mMYLnWwtSuv928Cyz01ZsSbk5KAH0GTKq4qmREQrYJzspy
SmrGpEA8huoev6i6BzNxG/tVciPsG/InnkW2KVfnGYxEgC0bPfHYqMM843zD
+tZP5g1wyeZuhlDefQa8NYzqemqmu8xbom1q7HrJg7vT8NA17znm3YnMS76Z
YE5q+1Eay0XWh1W2q28zNHdnQd4gYMOuQuvEkZj11l9MpaFl6H8MdqggmAAX
B03y9X0nNlHkD+U23IyGsvUGBqfEfNfHHC/PTrp8aNUj6y44Z0+92X4Um2RG
XevQQ3AEGm3EOxgsIkPgQeSnQgngyulHWZveKGyN2qy1HpvKD6WlAz+Fqy22
OjxUaukqZr/XYbBQgG2MQcyS6q00FMD55HY4rYYidCwUVV0Gqzk4ePtazmc5
JboZxqPt1y1vOTwKHeX52n60IHoPVMGCIOf8K3egiR4JxzX3t5wGzXv0uWUq
99tS4/vGOiOnB/vVxTY/qO+QIHz6h6EdL9N6ItpmK6wT5Vd24kvsQ6P6TuO+
HOmVdAdjJTjCns/KRnTRuW5t921nMW3tn5RhJXXK/QkdHRro/SgyY7ZRnuxF
jcViw+oRIuYmlIFPcApsz193BTaMPXvZySMMBF5HQ0TZwu7/EYpYdUwfERho
b9+y7yFblRKkbyp5Zdc0RY07RTydNKbnzhvsbufdsMyu/WO18mtCImFqTxIf
0Bb4MHD9Prdn4RuYuyM+KwrzeeQtwX6rI3jEn7Tr+CEkG05mRexOfsuihpo2
vjHD/p/YbnHQby7YKNW9uE9mutgazrBRiDJt2L7QIyH1qW6M2UaRbhrBaG2T
b3v6mei1obGl7/07Ues10/Rb2rx9ctP+gGFMq4ooyHWl1Q0eBg1sv3AYySig
yuFUMkq1qrkZ7iG7sra5zoBNJ/+8DTjtp4hfw0V7DgtufbywB2jyqbIxlGBp
e3aC7uStmnYAfGz8MEkGRz9DvonPARXeZZD3mXXcr/zOdpXcTUK2cXjvHtNH
0fd9XU/GbVsHciSnMwQRshPWS5wabBluO2fZ+MrOVfgUV3lo76/m+roE84gL
POhmfXnfF11fyvNZwPvVK3LO/U61zb0brlmmTcwHX13cljlrFXzp5bS8TpTh
opzt22L313bO+fP83s3b0v2Tvj9rrI+vaMwjq4PGvpIJvmfY6Guf+Xpz6MxU
HXMflVDLXSY9zyxXV9m6rTCNeICYhxn6vLO9IoT3ZnZGL9V96um+1gJgC74p
xAwr8f4TvEDEIb+HD0AAF5G5cky3f3Su/uhcVeLjQNbFCg6DO0jHi9vwH/di
/mzM0C9ArozPlcDDLEPP2fT8jLYMAVgoYr6rMEFF7og15mt3mgXHeg17WbHB
PPS2yWdmybww+mPkiynXaNOKDvXu3NKcNfHb7ZBcaN+7rbNOalqo+yZ+7N1Q
5EVjKQ+v8fOJ8Y/4J2IsU0icwf5eaEgTiru7pUNX4zTesKESuclYKApCsC2r
oINizF8VG0bcEJyZjm470H3sxRotwz7uQNF6XbDe5lxi7usebKy1S2MSdfNB
yHb60Lnv4W1WCSwMfZNPBsN+Mx4rcdHICpwwZbSjLeDyrQ/0Fao7ocmtOETz
bQnWBN85zdveNmId2yk51d6lPgNJlYnnc078upxrWgksNzuFNiS0aqoNrZBZ
PslQz3uqEuSiyRKTjiEz0PtiJxB9EhmjpVFIUG79zwX6VlY6HjV7LVrLyheG
bKOHA6ZsnYLb3WX8Itq7O2DPVOHYYpk0l/e+x0/o8XOxtxOWmVsIUryKDnNN
//QNFfJYrzu+jUAGW2jxJpuCUTL0LbH/aUOf+BuI/sR86GKosEjxO28/GsY1
pOtaGm7WcX5v5y0XI7UX5bc2wvV2JBu+Re223IL15JzNdvWmNnb28qZfoOgk
THbZNgnJyn225jExqhUKPj6lfPTU4diSyiYEuxnd0ZQwh7q9SHccGx1e77Tk
/IF2HIsnA8pQJy7HsuZb+6KXFQ/N+ZYp6AF3eL598sn7/jvvBrNbFqnJPbDG
uZeNFDIoUPptkxxK2y/TsY/OEWOxLqUObRVZAL5RRsZVoftfnnfq7d0kENpe
soGJLXMRCoz17FOD5JS7rW2njyTBYRYfT7HYD4C2SS/SCW3+rNMkgnsFkEbR
a9t4pZWXJOvf2OJf00LXuoUf0HucgJeitTdSfO1L3fj+jlPMFGDCLDRVplFL
m7c33UuQPtMVcMgz5HzYjVzfirQpLKL4WIndXrHifdbb5Bla1tZAGOXSpjXt
BU4jNwpp2EDja/KeyfmIm0xW9uJH2pNU72bPbWScC8LZjpjvHI2Y++qRqUar
0Bc/ldFs/mLjN7oF5Z3A/Hps7aXz+soUGaQbchufCmCsWVvxxTsXRDqjFPtt
u+gRNSUzdAUE4utr09/RZcW7p6wKhQXGCB3TvtwYwGSguxhJVeTGoxo6A9o4
73aRoHfPD84mbF5sxExC5bvx5tzmetTh7z/wFtQlXxgzZH3+z0MV/rxz/mo+
LOupzGVPzrlbmmchq+KFX3Rr1Dx+nxdX4IzzHcY6ut5lzaqSH+5BOKTVvRu+
4JFzFf8LxgvVKxVaAAA=

-->

</rfc>
