<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-tsyrulnikov-rats-attested-inference-receipt-02" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="AIR v1">Attested Inference Receipt (AIR): A COSE/CWT Profile for Confidential AI Inference</title>

    <author initials="B." surname="Tsyrulnikov" fullname="Borys Tsyrulnikov">
      <organization>Cyntrisec</organization>
      <address>
        <email>borys@cyntrisec.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="05"/>

    <area>Security</area>
    <workgroup>RATS</workgroup>
    <keyword>attestation</keyword> <keyword>AI inference</keyword> <keyword>receipt</keyword> <keyword>COSE</keyword> <keyword>CWT</keyword> <keyword>EAT</keyword> <keyword>confidential computing</keyword>

    <abstract>


<?line 136?>

<t>This document defines the Attested Inference Receipt (AIR), an
application-layer COSE_Sign1 envelope carrying CWT claims profiled
per the Entity Attestation Token (EAT) framework. An AIR receipt
binds model identity, input/output hashes, attestation-linked
metadata, and operational telemetry into a single signed artifact
suitable for independent third-party verification of a confidential
AI inference. An AIR receipt is Attester-signed Evidence, not an
appraisal verdict: a RATS Verifier must appraise the referenced platform
attestation before the receipt establishes TEE provenance.</t>

<t>AIR v1 targets single-inference receipts emitted by workloads running
inside hardware-isolated Trusted Execution Environments (TEEs). AIR
is attestation-linked: it carries measurements and a hash reference to
the platform attestation evidence associated with the inference, but
it does not replace platform-specific attestation verification. This
version defines AWS Nitro Enclaves and Intel TDX measurement profiles
only, and assumes a single platform attestation document per receipt.
Pipeline chaining, multi-inference receipts, composite attesters,
multi-verifier orchestration, accelerator / GPU confidential-compute
attestation integration, and extensibility mechanisms for additional
claim or platform profiles are out of scope.</t>



    </abstract>



  </front>

  <middle>


<?line 160?>

<section anchor="introduction"><name>Introduction</name>

<t>Deployments that run machine learning models on cloud infrastructure
lack a standardized, interoperable mechanism to prove what happened
during a specific inference. Existing attestation frameworks such as
RATS <xref target="RFC9334"/> establish platform identity and code integrity, but
they do not produce per-inference evidence binding a model, its
inputs and outputs, and the platform state into a single verifiable
artifact.</t>

<t>Platform attestation and ordinary logs are both necessary but
insufficient for this purpose. Platform attestation proves properties
of the workload and its execution environment, typically at a point in
time, while ordinary logs are implementation-specific and often
unsigned. Neither provides a standard, portable object that binds one
inference event to model identity, request/response hashes, and
attestation-linked metadata in a form a third party can verify
independently of the underlying platform.</t>

<t>The Attested Inference Receipt (AIR) fills this gap. An AIR receipt is
an application-layer COSE_Sign1 <xref target="RFC9052"/> envelope whose payload is
a CWT <xref target="RFC8392"/> claims set profiled as an EAT <xref target="RFC9711"/>. The
receipt is signed with Ed25519 <xref target="RFC8032"/> by the workload running
inside a Trusted Execution Environment (TEE). AIR verification is
split into two concerns: AIR-local verification of the signed receipt
itself, and platform-specific verification of the underlying
attestation evidence and key binding. This document standardizes the
former and references the latter, but does not replace platform-
specific attestation procedures.</t>

<t>AIR v1 is scoped to a single inference: one request processed by one
model inside one attested workload produces one receipt. Pipeline
chaining, multi-stage proofs, and integration with transparency logs
(such as SCITT <xref target="SCITT"/>) are deferred to future versions.</t>

<section anchor="goals"><name>Goals</name>

<t>The goals of AIR v1 are:</t>

<t><list style="numbers" type="1">
  <t>Define a receipt wire format using existing IETF standards
(COSE_Sign1, CWT, EAT).</t>
  <t>Bind model identity (cryptographic hash), input/output hashes,
attestation metadata, and operational telemetry in a single
signed envelope.</t>
  <t>Support AIR-local verification using standard COSE/CWT tooling,
while allowing deployments to combine AIR with separate
platform-specific attestation verification as needed.</t>
  <t>Carry platform measurements in a portable receipt shape while
preserving their platform-specific semantics via
<spanx style="verb">measurement_type</spanx>.</t>
  <t>Define an intentionally closed v1 profile with fail-closed
parsing semantics.</t>
</list></t>

</section>
<section anchor="non-goals"><name>Non-Goals</name>

<t>AIR v1 explicitly does not:</t>

<t><list style="symbols">
  <t>Define a transport protocol or session management scheme.</t>
  <t>Specify attestation document verification procedures (these are
platform-specific).</t>
  <t>Define an extension registry or compatibility mechanism for new
claim or platform profiles.</t>
  <t>Prove data deletion or model correctness.</t>
  <t>Provide regulatory certification or compliance guarantees.</t>
  <t>Define pipeline chaining or multi-inference receipts.</t>
  <t>Support composite attesters with multiple distinct attestation
documents per receipt (e.g., CPU TEE + GPU confidential compute).
Workloads running on accelerator-equipped platforms such as
NVIDIA H100 Confidential Compute can emit AIR v1 receipts, but
those receipts cover only the CPU-side attestation; accelerator
attestation is verified out of band and is not embedded in the
receipt. A future composite-attester AIR profile would pair the
CPU-side receipt with device-side Evidence such as the EAT Device
Assignment profile (<xref target="I-D.poirier-rats-eat-da"/>); the RATS
Conceptual Messages Wrapper (<xref target="I-D.ietf-rats-msg-wrap"/>) is a
candidate standard conveyance for carrying platform Evidence and an
AIR receipt together. An AIR v1 receipt emitted on such a platform
<bcp14>MUST NOT</bcp14> be presented as evidence that the accelerator was in a
confidential-computing mode; see <xref target="accelerator-scope"/>.</t>
  <t>Define verifier-emitted Attestation Results. Where a deployment
needs a Verifier-signed appraisal alongside an AIR receipt, an
EAT Attestation Result (EAR, draft-ietf-rats-ear) is the natural
complement.</t>
</list></t>

</section>
</section>
<section anchor="requirements-language"><name>Requirements Language</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="terminology"><name>Terminology</name>

<t>In this document, the term "verifier" (lowercase, or "Verifiers" when
used at the start of a sentence) refers to the AIR Receipt Validator
defined below. This is distinct from the RATS Verifier role defined
in <xref target="RFC9334"/> Section 4.1. Where this document needs to refer to the
RATS Verifier role, it uses the explicit phrase "RATS Verifier."</t>

<dl>
  <dt>Attested Inference Receipt (AIR):</dt>
  <dd>
    <t>An application-layer COSE_Sign1 signed CWT/EAT artifact emitted by
a workload after processing a single AI inference request inside a
TEE. The receipt binds model identity, input/output hashes,
attestation-linked metadata, and operational telemetry.</t>
  </dd>
  <dt>Confidential Workload:</dt>
  <dd>
    <t>The software executing inside a TEE that loads a model, processes
inference requests, and generates AIR receipts. In RATS
<xref target="RFC9334"/> terminology, the confidential workload acts as the
Attester.</t>
  </dd>
  <dt>AIR Receipt Validator:</dt>
  <dd>
    <t>An entity that performs AIR-local checks on a receipt: COSE
signature verification, claim structure validation, and policy
evaluation on receipt contents (see <xref target="verification-procedure"/>).
The AIR Receipt Validator is distinct from the RATS Verifier role
in <xref target="RFC9334"/> Section 4.1. A RATS Verifier appraises Evidence
against reference values and endorsements to produce Attestation
Results; the AIR Receipt Validator does not perform that appraisal.
Full TEE assurance additionally requires platform-specific
verification of the underlying attestation evidence and
signing-key binding; those procedures are outside AIR-local
verification and are performed by a RATS Verifier using
platform-specific procedures.</t>
  </dd>
  <dt>Relying Party:</dt>
  <dd>
    <t>An entity that consumes AIR receipts (together, where applicable,
with platform Attestation Results) to make trust decisions (e.g.,
an auditor, compliance officer, or end user). In RATS <xref target="RFC9334"/>
terminology, this maps to the Relying Party role.</t>
  </dd>
  <dt>Endorser:</dt>
  <dd>
    <t>The TEE hardware vendor (e.g., AWS for Nitro, Intel for TDX) whose
attestation infrastructure anchors trust in the platform
measurements carried by the receipt.</t>
  </dd>
  <dt>Measurement Map:</dt>
  <dd>
    <t>The <spanx style="verb">enclave_measurements</spanx> claim containing platform-specific
register values carried in portability-oriented slots. The
<spanx style="verb">measurement_type</spanx> field determines the actual semantics of those
slots on each platform.</t>
  </dd>
  <dt>Receipt:</dt>
  <dd>
    <t>In this document, "receipt" always refers to an AIR receipt. Note
that this differs from the SCITT usage of "receipt" (which refers
to a countersigned statement from a transparency service). The two
are complementary: a future version could register an AIR receipt
with a SCITT transparency service and receive a SCITT receipt in
return.</t>
  </dd>
</dl>

</section>
<section anchor="air-v1-receipt-format"><name>AIR v1 Receipt Format</name>

<section anchor="cosesign1-envelope"><name>COSE_Sign1 Envelope</name>

<t>An AIR v1 receipt is a tagged COSE_Sign1 structure (CBOR tag 18) as
defined in <xref target="RFC9052"/> Section 4.2:</t>

<figure><artwork><![CDATA[
COSE_Sign1 = [
  protected   : bstr,          ; serialized protected header
  unprotected : map,            ; unprotected header map
  payload     : bstr,           ; serialized CWT claims map
  signature   : bstr .size 64   ; Ed25519 signature
]
]]></artwork></figure>

<t>The signature covers <spanx style="verb">Sig_structure = ["Signature1", protected,
external_aad, payload]</spanx> where <spanx style="verb">external_aad</spanx> is empty (<spanx style="verb">h''</spanx>).</t>

<t>Verifiers <bcp14>MUST</bcp14> reject untagged COSE_Sign1 structures. The CBOR tag 18
is mandatory.</t>

</section>
<section anchor="protected-header"><name>Protected Header</name>

<t>The protected header is a CBOR map containing exactly two entries:</t>

<texttable>
      <ttcol align='right'>Label</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='right'>Value</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>1</c>
      <c>alg</c>
      <c>-8</c>
      <c>EdDSA (Ed25519)</c>
      <c>3</c>
      <c>content type</c>
      <c>61</c>
      <c>application/cwt</c>
</texttable>

<t>Verifiers <bcp14>MUST</bcp14> reject receipts where <spanx style="verb">alg</spanx> is not -8 or where
<spanx style="verb">content type</spanx> is not 61. Additional protected header parameters are
not defined in v1 and <bcp14>MUST NOT</bcp14> be present.</t>

<t>The signing algorithm is Ed25519 (<xref target="RFC8032"/>). Receipts <bcp14>MUST</bcp14> be
verified with the strict procedure specified in
<xref target="verification-procedure"/>, Layer 2: a non-canonical scalar S (S
outside [0, L), where L is the Ed25519 group order), a small-order R
or A point, and any signature failing the cofactorless group equation
are all rejected. This is stricter than the baseline verification of
<xref target="RFC8032"/> Section 5.1.7.</t>

</section>
<section anchor="unprotected-header"><name>Unprotected Header</name>

<t>The unprotected header <bcp14>MUST</bcp14> be empty for AIR v1 receipts. AIR v1 does
not use <spanx style="verb">kid</spanx> or any other unprotected header parameter. Because
unprotected header parameters are not covered by the COSE signature,
verifiers <bcp14>MUST</bcp14> reject receipts with non-empty unprotected headers.</t>

</section>
<section anchor="payload-cwt-claims-map"><name>Payload: CWT Claims Map</name>

<t>The payload is a CBOR-encoded CWT claims map. The map uses
deterministic encoding per <xref target="RFC8949"/> Section 4.2.1: map keys are
sorted in the bytewise lexicographic order of their encoded form.</t>

<t>The claims map is closed: verifiers <bcp14>MUST</bcp14> reject maps containing
unknown integer keys. Duplicate keys <bcp14>MUST</bcp14> be rejected.</t>

</section>
<section anchor="cddl"><name>CDDL Schema</name>

<t>The following CDDL <xref target="RFC8610"/> defines the complete wire shape:</t>

<figure><sourcecode type="cddl"><![CDATA[
air-receipt = #6.18([
  protected:   bstr .cbor air-protected-header,
  unprotected: air-unprotected-header,
  payload:     bstr .cbor air-claims,
  signature:   bstr .size 64
])

air-protected-header = {
  1 => -8,          ; alg: EdDSA (Ed25519)
  3 => 61,          ; content type: application/cwt
}

air-unprotected-header = {}

air-claims = {
  ; --- Standard CWT/EAT claims ---
  1   => tstr,                  ; iss: issuer
  6   => uint,                  ; iat: issued-at (Unix seconds)
  7   => bstr .size 16,         ; cti: CWT ID (UUID v4, 16 bytes)
  265 => "https://spec.cyntrisec.com/air/v1",  ; eat_profile
  ? 10 => bstr .size (8..64),   ; eat_nonce (optional)

  ; --- AIR private claims ---
  -65537 => tstr,               ; model_id
  -65538 => tstr,               ; model_version
  -65539 => sha256-hash,        ; model_hash
  -65540 => sha256-hash,        ; request_hash
  -65541 => sha256-hash,        ; response_hash
  -65542 => sha256-hash,        ; attestation_doc_hash
  -65543 => enclave-measurements, ; enclave_measurements
  -65544 => tstr,               ; policy_version
  -65545 => uint,               ; sequence_number
  -65546 => uint,               ; execution_time_ms
  -65547 => uint,               ; memory_peak_mb
  -65548 => tstr,               ; security_mode
  ? -65549 => tstr,             ; model_hash_scheme (optional)
}

sha256-hash = bstr .size 32
sha384-hash = bstr .size 48

enclave-measurements = nitro-measurements / tdx-measurements

nitro-measurements = {
  "pcr0"             => sha384-hash,   ; image
  "pcr1"             => sha384-hash,   ; kernel + ramdisk
  "pcr2"             => sha384-hash,   ; application
  ? "pcr3"           => sha384-hash,   ; IAM role (optional)
  ? "pcr4"           => sha384-hash,   ; instance identity (optional)
  ? "pcr8"           => sha384-hash,   ; signing cert (optional)
  "measurement_type" => "nitro-pcr",
}

tdx-measurements = {
  "pcr0"             => sha384-hash,   ; MRTD
  "pcr1"             => sha384-hash,   ; RTMR0
  "pcr2"             => sha384-hash,   ; RTMR1
  ? "pcr3"           => sha384-hash,   ; RTMR2 (optional)
  ? "pcr4"           => sha384-hash,   ; RTMR3 (optional)
  "measurement_type" => "tdx-mrtd-rtmr",
}
]]></sourcecode></figure>

<t>The full CDDL is also provided in <xref target="appendix-cddl"/>.</t>

</section>
</section>
<section anchor="claim-semantics"><name>Claim Semantics</name>

<section anchor="standard-cwteat-claims"><name>Standard CWT/EAT Claims</name>

<section anchor="iss-issuer-key-1"><name>iss (Issuer) -- key 1</name>

<t>A text string identifying the issuing entity (e.g.,
<spanx style="verb">"cyntrisec.com"</spanx>). The value is operator-assigned and opaque to the
receipt format. Verifiers <bcp14>MAY</bcp14> check against an expected issuer
allowlist.</t>

</section>
<section anchor="iat-issued-at-key-6"><name>iat (Issued At) -- key 6</name>

<t>An unsigned integer representing the Unix timestamp (seconds since
epoch) when the inference completed. Verifiers apply a freshness
check: <spanx style="verb">now - max_age &lt;= iat &lt;= now + clock_skew</spanx>. Verifiers <bcp14>SHOULD</bcp14>
reject future timestamps.</t>

</section>
<section anchor="cti-cwt-id-key-7"><name>cti (CWT ID) -- key 7</name>

<t>A 16-byte binary string that uniquely identifies the receipt. Each
receipt <bcp14>MUST</bcp14> have a unique <spanx style="verb">cti</spanx>. Implementations <bcp14>SHOULD</bcp14> derive <spanx style="verb">cti</spanx>
from a cryptographically random source; UUID v4 encoded as raw bytes
(not the 36-character string form) is <bcp14>RECOMMENDED</bcp14>. Other 16-byte
unique identifiers (for example, the first 128 bits of a randomly
drawn 256-bit value) are acceptable.</t>

<t>Verifiers maintaining replay state <bcp14>SHOULD</bcp14> track observed <spanx style="verb">cti</spanx>
values and reject duplicates.</t>

</section>
<section anchor="eatprofile-key-265"><name>eat_profile -- key 265</name>

<t>The fixed string value <spanx style="verb">"https://spec.cyntrisec.com/air/v1"</spanx>.
Verifiers <bcp14>MUST</bcp14> reject receipts with unknown eat_profile values.</t>

</section>
<section anchor="eatnonce-key-10"><name>eat_nonce -- key 10</name>

<t>An optional binary string (8-64 bytes per <xref target="RFC9711"/> Section 4.1)
provided by the verifier or relying party to bind the receipt to a
specific request session. Per <xref target="RFC9711"/> Section 4.1 the nonce <bcp14>MUST</bcp14>
have at least 64 bits of entropy. The nonce <bcp14>MUST</bcp14> be supplied by the
party checking freshness; an Attester-generated nonce provides no
replay protection. If the verifier supplied a nonce, it <bcp14>MUST</bcp14> check that
eat_nonce matches. This is the primary replay resistance mechanism
when verifier-side cti deduplication is not feasible.</t>

</section>
</section>
<section anchor="air-private-claims"><name>AIR Private Claims</name>

<t>AIR uses negative integer keys in the CWT private-use range to
avoid collision with IANA-registered claims. Keys -65537 through
-65548 are assigned and required. Key -65549 is assigned and
optional. No other AIR private claim keys are defined in v1.</t>

<section anchor="modelid-key-65537"><name>model_id -- key -65537</name>

<t>A text string containing the human-readable model identifier (e.g.,
<spanx style="verb">"minilm-l6-v2"</spanx>). Operator-assigned, opaque. Not cryptographic; use
model_hash for binding.</t>

</section>
<section anchor="modelversion-key-65538"><name>model_version -- key -65538</name>

<t>A text string containing the human-readable model version (e.g.,
<spanx style="verb">"1.0.0"</spanx>). Operator-assigned, opaque.</t>

</section>
<section anchor="modelhash-key-65539"><name>model_hash -- key -65539</name>

<t>A 32-byte SHA-256 <xref target="FIPS180-4"/> binding for the model artifact set
used for the inference. If <spanx style="verb">model_hash_scheme</spanx> is present, it defines
how this binding was computed; if <spanx style="verb">model_hash_scheme</spanx> is absent,
verifiers <bcp14>SHOULD</bcp14> treat <spanx style="verb">model_hash</spanx> as an opaque model-identity value
that can still be compared against a known-good reference hash.</t>

<t>This claim is application-layer model identity evidence. It does not
by itself prove that the referenced model artifacts were loaded or
executed under hardware attestation; that stronger conclusion requires
independent verification of the attested workload and its relation to
the application-layer model-loading path. The model_hash <bcp14>MUST NOT</bcp14> be
all zeros.</t>

</section>
<section anchor="requesthash-key-65540"><name>request_hash -- key -65540</name>

<t>A 32-byte SHA-256 hash of the inference request payload. Binds the
receipt to a specific input. Clients holding the original request
can recompute and compare.</t>

</section>
<section anchor="responsehash-key-65541"><name>response_hash -- key -65541</name>

<t>A 32-byte SHA-256 hash of the inference response payload. Binds the
receipt to a specific output.</t>

<t><spanx style="verb">request_hash</spanx> and <spanx style="verb">response_hash</spanx> commit to specific input and output
byte strings. They do not prove that the response is the model's output
for that input, and each hash is computed over the request or response
payload as the workload defines it, which <bcp14>MAY</bcp14> differ from the
pre-processed (for example, tokenized or normalized) bytes the model
actually consumed or produced.</t>

</section>
<section anchor="attestationdochash-key-65542"><name>attestation_doc_hash -- key -65542</name>

<t>A 32-byte SHA-256 digest that links the receipt to the platform
attestation document without embedding the (potentially large)
document itself.</t>

<t>The hash preimage is the raw attestation artifact, pinned per
platform:</t>

<t><list style="symbols">
  <t><strong>AWS Nitro Enclaves:</strong> SHA-256 of the NSM attestation document --
the COSE_Sign1 byte string returned by the Nitro Security Module,
hashed exactly as returned, with no re-encoding.</t>
  <t><strong>Intel TDX:</strong> SHA-256 of the raw DCAP quote -- the TDX quote
structure, header through quote signature, as produced by the
platform. The preimage is the quote bytes alone: it <bcp14>MUST NOT</bcp14>
include any transport framing wrapped around the quote, and <bcp14>MUST
NOT</bcp14> include DCAP collateral (certificate chains, TCB info, QE
identity, or CRLs).</t>
</list></t>

<t><spanx style="verb">attestation_doc_hash</spanx> binds the receipt to the attestation artifact
bytes themselves. It does not bind to collateral bundles, to verifier
policy, or to any derived measurement summary; those are obtained and
appraised separately.</t>

<t>The TDX quote version (for example, v4 or v5) is not carried as a
separate AIR v1 claim. A verifier that needs the version parses it
from the quote bytes it obtains and hashes. A future AIR profile may
add explicit attestation metadata for this purpose.</t>

<t>AIR v1 does not define attestation document verification. A verifier
reproduces this digest by obtaining the same raw attestation artifact;
it <bcp14>SHOULD</bcp14> also independently verify that artifact -- its signature and
trust chain -- before relying on it, then compare the artifact's
SHA-256 to this claim.</t>

<t>For a receipt asserting end-to-end TEE provenance, <spanx style="verb">attestation_doc_hash</spanx>
<bcp14>MUST</bcp14> reference the same attestation document that carries the
signing-key binding of <xref target="key-binding"/> and the measurement registers
reconciled by the validator (see <xref target="validator-behavior"/>). A receipt used
only as an application-layer signed log (AIR-local, asserting no TEE
provenance) <bcp14>MAY</bcp14> reference a different or boot-time document, but <bcp14>MUST NOT</bcp14>
be presented as TEE-provenance evidence. A split model that combines a
boot-time <spanx style="verb">attestation_doc_hash</spanx> with a separate per-session key-binding
quote is out of scope for AIR v1 and may be defined by a future profile.</t>

<t>Even in the single-document model, the attestation is typically captured
at workload start, not per inference. A provenance-checked AIR receipt
therefore demonstrates that a key bound to an attested workload signed
these claims; it does NOT by itself demonstrate that this specific
inference executed at the time the attestation was captured. Deployments
needing per-inference or contemporaneous binding require a mechanism
beyond AIR v1 (a fresh per-session attestation, or the external
transparency/sequencing layer discussed in <xref target="replay-protection"/>).</t>

<t>A conformant AIR receipt <bcp14>MUST</bcp14> set <spanx style="verb">attestation_doc_hash</spanx> to the
per-platform preimage defined above. Populating the field with any
other value -- for example, a digest of the receipt signing key used
as an internal placeholder -- does not produce a conformant
attestation-bound AIR receipt, and such a receipt <bcp14>MUST NOT</bcp14> be
presented as one.</t>

</section>
<section anchor="measurements"><name>enclave_measurements -- key -65543</name>

<t>A map containing platform-specific measurement registers. The map
structure depends on the <spanx style="verb">measurement_type</spanx> field within it.</t>

<section anchor="nitro-pcr-variant-measurementtype-nitro-pcr"><name>Nitro PCR Variant (measurement_type = "nitro-pcr")</name>

<texttable>
      <ttcol align='left'>Field</ttcol>
      <ttcol align='left'>Type</ttcol>
      <ttcol align='left'>Required</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c><spanx style="verb">"pcr0"</spanx></c>
      <c>bstr 48</c>
      <c>Yes</c>
      <c>PCR0 (image)</c>
      <c><spanx style="verb">"pcr1"</spanx></c>
      <c>bstr 48</c>
      <c>Yes</c>
      <c>PCR1 (kernel + ramdisk)</c>
      <c><spanx style="verb">"pcr2"</spanx></c>
      <c>bstr 48</c>
      <c>Yes</c>
      <c>PCR2 (application)</c>
      <c><spanx style="verb">"pcr3"</spanx></c>
      <c>bstr 48</c>
      <c>No</c>
      <c>PCR3 (IAM role)</c>
      <c><spanx style="verb">"pcr4"</spanx></c>
      <c>bstr 48</c>
      <c>No</c>
      <c>PCR4 (instance identity)</c>
      <c><spanx style="verb">"pcr8"</spanx></c>
      <c>bstr 48</c>
      <c>No</c>
      <c>PCR8 (signing certificate)</c>
      <c><spanx style="verb">"measurement_type"</spanx></c>
      <c>tstr</c>
      <c>Yes</c>
      <c><spanx style="verb">"nitro-pcr"</spanx></c>
</texttable>

<t>PCR3 and PCR4 are <bcp14>OPTIONAL</bcp14> and <bcp14>RECOMMENDED</bcp14> for multi-tenant
deployments where IAM role and instance identity are part of the
trust decision. PCR8 is <bcp14>OPTIONAL</bcp14> and <bcp14>RECOMMENDED</bcp14> when the deployment
relies on a signing-certificate measurement. Absence of an optional
PCR does not invalidate the receipt; verifiers <bcp14>MAY</bcp14> require specific
optional PCRs by local policy.</t>

</section>
<section anchor="tdx-mrtdrtmr-variant-measurementtype-tdx-mrtd-rtmr"><name>TDX MRTD/RTMR Variant (measurement_type = "tdx-mrtd-rtmr")</name>

<texttable>
      <ttcol align='left'>Field</ttcol>
      <ttcol align='left'>Type</ttcol>
      <ttcol align='left'>Required</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c><spanx style="verb">"pcr0"</spanx></c>
      <c>bstr 48</c>
      <c>Yes</c>
      <c>MRTD</c>
      <c><spanx style="verb">"pcr1"</spanx></c>
      <c>bstr 48</c>
      <c>Yes</c>
      <c>RTMR0</c>
      <c><spanx style="verb">"pcr2"</spanx></c>
      <c>bstr 48</c>
      <c>Yes</c>
      <c>RTMR1</c>
      <c><spanx style="verb">"pcr3"</spanx></c>
      <c>bstr 48</c>
      <c>No</c>
      <c>RTMR2 (optional)</c>
      <c><spanx style="verb">"pcr4"</spanx></c>
      <c>bstr 48</c>
      <c>No</c>
      <c>RTMR3 (optional)</c>
      <c><spanx style="verb">"measurement_type"</spanx></c>
      <c>tstr</c>
      <c>Yes</c>
      <c><spanx style="verb">"tdx-mrtd-rtmr"</spanx></c>
</texttable>

<t>TDX exposes four Runtime Measurement Registers (RTMR0 through RTMR3).
RTMR2 and RTMR3 are <bcp14>OPTIONAL</bcp14> in AIR v1: RTMR2 is commonly extended by
the guest runtime (container platforms, language runtimes) and
RTMR3 by the workload itself. Deployments that extend either register
as part of their trust model <bcp14>SHOULD</bcp14> include the corresponding value
in the receipt. Absence of an optional RTMR does not invalidate the
receipt; verifiers <bcp14>MAY</bcp14> require specific optional RTMRs by local
policy.</t>

<t>The TDX registers are mapped to <spanx style="verb">pcr0</spanx>/<spanx style="verb">pcr1</spanx>/<spanx style="verb">pcr2</spanx>/<spanx style="verb">pcr3</spanx>/<spanx style="verb">pcr4</spanx>
portability slots for cross-platform verifier simplicity. The
<spanx style="verb">measurement_type</spanx> field disambiguates the actual register semantics.
These slot names do not imply that Nitro PCRs and TDX MRTD/RTMRs are
semantically identical.</t>

<t>Future AIR revisions may carry measurements via the EAT Measured
Component claim (<xref target="I-D.ietf-rats-eat-measured-component"/>) once that
work is published. AIR v1 uses the bespoke map above to avoid taking
a dependency on a not-yet-RFC document.</t>

<t>All measurement values present in the map (whether required or
optional) <bcp14>MUST</bcp14> be exactly 48 bytes. Verifiers <bcp14>MUST</bcp14> reject receipts
where any measurement register is the wrong length. The
<spanx style="verb">measurement_type</spanx> <bcp14>MUST</bcp14> be one of the defined values; unknown types
<bcp14>MUST</bcp14> be rejected.</t>

</section>
</section>
<section anchor="policyversion-key-65544"><name>policy_version -- key -65544</name>

<t>A text string identifying the version of the policy governing the
workload (e.g., <spanx style="verb">"policy-2026.02"</spanx>). Informational.</t>

</section>
<section anchor="sequencenumber-key-65545"><name>sequence_number -- key -65545</name>

<t>An unsigned integer that <bcp14>SHOULD</bcp14> increase by one for each receipt
produced within a single workload session, resetting on workload
restart.</t>

<t>This claim is <strong>informational only</strong>. It is not a cryptographic
freshness or replay-protection mechanism:</t>

<t><list style="symbols">
  <t><spanx style="verb">sequence_number</spanx> is signed as part of the receipt, but a
compromised workload can emit any value it chooses.</t>
  <t><spanx style="verb">sequence_number</spanx> resets on workload restart, so it provides no
cross-session ordering.</t>
  <t>Gaps in <spanx style="verb">sequence_number</spanx> <bcp14>MAY</bcp14> indicate missed receipts within a
session but are NOT a receipt-verification failure.</t>
</list></t>

<t>Verifiers <bcp14>MUST NOT</bcp14> treat <spanx style="verb">sequence_number</spanx> in isolation as evidence
of freshness or as a replay-detection signal. Replay resistance
comes from <spanx style="verb">cti</spanx> deduplication and, where applicable, <spanx style="verb">eat_nonce</spanx>
challenge-binding; see <xref target="replay-protection"/>.</t>

</section>
<section anchor="executiontimems-key-65546"><name>execution_time_ms -- key -65546</name>

<t>An unsigned integer representing the wall-clock inference time in
milliseconds. Informational; anomalously low or high values may
indicate issues but are not a verification failure.</t>

</section>
<section anchor="memorypeakmb-key-65547"><name>memory_peak_mb -- key -65547</name>

<t>An unsigned integer representing the peak memory usage during
inference in megabytes. Informational.</t>

</section>
<section anchor="securitymode-key-65548"><name>security_mode -- key -65548</name>

<t>A text string identifying the security mode of the emitting workload.
AIR v1 defines a closed set of values; verifiers <bcp14>MUST</bcp14> reject receipts
whose <spanx style="verb">security_mode</spanx> is outside this set (fail-closed, same pattern
as <spanx style="verb">model_hash_scheme</spanx>, <xref target="mhscheme"/>).</t>

<t>Defined values:</t>

<texttable>
      <ttcol align='left'>Value</ttcol>
      <ttcol align='left'>Meaning</ttcol>
      <c><spanx style="verb">"production"</spanx></c>
      <c>Workload runs in a production configuration.</c>
      <c><spanx style="verb">"evaluation"</spanx></c>
      <c>Workload runs in an evaluation / demonstration configuration. Receipts with <spanx style="verb">security_mode</spanx> = <spanx style="verb">"evaluation"</spanx> <bcp14>MUST NOT</bcp14> be accepted by verifiers configured for production trust decisions.</c>
</texttable>

<t>Verifiers <bcp14>MAY</bcp14> additionally enforce deployment-specific policy on
<spanx style="verb">security_mode</spanx>; for example, a verifier configured for production
use <bcp14>MUST</bcp14> reject receipts whose <spanx style="verb">security_mode</spanx> is <spanx style="verb">"evaluation"</spanx>, and <bcp14>MAY</bcp14>
reject receipts whose <spanx style="verb">security_mode</spanx> is any value other than an
allowlisted production set.</t>

<t>No other <spanx style="verb">security_mode</spanx> values are defined in AIR v1. Future
revisions <bcp14>MAY</bcp14> define additional values. AIR v1 implementations <bcp14>MUST
NOT</bcp14> invent new values; an implementation needing a value outside the
defined set should use a future AIR revision or a vendor-specific
extension outside the AIR profile.</t>

<t>The <spanx style="verb">security_mode</spanx> claim is self-asserted: it is written and signed by
the workload and states only the configuration the workload believes it
is in. It is not the output of any appraisal and conveys no positive
assurance. A Verifier or Relying Party <bcp14>MUST NOT</bcp14> treat any <spanx style="verb">security_mode</spanx>
value -- including <spanx style="verb">"production"</spanx> -- as evidence of a secure or
production posture, and <bcp14>MUST NOT</bcp14> base a positive trust decision on it.
Its only sound use is fail-closed: a verifier configured for production
trust decisions <bcp14>MUST</bcp14> reject <spanx style="verb">"evaluation"</spanx> (and <bcp14>MAY</bcp14> reject any
non-allowlisted value), so that a receipt an honest workload self-marks
as non-production cannot be accepted. A workload's actual security
posture is established solely by verifying the referenced platform
attestation and appraising its measurements, TCB, and debug state
against reference values (see <xref target="validator-behavior"/>).</t>

<t>This design is deliberate. Earlier EAT work carried a self-asserted
<spanx style="verb">security-level</spanx> claim that the RATS working group removed before
RFC 9711, precisely because a device asserting its own security level
proves nothing. <spanx style="verb">security_mode</spanx> is not a graded positive security
level; it is a binary fail-closed sentinel whose only effect is to let
an honest emitter downgrade itself (<spanx style="verb">"evaluation"</spanx>) so verifiers reject
it. A lying workload gains nothing by writing <spanx style="verb">"production"</spanx>, because no
positive weight is placed on the value: trust comes only from the
attestation appraisal (see <xref target="claim-trust-classes"/>).</t>

<t>Product- or deployment-specific submodes (for example, vendor-defined
production profiles) are out of scope for AIR v1. Implementations
needing such distinctions <bcp14>SHOULD</bcp14> map them to the generic AIR v1 value
space for interoperability.</t>

</section>
<section anchor="mhscheme"><name>model_hash_scheme -- key -65549</name>

<t>An optional text string declaring how model_hash was computed,
enabling verifiers to reproduce the hash from model artifacts.</t>

<t>Defined scheme values:</t>

<texttable>
      <ttcol align='left'>Scheme</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c><spanx style="verb">"sha256-single"</spanx></c>
      <c>SHA-256 of a single model weights file</c>
      <c><spanx style="verb">"sha256-concat"</spanx></c>
      <c>SHA-256 of deterministically concatenated model weight files (lexicographic filename order)</c>
      <c><spanx style="verb">"sha256-manifest"</spanx></c>
      <c>SHA-256 of a self-describing manifest that identifies the model artifact set (for example, weights files and associated tokenizer or configuration artifacts) via per-file hashes</c>
</texttable>

<t>If present, verifiers <bcp14>MUST</bcp14> recognize the scheme value. Unknown
schemes <bcp14>MUST</bcp14> be rejected (fail-closed). If absent, verifiers <bcp14>SHOULD</bcp14>
treat model_hash as opaque (can still compare against a known-good
hash, but cannot independently reproduce it).</t>

<t>No additional scheme values are defined in AIR v1. Future revisions
<bcp14>MAY</bcp14> define more scheme values. AIR v1 implementations <bcp14>MUST NOT</bcp14> invent
new scheme values.</t>

</section>
</section>
</section>
<section anchor="eat-profile-declaration"><name>EAT Profile Declaration</name>

<t><xref target="RFC9711"/> Section 6.2 requires a full profile to be complete enough
that a receiver can decode, verify, and check the freshness of a
receipt; Section 6.3 lists the profile issues a profile should address.
This section states AIR v1's position on each.</t>

<t><list style="numbers" type="1">
  <t><strong>Profile identifier</strong>: URI
<spanx style="verb">"https://spec.cyntrisec.com/air/v1"</spanx> (carried in eat_profile,
key 265).</t>
  <t><strong>Encoding</strong>: CBOR only (<xref target="RFC8949"/>). JSON serialization is not
defined.</t>
  <t><strong>Envelope</strong>: COSE_Sign1 (<xref target="RFC9052"/> Section 4.2), CBOR tag 18.
Untagged COSE_Sign1 <bcp14>MUST</bcp14> be rejected.</t>
  <t><strong>Payload content type</strong>: COSE content_type = 61
(<spanx style="verb">application/cwt</spanx>). The payload is a CWT claims map.</t>
  <t><strong>HTTP media type</strong>: <spanx style="verb">application/eat+cwt</spanx> (<xref target="RFC9782"/>).
Receivers <bcp14>SHOULD</bcp14> accept both <spanx style="verb">application/cwt</spanx> and
<spanx style="verb">application/eat+cwt</spanx>. Senders <bcp14>MAY</bcp14> include the <spanx style="verb">eat_profile</spanx>
media-type parameter defined by <xref target="RFC9782"/> --
<spanx style="verb">application/eat+cwt; eat_profile="https://spec.cyntrisec.com/air/v1"</spanx>
-- so that receivers can route on the profile without decoding the
receipt body. An AIR receipt <bcp14>MAY</bcp14> also be carried inside a RATS
Conceptual Messages Wrapper (<xref target="I-D.ietf-rats-msg-wrap"/>) when it is
conveyed alongside other attestation messages.</t>
  <t><strong>Signing algorithm</strong>: Ed25519 only (COSE alg = -8). Signatures
<bcp14>MUST</bcp14> be verified with the strict procedure of
<xref target="verification-procedure"/>, Layer 2 (canonical scalar S,
small-order R/A rejection, cofactorless group equation). No
algorithm negotiation in v1.</t>
  <t><strong>Detached bundles</strong>: Not supported in v1. The attestation
document is referenced by hash (attestation_doc_hash), not
embedded.</t>
  <t><strong>Key identification</strong>: Out of band. The verifier obtains the
Ed25519 public key through a platform-specific channel (e.g.,
attestation document, key registry). AIR v1 does not use <spanx style="verb">kid</spanx>.</t>
  <t><strong>Mandatory claims</strong>: 16 required claims: iss, iat, cti,
eat_profile, model_id, model_version, model_hash, request_hash,
response_hash, attestation_doc_hash, enclave_measurements,
policy_version, sequence_number, execution_time_ms,
memory_peak_mb, security_mode.</t>
  <t><strong>Optional claims</strong>: 2 optional claims: eat_nonce (replay
resistance), model_hash_scheme (hash computation method).</t>
  <t><strong>Freshness</strong>: <spanx style="verb">iat</spanx> carries the execution timestamp (Unix
seconds). Verifiers apply <spanx style="verb">max_age</spanx> + <spanx style="verb">clock_skew</spanx> policy.
<spanx style="verb">eat_nonce</spanx> provides optional challenge-response replay
resistance (<xref target="RFC9711"/> Section 4.1, 8-64 bytes).</t>
  <t><strong>Deterministic encoding</strong>: Required. Map keys sorted per
<xref target="RFC8949"/> Section 4.2.1 (bytewise lexicographic order of the
encoded map keys).</t>
  <t><strong>Closed claims map</strong>: The claims map is closed. Unknown integer
keys <bcp14>MUST</bcp14> be rejected. Duplicate keys <bcp14>MUST</bcp14> be rejected.</t>
  <t><strong>Unprotected header</strong>: <bcp14>MUST</bcp14> be empty. All header parameters are
carried in the protected header. Receipts with non-empty
unprotected headers <bcp14>MUST</bcp14> be rejected.</t>
  <t><strong>Private claim keys</strong>: Keys -65537 through -65549 are assigned
in the CWT private-use range (<xref target="RFC8392"/>). No IANA registration
is required. AIR v1 defines no extension mechanism or additional
private claim keys beyond this set.</t>
  <t><strong>Endorsement / reference-value identification</strong>: Out of scope for
the AIR receipt. An AIR receipt carries no endorsement or
reference-value identifiers; reference values and endorsements are
supplied to and appraised by a RATS Verifier (see
<xref target="validator-behavior"/> and Trust Assumption TA-4 in
<xref target="trust-assumptions"/>), not by the AIR Receipt Validator, keeping
the receipt strictly Evidence and not an Attestation Result. The
standard EAT entity-identity claims (<spanx style="verb">ueid</spanx>, <spanx style="verb">sueids</spanx>, <spanx style="verb">oemid</spanx>,
<spanx style="verb">hwmodel</spanx>, <spanx style="verb">hwversion</spanx>) are not used and are prohibited by the
closed claims map.</t>
</list></t>

</section>
<section anchor="key-binding"><name>Key Binding</name>

<t>AIR-local verification (see <xref target="verification-procedure"/>) does not
require any particular relationship between the Ed25519 signing key
and the underlying platform attestation. Deployments that use AIR
receipts purely as a signed log of application-layer claims, without
asserting TEE provenance, may operate without key binding.</t>

<t>However, a common and load-bearing deployment model uses the AIR
receipt as evidence that a specific inference ran inside a specific
attested workload. For that model, end-to-end TEE provenance is only
sound when the signing key is cryptographically bound to the attested
workload. Deployments that assert such end-to-end TEE provenance <bcp14>MUST</bcp14>
bind the Ed25519 signing key to accepted platform attestation evidence
via an out-of-band cryptographic construction.</t>

<section anchor="single-purpose-signing-key"><name>Single-Purpose Signing Key</name>

<t>The Ed25519 key bound to the platform attestation is a single-purpose
AIR receipt signing key.</t>

<t><list style="symbols">
  <t>The key <bcp14>MUST</bcp14> be used only to produce the signature of an AIR
COSE_Sign1 receipt: the Ed25519 signature over the receipt's COSE
<spanx style="verb">Sig_structure</spanx> (<xref target="RFC9052"/> Section 4.4) for the AIR profile named
in the receipt's <spanx style="verb">eat_profile</spanx> claim.</t>
  <t>The key <bcp14>MUST NOT</bcp14> be reused for any other purpose. In particular it
<bcp14>MUST NOT</bcp14> be used for transport-layer handshakes, attestation or
key-exchange protocols, JWT or other token signing,
transparency-log or audit-log signing, general-purpose Ed25519
signatures, or any other application protocol.</t>
  <t>An implementation that needs a signing key for any additional role
<bcp14>MUST</bcp14> generate and separately attest a distinct key, or derive a
distinct key under a separate, domain-separated key schedule. It
<bcp14>MUST NOT</bcp14> repurpose the attested AIR signing key.</t>
</list></t>

<t>With this restriction, every signature the attested key can produce is
an AIR receipt for the advertised profile, so an attested AIR signature
is unambiguous.</t>

</section>
<section anchor="conformant-constructions"><name>Conformant Constructions</name>

<t>The following constructions satisfy the key binding requirement above
when the associated attestation is verified by a RATS Verifier against
the platform's trust chain:</t>

<t><list style="numbers" type="1">
  <t><strong>AWS Nitro Enclaves:</strong> generate the Ed25519 receipt signing key
inside the enclave and carry either its 32-byte public key, or an
unambiguous encoded structure containing it, in the <spanx style="verb">user_data</spanx>
field of the NSM attestation document. The Nitro Security Module
signs the document, including <spanx style="verb">user_data</spanx>, so the receipt signing
key is covered by the hardware-rooted signature. A verifier
validates the document against the AWS Nitro root and checks that
the receipt signing key carried in <spanx style="verb">user_data</spanx> matches the public
key used to verify the AIR signature.</t>
  <t><strong>Intel TDX:</strong> generate the Ed25519 receipt signing key inside the
Trusted Domain and bind it into the TDX quote's 64-byte
REPORTDATA. Because REPORTDATA is fixed at 64 bytes, the binding
is a SHA-512 digest -- placed as the full REPORTDATA -- over a
domain-separated, length-prefixed encoding of: a domain label,
the platform identifier, the protocol version, the transport
handshake public key, the Ed25519 receipt signing key, the
session nonce, and an optional platform-evidence hash.  <vspace blankLines='1'/>
To make the binding independently reproducible, one interoperable
construction pins the SHA-512 preimage exactly as the concatenation,
in order, of: (1) the domain label, length-prefixed; (2) the
platform identifier (a UTF-8 string, for example <spanx style="verb">"gcp-cs-tdx"</spanx>),
length-prefixed; (3) the protocol version as a 4-octet unsigned
big-endian integer (fixed width, not length-prefixed); (4) the
32-octet transport handshake public key, length-prefixed; (5) the
32-octet Ed25519 receipt signing key, length-prefixed; (6) the
32-octet session nonce, length-prefixed; and (7) a 1-octet
platform-evidence flag -- <spanx style="verb">0x01</spanx> followed by the 32-octet
platform-evidence hash when present, or <spanx style="verb">0x00</spanx> alone when absent.
"Length-prefixed" means a 4-octet unsigned big-endian octet count
immediately preceding the field it describes; the handshake key,
receipt signing key, and nonce <bcp14>MUST</bcp14> each be exactly 32 octets. The
REPORTDATA is the 64-octet SHA-512 digest of this preimage, and the
domain label (for this construction, the ASCII string
<spanx style="verb">"cyntrisec-tdx-envelope-v2"</spanx>) distinguishes it from any other use
of the same input shape. A verifier
validates the quote via DCAP against the Intel SGX and TDX trust
chains, recomputes the SHA-512 binding from the attestation
envelope's stated inputs, and rejects the quote unless the result
equals the quote's REPORTDATA.</t>
</list></t>

<t>These constructions describe the key-binding attestation itself. In
AIR v1, whether a receipt's <spanx style="verb">attestation_doc_hash</spanx> references that
same per-session attestation -- rather than a separate boot-time
attestation -- is a profile-versioning question. For a receipt
asserting end-to-end TEE provenance, <xref target="validator-behavior"/> requires
<spanx style="verb">attestation_doc_hash</spanx> to reference the same document that carries this
key binding; a profile that separates the two (a boot-time
<spanx style="verb">attestation_doc_hash</spanx> plus a per-session key-binding quote) is out of
scope for AIR v1 and may be addressed by a future profile.</t>

<t>Other constructions <bcp14>MAY</bcp14> be used where the target attestation platform
supports them. Implementers <bcp14>SHOULD</bcp14> consult
<xref target="I-D.reddy-rats-key-binding"/> for a general treatment of key binding
in RATS as that work matures. The Nitro and TDX constructions above
instantiate the "combined" key-binding model of
<xref target="I-D.reddy-rats-key-binding"/> -- the attestation Evidence and the
key binding are produced together by the Attester -- and a future AIR
profile could align this binding with that draft's confirmation
(<spanx style="verb">cnf</spanx>) claim encoding once it stabilizes. AIR v1 binds the key through
the platform quote (REPORTDATA / <spanx style="verb">user_data</spanx>) rather than a receipt-level
<spanx style="verb">cnf</spanx> claim because the binding must be rooted in the hardware-signed
attestation itself: the Attester generates the ephemeral signing key
inside the TEE and commits it into the quote the vendor signs, which a
<spanx style="verb">cnf</spanx> claim signed only by the workload cannot by itself provide.</t>

</section>
<section anchor="validator-behavior"><name>Validator Behavior</name>

<t>For the end-to-end TEE assurance procedure below, the attestation
document referenced by <spanx style="verb">attestation_doc_hash</spanx> <bcp14>MUST</bcp14> be the same document
that carries the key binding (<xref target="key-binding"/>) and the measurement
registers reconciled below. AIR v1 does not define a provenance
procedure for a deployment whose key-binding attestation and
<spanx style="verb">attestation_doc_hash</spanx> are different documents (for example, a
per-session key-binding quote plus a separate boot-time attestation);
such a split is left to a future profile.</t>

<t>An AIR Receipt Validator configured for end-to-end TEE assurance:</t>

<t><list style="symbols">
  <t><bcp14>MUST</bcp14> obtain the platform attestation document referenced by
<spanx style="verb">attestation_doc_hash</spanx> and validate it via platform-specific
procedures before accepting the receipt.</t>
  <t><bcp14>MUST</bcp14> check the binding described in the construction above:
the public key used to verify the AIR signature matches the
public-key value embedded in the attestation document (or its
hash, depending on the construction).</t>
  <t><bcp14>MUST</bcp14> reject the receipt if the binding check fails.</t>
  <t><bcp14>MUST</bcp14> reconcile the receipt's <spanx style="verb">enclave_measurements</spanx> claim against
the measurement registers carried in the validated attestation
document. Every measurement register present in
<spanx style="verb">enclave_measurements</spanx> <bcp14>MUST</bcp14> equal, byte for byte, the
corresponding register in the validated attestation document; a
register that the attestation document does not expose cannot be
reconciled. The validator <bcp14>MUST</bcp14> reject the receipt if any register
in <spanx style="verb">enclave_measurements</spanx> is unequal to, or cannot be reconciled
against, the validated attestation document (fail-closed). The
<spanx style="verb">enclave_measurements</spanx> claim is signed only by the workload's own
key; it is corroborated platform evidence only after this
reconciliation succeeds (see <xref target="claim-trust-classes"/>).</t>
  <t><bcp14>MUST</bcp14> require the presence of every measurement register its policy
deems security-critical, and <bcp14>MUST</bcp14> reject a receipt that omits such
a register (fail-closed). Byte-for-byte reconciliation quantifies
only over the registers present in <spanx style="verb">enclave_measurements</spanx>, and the
emitting workload chooses that set; a validator that does not
enforce required-register presence can be handed a receipt that
omits a workload- or runtime-identifying register. On Intel TDX in
particular, the application and guest-runtime measurements are
carried in the <bcp14>OPTIONAL</bcp14> RTMR2/RTMR3 slots, so a validator asserting
that a specific workload executed <bcp14>MUST</bcp14> require the register(s) that
identify that workload rather than only the mandatory MRTD/RTMR0/
RTMR1 platform registers.</t>
  <t><bcp14>MUST NOT</bcp14> treat successful reconciliation as workload
acceptability. Reconciliation establishes only that the receipt's
measurement values match the validated attestation document
(hardware-rootedness), not that those values, the platform TCB, or
the debug state are acceptable. A validator asserting end-to-end
TEE assurance <bcp14>MUST</bcp14> additionally appraise the reconciled
measurements and the platform TCB/debug state against its
reference-value policy -- or defer that appraisal to a RATS
Verifier that performs it -- and <bcp14>MUST</bcp14> reject unacceptable values.
In particular, a validator asserting a production security posture
<bcp14>MUST</bcp14> reject a TEE that reports a debug or development mode (for
example, Intel TDX <spanx style="verb">TD_ATTRIBUTES.DEBUG</spanx> set, or an SGX enclave in
DEBUG mode), and <bcp14>MUST</bcp14> reject a platform whose TCB is out of date or
revoked, unless the deployment explicitly accepts such a platform
for a non-production purpose.</t>
  <t><bcp14>MUST</bcp14> require the receipt to bind at least one freshness mechanism
-- a verifier-supplied <spanx style="verb">eat_nonce</spanx> or <spanx style="verb">cti</spanx> deduplication -- before
asserting end-to-end TEE provenance. <xref target="RFC9711"/> Section 9.3 requires
an EAT to have a freshness mechanism to prevent replay and reuse; a
provenance claim over a receipt carrying no freshness binding is
vulnerable to replay of a pre-signed receipt (see
<xref target="replay-protection"/>).</t>
  <t><bcp14>MUST</bcp14>, when the key-binding construction commits a session nonce into
the platform quote (for example, TDX REPORTDATA) and the receipt
also carries <spanx style="verb">eat_nonce</spanx>, check that the quote-bound nonce and
<spanx style="verb">eat_nonce</spanx> are equal, so that the receipt and the underlying
platform attestation share one freshness challenge.</t>
</list></t>

<t>An AIR Receipt Validator that does not require end-to-end TEE
assurance (for example, in a deployment that uses AIR only as a
signed log bound by application-layer trust decisions) <bcp14>MAY</bcp14> skip the
checks in this section (key binding, measurement reconciliation,
appraisal, and required-register presence). Such a validator <bcp14>MUST NOT</bcp14>
claim TEE provenance from the receipt alone.</t>

</section>
</section>
<section anchor="verification-procedure"><name>Verification Procedure</name>

<t>The AIR v1 verification procedure is organized into four layers. The
checks proceed strictly in this order:</t>

<ul empty="true"><li>
  <t>COSE structure/header validation -&gt; signature verification -&gt;
payload CBOR decode -&gt; AIR claim validation -&gt;
relying-party policy checks</t>
</li></ul>

<t>Layer 1 performs COSE structure and header validation; Layer 2 verifies
the signature; Layer 3 decodes the payload CBOR and then validates the
AIR claims; Layer 4 applies relying-party policy checks.</t>

<t>These layers define AIR-local verification only. A deployment that
requires full TEE assurance <bcp14>MUST</bcp14> additionally obtain and verify the
underlying platform attestation evidence and the binding between that
evidence and the AIR signing key using platform-specific procedures.</t>

<t>A conformant verifier <bcp14>MUST</bcp14> indicate, in its result, which assurance
level it established: AIR-local verification (Layers 1-4 of this
section only) or end-to-end TEE assurance (Layers 1-4 plus the full set
of checks in <xref target="validator-behavior"/> -- key binding, measurement
reconciliation, required-register presence, and measurement/TCB/debug
appraisal). An AIR-local result <bcp14>MUST NOT</bcp14> be presented or recorded as
TEE provenance.</t>

<t>Each AIR-local layer <bcp14>MUST</bcp14> complete successfully before proceeding to
the next. If any check fails, the verifier <bcp14>MUST</bcp14> reject the receipt and
<bcp14>SHOULD</bcp14> report the specific failure.</t>

<t>A verifier <bcp14>MUST NOT</bcp14> decode the payload CBOR or interpret any claim
value before the Layer 2 signature check succeeds. Layers 1 and 2
operate only on the COSE_Sign1 structure, the protected header, and the
payload as an opaque byte string; the CWT claims are decoded and
validated in Layer 3, only after the signature over them has been
verified.</t>

<section anchor="layer-1-cose-structure-and-header-validation"><name>Layer 1: COSE Structure and Header Validation</name>

<t><list style="numbers" type="1">
  <t>Decode the input as CBOR. Confirm the outer structure is tagged
with CBOR tag 18.</t>
  <t>Decode the COSE_Sign1 array (4 elements).</t>
  <t>Confirm the receipt size does not exceed 65,536 bytes. This
bound is a verifier-side denial-of-service guard; typical AIR v1
receipts are under 1 KB. The bound applies to the serialized
tagged COSE_Sign1 structure. Deployments requiring larger
receipts (for example, with embedded certificate chains not
defined in this version) <bcp14>MUST</bcp14> use a future AIR revision that
specifies the additional payload.</t>
  <t>Decode the protected header. Confirm it is a well-formed CBOR
map.</t>
  <t>Confirm <spanx style="verb">alg</spanx> (label 1) in the protected header is -8 (EdDSA).
Reject receipts with any other algorithm.</t>
  <t>Confirm <spanx style="verb">content type</spanx> (label 3) in the protected header is 61
(<spanx style="verb">application/cwt</spanx>).</t>
  <t>Confirm the unprotected header is empty.</t>
</list></t>

<t>The payload is carried through this layer as an opaque byte string; it
is not decoded until Layer 3, after signature verification.</t>

</section>
<section anchor="layer-2-signature-verification"><name>Layer 2: Signature Verification</name>

<t><list style="numbers" type="1">
  <t>Construct Sig_structure = ["Signature1", protected, h'',
payload] per <xref target="RFC9052"/> Section 4.4. The result is the message M
over which the signature is verified.</t>
  <t>Verify the Ed25519 signature -- the point R (first 32 octets) and
the scalar S (last 32 octets) -- over M with the Ed25519 public
key A. A conformant verifier <bcp14>MUST</bcp14> perform all of the following
checks and <bcp14>MUST</bcp14> reject the receipt if any of them fails:  <vspace blankLines='1'/>
a.  Decode S as a 32-octet little-endian integer. Reject unless
    0 &lt;= S &lt; L, where L is the order of the Ed25519 prime-order
    subgroup. A verifier <bcp14>MUST NOT</bcp14> reduce S modulo L; an S value
    outside [0, L) is a verification failure.  <vspace blankLines='1'/>
b.  Recover R and A as Edwards curve points from their 32-octet
    encodings. Reject the signature if either encoding does not
    decode to a point on the curve.  <vspace blankLines='1'/>
c.  Reject if A is a small-order point, or if R is a small-order
    point (a point of order 1, 2, 4, or 8).  <vspace blankLines='1'/>
d.  Compute k = SHA-512(R || A || M), interpreted as a
    little-endian integer (its reduction modulo L is implicit in
    the scalar multiplication [k]A). Verify the cofactorless group
    equation [S]B = R + [k]A, where B is the Ed25519 base
    point. Reject if it does not hold. The cofactored equation
    <bcp14>MUST NOT</bcp14> be used in place of the cofactorless equation.</t>
</list></t>

<t>Checks (c) and (d) make AIR signature verification stricter than the
baseline of <xref target="RFC8032"/> Section 5.1.7, which permits the cofactored
equation and does not require small-order rejection. The stricter
procedure removes signature malleability the baseline would otherwise
permit.</t>

<t>Step (b) requires only that R and A decode to points on the curve.
AIR v1 does NOT require rejecting a non-canonical point encoding (an
encoded y-coordinate not reduced modulo the field prime); the
mandatory-to-implement Ed25519 verification routines accept such
encodings. Rejecting them is not necessary for AIR security: a
non-canonical re-encoding leaves the receipt's <spanx style="verb">cti</spanx> and claims
unchanged, so it yields no new receipt identity, and the public key A
is obtained out of band from the attestation in canonical form. The
canonical-scalar check in step (a) is required and is distinct from
point-encoding canonicalization.</t>

</section>
<section anchor="layer-3-payload-decode-and-claim-validation"><name>Layer 3: Payload Decode and Claim Validation</name>

<t>Layer 3 is the first layer that decodes the payload CBOR, and it is
entered only after the Layer 2 signature check has succeeded.</t>

<t><list style="numbers" type="1">
  <t>Decode the payload. Confirm it is a well-formed CBOR map.
Confirm that every mandatory claim enumerated in the CDDL
(<xref target="cddl"/>) and the EAT Profile Declaration is present; reject the
receipt if any mandatory claim is absent. The closed-claims-map
check below rejects unknown keys but does not by itself guarantee
that the mandatory claims are present.</t>
  <t>Confirm <spanx style="verb">eat_profile</spanx> (key 265) equals
<spanx style="verb">"https://spec.cyntrisec.com/air/v1"</spanx>. Reject receipts with
unknown profile values.</t>
  <t>Confirm <spanx style="verb">cti</spanx> (key 7) is exactly 16 bytes.</t>
  <t>Confirm <spanx style="verb">iat</spanx> (key 6) is a non-zero unsigned integer.</t>
  <t>Confirm <spanx style="verb">model_hash</spanx> (key -65539) is exactly 32 bytes and not
all zeros.</t>
  <t>Confirm all required text string claims (iss, model_id,
model_version, policy_version, security_mode) are non-empty and
within reasonable bounds (implementation-defined, <bcp14>RECOMMENDED</bcp14>
maximum 1024 bytes each).</t>
  <t>Confirm <spanx style="verb">enclave_measurements</spanx> (key -65543) is a map.</t>
  <t>Confirm <spanx style="verb">measurement_type</spanx> within enclave_measurements is one
of the defined values (<spanx style="verb">"nitro-pcr"</spanx> or <spanx style="verb">"tdx-mrtd-rtmr"</spanx>).</t>
  <t>Confirm that every measurement value present in the map (whether
required or optional) is exactly 48 bytes.</t>
  <t>If <spanx style="verb">measurement_type</spanx> is <spanx style="verb">"tdx-mrtd-rtmr"</spanx>, confirm <spanx style="verb">pcr8</spanx> is
absent. TDX measurement maps <bcp14>MUST NOT</bcp14> contain <spanx style="verb">pcr8</spanx> (<spanx style="verb">pcr8</spanx>
is a Nitro-only field).</t>
  <t>If <spanx style="verb">model_hash_scheme</spanx> (key -65549) is present, confirm it is
one of the defined values (<spanx style="verb">"sha256-single"</spanx>,
<spanx style="verb">"sha256-concat"</spanx>, <spanx style="verb">"sha256-manifest"</spanx>). Unknown values <bcp14>MUST</bcp14> be
rejected.</t>
  <t>Confirm <spanx style="verb">security_mode</spanx> (key -65548) is one of the defined values
(<spanx style="verb">"production"</spanx>, <spanx style="verb">"evaluation"</spanx>). Unknown values <bcp14>MUST</bcp14>
be rejected (fail-closed).</t>
  <t>Confirm <spanx style="verb">request_hash</spanx> (key -65540), <spanx style="verb">response_hash</spanx> (key
-65541), and <spanx style="verb">attestation_doc_hash</spanx> (key -65542) are each exactly
32 bytes, and that <spanx style="verb">sequence_number</spanx> (key -65545),
<spanx style="verb">execution_time_ms</spanx> (key -65546), and <spanx style="verb">memory_peak_mb</spanx> (key
-65547) are each unsigned integers.</t>
  <t>Confirm the claims map contains no unknown integer keys and no
duplicate keys.</t>
  <t>If <spanx style="verb">eat_nonce</spanx> (key 10) is present, confirm it is between 8
and 64 bytes inclusive; reject otherwise (<xref target="RFC9711"/> Section 4.1).</t>
</list></t>

</section>
<section anchor="layer-4-policy-evaluation"><name>Layer 4: Policy Evaluation</name>

<t>Policy checks are configurable per verifier deployment. The following
checks are defined:</t>

<dl>
  <dt><strong>FRESH</strong> (timestamp bounds):</dt>
  <dd>
    <t>If configured, verify <spanx style="verb">now - max_age &lt;= iat &lt;= now + clock_skew</spanx>.</t>
  </dd>
  <dt><strong>NONCE</strong> (challenge binding):</dt>
  <dd>
    <t>If the verifier supplied a nonce, verify eat_nonce matches.</t>
  </dd>
  <dt><strong>MODEL</strong> (expected model):</dt>
  <dd>
    <t>If configured, verify model_hash and/or model_id match expected
values.</t>
  </dd>
  <dt><strong>PLATFORM</strong> (expected platform):</dt>
  <dd>
    <t>If configured, verify measurement_type matches expected value.</t>
  </dd>
  <dt><strong>REPLAY</strong> (deduplication):</dt>
  <dd>
    <t>If the verifier maintains a seen-cti store, reject duplicate cti
values.</t>
  </dd>
</dl>

<t>Verifiers <bcp14>SHOULD</bcp14> document which Layer 4 policies they enforce.</t>

</section>
<section anchor="interaction-model-compatibility"><name>Interaction Model Compatibility</name>

<t>AIR is a receipt format; transport and session management are out of
scope (see <xref target="non-goals"/>). AIR receipts are compatible with both the
Challenge/Response and Uni-Directional interaction models of
<xref target="I-D.ietf-rats-reference-interaction-models"/>:</t>

<t><list style="symbols">
  <t><strong>Challenge/Response</strong>: when the <spanx style="verb">eat_nonce</spanx> claim is present and
was supplied by the verifier to the workload out of band (for
example, as an inference-API parameter), the receipt provides
challenge-response freshness per <xref target="RFC9711"/> Section 4.1.</t>
  <t><strong>Uni-Directional</strong>: when <spanx style="verb">eat_nonce</spanx> is absent, freshness
reduces to the <spanx style="verb">iat</spanx> timestamp plus verifier-side <spanx style="verb">cti</spanx>
deduplication. This is acceptable for deployments that do not
require challenge-binding, but <bcp14>MUST</bcp14> be understood as weaker than
challenge-bound freshness: a compromised workload can pre-sign
receipts, and verifiers relying only on <spanx style="verb">iat</spanx> gain no defense
beyond clock skew. A validator operating in this mode <bcp14>MUST</bcp14> apply a
bounded acceptance window (a <spanx style="verb">max_age</spanx> policy) and treat the result
as recentness, not freshness: it conveys that a receipt is no older
than the window, not that it was produced in response to a live
challenge.</t>
</list></t>

<t>Attester-generated nonce values (nonce values not supplied by a
verifier) provide no replay protection and <bcp14>SHOULD NOT</bcp14> be placed in
<spanx style="verb">eat_nonce</spanx>. An implementation that needs a unique per-receipt
identifier for internal purposes should use <spanx style="verb">cti</spanx> or an
application-layer field, not <spanx style="verb">eat_nonce</spanx>.</t>

<t>Deployments that require platform-clock-independent freshness
(for example, where the workload clock is not trusted by the
verifier) may combine AIR with epoch-markers per
<xref target="I-D.ietf-rats-epoch-markers"/>. AIR v1 does not itself define an
epoch-marker claim; this integration is out of scope for v1 and may
be considered in a future revision.</t>

</section>
</section>
<section anchor="relationship-to-other-work"><name>Relationship to Other Work</name>

<section anchor="draft-messous-eat-ai"><name>draft-messous-eat-ai</name>

<t><xref target="I-D.messous-eat-ai"/> defines AI-related claims for EAT,
including model identification, training metadata, and data-handling policy and SBOM
references. AIR v1 is complementary: where draft-messous-eat-ai focuses
on per-agent identity, provenance, and authorization metadata, AIR v1
focuses narrowly on per-inference execution evidence from a
confidential workload. AIR intentionally binds a specific request/
response event to attestation-linked metadata; it is not a general AI
agent identity profile. A future version of AIR could adopt
registered claim keys from draft-messous-eat-ai once they stabilize,
replacing the current private-use integer keys. The two drafts do not
collide in the private-use key space -- draft-messous-eat-ai uses keys
in the -75000 range while AIR uses -65537 through -65549 -- but a future
coordinated registration <bcp14>SHOULD</bcp14> align them.</t>

</section>
<section anchor="concurrent-ai-attestation-work"><name>Concurrent AI-Attestation Work</name>

<t>Several concurrent efforts address adjacent parts of the AI-attestation
problem. <xref target="I-D.sharif-ai-model-lifecycle-attestation"/> spans the whole
model lifecycle -- from training-data attestation through per-inference
output signing; AIR v1 is narrower, defining only the per-inference
receipt wire format and its verification, and could serve as the
receipt object such a lifecycle framework emits. In the research
literature, AEX (arXiv:2603.14283) attests LLM API request/response
provenance at the API boundary, and "Notarized Agents"
(arXiv:2606.04193) defines receiver-attested receipts for AI agent
actions. AIR's specific contribution is a closed, fail-closed
COSE_Sign1 / CWT / EAT profile for a single confidential inference; it
is not the only or first per-inference evidence scheme, and a future
version could align its claim keys with these efforts.</t>

</section>
<section anchor="scitt"><name>SCITT</name>

<t>The Supply Chain Integrity, Transparency and Trust framework
(<xref target="RFC9943"/>) uses "Receipt" to mean a
Merkle-tree inclusion proof produced by a Transparency Service for a
Signed Statement submitted to it. In AIR, "receipt" means a
workload-signed per-inference evidence object. These are different
artifacts despite the shared word; this document uses "AIR receipt"
throughout to refer to the AIR v1 COSE_Sign1 artifact defined here,
and "SCITT Receipt" when referring to a Transparency-Service
inclusion proof.</t>

<t>AIR receipts are candidate <strong>payloads</strong> for SCITT Signed Statements,
not Signed Statements themselves. A SCITT Signed Statement is a
COSE_Sign1 structure carrying specific CWT claims (issuer, subject,
etc.) that a Transparency Service uses for registration-policy
evaluation. An AIR v1 COSE_Sign1 does not carry those outer
registration-relevant claims. Deployments wishing to anchor AIR
receipts in a SCITT Transparency Service should wrap an AIR COSE_Sign1
as the payload of an outer Signed Statement produced by the issuer,
with the outer envelope supplying the claims required by the
Transparency Service's registration policy.</t>

<t>TEE-backed Transparency Service profiles such as
<xref target="I-D.ietf-scitt-receipts-ccf-profile"/> are natural complements to
AIR's TEE-attested workload model. Complementary work by
<xref target="I-D.kamimura-scitt-refusal-events"/> covers the refusal-event side
of AI inference auditing, which pairs with AIR's successful-inference
scope to give broader audit coverage.</t>

<t>A SCITT Transparency Service can provide an independent inclusion time
and ordering record for AIR receipts that are submitted to it. It does
not, by itself, prove when the underlying inference ran, and it does
not detect a receipt that the issuer never submitted. Completeness
requires a deployment policy on top of transparency logging, such as
mandatory submission, monotonic counters, per-session manifests, or
client-enforced inclusion proofs.</t>

<t>AIR v1 does not define the outer Signed Statement wrapping or a
registration profile for a SCITT Transparency Service. Future
revisions may define such a profile.</t>

</section>
<section anchor="rats-architecture"><name>RATS Architecture</name>

<t>AIR receipts fit the RATS <xref target="RFC9334"/> architecture as follows:</t>

<t><list style="symbols">
  <t>The confidential workload is the <strong>Attester</strong>. AIR receipts are
Attester-generated claims; they are Evidence in the general sense
of <xref target="RFC9334"/> Section 4.2, specialized to a per-inference
application scope.</t>
  <t>The <strong>AIR Receipt Validator</strong> (see <xref target="terminology"/>) performs
AIR-local checks (signature, claim structure, local policy). The
AIR Receipt Validator is not the RATS Verifier of <xref target="RFC9334"/>
Section 4.1; it does not appraise platform Evidence against
reference values or produce Attestation Results.</t>
  <t>A <strong>RATS Verifier</strong> appraises the platform attestation evidence
referenced by <spanx style="verb">attestation_doc_hash</spanx> using platform-specific
procedures and reference values. AIR v1 does not define those
procedures.</t>
  <t>The end user, auditor, or compliance officer is the <strong>Relying
Party</strong>. In a deployment that combines AIR with platform attestation,
the Relying Party consumes both the AIR receipt and any platform
Attestation Results.</t>
  <t>The TEE hardware vendor (AWS, Intel) is the <strong>Endorser</strong>; their
attestation infrastructure anchors trust in the platform evidence.</t>
</list></t>

<t>AIR v1 is a workload-emitted artifact, not a Verifier-emitted
Attestation Result. It is therefore distinct from IETF EAR (<xref target="I-D.ietf-rats-ear"/>, EAT
Attestation Results), which is produced by a Verifier after evaluating
platform Evidence. In a complete deployment, a Verifier may evaluate
platform Evidence and an AIR receipt together, and an EAR may reference
an AIR receipt as part of the evidence it considered.</t>

<t>This version of AIR assumes a single Attester producing one
attestation document per receipt. Patterns for composite attesters
(multiple sub-attesters in one environment, e.g., CPU TEE + GPU
confidential compute) and multi-verifier orchestration are the
subject of active RATS WG work; see
<xref target="I-D.richardson-rats-composite-attesters"/> and
<xref target="I-D.ietf-rats-multi-verifier"/>. AIR v1 does not support these
patterns; future versions may define how AIR receipts compose across
such environments.</t>

</section>
</section>
<section anchor="future-profile-candidates"><name>Future Profile Candidates</name>

<t>AIR v1 defines an intentionally closed claims map with no extension
registry (<xref target="non-goals"/>). This section records claim families that
implementation experience and reviewer feedback have identified as
candidates for a FUTURE AIR profile. It defines no new claims and adds
no wire-format requirements; a future revision <bcp14>MAY</bcp14> define some or all
of them, and this document commits to no delivery date. The purpose is
to reserve the design space and to record the trust analysis any such
claims would inherit.</t>

<section anchor="decoding-and-sampling-parameters"><name>Decoding and Sampling Parameters</name>

<t>A future profile could carry the decoding configuration of the
inference -- for example temperature, top_p, top_k, a random seed, and
the stop-sequence set. Under the AIR trust model these are
workload-asserted values (Trust Assumption TA-2, <xref target="trust-assumptions"/>):
a verifier can policy-pin them -- reject a receipt whose asserted
decoding configuration is not the expected one -- but generally cannot
recompute the response to confirm the configuration was actually
applied, because production inference on hardware accelerators is not
bit-reproducible across runs. Such claims therefore add policy-pinning
value, not independent verifiability, and a profile defining them
<bcp14>SHOULD</bcp14> state this explicitly so that a Relying Party does not read a
pinned decoding claim as proof of the decoding that occurred.</t>

</section>
<section anchor="structured-context-commitments"><name>Structured Context Commitments</name>

<t>AIR v1's <spanx style="verb">request_hash</spanx> commits to the request payload as a single
opaque byte string. A future profile could decompose the context into
separately committed parts -- for example distinct hashes for the user
input, the system prompt, retrieved context (as in retrieval-augmented
generation), and a tool-call / tool-result log -- and could add a
prior-receipt hash to chain multi-step or multi-turn interactions.
These share the decoding parameters' trust class: they are
workload-asserted and corroborable only against artifacts a Relying
Party independently holds. This design space overlaps with the agent
identity and provenance claims of <xref target="I-D.messous-eat-ai"/> and with
recent work on attestation and provenance for LLM API
request/response outputs (for example, AEX, arXiv:2603.14283); a future
AIR profile <bcp14>SHOULD</bcp14> reuse registered claim
keys from that work where they exist rather than minting private-use
keys.</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<section anchor="trust-assumptions"><name>Trust Assumptions</name>

<t>The security properties of AIR verification depend on the following
Trust Assumptions. If any of these assumptions is broken, the
corresponding AIR guarantees are void.</t>

<t><list style="symbols">
  <t><strong>TA-1 (TEE hardware correctness):</strong> the TEE hardware computes
measurements faithfully, isolates enclave memory from the host
and hypervisor as specified, and protects the attestation
signing key. A hardware vulnerability, firmware bug, or supply
chain compromise affecting the TEE voids all AIR TEE-provenance
guarantees. AIR v1 does not define revocation mechanisms for
compromised platforms.</t>
  <t><strong>TA-2 (Workload honesty and evidence scope):</strong> the signing
workload computes the hashes it signs over the data it actually
processed, and populates claims consistently with the inference
it actually performed. An AIR receipt only speaks for what the
signing workload observed and emitted. A malicious or
misconfigured workload can produce syntactically valid receipts
that do not correspond to a genuine inference; AIR does not
protect against such a signer. This assumption is meaningful
only when combined with TA-3. Moreover, because
<spanx style="verb">attestation_doc_hash</spanx> <bcp14>MAY</bcp14> reference a reused boot-time attestation
rather than a per-inference one (see the <spanx style="verb">attestation_doc_hash</spanx>
claim definition), a valid receipt does not establish that a
specific inference occurred at a specific time, even when TA-1
through TA-4 all hold.</t>
  <t><strong>TA-3 (Key binding enforced out of band):</strong> for deployments
asserting end-to-end TEE provenance, the Ed25519 signing key is
cryptographically bound to the attested workload per
<xref target="key-binding"/>. Without this binding, key substitution attacks
(see <xref target="key-substitution-attack"/>) defeat the TEE-provenance
claim regardless of TA-1 and TA-2.</t>
  <t><strong>TA-4 (Platform attestation verifiable via Endorser trust
chain):</strong> the attestation document referenced by
<spanx style="verb">attestation_doc_hash</spanx> can be obtained and validated by a RATS
Verifier against the platform vendor's trust chain (for
example, the AWS Nitro root CA, or the Intel DCAP / Provisioning
Certification Service). AIR v1 does not define these procedures
and relies on platform-specific verifiers.</t>
</list></t>

<t>AIR-local verification (Layers 1-4 of <xref target="verification-procedure"/>)
proves only TA-independent properties: receipt well-formedness,
signature validity under a provided public key, claim structural
correctness, and policy match. Claims of TEE provenance require
TA-1 through TA-4 to hold, with TA-3 enforced by the Validator and
TA-4 enforced by a RATS Verifier.</t>

</section>
<section anchor="receipt-integrity"><name>Receipt Integrity</name>

<t>The Ed25519 signature over the COSE Sig_structure protects the
protected header and all claims against tampering. The unprotected
header is not covered by the signature; AIR v1 requires it to be
empty (Section 4.3).</t>

</section>
<section anchor="algorithm-pinning"><name>Algorithm Pinning</name>

<t>AIR v1 pins the signing algorithm to Ed25519 (alg = -8). The
algorithm identifier is carried in the protected header and is
therefore signed. This prevents algorithm confusion attacks where an
attacker substitutes a weaker algorithm.</t>

<t>As of <xref target="RFC9864"/>, the generic EdDSA algorithm identifier -8 is no
longer marked "Recommended" in the IANA COSE Algorithms registry (its
Recommended status is "Deprecated") in favor of algorithm-specific
identifiers. AIR v1 pins -8 for interoperability with currently
deployed COSE tooling; a future AIR profile <bcp14>MAY</bcp14> adopt the
Ed25519-specific algorithm identifier. Algorithm agility in AIR is
handled by profile versioning, not in-band negotiation: a future
revision needing a different or post-quantum signature scheme defines a
new profile identifier (the <spanx style="verb">eat_profile</spanx> value), so a verifier never
has to accept an algorithm the profile did not pin.</t>

</section>
<section anchor="replay-protection"><name>Replay Protection</name>

<t>Replay protection in AIR v1 is a shared responsibility:</t>

<t><list style="symbols">
  <t>The <spanx style="verb">cti</spanx> claim provides a unique receipt identifier. Verifiers
maintaining state <bcp14>SHOULD</bcp14> track observed cti values and reject
duplicates.</t>
  <t>The <spanx style="verb">eat_nonce</spanx> claim (optional) provides challenge-response
freshness. When present, it binds the receipt to a specific
verifier-supplied challenge, preventing replay to other verifiers.</t>
  <t>The <spanx style="verb">sequence_number</spanx> claim provides monotonicity within an
observed session. Gaps indicate missing sequence numbers within
that observed stream; absence of a gap does not prove that every
receipt was submitted.</t>
</list></t>

<t>Verifiers not maintaining state and not using eat_nonce have limited
replay protection (only iat-based freshness). Deployments requiring
strong replay resistance <bcp14>MUST</bcp14> use at least one of cti deduplication
or eat_nonce. A verifier configured with neither cti deduplication nor
eat_nonce checking <bcp14>SHOULD</bcp14> surface a warning that the receipt has no
replay protection beyond iat-based freshness.</t>

<section anchor="freshness-boundary"><name>Freshness Boundary</name>

<t>The freshness an AIR receipt conveys is bounded by who holds the
nonce. <spanx style="verb">eat_nonce</spanx> demonstrates freshness only to the party that
issued the nonce; a later auditor who did not issue or observe that
nonce cannot infer freshness from it. The <spanx style="verb">iat</spanx> claim is a
workload-asserted time -- useful for verifier policy such as an age
bound, but not an externally attested timestamp, and a compromised
workload can assert any value.</t>

<t>An AIR receipt therefore does not, on its own, give an after-the-fact
auditor verifiable freshness, nor evidence that the set of receipts is
complete. Audit-time freshness and non-omission require an external
mechanism -- for example, a transparency log that countersigns
receipts with an independent timestamp, or an external sequencing
authority -- layered on AIR. AIR v1 does not define that layer.</t>

</section>
</section>
<section anchor="model-hash-limitations"><name>Model Hash Limitations</name>

<t>The <spanx style="verb">model_hash</spanx> claim proves byte-level identity for the model
artifact set as defined by <spanx style="verb">model_hash_scheme</spanx>, not model correctness,
bias, or safety. Two distinct artifact sets with identical hashes are
computationally infeasible, but a model with a correct hash may still
produce harmful or incorrect outputs.</t>

<t><spanx style="verb">model_hash</spanx> identifies the serialized model artifact set, not the
in-memory computational form actually executed. Quantization, kernel
fusion, speculative decoding, and other runtime optimizations can make
the executing model differ numerically from the hashed artifacts;
<spanx style="verb">model_hash</spanx> binds which artifacts were referenced, not the exact
computation performed.</t>

<t>The <spanx style="verb">model_hash_scheme</spanx> claim (<xref target="mhscheme"/>) declares how the hash
was computed. Unknown scheme values <bcp14>MUST</bcp14> be rejected. This prevents
a verifier from accepting a hash computed with an unrecognized method
that might weaken integrity guarantees.</t>

<t>The <spanx style="verb">model_hash</spanx> claim is application-layer evidence. By itself it
does not prove that the corresponding artifacts were loaded or
executed inside a hardware-attested environment; that requires
verification of the attested workload and its model-loading path.</t>

</section>
<section anchor="attestation-document-not-verified-by-receipt"><name>Attestation Document Not Verified by Receipt</name>

<t>The <spanx style="verb">attestation_doc_hash</spanx> claim is a SHA-256 hash of the platform
attestation document. AIR v1 does not embed or verify the attestation
document. AIR-local verification alone is therefore insufficient to
establish TEE assurance. Verifiers requiring such assurance <bcp14>MUST</bcp14>
independently obtain and verify the attestation document using
platform-specific procedures (e.g., Nitro COSE verification against
the AWS root CA, Intel TDX DCAP verification against Intel PCS).</t>

</section>
<section anchor="accelerator-scope"><name>Accelerator Attestation Scope</name>

<t>An AIR v1 receipt attests the CPU-side TEE only. On a platform that
also provides accelerator (for example, GPU) confidential computing,
the accelerator's confidential-computing mode, device identity, and
memory-protection state are NOT covered by the receipt, and are not
implied by a successful <spanx style="verb">enclave_measurements</spanx> reconciliation. A
Relying Party <bcp14>MUST NOT</bcp14> infer accelerator confidentiality from an AIR v1
receipt, and a party presenting such a receipt <bcp14>MUST NOT</bcp14> represent it as
covering accelerator confidentiality. Where accelerator confidentiality
is part of the trust decision, it <bcp14>MUST</bcp14> be established out of band from
device-side Evidence (see the composite-attester note in <xref target="non-goals"/>)
and <bcp14>MUST NOT</bcp14> be assumed from the presence of an AIR receipt. A future
composite-attester AIR profile may bind CPU-side and accelerator-side
Evidence into a single verifiable object.</t>

</section>
<section anchor="workload-honesty-and-evidence-scope"><name>Workload Honesty and Evidence Scope</name>

<t>An AIR receipt only speaks for what the signing workload observed and
emitted. If the workload is malicious, misconfigured, or signs hashes
for data that did not come from the claimed inference path, AIR can
still produce a syntactically valid receipt. AIR therefore does not
protect against an untrusted signer or against semantics outside the
measured workload boundary.</t>

<t>Deployments that rely on AIR for end-to-end assurance <bcp14>MUST</bcp14> treat the
receipt as meaningful only when the signing key is bound to an
attested workload whose measurement set and execution policy are
acceptable to the verifier.</t>

</section>
<section anchor="claim-trust-classes"><name>Claim Trust Classes</name>

<t>Every claim in an AIR receipt is covered by the receipt signature, but
that signature proves only that the <em>workload</em> asserted the claim. It
does not, on its own, make the claim true. Claims differ in whether,
and how, a verifier or Relying Party can corroborate them against
evidence outside the receipt. This section classifies every AIR v1
claim so that implementers and Relying Parties do not mistake a
workload self-assertion for independently established fact.</t>

<t>In RATS terms (<xref target="RFC9334"/>), a claim is corroborated hardware Evidence
only when an Attesting Environment measured it and a Verifier appraises
it against reference values; the remaining claims are workload
assertions that the receipt signature authenticates but does not make
true. Three trust classes are used:</t>

<t><list style="symbols">
  <t><strong>Self-asserted:</strong> backed only by the workload's signature. A
malicious or misconfigured workload can place any syntactically
valid value in the claim; the receipt signature does not elevate
such a claim beyond "the workload stated this."</t>
  <t><strong>Externally corroborable:</strong> a Relying Party that independently
holds the corresponding artifact (a known-good reference value,
the request or response bytes, or a verifier-supplied nonce) can
confirm the claim by recomputation or comparison.</t>
  <t><strong>Attestation-corroborable:</strong> the claim is meaningful only after a
verifier obtains and validates the platform attestation document
and reconciles the claim against it per <xref target="validator-behavior"/>.
Before that reconciliation the claim is self-asserted.</t>
</list></t>

<texttable>
      <ttcol align='left'>Claim</ttcol>
      <ttcol align='left'>Trust class</ttcol>
      <ttcol align='left'>Corroboration available to a Relying Party</ttcol>
      <c><spanx style="verb">iss</spanx></c>
      <c>Self-asserted</c>
      <c>None; <bcp14>MAY</bcp14> be checked against an issuer allowlist</c>
      <c><spanx style="verb">iat</spanx></c>
      <c>Self-asserted</c>
      <c>None; workload clock (see <xref target="replay-protection"/> and Clock Integrity)</c>
      <c><spanx style="verb">cti</spanx></c>
      <c>Self-asserted</c>
      <c>None; uniqueness is assumed, not proven</c>
      <c><spanx style="verb">eat_profile</spanx></c>
      <c>Self-asserted (fixed constant)</c>
      <c>Verifier checks the exact AIR v1 profile URI</c>
      <c><spanx style="verb">eat_nonce</spanx></c>
      <c>Externally corroborable</c>
      <c>Only by the verifier that supplied the nonce</c>
      <c><spanx style="verb">model_id</spanx></c>
      <c>Self-asserted</c>
      <c>None; operator-assigned opaque string</c>
      <c><spanx style="verb">model_version</spanx></c>
      <c>Self-asserted</c>
      <c>None; operator-assigned opaque string</c>
      <c><spanx style="verb">model_hash</spanx></c>
      <c>Externally corroborable</c>
      <c>Compare against a known-good reference hash</c>
      <c><spanx style="verb">request_hash</spanx></c>
      <c>Externally corroborable</c>
      <c>Recompute from the request bytes the Relying Party holds</c>
      <c><spanx style="verb">response_hash</spanx></c>
      <c>Externally corroborable</c>
      <c>Recompute from the response bytes the Relying Party holds</c>
      <c><spanx style="verb">attestation_doc_hash</spanx></c>
      <c>Attestation-corroborable</c>
      <c>Re-hash the independently obtained attestation document. For a TEE-provenance receipt this is the same document that carries the key binding and reconciled measurements; it is typically boot-time, so it shows execution <em>in</em> the attested workload, not <em>at the time of</em> this inference (see the <spanx style="verb">attestation_doc_hash</spanx> claim definition).</c>
      <c><spanx style="verb">enclave_measurements</spanx></c>
      <c>Attestation-corroborable</c>
      <c>Reconcile against the validated attestation document per <xref target="validator-behavior"/>; self-asserted until then</c>
      <c><spanx style="verb">policy_version</spanx></c>
      <c>Self-asserted</c>
      <c>None; operator-assigned</c>
      <c><spanx style="verb">sequence_number</spanx></c>
      <c>Self-asserted</c>
      <c>None; informational only (see its claim definition)</c>
      <c><spanx style="verb">execution_time_ms</spanx></c>
      <c>Self-asserted</c>
      <c>None; informational</c>
      <c><spanx style="verb">memory_peak_mb</spanx></c>
      <c>Self-asserted</c>
      <c>None; informational</c>
      <c><spanx style="verb">security_mode</spanx></c>
      <c>Self-asserted</c>
      <c>None; does not substitute for attestation-based trust</c>
      <c><spanx style="verb">model_hash_scheme</spanx></c>
      <c>Self-asserted</c>
      <c>Structural; declares how <spanx style="verb">model_hash</spanx> was computed</c>
</texttable>

<t>The <spanx style="verb">enclave_measurements</spanx> claim warrants specific attention. It
carries platform measurement registers (PCR or MRTD/RTMR values) and
therefore resembles hardware-rooted evidence, but within the receipt
it is a Self-asserted claim: the values are written and signed by the
workload, not by the platform attestation service. It becomes
corroborated platform evidence only after the <xref target="validator-behavior"/>
reconciliation against the validated attestation document. A verifier
that presents <spanx style="verb">enclave_measurements</spanx> to a Relying Party as a verified
measurement, without performing that reconciliation, misrepresents a
workload self-assertion as hardware evidence.</t>

</section>
<section anchor="key-substitution-attack"><name>Key Substitution Attack</name>

<t>If an implementation does not enforce key binding as described in
<xref target="key-binding"/>, a workload compromise enables a key-substitution
attack. An attacker with code execution in the workload may:</t>

<t><list style="numbers" type="1">
  <t>Extract the Ed25519 signing private key.</t>
  <t>Obtain or generate a fresh platform attestation document with a
different REPORTDATA (or equivalent field), which may correspond
to a different measurement or a different workload image.</t>
  <t>Sign AIR receipts with the extracted key and populate
<spanx style="verb">attestation_doc_hash</spanx> with the hash of the new attestation
document.</t>
</list></t>

<t>A verifier that checks only the AIR signature and the
<spanx style="verb">attestation_doc_hash</spanx> field cannot distinguish such receipts from
receipts produced by the attested workload. AIR-local verification
remains valid in the narrow sense that the signature and claim
structure are well-formed, but end-to-end TEE provenance is broken.</t>

<t>Deployments that claim end-to-end TEE provenance from AIR receipts
<bcp14>MUST</bcp14> therefore enforce key binding per <xref target="key-binding"/>, and verifiers
enforcing such claims <bcp14>MUST</bcp14> check that binding using platform-specific
procedures.</t>

</section>
<section anchor="signing-key-reuse"><name>Signing Key Reuse</name>

<t><xref target="key-binding"/> requires the attested AIR signing key to be
single-purpose. Ed25519 unforgeability is analyzed for a key used in a
single signing role; reusing the attested key across protocols falls
outside that model and can enable cross-protocol signature confusion,
in which a signature produced for another protocol is presented as an
AIR receipt, or an AIR receipt signature is replayed into another
protocol.</t>

</section>
<section anchor="tee-compromise"><name>TEE Compromise</name>

<t>See TA-1 in <xref target="trust-assumptions"/>. Operators of verifiers <bcp14>SHOULD</bcp14>
consult platform-vendor advisories and maintain an allowlist or
denylist of accepted platform measurements and TCB versions to
respond to disclosed hardware or firmware vulnerabilities. AIR v1
does not itself define revocation or TCB-rollback signaling; this is
typically performed by the platform-specific RATS Verifier against
its reference-value store.</t>

</section>
<section anchor="clock-integrity"><name>Clock Integrity</name>

<t>The <spanx style="verb">iat</spanx> claim depends on the workload's system clock. On AWS
Nitro, the enclave uses the host clock (no independent time source).
On Intel TDX, the CVM has a TSC but it is subject to frequency
scaling. AIR v1 freshness checks are only as accurate as the
platform clock.</t>

</section>
<section anchor="deterministic-encoding"><name>Deterministic Encoding</name>

<t>AIR v1 requires deterministic CBOR encoding (<xref target="RFC8949"/> Section
4.2.1). This ensures that the same claims always produce the same
payload bytes, preventing signature-valid variants of the same
receipt. Implementations <bcp14>MUST</bcp14> sort map keys per the CBOR
deterministic encoding rules.</t>

</section>
<section anchor="closed-claims-map"><name>Closed Claims Map</name>

<t>The claims map is closed: unknown integer keys <bcp14>MUST</bcp14> be rejected.
This prevents downgrade attacks where an attacker adds unrecognized
claims that a naive verifier might silently accept as benign. This
closed-scope behavior is intentional in AIR v1; future extensions
require a revised profile.</t>

</section>
</section>
<section anchor="privacy-considerations"><name>Privacy Considerations</name>

<section anchor="inputoutput-hashes"><name>Input/Output Hashes</name>

<t>The request_hash and response_hash claims contain SHA-256 hashes,
not plaintext inputs or outputs. However, for low-entropy inputs
(e.g., binary classification queries, yes/no questions), an
adversary with knowledge of the input space could brute-force the
hash to recover the original input. Deployments handling sensitive
low-entropy data <bcp14>SHOULD</bcp14> consider whether receipt exposure risks
input recovery.</t>

<t>A deployment <bcp14>MAY</bcp14> mitigate this by folding a per-receipt secret salt
(for example, the <spanx style="verb">eat_nonce</spanx>, or a random value retained by the
issuer) into the hashed preimage, so that <spanx style="verb">request_hash</spanx> and
<spanx style="verb">response_hash</spanx> are not dictionary-confirmable by an observer who does
not hold the salt. This is a deliberate trade-off: a salted hash is no
longer independently recomputable by a Relying Party that holds only
the request or response bytes, so the claim's trust class shifts from
externally-corroborable to corroborable-only-with-the-salt (see
<xref target="claim-trust-classes"/>). A profile that defines salting <bcp14>MUST</bcp14> specify
how the salt is conveyed to authorized verifiers.</t>

</section>
<section anchor="correlation-metadata"><name>Correlation Metadata</name>

<t>AIR receipts contain timestamps (iat), sequence numbers, and
identifiers (cti, iss) that could be used to correlate activity
across receipts. In privacy-sensitive deployments, operators <bcp14>SHOULD</bcp14>
consider whether the combination of receipt metadata enables
unwanted profiling.</t>

</section>
<section anchor="nonce-privacy"><name>Nonce Privacy</name>

<t>The eat_nonce claim, when present, may leak correlation data if the
same nonce is reused across sessions or if the nonce encodes
client-identifying information. Verifiers <bcp14>SHOULD</bcp14> use random nonces
and avoid embedding client identifiers in nonce values.</t>

</section>
<section anchor="issuer-identity"><name>Issuer Identity</name>

<t>The <spanx style="verb">iss</spanx> claim identifies the emitting entity. If the deployment
assigns <spanx style="verb">iss</spanx> a human-readable value such as an organization name,
the resulting receipts disclose the issuer's identity to anyone who
can read them. For receipts that flow to auditors or relying parties
outside the trust boundary of the issuer, this is usually intended
and acceptable. For receipts that may be shared further (for
example, aggregated in a transparency log, forwarded to external
regulators, or included in public audit artifacts), the human-readable
issuer identity may exceed the intended disclosure scope.</t>

<t>Deployments requiring issuer pseudonymity <bcp14>SHOULD</bcp14> use opaque <spanx style="verb">iss</spanx>
values (for example, UUIDs or randomly-generated identifiers) and
distribute issuer mappings out of band to the parties that need
them.</t>

</section>
<section anchor="signing-key-and-identifier-linkability"><name>Signing Key and Identifier Linkability</name>

<t>The Ed25519 receipt signing key is, in effect, a persistent pseudonym:
every receipt a given attested workload emits is signed by the same
key, so an observer can link all of that workload's inferences to one
another and, via the key binding, to one attested environment. The
<spanx style="verb">model_id</spanx> and <spanx style="verb">enclave_measurements</spanx> claims are likewise stable
cross-receipt correlators. Where unlinkability across receipts or
across relying parties matters, a deployment <bcp14>SHOULD</bcp14> use
per-relying-party or rotating signing keys, each separately attested,
accepting the additional attestation cost. AIR v1 does not use the EAT
<spanx style="verb">ueid</spanx>, <spanx style="verb">sueids</spanx>, <spanx style="verb">oemid</spanx>, <spanx style="verb">hwmodel</spanx>, or <spanx style="verb">hwversion</spanx> claims -- the
closed claims map prohibits them -- which avoids the permanent-
hardware-identifier linkability discussed in <xref target="RFC9711"/> Section 8. The
<spanx style="verb">cti</spanx> claim <bcp14>SHOULD</bcp14> be a random 128-bit value rather than a counter (see
its claim definition); <spanx style="verb">sequence_number</spanx> is a deliberately
session-linkable field, and because it is informational only a
deployment concerned with linkability <bcp14>MAY</bcp14> emit a constant value for it.</t>

</section>
</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions at this time.</t>

<t>AIR v1 uses negative integer keys in the CWT private-use range
(keys -65537 through -65549). If AIR gains adoption, a future
version may request registration of these claims in the CWT Claims
registry established by <xref target="RFC8392"/>. The eat_profile URI
(<spanx style="verb">"https://spec.cyntrisec.com/air/v1"</spanx>) follows the EAT profile
naming conventions in <xref target="RFC9711"/> but is not registered in any
IANA registry.</t>

<t>The HTTP media type <spanx style="verb">application/eat+cwt</spanx> referenced in Section 6
is registered by <xref target="RFC9782"/>.</t>

</section>
<section anchor="implementation-status"><name>Implementation Status</name>

<t>Note to RFC Editor: Please remove this section before publication.</t>

<t>This section records the status of known implementations of the
protocol defined by this specification at the time of posting, per
<xref target="RFC7942"/>.</t>

<section anchor="reference-implementation-rust"><name>Reference Implementation (Rust)</name>

<dl>
  <dt>Organization:</dt>
  <dd>
    <t>Cyntrisec</t>
  </dd>
  <dt>Implementation:</dt>
  <dd>
    <t>EphemeralML (<spanx style="verb">common/src/air_receipt.rs</spanx>, <spanx style="verb">common/src/air_verify.rs</spanx>)</t>
  </dd>
  <dt>Description:</dt>
  <dd>
    <t>Full AIR v1 emitter and 4-layer verifier. Generates COSE_Sign1
receipts with deterministic CBOR encoding and Ed25519 signing.
Verifier implements all four layers (parse, crypto, claims, policy)
with structured error codes.</t>
  </dd>
  <dt>Maturity:</dt>
  <dd>
    <t>Demonstration. The implementation emits AIR v1 receipts and performs
AIR-local verification on the Nitro, TDX, and GCP Confidential Space
paths. Enforced single-document AIR TEE provenance per
<xref target="validator-behavior"/> is implemented for Nitro: the AIR signing key is
extracted from the AWS-signed NSM attestation document referenced by
<spanx style="verb">attestation_doc_hash</spanx>, and the client reconciles and appraises that
document's measurement registers against caller-supplied reference
values before asserting provenance. On TDX and GCP Confidential Space
today, the receipt's <spanx style="verb">attestation_doc_hash</spanx> references a boot-time
quote, while the receipt-signing-key binding and DCAP/platform
verification are carried through a separate transport attestation and
platform-evidence bundle. That is exactly the split model
<xref target="validator-behavior"/> places out of scope for AIR v1 TEE provenance,
so those receipts are treated as AIR-local. Binding the
receipt-signing key into the <spanx style="verb">attestation_doc_hash</spanx> quote and a
TDX/GCP AIR chained verifier that validates that quote and appraises
its MRTD/RTMR registers against reference values are future work.</t>
  </dd>
  <dt>Coverage:</dt>
  <dd>
    <t>The reference implementation passes its test suite, including the
AIR v1 golden conformance vectors (<xref target="appendix-vectors"/>).</t>
  </dd>
  <dt>Contact:</dt>
  <dd>
    <t>borys@cyntrisec.com</t>
  </dd>
</dl>

</section>
<section anchor="python-interop-verifier"><name>Python Interop Verifier</name>

<dl>
  <dt>Organization:</dt>
  <dd>
    <t>Cyntrisec (same team, independent implementation)</t>
  </dd>
  <dt>Implementation:</dt>
  <dd>
    <t><spanx style="verb">spec/v1/scripts/interop_test.py</spanx></t>
  </dd>
  <dt>Description:</dt>
  <dd>
    <t>Minimal Python verifier using <spanx style="verb">pycose</spanx> and <spanx style="verb">cbor2</spanx> libraries.
Validates COSE_Sign1 structure, Ed25519 signature, and claim
presence.</t>
  </dd>
  <dt>Maturity:</dt>
  <dd>
    <t>Test/interop.</t>
  </dd>
</dl>

</section>
<section anchor="client-nonce-conveyance"><name>Client Nonce Conveyance</name>

<t>The reference gateway accepts an optional client-supplied challenge
nonce on its OpenAI-compatible HTTP endpoints via a request header,
<spanx style="verb">X-Cyntrisec-Air-Nonce</spanx> (a hex string). When the header is present and
within the RFC 9711 length bounds, the gateway conveys the nonce to
the workload, which binds it into the receipt's <spanx style="verb">eat_nonce</spanx> claim.</t>

<t>This header is an implementation convention of the reference gateway
only. It is not part of the AIR receipt format, is not required for
conformance, and a different deployment may convey the nonce by any
means. AIR v1 defines the <spanx style="verb">eat_nonce</spanx> claim; it does not define how a
nonce reaches the workload.</t>

</section>
<section anchor="e2e-validation"><name>E2E Validation</name>

<t>The reference implementation has been exercised on three confidential
computing platforms. "PASS" below means AIR receipt emission plus
AIR-local verification plus measurement hardware-rootedness. Nitro
additionally exercises the enforced single-document AIR TEE-provenance
path of <xref target="validator-behavior"/>. On TDX and GCP Confidential Space the
evidence is currently split between the boot-time <spanx style="verb">attestation_doc_hash</spanx>
quote and the separate transport / platform-evidence verifier; full
single-document Validator Behavior on those platforms is future work
(see Maturity above):</t>

<texttable>
      <ttcol align='left'>Platform</ttcol>
      <ttcol align='left'>Status</ttcol>
      <ttcol align='left'>Date</ttcol>
      <ttcol align='left'>Notes</ttcol>
      <c>AWS Nitro Enclaves (m6i)</c>
      <c>PASS</c>
      <c>2026-02-28</c>
      <c>Nitro PCR measurements carried in the receipt.</c>
      <c>GCP Confidential Space TDX (c3-standard-4)</c>
      <c>PASS</c>
      <c>2026-02-27</c>
      <c>TDX MRTD/RTMR0/RTMR1 carried in the receipt.</c>
      <c>GCP Confidential Space GPU H100 CC (a3-highgpu-1g)</c>
      <c>PASS</c>
      <c>2026-02-27</c>
      <c>AIR v1 receipt emitted on a platform that also provides NVIDIA GPU confidential compute. The receipt carries only the CPU-side (TDX) attestation per AIR v1 scope; GPU attestation is verified out of band and is not embedded in the receipt.</c>
</texttable>

</section>
</section>
<section anchor="examples"><name>Examples</name>

<section anchor="valid-receipt-walkthrough"><name>Valid Receipt Walkthrough</name>

<t>The following describes a valid AIR v1 receipt in diagnostic
notation. This corresponds to the <spanx style="verb">v1-nitro-no-nonce</spanx> golden vector.</t>

<t>The COSE_Sign1 envelope (tagged with CBOR tag 18):</t>

<figure><artwork><![CDATA[
18([
  h'A2012703183D',           / protected: {1: -8, 3: 61} /
  {},                         / unprotected: empty /
  h'B0...',                   / payload: CWT claims map /
  h'<64 bytes>'               / signature: Ed25519 /
])
]]></artwork></figure>

<t>The protected header decodes to:</t>

<figure><artwork><![CDATA[
{
  1: -8,    / alg: EdDSA /
  3: 61     / content type: application/cwt /
}
]]></artwork></figure>

<t>The payload (CWT claims map) includes 16 required claims, including the
EAT profile:</t>

<figure><artwork><![CDATA[
{
  1: "cyntrisec.com",                          / iss /
  6: 1740000000,                               / iat /
  7: h'<16 bytes UUID v4>',                    / cti /
  265: "https://spec.cyntrisec.com/air/v1",    / eat_profile /
  -65537: "minilm-l6-v2",                      / model_id /
  -65538: "1.0.0",                             / model_version /
  -65539: h'<32 bytes SHA-256>',               / model_hash /
  -65540: h'<32 bytes SHA-256>',               / request_hash /
  -65541: h'<32 bytes SHA-256>',               / response_hash /
  -65542: h'<32 bytes SHA-256>',               / attestation_doc_hash /
  -65543: {                                    / enclave_measurements /
    "pcr0": h'<48 bytes SHA-384>',
    "pcr1": h'<48 bytes SHA-384>',
    "pcr2": h'<48 bytes SHA-384>',
    "measurement_type": "nitro-pcr"
  },
  -65544: "policy-2026.02",                    / policy_version /
  -65545: 1,                                   / sequence_number /
  -65546: 77,                                  / execution_time_ms /
  -65547: 0,                                   / memory_peak_mb /
  -65548: "production"                         / security_mode /
}
]]></artwork></figure>

<t>Verification with the corresponding Ed25519 public key succeeds
through all four layers.</t>

</section>
<section anchor="invalid-receipt-categories"><name>Invalid Receipt Categories</name>

<t>The specification includes invalid golden vectors covering failure
modes across all verification layers. The structural and policy
vectors are:</t>

<texttable>
      <ttcol align='left'>Vector</ttcol>
      <ttcol align='left'>Layer</ttcol>
      <ttcol align='left'>Expected Failure</ttcol>
      <c>wrong-key</c>
      <c>L2</c>
      <c>SIG_FAILED</c>
      <c>wrong-alg</c>
      <c>L1</c>
      <c>BAD_ALG</c>
      <c>zero-model-hash</c>
      <c>L3</c>
      <c>ZERO_MODEL_HASH</c>
      <c>bad-measurement-length</c>
      <c>L3</c>
      <c>BAD_MEASUREMENT_LENGTH</c>
      <c>nonce-mismatch</c>
      <c>L4</c>
      <c>NONCE_MISMATCH</c>
      <c>model-hash-mismatch</c>
      <c>L4</c>
      <c>MODEL_HASH_MISMATCH</c>
      <c>platform-mismatch</c>
      <c>L4</c>
      <c>PLATFORM_MISMATCH</c>
      <c>stale-iat</c>
      <c>L4</c>
      <c>TIMESTAMP_STALE</c>
</texttable>

<t>The signature-strictness vectors exercise the strict Ed25519
verification algorithm of <xref target="verification-procedure"/> Layer 2. Each is a
valid receipt body whose 64-octet signature violates one Layer 2 check
(the letters reference the checks enumerated in that section):</t>

<texttable>
      <ttcol align='left'>Vector</ttcol>
      <ttcol align='left'>Layer</ttcol>
      <ttcol align='left'>Expected Failure</ttcol>
      <ttcol align='left'>Check</ttcol>
      <c>sig-s-out-of-range</c>
      <c>L2</c>
      <c>SIG_FAILED</c>
      <c>(a)</c>
      <c>sig-small-order-r</c>
      <c>L2</c>
      <c>SIG_FAILED</c>
      <c>(c)</c>
      <c>sig-small-order-a</c>
      <c>L2</c>
      <c>SIG_FAILED</c>
      <c>(c)</c>
      <c>sig-cofactored-only</c>
      <c>L2</c>
      <c>SIG_FAILED</c>
      <c>(d)</c>
</texttable>

<t>Complete vector files (JSON with hex-encoded COSE bytes, expected
failure codes, and policy overrides) are available in the reference
implementation repository.</t>

</section>
</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC8032">
  <front>
    <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
    <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
    <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
    <date month="January" year="2017"/>
    <abstract>
      <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8032"/>
  <seriesInfo name="DOI" value="10.17487/RFC8032"/>
</reference>

<reference anchor="RFC8392">
  <front>
    <title>CBOR Web Token (CWT)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
    <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <date month="May" year="2018"/>
    <abstract>
      <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8392"/>
  <seriesInfo name="DOI" value="10.17487/RFC8392"/>
</reference>

<reference anchor="RFC8610">
  <front>
    <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="C. Vigano" initials="C." surname="Vigano"/>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <date month="June" year="2019"/>
    <abstract>
      <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8610"/>
  <seriesInfo name="DOI" value="10.17487/RFC8610"/>
</reference>

<reference anchor="RFC8949">
  <front>
    <title>Concise Binary Object Representation (CBOR)</title>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="December" year="2020"/>
    <abstract>
      <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
      <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="94"/>
  <seriesInfo name="RFC" value="8949"/>
  <seriesInfo name="DOI" value="10.17487/RFC8949"/>
</reference>

<reference anchor="RFC9052">
  <front>
    <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <date month="August" year="2022"/>
    <abstract>
      <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
      <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="96"/>
  <seriesInfo name="RFC" value="9052"/>
  <seriesInfo name="DOI" value="10.17487/RFC9052"/>
</reference>

<reference anchor="RFC9334">
  <front>
    <title>Remote ATtestation procedureS (RATS) Architecture</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="D. Thaler" initials="D." surname="Thaler"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="N. Smith" initials="N." surname="Smith"/>
    <author fullname="W. Pan" initials="W." surname="Pan"/>
    <date month="January" year="2023"/>
    <abstract>
      <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9334"/>
  <seriesInfo name="DOI" value="10.17487/RFC9334"/>
</reference>

<reference anchor="RFC9711">
  <front>
    <title>The Entity Attestation Token (EAT)</title>
    <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
    <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
    <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
    <author fullname="C. Wallace" initials="C." surname="Wallace"/>
    <date month="April" year="2025"/>
    <abstract>
      <t>An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity.</t>
      <t>An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9711"/>
  <seriesInfo name="DOI" value="10.17487/RFC9711"/>
</reference>


<reference anchor="FIPS180-4" target="https://csrc.nist.gov/publications/detail/fips/180/4/final">
  <front>
    <title>Secure Hash Standard (SHS)</title>
    <author >
      <organization>National Institute of Standards and Technology</organization>
    </author>
    <date year="2015" month="August"/>
  </front>
</reference>


<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>

<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>




    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC7942">
  <front>
    <title>Improving Awareness of Running Code: The Implementation Status Section</title>
    <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
    <author fullname="A. Farrel" initials="A." surname="Farrel"/>
    <date month="July" year="2016"/>
    <abstract>
      <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
      <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="205"/>
  <seriesInfo name="RFC" value="7942"/>
  <seriesInfo name="DOI" value="10.17487/RFC7942"/>
</reference>

<reference anchor="RFC9782">
  <front>
    <title>Entity Attestation Token (EAT) Media Types</title>
    <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="T. Fossati" initials="T." surname="Fossati"/>
    <date month="May" year="2025"/>
    <abstract>
      <t>The payloads used in Remote ATtestation procedureS (RATS) may require an associated media type for their conveyance, for example, when the payloads are used in RESTful APIs.</t>
      <t>This memo defines media types to be used for Entity Attestation Tokens (EATs).</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9782"/>
  <seriesInfo name="DOI" value="10.17487/RFC9782"/>
</reference>

<reference anchor="RFC9864">
  <front>
    <title>Fully-Specified Algorithms for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
    <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
    <author fullname="O. Steele" initials="O." surname="Steele"/>
    <date year="2025"/>
  </front>
  <seriesInfo name="RFC" value="9864"/>
  <seriesInfo name="DOI" value="10.17487/RFC9864"/>
</reference>

<reference anchor="RFC9943">
  <front>
    <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
    <author fullname="C. Fournet" initials="C." surname="Fournet"/>
    <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
    <author fullname="S. Lasker" initials="S." surname="Lasker"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>Traceability in supply chains is a growing security concern. While Verifiable Data Structures (VDSs) have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document defines such an architecture for single-issuer signed statement transparency. It ensures extensibility and interoperability between different transparency services as well as compliance with various auditing procedures and regulatory requirements.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9943"/>
  <seriesInfo name="DOI" value="10.17487/RFC9943"/>
</reference>


<reference anchor="I-D.messous-eat-ai">
  <front>
    <title>Entity Attestation Token (EAT) Profile for Autonomous AI Agents</title>
    <author initials="A." surname="Messous">
      <organization></organization>
    </author>
    <author initials="L." surname="Morand">
      <organization></organization>
    </author>
    <author initials="P. C." surname="Liu">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.sharif-ai-model-lifecycle-attestation">
  <front>
    <title>Cryptographic Attestation for AI Model Lifecycle: From Training Data to Inference Output</title>
    <author initials="R." surname="Sharif">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.reddy-rats-key-binding">
  <front>
    <title>Key Attestation for Entity Attestation Tokens (EAT)</title>
    <author initials="T." surname="Reddy">
      <organization></organization>
    </author>
    <author initials="H." surname="Tschofenig">
      <organization></organization>
    </author>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <author initials="I." surname="Mihalcea">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-rats-reference-interaction-models">
  <front>
    <title>Reference Interaction Models for Remote Attestation Procedures</title>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <author initials="M." surname="Eckel">
      <organization></organization>
    </author>
    <author initials="W." surname="Pan">
      <organization></organization>
    </author>
    <author initials="E." surname="Voit">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-rats-epoch-markers">
  <front>
    <title>Epoch Markers</title>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <author initials="W." surname="Pan">
      <organization></organization>
    </author>
    <author initials="I." surname="Mihalcea">
      <organization></organization>
    </author>
    <author initials="C." surname="Bormann">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-rats-eat-measured-component">
  <front>
    <title>Entity Attestation Token (EAT) Measured Component</title>
    <author initials="S." surname="Frost">
      <organization></organization>
    </author>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <author initials="H." surname="Tschofenig">
      <organization></organization>
    </author>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-scitt-receipts-ccf-profile">
  <front>
    <title>CCF Profile for COSE Receipts</title>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <author initials="A." surname="Delignat-Lavaud">
      <organization></organization>
    </author>
    <author initials="C." surname="Fournet">
      <organization></organization>
    </author>
    <author initials="A." surname="Chamayou">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.kamimura-scitt-refusal-events">
  <front>
    <title>Verifiable AI Refusal Events using SCITT</title>
    <author initials="T." surname="Kamimura">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-rats-multi-verifier">
  <front>
    <title>Remote Attestation with Multiple Verifiers</title>
    <author initials="Y." surname="Deshpande">
      <organization></organization>
    </author>
    <author initials="J." surname="Zhang">
      <organization></organization>
    </author>
    <author initials="H." surname="Labiod">
      <organization></organization>
    </author>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.richardson-rats-composite-attesters">
  <front>
    <title>Taxonomy of Composite Attesters</title>
    <author initials="M." surname="Richardson">
      <organization></organization>
    </author>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <author initials="Y." surname="Deshpande">
      <organization></organization>
    </author>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.poirier-rats-eat-da">
  <front>
    <title>An EAT Profile for Trustworthy Device Assignment</title>
    <author initials="M." surname="Poirier">
      <organization></organization>
    </author>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-rats-msg-wrap">
  <front>
    <title>RATS Conceptual Messages Wrapper (CMW)</title>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <author initials="N." surname="Smith">
      <organization></organization>
    </author>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <author initials="H." surname="Tschofenig">
      <organization></organization>
    </author>
    <author initials="D." surname="Glaze">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="I-D.ietf-rats-ear">
  <front>
    <title>EAT Attestation Results</title>
    <author initials="T." surname="Fossati">
      <organization></organization>
    </author>
    <author initials="E." surname="Voit">
      <organization></organization>
    </author>
    <author initials="S." surname="Trofimov">
      <organization></organization>
    </author>
    <author initials="H." surname="Birkholz">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="SCITT" target="https://datatracker.ietf.org/wg/scitt/about/">
  <front>
    <title>Supply Chain Integrity, Transparency and Trust (SCITT)</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


    </references>

</references>


<?line 2072?>

<section anchor="appendix-cddl"><name>Full CDDL Schema</name>

<t>This appendix reproduces the complete CDDL schema from <xref target="cddl"/> for
convenience.</t>

<figure><sourcecode type="cddl"><![CDATA[
; Attested Inference Receipt (AIR) v1 -- CDDL Schema
; Status: v1.0 -- closed claim set, single-inference scope
; References: RFC 9052, RFC 8392, RFC 9711, RFC 8949, RFC 8610

air-receipt = #6.18([
  protected:   bstr .cbor air-protected-header,
  unprotected: air-unprotected-header,
  payload:     bstr .cbor air-claims,
  signature:   bstr .size 64
])

air-protected-header = {
  1 => -8,          ; alg: EdDSA (Ed25519)
  3 => 61,          ; content type: application/cwt
}

air-unprotected-header = {}

air-claims = {
  ; --- Standard CWT/EAT claims ---
  1   => tstr,                  ; iss: issuer
  6   => uint,                  ; iat: issued-at (Unix seconds)
  7   => bstr .size 16,         ; cti: CWT ID (UUID v4, 16 bytes)
  265 => "https://spec.cyntrisec.com/air/v1",  ; eat_profile
  ? 10 => bstr .size (8..64),   ; eat_nonce (optional)

  ; --- AIR private claims ---
  -65537 => tstr,               ; model_id
  -65538 => tstr,               ; model_version
  -65539 => sha256-hash,        ; model_hash
  -65540 => sha256-hash,        ; request_hash
  -65541 => sha256-hash,        ; response_hash
  -65542 => sha256-hash,        ; attestation_doc_hash
  -65543 => enclave-measurements, ; enclave_measurements
  -65544 => tstr,               ; policy_version
  -65545 => uint,               ; sequence_number
  -65546 => uint,               ; execution_time_ms
  -65547 => uint,               ; memory_peak_mb
  -65548 => tstr,               ; security_mode

  ; --- Optional claims (v1.0) ---
  ? -65549 => tstr,             ; model_hash_scheme
}

sha256-hash = bstr .size 32
sha384-hash = bstr .size 48

enclave-measurements = nitro-measurements / tdx-measurements

nitro-measurements = {
  "pcr0"             => sha384-hash,   ; image
  "pcr1"             => sha384-hash,   ; kernel + ramdisk
  "pcr2"             => sha384-hash,   ; application
  ? "pcr3"           => sha384-hash,   ; IAM role (optional)
  ? "pcr4"           => sha384-hash,   ; instance identity (optional)
  ? "pcr8"           => sha384-hash,   ; signing cert (optional)
  "measurement_type" => "nitro-pcr",
}

tdx-measurements = {
  "pcr0"             => sha384-hash,   ; MRTD
  "pcr1"             => sha384-hash,   ; RTMR0
  "pcr2"             => sha384-hash,   ; RTMR1
  ? "pcr3"           => sha384-hash,   ; RTMR2 (optional)
  ? "pcr4"           => sha384-hash,   ; RTMR3 (optional)
  "measurement_type" => "tdx-mrtd-rtmr",
}
]]></sourcecode></figure>

</section>
<section anchor="appendix-vectors"><name>Golden Vector Summary</name>

<t>The reference implementation includes 19 golden test vectors (2 valid,
17 invalid) generated with a deterministic Ed25519 key pair:</t>

<t><list style="symbols">
  <t>Seed: <spanx style="verb">2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a</spanx></t>
  <t>Public key: <spanx style="verb">197f6b23e16c8532c6abc838facd5ea789be0c76b2920334039bfa8b3d368d61</spanx></t>
</list></t>

<t>Vectors are JSON files containing the COSE_Sign1 bytes (hex-encoded),
expected verification outcomes, and policy overrides for Layer 4
tests. They are available in the repository under <spanx style="verb">spec/v1/vectors/</spanx>.</t>

<t>Valid vectors:</t>

<t><list style="symbols">
  <t><spanx style="verb">v1-nitro-no-nonce.json</spanx>: Nitro measurements, no eat_nonce
(canonical golden vector).</t>
  <t><spanx style="verb">v1-tdx-with-nonce.json</spanx>: TDX measurements, with eat_nonce
(tests nonce binding and TDX measurement variant).</t>
</list></t>

<t>Invalid vectors exercise specific failure modes across all four
verification layers. The following are a representative subset; the
complete set (including the signature-strictness, trailing-byte, and
duplicate-key vectors) is in the repository under <spanx style="verb">spec/v1/vectors/</spanx>:</t>

<t><list style="symbols">
  <t><spanx style="verb">v1-wrong-key.json</spanx> (L2: SIG_FAILED)</t>
  <t><spanx style="verb">v1-wrong-alg.json</spanx> (L1: BAD_ALG)</t>
  <t><spanx style="verb">v1-zero-model-hash.json</spanx> (L3: ZERO_MODEL_HASH)</t>
  <t><spanx style="verb">v1-bad-measurement-length.json</spanx> (L3: BAD_MEASUREMENT_LENGTH)</t>
  <t><spanx style="verb">v1-nonce-mismatch.json</spanx> (L4: NONCE_MISMATCH)</t>
  <t><spanx style="verb">v1-model-hash-mismatch.json</spanx> (L4: MODEL_HASH_MISMATCH)</t>
  <t><spanx style="verb">v1-platform-mismatch.json</spanx> (L4: PLATFORM_MISMATCH)</t>
  <t><spanx style="verb">v1-stale-iat.json</spanx> (L4: TIMESTAMP_STALE)</t>
</list></t>

</section>
<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>The author thanks the RATS working group for the foundational
architecture (<xref target="RFC9334"/>), the EAT editors for the profiling
framework (<xref target="RFC9711"/>), and the COSE editors for the signing
structures (<xref target="RFC9052"/>). The measurement of confidential computing
overhead referenced in this document was performed on AWS Nitro
Enclaves and GCP Confidential Space (Intel TDX).</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA6y96XbbSJYt/D+eAlf+kaSLoAbLk9xVfWVZmanbnlqSK6tW
VS0LIiEJ1yTBBkDJLGf2s3zP8j3ZPWPECQCUld2da1XZloBAjCfOsM8+aZq6
pmhm+UGyddg0ed3k0+RkcZVX+WKSJ6f5JC+WTTI4PDkdHiSHydGHs+Pto1/O
k49VeVXM8uSqrJKjcnFVTPNFU2Sz5PAkvL/lssvLKr/Fxk9Ok9vdLTctJ4ts
Dp+bVtlVkzb1ulrNFsWX8jatsqZOM+lEWmgjacWdSHf23CRr8uuyWh8k8OvS
FcvqIGmqVd3s7ey8hN/Xq8t5UddFuWjWS/jIyfH5jy6r8uwgOcsnq6po1u6u
rL5cV+VqeZCcHp6fuS/5Gn40PXBJkib8+ayBFujfMBrfEfqBdIb+jpPBf/nl
nP48PuQ/J3ZCJuV8uWqKxbVz0PJi+jmblQvo2zqv3bLAzzblhP+ZJHVZNVV+
Vft/r+fhny5bNTdlRT2F/yXQNfjN63FyHmaRfs4z/Bomqu78rqyus0XxTxri
QXK0XjRVUecT+l0+z4rZQXKJL/7vif5qDCNwblFWc3jpNsfPn/549GLnyZ7+
9clL/9dnuzv615f7L+WvL3ee6gMvnzzZ178+393Fv/548vFs98VOSj+H2ZDt
SAuWJz9n9U1yhhOXVdNkcPbz2XCLnguTIcM6SN7TqGDOTxY1NLNq8qS88i/X
CfyZnOeTm0U5K6/X9OYUdtRBsrez+zTdecHfz6rrvDlIbppmWR9sb0/qajJe
FHUzvi5vt5ery1kxoe/U29O8gQnbviqW9TaMYHsf/gqfdw53Zzxdz1/u+yl4
/sL/9cUzPxsv95/gX0/SN+N5Xtflqk7zrEmzIp6WY9hVzTo5DBs1OS+/5Itk
ALtvGJ3Lw1VTLso5tIT7+PAaNmTdN3ep/Ckb6nCcvOMO9P/+Lfy+rGAu+3/9
cZwcjZO3xSqa371nMrb6JquKKxhWOi+n+SydFVf5ZD2Z5ak5e/GQj6r1simv
q2x5U0yikdMoT6A70BJ8Ulo6SH6synlyXmXFAs5d8iZrMjhkRq59WDVwJh8w
F6fj5Iw63D+YKp9O1yy4QIykl8ViCh+Me/9v+brT502LWPMqPqBj52MQzvDx
/n4VeXPF3QLpIWK0WDR5lU3wYzz1ddzPU30S5sk/yVNbU6dP83kJJ8p2Gnbb
JJ/CMX3Ivvp5nLwuqi835eyf3+t1viwnN+k8q77kVaubx/ir5B3/6n/4q3Dc
5nlWw3imKYptkNOLpvX5w3M4HfwMXHzyzP9YP+pJ0TR649XpZHKVLvlEt4Tj
0cn5uV7P0Hp0BcM/8B4pVnM4CHAV4I2nguF/oqdfsnkxX1WZ7+3Vqs5maX6L
Aibu559zODtFdgkSCc7pKT+ZHNOTyarG00lDediO/zf58PcWcr6aNUV6S9/O
q/Y27+ziu6KBHYXvLKGff5bXHrK5/jpO3uT1zRKEYb5BQhSTG7x74NBR12hb
1UWj4q6zv8+zryi013hzHenD0t2HdeodiAb/1f5eLcuigiGGbT/N4l4cLlCZ
iW6Tc9SzYCs1N2sY9G0BguIQVK3rxfxhBwC69ZE/+7Bt17cBfizrGtbsu+tf
X6d3cF20Vh60PTwbk3zZrGAX4iWXXed18gs8usyrZHD07peHyN57Dwht59Zh
XS2Xs3VydAP3EQnXa1RER3hBLeplhkJ3zboJTjHoONiEdKStjcC3sgaEM0g/
GvAYFJ/tu+ttOorb2WW5aradS1NQZS9rfLBx7vymqBNQvFe4Usk0ByUFRt3c
+G21UeUfQbccTI6qPOksW8NEoeL7+QyWfjfJF7f5rFzmySSrqjWeZ7QOJrOs
mNeJiK6pw9nF731HeblSaTVOYAOiyaDqNt6sdULXVsJyDiewWMAtvl3SZZ7c
gKKY1yOrwoNysfgCn5+DnoYTN6JZht5Wqig2+SyH31ZraAs0hCxBkQQbHvc1
TEsGUvQK57BeFQ1JMTwJ0Jd8mS+wGzCqopqmsIgwLBY4PFN4fLPIEHDWlmgP
MIEV0jOeysePb/HVST5KFmUjCwEqDQpQ+NK0mMC2yMiG8TIrmeMGkudymnKv
AEyT5SxrUC91ZoqSyxx+pI9yX/B3oOXidCbnx8e4jCCwM+y2c2zIyb6sZb6C
taaN1GBMwI6Er16uE1zSWZnBClarBapkoCDXMLgEhdQdHIC0qEvoXC5HAAf/
FdR/6uDx4raoSpIyoB5Bf+rhGKfOwZR11xosw4b2YgGdl8ucX8Wlz2iXhDkB
rdDhyHVmbINJLvOfZKAMTwrqHl0V+IYf8Ci5XDUOPjot4Yu4UlUOzU1Co2m9
zCe4MaLW7WYBCw6OqIMfoenqT+jhL2fJ+6KpSpgDOFG3OQ8CJcgsOX/zFzs+
PWu1KxezNW906Dcc+Trs6t5hesGAh1RWb+w+FsscZhTO9Q1r0aOEb9XuSo8S
f6kl/lIbufgSBgNtAvup4ZMH/ZtM4OjBv+A8bSc/ffwUnZWUjeY82qkFSU59
H8aXf21AZS4uixkKlTkYdmDZ1nPWVrPptOBD7kgaQQfC+HWy4ICDiQjCA05r
PQHBMGbZOS+m01nu3COc7KqcrkgZdu4NLG255v3U3GQN7udknk1ucKZmeVaR
vcHadQJdnszK1RT3SpXB0KEVWC0Hm+MLromYpcU/8+mIBleRZEIp48eCZgsd
v+QOP3eDFxXIBgc6N34JWtG9ZUTL8VewVunX1uxQ2QpndgUadFY7Eh3fvolV
/ttv4eCHmVJhSxM+gYHJMpD8xZ0Ph2ENe4h2/pKmKsedZPaJP0diHkGvaYZg
0E3tSIbzxmZBXvPiRscSB5G3RPStVy2dimlYvY99W5wah5leZCDowfTndb8s
4SwvYBODGgA/p2O8qFdXMJsFngfcRQ1enctVBdsbJra3cVoeuutg2E2BJ/CK
eq9Sjz5foET0Mi0PMm2UNOslyIEZaAiwwlkCuhl8vFi4ppiDdLm7QQWs2/ti
vpzRyWfpF2QMjvUKDoZbLfgiGSfvcxBbcAaxq7AWtdl9I/hexVdbefl/80nD
+5rvW7BtnF1HuvDKzjVc5f+xgunYBjMQzKE6D1fxYuq6IjrR6xgGCT3hCeWL
NOGLdJKJfFw7c9fOSCfGmV3Bv6sZaRu6Rcao5nxfoUng2M9qXtbrbNlzDTv4
9r0aDx+Ynad7eGBU+7m7gQ0CvV/TgmMrpAfRs+geg2dFJ6pzL6tRQsMckabN
rT7f3f3tN7wNcmcUA9EH6O45nu49fbr7UlreeYItww0b7bfWJZvdf6nSncpX
aqzBwChqmIeGzx2o/iiiJ3lFPqKT03RWTlgViZQe7Il0WJU32Pv57IqPdfdS
7GsgLLDrv5GhpS8gd0Si8P0ZbjIjWknPdfhFWEV8zd/9rAHPsP2KRNk9N7jr
vcKX3vsR9CJcLrxIpomVVf4QHeCZ0gPDDdQ1K0l42ORk8brhk+oOD4srMraW
hvi6TvS6du3rGvp6neNL5ZUIVnONijpjzRCUL24gNwQbM7DX6M/ffhuS5Jni
DFY8wqsVXmmJaC44D48eJT+V2azm83iNf8VVlemB9w+c2x0nYEKikgNTpBv9
rqhIvZ6D+GHPQK73GLrx/aKyV3IQTuQIj9oIT9EQvr8Hbb+GbdGSUslgEnkR
UUQN+y0INgDNOj/MfPCrTe/LEVABAR17Ah1DSxDE7abjw8PWgYZgS1OWM1xT
apkvBLgvyjt8empVEjyi80ucV5xvWt06h6WF25PefbhKiqu/yPMpXB/O7UPX
j9C+CzdypFrT4P09ogtag7aSc3f543BQ8uoWOw0nr6h6elPn8wyWa1IntwV7
eS7Mhz5jUOcC+vPU7B/WCxe8IHBFgMqFBwr2mkhZnoarrACtkn7Hnckqnmz9
Im/d9yDxafsm3x4t4O+0f3/zpzv/ihdDgVeRCgvYzmlitjOfJlxk+H5TTsoZ
ap51TlEp0BUXcB5ZSIE+PIeNgW+f0QSs+/XyaFmCzEkGMItw6cCR6l/b4Tjq
2UL1ZWilyq/haMF6QtdQ1Ya221o0qT+L/I7a3qxB8zc+kopKdzocupxFeSVH
cFKCtJg0YNGYp1HAQS9WM7QAYNVQdQq3APdqVqDNmVyvYAPDGuvHZEDLtoVC
X9xgo8g0y/HrsVd4l8zVCTglyQPaUBwQTPyq1NZcSgb5+HoMcgjMGDSY/9Ax
aCQKmMOaYCu/tA1iNBaMSZTCBVEsl8ZmD1o7vv/+zydvTg6Tn3d3dtquX/oM
aVBogKvcDbYaqrnkWCKNxVvrE1hAMNLAdqRrEUaSsvIQxv/K9rAjJOHiE1tv
qhbVJRmheOXwtZrPL/MpSBSUF3grYxP+BjvUu6TrIaVB+NNcrmaoJxaVb8N3
NlwlsJZT8lHyL9SVopPIzihQu9iRSa0EZ6b/1uDbtw3eUrgLX1EjFEKmTtzn
WOR2ug5KvFLRjcGHDKaqQF9iuAFgC93mazoFeBy9j80fw2OrEWW8Ra0+Cxde
jqq/V3TDXvAOGlg8npbgIMJm3n06O0/efzhPLnMW3YuGNVavhZGlgJNgjfm7
jO8DHlLXplcD+RXIxBxUC7vrSXMCBdgec3UgpNpd6zw8zWs4sfU4+QXGiNI3
3IYcCIcbDK0d9Y+pay140jAYf807PbIERjqbuEu6n0SH5elIQAw2glTRguKk
LDLYztlM5kGtNbhm3CNoBM633p5vswWIuOucNSZUaxGPUCdbuAJbI/4TVwL/
fnr8759OTo/f4N/Pfj58+9b/xckTZz9/+PT2TfhbePPow7t3x+/f8Mu4stGP
3Na7w79usY6z9eHj+cmH94dvt/isWuUaVUBQNC7ZE1DB1uB94cCwnFTFJZ/v
10cf////b3cfFvh/gaGyt7v7EgwV/seL3efobLi7ycWPQ1KH/4neBPRzwkTS
LpqB5MyWRQO38Aj3Xn1T3i0SXGyYyMd/w5n5x0HyL5eT5e7+n+QHOODohzpn
0Q9pzro/6bzMk9jzo57P+NmMft6a6bi/h3+N/q3zbn74L/9Kt1y6++Jf/+Ro
95zn1bxgDAOoKU34FygqJ63loilN8JlkS4/SVjIA5TGvJlmdj/DW3AoxL1oH
t0IVSg43bPyqYXc2yQA4+UO2okjhpDACnBs1s/+czVCIwQ3BbkywbUADvhMT
DXumV+sVBulVhgYXdlXOcnGBTsGEjRxUZzlHpZ+N9/XMx5uTDzx0izoo/XPd
D6DvCdRtMQJVrUuWNxXMiYSK9IXxFuh/38NGuQOUsPc6DkT2gEK/jUJFnVbG
UQ6yIjNuo6uGfTZoI4q3j81JG0nwxqRa+9AI6CDkRPCi/uHhE5f0ONUfYgHB
eYw0EVVxcGawK3V51aCrX71gMJ7gnwCdiS4T1om8f1DtY1R6OgMWc/Y6X2Bv
0F0epDfcCHAQ5G62G8gcFj4ZkZIWpn6CLslaNAwNzIiV39npsvhiaNJAYIZY
awuWHqj7ky/kFfY274FCyHBrZGpJez14JHq3dx0nt/xJ7wFfgl04wW2Tw29W
ojwv/LLD4BoOm/BdaxtPvSUBSghqpeebDvJDDy0t0ubjeth6RaNUtVdicO9d
gy5fNyZCgwOTwEe+mJZVnXtbV93Nh5GOLjrBq82SKTh6ZJl4zbxSgLPx4wqu
HtyXGESpSAMLEQW4riq+weuu2QUv3+/S2hBkIjwVbgR4JDXOrVeiqhvLT6IW
dHr8Bmt/lzTCKtcxspOpHS8kj4PrcwxEzq3TnHv+Ed2zPdsdNhqHmuwZBANV
tE/0YpN+xuLxEuQvfJO0dK/J9qh1Q3I2Z19yxnjCpTApyM0k9hbuFxjnCpal
rEbWZCzRiY/fhcWGXYOSvhp6mWD3KLTRkgmw2+fZ0t9t0dBpn8N8HPNOrFS4
4UbRWCasAv5WbUIM4qHuToG8kQTvCE/x5i9D9hu7liUVhYtgiJObEu9amgM2
naymHnliOPI5VZewD+e5dyZU+A6REdzxi5wji59tKxcid1B8iGndt8vZiQCb
SI6ofhu6yL4g8iikZVWw6VDPShTM5yRTu36dBDYkWHbTnNdDrmaQxGhSBccQ
HSeeNGoQ5V2eTW5sJEBOPA6yqw9tyaRsgXZ5l61ro8vEJsA4eV+S30zsHBKD
V/Ssl4LsIF2huYc9C20P7m6KiUSa8foib/CkXKHKLIoABbVoQai5LHbEkqsM
VC2+yJu7EneJmMcS+EEcdNZyweI3ZtOwNvGQ9NRl0vG+L4qXHJ6/zf2DPhqx
oIWHLy7YkhGbUmXsj+S/JVea0XyOxQsK92fHCkXzN2my6+t8GilLfv8Pjl5/
OMUnkt0XQ7YzWK/0lw3HYvSy2R/vHTj3n//5n84098fkbyjlKljQCe7FJDlI
EB8zSvx/aJBWoAVgPNY8eZNnU4IsrRbhhwcoIsy7+Lb9Pb+ED+FXJSqU9H01
/qzBzvC7QTHQd5NxDY8mz/bpXQ0H+efcP2joZEqGl8m7UycXMBmf/czSrGyd
6UO7W6Mw7JFDZ2EFd93nLMMgIY/hHxciyS/sry9wEfP5Er3sFzc//HCBfnhv
UrAjocopuAj7f/NSs3BIzHo7EsYLurXX7KH96Cf5Z14ZGmpn6mlbUUswkVaS
5V9BpKCX667EKwxxIrBdfgUrHOyU5NfkfTbPzfL8imrDKoc/35B5u6Q91vPf
r+7XlP47+PUgjf/b+Iv2f9AGtbULn8tm11Hz+H/pC/jzePrm7DAZyMoPe/pB
fz6BR0X/wwhzrm08o8aDnbI9uWu6bWxYPn+1yy6ATl6odw86h+4f/IW7sF/2
TzzbBS3QK1HdNcNAxTwnbyw6tfEVc9YxegSSqcctNQ7bndSr2TXcOc3NHL+r
B2RgAqbDsUfOcnOXufO+S4/wgW1ZTJqgBynUgnrjNivTI9hKaPntoXDGGMIk
g//HCH9Sw/9lVXKWDM6c6m9//9sOvDFUFemtuo+045SqgvF/0GBGaALOQf9M
6d/JqUP8OyMGBPKzWJtjj0EPCbfAXkBjs6xmYFBJo6DCstKM9wq6WniVETGg
xjpPAqH3MtY8LsFAngXHnFdynY1Iqyx+Ot4dP+dz+8mIR3tye8SmrImIFMb4
R17ssf4AFXnaJ6DgJRdfChBFCP2BSSgJ8NDTuN9k4+R1PsngRXffU6xs4ydI
hgbVCgVYmOqRbqCNBwa3Fe4GHlT3kxKA+siC9oCugiO+CkBfEynn8QUi3FK4
uMtp5+JgOYqCD10cTlUqtOEmCb1COh2Mkxft5f7L+AId79INh85IPouIJ/eO
e5iCJr9DgOEs/1pMfEyVNyXbO0WVaN8MPCN0EcfA4biDpH/qSAkPghtW6csC
nX8Uv4bvYN/GyZsVS7Kc+6pbx+9kVkXevHmbnGG8LUu+PZpMp7PfuD9XpYZR
6RGejWe7OzAbFibLOleTc4ya4pqsYiTYlsuKSiH7cKU+ejbefTGI1I0DkKl8
d08ucX/C8/53KS//KNYwDugh8wPz2FK3SNJtlid4ZDWH8HFRHNw/hs719QE6
/83h7fPHP4E0j1QjkKkH7ZvH4SUDjz7bjR61ov+gfdO43/jT3ZHhx+WXsku4
N68SBOT5BDD1nskz8DvqcYIdaVqqle9SUdcH+H8rUuSe8dMrEpp9T2eNPD1N
QfEffFoUX0FJg3FNaxz0c37fzOnus5F5H04RH9+TN/DyJ/j/2/0RPEPHhlrY
e/YUW9hSUDfeLOMo324b5mH7FlUyaDDPms8SkoKX/zXZ3dHvd/vPTy8wGJUM
yiVftbDeOpEcSitu8cREc5g+e/r0yfNN0/iKXXKfi6k++uJ7j4pBos+/xOfh
6Ow9fZair3HUfh5/KA/v72x+WLx/0eO79z3OmLTo+b3NzxtD/DPYjNFrtNvF
YE6twTzCae8xpPXF/c1zxR681mTtP920QdFagPHD6n5erOaXtJ/pjWeb3/Cw
w8+IKPw89916vvmdeT4HjfvzMs++fJ5f6gv3rHkt6bWfcTFpl9IbL/vfsGv+
mYEQdreCHDCrA4LAnLUne/i7Jy/2e363/8K5vvWBpxbofol/uJ0006/Rj5zr
eYzF0NZyUu1sRYPgPaQ9GdGwijkG8vjx3e8//gVsKLA6/pCAtjEt6i/y5t73
3zRylWYbX3uy9Z2XTg7fcXjFzLW+vP+9l9EvS861AKnqtvLie62oko6Aj7iB
rbZHaItkJK8INL01wn3RXrLftzzvTs/fPHx1Ts/fne48fEnw8d2HLwY+vvdf
Wgl888mDJo9mq2qmadXMeQK9c+AKHdyk9aA2OatLRQeLY4WQ5tPia0rq0m/s
7SGFFBRFccaRctW5mllrxd89wms0GZzQzTuEi4ai27vOHSZN/rUh6wLjQLSh
rtZqquDdS6a6bDN29l5sRTfk1oW4xsj7iIPgsFRZpVmtYX4KVmUgMDUSqGoa
4wzHiTFzD//KIRofgyDE1JJ1dFEeCHU3w1xwGR7qBzQ8xCX4ET4jR5fir73G
WuVisOpASbNAoQwna77EKA0pGRjmm+SOkmCHFJCNU068Pjq1A8goySxLruAb
Nwi2cjScg+QC1OYkBX3662d0U/7LH6nb8Af+/A+ohU++fK6/5HcXtjkOcjtR
xsXJ6PtaywSArpMMWNfxo3+O67v7LEV1B4MYCFuXlSZP6mpRwIpAX2XdC9Gy
vdv1OJvc+JUijf4mI18kv5lcwFehrycRAl57DIp7hZ5LesiJZzXCfnL8BvYG
/KouV9Ukf5WImuZtlqyGJ+5YY3MDNP+wh0+epZhXmZFFLEPCnUSYDxPiHycf
yPyUSXDSbz9emN4BmrX51wzHwJHIq6KCTbe79wLmrKk54M69nK3dFHqzSPBG
hF/ylmcwLsJnloS7jHxuc9jC6vEiNPNacihkkiiFMCkv0ecLw+XJMqE2Wfap
Wle63kYV1eUGZVYkSvGVvNo0LXwqLx6g4l6Mv+tsQttZzT/bA+6w6RrrvSpn
dugYqphsbcXBi/TZPi9wsIQZgG8s4d2h82JRDH+T0QRdlCwECg4hKqaQ1JUA
wEqygB7XWL3AQcfJx81fZhARDQhnxfEZaDDNCFrAvss2QS9muVyzNAwvoBlc
Y+ZpiAc5Sa9AuUB7V0XFK4oTaP6hhtSn0ppPG1mUTjaTWG80hpOreF78RzN+
n7AW1COWrygEXFgtkMOYGRZ8ThTfqkCTqta6d6GfhWgfHqDqSDDeBmTXNCdx
BEu18rqRuh6vYNIKPiSPOGjxUYwgva3wZwQIWeTXRNwRORrU84GiTsynFH1O
cECvKYswuy0LxOvNZhSi5D17cvj+MNVQDEwIG1zj5N+wRTG4mpuqXF3fOFGw
6Uzb+0sCzVN6S5VqvLLNQ073OIasxPXVMfS8Myd2qsrpUfNODw/3rn1TGz86
zsbNChQBGGA25aw1gy+hneBvbnQ+zebp7Fl6u0cX94f2XT2Si5qCbrG8foXr
4oLBQB5BzfywvdcQmB3Ci//KELQh3//d8c545zsdtz2hbtpuvMRuPNnjO/Hs
58MURDkcfE99g1k8kh3HaWfaFY8SqvOGYVn6e5PwByfwomNQkdtdFA46guLR
cjdw7VM0U7+IkE3BJ09Bz9/YWHZJbRlXp79N4Djbty4ks0mUL2Z68XYDiW3H
wAF4qG4KUEUvWa3J8Jx4DSwhmZ9el6VJ3CGo0ljS2nlrF3UP9KqVAKJIC5iu
kOrjQDByepKkWXpMq8mbjlcC7iN01KMLDsGzlWP7Gv5OEI+AA4ig09QubMFy
gSIFE6lmK4HiM5DEZrr1Aki6qUCaVwi3ED8p2cwbpiLFl/i2am7ERRx2q4mr
oJqb/DOvSr1arc/Fbuv9nb5tTU9Jp7swNfFejilJp46Ucs6YCgmtsCHHIJ8L
svNuytlUD21ZFddItKSNOtxG0IqA3zlVlfaSH4DxAkUj2P09I5D0xgcPgaF1
0IcLO4MX1MGLqE8X2GHE60MD8QyYzFhHnWQ5xrFSm3kbb17pqlyntM4/1NoO
i5Cs4S9IMjViKGjgRZAGCWUFcIu8fKT0cONOwxGCp/f7Ul3nRUPpq0jXA8YV
Yyc8dAL0qjwNCXAtfRhJISgijkkoaKtRfHwo+pofkmN4CKb9MAKJXhBc2FQW
v8+lF+2Bvb49MC2ucbwMSywWX+q2WhfBcHoTd1AHwFQIznvQzTtYlg3jDaHb
M6RRGDr/CssiiZZQR2GayKmkS4lmSZTbLGJplCyLBd7qcEE57ZckJz1+3KUS
OHj82I9Vtvr7s3f9GUhpKikjuY3bm90okJCgJPO3lHMPWaRWDPpKGGg69XF4
tLTk5ZFGyeAnqYapxjoET3vQ03OclDdHhx+T/1ghuQ8sLv4UKRLoB5yRpzCD
kQb5RPWSl0IsD/uke0g1Z2zBI4wShhzEC8Ot8AYVij/Ve0GsUgMFSn1KNVib
PDHMzKdrmLJFELRXrsSKoDZHPu7NuT8go7UhGjMqnRkyds2SQcijkryoepSc
H70musRR8u/H3A2PAEbyxtO3NeI1LvqOyYUgh3u2ft8edP54zmEb36JSb+5a
MY5K2+FLGOkMU8Xhx6pWOPaJU+8IlLUWm34aEV7AcUcTQeGRhIm8RNVOdGLF
l059CuRsLQfLb4yg6UXi53Yfv337dKjmg0LbUKtx2pwGoUkFQXyrt4BIaAgU
/SZ8BHMOSSw6jx+zmwZ2Cw+ATXAGZJvEKJsFNc/WLptOA3K9L1+1y2DgExn9
mkwlO/B7iYd2fGgEahaywOJIVmIS86VVrmvE0mwSWK+QNEUUSPI/xqn+nP8v
yFxVguFgF01tEA640AyMpN2ODwihjZrmaANyFsRClQLev9LmD7VTYUI7W3VK
mKsfMajq9z0o/Hi4yC85TZsyRWBpTI8zSvpPkRO3hmed0bnpnXZRjJnCBmVP
DygYBd+3b4ZzEAwIZc2wh0SNzxo1FFA6iXVAHRkeD63wcP1BepnfZLdFWRFW
5tBPAdofxC8j6n1X0RSbdFZeU14EI5NHZu5AuMOcuTBnQ1IOwtxkoihg79HO
K8smRbejQXBirr6Xq+3sNGg9Da0brf8wYTYD1uYFtkzJ0niow3c2CELBTfrD
jxwnmtVr1sHxiS7qiFbGglhwmeD4osHjM2TWAccpJxxBxjAG9TsIzZLfI5Ig
0RbEeBV5NpFJtsQWkYIj6GaUzTNS8HtESGU2ckqeGnRqG+wouhX4bE3zOahb
Dadd8AllOga+uAhI2zVXeG84zlpmV8irRImTyPLwtpj5gEHfeuyx4SRR20sU
X1rB9qyQfSuTgYR9PmHeoYwWKIxJGqb0Y9hP8yXSnObIn6rHTqw1TFHxfqjL
fF0uprq8A/HARxvE9IavNUo6YgSlsyDcbQnv4rf4RE2LerIiFZnCMuwQS4P/
jbI3QH/FRBZUlBdNlABK5wQ5RzZsa4mLYGdNbrdoNro/s0vYGEjft8R8bZXu
jNfmc7FYO3Y7sd8XxHB0oWZ6Rai+phQBEg3EzUPCheUKJRYSRBBpONDyg5ah
zZC3IZkfmRl2xDTDO7GVzznVPNdocsTmjYQIaG/qVe4J60fGw5Pk2yP7SyQL
aGNOu9kVvTLaw7ZcQD/zlUgod5y4jbB5XIYCrzru9yPRwD8enSZ/zqoCt8Wg
/W7yRxteHSIK9kdqLPrv1+Sc4aPwN8lbnX4HDvur64W6hh+aX98PikU06wUH
dy+iPlHUfx/xsH+FPSE/hNHuJAPau7242AsO/D6sJTjK7fD8MG5p74Et7YFQ
CDel6Zlv6cnGlt6XiWnpSTLQGH48QN/S/gNb2od5agf0h1FLLx7Y0gtQH0xQ
X6yPobbUCUxfwGuICImn6cLsRPtd7pKjseMJpq6jDqeZsvRTE3sjwcM0EA1e
Zo2zDCkMsvU4CObDaeMaKGtKkl5ROMbZR2MeNNxHG7vgQ7YmHR300SKX9D9V
6Ky1ZuYJ7mL0tFIeE3tRhcgOT7OXgcVC9LWIvPGVRVOSYsUXlr87fTgMGqvx
yuXsRLa5VHiggYRYiW2EGtwvQGKIwX9biPx3RcfvExg4xvZe+z1ighAi/e8/
SDgQZKT//QeJhDaG5PcKgjaS5Hcf2nj1L/Co4t4Bs7REU/eqXFXJ6WpBaplN
QTvVOy8Z8ByqL4Z6BBoNj4wOFvUxOvKFZhEdyAywy3JOpgmx3HC8lrzh1+S3
rKQTA7mW88BlU49A1WIKBn2sHpJlyZ9u06uJjy7pkEHylxMh29NrHXUaI02Q
t4TkCdshYgCrQ4fRxhW7WKc+kO7EDAhsKb0CgmZjk4RwD5QQcWtBRDgvItSF
4hUXWp05e69AobzA43exjX/s8h97/McT/mP/wpkEQUnjI36TqqzroIeGiDKS
HaKbg4PcbnPyYAFm9WUBa6luYskf9Plwhu/pnAwR/DoVzKjVl44fE8eDV6Kk
doQViwKMl/bI4uIbZIIZxO7H4LSpwAjlvFW0+4jEJc7avC0yzvkw5PLOk8tL
jKtDItNPV4+UMqWys1CxE4oDrpjQd+pTJzz5wSXutS+cLkCKPhlwFM5usi9E
wZeoY2ay5gsMpild5016+uORt8vRCpnNIs1WACWiWqstix8awBUpp0Qug7Jy
QQz5DBBxEoPcIh9ZBNjqgYo4yTNerHs1bHXV3mEYLpnli2sJhPXtKO0D8uyJ
2aL2EI/rlcek4Au16809eNRC+Ea2w/73kHD6knyfm0quMSqjTjbn5ZIkHIP0
p8dSJCQf73C8/UQLkhBKgDvWQhJHPXvaj2CjQxFEVpUjWwZzF7LBl1HOK/sL
vAtdbBNPXxE8AmweI4MomKiNuOv01yCwyFvRCfU+flzY4RB/zOPH5GsWf20L
8eU80IXjVy0TOtjyEi+5aE3NhWHhjKV5MC/RKaWkR3Noe06uZz9UT8iFe1Mg
i+i0LPGeHG/4Kk1LbeckkTkZJegwbSJoDn2bJKi6HSghh2Io2P5PmFAD69D9
Dl4D6OBgRbQgb0OEvvKETtoyjRZOGhrP3p5Oo7A1Jp+tqhiW5g1uQQx05xl9
WOXMUxCq+w45daNFREeBriTmN/FCkmN4hul9LdiQg0XJJW+bwG4tmBBI9x6S
guTCw5QukFlzhiIjTz0xA7tNe1wy6jxoI++jM/ZQlOgdJvwRStMEo0mZKRZu
XiDiiHGjrWOOoK5yns3KVY2RxvIO5+2mACVL5DIGEfyyE8K19gvLp2jDghLQ
JcoQiAb2/IEDw3elHUmhZ1pr498r8HBeZyL8+6WYSTyIutGB/rSlq75Kqpge
aGLjoXCcHLmxj5lIWDtTjkl0q8FbehvcnwHomCL4IurvhTiKCbzGPk5oc2DI
KkccKFgSTe0CdckecM4IduH8hv/B/sA30U1FCc6cx2wsAtA06BL5/f/1GGnf
zW3+vpPH86yTtfGLYTNWhlH/BNP2XK8qiU31mFCBEWdDcwtLmrNtXM497Z9G
UNT2Gv6x/Tmbo8wAXXbyhx2i7Quey4ysRXUybiVjg6SOeGhyPBIT62kwFC6s
LpQL1+rxq7Z31mvaG/uF2LNNqeAb9nU8KRLFPvyre3AD4apk3zLlIGMdDEXh
51M7c3B0YOd7AGS7QUU3xwBIPtvjhNV1F1R1gqxIcDTkrAviWJXoogVBpyA9
B+hvmY7szosH9GtHjycafch0lF4Q5J7kAuVBfUOcHrgCmQ0Ga2fpPhTamUDQ
EtheTbs2iCyWXHuevJqFVm7KkTupqwE/vKuQrIzZhUS+i50dwdIIbF4HPtHo
PMXm9CU6xm45Lo4A4IVV5AjtxQRlZOquLXXjQgky8dmESEOL29x5xiaMaf3Z
oLVjKp+WLoJtt6bC+WAGm+f4bktOYZ0dw4gpLHlUuBAMGrM5oXeCLYk4DDJa
U+166/Bz7HrsThqZyZqiGivGdZlL4uBhR7jNomSPc0uCDeSw6q8xwIPZ6/bo
cRYCaaISA/Sh8kVyAyZBbeOOuJmwoFuNd9iCKRO8NM8WhA8J0hKXTt/9oQ4s
QFLDU2aTeEd8sRr4SDnDvBKVtP6i/14NHGJO4H1FekITl44hCA2v3DS/XF3z
7nYbucruDadrOaYcTw9Rq8H+vyS8PWa+VDNcQ3QEkOnugSfxaQwCPZ3B2Znp
qfUAQKK5whZwPMz2AIMpb4mOEWO4Dk13TDpA0hfcETRxTIhAPKpMBeTj9pRr
cLcIOhN910nxC1i9G+Lh75HirEmCJYY+Ob/T/VJSO69EumSapGE2d8IqYz6T
i4KdfFdXuC0Lom2a5Y0LW47pFJHk7W5BX9Wg8iDe40PcuOFG5o3uCqIiZjnh
Ny8ttA6SChpB17vSYOQnEKwxP9K7HFRu6ipFM6cayqPNIuVrEzZPaGgeIBnt
UC/1ZHPReqf0MubLI0ki766P3KEUBV6fUoAlcku0GFuQJ749lHfTSi5h+h52
iuUYVEMnG8uH1inkqvSBNk8L3UCIFFNAGWWdYH1PvlrZ71kvs4kW3fIFcsht
2MHbax6xNQFeYnBWFeM4G8gaBiASZxn9DbHxBhRtkfEjly9Q0qBP1u8aYhrV
aHSjmE1awhZq3Cjl0lGjm5/xT2I19nuMQ9/RyH+/Ws6Ks2Res68GrgLsiYFb
ei8Oj493d50QKi1qAOFGWdNtIGIjUewumqALSjmyzSZcpGkQ04zgD9FhK6Q4
8VfnYNNcwbEhpT/uNgpQ4SgmEmp5UpDQcS5iN/midV7suGuttqVVwhS+XAmU
xKg+fj8MyeuLuAuaOkb7obJ/chWyNjomJcwCNszmq9lG4+QT+yId/7TLhBJZ
lUPKGZF8jqSdz+FYIzLnACERnMoxCBkbiqbry9ZwnK2M3gS53GN0Xzg0RTNk
rd1o2dEBuV9jD851ZzT2OaKUolbuVdmToLI7VNnjNynz2VbDfEPignPvXV/2
3rPxXiAIzTjVWpGbTJ3tGWXyBWV/WQUKIfc4yyCVYAVkeaSkm2bQ5dYbBisZ
gjuhD08SVNQ0n46/Ll6ezP9AbAuY/IrqM5yzE0IsqsYT697ughrGdxorpujq
HXMpl8ePdWZC7tfjxwfJp9MTruHxkCxQ3FmeP9IkeTJoXBJNtcDL48fHAg/H
7xDNG92dA8NnBHv8/5x9eO/p9Ww+IJdy4D0lpVmwSWYppCYDzH2wgWQQNF/D
VMd1HT710Nv1hAX2edIkfcIS5ui39YcaZn+2y1VvLlp8OpoEHzNDxWRQXC/l
8eOfz88/gl47xWCTfCpqDib9D9ikjvj5iz2hBk7YAXJrUr5YUecaap1OJVoc
vLf9McwiZkrV4ncOkc8Ls+4X1AB1N6VJ8JRcFjZpeqpZCn3fjDh0/viQ7UhN
gSqhxk3lJ4ByjUqqLb+Izpame9C51egMNuNZuMvpulNxjDw6CH++zA2DqhBj
//erSxAUhZRrLcgA9jIaFL7uAXtLYvw4fwF2zjPaOWdtZj3cO0pQxwePNi1y
Fv4xSV/ApvS0knUoJnHpk4Tvo9krudb6Awj26DJqUeuxuIhI8rYP5exRqOke
HrwhJp9yYRNPIbjIr8umUGJezpd9TpPyJm9ABOI25BwGnBPMXa25yIzPr6Xz
uamMDB5YY53Cjqb7dtAH1hyOvOjSSirQmRfUGcwNVuHLM4bd+RDqsAhXhveG
SKKBblFdTIoTT0jcKiIj64EvYrgMLTLPw5z0QtlH1JAWGxpGtH1JRNsHA3lJ
A3mnbJ8iwXAYu89CmJh/SvxcI+SxGGHON/fAXho+n3kU5waPjFbjCxfyv+So
mqS8UW/q2KgXE8qvx7HeUTvEOupGhEYi5mwwZRQHNfCW3RnD3HxQ2yVMzV4w
aHRmDP8XR6Z0YBIKG456jKYBbTs2dXwSyU05xQt3dxc//qPqG3RvwMxf2BwF
U9vS8Jkgv4mEDZk9rctXciG0JBfJH5ILQ0XiAWkk0kMYLkQ8w8B9YM6nPfYO
3N9rbaaFURK4IGjAe2M+3z2siTj6U5+S/045EoUfcSnFzTfSKiaDB3An8m4W
JhKlYaSOPcGOHbFbJNzw2KfzDeyK3jDQMJyqUz1ciQ8gU9zdxx586rBXYhci
2k4466D09hO70kUUlL2mh7+3HXLxzJn0cg97Zm9nn45JN22TIGBneygY1GVg
KRgkbS/ZzP0wMDU+6QIh1gcVekHik6DXfdOKKC5KU5stVGCLqxiTfOkSOkj2
gQYPcdjPxqTN+mIJyXa4Y1LBHmy6K7xjx2d8RozoLeVFJQAOwHxP3t70UViu
V12vaafCg24VzydCiSXeU9tf0ADdY6o/9PhfGcZFLrdDrI7NzpXzw3Sfqc3x
PXaqZf7X6FjjjBlBAvYWlcC7Ll9yNYUkTnIgDQdkXVSsi2u695Q9UIb8JJQB
Q+OTscmBREEO++BilcP9OUouavxLjX8r8zn+iEXnzR1Je/z5zZ1cTBdDH+Pn
Sj9aKqIqb4rLoonTXidtecMWMaocryUt5tsjm4pGWYZ99S2/V4Yk0DL4PJvF
muA2xWSF6p0yHdQ3xRJ2fnOXC9Da8qBLQonTfLieasH2Yu8BcuLpxgrzPkS5
XGE6IYNOTIobWt6dFDihYFVzwAUfejtZENGATFoWjAdb1da5n8u7/Bb1hkzw
rbRUaOnBns6quP6nOK08sM+MoFu2ra9yOEq0YHv4QGInk2uMNP/cjOShbcyI
JHwDGAiOQ1ceGG8Tf/Cu6vBz+VQyS33hQg86a8bTzO7mzd2hAK0naerZNSRk
NGTft10CJAn9dxlFV9PyKqVih3GN2QkBCtiNzsRDZ5zG95HTcRO1q+AocSxW
OxQl01migXa2n3pjU8nwdVY6m2FJFj1+A9vWy5JOPwdpQzkdXR/OsGWEMe4l
skODX8PXMGrPpLwXmCPouR9qLXaUtOoQXGxysewPPdmNzX1G3290MYcvRA4E
zePtDFyQGVXu+XQCY7iv9X6ysIKnaIIZK68HMh7N5BcBALf3tL7JvlAFdLNc
pde90vwr3vFcmJlqxMKj/wfUC2hNoA7oQdYFZElu0wRTkj4V176hf+ijUg9r
phtCV4YvFG+Uj2KedCPFfJd44g47qAWT3J5FJ0cn0jhypSyUTJzyijFCwCfl
yyRRkqBUmYLmRhzAIi4/xh7a3wrXTsjHHcHdgaR3qf6AC4SjeYPUE4gpiFcQ
TASZISthaKPF5+YX9lSQ/sZXOZl2KJct137UCn4a/UTeyU1l5e3Z1I2dTW/x
dqgZysK2ax0n0GqXuL4H9GO1YJB7uRLS+KOQ+3lkZE7dJjm3Agm0RVjP+opV
GptaXoXilAwId15smxjHptqvPTqZBAicFWQ/aEEjyts/UEdyP0+J3zhW1PRI
OREKHuwihjp7zgl2L7kZGM1Wwpfg8pBDISaGn2NvioWsTJPbieQCIocusMzU
Z2ReYPch5yR8h1yFHTO9fCn+zPJ9HrwqBo4SPilAjE5yrfefF3W7hoFSVaVV
WVKFJt1lEdsDvq+JJHFPfOiHRLRfOmwtRCv4fu5qxUZyGGPQDEiZAfkCpFXy
YyHhq5whQSsPA9A4QcQa89B9ZPYQfZEMBvjgGxIxNDTSIdCvupAb2nOKwM5+
ts+8n+Q5P/744fT8zeH5oS84YX5GQB7izcyY0xF9EJzXr4QCYjxmFM18urun
qdRpqoAC4V+iMJNpGh6gS1ikZ0s8jiT/ARTwnHvgC0OUVwgo4heSGdbFGfnl
84pIMOZG3oKnaufe+UX5+Ho3CvWP3IzRofvOYoz8Mij4XFglud5J8AN5N6XX
dIUojpZQK8mFmd0QkiwI+Y0ZDQZyIIfRClDkW+KJ14XxefOG20jAbxLfxnlR
zYU8PiOa7MHuUM6VmfL2+rxKBntDPxc964DUA5/Of0xfCKxhZFGeycXW9WSZ
Tuq0mX7duhhyN7qfeDLsXU02ffbTctLkjYd2UxsgJVHTLrJQmmPAG+qumDY3
bDm3PjSEL+2HwYAo5oYDKVL/Vun292lPK/dupm4Tz3qaaG21zku49wbPwYxO
dvmNaFHCDryaZdd4EC92vu7sXshVHASwfm/D24xBwcvXIwJgRbGtnQvmmOLf
ciCffaVbb+O+biGUbdG3enbl+DdUn47355wib6SeIT4s9/RlfKkRnSSXe5ZK
m2HBcJqjuFc0/+z78CS1lDFkMr2e7HFf6uAGiaUlfuuZDqUlEumqZdZLOogj
5cQxEpBPF6M5mO3HnGkWRodnRycncogkgO2DhHh8YNI4UsxspqKYXq8KgnAU
Ws8vVCGquQOiCRCgn7n9qJTMdy5bIaoCY5PYvuyVy5fb2U9/8dmJpFOxqBL2
L0+LGMsqzzaqTFTtCJWO8YeaYQBT7rJU3WUvq+3gakERNb7i0Y/FrfzHKpuZ
x36o7YXoJAcz1kt1Y6liqn6lWOWUJNyThaRnUPoOGzPWIOxnPfHOR1FOOMei
n7AFjy/cmAGAHjiAPGmQaz1fGIhFKiIUR0DhJvI5RdxS7kHcUhs8mp5AdDPD
Sw/z1Ca2KbBUotqzASnCDKYydF5SrKEHl06Yhg1dWM5WNCH9lEm8M4aBM8nd
x5kkSJWNrEnMvB7vKIyxq8V+J1XD4X/IvRgzp3l0sARxmcvOgBsNAoIYJ2Gb
c/QdtOrpmsPvMSsXWcVqlTPWnH3kV9bowgRvMpoycWcR+neembKIrFvrQY8H
yGYaM1lgtJoHuCX8VnAH2OlmNyFVbLu358KiaOcn8mCjXLV2o3iQOedTS/96
n7mQixNiHhU3k8jgdItx7VLY5NdStdUzFLMNDvMyrbIrPNiEqpNcMDe4mCyu
QBBzWCToseSARAc8YUb/aVBggdbQhLojA1XE2sDcPtvWOhm2hILmQDIumjok
/VFQsFU952j6og+KDS8xIL09JupVV+AdxJMZip+TubvEWC5uM2sTG3uY6lkz
Oe4cTWBrv/BwCZjM9YvJ8FQC1ywakegP5DhssyMolj/iVS6mwrweanC/FgmW
fHvUI9aYfI9t+EgghnLcATEC93l51yFDC6SqMcBig4xSl2hHQro2H1/kLBm0
WPiGfTR8LjAlWBo+7HYXE6FJR0b2uzBWFifG6c+g+E3XJAKxNgyYYJWeak9H
28aFZ+5eqa2ivXsl2m4MXzlh3mIKPjjZs/xK2JI7ElxijN2y7a3Mlk07Q5K4
aUEZ57LZhd6/RwRH1j9ti6lX0PAAEYq3pzp2Ygu2CyclBxZCVooU5/a9DehO
nWTVhbyIiCxQEvsHwTYP4J3v+Uesb4U7S+8SxSQHaxVipB/unbVBSb40z+s7
EqYIyeRvd3hoxiqJRdYlVFxFY+fZQNRyHb0nB6jj+r+nkrl6IHWmeunX2pgE
XeXpRvTWGC7EvNrANRFYLwTD0ts/NoJQSx4xoTIVN1g3eXB7xHwwgcvinl76
Hr4S749/y2cI9a6nF0JM4BMSs9SeE9nlKy/JybxnRdEM8lQ44vrYMBfk2qa5
gK1Lpm5IDAvfZrQZL+joAVPQBr6rWXnvhgl8D32X3A+UC6XOSE1ewnUqL0sO
PnhpE3IDiTf1ihdB4Jg6KgEYgpCcUGDle0k+5jRwnJx9NrknBco370u8+Blc
JSjofF57wFk6wcwm5mzVREVNAfSrSnuoJA0CxTovSPhAa75fw2ZOr/Byx+3d
GjEstqRdsIWMc2Qih3oyDYNM/7LFln4nh1+JNtSIwXNhti9rloo9YOuX06oV
spO2jvWEzgZuTPR7UIKenR0eDM1Q5jtBKVlCMJVaLgJte5x8WCTeYa2CI0Qh
RcVZRrQVzG+VKr9VxCu0AWzlebSIPGubWa6IhYljT2ZmvGEqojNGDvjp9TSs
nU2pYxvUwzAzOvhg6nBqvlGofeawL/8emJd2ttkvRORp/qAFGk1zPkJ+L52t
ur5azdp7EEwuTzlDW1lKanGaGeoh9umQb+rTm7MmvosE0tnhQaI79wESi6H+
reAMQi8FhiRfRAHNLY9iBYeyVQ2CyySttmuGoeupu9hGtWLneaR408RGJASK
yNJpsJI63pCiG9uubkfdE++WKhVtCJlQGqSS3nilN1rIjySd0uPmfQySngJV
lgjfUGCLHWol3GoRZsYn/2ArERZg1H9AYn4KnyYrmcoh9uylKU6qpBawqyGT
haKRkfPNo3pIKWfBpIp5kBMX528+H56fn568/nR+fDZ+c/z6008XKOQknkkO
Qg2FilChh6jpYZ+k9+vD1gVVEPCM1qT5eojfbfkFg0nG/WeME6Wnxz1CU1sr
Ba/3tGArbNS0ksIDZ33vbWfKEVAszldGIy4qnxwVaJrxQ7jopmSYAgstvhgd
7D0EQZ5YnkXE9/114966bi/HT4LDjlpaELoPRiE1Dnu6zuCc/JavcWI2Yh8s
aPmq4BmME2swHPqLkJprIWAPn/CRMO7M7Wq24GiXJLbipyh5cumdEr5Fg7Tc
QEqt6zYKuC9rQEamjLoksjj0Qv6JbvBRfDORpYpHIThrgh2uPlaabUy0UVPe
rPrIlKYL3hBhkeaO+JQms1dQmIrurnlCdmt2AYhx6M7K/vqGsqujveuB7fcZ
xZHu4k9IvC0DJUZrzohWx5xXRT9yzp9n+ncG88hzcrnuQT62+CWY2b/+UlCe
txMwQCGuPc0xHBhvyqilsdqLd+S8jNcQxCbVDNOPWMq0LBSsF8CnowUL9FEQ
v3QzoQCXG0SkwEfvh/n2aAOKlTE3msRuXw5OHJSl1XXGFY7IA0dEqTSLEviS
2aJ3GHrCGGKdPooeHzj3J04X9NCUbYHcy8hJdP3J2P1Rj9I/wfuaOkjJjJxz
iq/gCHiuoqbgBamskXIxSbmRub/OcWrWbrhq4+5xZZN2F1/5jC6RzTW5Yn2v
9fdPpH8CCbEdl7O2iINnzo+i1jb2eePm9X3j8JEpXhL1yW2ANeM5QU2qdZCc
TwEmZMb3lChxVZF/yXtt3HfAy8G8VGGj0jWgo7HaZvupFswNznw/T33wYbWL
DPhUMhqJ0siRSOGadBgc8e5jHTfTfaD+ZXhbDjZN7OAtT/9uuq+xXadyAyd9
mNzjBozeJjelB8lgLUVoL0ikDaE1oZLok06uJZ3uEUcsrsy7217rDTJtqLkV
Mg88fxHgNFQoIBLLCYoABP+4luLhHBZQNm2xdGYPo+adB3OIeF/IPSnChvyT
XElwkX9tmCpgsbb+OPG7RFugx/2Dd6ZEy1jJZe+6bq5AKHjYagtHLKKoc9KV
CwSmg1mb6HwLV5OMBF9SkRJkHw9AnSzjRPcHrc+eUyg+OyEk5yfgnU39MEXI
2Ayk4IEwZfFCCUxTLI3xEiZJmwkOpPA0TFmwDmFriuQbxf6jvAdpPUcXLMxA
vtAKnUxBK03sSmb5WSSLf2ZZ/GcvixmJ+SZMvlQhrGn2x4Q1LSq+LTELujLC
HeEZlP9Oeg4F7aIUecLkmabN7IJOBrrmYD/JOdBK+W6Yl2+/FwAl/8ytr5Ku
yGdPR0+fPFOe4HN1sbG+QgH5uFYwCMQimyF0H4tgI9vR9QpM7ldaQUfucItk
4aVi6PFu8m+v2Q3KX9BbRcJpyjogc9GlBfCzFucysBjh8i+Vpuv5z7c4SHCC
vZ++W/qtzXTglQdBJAjP8mZeOe+wkSOrnNoB4K2lMJnTwCxtN6FPF1KZnu7y
2Qz9gli0EXcJews8X4E+fpHNri+SAaN2doebEgaxzfRFMjievjk79KQFPXXE
Dehdk7wlz91/0RIy+E8/uffT9/AzcL643cbd9EUiMqO0SVYfDZ2D+u40SZEW
kCX6ZgHDVHocTWS5gu7BWRAmLEf61UIrNPYOQiZ/pAqzmPBo8yTK6NhN/pj8
/W9b/s3drVGYtVFy88MPki7Nw/z7P0wF9k4SCB8yuQ+1nikzFCTv2NGKApAV
jVgyGly6CJ8/h3hYN2VFAA/LssAKBYhirMCe8Yi0obcB6StCOID7I35Kcbfv
AslBnF7vUcyHqDVu1KlEhU6wGq9AxzyUXyBepL+03Tc9ARh+fc6X9wEjYrNw
YM8Y3unRj7OiaWZ5C9U51vPErh5qA//bSf7lj9DCvyRvlUH5rS6TTWoOc1Ch
/5t+5duoV5dExRBVUTSpGpREcYb+qtWsTN4SmeaZUIRpG8py+fe/7YySt0Mr
8jsExnQxjInWhJaK7YdDnIZjdLpO4dytqlvZC7W3D4sqhmxyqIDhJrWfoNYm
vNKsAw9MiUINLKBZcJZEBonbT6On2Avp8GTsRRq0eSjpX4bpgt4kpx/8/rTz
e/81/sLAf+pKFmp3lOyNkn1q4cVQvjqlY86Flb/AuRYA4eA0+fVX6AT837vh
KGhkuRTJ1G/1bqVkwCaCuvp0XbHLWupBPZWt80aVfYJb7m9f/nGorALKNNrm
9wgrJTwfsEXO/v6P1zCY0+QP8I8vf//Hoe7d17p3dbsiRWc8c2OzCoXxvWCd
MhZW2gcE1cs3fROdFLJiwTh+PSfRAPR1WIwjPu2DCbu2BtMhI9rjuH604dlr
oCEV1E1xNLOCKxpw4vrOEytvn453x8/Valsi/0FTR70CfcZPIxFitj1PdkN6
2hWeFu2OgbMwKWUdARNms1xLg5BBq12+I3QY3d1IoOC4ezAzZ02+TAaXQ+9Z
NYEZPdnhhMmRjg+YBeGwyOHRyAjIvY/+6UA4w2fHH+lBtnCaJ7ROJyVMQIGE
djI3DIqTfd54GDXJwiEZBM4HutCa9Tl3fh9GC4v8Q8xFzjRMFIbtCCIBmsyV
hXORo8lH9JoCrdQwxQGc2Hh4pgIz+tVv86gIMOItyElOaDKyYtxqwTmNU61N
sMYhEjcAcqr5G8kXH/bBoABbOUS1xVfxLQN9TS9OGY9O6LGvzOz8z1IRGmz4
FXggcKdkQ8vGwEXA6pBeiJ9ytLxhCnyTwiNmdaQnB4lSecl9ii0eke/M2lXq
wxIBw9qFeE7JibvBt8UzxRxOBEFVVEIwBjfZumgQir3LjBgtJV0L2X9PN2e9
HMVX0GOx4BGjDGLKHjgTq3leZQbXePTmzVvWj799m0ynMwuT20CslxQ+6v/K
KDZRXoEoN+3v4wg4IUJYURCIkPIuTbG6otedGILnwexazoV5NVa2crVHM6KN
CKqahD68y7/Vh1rAsDnnZZDq6c2LKEd5oMx2ApWXfIMHMJSNe+0bel8Horha
T2T4JDJz8ADT95/TgdAUjF01otmo888T5w89/0y0KxQZ/8yrslProW3DBcIh
aYGYV15GnwUNWoqnMzuGBGxmCX6hbtlo+HN/gC2Vq9JiED+UJ4Fi2zImgupy
NRnOJSXIENYZr/lLMRQsfFMuKFBG1j9+MMqSViLdka0LKBbu12K+mie7O3uS
7kc5MG07cQM6yU/e/hNZA7aYX0Sz3allJN3uLWZKDA1Rgkpc5gh5k21tRgyQ
tuu+DYW/q086tHEQ95WDkuPtS0IloSSU2Sm+GhQTY51c9Q2ZChC0ujlS2DiV
KHtxoXFPLy7e/CXq7xwr5niFTZJ+9d0B/8mAFlwJAuinzOGMV59yZ1H/OjU7
zFLyOfApXhMrjAUWtaEEFa5Ni69XaF/aLLyjPorcYWCHkvYEBS3rEJiU9sId
0ab4DuN4MZTN1N9Z8ZC0KLNbpNy9PWJ7bSOXLRNj+f5ZVjfbvR2wUy4igjf+
LSMD8IldAUNsgP6GpvZYPlDymuxKyR/UDF6+3nprHIVmnkoa5kWHFs4+9Ux7
FbPEtTv/3PSpLY9roe6yXijDFiY7m3S1VUwXxpchi2S2ByOOMKsH7YMexEG0
Y7+izn20cTXqoSdERvGJjh9v8YcAGl/dwd1hXpdNdeDc48c/nh6f/fz4cTII
pHMsj4cH7gAPXoCMK49ucgHDS9JEeOfQeQEXG/6BP/9DYjjoxviJ9x/eHx3j
J3w0XuNB+o0oFOIxJZnmjspnAy2fQK+p9Xcf3hy/xdbzr0ve2iQp7um+ZWVe
TLex2K3ccoIv05ZcEu79x48/vj08//HD6bvoWxrvu+9z7ZKvChz3jTD/NH7j
9Bi+8lf8QoSd6Z0nTMXkPYeIjxxMj6aAO7zE8Iqoe2Gnwe/saAKHoASXPNSX
7VYN9NINL05rXymHdyyip6qMbd53lA+FPg7oLhuexGDFUt0QdsDQX5kUZWYx
YbAKyFTYTMyJ4FnyJY9NwLyoTFyXoOIRT5zhAtFTwd8XIllm1kWN90j33fap
0hvilz8tivQNXJMT8cQXZkS0I+qQ4hWoYQOezjyf8vO//SaZE48fd7+JFHEe
xWMxMF7n1mvdq0pke8hpEAC1X36JknjopzX1ulg3rQqvfT/8eBI4BYejyOOp
/JCaBNumhgzwmuBz7jBCjmUeWpPsJ8FOgDc3RqFtuT/R6vcRIdafg6CikHQc
kiKVXCI25gBxNIs+FPCJV1F9h1pxQF5zVg9Gp2wds7J7BihiYm7Kkvx2d3C1
iLuoNX8c5PIDPGBGsv46hwoWi2JXo4BskHobjGrQaCtPD8I/8RZCaOdCHG/C
cMgV8FAwx6hVDtsynwNHRwgxyQAL4hjNQiAQBTPPIUpiuFqmIPQHmaEhZbNA
7FNCDjc3UUpzRklcMOc4DwzINdOCRR2lJlGrKA45YZJypp5Y9clJLwy0F9rA
w+NzKcngkO1LLuIZljmK1gdj6JIUmGpSoCLXVFWM/rUQpmI9nZnGjKuhHiHs
rmAATa1MnBcRu4pLYBaSYuHMsRh/jzlqtSgwbIXZZYrQM1QWvuIHBRkZCVrb
QlhsvTJfTxeJRvo3z6jtE5bgaJ0YPSYe+kLbLDXUIOZUt8KvPpM47H6u0ii1
q4Q1RqgUw/xSFWBOzaV7gOO4y3JyQxWSKOEBNkmn3q994rffupmD4qLQBMKF
s2+woH7FJ4SUu+Bo6RR1CSnX7pJTuGBtKt6KPlSsYWKmgzy11IywSzkPG8vu
0YVLebspxu3KFZcuzgonQ4x/CpJYeVEPT1JifAzsk9i548PzkQsUSJzOHBOa
jvCaZn4muCMyTNhl+SMxNYIiwW8qLATtK0PUAo+hHVutD2SF+7oOHZkgTtIh
rg+2MIiOhfVt2rx9SndeNTdlpUUIQp8EYyCtJYusqso7FojYbKBmDPzKgVuE
WCYcKW30YTgqgSCRFBiKYyvAjHOeTfqGGErbzksXxhijjAkGUDorFl9QMZVO
a7qT1HWSxPbDExfPgU/oBGEtG8ZUMyZcnlSeABvfJ8jqSrPZQSPsnX6pcI0M
b5rcPXIkrCaaXglGKmW2Wspea9SwiYEUBvQFLf8N8zmbofTz0f7wOjHKUUWi
NO3vF60itq4V29PnT3d2doQrGNTTGR95eq6ffhiR5gi4kVlzIZYwTSyrsK/E
IOny+dyTwenQ4fxYflk+jGfol0Ha7PBcfnXFGQjMrQB//t9sQnOX4Y/FmofW
bCIkrC/oIXPEueMhRgBzcQVzwNok7JqrfLKezHL7EpxtmD+hTbq7QXZAPr7+
aRw++/rlAKe45yKvv85XdECcVAkUUOMrc6j5UCFCi+SKVzpodaM29Kq+KzjT
ep414nuvo/iL1GKh/YvgoVyYnnwD5SVZMJLrEAZ3hTorUTtgihpVtFX1Is+q
yY0D4wPvbkKZHR7/BVST6i/F7cHes50n4939vRdPhjIVdfL27bsEFWE9xXqI
ncE1i/aCj5H6A1KN+771vgQRR/jjQzy29ZYLn3o23tnffQmfUjmsxS9Sz0no
TReOJCV09h2bEyxRkTfGlwso0YF9uQqspVrc1vhxnAFHbRM8bpuCA+rE5iQR
KT4VCT2/gBb4QvgD0i0rCbW0BKqKUfbHjSJWCqeiyjJS4C4wwknBHSg2+fwI
x+vRyfk5w3jOVqR/HiEai0zO64puh3ND5WkYqf3ucEKI+nL/CYZKSFhsCfR/
C8UzUjqB6H+Xg7TPU1BTc+YErAVnXl4F7ZFoUqIvngnejWbUnbGn6Azzr8iA
xQpxWEKPEsixHt4JAVNHyValXRBKKc/Hq7khG6aYjwMJ3DqPiQecL4iFue7L
QjgoKB2CzIqpqCzexufZMPbzlhOJgGqMst2o1SViIEIaSlEv9U7iJT8itugt
WrvEzzTZetRcxaDY1kymMpOuNflj57r2PXyASQMeP5a4W/34Ma0Bf7W9DvXI
4T7u/JhEPSh6t0RnsuFlOmWuD24YMoH88TRQ1AEViAJRCZsA12zk8mYyHqot
07uNaEGuCJMcbqdUUoyDc9eTx8fL4bVXJujktEYClrqoPVAEoS0YGfc0Rk3e
FfWNrtBicsPR7UDfTVorT1TvCMSuwJo5QnZseuiyOCTLhMgMfe1Muz11BJ7l
6XQeCcbvKbkWm2C+Tqksgg+AiOXQ1+cf6lgZ0HIZCAZPL7MJamy9Y9VyjnI5
1dbMqCdw7tUcq9PJ5CqVx5E5HwNieDVlM6Mno3vDsbjHL3e4wlk9H5N7zWvW
zG50uZZvf8nmxRza9d+/WtXZLCVlFAwdZi1V/IH5XYJWiSNt0pCYEycy+TkE
xZKB9GdpLdeSh76bq59tH9g/10g4fFmVBMuktvj7GRvZ920jYfwl25n8VcGG
DAKC6cIWU8Zccfo3Qvk9JsPvWj5zCKnpCGQOTaN8GIXYtFgdwU1nckcijncP
KNBGqCZjN8U/bGCw2m/JuS0d0fUE8wLtYlPrzuTA+PLj0O0lKZF20mbl9TWt
ku7DEEKnz9Rargf6h9ALJieEfTCKeMQ0mEWM1m4yK3KCbZCrd9q+FGsRzD10
O+Fsds40ioUlaY0VFdqzpy7STTZvjZ764ugEkG9rSqxnwAEtgsjADkElLHBl
8NX4SrkqTKFf1haePNmnYxreQbWUYyg1uXYZm9ZjLiom5fFj9SI9ftz1Ubsk
6XEyaXoVWWO4XT1JmJhAaiLW4tFT6Jl02NTHGfGdxLh5QUNGCnoSsR/QmR3L
uKDrffmRGI1g/ztX8ylh361RqdIENRyUz5SRMNPA42hGyngVkj/4SXETKp1I
f26mUUVjRux4CuD9ULVx/1UEKvSp9T77K3CweVKbTi0VX/c77ykwQmw6hzBh
UZ9govRbct/dW/zAfPQ+Vq0NeWUuYkfibM54CBt5sUhBiN7XHZBzbXTMxEGx
jSVZiDQKAaUZ86LApxlsz5tdCsJDa1QSHvf8SV9GrDjr6uCt65scjOXSUkdl
5okmEAuyakAnooFnDuO1TYffsGA4Qkz0UloIpWkbHP5yJmwAwzAyqf4Dq/qK
ccsuaSHnwNiwWZmoNCkle5swSxc9SM8i4jXJ5XZSzXokviHdWvqA6yt2c6Kg
/opTtyIYXnJyfP4jWIGnyQBMwZ73h3rLF3XL4gns84SSUz0UVrtzkmTVfW5c
WP6RbQgltjSTdxtROmq7ukqC6LmqcSTYjN/t7bIA6PaHaVSXi7egOKwgXlit
Id/yp1HFojzUBAk0gUJsTY6PmKvUW1VLgutKlaeP+Ei1YK0epwXrvvryBlXt
BgLDJt0k9T8nWusFnsTboioXPINUIjA5+viJtu8fkp8+fop9lsJPyyEXajgN
dQorDDbrdZuxv92JcUKq+ISKrJMo++Un2pOvMKCs5JawNxDOjwYE+tD9YEKn
uShUx9sed6TP3S4coewDcEuZs1ctb2d002N58ehW5f4gJUtVgiIl1Wv87Enx
YSl1rDDJIzUl6+TbI/6a6umpNzPr34KuI24cAeAHj3CnspMWWwvlyFTfodq6
cQg7KhXMSqw6SK5Ao+dsOMwga4WBEDlQFf7MoEqU32HQJs+naLkwE4YPBlGK
axiW6Fo/fjr/dHps68KwWhwqqiHoWMGYC6pwjLou+fZS8e2ZShf1q25gIzEV
peuSCo4j8NBJNo2CfKxzQmksmpKjmBipg7nDnkuhXik6UtSOXBXsPmSwFGod
4l/OuPSPmAb4axbNGSzcukbxu1gz6luGyOD4YgHShjDxoEK+0Tq0FLLDoJXc
SlKLD62ZmHxR3F1qieehlG1cxFzKFAajAp22hmseFOeld2OC8v95yX98QXkK
6vEUJDuc0SnNIKf6w69TRUpRHbvkE6VZ6oXJw2dncaNupOB/YkIWg4vrq/G2
N9pQ3e3AheRQtuJIu0uXfBPOiQK6zYLG1Dj6YbdhqowK6BEzKCLFyy+68Wwt
VHfO03WrX9iHfScWuxV9A4PFIAdX2A4HQ3FqlXbWUOqEBYN/eEUCA+IzXC7U
AKQ+9mWBdngoiCACCunLamHXkI0Xbm44YWbiqPQIrQarA9Ya5rmWJA/1vOoe
9E56nHlNH2d2KDprhlNISVeyls5lklIwD9thd2DewxIxKWQtrlKPVvR1m5Hf
bkLREUmh9knTU4yvEOD4iI46yQ6VtJgWEaMPjTzg9aRfJjZFXG5r183jNKGz
+IBOc703ZDNQh4gqx5RV4m8TzovCOK1D6hUt7KnIVfIawIZ2lPTNwJp6Ddfk
HHsABwbBWdC3/Daf+u8OspohCvSLbJZmq2viyp46sRIRBKbL3JTlLMUab8k2
/10yO5FbRji5NDBIS1cVpUcIcEEEPAvkUecrmnI6SskMS2G2FhYLRSXtUVww
wU60zqEs6Q9ajAhJFg+8KdsjX7h/QvSIB4MzMYS2LDiz/ZZ0vCXjWiOYKiZJ
6rHcR0/TDFHH3mHIkRUfVaUgdovrqWZ7sjeUjs9TXgBjVtjz1iK4b7WJG0GC
S64dXEo4zNbORD88/gusbztUFa5UZ+u3eUYIKqLaCvy6EPgNPOgeaQEK+Fd4
PGIKBKOe0D8mUOsEmgqqky+pdCTqM4MU6FC37whUp7rXA4dyAqEbVYRpULkR
vTvKzOJV1uyyAGDtfMvTarD04avEdwS5zyusAcc0sDEFLH7U56FwdOG2LKZj
Re/BVbcLN6A1FqmBCUGWhlgJqWlbk1okosvZd5XB9iGekBF0q5yREqZ0cgxJ
DtlZcCcKSgp5ftZLdH/VRJPnOQSmI91wjS8h0SbYtRXYQAgGm1cIyuTiwPuQ
fn65uiZjn93pCo0qFgajBnbgVciJo8HjpNWUSoIziu5rQ7mNbYRJ3uiOQAK8
iaI6hK+t9vVzLUROLcbartNeMvhFfXA3oBfUcsRNdBK2m18yW9IrgI5sfQ8R
5kUjhcM8mSqF0eHHXlGgfFZ0otS1X5NyueL1FblCNmfdsNDyIsn64xLbpjrV
qMRxbNiSmKwRus43zZ04mKPlDnDQS9KLWdzm6nM+xORQuPqxJptMMEytYQVv
oRDZAVavwfCYNFJXlHCD3v4KSVwM/jBcy+x+BOG7Kha5DTHjqKIEbtnJ/hJQ
qnP0I1ci5MPZxqON4VMYLxwqSe/A2UWvvRZs4LmG/fFknLwD3aqkIrCi0XHK
wAYWe7BYgistS6TGZS8rO8MzoyIGcfwW9VRynhJ8tfeDvMtJnWK9Te/6eKIN
WYvSPonmZulFbClaVb+SmHEWx0C1Fxc8YSjqZBEZFEKlnPFIUza2OWlPksG/
Gd5+HyIwyGM6Zi1c7UPpHuMyZnF5W56kh5W4DXs41JKPCgyMk1+kVLCtkDFi
bNLqEnS6hnEW0GKGlGyUdcMucGzIPpPyM1R5GTaNhHx6BCGvMNzVIIgpLx1m
jG4ZAi+AGLMzvZ8MPvb5jlXrn3E1I3VRtmsWeWH33+PpF3pmn0xseftNlUpq
ol2pMnZ/sqM1LljZA1InSzWugXh0SLcS/obpWqmC0zY6ctjDoLL8yHP3ELCL
g0bDe3zgeW0KYNT+xq1y8rqYSjaBys1Dr8eb63PHfGv3VOpmkJEk2sOaW+su
aEgHwVgOCcUEm3aGsQAXBTUrLekqIdRpVPktDsNkM2c0Gr28KNxI+SljTr/m
fRpTPYrPx9H2jaQGcrCWCBv2wjdICQnnh9AOOi7oLftIq/CpRPJkCjz+Jy71
3FMxmWm6YkIdqy65Dn0QmVYg9NTfpds4Qz8MWZLnMe+QC7xDfO1FdUEN8aLs
QB/hLZhxN3ecFzsI0bsnQx7vodIqJR/FC6B+SF8wUcWjZ2DCNnVCBvDT5I9J
+kKCa+Ehgw8vOtUaeuekICJJ8U8wRkkuZOHTrU0fUJFY1UZ0it2BCHP6AUfA
WXrmnCZP6RKWSOqwDsG9F8/2f/ttFGKgsJeJnirpHVL6glfDzcrFNYUbKgRx
IO4LDHk8W9MtHezJ4ftD3iZ+tj0eZE3sKs68Rt6TFRkVW29yLOeHMnCLCK2u
stuS4pG+TyFIFzoX9F9aQ+iqB+hzfUym66CDI6BS0DD5GhXaMzL2paSY4RpT
oxAVF4IC0waXvRCEV9+Mjc1Wy665BwVrnbDuyMs/4y3t0+B9ITZ1SXHV9kV+
XTbM43gQTFbvBV4IJ2JmyuVggBVMnZTqF6zm5hQznDD43B36obUHtlinT6Ty
XADkLRsqB7/eSQS9cMjk4EvToyffnJ2b4B+aFpQ7j8uk0ocSOD6GBI5vj7p0
zc6ddhI9Co/WYiIhRuSJI0Dy5DyqgNMxWEhrBlZI8oi5P3jtfBKfS3wyIKHS
yNMnPoKmwniAtwYwR1AcvKEIoTM5qWxbnfemqA1CLrnvYTc/DFrz+R6gakW1
N0H2hbphhn886KeYpdhhF/cfGanUYdQPTTi8zmx09nqWIXQyh1vz67ExevaI
PhYRFjphgpIZJz+hT0lJWhNC1+Bcq8OdP1BLI05sotAMJkLNX3GeGzMVgWmU
LYNiwsijkPbvAksH5wEqcMhmb+KL3aUX+geBDoS0WYoKzQpoB66vbl7SgFQR
OMUpEgaZVLXhBoJFB6Mqw0LA40XdBG5eYkW0nPJIGAv7L8rMc+gE0x5G5GXW
KqWYmnCAdZqAsVYujJIQKDhwdXyvqisKCME8VgvvnbY7EEUDXBvdKZHEuZ45
IdnwKPnR50K+FnS4VIz3P2+FpzW1DQ0PSae7RNOVNSdWTmQu7AGc5nMiCuT4
nW+cUfiloCurZi3hQoSccdCL3scbA70SleI66IMq6ehpooq41FgatCGTyeWD
yKo03yVvVSE55px3GJhjeny+ZDinKW4JLB9CCVK6zqJ1CoiNBPN17mhyONGS
oBALCqhWUi1DTT2fC6q+ceMucpEvg7tC7kJNt275VwyAQs4kMsYSZr28W4wY
1ogtIRoihadT9FM7nVFjm/l5wkuyCp4ov+/qnCzmgK6tnUIn4Ahgg+xqsLuI
chHTUmB9PuvOTIwL5Q7iQAU6E9rIQYXlMCIQHV0B7Cssn1HAycw0l8TQr6oI
RHkgOVoNlRehPEKK1eE032OJZcLhxNct55L/jGGKtyiq1NtMO82y4ARRjtAg
LJEkzNjq6NdwDL3kUfI0+VntseuIvOpyi7B6w8FSaye5yyKr2VGaXeVY3OYc
0580EGQ/IvPI3UFDURyLGWUkocMx8zACPF9ZzXXTOXWJP80roT3g4A2CIeBz
s5lT/xzoFXM8VqRQ6rMSZoBJjWbNKxBiR3iSXfmiHYEm1GKcOhU/ddTzhD0U
6rvUGkbj5N+pKNU/JdUHNPwFrACbBoxQRCcpnieNJPH55XtcCzGhtjGXRmo6
xMjW5zgQTLl8PneR1cqEaLPENxQc6jjtAVpVv4onhPURIVn3wae7nFAM6ikZ
mRA0HnozC8Zj29mknqlG9Kdv3+Y3/CN2GCFXFywEYlq0pw4ve/FHTwOVi+jE
McdM4JeJLTIbi+cUR181MeM9pB/wR321wLD5NddTmOdwjKdctXNeXN80bKYJ
owmdb+PX33g08S7o5BV7JFzy2jOCFY3rU4M4MmvDNq31QeFOJEfOV8+SUq1Z
KATr7woDCnqV2Mzl2sW1CK42uBM1j02y8+BHHAJtbsRsN962N+ptew9jEn2N
ZI34MmTSNjje/PQRV+je02e8atIzj3Tsc+915SzRWyd6Q6070aLozT6fFlXy
iCGGMM0rhIIWnOzqgk86KiBgbBRDyy03va3j4OLgbm8hh35vJum47r6yC8mA
8XPsVSRDOh6egIDV++j9jqE+FDkd+16SZz4enanrJiBBov1wRskR3x4ZpEhK
ganfvB5CPiLBMEqCIrmyPn5iagucWa6T8WFhC0yRtkZleYLZaHoRh5l/+vhp
mPRgB1EE0wyYV7VGtDyZ+ifpBGAuKOVsRHSUjq8JYxmbqmlMARb5yWTEor4R
YRyj3ZRUwVad28DoFteRgG3sYiyLpx9jLdZOjh0fqQwkLXU9XNw70bDFmA07
2S+boVv2DG0NYe9w0CTANn+bTOUYS9R+BBMzLbY1rhZE1rXeDKY2SIcE1PHC
8a7y4FsfpuoCPHFRci7yYfGLztNmC40Fw2cN06itpxnbQQGY43q+Z91aVLQe
y5P5g0CLYc8R5jCZlAn2JzCA12jlkkJJx9RHjH82EWPfBB3Wjn2wKf56f+zV
+dir8DfZhBEfjB3FYVhWMCn6zEqjo5gaxp851CqW26Scm8pLdG3QHaghQLyb
mCEBtCdHSqMP6mb3hXX5FulaROo3D3AdVB2UpoPjtWQfaCA3R1b2YlJ7bnHU
JuX4mqtVU6v7+UWYzQF71Cpa3SoG5MlmfBZ5ZiPFJkpsl40jjCGWyM7q1t3P
UEXLbEhmxGJqaCXEkEX93rAMiXV+G0U0mNqWES1HXJYWLoe+YrXOcYFk0QkW
bX8CUW70idTEZOCAScHaXHCy2uiT17Ye63gfJ8F0152F6GDXbxoTi7Z/EOVS
7uNHopoXFG4mKD/JjRvk6zF6KixsK+sjW9h6wIwi1bs65EWHbRX2bgSrpolk
g4fpNEW2SzhM8I8eYI2qCvbPdgbfFXTDHD1cMNjg5EhQhRVPB36P3fpWm7Gy
GLVX2AInC45zYUZVnQxMJhNF/r0CGBVE9hgeFVQubGjcFbRpsc/HQdNN/Fkr
JFXGhGo1WckV4UC3s4heydTOxcNoyHl9yVc/+LrrWgs7Dp0DbAqjDysiB2a7
jnbN+Q2m4hssocCzEIThydXOwpTDTx8/TiRdd0Olad8H1A2YQTaAYO4FwMwY
Sb6OZSW1wfKS+Vi1srzyA/UNP+jjmIXdCGyHFQheb3E2bkW3BGlPjJEfb8nw
j4MnzAIpcSLaOF7e3HY70ne9r3GDgYWEXmR4wmVfdlLLRr6Eh6JxKXVd8I1C
30k5Bl1XPrkVh3QfMbyrRaeJy6cIbrHHOIEmq4oamZJ4CoxunbbnILRVdMU/
5zIxaCYIn0shUjQIh3tS+KIqwxxGkYK9tfl4KMQrPHl9BdKYEvy11tzK2jUb
48HUdt+DGPlVLpJf5SqhAwP/OvJig2yV26yY6V3U3iC/ul9T/k//7PvX9/6D
VpKLogZl/NckOpzw7/egYr2i6OSlOOdRMwr6g+RHZ4jznCE0lRtDn/Kmxlps
YYLN6amhKjzy+JAHDwz5AxRu2/QBjrqR51WhZ+oEYiAEtxHFHtttDa6Kr4zx
xqBIA58NoleyZL1DyceGRen9dHoSviAhgF+TDecefvPBCL7AEEk3vh48Hwzg
hpXydPMcMCsg7Fa8PymhW/D1whNumpGw8P9IW+wCuW+wxDNahUrXG0QVuUyo
4Tih4L6mT33uiKlnyiKOicabTnYqi1L5TsSM/Ls/ZAXo/V/q9xv9mmwSi/TF
lLH/BD/telvy/krq4+RHkuQxpM0ETZhWkxTqDKP26pjh+IIUCsZfmzqQsdCM
KjvWSo4mNeQI5SfQSy2LUYPyWBvF+3GxsHg3c4vzkX0sOgl7la8eS6+9mfQd
hGYXnTmWw9nrjvjOKsigI6Dc/cXs77k+XsVXgtQoQz2Lexgz9P+e80mvd8Ln
m94vuACXRAXooqVJDYRPZvZk8rqE3Q9rnWVFi8j7d7zaIl/f9KZJUlXAEidO
msXlmDArqy0R5l3/3fbPPATvVRwDiCSgjQNA4+wv7t9xPMN3WAASreYA+Wkk
VZVMNz2LXqWJK0VzEgkYIx+PqELou9PzN9un5+9OxRAYaqahuATQtTO/RJXH
u9rRc5oH5D2HsgRVYZRipzVS4omhURzoeViJ3n9XofuEfcGyNYXTJz7jcvn1
VwZXCpGTBhHg5TyvXWRZdfL029Vh+k9fq4Lt7zjSFujAlrk4DOtNa9yjumWm
IufUmccZf4luP4lNedBDu+Qu2D7eV1nfY9RmYZUtl8GjRwkiws8saPqQgH7J
t0eboNJg/ZI3sJXTHOwjhoPG9wUleU2q4pL8W66F6B4ZLgWbsJJTgRGcpnZn
BI9ISRYemsjgO6Q+DneLbN1AxpQhZAurAMHljhlyvah1yaSi7BsqXfOBIxpw
rpT2BWFyGN6/38SQAB0zWnvs3Onxxw9wPA/PD5MBesT+YwWfmxHTLpXNUEoH
pslVA4+ttjJC4VkZQPd8+FVwVM6JuQkr3yCzT5x+71Nacp4OWB9cOJsLcx/G
3L9uA1yI92tnWfiTE5U6ZiWDlWnPSBmXc9Oawhs6wFXEBObCcfzrFQayyDQP
ZEHoN/f/anOUdfSOTbE0x46UWrwHsrmYXpPZfQxIJBoCp/YZvhGUjQESzrJ2
Y25FyIbr87Bq0alNL5OKalfdsbvV3wV9R5aVlvYxtQTmjl/zgRRxLXGVbSou
Rb3TBjcR4UQF1jHRWM4gSqZTTN5xbXERsNjR4rUrujNKmwMJqbAOjP1RX2Hn
r32dPSIUyGZrjJ8zvwIXhWd4dSbN+Parcpa/otwiTafz3aDjw7niaMqWk3KG
KYSzWe2CtzNTcArtDYTjcC0lei/V92w1M4VmI/Gzwh1ifzBvaer8gpEYvp1Q
nCCXqtyWS0shQdYvHZWQZcucpoIc7NS609Z52XDPHXnRjSS7OSfIUNyph3Ng
nHxYas49CI7Ai8+4P0e0QbMm7Bih+8mmlFBZCARW4ZOMCFYfRFk5uOTW/Pcr
AVBYTSFK8KQcnqPXgbCkKZ1JggOxIjwh/hJlStV5JyWzCImSbgMrucmXhFbg
s6B3zWZE+0GTzhBxMcxcMKM8TqWtK4WgeUyxpc52rjSqlSPY40l1RjSWEblX
RFM1mEC2NX29SOuY5cR48uJQWPvwlzNHcXrG/GuO7EoZtTA5Vp0+i7IDUAP7
cFVh2o/7sAjhe27r6M/vCOcJpuzZEUlLVkOVCQfW6apie2ftsOoh0wewXyYA
8UwZHdYRKdq+4htdckt0j/C4hEmEydPwgpkkx1IU0ed1eIE0jZ6jwoGhQCaX
G325/zJwvrn98d54V6lk4AJZVbnxwpNJri772V229neX/7VTJgXx2xqAtT/D
qTq7q4IsDLmn6XUfdTmJ9DmR4zXS+yAtDiWlLzU9B4uVx0P1o6xWM5XkR3xo
JJD0Llvy3jJkOxgioYcO+qsudYBSLk5dmcIb11U2zTsJK0ErRNqbCB+lhDFC
nLHIEMgWyvIQYKouZuxc0XQDuH/zBcwnr5STkorMmakWRSJ1BYReKOQPeEYk
TyrkGSMJfnDL6dGe/dA9Sj6iBjrpTdo/QWaK7Q/M9v0zx5dpYq2fTFw0xqFl
MppJXlpoUi5Uu7D1C6XSIJIDRBULEDH5ubzLKQsXrxgQtKBqwElfruVZJzgd
uKYzDnhS3E5EHfQMRfYoWef1Nhx96ikOiWgxHAh1kL1EjIoaJW6FWT699nXU
6BPCEMHkGJcVWNYp6y14apUYo5KC1vgW3BLXBa8EvB6j4Ck7hlMAYIYRzOjs
mChYLwh05R3TCKi/JPOvoFMQX1JRf6mZMkQ7sCZN1/DooQd9Dh+69jwul4hx
nUlmjSkDgrHPKoc/slnTqrjhU2bYqSxhGiEUYtEOb2aFsbPZPz/ku9sAKuEQ
kWUw8kHUlqMV/QVtn6hAfOBK5IJAFVb6pRAQl4JcEzMw4ycEpa4Mq+j+FLEz
0yBvwYSpM7ALOUiMZzktr64wCwmfozu3vonzwmL3p482aQf6Qmjse0WJ774T
96rLELMJGa8UmKlviiu1JQKaPXYREk1R+DcVQ0xxTxPiHIdEnjVQafvQAlQX
y0cRpCYup1HhqzgoFst046+dIk+pXYo3Y3aCMIdKwY18GmXWUH2EqpJaJck7
qWnRIldVIeFh40iMnSHZYDtjhmFjJlEuGcDWQKKMeuhB6nhepdi3TBAVNWHu
OlQ6lFxJvk98hEsWgak/oDYrfeR9npHCGB1TQUOhQFJkqJ4wLeWhLga3Wtxl
pB3z5KPyQHP1nkIuIo1ZzJpUFVzCEUfwfY4UGu2zPPvih0n+AOKeYNIwutS5
AdKtaVpkAiRdqZYS9iHow5W1a+X3lflWZmP1kVrApggvophh+UAt1QTfyJD5
g6GlwgdFUFC7jFSGytCR8t3Dwb4TwQyqslh7L2YLn07oKaYNaAgkd6JMU7qS
jl3WtbSSJTereYZk57A+l1q512aXgNWWLbSOzALmciRHGq0FYZPmTax6O98g
1HM40T6/gEyZNWJjQU4hvx6TZSFQhaMmMQ/1FRZKpnNFCSM1Cw+WNEtGmTgL
Z2HJocgof5EJu7wGXlb1SjIIGspUdYqOY/hRX0cIUecLBFytKtrslI4fEkau
r5GrQCpQd9NH6BIH62XKJ9KnoMBL6PMpK0YAcI0hbkRy0ZkQ3CO5pfZcvGhy
54SpJuLQr1iEW25zHqyuEGeNEpWx681U0yDzss5X03KxnmOjZoNLNJK2kFMC
vOji/PTp5A0vGZ0FEMqBv9nsevaSox+JqnV49u85E2DXERjTJG4p0yOlyrrG
l6Kxzgx85SSkv74tFl8yLbZ4bpyQ1gQPALcRrkFODD4jVheElyZMyoFjhJRH
z1HO06IHCk+1V8h6si55NgiIbAATcM1FjocDiyBRij3t5KyxhqCPxVGKLlGs
igsiwywwJLtohRBH8mDonMH3c9q7iXFT8dd7gids0M2KL/kd+o0JsJU7dqaE
zD0Wx2VVK1Z3tZiFRUhadxD6EPyPomOODAvMwx4RJYf96FiZo5dSRh3jziub
zNtlsrDQBpWrNaR1OiEjF9I+yME0nRZiWFhP8wRM6m7SwEqkHnIGX6xymMNR
clHjX2r8WwkbgH50c0eTzIok/MtHGmVa05SurC5NKlyTN8VlIcU48DnxSTGl
FJ2LHMuM4W3lfIjJpH/bqUc5sKrF2dZXkfKFbAmTZC3TfZkHBXh370UKfVJF
OCL2kVQ51r5645qvegKmLQUV1Ee5oVPuPmYLcqU93KJKOMmeiZ6gaubMfsFQ
DmZWSRaPnQ+0FfCMUr8ZfyKDInhiwzYicyC0DMTziI2VM2P5SaED5JJIGKEH
3S4QWnP1NbwzUNOKrHBxc2ORFFsLjCp6uQE90lvIa0jXPXG1MTxrygnoo26V
IaaEZqU8qi/gueFk75m+sF8h0PNanCYINPa2PHm5h65G1dsMQMcNLrZummZZ
H2xvoz49nqyxRlONfyvn21lRbd/ubl0MtX6AnidVzx3oHsJ2essmf93eveSl
Uh5Oz/JHvsq1ozXRzksW1s/n5x9BN52ivMRSwxcmAWsb+v+HyV1zYRmA0I5X
4nxX1PYzOgUvn7/AKeAdE8fszogVw7n3mB8A8hiehlsItZuD5CPmfRNylBO6
DCT3kqMGrBCw3in7rs2FTJcKU2/AQoqDp+VnEipd76s2iZ38VfFuSow2goIQ
BQXdJlwuEgbw/OU+D5eoHxQi0hr44BR0s6FzH4wuiTWaj3QLOBe/gb88XiIi
oMpm794mgwvkFoFFqasJbpXP6karSL62fslJUPi7ISo4GAhdaqs/roR9D84g
5xowccu+JNx54HnykygstS3NE8rLshS5zwFJSRJxpBPxi95hXISSNnjPX5Wr
ijN7QZmC66nGWhDE4SVkROht5CIQ0Ap9vQ4ksTkYwRVFY9F0eId+SKLLOEje
+Fz4giv75u1YMqsncVJVbatXxjUr4vQ/FhDihSb3Mb7409FHrv2ueVNn6EvC
KgpwS4BCcKwkRhIv8hJUiBFtPI15yfoxBST4PRidwzHUl4MothlRo4XQqweT
Hf5yphXF3p+9exgRWH+EVDm6c7XxDNiVbA1T8iIjKhFp/4d6A8JEYRIYlrDQ
4EDpr5XKVVIE9rgwixQvwOS8e1enKafZOipvjQzD/aFg/328sz3oDBr5jxXI
t5HUnjRNpbISaRvahvmC26YgRZw6KBXEGJTJ913mFThbHT0mmMW9phEbj1O5
XCFHDx6CjK4KQpNKHLyGaZUw4ebtRhD3nvq1cnhaFH3QDvm3yjo35wqhy5h6
w7FBf67GyWuZk+YmD4ImjfavOhU3rAlNPe8zaAGWexuXmjKabthLGWMBLHob
/mle98kOCaHSArypuzE7xWBwhOKBR6MF5NGRFLRCecSuc32lJYqWnMJAim5O
1JYF7qVQfLfx1W9guq+xuPWCgrVSYxfGNyFvweDbNxgDmL3F11R+hu4+7Aql
JmBPLstqXf/vSA+he+zjGpaMI2JVufQC+577C9Rc9DI1eTYfxWW4ouEN++65
C7xxQffZ5nuq3haWq884AePl+qJzh72D+2YOp1b66ZeUo+MXyzUYKblYcRMY
5N4FaLuXVYYRAbqB/Kr31esbdZniRgZTkfg0xdY9c460zdJ3DUgVnNONC3NE
vlIieHTxFkC/yV2msR92OglzkgjRHmojIVyRtKoPMN+HJ5RyC/OKZgKpdrAI
y7LACxZN4syrvEzYNnIXf0n9EqaHRZW+Z+z4IINHvgraeiisTOR38SR2mrGK
ksZg9lClQ200wU7CDU3+qFoo2WScoVy7ehub0tlQr+KRmGuhaMKxN0K5TTel
OmHoYhc0FnRn9Y91VsFxzvSJ16RtBq1FLLCxNQoKt5QQRL+YOZCaDByAUsYk
m/vZMJNBQY21o4qfwdIWt3wrIKM5RLaAlal8kskuqdDol7c95oi26PHesR4H
DA+7e4XTDYUlcyRzyasJBRG5OnAeVzlzIfU7cDAnWx8Pz862oAF0bHI9Uzuf
uVLVLGdgI2zQtvB3kZrQApMyiRgpQC44MJhrhHosbuLvaF+WjRUVNuHm7EvI
+b5aQSI71BWqA1+fXLmXeXOXywELvMEb6H/DFUV3dlcN2O659lVCYmB4NnPt
UQeSzdcaWqZ1LU0VNHLfmUvNEWBb5V+SXcKEDQ8wx8hT0Xb++1UsQPjLG+y0
/hTtQcpUOLgnZeig/Rf7D0RTByrYY/bcwSU4f1YM8Qu49ehTezt7z9KdvXTv
BX6XnkYAcwTPafFcesQCfmTDEuMOGEyepOg6mcKWTPeH+lXzzeeYeQVPemVi
h/5/97/yxZ8+fkp+3t3ZSY6OQFw/SW+K65vr5Srdvd705RZphNYQKzvsEEnM
DvH+zydvTg7pg31VpMai0IjXU1DjHl3p0/AHMPJhpKT+v9KutjltIwh/16+4
oR8CUwRIIoBFkwyxieOOsTPBSWfa6dgykh0aGzxAnBfH+e3dl3sVEpDWyQQH
3a7uTnenfZ7b273LtN1IhmSf7uEkTVtqh2WHCedIoyZcSVrYd8hADJmQZ08G
Guc6POwfyc1HaVDLIGwqd4B2Hl7qsNq5zoObpdPkeoZ0wAS3mzW4lKdw2ZtL
pyG5uA/8GY42f4Z/aemWxhsbZ5KQsewRnbG2ukqurxVrRwgbvhBBD2fbjx8/
vKBX/Quskg9PBmErCLutKOhFB0/q1rxrmlitsXgIYuH36iKKRSd4FE209R/r
65NVy1pBbGPBQWibdL+XrUaj8aRItKnyrcR2qmPkcVnyt06b97+fP1mT1EZX
rO2wpvd3jZpKfbQWd5aCQtFWgOyRB7iJbCWpTG6uYxkIFu9PLZd3o5Qq6A72
9Q5uaNNfk8+wlnqP1n2l41PVbVJN7VotRdAxZoAsQC8sfAFYTJ5by4pjf1fK
nwTUFt6Q1IJOLIJuu8U/GySUWLIisW6MfQ+15CNjuEcl7tvPCx8h9s1qSmJh
5ylUczt3KXvb5j1RnLla0IA00c2tf9Px78OydjaF2oUxsj2QDRqtRmtT51iy
iuTVCvao3VEo2y09kdbbrRSQC4iSbrd2lnYcorR88BPytv+UVhDurKDIZDB6
YNw/bOxArado64v0CFG5myxaFapRu2fVKOrhQNJFgu1Fwi1FrJuf4/SE4hVe
Q0G4AmUe66plbbgkE2HhK6/RKhlfTeGecDN9AyM82DaRWENuz8aogEnZ7e6g
oynWzrIZJTBPtk5oVuIeaTMacLaYDGSVjS2xTraZte69bXDrAxfuwX+1MpuA
8Rx4KUsx/rckqVxOVzp0zO6dl/A+2IHX5F0ts/447LteWadSzHlnylAmWJ+r
ZHqD+zu3c45nRduoWAEHPciKkMFiAttbsew9pRgQBdmy7+n/uZ77LihqPx3Y
lQnmXvH9TZEyW1YbrOWmLhp9nzFQLvGE7n1D/hwfHZ6/GhwdDw/yVdOyGNPd
lQ348+Xg4HxwfLg+IFD2WwbTiwPW0dqhZCP+/HP49vR8dHowPD5/PRi/dmUv
k9S35qwvGQCW5vuOhoPxu7fD0fDk7Px4eHJ49lrKkknkAwKkZAKmzm3+PDk9
2R+ej47Go8HZ/utcnU11LQVG1lQ3pwBlNVSyb21k3xwPzl6dvh2t3RplYaEF
EIXvVrefpezZ0Wg4PhuM3pzDv8dDu8480rW3NNIsHC9UD2wFV+WOFl5Xc86N
PmiCkm9MHyFHbNgQw4Rz9yaemy/mcp5+lWGLOm1/DqPaPpQBmJDTFKELhdTF
vu0ehVW/ychDwaIOaM1g5/eM4mwq5yAOM8Abd7XSSbZhjn0X+3Tap2yObZhi
NlyExvlLH1CFP8cEtLPrbOMM+w4oq6aePIrewvLizxcpul6IbaKTMtHk50Qn
c/SCmoOBSZ6eW0RTFvX2VZ5lHl7iinZjqr+PT094gf+QffHZ40+mDpDOqSqB
pifXV95fc7J/4Aq8QJxYI9rbBA/ReEzt0uTIpEVGYdzmtBnt+ZieM4HhRMl3
YeHePzg4FmM8FJ1gHERFZU/S9OZRMn3qS6HyZqp4Kqq5pGPJOmir6+GB5B8V
SXefzaaSyYVXn8CLXl9lcU7hZaVGs3pdVQEH1hAIQnWtGoIQMxsxXGu08Krt
wsLBcSXrYuIIEOgFUb1tDOLEn7aehnX6Dd0J6ppTld/ttffkb52g5XlgfGuf
o2fil05D4kELtAlxCWuIaCAXLrC8vuYrJli4MA8LWV9YxTSwE+tq5S6tJ2wQ
p0otp99waUEo5xXVASpPiEg8e66QG//0bfxWlasgbgFHWLQTOEU34jmwcLzi
luHN5UUJ3Lg2fYEDcyxZHQSzTQRy2lvJpxoLrMgKWllgufURtMXSrw+hG5f+
NEXf3aLSyUqWTn1YKKvvZjDAl7iHmi6x0V2Wt/o06NQteVhXGXQDtqtKhFcX
CvPVGM6hht0AXd+GcyD8QgQtdf/1+vctZ2WT/cHTHcmBGvmss9OH0p+npBv7
GhRqSLitqDTwNQLE8ssPCeAmshTq+fIUS1kBvvLCNsLT+G5TcQvQaThXXr4I
v2n0hmISmNl2FizH/ULApsFReV+5aEhjobIB2s+DHw19yiXWsI5GOuUyLrTR
wKa8HQ6SMcPt1Oyi0Vir4uJck0PuhfQaK9ZqjwsZmwNXD+uxwQphTcIoxGsA
XwuutXueV/TgoBTjWRdmi1X6xfnK8wqK8frEaNypOQ8uVZM6tYUO3ngKmW8t
zgHYxa9ikdym0+VHTwH2rZLWgktdjGJRZYvQ0WBEB5ztJUMJt7cJT2cyh4h2
/i7Q0tumRfkYTDDpg6NgnYagxdMQEXUcF/lH9nOPB/cDdn86tHGw+yOhHYbd
HwYWD//Tk0DJaKfOo95arFJ/sbrlDiTiAUy/Q8b3EhGMP93e4lkGy/5Trgxb
dioNJbunOANyp9DeESHz+nUv6CpyoSaMi75MpOB6tynSA2H5HbwiKb7kOEN7
6SJM/t+fC1D1RpMpoDDY6151LsMoCzqT3tMonHSSy0kv6oH9nz7Nkm5v7zJr
TbpQZC9sRVG7Fe1dXiW9yyiNOr20E1wgkaPJDEG2Ptv98qyV8vO2thyYh6ta
aKBW9xQGyLm9fVpRYJxiLMAZrQnAtT2KTU6ky9cyiKCQgMxIqD1C5ONqXmAW
Iz5TzN/I0J7r2yqNf5bz2UUst/bc1+RsbswTohirk2SG2ZzgDeEQS7WGUY9j
lc7TOepxF89VTiMmp56jsstdfcvfKyetDkrXKNLrvd1OQwToQ/cKiq1RXci1
eaV8l9ncSuQpYOnBwQ7YGOwmo0QHmc4tQzGLq47rUSFrUcfdZzrD5uMI4hN6
OkMYsViyOTX2U9/1qVtPWRNi/ARE9TiMLcxbyxUExKALBrHivEypHM+ly0Zx
nuMyMsX8li1aTHEZDS7LpSXbcY7gMhIF3JYtVsBtGdk1bsuWXGO2jJzmtezy
OTarRqv1YKIOTrOd8hCzWZilzypXyc0yq8h1ms+G0tEIGcaSQkegHwEOrOvF
/NOdzr9zRUfY+CXiJYvJhylCNRzyucDHykE+kwfklAJ9pNK7AgMmo4T2VctP
vmZ8VInsyMurnN/aI0yHXAZgTmdmsU1OKKSrkiQJHi6JCDFzTvQr59QExm4z
4TbmM+PK4GlXhg3+JVUdugJWkH8B8YvCTmB+AQA=

-->

</rfc>

