<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-usama-tls-fatt-extension-09" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Proposed Document Template for TLS FATT Process</title>
    <seriesInfo name="Internet-Draft" value="draft-usama-tls-fatt-extension-09"/>
    <author fullname="Muhammad Usama Sardar">
      <organization>TU Dresden, Germany</organization>
      <address>
        <email>muhammad_usama.sardar@tu-dresden.de</email>
      </address>
    </author>
    <author fullname="Songbo Bu">
      <organization>Shanghai Guan An Information Technology Co., Ltd., China</organization>
      <address>
        <email>bluedognull@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Transport Layer Security</workgroup>
    <abstract>
      <?line 88?>

<t>This document applies only to non-trivial extensions of TLS, which require formal analysis.
FATT process has successfully discovered CVEs of <strong>CVSS 7.5</strong> and most recently expected <strong>CVSS 9.1</strong> in the <strong>production</strong> implementations of the drafts proposed for adoption in the TLS WG.
To achieve high cryptographic assurances, this document proposes the drafts specify a clear threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://muhammad-usama-sardar.github.io/tls-fatt-extension/draft-usama-tls-fatt-extension.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-usama-tls-fatt-extension/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Transport Layer Security Working Group mailing list (<eref target="mailto:tls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/tls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/muhammad-usama-sardar/tls-fatt-extension"/>.</t>
    </note>
  </front>
  <middle>
    <?line 94?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>While the TLS FATT process <xref target="TLS-FATT"/> marks a historic change in achieving high cryptographic assurances by tightly integrating formal methods in the working group (WG) process, it would be helpful to adapt the way in which drafts are typically written to get the benefits.</t>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>Unverified protocol designs, imprecisely stated threat model and security goals have led to high and critical severity vulnerabilities of the extensions proposed in the drafts.</t>
        <section anchor="sec-mot-example">
          <name>Concrete Motivational Example: Practical Exploits in Production Systems</name>
          <t>As an illustrative example, authors of <xref target="I-D.fossati-tls-attestation-08"/> asked for adoption in IETF 121, explicitly requesting us (by name) for formal analysis <xref target="Intra-handshake-attestation"/>. We carried out formal analysis of draft in support for FATT process. The formal analysis led to three orthogonal issues:</t>
          <ul spacing="normal">
            <li>
              <t>Formal analysis <xref target="ID-Crisis-repo"/> found <strong>diversion</strong> attacks for <xref target="I-D.fossati-tls-attestation-08"/>. For technical details, please see the corresponding paper <xref target="ID-Crisis"/>.</t>
            </li>
            <li>
              <t>Formal analysis <xref target="Intra-handshake.fail-repo"/> of several <strong>production</strong> implementations of <xref target="I-D.fossati-tls-attestation-09"/> led to discovery of <xref target="CVE-2026-33697"/> of <strong>CVSS 7.5</strong> for <strong>relay</strong> attacks. For technical details, please see the corresponding paper <xref target="Intra-handshake.fail"/>.</t>
            </li>
            <li>
              <t>Further formal analysis of <strong>production</strong> implementation of <xref target="I-D.fossati-tls-attestation-09"/> has led to discovery of another class of attacks and will potentially lead to three CVEs (currently under <em>responsible</em> disclosure) each with an expected <strong>CVSS 9.1</strong>.</t>
            </li>
          </ul>
          <t>This shows the value of FATT process in the design of secure protocols to find subtle vulnerabilities, which could otherwise be missed.</t>
        </section>
      </section>
      <section anchor="proposal">
        <name>Proposal</name>
        <t>To produce high-quality specifications, this document outlines the corresponding changes in the way drafts are typically written.
For the draft to be useful for the formal analysis, this document proposes that it would be helpful for the formal analysis if the draft contains four main items, namely:</t>
        <ul spacing="normal">
          <li>
            <t>motivation,</t>
          </li>
          <li>
            <t>a threat model,</t>
          </li>
          <li>
            <t>informal security goals, and</t>
          </li>
          <li>
            <t>a protocol diagram (<xref target="sec-prot-diagram"/>).</t>
          </li>
        </ul>
        <t>Each one of these is summarized in <xref target="sec-res-authors"/>. Future versions of this draft will include further concrete examples.</t>
      </section>
      <section anchor="scope">
        <name>Scope</name>
        <t>The scope of this document is only non-trivial extensions of TLS, which require formal analysis.
As per FATT process <xref target="TLS-FATT"/>, this includes changes in the key schedule or the authentication process or any other part of the cryptographic protocol that has been formally modeled and analyzed in the past.
As per FATT process <xref target="TLS-FATT"/>, the chairs make a determination whether the change proposed by the document requires review by the FATT to determine if formal protocol analysis is necessary for the change.
Hence, such a determination is out of scope of this document.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <section anchor="sec-prot-diagram">
        <name>Protocol Diagram</name>
        <t>In the context of this document, a Protocol Diagram specifies the proposed cryptographically-relevant changes compared to the standard TLS protocol <xref target="I-D.ietf-tls-rfc8446bis"/>. This is conceptually similar to the Protocol Model in <xref target="RFC4101"/>. However, while <xref target="RFC4101"/> only recommends diagrams, we consider diagrams to be essential to reduce the gap between:</t>
        <ul spacing="normal">
          <li>
            <t>the specifications and formal analysis</t>
          </li>
          <li>
            <t>the specifications and implementation</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-res-authors">
      <name>Contents of Drafts</name>
      <t>The following contents are expected in drafts:</t>
      <section anchor="motivation-1">
        <name>Motivation</name>
        <t>Drafts are expected to provide the motivation of the work (i.e., the proposed extension of TLS).</t>
      </section>
      <section anchor="sec-th-model">
        <name>Threat Model</name>
        <t>A threat model identifies which threats are in scope for the protocol design. So it can answer questions like:</t>
        <ul spacing="normal">
          <li>
            <t>What are the capabilities of the adversary? What can the adversary do?</t>
          </li>
          <li>
            <t>Whether post-quantum threats are in scope?</t>
          </li>
          <li>
            <t>What can go wrong in the system? etc.</t>
          </li>
          <li>
            <t>What are the computational and memory resources available to the adversary?</t>
          </li>
        </ul>
        <section anchor="typical-dolev-yao-adversary">
          <name>Typical Dolev-Yao adversary</name>
          <t>A typical threat model assumes the classical Dolev-Yao adversary, who has full control over the communication channel.</t>
          <t>Any additional adversary capabilities and assumptions ought to be explicitly stated.</t>
        </section>
        <section anchor="keys">
          <name>Keys</name>
          <t>This is particularly relevant for proposals of hybrid key establishment or hybrid authentication.
This section ought to specify any keys in the system (e.g., long-term keys of the server) in addition to the standard TLS key schedule. Theoretically and arguably practically, any key may be compromised (i.e., become available to the adversary).</t>
          <t>For readability, we propose defining each key clearly as in Section 4.1 of <xref target="ID-Crisis"/>. Alternatively, present as a table with the following entries for each key:</t>
          <ul spacing="normal">
            <li>
              <t>Name (or symbol) of the key</t>
            </li>
            <li>
              <t>Purpose of the key</t>
            </li>
            <li>
              <t>(optionally but preferably -- particularly when the endpoint is not fully trusted) Which software in the system has access to the key?</t>
            </li>
          </ul>
          <t>If more than one servers are involved (such as migration cases), the keys for servers ought to be distinguished in an unambiguous way.</t>
        </section>
        <section anchor="template">
          <name>Template</name>
          <t>For the threat model, useful fields might include:</t>
          <ul spacing="normal">
            <li>
              <t>protocol participants and roles;</t>
            </li>
            <li>
              <t>assets or properties to protect;</t>
            </li>
            <li>
              <t>initial authenticated knowledge;</t>
            </li>
            <li>
              <t>adversary capabilities;</t>
            </li>
            <li>
              <t>trust boundaries;</t>
            </li>
            <li>
              <t>key-compromise assumptions;</t>
            </li>
            <li>
              <t>downgrade and negotiation assumptions;</t>
            </li>
            <li>
              <t>deployment or migration assumptions;</t>
            </li>
            <li>
              <t>explicit non-goals.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="informal-security-goals">
        <name>Informal Security Goals</name>
        <t>Knowing what you want is the first step toward achieving it. Hence, informal security goals such as integrity, authentication, freshness, etc. ought to be outlined in the draft.</t>
        <t>Examples:</t>
        <ul spacing="normal">
          <li>
            <t>Integrity of message X holds unless some key Y is leaked.</t>
          </li>
          <li>
            <t>(stated differently) Integrity of message X holds as long as some key Y is protected.</t>
          </li>
          <li>
            <t>Freshness of message X holds unless some key Y or some key Z is leaked.</t>
          </li>
          <li>
            <t>Server Authentication holds unless some key Y or some key Z is leaked.</t>
          </li>
        </ul>
        <t>See Section 5.1 of <xref target="ID-Crisis"/> for concrete examples.</t>
        <section anchor="template-1">
          <name>Template</name>
          <ul spacing="normal">
            <li>
              <t>Property:</t>
            </li>
            <li>
              <t>Protected object:</t>
            </li>
            <li>
              <t>Adversary capability:</t>
            </li>
            <li>
              <t>Required assumptions:</t>
            </li>
            <li>
              <t>Failure condition:</t>
            </li>
            <li>
              <t>Non-goals:</t>
            </li>
            <li>
              <t>Candidate formal query or correspondence:</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="protocol-diagram">
        <name>Protocol Diagram</name>
        <t>A Protocol Diagram ought to clearly mention the initial knowledge of the protocol participants, e.g., which authentic public keys are known to the protocol participants at the start of the protocol. An example of a Protocol Diagram for <xref target="I-D.fossati-tls-attestation-08"/> is provided in Figure 5 in <xref target="ID-Crisis"/>.</t>
      </section>
    </section>
    <section anchor="document-structure">
      <name>Document Structure</name>
      <t>While the needs may differ for some drafts, we propose the following baseline template, with examples of <xref target="I-D.wang-tls-service-affinity"/> and <xref target="I-D.sheffer-tls-pqc-continuity"/>:</t>
      <t>The template is easy for:</t>
      <ul spacing="normal">
        <li>
          <t>readers</t>
        </li>
        <li>
          <t>reviewers</t>
        </li>
        <li>
          <t>formal analysis team</t>
        </li>
      </ul>
      <t>TODO: Currently it is almost a copy of the <eref target="https://mailarchive.ietf.org/arch/msg/tls/LfIHs1OVwDKWmDuCEx0p8wP-KPs/">guidance email</eref> to the authors. We request feedback on what to add in next versions.</t>
      <section anchor="introduction-1">
        <name>Introduction</name>
        <ul spacing="normal">
          <li>
            <t>Problem statement: Say in general what the problem is.</t>
          </li>
          <li>
            <t>For <xref target="I-D.wang-tls-service-affinity"/>, we believe this
 may preferably <em>not</em> include CATS. Anyone unfamiliar with CATS ought to be
 able to understand the problem statement.</t>
          </li>
        </ul>
      </section>
      <section anchor="terminology">
        <name>Terminology</name>
        <ul spacing="normal">
          <li>
            <t>Define any terms not defined in RFC8446bis or point to other drafts from where the definition is used.</t>
          </li>
        </ul>
      </section>
      <section anchor="motivation-and-design-rationale">
        <name>Motivation and design rationale</name>
        <ul spacing="normal">
          <li>
            <t>We really like how the author of <xref target="I-D.ietf-tls-8773bis"/> motivates the problem statement. Use it as a sample.</t>
          </li>
          <li>
            <t>Here authors can address all the concerns from WG, including
 justification with compelling arguments and authentic references
 why authors think it ought to be done within TLS WG (and within handshake).</t>
          </li>
          <li>
            <t>For <xref target="I-D.wang-tls-service-affinity"/>, authors could put CATS here as a motivational use case.</t>
          </li>
          <li>
            <t>For <xref target="I-D.sheffer-tls-pqc-continuity"/>, it should clarify why the problem is specific to PQ-only and why did the WG do such a thing for the transition for other primitives, as requested by several WG participants.</t>
          </li>
        </ul>
      </section>
      <section anchor="proposed-solution-one-or-more-sections">
        <name>Proposed solution (one or more sections)</name>
        <ul spacing="normal">
          <li>
            <t>Protocol design with Protocol Diagram: we work on the formal analysis of TLS 1.3 exclusively. Please contact someone else if your draft relates to older versions.</t>
          </li>
        </ul>
      </section>
      <section anchor="security-considerations">
        <name>Security considerations</name>
        <section anchor="threat-model">
          <name>Threat model</name>
        </section>
        <section anchor="desired-security-goals">
          <name>Desired security goals</name>
          <t>As draft proceeds these desired security goals will become what the draft actually achieves.</t>
          <ul spacing="normal">
            <li>
              <t>For <xref target="I-D.sheffer-tls-pqc-continuity"/>, it should clarify which property of the TLS protocol is broken and how does the proposal improve the security.</t>
            </li>
          </ul>
        </section>
        <section anchor="other-security-implicationsconsiderations">
          <name>Other security implications/considerations</name>
        </section>
      </section>
    </section>
    <section anchor="sec-sec-cons">
      <name>Security Considerations</name>
      <t>The whole document is about improving security considerations. As mentioned in <xref target="sec-mot-example"/>, unverified specifications have led to high and critical severity exploits.</t>
      <t>Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Formal methods should be used as complementary and not as subtitute of other analysis methods.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="TLS-FATT" target="https://github.com/tlswg/tls-fatt">
          <front>
            <title>TLS FATT Process</title>
            <author>
              <organization>IETF TLS WG</organization>
            </author>
            <date year="2025" month="June"/>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-tls-rfc8446bis">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="I-D.fossati-tls-attestation-08">
          <front>
            <title>Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Paul Howard" initials="P." surname="Howard">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Arto Niemi" initials="A." surname="Niemi">
              <organization>Huawei</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="21" month="October" year="2024"/>
            <abstract>
              <t>   The TLS handshake protocol allows authentication of one or both peers
   using static, long-term credentials.  In some cases, it is also
   desirable to ensure that the peer runtime environment is in a secure
   state.  Such an assurance can be achieved using attestation which is
   a process by which an entity produces evidence about itself that
   another party can use to appraise whether that entity is found in a
   secure state.  This document describes a series of protocol
   extensions to the TLS 1.3 handshake that enables the binding of the
   TLS authentication key to a remote attestation session.  This enables
   an entity capable of producing attestation evidence, such as a
   confidential workload running in a Trusted Execution Environment
   (TEE), or an IoT device that is trying to authenticate itself to a
   network access point, to present a more comprehensive set of security
   metrics to its peer.  These extensions have been designed to allow
   the peers to use any attestation technology, in any remote
   attestation topology, and mutually.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-tls-attestation-08"/>
        </reference>
        <reference anchor="I-D.fossati-tls-attestation-09">
          <front>
            <title>Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Paul Howard" initials="P." surname="Howard">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Arto Niemi" initials="A." surname="Niemi">
              <organization>Huawei</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="30" month="April" year="2025"/>
            <abstract>
              <t>   The TLS handshake protocol allows authentication of one or both peers
   using static, long-term credentials.  In some cases, it is also
   desirable to ensure that the peer runtime environment is in a secure
   state.  Such an assurance can be achieved using attestation which is
   a process by which an entity produces evidence about itself that
   another party can use to appraise whether that entity is found in a
   secure state.  This document describes a series of protocol
   extensions to the TLS 1.3 handshake that enables the binding of the
   TLS authentication key to a remote attestation session.  This enables
   an entity capable of producing attestation evidence, such as a
   confidential workload running in a Trusted Execution Environment
   (TEE), or an IoT device that is trying to authenticate itself to a
   network access point, to present a more comprehensive set of security
   metrics to its peer.  These extensions have been designed to allow
   the peers to use any attestation technology, in any remote
   attestation topology, and mutually.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-tls-attestation-09"/>
        </reference>
        <reference anchor="RFC4101">
          <front>
            <title>Writing Protocol Models</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author>
              <organization abbrev="IAB">Internet Architecture Board</organization>
            </author>
            <date month="June" year="2005"/>
            <abstract>
              <t>The IETF process depends on peer review. However, IETF documents are generally written to be useful for implementors, not reviewers. In particular, while great care is generally taken to provide a complete description of the state machines and bits on the wire, this level of detail tends to get in the way of initial understanding. This document describes an approach for providing protocol "models" that allow reviewers to quickly grasp the essence of a system. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4101"/>
          <seriesInfo name="DOI" value="10.17487/RFC4101"/>
        </reference>
        <reference anchor="ID-Crisis">
          <front>
            <title>Identity Crisis in Confidential Computing: Formal Analysis of Attested TLS</title>
            <author fullname="Muhammad Usama Sardar" initials="M." surname="Sardar">
              <organization>TU Dresden, Dresden, Germany</organization>
            </author>
            <author fullname="Mariam Moustafa" initials="M." surname="Moustafa">
              <organization>Aalto University, Espoo, Finland</organization>
            </author>
            <author fullname="Tuomas Aura" initials="T." surname="Aura">
              <organization>Aalto University, Espoo, Finland</organization>
            </author>
            <date month="June" year="2026"/>
          </front>
          <seriesInfo name="Proceedings of the ACM Asia Conference on Computer and Communications Security" value="pp. 547-560"/>
          <seriesInfo name="DOI" value="10.1145/3779208.3785387"/>
          <refcontent>ACM</refcontent>
        </reference>
        <reference anchor="ID-Crisis-repo" target="https://github.com/CCC-Attestation/formal-spec-id-crisis">
          <front>
            <title>Identity Crisis in Confidential Computing: Formal Analysis of Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="M." surname="Moustafa">
              <organization/>
            </author>
            <author initials="T." surname="Aura">
              <organization/>
            </author>
            <date year="2025" month="November"/>
          </front>
        </reference>
        <reference anchor="I-D.ietf-tls-8773bis">
          <front>
            <title>TLS 1.3 Extension for Using Certificates with an External Pre-Shared Key</title>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <date day="5" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies a TLS 1.3 extension that allows TLS clients
   and servers to authenticate with certificates and provide
   confidentiality based on encryption with a symmetric key from the
   usual key agreement algorithm and an external pre-shared key (PSK).
   This Standards Track RFC (once approved) obsoletes RFC 8773, which
   was an Experimental RFC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-8773bis-13"/>
        </reference>
        <reference anchor="I-D.wang-tls-service-affinity">
          <front>
            <title>Service Affinity Solution based on Transport Layer Security (TLS)</title>
            <author fullname="Wei Wang" initials="W." surname="Wang">
              <organization>China Telecom</organization>
            </author>
            <author fullname="Aijun Wang" initials="A." surname="Wang">
              <organization>China Telecom</organization>
            </author>
            <author fullname="汪宗斌" initials="P." surname="汪宗斌">
              <organization>Beijing Infosec Technologies Co., LTD.</organization>
            </author>
            <author fullname="Mohit Sahni" initials="M." surname="Sahni">
              <organization>Palo Alto Networks</organization>
            </author>
            <author fullname="Ketul Sheth" initials="K." surname="Sheth">
              <organization>Palo Alto Networks</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This draft proposes a service affinity solution between client and
   server based on Transport Layer Security (TLS).  It defines a minimal
   extension to TLS 1.3 by which a server instance can authorize a
   client to resume an established session on a different instance of
   the same service (for example, another node of a load-balanced
   cluster) and request, in band, that the client do so.  The relocation
   authorization is carried inside the server's own session ticket, so
   it inherits the security properties of TLS 1.3 ticket-based
   resumption; the relocation target is an opaque identifier resolved by
   the application or control plane rather than an address carried in
   TLS.

   This document also introduces a Reliable Framing Layer that operates
   above the TLS record layer to provide message framing, sequence
   numbering, acknowledgment tracking, and automatic retransmission.
   The Framing Layer ensures zero application data loss during TLS
   session migration by buffering unacknowledged data frames and
   retransmitting them to the new server endpoint after migration
   completes.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-wang-tls-service-affinity-04"/>
        </reference>
        <reference anchor="I-D.sheffer-tls-pqc-continuity">
          <front>
            <title>PQC Continuity: Downgrade Protection for TLS Servers Migrating to PQC</title>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <date day="9" month="June" year="2026"/>
            <abstract>
              <t>   As the Internet transitions toward post-quantum cryptography (PQC),
   many TLS servers will continue supporting traditional certificates to
   maintain compatibility with legacy clients.  However, this
   coexistence introduces a significant vulnerability: an undetected
   rollback attack, where a malicious actor strips the PQC or composite
   certificate and forces the use of a classical certificate once
   quantum-capable adversaries exist.

   To defend against this, this document defines a TLS extension that
   allows a TLS client to cache a server's declared commitment to
   present PQC or composite certificates for a specified duration.  On
   subsequent connections, the client enforces that cached commitment
   and rejects traditional-only certificates that conflict with it.
   This mechanism, inspired by HTTP Strict Transport Security (HSTS) but
   operating at the TLS layer, provides PQC downgrade protection without
   requiring changes to certificate authority (CA) infrastructure.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-sheffer-tls-pqc-continuity-02"/>
        </reference>
        <reference anchor="Intra-handshake.fail" target="https://www.researchgate.net/publication/408219182_Intra-handshakefail_CVE-2026-33697_High-severity_CVE_in_Attested_TLS">
          <front>
            <title>Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="V." surname="Dubeyko">
              <organization/>
            </author>
            <author initials="J.-M." surname="Jacquet">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="Intra-handshake.fail-repo" target="https://github.com/CCC-Attestation/formal-spec-KBS">
          <front>
            <title>Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="V." surname="Dubeyko">
              <organization/>
            </author>
            <author initials="J.-M." surname="Jacquet">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="Intra-handshake-attestation" target="https://datatracker.ietf.org/meeting/121/materials/slides-121-tls-tls-and-attestation-00.pdf">
          <front>
            <title>Attestation and TLS</title>
            <author initials="" surname="Hannes Tschofenig">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
        </reference>
        <reference anchor="CVE-2026-33697" target="https://www.cve.org/CVERecord?id=CVE-2026-33697">
          <front>
            <title>CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys</title>
            <author>
              <organization>CVE</organization>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 280?>

<section numbered="false" anchor="appendix">
      <name>Appendix</name>
      <section numbered="false" anchor="document-history">
        <name>Document History</name>
        <t>-09</t>
        <ul spacing="normal">
          <li>
            <t>Template for threat model and informal security goals</t>
          </li>
          <li>
            <t>Added Songbo as co-author</t>
          </li>
        </ul>
        <t>-08</t>
        <ul spacing="normal">
          <li>
            <t>Focused on document structure only</t>
          </li>
          <li>
            <t>Motivational examples</t>
          </li>
        </ul>
        <t>-07</t>
        <ul spacing="normal">
          <li>
            <t>Failure of current process</t>
          </li>
          <li>
            <t>Students of FATT</t>
          </li>
          <li>
            <t>Lead FATT Person for Contact</t>
          </li>
          <li>
            <t>Feedback from the WG</t>
          </li>
        </ul>
        <t>-06</t>
        <ul spacing="normal">
          <li>
            <t>Solution for ML-KEM: FATT analysis</t>
          </li>
          <li>
            <t>Solution for FATT contact: new mailing list</t>
          </li>
          <li>
            <t>Replaced responsibilities by expected contributions</t>
          </li>
          <li>
            <t>Clarified Verifier even further that it is just a WG member; no formal role</t>
          </li>
          <li>
            <t>s/pure/non-hybrid</t>
          </li>
        </ul>
        <t>-05</t>
        <ul spacing="normal">
          <li>
            <t>Removed process-related stuff</t>
          </li>
          <li>
            <t>Moved discussion at meeting to solutions</t>
          </li>
          <li>
            <t>Added ML-KEM</t>
          </li>
        </ul>
        <t>-04</t>
        <ul spacing="normal">
          <li>
            <t>Extended threat model <xref target="sec-th-model"/></t>
          </li>
          <li>
            <t>Helpful discussions on formal analysis in meetings</t>
          </li>
          <li>
            <t>Pointer to formal analysis and costs</t>
          </li>
        </ul>
        <t>-03</t>
        <ul spacing="normal">
          <li>
            <t>Limitations of formal analysis in security considerations</t>
          </li>
          <li>
            <t>Proposed solutions section</t>
          </li>
          <li>
            <t>More guidance for authors: Threat Model and Informal Security Goals</t>
          </li>
        </ul>
        <t>-02</t>
        <ul spacing="normal">
          <li>
            <t>Added document structure</t>
          </li>
          <li>
            <t>FATT-bypass by Other TLS-related WGs</t>
          </li>
          <li>
            <t>FATT process not being followed</t>
          </li>
        </ul>
        <t>-01</t>
        <ul spacing="normal">
          <li>
            <t>Pain points of Verifier <xref target="sec-prot-diagram"/></t>
          </li>
          <li>
            <t>Small adjustment of phrasing</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We thankfully acknowledge the following for their valuable input:</t>
      <ul spacing="normal">
        <li>
          <t>Eric Rescorla for review of -02, -05, and -06.</t>
        </li>
        <li>
          <t>John Mattsson for proposing text for security considerations.</t>
        </li>
        <li>
          <t>David Benjamin for review of -06.</t>
        </li>
        <li>
          <t>Mike Ounsworth for review of -07.</t>
        </li>
      </ul>
      <t>We gratefully acknowledge the valuable contributions of co-authors of papers for their instrumental contributions in formal analysis: Mariam Moustafa, Tuomas Aura, Viacheslav Dubeyko, and Jean-Marie Jacquet.</t>
      <t>We sincerely thank the contributors of the formal analyses <xref target="ID-Crisis-repo"/> and <xref target="Intra-handshake.fail-repo"/> mentioned in the respective repositories.</t>
      <t>We express our appreciation to Yaakov Stein and Ilari Liusvaara for their substantial technical guidance, valuable feedback, and contributions in early attempts to formally model ML-KEM.</t>
      <t>The research work is funded by German Research Foundation ("Deutsche Forschungsgemeinschaft.")</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA71ba3PbRpb9zl/RpXyRVARl+RHbnJ3NKJIfSuzEayn2ZlNT
ribQJBGBAIIGSDMu/fc553Y3CJCU7dlUzVRNLAGN7tv3ce65t1tRFA3qtM7M
WB28qYqysCZRF0XcLExeq2uzKDNdGzUtKnX96ko9P7u+VhgXG2sPBjFezYpq
PVZpPi0Gg6SIc73AVEmlp3XUWL3QUZ3ZaKrrOjIfa5PbtMije08HtpksUsvf
6nWJLy6fXT9X6hulM1tAlDRPTGnwn7w+GKoDk6R1UaU64y+XZ9/jHwh0cPn2
+vnBIG8WE1ONBwmkGQ/iIrdYprFjVVeNGSzH6sFAV0Zj1isTN1Varw8Gq6K6
mVVFU+LpdaVzWxZVrV7ptanUZtTS5A2mVOrLQ5Vy+zh4j5nTfKZe8BM+X+g0
w3Oo4R+pqaejoprxsa7iOR7P67q045MTjuKjdGlGYdgJH5xMqmJlzQm+P+F3
s7SeNxN8uWjmerHQiVez1VWiq5NdbfMj2tDW3eX2fTxyc4/SYs80J5+36Whe
L7KDwUA39byAMVSEZZWaNlnmXOLgtV9S/cIp1JUseSCjsFedp3/qGhON1fUv
6qIyFrYfqhemWuh8LaOM12SQ/YPIMnKy/6NuosR9NUrMwZ71r4p8NinU982+
Na/mOp/NdapeNDpXZ7m6hENjab5FFMTzvMiK2VqdF6OhelUn+O/5PM11T7BJ
1pikmOVY8x8zPhvFxQI6GeRuqqX4EsIoYhiN5VvVKsz/D3L5aGC8vX/hXvgQ
3Q5B/1JXMwPrBuN6M2Jx2nE1a63phkucqB+a3Kj79+4/GgzSsFcn4GV0IS4o
Vq6m8ZOHD7+dpDa8mhbWYqy8xZzwK9FSdO/JF0c85Yi3z88fnt47lcEX0XmV
WsytLn6+HJ3eG52ePnx08uDx46f37z0ZPXj85NGDJ4+7A6PKlIVTVkCtS4IE
YlC5EYAiWCmfpvJYZ/hlUTY1QnKsnnObGcyrszWHFlN1JvIB86Ba5xhOPT8V
S0NYERUNB19Q8/n5eXS22emJ6DOLbGniKE2iWCQb7Jo7grTY/OuR+mXkI2Ln
zeuiwbRT3X9xPVJnTaW3zfXk8eMHHVut4NXy3JpqmcYm0tNpmkNZYYCdm+nU
VDKm/COOgJ5QVRNG5HWlI4RGYuf6xoym9PO+8veMUIfn755F0Nu30YMH3z59
fDRWL9PZHDIsTSWGeveMVrpL9cEzv92v9tVqNUKgG4LjDB+MclOflM0kS2On
/If3ntw/fXr65P6HLeko3Ie+bB96kvHlhzT/ECT7AMn+P1Z7N1IXzcSsb4r+
8x8ifPODjv9oTH2Hevc5+H9ex1/p2j9+/x9UTxdK+grqiKcwenuvT3rB/HD/
jjFUY7n4xlSb/LswhsBxcnr/FAm6NmQg9sRmwBYb4aGEjaBcnvSR7t6oTKZ3
6+alznNj1bWN58XU5OkMr/sG/Vx2wMheVjgvzosrpTumVgC3ZZPlptKTzKi6
UJXJ9JpjsEW8S7VC6sZ++YEp52aBoZl8emPWd+QVRl4MfkLVQIa3Ji6q5Ls0
+Xtf9G6Wec0oFUdDGhxEUaT0xMq6g8H1HFImgWrqssxS6KTIszUFzqHGukqX
hPCWZQhkQ8ihWs1TTFyZP5q0EnpKYNce2EcDSZKlS5Jqrq2yTcyfyQfWKklt
DJeosHeILpMeH5+/u7pSj0ePjo/FiRaFrTF/DNnwhfkIf6eu/Lino1OMQ4DV
c4NnWClpYpqeT8GZDfckviCzc5TwJ0uhHMkmpdZJUYrb+plcyh8NrgulwQUR
zGqOsFZxtS7rYlbpEttW2lpAf479DPFVV4l+cttdkJGaTmF7FWcATbwCGa6x
v8RkslOf/jNlPZtVswJ+HmQKHJdZ1cLzK78tjOYPQ4ijVibL+O+iAInYBKKm
QHURFxlUriH+Ikwqso2cRyzSJMnMYPCNRHxQ5OD9PKXreq30DPrpUyBRt7fg
1xU8WkNRljVCrGJyOcOVnA7Jxj+rRTWBx2EADZ3mKGm4RXzk1bIwiMGk1cfK
E3ypCdTh+xdHQa6hSmu8brJETWA4k5VwN/qyTnRZu481l/De6w2E4oTFA9IX
fXMFXcPb+RmCTz6amNxM0xpuDSV9A0IQlDz4JSfcT1O400bTxqaznMIsSvhv
ag1mJTBh0I7tt0w+1/C4jAMLpzKOAXupKZxqk0uAljTDG9N6eCdMWy/v2psb
+AYbgCPFlUFVudkJZn/2UTNwxuC2gAdZ8NnHMiuwcc7ypvUMdbUGzi3s4NNY
fYMNRPA6FCLytbodDM6gUkRUljVEGrJa5d8OPZ6KxJ8+fZ7NwrW0vdkTqELO
gf5DogJYR0q/IRLhYzpGY9UhPIplx5F8vIVOXPnu1HZ7O1LvjYp1VdGsRVPv
fA/hRZ8Uxjal1KNcpxsjI3U938HFYFq6gUEugS5montU4pB+jHgMHLkrbI98
Qy3TosmJhAlUW1kHeiGzUI4va3bEZVTNukoMnZgapAY+CyNpa+BpLvKRYED1
yiJPqNhSl6bqCoSJ7hD5LmYF6aE9cWR88WXg/sJWnmI+r9OQU9bus35KdMv2
cgwVdXwsaXmjvr+olz27DipqYGyz64oi1WeU8JU6YIbdpwedF7JsnAFt5YF3
E+LKCiGqyqJ2dRpiCHvsuKdk5kPAU+VSMHwOMx27fdsUvOZYFssK4DgizQDt
MWdN0Nqfr0eec9h5sXIpcqlRslOuXnoJmCVA6vwFYpgWYi2FRB0F+GwmYGDb
eBjYSSypQDSwAgwzKbDnZRLBQeXabTpjtncmcNk++qPRGWHWZW5f1uzkeiBD
luY+1/cdwmXATcZC0vlcrgFdotcFmObuIGpjDdPX1L/a8pzPMA8kmH158I6J
VNqhR4r1pwZFJsZUbJ0BcYn1Q4HTDFXp4LjDMob4TfeyGp/cQWiG9Dr5YIeV
HH76xETC55F/dnt7BDM9o1MVufEpDkak/zQLkI70T5fe3KfQfuSTi8BbU9Nj
PD76DEl9yS7F89M8zpoE+vChGYes6JOVy5bqKi5KMyCYW/60mSloPvWc+a8R
ZiRNgsidNMvb2wttt10MRQPkm5ukyZhY5BnVwdh2/tvOymyar11YALqQuzx9
6NOz1kbiUASYiQEtcoJju2JtWEB4Jrfx54ZtlNrWX7clw42kIAQLACY8A4Br
qkWaO5FXcyNS+nFklS2xIWek2wYzeM1a/LBMzSq8l9UJi35iQ3/32m+3uIkF
q3JDQTXwMwSMW3k0eGlAVoesZOY7ktIJGtHkfi+hL5F3LWkQugXVdmGkGcTf
B4PfUOxz5P1/jtV//TciYjyeFGDglTsAmMTl6cOo1rOZSW6PAn458S9cxLR8
rBtGJGSXuccocOuP9Y5siMuduQL2eXhrtd7zEfoBAi8zSw0DBI/EPuBVgegY
Ut880ZWri1uVu6S2p83J6JUskVoJSVPWjTicTRds0YdpW4lfC5kWIPCtTU7x
sliRZEjcISQ671y0gpmLvlFXeE0xbYiSpMhqn3o0hk/4fqYU85IsKMZMl3hd
rxAbgo2y417eEFNvxfvdA/vpf+DdhjlaoORC0khr6Q7q0dCOcmZZsZIsFL5j
0mkTMhTlctF4u5i52KSodnQtqXEJjYjAnfrSgwarMXWYjsxo2PeUFgI9Ah45
OL12uUKM1m6jnkeuJGL10C+SXBtZHNEhqHvrxCT/lnALobpVhI3UVcFcGGvW
w3YFs7oqgdrO0hsjJntPgJPEzCDR5U5dpRPmEUDCd24sp+s9Ryh9JxM5uIIC
apKIvG4We+X9LqzKmWYFeEABe3nwtFJdfadMHY92pJNeeqjYpE1iFkVFd7ZI
2Kyl9ZInWb7r1JfeVX/Xjn6oiwKBG/2qi80IKt+/7VeqKE8WgemQSt41AcOt
kGTBRo94YAVrkI8G+RdNHjISESM3GRzjDAlJJ0kaNtYqtmcOSTUUpfT1QTOb
B7bUKQVdre1r3R/ZTQt4wmyXxg1QRBDAAxedp/RcUGw+X0+qNJGcSpo9yVI7
d5SvCu/6uXXkea3ryGzkals/2B7ben0Tq0MzmiFssoKHBEgmbox3Op4YmOpI
2iheM3sRtZv5pegsQGI8vxSFVbMGW1hji76sz9bDIBHS7prao19VBcgxAtcH
84QAaT7jTgxo8lb4SeJstBYE9QiAEGR2g19LYcDFpP9FsUQRV15bD0envsrp
lJXqLINGcukeUN6SJw7sUrLTVIs8UmrUPcTDiIqOQouGVSXEfwJ5VYd4ateL
SZEdBSXjPd6+aSqRuPfw0DUcRI+ThgTbTKWdu1ZR1Pck0BRnV6STskgdJ0Tl
pVy3s64a9oWPEMoEMFtM65VHg44zMGi09EiDpiEHQvZyiiCU8AdWkAk7xwiA
siyyJY3mWAl4VDqrfHShYLVHwzCV00r4uBs6KOLYN2ng5S4/YKEGdH+Szpqi
sSxffDCF6whtvdJj/m3FkposEUnmdSCs0tpo0dlpLy21ZCc4KUDC2L9hCMLb
1MJR6Uamkrh3SQhVec0hQpkIEpsQhNg3ebECHZ0ZmWUvfvCN2EJN2EDRlX8G
5USbAOgiDN8mxSqHSpEAKWhuZkiBvsO6NdCUWbEOOLGxw9awAFRSL0hd5BLj
ZSia2n7vC74c/Jg7314xD6yLBuZwDiauD+pcAw9MCSWtCAmblmtagwU5ynpX
hzk4jWu6SgD3gW2opgi8eS7NVSaknuP4CjjZbir/5oHQM9nLPHBmuqRzyMuc
4W3qSEgHOwKsVhkzkw0HY3VhBV/WvSagwBws5TYRh0K3W8u0G437TXPvt2cl
L7ekH0dg0r7vaQUoLoMmONGChQBqjv9V84Ie3eQZw9MSF4lnvypp6aFySZip
D32TN0l5pCtNk6PPT8iuDTO/3p7Uu7ub93kwwdfJxCgPv/1fX8IriX511i8M
/+2JBlfGtPD9aA98i7X219MdEEEwvHFBDpCWn92eVTH5HT/w2dluIMvYt67Y
69EBPn+OZMW6P2Yjxh1URuqnEGj85RxRnCb+ShVDAoSQvbKq08Jh0Iz3l1hn
u5VSGxEhvS1cjSeOFsCqhafgoHuxEDEmjMAx3TYUlTtddyhO2OdsLRu4A1Xr
QBU2QRFGjnjBJjTs2RTc3dTXtZG9q7I8EBB4jowB8R65aqzfJv5mc6vtCigc
sz/TOWPKjWHOYKdMwsdlK7qfq1Z61KKf9SdAFeKQqr1nDR03CH636aHeeR2D
Zw1Adzfq7jsZt7djV2SFlagAo63Ak+AHwQoeKz+xDeF+3m651QauNLj++eLn
sTpvG6ypwLrO5OQTYFmU62C535CdE56VubtO/zz88rW1hZV7Ryevppcv7enP
71YXP75fXDTnzz7eK5+s3kQ/vrEnRy2pczWknHz4kxQ1hUUmOr5R0ojRtTtI
EzvnbCOE3lpIX52jQ6XUMX0KNG3h6DjtPlZX7vRtZnJp/7tZnWPKUDbC5Nvn
rft9xmTiEhOYnse07Gj4U3o6UYetHSOrHLfdvvOz6yv6/5pUqsmnegFQ0ZXz
GL7sZjg/YaC/0gEX8t2Tut2gr3ClLSTX1dxmpM1jhHKT5TtqKOzYRc3b5+e+
9yG8RwgkVnMNOt83noKckGf6OjBpO0d0maZtab/un//6DnrlC0bj5BEbu4Y/
SmDA/6rjA5tg2b7TxKNeN/2mKbS1f/ULG7SepVuJPm/Ql5Q8dCqkHE94W5Du
noXmVAxG4Hf6/sXQWwwB7q3wO5hb2yxx9iJrM1lGEGCZszCBT26gU/yAgB68
YzVft4LAafIbCtyjw/QMTg/TuPsA6tAdl8ij9njn6N/z1XbzQldQxTtvE5OK
vhbdw1iYVNjSzhqfAyc5//ZUCmV6xdKT2+2HWNt14n7f/E8k7TDZ4Jzg63wb
m06KQNu471nbY6l5B9f5Hh/5PnKVLlIWa3boOJtgiGvThtM+zNlNUd1DGAy0
RdbIpIfS7q9c1eOZpD1qMaXb33FesJ28xsQF6Uv5JLzn0I2GPR09QI6Ak1kp
MkfqjTvkkzOQuJbsQ1lMZqVrvOaRiDtA4LFh7SoTkCfsvw+GV/vZp+c/nZrJ
PbnAZkhm+uxcDtLdctI9Z350RyDJ3vHuVMOX7S20ugmwHddE9bdaKOdfdixy
FF+ltYmq1+OFqidVcWMcGBFnkqLXUObJN+uupemRdk8UfxbPajfJzmholZ5s
K7Ztn/uaQ/oxkkiJcTydEf0JoYiLokraI4bQRQgpkL31u+7ctA1L/p8ihKbr
Chza9I6E9ITnAW53jJ47ChKkIhsIY/c4q3OlgupvNvdMtnrGX3ljxPibHFDt
K4I+YbcVCTIWUwTuzsmgP9lieVJXvlDhdZBuE87d1YIvuxsPrh9LjtOecmaE
BpPI8Z/vIrOpKL7AVBhOXNJMaL4c3DFBRYjhLOnW1cT7zHyUQnXrnLw9qac/
BhSlrgFXqVBrKcotgdXGJsdyhTvu714x8j7uTl+l+nRLyjqVg0mKLBfaJnVa
N7UwaAeCreL8dHJfSF2e/XS27Udbd+/Y+8kLN1I7wBv563pkYJwlVKxwwSZ3
f3FhkltBm5ZXv5QbWOvtIfxzD5DQ3t+SfO0lNHx3lpDd+9v7ohF/5MCZn3Dm
5xCA6qIZgiw2cHxxIQzq3TUK1JxTPJYpfOEGXfobB+HIkGVr3SThAITneXj0
ilcV3E18IK9PRecOuDld4K7CJlxCo0LvfcvFrkKq4UevX0U/Pns9dpN1zmd6
g+SlzwtjOOxK/qqEcZ1B5xj9Fk6qY+igvR4RmtaTzuVF6Yenk8Y5wbE6Fyxl
VL9z4V0pBGzeHkmHs3z4CtkPUjFy6EKu0v6NDuNNxu4ZZrMnJVR4wr6S61Jz
w48GIt2iWLo7alRp5NIXsKRuplOxzVL6FhZ2lCMbuoa7eyttbK+KjTc4pXH+
h5z/Gc96ku37bQ7JwtnO7e2ANNDdRdgsRYjZBZ48LM8l35ARGzn42x4oYAeU
F0d6QFFeEWw294f2zHwHEg+Od7lI29IXHcE92zJM2lEuY4x7Z1oi0l29PAh5
f9AqcTdW6LnwtGiyLnlfB67jciDPzIPN3r+wflh7qO7aZo6jsSg2YvlTrvSG
NzikpBB1tG62774FnZ5n++Dm9DbXyZyqcl5pSxpOFIpDI0O4NpAm4MzfD6bY
oTm4Hbx3veob1/zW8ab10S/bPZ9MK7kFJDVWmoMXSx39jBdJ3xpkkyrTMtQf
60MgKHGI/zxyCQUxzdbWD8U8V691XduABo5iiAuzXHXd7/1JGN9f6CWo7/cm
/x0VYb6zoqzxmpnz5ya3K17d2xnzGJiNzbPva/Zvvt1oDwgE9IqoczVSLpTZ
joZS5jFxFp1tfZzuhI/c+k71ov3LlaG6booFoJt/sTJU71KwQGMzvQx/BuA0
+YPRecRPTfgjALch6BClGUmU2LW9SyAyeIl3aLbZe3PRN1k+czuwx4U4KwGV
QbjkjzQoLxkLgX0vp35SRZKZ61Ku2+pwUvar1jfFEsnDpI6AXhJtARCNXWpd
6Y56kctZ1rvj/fbyXwj24cZuoScy9MizZQh/vFWzPVTbDWCF6zIeN0eONIY/
onG1SsozUwFRhL37szsGgBvxXA4sXHl0cGGamid+JC/4twFKzsBQ4CPxnA34
g6PBvwCwCjKmVjoAAA==

-->

</rfc>
