<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-ace-oscore-gm-admin-coral-06" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CoRAL Admin Interface for the OSCORE GM">Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oscore-gm-admin-coral-06"/>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>ACE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 90?>

<t>Group communication for the Constrained Application Protocol (CoAP) can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible to handle the joining of new group members, as well as to manage and distribute the group keying material. The Group Manager can provide a RESTful admin interface that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. This document specifies how an Administrator interacts with the admin interface at the Group Manager by using the Constrained RESTful Application Language (CoRAL). The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof of possession, and server authentication.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Authentication and Authorization for Constrained Environments Working Group mailing list (ace@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ace/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/ace-wg/ace-oscore-gm-admin-coral"/>.</t>
    </note>
  </front>
  <middle>
    <?line 94?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The Constrained Application Protocol (CoAP) <xref target="RFC7252"/> can also be used for group communication <xref target="I-D.ietf-core-groupcomm-bis"/>, where messages are exchanged between members of a group (e.g., over IP multicast). Applications relying on CoAP can achieve end-to-end security at the application layer by using Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/> and especially Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/> in group communication scenarios.</t>
      <t>When group communication for CoAP is protected with Group OSCORE, nodes are required to explicitly join the correct OSCORE group. To this end, a joining node interacts with a Group Manager entity responsible for that group, and it retrieves from the Group Manager the required keying material to securely communicate with other group members using Group OSCORE.</t>
      <t>The method in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> specifies how nodes can join an OSCORE group through the respective Group Manager. Such a method builds on the ACE framework for Authentication and Authorization <xref target="RFC9200"/>, so ensuring a secure joining process as well as authentication and authorization of joining nodes (clients) at the Group Manager (resource server).</t>
      <t>Furthermore, <xref target="I-D.ietf-ace-oscore-gm-admin"/> specifies a RESTful admin interface at the Group Manager, which is intended for an Administrator as a separate entity external to the Group Manager and its application. The interface allows the Administrator to create and delete OSCORE groups, as well as to configure and update their configuration.</t>
      <t>This document builds on <xref target="I-D.ietf-ace-oscore-gm-admin"/> and specifies how an Administrator interacts with the same RESTful admin interface by using the Constrained RESTful Application Language (CoRAL) <xref target="I-D.ietf-core-coral"/>. Compared to <xref target="I-D.ietf-ace-oscore-gm-admin"/>, there is no change in the admin interface and its operations, nor in the way the group configurations are organized and represented.</t>
      <t>Interaction examples using Packed CBOR <xref target="I-D.ietf-cbor-packed"/> are provided and are expressed in CBOR diagnostic notation as defined in <xref section="8" sectionFormat="of" target="RFC8949"/> and <xref section="G" sectionFormat="of" target="RFC8610"/>. <xref target="notation-coral-examples"/> provides the notation and assumptions used in the examples.</t>
      <t>The ACE framework is used to ensure authentication and authorization of the Administrator (client) at the Group Manager (resource server). In order to achieve communication security, proof of possession, and server authentication, the Administrator and the Group Manager leverage protocol-specific transport profiles of ACE, such as <xref target="RFC9202"/> or <xref target="RFC9203"/>. These also include possible forthcoming transport profiles that comply with the requirements in <xref section="C" sectionFormat="of" target="RFC9200"/>.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>Readers are expected to be familiar with the terms and concepts from the following specifications.</t>
        <ul spacing="normal">
          <li>
            <t>Concise Binary Object Representation (CBOR) <xref target="RFC8949"/>, Packed CBOR <xref target="I-D.ietf-cbor-packed"/>, and CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/><xref target="RFC9053"/>.</t>
          </li>
          <li>
            <t>The Constrained RESTful Application Language (CoRAL) <xref target="I-D.ietf-core-coral"/> and Constrained Resource Identifiers (CRIs) <xref target="I-D.ietf-core-href"/>.</t>
          </li>
          <li>
            <t>CoAP <xref target="RFC7252"/>, also in group communication scenarios <xref target="I-D.ietf-core-groupcomm-bis"/>. These especially include the concepts below:  </t>
            <ul spacing="normal">
              <li>
                <t>"Application group", as a set of CoAP nodes that share a common set of resources.</t>
              </li>
              <li>
                <t>"Security group", as a set of CoAP nodes that share the same security material and use it to protect and verify exchanged messages.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The security protocols OSCORE <xref target="RFC8613"/> and Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>. These especially include the concepts below:  </t>
            <ul spacing="normal">
              <li>
                <t>Group Manager, as the entity responsible for a set of OSCORE groups where communications among members are secured using Group OSCORE. An OSCORE group is used as the security group for one or many application groups.</t>
              </li>
              <li>
                <t>Authentication credential, as the set of information associated with an entity, including that entity's public key and parameters associated with the public key. Examples of authentication credentials are CBOR Web Tokens (CWTs) and CWT Claims Sets (CCSs) <xref target="RFC8392"/>, X.509 certificates <xref target="RFC5280"/>, and C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The ACE framework for Authentication and Authorization <xref target="RFC9200"/>. The terminology for entities in the considered architecture is defined in OAuth 2.0 <xref target="RFC6749"/>. In particular, this includes client (C), resource server (RS), and authorization server (AS).</t>
          </li>
          <li>
            <t>The management of keying material for groups in ACE <xref target="RFC9594"/> and specifically for OSCORE groups <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>. These include the concept of group-membership resource hosted by the Group Manager. Candidate group members access such a resource to join the OSCORE group, while current group members can access it to retrieve updated keying material.</t>
          </li>
        </ul>
        <t>Readers are also expected to be familiar with the terms and concepts used in <xref target="I-D.ietf-ace-oscore-gm-admin"/>, with particular reference to "Administrator", "group name", "group-collection resource", and "group-configuration resource".</t>
        <t>Like in <xref target="I-D.ietf-ace-oscore-gm-admin"/>, this document uses /manage as the url-path of the group-collection resource at the Group Manager when providing examples; implementations can use a different url-path. Building on that, this document uses /manage/GROUPNAME as the url-path of a group-configuration resource; implementations are not required to use this name and can define their own instead.</t>
        <t>Note that the term "endpoint" is used here following its OAuth definition <xref target="RFC6749"/>, aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at the RS.  The CoAP definition, which is "[a]n entity participating in the CoAP protocol" <xref target="RFC7252"/>, is not used in this document.</t>
      </section>
      <section anchor="notation-coral-examples">
        <name>Notation and Assumptions in Examples</name>
        <t>As per <xref section="2.4" sectionFormat="of" target="I-D.ietf-core-coral"/>, CoRAL expresses Uniform Resource Identifiers (URIs) <xref target="RFC3986"/> as Constrained Resource Identifier (CRI) references <xref target="I-D.ietf-core-href"/>.</t>
        <t>Examples in this document use the following notation.</t>
        <t>When using the CURIE syntax <xref target="CURIE-20101216"/>, the following applies.</t>
        <ul spacing="normal">
          <li>
            <t>'core.osc.gcoll' stands for http://coreapps.org/core.osc.gcoll</t>
          </li>
          <li>
            <t>'core.osc.gconf' stands for http://coreapps.org/core.osc.gconf</t>
          </li>
          <li>
            <t>'linkformat' stands for http://www.iana.org/assignments/linkformat/  </t>
            <t>
This URI is to be defined with IANA, together with other URIs that build on it through further path segments, e.g., http://www.iana.org/assignments/linkformat/rt</t>
          </li>
        </ul>
        <t>When using a URI http://www.iana.org/assignments/linkformat/SEG1/SEG2</t>
        <ul spacing="normal">
          <li>
            <t>The path segment SEG1 is the name of a web link target attribute.  </t>
            <t>
Names of target attributes used in Link Format <xref target="RFC6690"/> are expected to be coordinated through the "Target Attributes" registry <xref target="IANA.Target.Attributes"/>.</t>
          </li>
          <li>
            <t>The path segment SEG2 is the value of the target attribute.</t>
          </li>
        </ul>
        <t>The application-extension identifier "cri" defined in <xref section="3.6" sectionFormat="of" target="I-D.ietf-cbor-edn-literals"/> is used to notate a Concise Diagnostic Notation (CDN) literal for a CRI or CRI reference. This format is not expected to be sent over the network.</t>
        <t>Packed CBOR <xref target="I-D.ietf-cbor-packed"/> is also used, thus reducing representation size. Examples in this document especially refer to the values from the two shared item tables in <xref target="sec-packed-cbor-tables"/>.</t>
        <t>Finally, examples in this document consider a Group Manager with address [2001:db8::ab] and use the CoAP Content-Format ID 65087 for the media type "application/coral+cbor".</t>
      </section>
    </section>
    <section anchor="overview">
      <name>Group Administration</name>
      <t>The group administration is enforced as defined in <xref section="2" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>.</t>
      <section anchor="managing-groups">
        <name>Managing OSCORE Groups</name>
        <t>This document uses the same resource model defined in <xref section="2.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, which is based on a group-collection resource and multiple group-configuration resources.</t>
        <t>When accessing such resources, the Administrator relies on the same interface defined in <xref section="6" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, for which differences that apply when using CoRAL are compiled in <xref target="interactions"/> of this document.</t>
      </section>
      <section anchor="collection-representation">
        <name>Collection Representation</name>
        <t>A collection of group configurations is represented as a CoRAL document containing the list of corresponding group-configuration resources.</t>
        <t>Each group configuration is represented as a top-level link element, with the URI of the group-configuration resource as link target and with http://coreapps.org/core.osc.gcoll#item as relation type.</t>
      </section>
      <section anchor="discovery">
        <name>Discovery</name>
        <t>The Administrator can discover the group-collection resource from a Resource Directory (see, for instance, <xref target="I-D.hartke-t2trg-coral-reef"/>) or from /.well-known/core, by using the resource type "core.osc.gcoll" registered in <xref section="11.3" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>.</t>
        <t>The Administrator can discover group-configuration resources for the group-collection resource as specified in <xref target="collection-resource-get"/> and <xref target="collection-resource-fetch"/> of this document.</t>
      </section>
    </section>
    <section anchor="scope-format">
      <name>Format of Scope</name>
      <t>In order to express authorization information for the Administrator (see <xref target="getting-access"/>), the same format and encoding of scope defined in <xref section="3" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> is used, as relying on the Authorization Information Format (AIF) <xref target="RFC9237"/> and the extended AIF data model AIF-OSCORE-GROUPCOMM originally defined in <xref section="3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>.</t>
    </section>
    <section anchor="getting-access">
      <name>Getting Access to the Group Manager</name>
      <t>All communications between the involved entities rely on CoAP and <bcp14>MUST</bcp14> be secured.</t>
      <t>In particular, communications between the Administrator and the Group Manager leverage protocol-specific transport profiles of ACE to achieve communication security, proof of possession, and server authentication. To this end, the AS may explicitly signal the specific transport profile to use, consistent with requirements and assumptions defined in the ACE framework <xref target="RFC9200"/>.</t>
      <t>With reference to the AS, communications between the Administrator and the AS (/token endpoint) as well as between the Group Manager and the AS (/introspect endpoint) can be secured by different means, for instance using DTLS <xref target="RFC9147"/> or OSCORE <xref target="RFC8613"/>. Further details on how the AS secures communications (with the Administrator and the Group Manager) depend on the transport profile of ACE used, and they are out of the scope of this document.</t>
      <t>The Administrator requests access to the Group Manager as per Steps 1-3 in <xref section="4" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>.</t>
      <t>The Administrator accesses the admin interface at the Group Manager as per Step 4 in <xref section="4" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, with the difference that administrative operations are not performed as defined in <xref section="6" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, but instead as defined in <xref target="interactions"/> of this document.</t>
      <section anchor="multiple-administrators-for-the-same-oscore-group">
        <name>Multiple Administrators for the Same OSCORE Group</name>
        <t>What is defined in <xref section="4.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> also holds for this document, with the following difference.</t>
        <t>The Administrator performs administrative operations at the Group Manager not as defined in <xref section="6" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, but instead as defined in <xref target="interactions"/> of this document.</t>
      </section>
    </section>
    <section anchor="group-configurations">
      <name>Group Configurations</name>
      <t>A group configuration consists of a set of parameters.</t>
      <section anchor="config-repr">
        <name>Group Configuration Representation</name>
        <t>The same group configuration representation defined in <xref section="5.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> is used, as including configuration parameters and status parameters.</t>
        <section anchor="config-repr-config-parameters">
          <name>Configuration Parameters</name>
          <t>The same configuration parameters defined in <xref section="5.1.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> are used.</t>
        </section>
        <section anchor="config-repr-status-parameters">
          <name>Status Parameters</name>
          <t>The same status parameters defined in <xref section="5.1.2" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> are used.</t>
        </section>
      </section>
      <section anchor="default-values">
        <name>Default Values</name>
        <t>The Group Manager refers to the same default values defined in <xref section="5.2" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>.</t>
      </section>
    </section>
    <section anchor="interactions">
      <name>Interactions with the Group Manager</name>
      <t>The same as defined in <xref section="6" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following differences.</t>
      <ul spacing="normal">
        <li>
          <t>The Content-Format in messages containing a payload is set to "application/coral+cbor", which is registered in <xref section="7.2" sectionFormat="of" target="I-D.ietf-core-coral"/>.</t>
        </li>
        <li>
          <t>The parameters 'sign_params', 'ecdh_params', 'app_groups', and 'group_policies' are referred to as "structured parameters".</t>
        </li>
        <li>
          <t>If a message payload specifies a link element corresponding to a structured parameter, then the following applies:  </t>
          <ul spacing="normal">
            <li>
              <t>The payload <bcp14>MUST NOT</bcp14> include any link element corresponding to an inner information element of that structured parameter.</t>
            </li>
            <li>
              <t>The link element <bcp14>MUST</bcp14> have the link target with value the CBOR simple value <tt>false</tt> (0xf4) for indicating the structured parameter with no elements.      </t>
              <t>
Editor's note: this should change to using an empty CBOR array or an empty CBOR map as appropriate, once this is made explicitly possible in the binary format of link items in CoRAL (see <xref section="3.1.4" sectionFormat="of" target="I-D.ietf-core-coral"/>).</t>
            </li>
          </ul>
        </li>
        <li>
          <t>If a message payload specifies an information element of a structured parameter from the group configuration, then that information element <bcp14>MUST</bcp14> be specified by means of the corresponding link element.</t>
        </li>
      </ul>
      <section anchor="collection-resource-get">
        <name>Retrieve a List of Group Configurations</name>
        <t>This operation <bcp14>MUST</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a GET request to the group-collection resource, in order to retrieve a list of the existing OSCORE groups at the Group Manager.</t>
        <t>The same as defined in <xref section="6.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.01 GET
   Uri-Path: "manage"

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [1, cri'coap://[2001:db8::ab]/manage'],
     [2, 6(17) / item 50 for core.osc.gcoll:#item /, cri'/gp1', [
       [2, simple(6) / item 6 for linkformat:rt /,
        6(-200) / item 415 for cri'http://www.iana.org/assignments
                                   /linkformat/rt/core.osc.gconf' /]]
     ],
     [2, 6(17) / item 50 for core.osc.gcoll:#item /, cri'/gp2', [
       [2, simple(6) / item 6 for linkformat:rt /,
        6(-200) / item 415 for cri'http://www.iana.org/assignments
                                   /linkformat/rt/core.osc.gconf' /]]
     ],
     [2, 6(17) / item 50 for core.osc.gcoll:#item /, cri'/gp3', [
       [2, simple(6) / item 6 for linkformat:rt /,
        6(-200) / item 415 for cri'http://www.iana.org/assignments
                                   /linkformat/rt/core.osc.gconf' /]]
     ]
   ]
]]></artwork>
      </section>
      <section anchor="collection-resource-fetch">
        <name>Retrieve a List of Group Configurations by Filters</name>
        <t>This operation <bcp14>MUST</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a FETCH request to the group-collection resource, in order to retrieve a list of the existing OSCORE groups that fully match a set of specified filter criteria.</t>
        <t>The same as defined in <xref section="6.2" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following differences.</t>
        <ul spacing="normal">
          <li>
            <t>The filter criteria are specified in the request payload with top-level link elements, each of which corresponds to an entry of the group configuration (see <xref target="config-repr"/>), with the exception of non-empty structured parameters.</t>
          </li>
          <li>
            <t>If names of application groups are used as filter criteria, each element of the 'app_groups' array from the status parameters is included as a separate link element with name 'app_group'.</t>
          </li>
          <li>
            <t>With the exception of the 'app_group' element, a valid request <bcp14>MUST NOT</bcp14> include the same element multiple times. Element values are the ones admitted for the corresponding labels in the POST request for creating a group configuration (see <xref target="collection-resource-post"/>).</t>
          </li>
        </ul>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.05 FETCH
   Uri-Path: "manage"
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(27) / item 70 for core.osc.gconf:#group_mode /, true],
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, 10],
     [2, 6(26) / item 68 for core.osc.gconf:#hkdf /, 5]
   ]

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
    [1, cri'coap://[2001:db8::ab]/manage'],
    [2, 6(17) / item 50 for core.osc.gcoll:#item /, cri'/gp1', [
      [2, simple(6) / item 6 for linkformat:rt /,
       6(-200) / item 415 for cri'http://www.iana.org/assignments
                                  /linkformat/rt/core.osc.gconf' /]]
    ],
    [2, 6(17) / item 50 for core.osc.gcoll:#item /, cri'/gp2', [
      [2, simple(6) / item 6 for linkformat:rt /,
       6(-200) / item 415 for cri'http://www.iana.org/assignments
                                  /linkformat/rt/core.osc.gconf' /]]
    ],
    [2, 6(17) / item 50 for core.osc.gcoll:#item /, cri'/gp3', [
      [2, simple(6) / item 6 for linkformat:rt /,
       6(-200) / item 415 for cri'http://www.iana.org/assignments
                                  /linkformat/rt/core.osc.gconf' /]]
    ]
   ]
]]></artwork>
      </section>
      <section anchor="collection-resource-post">
        <name>Create a New Group Configuration</name>
        <t>This operation <bcp14>MUST</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a POST request to the group-collection resource, in order to create a new OSCORE group at the Group Manager.</t>
        <t>The same as defined in <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following differences.</t>
        <ul spacing="normal">
          <li>
            <t>In the request payload, each link element corresponds to an entry of the group configuration (see <xref target="config-repr"/>), with the exception of non-empty structured parameters.</t>
          </li>
          <li>
            <t>In the request payload, each element of the 'app_groups' array from the status parameters is included as a separate element with name 'app_group'.</t>
          </li>
          <li>
            <t>The Group Manager <bcp14>MUST</bcp14> respond with a 4.00 (Bad Request) response if any link element is specified multiple times in the payload of the POST request, with the exception of the 'app_group' link element.</t>
          </li>
          <li>
            <t>The response payload includes one link element for each specified parameter, with the exception of non-empty structured parameters.</t>
          </li>
          <li>
            <t>In the response payload, each element of the 'app_groups' array from the status parameters is included as a separate element with name 'app_group'.</t>
          </li>
          <li>
            <t>If the Administrator performs the registration of the group-membership resource to a Resource Directory on behalf of the Group Manager, then the names of the application groups using the OSCORE group <bcp14>MUST</bcp14> take the values possibly specified by the different 'app_group' link elements in the POST request.</t>
          </li>
        </ul>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.02 POST
   Uri-Path: "manage"
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, 10],
     [2, 6(26) / item 68 for core.osc.gconf:#hkdf /, 5],
     [2, 6(-31) / item 77 for core.osc.gconf:#pairwise_mode /, true],
     [2, 6(-36) / item 87 for core.osc.gconf:#active /, true],
     [2, 6(36) / item 88 for core.osc.gconf:#group_name /, "gp4"],
     [2, 6(-37) / item 89 for core.osc.gconf:#group_description /,
      "rooms 1 and 2"],
     [2, 6(39) / item 94 for core.osc.gconf:#app_group /, "room 1"],
     [2, 6(39) / item 94 for core.osc.gconf:#app_group /, "room 2"],
     [2, 6(43) / item 102 for core.osc.gconf:#as_uri /,
      cri'coap://as.example.com/token']
   ]

<= 2.01 Created
   Location-Path: "manage"
   Location-Path: "gp4"
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(36) / item 88 for core.osc.gconf:#group_name /, "gp4"],
     [2, 6(-41) / item 97 for core.osc.gconf:#joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:#as_uri /,
      cri'coap://as.example.com/token']
   ]
]]></artwork>
      </section>
      <section anchor="configuration-resource-get">
        <name>Retrieve a Group Configuration</name>
        <t>This operation <bcp14>MUST</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a GET request to the group-configuration resource /manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to retrieve the complete current configuration of that group.</t>
        <t>The same as defined in <xref section="6.4" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following differences.</t>
        <ul spacing="normal">
          <li>
            <t>The response payload includes one link element for each entry of the group configuration (see <xref target="config-repr"/>), with the exception of non-empty status parameters.</t>
          </li>
          <li>
            <t>Each element of the 'app_groups' array from the status parameters is included as a separate link element with name 'app_group'.</t>
          </li>
        </ul>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.01 GET
   Uri-Path: "manage"
   Uri-Path: "gp4"

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(26) / item 68 for core.osc.gconf:#hkdf /, 5],
     [2, 6(-27) / item 69 for core.osc.gconf:#cred_fmt /, 33],
     [2, 6(27) / item 70 for core.osc.gconf:#group_mode /, true],
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, 10],
     [2, 6(28) / item 72 for core.osc.gconf:#sign_alg /, -8],
     [2, 6(29) / item 74 for
      core.osc.gconf:#sign_params.alg_capab.key_type /, 1],
     [2, 6(-30) / item 75 for
      core.osc.gconf:#sign_params.key_type_capab.key_type /, 1],
     [2, 6(30) / item 76 for
      core.osc.gconf:#sign_params.key_type_capab.curve /, 6],
     [2, 6(-31) / item 77 for core.osc.gconf:#pairwise_mode /, true],
     [2, 6(31) / item 78 for core.osc.gconf:#alg /, 10],
     [2, 6(-32) / item 79 for core.osc.gconf:#ecdh_alg /, -27],
     [2, 6(-33) / item 81 for
      core.osc.gconf:#ecdh_params.alg_capab.key_type /, 1],
     [2, 6(33) / item 82 for
      core.osc.gconf:#ecdh_params.key_type_capab.key_type /, 1],
     [2, 6(-34) / item 83 for
      core.osc.gconf:#ecdh_params.key_type_capab.curve /, 6],
     [2, 6(34) / item 84 for core.osc.gconf:#det_req /, false],
     [2, 6(35) / item 86 for core.osc.gconf:#rt /, "core.osc.gconf"],
     [2, 6(-36) / item 87 for core.osc.gconf:#active /, true],
     [2, 6(36) / item 88 for core.osc.gconf:#group_name /, "gp4"],
     [2, 6(-37) / item 89 for core.osc.gconf:#group_description /,
      "rooms 1 and 2"],
     [2, 6(37) / item 90 for core.osc.gconf:#ace_groupcomm_profile /,
      "coap_group_oscore_app"],
     [2, 6(-38) / item 91 for core.osc.gconf:#max_stale_sets /, 3],
     [2, 6(38) / item 92 for core.osc.gconf:#exp /, 1360289224],
     [2, 6(-39) / item 93 for core.osc.gconf:#gid_reuse /, false],
     [2, 6(39) / item 94 for core.osc.gconf:#app_group /, "room 1"],
     [2, 6(39) / item 94 for core.osc.gconf:#app_group /, "room 2"],
     [2, 6(-41) / item 97 for core.osc.gconf:#joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:#as_uri /,
      cri'coap://as.example.com/token']
   ]
]]></artwork>
      </section>
      <section anchor="configuration-resource-fetch">
        <name>Retrieve Part of a Group Configuration by Filters</name>
        <t>This operation <bcp14>MUST</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a FETCH request to the group-configuration resource /manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to retrieve part of the current configuration of that group.</t>
        <t>The same as defined in <xref section="6.5" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following differences.</t>
        <ul spacing="normal">
          <li>
            <t>The request payload includes one link element for each requested configuration parameter or status parameter of the current group configuration (see <xref target="config-repr"/>). All the specified link elements <bcp14>MUST</bcp14> have the link target with value the CBOR simple value <tt>null</tt> (0xf6).</t>
          </li>
          <li>
            <t>The request payload <bcp14>MUST NOT</bcp14> include any link element corresponding to an inner information element of a structured parameter.</t>
          </li>
          <li>
            <t>The response payload includes the requested configuration parameters and status parameters, and is formatted like the response payload of a GET request to a group-configuration resource (see <xref target="configuration-resource-get"/>).  </t>
            <t>
If the request payload specifies a parameter that is not included in the group configuration, then the response payload <bcp14>MUST NOT</bcp14> include a corresponding link element.</t>
          </li>
        </ul>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.05 FETCH
   Uri-Path: "manage"
   Uri-Path: "gp4"
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, null],
     [2, 6(26) / item 68 for core.osc.gconf:#hkdf /, null],
     [2, 6(-31) / item 77 for core.osc.gconf:#pairwise_mode /, null],
     [2, 6(-36) / item 87 for core.osc.gconf:#active /, null],
     [2, 6(-37) / item 89 for core.osc.gconf:#group_description /,
      null],
     [2, 6(41) / item 98 for core.osc.gconf:#app_groups /, null]
   ]

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, 10],
     [2, 6(26) / item 68 for core.osc.gconf:#hkdf /, 5],
     [2, 6(-31) / item 77 for core.osc.gconf:#pairwise_mode /, true],
     [2, 6(-36) / item 87 for core.osc.gconf:#active /, true],
     [2, 6(-37) / item 89 for core.osc.gconf:#group_description /,
      "rooms 1 and 2"],
     [2, 6(39) / item 94 for core.osc.gconf:#app_group /, "room 1"],
     [2, 6(39) / item 94 for core.osc.gconf:#app_group /, "room 2"]
   ]
]]></artwork>
      </section>
      <section anchor="configuration-resource-post">
        <name>Overwrite a Group Configuration</name>
        <t>This operation <bcp14>MAY</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a POST request to the group-configuration resource /manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to overwrite the current configuration of that group with a new one.</t>
        <t>The same as defined in <xref section="6.6" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following difference.</t>
        <ul spacing="normal">
          <li>
            <t>If the Administrator updates the registration of the group-membership resource in the Resource Directory on behalf of the Group Manager, then the names of the application groups using the OSCORE group <bcp14>MUST</bcp14> take the values possibly specified by the different 'app_group' link elements in the POST request.</t>
          </li>
        </ul>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.02 POST
   Uri-Path: "manage"
   Uri-Path: "gp4"
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, 11],
     [2, 6(26) / item 68 for core.osc.gconf:#hkdf /, 5]
   ]

<= 2.04 Changed
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(36) / item 88 for core.osc.gconf:#group_name /, "gp4"],
     [2, 6(-41) / item 97 for core.osc.gconf:#joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:#as_uri /,
      cri'coap://as.example.com/token']
   ]
]]></artwork>
        <section anchor="sssec-effects-overwrite-joining-nodes">
          <name>Effects on Joining Nodes</name>
          <t>The same as defined in <xref section="6.6.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        </section>
        <section anchor="sssec-effects-overwrite-group-members">
          <name>Effects on the Group Members</name>
          <t>The same as defined in <xref section="6.6.2" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        </section>
      </section>
      <section anchor="configuration-resource-patch">
        <name>Selective Update of a Group Configuration</name>
        <t>This operation <bcp14>MAY</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a PATCH/iPATCH request <xref target="RFC8132"/> to the group-configuration resource /manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to update the value of only part of the group configuration.</t>
        <t>The same as defined in <xref section="6.7" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds, with the following differences.</t>
        <ul spacing="normal">
          <li>
            <t>If the request payload specifies names of application groups to be removed from or added to the 'app_groups' status parameter, then such names are specified by means of the following top-level link elements.  </t>
            <ul spacing="normal">
              <li>
                <t>'app_group_del', with value a text string specifying the name of an application group to remove from the 'app_groups' status parameter. This link element can be included multiple times.</t>
              </li>
              <li>
                <t>'app_group_add', with value a text string specifying the name of an application group to add to the 'app_groups' status parameter. This link element can be included multiple times.</t>
              </li>
            </ul>
            <t>
The Group Manager <bcp14>MUST</bcp14> respond with a 4.00 (Bad Request) response, if the request payload includes any 'app_group' link element together with any 'app_group_del' and/or 'app_group_add' link element.</t>
          </li>
          <li>
            <t>The Group Manager <bcp14>MUST</bcp14> respond with a 4.00 (Bad Request) response, if the request payload includes no link elements.</t>
          </li>
          <li>
            <t>When the request uses specifically the iPATCH method, the Group Manager <bcp14>MUST</bcp14> respond with a 4.00 (Bad Request) response, if any link element 'app_group_del' and/or 'app_group_add' is included.</t>
          </li>
          <li>
            <t>When updating the 'app_groups' status parameter by difference, the Group Manager:  </t>
            <ul spacing="normal">
              <li>
                <t>Deletes from the 'app_groups' status parameter the names of the application groups specified in the different 'app_group_del' link elements.</t>
              </li>
              <li>
                <t>Adds to the 'app_groups' status parameter the names of the application groups specified in the different 'app_group_add' link elements.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>An example of message exchange is shown below.</t>
        <artwork><![CDATA[
=> 0.06 PATCH
   Uri-Path: "manage"
   Uri-Path: "gp4"
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:#gp_enc_alg /, 10],
     [2, 6(-40) / item 95 for core.osc.gconf:#app_group_del /,
      "room1"],
     [2, 6(40) / item 96 for core.osc.gconf:#app_group_add /, "room3"],
     [2, 6(40) / item 96 for core.osc.gconf:#app_group_add /, "room4"]
   ]

<= 2.04 Changed
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(36) / item 88 for core.osc.gconf:#group_name /, "gp4"],
     [2, 6(-41) / item 97 for core.osc.gconf:#joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:#as_uri /,
      cri'coap://as.example.com/token']
   ]
]]></artwork>
        <section anchor="effects-on-joining-nodes">
          <name>Effects on Joining Nodes</name>
          <t>The same as defined in <xref section="6.7.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        </section>
        <section anchor="effects-on-the-group-members">
          <name>Effects on the Group Members</name>
          <t>The same as defined in <xref section="6.7.2" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        </section>
      </section>
      <section anchor="configuration-resource-delete">
        <name>Delete a Group Configuration</name>
        <t>This operation <bcp14>MUST</bcp14> be supported by the Group Manager.</t>
        <t>The Administrator can send a DELETE request to the group-configuration resource /manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to delete that OSCORE group.</t>
        <t>The same as defined in <xref section="6.8" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        <section anchor="effects-on-the-group-members-1">
          <name>Effects on the Group Members</name>
          <t>The same as defined in <xref section="6.8.1" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> holds.</t>
        </section>
      </section>
    </section>
    <section anchor="support-of-top-level-link-elements">
      <name>Support of Top-Level Link Elements</name>
      <t>Consistent with <xref section="7" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, the following holds for the Group Manager.</t>
      <ul spacing="normal">
        <li>
          <t>It <bcp14>MUST</bcp14> support the top-level link elements 'ace_groupcomm_profile', 'exp', and 'group_policies' corresponding to the ACE Groupcomm Parameters defined in <xref section="8" sectionFormat="of" target="RFC9594"/>.  </t>
          <t>
This is consistent with what is defined in <xref section="8" sectionFormat="of" target="RFC9594"/> for the Key Distribution Center (KDC), of which the Group Manager defined in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> is a specific instance.</t>
        </li>
        <li>
          <t>It <bcp14>MUST</bcp14> support the top-level link elements corresponding to all the parameters listed in <xref section="7" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, with the exception of 'app_groups_diff' that <bcp14>MUST</bcp14> be supported only if the Group Manager supports the selective update of a group configuration (see <xref target="configuration-resource-patch"/>).</t>
        </li>
      </ul>
      <t>The following holds for an Administrator.</t>
      <ul spacing="normal">
        <li>
          <t>It <bcp14>MUST</bcp14> support the top-level link elements 'ace_groupcomm_profile', 'exp', and 'group_policies' corresponding to the ACE Groupcomm Parameters defined in <xref section="8" sectionFormat="of" target="RFC9594"/>.</t>
        </li>
        <li>
          <t>It <bcp14>MUST</bcp14> support the top-level link elements corresponding to all the parameters listed in <xref section="7" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>, with the following exceptions.  </t>
          <ul spacing="normal">
            <li>
              <t>'conf_filter', which <bcp14>MUST</bcp14> be supported only if the Administrator supports the partial retrieval of a group configuration by filters (see <xref target="configuration-resource-fetch"/>).</t>
            </li>
            <li>
              <t>'app_groups_diff', which <bcp14>MUST</bcp14> be supported only if the Administrator supports the selective update of a group configuration (see <xref target="configuration-resource-patch"/>).</t>
            </li>
          </ul>
        </li>
      </ul>
    </section>
    <section anchor="error-identifiers">
      <name>Error Identifiers</name>
      <t>If the Group Manager sends an error response with Content-Format "application/concise-problem-details+cbor" <xref target="RFC9290"/> as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>, then the 'error-id' field within the Custom Problem Detail entry 'ace-groupcomm-error' takes value from those defined in <xref section="9" sectionFormat="of" target="RFC9594"/> and in <xref section="8" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/>.</t>
      <t>The same guidelines in <xref section="8" sectionFormat="of" target="I-D.ietf-ace-oscore-gm-admin"/> for the Administrator to handle such error identifiers hold.</t>
    </section>
    <section anchor="sec-security-considerations">
      <name>Security Considerations</name>
      <t>Security considerations are inherited from the ACE framework for Authentication and Authorization <xref target="RFC9200"/> and from the transport profile of ACE specifically used between the Administrator and the Group Manager, such as <xref target="RFC9202"/> or <xref target="RFC9203"/>.</t>
      <t>The same security considerations from <xref target="RFC9594"/> and <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> also apply, with particular reference to the process of rekeying OSCORE groups.</t>
      <t>The same security considerations from <xref target="I-D.ietf-ace-oscore-gm-admin"/> also apply, as well as the security considerations for CoRAL <xref target="I-D.ietf-core-coral"/> and Packed CBOR <xref target="I-D.ietf-cbor-packed"/>.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has no actions for IANA.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.ietf-core-oscore-groupcomm">
          <front>
            <title>Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="23" month="December" year="2025"/>
            <abstract>
              <t>   This document defines the security protocol Group Object Security for
   Constrained RESTful Environments (Group OSCORE), providing end-to-end
   security of messages exchanged with the Constrained Application
   Protocol (CoAP) between members of a group, e.g., sent over IP
   multicast.  In particular, the described protocol defines how OSCORE
   is used in a group communication setting to provide source
   authentication for CoAP group requests, sent by a client to multiple
   servers, and for protection of the corresponding CoAP responses.
   Group OSCORE also defines a pairwise mode where each member of the
   group can efficiently derive a symmetric pairwise key with each other
   member of the group for pairwise OSCORE communication.  Group OSCORE
   can be used between endpoints communicating with CoAP or CoAP-
   mappable HTTP.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupcomm-28"/>
        </reference>
        <reference anchor="I-D.ietf-ace-key-groupcomm-oscore">
          <front>
            <title>Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="14" month="March" year="2026"/>
            <abstract>
              <t>   This document defines an application profile of the Authentication
   and Authorization for Constrained Environments (ACE) framework, to
   request and provision keying material in group communication
   scenarios that are based on the Constrained Application Protocol
   (CoAP) and are secured with Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  This application profile
   delegates the authentication and authorization of Clients, which join
   an OSCORE group through a Resource Server acting as Group Manager for
   that group.  This application profile leverages protocol-specific
   transport profiles of ACE to achieve communication security, server
   authentication, and proof of possession of a key owned by the Client
   and bound to an OAuth 2.0 access token.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-key-groupcomm-oscore-21"/>
        </reference>
        <reference anchor="I-D.ietf-ace-oscore-gm-admin">
          <front>
            <title>Admin Interface for the OSCORE Group Manager</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
         </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="26" month="March" year="2026"/>
            <abstract>
              <t>   Group communication for the Constrained Application Protocol (CoAP)
   can be secured using Group Object Security for Constrained RESTful
   Environments (Group OSCORE).  A Group Manager is responsible for
   handling the joining of new group members, as well as for managing
   and distributing the group keying material.  This document defines a
   RESTful admin interface at the Group Manager that allows an
   Administrator entity to create and delete OSCORE groups, as well as
   to retrieve and update their configuration.  The Authentication and
   Authorization for Constrained Environments (ACE) framework is used to
   enforce authentication and authorization of the Administrator at the
   Group Manager.  Protocol-specific transport profiles of ACE are used
   to achieve communication security, proof of possession, and server
   authentication.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oscore-gm-admin-17"/>
        </reference>
        <reference anchor="I-D.ietf-core-coral">
          <front>
            <title>The Constrained RESTful Application Language (CoRAL)</title>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>ARM</organization>
            </author>
            <date day="4" month="March" year="2024"/>
            <abstract>
              <t>   The Constrained RESTful Application Language (CoRAL) defines a data
   model and interaction model as well as a compact serialization
   formats for the description of typed connections between resources on
   the Web ("links"), possible operations on such resources ("forms"),
   and simple resource metadata.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-coral-06"/>
        </reference>
        <reference anchor="I-D.ietf-core-groupcomm-bis">
          <front>
            <title>Group Communication for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="10" month="February" year="2026"/>
            <abstract>
              <t>   The Constrained Application Protocol (CoAP) is a web transfer
   protocol for constrained devices and constrained networks.  In a
   number of use cases, constrained devices often naturally operate in
   groups (e.g., in a building automation scenario, all lights in a
   given room may need to be switched on/off as a group).  This document
   specifies the use of CoAP for group communication, including the use
   of UDP/IP multicast as the default underlying data transport.  Both
   unsecured and secured CoAP group communication are specified.
   Security is achieved by use of the Group Object Security for
   Constrained RESTful Environments (Group OSCORE) protocol.  The target
   application area of this specification is any group communication use
   cases that involve resource-constrained devices or networks that
   support CoAP.  This document replaces and obsoletes RFC 7390, while
   it updates RFC 7252 and RFC 7641.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-groupcomm-bis-18"/>
        </reference>
        <reference anchor="I-D.ietf-cbor-packed">
          <front>
            <title>Packed CBOR</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <author fullname="Mikolai Gütschow" initials="M." surname="Gütschow">
              <organization>TUD Dresden University of Technology</organization>
            </author>
            <date day="2" month="February" year="2026"/>
            <abstract>
              <t>   The Concise Binary Object Representation (CBOR, RFC 8949 == STD 94)
   is a data format whose design goals include the possibility of
   extremely small code size, fairly small message size, and
   extensibility without the need for version negotiation.

   CBOR does not provide any forms of data compression.  CBOR data
   items, in particular when generated from legacy data models, often
   allow considerable gains in compactness when applying data
   compression.  While traditional data compression techniques such as
   DEFLATE (RFC 1951) can work well for CBOR encoded data items, their
   disadvantage is that the recipient needs to decompress the compressed
   form before it can make use of the data.

   This specification describes Packed CBOR, a set of CBOR tags and
   simple values that enable a simple transformation of an original CBOR
   data item into a Packed CBOR data item that is almost as easy to
   consume as the original CBOR data item.  A separate decompression
   step is therefore often not required at the recipient.


   // (This cref will be removed by the RFC editor:) The present
   // revision -19 is a work-in-progress release in preparation for
   // another cbor-packed side meeting.  This revision resolves the use
   // of the tunables A/B/C by setting A=16, B=8, and C=8, and choosing
   // requested simple values and tag numbers, in preparation for
   // continuing the early allocation process.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cbor-packed-19"/>
        </reference>
        <reference anchor="I-D.ietf-core-href">
          <front>
            <title>Constrained Resource Identifiers</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="21" month="November" year="2025"/>
            <abstract>
              <t>   The Constrained Resource Identifier (CRI) is a complement to the
   Uniform Resource Identifier (URI) that represents the URI components
   in Concise Binary Object Representation (CBOR) rather than as a
   sequence of characters.  This approach simplifies parsing,
   comparison, and reference resolution in environments with severe
   limitations on processing power, code size, and memory size.

   This RFC updates RFC 7595 by adding a column on the "URI Schemes"
   registry.


   // (This "cref" paragraph will be removed by the RFC editor:) After
   // approval of -28 and nit fixes in -29, the present revision -30
   // contains two more small fixes for nits that were uncovered in the
   // RPC intake process.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-href-30"/>
        </reference>
        <reference anchor="I-D.ietf-cbor-edn-literals">
          <front>
            <title>Concise Diagnostic Notation (CDN)</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <date day="15" month="June" year="2026"/>
            <abstract>
              <t>   This document formalizes and consolidates the definition of the
   Concise Diagnostic Notation (CDN) of the Concise Binary Object
   Representation (CBOR), addressing implementer experience.

   Replacing CDN's previous informal descriptions, it updates RFC 8949,
   obsoleting its Section 8, and RFC 8610, obsoleting its Appendix G.

   It also specifies registry-based extension points and uses them to
   support text representations such as of epoch-based dates/times and
   of IP addresses and prefixes.


   // (This cref will be removed by the RFC editor:) -26 is intended to
   // address the May/June 2026 Working Group Last Call comments on -25
   // and the ensuing WG discussions.  Specifically, this update: • is
   // going further with the idea to entirely replace the non- backwards
   // compatible update considered for the RFC 8610/G.4 concatenation by
   // two new application extensions (temporarily named b1/t1), and to
   // add related application-oriented extensions that deprecate the
   // original streamstring syntax. • includes the float'' application-
   // extension so that the entire CBOR format can be covered. • now
   // uses rules closer to those of markdown for handling data
   // transparency in raw strings, simplifying their implementation. •
   // adds security considerations. • proactively reserves the
   // application-extension identifier "pragma" for potential future
   // standardization. • This update does not address certain comments
   // that propose some editorial restructuring requiring moving text
   // around; this is best done in a next revision after the technical
   // comments are addressed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cbor-edn-literals-26"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC6690">
          <front>
            <title>Constrained RESTful Environments (CoRE) Link Format</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <date month="August" year="2012"/>
            <abstract>
              <t>This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6690"/>
          <seriesInfo name="DOI" value="10.17487/RFC6690"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC8132">
          <front>
            <title>PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)</title>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="A. Sehgal" initials="A." surname="Sehgal"/>
            <date month="April" year="2017"/>
            <abstract>
              <t>The methods defined in RFC 7252 for the Constrained Application Protocol (CoAP) only allow access to a complete resource, not to parts of a resource. In case of resources with larger or complex data, or in situations where resource continuity is required, replacing or requesting the whole resource is undesirable. Several applications using CoAP need to access parts of the resources.</t>
              <t>This specification defines the new CoAP methods, FETCH, PATCH, and iPATCH, which are used to access and update parts of a resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8132"/>
          <seriesInfo name="DOI" value="10.17487/RFC8132"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9053">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
              <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9053"/>
          <seriesInfo name="DOI" value="10.17487/RFC9053"/>
        </reference>
        <reference anchor="RFC9200">
          <front>
            <title>Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9200"/>
          <seriesInfo name="DOI" value="10.17487/RFC9200"/>
        </reference>
        <reference anchor="RFC9202">
          <front>
            <title>Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="S. Gerdes" initials="S." surname="Gerdes"/>
            <author fullname="O. Bergmann" initials="O." surname="Bergmann"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a profile of the Authentication and Authorization for Constrained Environments (ACE) framework that allows constrained servers to delegate client authentication and authorization. The protocol relies on DTLS version 1.2 or later for communication security between entities in a constrained network using either raw public keys or pre-shared keys. A resource-constrained server can use this protocol to delegate management of authorization information to a trusted host with less-severe limitations regarding processing power and memory.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9202"/>
          <seriesInfo name="DOI" value="10.17487/RFC9202"/>
        </reference>
        <reference anchor="RFC9203">
          <front>
            <title>The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="M. Gunnarsson" initials="M." surname="Gunnarsson"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Object Security for Constrained RESTful Environments (OSCORE) to provide communication security and proof-of-possession for a key owned by the client and bound to an OAuth 2.0 access token.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9203"/>
          <seriesInfo name="DOI" value="10.17487/RFC9203"/>
        </reference>
        <reference anchor="RFC9237">
          <front>
            <title>An Authorization Information Format (AIF) for Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Information about which entities are authorized to perform what operations on which constituents of other entities is a crucial component of producing an overall system that is secure. Conveying precise authorization information is especially critical in highly automated systems with large numbers of entities, such as the Internet of Things.</t>
              <t>This specification provides a generic information model and format for representing such authorization information, as well as two variants of a specific instantiation of that format for use with Representational State Transfer (REST) resources identified by URI path.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9237"/>
          <seriesInfo name="DOI" value="10.17487/RFC9237"/>
        </reference>
        <reference anchor="RFC9290">
          <front>
            <title>Concise Problem Details for Constrained Application Protocol (CoAP) APIs</title>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="October" year="2022"/>
            <abstract>
              <t>This document defines a concise "problem detail" as a way to carry machine-readable details of errors in a Representational State Transfer (REST) response to avoid the need to define new error response formats for REST APIs for constrained environments. The format is inspired by, but intended to be more concise than, the problem details for HTTP APIs defined in RFC 7807.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9290"/>
          <seriesInfo name="DOI" value="10.17487/RFC9290"/>
        </reference>
        <reference anchor="RFC9594">
          <front>
            <title>Key Provisioning for Group Communication Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <date month="September" year="2024"/>
            <abstract>
              <t>This document defines how to use the Authentication and Authorization for Constrained Environments (ACE) framework to distribute keying material and configuration parameters for secure group communication. Candidate group members that act as Clients and are authorized to join a group can do so by interacting with a Key Distribution Center (KDC) acting as the Resource Server, from which they obtain the keying material to communicate with other group members. While defining general message formats as well as the interface and operations available at the KDC, this document supports different approaches and protocols for secure group communication. Therefore, details are delegated to separate application profiles of this document as specialized instances that target a particular group communication approach and define how communications in the group are protected. Compliance requirements for such application profiles are also specified.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9594"/>
          <seriesInfo name="DOI" value="10.17487/RFC9594"/>
        </reference>
        <reference anchor="CURIE-20101216" target="http://www.w3.org/TR/2010/NOTE-curie-20101216">
          <front>
            <title>CURIE Syntax 1.0 - A syntax for expressing Compact URIs - W3C Working Group Note</title>
            <author initials="M." surname="Birbeck" fullname="Mark Birbeck">
              <organization/>
            </author>
            <author initials="S." surname="McCarron" fullname="Shane McCarron">
              <organization/>
            </author>
            <date year="2010" month="December" day="16"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.hartke-t2trg-coral-reef">
          <front>
            <title>Resource Discovery in Constrained RESTful Environments (CoRE) using the Constrained RESTful Application Language (CoRAL)</title>
            <author fullname="Klaus Hartke" initials="K." surname="Hartke">
              <organization>Ericsson</organization>
            </author>
            <date day="9" month="May" year="2020"/>
            <abstract>
              <t>   This document explores how the Constrained RESTful Application
   Language (CoRAL) might be used for two use cases in Constrained
   RESTful Environments (CoRE): CoRE Resource Discovery, which allows a
   client to discover the resources of a server given a host name or IP
   address, and CoRE Resource Directory, which provides a directory of
   resources on many servers.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-hartke-t2trg-coral-reef-04"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC8392">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="IANA.Target.Attributes" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#target-attributes">
          <front>
            <title>Target Attributes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
      </references>
    </references>
    <?line 707?>

<section anchor="sec-packed-cbor-tables">
      <name>Shared Item Tables for Packed CBOR</name>
      <t>This appendix defines the two shared item tables that the examples in this document refer to for using Packed CBOR <xref target="I-D.ietf-cbor-packed"/>.</t>
      <t>The application-extension identifier "cri" defined in <xref section="3.6" sectionFormat="of" target="I-D.ietf-cbor-edn-literals"/> is used to notate a Concise Diagnostic Notation (CDN) literal for a CRI.</t>
      <section anchor="compacting-coral-predicates-with-packed-cbor">
        <name>Compacting CoRAL Predicates with Packed CBOR</name>
        <t>The following shared item table is used for compacting CoRAL predicates, as per <xref section="2.2" sectionFormat="of" target="I-D.ietf-cbor-packed"/>.</t>
        <table align="center" anchor="_table-packed-cbor-table-1">
          <name>Shared Item Table for Compacting CoRAL Predicates.</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">6</td>
              <td align="left">cri'http://www.iana.org/assignments/linkformat/rt'</td>
            </tr>
            <tr>
              <td align="left">50</td>
              <td align="left">cri'http://coreapps.org/core.osc.gcoll#item'</td>
            </tr>
            <tr>
              <td align="left">68</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#hkdf'</td>
            </tr>
            <tr>
              <td align="left">69</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#cred_fmt'</td>
            </tr>
            <tr>
              <td align="left">70</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#group_mode'</td>
            </tr>
            <tr>
              <td align="left">71</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#gp_enc_alg'</td>
            </tr>
            <tr>
              <td align="left">72</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#sign_alg'</td>
            </tr>
            <tr>
              <td align="left">73</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#sign_params'</td>
            </tr>
            <tr>
              <td align="left">74</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#sign_params <br/>       .alg_capab.key_type'</td>
            </tr>
            <tr>
              <td align="left">75</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#sign_params <br/>       .key_type_capab.key_type'</td>
            </tr>
            <tr>
              <td align="left">76</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#sign_params <br/>       .key_type_capab.curve'</td>
            </tr>
            <tr>
              <td align="left">77</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#pairwise_mode'</td>
            </tr>
            <tr>
              <td align="left">78</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#alg'</td>
            </tr>
            <tr>
              <td align="left">79</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#ecdh_alg'</td>
            </tr>
            <tr>
              <td align="left">80</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#ecdh_params'</td>
            </tr>
            <tr>
              <td align="left">81</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#ecdh_params <br/>       .alg_capab.key_type'</td>
            </tr>
            <tr>
              <td align="left">82</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#ecdh_params <br/>       .key_type_capab.key_type'</td>
            </tr>
            <tr>
              <td align="left">83</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#ecdh_params <br/>       .key_type_capab.curve'</td>
            </tr>
            <tr>
              <td align="left">84</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#det_req'</td>
            </tr>
            <tr>
              <td align="left">85</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#det_hash_alg'</td>
            </tr>
            <tr>
              <td align="left">86</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#rt'</td>
            </tr>
            <tr>
              <td align="left">87</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#active'</td>
            </tr>
            <tr>
              <td align="left">88</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#group_name'</td>
            </tr>
            <tr>
              <td align="left">89</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#group_description'</td>
            </tr>
            <tr>
              <td align="left">90</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf <br/>       #ace_groupcomm_profile'</td>
            </tr>
            <tr>
              <td align="left">91</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#max_stale_sets'</td>
            </tr>
            <tr>
              <td align="left">92</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#exp'</td>
            </tr>
            <tr>
              <td align="left">93</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#gid_reuse'</td>
            </tr>
            <tr>
              <td align="left">94</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#app_group'</td>
            </tr>
            <tr>
              <td align="left">95</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#app_group_del'</td>
            </tr>
            <tr>
              <td align="left">96</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#app_group_add'</td>
            </tr>
            <tr>
              <td align="left">97</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#joining_uri'</td>
            </tr>
            <tr>
              <td align="left">98</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#app_groups'</td>
            </tr>
            <tr>
              <td align="left">99</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#group_policies'</td>
            </tr>
            <tr>
              <td align="left">100</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#group_policies <br/>       .key_update_check_interval'</td>
            </tr>
            <tr>
              <td align="left">101</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#group_policies <br/>       .exp_delta'</td>
            </tr>
            <tr>
              <td align="left">102</td>
              <td align="left">cri'http://coreapps.org/core.osc.gconf#as_uri'</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="compacting-values-of-the-rt-target-attribute-with-packed-cbor">
        <name>Compacting Values of the rt= Target Attribute with Packed CBOR</name>
        <t>The following shared item table is used for compacting values of the rt= target attribute, as per <xref section="2.2" sectionFormat="of" target="I-D.ietf-cbor-packed"/>.</t>
        <table align="center" anchor="_table-packed-cbor-table-2">
          <name>Shared Item Table for Compacting Values of the rt= Target Attribute.</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">415</td>
              <td align="left">cri'http://www.iana.org/assignments/linkformat/rt <br/>       /core.osc.gconf'</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="sec-document-updates" removeInRFC="true">
      <name>Document Updates</name>
      <section anchor="sec-05-06">
        <name>Version -05 to -06</name>
        <ul spacing="normal">
          <li>
            <t>Removed unnecessary normative language, aligned with draft-ietf-ace-oscore-gm-admin.</t>
          </li>
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Editorial fixes and improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-04-05">
        <name>Version -04 to -05</name>
        <ul spacing="normal">
          <li>
            <t>Use "compacting" instead of "compressing" when referring to Packed CBOR.</t>
          </li>
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Editorial fixes and improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-03-04">
        <name>Version -03 to -04</name>
        <ul spacing="normal">
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Editorial improvements and fixes.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-02-03">
        <name>Version -02 to -03</name>
        <ul spacing="normal">
          <li>
            <t>Uri-Path and Location-Path as text strings in examples.</t>
          </li>
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Editorial fixes.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-01-02">
        <name>Version -01 to -02</name>
        <ul spacing="normal">
          <li>
            <t>Avoid quotation marks for CBOR simple values.</t>
          </li>
          <li>
            <t>Fixed use of 'linkformat' in the CURIE syntax.</t>
          </li>
          <li>
            <t>Fixed use of CURIEs that result in a URI with the fragment component.</t>
          </li>
          <li>
            <t>Renamed 'group_title' as 'group_description'.</t>
          </li>
          <li>
            <t>Status/Configuration "properties" renamed as "parameters".</t>
          </li>
          <li>
            <t>POST (instead of PUT) for overwriting a group-configuration resource.</t>
          </li>
          <li>
            <t>Remove reference to the abandoned, custom format for error messages.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00-01">
        <name>Version -00 to -01</name>
        <ul spacing="normal">
          <li>
            <t>Updated reference and introductory text for the CBOR EDN application-extension identifier "cri".</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00">
        <name>Version -00</name>
        <ul spacing="normal">
          <li>
            <t>CoRAL content taken out from draft-ietf-ace-oscore-gm-admin-08.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgment">
      <name>Acknowledgments</name>
      <t>Most of the content in this document was originally specified in draft-ietf-ace-oscore-gm-admin, which is co-authored also by Peter van der Stok and Francesca Palombini, and where Klaus Hartke contributed in the initial definition of the resource model and interactions using CoRAL.</t>
      <t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <contact fullname="Carsten Bormann"/>, and <contact fullname="Jim Schaad"/> for their comments and feedback.</t>
      <t>This work was supported by the Sweden's Innovation Agency VINNOVA within the EUREKA CELTIC-NEXT projects CRITISEC and CYPRESS; and by the H2020 project SIFIS-Home (Grant agreement 952652).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1963bjOJLmfz0FVnnO2u4VZV18766eVcnKKk9lOr2Ws6v7
VNfx0CIksS2RGpLypbO9zzJPMb/2186LbVwAELxIlpxyZnVt5alTligSDAQC
EV9cADiOU7k7Ee1KJfGTiTwRH2M/GIlkLEU3DOIkcv1AeuKy178azieiM5tN
/IGb+GEg3rnBaO6OpNjuhpeddzvi3k/G9GTHm/qBOAsSGQ3dgRTDMKLrH/rd
D5c98V0UzmfivRvAw1HFvbmJJJBAjTz76PuKFw4CdwqUepE7TBxfJkMH7nTC
eBBG0hlNHRfbcOCbO3EmbiLjpFLxZ9GJSKJ5nLQajeNGq+JG0j0RfTmYR37y
WLkfnYhOtyd+DKNbZADRWLm9P2FaApk4p/i+CnT+RMSJV4nnN1M/joETyeMM
yDnrXb2tVAahB4+fiDlQdVSpuPNkHEYnFUH/HPVXCD+IT8T7urjyJ+HANZe5
Y+/daBDmfwojaPXyrN8TnW/NRRgfKYGes9gd/i2MvHjkJm4gWi1zxwA6dyJ+
8OMkbQpohLf0e07zYE/sNazr8yCJ4Pb+vfRkYK7LqetPTsQUyaonRNb/jPx6
LMu7dVkX3//Xf44m88DLdezSv3Ujr/jr1+9bRJTVxyERpnpXCcJoCrJ+J3EA
z5zTOgkbiZmWNhSTQTidZu5AcbyVj+mv6vbCTTmZLb6GhLh4OW34xo+zP9+E
kTNzB7fSKz42juSweLf0Amfig5C7E2rr8m23fXx0oD4eHBw39MfDvWP18bC1
31Ifj5pt8/Gg2Ug/tvXHY/PYccM8Bh/1DccwJdOPrfRjekP70Hw05BzvH+/h
x+7Hy7Oe02o0G81W84Dn2nPz7ls/upGD2+LEu839lHu0XxfvB103isIg92x/
7AYy+6PSqESf6D8GifsgmvWGcERHxPwV1Zt8mEUyJrXbDacwdomAJ2K47cd2
N6uQxHmY8KzzQK+dCOy002yBsPML3WiEU2acJLOT3d37+/v6fbsOs2v36nIX
7909/3DVc1DlScMw0I3BMC/oYzdKbqWTtJJopDQpzMac8ISxVBIU4LTznIGM
EjU4+60jIwrtYzOmzT0ayLPOead+RdTWO0kS+TdzUNNlQ0eqAW+3ej0EQZU2
h7klkbZU4Eas2OGD0SGGuMDwUTCVQRLv0tyYuRGMI8yCwvf6wziZTt5wc46b
vqQCT6MKgrf1e+/enojqT9BH58/w7+dqpeI4jnBv0IQOwADx+OGcnQfagmrj
Zlta28JeRGESDsIJWtjOxY4YgP67kSJGowW3zuNUMD7c/E2C4Gh7Rk2XGfBe
cOeDfFLHxbZ6lmzrTh3EMmOahR8LkMwZNOPfTKRIQgFC7uEnIPpvoR/g+8Oh
COS9IJUkpnJ6AyyrCTcW93Iywb/w2JQaFPCw8EBdMwOpFX4MlCU2BTIoI9+d
gF2En7K0YN9nUXjne9CO6Q6pTZiaGi4kYzcR7mQS3sfwNkYT+EI3wYlGw4X0
DMD4J4oeOYFR1viCyCmQH0kgWd7xA/MZSiES7wNVYTD0R/OIxgvJBpYBQJkj
f0U8kwN/6MtYjMP7IjlENchGnAKnfHegM0mBEzePauRfAtKYtYh0hijf96Bd
SFY6MOuQP+ox7GiHJqL/d74CHZvH8BJgh0R9gdQVn3Ezz4BoGDhoul3Wp7oR
dUcxbQBgzQ1A9qIEh33oT4CN0B5SDtDN0OIOxjQy2YkVq2lQw2fhKfhvFsax
JLhWI0pjGd0BM7N9qPOsnfoeSHml8gbBXxR68wG1+kZ8euPjhadK5WqNafvp
k7KYT08kxqC+QpzH1Adk/qhEN3z6tMTkPz3VxP1YAh+m0CfgYExMkQ8DmKAj
aPVGJvdSBno+IgNc9ZptWR/VayLE3p9diOl8gr2PE5z/aSdw5k9oUgIt2A2m
XHFbBp6ThKD3PcNqPa6uxYiJ+2jL68t0lNJOzEWEFcBFHEBJkgJz/VHYaqzA
uDxSg8dhjpWxPB7IwI38MAYx+BGkovQmJhr4ARMChCuBHgHpNINtMmoiAJPI
wxLJf5/7kZo7D8geMFuPpECJZUBfhIyxdRDM0xB+hJcAk0FijbrFZvOqw81p
CKXobN3NpgbGiFrnKeAnRrPFoA7CaYmywSuG/pyaxv6wLYLepFySTFQIj0ZZ
s5C1WNTbOk8lsLTj0MOBsYZvEYyGEcyqVmY1CijxFP7arIQ+wJ/RWPUFH0Wo
k9dA/fkAOakouZn7Ey9G4U9epi9JXBHZ4lyNUWnGIPXQe1fxzIwoSNEAZrFt
c1bRrLZAwDQZTHycLzvlNmMb+h3OUWmz3tsBvr+dRzhEU+BoLc/2nGOS4fhi
61v2alRUPnAWJBlvDDyl8wrmELsN1CHuSqQWYfmAzjeLWrFXLMSxrXPYvlkk
MRYomqH1UYC29c/CABRpGweksvQsl8kyrQ0bYpDMhYPyWXChoE3JF3h6qrOr
opTac92q4buBb8CUAPhINkoo5VeQITWm4UwyO2NUpZG+/d59tHBjhu+sbAHc
u4H/dyAMW4ok+lYwCNKDYTlTrMOeygd3OkNQwcy5IJdZdL/9cJnpc+pO4+hA
+wqDcvNsdMl9k6S96HnPd0dBGMP0BcoTNYVBHuSQ+E5Kri+ZjCOcyspJVuOf
/vid/hH8auT5p0+6PeWT6U7Ak4ouFvX0tUhkHM+nM+bQXNGJN+mHlQrO6rgM
3ItJ6F+E9pReWlktAeKCIfRktHlwVysDo3BzkawJvDTCWTBbHZWCkicDEhvN
j3APXqG/tnEEgdGxZADoB4PJHGw50q5NdDKGrtJcLb6GrDf8PANja2a+Ms0M
lTKC1VWywyYIxvjNG3EF2t4Pwkk4ehRvEM0m6QWFacHeinuMtonq+4/9q2qN
/4rzD/T5sve/Pp5d9k7xc//7zrt35kNF3dH//sPHd6fpp/TJ7of373vnp/ww
XBWZS5Xq+85fqjx81Q8XV2cfzjvvqiyrtjLFKZcQfCadAXMP8ZcbV0D2B+BY
snx/2734v//R3AN+/DfgQavZxMnFX46ah3vwBeCzEpYwQI7SV2DpYwWsiXRJ
4YDxAFQx8xMYMLIGMWjkQKAuA4b+7ifkzM8n4g83g1lz74/qAnY4c1HzLHOR
eFa8UniYmVhyqeQ1hpuZ6zlOZ+nt/CXzXfPduviHf5mA1hJO8+hf/lipVC6l
6yGSU5qP0S+Px9Cd+hMfOGekE8UrJh6Doh7IWWLBzGGIlhllXc8tVuLIWDRT
Ax8myrc+APJH7ThcamXOemAbla32C0h91lZS4zzqdIv2SPwRQSm83gsG0eNM
veBDXzseGLl8etIf2zSjfifyXuDnmFSmym5M68YzD5UYIALg+3b38iwutoGR
XUUTOSeWy1nT6ma5z/Ocw6l1l+V2aQ3GPowa4BsJw3pSqQjhiKrNB2qvWtM4
L0H9RLQygCX1Fo9RrlyikTQ93aWNBMoGNWs8yNXbNDDJ+KvGiyE0Bz0DdwgE
Wfl0dBWsgD98tNxq7W2bwTetaUsRp25o1l1d00d9CbtzuNtlLLDAGTT8ymBe
FVXIyAjwFgZjZJw4ZGdpCJIdOtHJuV8aSih64szgES1hgLgNo4SPmfgB06RG
PedxAXinaeFOamnL1CETzibYFYfAPuOiA5pmftQUOxkYg5jw5S1w6uc3QAAZ
Qhy3NA5caAzfmd5dFz0NKTHasoha5h9pnx/lDXj5t4CvYFr/eIW+G6qAH69E
d+L6oDn7EgMg3W4/1mqufUwz+s/1/caxwHA7K06pUAdG3Y2CK7nlmdi9pdU+
z+NlL8xCF5zoQBajX2PiHiCPYE1QNiKAejjv5uwmWFj5A75FtOoNfgEmofAF
gBNhaICc+cSNagwS1AyJBYNOYN1OTeQgpti+7O/USuCr/rnT3zFc4Lg14Q4Y
03z4w4TuqEfIMWbB/vFe1pUb0PzF27OTbaVYh9YEJdMfiaIHHDU3x/4s7e8Y
XBAMBT6WxVu7QJ5PHmw2QuMOKBbBWDZtCxSjCVfZfSDvHjQKTOkIuZRtjEOG
1CArVxNIZ++5EFGqZwEGGa6XoAzt5jzvmFIrqSABhUMQyIC7XM04CwhbuX+Y
8TPfYC5NJgp0a35pHKtvsLzU9B7o7Dv/Vq5GZxYEQ/9isauzKqz95tEEIA4G
3oaph1xGXLkrhgBYOZE4Ito5/L3w8e9Uoy4eVDSXLvi5Q2JWYt5dF99irEOF
jVGvLqN897vLDx8vzjvve2V9cMUy7hXpQoEBvzcTbUU66f04YiwiQD0rFxW6
QUDvA+gCsYMBwfwq2wMtWaIqA28Gsp9UjSUjG5kCWAxXsJailv1UG7KyAmHw
p6jkErgBSMRnDKYxbuNugqaAiNylLAMFKvVgdfosUruotP7uoI3TP13260Ih
UUA+KQlW5K3615/cv/6sbZ+Sdx84TeQHKjQET2sYU80iSArcJFb0wBpSdi3P
7YhDx4o4wO3GLpLPuSiEUal0wPjKyPJhW/U9lIRSuFxTBUM6/BKLj4GPhn8B
bv6ocLOqbkAFHT8Htwlt76Q6oQiSDe42fSw4rCyDtrxoDug0gxWeo1IBVRvw
6VO2skHF0ayGCCspNLqF9NRBc9RHOOe3RJzAUMRkdVQ9AN4Bj8SUAM/eXmgh
GK7VQjCkFsBVvGXwVfb0wgR8+tguYj2KnkLXUexY6Ws4QNoaqwGAE+FIUobB
SjZQ2QTNXgq5og5Cu6PC/0OOdwtSMLEc0btrgtNha5AYJZlxc4nUNZ7v975r
4v9aGmXYBAn8lTqOYTzUWqQK7wEqYhOqqEGYKgQCx+dwH6HO/K+pJXyHD78l
ApRqOjhuqJBmzsIOwjACFU722U6dVAtlFlWYGiM0j484MUprOixIme9mS3fz
zp3MpTZbJR28yqYVHUwKBDElpdOpWh1EfrU8xtquH2TVSL7qCVOCabyTpifa
Nx2FOE3juUbNbXdPz3eEakA5VKAs0I3BP0ZlqJoAHnqtR3MMjwlf3qlsWyAT
xNzQ75Vi0tAkwSSkHvXDHDO33nzARiYTMIn9v0vLSyloKsvXJPp10oXGxwrd
AH3sVWOkXsI190a19+kTeHeKNqaTfyMpeAsyBW3X0tB7gQLtERQymuy8eR6q
evHXn8DJaJ54N0cnJ+7NX382HrwxYzByICKJowT+7FQc7DeODk3BDVhj3xVY
tymqlmTtkm35H0g4orM3iggLBeoyABytO1/eq6gpw0I3ex/lbqlSwlsY/m9l
BLMU+7F9JUZQEt2qoVUWdap+Y+chfsrnnwhzmQCIgYFT8PsmC8iqN58nzMIX
Ny7OHbT+y2AnjBJVG8DYL8V2Jv/OvgPFCBEkmd/LIvmRRFOoE7bU0zSpVNrJ
g1W6iBLD3dRod6ADSyg4HDhWloABicvxkxm4ReqFfpp2QlVDiq4AoLopx7Jx
TsBFwmKndvnyuS+q1TLJLo6IMUH27EpcThojjybAO2yOyg8wOES4/bmB6bnA
ixIKSglIwpmDyZQJGy/JgL2W+m5oOnP+StmLsbWM+QsUFnge2bwhFeVSPQs3
itOeeX7qw4DDTH5UGbCMQJGnoG54xqEizeimCPLUx3qOEMzidiwlCxH6GC4I
j061L6iwfHraQRtCLe7WMfvs3Abgo1CvatlkbuqdkyLL9lvbZgqvZOS+2ay3
V1I7z/BkqaQYVbtEH8Qm1a0oTO9y9F0ODLfJi5b9PpTJYLxgVmnAA7/1ByHw
CLVljJ8cNshPmBNO843Kl8gFhux4ou5VLskJowzkAanoUDmstmAka6kuUgCA
CpcCXiSAZBExC1DL82OkUUtNyfejcbxlLjZ3ZvVBMWW7c/ZWJzda7UPFZE4M
qzoNuANLbl1lKuCrw+bHIc8dc0rAPH/Ehn3VbiwIc5G9ZQ6KDgeNSos+cAxz
nAYViZm6bNBal8AlVA9yF07upJeGIKlmSZe2YccpdZcW11K1QCbCuKT518op
v0KBY7asjCMLYuo+2oVp6LVgyQ3K7kIaVXilxpgtRrjFKjmTks7XH1giUqyr
sgPIgAC4MSscp+Mga48EdHFbhVd0MGfHLu6xWyhWGJkWrKhM2kyuJhsUdBoW
m0oXy1ds9a/U9+nVu77qb3PvkAsFiomjulA1WsA3sNwTgjdYFKRI4pfGeYZs
ZxdiLRfMHWh7JikNzuC+MNBKFpWi4TYeudZmnmjrzYqsRAkXjQgKiIwTE2su
L+3iWFA/kYBym047q1T2Xmi/+I0KDa9UbG3RAW9dlwgL6aTwUaFHy1mA6Z2W
O5lAJlxBpb3Ee1gJwYITrQOchYZWQqbvNWbP8DK18H20b7Zbguidnd1SqvdW
cS7YqR2HE0+/yKLLYmsaDEsZXDr0ipvxMsaXCQCOxNfkvyKnm0X7ZASL+ItM
YSk6V1paVYKrTKm1xoVGuuRV+aILcji5aQfhvnKACeOUvTcXgihl4/5KAmFj
nTR3m32bnaxFEwhvncf5br7J9fAifehNvnuKvdZqILvDC1++qJurSb5a3qCI
7XMnllLJHV1AZYELi8lbIRyRJU+cyqEL+kH8iWNEn954fMHhoJGiIzulyKgb
vU80qqd0qGkBgStGS4RV52lVyRZhZGb6WRz7jPnOKusZBZXWj+QCVX6QLuiw
vHUXBu9xEoICgUmAcxdzkwviVlZUZpEDeJhjZKawN43WGnHZQkB4TRfirZrY
kgNvbH0FQq458rTF+GCLvl3PQgSUMt5SiyCg8yotB/ytggKeU7rfLrGo0uvP
hlSHT3wwPbfrz+1gQi58ga2LsrYJ7AblCRRVP8Pd5tfpSj6TdsfalGfei2Ai
wGVzlrOl7ybVjtVIJaTV09dn3kA0jN07qcI1afyDpIvD5hTzxAhxTAlRdfXf
aI3kv4ntxsNwb0chUI/ERQUPygjhdoNQU8ClN0L0PB9M6BYFr+UJ26h4HM4n
ni7mJmeAS+iEBLD/yDS5UQSuBVf7W5en7oziQzOAmLMIK2pqImRk5FMka+p6
0vZITI2s8htuuC5waNx7Yg5GeiiozHEv5ZWnWYDmknTizkqSFywa23KZS0Pm
JabRCCTN+2KrxiE1MRLwLcij0Jg7K4G26LBuvjTLFsU7FesrBxNsTspjLyqY
bGBSStd8hm7CogqTReGjGH0NV3zXu9KOgDYECyNFWKuVBmnSxZgmgslBC/hi
BchViU3pasNVVP1KppqUPTTXMesJ8CEtQLpuUPi6cpiq9eD+/53+q3zzR9Go
N5rIEZxsHyPfuXCT8YmocpVEtVL5wzdY/7SvrQXeljUcJyq/sV1uFHZoGl+w
PJOyEz/x+uqfmuBOR/7WIHQxjppJrPysyjS2fq6pm1s1cbDdPNwRu5z42W+Q
ZskGHk844rrLDe+OZk0wCz/p1fLYBmuq7QPTzgE1k6ZIT8D73K2ZBfYH2w7Q
Ze7ea+7za6H5Z9Kupokl/7Kp3VxWe0vs/vwzt/KZXGj9xgXgQvtXwoUK/c+e
xusoXFCYb/2JwvILdC/HtV9J+77tXXW//yL6l8zbcI7hYWAqFRUq5zO1a0Pi
BY4hVQGupp5XcVXWw+I5MrjO2U5QJGrBDfJMgwNuuzTNhbUlmCwDOhmSp/Y6
VnhR4p40mQRYzqdUGMZ2uDGtYHoEJkbOdF4wwNoIQlml4FojnEBXixRLrdOl
9cD4HD9UbzKAVmbQv4J7BvQUHc+0RtfLrffMAF+GoTj+afNbRP6PpR3PErKV
5hldhMO+Z0atgOqNA6pfbRLUiQ9cqoueuq4cU72UIAwkR5KSRK1nLQFkLph7
U+x88aGfIh5WWZLRuLt85IuqAdBwwoj183HHPuuCBchDbA5okL1opfbisGgv
guEJB7WuMd+EVgPEWGYtjtM6Sptoljcxu4aJfe1ORthEs5FtoGWZmqPS58e3
3hCf3Fda/vXg1zroawPg6wX29lXN7YrW9vMY0Pr/nQHtXwEDyuFWV63fF+fy
vjR2vRBckQZ9JWyVUfTrQSu9IQFtqJRZQ/VyN3aVMoLVcdJZKQpS0GBBeOwr
gp1l1L4SkHkewxQD4iR4ilt6R5e9eqMhtr91sTCdyN/RS/jArg+L4UjfrqbJ
ohgNQTRmVT22BXURl/PIKhdk4s4YukyUWq/DwoV9GSppGRhyP6XVitBuYKSz
lHztoT4r2xLBZCKZ4lFaMZqphCtb0kXR7ZIysxAh3tidDHUTuaWgJvRtsH+S
ranW+D8tLsuoHxLQxL2Vdj2wCso+ZiOUdq47WSg7pbB4I4C2RU1+ITz7RdFo
Fge3m+mbD0ufnLl+dO/HchmabqfvPypvxeXNkkoft58up57hPM2NXVwwN9ur
5ilI8czR8ZI2eHsHVgoGnVSjMISJ1KS0UyvXdPvYtHy8V943LZxEHLYlmpto
JE/JXts00gQBLW0lvp5Hftozyy1w47qaE/VBOOU6pq2sb9JUWIi21H0XqnUS
ReHP/4TjsfFJsQmp2Eul+7hcLtX2Vwu5lnOmEPjQawER7+1ufanxWRIhXAJY
rUtfOxlTWo1dtn6zsM4+Y0DoYrp4VpgnF8QWOZqCPE3SxcVZanRGlbfLWwkL
r1CxtWbM8CXQ5/VwcLHa5Xei97WDdq+bG8teJX32mumyzzTaVvzroNzY4UYR
18MpeuCi3c6BhV9A9Mx6vlxRUq2Ieto5yj2dGtNDMqZamZa1wQUmdWjqeuDO
3Jv6rXy8ppUOSFceRaQRisP9FVvW7T3fvN36wctaBx3GKOrgNXCc3Ui5RC4Y
T6fdSp8sl0iq9tED2jrMP5+azqPmEtZYNUOrDandcGvFhlcfUae9lzbfflnz
i4bUbrocMnoyuQZ7i89SnU7u+f30+YPS5ylAl13wEwwLwPrXDO3Tlo/LNSEY
92uzyORal7KnrSN24xuuGQNcgy0odCDVdsfl2nLqPlyDxZzI6xj36kGlnaPU
aqJcYcoH8hya7YNG6+i41drLE2F5IO1yLvoeiBMugF0gUL8YR+jXj+sv3EgV
hJXh+2LivxTqf73c/1eC+zPFNYL9m0L7+6+A9rPJ/xXAvnpEeouKxbE6Mo+5
86xY2UmoC1wIZy3cgvdmw26fU1MazCcTLik92FnIk1conC0vrlzBB7OC/4sH
YMFSAbVFut66ISFOqgBo4Y084bNe9PL9i7LjV+rsU4Zf6Bhyns92PXQqOMk4
3WXCOG0q1LqsBrWkT8WBXF5w+gVqEfKe3qYdu7XdI5wRLw3oFp99iS9Q1soa
wK/s8c9BbcX2bIu/wDUxwQhD0WsXXvwWvv81x97LIdqHOxndYy3bC2KvC+oF
On953XKBL4vGQsOgFWGYTlVjtQIgoNVQ2abWUC3Or/Leki9JrypD+VuC9XMS
rL84I91svlxpZwzRnujyPtC/pcy+nGv9RvRA1vG4E5hE/6rOvDmn7b15HWwc
455jkm9yjBJzVG8d2gp8pdWd9fUW/eRos7SC2v52OX0ZNbQqfStXvfMKsL6c
qMOOPvJxNQsjE0utn1sejtiI+esA4t/16Y8xg7wFRrONJ2h8VZOYHvKTblJI
x0XYAYsSv2o1U3i42dK85/zEZXX/vBFhJKch7pJDyUBctel5vGC3kDTMu8vK
AtI2bfye7OqJ/NLFtBsL1k6oNbHpSwGETrZqdpTCFYl8oBW16SkSj9q6mq0z
g2J3OfSEXU3Tnkt7pzZxzEYxeN8X42TnFg4UyAdebpB8aG2lcXkh5Z9doljD
GsUycTSxGQwLLQIvuc1ds7eSIKDTsQsSmmNweX3iK/ckCAui+zvxYxpX4cdo
E8bMfvD4q1J8fOhcrWSbgpdQW4i4rcg8K9Gf9oFUoBbLpbJm732Elc2Fzqhl
9qd01lq84txbCVUXlmmVAWTue5mW6XhevNJ02iAxBXHdzDriA7ao/0zwPJ+S
3kuz7cf7y91+HNJcRCIfRLBbK8+mZsbEBBLaG2pnr/qbE/ELdyJWA2sb9w1W
fO2akJ+16wtQPh+B+VpZx9Peu95V75cR6FKHfVIgK3Pm7kojcvQ1xOBoPekT
fR4sfOYKAPY7Ati0B7xa0BpXKt3cxo3WBkGr7GuWhfH2Tm1F0QDvRC2+VVJE
dy2A/mAly4o3aOehh9miPYYKWUUKDHbVlnTYkL2F1tKzOPkAn7o5isCPC5tc
3i/b4C7bjmHKD/IRdxzmfe3xvi7ulByJ7R9O8Zwis0y8CAIzb1nleGSfyjT1
3p1678m1B6KYqVXZZSt5insAFDaYWmtnxEw5qwW/rhE3bfE0LSohcsP9kmCs
vkefCaYjIHMrAvJsQn1BDIRSslcLBD9/Uu8/r9z/EqUk5biRF+Nl45hd83YF
W3r/s+USk7VTGYmhPX/diS5OgU8LRQYM4VCV8yyXHrVJ9U4hLKCE/LOJfgUx
B8sVRfAe6xSdSuWsdMJJXOSJKzzpAVNJQGOXhbj5bevogA0HJP0GpMlRu9zy
RnZ6O2A+pmTxXqIMkIz4WrmYLaLH8cHRAvInDBr0aUfzOAH384LfDKgJ36xK
87cMaCWtSq1sUXYmVrEb5bqG8YK9u4+zFoAqSQozbqX9a3ljzbkPmMUPZLx2
Mwt2LIdZCl6IN5EcsuOB863zklCtMZLQxzV21dkc1g6kGNjWO1E7g8zvgCPN
k9lfKDLoB2OJUXAvjQJ83omD9Gt6QsmiTYwzARja6GTNfbxXOubZ3nxzAROI
1PxxgasZd9oZlw6feOb4OtJmUUibLId4jKo6bS+zQ88axK6yY6+iy9pcm9XT
goaBcbxZ37JDcVc5B4f3/eycd8rkFHcnKJyKMnYpdKe3CUVS6AijSsVxHHED
7ZL48zk3Z+ijXvE5N3inTZKeCSXH3qh34onSYB0flLJgniw4RcccPrf4lBxz
OA9Ssvrx9f9cJynpU1GmMxwhc7rKBfBLHWdKsm91PI/MCsw1pHGgIdfyzLRc
07t+2wfitIodtxj7D3EWePJB/IMl5ev8+weQccCfVtmfI7v5xtZGydhvFMgY
PHNGy+YISMk4OFqdjGBIef9XIeN4LTL0GrBNkoJkHK4xKEBGuphss7Jx2FyP
DBMt3jAZrbXI0OvaNj4o7fXJUHsvb5SMvZeSIf5wE/1R/PfgJp79fvn/SxZ+
beXJ2P8CZCxYJrZlkXHw5cmg5WRbWW4crkVGpmJ0Q9JBZKynRTc8SVIy1tOi
et3ipifs0Xpa1N4sfaNkrKdFLTI2OmGP1tOiLyPj+Ql7tJ4W3QgZJRP2aD0t
qtaBbnS2EBnraVEkA7yhjc4WImM9LbpJDJohYz0tyhXzmyWFyFhPi6a52s3C
nqP1tGhhAcAGqEEyjtfSoqtP0vKFv6VEExnradHsct/NDAyRsaYWfZi9ioU9
Xk+LmnXHGySGyFhPi1pFZJslYz0tmqsz2hwZ62nRXIXR5shYT4taZSIbhT3H
a2JRq5hro2S8RIumSbtNkdFsNF5OxprIhxNL14OxHNxe08lJdy7IOZPR/CJk
gN7DyZW4RQ4yGa11yODSok0b+k8n4g1FG4vxYKcpEj+ZyG+qhaiyioQvDHbW
q8KdgJf5TXVARQPVp3x4VB3ApcoSo+QbaJjWdXcSrjiQmwuY3hXepc9l1u/6
pwmhotzgnsYvipmuLrqFrY2XC0prZUF5fthLRUec6mTCR7VaTmcxdJbBUcvo
noBQLpb3g2g4YLn7k4woa+A09jHO7zQOuLQMG2jsw9cnLCK4VMsJ5kEgMQmF
RzYFvMD/ToqJG4zm7ghFBcnTNV1e5A4TZ1GaiYoTmGQvTXapnc7olCpM3Q/9
B8nL+v0pIMA7U1+bIX2PSd+3SN+Dr0T6x5gO1NZsrpoTHIHRdD3ig+mrfP47
H26myh+sGbZJcttM7p5Fbhu+Pq30CrthTpXiO/OvaPEr2tYrWvCVX6Hqhunp
zD6SlORLlzJQwkonr9ZgQJ6YJhPTsohpwlcipnMX+p7497nOIU3d6FZlE/Pb
VvC73sIbPNRlVGOUTuItXaPd/Xh51hPxY5C4D8Un6FeVm4ORx5MK4TmXjq9P
K1Qid6Q2uJjOwkCvQLiU6MSZyh2a2FvIs62ib0UP8IGPu9nKzSoelSYjPLsa
T3bnJvEcvfzhebTec9sS14uPV3wAnF56Zp05saD0sp7O3mJG2b0BCYDueTUx
4CIKZiXveUKFBPoMwyVCmB/tBo920xrtBnwtl25VUJFEoTfn9bkkf7rUgWSg
d3q+YqqzSIpFAxHA1njAlSxUCBLQ2ceUF1+usJzGEaWmO4PbILyfSG/EcxDf
4GauoaIN5lgWKr1vqrSNE6rq92F6xo6moJARvgdJsA5iz6xAWE6fdVzkIHT4
4HuULMzl3zyKC1r1cOfiya14CnJ4S7x/G2E9YTxwQdlNwukNYH0uTwNtGEnx
w8Sdx+J7N0pumWi2RGZBBNxOJVaUY/bttdmm+JdPnFfjnB7mydluGg+dziaS
Y5jzQBGd6g6zNMDDxD91xxGeSYR1edP4v/5PHD9heRD+4EZYyym+RcENArrM
9Ref/tWfiv5g7LoASkzxjE/ox1KeUnpYIFBX+X2qWMExKNRI9+8lSNtWDNgm
CO94lnVGIMOP4k9n5+cf/tSxi5J6Hy97P3REt/fu6qzrnPf+fIX1G3+j8uHu
5dnVWb/XJQK6f7m47PX7v6cv6lXftxqthr5f9M/envWd78OpFNvfwWgBNhtF
kpcDHe+3DvZbO/XK/wMOXXiO/bEAAA==

-->

</rfc>
