<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lake-authz-08" category="std" consensus="true" submissionType="IETF" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="ELA">Lightweight Authorization using Ephemeral Diffie-Hellman Over COSE (ELA)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-lake-authz-08"/>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization>Ericsson AB</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson AB</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <author initials="M." surname="Vučinić" fullname="Mališa Vučinić">
      <organization>INRIA</organization>
      <address>
        <postal>
          <country>France</country>
        </postal>
        <email>malisa.vucinic@inria.fr</email>
      </address>
    </author>
    <author initials="G." surname="Fedrecheski" fullname="Geovane Fedrecheski">
      <organization>INRIA</organization>
      <address>
        <postal>
          <country>France</country>
        </postal>
        <email>geovane.fedrecheski@inria.fr</email>
      </address>
    </author>
    <author initials="M." surname="Richardson" fullname="Michael Richardson">
      <organization>Sandelman Software Works</organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <email>mcr+ietf@sandelman.ca</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>LAKE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 139?>

<t>Ephemeral Diffie-Hellman Over COSE (EDHOC) is a lightweight authenticated key exchange protocol intended for use in constrained scenarios.
This document specifies Lightweight Authorization using EDHOC (ELA).
The procedure allows authorizing enrollment of new devices using the extension point defined in EDHOC.
ELA is applicable to zero-touch onboarding of new devices to a constrained network leveraging trust anchors installed at manufacture time.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://lake-wg.github.io/authz/draft-ietf-lake-authz.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-lake-authz/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Lightweight Authenticated Key Exchange Working Group mailing list (<eref target="mailto:lake@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/lake/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/lake/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/lake-wg/authz"/>.</t>
    </note>
  </front>
  <middle>
    <?line 146?>

<section anchor="intro">
      <name>Introduction</name>
      <t>For constrained IoT deployments <xref target="RFC7228"/> the overhead and processing contributed by security protocols may be significant, which motivates the specification of lightweight protocols that are optimizing, in particular, message overhead (see <xref target="I-D.ietf-lake-reqs"/>).
This document describes Lightweight Authorization using EDHOC (ELA), a procedure for augmenting the lightweight authenticated Diffie-Hellman key exchange EDHOC <xref target="RFC9528"/> with third party-assisted authorization.</t>
      <t>ELA involves a device, a domain authenticator, and an enrollment server.
The device and domain authenticator perform mutual authentication and authorization, assisted by the enrollment server that provides relevant authorization information to the device (a "voucher") and to the authenticator. The high-level model is similar to BRSKI <xref target="RFC8995"/>.</t>
      <t>In this document, we consider the target interaction for which authorization is needed to be "enrollment", for example joining a network for the first time (e.g., <xref target="RFC9031"/>), but it can be applied to authorize other target interactions.</t>
      <t>The enrollment server may represent the manufacturer of the device, or some other party with information about the device from which a trust anchor has been pre-provisioned into the device.
The (domain) authenticator may represent the service provider or some other party controlling access to the network in which the device is enrolling.</t>
      <t>ELA assumes that authentication between device and authenticator is performed with EDHOC <xref target="RFC9528"/>, and defines the integration of a lightweight authorization procedure using the External Authorization Data (EAD) fields defined in EDHOC.</t>
      <t>ELA enables a low message count by performing authorization and enrollment in parallel with authentication, instead of in sequence, which is common for network access.
It further reuses protocol elements from EDHOC, leading to reduced message sizes on constrained links.</t>
      <t>This protocol is applicable to a wide variety of settings, and can be mapped to different authorization architectures.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
        <t>Readers are expected to have an understanding of CBOR <xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, and EDHOC <xref target="RFC9528"/>.
Appendix C.1 of <xref target="RFC9528"/> contains some basic info about CBOR.</t>
      </section>
    </section>
    <section anchor="outline">
      <name>Protocol Outline</name>
      <t>The goal of ELA is to enable a (potentially constrained) device (U) to enroll into a domain over a constrained link.
The device authenticates and enforces authorization of the (non-constrained) domain authenticator (V) with the help of a voucher conveying authorization information.
The voucher has a similar role as in <xref target="RFC8366"/> but should be considerably more compact.
The domain authenticator, in turn, authenticates the device and authorizes its enrollment into the domain.
ELA also enables scenarios where only V needs to authorize U, by allowing the voucher to be optional.</t>
      <t>The procedure is assisted by a (non-constrained) enrollment server (W) located in a non-constrained network behind the domain authenticator, e.g., on the Internet, providing information to the device (conveyed in the voucher) and to the domain authenticator as part of the protocol.</t>
      <t>The objective of this document is to specify such a protocol that is lightweight over the constrained link, by reusing elements of EDHOC <xref target="RFC9528"/> and by shifting message overhead to the non-constrained side of the network.
See illustration in <xref target="fig-overview"/>.</t>
      <t>Note the cardinality of the involved parties. It is expected that the domain authenticator needs to handle a large unspecified number of devices, but for a given device type or manufacturer it is expected that one or a few nodes host enrollment servers.</t>
      <figure anchor="fig-overview">
        <name>Overview of the message flow. EDHOC is used on the constrained link between U and V. Voucher_Info and Voucher are sent in EDHOC External Authorization Data (EAD). The link between V and W is not constrained.</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="560" viewBox="0 0 560 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,64 L 8,176" fill="none" stroke="black"/>
              <path d="M 96,64 L 96,176" fill="none" stroke="black"/>
              <path d="M 136,120 L 136,176" fill="none" stroke="black"/>
              <path d="M 152,64 L 152,120" fill="none" stroke="black"/>
              <path d="M 200,64 L 200,176" fill="none" stroke="black"/>
              <path d="M 328,64 L 328,176" fill="none" stroke="black"/>
              <path d="M 424,64 L 424,176" fill="none" stroke="black"/>
              <path d="M 552,64 L 552,176" fill="none" stroke="black"/>
              <path d="M 8,64 L 96,64" fill="none" stroke="black"/>
              <path d="M 200,64 L 328,64" fill="none" stroke="black"/>
              <path d="M 424,64 L 552,64" fill="none" stroke="black"/>
              <path d="M 96,80 L 192,80" fill="none" stroke="black"/>
              <path d="M 104,96 L 200,96" fill="none" stroke="black"/>
              <path d="M 96,112 L 144,112" fill="none" stroke="black"/>
              <path d="M 160,112 L 192,112" fill="none" stroke="black"/>
              <path d="M 328,112 L 416,112" fill="none" stroke="black"/>
              <path d="M 104,128 L 128,128" fill="none" stroke="black"/>
              <path d="M 144,128 L 200,128" fill="none" stroke="black"/>
              <path d="M 336,128 L 424,128" fill="none" stroke="black"/>
              <path d="M 8,176 L 96,176" fill="none" stroke="black"/>
              <path d="M 200,176 L 328,176" fill="none" stroke="black"/>
              <path d="M 424,176 L 552,176" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="424,112 412,106.4 412,117.6" fill="black" transform="rotate(0,416,112)"/>
              <polygon class="arrowhead" points="344,128 332,122.4 332,133.6" fill="black" transform="rotate(180,336,128)"/>
              <polygon class="arrowhead" points="200,112 188,106.4 188,117.6" fill="black" transform="rotate(0,192,112)"/>
              <polygon class="arrowhead" points="200,80 188,74.4 188,85.6" fill="black" transform="rotate(0,192,80)"/>
              <polygon class="arrowhead" points="112,128 100,122.4 100,133.6" fill="black" transform="rotate(180,104,128)"/>
              <polygon class="arrowhead" points="112,96 100,90.4 100,101.6" fill="black" transform="rotate(180,104,96)"/>
              <circle cx="136" cy="128" r="6" class="opendot" fill="white" stroke="black"/>
              <circle cx="152" cy="112" r="6" class="opendot" fill="white" stroke="black"/>
              <g class="text">
                <text x="164" y="36">Voucher_</text>
                <text x="148" y="52">Info</text>
                <text x="376" y="84">Voucher</text>
                <text x="260" y="100">Domain</text>
                <text x="376" y="100">Request</text>
                <text x="492" y="100">Enrollment</text>
                <text x="52" y="116">Device</text>
                <text x="264" y="116">Authenticator</text>
                <text x="492" y="116">Server</text>
                <text x="48" y="148">(U)</text>
                <text x="264" y="148">(V)</text>
                <text x="376" y="148">Voucher</text>
                <text x="488" y="148">(W)</text>
                <text x="380" y="164">Response</text>
                <text x="144" y="196">Voucher</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
                Voucher_
                Info
+----------+      |     +---------------+           +---------------+
|          +------+---->|               |  Voucher  |               |
|          |<-----+-----+    Domain     |  Request  |   Enrollment  |
|  Device  +------o---->| Authenticator +---------->|     Server    |
|          |<---o-------+               |<----------+               |
|   (U)    |    |       |      (V)      |  Voucher  |      (W)      |
|          |    |       |               |  Response |               |
+----------+    |       +---------------+           +---------------+
              Voucher
]]></artwork>
        </artset>
      </figure>
    </section>
    <section anchor="assumptions">
      <name>Assumptions</name>
      <t>The protocol is based on the following pre-existing relations between the device (U), the domain authenticator (V) and the enrollment server (W), see <xref target="fig-trust"/>.</t>
      <ul spacing="normal">
        <li>
          <t>U and W have an explicit relation: U is configured with a public key of W, see <xref target="device"/>.</t>
        </li>
        <li>
          <t>V and W have an implicit relation, e.g., based on web PKI with trusted CA certificates, see <xref target="domain-auth"/>.</t>
        </li>
        <li>
          <t>U and V need not have any previous relation. This protocol establishes a relation between U and V.</t>
        </li>
      </ul>
      <t>Each of the three parties can gain protected communication with the other two during the protocol.</t>
      <t>V may be able to access credentials over non-constrained networks, but U may be limited to constrained networks. Implementations wishing to leverage the zero-touch capabilities of this protocol are expected to support transmission of credentials from V to U by value during the EDHOC exchange, which will impact the message size depending on the type of credential used.</t>
      <figure anchor="fig-trust">
        <name>Overview of pre-existing relations.</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="568" viewBox="0 0 568 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,96 L 8,192" fill="none" stroke="black"/>
              <path d="M 48,64 L 48,96" fill="none" stroke="black"/>
              <path d="M 48,192 L 48,224" fill="none" stroke="black"/>
              <path d="M 96,96 L 96,192" fill="none" stroke="black"/>
              <path d="M 200,96 L 200,192" fill="none" stroke="black"/>
              <path d="M 264,192 L 264,224" fill="none" stroke="black"/>
              <path d="M 328,96 L 328,192" fill="none" stroke="black"/>
              <path d="M 432,96 L 432,192" fill="none" stroke="black"/>
              <path d="M 496,64 L 496,96" fill="none" stroke="black"/>
              <path d="M 496,192 L 496,224" fill="none" stroke="black"/>
              <path d="M 560,96 L 560,192" fill="none" stroke="black"/>
              <path d="M 64,64 L 480,64" fill="none" stroke="black"/>
              <path d="M 8,96 L 96,96" fill="none" stroke="black"/>
              <path d="M 200,96 L 328,96" fill="none" stroke="black"/>
              <path d="M 432,96 L 560,96" fill="none" stroke="black"/>
              <path d="M 8,192 L 96,192" fill="none" stroke="black"/>
              <path d="M 200,192 L 328,192" fill="none" stroke="black"/>
              <path d="M 432,192 L 560,192" fill="none" stroke="black"/>
              <path d="M 64,224 L 248,224" fill="none" stroke="black"/>
              <path d="M 280,224 L 480,224" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="488,224 476,218.4 476,229.6" fill="black" transform="rotate(0,480,224)"/>
              <polygon class="arrowhead" points="488,64 476,58.4 476,69.6" fill="black" transform="rotate(0,480,64)"/>
              <polygon class="arrowhead" points="288,224 276,218.4 276,229.6" fill="black" transform="rotate(180,280,224)"/>
              <polygon class="arrowhead" points="256,224 244,218.4 244,229.6" fill="black" transform="rotate(0,248,224)"/>
              <polygon class="arrowhead" points="72,224 60,218.4 60,229.6" fill="black" transform="rotate(180,64,224)"/>
              <polygon class="arrowhead" points="72,64 60,58.4 60,69.6" fill="black" transform="rotate(180,64,64)"/>
              <g class="text">
                <text x="108" y="52">Explicit</text>
                <text x="180" y="52">relation</text>
                <text x="244" y="52">(e.g.,</text>
                <text x="292" y="52">from</text>
                <text x="340" y="52">device</text>
                <text x="424" y="52">manufacturer)</text>
                <text x="52" y="132">Device</text>
                <text x="148" y="132">con-</text>
                <text x="260" y="132">Domain</text>
                <text x="360" y="132">not</text>
                <text x="396" y="132">con-</text>
                <text x="500" y="132">Enrollment</text>
                <text x="148" y="148">strained</text>
                <text x="264" y="148">Authenticator</text>
                <text x="380" y="148">strained</text>
                <text x="500" y="148">Server</text>
                <text x="48" y="164">(U)</text>
                <text x="144" y="164">network</text>
                <text x="264" y="164">(V)</text>
                <text x="376" y="164">network</text>
                <text x="496" y="164">(W)</text>
                <text x="92" y="244">No</text>
                <text x="140" y="244">previous</text>
                <text x="212" y="244">relation</text>
                <text x="340" y="244">Implicit</text>
                <text x="412" y="244">relation</text>
                <text x="316" y="260">(e.g.,</text>
                <text x="360" y="260">web</text>
                <text x="392" y="260">PKI</text>
                <text x="436" y="260">based)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[

         Explicit relation (e.g., from device manufacturer)
     | <---------------------------------------------------> |
     |                                                       |
+----+-----+            +---------------+            +-------+-------+
|          |            |               |            |               |
|  Device  |    con-    |    Domain     |  not con-  |   Enrollment  |
|          |  strained  | Authenticator |  strained  |     Server    |
|   (U)    |  network   |      (V)      |  network   |      (W)      |
|          |            |               |            |               |
+----+-----+            +-------+-------+            +-------+-------+
     |                          |                            |
     | <----------------------> | <------------------------> |
          No previous relation        Implicit relation
                                    (e.g., web PKI based)
]]></artwork>
        </artset>
      </figure>
      <section anchor="device">
        <name>Device (U)</name>
        <t>To authenticate to V, the device (U) runs EDHOC in the role of Initiator with authentication credential CRED_U, for example, an X.509 certificate <xref target="RFC5280"/> or a CBOR Web Token (CWT, <xref target="RFC8392"/>). CRED_U may, for example, be carried by value in ID_CRED_I of EDHOC message_3 or be provisioned to V over a non-constrained network, leveraging a credential identifier in ID_CRED_I (see <xref target="fig-protocol"/>).</t>
        <t>U also needs to identify itself to W, for which it reuses ID_CRED_I.
Note that while typically ID_CRED_I is treated as a field that only needs to be understood between two EDHOC peers (here U and V), in this case ID_CRED_I also MUST be formatted in a way that it is unambiguous to W.
W will use ID_CRED_I to determine if the device with this identifier is authorized to enroll with V.</t>
        <t>U is also provisioned with information about W:</t>
        <ul spacing="normal">
          <li>
            <t>A static public key of W (PK_W) used to establish secure communication with the enrollment server (see <xref target="U-W"/>).</t>
          </li>
          <li>
            <t>Location information about the enrollment server (LOC_W) that can be used by V to reach W. This is typically a URI but may alternatively be only the domain name.</t>
          </li>
        </ul>
      </section>
      <section anchor="domain-auth">
        <name>Domain Authenticator (V)</name>
        <t>To authenticate to U, the domain authenticator (V) runs EDHOC in the role of Responder with an authentication credential CRED_V containing a public key of V, see <xref target="V_2"/>. This proves to U the possession of the private key corresponding to the public key of CRED_V. CRED_V typically needs to be transported to U in EDHOC (using  ID_CRED_R = CRED_V, see <xref section="3.5.2" sectionFormat="of" target="RFC9528"/>) since there is no previous relation between U and V.</t>
        <t>V and W need to establish a secure (confidentiality and integrity protected) connection for the Voucher Request/Response protocol.
Furthermore, W needs to access the same credential CRED_V that V uses with U (to compute the Voucher), and V needs to prove to W the possession of the private key corresponding to the public key of CRED_V.
V MUST authenticate to W using the same credential CRED_V as with U.</t>
        <t>Note that the type of credential used by V will depend on what is supported by U and W.
U can signal its supported credential types by advertising EDHOC Application Profiles <xref target="I-D.ietf-lake-app-profiles"/>, specifically by using the "cred_types" element.</t>
        <t>Regarding the secure channel between V and W, the choice of protocols may affect which type of credential and methods should be used by V.
For example, in case V and W select TLS for the secure channel and PoP, then CRED_V is an X.509 certificate, and the EDHOC method used by V is signature-based.
Some of the possible combinations of protocols to secure the connection between V and W are listed in <xref target="creds-table"/> below.</t>
        <table anchor="creds-table">
          <name>Examples of how to secure the connection between V and W.</name>
          <thead>
            <tr>
              <th align="left">Secure channel between V and W</th>
              <th align="left">Proof-of-Possession from V to W</th>
              <th align="left">Type of CRED_V</th>
              <th align="left">EDHOC method used by V</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">[D]TLS 1.3 with mutual authentication, where V is the client and W is the server.</td>
              <td align="left">Provided by [D]TLS.</td>
              <td align="left">Restricted to types that are supported by both [D]TLS and EDHOC, e.g., X.509 certificates.</td>
              <td align="left">V MUST authenticate using a signature.</td>
            </tr>
            <tr>
              <td align="left">[D]TLS 1.3, where V is the client and W is the server.</td>
              <td align="left">Run an EDHOC session on top of the TLS-protected channel.</td>
              <td align="left">Any type supported by EDHOC, e.g., X.509, C509, CWT, or CCS.</td>
              <td align="left">Any method may be used.</td>
            </tr>
            <tr>
              <td align="left">EDHOC and OSCORE, where V is the initiator and W is the responder.</td>
              <td align="left">Already provided by EDHOC during the setup of the secure channel.</td>
              <td align="left">Any type supported by EDHOC.</td>
              <td align="left">Any method may be used.</td>
            </tr>
          </tbody>
        </table>
        <t>Note also that the secure connection between V and W may be long-lived and reused for multiple voucher requests/responses.</t>
        <t>Other details of proof-of-possession related to CRED_V and transport of CRED_V are out of scope of this document.</t>
      </section>
      <section anchor="authz-server">
        <name>Enrollment Server (W)</name>
        <t>The enrollment server (W) is assumed to have the private key corresponding to PK_W, which is used to establish secure communication with the device (see <xref target="U-W"/>).
W provides to U the authorization decision for enrollment with V in the form of a voucher (see <xref target="voucher"/>).
Authorization policies are out of scope for this document.</t>
        <t>Authentication credentials and communication security with V is described in <xref target="domain-auth"/>.
To calculate the voucher, W needs access to the hash of EDHOC message_1 and message_2 (H_12), ID_CRED_I, and CRED_V as used in the EDHOC session between U and V, see <xref target="voucher"/>.</t>
        <ul spacing="normal">
          <li>
            <t>W MUST verify that CRED_V is bound to the secure connection between W and V</t>
          </li>
          <li>
            <t>W MUST verify that V is in possession of the private key corresponding to the public key of CRED_V</t>
          </li>
        </ul>
        <t>W needs to be available during the execution of the protocol between U and V.</t>
      </section>
    </section>
    <section anchor="protocol">
      <name>The Protocol</name>
      <section anchor="protocol-overview">
        <name>Overview</name>
        <t>The ELA protocol consists of three security sessions going on in parallel:</t>
        <ol spacing="normal" type="1"><li>
            <t>The EDHOC session between device (U) and (domain) authenticator (V)</t>
          </li>
          <li>
            <t>Voucher Request/Response between authenticator (V) and enrollment server (W)</t>
          </li>
          <li>
            <t>An exchange of voucher-related information, including the voucher itself, between device (U) and enrollment server (W), mediated by the authenticator (V).</t>
          </li>
        </ol>
        <t><xref target="fig-protocol"/> provides an overview of the message flow detailed in this section. An outline of EDHOC is given in <xref section="2" sectionFormat="of" target="RFC9528"/>.</t>
        <figure anchor="fig-protocol">
          <name>Overview of ELA: W-assisted authorization of U and V to each other: EDHOC between U and V, and Voucher Request/Response between V and W. Before the protocol, V and W are assumed to have established a secure channel and performed proof-of-possession of relevant keys. Credential lookup of CRED_U may involve W or other credential database.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="736" width="584" viewBox="0 0 584 736" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,224" fill="none" stroke="black"/>
                <path d="M 8,304 L 8,704" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,224" fill="none" stroke="black"/>
                <path d="M 256,304 L 256,704" fill="none" stroke="black"/>
                <path d="M 576,48 L 576,224" fill="none" stroke="black"/>
                <path d="M 576,304 L 576,704" fill="none" stroke="black"/>
                <path d="M 264,96 L 288,96" fill="none" stroke="black"/>
                <path d="M 312,96 L 328,96" fill="none" stroke="black"/>
                <path d="M 352,96 L 368,96" fill="none" stroke="black"/>
                <path d="M 392,96 L 408,96" fill="none" stroke="black"/>
                <path d="M 432,96 L 448,96" fill="none" stroke="black"/>
                <path d="M 472,96 L 488,96" fill="none" stroke="black"/>
                <path d="M 512,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 552,96 L 568,96" fill="none" stroke="black"/>
                <path d="M 264,160 L 288,160" fill="none" stroke="black"/>
                <path d="M 312,160 L 328,160" fill="none" stroke="black"/>
                <path d="M 352,160 L 368,160" fill="none" stroke="black"/>
                <path d="M 392,160 L 408,160" fill="none" stroke="black"/>
                <path d="M 432,160 L 448,160" fill="none" stroke="black"/>
                <path d="M 472,160 L 488,160" fill="none" stroke="black"/>
                <path d="M 512,160 L 528,160" fill="none" stroke="black"/>
                <path d="M 552,160 L 568,160" fill="none" stroke="black"/>
                <path d="M 8,256 L 576,256" fill="none" stroke="black"/>
                <path d="M 8,352 L 248,352" fill="none" stroke="black"/>
                <path d="M 16,400 L 256,400" fill="none" stroke="black"/>
                <path d="M 8,464 L 248,464" fill="none" stroke="black"/>
                <path d="M 256,528 L 568,528" fill="none" stroke="black"/>
                <path d="M 264,608 L 576,608" fill="none" stroke="black"/>
                <path d="M 16,672 L 256,672" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="576,528 564,522.4 564,533.6" fill="black" transform="rotate(0,568,528)"/>
                <polygon class="arrowhead" points="576,160 564,154.4 564,165.6" fill="black" transform="rotate(0,568,160)"/>
                <polygon class="arrowhead" points="576,96 564,90.4 564,101.6" fill="black" transform="rotate(0,568,96)"/>
                <polygon class="arrowhead" points="272,608 260,602.4 260,613.6" fill="black" transform="rotate(180,264,608)"/>
                <polygon class="arrowhead" points="272,160 260,154.4 260,165.6" fill="black" transform="rotate(180,264,160)"/>
                <polygon class="arrowhead" points="272,96 260,90.4 260,101.6" fill="black" transform="rotate(180,264,96)"/>
                <polygon class="arrowhead" points="256,464 244,458.4 244,469.6" fill="black" transform="rotate(0,248,464)"/>
                <polygon class="arrowhead" points="256,352 244,346.4 244,357.6" fill="black" transform="rotate(0,248,352)"/>
                <polygon class="arrowhead" points="24,672 12,666.4 12,677.6" fill="black" transform="rotate(180,16,672)"/>
                <polygon class="arrowhead" points="24,400 12,394.4 12,405.6" fill="black" transform="rotate(180,16,400)"/>
                <g class="text">
                  <text x="8" y="36">U</text>
                  <text x="256" y="36">V</text>
                  <text x="576" y="36">W</text>
                  <text x="360" y="84">Establish</text>
                  <text x="428" y="84">secure</text>
                  <text x="488" y="84">channel</text>
                  <text x="332" y="116">(e.g.,</text>
                  <text x="376" y="116">TLS</text>
                  <text x="412" y="116">with</text>
                  <text x="460" y="116">server</text>
                  <text x="516" y="116">cert.)</text>
                  <text x="360" y="148">Proof-of-possession</text>
                  <text x="468" y="148">w.r.t.</text>
                  <text x="524" y="148">CRED_V</text>
                  <text x="380" y="180">(e.g.,</text>
                  <text x="436" y="180">EDHOC)</text>
                  <text x="228" y="276">CORE</text>
                  <text x="284" y="276">PROTOCOL</text>
                  <text x="104" y="340">EDHOC</text>
                  <text x="168" y="340">message_1</text>
                  <text x="104" y="388">EDHOC</text>
                  <text x="168" y="388">message_2</text>
                  <text x="104" y="452">EDHOC</text>
                  <text x="168" y="452">message_3</text>
                  <text x="68" y="484">(EAD_3</text>
                  <text x="104" y="484">=</text>
                  <text x="140" y="484">LOC_W,</text>
                  <text x="196" y="484">EK_CT)</text>
                  <text x="352" y="516">Voucher</text>
                  <text x="416" y="516">Request</text>
                  <text x="476" y="516">(VREQ)</text>
                  <text x="364" y="548">(SS,</text>
                  <text x="412" y="548">EK_CT,</text>
                  <text x="464" y="548">H_12,</text>
                  <text x="364" y="564">ID_CRED_I,</text>
                  <text x="464" y="564">Fetch_CRED_U)</text>
                  <text x="352" y="596">Voucher</text>
                  <text x="420" y="596">Response</text>
                  <text x="484" y="596">(VRES)</text>
                  <text x="372" y="628">(?Voucher,</text>
                  <text x="452" y="628">?CRED_U)</text>
                  <text x="104" y="660">EDHOC</text>
                  <text x="168" y="660">message_4</text>
                  <text x="104" y="692">(?EAD_4</text>
                  <text x="144" y="692">=</text>
                  <text x="188" y="692">Voucher)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
U                              V                                       W
|                              |                                       |
|                              |                                       |
|                              |        Establish secure channel       |
|                              +<---  ---  ---  ---  ---  ---  ---  -->|
|                              |      (e.g., TLS with server cert.)    |
|                              |                                       |
|                              |   Proof-of-possession w.r.t. CRED_V   |
|                              +<---  ---  ---  ---  ---  ---  ---  -->|
|                              |            (e.g., EDHOC)              |
|                              |                                       |
|                              |                                       |
|                              |                                       |

------------------------------------------------------------------------
                          CORE PROTOCOL

|                              |                                       |
|                              |                                       |
|         EDHOC message_1      |                                       |
+----------------------------->|                                       |
|                              |                                       |
|         EDHOC message_2      |                                       |
|<-----------------------------+                                       |
|                              |                                       |
|                              |                                       |
|         EDHOC message_3      |                                       |
+----------------------------->|                                       |
|    (EAD_3 = LOC_W, EK_CT)    |                                       |
|                              |                                       |
|                              |        Voucher Request (VREQ)         |
|                              +-------------------------------------->|
|                              |           (SS, EK_CT, H_12,           |
|                              |        ID_CRED_I, Fetch_CRED_U)       |
|                              |                                       |
|                              |        Voucher Response (VRES)        |
|                              |<--------------------------------------+
|                              |         (?Voucher, ?CRED_U)           |
|                              |                                       |
|         EDHOC message_4      |                                       |
|<-----------------------------+                                       |
|        (?EAD_4 = Voucher)    |                                       |
|                              |                                       |

]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="reuse">
        <name>Reuse of EDHOC</name>
        <t>The ELA protocol illustrated in <xref target="fig-protocol"/> reuses several components of EDHOC:</t>
        <ul spacing="normal">
          <li>
            <t>SUITES_I includes the cipher suite for EDHOC selected by U, and also defines the algorithms used between U and W (see <xref section="3.6" sectionFormat="of" target="RFC9528"/>):  </t>
            <ul spacing="normal">
              <li>
                <t>EDHOC AEAD algorithm: used to generate voucher</t>
              </li>
              <li>
                <t>EDHOC hash algorithm: used for key derivation</t>
              </li>
              <li>
                <t>EDHOC key exchange algorithm: used to calculate the shared secret between U and W</t>
              </li>
            </ul>
          </li>
          <li>
            <t>EAD_3, EAD_4 are the External Authorization Data message fields of message_3 and message_4, respectively, see <xref section="3.8" sectionFormat="of" target="RFC9528"/>.
In case U acts as Responder (see <xref target="reverse-u-responder"/>), EAD_2 and EAD_3 are used in message_2 and message_3, respectively.
This document specifies two new EAD items, with ead_label = TBD1 and TBD2, see <xref target="iana-ead"/>.</t>
          </li>
          <li>
            <t>ID_CRED_I and ID_CRED_R are used to identify the authentication credentials CRED_U and CRED_V, respectively. As shown at the bottom of <xref target="fig-protocol"/>, V may use W to obtain CRED_U.
By default, CRED_V is transported in ID_CRED_R in message_2, see <xref target="V_2"/>.
In case U is Responder, CRED_V is transported in ID_CRED_I in message_3.</t>
          </li>
        </ul>
        <t>The protocol also reuses the EDHOC_Extract and EDHOC_Expand key derivation from EDHOC (see <xref section="4" sectionFormat="of" target="RFC9528"/>).</t>
        <t>The intermediate pseudo-random key PRK is derived using EDHOC_Extract():</t>
        <ul spacing="normal">
          <li>
            <t>PRK = EDHOC_Extract(salt, IKM)
            </t>
            <ul spacing="normal">
              <li>
                <t>where salt = 0x (the zero-length byte string)</t>
              </li>
              <li>
                <t>Computation of IKM depends on the EDHOC method in use.
                </t>
                <ul spacing="normal">
                  <li>
                    <t>If the method is based on Diffie-Hellman, IKM is computed as an ECDH cofactor Diffie-Hellman shared secret from the public key of W, PK_W, and the private key corresponding to G_U (or vice versa), see Section 5.7.1.2 of <xref target="NIST-800-56A"/> and <xref target="U-W"/>.</t>
                  </li>
                  <li>
                    <t>If the method is based on a Key Encapsulation Mechanism (KEM), IKM is the KEM shared secret resulting from encapsulating PK_W, see Section 2.2 of <xref target="NIST-800-227"/>. For example, the use of ML-KEM in COSE is currently being specified at <xref target="I-D.ietf-jose-pqc-kem"/>.</t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
        </ul>
        <t>The output keying material OKM is derived from PRK using EDHOC_Expand(), which is defined in terms of the EDHOC hash algorithm of the selected cipher suite SS, see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>:</t>
        <ul spacing="normal">
          <li>
            <t>OKM = EDHOC_Expand(PRK, info, length)  </t>
            <t>
where</t>
          </li>
        </ul>
        <sourcecode type="cddl"><![CDATA[
info = (
   info_label : int,
   context : bstr,
   length : uint,
)
]]></sourcecode>
        <t>Finally, since the ELA authorization flow happens in EDHOC message_3 and message_4, ELA is also compatible with EDHOC application profiles, as defined in <xref target="I-D.ietf-lake-app-profiles"/> where advertisement of supported profiles happens in message_1 and message_2.
This can be used, for example, to enable U or V to learn about each other's capability for executing the ELA protocol, see <xref target="ela-profile"/>.
Specifically, support for ELA can be advertised by indicating support for EAD items defined in this document.</t>
      </section>
      <section anchor="U-W">
        <name>Device &lt;-&gt; Enrollment Server (U &lt;-&gt; W)</name>
        <t>The protocol between U and W is carried between U and V in message_3 and message_4 (<xref target="U-V"/>), and between V and W in the Voucher Request/Response (<xref target="V-W"/>). The data is protected between the endpoints using secret keys derived from a shared secret (see <xref target="reuse"/>) as further detailed in this section.</t>
        <section anchor="voucher_info">
          <name>Voucher_Info</name>
          <t>The external authorization data EAD_3 contains a critical EAD item with ead_label = -TBD1 and ead_value = Voucher_Info, which is a CBOR byte string:</t>
          <sourcecode type="cddl"><![CDATA[
Voucher_Info = bstr .cborseq Voucher_Info_Seq

Voucher_Info_Seq = [ ; used as a CBOR sequence, not array
    LOC_W: tstr,
    EK_CT: bstr,
]
]]></sourcecode>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>LOC_W is a text string used by V to locate W, e.g., a URI or a domain name.</t>
            </li>
            <li>
              <t>EK_CT is a field containing either an ephemeral Diffie-Hellman key or a KEM ciphertext, depending on the EDHOC method being used in the current session:
              </t>
              <ul spacing="normal">
                <li>
                  <t>if the method is based on Diffie-Hellman, the device generates an ephemeral Diffie-Hellman key pair, where the public part G_U is placed in the EK_CT field. The private part of G_U will be used to decrypt and verify the voucher, see <xref target="voucher"/> and <xref target="reuse"/>.</t>
                </li>
                <li>
                  <t>if the method is based on a PQC KEM, the device performs key encapsulation and places the resulting ciphertext CT in the EK_CT field. Here, the secret emitted by the encapsulation mechanism will be used to decrypt and verify the voucher, see <xref target="voucher"/> and <xref target="reuse"/>.</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="voucher">
          <name>Voucher</name>
          <t>If W generates a Voucher, as determined by the application, the external authorization data EAD_4 contains an EAD item with ead_label = -TBD2 and ead_value = Voucher.</t>
          <t>The voucher is an assertion to U that W has authorized V.
It is encrypted using the EDHOC AEAD algorithm of the selected cipher suite SS specified in SUITES_I of EDHOC message_1.
It consists of the 'ciphertext' field of a COSE_Encrypt0 object <xref target="RFC9052"/>, which is a byte string, as defined below.</t>
          <sourcecode type="cddl"><![CDATA[
Voucher = bstr
]]></sourcecode>
          <t>Its corresponding plaintext value consists of an opaque field that can be used by W to convey information to U, such as a voucher scope.
The authentication tag present in the ciphertext is also bound to the current EDHOC handshake, the identity of U, and the credential of V as described below.</t>
          <ul spacing="normal">
            <li>
              <t>The encryption key K and nonce IV are derived as specified below.</t>
            </li>
            <li>
              <t>'protected' is a byte string of size 0</t>
            </li>
            <li>
              <t>'plaintext' and 'external_aad' as below:</t>
            </li>
          </ul>
          <sourcecode type="cddl"><![CDATA[
plaintext = (
    ?OPAQUE_INFO: bstr
)
]]></sourcecode>
          <sourcecode type="cddl"><![CDATA[
external_aad = (
    H_12:         bstr,
    ID_CRED_I:    bstr,
    CRED_V:       bstr,
)
]]></sourcecode>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>OPAQUE_INFO is an opaque field provided by the application.
If present, it will contain application data that W may want to convey to U, e.g., a voucher scope.
Note that OPAQUE_INFO is opaque when viewed as an information element in EDHOC.
It is opaque to V, while the application in U and W can read its contents.</t>
            </li>
            <li>
              <t>H_12 is H(H(message_1), message_2), used to bind the voucher to the current EDHOC session. It is computed using the EDHOC hash algorithm of the selected cipher suite SS specified in SUITES_I of EDHOC message_1. H_12 is sent to W as part of the voucher request, see <xref target="voucher_request"/>.</t>
            </li>
            <li>
              <t>ID_CRED_I is the identifier of U transmitted via the voucher request.</t>
            </li>
            <li>
              <t>CRED_V is the credential used by V to authenticate to U and W, see <xref target="V_2"/> and <xref target="creds-table"/>.</t>
            </li>
          </ul>
          <t>The derivation of K = EDHOC_Expand(PRK, info, length) uses the following input to the info struct (see <xref target="reuse"/>):</t>
          <ul spacing="normal">
            <li>
              <t>info_label = 2</t>
            </li>
            <li>
              <t>context  = h'' (the empty CBOR string)</t>
            </li>
            <li>
              <t>length is length of the key of the EDHOC AEAD algorithm in bytes</t>
            </li>
          </ul>
          <t>The derivation of IV = EDHOC_Expand(PRK, info, length) uses the following input to the info struct (see <xref target="reuse"/>):</t>
          <ul spacing="normal">
            <li>
              <t>info_label = 3</t>
            </li>
            <li>
              <t>context = h''  (the empty CBOR string)</t>
            </li>
            <li>
              <t>length is length of the nonce of the EDHOC AEAD algorithm in bytes</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="U-V">
        <name>Device &lt;-&gt; Authenticator (U &lt;-&gt; V)</name>
        <t>This section describes the processing in U and V, which includes the EDHOC protocol, see <xref target="fig-protocol"/>. Normal EDHOC processing is omitted here.</t>
        <section anchor="m1">
          <name>Message 1</name>
          <section anchor="processing-in-u">
            <name>Processing in U</name>
            <t>U composes EDHOC message_1 using authentication method, identifiers, etc. according to an agreed application profile, see <xref section="3.9" sectionFormat="of" target="RFC9528"/>.
The selected cipher suite, in this document denoted SS, applies also to the interaction with W as detailed in <xref target="reuse"/>, in particular, with respect to the key agreement algorithm used between U and W.
U sends EDHOC message_1 to V.</t>
          </section>
          <section anchor="processing-in-v">
            <name>Processing in V</name>
            <t>V processes EDHOC message_1 as specified in <xref target="RFC9528"/>.</t>
            <t>Note that as part of normal EDHOC processing, U and V negotiate a selected cipher suite SS, as specified in <xref section="6.3.1" sectionFormat="of" target="RFC9528"/>.</t>
          </section>
        </section>
        <section anchor="m2">
          <name>Message 2</name>
          <section anchor="V_2">
            <name>Processing in V</name>
            <t>V composes EDHOC message_2 as specified in <xref section="5.3.2" sectionFormat="of" target="RFC9528"/>.</t>
            <t>The type of CRED_V may depend on the selected mechanism for the establishment of a secure channel between V and W, See <xref target="creds-table"/>.</t>
            <t>In case the network between U and V is constrained, it is recommended that CRED_V be a CWT Claims Set (CCS) <xref target="RFC8392"/>.
The CCS contains the public authentication key of V encoded as a COSE_Key in the 'cnf' claim, see <xref section="3.5.2" sectionFormat="of" target="RFC9528"/>.
ID_CRED_R contains the CWT Claims Set with 'kccs' as COSE header_map, see <xref section="10.6" sectionFormat="of" target="RFC9528"/>.</t>
          </section>
          <section anchor="processing-in-u-1">
            <name>Processing in U</name>
            <t>U receives EDHOC message_2 from V and processes it as specified in <xref section="5.3.3" sectionFormat="of" target="RFC9528"/>.</t>
          </section>
        </section>
        <section anchor="message-3">
          <name>Message 3</name>
          <section anchor="processing-in-u-2">
            <name>Processing in U</name>
            <t>U prepares EDHOC message_3 with EAD item (-TBD1, Voucher_Info) included in EAD_3, where Voucher_Info is specified in <xref target="U-W"/>.
The negative sign indicates that the EAD item is critical, see <xref section="3.8" sectionFormat="of" target="RFC9528"/>.</t>
          </section>
          <section anchor="processing-in-v-1">
            <name>Processing in V</name>
            <t>V receives EDHOC message_3 from U and processes it as specified in <xref section="5.4.3" sectionFormat="of" target="RFC9528"/>, with the additional step of processing the EAD item in EAD_3.
Since the EAD item is critical, if V does not recognize it or it contains information that V cannot process, then V MUST abort the EDHOC session, see <xref section="3.8" sectionFormat="of" target="RFC9528"/>.
The ead_label = -TBD1 triggers the voucher request to W as described in <xref target="V-W"/>.
The exchange between V and W needs to be completed successfully for the EDHOC session to be continued.</t>
            <t>As part of normal processing of EDHOC message_3, V must verify the credential of U.
It is up to the application to decide whether to verify the credential of U before or after the voucher request to W, see pre and post -verification processing of EAD items in <xref target="I-D.ietf-lake-edhoc-impl-cons"/>.</t>
            <t>In case V has access to a credential database, it MAY query it with ID_CRED_I to obtain a corresponding CRED_U and verify the identity of U before making the Voucher request to W.
If the verification of CRED_U fails, the EDHOC session is aborted.
In this scenario, the EAD item in EAD_3 is processed as a post-verification item <xref target="I-D.ietf-lake-edhoc-impl-cons"/>.</t>
            <t>Alternatively, V MAY proceed and perform a voucher request and wait for a voucher response.
If the response contains CRED_U, V then continues processing EDHOC message_3 where it verifies the credential of U.
Even upon reception of a successful voucher response from W, if the verification of CRED_U fails, the EDHOC session is aborted.
In this scenario, the EAD item in EAD_3 is processed as a pre-verification item <xref target="I-D.ietf-lake-edhoc-impl-cons"/>.</t>
            <t>In case V fails to obtain CRED_U, the session is aborted.</t>
          </section>
        </section>
        <section anchor="m4">
          <name>Message 4</name>
          <section anchor="V_4">
            <name>Processing in V</name>
            <t>At this point, V has authenticated U, and received a valid voucher response from W as described in <xref target="V-W"/>.</t>
            <t>V prepares EDHOC message_4 where, if the voucher response contains a voucher, V includes the critical EAD item (-TBD2, Voucher) in EAD_4, i.e., ead_label = -TBD2 and ead_value = Voucher, as specified in <xref target="voucher"/>.</t>
          </section>
          <section anchor="processing-in-u-3">
            <name>Processing in U</name>
            <t>U receives EDHOC message_4 from V and processes it as specified in <xref section="5.5.3" sectionFormat="of" target="RFC9528"/>, with the additional step of processing EAD_4.</t>
            <t>If EAD_4 contains an EAD item with label = -TBD2, U MUST verify the Voucher using H_12, ID_CRED_I, CRED_V, and the keys derived as in <xref target="voucher"/>.
If the verification fails then U MUST abort the EDHOC session.</t>
            <t>If U does not recognize the EAD item or the EAD item contains information that U cannot process, then U MUST abort the EDHOC session, see <xref section="3.8" sectionFormat="of" target="RFC9528"/>.</t>
            <t>If OPAQUE_INFO is present, it is made available to the application.</t>
          </section>
        </section>
      </section>
      <section anchor="V-W">
        <name>Authenticator &lt;-&gt; Enrollment Server (V &lt;-&gt; W)</name>
        <t>It is assumed that V and W have set up a secure connection, W has accessed the authentication credential CRED_V to be used in the EDHOC session between V and U, and that W has verified that V is in possession of the private key corresponding to CRED_V, see <xref target="domain-auth"/> and <xref target="authz-server"/>.
V and W run the Voucher Request/Response protocol over the secure connection.</t>
        <section anchor="voucher_request">
          <name>Voucher Request</name>
          <section anchor="processing-in-v-2">
            <name>Processing in V</name>
            <t>V sends the voucher request to W.
The Voucher Request SHALL be a CBOR array as defined below:</t>
            <sourcecode type="cddl"><![CDATA[
Voucher_Request = [
    SS:             int,
    EK_CT:          bstr,
    H_12:           bstr,
    ID_CRED_I:      bstr,
    Fetch_CRED_U:   bool,
]
]]></sourcecode>
            <t>where</t>
            <ul spacing="normal">
              <li>
                <t>SS is the selected cipher suite used in the EDHOC session between U and V.</t>
              </li>
              <li>
                <t>EK_CT is either an ephemeral DH public key or a KEM ciphertext set by U, as defined in <xref target="U-W"/>.</t>
              </li>
              <li>
                <t>H_12 corresponds to H(H(message_1), message_2). It is computed as defined in <xref target="voucher"/>.</t>
              </li>
              <li>
                <t>ID_CRED_I is an identifier of CRED_U and is used as the identity of U during ELA execution, see <xref target="device"/>.</t>
              </li>
              <li>
                <t>Fetch_CRED_U is a flag indicating whether W should try to load and return the credential CRED_U corresponding to ID_CRED_I.</t>
              </li>
            </ul>
          </section>
          <section anchor="processing-in-w">
            <name>Processing in W</name>
            <t>W receives and parses the voucher request received over the secure connection with V.
W extracts from Voucher_Request:</t>
            <ul spacing="normal">
              <li>
                <t>SS - the selected cipher suite.</t>
              </li>
              <li>
                <t>EK_CT - either an ephemeral DH public key or a KEM ciphertext.</t>
              </li>
              <li>
                <t>H_12 - the hash of message_1 and message_2.</t>
              </li>
              <li>
                <t>ID_CRED_I - the identifier of U.</t>
              </li>
              <li>
                <t>Fetch_CRED_U - flag indicating whether V requests W to return CRED_U.</t>
              </li>
            </ul>
            <t>W verifies that it supports the cipher suite SS, and uses the corresponding EDHOC Key Exchange Algorithm to determine whether EK_CT contains an ephemeral Diffie-Hellman public key or a KEM ciphertext.</t>
            <t>W uses H_12 as a session identifier, and associates it to the device identifier ID_CRED_I.
Note that EK_CT is unique, as the ephemeral key or the ciphertext MUST not be reused, therefore H_12 is expected to be unique.</t>
            <t>If processing fails up until this point, the protocol SHALL be aborted with an error code signaling a generic issue with the request, see <xref target="rest-voucher-request"/>.</t>
            <t>W uses ID_CRED_I to look up the associated authorization policies for U and enforces them. This is out of scope for the specification.</t>
            <t>If ID_CRED_I is known by W, but authorization fails, the protocol SHALL be aborted with an error code signaling an access control issue, see <xref target="err-handling"/> and <xref target="rest-voucher-request"/>.</t>
            <t>If Fetch_CRED_U is true, W uses ID_CRED_I to try to retrieve the corresponding credential CRED_U.
If retrieval succeeds, W MUST include CRED_U in the voucher response, see <xref target="voucher_response"/>.
If the retrieval fails, W sends the voucher response without CRED_U.
If Fetch_CRED_U is false, W MUST NOT include CRED_U in the voucher response.</t>
          </section>
        </section>
        <section anchor="voucher_response">
          <name>Voucher Response</name>
          <section anchor="processing-in-w-1">
            <name>Processing in W</name>
            <t>In case a Voucher is needed (as determined by the application), W retrieves CRED_V associated with the secure connection with V, and constructs the Voucher for the device with identifier ID_CRED_I (see <xref target="voucher"/>).</t>
            <t>W generates the voucher response and sends it to V over the secure connection.
The Voucher_Response SHALL be a CBOR array as defined below:</t>
            <sourcecode type="cddl"><![CDATA[
Voucher_Response = [
    ? Voucher:        bstr,
    ? CRED_U:       bstr,
]
]]></sourcecode>
            <t>where</t>
            <ul spacing="normal">
              <li>
                <t>The Voucher is defined in <xref target="voucher"/>, if present.</t>
              </li>
              <li>
                <t>CRED_U is the credential of U corresponding to ID_CRED_I passed in the voucher request. CRED_U is included only if Fetch_CRED_U was set in the voucher request and W successfully retrieved the credential.</t>
              </li>
            </ul>
            <t>W signals the successful processing of Voucher_Request via a status code in the REST interface, as defined in <xref target="rest-voucher-request"/>.</t>
          </section>
          <section anchor="processing-in-v-3">
            <name>Processing in V</name>
            <t>V receives the voucher response from W over the secure connection.
If the voucher response is successfully received from W, then V responds to U with EDHOC message_4 as described in <xref target="V_4"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="err-handling">
        <name>Error Handling</name>
        <t>This section specifies a new EDHOC error code and how it is used in ELA.</t>
        <section anchor="edhoc-error-access-denied">
          <name>EDHOC Error "Access denied"</name>
          <t>This section specifies the new EDHOC error "Access denied", see <xref target="fig-error-codes"/>.</t>
          <figure anchor="fig-error-codes">
            <name>EDHOC error code and error information for ‘Access denied’.</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="112" width="568" viewBox="0 0 568 112" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                  <path d="M 96,32 L 96,96" fill="none" stroke="black"/>
                  <path d="M 232,32 L 232,96" fill="none" stroke="black"/>
                  <path d="M 560,32 L 560,96" fill="none" stroke="black"/>
                  <path d="M 8,32 L 560,32" fill="none" stroke="black"/>
                  <path d="M 8,62 L 560,62" fill="none" stroke="black"/>
                  <path d="M 8,66 L 560,66" fill="none" stroke="black"/>
                  <path d="M 8,96 L 560,96" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="52" y="52">ERR_CODE</text>
                    <text x="140" y="52">ERR_INFO</text>
                    <text x="196" y="52">Type</text>
                    <text x="288" y="52">Description</text>
                    <text x="68" y="84">TBD3</text>
                    <text x="160" y="84">error_content</text>
                    <text x="268" y="84">Access</text>
                    <text x="324" y="84">denied</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+----------+----------------+----------------------------------------+
| ERR_CODE | ERR_INFO Type  | Description                            |
+==========+================+========================================+
|     TBD3 | error_content  | Access denied                          |
+----------+----------------+----------------------------------------+
]]></artwork>
            </artset>
          </figure>
          <t>Error code TBD3 is used to indicate to the receiver that access control has been applied and the sender has aborted the EDHOC session.
The ERR_INFO field contains error_content which is a CBOR Sequence consisting of an integer and an optional byte string.</t>
          <sourcecode type="cddl"><![CDATA[
error_content = (
  REJECT_TYPE:      int,
  ? REJECT_INFO:    bstr,
)
]]></sourcecode>
          <t>Where:</t>
          <ul spacing="normal">
            <li>
              <t>REJECT_TYPE specifies the type and handling of the optional REJECT_INFO field.</t>
            </li>
            <li>
              <t>REJECT_INFO, if present, provides verifiable and actionable information to the receiver about the error, so that an automated action may be taken to try to obtain access, e.g. in the form of a retry request.</t>
            </li>
          </ul>
          <figure anchor="fig-reject">
            <name>REJECT_TYPE and REJECT_INFO for ‘Access denied’.</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="144" width="568" viewBox="0 0 568 144" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,128" fill="none" stroke="black"/>
                  <path d="M 120,32 L 120,128" fill="none" stroke="black"/>
                  <path d="M 248,32 L 248,128" fill="none" stroke="black"/>
                  <path d="M 560,32 L 560,128" fill="none" stroke="black"/>
                  <path d="M 8,32 L 560,32" fill="none" stroke="black"/>
                  <path d="M 8,62 L 560,62" fill="none" stroke="black"/>
                  <path d="M 8,66 L 560,66" fill="none" stroke="black"/>
                  <path d="M 8,96 L 560,96" fill="none" stroke="black"/>
                  <path d="M 8,128 L 560,128" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="64" y="52">REJECT_TYPE</text>
                    <text x="176" y="52">REJECT_INFO</text>
                    <text x="304" y="52">Description</text>
                    <text x="104" y="84">0</text>
                    <text x="136" y="84">-</text>
                    <text x="268" y="84">No</text>
                    <text x="328" y="84">REJECT_INFO</text>
                    <text x="104" y="116">1</text>
                    <text x="148" y="116">bstr</text>
                    <text x="304" y="116">REJECT_INFO</text>
                    <text x="372" y="116">from</text>
                    <text x="424" y="116">trusted</text>
                    <text x="480" y="116">third</text>
                    <text x="528" y="116">party</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+-------------+---------------+--------------------------------------+
| REJECT_TYPE | REJECT_INFO   | Description                          |
+=============+===============+======================================+
|           0 | -             | No REJECT_INFO                       |
+-------------+---------------+--------------------------------------+
|           1 | bstr          | REJECT_INFO from trusted third party |
+-------------+---------------+--------------------------------------+
]]></artwork>
            </artset>
          </figure>
        </section>
        <section anchor="error-handling-in-w-v-and-u">
          <name>Error handling in W, V, and U</name>
          <t>ELA uses the EDHOC Error "Access denied" in the following way:</t>
          <ul spacing="normal">
            <li>
              <t>W generates error_content and transfers it to V via the secure connection.
If REJECT_TYPE is 1, then REJECT_INFO is encrypted from W to U using the EDHOC AEAD algorithm.
W signals the error via an appropriate status code in the REST interface, as defined in <xref target="rest-voucher-request"/>.</t>
            </li>
            <li>
              <t>V receives error_content, prepares an EDHOC "Access denied" error, and sends it to U.</t>
            </li>
            <li>
              <t>U receives the error message and extracts the error_content.
If REJECT_TYPE is 1, then U decrypts REJECT_INFO, based on which it may retry to gain access.</t>
            </li>
          </ul>
          <t>The encryption of REJECT_INFO follows a procedure analogous to the one defined in <xref target="voucher"/>, with the following differences:</t>
          <sourcecode type="cddl"><![CDATA[
plaintext = (
    OPAQUE_INFO:   bstr,
 )
]]></sourcecode>
          <sourcecode type="cddl"><![CDATA[
external_aad = (
    H_12:          bstr,
 )
]]></sourcecode>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>OPAQUE_INFO is an opaque field that contains actionable information about the error.
It may contain, for example, a list of suggested Vs through which U should join instead.</t>
            </li>
            <li>
              <t>H_12 is the hash of EDHOC message_1 and message_2, obtained from the associated voucher request, see <xref target="voucher_request"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="reverse-u-responder">
        <name>Reverse flow with U as Responder</name>
        <t>This section presents a protocol variant in which U is the EDHOC Responder.
This may allow optimizations in certain constrained network technologies.
For example, one use case is having V broadcast message_1, to which U responds with a message_2 whose EAD_2 field contains Voucher_Info.</t>
        <t>Note that this is different from the EDHOC reverse message flow defined in <xref section="A.2.2" sectionFormat="of" target="RFC9528"/>, since we make no assumption about whether U or V is a CoAP server.</t>
        <section anchor="_u-initiator">
          <name>Baseline: U is the Initiator</name>
          <t>For clarity, we first present the regular flow with U as Initiator, as described in <xref target="protocol-overview"/> and <xref target="U-V"/>.
Note that Voucher_Info and Voucher are carried in EDHOC message_3 and message_4, respectively.</t>
          <figure anchor="fig-u-initiator">
            <name>In ELA regular flow, U is the EDHOC Initiator.</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="568" viewBox="0 0 568 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 56,80 L 56,448" fill="none" stroke="black"/>
                  <path d="M 104,32 L 104,80" fill="none" stroke="black"/>
                  <path d="M 264,32 L 264,80" fill="none" stroke="black"/>
                  <path d="M 312,80 L 312,448" fill="none" stroke="black"/>
                  <path d="M 360,32 L 360,80" fill="none" stroke="black"/>
                  <path d="M 560,224 L 560,368" fill="none" stroke="black"/>
                  <path d="M 8,32 L 104,32" fill="none" stroke="black"/>
                  <path d="M 264,32 L 360,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 104,80" fill="none" stroke="black"/>
                  <path d="M 264,80 L 360,80" fill="none" stroke="black"/>
                  <path d="M 56,128 L 304,128" fill="none" stroke="black"/>
                  <path d="M 64,176 L 304,176" fill="none" stroke="black"/>
                  <path d="M 56,224 L 304,224" fill="none" stroke="black"/>
                  <path d="M 312,272 L 552,272" fill="none" stroke="black"/>
                  <path d="M 320,352 L 560,352" fill="none" stroke="black"/>
                  <path d="M 64,416 L 304,416" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="560,272 548,266.4 548,277.6" fill="black" transform="rotate(0,552,272)"/>
                  <polygon class="arrowhead" points="328,352 316,346.4 316,357.6" fill="black" transform="rotate(180,320,352)"/>
                  <polygon class="arrowhead" points="312,224 300,218.4 300,229.6" fill="black" transform="rotate(0,304,224)"/>
                  <polygon class="arrowhead" points="312,128 300,122.4 300,133.6" fill="black" transform="rotate(0,304,128)"/>
                  <polygon class="arrowhead" points="72,416 60,410.4 60,421.6" fill="black" transform="rotate(180,64,416)"/>
                  <polygon class="arrowhead" points="72,176 60,170.4 60,181.6" fill="black" transform="rotate(180,64,176)"/>
                  <g class="text">
                    <text x="56" y="52">U</text>
                    <text x="312" y="52">V</text>
                    <text x="56" y="68">Initiator</text>
                    <text x="312" y="68">Responder</text>
                    <text x="136" y="116">EDHOC</text>
                    <text x="200" y="116">message_1</text>
                    <text x="136" y="164">EDHOC</text>
                    <text x="200" y="164">message_2</text>
                    <text x="136" y="212">EDHOC</text>
                    <text x="200" y="212">message_3</text>
                    <text x="560" y="212">W</text>
                    <text x="88" y="244">EAD_3</text>
                    <text x="120" y="244">=</text>
                    <text x="160" y="244">(-TBD1,</text>
                    <text x="248" y="244">Voucher_info)</text>
                    <text x="436" y="260">VREQ</text>
                    <text x="396" y="292">(SS,</text>
                    <text x="444" y="292">EK_CT,</text>
                    <text x="496" y="292">H_12,</text>
                    <text x="388" y="308">ID_CRED_I,</text>
                    <text x="488" y="308">Fetch_CRED_U)</text>
                    <text x="436" y="340">VRES</text>
                    <text x="404" y="372">(?Voucher,</text>
                    <text x="484" y="372">?CRED_U)</text>
                    <text x="136" y="404">EDHOC</text>
                    <text x="200" y="404">message_4</text>
                    <text x="108" y="436">?EAD_4</text>
                    <text x="144" y="436">=</text>
                    <text x="184" y="436">(-TBD2,</text>
                    <text x="252" y="436">Voucher)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
+-----+-----+                   +-----------+
|     U     |                   |     V     |
| Initiator |                   | Responder |
+-----+-----+                   +-----+-----+
      |                               |
      |       EDHOC message_1         |
      +------------------------------>|
      |                               |
      |       EDHOC message_2         |
      +<------------------------------|
      |                               |
      |       EDHOC message_3         |                              W
      +------------------------------>|                              |
      | EAD_3 = (-TBD1, Voucher_info) |                              |
      |                               |             VREQ             |
      |                               +----------------------------->|
      |                               |        (SS, EK_CT, H_12,     |
      |                               |    ID_CRED_I, Fetch_CRED_U)  |
      |                               |                              |
      |                               |             VRES             |
      |                               |<-----------------------------+
      |                               |      (?Voucher, ?CRED_U)     |
      |                               |
      |       EDHOC message_4         |
      +<------------------------------|
      |   ?EAD_4 = (-TBD2, Voucher)   |
      |                               |
]]></artwork>
            </artset>
          </figure>
          <t>In the ELA regular flow, once message_4 processing is finalized (including processing of EAD_4), both U and V are authorized to interact.</t>
        </section>
        <section anchor="_u-responder">
          <name>U is the Responder</name>
          <t>ELA also works with U as the EDHOC Responder, a setup we refer to as the "ELA reverse flow", as shown in <xref target="fig-u-responder"/>.</t>
          <t>We present this variant as a set of changes to the regular protocol flow.
That is, here we only describe the differences in processing, when compared to the ELA regular flow.</t>
          <t>Here is a summary of the changes needed in the ELA reverse flow:</t>
          <ul spacing="normal">
            <li>
              <t>Voucher_Info and Voucher are transported in EDHOC message_2 and message_3, respectively (instead of message_3 and message_4).</t>
            </li>
            <li>
              <t>The EAD_2 and EAD_3 fields carry critical EAD items identified with labels -TBD1 and -TBD2, respectively.</t>
            </li>
            <li>
              <t>The VREQ / VRES protocol takes place between message_2 and message_3.</t>
            </li>
          </ul>
          <figure anchor="fig-u-responder">
            <name>ELA when U is the EDHOC Responder.</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="480" width="568" viewBox="0 0 568 480" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 56,80 L 56,464" fill="none" stroke="black"/>
                  <path d="M 104,32 L 104,80" fill="none" stroke="black"/>
                  <path d="M 264,32 L 264,80" fill="none" stroke="black"/>
                  <path d="M 312,80 L 312,464" fill="none" stroke="black"/>
                  <path d="M 360,32 L 360,80" fill="none" stroke="black"/>
                  <path d="M 560,224 L 560,368" fill="none" stroke="black"/>
                  <path d="M 8,32 L 104,32" fill="none" stroke="black"/>
                  <path d="M 264,32 L 360,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 104,80" fill="none" stroke="black"/>
                  <path d="M 264,80 L 360,80" fill="none" stroke="black"/>
                  <path d="M 64,176 L 304,176" fill="none" stroke="black"/>
                  <path d="M 56,224 L 304,224" fill="none" stroke="black"/>
                  <path d="M 312,272 L 552,272" fill="none" stroke="black"/>
                  <path d="M 320,352 L 560,352" fill="none" stroke="black"/>
                  <path d="M 64,416 L 304,416" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="560,272 548,266.4 548,277.6" fill="black" transform="rotate(0,552,272)"/>
                  <polygon class="arrowhead" points="328,352 316,346.4 316,357.6" fill="black" transform="rotate(180,320,352)"/>
                  <polygon class="arrowhead" points="312,224 300,218.4 300,229.6" fill="black" transform="rotate(0,304,224)"/>
                  <polygon class="arrowhead" points="72,416 60,410.4 60,421.6" fill="black" transform="rotate(180,64,416)"/>
                  <polygon class="arrowhead" points="72,176 60,170.4 60,181.6" fill="black" transform="rotate(180,64,176)"/>
                  <g class="text">
                    <text x="56" y="52">U</text>
                    <text x="312" y="52">V</text>
                    <text x="56" y="68">Responder</text>
                    <text x="312" y="68">Initiator</text>
                    <text x="144" y="116">Trigger</text>
                    <text x="208" y="116">Message</text>
                    <text x="64" y="132">-</text>
                    <text x="80" y="132">-</text>
                    <text x="96" y="132">-</text>
                    <text x="112" y="132">-</text>
                    <text x="128" y="132">-</text>
                    <text x="144" y="132">-</text>
                    <text x="160" y="132">-</text>
                    <text x="176" y="132">-</text>
                    <text x="192" y="132">-</text>
                    <text x="208" y="132">-</text>
                    <text x="224" y="132">-</text>
                    <text x="240" y="132">-</text>
                    <text x="256" y="132">-</text>
                    <text x="272" y="132">-</text>
                    <text x="288" y="132">-</text>
                    <text x="304" y="132">&gt;</text>
                    <text x="136" y="164">EDHOC</text>
                    <text x="200" y="164">message_1</text>
                    <text x="136" y="212">EDHOC</text>
                    <text x="200" y="212">message_2</text>
                    <text x="560" y="212">W</text>
                    <text x="88" y="244">EAD_2</text>
                    <text x="120" y="244">=</text>
                    <text x="160" y="244">(-TBD1,</text>
                    <text x="248" y="244">Voucher_info)</text>
                    <text x="436" y="260">VREQ</text>
                    <text x="388" y="292">(SS,</text>
                    <text x="436" y="292">EK_CT,</text>
                    <text x="488" y="292">H_12,</text>
                    <text x="388" y="308">ID_CRED_I,</text>
                    <text x="488" y="308">Fetch_CRED_U)</text>
                    <text x="436" y="340">VRES</text>
                    <text x="404" y="372">(?Voucher,</text>
                    <text x="484" y="372">?CRED_U)</text>
                    <text x="120" y="404">EDHOC</text>
                    <text x="184" y="404">message_3</text>
                    <text x="108" y="436">?EAD_3</text>
                    <text x="144" y="436">=</text>
                    <text x="184" y="436">(-TBD2,</text>
                    <text x="252" y="436">Voucher)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
+-----+-----+                   +-----------+
|     U     |                   |     V     |
| Responder |                   | Initiator |
+-----+-----+                   +-----+-----+
      |                               |
      |       Trigger Message         |
      +- - - - - - - - - - - - - - - >|
      |                               |
      |       EDHOC message_1         |
      +<------------------------------|
      |                               |
      |       EDHOC message_2         |                              W
      +------------------------------>|                              |
      | EAD_2 = (-TBD1, Voucher_info) |                              |
      |                               |             VREQ             |
      |                               +----------------------------->|
      |                               |       (SS, EK_CT, H_12,      |
      |                               |    ID_CRED_I, Fetch_CRED_U)  |
      |                               |                              |
      |                               |             VRES             |
      |                               |<-----------------------------+
      |                               |      (?Voucher, ?CRED_U)     |
      |                               |
      |     EDHOC message_3           |
      +<------------------------------|
      |   ?EAD_3 = (-TBD2, Voucher)   |
      |                               |
      |                               |
]]></artwork>
            </artset>
          </figure>
          <t>The following sections detail how the processing of ELA reverse flow changes in each of the three security sessions (U-W, U-V, V-W), when compared to the baseline ELA regular flow described in sections <xref target="protocol-overview"/> to <xref target="err-handling"/>.</t>
          <section anchor="reverse-u-w">
            <name>Reverse U &lt;-&gt; W</name>
            <t>The protocol between U and W is carried between U and V in message_2 and message_3, and between V and W in the Voucher Request/Response (<xref target="V-W"/>).</t>
            <t>Voucher_Info:</t>
            <ul spacing="normal">
              <li>
                <t>Voucher_Info is carried in EAD_2.</t>
              </li>
              <li>
                <t>It uses a critical EAD item with ead_label = -TBD1 and ead_value = Voucher_Info.</t>
              </li>
            </ul>
            <t>Voucher:</t>
            <ul spacing="normal">
              <li>
                <t>The Voucher is carried in EAD_3.</t>
              </li>
              <li>
                <t>It uses a critical EAD item with ead_label = -TBD2 and ead_value = Voucher.</t>
              </li>
            </ul>
          </section>
          <section anchor="reverse-u-v">
            <name>Reverse U &lt;-&gt; V</name>
            <t>Message 1:</t>
            <ul spacing="normal">
              <li>
                <t>V composes message_1 and sends it to U.</t>
              </li>
              <li>
                <t>U processes message_1 and extracts SS.</t>
              </li>
            </ul>
            <t>Message 2:</t>
            <ul spacing="normal">
              <li>
                <t>U composes message_2 with a critical EAD item (-TBD1, Voucher_Info) included in EAD_2.</t>
              </li>
              <li>
                <t>U sends message_2 to V.</t>
              </li>
              <li>
                <t>V processes message_2 and the EAD item in EAD_2, extracting the Voucher_Info struct.</t>
              </li>
              <li>
                <t>V sends the voucher request to W.</t>
              </li>
            </ul>
            <t>Here, V can choose to validate CRED_U before or after making the voucher request, depending on application requirements and availability of CRED_U, as detailed in <xref target="U-V"/>.</t>
            <t>Message 3:</t>
            <ul spacing="normal">
              <li>
                <t>V receives the voucher response from W.</t>
              </li>
              <li>
                <t>V sends message_3 with critical EAD item (-TBD2, Voucher) included in EAD_3.</t>
              </li>
              <li>
                <t>U processes message_3 and the EAD item in EAD_3.</t>
              </li>
            </ul>
            <t>The ELA reverse flow does not require sending a final EDHOC message_4.</t>
          </section>
          <section anchor="reverse-v-w">
            <name>Reverse V &lt;-&gt; W</name>
            <t>Processing in V:</t>
            <ul spacing="normal">
              <li>
                <t>The Voucher_Request fields are prepared as defined in <xref target="voucher_request"/>, with the following changes:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>EK_CT is as extracted from the EAD_2 field of message_2.</t>
                  </li>
                </ul>
              </li>
            </ul>
            <t>Processing in W happens as specified in <xref target="voucher_request"/>.</t>
          </section>
        </section>
        <section anchor="interoperability-considerations">
          <name>Interoperability considerations</name>
          <t>A Device (U) MUST implement one of the ELA flows, and it MAY choose to implement both.</t>
          <t>V MUST support both regular and reverse flows.</t>
          <t>From the point of view of W, there is no difference whether U and V run as EDHOC Initiator or Responder.</t>
        </section>
        <section anchor="security-implications">
          <name>Security implications</name>
          <t>In the reverse flow, Voucher_Info is confidentiality and integrity protected, while Voucher is also authenticated.
These properties are inherited from EDHOC message_2 and message_3.
In contrast, the ELA regular flow provides confidentiality, integrity protection, and authentication to both Voucher_Info and Voucher, as inherited from EDHOC message_3 and message_4.</t>
        </section>
      </section>
    </section>
    <section anchor="rest_interface">
      <name>REST Interface at W</name>
      <t>The interaction between V and W is enabled through a RESTful interface exposed by W.
This RESTful interface MAY be implemented using either HTTP or CoAP.
V SHOULD access the resources exposed by W through the protocol indicated by the scheme in the LOC_W URI.</t>
      <section anchor="scheme-https">
        <name>Scheme "https"</name>
        <t>In case the scheme indicates "https", V MUST perform a TLS handshake with W and access the resources defined in <xref target="uris"/> using HTTP.
If the authentication credential CRED_V can be used in a TLS handshake, e.g., an X.509 certificate of a signature public key, then V SHOULD use it to authenticate to W as a client.
If the authentication credential CRED_V cannot be used in a TLS handshake, e.g., if the public key is a static key, then V SHOULD first perform a TLS handshake with W using available compatible keys.
V MUST then perform an EDHOC session over the TLS connection proving to W the possession of the private key corresponding to CRED_V.
Performing the EDHOC session is only necessary if V did not authenticate with CRED_V in the TLS handshake with W.</t>
        <t>The relationship between V and W is long-lived.  HTTP/1.1 and higher support persistent connections, and SHOULD be used in order to reduce overhead if a flood of new devices need to be onboarded.  Support for TLS session resumptions tickets <xref section="2.2" sectionFormat="comma" target="RFC8446"/> is appropriate for longer term associations.
While a policy for renewal of the TLS connection should be applied, it is out of scope of this document.</t>
      </section>
      <section anchor="scheme-coaps">
        <name>Scheme "coaps"</name>
        <t>In case the scheme indicates "coaps", V SHOULD perform a DTLS handshake with W and access the resources defined in <xref target="uris"/> using CoAP.
The normative requirements in <xref target="scheme-https"/> on performing the DTLS handshake and EDHOC session remain the same, except that TLS is replaced with DTLS.
As in <xref target="scheme-https"/>, it is RECOMMENDED to allow reuse of the DTLS session.</t>
      </section>
      <section anchor="scheme-coap">
        <name>Scheme "coap"</name>
        <t>In case the scheme indicates "coap", V SHOULD perform an EDHOC session with W, as specified in <xref section="A" sectionFormat="of" target="RFC9528"/> and access the resources defined in <xref target="uris"/> using OSCORE <xref target="RFC8613"/> and CoAP.
The authentication credential in this EDHOC session MUST be CRED_V.
As in <xref target="scheme-https"/>, it is RECOMMENDED to allow reuse of the EDHOC session.</t>
      </section>
      <section anchor="uris">
        <name>URIs</name>
        <t>The URIs defined below are valid for both HTTP and CoAP.
W MUST support the use of the path-prefix "/.well-known/", as defined in <xref target="RFC8615"/>, and the registered name "lake-authz".
A valid URI in case of HTTP thus begins with</t>
        <ul spacing="normal">
          <li>
            <t>"https://www.example.com/.well-known/lake-authz"</t>
          </li>
        </ul>
        <t>In case of CoAP with DTLS:</t>
        <ul spacing="normal">
          <li>
            <t>"coaps://example.com/.well-known/lake-authz"</t>
          </li>
        </ul>
        <t>In case of EDHOC and OSCORE:</t>
        <ul spacing="normal">
          <li>
            <t>"coap://example.com/.well-known/lake-authz"</t>
          </li>
        </ul>
        <t>Each operation specified in the following is indicated by a path-suffix.</t>
        <section anchor="rest-voucher-request">
          <name>Voucher Request (/voucherrequest)</name>
          <t>To request a voucher, V MUST issue a request such that:</t>
          <ul spacing="normal">
            <li>
              <t>Method is POST</t>
            </li>
            <li>
              <t>Payload is the serialization of the Voucher Request object, as specified in <xref target="voucher_request"/>.</t>
            </li>
            <li>
              <t>Content-Format (Content-Type) is set to "application/lake-authz-voucherrequest+cbor"</t>
            </li>
          </ul>
          <t>In case of successful processing at W, W MUST issue a response such that:</t>
          <ul spacing="normal">
            <li>
              <t>Status code is 200 OK if using HTTP, or 2.04 Changed if using CoAP</t>
            </li>
            <li>
              <t>Payload is the serialized Voucher Response object, as specified in <xref target="voucher_response"/></t>
            </li>
            <li>
              <t>Content-Format (Content-Type) is set to "application/lake-authz-voucherresponse+cbor"</t>
            </li>
          </ul>
          <t>In case of error, two cases should be considered:</t>
          <ul spacing="normal">
            <li>
              <t>Voucher Request processing fails. In this case, W MUST reply with 400 Bad Request if using HTTP, or 4.00 if using CoAP.</t>
            </li>
            <li>
              <t>U is not authorized: this happens if W is able to process the Voucher Request, but the access policies forbid authorization. For example, the policy could enforce enrollment to a restricted list of identities, within a delimited time window, via a specific V, etc. In this case, W MUST reply with a 403 Forbidden code if using HTTP, or 4.03 if using CoAP; the payload is the serialized error_content object, with Content-Format (Content-Type) set to "application/lake-authz-vouchererror+cbor". The payload MAY be used by V to prepare an EDHOC error "Access Denied", see <xref target="err-handling"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="certificate-request-certrequest">
          <name>Certificate Request (/certrequest)</name>
          <t>V requests the public key certificate of U from W through the "/certrequest" path-suffix.
To request U's authentication credential, V MUST issue a request such that:</t>
          <ul spacing="normal">
            <li>
              <t>Method is POST</t>
            </li>
            <li>
              <t>Payload is the serialization of the ID_CRED_I (ID_CRED_R) object, as received in EDHOC message_3 (message_2).</t>
            </li>
            <li>
              <t>Content-Format (Content-Type) is set to "application/lake-authz-certrequest+cbor"</t>
            </li>
          </ul>
          <t>In case of a successful lookup of the authentication credential at W, W MUST issue a response such that:</t>
          <ul spacing="normal">
            <li>
              <t>Status code is 200 OK if using HTTP, or 2.04 Changed if using CoAP</t>
            </li>
            <li>
              <t>Payload is the serialized CRED_U</t>
            </li>
            <li>
              <t>Content-Format (Content-Type) is set to "application/lake-authz-certresponse+cbor"</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="sec-cons">
      <name>Security Considerations</name>
      <t>This specification builds on and reuses many of the security constructions of EDHOC, e.g., shared secret calculation and key derivation.
The security considerations of EDHOC <xref target="RFC9528"/> apply with modifications discussed here.
These considerations apply to the ELA regular flow.
For considerations about the ELA reverse flow, see <xref target="reverse-u-responder"/>.</t>
      <t>The Voucher_Info and Voucher structs are sent over authenticated channels that are confidentiality and integrity protected between U and V, i.e., in EDHOC fields EAD_3 and EAD_4.
While ELA reuses several components of EDHOC, it does not reuse keys from EDHOC (such as the ephemeral key G_X when using DH) to protect fields Voucher_Info and Voucher.
Reuse of G_X is avoided since ephemeral keys are expected to be used only once.
Similarly, for KEM-based methods a fresh encapsulation is performed for each session.</t>
      <t>ELA is compatible with the currently standardized Diffie-Hellman shared secret derivation of EDHOC.
Considering cryptographic recommendations by government agencies and the industry, ELA is also compatible with post-quantum cryptography primitives for deriving a shared secret, namely via the EK_CT field which can contain a KEM ciphertext according to the selected cipher suite.
Post-quantum KEMs that could be used in EDHOC are currently under standardization in COSE <xref target="I-D.ietf-jose-pqc-kem"/>.</t>
      <t>EDHOC provides identity protection of the Initiator, here the device.
In ELA, the device U will share its identity with an authenticated V, albeit before knowing (via the Voucher received from W) whether U is authorized to interact with W.</t>
      <t>W may be used for lookup of CRED_U from ID_CRED_I, or this credential lookup function may be separate from the authorization function of W, see <xref target="U-V"/>.
The trust model used here is that U reveals its identity to any V, before knowing if the ELA authorization flow will be successfully completed.
In onboarding use cases, U MAY choose to use an onboarding-only identity, whereas future operational communications can use a different identity under the already established secure channel.</t>
      <t>In the ELA regular flow, EDHOC message_4 is mandatory since it carries the Voucher.
Implementations MUST NOT omit message_4 when ELA is in use.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="iana-ead">
        <name>EDHOC External Authorization Data Registry</name>
        <t>IANA has registered the following entries in the "EDHOC External Authorization Data" registry under the group name "Ephemeral Diffie-
   Hellman Over COSE (EDHOC)".</t>
        <table anchor="ead-table">
          <name>Addition to the EDHOC EAD registry</name>
          <thead>
            <tr>
              <th align="right">Name</th>
              <th align="left">Label</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="right">Voucher_Info</td>
              <td align="left">TBD1</td>
              <td align="left">Voucher_Info structure (a byte string), prepared by the Device (U).</td>
            </tr>
            <tr>
              <td align="right">Voucher</td>
              <td align="left">TBD2</td>
              <td align="left">Voucher structure (a byte string), prepared by the Enrollment Server (W).</td>
            </tr>
          </tbody>
        </table>
        <t>The ead_label = TBD1 corresponds to the ead_value = Voucher_Info, which can be carried in either EAD_2 or EAD_3, depending on whether U acts as EDHOC Initiator or Responder, see <xref target="reverse-u-responder"/>.</t>
        <t>The ead_label = TBD2 corresponds to ead_value = Voucher, and can be carried in either EAD_3 or EAD_4, see <xref target="reverse-u-responder"/>.</t>
        <t>Note for IANA reviewers: the preferred value range is 0-23 (Standards Action with Expert Review).</t>
      </section>
      <section anchor="the-well-known-uri-registry">
        <name>The Well-Known URI Registry</name>
        <t>IANA has registered the following entry in "The Well-Known URI Registry", using the template from <xref target="RFC8615"/>:</t>
        <ul spacing="normal">
          <li>
            <t>URI suffix: lake-authz</t>
          </li>
          <li>
            <t>Change controller: IETF</t>
          </li>
          <li>
            <t>Specification document: [[this document]]</t>
          </li>
          <li>
            <t>Status: permanent</t>
          </li>
          <li>
            <t>Related information: None</t>
          </li>
        </ul>
      </section>
      <section anchor="well-known-name-under-arpa-name-space">
        <name>Well-Known Name Under ".arpa" Name Space</name>
        <t>This document allocates a well-known name under the .arpa name space according to the rules given in <xref target="RFC3172"/> and <xref target="RFC6761"/>.
The name "lake-authz.arpa" is requested.
No subdomains are expected, and addition of any such subdomains requires the publication of an IETF Standards Track RFC.
No A, AAAA, or PTR record is requested.</t>
        <section anchor="domain-name-reservation-considerations">
          <name>Domain Name Reservation Considerations</name>
          <t>As required by <xref target="RFC6761"/>, the following considerations apply to the reservation of "lake-authz.arpa":</t>
          <ol spacing="normal" type="1"><li>
              <t>Users:
Are human users expected to recognize these names as special and use them differently? In what way?</t>
            </li>
          </ol>
          <t>No. This name is not intended for direct use or recognition by human users.</t>
          <ol spacing="normal" type="1"><li>
              <t>Application Software:
Are writers of application software expected to make their software recognize these names as special and treat them differently? In what way? (For example, if a human user enters such a name, should the application software reject it with an error message?)</t>
            </li>
          </ol>
          <t>Yes. Applications that implement ELA and use CoAP may include "lake-authz.arpa" in the URI-Host option when the Device (U) does not yet know the address or identity of the Authenticator (V), such as during zero-touch enrollment.</t>
          <ol spacing="normal" type="1"><li>
              <t>Name Resolution APIs and Libraries:
Are writers of name resolution APIs and libraries expected to make their software recognize these names as special and treat them differently? If so, how?</t>
            </li>
          </ol>
          <t>No.</t>
          <ol spacing="normal" type="1"><li>
              <t>Caching DNS Servers:
Are developers of caching domain name servers expected to make their implementations recognize these names as special and treat them differently? If so, how?</t>
            </li>
          </ol>
          <t>No.</t>
          <ol spacing="normal" type="1"><li>
              <t>Authoritative DNS Servers:
Are developers of authoritative domain name servers expected to make their implementations recognize these names as special and treat them differently? If so, how?</t>
            </li>
          </ol>
          <t>No.</t>
          <ol spacing="normal" type="1"><li>
              <t>DNS Server Operators:
Does this reserved Special-Use Domain Name have any potential impact on DNS server operators? If they try to configure their authoritative DNS server as authoritative for this reserved name, will compliant name server software reject it as invalid? Do DNS server operators need to know about that and understand why? Even if the name server software doesn't prevent them from using this reserved name, are there other ways that it may not work as expected, of which the DNS server operator should be aware?</t>
            </li>
          </ol>
          <t>No.</t>
          <ol spacing="normal" type="1"><li>
              <t>DNS Registries/Registrars:
How should DNS Registries/Registrars treat requests to register this reserved domain name? Should such requests be denied? Should such requests be allowed, but only to a specially designated entity? (For example, the name "www.example.org" is reserved for documentation examples and is not available for registration; however, the name is in fact registered; and there is even a website at that name, which states circularly that the name is reserved for use in documentation and cannot be registered!)</t>
            </li>
          </ol>
          <t>Any requests to register this domain name should be denied.</t>
        </section>
      </section>
      <section anchor="media-types-registry">
        <name>Media Types Registry</name>
        <t>IANA has added the media types "application/lake-authz-voucherrequest+cbor" to the "Media Types" registry.</t>
        <section anchor="applicationlake-authz-voucherrequestcbor-media-type-registration">
          <name>application/lake-authz-voucherrequest+cbor Media Type Registration</name>
          <ul spacing="normal">
            <li>
              <t>Type name: application</t>
            </li>
            <li>
              <t>Subtype name: lake-authz-voucherrequest+cbor</t>
            </li>
            <li>
              <t>Required parameters: N/A</t>
            </li>
            <li>
              <t>Optional parameters: N/A</t>
            </li>
            <li>
              <t>Encoding considerations: binary (CBOR)</t>
            </li>
            <li>
              <t>Security considerations: See <xref target="sec-cons"/> of this document.</t>
            </li>
            <li>
              <t>Interoperability considerations: N/A</t>
            </li>
            <li>
              <t>Published specification: [[this document]] (this document)</t>
            </li>
            <li>
              <t>Application that use this media type: To be identified</t>
            </li>
            <li>
              <t>Fragment identifier considerations: N/A</t>
            </li>
            <li>
              <t>Additional information:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Magic number(s): N/A</t>
                </li>
                <li>
                  <t>File extension(s): N/A</t>
                </li>
                <li>
                  <t>Macintosh file type code(s): N/A</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Person &amp; email address to contact for further information: IETF LAKE Working Group (lake@ietf.org)</t>
            </li>
            <li>
              <t>Intended usage: COMMON</t>
            </li>
            <li>
              <t>Restrictions on usage: N/A</t>
            </li>
            <li>
              <t>Author: LAKE WG</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="coap-content-formats-registry">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA has added the following Content-Format number in the "CoAP Content-Formats" registry under the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <table anchor="coap-content-formats">
          <name>Addition to the CoAP Content-Formats registry</name>
          <thead>
            <tr>
              <th align="left">Content Type</th>
              <th align="left">Content Coding</th>
              <th align="left">ID</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">application/lake-authz-voucherrequest+cbor</td>
              <td align="left">-</td>
              <td align="left">TBD3</td>
              <td align="left">[[this document]]</td>
            </tr>
          </tbody>
        </table>
        <t>Note for IANA reviewers: the preferred value range is 0-255 (Expert Review).</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8366" target="https://www.rfc-editor.org/info/rfc8366" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml">
          <front>
            <title>A Voucher Artifact for Bootstrapping Protocols</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
            <author fullname="T. Eckert" initials="T." surname="Eckert"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher".</t>
              <t>This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)).</t>
              <t>This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8366"/>
          <seriesInfo name="DOI" value="10.17487/RFC8366"/>
        </reference>
        <reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8392" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9052" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8613" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC9528" target="https://www.rfc-editor.org/info/rfc9528" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9528.xml">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="NIST-800-56A" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography - NIST Special Publication 800-56A, Revision 3</title>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen" fullname="Lily Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky" fullname="Allen Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev" fullname="Apostol Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis" fullname="Richard Davis">
              <organization/>
            </author>
            <date year="2018" month="April"/>
          </front>
        </reference>
        <reference anchor="NIST-800-227" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-227.pdf">
          <front>
            <title>Recommendations for Key-Encapsulation Mechanisms - NIST Special Publication 800-227</title>
            <author initials="G." surname="Alagic" fullname="Gorjan Alagic">
              <organization/>
            </author>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen" fullname="Lily Chen">
              <organization/>
            </author>
            <author initials="D." surname="Moody" fullname="Dustin Moody">
              <organization/>
            </author>
            <author initials="A." surname="Robinson" fullname="Angela Robinson">
              <organization/>
            </author>
            <author initials="H." surname="Silberg" fullname="Hamilton Silberg">
              <organization/>
            </author>
            <author initials="N." surname="Waller" fullname="Noah Waller">
              <organization/>
            </author>
            <date year="2025" month="September"/>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC3172" target="https://www.rfc-editor.org/info/rfc3172" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3172.xml">
          <front>
            <title>Management Guidelines &amp; Operational Requirements for the Address and Routing Parameter Area Domain ("arpa")</title>
            <author fullname="G. Huston" initials="G." role="editor" surname="Huston"/>
            <date month="September" year="2001"/>
            <abstract>
              <t>This memo describes the management and operational requirements for the address and routing parameter area ("arpa") domain. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="52"/>
          <seriesInfo name="RFC" value="3172"/>
          <seriesInfo name="DOI" value="10.17487/RFC3172"/>
        </reference>
        <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6761" target="https://www.rfc-editor.org/info/rfc6761" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6761.xml">
          <front>
            <title>Special-Use Domain Names</title>
            <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
            <author fullname="M. Krochmal" initials="M." surname="Krochmal"/>
            <date month="February" year="2013"/>
            <abstract>
              <t>This document describes what it means to say that a Domain Name (DNS name) is reserved for special use, when reserving such a name is appropriate, and the procedure for doing so. It establishes an IANA registry for such domain names, and seeds it with entries for some of the already established special domain names.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6761"/>
          <seriesInfo name="DOI" value="10.17487/RFC6761"/>
        </reference>
        <reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7228" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Ersue" initials="M." surname="Ersue"/>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7228"/>
          <seriesInfo name="DOI" value="10.17487/RFC7228"/>
        </reference>
        <reference anchor="RFC7593" target="https://www.rfc-editor.org/info/rfc7593" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7593.xml">
          <front>
            <title>The eduroam Architecture for Network Roaming</title>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="T. Wolniewicz" initials="T." surname="Wolniewicz"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>This document describes the architecture of the eduroam service for federated (wireless) network access in academia. The combination of IEEE 802.1X, the Extensible Authentication Protocol (EAP), and RADIUS that is used in eduroam provides a secure, scalable, and deployable service for roaming network access. The successful deployment of eduroam over the last decade in the educational sector may serve as an example for other sectors, hence this document. In particular, the initial architectural choices and selection of standards are described, along with the changes that were prompted by operational experience.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7593"/>
          <seriesInfo name="DOI" value="10.17487/RFC7593"/>
        </reference>
        <reference anchor="RFC8137" target="https://www.rfc-editor.org/info/rfc8137" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8137.xml">
          <front>
            <title>IEEE 802.15.4 Information Element for the IETF</title>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <author fullname="P. Kinney" initials="P." surname="Kinney"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>IEEE Std 802.15.4 defines Information Elements (IEs) that can be used to extend 802.15.4 in an interoperable manner. The IEEE 802.15 Assigned Numbers Authority (ANA) manages the registry of the Information Elements. This document formulates a request for ANA to allocate a number from that registry for the IETF and describes how the IE is formatted to provide subtypes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8137"/>
          <seriesInfo name="DOI" value="10.17487/RFC8137"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8610" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8615" target="https://www.rfc-editor.org/info/rfc8615" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8615.xml">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC8995" target="https://www.rfc-editor.org/info/rfc8995" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8995.xml">
          <front>
            <title>Bootstrapping Remote Secure Key Infrastructure (BRSKI)</title>
            <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="T. Eckert" initials="T." surname="Eckert"/>
            <author fullname="M. Behringer" initials="M." surname="Behringer"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8995"/>
          <seriesInfo name="DOI" value="10.17487/RFC8995"/>
        </reference>
        <reference anchor="RFC9031" target="https://www.rfc-editor.org/info/rfc9031" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9031.xml">
          <front>
            <title>Constrained Join Protocol (CoJP) for 6TiSCH</title>
            <author fullname="M. Vučinić" initials="M." role="editor" surname="Vučinić"/>
            <author fullname="J. Simon" initials="J." surname="Simon"/>
            <author fullname="K. Pister" initials="K." surname="Pister"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9031"/>
          <seriesInfo name="DOI" value="10.17487/RFC9031"/>
        </reference>
        <reference anchor="I-D.ietf-jose-pqc-kem" target="https://datatracker.ietf.org/doc/html/draft-ietf-jose-pqc-kem-06" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-jose-pqc-kem.xml">
          <front>
            <title>Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for COSE</title>
            <author fullname="Tirumaleswar Reddy"/>
            <author fullname="Aritra Banerjee"/>
            <author fullname="Hannes Tschofenig"/>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>This document describes conventions for using Post-Quantum Key
   Encapsulation Mechanisms (PQ-KEMs) with CBOR Object Signing and
   Encryption (COSE).</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-jose-pqc-kem-06"/>
        </reference>
        <reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-reqs-04" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-reqs.xml">
          <front>
            <title>Requirements for a Lightweight AKE for OSCORE</title>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>Inria</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Dan Garcia-Carillo" initials="D." surname="Garcia-Carillo">
              <organization>Odin Solutions S.L.</organization>
            </author>
            <date day="8" month="June" year="2020"/>
            <abstract>
              <t>This document compiles the requirements for a lightweight authenticated key exchange protocol for OSCORE. This draft has completed a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/>
        </reference>
        <reference anchor="I-D.ietf-lake-edhoc-impl-cons" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-impl-cons-06" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-edhoc-impl-cons.xml">
          <front>
            <title>Implementation Considerations for Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>This document provides considerations for guiding the implementation of the authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC).</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-impl-cons-06"/>
        </reference>
        <reference anchor="I-D.ietf-lake-app-profiles" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-app-profiles-04" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-app-profiles.xml">
          <front>
            <title>Coordinating the Use of Application Profiles for Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>The lightweight authenticated key exchange protocol Ephemeral Diffie- Hellman Over COSE (EDHOC) requires certain parameters to be agreed out-of-band, in order to ensure its successful completion. To this end, application profiles specify the intended use of EDHOC to allow for the relevant processing and verifications to be made. In order to ensure the applicability of such parameters and information beyond transport- or setup-specific scenarios, this document defines a canonical, CBOR-based representation that can be used to describe, distribute, and store EDHOC application profiles. Furthermore, in order to facilitate interoperability between EDHOC implementations and support EDHOC extensibility for additional integrations, this document defines a number of means to coordinate the use of EDHOC application profiles. Finally, this document defines a set of well- known EDHOC application profiles.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-app-profiles-04"/>
        </reference>
        <reference anchor="IEEE802.15.4">
          <front>
            <title>IEEE Std 802.15.4 Standard for Low-Rate Wireless Networks</title>
            <author initials="" surname="IEEE standard for Information Technology">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="IEEE802.1X">
          <front>
            <title>IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control</title>
            <author initials="" surname="IEEE standard for Information Technology">
              <organization/>
            </author>
            <date year="2010" month="February"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 1096?>

<section anchor="optimization-strat">
      <name>Optimization Strategies</name>
      <t>When ELA is used for zero-touch enrollment of IoT devices, U may have little to no knowledge about V's available in its vicinity.
This may lead to situations where U retries several times at different V's until it finds one that works.
This section presents two optimization strategies and different approaches to implement it.
These strategies were developed to address scenarios where V's are radio gateways to which U wants to enroll, but may also be applicable to other use cases.</t>
      <section anchor="ela-profile">
        <name>Using EDHOC Application Profiles</name>
        <t>This section provides an example of how support for ELA can be advertised using EDHOC application profiles.</t>
        <t>Application Profiles for EDHOC <xref target="I-D.ietf-lake-app-profiles"/> defines mechanisms to describe and distribute parameters regarding the supported capabilities of EDHOC peers.
Specifically, <xref section="5" sectionFormat="of" target="I-D.ietf-lake-app-profiles"/> describes how EDHOC peers can advertise supported profiles by using fields EAD_1 and EAD_2 in EDHOC message_1 and message_2, respectively.</t>
        <t>Since the ELA regular flow uses message_3 and message_4, peers can advertise support for ELA, and refrain from attempting the protocol in case one does not support it.
In the case of the reverse flow, V can advertise a profile in message_1, while the protocol happens in message_2 and message_3.</t>
        <t>For example, to advertise support for ELA in the regular flow, U prepares EAD_1 containing an item where ead_label = TBD_EAD_LABEL and ead_value encodes a profile_id_with_eads, containing the following value:</t>
        <artwork><![CDATA[
<<
   true,                                   / reply_flag /
   [e'APP-PROF-MINIMAL-CS-2', TBD1, TBD2]  / profile_id_with_eads /
>>
]]></artwork>
        <t>Where:</t>
        <ul spacing="normal">
          <li>
            <t>true indicates that U expects an application profile response from V in EAD_2, see <xref section="5.1" sectionFormat="of" target="I-D.ietf-lake-app-profiles"/></t>
          </li>
          <li>
            <t>APP-PROF-MINIMAL-CS-2 corresponds to a well-known EDHOC application profile (Method 3; Cipher Suite 2; CCS; kid), see <xref section="8" sectionFormat="of" target="I-D.ietf-lake-app-profiles"/></t>
          </li>
          <li>
            <t>TBD1 and TBD2 correspond to the EAD labels registered in this document, see <xref target="iana"/></t>
          </li>
        </ul>
        <t>In the reply, V prepares EAD_2 containing an item where ead_label = TBD_EAD_LABEL and ead_value encodes a profile_id_with_eads, containing the following value:</t>
        <artwork><![CDATA[
<<
   [e'APP-PROF-EXTENSIVE', TBD1, TBD2]  / profile_id_with_eads /
>>
]]></artwork>
        <t>Where APP-PROF-EXTENSIVE corresponds to a well-known EDHOC application profile, see <xref section="8" sectionFormat="of" target="I-D.ietf-lake-app-profiles"/>.</t>
      </section>
      <section anchor="strat-advertise">
        <name>V advertises support for ELA</name>
        <t>In this strategy, V shares some information (V_INFO) with a potential U, that can help it decide whether to try to enroll with that V.</t>
        <t>The exact contents of the V_INFO structure, as well as the mechanism used to transport it, will depend on the underlying communication technology and also on application needs.
For example, V_INFO may state that:</t>
        <ul spacing="normal">
          <li>
            <t>V implements ELA -- similarly to how EAPOL <xref target="IEEE802.1X"/> frames state support for IEEE 802.1X.</t>
          </li>
          <li>
            <t>V is part of a certain domain -- similarly to how Eduroam <xref target="RFC7593"/> is used in the SSID field of IEEE 802.11 packets</t>
          </li>
        </ul>
        <t>V_INFO can be sent over a network beacon (see <xref target="adv-beacon"/>), which may require technology specific profiling, e.g., the IEEE 802.15.4 enhanced beacon may be extended according to <xref target="RFC8137"/>.
Alternatively, V_INFO can be sent as part of an EAD field, as shown in <xref target="adv-ead1"/>.</t>
        <t>As a guideline for implementers, we define the following field that can be included in a V_INFO structure:</t>
        <sourcecode type="cddl"><![CDATA[
DOMAIN_ID: bstr
]]></sourcecode>
        <t>The DOMAIN_ID field identifies the domain to which V belongs to, for example an URL or UUID.</t>
        <t>Below are three examples of how the advertisement strategy may be applied according to different application needs.
The examples include sending V_INFO in network beacons, as part of EAD_1 in reverse message flow, or as part of a periodic CoAP multicast packet.
The advantages, costs, and security impacts of each approach are also discussed.</t>
        <section anchor="adv-beacon">
          <name>V_INFO in network beacons</name>
          <t>This approach allows carrying V_INFO in beacons sent over the network layer, as shown in <xref target="fig-adv-beacon"/>.
It requires that the network layer offers a mechanism to configure its beacon packets.
Depending on the network type, a solicitation packet may also be needed, as is the case of non-beaconed IEEE 802.15.4 and BLE with GATT.</t>
          <figure anchor="fig-adv-beacon">
            <name>Advertising ELA using V_INFO in network-layer beacons.</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="432" width="504" viewBox="0 0 504 432" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                  <path d="M 72,32 L 72,64" fill="none" stroke="black"/>
                  <path d="M 72,104 L 72,384" fill="none" stroke="black"/>
                  <path d="M 144,32 L 144,96" fill="none" stroke="black"/>
                  <path d="M 360,32 L 360,96" fill="none" stroke="black"/>
                  <path d="M 424,32 L 424,56" fill="none" stroke="black"/>
                  <path d="M 424,104 L 424,384" fill="none" stroke="black"/>
                  <path d="M 496,32 L 496,96" fill="none" stroke="black"/>
                  <path d="M 8,32 L 144,32" fill="none" stroke="black"/>
                  <path d="M 360,32 L 496,32" fill="none" stroke="black"/>
                  <path d="M 8,64 L 144,64" fill="none" stroke="black"/>
                  <path d="M 360,64 L 496,64" fill="none" stroke="black"/>
                  <path d="M 8,96 L 144,96" fill="none" stroke="black"/>
                  <path d="M 360,96 L 496,96" fill="none" stroke="black"/>
                  <path d="M 80,176 L 424,176" fill="none" stroke="black"/>
                  <path d="M 72,256 L 416,256" fill="none" stroke="black"/>
                  <path d="M 80,304 L 416,304" fill="none" stroke="black"/>
                  <path d="M 72,352 L 416,352" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="424,352 412,346.4 412,357.6" fill="black" transform="rotate(0,416,352)"/>
                  <polygon class="arrowhead" points="424,256 412,250.4 412,261.6" fill="black" transform="rotate(0,416,256)"/>
                  <polygon class="arrowhead" points="88,304 76,298.4 76,309.6" fill="black" transform="rotate(180,80,304)"/>
                  <polygon class="arrowhead" points="88,176 76,170.4 76,181.6" fill="black" transform="rotate(180,80,176)"/>
                  <g class="text">
                    <text x="36" y="52">Init</text>
                    <text x="108" y="52">Client</text>
                    <text x="388" y="52">Resp</text>
                    <text x="460" y="52">Server</text>
                    <text x="72" y="84">U</text>
                    <text x="424" y="84">V</text>
                    <text x="88" y="132">-</text>
                    <text x="104" y="132">-</text>
                    <text x="120" y="132">-</text>
                    <text x="136" y="132">-</text>
                    <text x="152" y="132">-</text>
                    <text x="168" y="132">-</text>
                    <text x="184" y="132">-</text>
                    <text x="200" y="132">-</text>
                    <text x="216" y="132">-</text>
                    <text x="232" y="132">-</text>
                    <text x="248" y="132">-</text>
                    <text x="264" y="132">-</text>
                    <text x="280" y="132">-</text>
                    <text x="296" y="132">-</text>
                    <text x="312" y="132">-</text>
                    <text x="328" y="132">-</text>
                    <text x="344" y="132">-</text>
                    <text x="360" y="132">-</text>
                    <text x="376" y="132">-</text>
                    <text x="392" y="132">-</text>
                    <text x="412" y="132">-&gt;</text>
                    <text x="156" y="148">Optional</text>
                    <text x="224" y="148">network</text>
                    <text x="308" y="148">solicitation</text>
                    <text x="120" y="196">Network</text>
                    <text x="208" y="196">advertisement</text>
                    <text x="304" y="196">(contains</text>
                    <text x="376" y="196">V_INFO)</text>
                    <text x="200" y="244">EDHOC</text>
                    <text x="264" y="244">message_1</text>
                    <text x="200" y="292">EDHOC</text>
                    <text x="264" y="292">message_2</text>
                    <text x="200" y="340">EDHOC</text>
                    <text x="264" y="340">message_3</text>
                    <text x="164" y="372">(EAD_3</text>
                    <text x="200" y="372">=</text>
                    <text x="264" y="372">Voucher_Info)</text>
                    <text x="96" y="420">(</text>
                    <text x="120" y="420">...</text>
                    <text x="172" y="420">protocol</text>
                    <text x="248" y="420">continues</text>
                    <text x="324" y="420">normally</text>
                    <text x="376" y="420">...</text>
                    <text x="400" y="420">)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
+-------+--------+                          +-------+--------+
| Init  | Client |                          | Resp  | Server |
+-------+--------+                          +----------------+
|       U        |                          |       V        |
+----------------+                          +----------------+
        |                                           |
        + - - - - - - - - - - - - - - - - - - - - ->|
        |      Optional network solicitation        |
        |                                           |
        |<------------------------------------------+
        |  Network advertisement (contains V_INFO)  |
        |                                           |
        |                                           |
        |             EDHOC message_1               |
        +------------------------------------------>|
        |                                           |
        |             EDHOC message_2               |
        +<------------------------------------------|
        |                                           |
        |             EDHOC message_3               |
        +------------------------------------------>|
        |        (EAD_3 = Voucher_Info)             |
        |                                           |

           ( ... protocol continues normally ... )
]]></artwork>
            </artset>
          </figure>
          <t>This strategy can be used, for example, in IEEE 802.15.4, where an Enhanced Beacon <xref target="IEEE802.15.4"/> can be used to transmit V_INFO.
Specifically, a new information element for carrying V_INFO can be defined according to <xref target="RFC8137"/>.</t>
          <t>This approach has the advantage of requiring minimal changes to the regular protocol as presented in <xref target="protocol-overview"/>, i.e., it does not require using the ELA reverse flow.
It requires, however, some profiling of the lower layer beacons.</t>
        </section>
        <section anchor="adv-ead1">
          <name>V_INFO in EAD_1</name>
          <t>The ELA reverse flow (see <xref target="reverse-u-responder"/>) allows implementing advertising where U first sends a trigger packet, in the format of a CoAP request that is broadcasted to the network.
When a suitable V receives the solicitation, if it implements ELA, it should respond with an EDHOC message_1 whose EAD_1 has label -TBD4 and value V_INFO (see <xref target="strat-advertise"/>).</t>
          <figure anchor="fig-adv-ead1">
            <name>Advertising ELA using V_INFO in EAD_1, employing the EDHOC reverse flow with U as responder.</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="424" viewBox="0 0 424 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                  <path d="M 72,32 L 72,64" fill="none" stroke="black"/>
                  <path d="M 72,104 L 72,224" fill="none" stroke="black"/>
                  <path d="M 144,32 L 144,96" fill="none" stroke="black"/>
                  <path d="M 280,32 L 280,96" fill="none" stroke="black"/>
                  <path d="M 344,32 L 344,56" fill="none" stroke="black"/>
                  <path d="M 344,104 L 344,224" fill="none" stroke="black"/>
                  <path d="M 416,32 L 416,96" fill="none" stroke="black"/>
                  <path d="M 8,32 L 144,32" fill="none" stroke="black"/>
                  <path d="M 280,32 L 416,32" fill="none" stroke="black"/>
                  <path d="M 8,64 L 144,64" fill="none" stroke="black"/>
                  <path d="M 280,64 L 416,64" fill="none" stroke="black"/>
                  <path d="M 8,96 L 144,96" fill="none" stroke="black"/>
                  <path d="M 280,96 L 416,96" fill="none" stroke="black"/>
                  <path d="M 72,128 L 336,128" fill="none" stroke="black"/>
                  <path d="M 80,192 L 336,192" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="344,128 332,122.4 332,133.6" fill="black" transform="rotate(0,336,128)"/>
                  <polygon class="arrowhead" points="88,192 76,186.4 76,197.6" fill="black" transform="rotate(180,80,192)"/>
                  <g class="text">
                    <text x="36" y="52">Resp</text>
                    <text x="108" y="52">Client</text>
                    <text x="308" y="52">Init</text>
                    <text x="380" y="52">Server</text>
                    <text x="72" y="84">U</text>
                    <text x="344" y="84">V</text>
                    <text x="116" y="148">CoAP</text>
                    <text x="228" y="148">discovery/solicitation</text>
                    <text x="160" y="180">EDHOC</text>
                    <text x="224" y="180">message_1</text>
                    <text x="160" y="212">(?EAD_1</text>
                    <text x="200" y="212">=</text>
                    <text x="240" y="212">V_INFO)</text>
                    <text x="48" y="260">(</text>
                    <text x="72" y="260">...</text>
                    <text x="120" y="260">reverse</text>
                    <text x="172" y="260">flow</text>
                    <text x="232" y="260">continues</text>
                    <text x="308" y="260">normally</text>
                    <text x="360" y="260">...</text>
                    <text x="384" y="260">)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
+-------+--------+                +-------+--------+
| Resp  | Client |                | Init  | Server |
+-------+--------+                +----------------+
|       U        |                |       V        |
+----------------+                +----------------+
        |                                 |
        +-------------------------------->|
        |   CoAP discovery/solicitation   |
        |                                 |
        |        EDHOC message_1          |
        +<--------------------------------|
        |       (?EAD_1 = V_INFO)         |
        |                                 |

     ( ... reverse flow continues normally ... )
]]></artwork>
            </artset>
          </figure>
          <t>Note that V will only reply if it supports ELA.
V_INFO can be structured to contain only an optional domain identifier:</t>
          <sourcecode type="cddl"><![CDATA[
V_INFO = (
  ?DOMAIN_ID: bstr,
)
]]></sourcecode>
          <t>This approach enables a simple filtering mechanism, where only V's that support ELA will reply.
In addition, it may not require layer-two profiling (in case the network allows transporting data before authorization).</t>
        </section>
        <section anchor="adv-coap-mult">
          <name>V_INFO in a CoAP Multicast Packet</name>
          <t>In this approach, V periodically multicasts a CoAP packet containing V_INFO, see <xref target="fig-adv-coap-mult"/>.
Upon receiving one or more CoAP messages and processing V_INFO, U can decide whether or not to initiate the ELA protocol with a given V.
Next, the application can either keep U acting as a server, and thus employ the EDHOC reverse flow, or implement a CoAP client and use the forward flow.</t>
          <figure anchor="fig-adv-coap-mult">
            <name>Advertising ELA using the network layer.</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="520" viewBox="0 0 520 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                  <path d="M 80,32 L 80,64" fill="none" stroke="black"/>
                  <path d="M 80,104 L 80,336" fill="none" stroke="black"/>
                  <path d="M 160,32 L 160,96" fill="none" stroke="black"/>
                  <path d="M 360,32 L 360,96" fill="none" stroke="black"/>
                  <path d="M 432,32 L 432,56" fill="none" stroke="black"/>
                  <path d="M 432,104 L 432,336" fill="none" stroke="black"/>
                  <path d="M 512,32 L 512,96" fill="none" stroke="black"/>
                  <path d="M 8,32 L 160,32" fill="none" stroke="black"/>
                  <path d="M 360,32 L 512,32" fill="none" stroke="black"/>
                  <path d="M 8,64 L 160,64" fill="none" stroke="black"/>
                  <path d="M 360,64 L 512,64" fill="none" stroke="black"/>
                  <path d="M 8,96 L 160,96" fill="none" stroke="black"/>
                  <path d="M 360,96 L 512,96" fill="none" stroke="black"/>
                  <path d="M 88,144 L 432,144" fill="none" stroke="black"/>
                  <path d="M 80,208 L 424,208" fill="none" stroke="black"/>
                  <path d="M 88,256 L 424,256" fill="none" stroke="black"/>
                  <path d="M 80,304 L 424,304" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="432,304 420,298.4 420,309.6" fill="black" transform="rotate(0,424,304)"/>
                  <polygon class="arrowhead" points="432,208 420,202.4 420,213.6" fill="black" transform="rotate(0,424,208)"/>
                  <polygon class="arrowhead" points="96,256 84,250.4 84,261.6" fill="black" transform="rotate(180,88,256)"/>
                  <polygon class="arrowhead" points="96,144 84,138.4 84,149.6" fill="black" transform="rotate(180,88,144)"/>
                  <g class="text">
                    <text x="44" y="52">Init</text>
                    <text x="120" y="52">Cli/Ser</text>
                    <text x="396" y="52">Resp</text>
                    <text x="472" y="52">Cli/Ser</text>
                    <text x="80" y="84">U</text>
                    <text x="432" y="84">V</text>
                    <text x="180" y="132">POST</text>
                    <text x="276" y="132">/ela-advertisement</text>
                    <text x="140" y="164">CoAP</text>
                    <text x="200" y="164">multicast</text>
                    <text x="280" y="164">(contains</text>
                    <text x="352" y="164">V_INFO)</text>
                    <text x="208" y="196">EDHOC</text>
                    <text x="272" y="196">message_1</text>
                    <text x="208" y="244">EDHOC</text>
                    <text x="272" y="244">message_2</text>
                    <text x="208" y="292">EDHOC</text>
                    <text x="272" y="292">message_3</text>
                    <text x="172" y="324">(EAD_3</text>
                    <text x="208" y="324">=</text>
                    <text x="272" y="324">Voucher_Info)</text>
                    <text x="104" y="372">(</text>
                    <text x="128" y="372">...</text>
                    <text x="180" y="372">protocol</text>
                    <text x="256" y="372">continues</text>
                    <text x="332" y="372">normally</text>
                    <text x="384" y="372">...</text>
                    <text x="408" y="372">)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
+--------+---------+                        +--------+---------+
|  Init  | Cli/Ser |                        |  Resp  | Cli/Ser |
+--------+---------+                        +------------------+
|        U         |                        |        V         |
+------------------+                        +------------------+
         |                                           |
         |          POST /ela-advertisement          |
         |<------------------------------------------+
         |     CoAP multicast (contains V_INFO)      |
         |                                           |
         |             EDHOC message_1               |
         +------------------------------------------>|
         |                                           |
         |             EDHOC message_2               |
         +<------------------------------------------|
         |                                           |
         |             EDHOC message_3               |
         +------------------------------------------>|
         |        (EAD_3 = Voucher_Info)             |
         |                                           |

            ( ... protocol continues normally ... )

]]></artwork>
            </artset>
          </figure>
          <t>The V_INFO structure is sent as part of the CoAP payload.
It is encoded as a CBOR sequence:</t>
          <sourcecode type="cddl"><![CDATA[
V_INFO = (
  ?DOMAIN_ID: bstr,
)
]]></sourcecode>
          <t>In this approach, the periodic multicast may have resource usage impacts in the network.</t>
        </section>
      </section>
    </section>
    <section anchor="examples">
      <name>Examples of protocol execution</name>
      <t>This section presents high level examples of the protocol execution.</t>
      <t>Note: the examples below include samples of access policies used by W. These are provided for the sake of completeness only, since the authorization mechanism used by W is out of scope in this document.</t>
      <section anchor="example_minimal">
        <name>Minimal</name>
        <t>This is a simple example that demonstrates a successful execution of ELA.</t>
        <t>Premises:</t>
        <ul spacing="normal">
          <li>
            <t>device u1 has identity ID_CRED_I = key id = 14</t>
          </li>
          <li>
            <t>the access policy in W specifies, via a list of identities, that device u1 can enroll via any domain authenticator, i.e., the list contains ID_CRED_I = 14.
In this case, the policy only specifies a restriction in terms of U, effectively allowing enrollment via any V.</t>
          </li>
        </ul>
        <t>Execution:</t>
        <ol spacing="normal" type="1"><li>
            <t>device u1 discovers a gateway (v1) and tries to enroll</t>
          </li>
          <li>
            <t>gateway v1 identifies the zero-touch join attempt by checking that the label of the EAD item in EAD_3 is -TBD1, and prepares a Voucher Request using the information contained in the value of the EAD item</t>
          </li>
          <li>
            <t>upon receiving the request, W obtains ID_CRED_I = 14, authorizes the access, and replies with Voucher Response</t>
          </li>
        </ol>
      </section>
      <section anchor="example_wrong_gateway">
        <name>Wrong gateway</name>
        <t>In this example, a device u1 tries to enroll a domain via gateway v1, but W denies the request because the pairing (u1, v1) is not configured in its access policies.</t>
        <t>This example also illustrates how the REJECT_INFO field of the EDHOC error Access Denied could be used, in this case to suggest that the device should select another gateway for the join procedure.</t>
        <t>Premises:</t>
        <ul spacing="normal">
          <li>
            <t>devices and gateways communicate via Bluetooth Low Energy (BLE), therefore their network identifiers are MAC addresses (EUI-48)</t>
          </li>
          <li>
            <t>device u1 has ID_CRED_I = key id = 14</t>
          </li>
          <li>
            <t>there are 3 gateways in the radio range of u1:
            </t>
            <ul spacing="normal">
              <li>
                <t>v1 with MAC address = A2-A1-88-EE-97-75</t>
              </li>
              <li>
                <t>v2 with MAC address = 28-0F-70-84-51-E4</t>
              </li>
              <li>
                <t>v3 with MAC address = 39-63-C9-D0-5C-62</t>
              </li>
            </ul>
          </li>
          <li>
            <t>the access policy in W specifies, via a mapping of shape (ID_CRED_I; MAC1, MAC2, ...) that device u1 can only join via gateway v3, i.e., the mapping is: (14; 39-63-C9-D0-5C-62)</t>
          </li>
          <li>
            <t>W is able to map the PoP key of the gateways to their respective MAC addresses</t>
          </li>
        </ul>
        <t>Execution:</t>
        <ol spacing="normal" type="1"><li>
            <t>device u1 tries to join via gateway v1, which forwards the request to W</t>
          </li>
          <li>
            <t>W determines that MAC address A2-A1-88-EE-97-75 is not in the access policy mapping, and replies with an error. The error_content has REJECT_TYPE = 1, and the plaintext OPAQUE_INFO (used to compute the encrypted REJECT_INFO) specifies a list of suggested gateways = [h'3963C9D05C62']. The single element in the list is the 6-byte MAC address of v3, serialized as a bstr.</t>
          </li>
          <li>
            <t>gateway v1 assembles an EDHOC error "Access Denied" with error_content, and sends it to u1</t>
          </li>
          <li>
            <t>device u1 processes the error, decrypts REJECT_INFO, and retries the protocol via gateway v3</t>
          </li>
        </ol>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors sincerely thank <contact fullname="Aurelio Schellenbaum"/> for his contribution in the initial phase of this work, and Marco Tiloca for extensively reviewing the document.
We also thank Christian Amsüss for his active participation in discussions that led to improvements in the document.</t>
      <t>Work on this document has in part been supported by the Horizon Europe Framework Programme project OpenSwarm (grant agreement No. 101093046).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+19yXIbWbbYHl+RpiIssgqAOGlitaqaIqESnwayCQ7dUV3B
SAJJIlsAEp2ZIIstyfF2Xnlvrxz+Ca+8e88/4i/xGe+UmSCpUnd1hM3uKJFA
5r3n3nvumYdOp9Mq03KcbEVv08tReZ3gf6PteTnK8vRvcZlm02hepNPLqDcb
JZMkj8fRbnpxkSad18l4PImn0f5Vkkc7+/1etNx7u73SGmaDaTyBEYd5fFF2
0qS86IzjD0knhlH/1ll91orPz/PkaiuCx1vpLN+KynxelOurq89X11uDuNyK
inLYKubnk7QoAILyZgbD7fWOXrXiPIm3on4ymOdpedO6zvIPl3k2nwH82296
0Sn8jcD+iJ+1PiQ38MAQXp2WST5Nys4ugtQaZEN4aCuaA2TPWrN0K3oQDWJc
aBLFeR7fRMvpRRSPx9FNUqxEWR6N4mIUjZI8aUVRmQ228Av4tcjyMk8uCvP3
zcT9E54cJrNytBWtt1ox7elWqxPx7vz4b/8zhzn7yTieDpMc357n/JXzWZYD
nL08HRQFnMT2S/hokM2nZX4Dj10nw2QKnySTOB1vRZcZDNgt5OXfJ/JWd5BN
zKz/ko2m0UGezP/tv0fv4rLEB2CEdJqWaTwGyP/FBaT64H3g+QvM1Z3Iu/Xg
vIvH6f/+H3F0Mv/3/wIw/Pt/dmd3P6R5994f7m27M76CBQ8SO+MEhivi7tV8
AO8Nfp9O8zTuXuR2z5PsKp4m0atkmCeDUVJ8SN0J/Y/vNuUlD9m9sO9W532X
DkZxMo4O8d98yFtppvU+pVn7eIJ0ufrZRXkNSE+YXbiA7MTTeBg7ax/k3+Jd
+32hL3cHcavVmmY5nEF6lWy14OHDVzvPNp482dJfn6/rr883n8uvz1cfm0+f
rG3op4/Xn+Gv7/f6R51nq6udx0+28e8oUsyO6Kcj/yJSAT71utHLOP9AyMw/
vOjeOE7hJLzvglffdqOdESGU++LbdHzjfh68tN2NDrNL+PXDTfDi9nicTMMv
q2+fxEBzxslV+PYsK8psHH4dvH/YjXbjq7QIXpYTdr4TonuYwG2YJNMhU9oL
IDUHcZp3TlMgRW+Sm06vKONzQOoRPFRG/QHS4CI6Joq8mxaDPCmT6G12GQM5
HE2infxmVmaXeTwb3UQdOquoP0sGcLejgzkMNOCJ5PzaAABAhJ9sEFgAB0C1
vrr2rLO6yYDG+WUCFHlUlrNi69Gj6dV4Nj8vutO0KLuX2dUj/AU/eSTzONMU
jxCAbv+gK/PlG93Z8MJFovX1p3dAoh+7cHrxZToI9vXHLP8LXBLvu98Y/3a7
0bssG4bItwsMLp16X9Uh7jn8moUzbk8vgaaH3wavv+5G/XR8nuSXwduv40k6
LuGE/a+D1993o1NgeJVtep/FI/ebWrwtCHEJXaeDeFbMx4xl74AgxoAfk+I2
XAQ08PBv/XFn9flXxj+Yg7CvlU4vQpq4vram1G9j7alSP6B4q/Lrk6dP1uTX
p+tMCPHXx8+VPD5b23hqfn26qb9ubj6xpHTV/vrYkN3njw3Z3aAp9jq7XRKa
/pIVSWf210HnQzLxviBpKk/+WlQ/TYajbNBJJ7NxZwAbUH0gns06szy7ABrG
3/Z6vWer6921x93NLfeIl/CbqF8OI/0a/gDWgnQMj/ttdt05hOOKTtM8gcGK
6H1SojxWLNVcaEIyHrJwR9nTswBEOAJ0mWbj7PJmyQXsj7VgeZAMAKXgg2iS
lHk2y8YpfB2hqBhNBSZAwAMQ1jov4yIZKqTR9mCAgO+AiJln4yUHBV8l5/k8
zm+QFq5+hfW0rpLpPMG3RVxdCuVtoO+ItgAdXKSo9wtencsEYWLxd8mTbfFz
5vtLeKy/xwPuguyAn8f5AETOJb0x+Bh+BOje1cce4QePzvPsukge4QCP8MVL
4CHzcxmycw1PocSO38CFTorSGVSe6PIr3TTjZx/VyvzdUTmB3W11Op0oPi/K
PB6UrdadFIrd1/s7K1FaRHE0djYs9jYM5PwokQ2LALlB7gZOnYLQD5IQnwuK
9kB/8U7A9ED5h1ExSKbANrOi2zoawQygt8yJyxZISACg4nadCMFjtQcHockH
yXAO8hqQTNhcwZr0b/h0MgUkG9MU2QVg5nU0BO4LGCijwZJgGQA0MeRZBguA
Jy4IWICdJuu2YDLaj9kMydz5OAE1I/pbkmedMpsPRlE2Pc8AG3HAYBZ4LvZ2
QC5HBOIMnMMlwYCaGNylAUBdIJaXSPuHUVwCuk3nF3ByuLoynSRdPtBJOhyO
k1brAWpZeTacD2iDoo8PUvz7M4igr+AA3Hn3siMAajbObnAziujjRyGrnz/T
JmQAziiJh3SnaUsL2qAB3tP0fI5nfn4TFaIFmiMvAMab6DyJivRyCicIOl3Z
jq5HIH1FkwzoPWIxzSBHLBwI9slFLjtcOYJ1o/SdzWDFdIptPIpZnAPuAZvL
20BziiK+dIBeLpIEllSl1p8/r4SoNkxAhEvP74dqbThGi2iI3fH8EodTJGq+
KcFN8y4Oz0BngbI+nMU1XG4YMAXahiu+6aDsW+A4sQshIAIh5fQqG18leFUZ
4xDOYQbkZ+pCkcGe4bnC9M6FKJIc9o8vEb9ND9W9Hs2SHIlsNJmXcyT89kvc
LhrbBQ+mU7ABaeiShfPyQcOeXqVwIhHyM1DqSn+cKHVoO9yl0oK6HEdLV3j7
knxphSCQ7z3AuxGubgTH0sEbNwacBEUNL3MByAXIhG+9POy/2eNTQNng82fY
3b0pnoJFG8DphC4UQJvTPCwlEclD4qq6BKN+sIoC7n2CdBFmg7uyZHdjqU1v
Jb/EID8koL+DFg0oZbgofYvTXaQ5UAkkAtFy0r3stgVtQIIBJG9HcEWjtCSb
CsxApIrnU1DgusA4eQ3cQI0JCapnhHc7T2Z5UuCHCIZDkXK8xPZE2mi0KbKJ
zkPoy/jsnmJ8ns1L9yAv8myiu+bRQrQAwVpAgQQAOoQpSKWJMnu4wCi8zIi7
EmBudQm4NpxYcC+vhXvA8smYDoNFFplTDwbuCEPtrAUOmjcRXpMrChdhPkmU
rvn35hyGwvU5t88HHsaTmwerpq2sUAy+2cyzmNDiyYI6qmS2ysUtYlqSZtlh
7xc03MEl90niblzGQAu3d1cAFZPxsKjhk7Rg4PDAIUl6yK4NqSYbChIDWQ/t
qzcBLsPBQCb5yAnHvHJ/79rEKJH2wxLh2SL56zyZIhbyocDOobokl1LPjE+y
29oro4t5TsedJyCnFFaEATrEHJLwkhbWBm4dE3cHFMhhv2DPzMIKuFkFSAAe
t4Xz/8C3KnWGrogQMaxsmERXIBIlgHOwkiIpkaUUfKpymSfwFt/lIfCSJE8q
ZJJkzTKha4nzPngAkjBuMonCEUoGpf37M1935ERoqy2ipXfH/SOgRPRv9H6f
fj/s/eF477C3i7/3X2+/fWt+0Sf6r/eP3+7a3+ybO/vv3vXe7/LL8GkUfPRu
+09LvMSl/YOjvf3322+X8BQ9kktSABNMIlYzNLzADSkMCyfce7lzEK1t8pVA
nRKYKJNyUAmRoQLS8FTZdHwjf8LJ3+BZJMAAkNeNx7DXM1BhxrjzwBxG2fWU
jM+wmYdw+AlIZghO8gtIMSUfxii+wjsbzdH0SxqJCIA7L/cPlZ1sPscrurO7
+1Y+AZVUL23lLndb2wATjPNLtNNdw6Fc0QBJEqBXwcTqPC7SAVFWIak4Kx59
dKD4tj8vx2hw+fgg49/k4C8zuN0wuIi1sBS+s4CPy7OsxEsGO3LjYvSKYbvH
K/wCXlQmxEbiQHEsEHfxIvgShiMbFXLn4YairOyjtPCW5Wk27fiA1Mknyycr
KjoBu0/GM6Z8IiAgSFfJTZXmOIyJodQXkPXERkaAtSaIFjAtH+LGkydwIMhy
AVPm4yHiqAoHsJM3IGbk+MlkBqxS1l8rlSHOz3NEUG9fSl8kMywcQCgLn0oq
J6ThWVUBLM4MGTYqF6I+itV4C05IHil88eC4jfSZlCjlBbodfAtRIs+AM4i4
YJkHEjZH3otrTq0qWyyfrgCHYBkZNyYK3jFE+zwZpSjeNW4ii0MoIcIj6ndq
C3/HpSyQIhkzGARnxZ5EWYtxgA4oKSieKpGXvcnO/wJ0AtR//t6lanzjWBsC
hWpOco/hESQmwCMuz86uROQMbxYdGDIwUnWVceHNrugVuBzU30bpBeksFRVK
pZvgEBCldY1yIN1WH7StdDye41Nyj2Cyi/Syg8Ndpck1ydDvgZYw3KQcx+OU
mRwLKaS5sJYDen832qN1WwKLG9G4+wZ9QY8aEuUao1gLtFgtCYA/88k5C6mi
jbOQTMpbdAlnYwQvtPZEJCs6wm1aAw9InxG9fgE6/jRDxWWUgcBawW5kwv/J
/kRxXFxdtoyhV39OGNvOKl+gTav1bcf8fMsff6L/Op+7X9Z/1/pU+ZL++d75
XMcWcHQe5zt3lE+/s6Pw3Lt8RDLKIYpisCk0Ss/uDI+yy1uusGQCy7Z3vM4q
BM4+E41aWLKafXAArf+ORkFuptuqo8q/yFGa9gVJV82+1IzifnmYFDO4WUnN
7oYnrU/c76T9UQVoFw1bH7eiB+41ZQvvi6V9/Vtup1KHC+AFXaEmKdrMkqHS
2ZAWGWXmmGjNSdcg9x7JKPiZbCMKUoXI+Dz2rToH6/HePCc05ikp11npwtNd
gimIVHWA5lxOXywBD4QJltAwBgLSNqpkxMsKw8mMhH4eO4u8yJQbogqa/JIW
RDzzZCxOGAXGZSnHK+1mwoVoFQs3q+WJ7YhtWXhMpA0TKf1GtvXUSJ1AmECT
ACKlwGzBI6T1TOFVoGCiMAJvIe8MiftwvKc6AYOLo39j9lIHR2eGN7gyWbM7
18l5dPBmT4QuhBM+39mOBgmQ8wsWY8xMtBFkl+bpBEWIitPhybxoVgSosnlh
JsaDd3WoRJ2zpGHqUxXkA1U0RsMso3M5ygEQ4TSkVV3iyeCgTNxRVZxPVS03
gqQYTK5B8ZrnKhM5nP5EjZ9GoWNLwSDHqAyK7mDm3SDaCEc61mHGIG+KclH3
NPBINBIhwgj6XcNGiF4qBmVmuI5tGvSa+DwF1otLV2HEbGeo0xTz2SwDqQam
nhYSCoRvuSsixfgEnz5GkeIqHs8Td4P4SquNUxXy6xT1BRKIPRKD+jNaphNR
n/guMUd25yXiU89VLeHrhZdCbWUEs1xQl8uvtIQ6/65z/5/vgXLXEvu7/gjh
dzhpI3Gv+9L8W+FCtX/c+qXLnulLQMKOedJn8kJyOw1c3pnDoHEUcvngS/wJ
2bxl0KoN1DLo6pfNHPoL9+a2k/r2bidVO/qCiQMo5JkGbP1+ESIbbKWf91mV
1up3eyH1r4indT9y05QxEKdYqZU+2MhbI3rUM9lb2PkDxVnElY8PhK0BY888
pRrp1Uk7YNRRDgqDyjdMeUjXB1j2KDwP0bTG+ujSpZ3D3u7ZsWfGR/NO9Mfu
49XnLj9kfQwDHEAfIy2CDEWnsGFH2QdgXss7p0dttTA8X0fflYyODCKY4ZzU
qjxllZuJMCxhb/eMXtmzaqBQ2rMNnPRc7N5iScdNUbtNA5Nqu77K2F15Sr+A
rpX7My9bCUYZDfnhWsdsmjDKmwxwg1aNZHyBH522HS8KoSCZZ83gXdUqQRuD
h8bEKmB70V5lIUAdO09iMRfGbLFWFQ6eNBCcJ2q+y7KhleaA4/PezRK0/C2T
5URki5W2sVQOAMedWWlxZEI9Jx8hxmGqceM6vhHdntTK+TSenIOYhtcPV91t
nTKHnHsjosk3YcstnK7rbTGOwsI7BmtF48MVOx09fEIngI8gnC4WNDhpTrdQ
8NzGaAtA/FCOjJYP3pwBmSWlAKdSyYydxEmTUFUj9TK+HHdOCU2+oeiSivvP
Oo5qRni7v4Ow0A6L1ZzgOr9hSQWQAfDpVKRJRA+DNXF0fLhHchhKYfGYNBE0
3YxJJiN8ccR5jNFiC7swxO2KfA9EyJF4aynR8S0qQjNdYi0S3VZMl6a3kaYT
NRzz/fVP8URl9JMzoDdW2L7i2IVjlnizokiMKMgyMDn2aZRBlucMk0ii9IA3
C8PRVXjs3rv3kEROFD4ZnY6tdrjMBi5zLw6jFzKUQt9P2AG70X3cXaddUsPX
CgiY0wFJxWyonNYxvqr6oBoRqSgedseK38ukasleo2kL32Dnm0ZIkFy9ggcw
TayLGDdIdWExljwyxgGrXrxiDxWaktsCSeEoGeTKBGSsOXC6BicRUU7CkuNo
mXSKyWwuJjmZf6XtqGI0Oh0+0aSvevawoUQZw4tw6ngeG1YT6yKsSVFMgw1a
At96IqesWJDCKoZV0XD4KVGqu0AXkWpgDAvytdJ9zBkc5yvIwj28Qr7uRIls
s2OPzvhAYv0qESluICA6gUxIDN4FGNZuxRLOekbzLalll1xRlxJnxI5sprOg
Z02TcWgYYQozGGXILUi4ciN24osLwEj1YFf3UUL7RtmwcHwcZne7FGBkhBEM
80JeqLcGuDmOfvS2bxA+ABafO8gOCMipnjTyphrBqW0sJirQIFzOUVM4Bxwd
qnQdEjy7rT559C8MEqeoosMNOE+nojx7e4K6L0Moxi29sKG5CTXmMbs6yOqN
e1Z0kDgk6BJK0GLWAqWjv/BwQFAHLMkuOvD/A3vFrGqNTxzJscjufGpaPug4
nY79P0z+0+7PuPdr3Q2+OrVhO23xCNH+0arHKbld1aymwRJJ3mV4MVyC5uTx
8VOgW2WeqvmAL4gJ4fLu2nkGgAhgxvupdqXKmRc4eB3N4DsS2wPvRv6K77ms
wzmGHsjWGlKHfqKZog8M3HFsRXyi+O729IbvjrfQ6sLa0Q7/F+V7uA87O319
XQ5TDEBk46D1MDwI835/Z/+wV1lVavQTb2G5igdd1hS3xyD6DG802MUC6Fps
iqScm9X6F/WWZS5eBip8zv1Qla/HZINu4Ci7vvPdA0UQ7+qLpXEE/0P1j9gB
ibOGJxjhs/EGq7Etm152xin6oPBzUjQ4cHUyH5cpRmOp+zNnJl08yoVLo3tn
n4yDIJ7H6ViJCV9oh2eShMF3Q7kZkjIVdZzbTSGPc/qkGGSzquOwK9quY2vp
W0/qxwec6seI/bkpoAsfZW/tfOJEMdzK11HUd0Jr7ivzq8btC/qnNvzPyJq+
f34I/LFQsclZDeszKhpTZKLn75eJ5E+azPcsYMD6AC2ilW1nfuXv+3aThM0R
DP6iTYisAhnEq1Ts4aAegASAoa0imwnYVujzA9AoMbKi3a8Jy+a/1qPl12dr
6yDeGWWSuaiVqegMZQd96hdIwypkm90kf8Qp02ZAKlTg6fpZLg6qmnWfN9/I
U56gfjQaCK30X0cCbbVOPXUjvsIYfaRKDiFMfgFYS28qMZRXNYQH5JIywTYf
HxhbB11TY9eyX1jvOF9PjNUwE1D4SFGKjR79FQaRZPlFdJmJidwJjgMdfY29
Y/WH6Bi7EPKGKEnQOVvr3WatREerd2bV0pnWRhdYg411hnUJBnWUKjrqPcqQ
g/F8GEaesGWo3bScBhca0LY0dqKPK2DD+YUGKkuMYg5lanKICs3X24PCJ+M1
rVdCrewFhe852IDuvmqqvpZa79c4XmxwPbmLVRZ+Tlu3+Cfu6r749I8fqFdh
MCJP33Ggb9EcHkW3/ef7u0IkRm4UNYm8C9Kh4Npdud/Sbvm500AHNSLHdTfv
lsbW8hvsEf/ITkk20f2Xdpeff8aBWk3+l/v+LHC6oEIQHRzuH+3v7L9t/RNu
gn0yFFLuOVDoBw1cWv9ES1u/90CLXc5hwNJdIKp/4LccKPRA3XOgr3v8GEkE
MLyIyFsAtOnN2c6RDQC759LqH/jqAwUiGQgvh70/WIJ6O3W/G7W5H3Vf7vdl
+9oR6hntL1qao5q8SsrBiP861sX9ppstci/udt/s9u0D3TGM5Nu7L235hxNV
B3/w9+d+S7vlp/nSbt57oK9O2JZ/wJu7CTdX3Rb3hOiWB+48UG04g43drkY0
gIq3FZ02JHHiAxoKh8YUilhDq9KWHEFFEXejKBt1NLWWRS+TiyxPPD227dmx
QzOQDa4bWjeXa7G3yWh1xi5YjknjBN27ACHUOhTGWfaBjYw2pEGjwAEcUMs4
2s7xQQxjACcuklsDQA7RdufEvT8gY16dlm2i1tUWE+iAEm5QUMTDmDxm2dSL
qiefeP9476jXx0ADUlolY2OQznAFxTwt2Y6kGvmYLcfocJJEXDRZujl78fgy
o3IyYpfxT/5UDVrWz/nE93JucRDcN+qNgvtix9wy9rrLZJrg4lW99l4iu1L4
Ei4D7SjDhIwuGgyk73jZzDUT+oatYhRjXCogVp6U4RpxX4lBtyO+7bHg7qLg
YKOXc0oi7ImVNVx72GabLOOckzG+qfqNnwX6+J54tAC4QYkGU8fxLoeRI5IU
SWfeMUZ3ysRF6NfZxUHyRpwnxthmpUUXug0fuubiCBiYguUF8HgBySZFm9XQ
JB6ejeNzuKUvoqOXu2wLhF/WdaFpPI078JQY75yYFXjQ+tUNqG5wTmBACS2g
cp2tcTFYTLSt+XRioT/PyjKbcHabf/2QOiFZwNt8ijBk5xi4IFN0Wy8RDy/i
+bhsO8ZGN3DAiUM69Pbbj3Nwjjd1TvYOo+65o250g/hxutdCQ4xd9QwQGDOt
rdcLPpnhH/7FcjJOw/u+6d92mZayIsXUFc2KZD7MOgD1EEbBkQ8O37DxOScn
h1PTQCFaZrrxDT36IviuiHGb9968W5Ebzw4o/BieXf0lWjaRxuNkeglYeH4D
cKA7cHqp7+xQyIHhdjCauOQLjfT1fJopFQTsiuoLeKrWN/7Wic73qyoQnJLz
O5tr2Nc06u3svobPMNoX6FhQicGnRrT5VeMxqAns+1AX9ELj849wEZZhJrJR
InWIJZ5fD/Jx92l3jUNUPn50y7pJipY4R+6yAzEXramv/hQtv+m9WzHbgkPA
B8GSAXb0dAHotPjEDgUf8apd2NcrcK+vP8WgIS8UAKcSbvzubQcnxQuMlWXw
eOY5Zi9TZBVOYpO1gDY40RJuGSYiWZRTNy/hbHHjKYENDiFHKWGfl6hoTktB
fPbxHe/b8orjwnKy1/EWFWrpreOF1jUqnNzj9KgLBddVz9hcWZIaENIXPkQA
aJvM4BhliZdoBS8k3TRH2IwGw+GYamjB+8uIG/i7UPwtpANt/BDjvJJfSvgE
C/7QR3IzgSHTQ248bqv1CnPyiBlqiBQJS76MShbvEeZKTwsbktXIZbVUDhJC
yn8tKfDCqV0QO5EyGgzT5qxucyKLA2eEEmkQTqLlfax7Wp91AW9wlAmzdYIG
g0Bbmx59jFLqCSdbxLlGJFqx/WFhsy1uZBDyJ2lihCOJKsok41hXhojedyKC
2iYbg2RJeFmLe+jCSaRMgfoM+M56z6uI4GF64Ni0wdO/63xf51k+pi/Iv4yE
KWB3oZRK+ygxyb7q4nFNH2eiZSR6JyQ6UZZqmN81XRwwB6+fsEOZvGCoNESS
4iJit5OjBZyHijxp/SehhKit+BQkDmilkflQsfi8gviqFSQa3UG4vw/8NLiP
D0TyPsMbrG56FXAD5zeuhEVIk/qP8dcpimFjc8BVCbBjRED8lEPDX3hwOHRQ
otAd3r3lO6OI9niLeEH0JeoOzjOQf//qjXzWT/7aaoWfwCs/Rd+xaBmbOW3N
DswmoSrAxPfIPLcVlUrE2NKkVO1nTwlvCa38ht/iFREV5MX4YcCcb45Mnb0T
HPtLsfheeO83PCWPxsHjThBtktK5YxJeUz01kh5wWGSAzC0QqHY108mTf5gr
up554Zjq1t0icS29s1jkBF+o7lfcCvgsTnONN3IkIkp3RwkHb9c4HjjhA7RZ
tE98CVVI0gx5fIviMc+tfjGEi3UzY6nY+P2d4Icg6EDEI7mA3Vv2IY4O/rCD
m+9tgZgvClZbPcmJrBu4KBNGJaKRPbwIEaJmwa+TXOQeoRXJJC290lfuRBMj
on3lDXGJjaUzQGL2MFjfOf3IGBSJ6Up6gfWVW/7clqCIxeRp0yFP01vI0noT
WRIZz7j9aay4KJDRcdWGYw4LOeXaHDbL4YTK+VDlJdo/o+rY2+WbQ26T5hyp
FI7bmHqqETc0sR+3kUQPLcI8FNJBoUkoAp/1GMRVqQ+hJbwer6Pu65Bkhxp7
opGGlzbRZyHNPoXcK4tAU5lhIV5CaT4Fdw0Y/DCLgTC7STNBSsWpZKheJTdh
bY3jtpS0KJxwLIqs4jIogSGhjCm1WrPBrRWNoFNB0gsnUoqogjrokiOQERlX
2WjBZSaOrdLmGBUx6cGvIaSb+k3EMXN0RAgcUok3NMY0QwF5j6P0VE7AOkEG
U2SQb6KHRvB4WDlLElIx33WVHtRTeEhzPNR7dhbH8C7VPoMx67ixPT9RB6If
9g+2/3DcO9t7/2qfGWXLz72rjOHOZoZBX86WsXcbLcJaP7b8z9lcsuU9v9LA
nx0I5Xp7eOYGqAZkqIskTLCkjQlURDmF6Hj6BNEkIRNoSLpGU7TFVcZPZf0B
dtrUggBSARMrR0Vo1zfWBRf1JUbfKYbGREle5uRDSVjzV4evqACN9wzjdSkF
gdQ5EFUJNfFkcLzXy6+XDQFaaVs9Bn5XRnKu5XKc8j3VmyMShRZeMZaTkHje
TxW+O/E0S+LCfBjyHtTUCcJvAw54Jh9XTJoaIG3T4sjPIintxJmv0rhuBhrI
MQH6lMOTJCsJXZp04ZgZhUN7GQLC5xyrHwD35nazQGRsirYmRTpFe4gcLlkH
4ALOBxVlhYwPjsXgRbQOH6i1AP4cPXzI1rxkMgPaycK52PG+URsCFiXi3+R4
xELWyGbh/JH2FXUrBlL6D17yhrNkXvEXLJn5wN0W7evWQZYg69UnrFeffJZK
gaI4OiVqxXen1XhTxxco4oLrgJKc1cDE4NvYu9F7JFpj+7AZHKiV3A+pfIcS
5TvxsKwBqJM1im19QDXmXJgwVpF8ZXhiYciPZGz4jJ9l9rZzSwugzOWgi8HO
Wa4GVRQCL3PMwasxG1W9OM8DL85RE6VqV6whsOmghcJjaM7j8qkifRhss4Ve
SbY9FfnZKP8G/SoFi+l58YroeHh9aG1c69BgUJ3/DxPUCrKah5uLjKVbeygn
mMQox1tzKp70ooXtTDSqZYYOTZ7WI07bqedymZXkjYgX2EqrM+sBPulucNlD
FxQXCdcRCdfrkfAEq1wi3cV1NyDj+oLJH8PklajcIyfLUBgDyhU2rdDjhVa3
06y3xOslQorAbVl7fcLpkGmow4qokCmMF9jYCrdsTFtSzXPtG6FFzGQdaEjE
jKRoB6RJ0In7aOXa2emvuBUI+ArBp1bHcywCwZ3WnGKUobOhMfWg4vOGNAVR
kKYXD6MBTnp7+i6IUcad50EQAE4X7OGHwaAgyZn8DSOq23k2iWfhPGurgf+8
/gYRWYPtS9KrGkySXD2nXjqVZ7wFwzYWofdGMxgg/sI1rIAh+X1G6V4m21/b
M8mtKJPgUr3sYpdsMtesl1YAF1/UEeHcJSXFU96d2pw11494j4KAWCg2ytvd
7I2Eq2HbN3jbj++37ZvBtrdtZlI8HKZc1RLYfzKTPC6Fxl+YbF631bf+ktpV
p3gJhlnClcnwAl5OUe0DMDMqLGhQ2dOeOesFdAB8S6CQBFnNhDyn4kxhssft
+0yabcVEDPLO5SUWuKiRhY1EHiQvnVicMIEfocnezbNBSjymwr3FnNKYLuaY
7awE0k9a0Vewrv6cyj1tV9iPczzVEicUQYDVZRwDmq/8H6tmNp+ZivGOaMF2
OCx6CTekFOWpeTAAl2Ks0NZ7UUqZzrqd5COa5VzQFRtbRR0a1pFp3GUZ702N
NyxoOOPxhxM2j5mEsbguoIpYw7vtP0UAX37DGjXcB6/uiIRexIHpyIn2cHbF
M7vonkziD3qHTmp2hLR62i53G2x82AXmVbZrkASNB+fk5+uaMv1a5bZdf2XF
IUTUQtgSHoF/AvTGXfZ6260RghiHW0nDSy6pdkuIK6iA317HqVYhtV+zM8vs
iX5gKYWWGTphgqB3pHARp8IbuOiF3IY0qai0fB96mJ00n1G66iCZ2cLx9sZW
IGU6fNpWG/xvdIh58oVnaO8LgVgJNlKDfhVaj2NvokC6uVAgxW+3S14h+R7b
ekm9NiFirRS+h/GXV/E4HTZtfDNlJqm/VljYZISwZxYO7bgZjdfhJIhxrLgf
SeRYb9vQXDmvTZinm3Tbd/cB1KkGbtLpPUW0zS8S0R5/qaxAa+6Su+U2r4i3
G6g++cmvll6y6swR9k60vMbZqXnbc19rnXJn5+oIraD9iPSHRcIFL+m4Tp7x
rqkydP27WcY5rpdxFoNxB1kSwAxMt67ROMXCJ0M38bfK/jkkwrfVNERGnNjI
iBOKjGCpwoRUszDnlFUtQE0BmcMqgCYfuq1OrYHQtnJRxKUp8pMZl8zCLG4G
wjhDjAtNeIIB9Yuyrf0yTF5iu1g/vbIEn7umsFI+vyWuw0SZmPLnlY0LnJ6a
ImODLNRE3KxnsFWlSWpjOTccn5tgsP6MdkPuXxy66RaFUehIL6KfyI/S71uv
S0ThXaUX+VDjkvFdNc3OGvcbN8sGvzzPsnFzQEW/b6ul1Nly7lxAwIunqA2e
eO1FXVbjJujySPh8ECgmOqp4SCyCEktv9pZU3B7huA75DJwL6PnxfAuOTKy1
MWLXB6FysRQaoCY5Wmigrhqze0wSgjKOL91AL9VNTrU2U5nfcHxLrNVMsK1E
KO7JkJVb7FRXrLsop1g7wTBZ4qZxrrb58NoYAab52ppyhKcYW5BTgD2zav96
bAkWdpqR0KJW58swy2AOT6K1NRqDBV1c6NT5mSoH2Gk8vRNTWIY96nJoGu0O
2+PI7Vw6UiL8avJNyLI6HVqniX/KfEHdNpfRtjE5e2UmFTreVleIaQwaum2L
W6cMFm00d1ZRwdpsniTGFEU2SMmylBpLuTbXshtdWw7UkJj5NIVtbesltGAL
gEGUAUkdKI6cJ1IFiASSnLVY9VK6VbKpaijOwUKHIwSyVAVsfg6gjj2hv3Qj
Jy0LYbXCFHNM8pw6Nw4TqUbH1a4ofAf7/YB4kViJNPCMwnmDTmuKbFj3qOy/
p+BjQhYZQUaJ3fYwQ83UyUF99Tjy+vXAixNbULOmiE7Q85E3yyOlH6aYF4IR
JVwJPQg9tsrjl27c1JRk535uvIEm+DbPO9RABJ51AqoaNhGADylzmc+pNmN1
d4Ugw5XO0+QqqbmRFbpMcrq8gCoGKt/JsGhrcRzRw5SK+w1rjBJX9ZLz544e
YOeQHT6tFYNEDsMNpv5SFshwGy7icZEYOLHf191grchvMqUrwAn0TYxJ9XgT
1eY0W1y+Lb5tBWHWIypsbSRzGcxFa+Jh0qeNvC7zgdBlhURvgVuxt46I1ZWr
arkhe7XnghPzsTGlPFkoKDty7JnZ568hyMpQKsn+oLNsVQXTHyIretpvmsRP
V/JOm4QzsmWIltfV4I3jmuANEsCaBR+QaApHnA3jQpxxjS+FCgOnwWW4RtNC
UjaMo9UxXUO4ol8YqEYowJRMhHBrjPNtxaFSgcEtMRVtnhdMEAWawx5REbgQ
F/EgqYrSjZTvVidNLYKKoWoRVu41GKKoTqu3SSJUqtVRnCKurH/sJplYG1CN
nexsU1YV9YhpvBYWAHTH4wh+UIbNwow5B5PbXFi2g4eL5QylwregE0j7Quak
1Q29sCRt0OGwQQVfajVNxe5ef7LgXTfMgx7oIDRFQ1Ept9NQJTP/bsULuHxB
7/DwbGd/txfxr2RxoYKl8MEubfjM7SlQ9/Op9e0L8+P82vBB048WUzh6ubsB
k9MenEnwHJXAdLdrITRfZ29ccqY1ApyDMVUw6/CH/3QtZshE/s+//ldvEf/n
X/9bF5Pfe/ZlWrxTmVE9tCpDyw2StsuBUGQa7WrbYDUsIn/Rbogib9XYB5FS
GxzwsiWK4DTCrJO+ZIBoBLJQNIqtLJPLhIubUqioGF6daNq6OGh/Og5rPez9
S2/n6OzoTwe9Lc+88oN+xVGzTRGsp8iRSBd1RgruKMWIEAFQWiLWMwO4M5Uk
DtgB8UOXk2nvwkStdNydE7eCCAT9WdPU0ByyUysfNwRIhFRI5XLx2YRFfaY2
Ug+1jLEHhRVd1QE4YBMtRs1WC24i97pxwicXEpyaa3THa4VX3N38T9523pnk
eASnhsTckeT41VtWYfaOPw12V/EBvJXg/Lq9sT9rMDtlZznQeKhHac7Sr8vp
M//1oKkjf3lC6Q5C+dyTRKT24FtA7h4Yjm1uGSoBbRXDj7kBtZ99X89wLSZr
ZOl1fLPFdU2t3O1TE1O59wJDJlTo1lDiGukmwuxtd7FA+NZEdnHX7OWuiNRE
As3iPBacwBcRmXuQ/Ee0PM9mOYXjfUVh8JvIkfu8DWpbv6MpqB1uu5CjUHc5
5q5wnjzJi9ECH8Qc1VhovtapF+/1saZWFT7Btc3stNsMN4sXAnhpyV9X6ymb
3JDsIkBbxCN2SWtX3BjOJbuUDi/EC6ZJoxpjNE2LkdrsGwC4WxKIlwNiFK9f
nwdSP9KdMzs4g8jYEes5WMCx6ED5POTNsMESFeHnrO/Ly4TI2QliRp7NL0dy
osdqHv9LlqJIQQ3jvXQK1+a7sJ5yW/ih3tDAanaPVAWqV0SVYzi3Xhp0eBVm
sIJRtbhMoCWIsFC47YOxlXzMaSi6BalLDM0UkvbOLW8QDBRUJmJ5I08g1jTF
G1DXkrlMBiPqJY+de/1WEIjkWP+BrDIpZuBfITKfROd5Fg/h09JuMSXXK5xG
l5O2lTbS8nqUFYmU1QnESzeAMWgPwmZJvUROgQ/eCdngsLKvcztNL/bt7noQ
lqolE64pygnzAtjxO3NwWe3oUjWAhd5s+0B7DzA/ewnbhPWCt+xJ2c5jHx/M
O6bOPxw/bvRgHGNRaGy0BpuRF6XJn2MJ8BIjzkPMMkO2a/ThanlqW4vkBFHW
7urClq6a+n97kQi/2FGj0FjTbU9+vvUkDpZ/jkXaqRG06L8nInR9cja4/ml7
Dz/dERL5b8udr/nnU/BcbY1U57lbRK/vw/G+bN716ry3VDP8OvNu2OcWD3N6
1+24KzRaDjQMmk4paPrOw9zynPcXFu/8omFuq4R6X2jqK3jea5jm8p1ftjfV
r790i/tfNswtdSvvB01T3c6vc2k2K8/d57KacpqV2L37wFen6Dn8SrW9PbKB
epypHYolhiIvKvW4J6EmlcEoKc/ujJ/SdoFFjqhQwLLtMFAJtj7bXGlzhyJN
pqH6mF4vRU0AE85tluCKbb64RtWUMIWM2jc7/LhGIGuTVxz78FwjG7/gyHN5
dokXbaXGJY6VpLJ6po6lV4gQ/QeJIxsAsCocigeepGeOBSisBYk31giU1AEe
ZEVqntamxEAEkJwfKkewk8tqK1HqhrO3OXOaikHliUnjD48R4H0tLfow8Hgy
iXOTXqpAil8vdRHB7gmp7wsllKCmXyU3rLkkIyIPaQ8LSkxS68qjUVIpACnF
KVE+uqkG0DoNPIdOeGjhlPGRW+qLTeIhQ4byiImeLUQLMqnUaDGxWA3L/A3E
L0e8qn3aEc/+IeLXEWfBmJju8LlvO9Gi/30l8atG7PuHiF+O2Ld4mL+L+LX+
/6b41VA//f+LX80/v6n41aSx/Arxa+PXil93fa5eTDOSgnFHAje9Zmtpg8Vo
gWh25BkuxUClyfHc42+UhFJXwL4NlwfOzDUVmfk3NcNaPu6cgiDZOYH965yu
NIgZ52JfqcgbvhXEgFxvDoHBwmgxDYtQW55USvRMd9dfp2BiRTL5dWUS/fJ8
VanJAUpSeTjutWTPylcqQWjB2KqJ9gkA2PgiABYVG6s5uxPv7K7g7EztC94k
W1XANxLXeDJsupH/qHFh9PtdO/46jX9cHX9djaENaVe3ZnqvMzgMoR2Vq0bg
kqqArhvvf5iBB5RK4A/yOhlvOASOh70traLFRfMo2xl7FKOBFxNtMeUNHVYS
ThVm1zoppRWLu1dZ0U3pxSfSnMpscPS6ZABxmVYTv6/l8JxyHmL/NOe0IXhw
l7gndx+CbP075dAFGftNaLXReFpanLxCZ51ELtoYApLDjElZDk0N4W05qVC6
K6J0QYBYeK1NfJqoQ6iQicOwMfvCOk5qPWTCMbgopq3YWSiaus4a133g6HBw
QQLAT03R4MZsxMCf8wBUFsDObJbkilUUzzJENzJylVZrW2sBYeNCjuZFdwlX
BZnakkJwVnhGBdN4ydK298O+hLYKyvWkwbTwL1kwlMtxHog9ePRivjJVzjEo
nXoySqeSUwl6p/jZzFHnHUcGcybM3IqL0HKDl9TxLtG29JVpI9xyHQtjyHFh
a1dZUDa9SCUWEoeg/cCgIBrQFNnTomoO7yCLi5dcSyFKnFI2w4KS0vc1ncIb
qcGSheYAbhmA8VJxIcH8FYnCBO0EsLergFPmD9GioB5ixmfYZMZoc3rnArgD
owQ1KiVf/576+iNKAcTbW5RnJgLgs9NTIK5vnExxCui5HRo/a0xjY0yqGQgz
JTItFCluxupDiNfniUVoU3hOsnheHx0dUKvsbPsAkwb7r/eP3+6awgacIp/N
KRHBndBA5mUNaDScCQIvBpgTokITlw4+PuT8p6jPXy6NynJWLMFO8dMd+vuz
V4rHjKP1UOSltlbssKUAsGekqVZpKkhRTFfNmjxqCJcIy55LNjDsjImcvTVL
1K3cSeUcPDBMMcRptQO7lADQNutOko8Jv5VDQXcvSz9hVbxTtjVyB/Z7AS35
OLfALYnsTv4Rmw+x40QtqOIxXXwoUrDM5Ak7deyprZFSXRrajFXpIa9xzziH
kzhAVILDz0+FFH9Bym23dcAT+xFCTsECMtHCpEgJ8hupSZMOuda2e060aq16
ODUgh9si4gT17kU6PkpndRTCtlXvRoSrj9a6LPuO0ktOV2NeBRtHTbGmpbM7
wvjktBwEyPIhW8QBWeZYgw92d0SVMi8oPzLLiK1jrDSnW7C1WLK1sul5FsMI
CFPfKZKP67St2tWBjyG6gw9JWUglrM3NJ223CwZcRUQzJ74Kx8KFI4gJIoNE
huBg3dYpcaiYk6m49A1w1uSa0xJqUESiVs4TDcjVBPbbGsQ7xGuQxUCHbiFW
/FDb3g97M3a/Fr1iCo6oM+Von6vEF8npFY/EfkYRfubjdwCP6aXjnB8VcKeF
xhMkEb9gMRMOXMCXqRaaFC6n5eCQXawwVAOB7vhhb2f/3bve+93eLhE4ipXJ
td+YAczWSgiO4C4nUHsAITnhA6grkWHjVLwYlS85q/0+tZZltH+ytiGj2CNs
Jt1aT9GHmujkeWKI1q/d7LAyBfrhDvcK9LzhOphE0SdeChOJe1xPBW8fiVgk
YdjVnfqSNE7mzAv0f9QBbeUCtnnpUfc6GY87lLz4aKkaOsmb9xjXpcoZyIlI
61DVwQ4D0RK3NcHaCEuwKwIbNiNIBV1gYoKwHM0xOP8So50QB1CrYiFj69Gj
6+vrrkRedYFLeYA5M9g0OdR2MQbJ4D9paUwHYLz7jiUdXWCRjDl2tLsO1iNL
30w0JR+1fWWPcq8cMS7mQynmF3AoDZUglh+JxiYK24qIvZXAVkCczGZpudVv
WFmjtNvYPEElzpGw0ILfmf4DB/v9I/jgIL6hTHxTPgEbFTlNH2sMdVIRfkEJ
nDMvCHeHA187r4imRsv6N6bgrHBVZZLIlhxLiLPzHX9fvsVWHv7R1qeboepg
E1LNrojlw9+Wvht0XETrq6vR/hvk11aObaOIv95d3Yx2SJUf2q8RTZu3MhlW
s0bvsoOaC/s1d5DHrNlCCXbGpn34UeHwdbUPJEPX/mqQIcwo70ZaI2sQO5m2
yM5u+C5vwu6+hH3SEarbvNmFR7ztZZtSWhiRkGMdtngm0zrpggU7LZkjsNUh
MSdxk4jPfMdNHz9Pg+TymsZhIiENaJsk0Rz+NcV3qKAdXuA8JeuOxgBLnY00
kYaIpDEMk3E6ITW5TCcowUyHaGiQ9EjJTMfcASo7fNsGx7DFGwgxrGNIjgZE
67pd3vB3+TthIE147CcZKBKzUL4QRe+GnzQ8I6f0ZhFIRAP3qpqLPc5KH37G
4a6fcVjnEIl2HA3SkmHUK5UGc+aoFL4I1LdA/zw26RCOVr/kjrbkcwGHih8/
LJrFlb8nZXfyuk3x2hWXOpls1ppIWVOuZn3la5B5Z6dqCJRX4c826F2so/8T
sQA23H+1bfIJuWO+3PGsuVjWr0gGXEtQY/LdQhdABdMxd7hkGyy5rSbx1AQ0
GW+mqRxAA6tEpeYNvwWZ9tLVdkV+91Atdu4M7IBseyN/dBSEmaFuk2xowMeg
+WIwp3z4ERWCZ+tpMCS/3RjNRbHqwRsmxyP0SdgCJjUtdcXw0BjZpaUXYnZl
lGx58asrSrVtKaQTc6LWXezL1R7cXNTQXF3xZkirX4n52lSlnxd6W09p0n8c
twwqHlTTz+sIK211KEfGK2nz49kf2fnN12b39YrwaVyCAti0fd2W6Z6N4yCj
v8qoEQunOHhT8SaHpXAKrYaAgZhYHXmSAh5gaVRUtt703nU404pr/lM9Kzje
UdAYCyvlmPbilOuDqoFV9aSzZNhUkuIDTVvRooSlxfmQyMPCfq9+Pwrp2aIX
neuz3MzK7DKPZyNgTqaKuuAycMxLxLMpV++/hLWkUhyrJDP6EPuM3yxuiEk1
aP86j6flfOLOh/iHogv5GHErCFh20XmraJM2CevWLESnMZkk1pCDVVvlhGXV
vF4LTJhqi2wduIDCGIUmdYk4a4odsD6Yu0cypygTezCm6Q0VaV/U9NU0GmCv
iimmZn0ohuXa/JaRdq1jMyD5beAMvD5w0oyOtpJa7ZihtZqQTz0wv3R8nqSl
OqRRkcVdW9Z9twWOvUIVK47zLC0a4omtffVUc7FN63XLlLWgLo7rhH5RiRkq
Pm4YtLxzMZ96+d0FinZkrDT5a361JX2enYFMkMUDjvSXkoaRUSTSCke9hVLT
E2k3JqJ6+0ktPG5wA4OdS63Ds6bfrLbG84qAmEridKZi0pV+iaxgUSlVz2E6
p0I5zsMdLtsi8EkdfGrmSU4OY4lgQj2ZTw1TxItEwzk5ZWadjOS0qWNs4HRj
Oz/wZXVaPnQXhLKHUf6UoodEJ8tvhCBj+XiKjvFUMNgTdaUJvKYWEzZ18WsA
T5UqpdJvG4Sdve332zWCDjaO/8y1UjibWpsBbnuntouNtw7JyAWA8mvUbx7W
igOPSOw1NjDfsgMw03LE5LN060xLMlbubvwlaAgzsa71wkp1GC2nfGAfxQMi
Pss008oSbMCn6D2++Sl6SwFEfkEBjFr2+OeniOKbPtUFwOBJL3tt31baNtBB
/I82GqDrjs4Dr9uB7zNmTZHaUxoeo/7gLLibiMb7bUsxYyPB8aZv75q9XYIb
MC5eLAEVisYa5efGWNEeBBU3S3lmUddZ8Uk6MV7i9OUYDW5ejHFuXkiPE4ZA
0t7iCIS7SJTBWirVQ+tLVGO9r0UL2NAFbN4GA+VVIpWnKwJPYXO5vNgSHyDm
gODxMgg51WyEO7vaWQc1sS/8tIi2nXpkvV8wvgEjdWCoFbaP40pP0fr6hort
oY1ZL+pdLyf1bllaMNBS26lVUCZAiQyjcczhHOUGr7G2vhVZDQx1OK5KKTVp
xlhBbK939Aq1SE+5UnfXVvTnn/78k+cB+/PPf/7ZaJ1bKE7CfYfPsdIKui3p
rEzO+Vb0HuRw2iNnWUQGjomqLHXjfAbEhj7qz+JBItqe6RmFHoqBdFW1Fm4m
QpYy0TD8YTGjAIxQ7Mrn2Kz8MsVC/OpC2Fh7anvIwd9Pnj5ZM91YAh+CAEoe
LlL2kUm+B4o0P+eazL7gLqEnSgGo4s4Nq+7OG+Kkc200sX2eDieyaHgEoswH
9D7RxCBvbcMPyScHR4ckPufDAECyF+1y32XaY7i9QLh4kp0wgsoARATP2ZJ2
GBW2QE/NnRlgGZUtBBRd60bHBV7D1jZs2Wg+Yb6f+yVAvSLoBZ+IjRhDMwnX
YsWvJ1ZiGN/8gJbGaxSZruObH5AISA1NOlMxxqJoSA2bSPiHNQ9K9kblOjHb
GW5c+GBD17vRthP52M8uyusYixfhUq4xZijnJq/OQ4U85C2PstoB9DS3399p
ySVIP+Uti46WPcMvefDtOiKKKi+kjSzN0jZljkdJPexSYEY7mZh6oCL2/LDS
av0pKbzd0aK6JqSOZFE5NXKSoeCshSxrLhtLK0DPOq+xnQtXemLxymfxVrW/
wV7zUwmHh/uXo1UVC345daLxq6Bb4MmK7aorRaT/luRZp0Sm5NjHAQM2uuYq
ZWOqMB1tH+yxYvo2Pc9jlLQq+EC4l9e8MtZX/s7YcQEDtTFRgG9Eq7XZjXZA
/yd7xvu+CDQCOGhxyRgldYJ9II85DdylxEIj0GkgKn9l2B93VWYtOdzhlhXE
3sP/POt40nUgj/ZJNcpwCbsZcQWi5gTikHl0PO4A6fRIOrU+QO4yy0qNFJjM
UOtFWf59X5YoiheMToAAdDdah4wMdZfzXBcdV7ZWhrBtweW7C1WODZRMTKR9
MMakYjqss9N1BIUCLsk//wOsrBZmE2pEd1vNnDGXjCI5gMwfQBtgn6nbjqi/
tVMjtZg+pLoeV1LXY8KylMpY1SXFvD2owZIgCmTWFg1HOobUh0q3xIUjBgDy
sUhOBKu6MjcSCWFTzHjKmCHiH5CHR/JrjOjxGjZBXmx8StDQ+oEyI4IGC3Tu
ww9Rn4clYmjePU+kvlTz9xRKgitGByWZAMiVKPeCc5kp0hEdckSKQy5ljmvJ
DbrI8ksRuwRaYtgiHkpnaH600P4A5Gw1sYUcDMa7go9/hxcQ9QVnRlbUL/DS
WDH9O7U1shEGUYWE0PMCq8HHgoCC8HTGGBWJwclpTl1JcQ+0eZ9O4y2Dwjqn
wWpE/THl0hWc/wAcdnt6s+BAPbpm0IoPDlCqRV2VhmlMVUSLOh0FGKaoJxN6
sKQH7xPhoGLgkjOTNSaIRHr38RyAFV56jTIf8ENc7JY7IGon8/PSfrd4AlJc
ROhF690Eq1mDZvP+0TbW3dLaktWvetiBsyoMb2FvcIwGXcbym9jpuF/vMNqS
NqTGz/W5Jtzwm9vyHhSag7mxhLmq3Fb0k6+//fwz9mR2PkAIXYGWEJalarSM
GSzYio7IFWEz6bELQx5fTqyVjmpu18O3bRs7ufohpVh+E72LL9NBNJ1PzpN8
uVjhl/irV+jjwQpqU3RSBF++iwcgx2fFKLqgtu946OgJNY/BxsCRwbL+Y4Sx
i2MjETLXK/HC40W8mOdE1D3dldSvt9tvetEpkHU86h/JALaMGPV7NKgjcVqR
QyJlYo6i8FaEMXb77wm1OJCCPYRT/V72hFjplkzxo1XQd0IFHW8uycu+F/aW
K2z1tcB5yxttjIF1I9fa/8xHbAhc2nHqlmn+QW96lebZlONOl3eyw95KdGAu
D9sBZS6+wPbPHb5Pn6K9XSoRpdkxaL27B8XAWqGftFRxFf3ZWIcBdB2JCOlc
yG422O1qdz404Y3VhPfFJqfHj6PlinWp0+lE56D2o/1436kfF/WRECZYHS76
+MCtLNchEvmZiuoaK7TxdtQqNdQuPjvSsG608aNAQ4Il0JySo5KmLHyNk+Fl
IhLYCQaAGEaLBQBhZ2AMrFBz49S/G2MYOQwBjHMugjQ3TjyW4uzWd4uBRAUy
V+sCwFm42Qd2dUyn5PeXcmlU9qXbULUPw8LcrYkKu2nIZe0UFGkOWg6XabEK
a1qqa9559Tpx9Atal1IVba+oy6P9QVE3HqZY7bJMWGq0Jfmu4ylzcj4Nlp64
ZGCRmfD0gUaGsehpvDESnut0pnRJ+QH3cEcEScZxR1q6V2scivMvNoIU4gNm
lBdOHD8ikhhl4+EVxhAVJqFIfJLV9vEIYC1ENKJES/idJGEUhRRZIkf9Frbv
d8GtdKQsDp8i0ljYt8Th0ng/xXdFTldeCXpd4xlzUjxJE7MxS8i6Y8ygY3St
Oz0L6YYshpMhKmjjnEFp08yOOYDoy2hi4m104hzWTJzDejWEqVI3Myj25/RO
DvPn5tXEVqdo4AKAFQe0heYFkn1WmeISzdEmYdnJCJMoqGlizTM6HF4scdFp
qFRZTVgMYIl109zU/TXNT/QmN6GVi8ry+NpH1rxqZZVhhS3bBZTOTIIApC0O
Z80THQjcIGf4+Nvtl723Qfo8d3Uv7ELP0uEZmtvO4Bmgy84EPoOn1/0Stq3f
/Q6lJO6fc/vPI47EPKNOWo/wzZ+Sh9sHB52Dw/1XnXd77/febb/t7PQ76w/b
EefFo0PnZ3yzDlgY4/vvm6q8I1BR0OH8WJTmQiorh7QkyP4+cVLm/baVj7tr
t11XFL7qlha6pzyXQyOVi5YliHHju2iHgzr61DBsHf7e6X8XfUiHKyGUz+4A
o6nwELjOjENxe1crWTnOJU0TUZlHZyY/82cnN3jGrZU9JF7/p0RiFxV7fzzq
ve/vnfR+HR5G1QG/7PTvfbDMtE8stSkq5ObjAxI3OuYRPTbk2yyI0NFReA18
lE38Us/LJ1QqekXjqq1lkLouY1wRnO0oGc8oLK7SjV3sgiyTaBAYFqdVt+4v
qDiJ+FyYfAuuT2386RSJi1uoMXWGiZseGqZcHMAhVkP2SEcZYykpH+Mb1rOd
YBFbH5njCklcCqpSoMkwrJ0sMKKERcYaDaTtIEFRsa+gQwDJu9A4O4SVGPv2
wf5blFl6vd6z1fXu2h+B91/kZATm8dyjxKcifqwrUxTUC4Ajg7X8s5htaucb
zkEuFRfv08fPNzgx0u0L2u/v7dqiC3bKNZiJUixbLVm0iG9OAKepNn2exAPE
G0ZlQLsOf/L584ratrhwO5ezcDbfRPkzglM1Qg6tpagxA87j7ibgExz/gCI+
aToJmyLtfkjdMhynLXu11zae4o0J+8FXFxQ7O8vNoGlPwiKOuDQgC2vcZR6J
1OU8HXL9Ijwymy2fF1QAmgXQgFK5VdcZBreaSFy5CXXF5Xf3323vvT/b292i
4u8+icJLZh6Q6YyNhS+TYI3RJU4oD296iaTLq+SO+3F8+BadYMfHe7uw7pcm
YY8rPxn7qcj97DoT0kN6kBIdPTLTxcY9MU+dCm+hkA2eR11+WhZF9gttlx5C
Fm33XFnISqe1hcXJD+4iAcYmpBmIGOJpnI/R2YeZP3QtJNlyeAUKGIxBfKko
C22cYKtqUCgMphphrKzqiVy7FGmOCeTW/LimpQBRd+6VKGF2PG5uQAUs/R3R
1+21JXOyDD6Ob7Sru1+p1L3DXeyc7cQaqEnaHQOWSE03YodKe66hlMz8dG+F
sHRbu270kDskWuKo3CplJ4lhm1/ztFsuN8olNwpPG5hmU4Ef0MwnI3hCL9/2
mC/9uH10tLArjqkrWFfcUn6qz0oNc6z+tkOlFRaVgeOCm/ivOPI+fdHsHXd2
/jm2UyyYnX9OzAet6oj3mv0Ok1ahMG99u7CWp/e/7z+FcxmDu2KSh0GVub4M
wlvqIDbvxnsByieOy7ZXgohdvx7Cr/BWU/HT8K07913r1JzXV4RwvfGt2yo/
uj9/Twg3Gt/6lXu4rOUq/VJzd4HwtnW1nL+Wo263a20kiLbpdE6WGdAc0EeL
36/U1rO0/MSayfkSaMN1NmJV+F+H2YuwscUlLh31xi2rEzSmSac+Q5AQc5L7
VMJ8yaA6kjo8CMKzW6xH9Q8M3mawQwsgt6F0NatEDMMIUMisZWwtVNAszQa8
fyTqkRFGkP8xu8a3J6ArTzBY/pY64ij8sOV7QdsRk1xVVovUOb2wguQxT4Bo
W/85KZ5G8Fc9EOMA8sg/9lA4YlmORSKSxxsq6S0viO9dUanJCO1ktHDQUp0M
XJOIKwXGcOhcjZrlkbbbci8W2ZFERlNPkUuz2/Y6tvap4HiXnS0xJfOQrT6o
YOhyMQrHS8tA3aQjEae9mnk00C6k5LZbzxohD1tlsMAhC0dsh5HNlh0MDQpU
pfRLpKZaWUnlnyZZyUpT95CQvkgu+iJp6FfJQPfgAgHtJyxDBQLv582jQNS5
D8WvebaR/d+Hr1bHXf6B8e6FFXaaYVgALz/MHMmvUXxfroTk4648iWBvRxg+
n934db08IGwfifwuxZmd9k1sxKL4Jy5twJddzEIFNysO7BdqJhiasAQsx4VD
uH1ZReG3oRZsVZBu4Twid5f7IbAtSL/VkO9wpUGq5ka0CIMoSs7MNDqg8laC
Bt2ZtEo1clFFa1wvLZU8Ohry3nbD4pTDEE/ooFvWMo3l1KnepFK/EHZjHqTo
U0yAkhw3L6FtpcJdhIC/Mzr/AauezG/I94/2AMeqqptCBnExHBDuGbuBaS4m
aqxjxj6Rboe2S7Q/DbD84xnVz0KWwOoyRZpPcC1snuB7yn5ppzaJDn1MyBJY
amEE3F1KdKQMHev1M1KBWIA58eGk23qf/CLFNV0jDQ4uCTYfkmTGGUDETbmR
SX6liTlULInvT8PlIUuMdaHLrnGBQjdmHxnudZwPtTdJMzNyOqM2KrJ1zyK7
cLT4R/2GhhhKtBwuxs9+GQQdHwL+MRxrIQT8c2I/qjKv+0Jw+7x1oNS+hhU6
okcYS+ArwLWvfZGOLbMFFrsaBbsZyC9cW3R3hfkLtb2/B5DNOvMXKs1/DyCb
1eZfvZP3Upx/heZ8Z9W5UUox3GCxqFKxy97WEyJ0NXApFt8hYoLYpDARqXPc
Ejkbcmlw6RZfSLf4+4sWVUZK8Rhqg7eX2USWabVEDoo0pvZ06mtWrQdRz/FP
mCNIfkkGnErz8YE6Fj43BIJhXdRojBFbnq/Dixgx40naKAfsmce5yKFxXNhB
wjpcc1OYOeLIMa7CTkFWQ0mYwAE+kJqvGfdTSlOaotGhMOE7ftp+4D2lUsxh
wdLQ98++5ndiQTAbdSY2Bdmv1JEB1WlEct4wmXCIJ+dfOqWM7O5znxGq8Z5M
0JtN3lQpAzFnBdUkX9nCTS+4ljA2RF7bhBfKoKTZDReK1zJzhVYVq6tHJrDq
jCTMsOuaG3XfqOwcu0lfagohkwWOariMC+XaZtfgNhcuK20VNZKKDYhO4TSp
v4GVaglJjkHnuLgwrc5im/prYjAVVPSx93R3OVnSLk2VRXJccjhhtHy1tiJp
R2nixBJiqqI+c7UWug+dQFBq3SxRXIhWQEgH0gRCPEVsYNACoWEXBMQfaZXB
0qu2KK8U3bM0zrWpyb5blzbbL4LpMO9u7kvRbAaTunin0j46PL62rQlSOFim
gWzox5S+gWG5Q85bzjOYSffR3qBr/PxMPv9sUMTpnm1PLTgY/I7xEc/cHhEH
f55ywkbhrg6ozyBWsXkWs11weQ5v4NlLxotx1Q01EjcgTWp4NH5hdMKB9jbX
G66+X6/tukYWWGGf8z69gnV+nZq2oUOs2GXaQdxilGyOGLy4Jg6cCMe36pYo
sSQENV3f60kNa04mxNYGiyS0yy8Bo8oMi9K+xbCKaZJfws15+ba3Ik0ZSK3k
9Dflv1bT5ijed9s7GukL0y33jvc6m89WKsRuIY3LmR9sWEg1tJBChDkeHHZ7
voa5ER28uISbztww2vZ6Z3ut8+xZp9frPH/aefqYn12ve3b9WWf1VefpaufZ
ZufxWqe3yc9u1D278bzzZKOz87yzu9p5vNN5sn4PwjwBzi9G4GIUAy8ypfn2
vsNpAFnhv+ttFJRW6kg2EVM6au9abLh0WidJi61oeW3zuyrEeB5eMU14hV49
yA7oOASV3WBsPnYbReuf9AJybC52Few1jZsRLde/z1iZHukzXnZkEhTjTHvi
HkjlmG3yes2xyN7UEDbN1ebqlH41TMRYue9HfzroIaramsqzcYx58r+U0f7B
9h+Oe2JRVu8JCi9zMTqA1IjVtSgTxFCPFY85KusWYpA41/VF9OefRg83nj/Z
2Hm+u/p458n6wz//zOAiy0C5RCPyp5ZhS8jAkw5VbXF3DruubLTdQoYk46LE
2kVG4vDFGM54wnawhSU5pQGWu3kaLGJ7U83XMK3aIojtJlTqzmPNFdqqwt0p
PbXSVB0ygql/GzCND2ivZmKQ/wAVDc7pSYYvlqaZ6gbM+AqWKPOE0xGnH6KP
Hz9uAyEdA8HBQurjcTI9j+eTzxjLBgsfcW8YDqpXSYZ4dkoxhLORidiGJ5FU
MvTv4nyQRUcpFuwQjx2lbZHIw4kwyrWtfHoqfIgh2xnlcLApnMT2pPi3/1UU
BqCYbyaqNMDMZqbEmcTf2GoDYyn9NUGZ29a/92dtYUYXB624xUZIVp2y3nSO
JQltuL5UAHqNggS815tjUh4mwE0SYhYHORaWm7A/jBKb92fJtA9XfxItwzdU
wi5PGImxIsXa6trq843VzSea5nMxnl9ctP4vHUF7TrwWAQA=

-->

</rfc>
