<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-webtrans-overview-13" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="WebTransport">The WebTransport Protocol Framework</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-webtrans-overview-13"/>
    <author initials="E." surname="Kinnear" fullname="Eric Kinnear">
      <organization>Apple Inc.</organization>
      <address>
        <email>ekinnear@apple.com</email>
      </address>
    </author>
    <author initials="V." surname="Vasiliev" fullname="Victor Vasiliev">
      <organization>Google</organization>
      <address>
        <email>vasilvv@google.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Web and Internet Transport</area>
    <workgroup>WEBTRANS</workgroup>
    <keyword>webtransport</keyword>
    <abstract>
      <?line 41?>

<t>The WebTransport Protocol Framework enables clients constrained by the Web
security model to communicate with a remote server using a secure multiplexed
transport.  It consists of a set of individual protocols that are safe to expose
to untrusted applications, combined with an abstract model that allows them to
be used interchangeably.</t>
      <t>This document defines the overall requirements on the protocols used in
WebTransport, as well as the common features of the protocols, support for some
of which is optional.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-webtrans.github.io/draft-ietf-webtrans-overview/draft-ietf-webtrans-overview.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-webtrans-overview/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        WebTransport Working Group mailing list (<eref target="mailto:webtransport@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/webtransport/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/webtransport/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-webtrans/draft-ietf-webtrans-overview"/>.</t>
    </note>
  </front>
  <middle>
    <?line 53?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The WebTransport Protocol Framework enables clients constrained by the Web
security model to communicate with a remote server using a secure multiplexed
transport.  It consists of a set of individual protocols that are safe to expose
to untrusted applications, combined with an abstract model that allows them to
be used interchangeably.</t>
      <t>This document defines the overall requirements on the protocols used in
WebTransport, as well as the common features of the protocols, support for some
of which is optional.</t>
      <section anchor="background">
        <name>Background</name>
        <t>Historically, web applications that needed a bidirectional data stream between a
client and a server could rely on WebSockets <xref target="RFC6455"/>, a message-based
protocol compatible with the Web security model.  However, since the abstraction
it provides is a single ordered reliable stream of messages, it suffers from
head-of-line blocking, meaning that all messages must be sent and received in
order even if they could be processed independently of each other, and some
messages might no longer be relevant.  This makes it a poor fit for
latency-sensitive applications which rely on partial reliability and stream
independence for performance.</t>
        <t>One existing option available to Web developers is WebRTC data channels
<xref target="RFC8831"/>, which provide a WebSocket-like API for a peer-to-peer SCTP channel
protected by DTLS.  In theory, it is possible to use it for the use cases
addressed by this specification. However, in practice, it has not seen wide
adoption outside of browser-to-browser settings due to its dependency on ICE
(which fits poorly with the Web model) and userspace SCTP (which has a limited
number of implementations available due to not being used in other contexts).</t>
        <t>An alternative design would be to open multiple WebSocket connections over
HTTP/3 <xref target="RFC9220"/>.  That would avoid head-of-line blocking and provide an
ability to cancel a stream by closing the corresponding WebSocket session.
However, this approach has a number of drawbacks, which all stem primarily from
the fact that semantically each WebSocket is a completely independent entity:</t>
        <ul spacing="normal">
          <li>
            <t>Each new stream would require a WebSocket handshake to agree on application
protocol used, meaning that it would take at least one RTT to establish each
new stream before the client can write to it.</t>
          </li>
          <li>
            <t>Only clients can initiate streams.  Server-initiated streams and other
alternative modes of communication (such as the QUIC DATAGRAM frame
<xref target="RFC9221"/>) are not available.</t>
          </li>
          <li>
            <t>While the streams would normally be pooled by the user agent, this is not
guaranteed, and the general process of mapping a WebSocket to a server is
opaque to the client.  This introduces unpredictable performance properties
into the system, and prevents optimizations which rely on the streams being on
the same connection (for instance, it might be possible for the client to
request different retransmission priorities for different streams, but that
would be much more complex unless they are all on the same connection).</t>
          </li>
        </ul>
        <t>WebTransport avoids all of those issues by letting applications create a single
WebTransport session that can contain multiple streams multiplexed together in a
single context (similar to SCTP, HTTP/2, QUIC and others), and can also be used
to send unreliable datagrams (similar to UDP).</t>
      </section>
      <section anchor="conventions-and-definitions">
        <name>Conventions and Definitions</name>
        <t>The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
        <t>WebTransport is a framework that aims to abstract away the underlying transport
protocol while still exposing a few key transport-layer aspects to application
developers.  It is structured around the following concepts:</t>
        <dl>
          <dt>WebTransport session:</dt>
          <dd>
            <t>A WebTransport session is a single communication context established between a
client and a server.  It might correspond to a specific transport-layer
connection, or it might be a logical entity within an existing multiplexed
transport-layer connection.  WebTransport sessions are logically independent
from one another even if some sessions can share an underlying transport-layer
connection.</t>
          </dd>
          <dt>WebTransport protocol:</dt>
          <dd>
            <t>A WebTransport protocol is a specific protocol that can be used to establish
a WebTransport session.</t>
          </dd>
          <dt>Datagram:</dt>
          <dd>
            <t>A datagram is a unit of transmission that is limited in size (typically to the
path MTU), does not have an expectation of being delivered reliably, is
treated atomically by the transport, and is not flow controlled.</t>
          </dd>
          <dt>Stream:</dt>
          <dd>
            <t>A stream is a sequence of bytes that is reliably delivered to the receiving
application in the same order as it was transmitted by the sender.  Streams
can be of arbitrary length, and therefore cannot always be buffered entirely
in memory. WebTransport protocols and APIs are expected to provide partial
stream data to the application before the stream has been entirely received.</t>
          </dd>
          <dt>Message:</dt>
          <dd>
            <t>A message is a stream that is sufficiently small that it can be fully buffered
before being passed to the application.  WebTransport does not define messages
as a primitive, since from the transport perspective they can be simulated by
fully buffering a stream before passing it to the application.  However, this
distinction is important to highlight since some of the similar protocols and
APIs (notably WebSocket <xref target="RFC6455"/>) use messages as a core abstraction.</t>
          </dd>
          <dt>Application:</dt>
          <dd>
            <t>A WebTransport application refers to executable code that is provided by a
developer to perform some, often user-visible, function, such as sending and
receiving data. For example, a JavaScript application using WebTransport that
is running inside a browser or code running within an executable that makes
outgoing or accepts incoming WebTransport sessions.</t>
          </dd>
          <dt>Server:</dt>
          <dd>
            <t>A WebTransport server is an application that accepts incoming WebTransport
sessions.  In cases when WebTransport is served over a multiplexed protocol
(such as HTTP/2 or HTTP/3), "WebTransport server" refers to a handler for a
specific multiplexed endpoint (e.g. an application handling specific HTTP
resource), rather than the application listening on a given TCP or UDP socket.</t>
          </dd>
          <dt>Client:</dt>
          <dd>
            <t>A WebTransport client is an application that initiates the transport session
and may be running in a constrained security context, for instance, a
JavaScript application running inside a browser.</t>
          </dd>
          <dt>Endpoint:</dt>
          <dd>
            <t>An endpoint refers to either a Server or a Client.</t>
          </dd>
          <dt>User agent:</dt>
          <dd>
            <t>A WebTransport user agent is a software system that has an unrestricted access
to the host network stack and can create transports on behalf of the client.</t>
          </dd>
          <dt>Event:</dt>
          <dd>
            <t>An event is a notification, callback, or signal that a WebTransport endpoint
can provide to a WebTransport application to notify it that some change of
interest to the application has occurred.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="common-requirements">
      <name>Common Transport Requirements</name>
      <t>Since clients are not necessarily trusted and have to be constrained by the Web
security model, WebTransport imposes certain requirements on any specific
protocol used.</t>
      <t>All WebTransport protocols MUST use TLS <xref target="RFC8446"/> or a semantically
equivalent security protocol (for instance, DTLS <xref target="RFC9147"/>).  The protocols
SHOULD use TLS version 1.3 or later, unless they aim for backwards compatibility
with legacy systems.</t>
      <t>All WebTransport protocols MUST require the user agent to obtain and maintain
explicit consent from the server to send data.  For connection-oriented
protocols (such as TCP or QUIC), the connection establishment and keep-alive
mechanisms suffice.  STUN Consent Freshness <xref target="RFC7675"/> is another example of a
mechanism satisfying this requirement.</t>
      <t>All WebTransport protocols MUST limit the rate at which an endpoint sends data.
This SHOULD be accomplished via a feedback-based congestion control mechanism
(such as <xref target="RFC5681"/> or <xref target="RFC9002"/>).  A WebTransport protocol MAY expose a
way for the application to select among different congestion control profiles
(for example, one optimized for throughput and one optimized for low latency),
where the underlying transport supports it.</t>
      <t>All WebTransport protocols MUST support simultaneously establishing multiple
sessions between the same client and server.</t>
      <t>All WebTransport protocols MUST prevent clients from establishing transport
sessions to network endpoints that are not WebTransport servers.</t>
      <t>All WebTransport protocols MUST provide a way for the user agent to indicate the
origin <xref target="RFC6454"/> of the client to the server.</t>
      <t>All WebTransport protocols MUST provide a way for a server endpoint location to
be described using a URI <xref target="RFC3986"/>.  This enables integration with various
Web platform features that represent resources as URIs, such as Content Security
Policy <xref target="CSP"/>.</t>
      <t>All WebTransport protocols MUST provide a way for the session initiator to
negotiate a subprotocol with the peer when establishing a WebTransport session.
The session initiator provides an optional list of subprotocols to the peer.
The peer selects one and responds indicating the selected subprotocol or rejects
the session establishment request if none of the subprotocols are supported.
Note that the semantics of individual subprotocol token values are determined by
the WebTransport resource in question and are not registered in IANA's "ALPN
Protocol IDs" registry.  Resources SHOULD use tokens that clearly identify their
intended protocol; reusing identifiers associated with established ALPN
protocols for unrelated purposes is NOT RECOMMENDED.</t>
    </section>
    <section anchor="session-establishment">
      <name>Session Establishment</name>
      <t>WebTransport session establishment is an asynchronous process.  A session is
considered <em>ready</em> from the client's perspective when the server has confirmed
that it is willing to accept the session with the provided origin and URI.
WebTransport protocols MAY allow clients to send data before the session is
ready; however, they MUST NOT use mechanisms that are unsafe against replay
attacks without an explicit indication from the client.</t>
      <t>Where a WebTransport protocol is layered on a protocol whose session
establishment carries additional metadata (for example, HTTP response header
fields), the WebTransport protocol MAY expose that metadata to the
application once the session is ready.</t>
      <section anchor="application-protocol-negotiation">
        <name>Application Protocol Negotiation</name>
        <t>WebTransport sessions offer a protocol negotiation mechanism, similar to
TLS Application-Layer Protocol Negotiation Extension (ALPN) <xref target="RFC7301"/>.</t>
        <t>When establishing a session, a WebTransport client can offer the server a list
of protocols that it would like to use on that session, in preference order.
When the server receives such a list, it selects a single choice from that list
and communicates that choice to the client.  A server that does not wish to use
any of the protocols offered by the client can reject the WebTransport session
establishment attempt.</t>
      </section>
    </section>
    <section anchor="transport-features">
      <name>Transport Features</name>
      <t>In order to make the transport protocols interchangeable, all transport
protocols MUST provide datagrams, unidirectional streams, and bidirectional
streams.</t>
      <section anchor="features-session">
        <name>Session-Wide Features</name>
        <t>Any WebTransport protocol SHALL provide the following operations on the
session:</t>
        <dl>
          <dt>establish a session</dt>
          <dd>
            <t>Create a new WebTransport session given a URI <xref target="RFC3986"/> of the requester.
An origin <xref target="RFC6454"/> MUST be given if the WebTransport session is coming
from a browser client; otherwise, it is OPTIONAL.</t>
          </dd>
          <dt>terminate a session</dt>
          <dd>
            <t>Terminate the session while communicating to the peer an unsigned 32-bit
error code and a UTF-8 encoded error reason string of at most 1024 bytes.
As soon as the session is terminated, no further application data will be
exchanged on it.  The error code and string are optional; the default
values are 0 and "".  The delivery of the error code and string MAY be
best-effort.</t>
          </dd>
          <dt>drain a session</dt>
          <dd>
            <t>Indicate to the peer that it expects the session to be gracefully terminated
as soon as possible.  Either endpoint MAY continue using the session and MAY
open new streams.  This signal is intended to allow intermediaries and
endpoints to request a session be drained of traffic without enforcement.</t>
          </dd>
          <dt>export keying material</dt>
          <dd>
            <t>Derive a TLS keying material exporter (<xref section="7.5" sectionFormat="of" target="RFC8446"/>) to provide
keying material specific to the WebTransport session.</t>
          </dd>
        </dl>
        <t>Any WebTransport protocol SHALL provide the following events:</t>
        <dl>
          <dt>session terminated event</dt>
          <dd>
            <t>Indicates that the WebTransport session has been terminated, either by the
peer or by the local networking stack, and no user data can be exchanged on
it any further.  If the session has been terminated as a result of the peer
performing the "terminate a session" operation above, a corresponding error
code and an error string can be provided.</t>
          </dd>
          <dt>session draining event</dt>
          <dd>
            <t>Indicates that the WebTransport session has been asked to drain as soon as
possible.  Continued use of the session, including opening new streams is
discouraged, but allowed.</t>
          </dd>
        </dl>
      </section>
      <section anchor="features-datagrams">
        <name>Datagrams</name>
        <t>The general goal for WebTransport datagrams is to be similar in behavior to UDP
while being subject to common requirements expressed in <xref target="common-requirements"/>.</t>
        <t>A WebTransport sender is not expected to retransmit datagrams, though it may end
up doing so if it is using TCP or some other underlying protocol that only
provides reliable delivery.  WebTransport datagrams are not expected to be flow
controlled, meaning that the receiver might drop datagrams if the application is
not consuming them fast enough.</t>
        <t>The application MUST be provided with the maximum datagram size that it can
send.  The size SHOULD be derived from the result of performing path MTU
discovery, when the underlying transport supports it.</t>
        <t>WebTransport datagrams have bounded send and receive buffers.  Either endpoint
can drop a datagram when its buffer is full: the sender can drop an outgoing
datagram that does not fit in its send buffer, and the receiver can drop an
incoming datagram that does not fit in its receive buffer.</t>
        <t>Additionally, because datagrams are not reliably delivered, applications
sending time-sensitive data can use age-based limits to request that stale
data is not sent.  A sender MAY impose an age-based limit that caps how long
an outgoing datagram remains queued before it is either sent or discarded.
A receiver MAY apply a similar age-based limit to discard incoming datagrams
that have waited in the receive queue for longer than the application is
willing to accept.</t>
        <t>Any WebTransport protocol SHALL provide the following operations on the session:</t>
        <dl>
          <dt>send a datagram</dt>
          <dd>
            <t>Enqueues a datagram to be sent to the peer.  This can potentially result in
the datagram being dropped if the queue is full.</t>
          </dd>
          <dt>receive a datagram</dt>
          <dd>
            <t>Dequeues an incoming datagram, if one is available.</t>
          </dd>
          <dt>get maximum datagram size</dt>
          <dd>
            <t>Returns the largest size of the datagram that a WebTransport session is
expected to be able to send.</t>
          </dd>
        </dl>
        <t>The maximum size of an incoming datagram is determined by the WebTransport
protocol binding and the underlying transport.  WebTransport protocols MAY
expose a way for the application to influence the maximum receive datagram
size or buffer capacity.</t>
      </section>
      <section anchor="features-streams">
        <name>Streams</name>
        <t>A unidirectional stream is a one-way reliable in-order stream of bytes where the
initiator is the only endpoint that can send data.  A bidirectional stream
allows both endpoints to send data and can be conceptually represented as a pair
of unidirectional streams.</t>
        <t>The streams are in general expected to follow the semantics and the state
machine of QUIC streams (<xref target="RFC9000"/>, Sections 2 and 3).</t>
        <t>A WebTransport stream sender can reset its send side, indicating that no
further data will be transmitted on the stream.  The sender can indicate an
offset in the stream (possibly zero) after which data that was already sent
will not be retransmitted.</t>
        <t>A WebTransport stream receiver can abort its receive side, indicating that it
is not interested in receiving further data and signaling the sender to stop
sending.  These operations are independent: the two directions of a
bidirectional stream can be terminated separately.</t>
        <t>Errors signaled through resetting or aborting a stream are scoped to that
stream and do not terminate the WebTransport session.  Session-level errors,
signaled through the "terminate a session" operation, apply to the entire
session.</t>
        <t>WebTransport protocols are designed so that streams are sufficiently lightweight
to be used as messages.</t>
        <t>Data sent on a stream is flow controlled by the transport protocol.  In addition
to flow controlling stream data, the creation of new streams is flow controlled
as well: an endpoint may only open a limited number of streams until the peer
explicitly allows creating more streams.  From the receiver's perspective, this
is presented as a size-bounded queue of incoming streams.  A WebTransport
protocol MUST expose enough information about the current stream-creation flow
control state that a caller can determine whether stream creation would succeed
and know when additional stream credit becomes available.</t>
        <t>Applications MAY provide the transport with hints about how sending on different
streams and datagrams should be scheduled relative to each other.  A
WebTransport protocol MAY honor these hints using the prioritization facilities
of the underlying transport, where such facilities are available.</t>
        <t>Any WebTransport protocol SHALL provide the following operations on the session:</t>
        <dl>
          <dt>create a unidirectional stream</dt>
          <dd>
            <t>Creates an outgoing unidirectional stream.</t>
          </dd>
          <dt>create a bidirectional stream</dt>
          <dd>
            <t>Creates an outgoing bidirectional stream.</t>
          </dd>
          <dt>receive a unidirectional stream</dt>
          <dd>
            <t>Returns the next stream from the queue of incoming unidirectional streams, if
one is available.</t>
          </dd>
          <dt>receive a bidirectional stream</dt>
          <dd>
            <t>Returns the next stream from the queue of incoming bidirectional streams, if
one is available.</t>
          </dd>
        </dl>
        <t>Any WebTransport protocol SHALL provide the following operations on an
individual stream:</t>
        <dl>
          <dt>send bytes</dt>
          <dd>
            <t>Add bytes into the stream send buffer.  The sender can also indicate a FIN
together with the bytes, signaling that no new data will be sent on the
stream.  Not applicable for incoming unidirectional streams.</t>
          </dd>
          <dt>close send side</dt>
          <dd>
            <t>Indicate a FIN on the stream without writing additional bytes, signaling
that no new data will be sent.  Equivalent to calling send bytes with an
empty payload and a FIN.  Not applicable for incoming unidirectional
streams.</t>
          </dd>
          <dt>receive bytes</dt>
          <dd>
            <t>Reads bytes from the stream receive buffer.  FIN can be received together
with the stream data.  Not applicable for outgoing unidirectional streams.</t>
          </dd>
          <dt>abort send side</dt>
          <dd>
            <t>Sends a signal to the peer that the write side of the stream has been aborted,
including an offset in the stream that is reliably delivered.  Discards the
send buffer after that offset; if possible, no currently outstanding data
after the provided send offset is transmitted or retransmitted.  If omitted,
the offset is 0.  An unsigned 32-bit error code can be supplied as a part of
the signal to the peer; if omitted, the error code is 0.</t>
          </dd>
          <dt>abort receive side</dt>
          <dd>
            <t>Sends a signal to the peer that the read side of the stream has been aborted.
Discards the receive buffer; the peer SHOULD abort the corresponding send
side in response (similar to <xref section="3.5" sectionFormat="of" target="RFC9000"/>).  An unsigned 32-bit
error code can be supplied as a part of the signal to the peer.</t>
          </dd>
        </dl>
        <t>Any WebTransport protocol SHALL provide the following events for an individual
stream:</t>
        <dl>
          <dt>send side aborted</dt>
          <dd>
            <t>Indicates that the peer has aborted the corresponding receive side of the
stream.  An unsigned 32-bit error code from the peer might be available.</t>
          </dd>
          <dt>receive side aborted</dt>
          <dd>
            <t>Indicates that the peer has aborted the corresponding send side of the
stream.  An unsigned 32-bit error code from the peer might be available.</t>
          </dd>
          <dt>all data committed</dt>
          <dd>
            <t>Indicates that all of the outgoing data on the stream, including the end
stream indication, is in the state where aborting the send side would have no
further effect on any data being delivered.</t>
          </dd>
          <dt/>
          <dd>
            <t>For protocols, like HTTP/2, stream data might be passed to another component
(like a kernel) for transmission. Once data is passed to that component it
might not be possible to abort the sending of stream data without also
aborting the entire connection.  For these protocols, data is considered
committed once it passes to the other component.</t>
          </dd>
          <dt/>
          <dd>
            <t>A protocol, like HTTP/3, that uses a more integrated stack might be able to
prevent the transmission or retransmission of data that has not yet been
acknowledged by the peer. For these protocols, sending on a
stream might be aborted at any time until all data has been received and
acknowledged by the peer, corresponding to the "Data Recvd" state in QUIC; see
<xref section="3.1" sectionFormat="of" target="QUIC"/>.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="transport-properties">
      <name>Transport Properties</name>
      <t>WebTransport defines common semantics for multiple protocols to allow them to be
used interchangeably.  Nevertheless, those protocols still have substantially
different performance properties that an application might want to query.</t>
      <t>The most notable property is support for unreliable data delivery.  The protocol
is defined to support unreliable delivery if:</t>
      <ul spacing="normal">
        <li>
          <t>Resetting a stream results in the lost stream data no longer being
retransmitted, and</t>
        </li>
        <li>
          <t>Datagrams are never retransmitted.</t>
        </li>
      </ul>
      <t>Applications that depend on unreliable delivery, such as applications sending
time-sensitive datagrams, MAY require it when establishing a session, and a
WebTransport protocol MAY expose a way for such applications to refuse a
protocol binding that cannot provide unreliable delivery.</t>
      <t>Another important property is pooling support.  Pooling means that multiple
transport sessions may end up sharing the same transport layer connection, and
thus share a congestion controller and other contexts.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Providing untrusted clients with a relatively low-level access to the network
comes with risks.  This document mitigates those risks by imposing a set of
common requirements described in <xref target="common-requirements"/>.</t>
      <t>WebTransport mandates the use of TLS for all protocols implementing it.  This
provides confidentiality and integrity for the transport, protecting it from
both potential attackers and ossification by intermediaries in the network.</t>
      <t>One potential concern is that even when a transport cannot be created, the
connection error would reveal enough information to allow an attacker to scan
the network addresses that would normally be inaccessible.  Because of that, the
user agent that runs untrusted clients MUST NOT provide any detailed error
information until the server has confirmed that it is a WebTransport endpoint.
For example, a client cannot distinguish between a network address that is
unreachable and one that is reachable but is not a WebTransport server.</t>
      <t>Since WebTransport requires TLS, individual transport protocols MAY expose
TLS-based authentication capabilities such as client certificates and custom
validation of server certificates, including validation using a client-specified
set of server certificate hashes.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>There are no requests to IANA in this document.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC6454">
          <front>
            <title>The Web Origin Concept</title>
            <author fullname="A. Barth" initials="A." surname="Barth"/>
            <date month="December" year="2011"/>
            <abstract>
              <t>This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6454"/>
          <seriesInfo name="DOI" value="10.17487/RFC6454"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="QUIC">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CSP" target="https://www.w3.org/TR/CSP/">
          <front>
            <title>Content Security Policy Level 3</title>
            <author>
              <organization>W3C</organization>
            </author>
            <date year="2026" month="July"/>
          </front>
        </reference>
        <reference anchor="RFC6455">
          <front>
            <title>The WebSocket Protocol</title>
            <author fullname="I. Fette" initials="I." surname="Fette"/>
            <author fullname="A. Melnikov" initials="A." surname="Melnikov"/>
            <date month="December" year="2011"/>
            <abstract>
              <t>The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code. The security model used for this is the origin-based security model commonly used by web browsers. The protocol consists of an opening handshake followed by basic message framing, layered over TCP. The goal of this technology is to provide a mechanism for browser-based applications that need two-way communication with servers that does not rely on opening multiple HTTP connections (e.g., using XMLHttpRequest or s and long polling). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6455"/>
          <seriesInfo name="DOI" value="10.17487/RFC6455"/>
        </reference>
        <reference anchor="RFC8831">
          <front>
            <title>WebRTC Data Channels</title>
            <author fullname="R. Jesup" initials="R." surname="Jesup"/>
            <author fullname="S. Loreto" initials="S." surname="Loreto"/>
            <author fullname="M. Tüxen" initials="M." surname="Tüxen"/>
            <date month="January" year="2021"/>
            <abstract>
              <t>The WebRTC framework specifies protocol support for direct, interactive, rich communication using audio, video, and data between two peers' web browsers. This document specifies the non-media data transport aspects of the WebRTC framework. It provides an architectural overview of how the Stream Control Transmission Protocol (SCTP) is used in the WebRTC context as a generic transport service that allows web browsers to exchange generic data from peer to peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8831"/>
          <seriesInfo name="DOI" value="10.17487/RFC8831"/>
        </reference>
        <reference anchor="RFC9220">
          <front>
            <title>Bootstrapping WebSockets with HTTP/3</title>
            <author fullname="R. Hamilton" initials="R." surname="Hamilton"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The mechanism for running the WebSocket Protocol over a single stream of an HTTP/2 connection is equally applicable to HTTP/3, but the HTTP-version-specific details need to be specified. This document describes how the mechanism is adapted for HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9220"/>
          <seriesInfo name="DOI" value="10.17487/RFC9220"/>
        </reference>
        <reference anchor="RFC9221">
          <front>
            <title>An Unreliable Datagram Extension to QUIC</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9221"/>
          <seriesInfo name="DOI" value="10.17487/RFC9221"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC7675">
          <front>
            <title>Session Traversal Utilities for NAT (STUN) Usage for Consent Freshness</title>
            <author fullname="M. Perumal" initials="M." surname="Perumal"/>
            <author fullname="D. Wing" initials="D." surname="Wing"/>
            <author fullname="R. Ravindranath" initials="R." surname="Ravindranath"/>
            <author fullname="T. Reddy" initials="T." surname="Reddy"/>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>To prevent WebRTC applications, such as browsers, from launching attacks by sending traffic to unwilling victims, periodic consent to send needs to be obtained from remote endpoints.</t>
              <t>This document describes a consent mechanism using a new Session Traversal Utilities for NAT (STUN) usage.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7675"/>
          <seriesInfo name="DOI" value="10.17487/RFC7675"/>
        </reference>
        <reference anchor="RFC5681">
          <front>
            <title>TCP Congestion Control</title>
            <author fullname="M. Allman" initials="M." surname="Allman"/>
            <author fullname="V. Paxson" initials="V." surname="Paxson"/>
            <author fullname="E. Blanton" initials="E." surname="Blanton"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document defines TCP's four intertwined congestion control algorithms: slow start, congestion avoidance, fast retransmit, and fast recovery. In addition, the document specifies how TCP should begin transmission after a relatively long idle period, as well as discussing various acknowledgment generation methods. This document obsoletes RFC 2581. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5681"/>
          <seriesInfo name="DOI" value="10.17487/RFC5681"/>
        </reference>
        <reference anchor="RFC9002">
          <front>
            <title>QUIC Loss Detection and Congestion Control</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="I. Swett" initials="I." role="editor" surname="Swett"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes loss detection and congestion control mechanisms for QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9002"/>
          <seriesInfo name="DOI" value="10.17487/RFC9002"/>
        </reference>
        <reference anchor="RFC7301">
          <front>
            <title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title>
            <author fullname="S. Friedl" initials="S." surname="Friedl"/>
            <author fullname="A. Popov" initials="A." surname="Popov"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="E. Stephan" initials="E." surname="Stephan"/>
            <date month="July" year="2014"/>
            <abstract>
              <t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7301"/>
          <seriesInfo name="DOI" value="10.17487/RFC7301"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1cWZPbSHJ+x68o9zxYcpDUOcf2hMPb02rNyNZldWsnNhyO
jSJRJGGBABcFNsWZ0H93fplZB0i0Rjtev+3DaJokUMjK88ujMJ1Oi77qa3du
btbO/OzmN51t/LbtevO2a/t20dbmeWc3bt92Hwo7n3fu9nxwXVG2i4YuODdl
Z5f9tHL9crp38x4XTNtb191Wbj999KRodpu5686L0vbuvFi0jXeN3/lz03c7
V9CyT4oF/bRqu8O58X1Z2M7Zc3NGTzO2Kc2Lpndd43oTn31W7FdEzdUPN+8u
Xl8Xt67Z0crGrLp2t5U7s2uN6Q9bh69pL1WzMj/iMny/sVVN3weqcfkfsY9Z
263wu+0Wa/p93fdbf/7gAS7HV9Wtm4XLHuCLB/Ou3Xv3IF/oARZYVf16N6cl
hDuryKAHn2Ma7qyJI77PHn68wkzWnlXtZ9f67I+zdb+pz4oP7kBiLsHBqcn3
UNhdv247/oH+M6ZqSGxXM/MfVdM42/F3ogRXXbUYfE28OTcX223tSICLGX/n
hOHug1z3R4ufZ4t2M3zAn2bmT9ZXdeVusyf8qVr0bTf8hR5im+oX21dtc25+
bNtV7fIn3eLi29s/rvgXflJRNcu229Att6wzl9dvz/mW3nYrRxwPDN/v97P9
E5bxzbsHdNkDuUzM5uyyJbVsenPtFruu6g/mbVtXi4N56W5dbZ6c8cWJf5El
Pz+55I9sDSao5DNIqSim06mxc08CWNCnLzBN4xo7r503C+JJ09P/ybzo9qpx
pZkfTC9LFD5QuWlLIq9v6cLNZtdUsDyzJ1Uy1nRu09InT8rhOrPzIMwavtWZ
za7uKxLXR1cWUUFmxrzo+ZmVp4e3S76+xx9VU1a3Vbmztdkq2Z7IsT1ZFT3D
Lh2ocB+3rXcF/bVryB34nsiGVoAukqmfgM4570aIbCJ/wlZ4ybomA8RuN7Rq
MXdEPd1SwXMs1rZZOeLSYQaWVt6Q59ptILvSLWlpvs/AJmgZYsJfdxVxgrnZ
Nvxb2oAuW+RimRjryWzoXitLgbV059LZnjjHbBmsMjF+t2WBkiYa325cQZfs
19VibYi8dout23om+rCpypK0uvgKjrBry90CP/9DO/6hHV99ZX6wiw+Iek1Z
FD8Rl1tyw0TnYQI/PuCVsKJxrgQTzbwqaR8LWQvOiETTU9zdmLnr984RJwvR
Go7BNsh90e7qkthQH7B92uh1u/jgiBm//vpv755ffvP0668/faI9m43z3q7c
dG6JKUXYHXa/JYJIK0VkqoJmqIKkOT+1e/KkHXGjahaOrwuyhfpXPThGKkQc
JK5YXEYunnxs6TrHFFbQ/bArYqFSRAymm/1uuXSdN8uOYsLa2XLaLqc1ydvM
a9oRLTahGyi4kJYHJYorkLr7nhhFVCt/iJWOAgpLn0kwRHxjKpbtQbk2Zykv
aBG+sHRbR/80PXi5NM6SgFu6nPaMJVny6YnVak3ia03dkr52WIu26G5tAzNj
xd3YD2AGEWS2LanOsmIVKgAlmsVhCthVIewN9UI0K0h0a7u+srXyjyItiYSp
YTYWiWqSCfRz6zoOp/SZNPIN8c99JD0E20RTjb0FbIIoyI4h6hIRst2C+0Q1
ffPu5lI0EMbYuNoXokzffffkEZRJKFRx0+6i1pHAPjhz8fYFk0Lbdq6b9u0U
/zfXlzdvw4qsf6Tt4vae3by8hm9i8yXUyQpBpJCz8ZUSSqZshH+sevi4IE32
hS3LTiTIDpRu81u3qJbKz1lS3Iq4yeq6cPyENTmApiXVg3XtaSu0lvKo3fUe
eyM1ECjJ29A/4TPBUHJNO6atInOLYmCpvbi8Ku4Jm5b4FfIneQ4sjA3rPguT
dtP5rSURMpP0TtBnTV1tKuKTonb21Rty7PB4qjBJoEoPNjV3ELk6QFFjeP7e
fez9fdKMC1KEGjiegReR76sVcSHYBa1CGtHEOJJkjFUacVSe3XDx083N2wdP
1OH84fHjh58+sQmQkcp69ratSjNq1Lz9qElNEVQcIQ86XJvkB8ls69aLA4Db
7kju25YCF32TyCOd8JB7EeXOSkEm1rU2cjVxk/D4fk5e2we9hmOhyLYhsqqN
7SqSGzslPHSJSMbuxxOibXpx7uIqEgns/+BYa9fDjDPXQgiAAOvhvCj+xVzh
rsbtwwb36so5ouVmRTQ3pV+TOwFf7KpzDkqWeQ1CsNGjQ+ZHvrIKkuixBn1R
O0sOsyVBvLu54cjue9Kgyq95L7RcRtfckdWJx9cIRKIxe4oOqv0z2sybpj4k
WEO/Vw35NsAVWcWTSlxzyJqGX4IT86wErKLI8TKthIlwQE7wB9Z5z+8gJwnf
//n+xaV5dnFz8eO7i1ckKYJatEpURnJY9xnDwCiipYDin9dVLbsKZAiPGrhP
SBXhoW3rBM1gpsR+2qIqVcUOBHnlzhK+6B04j83garoOGCWEGI54JDKBaUm2
kGgI5pWntdqt/avYceJ4CCmVIk7iyq7ZUlylHIwtP3P7eCB97CuH1egOWcgf
oNQTNThEw17Ay0bztePIk3NGvAnrGX9NTM78gLkHt0ypYo/ns2+V8MgcVB8e
PLeqEOE+w7pOmmfKCsEfX3eO0eqmYiOGCRKCwlb4/nSdEjYx850YJK0WndcG
6rGBzooRfiRm1RABx34oA2w8bHG4F/jGAYpn5+XlDqCHFoHIe6IbalFLKBhG
8AXR1ruIgYbrqX8Sw4ShwCtTBpBcbWB6huGJXZQLw4dXAIKKrdSfkz2QEGvb
QWcQQCaGXfLjiRhHtC5/X8SPp9rat0aRNwA9gRGKQ02EaYj/qw5k5Ku/f/b2
vgBdSrehQhKA6NZnAOcVf5ZUSIsY3py9en99czaR/5vXb/jvd1dE2rurZ/j7
+qeLly/jH+GK65/evH9Jvxf6V7rz8s2rV1evn8nN9K05+urVxZ/PZKNnb97e
vHjz+uLlGfgGky1iNgE16JkFnHeQSXA2g0juF101l8D5w+Vb8+gpuZN/Infy
+NGjP3z6pB++e/Tt00+fiv3aNfKwFh5QPoqebbfOisBIdxZ2W/UW2QQ9wq/b
fUMBsXPH2sahYxnzRUG6FUkBbiKkUnZv1SFRTCFcwX4+1ohiINizgyPsR4/n
zE1cz5I8Owkn3TGt7QGODbiplydlkSWhQ0kfAbAo91sgWSJ+ca7DxCxbpHV4
Bunlwm17f16Mqj59fW4uzKhV5KnD0OkHZY+RCn45pkbGjCRHQrC4ogQX1OMq
SDxmA1aKzmBi4Ncyb0ZwrF0h6GscZ0QHCTcJZueptznhclqcqBtjgWfN1McM
wQMtByTCcds2gulCWoPsJC0BCyfAAE/XjGrJyGaPVTHoEYvrWF5RyURggZnx
6+jdQnKfYwzU2+zo5omGZ+p4VEuCH5IHkTpwuWIQJATi+ICUYXG++sWZe/1h
q0yUGAiUZAmBv7p5T56wbJ3g/7W9dSJBGIBoG4A/xzzC6IREsgwW2YlnwTrG
MLZvN/oUhQl9VmogdROQYJZkHKzEHdmJK2mn1+zndZ+KtYSdCIuI5KDi0Dsf
txhoyMjS8C4JL1EMCJXMV/yeRjlJhC3npHvAJ+Fi3yeIgzDAhiPEYaMqRVSL
unlF93QIe82qX0es0wlCpCsZZdXkn4AZKDhzvC7ZWoArGJAQNqXgfJiNa5SE
E8ohxRBEKLLPkCdoTkyLKdc4WVVG5JvPkKteCfQ/h8sIFMVKAQnklST3KhFN
9VUkcnuQA6oV1aKSWoEHXIxAW9m13LFGKAOIVKVFtGprvU+yy0g+dgpRSaX4
FSsekDLoQo7CNYRQl2EHMdBCYEN27UDUUv0QEimu72orwodrySjWWuIA/4Nm
fF/143QP8i1ar2R/KAAR0HUDYixDP7Mmh1qzUxWq2Xtp4S3AjYFC0HqsEveI
F2wACUDnha77XBiIRRoriVg3KFUh+U2EjwWjXIVItVEY4eKnW+wEbS8oL4m6
oFrJJoRAFAMmq6zgct4gRZNlT6qHNGJ6WzEsnhDbG401IauBDWpqzBhZDZu1
fGaeU0hyHy1wLcp6/045zTXhle2QbCkHD3alKBleZNdwbkiIXQo4obDRdrK1
cEEe3eLmed9c20KysutXLecG5FgWHPVpWYrcJ48PsQmOj6PzOAzQPIhLx9l+
BAh97gHwBuERXEvi8hADMnMMsfgxJVcvUBnNcHZQOlotZpkCprFDqXRQ7Dgb
ofos0xXLKXtNy3MhDLSFEJk/jQS9Je4Rgnez1ex4z7wEthnvxfNZJXy76xaO
COksowBiT3Pi/SjUkrpJ4kYUrSpAhRsCtEQSAXnSSdgPyeOSodOYPBRU3SGP
kMj7I4ejcoCPIle+sZxKJ6Vjm0x9j1hpVoQ3McNsEty7Q8vvUmTa05WyVnbV
JFZnBl0x76zWJViFjfCCFngfk/0xxqRSgMYHMu09t0o4zRb+cKmp4ayKdltx
GIMOe8YP4kMpn0QXoGe4T1tefIgpmqaRka/c4Ji7ta2XwVcuArVXty7b622k
i9xlLIVODGAKal2Ma1Hws6EjM9xdYJZG/xB3WbHv9JRSeKyWB44QXCODV5eG
DhEsxQgHXozFajCrXZAqdByLkWFyXyY97F3e6zG/fiWNm2neAvpEzoUDSqhE
hcoPYVwEBa7mxc4V8Zmxn6SBX9SLmxz5kg0aYoS3Xcc5/HE7yjaHaL3FoEKH
KESo4Q4IxKkyQtnNy+uQbz59+g0ln6ykefGxwCNvbc1VkUBrfNRRZeaZrMe1
sUdPv6WAyZWlrNtVaLYdHk6GwSD70ewJng28QCF+UE+pNmyxUCwygdLHnhKX
cgsuetduZRcHtQ7/BZsPZdBh3Y3r0nNmtbiWimsnBaFEUqRKmpu4LsIgjSih
wiExlINoynymbQdtydpiPnl/dZiopNyfaOU5Fr5iSrMJuecH57ZTC3BebBx0
v/KbgBcdcPXN+9conjCVz8kY1g04KTL59ptvCcSIu9X0TiI9o++0IMH5vvJL
SenWnBdEvfsC3nKiJFkD16n6UPnO3CS45YVd0oZVvUASvOCymqTgt5XlmoIr
IX/pLoJDBL9i2k4Zj4m0F5Gzsuevv/nukei16uXDh49FL+9KOV9d/Fk70cQT
lEJCafHIG3lXO1RLyEmsstLhCHG09LIijS7YXCK6Qp6tFVLalDyla3er9XbX
a8nn+AIkedrfuz9BcSio8EgOHvrKnkvovym10IVm2E727NqdR+8hqGBeeyhi
JSCUSFKpM9VJtEry24/WenH0qmxdgwen8lN8MuKBxrWgVdlIAZzyCIj6EteQ
Go+58IdOAvMMPCyBtJ/Me0UeQ/woJQpPoW95AA3x6G9gyDEJsYYfLahuoypi
xCGVFcOoxvt3L5SmJ3/47httmpGlhSERRMtVJ2uwE72l+EVCR5nGbEnLOLOI
cwvM2s6RrLxU0gUkchZEj/IpwTgelSp0VOq/Lq/f/vfvFkAs4QkqxLdt0bhV
K20gYtBunmqToRPKrWEG6QN9uqs8dDP6oDh5QB4szGMw/IWYs8f6IGg8VRbj
54un8FpYQ6mHK4U+qFHoOcp1wKzZVuj5nfsf3F/kbBiGhtDpqJak+U3KdXPa
GD6KkQMfvG57TbZkWQn5/mhaJ6ekbz8QHwkLoDmB1UpH0XqjiKbojweUgooA
kzN5PB6AAqoaaOdWyCE6Kaq9uHh98c/enF28fPu6iMNNL575M70QNR1CaUHv
MiTBlKmKLmpn0QyvUNIEXCS6qq6AtjdlloJ9T6uKqeiVFXC79ZS2SPeQdSgv
BzNhiZ9QTO5o8NXbXSdYjSzsqGnAcPNa5XaVy228gH0kW82O/KFZUHhoyEJD
z4+DWCpt86xtJfMwfyFwXx7+koCKeCLib16uYcPIYAxAMi2yrLoN2jZaciIC
9lXNqSIgOmfJA5NM1hZqFeoSIWzyDbPxyq/nUMvTWtH150BqUF9Lu+SdfU+Z
TawHEUoMzR8t0ERkFAPCruEpM7uygKtwZLU9FLZHSuR5By1HXROxXjBODG8N
uYhSNodee3fVmgvg4ETDZbTYMwGsCAnsUM4L23XoRNqyrNTHbFxvmRND4IA8
XZ0IrYbBB9cVpL916RVD/iaykSpLWF7r1znAacMUVtY6Yc5Lfy4rcaVBxNfq
jXlecbz50AIm5Rxp0j1JbhOTmoIF0oTscdOX3OgYe6i5+thj6AktYxjr/YB7
nzwkDChSOwkEStrkWJjZLIIQndmJZe+POb2jacY4CcGTSjpXFOoZ8Uk8KeQY
Ly60bD4T2rJnaOHYa1jlJ8oom0aT1Mhat1UqzWL8AsRxmp/GOoN3lGuPu/8X
MZHBRbEqvMfEhuyiQK55PLsonEkJbcYziVmnyjiu+2SHbrPt2VOma58r9iiK
F412F4iYDQ+qDEvQkaDhkCfKO6idnzQvj5BG7EYj9RxMSsZBALBzMERZhMET
tgd179OfsVygG1WEgJ+muvFPmI063GGg0qGO9ZBB1xMlXx0AkNGCIvU703hN
1Ofi3FyGOQEM24wGGqnZnULFIGiFFVBPg8rPGNJlRhIAlbVkAvLO5qsUVkOj
MVWGRXG+lzkC0joXZvRCh524LFhDsV7c5E38dhCRuDeddXgldkVEyGUzVKhI
d588ns4r1KJc14UKtbR53988n35HeBlflfoz8dTTA1Bwg1CWSG83KLI9evj4
qbTTmFlkty18vz92onEb5QTznctdJ2XCzKGyT0bIJb6Cro+i0BxMql5LKkfU
KkEIdQGifs+PLt3SUtpG62TI7aHML5zpWtruiwY+vjbCBxM0J52YuuUSM99F
UXZcL8lk8iJmRxnLg3+UjtuQLVIhIwtcOGkTJSZJJyrwMoz7EN1XUl6N+RCo
Q8JdNTunOVD+COyDLuEBKNLTNH/mQ16kBUsZgxKsCLjD8ITdCmGiykqI5tZJ
lna2EYFHPmBHpdb7pKWMGk1EGg7HUhahpIKoTJbywXEKv0EVDB3Ic/OM/kD7
mItlRz8buYuYcO/XX6+1ZPTt7Gs8LpX07metTSL6eI00qNDeabmz3+uzZAyM
HFQUdJSr/JYpi0/JyKj3iK3V3IC0xi7hB/13J4V2jUfIketQJuBWR8/laShD
00pOL5PI0rLMLQ315J4rrGqiaPssBzo1QpL0BMnfk8nFcOl4FEJ7dUExz0b8
2Vny8sbO21tuwQ0nUdk0ebAiuKlGzVWtVLcSoPgsMZ+1MYrl97De+g9iFWrz
0TCxvWSal2qGpcCfAdOAfhb1rtSQxvRkxmhCb3dBWZ5dQcYYwWMrlML9V+ZZ
nB3L42uM4Z9kQCzMR65a+gfwedj4jmtUXt1PgJyVdEFuqzbMpBUSTqS3Thmx
IJs2HO0YVOXJJrsw8U+BcqyJACR60phEAS/McuRDCXFisc9RCnzIas2zQ/YA
R1TstgTbmL4WQViip7hBLTFLE5ztJSsXDkdqMGRWxHJHmtbT+HAyPhC5GFL6
nHSMKZDYijSVcjQ3nAZLiCYZgiq7dpsLZ3lSeSUFwYOQ6+6CMW3MEgPHrgFX
ZiL//J6AUWJ+GjPWjf1YbXabNAfEoz3ZsEUB0WiY5N9Sobpk31ym7DCZfWbr
YSSoYKUGFycp7/6Cuu0dDOfO0hzTcdzjbMr8XIqOWfjTMFnAPTCTbdozk4Nz
BHIbNAdh+Dwb2THpviZ25Yu4wjBtWHL2zCsyZbJsGl2OMs8WLWLX/bcXHe4S
1hRTZsxPzd3CwvGcaufpfNNkMFpbhNmIvtq47ABNjBFYNp5ykkbHIPpLntfb
2jFvgkH7lGUxM4FVpLfHpZ3hgmG4betR4+ADQEXG9MSfDqdeKR2gR+94WpGr
JWL5Ghi5VMuTzX5hOw4HF4n9XH6h7R84lxTvd0JMG242JxLyhfahUUqyYTgu
k7CQpp0LPsc0OklAJn1SYPrdmOMkT8rmQsVOIv0UAq8aJtHn5qDhICvccz1X
YSJ3rFsUuCueylOjr8LwelxGB/xIvbdgjHgyYYgaGO0xMGpA1DMXiGpOmT7B
UqjxVj4/cFCsXD/uzWjBd45iZCOYu8a5Z9+LM9PYPDS58eK4ROYj/x7OebGT
FL8baAjrj+0BtA+KxyfYI3Wz51UcV7rTZR7HpUGFsQjNPPOZZl7VLGsZisyj
QpBOlI1sqguOkozULqpea2I60zjM+uU7ZP3jpQWZoyB5TkFdjLgVusZwFek8
o4xqxp5fkfoTlR5axYR4zIfiiGzemL44Ogiqx/z0xOy8RcU7z2pSLTZMjcgk
Ayx0p+qvHaGAfbe26lAZGy+kqJLEkzkddwcCVsu1Syz6qDkRlIBcbO+KjV2s
K+l28EmEsOq92Op9iPOE1+E42WO+/8n9EfwlXM5iHTbVpxCGuvpk2K/B8dq2
CPl7nrMPJl8HR10CkEjPiZ1ECoHtcskPze8w9xRYH8wvrmvvG7vsuaWFjroU
b/kkHHhfc4GWPRc7VD2pl2HIXiZDRjc/iMqUfXT9INiOc6DqC41xYfhGgkAa
KxwwiKsJnGen/LzRup7v220IwMInJA/Jm4uuxGl1QSeU2ZmoZnLmvBhT8aC7
Wabm3dZiQIGPgl8hhQo1ACigdOJFDfowgQimDGZXuae2aLdh2Nb2RfgFhiNn
JftBiWo0wTaxgFjz+yQ4o/OT4oSeL8gcJxrTNXbJJHKRUvm7xqK7cEwTvGkD
lEl2OhhK5unavcO/RR9P+sADhOlYnbVXCNIkniH4DYfVTybbI1kyahk6InjS
4FZJ6eOMts7PoOypQ/bDzPL4uYUe1T8fjKYgo2JXyoWieEI2O9MZVtwRa+uU
4ofOEfCUOFQhBeUWILNUb3qeMgaxuWFfTmecefh34FsRfqYB9AuU4Hathtf0
gIs7giknQhoPJVsy8f0oUnPYSVrGg3LxINw08jRP6MQLB8yAabEA6UNoR7QS
HKpGGJaRJonfEdSDGDDY1JBoOBHJ+l/pNvoKuJ5S2CHqucgPxgHP5qAw6RPn
e2uOarJHIOsA9lEaCeM7RdR4DXySQPh1OPznF2tX7mo5sCHHSDHrGQ/zg/nj
JsbkrdtGAAgad0xPKlWG04i/KKsJWtR8OLFQmDYGfSaKCLhLlG6RY4g5o/7u
YDoeQxyN9LH/4POMcfzaWbbYKD4ZX2vs0gGkvouwHA43OPSlehYT+VPTuqst
VGHudASNJyLu2NDvoGFspc+Q8PeQOOflaRgknCiSrB54FBPBpf6dHQZOcCok
6SfAh0+IJvRjnr94zWPLehA1Vmh46ckANTDyYt8+QF0h0kgpOAKu120cJA4H
hX9DrNDHWhr1Cv3ypgaTOoR1saqPU+sMEJIPO6af08TP7AA1mzRyyy8q0EAX
mR7efoN8bLPFPK491K0ttW1F5P1N247M8pniBum+I0jp9bFp6nWAGJOIwRgF
WvENKUGiOEEdZJrF7HFKP+8vQKcA1FxA1zxSauPg+XHvCZ/krQLh3RsZKanE
Pef5qAmPk4dCtcwAnGLzu8/N0baeSdnEB31MxqAYXiquvO73SOpDBZ37ghqA
AUN2Peary5BAoyOm92cVTV4+EDk8e8ddyzwD4EZGKx8mWrZItz6cca/3qD+a
9wTDAa8dhJbyvq6XMXxm0IkQeIvhocddRn5sEGqecXyhXJH4fIlY0ZrN5XKk
wt+npbXMKxQxIhq0YcBuCBWP5HRHh3Hy0+ypKfdEmnIpKb0/yuNhD/pzXL6D
x//HRp1MmjbZ/F8xdPlyDEZYOd4/Yt7xwRS5aoR1uXh1K7m7/rzqRRfED0oH
p0dC79+F2LTt/wdKMZsipeV2I4ZxSmd8MYQbVoCHASjvqknSV6bjq2mQbSLd
7VRCUfAYE9uQkcuWBaVzebdp+QinpPKObGXRhwMoOqo3OM08w1Gh5212ynIi
I1HhzRH5ydr0Mo94bDWcT8BJAII2fFToHi9gzQe8HbS+L5W87KD2zLxB/S7U
3fMzsKiEhZUM21l4v9bwJSL8FoRg8DE9WA6ojaOChF/ginPWSa49PIT/POL9
jBeByDSxyS3dTawZLbiQz3uIU8VHLJnJubGwas7gJxPZ9M5zZZuzzzDuze/F
wTmwpJKydX7Jjwzix+QpnIHPQ4h+s8yqT+FVVwfXs7sFXxbI6ChPWqX8Xsro
owzJcjGbNDcjUQzUSkce7RnNvqMNRVcfkYdMadxFyOTI0pXJZ1y0eOcWt+WZ
2ggZDMqL3+NNXvzun+TWH/GsBX791+jbj4bY3qbX5Rz18vR9g9pFTkVOKHZ8
W8tgttyGkqg2KYrRFxsSosJkLF2GU1TcLM6Zra/sYLP2uzmwhbQyinSIZfx9
P+qRhkc1RUZ7PXlNWUt3CJ0APnvY6huEZJWDHG9PLzw8eidM3mq+yUYNC+4Y
LLldgFqhrpDfHWaYqiW//updrNzZhFfRqokesAZ9uWnnr9sTpD7ATdzApJXT
/AH3FZ1Max6VWE9exSiFSyj4CNHp8MTgTT9qFcVIO1IHAVBTCGfZMHz62QFX
ZAefqU2c9EmEpsFO0Opcchf0tEMTOg7wBAFmjOyVQYr4snRoP1cPvBVLJi22
2tx5q99gekDZGY8inZwL9mEmwuy2/JaSGNhwPildfvzCFBFvv9758G6TkbNc
NQ8PlkdvvNMJfz0dealOXXvKOMtAvJBsJhwODfPu8WWrUktCZbXdaxFYzvIG
x6RTTIXUwPi+rvIf4vhafPMQXtiwUgABefJV8HzccQ46wVh9bIBl8H6iuwdY
BmpEjqKMB7V15gcDa4wn6/ydr/HlgvKqByU+jZzw6YNSmqvhXZQSufApNO+y
6pe+6VHfHMFv0uM2VmzRGpnx58MdEBzpSDixzEwZTvapa1Bm6ysu01rc+upk
jhNayK/HkaplpllqA3OtRWu+U+QHOxknhjfy3Tp+489JOTZ6fLhc3QV7P8yl
ZGSa8JJKper0RXNVI8qkA1o/6IQEA0vbC3n5CTc+60XgdkRj40mL9FpF5L09
wdowJFvkm0hF8rFDJqGLJG3Q0VPis+LonRRpypzfXCLvRdph+jm+sOmYMyFT
L+CPLMVKOKRwxDJl8eEXjJxpW+ukGa5H+OQc+NF5J7YRD9Wf5IeoxgbVk8PF
AQcducD7wx2fvBafY7fywsoqHgPwcfcIyUvNFLg5S2Ii5b8luylj/yO8xTe7
OE8VsovDqUFZfqpjoYRL9Q3OpytBkGsnvg9nt0783o3kFjx7EyZk2J3x1frG
tOi39PXXOOZb/C+VxsRKsGAAAA==

-->

</rfc>
