<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-gray-plants-mtc-deploy-use-cases-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MTC Use Cases">Merkle Tree Certificates Deployment Use Cases</title>
    <seriesInfo name="Internet-Draft" value="draft-gray-plants-mtc-deploy-use-cases-00"/>
    <author initials="J." surname="Gray" fullname="John Gray">
      <organization abbrev="Entrust">Entrust Limited</organization>
      <address>
        <postal>
          <street>2500 Solandt Road – Suite 100</street>
          <city>Ottawa, Ontario</city>
          <code>K2K 3G5</code>
          <country>Canada</country>
        </postal>
        <email>john.gray@entrust.com</email>
      </address>
    </author>
    <author initials="J." surname="Klaussner" fullname="Jan Klaussner">
      <organization>Bundesdruckerei GmbH</organization>
      <address>
        <postal>
          <street>Kommandantenstr. 18</street>
          <city>Berlin</city>
          <code>10969</code>
          <country>Germany</country>
        </postal>
        <email>jan.klaussner@bdr.de</email>
      </address>
    </author>
    <author initials="L." surname="Tindell" fullname="Luke Tindell">
      <organization>UK National Cyber Security Centre</organization>
      <address>
        <postal>
          <country>United Kingdom</country>
        </postal>
        <email>luke.t2@ncsc.gov.uk</email>
      </address>
    </author>
    <author initials="G." surname="Mallaya" fullname="Ganesh Mallaya">
      <organization abbrev="AppViewX Inc">AppViewX Inc</organization>
      <address>
        <postal>
          <street>107 Spring Street</street>
          <city>Seattle, Washington</city>
          <country>USA</country>
        </postal>
        <email>ganesh.mallaya@appviewx.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>PKI, Logs, And Tree Signatures</workgroup>
    <keyword>Merke Tree Certificate</keyword>
    <keyword>Post Quantum</keyword>
    <keyword>PKI</keyword>
    <abstract>
      <?line 70?>

<t>Merkle Tree Certificates (MTC)
I-D.ietf-plants-merkle-tree-certs has been defined for the
use case of the WebPKI.
In this document we explore when and how MTC in parts or full can be used in different
use cases. Some of this use-cases may provide benefit for private PKI usage.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://johngray-dev.github.io/draft-gray-plants-mtc-deploy-use-cases/draft-gray-plants-mtc-deploy-use-cases.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-gray-plants-mtc-deploy-use-cases/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        PKI, Logs, And Tree Signatures Working Group mailing list (<eref target="mailto:plants@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/plants"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/plants/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/johngray-dev/draft-gray-plants-mtc-deploy-use-cases"/>.</t>
    </note>
  </front>
  <middle>
    <?line 79?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>EdNote: Before getting into the nitty gritty, let's start with the potential benefit</t>
      <t>Merkle Tree Certificates (MTC) have been designed to solve two problems for the WebPKI:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>Size.</strong> A <em>landmark-relative Merkle Tree Certificate</em> is small as it
  only contains a public key and a small Merkle Tree inclusion proof.</t>
        </li>
        <li>
          <t><strong>Downgrade Detection.</strong> MTC ensures Certificate Transparency is post-quantum secure, and with that
allows detection of post-quantum downgrade attacks.</t>
        </li>
      </ol>
      <t>Besides solving these two problems, MTC has additional benefits.</t>
      <t><strong>Batch Signing.</strong> MTC reduces the load on the CA because a single signature is used for a batch of certificates.</t>
      <t>A PKI that operates with any of these three challenges could benefit from MTC.
These advantages come with trade-offs:</t>
      <ol spacing="normal" type="1"><li>
          <t>The small <em>landmark-relative</em> MTCs can only be used if the verifier
has been updated with recent <em>landmarks</em>. If the verifier is stale, it
has to fall back to a larger <em>standalone</em> MTC or it will need a
mechanism to be able to fetch the latest landmarks (refresh its
state). The prover and verifier need a mechanism to negotiate whether
to use the landmark-relative or standalone certificate.</t>
        </li>
        <li>
          <t>For downgrade detection, the issuer needs to publish a log of issued
certificates.</t>
        </li>
        <li>
          <t>Batch sizing parameters will need to be carefully chosen to optimize
system efficiency based on the particular use-case.</t>
        </li>
      </ol>
      <section anchor="brief-overview-of-mtc">
        <name>Brief overview of MTC</name>
        <t>A Merkle Tree Certificate is a regular X509 certificate with two
differences:</t>
        <ol spacing="normal" type="1"><li>
            <t>Instead of a single signature, an MTC can contain zero or more signatures:
zero in the case of landmark-relative and one-or-more in case of standalone.
One is by the issuer, and others are added when certificate transparency is required.</t>
          </li>
          <li>
            <t>The contents of the certificate is not signed directly, but instead
a Merkle tree head is signed, together with providing a proof-of-inclusion
of the certificate contents in that Merkle tree.</t>
          </li>
        </ol>
        <t>The use of a Merkle tree allows for batch signing, and the cost of a signature is
amortized over the number of certificates at the leaf notes.</t>
        <t>If a verifier has out-of-band knowledge of the treehead used (which in
that case is called a <em>landmark</em>), then it can be satisfied with
the landmark-relative certificate that leaves out the signatures.</t>
      </section>
      <section anchor="batch-size-trade-offs">
        <name>Batch size trade-offs</name>
        <t>A PKI can make trade-offs when selecting MTC batch sizes for both
checkpoints and landmarks.</t>
        <t>For checkpoints the trade-off is between computational cost of signatures and
the size of standalone certificates. Smaller checkpoint batches require more
frequent signatures, but reduce the size of the inclusion proofs for standalone
certificates. Conversely, larger batches reduce the signature frequency but
increase the size of inclusion proofs for standalone certificates.</t>
        <t>For landmarks the trade-offs are between relying party storage costs and the
size of landmark-relative certificates. Fewer landmarks require less storage on
the relying party, but result in each landmark representing a larger Merkle
tree, which increases the size of the inclusion proof for the landmark-relative
certificate. Conversely, more frequent landmarks would give smaller proofs for
the landmark-relative certificate but require more storage on the relying party.</t>
        <t>Both batch sizes will be influenced by the specifics of the PKI, including the
frequency of certificate signing requests and acceptable issuance latency.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="use-cases">
      <name>Use cases</name>
      <section anchor="verification-of-landmark-relative-merkle-tree-certificates-outside-the-webpki">
        <name>Verification of LandMark-Relative Merkle Tree Certificates outside the WebPKI</name>
        <t>Merkle Tree Certificates which only contain the inclusion proof
to a signed tree head can only be verified when the verifier contains the
landmark that completes the inclusion proof contained in the Certificate
signature field.  If the certificate is in a non webPKI environment where it has an
online connection it should be possible for the verifier to request a refresh
of its landmarks.  There are different ways this can be accomplished:</t>
        <ol spacing="normal" type="1"><li>
            <t>It can be done dynamically, on demand by the verifier.  A mechanism
that fetches landmarks from a distribution location could be added to
the certificate which could be used to complete this lookup.  Such a
mechanism could be similar to an X.509 CRLDP, except in this case it
could be a "Landmark Distribution Point".</t>
          </li>
          <li>
            <t>The landmarks could be fetched periodically by the verifier (or a
distribution system could push them down to the verifiers).</t>
          </li>
          <li>
            <t>They could be fetched by a locally defined policy.  For example they
could be pre-shared at a location governed by a local policy.</t>
          </li>
        </ol>
        <section anchor="landmark-distribution-point-fetching-mechanism">
          <name>Landmark Distribution Point Fetching Mechanism</name>
          <t>The ldpBaseURIs X509 V3 extension is held by the Issuer of the Signatureless
   Merkle Tree Certificate and contains the SEQUENCE of LandmarkDistributionPoints, each
   which is a LandmarkDistributionPoint of IA5String.  Each refers to a BaseURI location
   indicating where the landmarks are published.</t>
          <artwork><![CDATA[
id-pe-ldpBaseURIs OBJECT IDENTIFIER ::=  { id-pe TBD }

LandmarkDistributionPoints ::= SEQUENCE (1..MAX) OF LandmarkDistributionPoint

LandmarkDistributionPoint ::= IA5String
]]></artwork>
          <t>The Inclusion Proof structure defined in I-D.ietf-plants-merkle-tree-certs
   uses the following structure:</t>
          <artwork><![CDATA[
struct {
    uint64 start;
    uint64 end;
    HashValue inclusion_proof<0..2^16-1>;
    MTCSignature signatures<0..2^16-1>;
} MTCProof;
]]></artwork>
          <t>Note that it contains start and end values which indicate
   the corresponding parameters of the chosen subtree.  To request the
   required landmark, the client simply combines the URL as follows:</t>
          <t>LandmarkDistributionPoint?st=start?ed=end</t>
          <t>This allows the verifier to request the required landmark so the
   inclusion proof can be verified.</t>
          <t>The verifier needs to trust the issuer as per RFC 5280.</t>
        </section>
        <section anchor="format-of-landmark">
          <name>Format of Landmark</name>
          <t>The format of the landmark is defined in section 6.3.3
of I-D.ietf-plants-merkle-tree-certs</t>
          <t>As mentioned above, the verifier may need to request the landmark if it
is not readily available.</t>
          <t>This draft proposes an extension to the landmark format specified in section
6.3.3 of I-D.ietf-plants-merkle-tree-certs which defines a mechanism for
publishing active landmarks.</t>
          <t>The current landmark format describes the tree sizes associated for each
landmark.  However, it does not provide a mechanism for establishing a
cryptographic relationship between a previously published landmark and a
more recent landmark.  This document defines this mechanism as a Landmark
subtree consistency Proof.  It includes carrying the necessary hashes so
that there is a subtree consistency proof from one landmark to the next.
The calculation of the subtree consistency proof from one landmark to the
next can occur when a new landmark is published.  See section
4.4 of I-D.ietf-plants-merkle-tree-certs for information on subtree
consistency proofs.</t>
          <t>This will allow for periodic and incremental updates for clients that need to
request information from the LDP server.</t>
          <section anchor="landmark-subtree-consistency-proof">
            <name>Landmark subtree consistency proof</name>
            <t>A verifier requesting updated landmarks may require a lot of new landmarks.
Requiring the verifier to retrieve and validate every intermediate
landmark would increase both network traffic and signature
verification costs.</t>
            <t>To address this problem, this document defines a
LandmarkSubtreeProof object.  A LandmarkSubtreeProof provides cryptographic
evidence that a source landmark identified by one tree size is incorporated
into a target landmark identified by a larger tree size.</t>
            <t>The LandmarkSubtreeProof does not modify the landmark publication
format defined in Section 6.3.3.  Instead, it is published as a
separate resource by the Landmark Distribution Point Server
(LDP Server).</t>
            <t>The LandmarkSubtreeProof structure is defined as follows:</t>
            <artwork><![CDATA[
struct {
    uint64 source_tree_size;
    uint64 target_tree_size;

    HashValue consistency_proof<0..2^16-1>;
} LandmarkSubtreeProof;
]]></artwork>
            <t>Where:</t>
            <t>source_tree_size (similar to start in MTCProof):
   The tree size corresponding to the source landmark.</t>
            <t>target_tree_size (similar to end in MTCProof):
   The tree size corresponding to the target landmark.</t>
            <t>consistency_proof:
   A proof demonstrating that the source landmark tree is a
   subtree of the target landmark tree.</t>
            <t>The consistency_proof <bcp14>SHALL</bcp14> be constructed so that successful
verification demonstrates that all entries represented by the
source landmark are included in the target landmark and retain
their original ordering and contents.</t>
            <t>A LandmarkProof <bcp14>MAY</bcp14> be generated when a new landmark is
published and <bcp14>MAY</bcp14> be retained by the Landmark Distribution
Point for subsequent retrieval by the verifier as needed.</t>
          </section>
        </section>
        <section anchor="landmark-subtree-proof-retrieval">
          <name>Landmark Subtree Proof Retrieval</name>
          <t>A verifier validating an MTCProof obtains the corresponding
subtree information from the certificate and retrieves the
associated landmark file as described in Section 6.3.3.</t>
          <t>If the verifier possesses a trusted landmark whose tree size is
greater than the retrieved landmark's tree size, the verifier
<bcp14>MAY</bcp14> obtain a set of LandmarkSubtreeProofSet connecting the two
landmarks.</t>
          <section anchor="landmark-subtree-proof-set">
            <name>Landmark Subtree Proof Set</name>
            <t>A LandmarkSubtreeProofSet contains an ordered sequence of LandmarkSubtreeProof values. The first proof <bcp14>SHALL</bcp14> be verified against a trusted landmark root. Each subsequent proof <bcp14>SHALL</bcp14> be verified against the landmark root reconstructed from the preceding proof. Successful verification of all contained proofs establishes a cryptographic path from the trusted landmark to the target landmark.</t>
            <artwork><![CDATA[
struct {
    LandmarkSubtreeProof proofSet<0..2^16-1>;
} LandmarkSubtreeProofSet;
]]></artwork>
            <t>One possible retrieval mechanism is:</t>
            <artwork><![CDATA[
LandmarkDistributionPoint?
    source=<source_tree_size>&
    target=<target_tree_size>
]]></artwork>
            <t>TODO:  Agree on the URI format</t>
            <t>The Landmark Distribution Point Server <bcp14>SHALL</bcp14> return a
LandmarkSubtreeProofSet capable of demonstrating that the source landmark is
incorporated into the target landmark.</t>
          </section>
        </section>
        <section anchor="validation-procedure">
          <name>Validation Procedure</name>
          <t>A verifier <bcp14>SHALL</bcp14> perform the following steps:</t>
          <ol spacing="normal" type="1"><li>
              <t>Extract the <tt>start</tt> and <tt>end</tt> values from the MTCProof.</t>
            </li>
            <li>
              <t>Retrieve the landmark file corresponding to the authenticated
subtree by contacting the LDP server (or retrieving it
from a local cache).</t>
            </li>
            <li>
              <t>Obtain a trusted target landmark if one is not already
cached. For example, a likely candidate would be the latest
landmark referenced by the Landmark File.</t>
            </li>
            <li>
              <t>Verify the signature(s) associated with the trusted target
landmark.  If signature verification fails, the verifier <bcp14>MUST</bcp14>
reject the certificate.</t>
            </li>
            <li>
              <t>If the source subtree landmark and trusted target landmark differ,
retrieve a LandmarkSubtreeProofSet that establishes a
sequence of authenticated subtree transitions between the
source landmark and the trusted target landmark.</t>
            </li>
            <li>
              <t>Verify each LandmarkSubtreeProof contained in the
LandmarkSubtreeProofSet in the order in which it appears.
The first proof <bcp14>SHALL</bcp14> be verified against the source
landmark. Each subsequent proof <bcp14>SHALL</bcp14> be verified against
the landmark root reconstructed from the preceding proof.</t>
            </li>
            <li>
              <t>Successful verification of the complete
LandmarkSubtreeProofSet <bcp14>SHALL</bcp14> establish that the source
landmark tree is a cryptographic prefix of the trusted
target landmark tree.</t>
            </li>
            <li>
              <t>Use the validated source landmark to verify the Inclusion
Proof contained within the MTCProof.</t>
            </li>
            <li>
              <t>Accept the certificate if all verification steps succeed.</t>
            </li>
          </ol>
          <t>Successful completion of this procedure establishes that the
certificate entry is included in the authenticated subtree
identified by the source landmark and that the source landmark
is cryptographically bound via the verified LandmarkSubtreeProofSet
to the trusted target landmark.</t>
        </section>
        <section anchor="efficiency-considerations">
          <name>Efficiency Considerations</name>
          <t>The purpose of LandmarkSubtreeProofs is to reduce the number of
landmarks and signatures that must be processed by a verifier.</t>
          <t>Without LandmarkSubtreeProofs, a verifier may be required to retrieve
multiple intermediate landmarks and validate the signatures
associated with each landmark before reaching a currently
trusted landmark.</t>
          <t>With LandmarkProofs, a verifier requires only:</t>
          <ul spacing="normal">
            <li>
              <t>the source landmark;</t>
            </li>
            <li>
              <t>the trusted target landmark; and</t>
            </li>
            <li>
              <t>a LandmarkSubtreeProofSet connecting the corresponding tree sizes.</t>
            </li>
          </ul>
          <t>As a result, the number of signature verification operations is
independent of the number of intermediate landmarks published
between the source and target landmarks.</t>
          <t>This property is particularly beneficial when signatures are
generated using computationally expensive algorithms,
including post-quantum signature algorithms.</t>
        </section>
        <section anchor="skip-links-for-efficiency">
          <name>Skip links for efficiency</name>
          <t>TODO:  Generating the consistency proof at the LDP server introduces an O(N^2) problem.  For efficiency, we likely want to cache landmark proofs as they are generated between each landmark.  For example 1-&gt;2, 2-&gt;3, 3-&gt;4 but also 1-&gt;3, 1-4, 2-4.  Thus O(n^2).  A better approach is to use a skip link which only generates O(Log(num_landmarks)) for each landmark.  For example, a system that issued a landmark every hour for 10 years would have 87,600 landmarks.  When landmark 87,601 is created, only 17 landmark proofs will need to be created.  It would also reduce the LandmarkSubtreeProofSet from O(num_landmarks) to O(Log(num_landmarks), greatly reducing bandwidth requirements!</t>
        </section>
        <section anchor="more-items-to-be-discussed">
          <name>More items to be discussed:</name>
          <ul spacing="normal">
            <li>
              <t>When a CA issues an MTC certificate, it will decide where the landmark will be published.  It needs to provide the LDP service.</t>
            </li>
            <li>
              <t>Current format uses start and end values from the inclusion proof.  This is nice because no other extension is needed in the EE certs</t>
            </li>
            <li>
              <t>Landmarks should be available in a predictable way.  The above format should meet this requirement.</t>
            </li>
            <li>
              <t>Do Landmark's contain a signature, or is it just the MTH and we use the cumulative landmarks along with the inclusion proof?
              </t>
              <ul spacing="normal">
                <li>
                  <t>A:  No, there is one trusted target that contains a signature.  That trusted target should be cached so that the full PQ signatures doesn't need to be continually downloaded.  This is where MTC gets its efficiency.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Is there a repository of test landmark certificates that we can use to test this mechanism?
              </t>
              <ul spacing="normal">
                <li>
                  <t>A:  Seems like a good hackathon project!</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="landmark-distribution-server">
          <name>Landmark Distribution server</name>
          <t>As mentioned above, the landmarks can be fetched dynamically as needed by
combining the start and end values from the MTCProof.  The LDP server fulfilling
these requests will need to parse the start and end values, aggregate the
require landmark subtrees together, and send the responce back to the client.
The responce format will be:</t>
          <t>TODO:  DEFINE responce format</t>
        </section>
      </section>
      <section anchor="batching-for-performance-optimization">
        <name>Batching for performance optimization</name>
        <t><strong>When</strong>
Signatures are expensive computational operations.  Systems where
high signature throughput is important are good candidates for the use
of batch signing, as it can provide a sizeable performance optimization
(for example, device certificates).  Merkle Trees with leaves of size N
can be computed as hashes of the toBeSigned data, with a single signature
over the root of that Merkle Tree.  For example, a Merkle tree of size
2^12 would have 2^11 leaves and could represent 2048 signatures.  The
verifier would only need to create a single signature for each batch
of 2048 toBeSigned data values.  Larger sizes could be used to meet the
operational requirements of the system.</t>
        <t><strong>Requirements</strong>
The verifier could use the mechanism defined in "Verification of
signatureless Merkle Tree Certificates" above to verifiy the signature
when certificates are used.</t>
        <t>TODO:  If a certificate is not used, the same kind of fetching mechanism
would be needed for the verifier but that would need to be provided by
some out-of-band mechanism.</t>
      </section>
      <section anchor="just-using-transparency">
        <name>Just using transparency</name>
        <t>TODO - discuss advantages of transparency logs
- Track mis-issued certificates in your private key
- CA's already have an audit trail - is there an advantage to using transparency logs
- Need a source of truth for cross checking</t>
      </section>
      <section anchor="code-signing-and-software-supply-chain-integrity">
        <name>Code Signing and Software Supply Chain Integrity</name>
        <t>The verification model for code signing differs fundamentally from TLS.  In a TLS
handshake, the server is present at verification time and format negotiation between
prover and verifier is possible.  A signed artifact is a static object: a binary,
container image or firmware update is signed once and subsequently verified at
deployment or execution time, potentially on a system with no network access and
potentially years after the signing event.  No live channel exists between the signer
and the verifier at the time of verification.</t>
        <t>This distinction has a direct consequence for MTC deployment in code signing contexts.
Landmark-relative certificates require the verifier to hold a cached landmark at the
time of verification.  A verifier operating on an air-gapped system, or validating an
artifact whose issuing CA has since been decommissioned, cannot be assumed to maintain
a current landmark cache.  Standalone MTCs <bcp14>SHOULD</bcp14> be used for code signing artifacts.
A standalone MTC carries the CA signature inline and can be verified using only the CA
public key held as a locally-configured trust anchor, with no network access required.</t>
        <t>The certificate size reduction that motivates landmark-relative certificates in TLS is
not a meaningful consideration in code signing.  A post-quantum CA signature embedded
in a binary of tens to hundreds of megabytes represents negligible overhead.</t>
        <section anchor="batch-signing-for-code-signing-certificate-authorities">
          <name>Batch Signing for Code Signing Certificate Authorities</name>
          <t>A code signing CA serving a large enterprise or a high-throughput CI/CD environment
may issue signing certificates at a volume that places real throughput demands on its
signing infrastructure.  With post-quantum signature algorithms, the per-operation
signing cost increases relative to classical algorithms.  MTC batch signing amortizes
this cost: the CA constructs a Merkle tree over a batch of certificate requests,
produces a single signature over the tree root and issues each certificate with its
inclusion proof.  The number of CA signing operations is reduced by a factor equal to
the batch size, independent of the algorithm used to produce the root signature.</t>
          <t>Code signing CAs <bcp14>SHOULD</bcp14> select batch sizes with reference to peak certificate issuance
volume and acceptable issuance latency.  Guidance on batch size trade-offs is provided
in Section 1.2 of this document.</t>
        </section>
        <section anchor="the-case-for-transparency-in-private-pki-code-signing">
          <name>The Case for Transparency in Private PKI Code Signing</name>
          <t>Private PKI code signing operates without any transparency requirement today.
Certificates issued by an enterprise CA for signing purposes are not recorded in any
independently accessible log.  This differs from Web PKI TLS certificates, which must
be disclosed to public Certificate Transparency logs as a condition of browser trust.
Code signing certificates issued by public CAs are also outside the scope of existing
Certificate Transparency requirements.</t>
          <t>The absence of transparency creates a specific structural vulnerability.  A CA audit
database is an asset under the administrative control of the PKI operator.  An attacker
who has obtained administrative access to the CA, or a privileged insider, can issue
signing certificates to unauthorized entities and subsequently modify the audit database
to suppress evidence of those issuances.  Because the CA and its audit database share
an administrative boundary, the audit database does not constitute an independent check
on CA behavior.</t>
          <t>An MTC transparency log operated independently from the issuing CA addresses this gap.
The Merkle-tree structure of the log means that once a batch tree head is signed and
published, any modification to prior log entries breaks the cryptographic chain.  An
independent party retaining a copy of published tree heads at any point can detect
subsequent modification.  This property holds even when the CA infrastructure is
subsequently compromised, because the log operator and the CA operator are separate
administrative entities.</t>
          <t>Recent software supply chain compromises have followed this pattern: the signing
certificate was valid, the artifact signatures were valid and no PKI mechanism existed
to detect anomalous signing activity prior to discovery through behavioral indicators.
An independently operated transparency log changes this property.  Any use of a
compromised or fraudulently issued signing certificate produces a record that cannot
be erased without detection by any party that has retained log state.</t>
        </section>
        <section anchor="transparency-log-requirements-for-code-signing">
          <name>Transparency Log Requirements for Code Signing</name>
          <t>For the transparency log to support anomaly detection and post-incident forensics in
code signing deployments, the log <bcp14>MUST</bcp14> record the following information per batch: the
signing algorithm used to produce the batch tree head signature, the timestamp of batch
creation and the issuing CA identity.  Per certificate entry, the log <bcp14>MUST</bcp14> record the
subject identity, the subject public key algorithm, key usage extension values and the
certificate validity period.</t>
          <t>Per-certificate algorithm metadata is required for post-quantum migration auditing.  An
organization asserting that its code signing infrastructure issued only post-quantum
certificates from a given date must be able to demonstrate this from the log record,
with cryptographic verifiability that an audit database alone cannot provide.</t>
          <t>The following structures define the information model for a code signing log entry.
Two-level recording is used: one record per batch captures the batch-level signing
metadata, and one record per certificate captures the subject-level metadata needed
for monitor evaluation and forensic queries.</t>
          <artwork><![CDATA[
struct CertMetadata {
    opaque subject_identity<0..2^16-1>;
    PublicKeyAlgorithm subject_key_algorithm;
    uint16 key_usage_flags;
    uint64 not_before;
    uint64 not_after;
    uint64 leaf_index;
}

struct CodeSigningLogEntry {
    uint64 batch_id;
    uint64 timestamp;
    SignatureAlgorithm batch_signing_algorithm;
    HashValue batch_tree_head;
    opaque issuing_ca_identity<0..2^16-1>;
    CertMetadata cert_entries<0..2^32-1>;
}
]]></artwork>
          <t>A signing receipt is the artifact-embedded object that binds a signed binary, container
image or firmware update to a specific log entry.  The receipt travels inside the
artifact's signature container alongside the standalone MTC.  A verifier extracts the
receipt, verifies the batch_root_signature against the locally-held CA trust anchor,
and then verifies the inclusion_proof to confirm that the signing certificate is a leaf
in the identified batch.</t>
          <artwork><![CDATA[
struct SigningReceipt {
    uint64 batch_id;
    uint64 leaf_index;
    HashValue inclusion_proof<0..2^16-1>;
    MTCSignature batch_root_signature;
    uint64 log_commit_timestamp;
    opaque log_operator_id<0..2^16-1>;
}
]]></artwork>
          <t>When a CA transitions its batch signing from one algorithm class to another, it <bcp14>MUST</bcp14>
publish an AlgorithmTransitionEvent to the transparency log before the first batch
signed under the new algorithm is distributed.  The ca_assertion_signature field is
produced by the CA over the remaining fields of the structure, using the signing key
corresponding to the new_batch_algorithm, providing cryptographic proof that the CA
holding the new key has authorized the transition record.</t>
          <artwork><![CDATA[
struct AlgorithmTransitionEvent {
    uint64 effective_batch_id;
    uint64 timestamp;
    SignatureAlgorithm previous_batch_algorithm;
    SignatureAlgorithm new_batch_algorithm;
    opaque ca_identity<0..2^16-1>;
    MTCSignature ca_assertion_signature;
}
]]></artwork>
        </section>
        <section anchor="independent-monitor">
          <name>Independent Monitor</name>
          <t>The transparency log for private PKI code signing <bcp14>MUST</bcp14> be operated independently from
the issuing CA.  A log under the administrative control of the CA operator does not
provide an independent check against the threats described in this section.</t>
          <t>An independent monitor consuming the log <bcp14>SHOULD</bcp14> maintain an authoritative register of
entities authorized to hold signing certificates and the algorithm classes they are
authorized to use.  The monitor <bcp14>SHOULD</bcp14> alert on: issuance of a signing certificate to
an entity absent from the authorization register; issuance of a classical algorithm
signing certificate to an entity recorded as having completed migration to post-quantum
algorithms; and any unexplained reduction in post-quantum algorithm usage across
successive batches.</t>
          <t>The MonitorAlert structure defines the information model for an alert raised by the
independent monitor.  The evidence_log_reference field carries a reference to the
specific CodeSigningLogEntry or AlgorithmTransitionEvent that triggered the alert,
allowing the recipient to independently verify the raw log data.</t>
          <artwork><![CDATA[
enum AlertType {
    UNAUTHORIZED_ISSUANCE,
    ALGORITHM_DOWNGRADE,
    MIGRATION_REGRESSION,
    FROZEN_DEVICE_ANOMALY
}

struct MonitorAlert {
    AlertType alert_type;
    opaque subject_identity<0..2^16-1>;
    uint64 batch_id;
    uint64 leaf_index;
    uint64 detection_timestamp;
    opaque evidence_log_reference<0..2^16-1>;
}
]]></artwork>
        </section>
        <section anchor="archival-obligations">
          <name>Archival Obligations</name>
          <t>Signed artifacts may require verification throughout their operational lifetime, which
in enterprise deployments can span years.  A CA issuing signing certificates <bcp14>MUST</bcp14> retain
accessible archives of all published batch tree heads for a period not less than the
maximum validity period of any certificate in the corresponding batch.  These archives
<bcp14>MUST</bcp14> remain accessible following the decommissioning of the issuing CA and <bcp14>MUST NOT</bcp14>
share infrastructure with the live issuing CA.</t>
        </section>
      </section>
      <section anchor="private-pki-pqc-migration-with-downgrade-resistance">
        <name>Private PKI PQC Migration with Downgrade Resistance</name>
        <t>The first post-quantum cryptographic algorithm standards were published by NIST in 2024,
including ML-DSA (FIPS 204), ML-KEM (FIPS 203) and SLH-DSA (FIPS 205).  Enterprises
operating private PKIs are under increasing regulatory pressure to migrate from classical
algorithms.  This migration cannot be completed instantaneously.  A private PKI
environment typically includes endpoints with varying post-quantum readiness, and some
endpoints may be incapable of post-quantum algorithm support for their operational
lifetime.  The period during which both classical and post-quantum certificates are
simultaneously in active use is the hybrid transition period.</t>
        <t>The hybrid transition period creates attack opportunities that do not exist in a fully
migrated environment.  This section describes those threats and the capabilities MTC
provides to detect them.</t>
        <section anchor="active-downgrade-during-hybrid-deployment">
          <name>Active Downgrade During Hybrid Deployment</name>
          <t>When a server holds a post-quantum certificate and also supports classical algorithm
fallback for legacy clients, a network-positioned adversary may suppress post-quantum
algorithm negotiation during connection establishment.  The server completes the
connection using classical algorithms.  Both endpoints complete the exchange without
error and neither endpoint produces any observable indication that the negotiated
algorithm set differs from what the server would prefer.</t>
          <t>In Web PKI, mechanisms such as strict transport security and browser-enforced algorithm
policy provide partial protection against this class of attack.  Private PKI
deployments, including internal service communication, enterprise VPN infrastructure
and industrial protocol endpoints, do not benefit from equivalent enforcement
mechanisms.  Classical fallback paths persist in private PKI environments for as long
as any endpoint requires classical support, and an adversary aware of this fact can
exploit those paths selectively and systematically.</t>
          <t>MTC transparency provides post-hoc detection capability for this threat.  When the
transparency log records that a server held a post-quantum certificate during a given
period and operational logs from that period show only classical algorithm connections
to that server, this discrepancy constitutes evidence of systematic downgrade.  The
transparency record does not prevent the downgrade in real time, but it enables
detection and scoping of the compromise through records maintained independently of
the endpoints involved.</t>
        </section>
        <section anchor="harvest-now-decrypt-later">
          <name>Harvest Now Decrypt Later</name>
          <t>Adversaries may record encrypted private PKI traffic with the intent to decrypt it
when quantum computing capabilities become sufficient.  For communications whose
confidentiality requirements extend beyond the expected availability of a
cryptographically relevant quantum computer, traffic captured today represents a
future liability.  Private PKI protects communications that may retain sensitivity
for a decade or more: personnel records, financial transactions, intellectual property
and industrial control system telemetry.  The effective migration deadline for such
data is not solely the date of quantum computer availability, but the date by which
the protected data will have lost its sensitivity.</t>
          <t>The MTC transparency log does not prevent traffic capture.  It provides a verifiable
record of when post-quantum algorithm adoption occurred across the PKI, enabling an
organization to demonstrate with cryptographic verifiability that sensitive
communications were protected by post-quantum algorithms from a documented date.
This record is relevant to regulatory compliance frameworks that require evidence of
completed migration rather than assertions about future intent.</t>
        </section>
        <section anchor="unauthorized-classical-certificate-issuance-during-migration">
          <name>Unauthorized Classical Certificate Issuance During Migration</name>
          <t>An entity that has completed migration to post-quantum algorithms should no longer
receive classical algorithm certificates.  During the hybrid transition period,
however, a CA operating both issuance paths may issue a classical certificate to such
an entity through misconfiguration, policy error or deliberate action.  A classical
certificate issued to an entity that accepts only post-quantum certificates can be
used to intercept communications from any relying party that retains classical
certificate trust.</t>
          <t>A transparency log with an independent monitor maintaining an authoritative migration
status register enables detection of this event.  The monitor can identify any
classical certificate issuance to an entity recorded as having completed migration
and raise an alert before the certificate is deployed.</t>
          <t>The MigrationStatusEntry structure defines the information model for a single entry
in the migration status register.  The status field records the current migration
state of the subject.  The status_effective_date field records the date from which
the recorded status applies, enabling the monitor to correctly classify certificate
issuances that predate a status change.  The policy_reference field carries an
opaque reference to the organizational policy or administrative record that authorized
the recorded status, providing an audit trail for register entries.</t>
          <artwork><![CDATA[
enum MigrationStatus {
    CLASSICAL_ONLY,
    HYBRID,
    PQ_ONLY,
    FROZEN
}

struct MigrationStatusEntry {
    opaque subject_identity<0..2^16-1>;
    MigrationStatus status;
    uint64 status_effective_date;
    opaque policy_reference<0..2^16-1>;
}
]]></artwork>
        </section>
        <section anchor="frozen-devices">
          <name>Frozen Devices</name>
          <t>Certain devices in private PKI environments cannot receive updates that would add
post-quantum algorithm support.  Regulatory re-approval requirements, sealed hardware
and immovable service constraints mean that some endpoints will continue to use
classical algorithm certificates for the duration of their service lives, regardless
of the broader migration status of the PKI.</t>
          <t>These devices need not implement MTC.  The transparency log supports a monitoring
pattern for frozen device populations in which the CA records classical certificate
issuances for frozen device identifiers and an independent monitor watches those
identifiers for anomalous activity.  The monitor can alert if a classical certificate
is issued for a frozen device identifier by an unexpected CA or with unexpected
attributes.  The monitoring operates independently of the device and provides detection
capability without requiring any modification to device firmware or software.</t>
          <t>A FrozenDeviceRecord is a signed assertion by the PKI operator that a specific device
identity is designated as a frozen endpoint.  The record identifies the single CA
authorized to issue classical certificates for the device and the specific algorithm
permitted for those certificates.  The monitor <bcp14>MUST</bcp14> reject any classical certificate
issuance for a frozen device identity that does not match the authorized_issuer_ca_identity
and permitted_key_algorithm fields of the corresponding FrozenDeviceRecord.  The
operator_signature field is produced by the PKI operator over the remaining fields of
the structure, using a key whose public counterpart is held in the monitor's trust
configuration.</t>
          <artwork><![CDATA[
struct FrozenDeviceRecord {
    opaque device_identity<0..2^16-1>;
    opaque authorized_issuer_ca_identity<0..2^16-1>;
    PublicKeyAlgorithm permitted_key_algorithm;
    uint64 record_effective_date;
    uint64 record_expiry_date;
    MTCSignature operator_signature;
}
]]></artwork>
        </section>
        <section anchor="algorithm-metadata-requirements">
          <name>Algorithm Metadata Requirements</name>
          <t>For the transparency log to support the use cases described in this section, the log
<bcp14>MUST</bcp14> record the signing algorithm used to produce each batch tree head signature and
the subject public key algorithm for each certificate in each batch.  Per-certificate
algorithm metadata is required because a CA operating during the hybrid transition
period may issue both classical and post-quantum certificates within the same batch.</t>
          <t>A CA transitioning between algorithm classes in batch signing <bcp14>MUST</bcp14> record each
transition as a distinct log event with a timestamp.  These records constitute the
verifiable migration timeline that regulatory compliance requirements may demand.</t>
          <t>The AlgorithmTransitionEvent structure defined in Section 3.3 is reused here for
recording batch signing algorithm transitions in the PQC migration context.  For
migration auditing purposes, a monitor querying the log for AlgorithmTransitionEvent
entries can reconstruct the complete algorithm transition history for any CA, with
each transition cryptographically bound to the batch at which it took effect.</t>
          <t>In addition to batch-level transitions, the log entry for each certificate <bcp14>MUST</bcp14>
carry the subject public key algorithm, as defined in the CertMetadata structure
in Section 3.3.  The monitor evaluates per-certificate algorithm metadata against
the MigrationStatusEntry for each subject to detect unauthorized classical issuance
during the transition period.</t>
        </section>
        <section anchor="migration-staging">
          <name>Migration Staging</name>
          <t>A private PKI operator deploying MTC during the post-quantum transition period should
proceed through distinct stages.  In the first stage, MTC infrastructure is deployed
with classical batch signing.  The transparency log is operational and all certificate
issuances are recorded, establishing the baseline against which migration progress is
measured.  In the second stage, batch tree head signing transitions to hybrid signatures
incorporating both classical and post-quantum algorithms.  Certificate-level algorithm
migration proceeds at a pace determined by endpoint readiness.  In the third stage,
post-quantum-only batch signing is adopted and the transparency log records this
transition with a timestamp that constitutes the verifiable PQC migration completion
date for the batch signing infrastructure.  In the fourth stage, classical algorithm
certificate issuance is discontinued except for designated frozen device populations,
and the log provides ongoing monitoring capability for those populations.</t>
          <t>The duration of each stage depends on the specific PKI deployment, the endpoint
population capabilities and applicable regulatory requirements.</t>
        </section>
      </section>
      <section anchor="constrained-device-certificate-validation">
        <name>Constrained Device Certificate Validation</name>
        <t>Private PKI deployments include endpoint populations with constraints on available
memory, processing capacity and network access.  Access control readers validating
employee identity credentials, sensors on isolated operational technology networks
and embedded controllers in long-lived infrastructure may need to validate
certificates issued over an extended time window, potentially spanning years, without
the ability to maintain a continuously updated landmark cache or retrieve landmarks
on demand.</t>
        <t>This use case is distinct from the landmark distribution use case in Section 3.1,
which addresses endpoints with network connectivity capable of fetching landmarks as
needed.  This section addresses endpoints for which neither real-time landmark
retrieval nor continuous landmark cache maintenance can be assumed.</t>
        <section anchor="the-landmark-accumulation-problem">
          <name>The Landmark Accumulation Problem</name>
          <t>In a traditional X.509 deployment, a constrained verifier typically holds one or more
trust anchor certificates and retrieves revocation data periodically.  Each CRL
supersedes its predecessor and the verifier need not retain prior revocation data.
Storage requirements are bounded and predictable.</t>
          <t>Under MTC, landmark-relative certificate validation requires the verifier to hold the
landmark corresponding to the batch in which the subject certificate was issued.  A
newer landmark does not supersede an older one for the purpose of validating
certificates issued against an older batch.  A device that must validate certificates
issued over a ten-year window must retain every landmark published during that period.
The storage requirement grows linearly with the landmark publication frequency and the
length of the validation window.</t>
          <t>The storage requirement can be bounded as follows.  Let W be the validation window in
days, F be the landmark publication frequency in days per landmark and S be the size
of a single landmark in bytes.  The minimum storage required for landmark retention is:</t>
          <artwork><![CDATA[
  Storage = ceiling(W / F) * S
]]></artwork>
          <t>As an example, a device validating certificates with a ten-year validity window against
daily-published landmarks of 512 bytes each requires approximately 1.83 MB of dedicated
landmark storage.  PKI operators <bcp14>SHOULD</bcp14> calculate this value when evaluating MTC
deployment for constrained device populations and <bcp14>SHOULD</bcp14> select landmark publication
frequency with reference to the storage capacity of the most constrained device in the
target population.</t>
        </section>
        <section anchor="landmark-rebasing">
          <name>Landmark Rebasing</name>
          <t>Where the calculated storage requirement exceeds the available capacity of constrained
devices, a rebasing mechanism may reduce the number of landmarks a device must retain.
A rebase operation produces a new landmark that cryptographically subsumes a range of
prior landmarks, allowing the device to replace that range with a single object.</t>
          <t>For a rebase to be valid, the device must be able to verify that the rebased landmark
correctly represents all certificates included in the prior landmarks it replaces.  A
rebase accompanied only by a new tree head and a CA signature does not provide this
assurance.  The rebased landmark <bcp14>MUST</bcp14> be accompanied by a proof demonstrating that the
prior landmark trees are subtrees of the rebased tree.  The LandmarkSubtreeProof
mechanism defined in Section 3.1.4 of this document provides a suitable proof structure
for this purpose.</t>
          <t>A device accepting a rebased landmark <bcp14>MUST</bcp14> verify the accompanying subtree consistency
proof before discarding any landmark that the rebase replaces.  A device that accepts
a rebased landmark without verification is vulnerable to a history replacement attack
in which an adversary substitutes a fraudulent tree head, potentially causing the
device to reject valid certificates or accept fraudulent ones.</t>
        </section>
        <section anchor="re-anchoring-after-extended-offline-periods">
          <name>Re-anchoring After Extended Offline Periods</name>
          <t>A device that has been without network access for an extended period accumulates a
deficit of landmarks issued during its offline interval.  Upon reconnecting, the
device must obtain those landmarks before it can validate certificates issued during
the offline period.</t>
          <t>A device re-anchoring after an extended offline interval <bcp14>SHOULD</bcp14> use the
LandmarkSubtreeProofSet mechanism defined in Section 3.1.4 to obtain a compact proof
connecting its most recent trusted landmark to the current landmark, rather than
retrieving each intermediate landmark individually.  This minimizes both the bandwidth
required for re-anchoring and the number of signature verifications the device must
perform.  For deployments using post-quantum signature algorithms, the reduction in
signature verification operations is particularly significant given the higher
per-verification cost of those algorithms.</t>
          <t>A device re-anchoring after an offline interval is exposed to rollback attacks in which
an adversary presents an outdated landmark as the current one.  Devices <bcp14>SHOULD</bcp14> implement
a monotonicity check on landmark tree sizes, rejecting any proposed current landmark
with a tree size smaller than that of the most recently validated trusted landmark.</t>
          <t>The monotonicity check depends on the device retaining its most recently validated
landmark state across power cycles and resets.  The LandmarkState structure defines
the minimum persistent state a device must maintain to support this check.  The
max_observed_tree_size field records the largest tree size the device has successfully
validated.  The last_trusted_tree_head field records the hash of the corresponding
landmark, enabling the device to detect inconsistency if a claimed current landmark
has a tree size equal to max_observed_tree_size but a different tree head value.
This state <bcp14>MUST</bcp14> be stored in integrity-protected persistent storage.  Devices without
such storage cannot provide rollback resistance and <bcp14>SHOULD</bcp14> obtain landmarks exclusively
through authenticated channels that provide freshness guarantees.</t>
          <artwork><![CDATA[
struct LandmarkState {
    uint64 max_observed_tree_size;
    uint64 last_update_timestamp;
    HashValue last_trusted_tree_head;
}
]]></artwork>
        </section>
        <section anchor="guidance-for-pki-operators">
          <name>Guidance for PKI Operators</name>
          <t>PKI operators deploying MTC for constrained device populations <bcp14>SHOULD</bcp14> publish landmark
storage requirements as part of deployment documentation.  This documentation <bcp14>SHOULD</bcp14>
include the landmark publication frequency, the expected certificate validity period for
the target population, the per-landmark storage size and the calculated storage bound
using the formula in Section 3.4.2.</t>
          <t>Operators <bcp14>SHOULD</bcp14> also document the procedure for landmark rebasing if that capability
is provided, including the expected rebase frequency and the verification procedure
devices are expected to follow.</t>
          <t>Where a single PKI serves both constrained and non-constrained device populations,
operators <bcp14>SHOULD</bcp14> consider whether separate landmark publication schedules are warranted,
with a lower-frequency schedule for constrained populations.  The LDP infrastructure
defined in Section 3.1 may continue to serve non-constrained populations, while
constrained populations receive pre-provisioned landmark packages through an out-of-band
distribution mechanism suited to their connectivity characteristics.</t>
          <t>A LandmarkPackage is the container format for a pre-provisioned set of landmarks
distributed to constrained devices through out-of-band channels.  The package carries
a contiguous range of landmarks from source_tree_size to target_tree_size, together
with a LandmarkSubtreeProof demonstrating that the source landmark is a cryptographic
prefix of the target landmark.  The package_signature field is produced by the CA
over the remaining fields of the structure.  A device receiving a LandmarkPackage
<bcp14>MUST</bcp14> verify the package_signature before accepting any landmark contained in the
package, and <bcp14>MUST</bcp14> verify the consistency_proof before updating its LandmarkState.
The source_tree_size in the package <bcp14>MUST</bcp14> be greater than or equal to the
max_observed_tree_size recorded in the device's current LandmarkState.</t>
          <artwork><![CDATA[
struct LandmarkPackage {
    uint64 package_version;
    uint64 creation_timestamp;
    uint64 source_tree_size;
    uint64 target_tree_size;
    Landmark landmarks<0..2^16-1>;
    LandmarkSubtreeProof consistency_proof;
    MTCSignature package_signature;
}
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>TODO Security</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests a new id-pe-ldpBaseURIs extension for use with X.509 certificates
in the "SMI Security for PKIX Certificate Extension" registry (1.3.6.1.5.5.7.1).</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 1000?>

<section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thanks to David Benjamin, Bas Westerbaan and Mike Ounsworth for their feedback and review of this specification.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA6V963Ib17Xm//0UfZSqiaQCYFGSHYdOnEAkZTOWRIWU7ORM
zWEa6A2wI6Ab6W6QglM5Ne8wLzDPMo8yTzLrW2vtW6NByWfqXCw2uvdl7XW/
7fF4bLqyW9nj7MFr23xY2exdY212YpuuXJTzvLNtdmo3q3q3tlWXvW/pt7y1
7QOTz2aNvcV3707i5/hmWTe746ysFrUxRT2v8jVNUDT5ohsvm3w33qzyqmvH
624+Lnjw8ba14zkGGD95YtrtbF22bVlX3W5DX56fvXuZZb/K8lVb04RlRR9Z
+n9V92CUPbBF2dVNma/wx/n0Bf2nbuhfl+9ePjDVdj2zzbEpaFXHZl5Xra3a
bXucdc3WGlr+M5M3NqdRr+x825Td7oG5q5sPy6bebujp2x/OR9mretmOsmlV
CHCuymWVd9sGu/1gd/R6cWyycQYA7sMPv7yt2y7785Y2vV3z3z+cm1tbbWlJ
Wfa5U2WZQOPBT7S+slpm3+FDPF/n5YqeC1T/WNpuMambJX7Jm/kN/XLTdZv2
+Isv8CIelbd24l77Ag++mDX1XWu/kCHw5bLsbrYz+vbv9U3Fh1bY2y8+7wzx
/Qqo00Vzx+NMZPRJWX/miJ/52uSmW68eGJNvu5u6waHQSjJCRDrwP00IYPmO
HwhC/olWFJ4RKI6zs4rwgs7qVbkuO1vwDw7R9Td+1nZ0OrS7p18+eZJd1bSi
ossu67zI/u///F/Z1ZY+zo4Ik/HunJDqOLvouvwuH2UXVZc3ZS2/1Fsak348
yau8yPVZQUv74ekP2bPvvuQnVo4X8JsAAH+0spDJvF73d/jDKt+2bWWbeJt5
1XvOW32xJQpqi2Y7/2AbW2bfrWffJ/Pl1eSD++yPs6KZFDbZ+w/1ek37psMg
kuqaSXb0dbSDoye//eq30f5f2GZVVum2v7MNjbBLNvFqkr0Dga9W0RZebUFY
0WPewfsfsjd5R1wiX2UnOyLzzNEw0R/NYOPtrGiISff0j9W8nU+W9e1k+yFd
zPsKJ579QJRV9AD73SR7na9W+S6P1vRdXtn2JvmBVzXdbH4s7d1fsvNqnuDP
3g8OkEdPfpNdbRqQ9BU/isB2ZfOO2PMo+ylvb+iNru7B8P3VNN7mklc1Wcuq
/phvNrc050fGFWOqmgDeEfUfm/Px6USICozAExXLgDFWMZ4TDyN2/OzYGHBy
/6WZTCbGjMdj2hltIZ93xhyUHQ9JOjziye6dJrvJ22xmbZUVdlFWdA40Ydbd
WEO0nYG2s3qBv7Of7IwY5cScV/Rn2WYkXrYsmu5sZj8SO2hsdndDAxFqZjf1
XQbxVFbZJsc0NOhiu1rRiBVNl9HgBX4sysWCiKDq/HTthMh6rbPSNJ7FELPd
ZZumvi0LS0NUtNyOF0sHeEtbBm+nt/OlJSAxlNZlUaysMb+ig++autjOgbPG
nBVvahJKRBkLLHppuw4oUFZdzTslfCRMXjb4zyhb2e7XLaEMbSO7I+7Jr2xo
gKoj0edW8qmTIDjfWgfoloQL7Z+ma+sVPe7uauxstrLr1sFf4U2nfjTJHj++
Kn+2k8ePs2n2GDxvnTcfxo1dMWZkB6Z+nBH8WmBkRodcArvrarUjFCZWSPSV
5dlmO1uV84yEKR9brq/HA5bVfLWFSoAl1ouJeYr1nNZ3ECp0FKe2swxYLA9n
DjlPcjNeCY2UVy1hgq3mO6xqQ3J5/A+Ry1kL5kGUhhUohHMmRVoKCUcCmM4A
pEi+LPwqiFjz+YeWjv4FgZdAzKDFsRIs2xTEI14mED8vSIURPqbniBEeP36R
d/Mb1gFoBLevxhIG0cA4nBUkTl3xv0+m9PE8BwIT/OgDglzr1IdMUFjIKs9m
PDBtYx5hCE05ZezFvrN6YxvGGwYFcWklQGziBgcyvyG42GpJrxAzWhWBGJp6
jZVOzDt+PS9uCUy5vEgkJbAFuMb1YtEKatGreuj7iMX7bplmGXE84QpHuLUN
bUFEm2cj2w00Pj3Ixs7BIfzI7eNJdp5+zDja5eC0jKE8ElHGAkua0Znij5y0
mmZJLz+mV0nyrepKFge+UoIu6eXK0rQsD9aWYFSV7Rrf0qJzOnYe0wL6fH6s
JGV+XdnDxi4aiBVCAcMigt54JOAB06G5gZ5+1TJZOlNF6jfxhI75IM3CgKHn
Wz46m+0TLq0+bCjGCaayl/RzwHBPBSMejNT0ra6D4cWUTOsnUNVLoAy/wIpU
imvPJpmgd1v+DPogqiSx2tmmjcAocJsTwYJrE8u4qUl/x+N605GK9jOL+HbX
dnad2QUNXjJpz3LghxIGOH8539LReS5OqP6rX2UvmtIuMgAVMhKLpaMEERxg
ZMCRnJBpyWP95csnv433pHh9VxsnTYhKBbnPST+yoNTFAGmC4TAOAb+VJ2Y/
26bGsawhGfyrLcwF+a2UvTnJuH+mQBM6zXHdjHkQ+sC9HM56gvEuKt7ZbBcd
qHDBGthDe25AxAWoCYI13nPXY6iN/ce2JA7FiAOkxYaI9lonvucpOKu6y1QM
FfTdvFuRqJttO+hdABmzX3ceUBeyGwASxMpfERLWS0ZyAb8IZuBTLnKCWMzY
iw6MNrAOv0YGKvG+aD7CFGxjK5BLl6JyASx1pqjMnFqAx7PA7tNTD5zY5HQi
HSFvwcgnwp7t1D5LJnkiJGvzBWDFTPoc43kOAD5Vbzvsc4ZpP1T13coWS68w
YakMNOaZD+9uSlopaeK8U0aJEryVeDk4ieeRjx8xgVfga6ottYRZLU0qXNUM
85IEOzAFrf3W8hp5OQGZlQgdE7CRTHCSCBOv8w/xT4KDrV2BC9E5g3Jmfgw9
DUJcM7+x8w+busTBAjCeydK8YGnx7wInnYKJwXZ3ECMksDbbzhkZ7jjDHjCy
kW393KOtlN9lVxBuNp5Wlm090TCxmwX+grQKkwhFiNzP4smYXlO9SAAQVmHS
VZzUFWEOQQ8apciysIpofIesuhqw1G1HZsC8sXmbLuITC+irGAB9kHcJ4IXT
ONATRu1UMJAa3HZ1QyoEH0Hr6Mu4NdyLhrTtl/bOxtM6iK9s2/qh64pPMpnX
gb7drsCTMpsTorlx6PmGfoIGzgxHASoswoDuRpkjNwFc+6nj82r33o7ig0zP
kdm7R5uwyTvWypaARqvIF07oM6hXdh5QMwJUtgcoaLxEdQkpshyfYY+LFZCI
GIcKmXZj55jGiwX2fTEsClWWTUC9lCk6Lstrsw4b8vncbjrWsCDBcpqNtSv6
HnxGAFaBjuX9U5iZrHS3wuFhe8CT12YPXr+/egdfIv6bvbngf1+e/fn9+eXZ
Kf599f301Sv/D6NvXH1/8f7VafhX+PLk4vXrszen8jE9zZJH5sHr6V8fiMx4
cPH23fnFm+mrByKLYvsWtCH6EPEO2xDmQb/NW0NWxrwpZ2LJvjh5+3/+99Hz
7J///LfLlydPj45++69/6R9fH/3mOf0B/qniHcq0/EkA35l8s7Gk2NAoOZvI
m5IUYuI+JGFasqQrkr0NBOLj/w7I/I/j7Hez+ebo+bf6ABtOHjqYJQ8ZZvtP
9j4WIA48GpjGQzN53oN0ut7pX5O/Hdyjh7/7w6ok9jU++voP3xqg0HvnGmC5
9SML4HnuDMJXBNHXoKXLT5jDLAphG0bm9T1muzCQ2GAe4huGrRNn0Hs9KTaZ
VGNQJS6xfbwlDrrz3E0UBBKAK9sp5+pzK/1QUI+N0MjvHUmR0q6KSeZsrp4O
CHwj5abK7hgWZLjflk1diVMHKAcVhM3kytBmcCg0b6W2OP1GyCn2J6zytgQP
cGzUb5Hgo/yCVXg2sgykF/GPoBlk0Fmh7dL/eZ9QdpfvWiFGVYSI2QAsZOfY
QjV8ryQVkHnFrsrXJZQq4s81fC3wlDru5xZF002D6cZWGkDO5qGNliUWdU4r
ajsi9C3ve1Ur7jnjW1X0rpaBUjALFvlXWRUkkLjTld2t6vrDdkOrutrSyz0T
1n/bkt0F+wcYV2V/mcAMOrl8dfp2lNmPYMKedYlyydZ0WGT24JVDsNN4P2+h
Ej0g7qKGQ9i9/1YAU2Qbgl9dCHj7MM0ewsGBKRNoqYkoQ222LZvf4rjJ1N3m
Rmgf0SKe8SJ2+3PTdDnDHnM7X+WmXpUkZzI2le3HHEAVlhpvnTj2uL0h1Cqg
1ufhBJewAqpkcDckGA8xm3tARroNrYw1YY9JmJZhWGxe0Bm8vzxvxVz98Rkt
D+56ppyWmMTKY+W5WPIqkH3gCSoSxjtkEwOvY/6RXRHXP3tzcuaYItYdL5tX
TVIFqhQGVg0JpvXB1zHW+fTLqw5OcoLzGdQwomJYp8z5dJsepoZd9wXzZwKN
sJEuQSvQuHorYK+a//zP/zRlMd7YcQy2ixd/Ojt5l52fnr15d/7y/OwyOz7+
fZb9M+NXs3cvTrN/GXN4n/y6B8nDo8nk9fQvj7KLl4c3e89wPJoHBC/ZH/a5
581vmTfTp9s5s1+HpkSXn3TEY7StU1QXNSxcANAPdiyAkr+zf3LoYUsr++q5
+Ka/iZ/YqpC/v8/bmx9zUgKDBLlmCfK7J5PJ0/84+mp89K28SeacR73IBEre
+xfe4k1+IyCg7+BKF/YJe9Xho7jLgaIWXjOsoPUqeaHhWeWWdUPzbOqq6Hmj
nMNAXE/tdsZuAYJ5kCgQmzSMc354JBMX2XxVij1HbAEcZT2j0xAAv798Be1K
4AxnEY1y8PD/0Ha/5w39wRa/p/3oyYNyxBFxSOCJst5bW9bWbt17Ul0kmVMY
Jh7FErcjU55ESyNHIO2G2HNG6mb25dOvnzgG9pLDRzFLEK174Z/HxAluECFt
q6L+q8mzyTMI7U9jsZm22Vr0fbDbGXHYUQofhHGcjzEGVFgDlAOjPiqy3oqS
Ti+/RQSdNAz2C2GZCKEBbqR6sDsgYrAqWPyIulk1fpK9Gd5b9jl7U/wV+LSJ
8xd2nbI0tkjnrIfGjg92yW2bJrYU3bqcHeGscmvVjsvbtp6X7E6HXsWM231M
hPB9fWdv4TIkyitqKwBzEbLe8jICcx4WaObNbtPVyybf0KYyMUPJJLspN94P
AEeevS3rbUvw9ww7rJ6tP8MGqvr5o7W9S0woBzPWTsK68lj2GKVwMJGWSJAt
UGY2UGA7NVIRy8ibZqfGKmHSnORk3uygqN5w2EccbJ0osJhhaGA1+qHfQW8M
ureGAAmZJnJo+QoubGdtsBH9i8czGE+MgjlhgcZJaZa7hPSCVCRVEFigOPp8
8vzzMBQH7UPGWLDnm2Zvsa2jJPYWMCeTcKoqeXy+7D/BEZJmJJEdmURYayuM
X6nZOGqOV8AQAdBIT6X9NISv7H6MdauD8IQ30vMNHR0H72JMQacAU3EuE2hy
zNli8NJuL/l3hzgpvyaGb9V3T8KqxPAZaGsnNv/aFiDDYKKJi8e75eD3pOk6
JDDBrYaACA/mBam5jc1WdqYB/jWMhwbOMCYNjVCOeh4Iz3K8gnIlIBOFo579
nRCFjZrB35UlEOXERG8sHlZzld5EJvW2mcd8GHlewi9JUwVWe9Yk1iNJ7k2N
WGVhOHaeZx0ccd2hIbyjzo+jjHFw1Z6jrQkbF7uUo0vcWjROz0W93LqK5Ra4
h8Q0mFHGZMYMyLQWSkcHLqYgUMX8PuX/ilHZPARay78f3beZoBNGEjZRQA4q
d7ykawx1DZAlep7AO/6xp/VFJDWg9/1rcLGq2/0EBkoL6y8gexgZoqLnlZVX
DB8dO50lIEuq4SmH7WEbAa+/mWQiy8zol0/Tw0iaZg8kPNRUOXhh1zWSqsR8
cZJkjzZ4VggXDoMq/3Jxnx4RRNGsvbkz8cHN5Cc+fkIM1hChsGznkG6L7Spl
H2GRVlkw/IbIvCo5nqDOce/2Nf3l54118tR7kPrLBvsixphzxMqWZKA25bJE
NKZuCst81JmgEAWcxODQSZD+9fSv2NnSVpzRUBwQeyaiRxpQv5Kpg+d6kBiN
ECMHPrazVj3xys6R1NHzURDFQVixap2IIMV/teAu3QCJAFLBIBv3mEjcN5jg
CQp6hWZQHs57pryTQeILjDS/oC2WK4sdJG7nlNVxjDLZMRxztmUNWWyGeMQ7
mFYJVzdLEmgdh0ZzF2yQdYXPft2GT1Ld3uDsBB6QJzaxO2IWc2U770pUeYz4
faww/+qe86HPY2wbGFnzmyrBVZCUxDTsoRWpjSousEXZtF3WI1Dvxs2XGLwb
Aih9QXKYnSQRPn5qoESyYQjo0xE78DizgZ4tZrLoxVeeQWS3Pbc4RxK8l1jj
T94IYHxIbYBNTjqMn2pvawf56Z7gOqSD8OF8hvyht1QEIUHCe5YDVQcDonSS
87DtLgmfzP9+/7u+LPv2v/HPsqnf/64vgb6VZby7OL04JhGxZCZfqQPhXM23
VOof1hUUAWgb26Y6oMox9uYbjqZ9vjAiso2VsZDIuH9YIKoflY+Jw4oQCupp
zOhkoWQHYIN7/ii70eSa7OwjJ6HyG39jTeBvzMr+RsL6b87p4zHKMUzxNDse
mzoHhccNCnJklkOZnOcuPdyx15kGaAIvCbYGe6UVczjHU1J81a8vHt85katV
33N24biXI4A9lXbBqrC6J/IVHBSSx87jFJPYFz3CJOUHC/cTDSB2xZ3zS4dE
NP4+im5rFtO+8HtZsgfkOa2U42C7NG3gYfsodhr4dNV0M8lsEh0KIaOEjyzy
EnHIRKIg4sgjNBZmR1+Y0eq+ChEnRVV3VIlycQjCEv8Z6RzOMjvI7ZksEsYm
2BEx/AR3/GI4hUoi0d7noY65PRJzeUUH1kyb/k04Es5VGOSC/bDdQX6Jjale
xhIMf6j7lJCOw8Ut55D9AnkVzqOHAL9QXgnL/K/KLGO+lkDXIcElepSEx+6F
jyzQn3yfP6Y05RX2vtQjYis/hpQtPt5IKOyp8b+l1b/XTBznKij27YNa9qUR
njgPLuujAqhUzzrikUdPYNBzcsV+7FbEewI5ZsxiMbB6G0FYoenhK44GYfwJ
5TgIxikvbFbs1OBPDIZBqjKpyT8kroSWhmUZ3L7JAUmosd7CMVPmMScqDiGG
cdLvIK1CCp6FpNUTWGUFbJSQlbLZNnAsH1IXWwCEPUc+d8snEgY1NnUBKXzX
cNxzVLLGATnXiI9Nk+VNCIGsvcGJR3EOItxesyjGEPmyzHq76krEQ2MPVpau
zfu6EinSmr4MSbOvZlI30eCpJGCpZ3u1M329UbeTWobpJnT1LSdMkGrxeAgx
vnHPD5zqN5wQSO8cFhQ9g6OnZXiv+4RjGLnmno3Ssz0kKCVpn0UJa2O+TtJx
ljDCgePwRrCJZJGDApNMumHvvkUIxCJTD//2GdeceoKygDmKVCR1M0qeJI0v
mOVbZEanGZf0uf24QTgFsne1JNu/u1m3IxNSxdISDg+W8LIS2tWHckNKUPVB
PMchWdwr1t/JSsLB9N3qyisita7Ugh6J/Fw8fPMfTx8576lLB/ATjVCipGrY
Ha2XEzCgrEX+RCHqnK3vHftHAnzcgSRU0Es6OBp/+3SUPR1/+2yUPRt/+5yT
+FA2i1/o2dH4OX5+zqGRbUtLrmjJ7LOl4WFxk1Rv6lwi8lo0QDa0A16cjuRW
hlFe1cuHhFvXHi0ePfKxogNrBfFpWobEbblQgL2zCg3xfBMPanisoyfZDgqH
aq5cyfT1b0ZfPXmSZPD8BCTzY/ALR5zizC6FYiSLP/rNHtT3yg7kAwn7yJwM
yYjZHqJxVjsuehDBsEOQGmXs7VjtZGTgHzK578qCS1eYK8H/3v6bYPJrTufv
UKQlCy3Kdr4FCz82Y9l+jmogBmjrqwuCLB35WpXCzhGk20+P8LmbcSzovIvq
PDS+FxNEOSfNZJydaHxRHeKcTTAYiPfKWb+2S+N2MG5K+MG1rKmqpSIhzWER
T5rTBs7OMokAj/3htFGCmI/fStYZqV1FOZe00bt8J/lfEi720Vr5dm1Zxw8l
DjgR7Pa09hP9uvUpelHCP1ejYzdd9ncXLH/97nspM7O+Kme+XW81cTASjqsa
2SvOfurBiZ0K42x6jPSHUQg1SowkkU+ay+cL7vzqeMtgbOn7AWJiTnpfMJvh
qKB8++eYkyNKUv26S8inRl70VhKl6rsKtWqMRu5sBeuAmzRjy5l4gVkCtOet
7glSkPg8yvylDC0umkoLJniRd5aDnAzaWt5OQ74R5K4sCAlsmaZZ1jUYy/xD
TqoPQxm25b/dm4UlouBgwkGUxyZpFS6TLMoRDA5hUsKMZIg4MXQ/5XhNXTA3
Ek10SAuiYTiAOy7D8+nSCZ8jUe3y+QcmIh69JOa0VN3M+Lz5Xsy09WU4klnc
WjVURbUBDWsJXUiIkbi2f0HJTfnOsZfKp2cvz9+c9d8zoXYEgNKAMf/GxrZU
h0lgzjx+DKb4+LG5SlSPSLVIyzyCFgUTkUWUYqu5KZc3kZbR3TT1dnmz2XJA
r1xv6qbLNVebccm7W0JBLWElclj6FUOtK7QJmRPQA5k1Hdzaw0UsTwsLFpzQ
A0R7lLmn1ZyuJGch/vY3RlFTwCAhQc1jcBZp/cJeaZ1W3uUjrQrdK2YzvqCJ
jXH+OhRUvZPMqZ4SEJdU6ZLM0/84ehrLefr7yC1bwj34yYeYsqdPnn8dlxYx
ORiv28tILPgd4ot0HyqV9XoLHxHOikfvgcB76oktcDRZcmX2UmxVcBBkHFYR
hsVS3adzMKJx3e9l9DOhbZJ6JRM4qRF80FHc+UEvNz1kYnO9y6FU8wcq+JzT
oOx59Uy/+k+oCBudeHLl4rSBIj+8JQyxzdc2+1BWXA65cMmrIQ3a+yWVI+6l
cs+2Ks/kzUjkKOkwF225ej8qjPMzICcN3ONPkMZidMRljLwTEg6qVcXlyzip
uOBxVS+haLxrwNzWZTtWHTaBER3IDiqs6w/wwe6gJE1/3Tq3raA4kWBOJg1E
MekotIDSi78qLEJ08v6a3UreSDmwmmu83C3CKUiVaWraDFefQSYAACd1YV11
OVPVVb3o7nCmV9sNchVPbqDLnJOliC4EOxNhoiLXmoZYyfgYzJXmiO+UeN62
KnLJ26HhWGq9e3XFqRC0TPqnoSMp2pv8g0pLZ1fBnhTKpnNOZiTuJ4aoCgxX
7Yzf1EIyQ5XSUu3PMRw2d7RWApbqAtEDSdGCDJhrJssxCuXLKm92I+PcZDTO
mkugGng71wwsSQMKNakZyykWg96ZSbsP/svOFKGjEvNCO9/6zY1CV4cV8l2C
mcQ8t6p9hk/OrjX2OMSfiJGULzrlxO5QLAqgJtAVSd255QL+qqLTsx9LqAWJ
vY+NNMa5m0PgWhRAPgMEK6OD8QmRJZKjJBrMRRta2Mv2tHOGA2Gg+EVwQH1y
jEIc0P+IgL5Tu4aL+3y+VT+b6qaGweb01+D2E248uAXghR9C+TUtBWdA/1s2
4yV83oWeByv2STTeeGySkDbYAX4hYwygILKd++YbJGu1xxUYIwlgcElYKPTN
WkUHYRwnPuT7OZu8LagnodCSmyRojZQTQHuU6VZIcJ3GVZpSgN5w5gYgeTKN
S5al6oYFb5obrLyIJat8ZqJeHlxewDigFRNjOtVFudyyk5BTh0mnuamb0SHc
DvXkkriSlAH+bMViFtJhpyaxglvGitX9SEPYRtwHTjIOn5FwyAEecVNHbtg+
WjKKJC6nBFB2PbOowjFsAgrzEIOlYqv5hvhhAwuanq1JrZ7tujhTBlbAclUu
OdAMFoYiLvVfJb1A+FwT9h2XZEy5+1XZlZYLqZPzx3JhqoeCVXjWUU5YtszW
8gw67jjSbE/Ovzg5jauyDPy9LOoCtfaK1kk9qleEx3Ism1U+532S6hMNLFVR
sFe53YUbq6wWTe4z1eDR4cr+T/n5RIAQ0Y69pmUCM+F8UFeE63ECeuCKKA5m
WOwyzJKycqUcLdpvjRQ31ehupqTiQ05tX59lOTTYb8UbZCPIK3Ui7mujXqHm
8VirBh2qc4f11L0mFIDmkE8l9v8q3jL1xl5jdW9pOACsAhKKAL9Cbi0WEkp8
UbK752L2YPQqsG4vmAXB+2DMSYqdnoNJhX+vnri7CVFpHtnmH3raptT+GkW/
/BOlwVn23Zb4NxtWVTRZXJQuzm1WLE2U6nQ0eerjWC5FVmkVkEY3RCbTtOcQ
kh1Cn6iYhI2Jf0mINunFg5AM2vEk+l9kUBBcinw3MUkVqSqmONMqJnjCAs5a
04k03CSKfaXR1Ebda+jUFp033BbMpJlbkQLq0+2d8gd17yc74/2A28ZMwlXG
Iwxl1Ie5qh3CiAg52LkJ2q7IlTniJi6kKD0MG5EskxSz5sPQcDNNtcsJ/Ltx
eW47J9hjbFaScEoHFxXbdCquclL/KqeIR6+K7cnkroXwPjOXyOx2u4JjfVau
SOdmgUOnxKYBuljmM23ZAZWkRXIb+vgJi8iLdVmVkqlzKx64pl5FNfaKSTWX
nlbarYoUPVJXpJHITIPBvZFUGqv/5mQ6EkkBk6Zc2SXjBwtN1mQEvmYQ9DBf
KmnPyA1QoLVCUO3ry1G+tdhFbvMIrLZkoHC+us8e5006pQsEDS7+Qj3HyqaZ
cYJHJ+NlXJRp2MpKds3xXqj/A4sIeeHM+8tuywmUCUNkY8sQbnJrLjLyyhpx
1ak45Pv2m6PyIkuJLHjJgzap2fqulIXUUvGmvQ6lGFGut6uuqpes56iTVKwU
5XkDrXXErnDu/xHzHD4Tb4mBs5do50EDu6zfGaG29vVIMxzmsCUZ7ZK4pHT3
kCxbDeLWG9aZQjquX5yoFrQO6Z8CVJN2VCZKG4nX6FiSD07CKGjZEgpl8AiV
JCoH1MIEFeEXo1Mo2Ycxi3AqHFvd+OQcGi88QxWjJvabHno51CeUuJTCpdbZ
363Y3wyzaPZWPAWSBgfA8N5yxO2q49jWSzIn7oiw2UxRPHY2SuS+v4Obgd/h
XZAeDmYRnEvM/Uj80ZELwOm1ek2Ww7YN+hGqzdB7U5ACrxJPrzmGp0qfpwLi
clp/WSOBaFr1cN6Twh6RYEVLG+pU+FgZrXa+SZOJzost9YZod7uSoZX3DzCn
LFLDRO5p2IRtMwgpWlSruQg166+uISDL1Z0iM38Ebupzx7Fw7uTm9IN4V6/o
x9jht6fbS88cUQF70FBOWDfuQHbRonCSrDWTKsjpMBgZDu857B+TOmy8Ia56
NEbnph4eEnH6ZZxKvnE9hBgDPde/Xw3sc50oWuYcDASw9SZznnLDMtNtq8cO
JdmH8eAtXKT9tKGDWwKZc/agG0G9UPo0bkvptjPiP7nBZxSH1LiMri0hPyYr
pguuaCMUoDWOk7x7D6o1YQw7l6NWahLciK2fdblU65RlkpqllambJZHrz/oT
iYcmJOxC7CUnvsfymCzYkI8nS/pHuYRV9BSqMvZ6uTQi19swqgkRGvXiC+AX
yI8Ma/KpfBCPgmo9smbvEfVCVztKibNElfKJqyTeq1V3JU4aOw0oG7yWeQoU
J8lIfX53V49XJChWumiGmTTRPOYIq2KRR39kTLv8KkVwHcAxZXe6rvtOMkbS
kC4eSZFRx/IYIt5xVJ3RdqqSrTRgYSASR+0ZibFG5EyUJA899rUbTDLm603+
j62f8NrRxF6N/lsmix/sbuoR131DtHHt0TnUiB19Baq5Zqq5XqzyZZvUj9Fp
Xks2195jdmMmT9EL7xri4uM35l/Gb4eOUfklMdQzThZMCtj4QGhPaeGa4zPy
1McHw8bkMz3B/tZCgZu8xhn74GffxPBURnU9zw+DNDkNoMK1KlTy5rOnUqgg
hQDBckdSa7npNFTgRfvY+aHUky3kNCvhbPFdgtS17TNAG3PQtS3NhZypEohE
fApuEUT0hKGtmgLMB92Cft1GHo3gS+f0hmBrJd7I1BlrJce/1Sg0TzhyP0cU
dw3/wnXkHoprW9QHyV5JkhqJA9L5uqt00F67CumZUwE+Ue7ogCrB0QRgqnH9
mqJ8VCw0JUbF3EuF5KcRNyaC/48GG0MwS+epCW/hqe6ue7SiyI0XnLZLi0zr
anwFp2YkxanuEEipg81XrQd5yM456TRUS3YBSQPO/Pd9ZqvME+s7P/zZrThC
hrUmTRztfMq6aBhKF8GcRoFgWIvGNjjvQ/NYwKmvVdASwHsNr7imUHQen4QM
28BHyNGyXXaO10Mg2MmvkYv0RUiG6OFgYQot9lqOM1JVQjvUfrp57ULz6rWH
YRSaGdyJ+x4ulmCqe1iKw0VkV4rHB48iwWi7WFhuTXH9X2TKriFEf8MHPxgA
ToLF97HmhGCGz9ujOpT788i6fS2SWTSUPTzsd41PVBHWVGf2Pq+ASdVg5pgY
93MdQrGh6twZxqefDPgyEnaKLuB516sDZZVP+0WIqyMexCkqcJls1w7dsGR1
+rqIl6h+EsWQpTd2CROUE9uDzyhCTg34DQck1GToMRYb0mxNOhRpeUrgbsm6
wHxF4xKTOg6uZN/ety8DutqIsxUKLbsCu6ANu/lypSXZ3Te9YQeCE0NuNe3F
plN5ny1n8dy6pOoV94sMtgMssljRD+GPb8RtDou6wpUKYsSGUBtuU4jtkdjU
gwaRc66B0bJx9qRJj1lV1ZUqpgzLfpsqJ3cHtfVKD6DJyzaUlQ+gmJ6e8w5e
Q0yFyIGwZxfuzNOYApuFTtcZUitpIYdFjuRSlssll/sK0tGKSb9w5omw/nm5
KVVGpYQd1es0+R0TB5RC5bO2Ingz4N7tNlbZ6vs30/fvvr+4PP/3s9Pr86ur
99M3J2dSuDZ99R09f/f96+vTi5/efHc5PdUfXp/TH+h5eX159t3l2dUV/VN+
eXl58e9nb65Pz348Pzm7nr65eD199ddI005OTxYQFsSbvcY9Rd/8IpPil+g6
+tg7Og5oJsNnP6SggGtP+VYkIrQL0iuWrgTnKk0SSRu8pGkp4uHSLtdlk8Xp
XqtyYSW1g4Me0AmjGEzke2GXJsmISpI4nPPf8fhB5qYuDUkUCAEZveapdUXY
wZ3a8720agiLe4Jd2ivpBCOl92adfyzXhHY9RwYPTDwiUXu1K32ioIi+ywTZ
hnUZXfea2X1Yd7DjMVKcJ8GRsMWeKxy9GrT7rGFPft+14dOnOeslkpeSBhZH
3d7++SR77TkkfxhuGLm0qAfh6KJ4HKTcMeaEqZYV+KKYNmguzJ7W6Cx22Ztz
WjzB4OmTp8/jwpbXr8anV9Ps4cvzt1fIQHw0wqMfzl77R88eSdbWq++TN79E
0ueZx6/WhEyWSNvQ5L1Kqjo5Mi4WJW434ERrDrBspeuwiA0r8stLJZOEzNnT
HuRLSGkJ0gfKA/LYKsvtvCSbIqzJxK1fiYlodrRvuUVMUhu289Hc5tKAKzkC
7tRGYqTVTOR6bU34TivVaMRQ3n5AljnHquYfpiRtHEmroFGSKLaNtJtEaJO7
MUUS3LljPbL0MilJsqNYzgGHQ67SwW0rET/g8M1u1pRFrId7t+K7e34OIUcO
+dFWsLdtJXoUS62iZtpnV79UR/CdG0aPvogzQNxpu858ceu4ug26oVO8GNrw
7GE2XLLhe0GFiAK9t1b/+FS2HV3uI3D9XnYX7iP0xqXmDUp4Jz8IZ1FsEOTV
020HVSxc+sIJ6zj7lV3miNlKq7ERN47hHKUxlyRown+BduzI9gGG+ejksIKV
5CwqykQdjX0prIe0z4tMujGb6ButnRvOZeHG7IEGoqa/cGFLRMUFNYxtGo1l
VbbsuNpGv4ziI7gNaIY1aSlNEcSgmpT+Epoi2jei1Ul2wJ33ocj+JKN3w9Ia
XWQqlz8wCsEori6+4abkpGjNO7WrQKqtu/4Ny9dsgLGFKgkTPJyvNNf1mfZc
roieu03tYyfe0CkVRVjcMfEgyhDxrCR0Etg311dC+GtlFMC+JoITQI1iBeDH
t296Mou9UQTWLbaoK6vn9Sqc4sjRa3LrEjQTEtNgn7ptydfysKO1n3gk8WiO
nivct7NV2o+t0ojsVVVAp+hqaXJBBI8evoA2oKFS2UgNiohMcvYvuvwZjkeS
wDB8gxtyoJmNyLr0ro9b1E0yS+fsSyTqQjoQmuxF0z13Yfq7qedRVMyzop1y
dmasYFeudpDTQ/u2uhhVrs2V5zec4HiY3Shxa8TEKC9m73+sHiKdRS1DZMvJ
W2i5r33f98k64hetFJqjVI0X5br2lcSSLamS812UopAmTARIhguetHSil13E
YYqouadVa8dGN0OVlWb4sabLl/gADcEicElBHJZEWk2kzoV4rY8UO3g7j8Ce
AwQ978G/PFsrq1vcYufyJb/PCRiEzW8IiqeWFbPsFXpKGTNVLCytU+h5e7RV
vMVtigL6uzaKURFep4ZbocOWnZRGeAzgMhpmyLHcm1m+/qzdapFbp6UwCWNo
JXXYsJe5kJxuMeqjCDHHHVEjsatVwKKUiRteaIGjILgEw/f6GKAOBOUEvQUz
6uhuNQJVSDJZnKGam8WW1epVGVKUYh1auWjb35ck6OYu2QM1YhCfSBkwYoEQ
PIFHeu3VMTOkmlPUFRtGpHNXhNFgiYyguVDAiA9lBTaxFW7JaQF9LurcX67q
mMCwtiGO4d2SkRJbkDbJuc/S241sNxee5Zur6pXVxGeOkxC8+yBNDmSktSv6
+myn9iAnrgrYXHUR18FxtseKc1e7NgaYc6QMpRHtU2l6plLI61lk7iOvK46s
gBJoH4zQBzTjvEARWq1dZLmfvVSXaJbZSKhec+KTqHQvQvx5cWC3cVBFSips
THnAzXYHVhxuUNA8TYGynUjJgu6a/6WUwR0svCUktz2wW26BvuDQ/hShnTMg
YqtmyNtG/7lx/ey8B7lFxRVhhFKUcBblX+/jLLkgs+P0w3PnK1T12Fuu7HhV
b6DPRvkMH2AMMa0ArmoW9sQ2OeoGJ/KQNEpuW3Lruc9eGZkb1zY6D45odhdA
W/VuUFEBQsJ57BPteUCZPPNo4yJJ1shCkqoDVb1U/RNNF75vuyLbhRFSGArb
pcHK7ScYi484T0EsWcbtfgZFaudJ/YRxOTGsJXJznR5qC8JWu941WIpzUsY9
vELNfjXTfdagV3kO+uSdoNW+kqn33WOMQRrTtg3ueJXv6eWorIC4cqPYi87J
oRIJ5YwpM3yY/vT/C35tZvrsHw7u4ijg1wvSivLu60s8BV3xNsXf+4s81C6B
nwPkLvgbCK4HPmfdyVNxSwdNM7RqT+HvMzrVrZqMch2iayxk9gctvCMnSB8P
W11KviGGhyxtz8m76Bg5Ct7IdY2KhYvEEWh8Eq6qtCQktNpWxhej0zlPmB4P
++dJhohLt++nz2LZ4i9N4dzkNPAVp/MFtjq08zhm2qvIXHAPP4/3XZRTw275
HvKob/zk1fTq6vxk+ur64s2rv4qL/fu/vrg8P5V/v/1z9IP43mNn+xBC/rJs
nf6yZJ+JK30QcxJnev+IDrnRXzb1z6Q4nHIlems4Wx7KnpSmt/faluowdHLG
9XmPSn3zApWO93nruKOjl9uNHXM7m9teyfWIVIoc913e5E1xlzt7e72uxaER
THZWVMRzaHN1b3BlceyK1BanZbXV8lxrPiUkfVVzoVJJSbps/OTwVtNK0X2h
KfgWHqX6WYNOGs0+Vwl5/sLOOLYgcOciaUAXl5BImYjk2AwGpr1zLHckj/Q1
TTTmpS/knLXjwKbe6N0EbegQqBFmx3kGOX3EJ/ZH9SkzTev8B0OC607vr2SX
gYk/kpChy1N2+ckDIkmkRLk4pF2Y0teMCJM/tFAtsOGwqeikUG30btrw1BAk
JY+kTVeTFPv07V0NiPCU7Ex2KryXvSZybrgk5cZfNzCUwK/D+YQvWDmahM4q
hNCzkPOlV5N9DpnXZF1+S1xj4n0lLpgqkxnHqUT+ShKF1TpRBayjrpBhxjM7
OLtrNFnSnkx7wXtRFAcPMqK7AEcey60xchLaZl127tITcUj19NwYjzSc9XdJ
jt99At/vwSOn5YWLB3J3XXjY57VctxPnFDIP84tOMzF7GUZpfG7/jNUH5PO6
9hObsn5iU3Lw96U4mcEUp1zu3xSvn2Rdz+stu0i5s79eVeb0KYE5dwBH/Vii
36cZSQMInIhPAf1h6amv3Qv5z0mQPXAwiRgWNB8Uw703Pm7KZhf9nOQo7R9b
Gun2a/IJp3H5wedVG+D3rbsP83AKkE+8N/1agk+XCYQWLEN1AuHi5Xty9UMr
l16QOowtJQNxOn4UrxhMx3f1Pz2ztbjH5nWO32DG/qLYYNSZlZunuATSaZpT
ycazuzRpL9OprHrplvGJ8JVOkY2ufRukk4Mk/LIrSbv++IQLH9X3Uj4Uw3W+
AQ/rVJHTgb5eSVo+G7NDbpbE3QmwSa24mmkH028G77xzBbu4YIsPkjGNO6vg
wqyQ3t+r9/YgTNJW5RyQKBCFuqVXhfhzzX55hq+rHQWNirPy/f1RLh3w0M6M
q6+DuhK1OPbucw7oDS05I3Jk6Io2tOPqTb6/nYkgevFQw1u1tQQ60MVdA+iu
rj+o11SCdaSfl06ziAsgIgCGUhy2kIcplDN8+X6t7FMkPpKrKBb9S2g9bwsx
tRQVeuJbaycsh8E+VZ3jOlB3h1wGfldu6SHMnVS/Bg7gC9cjPjIU5OcGkB7B
aM4lV4glaRRRVie7N5ja0W0lDJ0wm/1sAXH+Ge4NzGls4krzHKHlfkjSxyek
UfPTEU+1V13kPS1a++M3nhDdIYMETQ2jgJlE8Q9ZEnkTrPpReuGc4HEr7MfF
eLUQ3QOVdr3k6H3ZGrL6kAJThK22IL7C7XVIPvnmTMoykJoqEiFqbRxuSvA+
z3vEQRLOj1zASl9BaU12MedmnayDb/K5ZQwkLURvs4nitpoxEzZJ8qZxe0ws
7rHcJp0wShgEiAhIyfCw6hD8TwTUCN/6AiVzjSp9vBLDRWKkz3hdS3EjXi1V
XXoL7DcUcVhbbxuaXo9yKBFk0CmpwVW1+At36/GC6c2bMwctZF9qwoDxRlxd
LWtuhBYswb1QNWvHYSSVhrELQZgONwoT47F1N4V4CwcMIuQsCD92uGDC6Gns
kikOPsF5LpegRD6WpO2B9BVTt4kt1BOUhC3CxR9py4s4D1JTvqLck8jFIBwk
8s1A1LrGrkSy6xp1TdrY3AFy7vJC0g5D2t2+bX10EOQA70Ho7GTsmnlXZKHN
iSdIcJadSVVbN9LHpq1XfPwxuyK+f1PVdNo7N3nLOOCrtHTqFaYtKw64jOH+
Kfp8NL601DVNTys0XR2n9D/TSDE+QL+ru7Iq6ru0wRiyTZlKOON05POA2N50
Ubg6ysx3vi5JUuvfgagdrcN1J1EHVONvQnfNwpwJ4YprWLiEitFwFUfUbzV8
E8vzo5ERPh5aI/SyBd25u8wJrlWP0gB9K8Ko/W5r9J6uXr7b0CQgUVmCS5xC
NsSYAe/vFQi3B1VSB6GQ7MOPwW0r5jfu0nlpDBa1mPH9aAmDtXuwXKaD9uOi
kHEfm1LxUO5qj2k/D2Rko155IfVSEupQlKVReRNXze1XWYTrwxp76+43Z50p
vrTd3eB9cvnKkEVJaG/BAhHkRqSA71KNGiok1w5rWxrGRek00JtpYq6IMYED
JkYEtALWZ1VMRa2fCaTvOQ+WNJfR/Z3DPFfgog3Nd0rW6ApRYP6EQx2q2BIh
lfhLnbrYb98gVA1eRQh5R7ME0nBeIg9Hvm5she3UVZCI0UUSEWMbYh3+XjE3
jLOTp06Yhfsj/MUN8UAm4UHofTYGb1HuIx/qAUqH9/Q6Tc6L9qqqz4eSBift
/tFmSyT6oTu95fsGQrp3Mqy7SqiRHoQ7X6u/stWyu3Guseh8Zb0qZIcmVsL0
WOXv0URTWNtlP7nblfYGRf+FIt8Ru30ZbmC6d7WIodAHXCqeXGFy5Qbgvrla
jMSO0XBXFNyzkceyrDifv7cl8XNGtz+xjGCZprebodugfPJ7OvASYcGHP2Vf
ZC8fZY+zK61N1juwfXdfxZmoT+KebyNGEl9koIByplZB4n033r/+mX2aXx49
lR2K/uMJk4M/H8s1zYSW/5Ovn2WvX8iNZnL5exFIVKEBf1BkQfl2ZO7+Ze1q
wP0eJEnGVd2LkRW39lxoqZvjrwPREj7BpOHZ8N2yHg/2e6B1EXZ6RUexeY3c
oYEl6LVP2uw9LKh/H+WlnXFZgF7DqrncColikCigDVuNNIdu+/HCovUYjU+N
uAhL5orazki22P7VNrGIdluK2ApaW/JoNqhhcXOX5OJPMTj2XB/o/0PilqvD
OD+6XhjtduTmHmV5WqoizBGZQ9zwUP1bPrs6UKbelCyu1tytVXoYR5164p1F
LTZ8hZjmTsvngSRMiM3HeXurXiSkf49Sb3dw8OhGWEk2ukpSm8noovNx3UK4
TyBAGqxgthbSzph7F8OzJQidpoGS4wM96VZ8FWw8K0943zW5vYPKpEO99FXS
dvVKH26+ThqTx0pVfKWHGWyzHSmfcjF6elt2lGHXbkvpP7hJb2E2PgNZxTM7
dV1oihOKJDgyDJeoVNDBh309AxeZG5lZE2FgvuZN4YKCKS0EuCTnnwh/TXYy
AytzccekOg4cU7varbSdhHNL6hwMMsmvN14lSjLGQZHOKZBHPZ0C3qWGDbz0
Spsmpk1WsKTXVUIPIEW55ywam1Qod4HQpR2L1otBp9xd+cxZVxeLBbuU3rKq
0kan6NPvuO2vA06vy63WtnpjzeWJO7WebxMs+BalLmV/qmqpulRyN3lZCmeW
0TZxT9xGy/XdxVOjGCjMXvS2XHExhOEVX/RmgkFtL10Cm41uCd5p6aHRxDCU
DtXxvvtrd6JR260dvKv0M8iTjt7fCMykMtcLBk0AC8OPRWYj/dgO3T7b78Y8
itM7TXTPJ6sjgzdtcdEM8Yet2kNaPFfhbgfkiteqxPqbgEyipqWAVDvpU9eD
tX2pYvRiCU1Ejx0wQjuf2XQ3Lg03w3P3mswmN4Sxnw4vQpnn1lIcRSuXBFIs
cZwMxL18fbfH5J6vT+DZHnohS/HjxnUdhQeGy2GEDYVUFpPwoSBRK7QK7bk/
8jRxj/gH8mE1C0fR2efgGI4G1V1dlawcSZOFukpFl3S/HSnrckwbSe688j4y
GqdS+/u023UO31KmFb15l6iHguuoPPfXSA7cnqexkv5ae05GD36XSdqjqHiW
WPWW1FvOId/UsG/nu/nKuxRa27V96cyf7GVmmi6yb7SeSeKCkn0Yszzv0UrC
2qXekaApEOv847VUutkiXMg8kFTJrbTbLoJ6BA9u/u4vwlztjAeCbmuVt7jv
maEeukgNTINbWQazOEzgRUnKZpB8Gn9C4CFcbOdynsr1ECZJ//6wJdcGOjsA
Fr5sTiv8Esks9pKm28thOM0OWoAw7NLdMzEOKf3JGToDzZGTc1VyPWAwgeLm
cIGoG1+9HRtdKhOCxCPzBe2TUGxmXNgrvWFUr03wma0yD1lo7Q2CKNlym5NK
29l+w7UUdZOGOMPgTJsgAEPE2drvdxB6Pw2jUZL94dtdQ4rA0r1wlq4xqeGb
xg4/w5ZVkLrOTB6LBqxE7t7MmT2sxHuL2SnPSfPW5KHOYlyA4NOuE41wuIS8
e1ozcjoAh6/6dnHoLd/3FwhhhDrnPduYvUMmNHKCvKVXUg3l+eQpIctF3+nA
lcreoBAjzV2Y23PWqO1calenEDoyUfvyuD41AYrq+3vOsVSE+8md2e5v0eJB
iC+I/2vi3AXe4AVmMXqrZhNjkjScrcb3Y9fI7Ltk9KIGuGFY+3KNdocRosU9
INuVrvoub5hKXTNKXFFBgmccQODe30P9OAIXrl3rFfAOK6Ls0YhzhRkoe9uP
9w0VZMX1gEM/+2xp0krGfMxyo0gEAtxmJx1zlZtV8bVIJomtBEUaJqt1uR9l
04ua3OToxke4QRbZXDQvf7OuzOf6FYRmf3pfjzYb6S0XleGxYWOiVmvadK+H
HGFD8SVPjjm7ygJdjJYSGA1eLTnk4vw6Effn0JPcnhSJNQCBOUJ4NvIX3jn0
Gbxofdg/sXcV9f6F4KZ3IXjv7uhkd5+TnnkyNZ/fdy429wW/xAvRO2LTd0Ls
r0ftx8iVEbsb9q6h1wFGoalLNHqktlwn3gyWik7ZTKSsxgz65+kcXoocThPh
W1idmhxdesFLO6DxxPcjBHULF4GqLtVbz5BC4CgmUQkcLGF1EIkkuoBrhdxX
BFw1R2+/aXO9HiJ/k9xtH0hhL6d1EL/3zmQgHXUPK7w+Yn4F3igdG/YuP8cl
bO5XfvV8+mY6cEd67HLzV1yKQ7Isxhs7XhWbFyTc3l+et1HDZrAhuBWYeiUw
msaw5DwfXL0+D4tUnekvSTrDmRvzgVYHkY348GjybPLV5GjyJf3PbyZHj+jk
x+Mx34KJvUznH6r6bmWLpeTcviOU+8CZQqc5Sersha3+npMdM8po6dlPFiVH
szyX4vnXuKv0Ylu1d3Wjl7sJj15YW4gBy2bTbUkwcG5Jl/6hbv7/B2I14bv4
tQAA

-->

</rfc>
