<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.35 (Ruby 3.3.8) -->
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc linkmailto="no"?>
<?rfc editing="no"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-anima-rfc8366bis-32" category="std" consensus="true" obsoletes="8366" updates="8995" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.32.0 -->
  <front>
    <title abbrev="Voucher Artifact">A Voucher Artifact for Bootstrapping Protocols</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-anima-rfc8366bis-32"/>
    <author initials="K." surname="Watsen" fullname="Kent Watsen">
      <organization>Watsen Networks</organization>
      <address>
        <email>kent+ietf@watsen.net</email>
      </address>
    </author>
    <author initials="M." surname="Richardson" fullname="Michael C. Richardson" role="editor">
      <organization>Sandelman Software</organization>
      <address>
        <email>mcr+ietf@sandelman.ca</email>
        <email>https://orcid.org/0000-0002-0773-8388</email>
        <uri>https://www.sandelman.ca/</uri>
      </address>
    </author>
    <author initials="E." surname="Dijk" fullname="Esko Dijk">
      <organization>IoTconsultancy.nl</organization>
      <address>
        <email>esko.dijk@iotconsultancy.nl</email>
      </address>
    </author>
    <author initials="T." surname="Eckert" fullname="Toerless Eckert">
      <organization>Futurewei Technologies Inc.</organization>
      <address>
        <postal>
          <street>2330 Central Expy</street>
          <city>Santa Clara</city>
          <code>95050</code>
          <country>United States of America</country>
        </postal>
        <email>tte@cs.fau.de</email>
      </address>
    </author>
    <author initials="Q." surname="Ma" fullname="Qiufang Ma">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>101 Software Avenue, Yuhua District</street>
          <city>Nanjing</city>
          <code>210012</code>
          <country>China</country>
        </postal>
        <email>maqiufang1@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <area>Operations</area>
    <workgroup>ANIMA Working Group</workgroup>
    <keyword>voucher</keyword>
    <abstract>
      <?line 135?>

<t>This document defines a strategy to securely assign a candidate device (Pledge) to an  Owner
using an artifact signed, directly or indirectly, by the Pledge's manufacturer.
This artifact is known as a "Voucher".</t>
      <t>This document defines an artifact format as a YANG-defined JSON or CBOR document
that has been signed using a variety of cryptographic systems.</t>
      <t>The Voucher Artifact is normally generated by
the Pledge's manufacturer (i.e., the Manufacturer Authorized Signing
Authority (MASA)).</t>
      <t>This document obsoletes RFC8366: it includes a number of desired extensions into the YANG module.
The Voucher Request YANG module defined in RFC8995 is also updated and now included in this document, as well as other YANG extensions needed for variants of RFC8995.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-anima-rfc8366bis/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        anima Working Group mailing list (<eref target="mailto:anima@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/anima/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/anima/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/anima-wg/voucher"/>.</t>
    </note>
  </front>
  <middle>
    <?line 152?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines a strategy to securely assign a candidate device
(Pledge) to an Owner using an artifact signed, directly or indirectly,
by the Pledge's manufacturer, i.e., the Manufacturer Authorized
Signing Authority (MASA).  This artifact is known as the "Voucher".</t>
      <t>The Voucher Artifact is a JSON <xref target="RFC8259"/> document that
conforms with a data model described by YANG <xref target="RFC7950"/>.
It may also be serialized to CBOR <xref target="CBOR"/>.
It is encoded using the rules defined in <xref target="RFC7951"/> or <xref target="RFC9254"/>, and
is signed using (by default) a CMS structure <xref target="RFC5652"/>.</t>
      <t>The primary purpose of a Voucher is to securely convey a trust anchor
that a Pledge can use to authenticate subsequent interactions.
The trust anchor may be in the form of a certificate (the '<tt>pinned-domain-cert</tt>' Attribute), a hash of a certificate, or it can be a raw public key (in constrained use cases).</t>
      <t>This trust anchor represents the authority of the Owner of a network.
Communicating this trust anchor securely to the Pledge is the job of the Voucher Artifact.
The act of communicating this trust anchor is known as pinning the trust anchor, as the Pledge can then use the resulting anchor to authenticate other actors who are part of the network.
The collection of all these actors is collectively known as the Domain.
(This is not related to the domain name system, but rather the term is of mathematical origin)</t>
      <t>A Voucher may be useful in several contexts, but the driving motivation herein is to support secure Onboarding mechanisms.
This is accomplished by assigning an Owner to the Pledge, enabling it to authenticate the network that it is connected to.</t>
      <t><xref target="RFC8366"/> originally defined the Voucher as the only Voucher Artifact, leaving the Voucher Request that is used in BRSKI to be defined in <xref target="RFC8995"/>.
This document includes both Voucher and Voucher Request obsoleting <xref target="RFC8366"/>, and updating <xref target="RFC8995"/>.</t>
      <t>YANG is not easily extended except by updating the YANG module definition.
Since <xref target="RFC8366"/> was written, the common pattern is to publish YANG modules as two documents: one with only the YANG module, and the other one with usage, motivation and further explanation.
This allows the YANG module to be updated without replacing all of the context.
This document does not follow that pattern, but future documents may update only the YANG module.</t>
      <t>This document introduces a mechanism to support future extensions without requiring the YANG module to be revised.
This includes both a new IETF standard mechanism for extensions modeled after the mechanism present in <xref target="RFC8520"/>, as well as a facility for manufacturer private extensions.</t>
      <t>The lifetimes of Vouchers may vary.
In some Onboarding protocols, the Vouchers may include a nonce restricting them to a single use,  whereas the Vouchers in other Onboarding protocols may have an
indicated lifetime.
In order to support long lifetimes, this document recommends using short lifetimes with programmatic renewal, see <xref target="renewal-over-revocation"/>.</t>
      <t>Some Onboarding protocols using the Voucher Artifact defined in
this document include: <xref target="ZERO-TOUCH"/>, <xref target="SECUREJOIN"/>, <xref target="RFC8995"/> and <xref target="cBRSKI"/>.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>This document uses and defines the following terms.
They are used in this document and related documents.</t>
      <dl>
        <dt>(Voucher) Artifact:</dt>
        <dd>
          <t>Used throughout this document to represent a Voucher or Voucher Request as instantiated in the form
of a signed datastructure. The payload of the signed datastructure is called the Voucher Data.</t>
        </dd>
        <dt>Attribute:</dt>
        <dd>
          <t>A single named data element that can be stored in Voucher Data. The element's name and data type are defined by
one of the YANG models as defined in this document.</t>
        </dd>
        <dt>Bootstrapping:</dt>
        <dd>
          <t>The process where a Pledge obtains cryptographic key material to identify
 and trust future interactions within a specific Domain network.
 Bootstrapping is based on imprinted key material provided during the
 manufacturing process (see: Imprint).
 This term was used in <xref target="RFC8366"/>, but has been supplanted by the term Onboarding.</t>
        </dd>
        <dt>Domain:</dt>
        <dd>
          <t>The set of entities or infrastructure under common administrative
control.
The goal of the Onboarding protocol is to enable a Pledge to
join a Domain and obtain domain-specific security credentials.
This term is not related to "DNS domain" <xref target="RFC9499"/> although a Domain might be associated to a specific DNS domain.</t>
        </dd>
        <dt>Imprint:</dt>
        <dd>
          <t>The process where a device obtains the cryptographic key material to
identify and trust future interactions generally as part of the manufacturing.
This term is taken from Konrad Lorenz's work in biology with new ducklings:
"during a critical period, the duckling would assume that anything
that looks like a mother duck is in fact their mother"
<xref target="Stajano99theresurrecting"/>. An equivalent for a device is to
obtain the fingerprint of the manufacturer's root certification authority (root CA)
certificate. A device that Imprints on an attacker suffers a similar
fate to a duckling that imprints on a hungry wolf. Imprinting is a
term from psychology and ethology, as described in <xref target="imprinting"/>.</t>
        </dd>
        <dt>Join Registrar (and Coordinator):</dt>
        <dd>
          <t>A representative of the Domain that is configured, perhaps
autonomically, to decide whether a new device is allowed to join the
Domain. The administrator of the Domain interfaces with a Join
Registrar (and Coordinator) to control this process.
Typically, a Join Registrar is "inside" its Domain. For simplicity,
this document often refers to this as just "Registrar".</t>
        </dd>
        <dt>MASA (Manufacturer Authorized Signing Authority):</dt>
        <dd>
          <t>The entity that, for the purpose of this document, issues and signs the
Vouchers for a manufacturer's Pledges and keeps logs of Pledge ownership.
In some Onboarding protocols, the MASA may have an Internet
presence and be integral to the Onboarding process, whereas in
other protocols the MASA may be an offline service that has no
active role in the Onboarding process.</t>
        </dd>
        <dt>Malicious Registrar:</dt>
        <dd>
          <t>An on-path active attacker that presents itself as a legitimate Registrar.</t>
        </dd>
        <dt>Onboarding:</dt>
        <dd>
          <t>Onboarding describes the process to provide necessary operational data to a Pledge
and to complete the process of bringing the Pledge into an operational state.
This data may include configuration data, but specifically deals with application-specific cryptographic
key material (application-specific security credentials).
Since <xref target="RFC8366"/>, this term has replaced the term Bootstrapping.</t>
        </dd>
        <dt>Owner:</dt>
        <dd>
          <t>The entity that controls the private key of the trust anchor conveyed by the Voucher.
Typically, the Owner is indicated by the '<tt>pinned-domain-cert</tt>' Attribute.</t>
        </dd>
        <dt>Pledge:</dt>
        <dd>
          <t>The prospective component/device attempting to find and securely join a Domain.
When shipped or in factory reset mode, it only trusts authorized representatives of the
manufacturer.</t>
        </dd>
        <dt>Registrar:</dt>
        <dd>
          <t>See Join Registrar. This term is not related to the term DNS Registrar <xref target="RFC9499"/>.</t>
        </dd>
        <dt>TOFU (Trust on First Use):</dt>
        <dd>
          <t>When a Pledge makes no security decisions but rather simply
trusts the first Domain entity it is contacted by.
Used similarly to <xref target="RFC7435"/>.
This is also known as the "resurrecting duckling" model <xref target="Stajano99theresurrecting"/>.</t>
        </dd>
        <dt>Voucher:</dt>
        <dd>
          <t>A Voucher Artifact, not a Voucher Request, that is a signed statement
from the MASA service that indicates to a Pledge
the cryptographic identity of the Domain it should trust.
When clarity is needed, it may be preceded by the type of the signature, such as CMS, JWS or COSE.</t>
        </dd>
        <dt>Voucher Data:</dt>
        <dd>
          <t>The raw (serialized) representation of the YANG data elements of a Voucher (Request) without any enclosing signature.
Current serialization formats include JSON and CBOR.</t>
        </dd>
        <dt>Voucher Request:</dt>
        <dd>
          <t>A signed artifact sent from the Pledge to the Registrar, or from the Registrar to the MASA, for Voucher acquisition.
When clarity is needed, it may be preceded by the type of the signature, such as CMS, JWS or COSE.</t>
        </dd>
        <dt>Pledge Voucher Request (PVR):</dt>
        <dd>
          <t>A signed artifact sent from the Pledge to the Registrar. It is a specific form of Voucher Request.</t>
        </dd>
        <dt>Registrar Voucher Request (RVR):</dt>
        <dd>
          <t>A signed artifact sent from the Registrar to the MASA. It is a specific form of Voucher Request.</t>
        </dd>
      </dl>
    </section>
    <section anchor="requirements-language">
      <name>Requirements Language</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="survey-of-voucher-types">
      <name>Survey of Voucher Types</name>
      <t>A Voucher is a cryptographically protected statement to the Pledge
authorizing a zero-touch Onboarding with the Join Registrar of the
Domain. The specific information a Voucher provides is influenced by the
Onboarding use case.</t>
      <t>The Voucher can convey the following information to
the Join Registrar and to the Pledge:</t>
      <dl>
        <dt>Assertion Basis:</dt>
        <dd>
          <t>Indicates the method that protects
the Onboarding (this is distinct from the Voucher signature that
protects the Voucher itself). Methods include
manufacturer-asserted ownership verification, assured
logging operations, or reliance on Pledge behavior
such as secure or measured boot.
The Join Registrar uses this information to make a determination as to whether to accept the Pledge into the network.
Only some methods are normatively defined in this
document. Other methods are left for future work.</t>
        </dd>
        <dt>Authentication of Join Registrar:</dt>
        <dd>
          <t>Indicates how the Pledge
can authenticate the Join Registrar.  This document defines
a mechanism to pin the Domain certificate, or a raw public key.
Pinning a symmetric key, or CN-ID (<xref target="RFC6125"/>) or DNS-ID
information (as defined in <xref target="RFC9525"/>) is left for future work.</t>
        </dd>
        <dt>Anti-Replay Protections:</dt>
        <dd>
          <t>Time- or nonce-based
information to constrain the Voucher to specific time periods or Onboarding
attempts.</t>
        </dd>
      </dl>
      <t>A number of Onboarding scenarios can be met using differing
combinations of this information. All scenarios address the primary
threat of an on-path active attacker (or MiTM) impersonating the Registrar.
If successful, this would gain control over the Pledge.
The following combinations are "types" of Vouchers:</t>
      <table anchor="voucher-types-table">
        <name>Overview of Voucher types</name>
        <thead>
          <tr>
            <th align="left">Voucher Type</th>
            <th align="right">Assertion</th>
            <th align="right"> </th>
            <th align="right">Registrar ID</th>
            <th align="right"> </th>
            <th align="right">Validity</th>
            <th align="right"> </th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left"> </td>
            <td align="right">Logged</td>
            <td align="right">Verified</td>
            <td align="right">Trust Anchor</td>
            <td align="right">CN-ID or DNS-ID</td>
            <td align="right">RTC</td>
            <td align="right">Nonce</td>
          </tr>
          <tr>
            <td align="left">Audit Voucher</td>
            <td align="right">X</td>
            <td align="right"> </td>
            <td align="right">X</td>
            <td align="right"> </td>
            <td align="right"> </td>
            <td align="right">X</td>
          </tr>
          <tr>
            <td align="left">Nonceless Audit</td>
            <td align="right">X</td>
            <td align="right"> </td>
            <td align="right">X</td>
            <td align="right"> </td>
            <td align="right">X</td>
            <td align="right"> </td>
          </tr>
          <tr>
            <td align="left">Owner Audit</td>
            <td align="right">X</td>
            <td align="right">X</td>
            <td align="right">X</td>
            <td align="right"> </td>
            <td align="right">X</td>
            <td align="right">X</td>
          </tr>
          <tr>
            <td align="left">Owner ID Voucher</td>
            <td align="right"> </td>
            <td align="right">X</td>
            <td align="right">X</td>
            <td align="right">X</td>
            <td align="right">X</td>
            <td align="right"> </td>
          </tr>
          <tr>
            <td align="left">Bearer Voucher</td>
            <td align="right">X</td>
            <td align="right"> </td>
            <td align="right">wildcard</td>
            <td align="right">wildcard</td>
            <td align="right">optional</td>
            <td align="right">opt</td>
          </tr>
        </tbody>
      </table>
      <t>NOTE: The "RTC" column denotes Voucher validation using a Real-Time Clock.</t>
      <t>NOTE: All Voucher types include a "Pledge ID <tt>serial-number</tt>" (column not shown for space reasons).</t>
      <dl>
        <dt>Audit Voucher:</dt>
        <dd>
          <t>An audit Voucher is named after the logging assertion mechanisms
that the Registrar then "audits" to enforce its local policy. The
Registrar mitigates the risk of a Malicious Registrar by auditing that no unknown Registrar, or
known Malicious Registrar, appears in the MASA's log entries for the Pledge.
This does not directly prevent a Malicious Registrar but provides a response mechanism that
ensures the on-path attack is unsuccessful.
An advantage is that actual ownership knowledge (i.e., sales integration providing an indication of who purchased the device) is not required on the MASA service.</t>
        </dd>
        <dt>Nonceless Audit Voucher:</dt>
        <dd>
          <t>An audit Voucher with a validity period statement, but no guarantee of freshness. Fundamentally,
it is the same as an audit Voucher except that it can be issued in
advance to support network partitions or to provide a permanent
Voucher for remote deployments.
Being issued in advance of the Pledge being online, the Pledge can not rely on a nonce to be included for freshness.
This compromise in reducing the freshness allows for the resulting Voucher to be carried across air-gapped infrastructure.
In addition, if the validity period has been set sufficiently long, the Voucher can be used after the manufacturer (and its delegates) has gone out of business.</t>
        </dd>
        <dt>Ownership Audit Voucher:</dt>
        <dd>
          <t>An audit Voucher where the MASA service has verified the Registrar
as the authorized Owner.
The MASA service mitigates a MiTM Registrar by refusing to generate
audit Vouchers for unauthorized Registrars. The Registrar uses audit
techniques to supplement the MASA. This provides an ideal sharing of
policy decisions and enforcement between the vendor and the Owner.</t>
        </dd>
        <dt>Ownership ID Voucher:</dt>
        <dd>
          <t>Named after inclusion of the Pledge's CN-ID or DNS-ID within the
Voucher. The MASA service mitigates a MiTM Registrar by identifying
the specific Registrar (via PKIX <xref target="RFC5280"/>) authorized to own the Pledge.</t>
        </dd>
        <dt>Bearer Voucher:</dt>
        <dd>
          <t>A bearer Voucher is named after the inclusion of a Registrar ID
wildcard. Because the Registrar identity is not indicated, this
Voucher type must be treated as a secret and protected from exposure
as any 'bearer' of the Voucher can claim the Pledge.
This variation is included in the above table in order to clearly
show how other Voucher types differ.
This specification does not support bearer Vouchers at this time.
There are other specifications in the industry which are equivalent though.
Publishing a nonceless bearer Voucher effectively turns the
specified Pledge into a TOFU device with minimal mitigation
against MiTM Registrars. Bearer Vouchers are therefore out of scope.</t>
        </dd>
      </dl>
    </section>
    <section anchor="changes-since-rfc8366">
      <name>Changes since RFC8366</name>
      <t>This document obsoletes <xref target="RFC8366"/>.</t>
      <section anchor="extendfail">
        <name>Attempts and motivation to extend RFC8366</name>
        <t><xref target="RFC8366"/> was published in 2018 during the development of <xref target="RFC8995"/>,
<xref target="ZERO-TOUCH"/> and other work-in-progress efforts.
Since then the industry has matured significantly, and the in-the-field activity which this document supports has become known as <em>Onboarding</em> rather than <em>Bootstrapping</em>.</t>
        <t>The focus of <xref target="RFC8995"/> was Onboarding of ISP and Enterprise owned wired routing and switching equipment, with IoT devices being a less important aspect.
<xref target="ZERO-TOUCH"/> has focused upon Onboarding of CPE equipment like cable modems and other larger IoT devices, again with smaller IoT devices being of lesser importance.</t>
        <t>Since <xref target="RFC8995"/> was published there is now a mature effort to do application-level Onboarding of constrained IoT devices defined by the Thread Group and the Fairhair Alliance (now OCF) <xref target="fairhair"/>.
The <xref target="cBRSKI"/> document has defined a version of <xref target="RFC8995"/> that is usable over constrained IEEE 802.15.4 6LoWPAN networks using CoAP and DTLS, while <xref target="I-D.ietf-lake-authz"/> provides for using CoAP and EDHOC on even more constrained devices with very constrained networks.</t>
        <t><xref target="PRM"/> has created a new methodology for Onboarding that does not depend upon a synchronous connection between the Pledge and the Registrar.
This mechanism uses a mobile Registrar agent that works to collect and transfer signed artifacts via physical travel from one network to another.</t>
        <t>Both <xref target="cBRSKI"/> and <xref target="PRM"/> require extensions to the Voucher Request and the resulting Voucher. The new Attributes are required to carry the additional data and describe the extended semantics.
In addition, <xref target="cBRSKI"/> uses the serialization mechanism described in <xref target="RFC9254"/> to produce significantly more compact artifacts.</t>
        <t>When the process to define <xref target="cBRSKI"/> and <xref target="PRM"/> was started, there was a belief that the appropriate process was to use the <xref target="RFC7950"/> <em>augment</em> mechanism to further extend both the Voucher Request <xref target="RFC8995"/> and Voucher <xref target="RFC8366"/> artifacts.
However, <xref target="PRM"/> needs to extend an enumerated type with additional values and <em>augment</em> can not do this, so that was initially the impetus for this document.</t>
        <t>An attempt was then made to determine what would happen if one wanted to have a constrained version of the <xref target="PRM"/> Voucher Artifact.
The result was invalid YANG, with multiple definitions of the core Attributes from the <xref target="RFC8366"/> Voucher Artifact.
After some discussion, it was determined that the <em>augment</em> mechanism did not work for this use case,
nor did it work better when the <xref target="RFC8040"/> "yang-data" extension was replaced with the <xref target="RFC8791"/> "structure" extension.</t>
        <t>After significant discussion the decision was made to simply roll all of the needed extensions into this document.</t>
      </section>
    </section>
    <section anchor="updates-to-rfc8995">
      <name>Updates to RFC8995</name>
      <t>This document represents a merge of YANG definitions of the Voucher from <xref target="RFC8366"/>, the Voucher Request from <xref target="RFC8995"/>, and extensions to each of these from <xref target="cBRSKI"/>, <xref target="CLOUD"/> and <xref target="PRM"/>.
The difficulty with this approach is that the semantics of the definitions needed for the other documents are not included in this document, but rather in the respective other documents.</t>
      <section anchor="updates-idevid-issuer">
        <name>Updates to the use of <tt>idevid-issuer</tt></name>
        <t>The <tt>voucher-request</tt> module definition that was in <xref target="RFC8995"/> Sections 3.2 (tree diagram) and 3.4 (YANG module) is now included in this document.
There is a change to it: the '<tt>idevid-issuer</tt>' Attribute <bcp14>MUST</bcp14> be included in a Registrar Voucher Request (RVR).
Like the '<tt>serial-number</tt>' value in the RVR, the '<tt>idevid-issuer</tt>' value in the RVR is to be taken from the Pledge's (IDevID) client certificate.
In some variations of BRSKI, such as <xref target="PRM"/>, there is no direct TLS connection between Pledge and Registrar.  Therefore, the Pledge's IDevID certificate cannot be extracted from the TLS connection, so those variations define a different channel binding process and may deviate from the above requirement.</t>
        <t>A Registrar <bcp14>MUST</bcp14> apply the following rules for the value of the '<tt>idevid-issuer</tt>' Attribute in the given order:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the Authority Key Identifier (AKI) field is present in the Pledge's (IDevID) client certificate, the Registrar
copies the full data element as specified in <xref target="idevid-issuer-format"/>.</t>
          </li>
          <li>
            <t>Otherwise, the Registrar generates the full data element in the format specified in <xref target="idevid-issuer-format"/>, using the
SHA-1 hash of the public key of the Pledge's IDevID client certificate.
This is defined as method 1 in <xref section="4.2.1.2" sectionFormat="of" target="RFC5280"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="clarifications-on-the-use-of-idevid-issuer">
        <name>Clarifications on the use of <tt>idevid-issuer</tt></name>
        <t><xref target="RFC8366"/> and <xref target="RFC8995"/> define the '<tt>idevid-issuer</tt>' attribute for the '<tt>voucher</tt>' and '<tt>voucher-request</tt>' modules (respectively), but they summarily explain when to use it, and why it is used.</t>
        <t>The '<tt>idevid-issuer</tt>' Attribute is provided so that the serial number to which the issued Voucher pertains can be relative to the entity that issued the Pledge's IDevID.
In most cases there is a one to one relationship between the trust anchor that signs Vouchers (and is trusted by the Pledge), and the Certification Authority that signs the IDevID.
In that case, the '<tt>serial-number</tt>' in the Voucher Data must refer to the same device as the serial number that is in the IDevID certificate (in the '<tt>serialNumber</tt>' element of type '<tt>X520SerialNumber</tt>' per <xref section="2.3.1" sectionFormat="of" target="RFC8995"/>).</t>
        <t>However, there are situations where the one to one relationship may be broken.
This occurs whenever a manufacturer has a common MASA, but different products (on different assembly lines) are produced with identical serial numbers.
A system of serial numbers which is just a simple counter is a good example of this.
A system of serial numbers where there is some prefix relating the product type does not fit into this, even if the lower digits are a counter.</t>
        <t>Another situation occurs when multiple manufacturers share a common MASA.
In this case, any given serial number in the IDevID certificate may not be unique across all manufacturers.</t>
        <t>It is not possible for the Pledge or the Registrar to know which situation applies.
And because one the above situations may apply, or may occur in the future, there needs to be a contingency to allow uniquely identifying a Pledge regardless of the current or future situation.
This is realized by the '<tt>idevid-issuer</tt>' Attribute.</t>
        <t>It is clarified next, whether or not to include the '<tt>idevid-issuer</tt>' in the PVR, in the RVR and in the Voucher.</t>
        <t>Analysis of the situation shows that the Pledge never needs to include '<tt>idevid-issuer</tt>' Attribute in its PVR, because the Pledge's IDevID certificate is available to the Registrar, and the Authority Key Identifier needed to fill this Attribute is contained within that IDevID certificate.
The Pledge therefore has no need to repeat this.</t>
        <t>For the RVR, <xref target="updates-idevid-issuer"/> now normatively requires that the '<tt>idevid-issuer</tt>' Attribute must be included.</t>
        <t>For the Voucher, <xref target="voucher-yang-module"/> normatively requires ("must") that the '<tt>idevid-issuer</tt>' Attribute must be included by a MASA in case the MASA issues a Voucher with a serial number that is known to be not unique within the scope of all the serial numbers represented by the MASA.
If this rule does not apply, the MASA <bcp14>SHOULD NOT</bcp14> include the '<tt>idevid-issuer</tt>' Attribute in order to achieve a smaller Voucher size.</t>
      </section>
      <section anchor="idevid-issuer-format">
        <name>Clarifications on the format of <tt>idevid-issuer</tt></name>
        <t><xref target="RFC8366"/> and <xref target="RFC8995"/> were not fully clear on the required binary format of the '<tt>idevid-issuer</tt>' Attribute.
This gave rise to incompatible implementations.</t>
        <t>This section clarifies the format of the '<tt>idevid-issuer</tt>' Attribute, which contains the full Authority Key Identifier from an IDevID certificate.
The entire Authority Key Identifier object from the certificate i.e. the '<tt>extnValue</tt>' OCTET STRING is to be included, comprising the ASN.1 DER encoding of the '<tt>AuthorityKeyIdentifier</tt>' structure as defined in <xref section="4.2.1.1" sectionFormat="of" target="RFC5280"/>.
This includes the ASN.1 DER encoding of the SEQUENCE as well as the OCTET STRING element (tagged 0) that is named '<tt>keyIdentifier</tt>' with type '<tt>KeyIdentifier</tt>'.</t>
        <t>Note that per <xref target="IDEVID"/>, only the first optional element named '<tt>keyIdentifier</tt>' is expected to be found in an IDevID certificate, not the '<tt>authorityCertIssuer</tt>' or the '<tt>authorityCertSerialNumber</tt>'.
However, because of the above requirement to include the full '<tt>extnValue</tt>' OCTET STRING, even if the non-expected elements would be present, they would be included in the '<tt>idevid-issuer</tt>' value in a Voucher Request or Voucher.</t>
      </section>
      <section anchor="errata-closed">
        <name>Errata closed</name>
        <t>The above updates to <xref target="RFC8995"/> addresses errata <xref target="eid7263"/>.</t>
      </section>
    </section>
    <section anchor="signature-mechanisms">
      <name>Signature mechanisms</name>
      <t>Three signature systems have been defined for Vouchers Artifacts.</t>
      <t><xref target="cBRSKI"/> defines a mechanism that uses COSE <xref target="COSE"/>, with the Voucher Data encoded using <xref target="RFC9254"/>.
However, as the SID <xref target="RFC9254"/> allocation process requires up-to-date YANG, the SID values for this mechanism are presented in this document.</t>
      <t><xref target="jBRSKI"/> defines a mechanism that uses JSON <xref target="RFC8259"/> and <xref target="JWS"/>.</t>
      <t>The CMS signing mechanism first defined in <xref target="RFC8366"/> continues to be defined here.</t>
      <section anchor="cms-voucher">
        <name>CMS Format Voucher Artifact</name>
        <t>An object identifier (OID) [[ITU-T.X680] for JSON-encoded Voucher Data
is allocated in <xref target="iana-contenttype"/>.
This OID is placed in the 'eContentType' field in the EncapsulatedContentInfo:</t>
        <t>```
      id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
           us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }</t>
        <artwork><![CDATA[
  id-ct OBJECT IDENTIFIER ::= { id-smime 1 }

  id-ct-animaJSONVoucher OBJECT IDENTIFIER ::= { id-ct 40 } ```
]]></artwork>
        <t>The use of PKCS#7 (cmsVersion=1) is deprecated by this document.</t>
        <t>The signing structure is a CMS SignedData structure, as specified by
Section 5.1 of <xref target="RFC5652"/>, encoded using ASN.1 Distinguished Encoding
Rules (DER), as specified in ITU-T X.690 <xref target="ITU-T.X690.2015"/>.</t>
        <t><xref target="RFC5652"/> mandates that <tt>SignedAttributes</tt> <bcp14>MUST</bcp14> be present when the content type is not '<tt>id-data</tt>'.
This mitigates attacks on CMS as described in <xref target="I-D.vangeest-lamps-cms-euf-cma-signeddata"/>.
Decoders <bcp14>MUST</bcp14> verify that <tt>SignedAttributes</tt> are present.</t>
        <t>To facilitate interoperability, <xref target="vcj"/> the media type "application/voucher-cms+json" and the filename extension ".vcj" were registered by <xref target="RFC8366"/>.</t>
        <t>The CMS structure <bcp14>MUST</bcp14> contain a '<tt>signerInfo</tt>' structure, as
described in Section 5.1 of <xref target="RFC5652"/>, containing the
signature generated over the content using a private key
trusted by the recipient.
Normally, the recipient is the Pledge and the signer is the MASA.
In the Voucher Request, the signer is the Pledge (in the PVR), or the Registrar (in the RVR).</t>
        <t>Note that Section 5.1 of <xref target="RFC5652"/> includes a
discussion about how to validate a CMS object, which is really a
PKCS7 object (cmsVersion=1).  Intermediate systems (such as the
Bootstrapping Remote Secure Key Infrastructures <xref target="RFC8995"/> Registrar)
that might need to evaluate the Voucher in flight <bcp14>MUST</bcp14> be prepared for
such an older format.
No signaling of the format version is necessary, as the manufacturer knows the capabilities of the Pledge and will use an appropriate format Voucher for each
Pledge.</t>
        <t>The CMS structure <bcp14>SHOULD</bcp14> also contain all of the certificates
leading up to and including the signer's trust anchor certificate
known to the recipient.  The inclusion of the trust anchor is
unusual in many applications, but third parties cannot accurately
audit the transaction without it.</t>
        <t>The CMS structure <bcp14>MAY</bcp14> also contain revocation objects for any
intermediate certificate authorities (CAs) between the
Voucher issuer and the trust anchor known to the recipient.
However, the use of CRLs and other validity mechanisms is
discouraged, as the Pledge is unlikely to be able to perform
online checks and is unlikely to have a trusted clock source.
As described below, the use of short-lived Vouchers and/or a
Pledge-provided nonce provides a freshness guarantee.</t>
      </section>
    </section>
    <section anchor="voucher">
      <name>Voucher Artifact</name>
      <t>The Voucher's primary purpose is to securely assign a Pledge to an
Owner.
The Voucher informs the Pledge which entity it should consider to be
its Owner.</t>
      <t>This document defines a Voucher Artifact that is a CMS-signed encoding of the
JSON-encoded Voucher Data as defined by the YANG module <xref target="voucher-yang-module"/>.
Also, this document defines Voucher Data that is CBOR-encoded based on the same YANG model.
The CBOR-encoded (signed) Voucher based on this CBOR Voucher Data is defined in <xref target="cBRSKI"/>.</t>
      <t>The Voucher Data format is described here as a practical basis for some uses (such
as in NETCONF), but more to clearly indicate what Vouchers look like
in practice.
This description also serves to validate the YANG data model.</t>
      <t><xref target="RFC8366"/> defined a media type and a filename extension for the
CMS-encoded JSON type.
The media type for JOSE format Vouchers is defined in <xref target="jBRSKI"/> and the media type for COSE format Vouchers is defined in <xref target="cBRSKI"/>.
Both include respective filename extensions.</t>
      <t>The media type is used by the Pledge (requesting to the Registrar) and by the Registrar (requesting to the MASA) to signal what Voucher format is expected.
Other aspects of the Voucher, such as it being nonceless or which kind of pinned anchor is used, are not part of the media type.</t>
      <t>Only the format of Voucher that is expected is signaled in the form of a (MIME) media
type in the HTTP "Accept" header <xref target="RFC9110"/>.</t>
      <t>For Vouchers stored/transferred via methods like a USB storage device (USB key), the Voucher format is usually signaled by a filename extension.</t>
      <t>In the constrained versions of the voucher and voucher-request (as used by <xref target="cBRSKI"/>), the attributes <tt>pinned-domain-pubk</tt> (<tt>proximity-registrar-pubk</tt> for requests) and <tt>pinned-domain-pubk-sha256</tt> (<tt>proximity-registrar-pubk-sha256</tt> for requests) are involved in the process of pinning a raw public key.
The public keys are to be encoded according to <xref section="3" sectionFormat="comma" target="RFC7250"/> for RSA and EcDSA keys, noting that <xref target="RFC8032"/> extends this to include an OID for EdDSA.
The old (1024-bit) DSA algorithm is not supported.</t>
      <t>When EcDSA is supported, curves secp256r1 and secp384r1 <bcp14>SHOULD</bcp14> be supported.
When EdDSA is supported, curves Ed25519 and Ed448 <bcp14>SHOULD</bcp14> be supported.
When RSA is supported by an implementation, it <bcp14>SHOULD</bcp14> support key lengths between 2048 and 4096 bits.</t>
      <t>Of the above, EcDSA <bcp14>SHOULD</bcp14> be supported by all implementations, until some quantum-safe variant is standardized.</t>
      <t>Should SHA256 need to be replaced, then a new YANG module will be published with a new leaf, obsoleting <tt>pinned-domain-pubk-sha256</tt> and <tt>proximity-registrar-pubk-sha256</tt>.</t>
      <section anchor="voucher-tree-diagram">
        <name>Tree Diagram</name>
        <t>The following tree diagram illustrates a high-level view of a Voucher
document.
The notation used in this diagram is described in <xref target="RFC8340"/>.
Each node in the diagram is fully described by the YANG module in
<xref target="voucher-yang-module"/>.
Please review the YANG module for a detailed description of the
Voucher format.</t>
        <artwork><![CDATA[
module: ietf-voucher

  structure voucher:
    +-- created-on?                      yang:date-and-time
    +-- extensions*                      union
    +-- manufacturer-private?            binary
    +-- assertion?                       enumeration
    +-- serial-number                    string
    +-- idevid-issuer?                   binary
    +-- pinned-domain-cert?              binary
    +-- pinned-domain-pubk?              binary
    +-- pinned-domain-pubk-sha256?       binary
    +-- domain-cert-revocation-checks?   boolean
    +-- last-renewal-date?               yang:date-and-time
    +-- expires-on?                      yang:date-and-time
    +-- nonce?                           binary
    +-- est-domain?                      ietf:uri
    +-- additional-configuration-url?    ietf:uri
]]></artwork>
      </section>
      <section anchor="voucher-examples">
        <name>Examples</name>
        <t>This section provides Voucher Data examples for illustration
purposes.  These examples conform to the JSON encoding rules
defined in <xref target="RFC8259"/>.</t>
        <t>The following example illustrates an ephemeral Voucher (uses a nonce).
The MASA generated this Voucher using the '<tt>logged</tt>' assertion type, knowing
that it would be suitable for the Pledge making the request.</t>
        <artwork><![CDATA[
{
  "ietf-voucher:voucher": {
    "created-on": "2016-10-07T19:31:42Z",
    "assertion": "logged",
    "serial-number": "JADA123456789",
    "idevid-issuer": "base64encodedvalue==",
    "pinned-domain-cert": "base64encodedvalue==",
    "nonce": "base64encodedvalue=="
  }
}
]]></artwork>
        <t>The following example illustrates a non-ephemeral Voucher (containing no nonce, or "nonceless").
While the Voucher itself expires after two weeks, it presumably can
be renewed for up to a year.   The MASA generated this Voucher
using the '<tt>verified</tt>' assertion type, which should satisfy all Pledges.</t>
        <artwork><![CDATA[
{
  "ietf-voucher:voucher": {
    "created-on": "2016-10-07T19:31:42Z",
    "expires-on": "2016-10-21T19:31:42Z",
    "assertion": "verified",
    "serial-number": "JADA123456789",
    "idevid-issuer": "base64encodedvalue==",
    "pinned-domain-cert": "base64encodedvalue==",
    "domain-cert-revocation-checks": true,
    "last-renewal-date": "2017-10-07T19:31:42Z"
  }
}
]]></artwork>
        <t>The final two examples illustrate a Voucher that includes an (example) extension per <xref target="voucher-ext"/>.
The hypothetical YANG module name of the extension is '<tt>example-my-extension</tt>'.
First, a JSON serialization is shown.</t>
        <artwork><![CDATA[
{
  "ietf-voucher:voucher": {
    "created-on": "2016-10-07T19:31:42Z",
    "assertion": "logged",
    "serial-number": "JADA123456789",
    "idevid-issuer": "base64encodedvalue==",
    "pinned-domain-cert": "base64encodedvalue==",
    "nonce": "base64encodedvalue==",
    "extensions": ["example-my-extension"],
    "extension:example-my-extension": {
      "my-ext-leaf1": "my-ext-leaf1-data"
    }
  }
}
]]></artwork>
        <t>Next, a CBOR serialization is shown in CBOR diagnostic notation.
This uses again the extension module '<tt>example-my-extension</tt>' and refers to it using its SID value 305823299950.
Note that for this example, long binary strings are abbreviated using the ellipsis (<tt>...</tt>) notation.</t>
        <artwork><![CDATA[
{
  2451: {                          / ietf-voucher:voucher  /
    2:  "2016-10-07T19:31:42Z",    / created-on            /
    1:  1,                         / assertion (logged)    /
    11: "JADA123456789",           / serial-number         /
    5:  h'04183016 ... 1736C3E0',  / idevid-issuer         /
    8:  h'30820122 ... 12328CFF',  / pinned-domain-cert    /
    7:  h'831D5198A6CA2C7F',       / nonce                 /
    17: [305823299950],            / extensions            /
    47(305823299950): {            / example-my-extension  /
      1: "my-ext-leaf1-data"       / my-ext-leaf1          /
    }
  }
}
]]></artwork>
        <t><xref section="8" sectionFormat="comma" target="jBRSKI"/> contains examples of Vouchers encoded in JSON, and signed with <xref target="JWS"/>.
<xref section="9" sectionFormat="comma" target="cBRSKI"/> contains examples of Vouchers encoded in CBOR, and signed with <xref target="COSE"/>.</t>
      </section>
      <section anchor="voucher-yang-module">
        <name>YANG Module</name>
        <t>During development of this merged YANG module, advice was given to better organize mutually exclusive Attributes such as '<tt>pinned-domain-cert</tt>' vs '<tt>pinned-domain-pubk</tt>', or '<tt>expires-on</tt>' vs '<tt>nonce</tt>'.
Unfortunately, <xref target="CORESID"/> does not explain how and why choice statements are assigned SID values,
and the tooling as of the end of 2025 is inconsistent with both the document, and the intuitive notions as to how this should work.
As the simplest way forward, the choice mechanisms that were introduced have been commented out in the YANG, allowing the SID values to be generated correctly.
As a result, the SID values presented in <xref target="voucher-sid-values"/> and <xref target="voucher-request-sid-values"/> are to be considered normative, rather than relying exclusively on the
".sid" file <xref target="CORESID"/> generated from the YANG modules.
The presented SID values are believed to be correct, but future reprocessing of the YANG module to a ".sid" file could result in changes as the tooling is fixed.
Any such changes will be recorded as errata on this document.</t>
        <sourcecode type="yang" markers="true" name="ietf-voucher@2025-12-18.yang"><![CDATA[
module ietf-voucher {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-voucher";
  prefix vch;

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 9911: Common YANG Data Types";
  }
  import ietf-inet-types {
    prefix ietf;
    reference
      "RFC 9911: Common YANG Data Types";
  }
  import ietf-yang-structure-ext {
    prefix sx;
    reference
      "RFC 8791: YANG Data Structure Extensions";
  }

  organization
    "IETF ANIMA Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/anima/>
     WG List:  <mailto:anima@ietf.org>
     Author:   Kent Watsen
               <mailto:kent+ietf@watsen.net>
     Author:   Michael Richardson
               <mailto:mcr+ietf@sandelman.ca>
     Author:   Toerless Eckert
               <mailto:tte@cs.fau.de>
     Author:   Qiufang Ma
               <mailto:maqiufang1@huawei.com>
     Author:   Esko Dijk
               <mailto:esko.dijk@iotconsultancy.nl>";
  description
    "This module defines the format for a Voucher, which is
     produced by a pledge's manufacturer or delegate (MASA)
     to securely assign a pledge to an 'owner', so that the
     pledge may establish a secure connection to the owner's
     network infrastructure.

     Copyright (c) 2023-2026 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Revised BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
     NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
     'MAY', and 'OPTIONAL' in this document are to be interpreted as
     described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
     they appear in all capitals, as shown here.";

  // RFCEDITOR: please replace XXXX in this entire code fragment
  // with the RFC number assigned and remove this notice.

  revision 2025-12-18 {
    description
      "Updates and additions described by RFC XXXX";
    reference
      "RFC XXXX: A Voucher Profile for Bootstrapping Protocols";
  }
  revision 2018-05-09 {
    description
      "Initial version";
    reference
      "RFC 8366: Voucher Profile for Bootstrapping Protocols";
  }

  grouping voucher-artifact {
    description
      "Grouping to allow reuse/extensions in future work.";
    leaf created-on {
      type yang:date-and-time;
      description
        "A value indicating the date this voucher was created.
         This node is primarily for human consumption and auditing.
         Future work MAY create verification requirements based on
         this node.";
    }
    leaf-list extensions {
      type union {
        type uint64; // when serialized to CBOR with SID
        type string; // when serialized to CBOR or JSON
      }
      description
        "A list of extension names that are used in this Voucher
         file.  Each name is registered with the IANA.  Standard
         extensions are described in an RFC, while vendor proprietary
         ones are not.";
    }
    leaf manufacturer-private {
      type binary;
      description
        "In CBOR serialization, this is a CBOR bstr containing any
         valid CBOR that the manufacturer wishes to share with its
         pledge.  In JSON serializations, this contains additional
         JSON instead, and it is base64URL encoded.";
    }
    leaf assertion {
      type enumeration {
        enum verified {
          value 0;
          description
            "Indicates that the ownership has been positively
             verified by the MASA (e.g., through sales channel
             integration).";
        }
        enum logged {
          value 1;
          description
            "Indicates that the voucher has been issued after
             minimal verification of ownership or control.  The
             issuance has been logged for detection of
             potential security issues (e.g., recipients of
             vouchers might verify for themselves that unexpected
             vouchers are not in the log).  This is similar to
             unsecured trust-on-first-use principles but with the
             logging providing a basis for detecting unexpected
             events.";
        }
        enum proximity {
          value 2;
          description
            "Indicates that the voucher has been issued after
             the MASA verified a proximity proof provided by the
             device and target domain.  The issuance has been
             logged for detection of potential security issues.";
        }
        enum agent-proximity {
          value 3;
          description
            "Mostly identical to proximity, but
             indicates that the voucher has been issued
             after the MASA has verified a statement that
             a registrar agent has made contact with the device.";
        }
      }
      description
        "The assertion is a statement from the MASA regarding how
         the owner was verified.  This statement enables pledges
         to support more detailed policy checks.  Pledges MUST
         ensure that the assertion provided is acceptable, per
         local policy, before processing the voucher.";
    }
    leaf serial-number {
      type string;
      mandatory true;
      description
        "The serial-number of the hardware.  When processing a
         voucher, a pledge MUST ensure that its serial-number
         matches this value.  If no match occurs, then the
         pledge MUST NOT process this voucher.";
    }
    leaf idevid-issuer {
      type binary;
      description
        "The Authority Key Identifier OCTET STRING (as defined in
         Section 4.2.1.1 of RFC 5280) from the pledge's IDevID
         certificate.  In the voucher, it is optional
         as some manufacturers know that all serial-numbers
         are unique within the scope of a MASA.
         In the voucher request, whether it is mandatory or optional depends
         upon which protocol is used, such as RFC8995 and variations.
         When processing a voucher, a pledge MUST ensure that its
         IDevID Authority Key Identifier matches this value.  If no
         match occurs, then the pledge MUST NOT process this
         voucher.
         When issuing a voucher, the MASA MUST ensure that this
         field is populated for serial-numbers that are not
         otherwise unique within the scope of the MASA.";
    }
    // choice pinning {
    //  description "One of these attributes is used by the
    //               MASA to pin the registrar identity";
    leaf pinned-domain-cert {
      type binary;
      description
        "An X.509 v3 certificate structure, as specified by
         RFC 5280, using Distinguished Encoding Rules (DER)
         encoding, as defined in [ITU-T.X690.2015].

         This certificate is used by a pledge to trust a Public Key
         Infrastructure in order to verify a domain certificate
         supplied to the pledge separately by the bootstrapping
         protocol.  The domain certificate MUST have this
         certificate somewhere in its chain of certificates.
         This certificate MAY be an end-entity certificate,
         including a self-signed entity.";
      reference
        "RFC 5280:
         Internet X.509 Public Key Infrastructure Certificate
         and Certificate Revocation List (CRL) Profile.
         ITU-T X.690:
         Information technology - ASN.1 encoding rules:
         Specification of Basic Encoding Rules (BER),
         Canonical Encoding Rules (CER) and Distinguished
         Encoding Rules (DER).";
    }
    leaf pinned-domain-pubk {
      type binary;
      description
        "The pinned-domain-pubk may replace the
         pinned-domain-cert in constrained uses of
         the voucher. The pinned-domain-pubk
         is the Raw Public Key of the registrar.
         This field is encoded as a Subject Public Key Info block
         as specified in RFC7250, in section 3.";
    }
    leaf pinned-domain-pubk-sha256 {
      type binary;
      description
        "The pinned-domain-pubk-sha256 is a second
         alternative to pinned-domain-cert.  In many cases the
         public key of the domain has already been transmitted
         during the key agreement process, and it is wasteful
         to transmit the public key another two times.
         The use of a hash of public key info, at 32-bytes for
         sha256 is a significant savings compared to an RSA
         public key, but is only a minor savings compared to
         a 256-bit ECDSA public-key.
         Algorithm agility is provided by extensions to this
         specification which can define a new leaf for another
         hash type.";
    }
    // }  choice pinning removed
    leaf domain-cert-revocation-checks {
      type boolean;
      description
        "A processing instruction to the pledge that it MUST (true)
         or MUST NOT (false) verify the revocation status for the
         pinned domain certificate.  If this field is not set, then
         normal PKIX behavior applies to validation of the domain
         certificate.";
    }
    leaf last-renewal-date {
      type yang:date-and-time;
      must '../expires-on';
      description
        "The date that the MASA projects to be the last date
         it will renew a voucher on. This field is merely
         informative; it is not processed by pledges.

         Circumstances may occur after a voucher is generated that
         may alter a voucher's validity period.  For instance,
         a vendor may associate validity periods with support
         contracts, which may be terminated or extended
         over time.";
    }
    //choice nonceless {
    //  description "Either a nonce must be present,
    //               or an expires-on header";
    leaf expires-on {
      type yang:date-and-time;
      description
        "A value indicating when this voucher expires.  The node is
         optional as not all pledges support expirations, such as
         pledges lacking a reliable clock.

         If this field exists, then the pledges MUST ensure that
         the expires-on time has not yet passed. A pledge without
         an accurate clock cannot meet this requirement.

         The expires-on value MUST NOT exceed the expiration date
         of any of the listed 'pinned-domain-cert' certificates.";
    }
    leaf nonce {
      type binary {
        length "8..32";
      }
      description
        "A value that can be used by a pledge in some bootstrapping
         protocols to enable anti-replay protection.  This node is
         optional because it is not used by all bootstrapping
         protocols.

         When present, the pledge MUST compare the provided nonce
         value with another value that the pledge randomly
         generated and sent to a bootstrap server in an earlier
         bootstrapping message.  If the value is present, but
         the values do not match, then the pledge MUST NOT process
         this voucher.";
    }
    // } choice nonceless
    leaf est-domain {
      type ietf:uri;
      description
        "The est-domain is a URL from which the pledge should
         continue doing enrollment rather than with the
         cloud registrar.
         The pinned-domain-cert contains a trust-anchor
         which is to be used to authenticate the server
         found at this URI.";
    }
    leaf additional-configuration-url {
      type ietf:uri;
      description
        "The additional-configuration attribute contains a
         URL to which the pledge can retrieve additional
         configuration information.
         The contents of this URL are manufacturer specific.
         This is intended to do things like configure
         a VoIP phone to point to the correct hosted
         PBX, for example.";
    }
  }

  // Top-level statement
  sx:structure voucher {
    uses voucher-artifact;
  }
}
]]></sourcecode>
      </section>
      <section anchor="voucher-sid-values">
        <name>ietf-voucher SID values</name>
        <t><xref target="RFC9254"/> explains how to serialize YANG into CBOR, and for this a series of SID values are required.
The below SID values are assigned to the '<tt>ietf-voucher</tt>' YANG module elements and are considered normative.</t>
        <t>The right column shows the schema-node path expression for the YANG data node to which the SID value is assigned.</t>
        <artwork><![CDATA[
SID  Assigned to
---- --------------------------------------------------
2450 module ietf-voucher
2451 data   /ietf-voucher:voucher
2452 data   /ietf-voucher:voucher/assertion
2453 data   /ietf-voucher:voucher/created-on
2454 data   /ietf-voucher:voucher/domain-cert-revocation-checks
2455 data   /ietf-voucher:voucher/expires-on
2456 data   /ietf-voucher:voucher/idevid-issuer
2457 data   /ietf-voucher:voucher/last-renewal-date
2458 data   /ietf-voucher:voucher/nonce
2459 data   /ietf-voucher:voucher/pinned-domain-cert
2460 data   /ietf-voucher:voucher/pinned-domain-pubk
2461 data   /ietf-voucher:voucher/pinned-domain-pubk-sha256
2462 data   /ietf-voucher:voucher/serial-number
2463 data   /ietf-voucher:voucher/additional-configuration-url
2464 data   /ietf-voucher:voucher/est-domain
2465 data   /ietf-voucher:voucher/manufacturer-private
2466 data   /ietf-voucher:voucher/extensions
]]></artwork>
        <t>The '<tt>assertion</tt>' Attribute is an enumerated type in <xref target="RFC8366"/>, but no values were provided as part of the enumeration.
This document provides enumerated values as part of the YANG module.</t>
        <t>In the JSON serialization, the literal strings from the enumerated types are used so there is no ambiguity.</t>
        <t>In the CBOR serialization, a small integer is used, and the enumeration values are repeated here for convenience.
However, the YANG module should be considered authoritative.
No IANA registry is provided or necessary because the YANG module (and this document) would be extended when there are new entries required.</t>
        <table anchor="assertion-enums">
          <name>CBOR integers for the 'assertion' Attribute enum value</name>
          <thead>
            <tr>
              <th align="left">CBOR Integer</th>
              <th align="left">Assertion Type</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">verified</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">logged</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">proximity</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">agent-proximity</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="voucher-ext">
        <name>Voucher Extensions</name>
        <t>An unstated assumption in <xref target="RFC8366"/> was that Vouchers could be extended in proprietary ways by manufacturers.
This allows for manufacturers to communicate new things from the MASA to the Pledge, and since both are under control of the same entity, it seemed perfectly fine, even though it would violate the strict definition of the YANG model.</t>
        <t>The JSON serialization of Vouchers implicitly accommodates the above, since the Voucher is just a map (or dictionary).
Map keys are just strings, and creating unique strings is easy to do by including the manufacturer's DNS domain name.</t>
        <t>In CBOR serialization <xref target="RFC9254"/>, the situation is not so easy when SID keys are used.
An extension might need to use "Private range" <xref target="CORESID"/> SID values, or acquire SID values for their own use.</t>
        <t>Where the process has become complex is when making standard extensions, as has happened recently, resulting in this document.
The processes which were anticipated to be useful (the YANG "augment" mechanism), turned out not to be, see <xref target="extendfail"/>.</t>
        <t>Instead, a process similar to what was done by <xref target="RFC8520"/> has been adopted.
In the Voucher Data, any extensions are listed in a list Attribute named '<tt>extensions</tt>'.
In JSON serialization, these extensions each require a unique name, and therefore this name <bcp14>MUST</bcp14> be allocated by IANA.
The name <bcp14>MUST</bcp14> be the same as the YANG extension module name.
The '<tt>extensions</tt>' list Attribute allows for new standard extensions to be defined without changes to the '<tt>ietf-voucher</tt>' YANG module.
Items within that list are either strings (in JSON serialization), or integers (in CBOR serialization using SIDs);
both are always defined in the entries of the Voucher Extensions Registry (see <xref target="voucher-ext-reg"/>).</t>
        <t>Extensions are full YANG modules, which are subject to the SID allocation process described in <xref target="RFC9254"/>.
When an extension is serialized, the extension is placed in a sub-map in the value of a new key/value pair in the '<tt>voucher</tt>' container element.
In JSON serialization, the corresponding key is the name of the extension, prefixed by the string "extension:".
In CBOR serialization, the corresponding key is the SID which is allocated as the YANG extension module SID.
This will typically require the absolute SID value Tag(47) to be applied to this key (see <xref section="4.2.1" sectionFormat="of" target="RFC9254"/>
or the final example in <xref target="voucher-examples"/>).</t>
        <t>Note that this differs from the mechanism described in <xref target="RFC8520"/>: there, a sub-map is not used.
Instead, keys are created by combining the module name and the Attribute as a string, as a result of using the YANG
"augment" mechanism.
The <xref target="RFC8520"/> mechanism uses more bytes, but is also not easily translatable to CBOR.</t>
        <t>As the Voucher Request YANG module is created by YANG augment of the Voucher YANG module, any extension defined for the Voucher is also valid for a Voucher Request.</t>
      </section>
      <section anchor="manufacturer-private-extensions">
        <name>Manufacturer Private Extensions</name>
        <t>A manufacturer might need to communicate content in the Voucher (or in the Voucher Request), which are never subject to standardization.
While they can use the Voucher extensions mechanism defined in <xref target="voucher-ext"/>, it does require allocation of a SID value in order to do minimal-sized encoding in case of CBOR Voucher Data.
Note that <xref target="RFC9254"/> does not strictly require use of SIDs: instead of a SID value, the full string name can always
be used. But this would significantly increase the size of the Voucher Data.</t>
        <t>Instead, a manufacturer <bcp14>MAY</bcp14> use the '<tt>manufacturer-private</tt>' Attribute to put any content they wish.
In CBOR serialization, if a plain CBOR map would be used, it would be subject to delta encoding: so use of this Attribute requires that the contents are bstr-encoded
Section <xref target="RFC8949" section="3.1" sectionFormat="bare"/> of RFC 8949 <xref target="CBOR"/> (Major type 2).
In JSON serialization, delta encoding does not get in the way, and the manufacturer <bcp14>MAY</bcp14> use any encoding that is convenient for them, but base64URL encoding <xref section="5" sectionFormat="comma" target="RFC4648"/> is <bcp14>RECOMMENDED</bcp14>.</t>
      </section>
    </section>
    <section anchor="voucher-request">
      <name>Voucher Request Artifact</name>
      <t><xref section="3" sectionFormat="comma" target="RFC8995"/> defined a "voucher-request" Artifact as an augmented Artifact from the "voucher" Artifact originally defined in <xref target="RFC8366"/>.
That definition has been moved to this document, and translated from the "yang-data" extension <xref target="RFC8040"/> to the "sx:structure" extension <xref target="RFC8791"/>.</t>
      <section anchor="voucher-request-tree-diagram">
        <name>Tree Diagram</name>
        <t>The following tree diagram illustrates a high-level view of a Voucher Request document.
The notation used in this diagram is described in <xref target="RFC8340"/>.
Each node in the diagram is fully described by the YANG module in
<xref target="voucher-request-yang-module"/>.</t>
        <artwork><![CDATA[
module: ietf-voucher-request

  structure voucher:
    +-- created-on?                                yang:date-and-time
    +-- extensions*                                union
    +-- manufacturer-private?                      binary
    +-- assertion?                                 enumeration
    +-- serial-number                              string
    +-- idevid-issuer?                             binary
    +-- pinned-domain-cert?                        binary
    +-- pinned-domain-pubk?                        binary
    +-- pinned-domain-pubk-sha256?                 binary
    +-- domain-cert-revocation-checks?             boolean
    +-- last-renewal-date?                         yang:date-and-time
    +-- expires-on?                                yang:date-and-time
    +-- nonce?                                     binary
    +-- est-domain?                                ietf:uri
    +-- additional-configuration-url?              ietf:uri
    +-- prior-signed-voucher-request?              binary
    +-- proximity-registrar-cert?                  binary
    +-- proximity-registrar-pubk?                  binary
    +-- proximity-registrar-pubk-sha256?           binary
    +-- agent-signed-data?                         binary
    +-- agent-provided-proximity-registrar-cert?   binary
    +-- agent-sign-cert?                           binary
]]></artwork>
      </section>
      <section anchor="voucher-request-yang-module">
        <name>"ietf-voucher-request" Module</name>
        <t>The '<tt>ietf-voucher-request</tt>' YANG module is derived from the '<tt>ietf-voucher</tt>' module.</t>
        <sourcecode type="yang" markers="true" name="ietf-voucher-request@2025-12-18.yang"><![CDATA[
module ietf-voucher-request {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-voucher-request";
  prefix vcr;

  import ietf-yang-structure-ext {
    prefix sx;
    reference
      "RFC 8791: YANG Data Structure Extensions";
  }
  import ietf-voucher {
    prefix vch;
    description
      "This module defines the format for a Voucher,
       which is produced by a Pledge's manufacturer or
       delegate (MASA) to securely assign a Pledge to
       an 'Owner', so that the Pledge may establish a secure
       connection to the Owner's network infrastructure";
    reference
      "RFC XXXX: A Voucher Artifact for
       Bootstrapping Protocols";
  }

  organization
    "IETF ANIMA Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/anima/>
     WG List:  <mailto:anima@ietf.org>
     Author:   Kent Watsen
               <mailto:kent+ietf@watsen.net>
     Author:   Michael Richardson
               <mailto:mcr+ietf@sandelman.ca>
     Author:   Toerless Eckert
               <mailto:tte@cs.fau.de>
     Author:   Qiufang Ma
               <mailto:maqiufang1@huawei.com>
     Author:   Esko Dijk
               <mailto:esko.dijk@iotconsultancy.nl>";
  description
    "This module defines the format for a Voucher Request.
     It is a superset of the Voucher itself.
     It provides content to the MASA for consideration
     during a voucher request procedure and subsequent
     Voucher creation.

     Copyright (c) 2023-2026 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Revised BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
     NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
     'MAY', and 'OPTIONAL' in this document are to be interpreted as
     described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
     they appear in all capitals, as shown here.";

  // RFCEDITOR: please replace XXXX in this entire code fragment
  // with the RFC number assigned and remove this notice.

  revision 2025-12-18 {
    description
      "Updates and additions described by RFC XXXX";
    reference
      "RFC XXXX: A Voucher Artifact for Bootstrapping Protocols";
  }
  revision 2021-05-20 {
    description
      "Initial version";
    reference
      "RFC 8995: Bootstrapping Remote Secure Key Infrastructure
       (BRSKI)";
  }

  grouping voucher-request {
    description
      "Grouping to allow reuse/extensions in future work.";
    uses vch:voucher-artifact {
      refine "last-renewal-date" {
        description
          "A last-renewal-date field
           is not valid in a voucher request, and
           any occurrence MUST be ignored";
      }
      refine "domain-cert-revocation-checks" {
        description
          "The domain-cert-revocation-checks field
           is not valid in a voucher request, and
           any occurrence MUST be ignored";
      }
      refine "assertion" {
        description
          "Any assertion included in registrar voucher
           requests SHOULD be ignored by the MASA.";
      }
      refine "idevid-issuer" {
        description
          "The idevid-issuer field MUST be included in
           a Registrar Voucher Request (RVR) (unless
           specified otherwise) per Section 6.1 of
           RFC XXXX.";
      }
    }
    leaf prior-signed-voucher-request {
      type binary;
      description
        "If it is necessary to change a voucher, or re-sign and
         forward a voucher request that was previously provided
         along a protocol path, then the previously signed
         voucher SHOULD be included in this field.

         For example, a pledge might sign a voucher request
         with a proximity-registrar-cert, and the registrar
         then includes it as the prior-signed-voucher-request
         field.  This is a simple mechanism for a chain of
         trusted parties to change a voucher request, while
         maintaining the prior signature information.

         The Registrar and MASA MAY examine the prior signed
         voucher information for the
         purposes of policy decisions. The MASA SHOULD remove
         all prior-signed-voucher-request information when
         signing a voucher for imprinting so as to minimize
         the final voucher size.";
    }
    leaf proximity-registrar-cert {
      type binary;
      description
        "An X.509 v3 certificate structure as specified by
         RFC 5280, Section 4 encoded using the ASN.1
         distinguished encoding rules (DER), as specified
         in [ITU.X690.2015].

         The first certificate in the Registrar TLS server
         certificate_list sequence  (the end-entity TLS
         certificate, see [RFC8446]) presented by the Registrar
         to the Pledge.
         This MUST be populated in a Pledge's voucher request
         when a proximity assertion is requested.";
    }
    leaf proximity-registrar-pubk {
      type binary;
      description
        "The proximity-registrar-pubk replaces
         the proximity-registrar-cert in constrained uses of
         the voucher-request.
         The proximity-registrar-pubk is the
         Raw Public Key of the Registrar. This field is encoded
         as specified in RFC7250, section 3.";
    }
    leaf proximity-registrar-pubk-sha256 {
      type binary;
      description
        "The proximity-registrar-pubk-sha256
         is an alternative to both
         proximity-registrar-pubk and pinned-domain-cert.
         In many cases the public key of the domain has already
         been transmitted during the key agreement protocol,
         and it is wasteful to transmit the public key another
         two times.
         The use of a hash of public key info, at 32-bytes for
         sha256 is a significant savings compared to an RSA
         public key, but is only a minor savings compared to
         a 256-bit ECDSA public-key.
         Algorithm agility is provided by extensions to this
         specification which may define a new leaf for another
         hash type.";
    }
    leaf agent-signed-data {
      type binary;
      description
        "The agent-signed-data field contains a data artifact
         provided by the Registrar-Agent to the Pledge for
         inclusion into the voucher request.

         This artifact is signed by the Registrar-Agent and contains
         data, which can be verified by the pledge and the registrar.
         This data contains the pledge's serial-number and a
         created-on information of the agent-signed-data.

         The format is intentionally defined as binary to allow
         the document using this leaf to determine the encoding.";
    }
    leaf agent-provided-proximity-registrar-cert {
      type binary;
      description
        "An X.509 v3 certificate structure, as specified by
         RFC 5280, Section 4, encoded using the ASN.1
         distinguished encoding rules (DER), as specified
         in ITU X.690.
         The first certificate in the registrar TLS server
         certificate_list sequence (the end-entity TLS
         certificate; see RFC 8446) presented by the
         registrar to the registrar-agent and provided to
         the pledge.
         This MUST be populated in a pledge's voucher-request
         when an agent-proximity assertion is requested.";
      reference
        "ITU X.690: Information Technology - ASN.1 encoding
         rules: Specification of Basic Encoding Rules (BER),
         Canonical Encoding Rules (CER) and Distinguished
         Encoding Rules (DER)
         RFC 5280: Internet X.509 Public Key Infrastructure
         Certificate and Certificate Revocation List (CRL)
         Profile
         RFC 8446: The Transport Layer Security (TLS)
         Protocol Version 1.3";
    }
    leaf agent-sign-cert {
      type binary;
      description
        "An X.509 v3 certificate structure, as specified by
         RFC 5280, Section 4, encoded using the ASN.1
         distinguished encoding rules (DER), as specified
         in ITU X.690.
         This certificate can be used by the pledge,
         the registrar, and the MASA to verify the signature
         of agent-signed-data. It is an optional component
         for the pledge-voucher request.
         This MUST be populated in a registrar's
         voucher-request when an agent-proximity assertion
         is requested.";
      reference
        "ITU X.690: Information Technology - ASN.1 encoding
         rules: Specification of Basic Encoding Rules (BER),
         Canonical Encoding Rules (CER) and Distinguished
         Encoding Rules (DER)
         RFC 5280: Internet X.509 Public Key Infrastructure
         Certificate and Certificate Revocation List (CRL)
         Profile";
    }
  }

  // Top-level statement: called "voucher" to match RFC8995
  sx:structure voucher {
    uses voucher-request;
  }
}
]]></sourcecode>
      </section>
      <section anchor="voucher-request-sid-values">
        <name>ietf-voucher-request SID values</name>
        <t><xref target="RFC9254"/> explains how to serialize YANG into CBOR, and for this a series of SID values are required.
The below SID values are assigned to the '<tt>ietf-voucher-request</tt>' YANG module elements and are considered normative.</t>
        <t>The right column shows the schema-node path expression for the YANG data node to which the SID value is assigned.</t>
        <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

SID  Assigned to
---- --------------------------------------------------
2500 module ietf-voucher-request
2501 data   /ietf-voucher-request:voucher
2502 data   /ietf-voucher-request:voucher/assertion
2503 data   /ietf-voucher-request:voucher/created-on
2504 data   /ietf-voucher-request:voucher/domain-cert-revocation-\
                                                               checks
2505 data   /ietf-voucher-request:voucher/expires-on
2506 data   /ietf-voucher-request:voucher/idevid-issuer
2507 data   /ietf-voucher-request:voucher/last-renewal-date
2508 data   /ietf-voucher-request:voucher/nonce
2509 data   /ietf-voucher-request:voucher/pinned-domain-cert
2510 data   /ietf-voucher-request:voucher/prior-signed-voucher-\
                                                              request
2511 data   /ietf-voucher-request:voucher/proximity-registrar-cert
2512 data   /ietf-voucher-request:voucher/proximity-registrar-pubk-\
                                                               sha256
2513 data   /ietf-voucher-request:voucher/proximity-registrar-pubk
2514 data   /ietf-voucher-request:voucher/serial-number
2515 data   /ietf-voucher-request:voucher/agent-provided-proximity-\
                                                       registrar-cert
2516 data   /ietf-voucher-request:voucher/agent-sign-cert
2517 data   /ietf-voucher-request:voucher/agent-signed-data
2518 data   /ietf-voucher-request:voucher/pinned-domain-pubk
2519 data   /ietf-voucher-request:voucher/pinned-domain-pubk-sha256
2520 data   /ietf-voucher-request:voucher/additional-configuration-\
                                                                  url
2521 data   /ietf-voucher-request:voucher/est-domain
2522 data   /ietf-voucher-request:voucher/extensions
2523 data   /ietf-voucher-request:voucher/manufacturer-private
]]></artwork>
        <t>The '<tt>assertion</tt>' Attribute is an enumerated type, and has values as defined in <xref target="assertion-enums"/>.</t>
      </section>
    </section>
    <section anchor="design-con">
      <name>Design Considerations</name>
      <section anchor="renewal-over-revocation">
        <name>Renewals Instead of Revocations</name>
        <t>The lifetimes of Vouchers may vary.  In some Onboarding protocols,
the Vouchers may be created and consumed immediately, whereas in other
Onboarding solutions, there may be a significant time delay between
when a Voucher is created and when it is consumed.
In cases when there is a time delay, there is a need for the Pledge
to ensure that the assertions made when the Voucher was created are
still valid.</t>
        <t>A revocation artifact is generally used to verify the continued validity
of an assertion such as a PKIX certificate <xref target="RFC5280"/>, web token, or Voucher.  With
this approach, a potentially long-lived assertion is paired with a reasonably
fresh revocation status check to ensure that the assertion is still valid.
However, this approach increases solution complexity, as it introduces the
need for additional protocols and code paths to distribute and process the
revocations.</t>
        <t>Addressing the shortcomings of revocations, this document recommends
instead the use of lightweight renewals of short-lived non-revocable
Vouchers.  That is, rather than issue a long-lived Voucher, where the
'<tt>expires-on</tt>' Attribute is set to some distant date, the expectation
is for the MASA to instead issue a short-lived Voucher, where the
'<tt>expires-on</tt>' Attribute is set to a relatively near date, along with a promise
(reflected in the '<tt>last-renewal-date</tt>' Attribute) to reissue the Voucher again
when needed.  Importantly, while issuing the initial Voucher may incur
heavyweight verification checks ("Are you who you say you are?" "Does the
Pledge actually belong to you?"), reissuing the Voucher should be a
lightweight process, as it ostensibly only updates the Voucher's
validity period.
With this approach, there is
only the one Artifact, and only one code path is needed to process
it; there is no possibility of a Pledge choosing to skip the
revocation status check because, for instance, the OCSP Responder (<xref target="RFC5280"/>) is
not reachable.</t>
        <t>While this document recommends issuing short-lived Vouchers, the
Voucher Artifact does not restrict the ability to create long-lived
Vouchers, if required; however, no revocation method is described.</t>
        <t>Note that a Voucher may be signed by a chain of intermediate CAs
leading up to the trust anchor CA known by the Pledge.  Even
though the Voucher itself is not revocable, it is still revoked,
per se, if one of the intermediate CA certificates is revoked.</t>
      </section>
      <section anchor="voucher-per-pledge">
        <name>Voucher Per Pledge</name>
        <t>The solution described herein originally enabled a single Voucher to
apply to many Pledges, using lists of regular expressions to represent
ranges of serial numbers.  However, it was determined that blocking the
renewal of a Voucher that applied to many devices would be excessive
when only the ownership for a single Pledge needed to be blocked.
Thus, the Voucher format now only supports a single serial number
to be listed.</t>
      </section>
    </section>
    <section anchor="sec-con">
      <name>Security Considerations</name>
      <section anchor="clock-sensitivity">
        <name>Clock Sensitivity</name>
        <t>An attacker could use an expired Voucher to gain control over
a device that has no understanding of time.  The device cannot
trust NTP as a time reference, as an attacker could control
the NTP stream.</t>
        <t>There are three things to defend against this: 1) devices are
required to verify that the '<tt>expires-on</tt>' Attribute has not yet passed,
2) devices without access to time can use nonces to
get ephemeral Vouchers, and 3) Vouchers without expiration times
may be used, which will appear in the audit log, informing the
security decision.</t>
        <t>This document defines a Voucher format that contains time values
for expirations, which require an accurate clock
in order to be processed correctly.  Vendors planning on
issuing Vouchers with expiration values must ensure that devices
have an accurate clock when shipped from manufacturing
facilities and take steps to prevent clock tampering.
If it is not possible to ensure clock accuracy, then
Vouchers with time values for expirations should not be issued.</t>
      </section>
      <section anchor="protect-masa-signing-key-in-hsm">
        <name>Protect MASA Signing Key in HSM</name>
        <t>Pursuant to the recommendation made in Section 6.1 for the MASA to be
deployed as an online Voucher signing service, it is <bcp14>RECOMMENDED</bcp14> that
the MASA's private key used for signing Vouchers is protected by
a hardware security module (HSM).</t>
      </section>
      <section anchor="test-domain-certificate-validity-when-signing">
        <name>Test Domain Certificate Validity When Signing</name>
        <t>If a Domain certificate is compromised, then any outstanding
Vouchers for that Domain could be used by the attacker.  In this case, the Domain
administrator is clearly expected to initiate revocation of any
Domain identity certificates (as is normal in PKIX <xref target="RFC5280"/> solutions).</t>
        <t>Similarly, they are expected to contact the MASA to indicate that
an outstanding (presumably short lifetime) Voucher should be blocked from
automated renewal.
Protocols for Voucher distribution are
<bcp14>RECOMMENDED</bcp14> to check for revocation of Domain identity certificates
before the signing of Vouchers.</t>
      </section>
      <section anchor="yang-module-security-considerations">
        <name>YANG Module Security Considerations</name>
        <t>The YANG modules specified in this document define the schema
for data that is subsequently encapsulated by secure signed-data structures,
such as the CMS signed-data described in <xref target="cms-voucher"/>.  As such,
all of the YANG-modeled data is protected from modification.</t>
        <t>Implementations should be aware that the signed data is only
protected from external modification; the data is still visible.
This potential disclosure of information doesn't affect security
so much as privacy.  In particular, adversaries can glean
information such as which devices belong to which organizations
and which CRL Distribution Point and/or OCSP Responder URLs are
accessed to validate the Vouchers.  When privacy is important,
the CMS signed-data content type <bcp14>SHOULD</bcp14> be encrypted, either by
conveying it via a mutually authenticated secure transport protocol
(e.g., TLS <xref target="RFC8446"/>) or by encapsulating the signed-data
content type with an enveloped-data content type (Section 6
of <xref target="RFC5652"/>), though details for how to do this are outside
the scope of this document.</t>
        <t>The use of YANG to define data structures, via the "sx:structure"
extension <xref target="RFC8791"/>, is relatively new and distinct from the conventional
use of
YANG to define an API accessed by network management protocols such as
NETCONF <xref target="RFC6241"/> and RESTCONF <xref target="RFC8040"/>. For this reason, this
security considerations section does not follow the template described
by Section 3.7 of <xref target="YANG-GUIDE"/>.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="the-ietf-xml-registry">
        <name>The IETF XML Registry</name>
        <t>This document updates two URIs in the "IETF XML Registry" <xref target="RFC3688"/>.</t>
        <t>IANA is requested to register the following, updating the registration to point to this document:</t>
        <ul empty="true">
          <li>
            <dl spacing="compact">
              <dt>URI:</dt>
              <dd>
                <t>urn:ietf:params:xml:ns:yang:ietf-voucher</t>
              </dd>
              <dt>Registrant Contact:</dt>
              <dd>
                <t>The ANIMA WG of the IETF.</t>
              </dd>
              <dt>XML:</dt>
              <dd>
                <t>N/A, the requested URI is an XML namespace.</t>
              </dd>
            </dl>
          </li>
        </ul>
        <ul empty="true">
          <li>
            <dl spacing="compact">
              <dt>URI:</dt>
              <dd>
                <t>urn:ietf:params:xml:ns:yang:ietf-voucher-request</t>
              </dd>
              <dt>Registrant Contact:</dt>
              <dd>
                <t>The ANIMA WG of the IETF.</t>
              </dd>
              <dt>XML:</dt>
              <dd>
                <t>N/A, the requested URI is an XML namespace.</t>
              </dd>
            </dl>
          </li>
        </ul>
      </section>
      <section anchor="the-yang-module-names-registry">
        <name>The YANG Module Names Registry</name>
        <t>IANA is requested to register the following YANG module in the "YANG Module Names" registry [RFC6020] [RFC9890] within the "YANG Parameters" registry group.</t>
        <ul empty="true">
          <li>
            <dl spacing="compact">
              <dt>name:</dt>
              <dd>
                <t>ietf-voucher</t>
              </dd>
              <dt>namespace:</dt>
              <dd>
                <t>urn:ietf:params:xml:ns:yang:ietf-voucher</t>
              </dd>
              <dt>prefix:</dt>
              <dd>
                <t>vch</t>
              </dd>
              <dt>reference:</dt>
              <dd>
                <t>RFC 8366</t>
              </dd>
            </dl>
          </li>
        </ul>
        <t>This reference should be updated to point to this document and the "File" entry should be updated to point to the
new module revision in <xref target="voucher-yang-module"/>.</t>
        <ul empty="true">
          <li>
            <dl spacing="compact">
              <dt>name:</dt>
              <dd>
                <t>ietf-voucher-request</t>
              </dd>
              <dt>namespace:</dt>
              <dd>
                <t>urn:ietf:params:xml:ns:yang:ietf-voucher-request</t>
              </dd>
              <dt>prefix:</dt>
              <dd>
                <t>vcr</t>
              </dd>
              <dt>reference:</dt>
              <dd>
                <t>RFC 8995</t>
              </dd>
            </dl>
          </li>
        </ul>
        <t>This reference should be updated to point to this document and the "File" entry should be updated to point to the new module revision in <xref target="voucher-request-yang-module"/>.
Please note the change to the "prefix" field.</t>
      </section>
      <section anchor="vcj">
        <name>The Media Types Registry</name>
        <t>IANA is requested to register the media type: <tt>application/voucher-cms+json</tt>, and this registration should be updated to point to this document.</t>
        <ul empty="true">
          <li>
            <dl spacing="compact">
              <dt>Type name:</dt>
              <dd>
                <t>application</t>
              </dd>
              <dt>Subtype name:</dt>
              <dd>
                <t>voucher-cms+json</t>
              </dd>
              <dt>Required parameters:</dt>
              <dd>
                <t>none</t>
              </dd>
              <dt>Optional parameters:</dt>
              <dd>
                <t>none</t>
              </dd>
              <dt>Encoding considerations:</dt>
              <dd>
                <t>CMS-signed JSON vouchers are ASN.1/DER  encoded.</t>
              </dd>
              <dt>Security considerations:</dt>
              <dd>
                <t>See <xref target="sec-con"/></t>
              </dd>
            </dl>
            <t>Interoperability considerations:  The format is designed to be
     broadly interoperable.</t>
            <dl>
              <dt>Published specification:</dt>
              <dd>
                <t>THISDOCUMENT</t>
              </dd>
              <dt>Applications that use this media type:</dt>
              <dd>
                <t>ANIMA, 6tisch, and NETCONF zero-touch imprinting systems.</t>
              </dd>
              <dt>Fragment identifier considerations:</dt>
              <dd>
                <t>none</t>
              </dd>
              <dt>Additional information:</dt>
              <dd>
                <t>Deprecated alias names for this type:  none</t>
              </dd>
              <dt/>
              <dd>
                <t>Magic number(s):  None</t>
              </dd>
              <dt/>
              <dd>
                <t>File extension(s):  .vcj</t>
              </dd>
              <dt/>
              <dd>
                <t>Macintosh file type code(s):  none</t>
              </dd>
              <dt>Person and email address to contact for further information:</dt>
              <dd>
                <t>IETF ANIMA WG</t>
              </dd>
              <dt>Intended usage:</dt>
              <dd>
                <t>LIMITED</t>
              </dd>
              <dt>Restrictions on usage:</dt>
              <dd>
                <t>NONE</t>
              </dd>
              <dt>Author:</dt>
              <dd>
                <t>ANIMA WG</t>
              </dd>
              <dt>Change controller:</dt>
              <dd>
                <t>IETF</t>
              </dd>
              <dt>Provisional registration? (standards tree only):</dt>
              <dd>
                <t>NO</t>
              </dd>
            </dl>
          </li>
        </ul>
      </section>
      <section anchor="iana-contenttype">
        <name>The SMI Security for S/MIME CMS Content Type Registry</name>
        <t>IANA is requested to register the OID 1.2.840.113549.1.9.16.1.40, '<tt>id-ct-animaJSONVoucher</tt>'.
This registration should be updated to point to this document.</t>
      </section>
      <section anchor="voucher-ext-reg">
        <name>The Voucher Extensions Registry</name>
        <t>IANA is asked to create a registry of Voucher extensions as follows:</t>
        <ul empty="true">
          <li>
            <dl spacing="compact">
              <dt>Registry name:</dt>
              <dd>
                <t>Voucher Extensions Registry</t>
              </dd>
              <dt>Registry policy:</dt>
              <dd>
                <t>Expert Review</t>
              </dd>
              <dt>Reference:</dt>
              <dd>
                <t>an optional document</t>
              </dd>
              <dt>Extension name:</dt>
              <dd>
                <t>UTF-8-encoded string, not to exceed 40 characters.</t>
              </dd>
              <dt>Extension SID:</dt>
              <dd>
                <t>the YANG module SID value that defines the extension per <xref target="voucher-ext"/>.</t>
              </dd>
            </dl>
          </li>
        </ul>
        <t>Each extension <bcp14>MUST</bcp14> follow the rules specified in this specification.
As is usual, the IANA issues early allocations in accordance with <xref target="RFC7120"/>.</t>
        <t>Note that the SID module value is allocated as part of a <xref target="CORESID"/> process.
This may be from a SID range managed by IANA, or from any other MegaRange.
Future work may allow for PEN based allocations.
IANA does not need to separately allocate a SID value for this column.</t>
        <t>Extension name strings for standards track documents are single words, given by the YANG Module Name.
They do not contain dots.
For vendor proprietary extensions, the string <bcp14>SHOULD</bcp14> be made unique by putting the extension name in the form a fully-qualified domain name (FQDN) <xref target="RFC3696"/>, such as "fuubar.example.com"</t>
        <t>Vendor proprietary extensions do not need to be registered with IANA, but vendors <bcp14>MAY</bcp14> do so.</t>
        <t>Designated Experts should review for standards track documents for clarity, but the choices are tied to WG and IESG processes:</t>
        <ul spacing="normal">
          <li>
            <t>There are no choices in the extension names (which is always the YANG module name), or SID value (which is from another IANA process).</t>
          </li>
          <li>
            <t>For non-standards track extensions, the Designated Expert should review whatever document is provided, if any.
The stability of the reference may be of concern.  The Designated Expert should determine if the work overlaps with existing efforts; and if so suggest merging/coordinating.
However, as registration is optional, the Designated Expert should not block any vendor registrations.</t>
          </li>
        </ul>
      </section>
      <section anchor="the-ietf-yang-sid-ranges-registry">
        <name>The IETF YANG-SID Ranges Registry</name>
        <t>IANA is requested to register the following entries in the IETF YANG-SID Ranges registry:</t>
        <table anchor="ietf-yang-sid-ranges-table">
          <name>Registered SID ranges</name>
          <thead>
            <tr>
              <th align="center">Entry Point</th>
              <th align="center">Size</th>
              <th align="left">Module Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">2450</td>
              <td align="center">50</td>
              <td align="left">ietf-voucher</td>
              <td align="left">[This RFC]</td>
            </tr>
            <tr>
              <td align="center">2500</td>
              <td align="center">50</td>
              <td align="left">ietf-voucher-request</td>
              <td align="left">[This RFC]</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="the-ietf-yang-sid-modules-registry">
        <name>The IETF YANG-SID Modules Registry</name>
        <t>IANA is requested to register the following YANG module in the IETF YANG-SID Modules registry, per
<xref section="6.5.1" sectionFormat="of" target="CORESID"/>:</t>
        <ul spacing="normal">
          <li>
            <t>YANG module name: <tt>ietf-voucher</tt></t>
          </li>
          <li>
            <t>URI for the ".yang" file: a pointer to the file defined in <xref target="voucher-yang-module"/></t>
          </li>
          <li>
            <t>URI for the ".sid" file: a pointer to the file defined in <xref target="voucher-sid-allocations"/></t>
          </li>
          <li>
            <t>Number of SIDs: 17</t>
          </li>
        </ul>
        <t>and also the following YANG module:</t>
        <ul spacing="normal">
          <li>
            <t>YANG module name: <tt>ietf-voucher-request</tt></t>
          </li>
          <li>
            <t>URI for the ".yang" file: a pointer to the file defined in <xref target="voucher-request-yang-module"/></t>
          </li>
          <li>
            <t>URI for the ".sid" file: a pointer to the file defined in <xref target="voucher-request-sid-allocations"/></t>
          </li>
          <li>
            <t>Number of SIDs: 24</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="yang-references">
      <name>YANG references</name>
      <t>RFC-editor, please remove.
This section just lists references present in YANG modules which otherwise do not get included in the references, like <xref target="RFC7250"/>.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC5652">
          <front>
            <title>Cryptographic Message Syntax (CMS)</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="70"/>
          <seriesInfo name="RFC" value="5652"/>
          <seriesInfo name="DOI" value="10.17487/RFC5652"/>
        </reference>
        <reference anchor="RFC6020">
          <front>
            <title>YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)</title>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6020"/>
          <seriesInfo name="DOI" value="10.17487/RFC6020"/>
        </reference>
        <reference anchor="RFC7950">
          <front>
            <title>The YANG 1.1 Data Modeling Language</title>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7950"/>
          <seriesInfo name="DOI" value="10.17487/RFC7950"/>
        </reference>
        <reference anchor="RFC8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="RFC9254">
          <front>
            <title>Encoding of Data Modeled with YANG in the Concise Binary Object Representation (CBOR)</title>
            <author fullname="M. Veillette" initials="M." role="editor" surname="Veillette"/>
            <author fullname="I. Petrov" initials="I." role="editor" surname="Petrov"/>
            <author fullname="A. Pelov" initials="A." surname="Pelov"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>YANG (RFC 7950) is a data modeling language used to model configuration data, state data, parameters and results of Remote Procedure Call (RPC) operations or actions, and notifications.</t>
              <t>This document defines encoding rules for YANG in the Concise Binary Object Representation (CBOR) (RFC 8949).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9254"/>
          <seriesInfo name="DOI" value="10.17487/RFC9254"/>
        </reference>
        <referencegroup anchor="CBOR" target="https://www.rfc-editor.org/info/std94">
          <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949">
            <front>
              <title>Concise Binary Object Representation (CBOR)</title>
              <author fullname="C. Bormann" initials="C." surname="Bormann"/>
              <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
              <date month="December" year="2020"/>
              <abstract>
                <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
                <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
              </abstract>
            </front>
            <seriesInfo name="STD" value="94"/>
            <seriesInfo name="RFC" value="8949"/>
            <seriesInfo name="DOI" value="10.17487/RFC8949"/>
          </reference>
        </referencegroup>
        <reference anchor="CORESID">
          <front>
            <title>YANG Schema Item iDentifier (YANG SID)</title>
            <author fullname="M. Veillette" initials="M." role="editor" surname="Veillette"/>
            <author fullname="A. Pelov" initials="A." role="editor" surname="Pelov"/>
            <author fullname="I. Petrov" initials="I." role="editor" surname="Petrov"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="July" year="2024"/>
            <abstract>
              <t>YANG Schema Item iDentifiers (YANG SIDs) are globally unique 63-bit unsigned integers used to identify YANG items. SIDs provide a more compact method for identifying those YANG items that can be used efficiently, notably in constrained environments (RFC 7228). This document defines the semantics, registration processes, and assignment processes for YANG SIDs for IETF-managed YANG modules. To enable the implementation of these processes, this document also defines a file format used to persist and publish assigned YANG SIDs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9595"/>
          <seriesInfo name="DOI" value="10.17487/RFC9595"/>
        </reference>
        <reference anchor="cBRSKI">
          <front>
            <title>Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI)</title>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
              <organization>vanderstok consultancy</organization>
            </author>
            <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <date day="8" month="June" year="2026"/>
            <abstract>
              <t>   This document defines the Constrained Bootstrapping Remote Secure Key
   Infrastructure (cBRSKI) protocol, which provides a solution for
   secure zero-touch onboarding of resource-constrained (IoT) devices
   into the network of a domain owner.  This protocol is designed for
   constrained networks, which may have limited data throughput or may
   experience frequent packet loss. cBRSKI is a variant of the BRSKI
   protocol, which uses an artifact signed by the device manufacturer
   called the "voucher" which enables a new device and the owner's
   network to mutually authenticate.  While the BRSKI voucher data is
   encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher.  The
   BRSKI voucher data definition is extended with new data types that
   allow for smaller voucher sizes.  The Enrollment over Secure
   Transport (EST) protocol, used in BRSKI, is replaced with EST-over-
   CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP
   (CoAPS).  This document Updates RFC 8995 and RFC 9148.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-anima-constrained-voucher-31"/>
        </reference>
        <reference anchor="jBRSKI">
          <front>
            <title>JWS signed Voucher Artifacts for Bootstrapping Protocols</title>
            <author fullname="Thomas Werner" initials="T." surname="Werner">
              <organization>Siemens AG</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="15" month="January" year="2025"/>
            <abstract>
              <t>   This document introduces a variant of the RFC8366 voucher artifact in
   which CMS is replaced by the JSON Object Signing and Encryption
   (JOSE) mechanism described in RFC7515.  This supports deployments in
   which JOSE is preferred over CMS.  In addition to specifying the
   format, the "application/voucher-jws+json" media type is registered
   and examples are provided.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-anima-jws-voucher-16"/>
        </reference>
        <reference anchor="ITU-T.X690.2015" target="https://www.itu.int/rec/T-REC-X.690/">
          <front>
            <title>Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title>
            <author>
              <organization>International Telecommunication Union</organization>
            </author>
            <date year="2015" month="August"/>
          </front>
          <seriesInfo name="ITU-T Recommendation X.690," value="ISO/IEC 8825-1"/>
        </reference>
        <reference anchor="ZERO-TOUCH">
          <front>
            <title>Secure Zero Touch Provisioning (SZTP)</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="I. Farrer" initials="I." surname="Farrer"/>
            <author fullname="M. Abrahamsson" initials="M." surname="Abrahamsson"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This document presents a technique to securely provision a networking device when it is booting in a factory-default state. Variations in the solution enable it to be used on both public and private networks. The provisioning steps are able to update the boot image, commit an initial configuration, and execute arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connections with deployment-specific network management systems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8572"/>
          <seriesInfo name="DOI" value="10.17487/RFC8572"/>
        </reference>
        <reference anchor="RFC8995">
          <front>
            <title>Bootstrapping Remote Secure Key Infrastructure (BRSKI)</title>
            <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="T. Eckert" initials="T." surname="Eckert"/>
            <author fullname="M. Behringer" initials="M." surname="Behringer"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8995"/>
          <seriesInfo name="DOI" value="10.17487/RFC8995"/>
        </reference>
        <reference anchor="PRM">
          <front>
            <title>BRSKI with Pledge in Responder Mode (BRSKI-PRM)</title>
            <author fullname="Steffen Fries" initials="S." surname="Fries">
              <organization>Siemens AG</organization>
            </author>
            <author fullname="Thomas Werner" initials="T." surname="Werner">
              <organization>Siemens AG</organization>
            </author>
            <author fullname="Eliot Lear" initials="E." surname="Lear">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="3" month="June" year="2025"/>
            <abstract>
              <t>   This document defines enhancements to Bootstrapping Remote Secure Key
   Infrastructure (BRSKI, RFC8995) as BRSKI with Pledge in Responder
   Mode (BRSKI-PRM).  BRSKI-PRM supports the secure bootstrapping of
   devices, referred to as pledges, into a domain where direct
   communication with the registrar is either limited or not possible at
   all.  To facilitate interaction between a pledge and a domain
   registrar the registrar-agent is introduced as new component.  The
   registrar-agent supports the reversal of the interaction model from a
   pledge-initiated mode, to a pledge-responding mode, where the pledge
   is in a server role.  To establish the trust relation between pledge
   and registrar, BRSKI-PRM relies on object security rather than
   transport security.  This approach is agnostic to enrollment
   protocols that connect a domain registrar to a key infrastructure
   (e.g., domain Certification Authority).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-anima-brski-prm-23"/>
        </reference>
        <reference anchor="CLOUD">
          <front>
            <title>Bootstrapping Remote Secure Key Infrastructure (BRSKI) Cloud Registrar</title>
            <author fullname="Owen Friel" initials="O." surname="Friel">
              <organization>Cisco</organization>
            </author>
            <author fullname="Rifaat Shekh-Yusef" initials="R." surname="Shekh-Yusef">
              <organization>Ciena</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="9" month="September" year="2025"/>
            <abstract>
              <t>   Bootstrapping Remote Secure Key Infrastructures (BRSKI) defines how
   to onboard a device securely into an operator-maintained
   infrastructure.  It assumes that there is local network
   infrastructure for the device to discover.  On networks without that,
   there is nothing present to help onboard the device.

   This document extends BRSKI and defines behavior for bootstrapping
   devices for deployments where no local infrastructure is available,
   such as in a home or remote office.  This document defines how the
   device can use a well-defined "call-home" mechanism to find the
   operator-maintained infrastructure.

   This document defines how to contact a well-known Cloud Registrar,
   and two ways in which the device may be redirected towards the
   operator-maintained infrastructure.  The Cloud Registrar enables
   discovery of the operator-maintained infrastructure, and may enable
   establishment of trust with operator-maintained infrastructure that
   does not support BRSKI mechanisms.

   This document updates RFC 8995 (BRSKI).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-anima-brski-cloud-19"/>
        </reference>
        <reference anchor="IDEVID" target="https://1.ieee802.org/security/802-1ar/">
          <front>
            <title>IEEE 802.1AR Secure Device Identifier</title>
            <author>
              <organization>IEEE Standard</organization>
            </author>
            <date year="2018"/>
          </front>
        </reference>
        <reference anchor="RFC8791">
          <front>
            <title>YANG Data Structure Extensions</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Björklund" initials="M." surname="Björklund"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document describes YANG mechanisms for defining abstract data structures with YANG.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8791"/>
          <seriesInfo name="DOI" value="10.17487/RFC8791"/>
        </reference>
        <reference anchor="eid7263" target="https://www.rfc-editor.org/errata/eid7263">
          <front>
            <title>Errata 7263, RFC8995</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC7951">
          <front>
            <title>JSON Encoding of Data Modeled with YANG</title>
            <author fullname="L. Lhotka" initials="L." surname="Lhotka"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>This document defines encoding rules for representing configuration data, state data, parameters of Remote Procedure Call (RPC) operations or actions, and notifications defined using YANG as JavaScript Object Notation (JSON) text.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7951"/>
          <seriesInfo name="DOI" value="10.17487/RFC7951"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC7250">
          <front>
            <title>Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="J. Gilmore" initials="J." surname="Gilmore"/>
            <author fullname="S. Weiler" initials="S." surname="Weiler"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>This document specifies a new certificate type and two TLS extensions for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The new certificate type allows raw public keys to be used for authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7250"/>
          <seriesInfo name="DOI" value="10.17487/RFC7250"/>
        </reference>
        <reference anchor="RFC8032">
          <front>
            <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8032"/>
          <seriesInfo name="DOI" value="10.17487/RFC8032"/>
        </reference>
        <reference anchor="RFC7120">
          <front>
            <title>Early IANA Allocation of Standards Track Code Points</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <date month="January" year="2014"/>
            <abstract>
              <t>This memo describes the process for early allocation of code points by IANA from registries for which "Specification Required", "RFC Required", "IETF Review", or "Standards Action" policies apply. This process can be used to alleviate the problem where code point allocation is needed to facilitate desired or required implementation and deployment experience prior to publication of an RFC, which would normally trigger code point allocation. The procedures in this document are intended to apply only to IETF Stream documents.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="100"/>
          <seriesInfo name="RFC" value="7120"/>
          <seriesInfo name="DOI" value="10.17487/RFC7120"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC3688">
          <front>
            <title>The IETF XML Registry</title>
            <author fullname="M. Mealling" initials="M." surname="Mealling"/>
            <date month="January" year="2004"/>
            <abstract>
              <t>This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="81"/>
          <seriesInfo name="RFC" value="3688"/>
          <seriesInfo name="DOI" value="10.17487/RFC3688"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC6125">
          <front>
            <title>Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="J. Hodges" initials="J." surname="Hodges"/>
            <date month="March" year="2011"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6125"/>
          <seriesInfo name="DOI" value="10.17487/RFC6125"/>
        </reference>
        <reference anchor="RFC6241">
          <front>
            <title>Network Configuration Protocol (NETCONF)</title>
            <author fullname="R. Enns" initials="R." role="editor" surname="Enns"/>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
            <author fullname="A. Bierman" initials="A." role="editor" surname="Bierman"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6241"/>
          <seriesInfo name="DOI" value="10.17487/RFC6241"/>
        </reference>
        <reference anchor="RFC7435">
          <front>
            <title>Opportunistic Security: Some Protection Most of the Time</title>
            <author fullname="V. Dukhovni" initials="V." surname="Dukhovni"/>
            <date month="December" year="2014"/>
            <abstract>
              <t>This document defines the concept "Opportunistic Security" in the context of communications protocols. Protocol designs based on Opportunistic Security use encryption even when authentication is not available, and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7435"/>
          <seriesInfo name="DOI" value="10.17487/RFC7435"/>
        </reference>
        <reference anchor="RFC8040">
          <front>
            <title>RESTCONF Protocol</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8040"/>
          <seriesInfo name="DOI" value="10.17487/RFC8040"/>
        </reference>
        <reference anchor="RFC8340">
          <front>
            <title>YANG Tree Diagrams</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="L. Berger" initials="L." role="editor" surname="Berger"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="215"/>
          <seriesInfo name="RFC" value="8340"/>
          <seriesInfo name="DOI" value="10.17487/RFC8340"/>
        </reference>
        <reference anchor="RFC8366">
          <front>
            <title>A Voucher Artifact for Bootstrapping Protocols</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
            <author fullname="T. Eckert" initials="T." surname="Eckert"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher".</t>
              <t>This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)).</t>
              <t>This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8366"/>
          <seriesInfo name="DOI" value="10.17487/RFC8366"/>
        </reference>
        <reference anchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <referencegroup anchor="COSE" target="https://www.rfc-editor.org/info/std96">
          <reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9052">
            <front>
              <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
              <author fullname="J. Schaad" initials="J." surname="Schaad"/>
              <date month="August" year="2022"/>
              <abstract>
                <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
                <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
              </abstract>
            </front>
            <seriesInfo name="STD" value="96"/>
            <seriesInfo name="RFC" value="9052"/>
            <seriesInfo name="DOI" value="10.17487/RFC9052"/>
          </reference>
          <reference anchor="RFC9338" target="https://www.rfc-editor.org/info/rfc9338">
            <front>
              <title>CBOR Object Signing and Encryption (COSE): Countersignatures</title>
              <author fullname="J. Schaad" initials="J." surname="Schaad"/>
              <date month="December" year="2022"/>
              <abstract>
                <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. CBOR Object Signing and Encryption (COSE) defines a set of security services for CBOR. This document defines a countersignature algorithm along with the needed header parameters and CBOR tags for COSE. This document updates RFC 9052.</t>
              </abstract>
            </front>
            <seriesInfo name="STD" value="96"/>
            <seriesInfo name="RFC" value="9338"/>
            <seriesInfo name="DOI" value="10.17487/RFC9338"/>
          </reference>
        </referencegroup>
        <reference anchor="JWS">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="SECUREJOIN">
          <front>
            <title>6tisch Zero-Touch Secure Join protocol</title>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="8" month="July" year="2019"/>
            <abstract>
              <t>   This document describes a Zero-touch Secure Join (ZSJ) mechanism to
   enroll a new device (the "pledge") into a IEEE802.15.4 TSCH network
   using the 6tisch signaling mechanisms.  The resulting device will
   obtain a domain specific credential that can be used with either
   802.15.9 per-host pair keying protocols, or to obtain the network-
   wide key from a coordinator.  The mechanism describe here is an
   augmentation to the one-touch mechanism described in
   [I-D.ietf-6tisch-minimal-security], and is a profile of the
   constrained voucher mechanism [I-D.ietf-anima-constrained-voucher].

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-6tisch-dtsecurity-zerotouch-join-04"/>
        </reference>
        <reference anchor="YANG-GUIDE">
          <front>
            <title>Guidelines for Authors and Reviewers of Documents Containing YANG Data Models</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This memo provides guidelines for authors and reviewers of specifications containing YANG modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules. This document obsoletes RFC 6087.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8407"/>
          <seriesInfo name="DOI" value="10.17487/RFC8407"/>
        </reference>
        <reference anchor="Stajano99theresurrecting" target="https://www.cl.cam.ac.uk/research/dtg/www/files/publications/public/files/tr.1999.2.pdf">
          <front>
            <title>The Resurrecting Duckling: Security Issues for Ad-Hoc Wireless Networks</title>
            <author initials="F." surname="Stajano" fullname="Frank Stajano">
              <organization/>
            </author>
            <author initials="R." surname="Anderson" fullname="Ross Anderson">
              <organization/>
            </author>
            <date year="1999"/>
          </front>
        </reference>
        <reference anchor="imprinting" target="https://en.wikipedia.org/w/index.php?title=Imprinting_(psychology)&amp;oldid=1337280821">
          <front>
            <title>Wikipedia article: Imprinting (psychology)</title>
            <author>
              <organization>Wikipedia</organization>
            </author>
            <date year="2026" month="March" day="12"/>
          </front>
        </reference>
        <reference anchor="fairhair" target="https://openconnectivity.org/developer/specifications/fairhair/">
          <front>
            <title>Fairhair Specification</title>
            <author>
              <organization>Open Connectivity Foundation</organization>
            </author>
            <date year="2019" month="November" day="01"/>
          </front>
        </reference>
        <reference anchor="RFC8520">
          <front>
            <title>Manufacturer Usage Description Specification</title>
            <author fullname="E. Lear" initials="E." surname="Lear"/>
            <author fullname="R. Droms" initials="R." surname="Droms"/>
            <author fullname="D. Romascanu" initials="D." surname="Romascanu"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>This memo specifies a component-based architecture for Manufacturer Usage Descriptions (MUDs). The goal of MUD is to provide a means for end devices to signal to the network what sort of access and network functionality they require to properly function. The initial focus is on access control. Later work can delve into other aspects.</t>
              <t>This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, a Link Layer Discovery Protocol (LLDP) TLV, a URL, an X.509 certificate extension, and a means to sign and verify the descriptions.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8520"/>
          <seriesInfo name="DOI" value="10.17487/RFC8520"/>
        </reference>
        <reference anchor="RFC9499">
          <front>
            <title>DNS Terminology</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
              <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="219"/>
          <seriesInfo name="RFC" value="9499"/>
          <seriesInfo name="DOI" value="10.17487/RFC9499"/>
        </reference>
        <reference anchor="I-D.ietf-lake-authz">
          <front>
            <title>Lightweight Authorization using Ephemeral Diffie-Hellman Over COSE (ELA)</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>INRIA</organization>
            </author>
            <author fullname="Geovane Fedrecheski" initials="G." surname="Fedrecheski">
              <organization>INRIA</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Ephemeral Diffie-Hellman Over COSE (EDHOC) is a lightweight
   authenticated key exchange protocol intended for use in constrained
   scenarios.  This document specifies Lightweight Authorization using
   EDHOC (ELA).  The procedure allows authorizing enrollment of new
   devices using the extension point defined in EDHOC.  ELA is
   applicable to zero-touch onboarding of new devices to a constrained
   network leveraging trust anchors installed at manufacture time.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-authz-07"/>
        </reference>
        <reference anchor="I-D.vangeest-lamps-cms-euf-cma-signeddata">
          <front>
            <title>Best Practices for CMS SignedData with Regards to Signed Attributes</title>
            <author fullname="Daniel Van Geest" initials="D." surname="Van Geest">
              <organization>CryptoNext Security</organization>
            </author>
            <author fullname="Falko Strenzke" initials="F." surname="Strenzke">
              <organization>MTG AG</organization>
            </author>
            <date day="20" month="October" year="2025"/>
            <abstract>
              <t>   The Cryptographic Message Syntax (CMS) has different signature
   verification behaviour based on whether signed attributes are present
   or not.  This results in a potential existential forgery
   vulnerability in CMS and protocols which use CMS.  This document
   describes the vulnerability and lists best practices and mitigations
   for such a vulnerability.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-vangeest-lamps-cms-euf-cma-signeddata-02"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC4648">
          <front>
            <title>The Base16, Base32, and Base64 Data Encodings</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="October" year="2006"/>
            <abstract>
              <t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4648"/>
          <seriesInfo name="DOI" value="10.17487/RFC4648"/>
        </reference>
        <reference anchor="RFC3696">
          <front>
            <title>Application Techniques for Checking and Transformation of Names</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <date month="February" year="2004"/>
            <abstract>
              <t>Many Internet applications have been designed to deduce top-level domains (or other domain name labels) from partial information. The introduction of new top-level domains, especially non-country-code ones, has exposed flaws in some of the methods used by these applications. These flaws make it more difficult, or impossible, for users of the applications to access the full Internet. This memo discusses some of the techniques that have been used and gives some guidance for minimizing their negative impact as the domain name environment evolves. This document draws summaries of the applicable rules together in one place and supplies references to the actual standards. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3696"/>
          <seriesInfo name="DOI" value="10.17487/RFC3696"/>
        </reference>
      </references>
    </references>
    <?line 1873?>

<section anchor="examples">
      <name>Examples</name>
      <section anchor="key-pairs-associated-with-examples">
        <name>Key pairs associated with examples</name>
        <t>The following Voucher Request has been produced using the IDevID <xref target="IDEVID"/> public (certificate) and private key.
They are included so that other developers can match the same output.</t>
        <t>The private RSA key:</t>
        <artwork><![CDATA[
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBHNh6r8QRevRuo+tEmBJeFjQKf6bpFA/9NGoltv+9sNoAoGCCqGSM49
AwEHoUQDQgAEA6N1Q4ezfMAKmoecrfb0OBMc1AyEH+BATkF58FsTSyBxs0SbSWLx
FjDOuwB9gLGn2TsTUJumJ6VPw5Z/TP4hJw==
-----END EC PRIVATE KEY-----
]]></artwork>
        <t>The IDevID certificate (public key):</t>
        <artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIBrzCCATWgAwIBAgIEHxj+5zAKBggqhkjOPQQDAjAmMSQwIgYDVQQDDBtoaWdo
d2F5LXRlc3QuZXhhbXBsZS5jb20gQ0EwIBcNMjEwNDI3MTgyOTMwWhgPMjk5OTEy
MzEwMDAwMDBaMBwxGjAYBgNVBAUTETAwLUQwLUU1LUYyLTAwLTAyMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEA6N1Q4ezfMAKmoecrfb0OBMc1AyEH+BATkF58FsT
SyBxs0SbSWLxFjDOuwB9gLGn2TsTUJumJ6VPw5Z/TP4hJ6NZMFcwHQYDVR0OBBYE
FEWIzJaWAGQ3sLojZWRkVAgGbFatMAkGA1UdEwQCMAAwKwYIKwYBBQUHASAEHxYd
aGlnaHdheS10ZXN0LmV4YW1wbGUuY29tOjk0NDMwCgYIKoZIzj0EAwIDaAAwZQIw
YirbvjT3G8uF3iaOQwD5DYjId6jdPAhAVLzsPbbccCvDf8oZIZqgq8VRjqrfNt6L
AjEAsl1Z+EfH7QOXqMDHqIH6qIbtZ2Q3UXpunKOCTW2tvPM1np1qom1/fyUcA+/w
uptx
-----END CERTIFICATE-----
]]></artwork>
        <t>The Certification Authority that created the IDevID:</t>
        <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1016146354 (0x3c9129b2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = highway-test.example.com CA
        Validity
            Not Before: Apr  5 19:36:57 2021 GMT
            Not After : May  6 05:36:57 2021 GMT
        Subject: CN = highway-test.example.com CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:b4:7b:27:42:49:9f:ed:85:47:74:ff:f6:50:cd:
                    5d:22:1a:64:38:22:f8:09:d2:d6:f3:60:d8:98:7f:
                    e5:84:52:1e:d9:ce:96:b4:dc:a6:43:74:67:27:d9:
                    9d:42:7d:bf:1a:43:92:9b:d1:dd:34:9b:41:d2:e3:
                    d5:59:b3:40:fc:b3:c9:e1:58:84:3f:87:f7:06:45:
                    25:26:4c:bf:a1:45:72:a0:0a:5b:86:41:d7:8e:be:
                    d3:38:b5:aa:66:69:bd:3a:fd:e9:b5:b8:a2:79:c4:
                    f0:a5:3c:9e:91:94:32:1e:9c:b0:7f:25:46:5b:76:
                    1d:86:23:85:b0:62:45:5c:a8:6f:fb:c5:26:e1:dd:
                    a8:f2:68:ab:c5:8c:b4:58:b4:2e:96:49:fa:fe:d2:
                    ea:a5:11:68:c2:8d:f4:58:ab:30:bd:dd:1b:29:97:
                    00:18:6f:59:40:9c:3a:2a:e4:96:25:bb:12:f4:1a:
                    11:72:6d:31:f6:b4:e1:cc:d8:9a:0c:aa:a8:aa:a4:
                    64:e3:f1:06:1c:c0:09:df:62:ba:04:cb:70:b0:c4:
                    f7:ca:35:22:ea:a9:c7:52:e1:ce:27:fb:6c:52:39:
                    b7:22:b3:5d:97:cb:0a:9f:75:a3:af:16:ef:e6:b2:
                    1b:6a:c3:0b:1d:15:fd:b8:d8:e7:8a:f6:f4:99:1c:
                    23:97:4b:80:e9:79:a3:85:16:f8:dd:bd:77:ef:3a:
                    3c:8e:e7:75:56:67:36:3a:dd:42:7b:84:2f:64:2f:
                    13:0e:fa:b0:3b:11:13:7e:ae:78:a6:2f:46:dd:4b:
                    11:88:e4:7b:19:ab:21:2d:1f:34:ba:61:cd:51:84:
                    a5:ec:6a:c1:90:20:70:e3:aa:f4:01:fd:0c:6e:cd:
                    04:47:99:31:70:79:6c:af:41:78:c1:04:2a:43:78:
                    84:8a:fe:c3:3d:f2:41:c8:2a:a1:10:e0:b7:b4:4f:
                    4e:e6:26:79:ac:49:64:cf:57:1e:2e:e3:2f:58:bd:
                    6f:30:00:67:d7:8b:d6:13:60:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                33:12:45:B7:1B:10:BE:F3:CB:64:E5:4C:50:80:7C:9D:88:\
                                                             65:74:40
            X509v3 Authority Key Identifier: 
                33:12:45:B7:1B:10:BE:F3:CB:64:E5:4C:50:80:7C:9D:88:\
                                                             65:74:40
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        05:37:28:85:37:39:71:87:ec:5c:f0:51:19:55:4a:b7:e0:2a:
        e6:61:30:d4:e2:2b:ad:7a:db:12:fc:8a:a6:6e:15:82:80:10:
        fa:5d:67:60:e8:54:14:e3:89:d6:4e:60:89:98:5b:ab:fe:32:
        26:aa:02:35:68:4e:c6:2e:ce:08:36:d1:ea:a0:97:3d:76:38:
        6e:9d:4b:6f:33:d2:fa:c2:7e:b0:59:bc:75:97:17:d1:1b:c5:
        c4:58:ae:7b:7e:87:e5:87:2b:8b:6b:10:16:70:7c:c8:65:c7:
        d0:62:5d:f3:b5:06:af:03:8b:32:dd:88:f0:07:2b:5d:61:58:
        61:35:54:a6:ce:95:81:a2:6e:fa:b5:aa:25:e1:41:53:9d:e7:
        4b:7e:93:88:79:6b:dd:a3:6e:9a:0d:bd:85:b4:2d:66:b9:cc:
        01:13:f1:b5:d5:91:cc:86:5e:a7:c8:4a:8f:4d:9d:f8:17:31:
        32:7d:50:d5:c2:79:a0:41:a0:69:83:33:16:14:35:26:10:3b:
        23:eb:60:d9:28:68:99:d5:55:61:89:b5:35:5d:8b:fe:b1:96:
        32:69:3e:8b:c2:a2:4e:e1:d8:76:04:3c:87:91:5d:66:9e:81:
        a5:bf:18:2e:3e:39:da:4f:68:57:46:d2:1d:aa:81:51:3b:33:
        72:da:e9:7d:12:b6:a1:fc:c7:1d:c1:9c:bd:92:e8:1b:d2:06:
        e8:0b:82:2a:4f:23:5a:7a:fa:7b:86:a0:d7:c1:46:e7:04:47:
        77:11:cd:da:7c:50:32:d2:6f:fd:1e:0a:df:cf:b1:20:d2:86:
        ce:40:5a:27:61:49:2f:71:f5:04:ac:eb:c6:03:70:a4:70:13:
        4a:af:41:35:83:dc:55:c0:29:7f:12:4f:d0:f1:bb:f7:61:4a:
        9f:8d:61:b0:5e:89:46:49:e3:27:8b:42:82:5e:af:14:d5:d9:
        91:69:3d:af:11:70:5b:a3:92:3b:e3:c8:2a:a4:38:e5:88:f2:
        6f:09:f4:e5:04:3b
-----BEGIN CERTIFICATE-----
MIIELTCCApWgAwIBAgIEPJEpsjANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBto
aWdod2F5LXRlc3QuZXhhbXBsZS5jb20gQ0EwHhcNMjEwNDA1MTkzNjU3WhcNMjEw
NTA2MDUzNjU3WjAmMSQwIgYDVQQDDBtoaWdod2F5LXRlc3QuZXhhbXBsZS5jb20g
Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC0eydCSZ/thUd0//ZQ
zV0iGmQ4IvgJ0tbzYNiYf+WEUh7Zzpa03KZDdGcn2Z1Cfb8aQ5Kb0d00m0HS49VZ
s0D8s8nhWIQ/h/cGRSUmTL+hRXKgCluGQdeOvtM4tapmab06/em1uKJ5xPClPJ6R
lDIenLB/JUZbdh2GI4WwYkVcqG/7xSbh3ajyaKvFjLRYtC6WSfr+0uqlEWjCjfRY
qzC93RsplwAYb1lAnDoq5JYluxL0GhFybTH2tOHM2JoMqqiqpGTj8QYcwAnfYroE
y3CwxPfKNSLqqcdS4c4n+2xSObcis12XywqfdaOvFu/mshtqwwsdFf242OeK9vSZ
HCOXS4DpeaOFFvjdvXfvOjyO53VWZzY63UJ7hC9kLxMO+rA7ERN+rnimL0bdSxGI
5HsZqyEtHzS6Yc1RhKXsasGQIHDjqvQB/QxuzQRHmTFweWyvQXjBBCpDeISK/sM9
8kHIKqEQ4Le0T07mJnmsSWTPVx4u4y9YvW8wAGfXi9YTYL8CAwEAAaNjMGEwDwYD
VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDMSRbcbEL7z
y2TlTFCAfJ2IZXRAMB8GA1UdIwQYMBaAFDMSRbcbEL7zy2TlTFCAfJ2IZXRAMA0G
CSqGSIb3DQEBCwUAA4IBgQAFNyiFNzlxh+xc8FEZVUq34CrmYTDU4iutetsS/Iqm
bhWCgBD6XWdg6FQU44nWTmCJmFur/jImqgI1aE7GLs4INtHqoJc9djhunUtvM9L6
wn6wWbx1lxfRG8XEWK57foflhyuLaxAWcHzIZcfQYl3ztQavA4sy3YjwBytdYVhh
NVSmzpWBom76taol4UFTnedLfpOIeWvdo26aDb2FtC1mucwBE/G11ZHMhl6nyEqP
TZ34FzEyfVDVwnmgQaBpgzMWFDUmEDsj62DZKGiZ1VVhibU1XYv+sZYyaT6LwqJO
4dh2BDyHkV1mnoGlvxguPjnaT2hXRtIdqoFROzNy2ul9Erah/McdwZy9kugb0gbo
C4IqTyNaevp7hqDXwUbnBEd3Ec3afFAy0m/9Hgrfz7Eg0obOQFonYUkvcfUErOvG
A3CkcBNKr0E1g9xVwCl/Ek/Q8bv3YUqfjWGwXolGSeMni0KCXq8U1dmRaT2vEXBb
o5I748gqpDjliPJvCfTlBDs=
-----END CERTIFICATE-----
]]></artwork>
        <t>The private key for the Certification Authority that created the IDevID:</t>
        <artwork><![CDATA[
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAtHsnQkmf7YVHdP/2UM1dIhpkOCL4CdLW82DYmH/lhFIe2c6W
tNymQ3RnJ9mdQn2/GkOSm9HdNJtB0uPVWbNA/LPJ4ViEP4f3BkUlJky/oUVyoApb
hkHXjr7TOLWqZmm9Ov3ptbiiecTwpTyekZQyHpywfyVGW3YdhiOFsGJFXKhv+8Um
4d2o8mirxYy0WLQulkn6/tLqpRFowo30WKswvd0bKZcAGG9ZQJw6KuSWJbsS9BoR
cm0x9rThzNiaDKqoqqRk4/EGHMAJ32K6BMtwsMT3yjUi6qnHUuHOJ/tsUjm3IrNd
l8sKn3Wjrxbv5rIbasMLHRX9uNjnivb0mRwjl0uA6XmjhRb43b137zo8jud1Vmc2
Ot1Ce4QvZC8TDvqwOxETfq54pi9G3UsRiOR7GashLR80umHNUYSl7GrBkCBw46r0
Af0Mbs0ER5kxcHlsr0F4wQQqQ3iEiv7DPfJByCqhEOC3tE9O5iZ5rElkz1ceLuMv
WL1vMABn14vWE2C/AgMBAAECggGAAUF6HHP2sOhkfuPpCtbi9wHIALv9jdPxuu/J
kgYRysHnhQxy7/85CO8eaKCS/4twcPZXZs4nA96wro73RRCCOz/k/7Rl9yszBNAm
WgXer3iUO5jW2jBLF6ssPRDGhr/lmSt7HNCUENTV99BcKhcl4iCk+b2Ap9JCklRc
8cU9Rk/Ft7K/eoLYUhd4Wn+IIbXfPRx2qp89Erj0SaZDNPq79BY9wiRS09iyfkiX
/wRoJwsOLrSfunQYDOdlSs+XAs+NKeKmB6chmPhP+sYTXx+zFj+36NRjq2dxkYSH
hB9peJ5yzTDhLQpagV5D36VXQsqHawvgEu6cQAfcZ4Iqmnura7zYBysfk4YzzizO
rsc9rYGP10UO5W0EpKR/IcNfMGwtDbHe1/7z+0JSVDe/ldht8YrwX3ogd5rNbhlf
lUE+D7rof8E8g6Uz4TWI8dpMDaXCzjgz6q2iiW770R5xCphLFbuNh/SnbkYNYNEo
k8AN+Fx+w3EO7Cg4aaETB76iNXVBAoHBAOibavF4IYurjni39Z/6vIhO31F7VdNj
x9gZ9Om6MmZNFSbU8PLyoQEyI46ygf8TO/BSfiHyUMncohmXWsoUXiFZV412aVqk
HgZg+MWsKuYuTmGk/CouYQzd7RtrLl8TpPncXhsJIZ48ppcVGnMHnWZmTLj/Kqf6
oDfsI7QhZy8fUxgIJ3vWoC5zFeQYzXpID4PKkn6mXczt6YiQHFJuvqVjpflVh9WZ
leIhCBxoI76j1uU3ZiOEWfkmxSWddIPyIwKBwQDGobnHJ1lIJeny/KaHBVt8OECV
wEH6lAxp4jcxYgQCbPVGJzNs+BstjOiY+UDrG2MVyJ+dj+yS2lfDBJcyzo/mE/ox
0odGpKJ9MVk4Mb4m543Jllgb9ZQmJmKzJipqpRetmXV22QB0sJyaYL4M3zroqw17
tEf6HH1vmc9XQwACJOrlm+k41djutwmuCE2JYoNbLdcrCgdfO06Z3bhNkknbrrFD
OrB40xx1H5u38kDU7ifieQ4jvUEWk6a5+sIR+rUCgcEAyp+AJEJyblmObShKhgaE
LvUN4cvfcppL3rqVtvhkqOrizwXVsryadhE4GjjztsAJiYpCp82OhJl2d3Z6NuhR
KxnJg8gvdC7cnM/iRUd5wzN5QePXaeMm1W+I+UZ/iYDySFmnfEOTDmVk9N0EQknS
2f2pPcnBXbybzrscSvCCEvFlj9yikGTg+jV0T1MvwyJ8qWBQBpVjxn1E3poyobgo
yKeqUC0qe24ju2zsxNoOsSXFr7x3c976BWi5ec/UTJAjAoHAYZ+GwRzTwqPvsZ7+
8Yluh0TWaUNOqistVrT5z2mO8uo+OjZ2De563Q5OGzEV+PdC4afy2uurqBlr3Mta
zHu9OaVD6EzCc7PisIkagoXgIRrZEuSzdTpjj8R56fauDjAJzSaJFtpcYP2UWkOF
5KmqOEQpokzeu0xZUgpUX1zsmiEu2Z6hJ2/i6KBJP6GRCh7C1INZJywMp39siC7y
sB1f83qOYK5toVSQvffE/skvl/dc3vAERQh0/vWekfVugIupAoHBAJj9U/aFU/c5
Kc/94hmeR6TljINMSn0EI9nlJ5FkY2BDmzgeAD9/kNBbPHRjIyMa5Ow7rHO4Lt09
U837yytEcbmErNzMuBhOX+nirXXq1Dp5LMNkHP3gnPy0XC2Cu5m2vH/qbFhIlRER
1GXCxBrWOzovXFu090oIjOhwCbxt7GWZH/GMUUJGXJb+s1CzQNz1qiXKng7XpluA
S9jVch5pKqmWvDYYrBXmmCe9Ju0RnBCgOIuGUiCPjEFAy+myLdgQ0A==
-----END RSA PRIVATE KEY-----
]]></artwork>
        <t>The MASA certificate that signs the Voucher:</t>
        <artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIBcDCB9qADAgECAgQLhwoxMAoGCCqGSM49BAMCMCYxJDAiBgNVBAMMG2hpZ2h3
YXktdGVzdC5leGFtcGxlLmNvbSBDQTAeFw0yMTA0MTMyMTQwMTZaFw0yMzA0MTMy
MTQwMTZaMCgxJjAkBgNVBAMMHWhpZ2h3YXktdGVzdC5leGFtcGxlLmNvbSBNQVNB
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqgQVo0S54kT4yfkbBxumdHOcHrps
qbOpMKmiMln3oB1HAW25MJV+gqi4tMFfSJ0iEwt8kszfWXK4rLgJS2mnpaMQMA4w
DAYDVR0TAQH/BAIwADAKBggqhkjOPQQDAgNpADBmAjEArsthLdRcjW6GqgsGHcbT
YLoyczYl0yOFSYcczpQjeRqeQVUkHRUioUi7CsCrPBNzAjEAhjxns5Wi4uX5rfkd
nME0Mnj1z+rVRwOfAL/QWctRwpgEgSSKURNQsXWyL52otPS5
-----END CERTIFICATE-----
]]></artwork>
        <t>The private key for MASA certificate signs the Voucher:</t>
        <artwork><![CDATA[
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFhdd0eDdzip67kXx72K+KHGJQYJHNy8pkiLJ6CcvxMGoAoGCCqGSM49
AwEHoUQDQgAEqgQVo0S54kT4yfkbBxumdHOcHrpsqbOpMKmiMln3oB1HAW25MJV+
gqi4tMFfSJ0iEwt8kszfWXK4rLgJS2mnpQ==
-----END EC PRIVATE KEY-----
]]></artwork>
      </section>
      <section anchor="example-cms-signed-voucher-request">
        <name>Example CMS-signed Voucher Request</name>
        <artwork><![CDATA[
MIIGjQYJKoZIhvcNAQcCoIIGfjCCBnoCAQExDTALBglghkgBZQMEAgEwggOl
BgkqhkiG9w0BBwGgggOWBIIDknsiaWV0Zi12b3VjaGVyLXJlcXVlc3Q6dm91
Y2hlciI6eyJhc3NlcnRpb24iOiJwcm94aW1pdHkiLCJjcmVhdGVkLW9uIjoi
MjAyMi0wNy0xMFQxNzowODoxOC41OTgtMDQ6MDAiLCJzZXJpYWwtbnVtYmVy
IjoiMDAtRDAtRTUtRjItMDAtMDIiLCJub25jZSI6IjR2VHNwcFMyQ2VxQnpo
RWRvaWZNMmciLCJwcm94aW1pdHktcmVnaXN0cmFyLWNlcnQiOiJNSUlDRURD
Q0FaYWdBd0lCQWdJRVlGYTZaVEFLQmdncWhrak9QUVFEQWpCdE1SSXdFQVlL
Q1pJbWlaUHlMR1FCR1JZQ1kyRXhHVEFYQmdvSmtpYUprL0lzWkFFWkZnbHpZ
VzVrWld4dFlXNHhQREE2QmdOVkJBTU1NMlp2ZFc1MFlXbHVMWFJsYzNRdVpY
aGhiWEJzWlM1amIyMGdWVzV6ZEhKMWJtY2dSbTkxYm5SaGFXNGdVbTl2ZENC
RFFUQWVGdzB5TVRFeE1qUXhPVFF6TURWYUZ3MHlNekV4TWpReE9UUXpNRFZh
TUZNeEVqQVFCZ29Ka2lhSmsvSXNaQUVaRmdKallURVpNQmNHQ2dtU0pvbVQ4
aXhrQVJrV0NYTmhibVJsYkcxaGJqRWlNQ0FHQTFVRUF3d1pabTkxYm5SaGFX
NHRkR1Z6ZEM1bGVHRnRjR3hsTG1OdmJUQlpNQk1HQnlxR1NNNDlBZ0VHQ0Nx
R1NNNDlBd0VIQTBJQUJKWmxVSEkwdXAvbDNlWmY5dkNCYitsSW5vRU1FZ2M3
Um8rWFpDdGpBSTBDRDFmSmZKUi9oSXl5RG1IV3lZaU5GYlJDSDlmeWFyZmt6
Z1g0cDB6VGl6cWpQakE4TUNvR0ExVWRKUUVCL3dRZ01CNEdDQ3NHQVFVRkJ3
TWNCZ2dyQmdFRkJRY0RBZ1lJS3dZQkJRVUhBd0V3RGdZRFZSMFBBUUgvQkFR
REFnZUFNQW9HQ0NxR1NNNDlCQU1DQTJnQU1HVUNNUUNkU1pSSjgzTU5SQ3ph
Myt2T0JhMDFoNHFadjJsS2hkK0RmaEI0WURodkdwa1dvbFplSEh3TmI3QXRC
Q010YlV3Q01Ib054b2lrK3hXN0F0MWhYRWhwMy9NY1hpQWR6blpicFZxK3hK
RVppaFhVMzZJQmp2WWdXREY5aXZxeEpwRGJ5dz09In19oIIBszCCAa8wggE1
oAMCAQICBB8Y/ucwCgYIKoZIzj0EAwIwJjEkMCIGA1UEAwwbaGlnaHdheS10
ZXN0LmV4YW1wbGUuY29tIENBMCAXDTIxMDQyNzE4MjkzMFoYDzI5OTkxMjMx
MDAwMDAwWjAcMRowGAYDVQQFExEwMC1EMC1FNS1GMi0wMC0wMjBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABAOjdUOHs3zACpqHnK329DgTHNQMhB/gQE5B
efBbE0sgcbNEm0li8RYwzrsAfYCxp9k7E1CbpielT8OWf0z+ISejWTBXMB0G
A1UdDgQWBBRFiMyWlgBkN7C6I2VkZFQIBmxWrTAJBgNVHRMEAjAAMCsGCCsG
AQUFBwEgBB8WHWhpZ2h3YXktdGVzdC5leGFtcGxlLmNvbTo5NDQzMAoGCCqG
SM49BAMCA2gAMGUCMGIq27409xvLhd4mjkMA+Q2IyHeo3TwIQFS87D223HAr
w3/KGSGaoKvFUY6q3zbeiwIxALJdWfhHx+0Dl6jAx6iB+qiG7WdkN1F6bpyj
gk1trbzzNZ6daqJtf38lHAPv8LqbcTGCAQQwggEAAgEBMC4wJjEkMCIGA1UE
AwwbaGlnaHdheS10ZXN0LmV4YW1wbGUuY29tIENBAgQfGP7nMAsGCWCGSAFl
AwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF
MQ8XDTIyMDcxMDIxMDgxOFowLwYJKoZIhvcNAQkEMSIEIFc4jO6OnilTLkM/
fcc9p5au4ANjvJvjRXsAKK6+RcTvMAoGCCqGSM49BAMCBEcwRQIhAOjoOdgh
Sr+Hk2r2APsfs1+QJba0uRf/+zXA70yb6mRCAiB9aS6Wj8kBcWEvvfsDue41
KWo0ukOBQxdPGpJqg+GAMw==
]]></artwork>
      </section>
      <section anchor="example-cms-signed-voucher-from-masa">
        <name>Example CMS-signed Voucher from MASA</name>
        <artwork><![CDATA[
MIIGPQYJKoZIhvcNAQcCoIIGLjCCBioCAQExDTALBglghkgBZQMEAgEwggOU
BgkqhkiG9w0BBwGgggOFBIIDgXsiaWV0Zi12b3VjaGVyOnZvdWNoZXIiOnsi
YXNzZXJ0aW9uIjoibG9nZ2VkIiwiY3JlYXRlZC1vbiI6IjIwMjItMDctMTBU
MTc6MDg6MTguNzIwLTA0OjAwIiwic2VyaWFsLW51bWJlciI6IjAwLUQwLUU1
LUYyLTAwLTAyIiwibm9uY2UiOiI0dlRzcHBTMkNlcUJ6aEVkb2lmTTJnIiwi
cGlubmVkLWRvbWFpbi1jZXJ0IjoiTUlJQ0VEQ0NBWmFnQXdJQkFnSUVZRmE2
WlRBS0JnZ3Foa2pPUFFRREFqQnRNUkl3RUFZS0NaSW1pWlB5TEdRQkdSWUNZ
MkV4R1RBWEJnb0praWFKay9Jc1pBRVpGZ2x6WVc1a1pXeHRZVzR4UERBNkJn
TlZCQU1NTTJadmRXNTBZV2x1TFhSbGMzUXVaWGhoYlhCc1pTNWpiMjBnVlc1
emRISjFibWNnUm05MWJuUmhhVzRnVW05dmRDQkRRVEFlRncweU1URXhNalF4
T1RRek1EVmFGdzB5TXpFeE1qUXhPVFF6TURWYU1GTXhFakFRQmdvSmtpYUpr
L0lzWkFFWkZnSmpZVEVaTUJjR0NnbVNKb21UOGl4a0FSa1dDWE5oYm1SbGJH
MWhiakVpTUNBR0ExVUVBd3daWm05MWJuUmhhVzR0ZEdWemRDNWxlR0Z0Y0d4
bExtTnZiVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCSlps
VUhJMHVwL2wzZVpmOXZDQmIrbElub0VNRWdjN1JvK1haQ3RqQUkwQ0QxZkpm
SlIvaEl5eURtSFd5WWlORmJSQ0g5ZnlhcmZremdYNHAwelRpenFqUGpBOE1D
b0dBMVVkSlFFQi93UWdNQjRHQ0NzR0FRVUZCd01jQmdnckJnRUZCUWNEQWdZ
SUt3WUJCUVVIQXdFd0RnWURWUjBQQVFIL0JBUURBZ2VBTUFvR0NDcUdTTTQ5
QkFNQ0EyZ0FNR1VDTVFDZFNaUko4M01OUkN6YTMrdk9CYTAxaDRxWnYybEto
ZCtEZmhCNFlEaHZHcGtXb2xaZUhId05iN0F0QkNNdGJVd0NNSG9OeG9payt4
VzdBdDFoWEVocDMvTWNYaUFkem5aYnBWcSt4SkVaaWhYVTM2SUJqdllnV0RG
OWl2cXhKcERieXc9PSJ9faCCAXQwggFwMIH2oAMCAQICBAuHCjEwCgYIKoZI
zj0EAwIwJjEkMCIGA1UEAwwbaGlnaHdheS10ZXN0LmV4YW1wbGUuY29tIENB
MB4XDTIxMDQxMzIxNDAxNloXDTIzMDQxMzIxNDAxNlowKDEmMCQGA1UEAwwd
aGlnaHdheS10ZXN0LmV4YW1wbGUuY29tIE1BU0EwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAASqBBWjRLniRPjJ+RsHG6Z0c5weumyps6kwqaIyWfegHUcB
bbkwlX6CqLi0wV9InSITC3ySzN9ZcrisuAlLaaeloxAwDjAMBgNVHRMBAf8E
AjAAMAoGCCqGSM49BAMCA2kAMGYCMQCuy2Et1FyNboaqCwYdxtNgujJzNiXT
I4VJhxzOlCN5Gp5BVSQdFSKhSLsKwKs8E3MCMQCGPGezlaLi5fmt+R2cwTQy
ePXP6tVHA58Av9BZy1HCmASBJIpRE1CxdbIvnai09LkxggEEMIIBAAIBATAu
MCYxJDAiBgNVBAMMG2hpZ2h3YXktdGVzdC5leGFtcGxlLmNvbSBDQQIEC4cK
MTALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
CSqGSIb3DQEJBTEPFw0yMjA3MTAyMTA4MThaMC8GCSqGSIb3DQEJBDEiBCBA
77EhoAybh5R6kK89jDefpxRy8Q6rDo1cnlwgvCzXbzAKBggqhkjOPQQDAgRH
MEUCIQD4RnuXwKvYVvwamwVq3VYv7dXcM7bzLg7FXTkhvYqPzwIgXTJxVV5a
cLMAroeHgThS5JU5QA2PJMLGF82UcSNTsEY=
]]></artwork>
      </section>
      <section anchor="example-jws-signed-voucher-from-masa">
        <name>Example JWS-signed Voucher from MASA</name>
        <t>These examples are folded according to the <xref target="RFC8792"/> Single Backslash rule.</t>
        <figure anchor="ExampleVoucherJWSfigure">
          <name>Example JWS Voucher</name>
          <artwork align="left"><![CDATA[
{
  "payload": "eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6eyJhc3NlcnRpb24iOiJwcm\
94aW1pdHkiLCJzZXJpYWwtbnVtYmVyIjoiY2FmZmUtOTg3NDUiLCJub25jZSI6IjYyYT\
JlNzY5M2Q4MmZjZGEyNjI0ZGU1OGZiNjcyMmU1IiwiY3JlYXRlZC1vbiI6IjIwMjUtMT\
AtMTVUMDA6MDA6MDBaIiwicGlubmVkLWRvbWFpbi1jZXJ0IjoiTUlJQmd6Q0NBU3FnQX\
dJQkFnSUdBV09XZTBSRk1Bb0dDQ3FHU000OUJBTUNNRFV4RXpBUkJnTlZCQW9NQ2sxNV\
FuVnphVzVsYzNNeERUQUxCZ05WQkFjTUJGTnBkR1V4RHpBTkJnTlZCQU1NQmxSbGMzUk\
RRVEFlRncweE9EQTFNalV3T0RRM016QmFGdzB5T0RBMU1qVXdPRFEzTXpCYU1EVXhFek\
FSQmdOVkJBb01DazE1UW5WemFXNWxjM014RFRBTEJnTlZCQWNNQkZOcGRHVXhEekFOQm\
dOVkJBTU1CbFJsYzNSRFFUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQU\
JIOUVCdXVXVjdJS09ya040YjdsYTVJb2J5dFduV1p3Rm5QdHVsMDlhd3dVSEZQZStOWW\
M1WjVwdUo2ZEFuK0FrVzFnY1poQlhWR0JBM0crSXlSV1VXU2pKakFrTUJJR0ExVWRFd0\
VCL3dRSU1BWUJBZjhDQVFBd0RnWURWUjBQQVFIL0JBUURBZ0lFTUFvR0NDcUdTTTQ5Qk\
FNQ0EwY0FNRVFDSURlWlc2SWZjeUsvLzBBVFk2S21NYjRNMFFJU1FTZFVGVjdQNzlLWV\
ZJWVVBaUJRMVYrd0xSM1Uzd2NJWnhHSE1ISGx0N2M3ZzFDaFdNRVkveEFoU1NZaWlnPT\
0ifX0",
  "signatures": [
    {
      "protected": "eyJ4NWMiOlsiTUlJQmNEQ0I5cUFEQWdFQ0FnUUxod294TUFv\
R0NDcUdTTTQ5QkFNQ01DWXhKREFpQmdOVkJBTU1HMmhwWjJoM1lYa3RkR1Z6ZEM1bGVH\
RnRjR3hsTG1OdmJTQkRRVEFlRncweU1UQTBNVE15TVRRd01UWmFGdzB5TXpBME1UTXlN\
VFF3TVRaYU1DZ3hKakFrQmdOVkJBTU1IV2hwWjJoM1lYa3RkR1Z6ZEM1bGVHRnRjR3hs\
TG1OdmJTQk5RVk5CTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFcWdR\
Vm8wUzU0a1Q0eWZrYkJ4dW1kSE9jSHJwc3FiT3BNS21pTWxuM29CMUhBVzI1TUpWK2dx\
aTR0TUZmU0owaUV3dDhrc3pmV1hLNHJMZ0pTMm1ucGFNUU1BNHdEQVlEVlIwVEFRSC9C\
QUl3QURBS0JnZ3Foa2pPUFFRREFnTnBBREJtQWpFQXJzdGhMZFJjalc2R3Fnc0dIY2JU\
WUxveWN6WWwweU9GU1ljY3pwUWplUnFlUVZVa0hSVWlvVWk3Q3NDclBCTnpBakVBaGp4\
bnM1V2k0dVg1cmZrZG5NRTBNbmoxeityVlJ3T2ZBTC9RV2N0UndwZ0VnU1NLVVJOUXNY\
V3lMNTJvdFBTNSJdLCJ0eXAiOiJ2b3VjaGVyLWp3cytqc29uIiwiYWxnIjoiRVMyNTYi\
fQ",
      "signature": "s_gJM_4qzz1bxDtqh6Ybip42J_0_Y4CMdrMFb8lpPsAhDHVR\
AESNRL3n6M_F8dGQHm1fu66x83cK9E5cPtEdag"
    }
  ]
}
]]></artwork>
        </figure>
      </section>
    </section>
    <section removeInRFC="true" anchor="sid-allocations">
      <name>SID Allocations</name>
      <t>It is temporarily included for review purposes, following the guidelines in <xref section="6.4.3" sectionFormat="of" target="CORESID"/>.</t>
      <section anchor="voucher-sid-allocations">
        <name>SID Allocations for Voucher</name>
        <sourcecode type="yang-sid+json" markers="true" name="ietf-voucher@2025-12-18.sid"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

{
  "ietf-sid-file:sid-file": {
    "module-name": "ietf-voucher",
    "module-revision": "2025-12-18",
    "sid-file-version": 5,
    "sid-file-status": "unpublished",
    "dependency-revision": [
      {
        "module-name": "ietf-yang-types",
        "module-revision": "2013-07-15"
      },
      {
        "module-name": "ietf-inet-types",
        "module-revision": "2013-07-15"
      },
      {
        "module-name": "ietf-yang-structure-ext",
        "module-revision": "2020-06-17"
      }
    ],
    "assignment-range": [
      {
        "entry-point": "2450",
        "size": "50"
      }
    ],
    "item": [
      {
        "namespace": "module",
        "identifier": "ietf-voucher",
        "sid": "2450"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher",
        "sid": "2451"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/assertion",
        "sid": "2452"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/created-on",
        "sid": "2453"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/domain-cert-revocation-\
                                                             checks",
        "sid": "2454"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/expires-on",
        "status": "unstable",
        "sid": "2455"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/idevid-issuer",
        "sid": "2456"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/last-renewal-date",
        "sid": "2457"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/nonce",
        "sid": "2458"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/pinned-domain-cert",
        "status": "unstable",
        "sid": "2459"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/pinned-domain-pubk",
        "status": "unstable",
        "sid": "2460"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/pinned-domain-pubk-\
                                                             sha256",
        "status": "unstable",
        "sid": "2461"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/serial-number",
        "sid": "2462"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/additional-\
                                                  configuration-url",
        "status": "unstable",
        "sid": "2463"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/est-domain",
        "status": "unstable",
        "sid": "2464"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/manufacturer-private",
        "status": "unstable",
        "sid": "2465"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher:voucher/extensions",
        "status": "unstable",
        "sid": "2466"
      }
    ]
  }
}
]]></sourcecode>
      </section>
      <section anchor="voucher-request-sid-allocations">
        <name>SID Allocations for Voucher Request</name>
        <sourcecode type="yang-sid+json" markers="true" name="ietf-voucher-request@2025-12-18.sid"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

{
  "ietf-sid-file:sid-file": {
    "module-name": "ietf-voucher-request",
    "module-revision": "2025-12-18",
    "sid-file-version": 11,
    "sid-file-status": "unpublished",
    "dependency-revision": [
      {
        "module-name": "ietf-yang-structure-ext",
        "module-revision": "2020-06-17"
      },
      {
        "module-name": "ietf-voucher",
        "module-revision": "2025-12-18"
      }
    ],
    "assignment-range": [
      {
        "entry-point": "2500",
        "size": "50"
      }
    ],
    "item": [
      {
        "namespace": "module",
        "identifier": "ietf-voucher-request",
        "sid": "2500"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher",
        "sid": "2501",
        "status": "unstable"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/assertion",
        "sid": "2502"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/created-on",
        "sid": "2503"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/domain-cert-\
                                                  revocation-checks",
        "sid": "2504"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/expires-on",
        "sid": "2505"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/idevid-issuer",
        "sid": "2506"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/last-renewal-\
                                                               date",
        "sid": "2507"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/nonce",
        "sid": "2508"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/pinned-domain-\
                                                               cert",
        "status": "unstable",
        "sid": "2509"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/prior-signed-\
                                                    voucher-request",
        "sid": "2510"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/proximity-\
                                                     registrar-cert",
        "status": "unstable",
        "sid": "2511"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/proximity-\
                                              registrar-pubk-sha256",
        "status": "unstable",
        "sid": "2512"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/proximity-\
                                                     registrar-pubk",
        "sid": "2513"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/serial-number",
        "sid": "2514"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/agent-provided-\
                                           proximity-registrar-cert",
        "status": "unstable",
        "sid": "2515"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/agent-sign-cert\
                                                                   ",
        "sid": "2516"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/agent-signed-\
                                                               data",
        "sid": "2517"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/pinned-domain-\
                                                               pubk",
        "status": "unstable",
        "sid": "2518"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/pinned-domain-\
                                                        pubk-sha256",
        "status": "unstable",
        "sid": "2519"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/additional-\
                                                  configuration-url",
        "status": "unstable",
        "sid": "2520"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/est-domain",
        "status": "unstable",
        "sid": "2521"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/extensions",
        "status": "unstable",
        "sid": "2522"
      },
      {
        "namespace": "data",
        "identifier": "/ietf-voucher-request:voucher/manufacturer-\
                                                            private",
        "status": "unstable",
        "sid": "2523"
      }
    ]
  }
}
]]></sourcecode>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors would like to thank the following people for
lively discussions on list and in the halls (ordered
by last name):
<contact fullname="William Atwood"/>,
<contact fullname="Michael H. Behringer"/>,
<contact fullname="Steffen Fries"/>,
<contact fullname="Sheng Jiang"/>,
<contact fullname="Thomas Werner"/>.</t>
      <t>This document received directorate reviews from <contact fullname="Tim Wicinkski"/>,
<contact fullname="Thomas Fossati"/>, and <contact fullname="Michal Vaško"/>.
It was shepherded by <contact fullname="Sheng Jiang"/>.</t>
      <t><contact fullname="Max Pritikin"/> and <contact fullname="Kent Watsen"/> were instrumental in creating the original <xref target="RFC8366"/>.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y9+1YbV7Y++n89Rf3IGAfYkYQuiEtlpxMZ5JjEgA04TtK7
R7tUKqEyUpVSVQITx+dZzrOcJzvztm6lEuAke+8e4zQ9OgZp3ddcc801L99s
NpveOIvScB4H/jgPJ2UzictJM0yTedjMJ9FBb29vlBTNXtcryjAd/zOcZSmU
LfNl7CWLnH4rym67fdjuelFYBn5Rjr3lYhyWcRH4B4eHfS8bFdks5r+hPS/K
0iJOiyX8vXkfF5veIgk83y+zSH3g+8X9PI8nhfVBlpfuJ1E2X4RRaRVZjsxn
aYYfzZL0Zh4mszLTH8XjpEzSa/03VJnHaWk1nKRQLTZ/wzrE46K8n+nPyqTE
Pwb+j9kymsa5P8jLZAId+5Ms959lWVmUebhYQD/+qzyDmWWzwgtHozy+DVYq
eWEeh4F/vojzsExgcbw7GN7g7OR04L/N8hts5bs8Wy68m7vAv+XaXrgsp1ke
eE0YLwz+h5b/NixhXWHAvJ8/wKzMZ1kObfJf/llc3kG7Ba4Grk7g30DZL3Hr
v72jIq00LlXLpy3/IommYT4uMtP6KX4Uz/yjyrd5hiuDi5zlqttLoJx4Ng9T
/zKblHcwXd0z/NL051HOnReqYCsK6ZtpWS6KYGcny6Nk3ILGdtrw04T/d5vt
/f1e86B3cAAll3kS6MJ3d3ctu6UdNZNhyz9O3t/oOQyLm0x9QgM9ya6QOJcz
oPXovpXOzArFULY1hrLfJllZKSTNX7X8YXQT56Xu4CqL81lcFOZz6ub5slzm
8V2c+FdxNE2zWXadxIV/kkYtJGOg8xhIuNvrtf0j2Jg8nPnDD4t7JNakvKf1
LEP/aBbmIRHwGAnzsN/ut5mgl1AHir1JkzIe+5clnkU/m/iDeZwntLIyqbKM
v42K1iRctsaxmsbrln8a6im8TpaTEAiQPqLRv1iGMHRroJ12R2+sP7iN02Xc
8H9eTpchLC4USqJSD/0sTN8DPZthdzvtdqfrjPtomqTWIOfhrzyGzrdT6roF
R9bzqB+kn2s8GoFPPAv+5Er017dIVEg1WCopp8uRfNG8u95R58hLs3wO5+6W
Grt4ftTvHrTVr3v9rvy61+6qT/dhqeXXg27/UH497PZ38dejZ+cXsEVXx4e7
+Nf5xfDy5DigEn1ghjDPZxeXP5wAsTWPWxa3RZqCrQbOM26qsfn++/rC7+8K
q9DJ1ZvmVeunvcN2q9vu9HEUwE7D/Bp3xz4VSblsJWm5k8fRzlXzYnjU/KkF
tXa4AjO1zZN0wiuSpYY+7+EwDi7PWh0/TmHnkCXlyxmy9MtFHCUTICuqAFT2
LCySiFr0/aEqfIGF/a1nw4vthn8UplkKNWYr3x/B97BFYyIc+HyZFFMgYVVM
WpXCx1B4kz5SvBB/b8pRTss4T2lQ0M9VPIuR0S9TNVA4HMSvfB+vKjhtsHDN
9gF9UsAxiYsE1iGQHmmF/YuYL4sxN0Fr14CuLs93ToZH/gFQQ7MDNX4ZXpw3
r87fHL2gfT/o73eFXOA6xCZfXZyubOkoL26S5iKfI9W8PH9zvKZENMuWY9z0
4+GPQFi1e92BanF80O4SyyziCPhjeb8DHzQ7Ye5s98lwOPSxZGdw4V9iydg/
jm+TKPZPxsB8YGuJxuoXGStfomAA/N9dzAOZ8f5hB6vEyXi/u9dzh7th0ybc
sk2+NmjQcQ6XYbgj9TbsIW8M6Tsfv2ioZd3wvEQRrj7Kvb2DA3VSd3f31FHu
dPvq1+5uR53q3Z769KC9qw94z/p1T7UAs1J84bDPjR2dXw752O/BX9+/vaSt
3+938MhfDo/eXAy/Pz85szZ1r0yKaNocl2p/mr/FKCvAqW6+zxIkzp8HZ981
v3sDW82EtNvex9bK8D2coMPDEo5/XCxzOM4k0qw999EMrsF5K4xayxs4/EUc
5tF0Z1xe47c7kwSO085iOZrJ4VB/yDdl3uocHh62uq3FeOKwiqtpDIfCjMA/
XkY3M5KuLmVS/klRLOG0omA0GDdfZJH/NsljuhWVHFJ3iPn2eZ6H6Y2asPPN
RQYNDOCSzwvnHONIUYabL3LgdCurokkOZJy75CZZAMmFRHB3Owm09qG1mC6+
ofl9faLb+OfWoriPpsQIt/+vbDZOxl93er19uCkOuh2HODffqlb9EOS7iM6Y
bsi3G1rLu3QTzpHq7jXbvWYHWckkTPIp/H/N3LIFMuk0xU25hT2g+Y3j23gG
3+Q7hc2xix3V2I47j+fyscvg144ZpNfUP7I69Z/Dfc6c0uUMh81Op9nueF6z
2fTDEV56ICB43tU0KXx4jSxRHPfH8QSuwsIPUcyAqnADlZlPRyWe3fthUSTX
KXwbAfNJsG2oQVxr69UsHl/H21gcJE7//C4FBrYscPXh71BJ6lg/Hjf8cYLE
C00CgQIFyF8NfwQdAnlza5sFyBXpEitC/3mLB6vbgt9v0uwOWscBb4iAv9Fa
OylrHMyzuCaddy409r+/PD/DQaFAoZvwyikUnkLpUQwLzpPwZXb+bQgXFyw9
3MJRfr8os2t4hUyTCJ5TRRnPCxpQvPpqgTGSFDSDZbiOU3yHQKuje2/tCvhb
SStuNWiJTu3PB0QayW8oeMLg8NKWj2BcW6eDy8H29sq66Bei5rN+AqNKo9ly
TDSQLucjaBzmBX/DFo39+EMJb0gkYCgHW40DweXz59kYxIOWM9GL+FfgQaVd
wFfLnKTqCsFlCGdF5vPzdUyCCGyrGgiVLe2BN3Db7uLZDP/NkB1zF9bg0jjG
msj+cHdAcidRXLps8SmYJ+PxLPa8L1BsyWF8EQkYH79IrD8//VVHxKscEToh
/mefEO+hE9LwH6UPT+jDr9JHy/fXHy9s0D1g9fQc8vn5+FGk9E+fzMLhGUIt
BB492D94GUDxMYoUQBvwpgUai/JkREeAN5SaQbn/06eWd1LCVO+ZVEYxSYvh
jCge1pNO68eP+I+UhcGQzKzPKU6BhGebBj9+/D/cRQdGCgtNPeKb4tOnBhKi
B804p30Lxgb1Q3iHgsjsH51eIhksaZm5Nr5ecAy0RnADzcP83l8s80VWxEiD
oV44aNumHFia2xgmyMod6B1urJw5TyjbjUQFA4mJhGD/UFKMkMSK5ajA05bi
+QURPCTaLfg82u3RGsLy0ZmKiQ3yoKIYt5Fb28KvNt8tkhSfReMMHndpEwu8
2/QHJTwtR8syhhdFiCxxulK/QSRb0mChq9DPwzufZRv/Bma4BZ1b7y6aUBQW
caFZlDPiPF6g8IRHGMcVarqFfvEDPkg0iJRFm5Z3ZF4dtPXVNvWiCw+T5U24
i/fZSDVeJXJeUaR25PaP9GKfIFxMRYZ2oYY6XtYO48byNiPNxqj0YC5BrVb3
njkgDCnL4VhN4VsgxQUcYzUHvSo49CibzeJIvRrh7sEiRazqw5BViVtcH4cD
HBMltLwt2iS6vkoY34zYtqwkUwuJi3L/waW+hGIhDZOmHwPRJcSQ5/gpPh7w
WQq7ep2k255nNHxCrbAWk+UMibYAeQo1M0A/JfD7ghunjnMQgGCV5hkMnZ+K
KKhDHTlny8Uig0XhrffP01EGzyeqAc9teOsV80IkDGRkESo1Z/wQHim2Lrya
Kc4hnQZwm3CEQjhSfnWLrF0gNkj3LK40CW60eED6zDXhHiZehGtBooFiVzY5
yoZkKXxfJdGGP4vDW0Vr1cuYuy9wSYkDkqYDBzyKXcYodyWyMvcC1ALCCCjP
jAhu7WpfImDgUKy5EWPl2958Iz15xPeFsuKwSGB+dK2PSfiI4kWJu6ErV+QP
nkGCm9+Ciy6NYrtj/w7lBmAd0B7fkXiAgU4WYYlqCyEU4lTA1qx2C1rwu0wv
QhHA2sd8idEmVAbCc6QtIrLXhZdFiMRiESkWnCxzKhZ/WMxCVp8oYXc2y+6K
lXnyfimJCVvO8IzFUD0iIoVzLadfTkp1F8dZzKs8ybALpgtZCD5UE9KXminT
YeQua+e8Il8qMYqEJX3I7LMoXViCm5nKr8skr9tinnoOMhVQsDqwDkniPXDn
nwyvnvuFaEms7lEmtDok2QOlzkkp7MkUlXuHz8M3pFPqtomAjfwZwrMwSmZ4
H03oerWkLrj9b3G1THciFsySCRyLOeuH5dTw+oK0eg/yCzC6bO4wqYUyaDTs
Y82VZPo48QxpHoZN+l9ZPlpyEFfhzxnx0oYP9wTwRuEiui2YJ5NrXb/U0zS8
hW5SDwXSiGhPTYUGneVjZoxqg2cZNKFn23DleBinaPYKka6KKVXSq0NHBkYA
D6o53RJQBfY2nDWAjePZlj+bGdwKTaCJjN/LxEou162gJRCuyLCGBXplHdcL
oFOjaERa+PjR6Jn4b83P6Gx//MiqZxrTF/4VXH4JK3er5wV2pqAq6onBEhoe
Txov1GSJ7p6ueMXB3XFifXUl66MLPW/JVLf1XAMv8N8UdLHk2fKajp3bFmyk
Fr4suRXIvMrpQyQePGxlQj1b4iUaMCZEfiRGo8CvJeaWT0JyeD/LwrFiWHUF
6bYEpla5Bo+hDMxNy6Q4pYEidBRBuBkfTrh+giixtAB5h0fqtEYjkvLwuiI5
hvYE2ynvFzGtvSKTEZqHkLnL2BWjimd0ZVgXqrOyMGbHXInj5udCFqGKjk6n
kfqzUQkyVVHRLqAoDYeC3kG4VQkrjnFEfPuQlCks1n4V0LFK8I2qdFIi2RlJ
EZpw7akw+FGIxAI3lmj54A9nCDD42wTv6fFSMW5sx3BEOYQ0wy04v1pFt00d
suSPsiHe04q6HcEBryWjhQEeA7cl60yMYGlOPKwyz0stbxGTTIzLVKLpj17W
k9wisyWqNpVYEI7hpCb0ygdhmGxleKPNcLTY3HUW6lu2hs+IOEFyobWZJWpU
UdMMH8my427xHov43NQbo7TUsPcx7S+8f7l/tVirYvjG8dmlNLQhF9fh7iG+
xcMZ3q7XU9P1PLmelvRKK4osSlQTNmnoxmA9ZcPW0asoAxW9kvjxEM2iylio
9hGSZf3YjBQszuPGIa+VlSnDG6CUSZ7N/R+yNAcm8xJOffobnGwSxmEFRglb
2uiuQcFhLNr0AjWtG0LM8MCFbaBnygJGn435GlZlobXlbIyLCOeb2UyY3uMp
Q+sZ/T3LspsC7rYbXKg537NY3Sf5xafbBz5McvkS9cJwt6yxOsBt4g9SH6Wk
23CGvA2lD70DRHrImpiqiBdDrTin7VtduziHFcnhxFvveBJOjZKIvj0abOM5
MG99GIXqk2YpBFL4JNn6IE+GaISHwzqZoIiB98A8mYU56dNL1mSYZeTXid2G
P12m1zlsTzabtGydPgrHuLa407TBRsdPtBSX/EeDGbHSLRFLMXYKupW/x9N4
EV/TWc/9Lax+lGV4nEO4Jbb5WtFXIbEDtYZyjtSzCvVbyTUsKBAIEMo0XKC/
ByxjlmZzJB9UcsOcx3C6QGKDg8Ovd6Y8vXkk9vNRJFbBvFTe33T0LOaU5ZXB
0MmBjY21mu17tmw9MEfsSvgb31VytulI3S/U0LkpqyEouQFnHSazAa/aQo/x
OWpZEnxCowtCg06Bo3wGeTuFNSWqoKd0Qlfme+QAG7p9VDaietLfekTfbfSZ
24o7EZ+/p61p0PHAJbI0cRWlcsImM1wYFEEKWXQtHfMBq5wZZupc6yaOF3DC
s2sS69XdjbqCYposcCEfl+tprpakLRb1GH05mPwilkdGzCCvc778V+8g3LyG
lvNp+5npGDnY6XBE3WWTCbphoXrVHGq8cskQGJJaiLyNlIi32inuWIjbni0L
Qyh0hqD9tAmPzKlqSfMHfn4qPR8QUjyb8PNqBi3AawB5hW4MujD9YsvWKNRR
5+mpGwrf9SyfwEnDT1ArmynfL1hDlu8yfU97IkRl5PGGZhKnPdjgEV4M6iGh
FIgpK/ftlgv0BNI3Eyu8rUeb4hjMcPFrlnO0vZB1QHDvy2FeLJTF2IgJzi0L
XTn37FZtlTrJggSxFb2JPNuI0yIpsJpBRHH61JEVcXOQ6GuOoeIwam/4eYyD
FQbmqE9ZIW7EOzmJFY5kVMB0kap3qdR5TIsNg+Wts0QaXCKiTtx5EO7Tckc4
M6pH5gt+V2d4o7K1SmuTHbEOx/kWNbl4+hcoOufqos+A+JDWS3orNFAdyBoV
nH6hbl3kbu6lU8g6eX7FMOo55+wS3sYum249KDDqfURZz7B2W3RExcX58zf+
1hXtEFDq8ySHX+ABSfyWJqpl3DmIXdiLITK871jhYimD6X7A94rMm8UUbFYu
MiEdrS0FZsF7i2tLb1eRJliTz/ai3R6pEuW8Keuia8qyRSktfWyIIepBqcvz
hAxZKFhVvuLahtUHckMLCPohTGyBjMs+yy+aGzu8V1F0UWFOq7I1S9LGLqKE
gRLVKiid0iprqoxg2WhxlbWUyFBuAiC6iCyo6mWFD1/rfR4i3TVAqoumuKZH
p5cN9L4hw/n55dCsEj2q1dlCO9CWMdxtO9TNBgn9iLbf7YVrN9uSRd3W2kKQ
tdHaN8tYi6QGiHM9ws1LS20v5J7Y/K8Vh2y1JJHo2fmFNXrpSekVaOOMpZbE
brV1+nlHf+lTRMYwXcgcLimHG87CiVakRyDTF6LD/p/ZKxl6Vamz9erHi+0/
MXUQ1xXJq0tH2RsrXdkMbHUYF08cRu3iftYgvqDfk1yo7mWYXi9DOG6ktMVr
Ch6NYxB4T99cXm00+F//7Jx+vxi+fnNyMTzG3y9fDF6+1L94UuLyxfmbl8fm
N1Pz6Pz0dHh2zJXhU9/5yNs4Hfy8wSaFjfNXVyfnZ4OXGzWqv1xpx+kBAHRB
7hSF57x+nh29+n//n86umL67nQ4qBviPg87+LppJpmgfIaUEXkr8J6znvQcX
fBzSLYYGhihcJGWIkiuQFfCYO7a4wTr+x99xZf4R+P85ihad3b/JBzhh50O1
Zs6HtGarn6xU5kWs+aimG72azueVlXbHO/jZ+Vutu/Xhf35DonKzc/DN3zwP
qedymd+yMKNoCwSVuLAtmkSKDuMmAQ+FcjYF6nvBNTB6SihgbQQ6LTbJa9GW
fUlAxDqVR5pIDfb7UZ+GxHI8NjxWhOWCharJbIkPD8ViLOFbG+8rTiGoZBWH
BleLbXdXZl7NYEXsNlMPYP2KAnUOUAf9nAvkBifmYiSjDazOWD0jaC0LuSWt
wW6VIhKMydE5spiHGrjmmOyv4uvWnFL8QNlu+afUr75IKoJZM6Rxo+ynnoH+
LVxESr/SII0RyN9QD96N9JrQT4eCrg4Q05IQBXKYu/DZUQyPw4QCPRRTF6M2
GqDgtYct+iOQyZWmsrLCZGjgpXB2g+Q2UiKVZKUQoiDRQ2kqUAqJyA5bffY4
rgY+LDuQNb1257JGyJ+0279l2BZGBnW0ftw/p87smrN4wkouUQ9yP+TmJnZ2
ESHcybqkMiVLZ2zEKKTTFVN9VXb2az3A8IXomjUX8iYWyavqElN1hMFVeiVu
ISHGXsF0c/6Kyh+dNU+O/S2SatF7+tOnbfwYhHT4HFWn1uZthcWK+R6dpLEO
jH3d4sGsmxf4nLuniCl2DKHjdZXMY3QyZZNik5T/lT5ZY8RuPM7pQAOgYi9o
yBOVKSnczWnE9eP3FKoMgEUad0PryBZRnILwkxXKbgOLJAa8cYI6RWwJHmoj
IddCa3asobb8AdxXpqlwPM5JK2BctIAT5XFIqtFwvZpiC2ZwmlydbqOSkpyg
jR+CpZ04meDJREXBZDmT5zNriK9Ddn4iPRtaLS1yZAcdwyqdWeER2EDRrtiw
jcbAG393Lhtffn73Dc/83ffNx4YNAHFZ36jvfwQpeYzCpvrud2+llBR9CSwL
6I2rEVuDv373+Yk44Ef870LGmnBhBFdHqoUzsldDD0Gz5ud382vwe92vNX/W
Fg1wDoMlTEuvlRrBT9Z8rF/Nx+43a4tCD82mJzMiP3vu70/18lP1O9ULKzxM
D6u9/FT38aO9uHPhXmDzrEX7/eGq9X8+OJdnIFLGubsxa1fsLpmNI3ToqPkT
P8gWonWjX7mXr7/2Pgb+FxK51aRD1CzJKschB5vnt/jkju9syY2KbX7yUHof
8vt1Ayh3A/3jlvMUuC289OFKUeVv8dwwY1SO4RdxOGsiI/WPZlmEDJfbQmbk
dGN5cGzIlQqr/o7frE3mi+82/C3pGlUMLG8jSy8WIfl8hMCNyIXSIXTRu4YO
8SeFWMeN14sSP0LNNYxbnDJhVR5Z+DLdoIaBJ5GlE4aD9osSteBkKsvgqrsn
gdOxPszheXutZbc8KW74hV+jNybnuyVHD/Mo0sxfpqzOcV7ZqPakT2taafj8
dCmU2hqfhpukrEclEwaeaQuBYsb62hdHKe2QDQ+rW/aIqB3vsjTSc4hqvgVG
XtuSAguWGIydx8qRT+4bumjIPy81NwiOBfdwfIshqMpPFW2MIGaiDVoLl7gA
TD8SKVCEMyIvshTQtvLYxJNRtEsiOaHz6GKZwzgL0e6y3nPb6AzpdUxeAFV1
FVJ3hfc9RIJimLpVtw2LCOb1w0pw2Gt4gedo5SedxgQWbJqikcF/jnEuWJLU
wCialMp/tyCnDQ74cDoVD0LlgikSBRl+xmwioTWOYtuHSTluotU5EREjtw0K
IQ4exH7W5am+JiS8zzMKAFjMsnvxxPGB4bH9UnrVfYrORkv59BqgqPiG/QWO
WhS492wiZa8v9fSXqAmS9vRyKWpGlTY8eZKCDDiwlctIyS+6sHI6VAfCeCBb
At4IB5LneOOHUY5hYWGSN69D0nS7XhVi+QKhK+FHT8ITre698ewAEQ8NxnC2
YM1gluhG5vi9qa0jLxHLdc+JlcGHJPIidPAjbrNNXVyTv86SRL0Rsmq2WZ3r
Q/QE4iV/hxWFLbZ+q+Qgh1kiZTnu66jbpx7VE81pyPDHkMRNlx3m8UQ82DId
N0RGZmuIvHvL1OpOt1GwBqDyHqTqZFCPpmmCGjF1CLTzlNKoXYl9WHhciqpn
NHRNQ/KVyDBckVm/pfcnmzzfENTcCI4VbjZRQpyOs1z7zMrCWFtiZBDcjzPr
7iJ6LyztsQ6MqcidyuvJseq2PnftlbuKcuywFCmWcf02Cf1XP5z8JBEh3YM2
vsOsvYCVxZvKvm48Vw5ihefIlY1q7m1n/qEj3cMAlXzUAqYThSqkwLLeK5uB
MHhtP2uoJ7ktp/hzFOxHaKaLOVSL9KpxlMfseGi0WKRXiT8sMrzjmPpRSb/J
E9qshleQumgWJvO6G5giuOiOMq6+2sUwHMErymdpLrE8UKNZjGYh1JHgox//
z+ZvV/DiN6TuygnSNFe/ugrc7YApicckO8DSQc7ZQZD7cmM+1ZBhkWEd0adl
mqD6Bj2gjR8Pe2iRboAd0VmWTPXdWqGJGCagojWA8Wm/BekbVsqxTftkxhN7
Jl3C6Ecyh+MrhM+RoyE+VGGz3RNQtCrSOr9LyUoGJ1uz1SLKFjHp049A5kH/
iIKMymJSXh+IaFmdsfoXaKglDQGRl+U1j+ImxQWoNv2PX/AHkzCZfXKDKdCf
ULz6mXAwUt5yU/QlSlccU2wX3obn+vuyWpw2F4WCZgKCG/on48bATgCRFCry
gORjZ7/xfpiTcpFdTIg0Uop7VawP2oN/mrBv6E6mgnqZUFxtv9BkIddmhJo2
beT8p9Gg/NOE3sAh+6djqv+naG0n0GhRmTmtmqWIgW9PLl/RQIdsXkAhAkVP
DEDAKeWw+yxXwvSAtCIiXSTtBUt0RG4n2ZWQXyEyDvp4wPIlc5xPiII1WeBb
1aXHidJIMWYMhOrK6I5eDU1n7GgXEVtAq+68sHZuhqHbuT2SBhM8j7DAkFz3
eyWNTWioyIllsCT32h4TZu0MxdH5YBZ7Ry5EHPVA5ELOYJnj1TFDaqxMzo6X
s8dlHJGJfK5QiTVm3CJNUzqmHN6drEvewoGcHz3fhkGrQHQO9Iktf3VDa1NL
uxiiiKMuHHvOJrKIVp2UW86wNeZFv7Xr773M3r4anCnpWjnlH2UDprHjq5eX
6L6UzHBI32j8hll4EzfxJv0NutQyCAk7bgPD4xfnRygf42MNaCCPndGoBaQd
h6HeO9+qUVFU1quLU6G+SN175K7H2mn2OJw4qk1eC/NyjBdxKjSLit40muZZ
is9GhReQpY48JBxbbaClWSTGaZ6SLLnB7Ea4TpYN5Vq7u/Pqkq6W4vrE0TZM
i4mYOyyLKly2ILospvcFubpCMSRFusxRatYxbOjkRGeJPNlhBS2q4aAHXjR5
MNoBN2IpWIkgkLmuPDZYRMP11k47fOvoxyjODZ4ifALUK0O5dHE8Bds/qYAO
JyviOcYrRAWFrpjXiTUVMZTEFe8Bs/4Vv1IdPCzPQwx+cjm9IkQCTDPLDsv4
Vl0Xlssan7l1i4tMBt7LuYhryGPuSCIbxbMknhidDTCXPFugEGW5bLNZR4mE
Vqi1/89weY3H/p+udcMEqdG9S6FWdTtZDYBR39s3sjXxF9kdxnQ29LTQw6Gw
LvgQ/YCADzE8AsmhrDwwOw2ik3LdNINX7+QxO5c2/CKTE0H+kAl6vEkUGyrz
y6V68bqBGoNUmSl4zXCb5uE45v1hQxk68tJRQxX/FN/AKT5yKeqPIxSgMHt0
OmzG4qS8CbwC9UHHfDJk9PR2Jk8ZuVbneGoWTgik8haDLhEizJwebfS0t2S1
0wE9MsiEN04KuHcLfr3zGPTcx4bQ6ihnnIxpG4hx6AVWZuMGAoFRmUSKAB8s
+YmdWmNs7yJlbtyDNNnEc71hWAqNRvskahM419s/xMj+Da2LsOrh3vIMzQG1
JiqCIT9fqQ+16+y2hl6wMzvQUjAnViEyXHr6wn/DOI3YlJyUqkBshbyjiTG/
JuUQ+0Wtbq/WOOG2Vvw2V4+nVYolXH6ZOww6DqOptF7EqobiQXhSCSrLZUdM
pPieSiKgxXu1E+jwgPwHm1R6S2apwn7VNOyZWfgdpB4lxmMiUdmSXPoPQIRY
boby7EJNrDh2Vtrjp4a1LVh8yU7i7xKUFMZNUtfl7+CZITCbTeeLTyxIv1NG
hpxX+91qYLLNgxxeeSnWV7/X6vpbiPIHqxli6CODs/VAatqyImG3lUS5dhVo
S1jyBL5DLzEKFCsDmuFmZW6WW6xP7jq2OpEcWx9x0mp5L1Hq5rZd48Um82i1
F1C6sWYM1XISRoW3twnmcRQ9WyfH8e3J8Ta8+VFf6ISn6FBarUQgeiNSNj5x
QsLqFqV1FX2/D3JonZhmiWiup4A8hRvuGHmIDsoG8Buk4RGJJHlo1CYkyDu9
yt2FcQvWPEQ6CEWJQVOHTU5BYhuhIscKt6PXc3hPUi/2rfth9UluvN6QK1r7
THSAj5OqHw9DqagDypsmB/khupJ9vU5QKCdlTeB5nZZ/wlUNKM0P8b0Fhedv
DX442fb5WUzKRx2Z/VRSaKxoZGGBF4kKs13OZm6saFhYKhSOGrJn1WTnAuR7
XXFXuUuKai9aP7uuFytQNiyf1mHDxC/jJC5fDJodDcRCAqSBWqnqRBUZ1hwU
3zhM66deofyqOjwgYVH+bgteccClGFKJ9ZvMRBEe1dJ4yTVaz0tdJQ1fJYYd
CnXXE1SoCUpR4KZivfgtNLW5woo3NZjDlrkKZvfbGkLkHvjBfA7jJ9AJkCdQ
IUBiCMvJScl35d1UuaQvCYKAOP+DRK+15WMthJpXhfJ7IScr1vNom5R2x4Od
4hBgtnuQ8z7eZHJZ2TEWUrVm34kbzrOiZLgdw+1CElVRKZ2qtmH3UPFuv0qd
4AzqiuOktC6QLS4CgmOUEoJ7ZZRcR06MoTnzVptYzBq0BG6r87V6u1Q8kI4p
ygaHSxFmapnIMKhiOYq6PRAdhjRXw7W35Cs1hDM1AnWi8cjhG2Xz3U/9bvvS
LbSgd5A6Rt1Wr9WxcMk+fULzvX4QlVqbXCTlUk6UMT2t2zJxCx/lGVyXojHI
omhJ6EDAjm7jahwb6TZCFfbMLul4Jsy9wm9ZkLy2UC2uP0ZngfkIDXRoRdtm
5CF+9ookzgYG1CU4Cw0i10DggUhf7HwnxyCRYMCQBe6YoYqVC+11lqHUGtI3
4vL1SKOxUlVjCyQUwDUyST7I8okuWKbKm2hQUggZr1RPSdIpiRkTIzXxCXOd
iGQaqpHS61EsAWoH7a0wjzZ7NwoypMXuhsgpIBiEguBl7uUSdQl4PeEiWYi8
sST7nrbbwp3k9I9x3qWyCC2gSIL6PNc9wpe/HJ97VD/L5pn5kmYzxr2hqEW2
QmXC2Vn8sMibIN5Q3CAPSPyL1kvfk0sOZuBt1JqCkTyscRPjNKJgIDJiy1Rn
juHOxCnl8XWYj2cS0EdPZQkXMa6SenAGHCqPBXlOB5mt5f16LSO+GEm3+KFs
aH9a8rAkLbDyAapvUUk6KDhbwjFxXIf3EdGFs/si0ZMym4G2MOsNJsvAPEGv
phrII3IckjsNZ2SZFh8SePHc3obJjD2vVuJk1O2wVgaURyFF3s0kStm5ZClC
LEmF96io7NWR8FNVRa1o4xWHuVI3An0Si4EP1vS5Inic8ceP9Y/AT/Qes32c
RbK21vyhVVX2VfXqsvqV3cW+lWBDyhCWaajnml63NrDJje0/1j35XrF1HL1W
w8LyeVDR0lWHnvr7lA1TfFKR3IUDGZM8mwwtSLoq+9YqEXPshC+Ku29Oz2zF
r4WH6OGayJBHzplD4tqaHEbTJCb1nTIOmXiB3+KHRF+R7Gs1CbXy/cNS8V0s
qg98StyzlVt1pRXi6DWc31tdP8qkiLNdo4KSrHrMBFBJXRLvp/t3ruL0CoX0
VYgco3hbUZnxI9025K6QY2s9kdayAHq3YlT8mjONBfMHWEg2eh/bUR8Oe2rF
LRkycOj0R3zSwnDPj66GV/7l1cUJI9O5blYN9qhKNKIUw/UfDy8MZL9eCT0s
GJUZFPRhAGiqbvzui6tTeXG54GcPd385fP1meHY0tMHL8HNnfkqI3SpDcu1u
b+sjzI4nm+9uKmNnNR9LvJV5kUtgKYGsLPoyfj4+YjWEHEf8asddNYR1/cFQ
4HGmYBNxLyYIeU0KqjrC4Ihc3gANZ4IvkBNFkPoF6XztSu6WnULLMJN6DUr1
LieKXk9TrjCZZmlTT0+Hv7JhgWM9C1Jv0nNVf1x1inlAq7YSmmzBeTEfE5x/
jKaNx/y45TkujYLUsfFwMAV8wdkD4EvJHyCQZ5c6pMpyKfbQVG0FqCqwbDaT
kBugOghWdGyhzRNsmjWmao3K7PrZsgkP41xRaw3/IOlpG4HzXHThgi1jnrX3
cmYugcRsax/KmpF2ryWNm76Cl4tmmTUJNZHNNaoBMVppk4gZOD+j1G1XAx72
8eP7p018BY2Z75Pv315qiGKCMBYMFQslkQ7lCiAoX0osaYuHoIUbKtGfeBdC
o8/5HliB2Pv4RTTXeVQ+kYFN2HJi6fvOUYv397+rJCsH7X/QSuGEmmqn7O3z
BDUnUvhzHz8mYUoJXkpoFRmU5pjQNulk2GKkzkx8xEUximZTqRr5u2EahYti
SYAJUuqE8pR479698zj2AE5bMUdf//Nn3w+PrjBTyNnVyfMTYMVB8LX/EXrM
tjrbsMbIUZqjbHy/1d32rBiJZbF1sAscNy/CcZFsdTq9/u7htr+4iQqsiP8e
bsEHnT0flk33Cgu3tks1pk6lBuc2wcVUa/hAE9DBbhsawLkSyQj3e/XD0eUX
+/4WbOePbMj8urPN+kOMSTcwHC7xXk1jTXAOwB/DaV+SRwKdSP1tw9XGju49
dS/2+U60kLcblYMsN2J9Zhsrp01jRePL6Wco3wzeXG66Hzo/Vrf4hBb2iKfv
HU/DGF3faZOK0l1rC6eQKF+i8uxGDk6GTrx62OnD+KVSkABJmLhgq/BW5C1z
i+Ye4O/NWThfFE08c/FyAv+GTXb6wNZxFscxLhewVhog+S/fr52ExZpwKzOF
fkoCFOo8KHx1RICo9FaJ3pNrEPJ+zM5Bc9ywvJ1URigc4Jfviyzd0A9BzINC
+IvG1LvRggY3WArO6ekY50xlruegZmyavmhyImkCpW2+o0XI8RjbAlhjJV7+
IUqT9pQ23lxmJp2DjvFTu6yCgyz0G6+iMIXDkywSWuIzSRDRcL9QkQ4VRyGe
k/rS0hutmIEbNeVfqcgRrWrYbqzqebaM9mHbEfDWL5QRUUPPMrCDVIF4jhiS
m6nwqVi4AN8IDaMKRJ0Lov95yHX21Y3h8p6Wz3BZRGqlESm2lJ0PN8nFtbzg
CA1JwUSvBSd2oXBEHb0K24zLz+iJSmEQ442uYoi1y3bqT2ZUzDr/izBnucbj
kcENOBtzzAhcmbjrLBjNLPldnlXKZYSgQATISssljlIX39yCwRgu+EgmGkHI
ppw71KYgTw9Tx1Vo4l7gBJwMD2FPe6yvnjJ5ZhPijj5sFha1EcsLD56ujCCw
YH+ysZCJekkxcW5WMPWtJjytVXAPDQdUrAQGVKD5vWW6LDB6ClEwUZ1qMSUN
K5/kY477iQtlrw1RHwm9z+49jrjgtsO0YKxKDUqTlPWMaPCzuz4GtlioWqDm
0nsvsanZfquql0pC6dsGxbZtqNHoNSz9a+7gLMCatXOsD+qiP7p4abvP6rgd
I87jeuLJzmBprvFV7CY1oHg29MhlnCZU14oOEG4LAgnmOCcfho03m9iR7Dri
PaU4ZYQBlX4B/aEH7sC+AkfxLLtzxk+w0s1ZcmtkRupjB5dZyLmpLXQcTWWF
8JnAKB2LRu+aGsnWSLVXhgdsFit5QBI39YdOGmOQdMLUkzCYK4ebcPYUa22Z
QxqkLAF7QjezZKxitTxU1qqwmnX5bFbmYzCrgIRFaqjqFby1ErmtyxitoMWv
02PCZsLhqCKFq0E67avhIWaTHoFGKdb2PoPJzGvpFN/iWW3rlq360rTbaVJR
0Fjg3vZGUVlhoIlNnWzTK0gAQIaBprERYppwLC9apejlRneWx15CZ8Oro/Oz
52KpJg9SE+GiY3bYB1HTN+LNkhc8cBHVl9L08XAWbJ9BXoTBT/yc0/ew3i+T
oqeSo8J4hFuyHR7dsE50E/uRh6SkVp+ep1iNd8Zqht56+Gp3L6FiZf3f256x
5WojR09pxGwiOTMr7Y3lMbY6IYXlb/UnHgGu3Ru9DUjkkog9R5pizy4pb8lY
q1UoRxN7H6Jg4Gy2RWhKd9TyGEGFQymqroLG8ykpJbTBxBdlufCUG8Q3hIqM
oGgltcFJNrQTnoPGrBeDIDq115DSCOvgq6k7XLLI0sTMg9zkJto6PTkdbnPj
Hq80F3lxdfXK3xgQHs0GHK1wHGvYwk6HnVKe29ojBn3fUe7vKIWhw7vCmRF0
5jeXz6gkhlqr/Hb4GYjq265TpVl4kiUQ8UbNgmwnq2SDBkH97Ks6Aut9urWy
qlT8WAjqRZGZIV0ZWGi8fCvIl4vl6Oadv/UOLrYPyRwTX+aK3uQ7jlimTgom
zJommsU07Pb3HmpJF6k0SJjet9ns1uyxBae60Eg4VZQcPGXm78LCOVN8BLP1
SOBFpnJ6dfvthn6T9IBB4GguLgccHBIdw2/YGqmHdciG4KC1e/hqYf9zQUqy
lLqYAejkmNobjo/xjYUjBAne3+q0u7vNUVJu+9h+OLtGIW2qMTclZosMe+Tv
z+NA4lffNNAEjbwYhIMFrGLeURCji97BLvwlIjZmMDCtcWPjtY0Nx91+v3PI
cx/v7h480MxFpRGi5LRiAyI3cGlDRUeiwxmQ+3U5LbQ42m1DX9jrbvtwz4eV
oVBrS3PekDWoGQ91DI+HivWpAXJhmcz4rvx1CfLYct4swkmsUv3R6CXxC5rp
MUKLhaLLFwNYUv1gI0cq1gLS6UklsMcWU+hxNIqtaC4xdGJBuIEnDTvN0UMH
hg/UI2cGkZC++MK/Qt34MXv/GrGyiU7BTXEK/qRC93R+EMtj2IdRLzk/IYoa
U3iASliZgjnR4p7neAsjmSoQE1v3rJpd0TVJtl5ktUN08U7hQKrTbdVic6WT
4q8qECapt1YmhKsUrc+Y9Se+W6mpoO/hOTWLx450I0Kqy69hkf9v+PG4euBT
YJn0jGpS81i7VcHYqDn9stlUEWDNLP2mCqTDPzjwAAWoJux3EwODdV0jOvxH
fd2lzo6NxR0gOdEWOZ2ymVeX18gta0amo2jsThw/urpKmElIUoBjeceuVNdR
ZVCr6MvffEZ5PBmfW15O0jf15a2BWPmCmvzuxDqjDM5yaBZoFhZYktMMjatb
4D+y4Qs0Af0hYiF5bN1O1kwMNb08uTWVkMiDZZ4YetHxU00Hg7y5zGffODXo
sLBtkB3uCosniQ9e8aniFKAf0K6RTTWAZ1YzKaRIeRoXrL4pYlNUcoYqSZge
DfoVSn7o3oqhiqxdrSqLVP6CDndM/XgxjeeUVlBDDEtgJe3CNnNG8iMxil3i
i6q8ySi1+W5GqGjohqyhlFBmbZDKBc+Sgp/R5ttimTCAQcXHbh7eqGZzjVHL
u/ERc5PYfCuQfzcC/yNt8YZhVfDZRrfd2Wt22s32/lXnMOh1gt3uLxsNLqkH
igV5+Oorhz/g198Pjgedbm+3v7d/cKhKOVwBS+Erem9XxDMydH79tSq8yhIe
q0G7sLYQlPnkfRIifcJ+s419dcstZT56gWGfpP7e0E+jjW0UkTDS1tHwcrIC
OewKmuMu80EAuilIUEKLyXIeoqdsBLyF5A7gKGLbFgWofx9TCIn/CLF5NrEp
uJkachNHTJZ8CjhkxYTlKclZ8d9DS4bn2SW7nUeoTs3jX4ruHrwsoDKICbEU
XbkmZPb7K+u0Sq6Y55MIRnM8Q6+WWk7g4JUlJfW3pPy2pWVhLxvDm0sVmDe9
X6D2lhVOtvBEz1N5dpp2gNzQZYXab87vm/obtEcS9H9DJXt2Y6MTgYJu/ZtR
rSlkxEAo+feNukXe+Ee1bFBbTC0hlOTPm/gi6eAI7L85YpZKfnLI74xckUNW
c9bvI16p9DUK82lWYBJG9UYQbSLfldcKBdYQkVDYOkKSXIUqA1CibKOoq9YO
Mn6v3T/o9rqHh4f9dssyN2q/GWm8wckmxfeRxVbxxx+Nco57s3OBx7NZskC9
69a7Vqv1btualaHc7m6/A4u8Xgrb8etoGz6n1e4G/jqC5sqG9J1GqTJ07Hca
D/RsGP4Wn4Vtq3Jn9Qg4lesFf67ch56nm+3dzkEPxu7D8vid/d7eUW/Y3mzQ
nO1jVKl8QJV77QOYd7fLlWH/Do6eP+fKq8fKVN6nyge9znG/c3gw2DsadI/2
qZ4Mm40zK2vBc4baf7fJ5R/O6u3YQc4rlXf3t+yq25Vd3/HraFhVps2qOXK6
sv1VtWf3SCqNttFdHYjHFbnI6ivCThyr1GBwAJEjN3QOK6Wt0B5fSl9oWj/8
nNaREdS1zo517PpFd8up2Hi+qHvPe94xQy9VYJfECy5Hx1M3l/KY0aoQvI9i
Xkh3QzABWX4dpslv6LtesgI2/kB231sH8UCpu9ekA7pd/YZUopskACL/UkKN
Kkx0iHfhG3yblMuULMIUGn9+MbxEF1fjjK6CCdHVQQUQRtMM56TxLoVVFbKw
xkGw4Wn7LTxNGaJV39esoO+2u33BRkOrX0F+JrQ1GqTDBMYbpKkSnh24TqgA
JYQ+YsMMkc7sHyVHhgofSLQc6eIKjF8n//K7MJdMiDIfyyTMce4xZ3JUQWHG
u5NT/5KLzFLHwbKHZKhVWq6rJKvsjFQcZTlDstL4QkHIWPGwdFwpjXBUAAfj
EtovsqJqrxTRamdlWyVjsURdNByYLbTq8gNEiJGhOlEVtdGCuhtkGXCoxUxL
e6fbGchFDa6nYs0PB0aQL7darSkr4yTyxggK0rZbTiWVxNqhb48uov0X2BEM
ABEsN7HtK3JE7V7yAdWsg/SeT5oqqZSnmOg5H3NEsTgJZ6tercgASSXiKY2g
dbWSpENcRHnAdFqdr+AzlF8ZAnljmacBKS0WYR7Oi+DDfBakRUBaFrutja8o
rwPF/t1G069Q58eAXtwldcP4gCxfSVn8/Cv6gKQWTImhxK+L50f+4SHeukcc
tEcrSyoPSgFCXX6q9JOkcVnXD375V/ZD89FKTbyJ3P6KDw/0hhAqgdXNpVaO
Do0gy73Cf4QfGyXjBuVhH5ydnA78t8BKkGIInozqSE4vLvn2O/9tPAIJwP/P
aVkuimBnB29RxEa4iXOC/2pB+zt31zvkvrrzNx4n1HsJTA8q/iew7lmZBfT1
t6qCFOPoC2z+B+SPb0N4t6e2/y3+qBZuoMiX2MC3d1SuBVu10s4pPLDDeOZf
4L/5uMjWNjePcm6tAEYTz+Zh2orClfausjgnE+wQJ1yuawwuvm+jojUJl61x
vNLI62Q5gf32T8O1gwl/5TKdb6fL8C5OWsCLV9oZFjeZf5y8v1nXTAwFWmMo
8G2SlcgSgU2EaXTfSmd/o8219PC8wezHagGiuBFDrMbXJmrl+sf967Bisqsu
VJih4/GGSEKC9etvkcGc69a62iwsVxt/kyC0Nxt2eL70q1Rx96hiDckIxKCn
S0aUU8Agop3khmTQCi+tiofM3x5li/ucXAO3om28xHtN+M+eTyfmSpy1+LLm
XBOF8ZCnvE7UCruCWVhP47jlE8Q8tV1QosH8lsxgVOEixuw3JBmR/wci0zEc
NLtTsUuCCSErJGCCENZ9X/u3wUZaiWzQnx7xoEq8nBbLvEDDHCyKiItL9tek
pMQ+A+fOQF5AYHTKa2/FbiapAtG4TdAG9ezyGM43ly1iORUodE1t99zdVqSW
wKwfEMhLIIcZJje5ZRxitQYq4jvj4scKC4i/31IMiP3NYsN8ZNRN9MTaVkvK
MLU2mBf87di2TNJq5Kk/wU+lo7u7u1Y+iZqwOWWWU1fYxQ58hqW3v4K5C3ov
NMA6R70UHGM0o6miNBeRdk+GZmcu20QnVCDzTZWOC39XWbjwd0q1pX/hJqQY
W2jNb6a6zqCFf1aSam2yJgN6HPy8ycSwqXJpbX5GDjNqpJrIzO/s+lu4HpjG
bJt/xSRm27U5zDTp3ftPS2S2QZLBzg4u+fD45Or8IkB+wJZIshvTTupZSPQh
HkEQ4sJrye4IDeiIIxyhvLm1rM9qkDnhGE/ZU4Dx9H0yeBJRoYjf7HSbnQO5
uqvMFdirArAiFywx7hSuzVUR38YDFz5+b6e2hLND4iDSmes8/UplEtZShzXe
zkGz3W+2D9eP94Qx+NTBeWhM6HEW/IERwX+uUdjA75Rwr7MHrh3Yd6qKhhHI
Y2CROw60m5NKScaO73tbp6O0c+SztGrs+0q+Xh0CDGKgY/Y4RYOCKmbfPOQ3
KvDaAJO2zF19xZQ0FvSZRHBtcMmmyzlnZyuW84W+A1SSDauN52aG5LbMvTgZ
zOzAx0I7T5omSjUMtUSf9EI14SotbZ2Ms1pkC9cfqQ+BKeztfkUnaqqxLxSi
Oqkp6aRdEvi5VZHVgQ9WlOAyqffp4a2hoWcTS9dJzxCWHZCHOd4TynCjVwWp
Fy5pdphA/TsFOOhwFs0tTgZnAyh3Kc4spgFr1bA3hy/C3sKRUdi5Aq3PXv1x
qUzG9JOlscbSW92fWgcEd5NYSniQjE/SGu2yuPeyazF+O4INsqNp0PldD5Ox
LqmchjFw5L47dMxhj2pCTmHkGXWX4w9LcRQfUmO0KGQ8Wg9mTOOmCaqGmOhx
OOabhTGgWNX/5uKlUpTVrKTR1DrLZzlkWJSOn5o0EuZzXxhC+yvro7o1l3U3
6RFlzUyaGJ1pY5EVCWNGuFK+7t6CWvC34tZ1C5cqR4R6SS0jiHNudSvfzLZa
DrMkepKsta6ZYuePTlHxRD1BAcMio6w7RgV773AzONJmlTgFOWZqY5+EyhwL
FHEl6wf1JdOZ0DNEculxMgzrZ5GVnGzd5MYWKA1ZXh2LUazUvVUqWY47klA9
cRqYg0R4q9ZimSrP2jUtGARNlsWz6+2WAYCTrNpaXFc/y5TfPZJLGq64JgUK
N/EBARwijRJSH6PWSTExtwWVZsrKQmS5v8uyYVDQmglQ5qXiAZrSDnY1ZNX9
HyArfVr0EQqtMcFv6OqqQk0knarTgIInw5cf4tSX4rOkwpqqZLe6vjU0uJ7s
HlhKAhFvPrSgvSct6GlWlBqBiWDFM7MkpKKsco+nboBbzyRFoQ1wsvGEdl5d
zr9l1/TzCnT6VOH9iobK3Mm8P3XL9qDMgHtnrgG6+cyI3PzvjEqFpwCeIrYo
JSycJD41M3VqTWNxir5Ehdx51iVo5bSiGBLtMCm5etivARoUBxGKWLRkDspX
ZvbEzEbTM06LnPFxBA1UCJjqdkY4BNEgyCVLI21tc80N6pornVtUZDv5iMOw
M0SDz5cPS9i4JW67okBAZd4dcMiWpF+3Rmkp1W6VokrrkuhRbS8TWrKdHkzt
eVhGU5WGl04TSicTdD2irwQnTvySHS5h94avbQ0Yb70KapbQNdp+rhyHi7UW
VsfBkHFT0Zph10PZ+Ihls21OwMIFEDPVbawfkuMsgmmILKZAZEytUJD+XIA9
AqpjWX02c3fIOi8kxz8AVCUB1rq8Oyblsmeg3niMhkCBR2vUG04RYXVOySJY
BbqQR60JvVHmTIlM5jARDQxsDWmFfJ9ItdakGFBn7davp+MKra8Q9IN0vHLM
qpNCMq7MSDPQlRm5LRoU4WzBmB4ce+eQgXnKgZhkPZlKAfp9iDLUQNxDCG9P
MZKqUJeP6nPHZX3jPFWtFE5Ajxtepus6PzR/KxV1vpLqy1ZV1LhifC5fGKT+
T61++9C/7TkRyg9gd+jBquOvEI3rQTp8C6TDvo3420YFMuvvFZyOfyhFKP5w
CkQXklAtqW0RkEhpzsAVIcnbp9zW5TsocSKQhyKxObHquj5l1EtineNeei0Q
FICcCNSba2RrtizuL9xA5MHVrpj8ydDu0r2zPcAUGRFVkBzhHZeQpGjH6Ff1
SU4vg58pkBuzc4ybEn9s426ZuiauHw0ns4kJJcZKRpSqqv5E+YckEtgbAGJe
CnIx053Zo+rWHNUtP7JK6wu0MqjoezQi+ltHFy+3lYbRZu4GDMYZi5UOHRMn
cjagpqDOuF7qVr1LJ88cAtLDGyhaIflniEtjah2FaZaSBF0teAQFOW2SfYRM
zbqzVCMirLrA/CE5oaYZtJ8pnbkrzKyyIM6QrmMjyb3QfgrbkqJf359Fe2xi
vAjvbEoRJp2bxEouoesrQkcYosB+KVYsl+Qyf4RgBK7MYeMI6WhENLGpgMQn
rb7EsvxFm6BaSyRrY5ZaFBLO8FRpUPHVbWGhi5AyNHq4tY0rmPPCmAhaeoZZ
ye755Uaxt2wnNNWtXHzYRHidx/yYEZnAVrjB66eMJ0tLyCOOza0ySzWDkTRV
5F6NKneXpWmEiFAD6Ft10f7WwByPvW5zdF9y0IrFyO3VtFLIFOEtuZ4Sfqbk
pwoprLJuudhFB2VXtFOFqJZCWWS1DWurfOgXo0z94RGGTnJjTYqV1YUGOvY0
vCY0JgeFfnS/kpLLvincNJiC0hkqRD4r+FGQSmiNTXVaSwoCrwpAn/yqDMSG
r7E5BQ863VdOAsdqPWJGscRfVN/i7WDZ69WlLzE5dHdu4dPRkjWy3AipW5Nw
VsTbBicrtgFc8BWu80itcLmay5qF5dLhORQpHLMfm/V+IlezGeeVHcVwvye4
9oyubSE3WIg33F39E2qV/ayEMDzVfEWwwZut1o5xk9x8lD2JHSs0eYVxoxj+
RtK9oF4yRBRC5wLHwCl0K6ORGvEfzk+rwrvnce4othN1Wd/GXwkvIfwCpg8+
FQsdG6OrHSV5tJwXlOyxsCDJWd1kBoAIulbAjq1jIlTzmVN8s6jmvwZSQKwC
pFHsqmEfeLHiUDtFkUUECFSpL7kMRcVj7TrqsBExU7nUSIIATt/FIGUqq5vN
kxm5DDPbVk6xnGCDGLHmHTNMiPWq/OQKXVphmNY/YIifWJGTgupgv1qsL/9i
A6tA8lnGVelLhG2xp1prpN7vocBOA2EKCWldGzWh7Ezycq8qcwqg9OhG4A/i
WULRgIRxZFOiyyniDyC7rL6ni5Xnrys5WauHSySo56V/HyOUB56Dlj9QbFF8
fWzxWQNgCQaTwGLN41iSIbvJhHTNK7dvXnvNVuMPEQXlq0KSgNk5+XhPp1q+
QBMsAgSvSiqb7htmldMxPdYIVZaKm4EM/I2DVqvX1S+UR8zCPClJVmIS1Nuv
y0TyUT3yuuM0bKTJ9TFNWpOE53uVYRvDVFwbfw1NKqBiw+r0aNAt95EB2Hsn
aiSDPezobkRI4c8dFC1Li0Mrw9AJqYYRW1pXgLQIchxspc22DVNlIAxGWA7N
BBi9KBfbN4IiJbY04kwU6LQowmt976rUVUlh5ucYJHQRdFKiRSRt1uNqLLuJ
dXpZkoiq7NRidDqm2yVWFZj96CVrNUBiKlqpSdNqEg0p9QM5+7uXBkL8wqTJ
jz3FbIecm9Byc1+18QFPWI7XvKuqbxJ67Bmbu9gUGWbI1NMIkCwVEAnj/i9x
A0p+xJesyb91fCwIFVxlaH9zcVJnl38gBP4PLvm6Jq2UVWbKZrS4M04CKNmX
iIIJoCZlH6hxS3A7SYw+orL0Aj9aaPdE7BFPreNJoQT/6nuYgkskby4nrEat
57UgJqkx2GoW/8fs5JW/mEqWogWQUalkbolO8KdZ4bwCXz37qcEwkxyHZO/Y
J3HFu8oWgmSiLV7wRfEhWAHtkA0k9UHV94u9wyTm6mMgnq/41G/Ow/wmzouv
N/ARsGF/g546XzuxrN8at7wWSh8bnxgmwQlcsCI1TDyUFVkioGoCJS6xQoXC
RdWeSuxPSjmITBiWDoLkxBscuVUJDVFpITiChNARq0W0K6Js0OY7ewbvNh1f
Vo1KT15jeX04jEAvsHszXCfLuUk+g5ryaTwPm3R1LYCf4KwRQ97CibOw56iY
czhMdChOXQav4jbxS39gZuQ14cdvfvaP193tt/2aUBT8osNDA5Ksi//EEt0H
S+xo6ymW7T1c1ngUYuHdhws/+H7G+v2H6xsZDQvvPVzYsSli+f2Hy6+8MbHO
wcN1WJKAcocPl1u9XKDSXvtzKpHqECo9vLs1lUS1hnUf2XfXHAzlH9n7h64o
rP4INRgJAAs/svV1Dn9Y7REiMJokC9Vg852m8GouxJqE3m6CAdaJpZliURRE
qCXLsHAgBy0nulYF2lRD0FjdKa7nNmLxNwPQt+oo2JCXR0nIISrGXNuuK7Mq
jCcohZWY1LLhfAQbibYP3Vmdk6RkG2J3utiGXpSwENuB0OH4C2IYDDY6YT+2
2zhN0LZSgfi1ObtEfLoRjgpqWNj6WUZeqUrEc9WKmMxMgVI7acHsXrZ49NZG
bRsoHKWG0Oj4kgERdT1Qkq44c6F5tGonsjz+78j2xScFo+G835vwP6/t2z+/
a9cZr1P5gp2nvG7lY+2r5PUq31Q8pFCS+EKTfRN3B+67pJyB2EAjlY00eXM3
dWn7jLAHKO4nChRfGKThoeUsbQEwlZxFY5mSSIQnRHt2VzJ3cAZ7Gwo1Wll5
govV3sIY6Vvgm7GSIpBOGjnH82xcBwuEp83m82XK8nlKoG3uYVGW6lLjHanI
cnycU+AyO2CgcVX8MHVCO4LUJOshuX4UaC0YE5g0xQMjpkosiXVQgXE9NXhL
t0k2028GWPGotJNzV/gBYd5e1fICJ0Yew6KTKMGuEYtyDlV10l+BOeR5lTZw
kE5wOYdH7Ba67CX0tIdl3255p/ChxrukgsJweJ1IKGBXSXJEUNwIjVZhcS9i
+ui+gqpu79Nm4R+fXSqtNIq3zI9q4EAsEVWlDlA5BZXGOuN+6eCiDKbHzlly
B6mNDOIA5yOX2HglDuY5hg5vOKHRVjA86QcjOv+rSXTiJEcPOWyPATaNUoIc
S9h7MEL1C+osZvEHsidRJk6G2lKwkZZ1hBwMpvT/xSJGkRLeLkB7GO3PsdFs
WXBZmgrXZtWySmlKFxllvU8WoUlgBeOdLGf+lqa8jXBJwUMbJp4e8V2XeSrh
8pIycoR0FWMcOZ/eSZjMCIfhRPup68kbn17GDkZWMMbXGcHIImTuQb/bhtXW
PpbhOFtQUEklhQSGAXMG0koYgqjkKMEGRUgYlqayeZkaCJ5Q643fEM8Xq3FM
O6DYPrQtFI9t6rtQcjhyvAmyB5VuwSQFgolSQAXjXNplNE+R0HbahBUcGz4g
LNzY86jO1eKKyPhqaKqSN0lFVKqw+Se8wmDtKLWFneiShoH7ELPiXXGEraRu
mTm3h76RtpLac8+OOXDSiu2vPM2UwxndCpbbDUsjZW5lmKi5tC6U0LDFVGtd
YYiHyvmPhy5RUWijjYSgzBiUGFnHlep3YU0urlXIUpXYixSboc2ZksIKDmqI
Qtr60iSNCrH3JrJumT+/SMmajPsO/G+HP1qEic5ga+cpVzGvuXpTP3QiWGtS
LLKUeDkZqJlaaxG8GhLcb2I4mBxsTKmNVj23f6Q/XGWtlTPH68Gzc4mJvElm
IOMdiMfox2JSlcpNWWQzPEHmfX8VXm/t7m+rrBG26xS0hYMSUnK8S8W3lHfZ
E1mLcdY0JGDq0J9gWH5yU9oI9u2EIKq05GKypFXzLmkmGjBLathEYlTwLcOf
9SUpb3zcLLibRjqpkAPTplPkGl7DjuS58oRTICi4AgbrCvfEq7lUmJs53N9M
jhRn5ChOzg/aUYESBhCsTVhgSCG5XoBIpVJ6ID1hEuLC4QIq22AlKtqaNn0j
Y6zyEBcOyL55nCyBFemKRsrRYw62gBoMAxad2gpQJYUYJgQzcXWkruxii7kq
xVMlGf1Wllc/kgFs27yMszBbHM1gWMvrVmNPEoykrx5XqlHrfrFJ1EJGdXAB
SXImjCJ9sxrWSVzMUrNZXo4gVUrsVLOgCErt5aaSBGPKmGriDBu6zdZ3apAk
lsUtjiCuOXj3BCrwrjIuZlR0Qwh3o2OCi8NXlCcWg5b/bCnHmV8BlsMOpdBA
OpTlxElV6Y9nYItVDkmgL6Tajc13dWoURweC+vBlSXSsc79RPs+kmK5lycmE
jIihuqeRp+hnM6sFXExZTUfwilHpLWGJUNmt1raSQns1WbW2GhDGEKyxSt0h
iUAOdw+/ZW20RtpvdWBXt07D93geUbfT3V57rbkjM7SAUU9yYmAXjb6jdtGJ
HagmVGIJrfAodXwcM7BKuCan+kT+t7u3e2Cmgdm+oBkLyICQ2VfY2WruHwUe
pRM5Hx723UQEJm/KRqXOhmkvJD2ZsEMorL/Q15CqbFXK8uQabzmCWq9L3YkM
P3QevFraJzcsfbNW8MKExdvgVBuEKsQwd4Ybc19tBIRXQtmGbZxZLbt/2FHQ
cWtQ7xUa138H+r3eyH9JFHw18woa/nr0elXjz6LYm58/g2dvfj4T2d78fC7G
vfn5Q2j35udzce/XDvlRBPwn1qzBwv+MmhVU/LU1H8XHt2p+LlK++fkzmPlP
auVR9Py1C/Aojr75+XxE/QfqwjHIcgmMqJ7mR1Ig1KQUWUNmT6i5hsyeWLOG
zKonmFTmMk+8PdYvc21NZWtoPjTttX0+fP5MTbZjwZW0UcddN1bxTes4taiK
6lqomNTpQskpP6G+X1e0P9o89SBOok4T9RfiJep5O7iJeT1u4v8AzqDbq+vu
YcM64t818D6fBUOnvFO0wsMFonu1BohOVavg0T2S9VHVQkS681VEOpMXog6M
TlVexaTjpoo1cHSfgwVlpFAzxUcRmP6NCVnb3L8xIT/3MBq9DXV6IslJiyXC
I8YrSiMGyTOFtTuAfnSb1IrKSk5Wb0OpKjAprEZ1s255vMxjhW9Y4BepbJAa
AhvpCFOePv835OO/IR//Dfn4b8jHf3HIR/ua/xzMx24HMR+77b8G8/HwsB9U
er+ANUP7EKPvrsZ8q3tpi7IcbD+AAmmLyX8tCCQ7HEdT5R9XBZyk6WIYZU3S
ICsApR5OCbEHV+L0KB7IvpLF1sSmDzJVroCShKlTgwJrMLCHtkEbxoFaMWHu
SvyLmsHDGZIen82VjlJcF/D5vzc3k2zoCbuS3tvoTpykiYZnADiUb7A1MpUc
18p+KqOygfdaa4fopjN62nK7MEAcSqaXxAzcWUArNXVVb7p18eMFsOFlOnNi
XnwrBF5jpmxTeip1fe+RndauolhRdcJ2jPwDapLPx6acqNgo7bSIFj3ywrCB
ZSiNcZMfazZpSQKMGumwVB42C+SO2bKY3WsvSVM/pIxFoQH4QV94O7LIVOYZ
m6o6uMAQjkV0JkrQjuJ6biIrLPgfNmfKS7QyD1NXkt6uU7oYE43+3NSl+ejE
ZUmpPAUe2ktrkWkaJg4llCQklo2THwkKwcTqmCS5MclhEiRd3VwbpSmZWQEs
yJMUGqkeLGf3FtwXK9LGVLua2nnccVEYkWjwMy09nlq3tbpNtdquCSWXPJmM
6kfAbWM4aZyS3uQOFMJgIcMmudnDZ8ju+86JPyeTqfMWohyec8R9JMG6yCSF
DJmHk99ihwTE/0LVRStrHQbGGgL763GJngJLpF8aGgfE+FQQwoupNHawi1zg
F8ZbcYGQTE0BLVoLWYQrl8POOLhFqbyXFKVdvbxciYCzKvyTfMP4iYr5s7bY
X0vj9kD12nrsXvh3NG/t7u79Y9tKQCMX1EXNebedequRZOqqMdhbSWrr0dZz
IM7PbeAoHTRFKV6LvrtOWf3HYFXWNSbPg8Il+rX0/BkgN+psVoMp140kqWCz
1GPf6I2rwiYoC7+uvxbP5kEwm4ctBH/p2qvoG3Ok2HjuQtqg96LFRtetHvLs
GvQbU3MFBedJ4DemfhUF50HwG5ILbCiIFRicJ6DfWFT1bxicPwmDg7r3PweD
w5HHVTPYHzoQq63wKbaCqulT9QJ1yN+GIDbcoDm4tlSjYnBwNpwkOXaHTaVY
hWmvQO7pFzBhS5MGZE2/FNkgo7cuV/I4NzhEo3gFoVyk2RUxtHr/0Hro9TE1
NytIraxSsS5Fk9XBFpHkvK9sxMoVzupsFUfNVmLLTQe9cFj/qtQN7lWgtWVK
AIGWiJDIv4uhXGLxwmbRYy3RPWpB/V/CgNTCVuO/WdoCYYuB/CpMcK2Ylf9B
MeupUhYreknnBVLWqpBlKpmRyMkzOxfq86PPts0tDaU/USJbVCSy1ZfZnTjP
V3HCHxbMamEe9ZYEDqTi1XpIRWtNCFvxXwJScZWsgyfDVVpjsijwSXCVpqrg
VrrjQKIKiMKvUE4gy/nL8J5VMYwFvwWk6TbDCokfte9A76E77P/HbKOCilqB
/TGnruEeRX1ujeZEBURayHJa3WAqZzWyQ0uZQlMD/oMiU5ZqgyT+KA95HlBz
5dJ2Z7WGLeiBb65iNGslwqOcwRHV/80i/hdYxNOgVQIfo3Rg742zcakA6sW3
2Xs6+ops9F8EvqKaewoIi6bMWjCWmnS///KgLGs8yf7VwVm+dn/QoDwM/M3/
wiBKEGDvlKEPDQXiFdb1K5W+9v5CjJd+uxbjRUs7UKAeDUSVMJgv/XY99ke1
pI390m/X43+s1LExYPrtetSPlUprTGv/ZbjBH/tRYDL9dj2iyMpAbFCZfrse
T2SlUgVcpt+uB5dZqVcDMtNv14PMrNQVsBlkw08qXwc60+/Ug86sVq5TxP/Z
zTGE23ka4e6sewdiE0+k6LWauT9NagpYp9954kFZNxRs4onHpoLR0+88kcrX
vq//8CqsbsgTz05FNseaTzw9K9Il1n3i6alDU+p3/tBRclCV+t0nnqi1Hvh/
mg7hhxCX+t0nniobeanffeI5sqCUoNITKb4WtukPIjGxBEOpszRQkhNKVoG3
4dAt/zgmA/KR7UCJEtY4ZhLMUgayuWCuXPgnJp7TyKtYQ/FtRB+27iyJ95ol
k5j01w76Cupkb+G1yRD1BK96no4ySaKlEU0bnuUdWigYZBWBLJrHYolAFckc
/ptQOg7K34PRoRQESxpeq3EKWE8khWScx6pVVxdOQLvjeEbflXeYtU3MWVa0
sj0Q+jZRkYw0JgqiZJuDhY1EUqZpvmF/TCHKSmJjTa5HqLJr8nhJxjPVuh6b
lWAWRUoP3jqzGTvgYJy3jX9uK3oZtxWVnAqz03rZKnzRsUax9gje11IeqSRH
IUOe269sks3x7YRRzHfxCBq/Qee/TPunYOqupJx6LIcvgAZCBG0NTSI8GBe6
XzRnFHbh6KwQr0FgOejFGxYZIvHeexOQYaY1eO8kD/kPrS1pvu11s0C4rBHq
SORCU5aCqiGso5D8JxIEQ8IgBDb06X023M/CEWa6FlmejBzaFzhW6kJJuxR7
ZmroTToYj3MrOxs8EfISRkMmGdgtq3Cj4tOZI8rOnDJaqcjt0piZZvjwuIvp
+ZErjgCfUweyISCIyfEfzWJPHVryAyE9esMBoiUZEVFnzI6qAA4+vjQ7hG1R
cmiVFaL/OL7skHngAuGxHZMFnJS4lIyS/cITA9+lVDZqjmoY9kT+2DgIBjzk
1KxwkMNcBsMuQ8YbZ54UsbeVx5MZJcs0KCMrQrDdEcWh5DEP1z7q4TXeV8QB
kKooveAJxdqEjHjESYVV8i2smohHp2oCGSBQ8TL3pnF4ey/b7GRZFde+rY0B
LMh9toRWM/q3gLr4L3CZbzb8jeNMKFzMUHjH0cHF9zJ7ZkLpbza2GzIZNSY1
FgNoF3o20ZmsInSeEIYWLi444Wx+XC4Mepc0tVl4Vbh+7y17+DoMRrFfjxrC
BhBiSfnTWu7J+LE+luyDFgu6rgKQTsqvDDtPEUMXzuKIrZhkrJVliaZZVoin
anGTLCon2WVSgsrHOLs61wCHCR1dvoLbmCBfELbC4rLbOCV0u8wRigmPJAFs
MRxF/cHXRFJzGPi2VKfauBtrAAA4GwzNRkxU5ozuW5yB3Bxzz7SYTLRW5StU
1DB7TTObX8/jcpqNnQBuB/AldMh4FFvWSuNgxn7qIiD4R4PCm8HhJyi2hVLW
SAYxwrKGIpRxMFUa4VcqG/XwFiQBAahbjVxRrq6aDao0h3yR4Mc38bjhoa4E
dxQWINOp46qDdDDxWetK1VsOwOAr/D9LCiRv6UvIuJQjQRIciIYaYJh6yrEK
izAz0ygzDxF77llnmN6rxKIq3xtay+QmuV4iNpnRNBXMocQS5uUMjJWpRKDi
UI/3gb5IE8E0U9ZQTsLByZmEMXjCEF0IAN55Ay1EQ+U0r4WNTElZZG5jZo/m
fOt80eyGKGsgZ9OcamiChsI6vyUfAT0GsQ9jXkpqWZJHFKZBZ+IeN8iAa4xM
oW05K0J4EUdGAj+ipA2XyO/gdkG5C5H5wrKkgDqBg2RYDYnFHlv76V+H7LjE
aIxoBw1VxmJaRs4mwaiNhF+DK48UiXlEJGMdF+e8ER4flLOrVyzqkSirtf8N
BYPhDk/6J3EeawKviMM5azUFL7Sc5hQ7Q7IK2cgnMWpEcfwFI8EEfmdbbzPK
tYp7OKKqCHJrr+zV9BkNr2vaVZFTmBa3YBeTRBBqcJFJ3YQfewh5Ei+m8Zyg
ZQ1Xwwujt21eLapBK0sGPYg8YViMBCNwg8gmTNwL8dIlXGEIdNoQNwZ1MnRa
aOVMSstps3YVnRdWiZbzXWiXCpwfPx49xnK30p/wuDTeUDWZiGfjDI0MfuJY
QcbP8I33IyXDISg2ziFFQhlfNs462Yskz1lKQmNL6bJRHuVLXM1uQmcdT/dC
xWab1zaamOA3vJwSicEpwxu0X8aLgi9ySlcuTZXhHCWH9BpechM7/xBd64yd
JSPjCjyU6F4SQblTs5bZryyzEnuw8VEsqbJbbBR5xflDxEdYPHp/IC8v/8Xl
qee9MnF8YqiUC10u0JCBTWwn/qo0PIq9cbyYZffs1xISs0TtvhbLpF/0pEgi
fa1ZIWS0N55qdBNdthiXCx3S6Dk5yUw7emXYt6tkUXh074U6lbNJe65QiGG2
27IoV2gZOmaXPduS9qOS+AgmUFbLw90LVfFKMlF8q7FQPhY/fgo+WZaKF5pd
5FULdceRjeWkJAXF+FTGY+wiLERe44peOEZ/a4K7yViRMMMcKPfyaGF+xlJ6
6SQr43w6nvSv8sO6ggImcyY6pdxjUIze4pZkaDQguJqXDDI6Y5q9ZzRKaxgq
m7r7eBqrLB6w50gtZrn8LZQAlnN8fbMgqVVA2zVSvlywdFC9cFnCzEoCbKVb
v+Xp4DVafVXfjY2Fi8AhxEwE5wlFgdiL99DCeSOFRxprMrVUVix1kRVNoCTW
XN8shtnwl64vblnDoi0rHnFgUiIqYCwTqUySWxQuCjHvA8kxkIBvOxRqw27R
8JRGBts/Or10ylUAkaJ5ofSVnz5hcHJB+pyGhwEIFshyk0CW0QkWG3HOL3Nb
K+IYAdhQFYJTdTkdPvDuQlvxInK7ahVlKq/SNOpac9SV2H18xd52Uk00Ngnx
Z8Gv1AokpBtg1MSw6VFgnBLwHZNuwq0/QTxqzXu8AoRLWUNiaJGoLClAJUIR
GC78McZGhmQ3RjHhmkB27NbVNvBlqiQN8ybmz23UhcJjpSJ+fnTxkvwVNMW/
otQsUGAny6tvwDcXL1k2YvlFZCNONOhoDlASlyxRNC/ydFSKA1a8VilGR+Gj
u5CJYwKazO8Rd7ihcGyBkROc2z1hDJawHyF6CC9FGWBnAhorEi61p5PShHlb
ceu61SAXPgbs2t3dw5dtlpMfsD4KWt1lmUCcsUoWK6hyC2u+qJ3Plr4gUa/J
/HKv34X+kDPSgw8eKmEirEj8CsaCvoakjFwQ+IDHh1lnFncwpj3Ld5t4BEu6
yAOqh5dWDdty4di8Wji2Bj8QLQXUHYk37D9lg9Axzh4rHT0eiVcZCazU4NWJ
rylodK+BSECWCq9dX/dCp8g7G14dnZ8953HtdXcRVxAHcTG8tL5grLkWBbdJ
+jlU17JC0ki1kfsoUpELWuHAQHL8dI+BySB5a5bmwZANvuG+TztK3Ou7NyfH
Q7KBwAuM8iKsvL4SmGPT7Z5fYlcKt+Cn05caGbkqdGtV1F2GOawKJcdvrNTc
4PXo7R0cMAQ4jsb2ruIXNRaOBRBXgec1uBtF+MroqCBkrNxN1tACz/ub/zEg
1/yo/AR/+JjG6iTg3wL/qehC3t+4hnIFh76OWEzQTeFSCVzMdzbkQ0vVhYXQ
hc92Bg2Zh5o5DEvMXbhiGgGp9VdNQXuL/G9ORUjKFirO8GuLtj6DJiqghEx0
K21vmDwgGCS21+62/0G/HR4cwm8anVzVfYXriAoauybF5tftBc6O18JFOZSl
0pNXZT6T4hgqSlW+jabyuVY/qK/IEam3tyeHU39viR98Tsfrj4t289x4jt53
BJZ+/2gDaNy5U7uggRYcLN8qNuSTV7FCtH94NSvtVFc1f3BV0YHwf35V/UdX
dQ3y5iuGAkkzkX4knFghnfLcN3TotRzJU9TCUkYaCwL/4xe30ftPTzmTpMQl
sSLw35GekmXVHTVYELa/fA+X3jvlTEzNWUz8M1a0joJw5A4ZWYOQ3b1cjspq
qerwpOiFUrMtNDNQNdIsjaXUuXJkfrCU9rB1L1hVEkRO8WRh+OFb9fhGAYuc
hXeOhxe+chxXPPiyXmpQrV4S4LzSqn6SSuTEC2JarswVlcrVOCB2jVC6Yeb4
vj/Ks3BMiNS6NXx5cBfkGEyu605kmhrX1YuTy+Pzozfwcr2SGgOzUYLqzDDV
iLllqErq07XU8PdKeNdMmZSUDPYbDKZZ4uo5Ad/3BSahUMN7Lvg3BrIqX7OC
1g4OjM3aeuOogsdoAZD0ArMk5NQehfGw5UMh7VGN0/A6iURLvlVsw5dn5ktk
Eibij79uwTHUdSN05S2m/oQsW0jQSBhcUA2at4LQuWiNYsQ+Q9t7LhpepeRg
lKa8rIT0q7nZIHjfWUSUcggDCMaq5MuT05Or4bE+P2wboz0liGKr6Nn52VCt
LMO22ZtrOjpixiWa9Fmc26NSc1QIWuHMYSff+FsKmr5g3GV8Xm+bIWjGd3l6
Yg4TLsflzunJ6ZCegkfyXCLmYnFFJS/jl7gDT2KR5yfHfqfVbR3stludTq+/
e9jqtOD/e/DPbruBvtPjZoTJZZN5iKxAnq2YhObqT7JLmavSJtWlO3GSdVGm
EzOpsLgR3RjbNkMjGBmFkZNppxApragTwXWfNid+YGyaqKQaQ0qoisMPC4zs
QVy2+E4XrVzkdtiJWhfFn/Xr0h7Om6vnzQOFJK+zV0hOI8kEvtvGyxXz1pO6
rNrc5cmxak37o5tUI3ZuaRtU0Dx20WZayYeAqWfQBccUohAY62WYr9G/Ody4
hZkvEszUtwxnLL3LVheoq2fVrMm0QC86zBmWj9ESz8qFjx//DwbZd7qEKO4k
JOH5yVSNm72dhUXBzoVOEi2xpQi9i7WI3vGcUIFMrPIi17mSyKWKC6Eem1jZ
aXwdXmDhlvfcoF9Ri4yThQf91fCMoPbH9lRbTPT60a1yaBQxXvJlbBYmdrJP
aHbPsQp2jiBO+KAzMaJRwGJNYXSjKZIvfTGmEjRew79OMEOcjcJuPW4oNONe
Zf0W+xb8WcI8UNtwS2YoJ1eenTWM9DaclMIot8h8IumroNvFstSv7tidkjyb
8NaAtSDg+OavQFFMeVbKNn/r+evjs23JYtDbO6QEmkpHuDFZLkdh3lIZlYFX
bHjejw8NXc1Y7c4o1rxWOcUxaWDE/q3Y4hDgZozuU7A57AxK1Mj8Q+tpc+Ij
j2wTIXHOwpwc3kZLSURBSdJ5D0ux08MDGu/fk+HldybTGvDE//CNHTjNdFWV
pcpZ58LfslIZUVarKj/BYpwsy1CkqSSHg48GkbcMBc0h/0FqKXRlq063Sikr
a1ZZMkzZRvlh9MvHwjHg5CDpPQcTITCwdhJi5YF6Wcmph88jNDznqZjk1/Zu
QssTbouOOtr9Z+FCG1k5+s2PJwjRWXzFIBUTxAMqltfXaFybx/k1FNmJsgz9
ZknXZPlAhpULGDX2cqM8sjxk42RrKTAoOZJ2W0XLVbaR2g438oJdSv6YckSl
OhOaqm1ZXeNAkb/DQwUvV1a1/+5fYugY/GtxG+Nm/ru5YelP7/fAilgK5K/A
+dT8VD6G2j7lsdaN+/TH7y52tvn6v/5O9wOwkv/6B/bdbGILGCX1YAs6wK62
BcyLaiGEgyzGDj1NSRpFKVI3LwyX0RdSsflpzf6dijnsL9Nu1TevdrGBIoNn
8ozttfqcZ0zfsMR5qowDXuwOjDsUQQ2eMplvcMQivTcC8k6mh59SKNAzpDaD
k6OXWGkUVvgPtIn7Yt3W1O4Zg2HoPEydfY9sSZRaa+2SPmUpdADjX7UktSqb
v2hp7AjRx5aou4vGAJq95ryF58F5EKTfhkGURXA2kciUSYIyvbJnnKmuICFw
VI4xWGx9ePsgwqK6uzmBkg0IaF0DcOXMkptYSZlwuEnKxAjKEdxNOPqhJMSj
s4fuIegST9GcWZQQGxbWr4pdOaSg3hsKJFInGdLg+SZE/+Q4voXz9vHjyfHw
R5ZUOf55y7Knb4ununYCEeEszC3gQ4WUz3fxOGbrXM5mVI5ZJqGM0iUuSxC+
xIKm2r24HGDbgcSqEgN9Nvzu5MwfHvmvLk5+HFwN/R+GP3Po6OmL6Gjwejg8
efbibLqXH7yGV9LFMvuyHM6ffR8/f//6h8neaPF8sHN49l02K2+/PCzOskH2
3dHRr99dnu4eeoO74Yvszevj19eD4WDvrPN6N/5tcjr4YZ7FUT4Ztc+fnUad
wf3wxZfPBlc3z/sHz4ury/tnH4r25ejy7csP3vP3x+fLu2eH1y+/S7tXxdWb
75fz7/d+fHXX/2Xn6tXu9Pu7r7/mWQzPjmvnYKKEZBtsf5YtA8+0XbMmR8OL
q5PnJ0fQoCzIycmz/Lcj+ODt9eDu5Nng+mT44sP7L/u/DX54dn396/Tm/fmr
16+PB+8H89PL13cn1z8f/wh/Hz8rs/DtOPPG3ef9lz9dzKLe6+UvP02no5+e
Fb9c9t+Puu3r1+0hNBmdnb4f3p0dn/ROr67vz69O795Or1+dvr/pn18N773T
34Z3p8cD+P+z8PTZ3Yfv3g9+fnZ99uOzwZur4dXg7uWb1/D/N52Xb36+f4l/
Xw3uT5/f3A3vfn7xQ/bLiffb+zbs6c8n+Af8fjx4HX3W9nj2/jy6PXtnv5w+
j+5evIZ1uID2nv089J4P35789n34dvDd617xMnv/y9uLmx8H19+Nnofl6eDm
u0HnzXh49/rodDC4++EORnr387Nnr9+8GFwOYLF/Hnvhd7M0fDGexped9i8/
nbVfzn/c/flt52703Zvlz93D8vz9Tfvs+PTu6FpPcwi7dRxCg7+8Prnzfk7y
0e37q953B8vnvSQ8f3133D/++f3JeO/9+NVgOvjx5W/Fq9Eoio5ujycH0MIv
v17/evDjxftf88lZuffSG7wfDopZ55cvh5MX+6/Pf/r19PjFrycv9n49GZW/
dF/33vy0WKY/nB9dve2Wt69OO+mi82s27+xM7t9Egy937rzlovxg6HaFzgzR
Gmct5JwDyVQvbpsqZMkwmeCvDUK3XMU4tRbmLQl0oKFgpwR+z99qf+gaCIZL
9uTlewOu1HZnr7O71+vvYrledNjpHo7s4hpzVIOZBRIWixEIwLSG7DJh42qc
UNB04B+d+V9TAjR42jRLhPmwXoL+kcFiU75uTpzkGVwlz8iRKfAHCxAT+37n
MOjtBf19Qvv2vzu9WqkwmOCVitrUe9/f89v9dRUuOUPAZwxSalQQMrLAGYP1
pbVgeRHWLJNbpwl1An+r197v+qOk3F4pRkLhsghqg0nb7WC0G+yPgu5+sNsN
dg+Dw0kQj4ODfrC7H+zvBpNJMIGVaAfRuL6F/jjodoNOGOztBr0D/H1yELQP
g3E3GO8Fk16w1w7GB8HhQbA/qW8h7gcHu0EfGomD8WEQxcHhHo5qHAXhXrDb
w2Hs7eMI4dvaFg7HOPj9cTCa4EigymE3OBwF404wHge9Xfx9t4NDinv1LYz7
Qf8wGPWC3XYwifCX6DCIO0H/AMfWmwQH+8FkP2jDePr1LXT7QRe+jXAMYQeL
7XeDsB20w6A/Cg72aAD7wUEcjOI1Y+jhAo76QQiLuRfswXhg8GEwGQfxIX4+
OghCmCYs0W59C5N2EALlRsEhrGEnOISR06oewqjauP4wyN09HM/+Xn0LnTEO
tdtDAoAqe12cSB824iDYA0oYBRFNM6aFrW0BSk66wR4MlQofRLiVsIzw3y7t
LNDYBCYV43bU00OIs+h0sJGoGxyMgwm1AA322rgm0HUHKBZodX8tVXdowLCn
sKEwfVjGbhjEuzgAWITRKOh0sdlOuGYdOrh9e7D+HaR/GDxMOYqIksOgHeEe
wUzxv2v2Ao4DENukgzTTiYKoTYdigks6ghZ2gwh2oY2LvHY394MoDHp9PFO4
JrDv+3hMcCQxHgfYjr0IP+mtORejfawLxAyHFNYKegRqhAO+DzTWC0I4LLCV
cN5hgmv2AtZ5LwyiXtCGFYNl7yM1Ah3COsRAzCEuDizj4SHOsf5c9LDrXTgC
bSRjoN6QqAu6BkYBWwkbur+Pw+it2QugZzg10B0Mu7+HrAB4MxQe86kf4Qnt
TpD/dNdwmA6MP0aqg9XujZC04JP9OAjjYP8AmQxUhHOBDY7W0sPBAdIPdAe3
CZBitxN0YUEmyF5gQ/c6yCH7HRxM/bnoB3FEiwkHsx1027j7QCFAQrCA7Q4u
LNDVXryW0wLNAE+GpQaahLqwkrD7sInAWGAW0CwU6BL3gz9rW4CxHdDRgw3t
jfGcQt3oAGsBy+rAeIAg95Had9es5G6M1AIcAPcxwrMMyx7BQdtHPgMHHGYE
i4nnfc0s4FTCKYYTCvuI/HCE10SHronRZKXG8AMDggX+Xr/f20dho9Nutzvm
mvup3z687Vm6Sbdb+ZpBs44UeHEJT94ILllEyFrp82gQXF28GdY1g/fzGzJd
PlDdeo2gGNQg71X8ra5FJR2QWKBN0IG/0myvhywLuPEzWOpnuFnPhsHzXnD0
DLdgCIz9CK9pOGX7R8HhMZLrn8SP2Ovjzbvbrhu2EVv/1Qf+2ZKoqfAjqs0N
OaFQCAz1ALkX/AJMd7+DcgEca7gh4e6F0w+8oQ8zCvEYwWHqWiwNzg0wCaD9
MdwM3aA7CkLgfMDG+C6K8GgCKwIGAFz2oIsLAmulqwP3Ai4OhwYOSnwQ9OHu
ohvm4BAPEJxL+Bx+BzkLrnfgT3DKexZThyMLnKbdxfsE7lUoH+3heYWbpH2A
DBVkJbxk2sitgTeAgNCzuAiM6pC4Ix7fHl7dMB64nIGJAk9F0SlC9gx1O/vY
VIcuf1094gs8RvYJVXDR+vhfWARgAHsjnClcCMjVImRIsIORdbePSRKB6YM4
CXIQ3KjA9to9rAtzBLYNNAPr36YGcZVIcDOD7+CsYcVgeVG6hK47KEnt8Z1A
AhcIBXCvAjvs93CmsdX7Lo35sIe9INMdYY9wieGawJLSDYbi0i5eCCC4jQ5R
UjBkQ7cNCALQEYiZhyRHgJDVh/tnHycL1HIAXHyM/cKVCAsIDF5X75FgCwcE
6kYk/cEewTjhvyAhHvRwO2DpgBh6JJp16Ioz+94L4hHJ4IdIurD1cIGgtNvH
VToguRIXZ4yLCTQz6qCIZPcOvfRi/BZ6h0XDG6CD9z9QCFw4eDnv46T6NHcQ
PA+swcOlhyL5AVIaNAJHZhzi3QLDgBsDr9wuihWw/lALjg+MvGdJ6CCCQXmU
GsZ4RkZ7eE3BSQHagFp4kUa4+CDsw4kAkoPW2tbg4UMQW+AodalTWIp+iCcO
Nn2fRHJYQ7iCoB0YCew4X7Cm932UFOA2hjEAWcIWILF1SRAe43UHwhQIdHD7
waLBfQ5fHVi9A6WB7Ak9gqQGSw1XJVyMwDEmfewILk/YFziDQMZA9iBFwn87
1tyBKvhuh92BXYbHEGwZSJEg9oIgjxx1EsC5QLoa4dMEu7C4DUh5B3QQ8HjG
uNG7JHrj/Uy3LohOsDJIhBMkHiAJ+3UFG4r7PqZvSdxArkLvKtgjaESkBnrz
4Vn+/6r70h23lSXN/3wKw/1nAI1bXLVc4ALDfZFIivvSblxwk7iTEiVxuTgP
0w8z7zVJVZVdXs8Z+9o9Y6BcJYrMjMiMjPgimBnxQP0fV9xxRrsA1yQPZrHw
z2Jw7N6kabL9GIM7SGzb5aRCnYpzWmT8tocpUus4kvkyDgfNgbg/i8MJ6Usc
jkRks5iU3MKc52uQYpKozFhPF78R6fteB9Dcw+nEZzIJ87Rx5g0xxBiNBSRb
JImLVN6T8/c7shGpk0bDyRjThr+8plYML5e+Bk02nPGVhov3kwRfw8lTMu+4
cFgrXftTG8DYzmdiPqpRH6GP4SbQiF0IxzBcwYKBb20f6mBm023q1BG1ZbqM
eN2wKnO/SHV3d6LLG6/FiXq/yvg1aKsghFfLpEJuO4kYDnR5kFY6VDJiUu+p
pWT5YZyivIg7vVfY0ZlfrgcjTLEgH4Pdncv3unelV45xvCzg27lknZzOj7oH
nSd6i+ldW/akFyIlWTPNmZC88jbsYT7lxtAU0KsqyKjUyOdzdm55M99oXtST
9dG7NCw0YnQ/HI47xdifz1Fs4BFeL9DBUMMo6xDUHfvzMQ7UO3dbVl16Pfd9
F3NHFEfVZLe9Gz4k0Kpr4EybBCrH3fP47h7vaj6qBGY7/uStMEtap/S22A+y
uriQa1ZXFpc6q/ZwGBsDL0KE0Pnnkb0Kk7HyIkRPd24XdLwmCkx+vmvUUhtu
k6YLlcn1iTPeNTenKLplEtHYLTt5C20KQdydWQ3fJ7AJryuprjrDMQ/2gN/w
cevdnU1P8kc323qmt9/QZM+SZKDkMs/2TO8xkK3DJqkJS4q0gMiw1HIi1Tka
LGgbijxugETJc7D3k/grx8iGHkYhu19P0IiapcnR5FFCRd/VSZnaPOKvYq95
MhWQr2/+4l4gvdBr8aX7J/E9aSSnjBmnTOWQLoZow7G+bZ0xnL5UnslYeHa7
JtfOWIrnCgpThz5RzMp14tOK0ywcrx2zoqWKu12WuVidTyISsGt+3+GichXO
jRRt4zy91db1Lm/3K6ivV70TDkg5HHV+47LOjlgfm2OZjrd9MJBOJEyiHx01
r8SmqxbcSbwbMS/vqfEae3aaQoptVFPrUE21Xl2DpsQtzqyTeH9sVTFx7nGD
rgImRLkrjVS3qKfYJY8gviCn5aoe2fMBMn0M5yZ2PNqM3dfVSQuo9jTJDsdY
Fct0+Qpl/B2f+Yhtp1loIa53X3S+Nwbmat+fJRXCwQqimFEobKSqG768D6fb
Ia8DE01d/SrG54bT1UkZ0Vu5ZS9BupSjuPfHbXE7hfApbCAaF8/mqATJvV2n
Z8btrbCm2BhjIyw4cuQIV8utcLocpzV7gptQ1bim9qziHh0t9qLeeYjE6CKi
lN0FZpHTdrB7ulyyxVLbhHfMs87H3OF7tyl5I5HrDN7R7nljIXGlAxLvrEuF
UEOIa3xzOrdMXmYH6U4fzZJiur//pSD366PPL+8xfzDw/cpyzO+6vnylJYo8
QQKrQe5o0mPJq9DVWlEd154txIclaslILKZtodJ7nI73zgZlvEpYliknJmi0
cqCrMlYaptfStoq1Gl3yhWpUWyFWpCsF3w62Eyrkcn+QcDtjD/gRowqrlIpx
2Vj22JBtCKWF4OaXtanunbNfVVv1jrXXMMuSyOxbc0wKXxuFduyPo807mBen
mcp1vMS5u/S+2FgVkBa02VTZZfBG2Nlrt7KoV8vr/tzqXNM3GOzsuv4ew+HO
j0ie3/qa1K92N8ORws7YUo0ORRU8bC9mOilZwOzOzfmsF/iS5QWZlDB0t6Lk
a9/JJjbmVrY614J1E1Rpee2svMLEixJD5abb1cD0XYbwTlzEMOjkvaC725uS
19k9hCu9z0v4Rq7cKk/1EMdCBFtPzSa/xYhdRSikXhE6wbW7T29M5n7u1YE1
j2cCb7Mtj1mdnqn6mg+6dK9v4FslKJZnlGv+QhU01eOrCwyRR1gOO5jViWKI
hLK7wBzea9pZwzI2u6+Zw1GiRvqcsiqNXdmtSmQ+cWHLYkKiZH+T75CzR+4y
SdUIfndYlF6SJxnIBEsDs0uSFrcShAPaqWlxvB1aGkzPthdEcn/f5vFhuN2W
ElScPH3shDrVhnG93BC0ukmCHW0s8WsfHXzX7/Ca3K76S7PGdJ2m1WlZLNd6
uR27iVLICnJObnLBMkslcgfNqT236rqDzvDpZVlWxnUtKLTFKqa93VLRLo1K
PKOLRYiS7Vaii1KPoE1kbfViyV3Xu2XS7D0rjXGnXohi6B4P+oCe2w3QFjls
BD6jHM7rLeVt+0w34G02HovMhZa93kh9p+4vxvFWAxOhxqXRLVyyWyi7ZFdR
qyitDulh0XmmOywmLl9gK0XPz2g8FJ4hQCm1bROJGCeTSfdaG5xsgsFWtqt1
ZyHo7yf2too08hj5QD1V9e0SrCePGrtjgXvTlE0qdOmi7cXjDwgMhsGB2Xan
L8VIOcp8f2VCIUGW62kBS4bNJMsyTq8b79K7WHOKiYsSpuURKi12wawvDbB1
m9PKmnDTETdxKzOBS0/5aVqd0Sxz1mtYJwa6TfdceFPSpVGHhad4CttAxYZU
Ftyw6DFWXdMnPAhYk1qvMsW1KbIRKFLNwuDO4aJ3uwDhxrb+cnUXUxVDuLUd
Kzk0bE/+Vq1WcuUrnBFam8N+bDR2FPHVeDpuTHVJGcdMGC25jpq0cp2usdyM
820cQQP7XEDCyT8tZKfb3bybWfHFkm5unjbFa/162Zcbsz3UkZt2kujjm7aN
bL6WhdrxAVzLl7vzcQU1zLET11rqj5ujNZxECbs7DU1MXKJ5k9uKDH7YARVR
udF0XXmZJnDS7X628/ZY2unW8aEyEVOaGhpxvcqRm4X5mco6x6IaDCeOxcMo
9juq1xi+CWtBQkpRSupxuQsEyr5uVJa2oZ4VViU5tHgeDR4ArOHB5qVJ6RZU
d83VzFtYzIVHZXuUFnG+GA20PDKUFI1Ts6zYZTNAcBPz7U7aynaByyFeETgm
leUpBMqrkqrdJGUtUG/JtXJtFNUouJPGwNvjMjZdmnOPrKErewRLFrlX0dbV
epKW1EtZLQocifPbta9uNItKXqOE+zi60Kf4qMIrHwtTpSjq8HLhGEi9UDg8
DIhA3LBNwVjrOUCl4fndYp1iFRCLTtQXF4s+RSw5tgtSYqUxLCs1NNJdegpY
aH+3FDy6H6O23WOXs329p8VZvWRT79rdZQzilMX5PJ+uHSllXku3G1RNpRKN
MX+l3FId2g21dNqc7jG9jmp5melWTPSTQmjJwQ0SuUKchbiw/GXmMaPBVfWR
VU2msoutArNaURsQekTbQ1RTbjiGE1hZxp2m2TtX5tsxK3jztMht2ETkez9K
m7NDaVRr50ONsFjbjE14aqBxl5wtGj4nKJ7f0KkblEbtDJe7rOd3tusV5WRE
Ei0tUyJzsDZIz1/wvT6Z/flw7/z1AtoA+J7CphNYinrOuqt9MYkJrdTNrVmo
uY8yCbHCNELlJ9ZeHGIaD44A09wuZ6q8YPI1gCbhtlUDm1mxEx2tD1knFsGp
cU+ifvHZmzHFZpvnG51YHYMbk5PSZAQSd20j74BaTqFyELGrziqrtU0xJTd4
8K1Ta7nI1FUZe0P9VSqhy2y1o6TDitfpdE0jouJLYy+32LbL6PUIdRRy3GBn
1dsR18Y2tPvxyC674l4u4wi7k6yupfDy7iTF0b6dxFv70BFSvrWWAWctIwLa
RcstnlaJvjLLXFRko4ZZcVuXEsEVHkB51XRKSGa7LBQqPAh6Lo5yQKj9+iKo
+P4KbyFrg63H8cpGYcVelEm+UanqLurs4rpnhGmJvawUwgE71YcRdmmUvhEV
eheW55BLxVJndQjhXXqgLo46NXeXu8FbuBFzNe3pcLiueccXlrxsWRLvSuGi
Q+hJUybknLm7+rR22/JGQsY2t6OUaHfnyrkznneh3Kqik610g/Waok+qeOOt
jD7kLICWi2rcx8BnJl9vxPkq9PqI9x55UV7vw3mAunn/6ycZCf/qjpyIoant
Gfj6J5YmT9o+7ZtBfrUNafaCZNobJIbMnvbKyDKPpq2PphjkucU15u0ppoky
4blrxA/lvlLuoUExmkkmXA+PsknCsimD31ovm37wuDY9XYNeLsr0aZBysnjp
QXCeevhOB4pmKxT0envOt3bnnE+a3cAGgRcmDox3SA23KhbUSLi0HXQO1Vbe
VZlc1lhDIQLpoIQs2YvTOcOvMnc0JDhj++um6Kaj4+7wy/4kGWhVt4GsySTe
Qwz5cA+fXUmxB0P56Xamk9KSDFXN214u3TXdx3qUOyv+fOp4IQpNyNs3YzR5
JTyqnOFF0dRqeaKfE822CkG3ssbK1nRHXw6UMs2NpEDxdIST4TeXuByLGKpl
FpbrHJkWF1vv1SO5X2pOdNX79sSeDGNn6YrWuc64J9DmejCIH3IrvhC7vyJx
390Xx6VxDCdMPGXtal24wxrdLXYCL2meJCjjpi2yvbSio/sg89/cF/e9qf3W
zEJ/OrXaX9sX928fNkK+Pkn62ebG50GZXacccDbLZnqPFCCbdAOuHXOapupm
HpGBMck9dSpPaXGifE1mwZLsTye1hF5H5qieP4GLDiWKTFF3WeDYsJ8haIjZ
ecDb496Vysi159jZKq62COShaRll4ioZpTTClDKq9TZE8UzNpD6qtnjgIG0s
gMGmpTyq7BQst2LvbG9i3mSQnJOjnMG9MsKDzGmDMjW9yjSDSuOIap6uMqOt
ZKAZwMOT70qt5/TXsLavXmWP0NwC+PKqzz+mdQX6+jp/lhlxfuAWokTuG+JK
zHXUFpQ+4uRRQ+1Bq9sG0h39Hji+IlfRfPNrUq+AzDpwFTiquHHvzCxpMzuK
YZWMbukMpMFc4DkxFcMlrTmxpNsl7wE1Y7PcXqviOnLSS1BsNcvmWM1p6ZhF
DMONOc0u95CGtFLolIEllLKOcLSOSL6GFKPupgJowAMN3I3q2npWe9nD5eQU
HOcUfh0KrQ/Zk31xyhiPudJVhFTTWRYFD6h2IVGmhShy2aI+FyEy+D4UbNnh
pM6bFD22Ww8K+DRzWGlyShkJKmDc+NgBDa58Nt3JjnT10NgIzWLwKsIIeM5V
+NgOzRL1WYWGdI6zNMfm44kiTFvnEhY5W256sDluZVq641k+JgulkhQ2APoA
ELJby3JbRef8FDItX0lY+6zZHO2j212AlqlRdXfDVQIwSoFexbugLC3dbhWt
UgQNja8W3N5DW8OhwE0vmi1dbFjxzCrNQhvwVERDwEtn3SkVMBuCZnK2bnFY
jLTBaxYgRdALHfEBjzIS8rag13quY2ln8ogaV5KllaDHAhG0uhx0RFEUpqR8
2BY0WBmglwsxbIuaSUmaJe2carANtuhjl7yHjFI6lUfEhUJ72bUzHOKuWwjn
ozIGWdXm4nAtA9AzZZgUozNcZVT+zsq2jeGWhM4joo2VfmARvFdKjMGUVeJw
o19dV5CPnOCIoVY2X64ip9WCgsVNS7nrMDvYjr6zLJveY7HuwwitsDGjYWDQ
bDAGhYRBpqOAUY5HIBgcuKB7sE75SCkZWOxr4LNtpTNLmM7HPpgeQ+YoyrJO
d63gdEhnudq3OEVzto9BeB4DWrMQYHOlGvwWbEtRLEspLKQ1DODJmRZhaFib
QvJ4RU1YSmWGaxSBC+Jc6gw0LXawXgWsCDuW3sRF3AdIfA+5tjTYFDMrEdNc
nQarCoG90sbAbzGECTxEy8sOS8FC5GDZST3dSXt53Coekraao6/Css0izh/A
PTsISE4bcKktT76kVS3qOLGrsx4RuP6QsG2v8xIRT/BWrJEtUIxUN+8UDjZA
AbII1DxCsSJNURtveYs+35zaSzlbyLQ4R1/B5z58vckV+touV5FVKNCky5ji
AHTYqEwsLufFJHONx0wioQIRlXN5gJ62C5O9k5ORrDc9Tz5eVXDswPYyjbDg
h1MMhJ+VpEyDn5zyZUrmqfHMQ7O5Akr8g+maLRcJiyRwjPPYUoUOm0i6PQv1
DkO3zMkUFE1OqeVJYwkKSo5UyMLdKQoVtoLLbKN7PfBMyKNHD+22WLMIHbZZ
Upob1TnC00I0ktwxKVemYB6aw9DMSXMoSucyeXTKE1Uoa3olonbhc5pIVYNz
MUnpEe/WganJSTDEHaC0Aw9rFkf17AmMtvOnQMxsCIXRphfICL1gRhI9kTJv
0TIvntE1Dm+H+z6N8SovZHKhoeIoJA1m9qLGGZs1g6KYQF6gHlvueIMPmt2d
s7zVGZvCJOvFgdxLsXNMhWEBM+UqJ4dVRi3OGb92wMpGuFXYjjl0KpDrJZwm
xV/FwVm6HrFNKZCH+2Z/DiOTBwKkzdJEghkBc49/IjTQ51LzLaEBEPnIH9a1
TILBcmjeILkSPKwBWaVamTq9fiUlkRO7/9R2sz3w/F6BgIKDZG0zi+EoMxEQ
xVkcT4PKNf2+/+RGVjZEgJkiPFdXap2V5r6Ql9AxirYtEdxwUsnv0j3X3Y7c
7VYLPTLvn6N4io16XRNTIHyNGp9SyLgshAK9oOShO3bIQpPCAL7px+Vicsk1
PIarSqcB6N8GxsrJNwUVOez9fuyYW4Ij0M5p4FuhUtoQH/hWOp8WPCnPBwr+
CjZ6nIqcEeUrdHT4Cjraz+go+y46sr6GjrgZHZ3cL9GRWvv32FEa3xUzFaAn
4MEoM3CBg2fEE/Lb2geLRMz6zMOk0nP10qeRe5jNOEUE63vGMNFVNikLeC8R
QD+nlWyebsokzucFYDUHCgk8HKH2GDhct3cIJHSkBwQT849nDKDXhwzmB8Jq
C6TMAkBGhONSnyKBMuUCgBtLWgWsXQBtW5lAv8/3QhFf3sJqBmr6PQRGLMyQ
fGZjZsG0SkmDbRYYB8qpuFpzYwkIWm1Ytq9XLAo5pU4ZsFT7GNcEaHuwOE4H
VuWs1bpiFSUG7LRvwEpgALjllABNsLGuFbHhWIoPyQA+6IhOAZxSh3B7ATzu
gnErRUhLAR3P++iwcuwICZDWTQTdtycdt1idUgqphkwwlsA+KYCPIK50VzEp
30YHxORSI+TlyXLtwOHTxitTGjRoKk6bAY1aAziLQEmli0bOZaGj1FYFEwAR
3awqTUEPte3ABGiQ0QpdBxit1OuoTyzEAphNCUoOh0xE15MCYe2Ke0JIbvsV
hITwpptyATCzr0Ee9BrlGVXr26wdmJaU67BSh7ayC1HEUvkSD2DOAJaTcVii
8SoEsCQJELCMWVDYLUAH1AMdWDYVY3HgfMoC7LOxA1hkFGcowSfYg2McCtnh
atZ+ZrPS3KOiwxIRWbFpmhoBgC0HKGA+fAYA1mDZ3rA42iiBawtghCQLdr9H
+8m320p1fUarxEvIAuGBbUV34lxBpPsOSQMN08+aVfQarA1+0VaQUYr3gC2J
xNKvBhcTjlOqeiUZGnwi/LpMo8q/JFXsKQLZJ6XeJjV3tgCSUlmEgUI4pmTb
LoyS47Rsi1lOrGi5PuMVwCkHAI5PxzCSP7A4EAwdfLYcBWDx2IcM64o5lkRb
NgB1gKcY1muASxwrpzQAocQ9LAE0BBATagNIzd1fjwEEBB3gTXb0YU7REZsx
bY7xOSWwigaXYUS1CmXlmfIlLra0Z5JDwOiDU3tjyF4byKevrF+ltMKVbCD4
QsRf3RAdAt9KxRgmshnoaIWixLxkx7CiGPxWTfhtG4xXHCB/4G8AWOWwdhMx
8h2APC+wuCKpiMCrKScyrrhR2EEAkJJtyqhhSee4LGsb1nlIdUo0ctNdxOpZ
4kbbgyFtjwFAQO5ss7heFgX0AwgibwKdsx9AEPRXUNC37BkkU/gLChrkSRwU
hhyUspmvTZ9d63cMW8m09tLBnx8mElmEsmC2d0zSpE7Rc0xEpOb4CPT0QQY6
W6FJ0jhTlJPr+zrTD7m00DuBX/lwRPTJrRrbblX050AcnWNyEqyIgsKw6Et3
RZ/3AHjZADUaokljozEpWz+6ZN2NLPdBkJTNQPZMTsrPQOfxYh96oJ3PrCOJ
FgCveLSs0bcRZa8INyphE5zp3ouHq3K65dKkZK4JibgtpcOklrRC8C1B2YYG
1t0uNfbdrt91GxaT50b4A59MZbDPiGN1Xeho1JvaCCUH97C62gJJbMj7lvJH
RKAr0qAksdUBoBviULzXQQZv98UAsAo7R+jI+Y2rSd6gb4XhvhuF00SWxqMd
sFWfm0/+FJjz+beP1pPW5IH+BHZElAxM6uuNCsCNZQ+PGF5OYvJ8QM4kcdlM
A5nefAJ+KIbNKCCs0HrNpg05himhr4rdZpszybEd9HGjrS5Mg0R12Z/u9OSG
n58DPOlAe7IWLWoMrtc3t9/dPfveB1VvnzHbu69jN5LX4bQ/rTnXLNK7dz5M
vXhyTWmwbSKAor1MXppEOJmpQUgWoZHoQZL3PLdBrchQzI71voJXJOc7eMVM
ky75cLD1ccD02JTz8dKnJC3PdVbmsNhLwlT0jz/eGE95RaggKroymItE3R41
Up5q3EJv3rwFSqRsgvjt3968TUap9V292rsfwMojlPP9SM576JNYzhfhmBka
eChX+ZV1Vc0TpjDWZ1EYb/TM95BUKpNHyKiGy5Wf+zw7KrkI+7yFqLyfKXk0
ypWFfBsfWQAbvYdI8L9tAc9p9fRDBQ9Q9GewpYpXM2yxsBm2vIdegEtM2fDW
9U3K0AuEAtYF+NOcYMEwrFpzXEVRdA7AErelLGBNHijD2Soa2g2K/R7ibnbd
Ahtrz5EWJWF1S7MG2ocJB7SeA7PKmzVVAGuB60JLmS8tAJyiVcMTLineQ6+A
BbtlNRMYFeALm7CuA7uy0l5wBXDlZQs522580Dl2AjiDBriCtQGuSEArnPES
DQphhAkmFrEcAth9zgV2Pwct4TqngyX2woWiaIWvRrwugBbYpOBUDcz0h3gS
HT7Fj4xH9Oc7oZIvIyVgpkXVsunYtV07jyUD3o4BjMNeHneeaUshChxyLr7Z
SIvpFaHFgt3JTJkC7GIbrK/5xlV1nPeQjDi53cdWg/osd9vB3MWeuNpD2kYr
UwcAFkqGo4vhloaN2K6FtjuAry5g1KXnWAkw8O+hp2iJYSEUMP2Un6cMMPXU
N00/XHKfm35tHt3Z9vfebPuB3TcsvXTKCDUcP0+s7r6fKMrmCtRAEcXLdUXm
OMlCONPnbB6MgKZM5d4B8uJLjm1TgSXpsu1dYngwZMSaYlSRnDoVDBYRDX6A
FVTG/IljAi4GvRX3hOUaIDJ+4JT1AawAODu68Nu5UPjbD3XaO7C8/+OxdfOf
zxs4337IOv688nHFkTO17J7XA8BEsAgg3xynjDkN5mrLGpoY3eIz/0AqPxmB
mX+EcQCQAHi+fRV3FOQq7Z1camSk9ALs05AbaOXToJv5OYwGEqPYLDLHFXWA
2yznI4qmZCDCplsqYA45DgN3BEDeGR9LH/P8igbRRr9NwwsF76GPNBBgWAna
tPzLHAxzrHQfIq2UVA1AqRwQivLDZ8DtHETTAerjIifWAS3VprcmCw4QDU4c
/+IVEh47SGGw29wQgL7EuMzEKAXIQms6w01Gt7RspZQ9iYhptc4OjYf3UGDq
MOi/suCmDywbi5n0EmFtZSPpXhEk2YdbU66QW8RzCvDpKEWIWc0uWbsUezB+
ukFv6feQZpWYZn3V56qB5qF0VrpqTstprjTFfCr7nJQHQG51oAUjOBY9VAKr
1bGGe+IoK8fpwZxsgT4ucw9re8tpS6vmSuDd2QGcGrZT3m2nwDSg4aOSos26
pYD/QQV8i7+HwlpGbLSAY/uEzBDe5wlFB7MbVs2QZNfRLiXMRH3KpLe6jSqw
Vcc90CE1kOy9bUuq5SoeGF2slBVTusccZSqGFAM7AicuOVuijy8inBaLxus5
QoFnPVsLZ6hnPa/b8qiYXvYeOmqP5fFYBh+WyLwMun+cJPkf+HmakHBgrud0
5YVZi6PSP+B/eDgtxxeZCzdle+jIlBFsMN0kayj6HqtX8j+4TcxrQoUcb6vV
sMGi3ZYlosOVjYPT2w817f/zVX35f3s2/M/GHpj/R2HYl7wzb1/hghdA8Hau
ZDnnOnoXlIDwv78tk+N1Liz/z789Je3I6ssx+mMuuyQyb8iPGUEgSHykZpqT
iDeX4JI9cnk+J6h4LiEx53Nqb5e26eZUHB+zZsyY4nTL4qR8JKx7JCD5mG4G
/3fsk3QzT3mNPuv+k7oWH7MOfp625AmXvHnJxvOUnfVfdCr+AXYeiV7mXh+Z
Vl7+AFP/pBbfPqUveTenhZnl4XVemGeRebnlJT3vfBsKo8Q7BH2HbF5uemn5
3f3psD24i/j8q6fyd/Pzt7p9yaD60kCctHPCzToaX/f0H89S+88Pu/C/SvFj
/OYcld0HOf8W4Qj2Dl6/Q4i3z/f98T//Whdg5K+/uIsnKXipCDDnQvzTrlD4
Hbx6h6w/dPX4/Z/PYxp082Kfk5Q9pXn6+oA+UjW/e2TgeTSKE/DrfrtsepAI
rn61kwyssK83/CGR9fz4E/mvG/6YnPYbkvciPR+o+s54ftLXXHLh2z19UsP5
b9/tEvmVXS4/1KT9eufoL+38eW/yu2/1jv3S3p9ri8+7HF7Vlv7Z4uBP5Uy/
zg/+S/n5WJPuk95fKbzukWHt67R9V1P8NG3ZXJgmfvdIe/oNOV/9UgK+qID7
dSLWv5SIR4G/r3e8+aUdA1P9qF7zUeJ/RES2v5FGYJuLH6Bx9UsV9Fdo/Fl1
8XRg+kc4/bV24anA6Lun1OlfJ+DX2oaP5ct/aIijpn7g+iedfruUPzLEv9b+
zCkEnyTpR2j7tbbkY11L4DA8bw78ESp/rVX5mJviR2hbfYYlofmvj45i19wu
UTJnJX9XBZcCuBR/fwtwcfL29TczC3//BDf+r49+yVN6yQcg+Pvb2at6+8ef
umkvSRI/umvfyjb5/7Lb9kL0z7pvCPKb/bef9Hz+opP1Fbz//RH6F3pWBPzf
7Vl9JhyfrMqZul+gMV66/J6nRcDIn2iR30DY9/0xAv4lNvcLIr7vlxHwL7GL
X1Dx2j/7EQjwyqf7tlNGwL/EkH7BzDecsw9U/BJD+QUVf+qGEfAvccO+IOQT
d+wnIfSbN9/y5wj4l/hzX3DzTb+OgH+JX/cFAZ/6JT89nj/mIBLwL3EQv2T2
kjWX53f2P8jrX7FEyG+xRICbZsiq7Dr+6LS91De4/KBfTyC/xJP8FzL6kcOH
x/2jLjOB/B7r+S+c0S+iIB9Y+T0m+E+jAATye8xncJph7kuJk/+7gf04Hz+/
VH6PmX7idtZwD0J/Wp8/CPgqP7/H2n/k54c19qt/n1PykZvfY+3/xcb2xyKd
BPL/F7L4Sc39e5DFf3/MkUB/D+r4mdgjgf4ewPAz0T0C/T22/pM46c+pgh+O
shIo9ksimS/M/mlE8w0ZFXXTl0l8Sh5V2+ZOnzBDEv/9bd3Md82nzINHaqru
Tf+o1vUoO/PYPRvUxWflg9qkmTfhHJsLVGb3uRZgnHXRrete6pzONXGeSos9
1bNJg7Ls3vyP5hLPnULh+GZ2MZ/Ktf0N+uc//+lkZZkF1Rvy2jdN/McfQCzA
VTmL0iAp3wj//oZK0rk+X3J5+c64JsdjUr/h5uJeHy6mCSBPyoL69HLJTMFC
6t44yaV+PPzvzzWsPxRnuyRRApiIAQ/gz2szVzd83vrzXDJubiWr3jhZlNVF
V2SfNc01XQeUynz1wfML4eUbO/jf/1U0j07F65s+mIvrJS2YvPipbOMXFAPi
5qeD4c1hzrNcZDW4+NLobqbWCa5d8rjaJ4+COnNMdObjUZT3KZ/Yywal5pKd
srnS59PuZ2y1evQA/R/80Z7R1a4BAA==

-->

</rfc>
