<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-tls-pake-02" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="TLS 1.3 PAKE">A Password Authenticated Key Exchange Extension for TLS 1.3</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-tls-pake-02"/>
    <author initials="L." surname="Bauman" fullname="Laura Bauman">
      <organization>Apple, Inc.</organization>
      <address>
        <email>l_bauman@apple.com</email>
      </address>
    </author>
    <author initials="D." surname="Benjamin" fullname="David Benjamin">
      <organization>Google LLC</organization>
      <address>
        <email>davidben@google.com</email>
      </address>
    </author>
    <author initials="S." surname="Menon" fullname="Samir Menon">
      <organization>Apple, Inc.</organization>
      <address>
        <email>samir_menon@apple.com</email>
      </address>
    </author>
    <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
      <organization>Apple, Inc.</organization>
      <address>
        <email>caw@heapingbits.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Transport Layer Security</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 71?>

<t>The pre-shared key mechanism available in TLS 1.3 is not suitable
for usage with low-entropy keys, such as passwords entered by users.
This document describes an extension that enables the use of
password-authenticated key exchange protocols with TLS 1.3.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://tlswg.org/tls-pake/draft-ietf-tls-pake.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-tls-pake/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Transport Layer Security Working Group mailing list (<eref target="mailto:tls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/tls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/tlswg/tls-pake"/>.</t>
    </note>
  </front>
  <middle>
    <?line 79?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>DISCLAIMER: Much of this text is copied from <xref target="FIRST-DRAFT"/>
and is in the process of being updated. This is a work-in-progress draft and has
not yet seen significant security analysis. See <xref target="security"/> and <xref target="spake2plus-sec"/>
for more information.</t>
      <t>In some applications, it is desirable to enable a client and server
to authenticate to one another using a low-entropy pre-shared value,
such as a user-entered password.</t>
      <t>In prior versions of TLS, this functionality has been provided by
the integration of the Secure Remote Password PAKE protocol (SRP)
<xref target="RFC5054"/>. The specific SRP integration described in RFC 5054
does not immediately extend to TLS 1.3 because it relies on the
Client Key Exchange and Server Key Exchange messages, which no
longer exist in 1.3.</t>
      <t>TLS 1.3 itself provides a mechanism for authentication with
pre-shared keys (PSKs). However, PSKs used with this protocol need
to be "full-entropy", because the binder values used for
authentication can be used to mount a dictionary attack on the PSK.
So while the TLS 1.3 PSK mechanism is suitable for the session
resumption cases for which it is specified, it cannot be used when
the client and server share only a low-entropy secret.</t>
      <t>Enabling TLS to address this use case effectively requires the TLS
handshake to execute a password-authenticated key establishment
(PAKE) protocol. This document describes a TLS extension <tt>pake</tt>
that can carry data necessary to execute a PAKE.</t>
      <t>This extension is generic, in that it can be used to carry key
exchange information for multiple different PAKEs. We assume that
prior to the TLS handshake the client and server will both have
knowledge of the password or PAKE-specific values derived from the
password (e.g. augmented PAKEs only require one party to know the
actual password). The choice of PAKE and any required parameters will
be explicitly specified using IANA assigned values.
This document defines concrete protocols for executing the
SPAKE2+ <xref target="RFC9383"/>, CPACE <xref target="CPACE"/>,
OQUAKE <xref target="PQPAKE"/>, and OQUAKE+ <xref target="PQPAKE"/> PAKE protocols.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The mechanisms described in this document also apply to DTLS 1.3
<xref target="RFC9147"/>, but for brevity, we will refer only to TLS
throughout.</t>
    </section>
    <section anchor="setup">
      <name>Setup</name>
      <t>In order to use the extension specified in this document, a TLS client
and server need to have pre-provisioned a password (or derived values
as described by the desired PAKE protocol(s)). The details of this
pre-provisioned information are specific to each PAKE algorithm and
are not specified here.</t>
      <t>Servers will of course have multiple instances of this configuration
information for different clients. Clients may also have multiple
identities, even within a given server.</t>
    </section>
    <section anchor="pake-protocol-classification">
      <name>PAKE Protocol Classification</name>
      <t>This specification defines support for two classes of PAKE protocols:</t>
      <t>Internal PAKEs integrate directly into the TLS handshake, completing authentication
within two messages (ClientHello and ServerHello). These PAKEs execute their protocol
messages within the <tt>pake</tt> extension and derive shared secrets that feed into the TLS
key schedule.</t>
      <t>External PAKEs require out-of-band execution prior to TLS connection establishment.
These PAKEs complete their protocol exchange outside of TLS and import their derived
secrets as PSKs using External PSK Import <xref target="RFC9258"/>.</t>
      <t>The following sections describe both approaches in detail.</t>
    </section>
    <section anchor="internal-pake-integration-in-tls">
      <name>Internal PAKE Integration in TLS</name>
      <t>This section describes how Internal PAKE protocols are integrated and executed
within the TLS handshake using the <tt>pake</tt> extension. Internal PAKEs complete their
authentication exchange within two messages (ClientHello and ServerHello) and integrate
their derived secrets directly into the TLS key schedule.</t>
      <t>For External PAKEs that execute out-of-band prior to TLS connection establishment,
see <xref target="external-pakes"/>.</t>
      <section anchor="client-behavior">
        <name>Client Behavior</name>
        <t>To offer support for a PAKE protocol, the client sends a <tt>pake</tt> extension
in the ClientHello carrying a <tt>PAKEClientHello</tt> value:</t>
        <artwork><![CDATA[
enum {
    pake(0xTODO), (65535)
} ExtensionType;
]]></artwork>
        <t>The payload of the client extension has the following <tt>PAKEClientHello</tt>
structure:</t>
        <artwork><![CDATA[
enum {
    SPAKE2PLUS_V1 (0xXXXX),
    CPACE_X25519_SHA512 (0xXXXX),
    OQUAKE_V1 (0xXXXX),
    OQUAKE_PLUS_V1 (0xXXXX),
} PAKEScheme;

struct {
    PAKEScheme   pake_scheme;
    opaque      pake_message<1..2^16-1>;
} PAKEShare;

struct {
    opaque    client_identity<0..2^16-1>;
    opaque    server_identity<0..2^16-1>;
    PAKEShare client_shares<0..2^16-1>;
} PAKEClientHello;
]]></artwork>
        <t>The <tt>PAKEClientHello</tt> structure consists of an identity pair under which the
client can authenticate alongside a list of PAKE algorithms and the
client's first message for each underlying PAKE protocol.
Concretely, these structure fields are defined as follows:</t>
        <dl>
          <dt>client_shares</dt>
          <dd>
            <t>A list of PAKEShare values, each one with a distinct PAKEScheme algorithm.</t>
          </dd>
          <dt>client_identity</dt>
          <dd>
            <t>The client identity used for the PAKE. It may be empty.</t>
          </dd>
          <dt>server_identity</dt>
          <dd>
            <t>The server identity used for the PAKE. It may be empty.</t>
          </dd>
          <dt>pake_scheme</dt>
          <dd>
            <t>The 2-byte identifier of the PAKE algorithm.</t>
          </dd>
          <dt>pake_message</dt>
          <dd>
            <t>The client PAKE message used to initialize the protocol.</t>
          </dd>
        </dl>
        <t>The client and server identity fields are common to all PAKEShares to prevent
client enumeration attacks; see <xref target="security"/>.</t>
        <t>The <tt>PAKEScheme</tt> field in the <tt>PAKEShare</tt> allows implementations to
support multiple PAKEs and negotiate which to use in the context of
the handshake. For instance, if a client knows a password but not which
PAKE the server supports it could send corresponding PAKEShares for each
PAKE. If the client sends multiple PAKEShare values, then they <bcp14>MUST</bcp14>
be sorted in monotonically increasing order by the NamedPAKE value. Moreover,
the client <bcp14>MUST NOT</bcp14> send more than one PAKEShare with the same NamedPAKE value.</t>
        <t><xref section="9.2" sectionFormat="of" target="TLS13"/> specifies that a valid ClientHello
must include either a <tt>pre_shared_key</tt> extension or both
a <tt>signature_algorithms</tt> and <tt>supported_groups</tt> extension. With the
addition of the <tt>pake</tt> extension specified here, the new requirement
is that a valid ClientHello must satisfy at least one of the
following options:</t>
        <ul spacing="normal">
          <li>
            <t>includes a <tt>pre_shared_key</tt> extension</t>
          </li>
          <li>
            <t>includes <tt>signature_algorithms</tt>, <tt>supported_groups</tt>, and <tt>key_share</tt>  extensions</t>
          </li>
          <li>
            <t>includes <tt>pake</tt>, <tt>supported_groups</tt>, and <tt>key_share</tt> extensions</t>
          </li>
        </ul>
        <t>If a client sends the <tt>pake</tt> extension, then it <bcp14>MUST</bcp14> also send a <tt>supported_groups</tt> and
<tt>key_share</tt> extension. Like PSK-based authentication in psk_dhe_ke mode as defined in
<xref section="4.2.0" sectionFormat="of" target="TLS13"/>, authentication with the <tt>pake</tt> extension
is always combined with the normal TLS key exchange mechanism. See <xref target="key-sched-mods"/> for details.</t>
        <t>Combining the <tt>pake</tt> extension with the normal TLS key exchange mechanism
using a hybrid or PQ key agreement protects against Harvest Now Decrypt
Later Attacks where traffic recorded today may be decrypted by a Cryptographically
Relevant Quantum Computer (CRQC) in the future. This protection covers the
resulting <em>application traffic</em> regardless of which PAKEScheme is negotiated.
It does not, by itself, protect the <em>password</em>: if the negotiated PAKEScheme is
purely classical (e.g., SPAKE2+ or CPace), a future CRQC that breaks the
scheme's underlying classical assumption can still retroactively recover the
password from the harvested <tt>pake</tt> extension messages, independent of whether
the surrounding TLS key exchange was hybrid or PQ. Deployments concerned with
retroactive password recovery, as opposed to only traffic confidentiality,
should select a post-quantum PAKEScheme, such as OQUAKE, OQUAKE+, or
CPaceOQUAKE+; see the Security Considerations of <xref target="PQPAKE"/> for a detailed
treatment of this distinction.</t>
        <t>A client which sends both a <tt>pake</tt> and <tt>signature_algorithms</tt> extension indicates the client
requires both PAKE authentication and standard server certificate authentication.</t>
        <t>The client <bcp14>MAY</bcp14> also send a <tt>pre_shared_key</tt> extension along with the <tt>pake</tt> extension,
to allow the server to choose an authentication mode.</t>
        <t>The server identity value provided in the PAKEClientHello structure
are disjoint from that which the client may provide in the
ServerNameIndication (SNI) field.</t>
      </section>
      <section anchor="server-behavior">
        <name>Server Behavior</name>
        <t>If a server receives a ClientHello with a <tt>pake</tt> extension, but without both
a<tt>supported_group</tt> and <tt>key_share</tt> extension it <bcp14>MUST</bcp14> abort the connection with a
"missing_extension" alert.</t>
        <t>If a server receives a ClientHello with a <tt>pake</tt> extension and <tt>pre_shared_key</tt>
extension then it must choose an authentication mechanism. In cases where client
enumeration is a risk, servers <bcp14>SHOULD NOT</bcp14> inspect the offered <tt>client_identity</tt> fields
in the <tt>pake</tt> extension when deciding between PAKE or PSK authentication since this
could be used as an client enumeration tool.</t>
        <t>A server that receives a <tt>pake</tt> extension examines its contents to determine
if it is well-formed. In particular, if the list of PAKEShare values is not
sorted in monotonically increasing order by PAKEScheme values, or if there are
duplicate PAKEScheme entries in this list, the server aborts the handshake with
an "illegal_parameter" alert.</t>
        <t>If the list of PAKEShare values is well-formed, the server then scans the list
of PAKEShare values to determine if there is one corresponding to a server
supported PAKEScheme. If the server does not support any of the offered PAKESchemes
in the client PAKEShares then the server <bcp14>MUST</bcp14> abort the protocol
with an "illegal_parameter" alert.</t>
        <t>If the server has a PAKEScheme in common with the client then the server uses
the client_identity and server_identity alongside its local database of PAKE
registration information to determine if the request corresponds to a legitimate
client registration record. If one does not
exist, the server <bcp14>MAY</bcp14> simulate a PAKE response as described in <xref target="simulation"/>.
Simulating a response prevents client enumeration attacks on the server's
PAKE database; see <xref target="security"/>.</t>
        <t>If there exists a valid PAKE registration, the server indicates its selection
by including a <tt>pake</tt> extension in its ServerHello. The content of this extension
is a <tt>PAKEServerHello</tt> value, specifying the PAKE the server has selected, and the
server's first message in the PAKE protocol. The format of this structure is as follows:</t>
        <artwork><![CDATA[
struct {
    PAKEShare server_share;
} PAKEServerHello;
]]></artwork>
        <t>The server_share value of this structure is a <tt>PAKEShare</tt>, which echoes
back the PAKE algorithm chosen and the server's PAKE message generated
in response to the client's PAKE message.</t>
        <t>If a server uses PAKE authentication, then it <bcp14>MUST NOT</bcp14> send an
extension of type <tt>pre_shared_key</tt>, or <tt>early_data</tt>.</t>
        <t>Use of PAKE authentication <bcp14>MAY</bcp14> be used with
certificate-based authentication of both clients and servers.
If use of a PAKE is negotiated and the client included the <tt>signature_algorithms</tt> extension,
then servers <bcp14>MUST</bcp14> include Certificate and CertificateVerify messages in the handshake.
The server <bcp14>MAY</bcp14> send a CertificateRequest for client certificate authentication.
See <xref target="security"/> for a discussion on different security considerations
depending on if certificates are used or not.</t>
      </section>
      <section anchor="key-sched-mods">
        <name>Key Schedule Modifications</name>
        <t>When the client and server agree on a PAKE to use, a shared secret derived
from the PAKE protocol is concatenated with the regular <tt>ECDH(E)</tt>
input and used as part of the <tt>ECDH(E)</tt> input to the TLS 1.3
key schedule. Details for the shared secret computation are left to the
specific PAKE algorithm. See <xref target="spake2plus"/> and <xref target="cpace"/> for information about how
the SPAKE2+ and CPace variants operate, respectively.</t>
        <t>As with client authentication via certificates, the server has not
authenticated the client until after it has received the client's
Finished message. When a server negotiates the use of this
mechanism for authentication, it <bcp14>SHOULD NOT</bcp14> send application data
before it has received the client's Finished message, as it would
otherwise be sending data to an unauthenticated client.</t>
      </section>
      <section anchor="simulation">
        <name>Server Simulation</name>
        <t>To simulate a fake PAKE response, the server does the following:</t>
        <ul spacing="normal">
          <li>
            <t>Select a PAKEScheme supported by the client and server, as normal.</t>
          </li>
          <li>
            <t>Include the <tt>pake</tt> extension in its ServerHello, containing a PAKEShare value with
the selected PAKEScheme and corresponding <tt>pake_message</tt>. To generate the <tt>pake_message</tt>
for this <tt>PAKEShare</tt> value, the server selects a value uniformly at random from
the set of possible values of the PAKE algorithm shares.</t>
          </li>
          <li>
            <t>Perform the rest of the protocol as normal.</t>
          </li>
        </ul>
        <t>Because the server's share was selected uniformly at random, the server will reject
the client's Finished message with overwhelming probability.</t>
        <t>A server that performs the simulation of the protocol acts only
as an all-or-nothing oracle for whether a given (identity, password) pair
is correct. If an attacker does not supply a correct pair, they do not learn
anything beyond this fact.</t>
      </section>
    </section>
    <section anchor="internal-pake-protocols">
      <name>Internal PAKE Protocol Specifications</name>
      <section anchor="requirements-for-internal-pakes">
        <name>Requirements for Internal PAKEs</name>
        <t>In order to be usable as Internal PAKEs with the <tt>pake</tt> extension, a PAKE protocol
must specify some syntax for its messages, and the PAKE protocol
<bcp14>MUST</bcp14> produce a shared secret in exactly two messages carried in the ClientHello
and ServerHello. Internal PAKEs complete their authentication exchange within the
TLS handshake and cannot require additional message rounds.</t>
        <t>In addition, to be compatible with the security requirements of TLS
1.3, Internal PAKE protocols defined for use with TLS 1.3 <bcp14>MUST</bcp14> provide
forward secrecy and <bcp14>MUST</bcp14> be able to achieve key confirmation via TLS 1.3
Finished messages.</t>
        <t>A specification describing the use of a particular Internal PAKE protocol with
TLS must provide the following details:</t>
        <ul spacing="normal">
          <li>
            <t>A <tt>PAKEScheme</tt> registered value indicating pre-provisioned parameters;</t>
          </li>
          <li>
            <t>Content of the <tt>pake_message</tt> field in a ClientHello;</t>
          </li>
          <li>
            <t>Content of the <tt>pake_message</tt> field in a ServerHello;</t>
          </li>
          <li>
            <t>How the PAKE protocol is executed based on those messages; and</t>
          </li>
          <li>
            <t>How the outputs of the PAKE protocol are used to create the PAKE portion of the<tt>(EC)DHE</tt> input to the TLS key schedule.</t>
          </li>
        </ul>
        <t>Several current PAKE protocols satisfy these requirements for Internal PAKE usage,
for example:</t>
        <ul spacing="normal">
          <li>
            <t>CPace <xref target="CPACE"/></t>
          </li>
          <li>
            <t>SPAKE2+ (described in <xref target="spake2plus"/>) <xref target="RFC9383"/></t>
          </li>
          <li>
            <t>OPAQUE <xref target="OPAQUE"/></t>
          </li>
          <li>
            <t>OQUAKE (described in <xref target="oquake"/>) <xref target="PQPAKE"/></t>
          </li>
          <li>
            <t>OQUAKE+ (described in <xref target="oquakeplus"/>) <xref target="PQPAKE"/></t>
          </li>
        </ul>
      </section>
      <section anchor="spake2plus">
        <name>SPAKE2+ Integration</name>
        <t>This section describes the SPAKE2+ instantiation of the <tt>pake</tt> extension for TLS.
The SPAKE2+ protocol is described in <xref target="SPAKE2PLUS"/>.
<xref target="spake2plus-setup"/> describes the setup required before the protocol runs,
and <xref target="spake2plus-run"/> describes the protocol execution in TLS.</t>
        <section anchor="spake2plus-setup">
          <name>Protocol Setup</name>
          <t>The TLS client and server roles map to the <tt>Prover</tt> and <tt>Verifier</tt> roles in the
SPAKE2+ specification, respectively. Clients are configured with a client
identity, server identity, and password verifier (w0 and w1 according to <xref target="SPAKE2PLUS"/>).
Similarly, servers are configured with a list of client identity, server identity,
and password registration values (w0 and L according to <xref target="SPAKE2PLUS"/>). Servers
use this list when completing the SPAKE2+ protocol. The values for the password
verifiers and registration records (w0, w1, and L) are not specified here; see
<xref section="3.2" sectionFormat="of" target="SPAKE2PLUS"/> for more information.</t>
          <t>The PAKEScheme value for SPAKE2+ fully defines the parameters associated with
the protocol, including the prime-order group <tt>G</tt>, cryptographic hash function <tt>Hash</tt>,
key derivation function <tt>KDF</tt>, and message authentication code <tt>MAC</tt>. Additionally,
the PAKEScheme value for SPAKE2+ fully defines the constants for M and N
as needed for the protocol; see <xref section="4" sectionFormat="of" target="SPAKE2PLUS"/>.</t>
        </section>
        <section anchor="spake2plus-run">
          <name>Protocol Execution</name>
          <t>The content of one PAKEShare value in the PAKEClientHello structure consists
of the PAKEScheme value <tt>SPAKE2PLUS_V1</tt> and the value <tt>shareP</tt> as computed in
<xref section="3.3" sectionFormat="of" target="SPAKE2PLUS"/>.</t>
          <t>The content of the server PAKEShare value in the PAKEServerHello structure
consists of the PAKEScheme value <tt>SPAKE2PLUS_V1</tt> and the value <tt>shareV || confirmV</tt>,
i.e., <tt>shareV</tt> and <tt>confirmV</tt> concatenated, as computed in <xref section="3.3" sectionFormat="of" target="SPAKE2PLUS"/>.</t>
          <t>Given <tt>shareP</tt> and <tt>shareV</tt>, the client and server can then both compute
K_main, the root secret in the protocol as described in <xref section="3.4" sectionFormat="of" target="SPAKE2PLUS"/>.
The "Context" value for SPAKE2+ is equal to <tt>tls || application_context</tt> where
<tt>application_context</tt> is either an empty string or a string that may be specified by
the protocol using tls to include additional context in the protocol transcript.
See <xref section="3" sectionFormat="of" target="SPAKE2PLUS"/>. The rest of
the values needed for the transcript derivation are as configured in <xref target="spake2plus-setup"/>,
exchanged over the wire, or computed by client and server.</t>
          <t>Using <tt>K_main</tt>, the client and server both compute <tt>K_shared</tt> which is combined with the
<tt>(EC)DHE</tt> shared secret as input to the TLS 1.3 key schedule, where the (EC)DHE shared
secret is as specified in <xref section="7.1" sectionFormat="of" target="TLS13"/> or as the <tt>concatenated_shared_secret</tt>
as specified in <xref section="3.3" sectionFormat="of" target="I-D.ietf-tls-hybrid-design"/>. Specifically, <tt>K_shared || (EC)DHE</tt> is used
as the <tt>(EC)DHE</tt> input to the key schedule in <xref section="7.1" sectionFormat="of" target="TLS13"/>, as shown below.</t>
          <artwork><![CDATA[
                                    0
                                    |
                                    v
                        0 ->  HKDF-Extract = Early Secret
                                    |
                                    +-----> Derive-Secret(...)
                                    +-----> Derive-Secret(...)
                                    +-----> Derive-Secret(...)
                                    |
                                    v
                              Derive-Secret(., "derived", "")
                                    |
                                    v
                K_shared || (EC)DHE -> HKDF-Extract = Handshake Secret
                ^^^^^^^^^^^         |
                                    +-----> Derive-Secret(...)
                                    +-----> Derive-Secret(...)
                                    |
                                    v
                              Derive-Secret(., "derived", "")
                                    |
                                    v
                         0 -> HKDF-Extract = Master Secret
                                    |
                                    +-----> Derive-Secret(...)
                                    +-----> Derive-Secret(...)
                                    +-----> Derive-Secret(...)
                                    +-----> Derive-Secret(...)
]]></artwork>
          <t>Note that the server does compute and send confirmV as defined in <xref section="3.4" sectionFormat="of" target="SPAKE2PLUS"/>
since it can do so within the structure of the TLS 1.3 handshake and the client <bcp14>MUST</bcp14> verify it.
If verification of confirmV fails, clients <bcp14>SHOULD</bcp14> abort the handshake with a "decrypt_error" alert.
The client and server do not additionally compute or verify confirmP
as described in <xref section="3.4" sectionFormat="of" target="SPAKE2PLUS"/>.
See <xref target="spake2plus-sec"/> for more information about the safety of this approach.</t>
        </section>
      </section>
      <section anchor="cpace">
        <name>CPace Integration</name>
        <t>This section describes the CPace instantiation of the <tt>pake</tt> extension for TLS.
The CPace protocol is described in <xref target="CPACE"/>.
<xref target="cpace-setup"/> describes the setup required before the protocol runs, and
<xref target="cpace-run"/> describes the protocol execution in TLS.</t>
        <section anchor="cpace-setup">
          <name>Protocol Setup</name>
          <t>The TLS client and server roles map to the 'initiator' and 'responder' roles in
the CPace specification, respectively. The client and server must share a
password-related string (PRS). The associated data for both parties (<tt>ADa</tt> and
<tt>ADb</tt>) is unused. The client and server may optionally be configured with party
identification strings, a channel identifier, and/or a session identifier, as
described in <xref section="3.1" sectionFormat="of" target="CPACE"/>.</t>
          <t>The PAKEScheme value for CPace specifies a cipher suite for the protocol,
consisting of a group environment <tt>G</tt> and cryptographic hash function <tt>H</tt>.</t>
        </section>
        <section anchor="cpace-run">
          <name>Protocol Execution</name>
          <t>The content of one PAKEShare value in the PAKEClientHello structure consists of
the PAKEScheme value <tt>CPACE_X25519_SHA512</tt> and the value <tt>Ya</tt> as computed in
<xref section="6.2" sectionFormat="of" target="CPACE"/>.</t>
          <t>The content of the server PAKEShare value in the PAKEServerHello structure
consists of the PAKEScheme value <tt>CPACE_X25519_SHA512</tt> and the value <tt>Yb</tt> as
computed in <xref section="6.2" sectionFormat="of" target="CPACE"/>.</t>
          <t>Given <tt>Ya</tt> and <tt>Yb</tt>, the client and server can then both compute <tt>ISK</tt>, the main output
secret of the protocol as described in <xref section="6.2" sectionFormat="of" target="CPACE"/>.
The various optional CPace inputs (party identification strings, channel
identifiers, and session identifiers) may be specified by the application, and
will contribute to the derivation of <tt>ISK</tt>.</t>
          <t>The client and server both combine <tt>ISK</tt> with the <tt>(EC)DHE</tt> shared secret as
input to the TLS 1.3 key schedule, where the (EC)DHE shared secret is as
specified in <xref section="7.1" sectionFormat="of" target="TLS13"/> or as the
<tt>concatenated_shared_secret</tt> as specified in <xref section="3.3" sectionFormat="of" target="I-D.ietf-tls-hybrid-design"/>.
Specifically, <tt>ISK || (EC)DHE</tt> is used as the <tt>(EC)DHE</tt> input to the key
schedule in <xref section="7.1" sectionFormat="of" target="TLS13"/>, as shown above in <xref target="spake2plus-run"/>.</t>
        </section>
      </section>
      <section anchor="oquake">
        <name>OQUAKE Integration</name>
        <t>This section describes the OQUAKE instantiation of the <tt>pake</tt> extension for TLS.
The OQUAKE protocol is a post-quantum symmetric PAKE described in <xref target="PQPAKE"/>.
<xref target="oquake-setup"/> describes the setup required before the protocol runs, and
<xref target="oquake-run"/> describes the protocol execution in TLS.</t>
        <section anchor="oquake-setup">
          <name>Protocol Setup</name>
          <t>The TLS client and server roles map to the 'initiator' and 'responder' roles in
the OQUAKE specification, respectively. The client and server must share a
password-related string (PRS). The client and server may optionally be configured
with a session identifier and client and server identifiers, as described in
<xref section="8.2" sectionFormat="of" target="PQPAKE"/>.</t>
          <t>The PAKEScheme value for OQUAKE specifies the BUA-sKEM instance and KDF used
by the protocol.</t>
        </section>
        <section anchor="oquake-run">
          <name>Protocol Execution</name>
          <t>The content of one PAKEShare value in the PAKEClientHello structure consists of
the PAKEScheme value <tt>OQUAKE_V1</tt> and the output message from <tt>OQUAKE.Init</tt> as
specified in <xref section="8.2.1" sectionFormat="of" target="PQPAKE"/>.</t>
          <t>The content of the server PAKEShare value in the PAKEServerHello structure
consists of the PAKEScheme value <tt>OQUAKE_V1</tt> and the output message from
<tt>OQUAKE.Respond</tt> as specified in <xref section="8.2.2" sectionFormat="of" target="PQPAKE"/>.</t>
          <t>Given these messages, the client runs <tt>OQUAKE.Finish</tt> to derive the session key <tt>SK</tt>.
The OQUAKE response message includes a key confirmation value <tt>h</tt>. The client
<bcp14>MUST</bcp14> verify this value as part of <tt>OQUAKE.Finish</tt>. If verification fails,
clients <bcp14>SHOULD</bcp14> abort the handshake with a "decrypt_error" alert.</t>
          <t>The client and server both combine <tt>SK</tt> with the <tt>(EC)DHE</tt> shared secret as
input to the TLS 1.3 key schedule, where the (EC)DHE shared secret is as
specified in <xref section="7.1" sectionFormat="of" target="TLS13"/> or as the
<tt>concatenated_shared_secret</tt> as specified in <xref section="3.3" sectionFormat="of" target="I-D.ietf-tls-hybrid-design"/>.
Specifically, <tt>SK || (EC)DHE</tt> is used as the <tt>(EC)DHE</tt> input to the key
schedule in <xref section="7.1" sectionFormat="of" target="TLS13"/>, as shown above in <xref target="spake2plus-run"/>.</t>
          <t>The OQUAKE <tt>context</tt> parameter is set to <tt>None</tt> for standalone use.
The OQUAKE <tt>sid</tt> parameter <bcp14>SHOULD</bcp14> be left empty, relying on the TLS
transcript binding via Finished messages for session uniqueness.
Client-to-server key confirmation is provided via TLS 1.3 Finished messages.</t>
        </section>
      </section>
      <section anchor="oquakeplus">
        <name>OQUAKE+ Integration</name>
        <t>This section describes the OQUAKE+ instantiation of the <tt>pake</tt> extension for TLS.
OQUAKE+ is a post-quantum asymmetric PAKE (aPAKE) described in <xref target="PQPAKE"/>.
<xref target="oquakeplus-setup"/> describes the setup required before the protocol runs, and
<xref target="oquakeplus-run"/> describes the protocol execution in TLS.</t>
        <section anchor="oquakeplus-setup">
          <name>Protocol Setup</name>
          <t>The TLS client and server roles map to the 'initiator' and 'responder' roles in
the OQUAKE+ specification, respectively. Clients are configured with a client
identity, server identity, password-related string (PRS), and salt. Clients use
these to derive a verifier and seed via <tt>GenVerifierMaterial</tt> as described in
<xref section="9.1.1" sectionFormat="of" target="PQPAKE"/>.</t>
          <t>Similarly, servers are configured with a list of client identity, server identity,
verifier, public key (pk), and salt values. Servers use the verifier and public key
when completing the OQUAKE+ protocol. The values for the verifier and public key
are generated using <tt>GenVerifiers</tt> as specified in <xref section="9.1.1" sectionFormat="of" target="PQPAKE"/>.</t>
          <t>The PAKEScheme value for OQUAKE+ specifies the BUA-sKEM instance, KEM instance,
KDF, and KSF used by the protocol.</t>
        </section>
        <section anchor="oquakeplus-run">
          <name>Protocol Execution</name>
          <t>The content of one PAKEShare value in the PAKEClientHello structure consists of
the PAKEScheme value <tt>OQUAKE_PLUS_V1</tt> and the output message from <tt>OQUAKE+.Init</tt>
as specified in <xref section="9.2.1" sectionFormat="of" target="PQPAKE"/>, using the verifier as the
password-related string.</t>
          <t>The content of the server PAKEShare value in the PAKEServerHello structure
consists of the PAKEScheme value <tt>OQUAKE_PLUS_V1</tt> and the output message from
<tt>OQUAKE+.Respond</tt> as specified in <xref section="9.2.2" sectionFormat="of" target="PQPAKE"/>, using the verifier
as the password-related string and the client's registered public key.</t>
          <t>Upon receiving the client's PAKEShare <tt>pake_message</tt> (denoted <tt>init_msg</tt>),
the server produces the response message and derives its shared secret by
invoking <tt>OQUAKE+.Respond</tt>, as specified in <xref section="9.2.2" sectionFormat="of" target="PQPAKE"/>:</t>
          <artwork><![CDATA[
state, resp_msg = OQUAKE+.Respond(PRS, public_context, secret_context,
                                   init_msg, pk)
]]></artwork>
          <t>Here, <tt>PRS</tt> is the client's verifier, <tt>pk</tt> is the client's registered public
key, <tt>secret_context</tt> is <tt>None</tt>, and <tt>public_context</tt> is <tt>encode_sid(sid, U, S)</tt>,
where <tt>sid</tt> is the session identifier and <tt>U</tt> and <tt>S</tt> are the client and
server identifiers. This binds the session and party identities into the
key confirmation values that <tt>OQUAKE+.Respond</tt> computes internally.</t>
          <t>The server's PAKEShare <tt>pake_message</tt> is <tt>resp_msg</tt>. The server's PAKE shared
secret is the <tt>server_key</tt> component of <tt>state</tt>. Note that the server does
not invoke <tt>OQUAKE+.Verify</tt> -- which would check <tt>server_confirm</tt> against a
client-sent value -- since the TLS Finished message from the client serves
this confirmation purpose instead. See <xref target="oquakeplus-sec"/> for more information
about the safety of this approach.</t>
          <t>The server <bcp14>SHOULD NOT</bcp14> send application data before receiving a valid Finished
message from the client, which serves as confirmation that the client
derived the correct shared secret.</t>
          <t>Upon receiving the server's PAKEShare <tt>pake_message</tt> (denoted <tt>resp_msg</tt>),
the client derives its shared secret by invoking <tt>OQUAKE+.Finish</tt>, as
specified in <xref section="9.2.3" sectionFormat="of" target="PQPAKE"/>:</t>
          <artwork><![CDATA[
client_key, response = OQUAKE+.Finish(state, seed, resp_msg, public_context)
]]></artwork>
          <t>Here, <tt>state</tt> is the opaque state produced by the client's earlier call to
<tt>OQUAKE+.Init</tt>, <tt>seed</tt> is the seed from <tt>GenVerifierMaterial</tt>, and
<tt>public_context</tt> is <tt>encode_sid(sid, U, S)</tt> as above. The client's PAKE
shared secret is <tt>client_key</tt>; the <tt>response</tt> output value (the server's
confirmation value) is not sent to the server, since the <tt>pake</tt> extension
carries no third PAKEShare message for Internal PAKEs.</t>
          <t>If <tt>OQUAKE+.Finish</tt> raises <tt>AuthenticationError</tt> -- which covers the key
confirmation value included in <tt>resp_msg</tt> not matching, <tt>KEM.Decaps</tt> failing,
or the client confirmation value not matching -- the client <bcp14>MUST</bcp14> abort the
handshake with a "decrypt_error" alert.</t>
          <t>The client and server both combine their PAKE shared secret (<tt>client_key</tt> and
<tt>server_key</tt>, respectively) with the <tt>(EC)DHE</tt> shared secret as input to the
TLS 1.3 key schedule, where the (EC)DHE shared secret is as
specified in <xref section="7.1" sectionFormat="of" target="TLS13"/> or as the
<tt>concatenated_shared_secret</tt> as specified in <xref section="3.3" sectionFormat="of" target="I-D.ietf-tls-hybrid-design"/>.
Specifically, <tt>client_key || (EC)DHE</tt> is used as the <tt>(EC)DHE</tt> input to the key
schedule in <xref section="7.1" sectionFormat="of" target="TLS13"/>, as shown above in <xref target="spake2plus-run"/>.</t>
          <t>The <tt>secret_context</tt> input to <tt>OQUAKE+.Respond</tt> and <tt>OQUAKE+.Finish</tt> is set
to <tt>None</tt> for standalone use of OQUAKE+ as an Internal PAKE; it is not <tt>None</tt>
when OQUAKE+ is composed with CPace, as in <xref target="external-pakes"/>.</t>
        </section>
      </section>
    </section>
    <section anchor="external-pakes">
      <name>External PAKE Integration</name>
      <section anchor="external-overview">
        <name>Overview</name>
        <t>External PAKEs provide an alternative approach for applications requiring:</t>
        <ul spacing="normal">
          <li>
            <t>Multi-round PAKE protocols: Protocols requiring more than two messages to complete authentication</t>
          </li>
          <li>
            <t>Complex hybrid constructions: Sequential combinations of multiple PAKE protocols</t>
          </li>
          <li>
            <t>Application-controlled channels: Direct control over communication channels and timing</t>
          </li>
          <li>
            <t>Separation of concerns: Clear boundary between PAKE execution and TLS connection establishment</t>
          </li>
        </ul>
        <t>External PAKEs execute their complete protocol exchange outside of TLS, then integrate
with TLS through External PSK Import <xref target="RFC9258"/>. This approach enables protocols
that cannot be constrained to the two-message limit of Internal PAKEs.</t>
      </section>
      <section anchor="external-framework">
        <name>General Framework</name>
        <t>External PAKE protocols must satisfy the following requirements:</t>
        <ul spacing="normal">
          <li>
            <t>High-entropy output: Must derive a cryptographically strong shared secret</t>
          </li>
          <li>
            <t>PSK Import compatibility: Output must be suitable for External PSK Import per <xref target="RFC9258"/></t>
          </li>
          <li>
            <t>Secure session binding: Must provide mechanism to correlate out-of-band execution with TLS connection</t>
          </li>
          <li>
            <t>Forward secrecy: Must provide forward secrecy properties appropriate to the application</t>
          </li>
        </ul>
        <t>The integration pattern for External PAKEs follows these phases:</t>
        <ol spacing="normal" type="1"><li>
            <t>Out-of-band PAKE execution: Complete PAKE protocol exchange using application-controlled channels</t>
          </li>
          <li>
            <t>PSK derivation: Use External PSK Import to derive TLS PSK from PAKE output</t>
          </li>
          <li>
            <t>TLS PSK connection: Establish TLS connection using standard PSK mechanisms</t>
          </li>
          <li>
            <t>Session correlation: Verify proper binding between PAKE execution and TLS connection</t>
          </li>
        </ol>
      </section>
      <section anchor="cpaceoquakeplus">
        <name>CPaceOQUAKE+ Integration</name>
        <t>This section describes how CPaceOQUAKE+, the hybrid aPAKE from <xref target="PQPAKE"/>,
can be realized using out-of-band PAKE execution followed by TLS integration
via External PSK Import <xref target="RFC9258"/>. CPaceOQUAKE+ provides best-of-both-worlds
security: it remains secure if either the classical assumptions underlying CPace
or the post-quantum assumptions underlying OQUAKE+ hold.</t>
        <section anchor="cpaceoquakeplus-overview">
          <name>Overview</name>
          <t>CPaceOQUAKE+ cannot be realized within a single TLS handshake because it requires
more than two PAKE messages. This specification describes an out-of-band approach:</t>
          <ol spacing="normal" type="1"><li>
              <t>CPace execution: Client and server execute CPace out-of-band to derive
a shared secret (ISK).</t>
            </li>
            <li>
              <t>OQUAKE+ execution: Client and server execute OQUAKE+ out-of-band using
the CPace ISK as context to derive a hybrid secret.</t>
            </li>
            <li>
              <t>TLS integration: Both parties import the hybrid secret as a PSK using
<xref target="RFC9258"/> External PSK Import and establish a standard TLS PSK connection.</t>
            </li>
          </ol>
          <t>The sequential composition provides hybrid security per the analysis in <xref target="PQPAKE"/>.
The out-of-band approach eliminates complex TLS session binding and allows
applications to control channel configuration.</t>
        </section>
        <section anchor="cpaceoquakeplus-setup">
          <name>Protocol Setup</name>
          <t>The TLS client and server roles map to the 'initiator' and 'responder' roles in
both the CPace and OQUAKE+ specifications, respectively. Clients are configured
with a password, client and server identities, and OQUAKE+ verifier material per
<xref section="9.1.1" sectionFormat="of" target="PQPAKE"/>. Servers are configured with corresponding password
information and OQUAKE+ public key material.</t>
          <t>Both parties must support CPace and OQUAKE+ protocols for out-of-band execution.
Applications configure out-of-band communication channels and TLS endpoints
separately. Servers must implement state management to correlate out-of-band
PAKE execution with subsequent TLS PSK connections.</t>
          <t>The sequential composition follows the CPaceOQUAKE+ construction from <xref target="PQPAKE"/>,
where CPace output serves as context input for OQUAKE+ to achieve hybrid security.</t>
        </section>
        <section anchor="cpaceoquakeplus-execution">
          <name>Protocol Execution</name>
          <t>The protocol execution follows three phases: CPace execution, OQUAKE+ execution
with CPace context, and TLS PSK integration.</t>
          <artwork><![CDATA[
Client                                Server
  |                                    |
  |-- CPace.Init --------------------->|
  |<-- CPace.Respond ------------------|
  | (both derive cpace_isk)            |
  |                                    |
  |-- OQUAKE+.Init ------------------->|
  |<-- OQUAKE+.Respond ----------------|
  | (both derive hybrid_secret)        |
  |                                    |
  | (both: external_psk = Import(hybrid_secret, "TLS 1.3 CPaceOQUAKE+ PSK", context))
  |                                    |
  |-- TLS ClientHello ---------------->|
  |    (with PSK extension)            |
  |<-- TLS ServerHello ----------------|
  |    (PSK selected)                  |
  |-- [TLS handshake completion] ----->|
  |<-- [TLS handshake completion] -----|
]]></artwork>
          <t>The detailed algorithm steps are:</t>
          <t>First, CPace executes. This consists of the following:</t>
          <artwork><![CDATA[
- client_cpace_msg = CPace.Init(password, identities)
- server_cpace_msg = CPace.Respond(client_cpace_msg, password, identities)
- cpace_isk = CPace.Finish(server_cpace_msg)  // Both parties derive ISK
]]></artwork>
          <t>Second, OQUAKE+ executes with the CPace context as input.
This consists of the following:</t>
          <artwork><![CDATA[
- client_oquake_msg = OQUAKE+.Init(verifier, context=cpace_isk, identities)
- server_oquake_msg = OQUAKE+.Respond(client_oquake_msg, verifier, pk, context=cpace_isk)
- hybrid_secret = OQUAKE+.Finish(server_oquake_msg)  // Both parties derive final secret
]]></artwork>
          <t>The CPace ISK serves as context input for OQUAKE+ per the sequential combiner
construction. Both protocols execute completely outside TLS on application-configured
channels, with no intermediate TLS connections required.</t>
          <t>When finished with the PAKE(s), both parties derive a TLS PSK
from the hybrid secret using <xref target="RFC9258"/> External PSK Import.
This consists of the following:</t>
          <artwork><![CDATA[
- external_psk = Import(hybrid_secret, "TLS 1.3 CPaceOQUAKE+ PSK", context) // From RFC9258
- psk_identity = application_defined_identifier
- Standard TLS 1.3 PSK handshake using (external_psk, psk_identity)
]]></artwork>
          <t>The External PSK Import uses the following parameters:</t>
          <ul spacing="normal">
            <li>
              <t>shared_secret: <tt>hybrid_secret</tt> from OQUAKE+.Finish output</t>
            </li>
            <li>
              <t>label: <tt>"TLS 1.3 CPaceOQUAKE+ PSK"</tt></t>
            </li>
            <li>
              <t>context: Application-provided context or empty string</t>
            </li>
            <li>
              <t>hash: Hash function matching the TLS cipher suite</t>
            </li>
          </ul>
          <t>The TLS integration uses standard TLS 1.3 PSK mechanisms per <xref section="4.2.11" sectionFormat="of" target="TLS13"/>.
The PSK identity can be application-defined, with session correlation handled at the
application layer.</t>
        </section>
        <section anchor="cpaceoquakeplus-implementation">
          <name>Implementation Considerations</name>
          <t>Channel Security: Out-of-band channels must provide adequate confidentiality
and integrity for PAKE message exchange. Applications are responsible for
establishing secure communication channels for CPace and OQUAKE+ execution.</t>
          <t>State Management: Applications must correlate out-of-band PAKE execution with
subsequent TLS connections. This includes managing PSK identities and ensuring
proper cleanup of server state.</t>
          <t>Resource Management: Servers should limit concurrent out-of-band PAKE executions
to prevent resource exhaustion attacks. Consider the cumulative computational cost
of CPace and OQUAKE+ when setting limits.</t>
          <t>Dictionary Attack Mitigation: Building on the general guidance in <xref target="security"/>,
servers implementing out-of-band CPaceOQUAKE+ <bcp14>SHOULD</bcp14>:
- Rate-limit CPace initiation attempts per client identity
- Implement exponential backoff for failed out-of-band authentication attempts
- Monitor for repeated failures across the entire out-of-band sequence
- Consider the cumulative cost of CPace + OQUAKE+ execution when setting rate limits</t>
          <t>Failure Handling: CPace and OQUAKE+ failures should be treated as authentication
attempts per the dictionary attack guidance. TLS PSK failures typically indicate
implementation errors rather than authentication failures. Failed out-of-band
sequences should trigger appropriate cleanup to prevent server state leaks.</t>
        </section>
      </section>
    </section>
    <section anchor="privacy">
      <name>Privacy Considerations</name>
      <t>Client and server identities are sent in the clear in the PAKEClientHello extension.
While normally the TLS server identity is already in the clear -- carried in
the SNI extension -- TLS client identities are encrypted under the TLS handshake
secrets. Thus, the PAKEClientHello extension reveals more information to a passive
network attacker than normal, mutually-authenticated TLS handshakes.</t>
      <t>The implications of leaking the client identity to a passive network attacker vary.
For instance, a successful TLS handshake after negotiating use of a PAKE indicates
that the chosen client identity is valid. This is relevant in settings where
client enumeration may be a concern.</t>
      <t>Applications for which this leak is a problem can use the TLS Encrypted ClientHello
(ECH) extension to encrypt the PAKEClientHello extension in transit to the server
<xref target="ECH"/>.</t>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <section anchor="dictionary-attack-mitigation">
        <name>Dictionary attack mitigation</name>
        <t>Because PAKE security is based on knowledge of a low-entropy secret,
an attacker can perform a "dictionary attack" by repeatedly attempting to
guess the low-entropy secret.</t>
        <t>Clients and servers <bcp14>SHOULD</bcp14> apply mitigations against dictionary attacks.
Reasonable mitigations include rate-limiting authentication attempts,
imposing a backoff time between attempts, limiting the
number of failed attempts, or limiting the total number
of attempts.</t>
        <t>Clients <bcp14>SHOULD</bcp14> treat each time they receive an invalid PAKEServerHello
as a failed authentication attempt for the identity in the previously sent PAKEClientHello.
Servers <bcp14>SHOULD</bcp14> treat each time they send a PAKEServerHello extension as a failed
authentication attempt for the selected identity, until they receive a correct Finished
message from the client. Once the server receives a correct Finished message,
the authentication attempt <bcp14>MAY</bcp14> be treated as successful.</t>
      </section>
      <section anchor="protection-of-client-identities">
        <name>Protection of client identities</name>
        <t>Many of the security properties of this protocol will derive from
the PAKE protocol being used. Security considerations for PAKE
protocols are noted in <xref target="internal-pake-protocols"/>.</t>
        <t>If a server doesn't recognize the identity supplied by the
client in the ClientHello <tt>pake</tt> extension, the server <bcp14>MAY</bcp14> abort the handshake with an
"illegal_parameter" alert. In this case, the server acts as an oracle
for identities, in which each handshake allows an attacker
to learn whether the server recognizes a given identity.</t>
        <t>Alternatively, if the server wishes to hide the fact that a client
identity is unrecognized, the server <bcp14>MAY</bcp14> simulate the protocol as
if an identity was recognized, but the password was incorrect.
This is similar to the procedure outlined in <xref target="RFC5054"/>.
The simulation mechanism is described in <xref target="simulation"/>.</t>
      </section>
      <section anchor="ramifications-of-low-entropy-secret-compromise">
        <name>Ramifications of low entropy secret compromise</name>
        <t>As with PSK based authentication, if only PAKE authentication is in use,
then an attacker that learns the low entropy secret could impersonate
either the client or the server. In situations where a notion of stable identity
is available, then certificate-based authentication <bcp14>MAY</bcp14> be used as well to
reduce this risk. For example, requiring the server to authenticate with
a certificate in addition to PAKE authentication means an attacker
that learns the password could only impersonate a client to a server, but could not impersonate a server to a client.
This is an important distinction in situations where
the client sends sensitive data to the server.</t>
      </section>
      <section anchor="internal-pake-security-considerations">
        <name>Internal PAKE Security Considerations</name>
        <t>The following security considerations apply to Internal PAKEs that execute within
the TLS handshake using the <tt>pake</tt> extension.</t>
        <section anchor="spake2plus-sec">
          <name>SPAKE2+ Security Considerations</name>
          <t><xref target="spake2plus"/> describes how to integrate SPAKE2+ into TLS using the <tt>pake</tt>
extension in this document. This integration deviates from the SPAKE2+
protocol in <xref target="SPAKE2PLUS"/> in one important way: the explicit key confirmation
checks required in <xref target="SPAKE2PLUS"/> are replaced with the TLS Finished messages.
This is because the TLS Finished messages compute a MAC over the TLS transcript,
which includes both the <tt>shareP</tt> and <tt>shareV</tt> values exchanged for SPAKE2+.</t>
          <t>OPEN ISSUE: this requires formal analysis to confirm.</t>
        </section>
        <section anchor="cpace-sec">
          <name>CPace Security Considerations</name>
          <t><xref target="cpace"/> describes how to integrate CPace into TLS using the <tt>pake</tt>
extension in this document. Key confirmation is provided via TLS 1.3 Finished messages,
satisfying the requirements in <xref section="9.4" sectionFormat="of" target="CPACE"/>.</t>
        </section>
        <section anchor="oquake-sec">
          <name>OQUAKE Security Considerations</name>
          <t><xref target="oquake"/> describes how to integrate OQUAKE into TLS using the <tt>pake</tt>
extension in this document. The OQUAKE response message includes an explicit
key confirmation value <tt>h</tt> from server to client. The client <bcp14>MUST</bcp14> verify this
value. Client-to-server key confirmation is provided via TLS 1.3 Finished
messages.</t>
        </section>
        <section anchor="oquakeplus-sec">
          <name>OQUAKE+ Security Considerations</name>
          <t><xref target="oquakeplus"/> describes how to integrate OQUAKE+ into TLS using the <tt>pake</tt>
extension in this document. This integration deviates from the full OQUAKE+
protocol in <xref target="PQPAKE"/> in one important way: the client does not send the
final <tt>server_confirm</tt> message (msg3). Instead, client-to-server key
confirmation is provided via TLS 1.3 Finished messages. This is analogous
to how SPAKE2+ integration (<xref target="spake2plus"/>) omits <tt>confirmP</tt> in favor of
TLS Finished.</t>
          <t>The TLS Finished messages compute a MAC over the TLS transcript, which includes
both the OQUAKE+.Init and OQUAKE+.Respond messages. A client that cannot
derive the correct <tt>client_key</tt> (because it does not know the password seed)
cannot compute a valid Finished message, providing the server with equivalent
assurance to the explicit <tt>server_confirm</tt> verification.</t>
          <t>OPEN ISSUE: this requires formal analysis to confirm.</t>
        </section>
      </section>
      <section anchor="external-pake-security-considerations">
        <name>External PAKE Security Considerations</name>
        <t>The following security considerations apply to External PAKEs that execute out-of-band
prior to TLS connection establishment.</t>
        <section anchor="cpaceoquakeplus-sec">
          <name>CPaceOQUAKE+ Security Considerations</name>
          <t><xref target="cpaceoquakeplus"/> describes how to integrate CPaceOQUAKE+ using out-of-band
execution followed by External PSK Import. The security of this composition relies on the sequential
PAKE combiner analysis from <xref target="PQPAKE"/>: by providing the CPace-derived context
to OQUAKE+, the effective password used in OQUAKE+ depends on both the original
password and the CPace session key. This means an attacker must break both CPace
and OQUAKE+ to mount an offline dictionary attack.</t>
          <t>The binding between connections is achieved through the TLS Exporter, which
derives the context from the TLS Master Secret. An attacker that did not
participate in the first CPace handshake cannot predict or influence the
exported context value.</t>
        </section>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests that IANA add a value to the TLS
ExtensionType Registry with the following contents:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Extension Name</th>
            <th align="center">TLS 1.3</th>
            <th align="center">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">0xTODO</td>
            <td align="left">pake</td>
            <td align="center">CH, SH</td>
            <td align="center">(this document)</td>
          </tr>
        </tbody>
      </table>
      <t>RFC EDITOR: Please replace "TODO" in the above table with the
value assigned by IANA, and replace "(this document)" with the
RFC number assigned to this document.</t>
      <section anchor="pake-scheme-registry">
        <name>PAKE Scheme registry</name>
        <t>This document requests that IANA create a new registry called
"PAKE Schemes" for internal PAKEs (those negotiated with the
PAKE extension) with the following contents:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">PAKEScheme</th>
              <th align="center">Reference</th>
              <th align="left">Notes</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0xTODO</td>
              <td align="left">SPAKE2PLUS_V1</td>
              <td align="center">(this document)</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">0xTODO</td>
              <td align="left">CPACE_X25519_SHA512</td>
              <td align="center">(this document)</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">0xTODO</td>
              <td align="left">OQUAKE_V1</td>
              <td align="center">(this document)</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">0xTODO</td>
              <td align="left">OQUAKE_PLUS_V1</td>
              <td align="center">(this document)</td>
              <td align="left">N/A</td>
            </tr>
          </tbody>
        </table>
        <t>The SPAKE2PLUS_V1 PAKEScheme variant has the following parameters associated with it:</t>
        <ul spacing="normal">
          <li>
            <t>G: P-256</t>
          </li>
          <li>
            <t>Hash: SHA256</t>
          </li>
          <li>
            <t>KDF: HKDF-SHA256</t>
          </li>
          <li>
            <t>MAC: HMAC-SHA256</t>
          </li>
        </ul>
        <t>Additionally, it uses the M and N values from <xref section="4" sectionFormat="of" target="SPAKE2PLUS"/>, included
below, as compressed points on the P-256 curve, for completeness.</t>
        <artwork><![CDATA[
M =
02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f

N =
03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
]]></artwork>
        <t>The CPACE_X25519_SHA512 PAKEScheme variant has the parameters for 'CPACE-X25519-SHA512'
as specified in <xref section="4" sectionFormat="of" target="CPACE"/>.</t>
        <t>The OQUAKE_V1 PAKEScheme variant has the following parameters associated with it:</t>
        <ul spacing="normal">
          <li>
            <t>BUA-sKEM: ML-BUA-sKEM1024</t>
          </li>
          <li>
            <t>KDF: HKDF-SHA-256</t>
          </li>
          <li>
            <t>DST: as specified in <xref target="PQPAKE"/></t>
          </li>
        </ul>
        <t>These parameters correspond to the <bcp14>RECOMMENDED</bcp14> configuration in <xref target="PQPAKE"/>.</t>
        <t>The OQUAKE_PLUS_V1 PAKEScheme variant has the following parameters associated with it:</t>
        <ul spacing="normal">
          <li>
            <t>BUA-sKEM: ML-BUA-sKEM1024</t>
          </li>
          <li>
            <t>KEM: X-Wing <xref target="XWING"/></t>
          </li>
          <li>
            <t>KDF: HKDF-SHA-256</t>
          </li>
          <li>
            <t>KSF: Argon2id <xref target="ARGON2"/> (parameters as specified in <xref target="PQPAKE"/>)</t>
          </li>
          <li>
            <t>DST: as specified in <xref target="PQPAKE"/></t>
          </li>
        </ul>
        <t>These parameters correspond to the <bcp14>RECOMMENDED</bcp14> configuration in <xref target="PQPAKE"/>.</t>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank the original authors of <xref target="FIRST-DRAFT"/>
for providing a firm basis for the extension mechanism specified in this
document.</t>
    </section>
    <section numbered="false" anchor="change-log">
      <name>Change Log</name>
      <t>Since draft-ietf-tls-pake-01</t>
      <ul spacing="normal">
        <li>
          <t>Add internal and external PAKE distinction</t>
        </li>
        <li>
          <t>Add OQUAKE and OQUAKE+ from draft-vos-cfrg-pqpake.</t>
        </li>
      </ul>
      <t>Since draft-ietf-tls-pake-00</t>
      <ul spacing="normal">
        <li>
          <t>Add CPace as a second PAKE instantiation</t>
        </li>
        <li>
          <t>Require PAKE protocols to complete in exactly two messages
(ClientHello and ServerHello)</t>
        </li>
        <li>
          <t>Require PAKE protocols to support key confirmation via TLS 1.3
Finished messages</t>
        </li>
        <li>
          <t>Clarify server behavior when both pake and pre_shared_key
extensions are present: server <bcp14>MUST</bcp14> select authentication
mechanism based on preference, not client identity recognition</t>
        </li>
        <li>
          <t>Add explicit requirement that server <bcp14>MUST</bcp14> send missing_extension
alert if pake extension is present without key_share and
supported_groups extensions</t>
        </li>
        <li>
          <t>Specify that SPAKE2+ Context string <bcp14>MUST</bcp14> be prefixed with "tls"
to prevent cross-protocol attacks</t>
        </li>
      </ul>
      <t>Since draft-bmw-tls-pake13-02</t>
      <ul spacing="normal">
        <li>
          <t>Updated boilerplate after WG adoption</t>
        </li>
      </ul>
      <t>Since draft-bmw-tls-pake13-01</t>
      <ul spacing="normal">
        <li>
          <t>Require standard TLS Key exchange to be combined with pake</t>
        </li>
        <li>
          <t>Allow combining PAKEs and certificates</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="PQPAKE" target="https://datatracker.ietf.org/doc/draft-vos-cfrg-pqpake/">
          <front>
            <title>Hybrid Post-Quantum Password Authenticated Key Exchange</title>
            <author initials="J." surname="Vos">
              <organization/>
            </author>
            <author initials="C. A." surname="Wood">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-vos-cfrg-pqpake-latest"/>
        </reference>
        <reference anchor="XWING" target="https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/">
          <front>
            <title>X-Wing: The Hybrid KEM You've Been Looking For</title>
            <author initials="D." surname="Connolly">
              <organization/>
            </author>
            <author initials="P." surname="Schwabe">
              <organization/>
            </author>
            <author initials="B." surname="Westerbaan">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-connolly-cfrg-xwing-kem-latest"/>
        </reference>
        <reference anchor="RFC9383">
          <front>
            <title>SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE) Protocol</title>
            <author fullname="T. Taubert" initials="T." surname="Taubert"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes SPAKE2+, a Password-Authenticated Key Exchange (PAKE) protocol run between two parties for deriving a strong shared key with no risk of disclosing the password. SPAKE2+ is an augmented PAKE protocol, as only one party has knowledge of the password. This method is simple to implement, compatible with any prime-order group, and computationally efficient.</t>
              <t>This document was produced outside of the IETF and IRTF and represents the opinions of the authors. Publication of this document as an RFC in the Independent Submissions Stream does not imply endorsement of SPAKE2+ by the IETF or IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9383"/>
          <seriesInfo name="DOI" value="10.17487/RFC9383"/>
        </reference>
        <reference anchor="CPACE">
          <front>
            <title>CPace, a balanced composable PAKE</title>
            <author fullname="Michel Abdalla" initials="M." surname="Abdalla">
              <organization>Alloc Init Labs - New York</organization>
            </author>
            <author fullname="Björn Haase" initials="B." surname="Haase">
              <organization>Endress + Hauser Liquid Analysis - Gerlingen</organization>
            </author>
            <author fullname="Julia Hesse" initials="J." surname="Hesse">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <date day="22" month="April" year="2026"/>
            <abstract>
              <t>   This document describes CPace which is a protocol that allows two
   parties that share a low-entropy secret (password) to derive a strong
   shared key without disclosing the secret to offline dictionary
   attacks.  The CPace protocol was tailored for constrained devices and
   can be used on groups of prime- and non-prime order.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-cpace-21"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="TLS13">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="SPAKE2PLUS">
          <front>
            <title>SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE) Protocol</title>
            <author fullname="T. Taubert" initials="T." surname="Taubert"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes SPAKE2+, a Password-Authenticated Key Exchange (PAKE) protocol run between two parties for deriving a strong shared key with no risk of disclosing the password. SPAKE2+ is an augmented PAKE protocol, as only one party has knowledge of the password. This method is simple to implement, compatible with any prime-order group, and computationally efficient.</t>
              <t>This document was produced outside of the IETF and IRTF and represents the opinions of the authors. Publication of this document as an RFC in the Independent Submissions Stream does not imply endorsement of SPAKE2+ by the IETF or IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9383"/>
          <seriesInfo name="DOI" value="10.17487/RFC9383"/>
        </reference>
        <reference anchor="I-D.ietf-tls-hybrid-design">
          <front>
            <title>Hybrid key exchange in TLS 1.3</title>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Shay Gueron" initials="S." surname="Gueron">
              <organization>University of Haifa and Meta</organization>
            </author>
            <date day="7" month="September" year="2025"/>
            <abstract>
              <t>   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if a way is found to defeat the encryption for all but
   one of the component algorithms.  It is motivated by transition to
   post-quantum cryptography.  This document provides a construction for
   hybrid key exchange in the Transport Layer Security (TLS) protocol
   version 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-hybrid-design-16"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="ARGON2">
          <front>
            <title>Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications</title>
            <author>
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="RFC" value="9106"/>
        </reference>
        <reference anchor="FIRST-DRAFT">
          <front>
            <title>Usage of PAKE with TLS 1.3</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Owen Friel" initials="O." surname="Friel">
              <organization>Cisco</organization>
            </author>
            <date day="16" month="July" year="2018"/>
            <abstract>
              <t>   The pre-shared key mechanism available in TLS 1.3 is not suitable for
   usage with low-entropy keys, such as passwords entered by users.
   This document describes an extension that enables the use of
   password-authenticated key exchange protocols with TLS 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-barnes-tls-pake-04"/>
        </reference>
        <reference anchor="RFC5054">
          <front>
            <title>Using the Secure Remote Password (SRP) Protocol for TLS Authentication</title>
            <author fullname="D. Taylor" initials="D." surname="Taylor"/>
            <author fullname="T. Wu" initials="T." surname="Wu"/>
            <author fullname="N. Mavrogiannopoulos" initials="N." surname="Mavrogiannopoulos"/>
            <author fullname="T. Perrin" initials="T." surname="Perrin"/>
            <date month="November" year="2007"/>
            <abstract>
              <t>This memo presents a technique for using the Secure Remote Password protocol as an authentication method for the Transport Layer Security protocol. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5054"/>
          <seriesInfo name="DOI" value="10.17487/RFC5054"/>
        </reference>
        <reference anchor="RFC9258">
          <front>
            <title>Importing External Pre-Shared Keys (PSKs) for TLS 1.3</title>
            <author fullname="D. Benjamin" initials="D." surname="Benjamin"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes an interface for importing external Pre-Shared Keys (PSKs) into TLS 1.3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9258"/>
          <seriesInfo name="DOI" value="10.17487/RFC9258"/>
        </reference>
        <reference anchor="OPAQUE">
          <front>
            <title>The OPAQUE Augmented PAKE Protocol</title>
            <author fullname="Daniel Bourdrez" initials="D." surname="Bourdrez">
         </author>
            <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
              <organization>AWS</organization>
            </author>
            <author fullname="Kevin Lewi" initials="K." surname="Lewi">
              <organization>Meta</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare, Inc.</organization>
            </author>
            <date day="21" month="November" year="2024"/>
            <abstract>
              <t>   This document describes the OPAQUE protocol, an augmented (or
   asymmetric) password-authenticated key exchange (aPAKE) that supports
   mutual authentication in a client-server setting without reliance on
   PKI and with security against pre-computation attacks upon server
   compromise.  In addition, the protocol provides forward secrecy and
   the ability to hide the password from the server, even during
   password registration.  This document specifies the core OPAQUE
   protocol and one instantiation based on 3DH.  This document is a
   product of the Crypto Forum Research Group (CFRG) in the IRTF.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-opaque-18"/>
        </reference>
        <reference anchor="ECH">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <author fullname="Kazuho Oku" initials="K." surname="Oku">
              <organization>Fastly</organization>
            </author>
            <author fullname="Nick Sullivan" initials="N." surname="Sullivan">
              <organization>Cryptography Consulting LLC</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="14" month="June" year="2025"/>
            <abstract>
              <t>   This document describes a mechanism in Transport Layer Security (TLS)
   for encrypting a ClientHello message under a server public key.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/tlswg/draft-ietf-tls-esni
   (https://github.com/tlswg/draft-ietf-tls-esni).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-esni-25"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+192XYbR7Lge35FNv1g0gYgktoseummSUrilSjRpOTl9OlL
FIAEWC2gCq4qkEJL6m+Zb5kvm9hyqyqAlC177sxpnb7XBFCVGRkZGXtGdLtd
VaXV1OzpfX2alOV1Xoz0/qK6NFmVDpPKjPQzs9RHb4eXSTYx8EdlsjLNMz3O
C/3q+bne6d1VyWBQmKs9+1mf7j87UqN8mCUzGHlUJOOqm5pq3K2mZXeevDHd
7V1VLgaztMSxquUcHjs+evVY4ZSTvFju6TQb50ql82JPV8WirHa3tx/BW0lh
kj19boaLIq2WCuB9MynyxXxPb7wqkqyc50WlnydLU7iHNtSVyRZmT2n4d/PD
+BRDtPETjJ5mE/0EX+JfZkk6hV9gIX/DFfXyYsI/JMXwEn64rKp5uXfnDj6H
X6VXpmcfvINf3BkU+XVp7sAId/jNSVpdLgY86PXkjsUR/zgFhJRVMDA9RKPZ
B++0ILh3Wc2msPA9va3emCVuK2A4q0yRmap7iC8oVVZJNrpIpnkGi12aUs3T
Pf33Kh92dAmYKcy4hL+WM/zjH0olQBZ5AWjsatidck8/7+nvk8UsyQhS3uzn
yaJIwq8B0iRL/5VUsNFAZfP51HQAkmGPfjWMz+nFgN74W4K/94b5DGehSTYO
YRaT/TOZpRmhhOfZOEyu0lH8SzzVxpM8n0yNfv78gH6VqUb43sBkf5vQz9Fc
5z19YrI889Ocw+CF/3LtYmSCEl+5mOErLcs56On9nv4pz0d+koPLIi2rfH4J
dBj8eJvJhsn13y5NMgcqHaRV2YPdVSrLixm8dUUkf/oDnkYmfjnqG0+XgwKQ
d5qXVfeHRZJVi9ltTr+cjaSYGKBIS5CjpEqqIhm+MYWndDj8QpZXedkdjotJ
d/4rESuNAe8AHLvbuw/47FjKon+Cqf/q6R/zMv4uxp4uTZGaEjmFfTcmcct7
ajB0+VDBKz//dPziSYybn7s/ATKBl10aLXh6dnSif8kXn18ZoDeT6ed5Tmzh
cV78JpQM8yzLp9Mlw/T2GsbqvjGzGmrurUYNHIkDGSP+4bSnz4eX18nAxN9/
D0iDFZtikMixvC3qVsBqUahwhIDa9s+evHyxG2N0v5jk2S4cohkw9u7TBGjs
8SIbVlaKOMp7mpSXiFfgSvq0yPNxF/6HPJiIHwkSXik3VsB/9vhgTz/a2X4Q
o3FXKdXtdnUyKHFLAGTc2XlhuuUlCJORBvaoZwYpPC1nOrlCxj0AvpFmTp6l
pc7ySpeLtMKfFEK9KBOQh9fAu/U0v+7CiSny+RJHQ6a5GF7qpNRzWVqpDWIX
Zhss4U1TlD0AA4YFolgAq6j0yJTDIh2YElavjZOy1WVSwbs4awkfDL6s87Gy
A3eT6LTiWoyV1fMiB16eT0uGUhbTE3zM0tEIlqI+w40v8tGCNkSpw+Pzg+f7
xydHZ3v6BJeRj2FiALUCqBATw3yewlTjIp/pd+/++vj47PxV9/Bs//Grb4+7
h71BAkRUOkH04YPC7YT30owWAFANTVnisAODu72Y416NepoQAv9LNEr1bpp1
4dlJgQ8TLRJdXCalwr1YGtgPPIxlOsnSMaw/wy9YiMOTyXRZpiUcB2MASvvD
hw80CHyBsO3Op4uyC78BkLilQJ9GO4LOM0DVMUyQz4xOAgLs6JQQAVuWFkQq
VS57BLAPpynuJ04D+3xlCgW/hruET4PEhSfyCjn+oiSaj6goIM+rZLowHWUp
KiHy6VpysnTAoM6LFJYBcyLtEIph0zu8fWM5cskUEQRoBPQbfCUHeUiEqXB7
Uhh4UtBCeecNq0ZGn8H5BejdaUWx4mhMb56fnW4poAc4hve379/78KFHLLSc
myFuj4bfo8EtwY+QMOAljW+B0mj4rKWzmRmlgK7pko/DCPFmD+TADBM8CbAR
hQGEw1qJutQBYz/SWXErzmkr4u9nQFlwhmE/ry9TwG6WK1CFJvCYeQvyGOHi
8+LYQFWa6diiDPfC8w2kn2CXcYV46lTMaEq9eXr+rNzq6af5tQGIOho/456O
+JTSXjmsZsaMkH4GRm+MF9OpJZCNjkMB7tAgzUYANpGKDAbwqBo8cERwIPoZ
xpzlC6RTPUqZLgo4NlUFQktwiZD11HmO2JnyPE6/P38WLB0AtpyR0IBPloY0
ewWndzGby/TwJT3A6OZDJPRhRnSqAETcfAvlNYBPVNk4VJpwCpACecRHB45z
YSrYtSM8kXi0EGo8g6MR8RLCMGIOAdJmPDZDlF4wUGF+XaSFMFp4S8ECRzDR
Gz7hb+EcVHjE1zHfEvGQlpfI1NUmnpEtt53C4tp4PgHp2X4f2VNfEffHbRsm
BWwPqhVAEsg+cbcimHAmJFWcwI8DHyYmA1EJKn0q0oTRHFICjw7gKyc7Ai5I
WzZbTKsUFFCgFkBYgdDjjCXqFcCWYJMNja6YBcGgll4CHLZu5HU6neoBsEJ4
8sqoN1l+PTWjibHcxyJbo6YAU3YdRxFyB8qH7ROBhDzAvbFpepMenMoJYtsw
xyqZZmSriRHPk6IibOLcNAKoCYtk6qbeYlY2vMzTIcFFrA/XkGRuKOTFBajz
wJdLWpQCDJu3KDZAD1p6QheGf7z/Yh8xB+LLcvkWpWCcgjAFkZshUYciHTeF
dx8HQ6DPEardL0G4/QXY6aO7X9398KGjD073D47wO/qDJHRagKFI6txwngxB
QnfUyx9e45LevWNrAV/E5fHXXwbfx1wfAAb94ZUpwALLp/lkycoVHgTWejZO
Xp+/AmZF/9UvXtLfZ0c/vD4+OzrEv8+f7j9/7v5Q8sT505evnx/6v/ybBy9P
To5eHPLL8K2OvlIbJ/u/bDDsGy9PXx2/fLH/fIMpP8Qrsg7mqiiRijniFjaz
VJFQ+v7g9H//r517gtDdnZ1HsH7+8NXOQ5BwxJ94NiIq/gh7sVSgL5ikwFES
IO8hGGhVMgVJA2K3vMyvMw2S3wD2vvg7YuYfe/qbwXC+c+87+QIXHH1pcRZ9
SThrftN4mZHY8lXLNA6b0fc1TMfw7v8SfbZ4D7785q/AiI3u7nz11+8U04gT
H2WsCdQ2alrmpHvR+Ty0/iYh8Z17D5FSB4uKjgP6oEC3AXFumKsUBlgVbw3r
DsBQi3wxucwXFVHuuakWc9KcgFoNsS0rUj0P9Qe3Dl5H+DYzNRUwNZTbOBqy
NFLmSGfA4ZDOPE/bBLAt/2IWoJIQIWAtIDCkaZqayrVZbgljGpkKjJbSauqq
PmHIzJH0HQdFCZKAKGZ+Np3koCNfzpCg0c/GNo9bvVAsa1LM4nDGYb4oAGe0
UiclwOiskmxoHEzIwsbpZMHKn6qLFy9VGJcgV1iTK/UsWTIZRDMoUMBA8FYp
qm+gSLG2hcdNT1L8yBtBu0yrO7Uq1cEUme5YlCKRmBYjVjVltlsu5uQhJKXm
GuQkvspritngHtIQWs8gNFjIWE0XBWYBCgaQIHzVIhU7gJkZLIjYeKywKVkS
Tm11Vb3JeHlqptM80GzpM5MDbAbDYJUDGDMtHLDKDWWHB5BY3wiIHkdmwtSi
vbJeVbIOMTZEVn5B6GTU5fDSjBZTpBL0EwfocOJ2UaFNP8DhRXrl1mwR9R4d
DoadA5EyhbLRr02QVl+cN35hphJoRGwgWk86o93kN+TUKbssOHaiieNGePBB
0z3m99i2ebR7/yuwbZiJjXPAOrpEEDtkG7qzyyoNsK4ihxNmyPzlc9oTm9vj
hz5Zu4jdDpYuBRNeUwThUXvZ6wRJ4e035DMOybDOYLNjrYwX3EYEPV0j6hjp
dfPCof6jyZZ3xwKuog1ydNd+jmpk9xjoqEZ67EGRoxDS362oDgxvciAYGZR8
GiURwGefCY/S3xvgTTAYbBqY9sjJItaRxPvUCRXhEgxbVP/ruFeyVyHaSE1n
X0EfRwx+67P0AD7073//W5lsMdPvyA2Gw25uv3318vDlVkdvPrh//+79LfXB
x3FeLefma3qL/WLJcponI6t8C5SeL6DfoIoovwGKKqtiAQp0IeDEALGWevr8
9fnFjzsaQPsZ/m116DdSUS9+3r1/f+fRBagy93d2a0+wQtp8U75vDssK6zlQ
yAyWKaAJKP4XQdRFKc9R3GKe/Low7FqkH4WWv9np9Xb/e+dBd+e7r+3wyCHr
o/v3GYkXIrGW32wHA8RPstBa/aSbzI5JvLmMnmOQgg35WjaB9rdJOG638AyU
aVmRfAMD0UIBq4fjuCAPA1vuaG0IZaAlGTm3MJo0Ic4LZjl6UZy5ZNWLko67
H+NzMGbSAp4UBLNpg2oJzTklko9OUE8diEE0XdJpArHglwHKynTEzJAFOWr2
QrAoqSPUKQx8hnAyelkX6zAYaCOSbwZ9JSUI6mEV0o5bWM+NbVGnOIwguHII
tQ4a9rKg4a6PK1J00GSczaslDFWjBRlK9MuPGyqgbRlmtztYwmbxMICwwh74
eKvsu7Iz8XLoUbtn1pWQZqCTJdP0X8Y6e2XH1KtW698tJNg1EDMzdEHlZDu5
TSnxG1Btr1DXtowJGIsRwcnOq/JrXdZcvr2A9HnP+jyddUn33Rx9nBLIBHWF
qUEBwC5fmFpZlu6UXJYvuJjMTPIKnZX2gLAdIcPDuSLfeT4mX5YTvT0MIDlV
uaPTsXcfoyuiDC0FNHJQH6cJFOG+8vQgsJXk3MkX0xEJFvizALzN82xkz5Bg
0h4xJSQzbsqkaJnxqcDjTmauRlsV/RwYLmYDCXYOtjwDZjAlWQ3HNCENgy0s
MWheJDMzokXQmD19khcmR39o6O6zljAvhrzzIM0zOpAeKnGbGgy8NkdWYCye
i2R/1NtFOv8LCPydu9+iGX/v3gMw462NI8pCgq+mo1D2qtmCHMLD6QI4m0nJ
cY9SuzDMSEYXoImECjTao6ABKngIXTwJsqYLzwP7RDd92Td4nfISykj7+kkW
ppLRKA0d8g1tPTbSWMHIzLVVu8kXma5enabVlUDq5RidwHoKe1YRmnlG5cV9
Ts5c5KNfWHyUazERPteOik4LHtir0oeheNS+9iOW0ZCEi9sNEYygjoPDxgTf
hlmh9VRokexQIsakbe/Qbm6dr6efp2/IoQ6qJ3LKmuoM52ZevrkYXRpAHhA6
Ss/SSa80C2j4Xm+3t91GxZ228EPropAUkul1siSNfkBzuIcpd2DqdGvjgyXi
r7EhNfi1S5p3F+AFjZjtePZEwKk7oJFXmRYfMZ+y8bFLDsajG/gHejaZFIZo
m8QM4AeWNUmQn+qnCbBF+O8LsJYOwYBYziv1HPhzofdZSqCvDtlJkYzREQKm
BfInFGEjkJ0iP0f8JvthEn2AH3KwUeaXzN7UmZmaKww82iQKWPV8gdNsHpz9
cLBlJcB4gTQv7n8BlkIiOblS8IRhoGRKToAvglijBfALgHCSFKOpRE5ZzARK
CEaorRAa9RToADaS1kHgOXLVsXMTUF9Y2fLFHooe5hl2iHhsNQfwgZ2TAwTX
zq71jrY+Z9iUg9NkaLbQJcar1YgBZjkDkAFveJmshYDKF+h2flQKJMxdsAp0
LfLiVWhDuxgNIS129FvXP8hW2neAv0FxPtqHwbI5HGKkHMKlQXZOgqdcFHCW
WVw2SPIazmRIhD0grfk0X87IT4U+esyf4LOkAqi9EBfgl+QHzoF9iNbELkqh
RfKUkVpEoVqwQC9Fok9x60AnwLSdX23ajtsnn3XA1lDHuu87AK6i7ZEvWEVy
oV1Uvw5Q9x+JKkUkFvj82Yjls43xSNjOaibYY4eoqMUcM9+3fJWplLkru0Ps
trDwa5WLQfAK9gFtijJQTpSL0dGArK7GfI+0S8xsw0QT0Y9gZyr275na47Fm
erL/S8zkVwt4MnRWM9mOYv2VI0oWDgy2Xeaw7Tq2m4hAge0LNHXlmFQZH6oX
rlIz5bwJRM5b2JN/5imsSQ5HUnnrzS4X+ZyMKoOKexe1qGNGP4K2ef7ieIt1
ZnZ8SDjdOz5InArYQOUGyB7VghA8MaGaIhZVW/wxh/+yzlSXrf3VotzL5oE4
90JfDs+pNijRNJtcuNc2YG+AJnq/B3IGqkYhKszdYdWBtKvV2+4F67ENkrNw
EooPbRzKjinS8k1HQC61j+SgKTG33J3cUMgHayapmD6lWuX5xSAWSr6UmODA
VNeYJkIHDbne+bP6AgCxQ8OBBzY9bGQ5oVymFkutyski3HenAokzwH0DJvMW
czzRicqMtiKOC4dphOFW/EmBBOOEgmvYsi5GFzClCHNiEjj6w8U0KTpWzK2y
9yXPS32MNRPISWseoVFHE8HAMLgaLViem/BhTFdITeliSghTJ2QVRM+ljixG
Fi2A1A0QjKAQTC9czDki6JsWGeAompMotgTRW7ohVNsQIeb9WtOSTIbY6EQu
aBOh3KkOEOGMTwHBJQBZcxtD7GL3WJr2bzsyDnwS1lkgRqoduMYkXDiED/et
UCojXVIaVqggZdZn4cSBwFMHAs5FGVi47lQGLpHgO+dKQ7Kf5qghYQoImhB2
Z0EeTlJMbBQ7wofVWvaI7EFUi/0WlbxBsHKwMGfofRfIo3FZPaatwh22e6Qo
TyqiIBSgZTpbTBOXlaJ5qlJsmiDW++6dPApzoJvmXD6Ruu/eEpdP2cZJxOdj
M5YYiM9L9o9YXLV6hI4t1dIaSmcWC8R+8dHyvEqCW8IaGVpUg6VYpOKerzOw
NKMXgqCHpJQwL3OKVGyjiWPKvyRu/o4Y/EtrXtXdQUihDBwecOtutdipuVsD
bSLKVCJHLJCEA867WNMydqmyg7npXCeeIWRdspNcPOZ+TZF7OnxWtJ722UOf
nc3fA0EKhKkGmMLW9GWiBAatzmLD0Ursx6RsKTSAkLE4EpSAk/NXh6/UVAg8
4W1qac2T4LxaSRZoDLjW5dw0lAqSKX2TgMF0gVTdh0lfl0EqUiyR8RC6FDqU
GIH62+6AwGRc1Kcl+h6wI7DlYXmcdWwPdGRsOoRaLzd7Zvi7m3R8cvdlTpch
1Fgv20Gos8McwecfTQHU76OLQsLesxpq0cSSWJ0PhjgTVoi2jY1lrDESGmnE
YhOl5XBR8t5lQRaDS0QeRnaVYsOTFIgMmXIwJfu+ac9gaOCurGljxuq5BDj1
ST5yWQqlfvdZzQej1E9W3jQ97eQtwWllE9lHjfZ6FOB3gXFnU8d5vpzKgQBn
tPtO4gHPRCVL948ODp9uHm314QTNFwyCVQdRF3NOTPuc5ueCoC6m+ESBXTC0
OcPFpZdGIA/J6+LzW6ZmbMdTLtelFtmwieEuD9ylhktSHM0VZc4M0EC5zK9J
gFvPB1Em2tbAroo0wcOTz4mFdIh/2ORS1HclEd/uTXwEr9IkIodOnaGjwI0T
ToONXsCXU52M0fcEPAafF4V6FLEu9TgFWwPQ6tiXJppx/Msd7PC6AWv365Kd
KXs3MEX4wAWOLGRbamDGlGK/BkBdB5B8JfDGNdoWilLmr1OACqMOcpYoLxb1
mAzwEKOIh42M1nOnc8AJChQQit4HussYFe5IgYm2hJSgKgyFk0/83HppAv3Q
670S/micTloku0J7MMixsMBWA62pS3RIj0jY3ZrU1XUWAQw5qwRR9LIRJuqH
Ib8+aAK5k4oeIPe74iMJbCGMoomaEkaoaG7RswCoRZbi0ZpSvKEAKIDbIMsR
QIlNzHNgrZhVLmZHa4ySeUGJaDs1BY4p7Kh0rMYxrwDJ6vsgf97pAqx4XAfq
Uxug0cIk0/Cf8LRaS8h8+NH/Byb2dIaoBsAGySBFN1/DHp7zYpjGPJk214RY
RQeiYnsbLNVuXnTxcgkbqslQ8vLF0elS5DatpdHxmc4U7FfE5AvMtyGdP7GK
dt0+o+R7eZLe5OxXeIgemYLGkoG5umRQBmaZk66At1EA7JZEKJeldx4m5KGo
S7MgAafrcp4+0Mk+83EulhFx4lKc4UmaEV/WKesZTqvdefUsHo4Iih7Od4TK
JRzCtyw3MHHROZythhQPQMrOnG5emYYUTsnpQflOUR4V5gCl3gUYhihrWVU3
ZG/VxU8jewtkZ5woRpyC72fYdD4bmIQ5LJGT+7zk60j2546gHSGA2RD1Pmhr
NaUi3EPO2lOgCHRWZrvZ8BhfxjPRJTdtkYuuTWRR1+wMBtwO2dimBwAme38r
GV6mYGeSx5888Fbso1y2Skn9SJd8amvJo2ThWtPMac7eD7ViRcyncSoiLeuX
jUSMDbCRqNmPUxrYaDXuzpg1VpnRxBnB/qrC1zDQQWiF1hm8T5WInKIf9V5k
7n2Bd5/aNUubrajZSCGrHr2mFt1fU4jVDwAKGSh+sWDwjLEIbrhgyMIED4E4
9sy0v3l0sHX49KhFFa3lF57jnS3YOKBZdwcmIEkbQq8oJalYy5X4AmlH8UWO
BM8m7Sork+svbKCeIfrnZt2jEii0W9FdEHjp5en+D6/xmsdf+a/a6JyIxk/y
hZD66PmvC7rTuRWEh9zTTWD4cQ+Me4XUMVlBmPwKCpmHf2UObKh/c/oMaqzr
EiSkWAXbhfbVkPJqgP/Fpyl+6xDYU7V7o9ViDnZCDBd96+8EicYbSexikZUd
1biHCl83Rgvymm2yNOcHk0b7WSAvadoQfQIf+1X8LYXQJCxyvFU8S+aW4vsw
Hvwg4RayslP8yA/aCJGgL2J7NWPHZe9zPhen/ltr0eZdKK9/1AJeLDJd2PRK
ANGb19v0y/UO8Gt0SYqH+d07v19AaeRJxPIb06WPk7RDYr3ktRS9JkQqgijy
jop2aoF7vh42YYalYuVTXP8cdgmuAlQthMpeOZnOmsIWJmWxxN6bFv8tgdgB
5DF6n2/p9kse5C8NUk7uctpUuAy94rr0q8soyMFyCJ+1S8FLrEt3wYLhd7fm
YCX5MHVuBRWegE7gYOXv05npslJHMULdf9IHQyjM0UAr89JdfNZ9rC/Q75Br
gbwccv/E/f7s8LFkDVltpn6DFjNz+if7B2AW7TvdB6hMVR+/cHQNVYmVDSc0
7wtU4vHyUJDVaTFg3dguE6i+KXWecOR4RsQXkM9I0NvL7zilzuoP68PMLmFY
BfI3QkA/yvbuO0VYfiWV97SPeji7cOrJTndBk2susuE4d7bYmhUEKkgQKA9T
nn/zCn7U799bnfFHoK+0Z3od+5vwUvdz5D3r1Jaub1r6EzLcPOIojYLnia4V
BEweE2nIycoOXp5MPbuYJanENoo8rwK7o24x10SjB7CFAHFrNg4433Wj5RSg
jvcrXq0FxtivQGMCzAVeogtJle1zBFz1W3/DQSQDM+McZ9xRNnbRkOK/yYiW
RC7P36TKgVuf3H6Zlpy8zG6XwKyxubt1vFRYPgrQMq+sb9jhpYEV4trij1CV
5+C1c+6HDLkTEnNShpKrpuZZPaTjLm+PtM2QAjaK6aDo4rZENlg2aYSiCeT6
YbJYSUshCeHDbLP27YX+lnxC5XXr2MBFp16L3zdSuDs2Sw9+l2FkFGXJlQJR
0Q1NvxMPezut6b5IJZLuGR5GG3Dhoftq9cByNv9C2rOtusWZYV28qjnBaKZ3
YaCA8NhCkvf2BldrUBaedkMkxMmtlhjcMx4YsBx7fC9I3+Lf9q2een+rp65W
PrWtu99p/RQEbvfoLZXl0d/qI1TYMCUN0P8Jofiyi/++04cU2Ojy+Ju9Xm/r
/4HXfy+i+V9t8o7ekCgP3qLf+GMhaaF73Pza3j91bqYV+//f/t9HgvSfDfxE
kGy37NtJgi6n/xza275OmQ4v8oqrpTTiSVa2ssyl0AzrjfF9gPVqmOKMPKnz
MgJ9Nw/venv9XZReK3pjV2+gAZCv9Ipj7mlFCQFsbPrsAQfnGN2THZdIICFB
n3cV57KBurYhWfYXpihyn3P1qlUBkcBCEtheDmdc+QphFGBO1Udqr/WQMJcG
a7V1JRpM+EzGplq6PBV75VtuCJM3L3ZxsRNvrXeLX/sNvi1+cZ1na41bER1c
9Ofv9G2Rl9YO9UncWiFUH+XR+pwvJFZ58Tk997kEOg18tl4t5TG+1qfVTpIc
ByKjM/Fl+QozJT+GGCObp2fnUqwjcHJQ3HosN8U4QIB+pP7+YSKXifYPB/0t
0hIz1BNXwgBmDl/MohMxaHq6qMaRsvc9beYuAYf7pdFyyMw0uBFKu3iHLSou
5hX/WCuWEx4t1knXEtpqT1G0EZQOPEypMirWGDMNr0jH2vBk/2Gghb1BJrtK
izyjawr9J2wqr3cO9df5Tzwtf1rXiTUJm46HlsvwDffDL8ka58kDue148z78
ac6UW61pgGtS7V6R261JvCS/JOIhgSE/yjui+8fnz+QVtIclzmSNzpasghVH
4Vbgsk+3SPNF6Q6xEwAU3trkCmWrTq+cXeWPp8Scm+e23GpzidByAlcLM3BK
bEDSgIUtKpcEGfgmYGmEqZW3uy1S0SfAjwYR9pWOAfU7HAM6dAyo3+oYUOsc
A2s8DrdyDKiaYwDQ0uYT0Df6BNRv9QmA7nJlGn4kEtSstUj0L1ZbJPa3Vm+R
F3+D4iJvhppL7aZbuZzNDBCjpPLVjpwNLaIOw5B+GiVGxvokWkwE1x+jxgga
/wQ95uO0ELlm0cKSWDKvKAxhmVnMYQMh9xVzWL/7qxWLGDWyh9+/3u+WWN/b
lmEgGMDGZb+c8MagjMVKDSEglD9LRXDVcLwQZUnlS6lgEq881zsGGuqvYYuA
S2YdNWz+aerB7daj7HrO+AysY8i4pDqBsHbAKRo+RytQD/D4O6Rxyk+fr9NQ
PTTGAZMxCqU+ScCAh7lrA/6GhauT0Ewv4qVf9sNTpUKLm6xKfixIoa7BR3l6
kVHOhrj63Yb4rUT7fyR7m2T/HybYAxLtu2CaC79TMWZDYPRfAMPqE9Pki9TY
IQRhj8i8X6aj8H2hsIHk31NgDkUPX/LPXe05FQS6sHA1/opJdo3kOgZATtoi
S39dmAw+9aTId7fKu0KMjVPFZRb4tnSQwNecI9R36qlIQfbSLZSej05Fcq81
NJ2kpupsJvifrZtVnk+QlxSpPZ8uL6kB3x+p/vzBuUlrlSOxvJJp5SeCk6NY
3ngpkvisJl65UGr/icls4tUJVixJk2l/jQL0qLfTENp/QPaTBRZWvxiAnUhH
bnP+JlivrWFtE5xcKd1oof511ZbyZDdwbcrTqgFxke4Cn4T2Q3yW6zh8GyJv
0CW/vEmZ7OjokwK9kvH17JwVTP3RCuYflMJzo5LZyIBZo2l+yarmmgj6o7qq
2QnqkPrtZZG94rz9X9JOb4MI5RBxCx31UV1HbcOFzRBYxXviiM3nZZgN7k8I
JnrMOR/QpFd2juhaKyOtlsq9CXwgp6o6yIgvZuWkv9VRAbrlGgPD2NB/fTFh
uTcdKXSDJaiFV9xRqYG3zscgTsqfwmmzt+8QVP2tro2KjNoyMptW1BFw3Ofb
RPosNmCwNxLbe0oF2PowAyl8EX49E+3P3zR/bmwZZipiIlkEGL3HGppUOIsX
wr+bDHMVL0BF24T/6+jXHX2+1e8o1q5ZdUutZtBqkvdfi/cUFpIU9e4Nqmmm
S3krVOnigTlz1nswK657IRc02y0iKVbXPEfiouUK2wV5GqKiOevIGBFjqULs
rfgWeCO5iDQ4uZRO9X9wekA985s+URqMtDKgS62KiLqNXwvfXu7rblcSp+hq
owZmM3zjZhOU9F1Js0RMOdCfMpG1OIKtvsK6VOPOmbvF60rdYYEs5UuyW6zP
FwWWoyJhZZKRvR8b6W2rgqHqNsFQj+0b74la7dSzKVudwa5PrVhfx9WcKqiU
TG2RbotEybM1pukrucYWMad2hnkzpXmG6ehtKyptuY4d6iY7FCu/s8b0RW54
t4UbSqURYiWOM3uWyCNvCs9ENdRzzjqPjFkcE789JVLEmL604qB23xUQhiUM
Ugq7TDEHVMUKA/E6E3ImI7XdWrVitlU+gv1RRSI0kUNfi2yjangZ+h5z/a+Z
E1j89a3Q52O4GRKFajKzLddAjmrC5AERdYID3KjTyJf98FU8TdJyi+ktrJUc
3/PjehR1ytFFkmJliv5+lNF+hK6egBP5goSkULd4qlx5ByA+T9y0OnhuiBc9
Mdnx6KR3aIYJVsVERxR+q0R7t9UWmmOHgyBMwdNx9R71KZ1XFV2HDPi/pYHN
kAKY1gJREFuVW7dxf0WOHvX/vfvLY+9/nBusqVPZuVs0d1SC6seJnWVqnbMM
gbR2Il/Njg7q11KvDImex2CDOHALkbLhOsNRSJirIWQrOhLEvQ9q7qzaC+z4
Amq+Ss11+HMu331odPGwV1Lpljn9QuUtrZDnshBBo0RxN9nSCCdY4LRLF4Tr
/VOcxRu8ExR8jq5A43VOe5W51jDlCyrAOjVvbZ1OumNTcGtL7O+LRV+osKac
fl/uMip37SHDa7Z+RV0Kh+fTKVaW4Kg7dmOlzhRafuPke6wHtsjcvSF5ls20
FO/+U6kIdJ4GGXRYPxSb3OK9eeBRCyxhuYxL8Hl/Gw61rnNFY/fidjAOhTe1
TrGFi1x7DnfPWpop3dwshQ0DRya2nalHsu1zJ73/eNcSSnYUdgAU0LUybwoI
JP27IfiAop+Q/2eqH6NbGvuIhqQ9tl/WaTu4wxvVwsap/eXr8EIvUfTTdHLp
Gg+ySoBNU8vKe/mG9aLBaLFj5dCIrWPxCo88e0+eCkPs6ZfiYMBxMXMj7LXY
hvs50F+IfyI1auFpLTJxuwus9lj7+i50xAp2Mazo2eOowNMfzPM4vmlfm6B+
Dx++nxtOeiPimBdp4hNNAk7CTDvsHgr4wYXXcEB0LmXJJMI3v8SKmrBbOz1E
pFtJfJr2hHFU9Uvk7lBIFer1vEDt9mgjfI7MnsY6XW275F3BiEX8gTRdml7y
je723G8ey3v6yB7z+vlnGF3t26hLZ6nuoU3H+283l4aTYlq8GS4ic2uu49Nc
26MolOd0m1AKdjYKx+GYrDByioDYnsPOUaakkWVhqOWE9fnmK/dZiIMtE1xH
QFMK3e8387Joqa4VLCyA5wTNsgscBius2tIWe9ymFjPJSq53QQUZ5Q4bK7nN
CthRiWya1CrQtVhR6wsWwMtcSvZGsr62J6HIj5bnWbLDsGuzhpie1ptJRX15
uVCzisV4WDrPuoxaC2hwJ+xwK60A4cPMGXLhCW6o+Vbi8aPhUO7woZevXntl
8/j82VYPz7LFw61msQ+H8xA94hy4b5ILjhV0S3exMIwICa1b14Mc/4BE9/T3
Yaawb2gWv8p9opGC3fwhDbcSOXF3x1gSz0WaHMg5c0JlCoiSe1S4I+FB4gIv
cyF225u7HsR8dWlat1sbFPgZlSQbinqHQNWEGa2Au7eoSAklYcaqmc1yjpoR
rs05/xPilmSMevpIgr6r0cEobxfHtJlWNlLQWZlcxc0Tw/lc5GUmPhbctLXB
RhfsawswxnXFXKGC6BpFMHsQWbTzY52ukOJZOZPKwE18xe1xWxWXntoPicOB
HD29RnunPs3ZaI6l1ZHFkwpP22Exwa1ibP8g8YjNgOon/MUq5UrVRBWhsFwM
5Jy1HMRy/UkMFKFYaoVWUVOmsgfC8UxUPSN3qtyHnkvXVTtoUEOpdvJvzKsP
Dplbvhy0lkQDvywsaCn6XV0cdJq8W3kr2i6j47YUERswWrkwK8z+hn+88cBl
39/mchjef3vf7TIg5PfU3bZ/39GD37gnxR/R8jA9qDeJj4gsIbRepOWbrcbU
HwNj6J1tg9LDWPOaNB5ugZGpRJxPW9HUt4aRR9zT1sK7mJdv9Lci0zajGTp6
w3rcosMAO7/RsQSxtfWxKMIxw9B6O4rwjU2iPyQ05+Ft7s43MmQYpG7HJY6I
g9lChVurYfx7rKTZlIs8+4eubeNNT773nSJtO5CwEmNl5iQJQEN7jDWmO9Gx
dPpePdYeVtDE8bu2PDqTMcdw/XnZ9KLNC7IteMuGzhpv2bhvfdiOXjWUO0Bu
DBsoqc0BaL9zJ1bLhL5B0WNsgfSEyescyQTVBiOm5BzF0g3+1thiNloLeRPC
fOBZ5vjWrW8FDlvHqqHRP9MJQtvzNy2z4MjRaWyJQNUnXo3ZcYrKq3hOHEF6
9fo24spqo2XdJQicPJSPPYHAaRZW3bcOtOnSOczw8KBOEzsJrF5m1YgO73uW
cwh7Zkbk9YitatcyGa03qtA7tqFdRzUosDfLrU58fdBZEyLWfCHn2EZgU/km
u+DWNPjJODBu+mMEWeCCsbE3muuK8G1UMEbuRF/4PAR4/jy0XXA6XE+94/Fm
CHEnmmPLE1WbqUQl3mPPoC9iBQjp6iiusqf7ERr6rHLF5G9dPl09TQZmCu+s
xlUfjzxjay/yTruUV9dxsojq4+AhTEoQl0+jq48u5GazCMILl97eCd1vhIKy
Dc3e4SR+yLBx3U5r5IZNP9LA7CaLXyc8SbLTcnrKpieLdpgEEscIw6yCabLk
ZvCghx5HrT3rna+aKmncChRdJGJFnjv/TuhYdNZCVMUzGWHdo8rUu3tRWTnG
LHVBzYu4H4H1P/Z0ZLYkhUuzSsUVrJz1Lv3IF9JKtcWQ8fdsQ+spsJHUOVkt
J85q2Yvn55ZGrS7iFitG1ayY0IJhjcDdkCA7iZqVenIg/zDacFm5IDIWV+Vw
apIMTHUgKVtkGqEG6EFQ5YtiGC/A2mfSTo2jCBh1kVqeqxdRKt95FtHOY5u3
lwmggaxYbkPSc8TEXr0FF22+MmGFehI03FenuQXX3A2honxYghBtvMOUkIXB
IG5fqE8AKxPrElqkU9tSAKedSARkskhHdKOJA6GudUFH2aRgR9l1p2nEcjhb
Zw+Yxxn2j2C82fupqU13R388sBo+9bV8YnjVHTpAGydQocTFVh35eEz0OGZt
MvIA1Rq7yRQw3EkOM+NLOTbtmhtKhcQRFtj6JxkWecksGl+vGfdMiUMDw6ze
Ls6L5lV+2Twh8UZRaXTeLVB8GQqqaDOlIEtzmx2kQosDrP7Fi0DXXRzUjDCL
gI48OTDhua328QI3Q7Wcu+5V3LtGxQxNU8ZEiYtgd3SzRZkdrKcfNzZJWXS6
xYComUxMEYV07FENzlF4ZLFS+BsK4OlTjJwMGw0J33025x+Q/67xZ2nuOJO5
im1DCqauyIP2DVpBx4KVSXX46dKJwnonPmqdCls1WsYTgO3kS3Nzg4gXx8Gt
DzHr4oNh4QX0SZ9R7rJuJ3cqi2QkErdcyGW1lWvRiOAEBVC9Zgm1ekKLBx3f
makoPOoqu9POMwI6wOCrBSKiG7dTiKCy7iekJycZ4NTgZsa5xR5/IQi6AcIV
0HRPxV2xE2xrCeRVjhfTWrSB213YjhU4Za1Pje3WpHziHzcBqoPFN+zSkRVH
qH5La9fUnXPpy9fWe1wu1Sc2io91wUN5yeX3ufsiVnwFDMm9nyIH+T0jhcfe
l8BFHjmSCEu8bx4dPN0KdhqwKbRzA0mkGZcXTGvpZwr0fxjz2yivx5RZKvkk
q/qDvvvMyROK/x02WNLMSSjfaoFzrOyQmCtsy3xju3NgLBPZPdCqXVhdbAcV
NiFAbEl/BMr9qs++geE9KxeocwOxUK7IqyYLI9KhOU/PspeoB5K7PUktD/zS
fMPhBghwOM5MUuaU6xC9YqtMFk6aUvSiXdZ1kFvn0gHZissqnRkXoHVPajcW
ar9AnAPAFKBTBKt/DmgxfBRQUoEs5hdQLbFPBriQ9ZOQosbxDEOFzR6kjQtG
69LMN1ELPFjUmcLB0bpQd7fHH0lbcdNcYWkMTJwwUnE9oPGeOo+3qBVEaf9U
v/0RdPL0AKobAHSNQfxtKW6+EyPD5RPflLLc0y9tAmizC2l9ENcUh0TMCkil
/VegUXgOykkyp74FdeP2FwglpU6Cros+gOfTNWx+d9C7YDp17hnbxiVOpRgY
4dCUXN7aH8vZP8r7W6RGtc1IXNUH5EOtDxtm32efU1vRfJKl/zIxdVH3El/9
xPL0ZluN9pbwdhbqF7zySnWmVjeVxNaknIWf1BoLUUMXThjk5i3UIiAM2aWZ
7XiHZB7IQw6MBJwSDRfqwuKav8R0xqgpXUsYix+UXz7DD7M50+h61TVSI4VW
L12PioQ6zyZV8w4lF7By041Wd4ysLqO6OtjVNfFQUWOecJiB3DpwddmvyXdq
e9coK8xLvhBpZR/MMDQjCfpNfU09dIXd375/z7okgq47PjeqWVItbmJJ/WiS
WdC8BlWi/FrHgoZMQjgoaWl8ZzDU3Nv68xH6qUk4HanauedQOjZz4256oaSk
DSEKcBKvCQhq7SBmgIvmGGZXUWYKnYs8JByiXVAlFrI+DhgmeEqFo5ScoObs
P1R1roC74reST3hjS8KwiWHCLWtReBeG+uXQ0cFGyD3MObMNNDpB9mhAYqh0
BmqsdNGN+v2lvlsNPt6G5pnBvrjR4aoh15Eho5Q2LMCrOxhhU1wmYn6BLgtF
zwcLcK3MLFHjwSCHJGqpQQd20lhruxNePeF+7CVyMzJ2bfe0YIOJiONuJSs0
QbYAvCN0ReND0ZxgllpTIkKhdalzbpFqmD/Bfcg6Nxafnq0vvkZfjas6KlXr
/RfnoVW5T3gNWo3A1whYHRwVK9q4P6N8uJiRdBf/lvedjkChoWQWpwjIBE7o
Sb572G8Bi5BlJtjw62S5xx6Ot2hngGJfv0in6EKZDyS0jMpuxPk0GYZxhbaL
ZKWnu0HQOK31UV/FFA7xgS9GTjnDrvYDJhpQ1XDr+nN5MK3l7e21QF/kPKgr
D1Tw8vTohT4+P399tCfMQfLPuIvt1KcdcT4QokmIh/0zq0nHFp9kqrHtIdcQ
jHWO/RZyefabS1l0lGQt29mi/kO1u2L3blFG7zNfCWw1clxNK8aObRC0Dj2u
SNhvO063qbOTuWOx4n4pVtzhA+hZrNXHX9WuHQV1eBS9bFOvfk8FEhVVIPEl
SG7CdMTBwv5KN2P8D+Rg2N3EzlJjYzaxaA0Ls3ciXWtBIx2rOdDbuBJr93tz
Vk7ubqE6QndWbaZbvC3qt50m7wlCxpFPwARFZRpRG8gDh5LNeuetHL3Bru/H
Kd4wAhX5CtPSxipkmz0fYfutnFTHnNRnFEb5O4ED2qXp+NXu+5b17i6GCipe
WUs0uhO3GeT7ut1DX06sDuE9zi0lycR+SfGVXt/vlTeopsORdEKGBm+hbYF5
zwWFN0R1cXKwQS5hWazfIylqt6s+lUZUu74QaUSho31epDnxqXW3fkKRdjNL
aaa4BjLutswlmquRgK/ac+/bUg3kQr4Aa10MYUZjYabkfchqqRucOmnzN/wG
1nIb93DmmLoI+K69By5xczzo0SUEMx5z2q2nabJLUn9djzt7E2zu+OVFOkEO
5iqYuDIdUuTYV5ETdtOwMeTWT4EOYxqXbwKEwSQAdpYvKCACSBujPdt0RwqX
qd/uCBNOkNVxAufIXe1y7ui31MC4EFaj7PV15gycbOCEAb4Q9QUA7lI3SUcp
mTuKu2Kmc7HBSJZg5phgKEhFY+4xB0UW1qa5N/eUIk8kKsxbabFswWFJTS1m
91/stxzSQMYRCzCY30LA0QtgDrpmxb5gHV0bI0H5ajk3+oy7rC298uwPvhSm
wYyQ9/pHGue9dq/rF8kMv7AC6D2MRc3jYT3v1fs9SfXbq+f+2S/2gp/24AW9
/fbVy8OXmPWnURCFaYD64GlHnz+lfMlItm9hjqA6e3ygjw6PX70829OnYM6W
zijQGzjmht0ZvlfLtr1r8GMrE+IlYD7biL6ONKGTYWrTbvjXcXLxVbsxCN2h
CsJOS2K6XJJHutstb7GP0voz0Zm5du9RAQJQwjaCQcsNafkeseNN7kDq2qIH
rY0kScDlct6OBnAXguJC0b5TIZEy2P8aBUR7bkkk2Pv3OmpX1rLfMMWdfR2/
01KV+5ZvuoKdH/f8zeAFfTrtw1FBpiJFBfIyWZ2HVW8mCCoKXdl8AjTe3b3/
AG9vUi4ULJg/Pjt8vMftTdxXoHTBV/D/7Vcq6vqHao9LBpMGfq5WGYuelc36
bD9DLDKLLZpcKzhQRFC08AUDK+oIZOw6ewX60Tj313e5ICLlq53ob9X27ldf
PTC740cP4djde2Du3x8kj0ajh7v3du8/fDTeffTo7uDBPbPzwIzvjobJ4NH9
ZDy69+jh3bt3R1+Nk53dsVIvcBz4OBiMHgwf3H00fLD76O7Dwfa90aNHD8d3
vxreffhw++EOfT96uL1zDwZIdu8N7o0ffTVIYIxHu4N7j8K8zCZ5rdnMYAtx
oZ/T611+vcuvf76msthtDFtvQ35CwrLF3/b0yfOu/bCzvXuvTlpCfYfnr/Za
Ki74Frmv+P6qn9hfp7EC6ezo4OXJydGLw6PD+E5T/W5VuORPfKDWrhu//rn7
E2ea/vzT8YsndB25DR/PzuG7/WKSZ7spdsbdP3vy8sUuqJ6bEQyr8LX1p6P0
M70/tHFr8rGod3ssyczo241xMi3NhtxiQU8y5thcS+bZG1EpkuxNpCi6B4GG
3717fHx2/qp7eLb/+BUAj4fB664JqkkzDBakvi6iN+J9uCLCBbkwQqmqD/h2
8/N80g79OVWnGRXJuOq6BAEKvW3vUA/y0chLTL5oFdpIgVtaHhbfTZQNhayS
p7jKSz6s819xkt5aALYtAJJgVZLDHHPtbfpHUI8VHj2TrvW1C/9hPYkUHUfJ
sELLLKg5obTeDGOCCH0QSN5aO7i9rra2s7xuGv9YzWKakOvJlq0xl8lVSqkk
tmPF3LZrArlhy7mg00N7YuAQKsoVSoO0YTf0bHEsu55wpgPycRka8L6oKR2y
8usZNBKWC3baGeSBH5L1shgEdEOkJdqNF770keYwKca9aImBf6q0ayE2hIXH
YMEXUrkeDE5tMQ6ooF4wZYALrIVAJ2LJoFhfjvQsteUUCbQBYW2cvrUcbwNo
bwPGD7LYKNOw60OWnPsRk+1gdu2odudud3sX6fb1fESsdJCnsNA5RT85n+mn
J2B7cB399ePQAbR0FyVjoxPZVS4AaKmmRtiZE4fAbUI2Lz9R0i2pvJTF7GNj
pfo/LPyktybAAAA=

-->

</rfc>
