<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.19 (Ruby 3.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>

<?rfc compact="yes"?>
<?rfc iprnotified="no"?>
<?rfc strict="yes"?>

<rfc ipr="trust200902" docName="draft-irtf-t2trg-security-setup-iot-devices-07" category="info" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="IoT initial security setup">Terminology and processes for initial security setup of IoT devices</title>

    <author initials="M." surname="Sethi" fullname="Mohit Sethi">
      <organization>Aalto University</organization>
      <address>
        <postal>
          <city>Espoo</city>
          <region></region>
          <code>02150</code>
          <country>Finland</country>
        </postal>
        <email>mohit@iki.fi</email>
      </address>
    </author>
    <author initials="B." surname="Sarikaya" fullname="Behcet Sarikaya">
      <organization>Unaffiliated</organization>
      <address>
        <postal>
          <city></city>
          <region></region>
          <code></code>
          <country></country>
        </postal>
        <email>sarikaya@ieee.org</email>
      </address>
    </author>
    <author initials="D." surname="Garcia-Carrillo" fullname="Dan Garcia-Carrillo">
      <organization>University of Oviedo</organization>
      <address>
        <postal>
          <city>Oviedo</city>
          <code>33207</code>
          <country>Spain</country>
        </postal>
        <email>garciadan@uniovi.es</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    
    
    

    <abstract>


<?line 151?>

<t>This document provides an overview of terms that are commonly used when discussing the initial security setup of Internet of Things (IoT) devices. This document also presents a brief but illustrative survey of protocols and standards available for initial security setup of IoT devices. For each protocol, we identify the terminology used, the entities involved, the initial assumptions, the processes necessary for completion, and the knowledge imparted to the IoT devices after the setup is complete.</t>



    </abstract>



  </front>

  <middle>


<?line 156?>

<section anchor="introduction"><name>Introduction</name>

<t>Initial security setup for a device refers to any process that takes place before a device can become fully operational. The phrase <strong>initial security setup</strong> intentionally includes the term <em>security</em>, as setup of devices without adequate security or with insecure processes is no longer acceptable. The initial security setup process can involve, among other things, network discovery and selection, access authentication, and configuration of necessary credentials and parameters. Not all mechanisms include every aspect; for example, some protocols assume that network connectivity and discovery have been established a priori and focus solely on authentication and credential provisioning.</t>

<t>Initial security setup for IoT devices is challenging because the size of an IoT network varies from a couple of devices to tens of thousands, depending on the application. Moreover, devices in IoT networks are produced by a variety of vendors and are typically heterogeneous in terms of constraints on power supply, communication capability, computation capacity, and available user interfaces. This challenge of initial security setup in IoT was identified by Sethi et al. <xref target="Sethi14"/> while developing a solution for smart displays.</t>

<t>Initial security setup of devices typically also involves providing them with some form of network connectivity, as the functionality of a disconnected device is limited. Many mechanisms assume that some network or supporting infrastructure has already been established a priori. Setting up and maintaining such infrastructure can itself be complex, for example requiring configuration of network identifiers (such as Service Set Identifiers (SSIDs) in Wi-Fi networks), credentials, or backend services. This document does not focus on the procedures for establishing these networks or services. Instead, it focuses on the terminology and processes associated with the initial security setup of devices, while explicitly identifying the roles and assumptions related to any required supporting infrastructure.</t>

<t>Several terms are used in the context of initial security setup of devices:</t>

<t><list style="symbols">
  <t>Bootstrapping</t>
  <t>Provisioning</t>
  <t>Onboarding</t>
  <t>Enrollment</t>
  <t>Commissioning</t>
  <t>Initialization</t>
  <t>Configuration</t>
  <t>Registration</t>
  <t>Discovery</t>
</list></t>

<t>In addition to this variety of terminology, initial security setup mechanisms can rely on several entities. For example, a companion smartphone device may be necessary for some initial security setup mechanisms. Moreover, security setup procedures have diverse initial assumptions about the device being set up. For instance, a mechanism may assume, an initial security setup mechanism may assume that the device is provisioned with a pre-shared key and a list of trusted network identifiers. Finally, initial security setup mechanisms impart different information to the device after completion. Finally, mechanisms differ in the information imparted to the device upon completion. Some provide only credentials for use with an authorization server, while others configure more complex artifacts such as access control policies.</t>

<t>The next section provides an overview of selected standards and protocols for initial security setup of IoT devices. For each mechanism, the following are explicitly identified:</t>

<t><list style="symbols">
  <t>Terminology used</t>
  <t>Entities or "players" involved</t>
  <t>Initial assumptions about the device</t>
  <t>Processes necessary for completion</t>
  <t>Knowledge imparted to the device after completion</t>
</list></t>

</section>
<section anchor="standards"><name>Standards and Protocols</name>

<section anchor="bluetooth-mesh-provisioning"><name>Bluetooth Mesh Provisioning</name>

<t>Bluetooth Mesh <xref target="bt-mesh"/> defines provisioning as the process by which an unprovisioned device is securely added to an existing Bluetooth mesh network and becomes a mesh node. The process is coordinated by a Provisioner, typically a smartphone application or dedicated management tool, which discovers the unprovisioned device, performs an Elliptic Curve Diffie-Hellman (ECDH) key exchange with it, and authenticates that exchange using a selected authentication method such as Output OOB, Input OOB, Static OOB, or No OOB. In user-assisted OOB methods, the user helps authenticate the key exchange by transferring or confirming information through available device interfaces, such as displays, indicators, buttons, or other input and output mechanisms. Furthermore, Bluetooth Mesh version 1.1 introduced certificate-based provisioning, where the device can authenticate itself using a manufacturer-issued certificate. Once the exchange has been authenticated and protected, the Provisioner securely transfers the information required for the device to participate in the mesh.</t>

<t>To support larger or geographically distributed deployments, Bluetooth Mesh supports remote provisioning, where already-provisioned mesh nodes relay messages for devices outside the direct radio range of the Provisioner. At the end of the process, the device is assigned a unicast address and receives the network credentials needed to authenticate and protect mesh communication. Provisioning is intentionally separated from later configuration; it establishes the device as a member of the mesh security domain by distributing the Network Key and creating a device-specific trust relationship through the Device Key. Configuration can then use this Device Key to perform further management actions, such as distributing Application Keys and enabling application-layer communication.</t>

<t>Bluetooth mesh has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Provisioning</em>: is the central term used to refer to the complete process of securely adding a new device, called a provisionee, to an existing mesh network with the help of a Provisioner. It includes discovery, authentication, establishment of shared keys, and delivery of network specific credentials and addressing information.</t>
      <t><em>Beaconing and discovery</em>: describe the mechanism by which unprovisioned devices announce their presence to Provisioners so that the provisioning process can be initiated.</t>
      <t><em>Configuration</em>: describes the post provisioning process by which a node is prepared for participation in the mesh network. Configuration includes the distribution of Application Keys for instance. Note, distribution of the Network Key, unicast address, and Device Key is considered essential and is therefore part of provisioning rather than the optional configuration phase.</t>
      <t><em>Reprovisioning</em>: refers to the process of provisioning a device again, either to add it to a new mesh network or to restore it after removal from a previous network.</t>
    </list></t>
  <t><strong>Players</strong>: In deployments where the device being provisioned uses a static asymmetric key pair, the device manufacturer is responsible for equipping each device with that key pair and making the corresponding public key and related metadata available to the user, for example by printing it on the device or its packaging, often encoded as a QR code or URI. In certificate-based provisioning deployments, the manufacturer additionally provisions the device with a unique X.509v3 device certificate. The Provisioner plays a central role in the protocol and is typically implemented as a smartphone application provided by the device manufacturer or system integrator. The device owner/user is responsible for initiating the provisioning process and selecting the correct physical device to add to the mesh network. Depending on the provisioning method, the user may scan a QR code or URI containing the device public key, UUID, or related metadata, or select the device from a list of unprovisioned devices identified by vendor, model, and UUID. If Output OOB, Input OOB, or Static OOB authentication is negotiated, the user is also responsible for transferring the required out-of-band information, for example by observing a blinking LED or numeric display on the device and entering the value into the Provisioner, or vice versa. When certificate-based provisioning is used, the device authenticates itself using its manufacturer-issued certificate, eliminating the need for user-assisted transfer of authentication data. The user may still need to select or confirm the intended physical device, assisted by visual or audio cues emitted by the device.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: Each device must have a unique Device UUID, which is used during discovery to identify the device to a Provisioner. The device may also be provisioned with a device specific static asymmetric key pair that is used in the ECDH key exchange during provisioning. In this case, the public key is typically made available to the Provisioner out-of-band via a QR code or NFC tag printed on the device or its packaging. In deployments that use certificate based provisioning, the device is additionally provisioned at manufacturing time with an X.509 Device Certificate that binds the device public key and the UUID. The corresponding trust anchor CA for validating this certificate is assumed to be available to the Provisioner.</t>
  <t><strong>Processes</strong>: Once an unprovisioned device is powered on, it advertises its presence using unprovisioned beacons. The user or owner then uses a Provisioner application to discover nearby unprovisioned devices. The user may select the correct device based on information such as make, model, and Device UUID displayed by the Provisioner. In deployments that use static public keys or certificate based provisioning, the user may also scan a QR code or URI on the device or its packaging to transfer the device public key and or UUID to the Provisioner prior to authentication. Thereafter, the unprovisioned device and the Provisioner perform a capabilities exchange to determine supported cryptographic algorithms, authentication methods, and available input and output interfaces. At this stage, the user or owner may be assisted by visual or audio cues emitted by the device, as permitted by its reported capabilities, to clearly identify the physical device that is being provisioned. Based on the exchanged capabilities, the Provisioner selects an authentication method and initiates an Elliptic Curve Diffie Hellman key exchange. The key exchange is then authenticated using one of the supported methods, such as Input OOB, Output OOB, or Static OOB, in which case the user assists by transferring or confirming authentication data between the device and the Provisioner. The specification also allows certificate based authentication, where the device presents a manufacturer issued certificate that is verified by the Provisioner, removing the need for user mediated out of band transfer. Upon successful authentication, the Provisioner derives session keys and a Device Key and securely delivers the provisioning data, including the Network Key and unicast address, to the device. After provisioning is complete, the device becomes a node in the mesh network and can securely participate in network communication. Subsequent configuration is performed using the Device Key to distribute Application Keys.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After the provisioning process is complete, the device possesses one or more Network Keys that enable it to encrypt and integrity protect mesh network messages. The device is also assigned a unique unicast address that defines its identity and addressing within the mesh network. In addition, the device holds a Device Key that is shared only with the Provisioner or Configuration Manager and is used to authenticate and protect future configuration messages without requiring reprovisioning. The device may also receive one or more Application Keys that allow it to participate in specific application level communication contexts.</t>
</list></t>

</section>
<section anchor="device-provisioning-protocol-dpp"><name>Device Provisioning Protocol (DPP)</name>

<t>The Wi-Fi Alliance Device Provisioning Protocol (DPP) <xref target="dpp"/>, also known as Wi-Fi Easy Connect, defines a mechanism for securely configuring a device, called an enrollee, for access to a Wi-Fi network. The process is coordinated by a configurator, which authorizes the enrollee and provisions it with the information required to join the network. The configurator may be implemented as a smartphone application used by the device owner, as functionality within a Wi-Fi access point that directly configures new devices for its network, or as part of a cloud-connected management service. In cloud-managed deployments, the enrollee may exchange DPP messages through a local relay, such as an access point, which forwards those messages to a remote configurator.</t>

<t>DPP separates the initial establishment of trust from the later delivery of network configuration. It begins with a bootstrapping phase in which one or both parties obtain authenticated bootstrapping information for the other party. In common deployments, the user assists bootstrapping by scanning a QR code or using another out-of-band mechanism to transfer an authenticated copy of the enrollee's bootstrapping public key to the configurator. DPP also supports bidirectional bootstrapping, including mechanisms such as PKEX, where the user enters a short shared secret code on both sides, or NFC, when both parties need to authenticate each other's bootstrapping keys. After bootstrapping, the authentication phase uses a fresh ephemeral key exchange, bound to the authenticated bootstrapping keys, to establish shared key material between the configurator and the enrollee. Once authentication is complete, the configurator provisions the enrollee with a DPP configuration object containing the network parameters and a Connector, which the enrollee uses to authenticate to the Wi-Fi access point and join the network.</t>

<t>DPP has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Bootstrapping</em>: refers to the initial establishment of trust between the configurator and the enrollee through an out of band exchange of bootstrapping public keys. Only concerned with public key authentication rather than network configuration.</t>
      <t><em>Discovery</em>: refers to the mechanisms by which devices locate each other and determine how DPP messages should be exchanged.</t>
      <t><em>Enrollment</em>: used informally to refer to the act of authorizing a device to join a specific network domain</t>
      <t><em>Configuration</em>: refers to the phase in which the configurator provisions the enrollee with the information required to join a network domain. This includes delivery of a DPP configuration object containing network parameters and a Connector.</t>
      <t><em>Reconfiguration</em>: refers to the ability of an already provisioned device to obtain updated network configuration information from a configurator without repeating the initial bootstrapping phase.</t>
      <t><em>Provisioning</em>: used more broadly in DPP to describe the overall process of securely configuring a device for network access. It encompasses bootstrapping, authentication, configuration, and access, rather than referring to a single protocol step.</t>
    </list></t>
  <t><strong>Players</strong>: The device manufacturer is responsible for provisioning each device with a bootstrapping asymmetric key pair during manufacturing. In many deployments, the manufacturer is also responsible for encoding the corresponding bootstrapping public key, together with associated metadata, as a QR code printed on the device or its packaging. The device owner/user is responsible for securely transferring this bootstrapping public key information to the configurator. The configurator required to perform the DPP protocol and enable new devices to join the Wi Fi network can be provided through functionality built into mobile operating systems such as Android or iOS, or through a dedicated application supplied by the device manufacturer. In enterprise or cloud managed deployments, the configurator may be part of a remote IoT platform, in which case the local Wi-Fi access point acts as a relay and must be configured with the network location of the remote configurator.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: DPP requires devices to have a bootstrapping asymmetric key pair, which is typically installed in the factory. The corresponding bootstrapping public key is intended to be conveyed securely to the configurator through an out of band mechanism. Depending on the selected DPP variant and the device capabilities, this may require the device to support specific I/O interfaces. For example, devices may present the bootstrapping public key and associated metadata encoded as a QR code or NFC tag, or they may support limited user input to enable password based bootstrapping using PKEX.</t>
  <t><strong>Processes</strong>: DPP provisioning process begins with bootstrapping, during which a user initiates an out-of-band transfer of public keys between the configurator and the enrollee. In a typical unidirectional deployment, the user employs a configurator, such as a smartphone application, to scan a QR code associated with the enrollee, thereby providing the configurator with an authenticated copy of the enrollee bootstrapping public key. Bidirectional variants are also supported, including NFC based exchanges and PKEX, where both the configurator and the enrollee authenticate each other using a short-shared secret input by the user. Once the configurator possesses the enrollee authenticated bootstrapping key, the devices proceed to the authentication phase, performing cryptographic exchanges to verify the bootstrapping keys and establish a secure encrypted channel using derived shared key material. During the subsequent configuration phase, the configurator uses this protected channel to provision the enrollee with a DPP configuration object containing deployment specific network parameters and a Connector. The Connector is a cryptographically protected credential that binds the network identity to a device specific access key and replaces legacy network wide passwords. In the access phase, the enrollee presents the Connector to a Wi-Fi AP to establish secure association with the network. If network settings change or credentials expire, the device can also undergo reconfiguration by using its stored keys to obtain updated configuration information without repeating the initial physical bootstrapping steps.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After successful completion of the DPP provisioning process, the enrollee device and the configurator establish shared key material that is used to protect the subsequent information provisioned onto the device. The information includes a Connector, which is a signed and cryptographically protected structure containing a group identifier, a network role, and a network access key. The Connector replaces traditional network wide passwords and allows the device to prove to other peers that it has been authorized by the configurator to join the network. The device also receives and trusts the configurator public signing key, which it uses to verify Connectors presented by other devices such as APs. In addition, the device gains knowledge of deployment specific network parameters, typically including the SSID, supported operating channels, security policies of the domain, and privacy protection keys (used to protect identity of the enrollee when requesting reconfiguration by the configurator).</t>
</list></t>

</section>
<section anchor="enrollment-over-secure-transport-est"><name>Enrollment over Secure Transport (EST)</name>

<t>Enrollment over Secure Transport (EST) <xref target="RFC7030"/> defines a certificate enrollment protocol that allows client devices to obtain operational certificates and associated certification authority (CA) certificates from an EST server. EST uses HTTP <xref target="RFC9112"/> over Transport Layer Security (TLS) as its primary transport, and a companion specification also defines how EST can be used over secure CoAP <xref target="RFC9148"/>. The device acting as an EST client is assumed to already have IP connectivity to the EST server and sufficient information to initiate a TLS connection.</t>

<t>The EST server is authenticated by the client using a trust anchor that is already known to the device, or, in minimally configured deployments, by allowing a human operator to verify the fingerprint of the server's CA certificate before establishing trust. The client authenticates to the server using supported methods such as TLS client authentication with a pre-provisioned credential, HTTP-based authentication with a username and password, or a shared secret provisioned out of band. In many deployments, the device is provisioned during manufacturing with a client credential, such as an IEEE 802.1AR device certificate, which is used for TLS client authentication. Once the secure connection has been authenticated, the client submits a certificate signing request and receives an operational certificate and associated CA certificates, enabling it to authenticate securely in subsequent communications.</t>

<t>EST has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Bootstrapping</em>: used for the process when the client device has not been configured with an Implicit Trust Anchor (TA) database and device owner or administrator manually verifies the fingerprint of the EST CA certificate. This manual verification is only needed once, as the device establishes an explicit TA database for subsequent TLS authentication of the EST server.</t>
      <t><em>Enrollment</em>: describes the entire process of obtaining a client certificate from the EST CA. This includes learning the EST CA certificate, discovering required attributes for the Certificate Signing Request (CSR), submitting the CSR, and receiving the final client certificate.</t>
      <t><em>Initialization</em>: term used to refer to the essential initialization data that the device needs for completing the enrollment including the trust anchors, the EST server URI, and credentials for TLS authentication.</t>
    </list></t>
  <t><strong>Players</strong>: The network administrator is responsible for deploying and maintaining the EST CA and EST server before a device can be enrolled into the network. The device manufacturer must install a client identity certificate (such as an IEEE 802.1AR certificate), a shared secret for TLS authentication without certificates, and/or a username and password for HTTP Basic <xref target="RFC7617"/> or Digest <xref target="RFC7616"/> authentication. Additionally, the manufacturer may configure trust anchors for verifying the EST server and set the EST server URI. However, the EST specification allows for manual configuration of all required information, including the manual verification of the EST CA certificate fingerprint.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: A device acting as an EST client is assumed to possess an existing credential for authenticating itself during the TLS handshake with the EST server. This credential may be a previously issued EST client certificate or a certificate from a distinct PKI, such as an IEEE 802.1AR manufacturer-installed certificate. Alternatively, the client may authenticate using a shared secret-based credential, such as a pre-installed symmetric key, or a username and password, either as a standalone method or in combination with TLS authentication. To verify the EST server, the client relies on a trust anchor database, which may be explicit, used to authenticate certificates issued by the EST CA, including the EST server certificate, or implicit, allowing authentication of the EST server when it presents a certificate issued by an external CA. The implicit trust anchor database may initially contain pre-installed CA certificates and can be disabled once the EST CA certificate is obtained. The EST client must also be configured with a Uniform Resource Identifier (URI) to locate the EST server.</t>
  <t><strong>Processes</strong>: Before a device can enroll using EST, the necessary network infrastructure must be in place, including the deployment of the EST server and CA. The device can discover the EST server URI through various methods, such as manual configuration or preconfigured settings from the manufacturer. If the device lacks an explicit Trust Anchor (TA) database, it may require bootstrapping, where the owner or administrator manually verifies the fingerprint of the EST CA certificate. Once the EST server is authenticated, the device retrieves the EST CA certificate, learns the required attributes for generating a Certificate Signing Request (CSR), and submits the CSR to obtain a client certificate. After enrollment, the device can securely authenticate to the network using its newly issued certificate and renew it before expiration.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After completing the enrollment process, the device obtains a client certificate issued by the EST CA, which it can use for authentication in subsequent communications. During enrollment, the device also learns the EST CA certificate, along with any intermediate certificates needed to build a complete trust chain to the EST CA trust anchor. The client also discovers the attributes it should include in a Certificate Signing Request (CSR), such as key usage, extended key usage, etc. Depending on the enrollment method, the device may generate its own key pair and submit a CSR or receive both a server-generated key pair and certificate. If the client requested a Full PKI, it may also receive information such as certificate revocation lists (CRLs), policy and name constriants etc. as defined in <xref target="RFC5272"/>.</t>
</list></t>

</section>
<section anchor="open-mobile-alliance-oma-lightweight-machine-to-machine-specification-lwm2m"><name>Open Mobile Alliance (OMA) Lightweight Machine to Machine specification (LwM2M)</name>

<t>The Open Mobile Alliance Lightweight Machine to Machine (LwM2M) specification <xref target="oma"/> defines a management framework in which a device, called an LwM2M client, obtains the information required to communicate securely with one or more LwM2M servers that perform device management functions. A key component of this framework is the LwM2M Bootstrap Server, which is responsible for provisioning the client with the credentials and configuration needed to establish and maintain secure communication with operational LwM2M servers. The specification assumes that the client already has network connectivity and can reach the Bootstrap Server.</t>

<t>During bootstrapping, the LwM2M client establishes a secure connection to the Bootstrap Server using supported security mechanisms such as pre-shared keys, raw public keys, or X.509 certificates. The Bootstrap Server then provisions the client with the security parameters and server information required to register with one or more LwM2M servers. Once bootstrapping is complete, the client registers with these servers and transitions to normal operation, where the servers perform device management tasks such as data collection, control of device functions, and configuration of access control. In deployments that use X.509 certificates, the Bootstrap Server may rely on protocols such as Enrollment over Secure Transport (EST) to provision certificates instead of directly installing keys on the device.</t>

<t>OMA has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Bootstrapping</em> and <em>Unbootstrapping</em>: Bootstrapping is used for describing the process of providing an IoT device with credentials and information of one or more LwM2M servers. Interestingly, the transport bindings specification <xref target="oma-transport"/> also uses the term unbootstrapping for the process where objects corresponding to an LwM2M Server are deleted on the client.</t>
      <t><em>Provisioning</em> and <em>configuration</em>: terms used to refer to the process of providing some information to a LwM2M client.</t>
      <t><em>Discovery</em>: term for the process by which a LwM2M Bootstrap-Server or LwM2M Server discovers objects, object instances, resources, and attributes supported by RESTful interfaces of a LwM2M Client.</t>
      <t><em>Register</em> and <em>De-register</em>: Register is the process by which a client device sets up a secure association with an LwM2M Server and provides the server with information about objects and existing object instances of the client. De-register is the process by which the client deletes information about itself provided to the LwM2M server during the registration process.</t>
      <t><em>Intialization</em>: term for the process by which an LwM2M Bootstrap-Server or LwM2M Server deletes objects on the client before performing any write operations.</t>
    </list></t>
  <t><strong>Players</strong>: Device manufacturers or Smartcard manufacturers are responsible for providing client IoT devices with initial information and credentials of LwM2M Bootstrap-Server and/or LwM2M server.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: The client at the very least has the necessary information to trust the LwM2M bootstrap server.</t>
  <t><strong>Processes</strong>: LwM2M does not require any actions from the device owner/user. Once the device is registered with the LwM2M server, various actions related to device management can be performed by device owner/user via the LwM2M server.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After the bootstrapping is performed, the LwM2M client can register (Security object and Server object) with the LwM2M servers.</t>
</list></t>

</section>
<section anchor="nimble-out-of-band-authentication-for-eap-eap-noob"><name>Nimble out-of-band authentication for EAP (EAP-NOOB)</name>

<t>Extensible Authentication Protocol (EAP) framework provides support for multiple authentication methods. EAP-NOOB <xref target="RFC9140"/> defines an EAP method intended as a generic bootstrapping solution for IoT devices that do not have pre-configured authentication credentials and are not yet registered with an authentication server. The protocol relies on a user-assisted out-of-band (OOB) channel between the device (peer in EAP terminology) and the server to establish initial trust. The application server may be part of the local deployment environment or a remote service, and may be operated either by the device owner or by a third party such as the device manufacturer. EAP-NOOB operates within the existing Authentication, Authorization, and Accounting (AAA) infrastructure <xref target="RFC2904"/>, allowing authentication exchanges to be routed to the appropriate server.</t>

<t>During bootstrapping, the device and server establish a secure association by combining an ephemeral key exchange with information transferred over the OOB channel, which binds the external user-assisted interaction to the ongoing authentication session. The user transfers the OOB message between the device and the server, for example using QR codes, NFC, or other mechanisms, depending on device capabilities. Once the exchange is complete, the device and server derive shared keying material that can be used both for network access (through the EAP authenticator) and for application-layer security with the server. This approach allows devices without prior credentials to be securely registered and authenticated.</t>

<t>EAP-NOOB has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Bootstrapping</em>: used to describe the entire process involved during the initial security setup of an IoT device. The specification does not use separate terms or distinguish the process of obtaining identifier and credentials for communicating with an application server where the user has an account or for network connectivity.</t>
      <t><em>Registration</em>: describes the process of associating the device with a user account on an application server.</t>
    </list></t>
  <t><strong>Players</strong>: The device owner/user is responsible for transferring an OOB message necessary for protocol completion. The application server where the device is registered may be provided by different service providers including the device manufacturer or device owner. The local network needs standard AAA configuration for routing EAP-NOOB sessions to the application server chosen by the device owner/user.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: EAP-NOOB does not require devices to have any pre-installed credentials but expects all devices to use a standard identifier (noob@eap-noob.arpa) during initial network discovery. The devices also populate the PeerInfo JSON object using during the boostrapping process and may contain information such as the MAC Address, Manufacturer name, and model information.</t>
  <t><list style="symbols">
      <t><strong>Processes</strong>: The EAP-NOOB setup process begins when the IoT device (peer) is powered on and performs network discovery, initiating EAP exchanges with one or more candidate networks using the well-known identity (noob@eap-noob.arpa). The device and the server perform an Initial Exchange, during which they negotiate I/O capabilities and perform an ephemeral Diffie-Hellman key exchange. Based on the I/O capabilities, either the peer or the server generates an out-of-band (OOB) message. In the OOB Step, the user transfers the OOB message from one side to the other (e.g., by scanning a QR code or using NFC, as the specification is agnostic to the transfer method). While this manual transfer is pending, the peer and server may execute a Waiting Exchange to proble if the OOB step has completed. Once the OOB information is delivered, the Completion Exchange binds the OOB channel to the ongoing EAP session, confirms the key exchange, and derives shared keying material. Part of this keying material is delivered to the authenticator (e.g., in Wi-Fi networks for performing the 4-way handshake), and part of it is exported as an Application Master Session Key (AMSK) which can be used for application-layer security between the device and server. Lastly, an optional Reconnect Exchange can be used in subsequent sessions to securely re-authenticate the device and refresh keys without repeating the user-assisted OOB step.</t>
      <t><strong>Knowledge imparted to the device after protocol execution</strong>: After the EAP-NOOB bootstrapping process is complete, the peer device (and the server) possess shared keying material, including the EAP Master Session Key (MSK), which can be used by the network authenticator (for example, a Wi-Fi access point) to provide network access, and an Application Master Session Key (AMSK), which can be used for application-layer security between the device and the server. The device and server also establish a persistent association that includes a Peer Identifier (PeerID) assigned to the device for use in subsequent authentication exchanges, along with an optional Network Access Identifier (NAI). In addition, the device stores persistent key material (Kz) and related state, enabling the device and server to re-establish trust and perform future authenticated sessions without repeating the full user-assisted out-of-band procedure.</t>
    </list></t>
</list></t>

</section>
<section anchor="open-connectivity-foundation-ocf"><name>Open Connectivity Foundation (OCF)</name>

<t>The Open Connectivity Foundation (OCF) <xref target="ocf"/> defines the set of procedures required to bring a device from an unowned, factory default state into an operational and managed state as onboarding. A central element of OCF onboarding is ownership transfer, which establishes a legitimate device owner and forms the root of trust for subsequent security configuration and access control. Ownership transfer is performed with the assistance of an Onboarding Tool (OBT), a logical entity under the control of the user or administrator that interacts with the device to authenticate it, establish secure communication, and provision initial security credentials. The OBT may be implemented, for example, as part of a home gateway, smartphone application, or device management tool.</t>

<t>OCF specifies several Ownership Transfer Methods (OTMs) that define how the device and the OBT authenticate each other and establish a secure channel during onboarding. These include Just Works (unauthenticated Diffie-Hellman), Random PIN (DTLS-PSK using a randomly generated PIN entered by the user), and Manufacturer Certificate-based authentication, alongside support for vendor-specific methods. Once ownership has been established, the device can be provisioned with credentials and information about dedicated Access Management Services (AMS) and Credential Management Services (CMS) for ongoing lifecycle management.</t>

<t>OCF has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Onboarding</em>: is the umbrella process that transitions a device from an initial unowned state to a fully operational managed state and includes discovery, ownership transfer, credential provisioning, and initialization of access control and credential management services.</t>
      <t><em>Discovery</em>: process by which an Onboarding Tool (OBT) locates unowned or owned devices on the network and learns their basic identifiers, security state, and supported Ownership Transfer Methods.</t>
      <t><em>Enrollment</em>: used in the context of certificate enrollment to obtain a certificate from the CMS after onboarding is complete.</t>
      <t><em>Configuration</em>: refers to the act of setting or modifying the state of device resources through their exposed interfaces. Configuration applies to both functional resources and security related resources such as identity and credentials.</t>
      <t><em>Provisioning</em>: refers to security focused configuration operations performed during and after ownership transfer that establish or modify the trust relationships of a device. Provisioning includes the configuration of ownership information, security credentials, trust anchors, access control policies, and security service endpoints, and defines the security domain in which the device operates.</t>
      <t><em>Registration</em>: act of associating a device with its security domain and management services after ownership transfer. Registration typically includes provisioning the locations and identities of the Access Management Service (AMS) and Credential Management Service (CMS).</t>
    </list></t>
  <t><strong>Players</strong>: The device manufacturer is responsible for provisioning the device during manufacturing with a unique device identity (UUID) and, where certificate based ownership transfer is used, a manufacturer issued X.509v3 certificate and corresponding trust anchors. The Onboarding Tool (OBT) may be implemented as a smartphone application, a home gateway, or a dedicated device management system, and is often provided by the device manufacturer or platform vendor. The device owner/user is responsible for initiating the onboarding process and establishing ownership of the device using the OBT. During the ownership transfer process, the user may be required to input a randomly generated PIN or explicitly approve a Just Works transfer, with the expectation that this occurs in a physically and logically secure environment. For certificate based ownership transfer methods, the user or owner typically selects the correct device from a list presented by the OBT, identified by its Device UUID or additional device metadata. After onboarding is complete and information about the Credential Management Service (CMS) and the Access Management Service (AMS) has been provisioned into the device, these services become responsible for ongoing security provisioning, including credential lifecycle management, access control configuration, and authorization policy updates.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: OCF requires devices to have a unique device identityty (UUID). Depending on the supported Ownership Transfer Methods, the device may also have a manufacturer issued X.509 certificate and corresponding private key. Additionally, the device is initialized with a default, restrictive Access Control List (ACL) that permits anonymous, unauthenticated access only to the specific security resources required for onboarding while blocking access to all other device resources until ownership is established.</t>
  <t><strong>Processes</strong>: OCF onboarding process begins when a device that is in an unowned or reset state is discovered by an Onboarding Tool (OBT) typically by sending a multicast CoAP request. Once discovered, the OBT initiates an Ownership Transfer Method (OTM) to establish a secure relationship between the device and the new owner. Depending on the selected OTM, the device and OBT perform an authenticated or unauthenticated key establishment procedure, such as a Just Works Diffie Hellman exchange, a PIN based authenticated key exchange, or a certificate based authentication using manufacturer installed credentials. During this phase, a secure communication channel is established and ownership of the device is transferred by provisioning an Owner Credential and updating the device ownership state. Upon successful ownership transfer, the device accepts privileged configuration operations from the OBT, regardless of existing access control entries. The OBT then provisions the device with security relevant information required for operational use, including credentials and trust anchors for interacting with the Credential Management Service (CMS) and the Access Management Service (AMS), as well as initial access control policies. After these provisioning steps are completed, the device transitions into an owned and operational state. Subsequent security provisioning and configuration operations are performed through the CMS and AMS, allowing credentials, access control entries, and other security parameters to be updated over the device lifetime without repeating the ownership transfer process.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: Upon successful completion of the OCF onboarding and Ownership Transfer process, the device transitions from an unowned state to an owned and operational state. The device now possesses an Owner Credential, which cryptographically binds the device to its legitimate owner and allows it to mutually authenticate the Device Ownership Transfer Service (DOTS) in the future. This credential may take the form of a shared secret, a public key certificate, or another credential type defined by the selected Ownership Transfer Method. In addition, the device is provisioned with the identities and network locations of core OCF security services, including the Credential Management Service (CMS) and the Access Management Service (AMS). The device trusts these services to manage security credentials and access control policies on behalf of the owner.</t>
</list></t>

</section>
<section anchor="bootstrapping-remote-secure-key-infrastructures-brski"><name>Bootstrapping Remote Secure Key Infrastructures (BRSKI)</name>

<t>Bootstrapping Remote Secure Key Infrastructures (BRSKI) <xref target="RFC8995"/> defines a bootstrapping solution that enables devices to securely join the device owner's network domain using manufacturer-installed IEEE 802.1AR <xref target="ieee8021ar"/> certificates, together with a manufacturer-provided Internet service called the Manufacturer Authorized Signing Authority (MASA). The solution assumes that an unconfigured device, called a Pledge, has access to the local network and can establish provisional connectivity to a domain Registrar, either directly or via a local proxy (Join Proxy). The goal of the protocol is to securely provide the Pledge with the trust anchor of the owner's domain, allowing it to identify and trust future interactions within that domain.</t>

<t>During bootstrapping, the Pledge presents its manufacturer-installed credential to the Registrar, which authenticates the device and, based on its configured trust in device manufacturers and identifiers, contacts the MASA to obtain a signed voucher. This voucher proves that the Pledge is authorized to join the specific owner's domain. After verifying the voucher, the Pledge accepts the domain trust anchor and establishes trust in the owner network. If the owner network provides additional services such as Enrollment over Secure Transport (EST), the device may subsequently enroll and obtain a locally issued certificate bound to the owner domain, enabling secure communication and management within the network.</t>

<t>BRSKI has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Bootstrapping</em>: used to describe the overall process by which a device transitions from an unaffiliated factory state to being a trusted member of an owner network. In BRSKI, bootstrapping encompasses device discovery of the local domain, interaction with the registrar and manufacturer authorized signing authority, validation of a voucher, and establishment of trust in the owner domain. The term broadly covers all protocol steps required before the device can securely operate in the network.</t>
      <t><em>Provisioning</em>: used in a general sense to refer to the act of supplying a device with the information and trust anchors it needs to operate securely in a specific domain. In BRSKI, provisioning primarily occurs when the device accepts the domain trust anchor conveyed in the voucher and optionally receives a locally issued device certificate. The term is not used as a formally distinct protocol phase and is largely interchangeable with bootstrapping in descriptive text.</t>
      <t><em>Enrollment</em>: used to refer specifically to the process of obtaining a locally issued identity within the owner domain. This typically occurs after imprinting and is realized through Enrollment over Secure Transport, where the device enrolls with a local certification authority to obtain a Locally Issued Device Identifier certificate.</t>
      <t><em>Onboarding</em>: not used as a primary or formally defined term. It appears informally to generally refer to the broader act of bringing a device under the control of an owner network.</t>
      <t><em>Join</em>: used to describe the act of a device attempting to attach itself to a specific owner network. It reflects the device intent to become a member of the domain but does not by itself imply trust has been established.</t>
      <t><em>Imprint</em>: used to describe the transition where the device accepts the owner domain trust anchor provided in the voucher. Imprinting marks the point at which the device irrevocably binds itself to the owner domain by trusting the pinned domain certificate.</t>
    </list></t>
  <t><strong>Players</strong>: The device manufacturer is responsible for installing the IEEE 802.1AR IDevID certificate and private key during manufacturing, along with the trust anchor required to verify vouchers signed by the Manufacturer Authorized Signing Authority (MASA) and the MASA service location itself. The manufacturer must also operate the MASA service, which authorizes devices to join specific owner domains by issuing signed vouchers, and maintain sufficient asset tracking to associate device identities such as serial numbers with authorized owners.  <vspace blankLines='1'/>
On the owner side, the network into which the device is deployed must provide initial connectivity, often via a proxy, to allow the device to communicate with the registrar and indirectly with the MASA before it has full network access. The device owner operates a registrar that authenticates devices using their manufacturer installed certificates, maintains a list of trusted manufacturers and corresponding MASA services, and tracks the identities of devices that are permitted to join the domain. If the owner intends to issue locally scoped identity credentials, the owner must additionally deploy and operate an Enrollment over Secure Transport (EST) server to provision domain specific certificates to devices after successful bootstrapping.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: BRSKI requires each device to possess an IEEE 802.1AR Initial Device Identifier (IDevID) certificate and associated private key. In addition, the device must include a built in trust anchor that enables it to validate vouchers signed by the manufacturer's Manufacturer Authorized Signing Authority (MASA). The device is also configured with the MASA service location, typically expressed as a URI embedded in the IDevID certificate.</t>
  <t><strong>Processes</strong>: BRSKI assumes that devices are manufactured with an IEEE 802.1AR Initial Device Identifier certificate and the information required to contact the manufacturer authorized signing authority. When a device is powered on in the owner network, it discovers the owner proxy using link local discovery mechanisms and establishes provisional network connectivity. Through this proxy, the device connects to the domain registrar using a provisional (unauthenticated) TLS connection and presents its IDevID for identification. The device then generates a voucher request and sends it to the registrar, which validates the request and contacts the appropriate MASA. The manufacturer verifies the device identity and issues a signed voucher that authorizes the device to join the owner domain. This voucher is relayed back to the device via the registrar, where the device verifies the manufacturer signature and associated freshness information. Upon successful verification, the device imprints by accepting the owner domain certificate conveyed in the voucher as a new trust anchor. If supported by the owner network, the device then enrolls with a local EST server to obtain a locally issued device identifier certificate for ongoing authentication and management. After these steps are completed, the device is able to securely participate in the owner network. With BRSKI, once the required infrastructure such as the registrar, proxy, and manufacturer services is in place, it enables a bootstrapping experience that requires only physical installation, connectivity, and powering up of the device.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After the BRSKI bootstrapping process, the device obtains the CA fingerprint of the owner's network domain, which establishes the basis for trusting future interactions with the owner network. If enrollment is performed, the device additionally obtains a Locally Issued Device Identifier (LDevID) certificate. With this trust anchor and optional local identity in place, the device can securely communicate with domain services, participate in secure routing, and be managed by the owner using domain specific management protocols.</t>
</list></t>

</section>
<section anchor="secure-zero-touch-provisioning-sztp"><name>Secure Zero Touch Provisioning (SZTP)</name>

<t>Secure Zero Touch Provisioning (SZTP) <xref target="RFC8572"/> defines a bootstrapping strategy that enables devices to securely obtain configuration information with minimal installer input, beyond physical placement and cable connections. The goal of SZTP is to allow a device to establish a secure NETCONF <xref target="RFC6241"/> or RESTCONF <xref target="RFC8040"/> connection to a deployment-specific network management system (NMS). The device is provisioned during manufacturing with an initial identity, typically an IEEE 802.1AR certificate, and a set of trust anchors and bootstrap server information that allow it to locate and communicate with bootstrap services.</t>

<t>When the device is powered on, it discovers bootstrap servers using mechanisms such as DHCP, DNS, or preconfigured information, and retrieves an owner certificate and an ownership voucher <xref target="RFC8366"/>. The ownership voucher, signed by the manufacturer, binds the device identity to the intended owner and allows the device to verify that it is communicating with an authorized domain. After verifying the owner certificate and voucher, the device establishes trust in the owner domain and retrieves onboarding information, which may include boot images, configuration data, and scripts required for operation. Using this information, the device securely connects to the designated network management system and transitions into an operational state.</t>

<t>SZTP has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Bootstrapping</em>: used to describe the entire process involved during the initial security setup of devices. It involves the device authenticating itself with manufacturer-issued certificates, fetching the owner certificate and ownership voucher, and retrieving the signed or encrypted onboarding information, such as the boot image, initial configuration, and scripts.</t>
      <t><em>Provisioning</em>: refers to the process of providing all the necessary bootstrap information to a device so that it can become functional. In some sense, the terms bootstrapping and provisioning are used interchangeably because, for provisioning the bootstrap information onto the device, it is necessary to bootstrap the device. In fact, the specification also refers to Secure Zero Touch Provisioning (SZTP) as a <em>bootstrapping strategy</em>. Interestingly, even though the title of the protocol specification includes the word provisioning, it is used much less than bootstrapping in the specification text.</t>
      <t><em>Onboarding</em>: used to refer to the information that the device needs to join the owner's network. In particular, the onboarding information includes the boot image the device must run, an initial configuration the device must use, and scripts that the device must successfully execute. Note that in SZTP, onboarding information is not the entire set of information that the device needs for bootstrapping. Prior to obtaining the onboarding information, the device also needs the owner certificate and ownership voucher to verify the onboarding information received later.</t>
      <t><em>Enrollment</em>: describes the process by which the device owner registers with the device manufacturer, ensuring that the manufacturer recognizes the owner and issues the necessary ownership vouchers. This crucial association is later used by the manufacturer to provide the owner with the serial numbers of the devices based on the order. The owner then uses these serial numbers during the bootstrapping process to verify the devices as their own.</t>
      <t><em>Discovery</em>: used for describing the process by which devices discover sources of information, particularly bootstrap servers that are not already known to the device. This discovery typically happens via redirects from trusted bootstrapping servers.</t>
    </list></t>
  <t><strong>Players</strong>: SZTP requires significant involvement of the device manufacturer. The manufacturer is responsible for installing the client identity certificate and trust anchors for verifying bootstrapping server certificates and ownership vouchers during the manufacturing process. Additionally, the device manufacturer must support the enrollment of the owner by verifying the owner certificate and issuing an ownership voucher. After receiving an order for devices from an enrolled owner, the manufacturer needs to inform the owner of the serial numbers corresponding to the ordered devices. This naturally necessitates robust asset tracking systems. Lastly, the manufacturer may also need to operate well-known bootstrapping servers that the device contacts to retrieve the owner certificate and ownership voucher. At the same time, the device owner also carries substantial responsibility, including enrolling in the manufacturer's SZTP program, managing the keys associated with the owner certificate, and maintaining the network infrastructure to authenticate the device's serial number and confirm its association with the order placed with the manufacturer. Once authenticated, the owner is responsible for sending signed and/or encrypted onboarding information to the device.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: SZTP requires devices to have a pre-configured state, including a client X.509 certificate for TLS client authentication to bootstrap servers. While the specification allows the use of HTTP authentication with passwords, it typically relies on X.509 certificates in the form of IDevID certificates, as defined in <xref target="ieee8021ar"/>. Additionally, devices must have a list of trusted bootstrap servers and trust anchor certificates for verifying bootstrap server certificates and ownership vouchers signed by the manufacturer. All this information, including the client TLS certificate and trust anchors, must be installed during manufacturing.</t>
  <t><strong>Processes</strong>: A precursor for the device to bootstrap and join the owner's network is the enrollment of the owner with the manufacturer and the setup of all necessary network infrastructure to authenticate the device. Thereafter, the device can use various sources such as Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) options, removable storage (e.g., USB drives), or knowledge of well-known bootstrapping servers to locate the owner certificate and ownership voucher. These methods can be used in parallel to expedite the process. Once the owner certificate and ownership voucher are obtained and verified, the device receives, verifies/decrypts the signed and/or encrypted onboarding information, including boot images, configuration details, and scripts. With the image, configuration, and scripts, the device can securely join the owner's network management system (NMS). Unlike other protocols, once all the infrastructure has been set up, no actions are needed on the device itself other than its physical placement, cabling, and booting up.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After the SZTP bootstrapping process, the device possesses all necessary information, called as bootstrapping data, for secure communication with the deployment-specific NMS. This bootstrapping data includes the ownership voucher, the owner certificate, and onboarding information. The owner certificate and ownership voucher are used to verify the onboarding information, which encompasses the boot image and its hash or signature, initial configuration, and pre- and post-configuration scripts to be executed by the device.</t>
</list></t>

</section>
<section anchor="fido-device-onboard-fdo"><name>FIDO Device Onboard (FDO)</name>

<t>The Fast IDentity Online Alliance (FIDO) Device Onboard (FDO) specification <xref target="fidospec"/> defines an automated onboarding protocol that allows an IoT device to be securely transferred from its manufacturer-controlled factory state to an owner-selected management platform. A central feature of FDO is late binding: the final owner and target IoT platform do not need to be known when the device is manufactured. Instead, the device is initialized during manufacturing with device-specific credentials and rendezvous information, while the manufacturer creates an ownership voucher that is transferred separately through the supply chain to the eventual owner. FDO protocol messages are encoded using Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> and may be transported over application-layer protocols such as CoAP <xref target="RFC7252"/>. FDO assumes that the device has IP connectivity when onboarding begins; how this connectivity is established is outside the protocol, although the specification mentions that deployments may use mechanisms such as an HTTP proxy to provide initial reachability.</t>

<t>When the device is later powered on, it uses its stored rendezvous information to locate the onboarding service associated with the current owner. The device and owner authenticate each other using the device credentials and the ownership voucher, allowing the owner to prove legitimate control of the device and the device to attest its identity. After this mutual authentication, the owner's onboarding service establishes cryptographic control of the device and securely provides the operational information needed for use, such as management service endpoints, network or application configuration, and credentials for the selected IoT platform. FDO also supports subsequent ownership transfer by allowing the current owner to update the device's onboarding state and create a new voucher for a future owner.</t>

<t>FIDO has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Onboarding</em>: is the central term used in FDO and represents the complete automated process that transitions a device from its factory state to operational use under the owner's management. It covers the discovery of the owner through the rendezvous server, the execution of TO1 and TO2, and the mutual authentication and secure exchange of configuration and credentials between the device and the owner's onboarding service. The ability to determine the final owner and configuration long after the device has been manufactured is referred to as <em>late binding</em>.</t>
      <t><em>Provisioning</em>: used interchangeably with the term onboarding to refer to the entire process of making the device operational. The introduction section of the specification even states <em>FDO is a device onboarding scheme from the FIDO Alliance, sometimes called "device provisioning"</em></t>
      <t><em>Initialization</em>: used to refer to the Device Initialization (DI) protocol, which occurs during device manufacturing and installs on the device all initial information, including the attestation key pair, unique identifier (GUID), rendezvous server information, manufacturer public key hash, and the secret used for computing the device HMAC. During the same phase, the manufacturer's tools generate the ownership voucher that corresponds to the device's credentials.</t>
      <t><em>Resale</em>: refers to the protocol actions that the current device owner can perform to transfer ownership of the device to a new owner without the involvement of the original manufacturer. This is made possible by the ability of the owner to update the device's credentials and generate a new ownership voucher during the onboarding process.</t>
      <t><em>Re-provisioning</em>: refers to the complete onboarding process being executed again for a new owner.</t>
    </list></t>
  <t><strong>Players</strong>: The device manufacturer plays a significant role in FDO. During production, the manufacturer provisions each device with a unique identifier (GUID), an asymmetric key pair used for cryptographic attestation (based on Intel EPID or standard ECDSA), a hash of the manufacturer's public key (used for verifying the ownership voucher chain), and detailed rendezvous information describing how the device can later locate its onboarding infrastructure. These rendezvous instructions may include DNS names, IP addresses, certificate hashes for TLS pinning, and even information such as a Wi-Fi SSID and passphrase to enable initial connectivity to the rendezvous server. The manufacturer also ensures that the device generates a symmetric secret, which is then used to compute an HMAC value over elements such as the device's GUID, rendezvous information, and manufacturer public key. This HMAC, unique to each unit, is embedded into a signed ownership voucher created by the manufacturer and transferred separately through the supply chain, establishing a verifiable link between the physical device and its digital identity. The specification does not prescribe who operates the rendezvous servers and refers to them generically as Internet services; in practice, they are often maintained by the manufacturer but could be hosted by other entities.  <vspace blankLines='1'/>
The final device owner, who seeks long-term management of the device for tasks such as retrieving data and performing software updates, either operates a dedicated onboarding service or delegates this function to another entity. The owner maintains a key pair whose public key is linked to the last entry in the ownership voucher and uses it to register device ownership with a rendezvous server. During the TO2 onboarding protocol, the owner authenticates to the device using its private key and the voucher, while the device attests its identity in return. Once mutual trust is established, the owner's onboarding service securely provisions operational credentials and configuration data, after which the device updates its internal FDO credentials to enable future resale or re-onboarding as needed.  <vspace blankLines='1'/>
FDO can be seen as a more elaborate evolution of SZTP. While both rely on manufacturer-installed credentials and trusted servers for redirection, FDO introduces a tighter cryptographic binding between the device and its ownership voucher through the embedded HMAC mechanism and supports verifiable ownership transfers across multiple entities. This design adds complexity but provides the important advantage that devices remain manageable even if the original manufacturer ceases operation, since ownership and onboarding continuity can be maintained by the last legitimate owner, who can update all information except the device's attestation keys.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: FDO assumes that each device is provisioned during manufacturing with a unique device identifier (GUID), a cryptographic key pair used for device attestation, a hash of the manufacturer's public key for verifying the ownership voucher chain, and the rendezvous information needed to discover onboarding services. The rendezvous information may include DNS names, IP addresses, supported communication protocols, certificate hashes for authenticating the rendezvous server, and even Wi-Fi SSID and passphrase details to enable initial network connectivity. The device also holds a symmetric secret used to compute and verify HMAC values that cryptographically bind the device's internal identity to its ownership voucher.</t>
  <t><strong>Processes</strong>: A precursor for an FDO device to onboard is the DI protocol, which imparts the information stated above. At the same time, the manufacturer creates an ownership voucher linked to the device through a device-generated HMAC value. The final owner, after receiving this voucher, possibly transferred through several intermediaries in the supply chain, registers the address of its onboarding service with a rendezvous server using the device GUID through the TO0 protocol. When the device is powered on, it follows its stored rendezvous instructions and performs the TO1 protocol to contact a rendezvous server, from which it retrieves the signed blob of data containing the network location of the owner's onboarding service. The device may optionally authenticate the rendezvous server through TLS if the rendezvous information specifies HTTPS and includes certificate hashes for pinning. The device then initiates a direct connection to the onboarding service, where the TO2 protocol is executed to perform mutual authentication and ownership transfer. During this process, the owner proves ownership using the ownership voucher, while the device authenticates itself using its attestation credentials. The device also verifies the authenticity of the signed blob received from the rendezvous server using the now-trusted owner key. After successful verification on both sides, a secure communication channel is established through which the owner's onboarding service transfers operational data such as network configuration parameters, addresses and endpoints of management servers or IoT platforms, authentication credentials such as keys, certificates, tokens, or shared secrets. The device applies these configurations and updates its internal FDO credentials with new information provided by the owner, which may include an updated device identifier, new rendezvous information, and a new trust anchor derived from the owner's public key. Similar to SZTP, once the supporting infrastructure such as the ownership voucher and rendezvous server registration has been set up, FDO enables an experience where only the physical installation and powering of the device are required for it to securely join the owner's management system or IoT platform. The specification does mention a <em>Trusted Installer</em> mode where the device is provided with advice and input during the onboarding process from the installer, however this is currently not defined and is left for future releases.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After the FDO onboarding process is complete, the device possesses all configuration and credential information necessary for secure operation under the new owner's management domain. This includes data transferred from the owner's onboarding service, which may contain network configuration parameters, the address and endpoint URLs of the final management server or IoT platform, and the credentials such as keys, certificates, tokens, or shared secrets required for the device to authenticate securely to these services. The data may also include instructions for installing required agents, drivers, or firmware updates. In addition, the device may receive and update its internal FDO credentials with new information supplied by the owner, which can include an updated device identifier (GUID), revised rendezvous server information, and a new hash of the owner's public key to establish a renewed trust anchor.</t>
</list></t>

</section>
<section anchor="thread"><name>Thread</name>

<t>Thread Mesh Commissioning Protocol (MeshCoP) <xref target="threadcommissioning"/> defines commissioning as the process by which a new device, called a Joiner, is authorized to join an existing Thread mesh network. The process is coordinated by a Commissioner, which may be implemented as a smartphone application, a border router service, or another management tool controlled by the device owner. The Commissioner first authenticates itself to the existing Thread network using the network's commissioning credential and obtains authority to act as the active Commissioner. It can then authorize selected Joiners to enter the network.</t>

<t>A Joiner does not initially possess the Thread Network Key and therefore cannot yet participate as a trusted member of the mesh. Instead, the Joiner and Commissioner authenticate each other using a device-specific PSKd, typically printed on the device or its packaging and transferred to the Commissioner by the user. They then perform a DTLS J-PAKE handshake, which may be relayed through existing Thread infrastructure, including a Joiner Router and Border Agent, so that the Commissioner does not need to communicate directly over IEEE 802.15.4. Once the Joiner has been authenticated, the Commissioner securely entrusts it with the Thread Network Key and other operational parameters. The device can then attach to the mesh and operate as a Thread node.</t>

<t>Thread has the following characteristics:</t>

<t><list style="symbols">
  <t><strong>Terms</strong>:
  <list style="symbols">
      <t><em>Commissioning</em>: refers to the entire process by which a new device is authorized to join an existing Thread network. It encompasses the discovery of commissioning-capable networks, authentication of the Commissioner, authentication of the Joiner using a device-specific PSKd, and the secure delivery of network credentials to the Joiner.</t>
      <t><em>Petitioning</em>: refers specifically to the process by which a prospective Commissioner requests authority from the Thread network to act as the active Commissioner.</t>
      <t><em>Discovery</em>: used for the mechanisms by which Joiner devices identify Thread networks that are currently accepting new devices.</t>
      <t><em>Provisioning</em>: refer narrowly to the act of delivering credentials to a Joiner once it has been authenticated.</t>
      <t><em>Entrust</em>: protocol step in which the Commissioner securely provides the Joiner with the Thread Network Key and other essential network parameters. Entrusting marks the transition point at which the joining device gains the cryptographic material required to participate as a trusted member of the mesh.</t>
      <t><em>Attach</em>: refers to the process that follows commissioning, in which the newly provisioned device uses the Network Key to perform Mesh Link Establishment (MLE) with a parent router.</t>
      <t><em>Join</em>: act of a device that is not yet a member of the Thread mesh network joining the mesh network</t>
    </list></t>
  <t><strong>Players</strong>: The device manufacturer is responsible for provisioning each device with a unique EUI-64 identifier and a Pre-Shared Key for the Device (PSKd), making this credential available to the user via physical labels or packaging. The device owner/user is responsible for establishing the Thread network infrastructure prior to commissioning. This includes deploying a functioning Thread mesh with at least one Border Router and selecting a human-readable Commissioning Credential (passphrase). This passphrase is used to derive the PSKc (Pre-Shared Key for the Commissioner), which allows the Commissioner to authenticate and communicate securely with the network's Border Agent. Additionally, the user must ensure an existing Thread device is in the vicinity of the new Joiner to serve as the Joiner Router relay. The Commissioner role may be fulfilled by functionality built into mobile operating systems (Android/iOS) or via a manufacturer-supplied application. Once the infrastructure is ready, the user is responsible for inputting the new device's PSKd into the Commissioner to initiate the mutually authenticated joining process.</t>
  <t><strong>Initial beliefs assumed in the device</strong>: Thread mesh commissioning assumes that a device is manufactured with a unique EUI-64 and a Pre Shared Key for the Device (PSKd), which is a short human-readable string intended to be conveyed out-of-band to an authorized commissioner. This PSKd is typically printed on the device itself, on an attached label, or on the original packaging, and may also be encoded in a QR code to facilitate user entry. The commissioning process relies on the assumption that this PSKd is securely transferred by the user to the commissioner, such as a smartphone application, and is used to initiate a mutually authenticated commissioning exchange.</t>
  <t><strong>Processes</strong>: The Thread mesh commissioning process begins when a user authorized Commissioner, commonly implemented as an application or service associated with a border router, discovers the target Thread network via a Border Agent. In parallel, a prospective device, known as a Joiner, is powered on and placed into joining mode, where it actively scans available IEEE 802.15.4 channels and transmits Discovery Request messages. Existing network nodes that are permitted to assist commissioning, such as routers or router eligible end devices, respond with Discovery Responses that advertise network identifiers and Steering Data, enabling the Joiner to identify a compatible network. Before authorizing new devices, the Commissioner must authenticate itself by establishing a mutually authenticated DTLS session with the Border Agent using the network commissioning credential and by petitioning the network Leader to become the active Commissioner for the partition. Once authorized, and after the user supplies the Joiner specific PSKd to the Commissioner, the Joiner initiates a DTLS based authentication exchange that is relayed through a nearby Joiner Router and the Border Agent. This exchange uses a password authenticated key exchange to mutually prove possession of the PSKd. Upon successful authentication, a secure commissioning session is established and the Commissioner performs the Joiner Entrust procedure, securely delivering the Thread Network Key and other operational parameters to the Joiner. With these credentials installed, the Joiner terminates the commissioning session and proceeds to attach to the mesh by executing the Mesh Link Establishment protocol with a parent router, thereby completing commissioning and becoming a fully authenticated and operational node in the Thread network.</t>
  <t><strong>Knowledge imparted to the device after protocol execution</strong>: After completion of the Thread mesh commissioning process, the device possesses all the information required to securely participate as a node in the Thread network. This includes network parameters such as the network name, channel, PAN identifier, and security policy. The device is also provided with the Thread Network Key, which serves as the root of trust for securing link-layer frames and Mesh Link Establishment (MLE) communications, enabling it to mutually authenticate neighboring nodes as legitimate members of the same security domain. In addition, the device acquires addressing and identity information, including the Mesh-Local Endpoint Identifier (ML-EID) and Routing Locator (RLOC), which are used to support efficient IPv6 routing and forwarding within the mesh network.</t>
</list></t>

</section>
</section>
<section anchor="comp"><name>Comparison</name>

<t>This section presents a comparative analysis of the protocols for initial security setup of IoT devices. While the protocols originate from different standards bodies and target diverse deployment environments, they all address the same fundamental challenge of transitioning a device from a factory default state to a secure and operational state within a specific administrative, network, or ownership domain. The comparison is structured along the terminology used by each protocol, the players involved, the initial beliefs assumed on the device, the process steps required to complete onboarding, and finally, the knowledge imparted to the device after protocol execution. The section also discusses broader implications such as privacy considerations, resilience to supply chain attacks, support for resale and reuse, and the trade offs between user involvement and automation.</t>

<section anchor="comp-term"><name>Comparison of terminology</name>

<t>The ten protocols covered in <xref target="standards"/> highlight the lack of a common lexicon for specifying initial security setup mechanisms for IoT devices. While these protocols broadly aim to achieve the same outcome, namely transitioning a device from a factory default state to an operational and trusted network node, the terminology used to describe this process is fragmented and often inconsistent. Although it is difficult to identify strict patterns, several noteworthy observations emerge from a comparison of the terminology used across the protocols.</t>

<t>IETF protocols such as BRSKI, EAP NOOB, and SZTP predominantly rely on <em>bootstrapping</em> as the umbrella term for the entire process of transitioning a device from a factory default state to an operational state. Notably, SZTP includes the word provisioning in its title but explicitly describes itself as a bootstrapping strategy within the specification. In contrast, Wi-Fi DPP uses <em>bootstrapping</em> more narrowly as only the initial step of establishing trust through mechanisms such as QR codes or NFC. This differs from the IETF usage, where bootstrapping typically encompasses the complete process.</t>

<t>OCF and FDO use <em>onboarding</em> as the umbrella term for the entire initial security setup. This terminology reflects a consumer or enterprise management mindset, where a device is brought on board into an administrative or ownership domain. In both protocols, onboarding is closely tied to the concept of ownership transfer, treating the device as an asset that moves between legal or administrative entities such as manufacturers and owners. It is also worth noting a subtle semantic distinction OCF and FDO define onboarding primarily as a verb describing the process of transitioning the device, whereas SZTP defines <em>onboarding information</em> as a noun referring to the payload, such as boot images, configuration, and scripts, that the device receives.</t>

<t>Bluetooth Mesh and Wi Fi DPP use <em>provisioning</em> as the umbrella term for the entire process. This choice is potentially confusing, as provisioning has traditionally referred to a specific sub step involving the delivery of configuration data or credentials. By elevating provisioning to describe the full lifecycle of initial security setup, these protocols blur the conceptual boundary between establishing trust and configuring operational parameters.</t>

<t>Thread uses the term <em>commissioning</em> to describe entire initial setup process. This term has possible roots in building automation and industrial control systems, where it implies a technician physically installing, verifying, and activating equipment. The choice of commissioning reflects Thread's emphasis on local installation and user assisted setup within a constrained network environment.</t>

<t>The term <em>provisioning</em> exhibits the most severe semantic overloading across protocols. In Wi Fi DPP and Bluetooth Mesh, provisioning refers to the entire process of adding a device, including discovery, authentication, and key distribution. In Thread and OCF, provisioning is a more narrowly defined step that refers specifically to the delivery of credentials and security related information after authentication or ownership transfer. SZTP uses the term more loosely and often interchangeably with bootstrapping, further contributing to ambiguity.</t>

<t>The term <em>enrollment</em> is predominantly used in protocols that rely on X.509 certificates. EST and BRSKI use enrollment in its strict PKI sense, referring to the process by which a device obtains a certificate from a Certificate Authority. In contrast, Wi Fi DPP uses enrollment more informally to mean authorizing a device to join a network, largely detached from its PKI origins. SZTP uses enrollment in a completely different manner, referring to the device owner enrolling with the manufacturer, which reverses the more common direction of device enrolling into a network or domain.</t>

<t>While strict harmonization of terminology across diverse standards is impractical, this analysis reveals that much of the ambiguity arises when terms describing atomic actions, such as transferring credentials, are conflated with terms describing broader lifecycle phases, such as transitioning a device from a factory state to an operational state. To improve clarity, it is beneficial to adopt clear umbrella terms such as <em>onboarding</em> or <em>bootstrapping</em> to describe the comprehensive process. <em>Onboarding</em> is preferable when emphasizing ownership or administrative control transitions, as seen in OCF and FDO, while <em>bootstrapping</em> is more suitable for network centric state transitions, as in BRSKI and SZTP. Action oriented terms such as <em>provisioning</em> and <em>authentication</em> should be reserved for specific sub phases within the umbrella process. In particular, provisioning should ideally refer to the secure delivery of configuration data or credentials, rather than the entire initial security setup lifecycle.</t>

</section>
<section anchor="comp-players"><name>Comparison of players</name>

<t>The burden of initial security setup can never truly be eliminated; it is instead shifted between the entities involved. In some protocols, this burden is placed primarily on the user, for example by requiring QR code scanning or PIN entry, while in others it is placed on the manufacturer, for example by requiring the operation of online authorization services. In this section, we compare the protocols based on the players involved and the expectations placed upon them.</t>

<t>One important distinction lies in the role of the manufacturer. At one end of the spectrum are protocols with zero preconfiguration, such as EAP NOOB or Bluetooth Mesh using Just Works, which require minimal manufacturer involvement. These protocols do not demand preinstalled unique credentials or cryptographic secrets. Next are protocols such as Thread, Bluetooth Mesh, and Wi Fi DPP, where the manufacturer responsibility is largely limited to the factory. In these cases, the manufacturer must generate a unique identifier, such as an EUI 64, and provision a static bootstrapping secret or key, such as a PSKd or a bootstrapping public key. This information is typically made available physically on the device or its packaging, for example as a printed label or QR code. OCF similarly requires provisioning a unique device UUID and optionally a manufacturer certificate. Once the device leaves the factory, the manufacturer security role largely ends. At the other end of the spectrum are protocols that require sustained manufacturer involvement. BRSKI, SZTP, and FDO require manufacturers to install specific trust anchors and IEEE 802.1AR IDevID certificates and to operate high availability online services. In BRSKI, this role is fulfilled by the Manufacturer Authorized Signing Authority. In SZTP and FDO, manufacturers issue ownership vouchers and may also operate redirect or rendezvous services. These protocols further require manufacturers to track device serial numbers in order to validate ownership claims, introducing significant logistical and operational complexity.</t>

<t>The user or installer occupies very different positions across the protocols. User centric protocols require active participation, such as scanning QR codes, entering PINs, confirming device identity, or approving commissioning actions. This is common in Wi Fi DPP, Bluetooth Mesh, Thread, and OCF Just Works or Random PIN modes. In contrast, protocols designed for minimal or no user interaction at the device level, such BRSKI, SZTP, and FDO largely front load the user responsibilities to system preparation activities such as configuring backend services and defining policies, after which devices can complete the protocol without further user involvement.</t>

<t>Administrator responsibilities also vary significantly between protocols. Infrastructure centric protocols require the deployment and operation of specific components. BRSKI requires a Registrar and often an EST server. LwM2M requires a Bootstrap Server. FDO requires a Rendezvous Server and an onboarding service. For EAP NOOB, the administrator must configure the AAA infrastructure, such as RADIUS, to route the special NAI noob@eap-noob.arpa to the appropriate application server. In SZTP, the network must support specific DHCP options or DNS records to allow devices to discover bootstrap servers. In BRSKI, a Join Proxy is required to facilitate communication between an unauthenticated pledge and the registrar.</t>

<t>The relationship between owner, user, and administrator is not always clearly delineated. In a home network using Bluetooth Mesh or Thread, the owner, administrator, and user are often the same individual. In contrast, when BRSKI is used for large scale deployments such as ISP provided CPE, the administrator and owner may be the service provider, while the end user has little or no role in the onboarding process beyond physically connecting the device.</t>

<t>Another important dimension of comparison is whether a protocol relies primarily on local actors or remote infrastructure. Protocols such as Thread, Bluetooth Mesh, and Wi Fi DPP are largely local in nature and can operate without continuous Internet connectivity. Others, such as BRSKI, SZTP, EST, and FDO, introduce additional remote players operated by manufacturers or service providers, including certificate authorities, manufacturer authorization services, bootstrap servers, and rendezvous services. EAP NOOB also relies on a remote authentication server, although this server may be colocated with local infrastructure such as an access point. One advantage of EAP based approaches is that devices can communicate securely with remote servers before obtaining full IP connectivity, a capability that is inherent to EAP. A general trend across protocols is the gradual introduction of optional remote components even in traditionally local schemes, such as DPP over TCP or remote provisioning in Bluetooth Mesh, reflecting the practical benefits of centralizing logic and state in backend services.</t>

</section>
<section anchor="comp-beliefs"><name>Comparison of initial beliefs</name>

<t>Protocols can be grouped into four broad categories based on the type and strength of identity and credentials that are imparted to the device during manufacturing or prior to deployment. The choice of category has significant implications for supply chain complexity, user involvement, scalability, and achievable security properties.</t>

<t><list style="symbols">
  <t><strong>The Blank Slate (No Cryptographic Secrets)</strong>: In this category, devices are assumed to have no pre-installed cryptographic secrets or unique credentials. Trust is established entirely through user-assisted mechanisms. Examples include OCF Just Works, OCF Random PIN, and EAP-NOOB. Security in this category relies heavily on the user's ability to correctly associate the physical device in their possession and complete the procedure securely (e.g. using Just Works in a physically secure environment).</t>
  <t><strong>Static Symmetric Secrets</strong>: These protocols assume that a shared secret or password is installed at manufacturing time. In Thread, the device holds a unique EUI-64 and a PSKd (Pre-Shared Key for Device). The trust model assumes that possession of the PSKd, typically obtained by reading a label or scanning a QR code, implies authorization to commission the device. In LwM2M Factory or Smartcard modes, a symmetric key known to both the device and the Bootstrap Server is used, enabling automated bootstrapping without direct user interaction.</t>
  <t><strong>Raw Asymmetric Keys</strong>: Devices in this category possess a unique asymmetric key pair but no certificate signed by a trusted authority. In Wi-Fi DPP, the device holds a bootstrapping key pair and the public key is encoded in a QR code or URI that is transferred to the configurator. Similar approaches are used in Bluetooth Mesh with Static OOB authentication and in LwM2M Raw Public Key (RPK) mode. In these protocols, knowledge of the device public key is sufficient to provision or onboard the device.</t>
  <t><strong>Certificates and Supporting Infrastructure</strong>: The most infrastructure-intensive category assumes that devices are provisioned during manufacturing with X.509 certificates and corresponding trust anchors. BRSKI, SZTP, FDO, EST, OCF in certificate-based modes, and Bluetooth Mesh v1.1 certificate provisioning fall into this category. In BRSKI, the device must possess an IEEE 802.1AR IDevID certificate and a trust anchor to verify vouchers issued by the Manufacturer Authorized Signing Authority (MASA). SZTP similarly assumes an IDevID and trust anchors for verifying manufacturer-signed ownership vouchers and bootstrap servers. FDO assumes a GUID, an attestation key pair, a hash of the manufacturer public key, rendezvous information, and a device-specific HMAC secret used to validate ownership vouchers. EST assumes an existing credential, commonly an IEEE 802.1AR certificate, to mutually authenticate the TLS session with the EST server. OCF certificate-based modes and Bluetooth Mesh v1.1 support optional manufacturer-installed certificates that enable automated device authentication during ownership transfer or provisioning.</t>
</list></t>

<t>The nature of the initial beliefs assumed on the devices by various protocols have other consequences worth considering:</t>

<t><list style="symbols">
  <t><strong>Privacy</strong>: Protocols that expose static identifiers can pose privacy risks. Bluetooth Mesh and Thread often advertise a Device UUID or EUI-64 in the clear during discovery, creating a persistent digital fingerprint that can be passively observed. EAP-NOOB includes a PeerInfo field, which may contain information such as MAC address or device make and model. However, this information is revealed only after the server responds to the initial generic identity noob@eap-noob.arpa, ensuring that disclosure occurs only to a server that actively participates in the EAP exchange rather than continuously via broadcast beacons. Another privacy consideration is protection from the device manufacturer. Vendor-mediated protocols such as FDO, SZTP, and BRSKI achieve convenience and minimal user interaction by requiring the device to contact a manufacturer-operated service such as a Rendezvous Server, MASA, or bootstrap server. As a result, the manufacturer or cloud provider can retain a permanent record of when and from which network a device is onboarded. The owner cannot install the device without the manufacturer becoming aware of its activation. In contrast, local sovereignty protocols operate entirely within the local deployment context and remain invisible to the manufacturer. A user can deploy a device in an isolated environment without the vendor ever learning that it was activated.</t>
  <t><strong>Vulnerability to label swapping</strong>: Protocols in the static symmetric secret and raw asymmetric key categories rely heavily on the physical integrity of device labels. If an attacker can photograph or copy a QR code in the supply chain or replace it with a malicious one, they may be able to claim the device as soon as it comes online or perform a man-in-the-middle attack. Damage to or loss of the label can also render a device unusable unless the manufacturer retains and can recover the associated public key. If the QR code is not attached to the device itself and the device is resold on a secondary market, the new owner may be unable to onboard it. In some ecosystems, devices cannot be transferred to a new owner without cooperation from the previous owner, leading to devices being resold but effectively unusable.</t>
  <t><strong>Raw public keys vs. certificates</strong>: Protocols based on raw public keys, such as Wi Fi DPP with Static OOB authentication, prevent passive eavesdropping but can be vulnerable to misbinding attacks <xref target="Sethi19"/>. An attacker can print a QR code containing their own public key and attach it to a different device. If the user scans this code, the protocol may complete successfully with an attacker controlled device. In contrast, certificate based approaches allow a device to cryptographically prove contextual information such as its manufacturer, model, or serial number, reducing the risk that initial security setup is completed with the wrong or malicious device. Both raw public keys and certificates introduce cost factors, since factory installed credentials require secure manufacturing processes to ensure that keys and certificates are generated, stored, and injected without leakage. While the use of certificates is becoming increasingly common and provides the additional benefit of signed contextual information, the complexity and cost of operating a public key infrastructure cannot always be ignored by manufacturers. Commercial private PKI services, such as those offered by cloud providers like Amazon Web Services (AWS), typically charge per issued certificate, which may be prohibitive for certain types of devices.</t>
</list></t>

</section>
<section anchor="comp-process"><name>Comparison of processes</name>

<t>All protocols solve the same sequence of problems: discovering a device or service endpoint, establishing initial trust, authorizing the device for a specific domain or owner, and delivering the credentials and configuration required for operational use. The protocols differ primarily in where these steps occur, who participates in them, and how much user involvement is required.</t>

<t>A first distinguishing factor is <strong>discovery</strong>. Local and user centric protocols such as Bluetooth Mesh, Thread, and Wi Fi DPP rely on link local discovery mechanisms, including beaconing, active scanning, or out-of-band identifiers such as QR codes or NFC. In these protocols, discovery is tightly coupled to physical proximity and user intent. In contrast, infrastructure centric protocols such as SZTP, BRSKI, FDO, and LwM2M rely on network based discovery mechanisms. Devices locate bootstrap services using DHCP options, DNS records, well known URLs, or rendezvous services. EAP NOOB occupies a hybrid position, where the device uses a well-known identity to trigger bootstrapping with any network willing to route EAP exchange.</t>

<t>The <strong>establishment of initial trust</strong> is another major point of divergence. User assisted protocols typically rely on out-of-band mechanisms such as PINs, QR codes, shared secrets, or visual confirmation to authenticate the first exchange. Examples include Thread PSKd entry, Bluetooth Mesh OOB authentication, Wi-Fi DPP QR code scanning, and OCF Random PIN. These approaches trade automation for user visibility and local control. Infrastructure centric protocols instead rely on manufacturer installed credentials and third-party validation. In BRSKI, the device presents an IDevID certificate and receives a voucher validated by the manufacturer. In SZTP and FDO, ownership vouchers and manufacturer signatures play a similar role. EST assumes the existence of a credential that allows immediate mutual authentication with a server. In these protocols, trust is anchored in a PKI or manufacturer operated service rather than in user mediated actions.</t>

<t>Protocols also differ in <strong>where authorization decisions are made</strong>. In network centric schemes such as Thread, Bluetooth Mesh, and DPP, authorization is implicit in possession of shared credentials or group membership. Once a device demonstrates knowledge of the appropriate key material, it is accepted as part of the network. In contrast, owner centric protocols such as FDO, OCF, and LwM2M explicitly model ownership and administrative domains. Authorization involves verifying ownership artifacts, registering devices with backend services, or associating them with specific management endpoints. BRSKI similarly requires explicit authorization through voucher validation, binding the device to a specific domain before it is allowed to enroll for credentials.</t>

<t>The <strong>delivery of credentials and configuration</strong> also varies in scope and timing. Some protocols deliver only the minimum information required for secure communication, such as a network key or access credential, leaving higher level configuration to later stages. Thread and Bluetooth Mesh are examples of this approach. Other protocols deliver a richer set of information during onboarding itself. SZTP may deliver boot images, configuration files, and scripts. FDO, OCF, and LwM2M provision management service endpoints, access control parameters, and long-term credentials as part of the onboarding flow. In these protocols, initial security setup is tightly coupled with lifecycle management.</t>

<t>Finally, the protocols differ in their <strong>support for repetition, reset, and ownership transfer</strong>. Some protocols treat onboarding as a one time event, with reset and reprovisioning possible but not explicitly modeled. Thread and Bluetooth Mesh fall largely into this category. Others explicitly design for reuse and transfer. FDO and OCF include mechanisms to update internal credentials and ownership state, enabling resale or reassignment without manufacturer involvement. These differences have significant implications for device longevity, secondary markets, and operational flexibility.</t>

</section>
<section anchor="comp-impart"><name>Comparison of knowledge imparted to the device</name>

<t>Although all surveyed protocols aim to securely transition a device into an operational state, they differ significantly in what beliefs are imparted to the device once the protocol has completed. These post execution beliefs define not only how the device authenticates and communicates afterwards, but also how it interprets authority, ownership, and its position within a broader administrative or security domain.</t>

<t><list style="symbols">
  <t><strong>Network centric</strong>: Protocols focused primarily on connectivity impart, at minimum, the cryptographic material required to communicate at the data link or network layer. The device learns how to communicate securely with its neighbors, but not necessarily who manages it or what its long term application behavior should be. For example, Thread imparts the Thread Network Key along with network parameters such as PAN ID and channel, and provides addressing information including ML EID and RLOC, enabling the device to participate in IPv6 routing. Bluetooth Mesh similarly imparts a Network Key and a unicast address, allowing the device to encrypt and authenticate mesh traffic. Wi Fi DPP imparts a Connector, a signed credential containing a group identifier and a network access key, and also provisions the configurator public signing key, which functions as a trust anchor for verifying other network participants. In these protocols, trust is implicitly placed in peers that demonstrate possession of the same credentials. They generally do not encode an explicit concept of ownership, and authorization is derived from membership in a network or group. Bluetooth Mesh partially blurs this boundary by also provisioning Application Keys and a Device Key, enabling continued security provisioning and application level protection beyond basic network access.</t>
  <t><strong>Infrastructure centric</strong>: Protocols in this category focus on imparting trust anchors and embedding the device into a public key infrastructure domain. Examples include BRSKI, EST, and SZTP. These protocols impart the belief that the device is now a member of a specific PKI domain and that trust relationships are mediated through certificates and certificate authorities. After execution, the device typically holds a locally issued certificate, trust anchors for the domain, and in some cases vouchers or ownership related artifacts that bind its identity to the domain. Authorization decisions are derived from PKI membership and policy rather than from direct user interaction or shared secrets. SZTP goes further than most by also imparting onboarding information that can include boot images, configuration scripts, and software updates. In this case, the knowledge imparted to the device is not limited to credentials, but can extend to defining the complete executable and operational personality of the device.</t>
  <t><strong>Service centric</strong>: Protocols such as FDO, OCF, LwM2M, and EAP NOOB impart the belief that the device belongs to a specific owner or administrative entity and should report to a specific service endpoint. Upon completion, the device holds an Owner Credential or ownership related trust anchor that cryptographically binds it to an owner or management domain. This belief is stronger and more persistent than simple network membership and enables fine grained authorization, delegation, and lifecycle management. Rather than binding the device solely to a network, these protocols bind it to a logical service or platform. Crucially, they impart service knowledge: the device completes the protocol knowing exactly which URL or service endpoint to contact for configuration, credential updates, software updates, and access control decisions. In protocols such as OCF and FDO, the device is explicitly provisioned with the identities and endpoints of management services, including Credential Management Services and Access Management Services. The device therefore believes not only who owns it, but also where to obtain policies, credentials, and updates throughout its operational lifetime.</t>
</list></t>

<t>The extent to which a device is prepared for reuse and ownership transfer also varies significantly across protocols. Protocols such as FDO and OCF explicitly update internal state and credentials to support future resale or re-execution of the protocol for initial security setup, imparting the belief that ownership and trust relationships are mutable over time. By contrast, Thread and Bluetooth Mesh generally treat commissioning as a one time event, with reset and reprovisioning possible but not explicitly modeled as ownership transitions. A particularly challenging case arises in protocols that rely on physical labels. If possession of a label or QR code is sufficient to claim a device, then an unauthorized individual with temporary access to the device or its packaging may be able to take control of it. In other cases, a device reset may not be sufficient to make the device reusable until the previous owner explicitly removes it from their management system. These differences have significant implications for secondary markets, device longevity, and long term sustainability.</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This draft does not take any posture on the security properties of the different bootstrapping protocols discussed. Specific security considerations of each protocol is present in the respective specifications.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>There are no IANA considerations for this document.</t>

</section>
<section anchor="acknowledgements"><name>Acknowledgements</name>

<t>We would like to thank Gabriel Lopez-Millan, Rafa Marin-Lopez, Tuomas Aura, Hannes Tschofenig, Michael Richardson for providing extensive feedback and support.</t>

</section>


  </middle>

  <back>




    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC2904">
  <front>
    <title>AAA Authorization Framework</title>
    <author fullname="J. Vollbrecht" initials="J." surname="Vollbrecht"/>
    <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="L. Gommans" initials="L." surname="Gommans"/>
    <author fullname="G. Gross" initials="G." surname="Gross"/>
    <author fullname="B. de Bruijn" initials="B." surname="de Bruijn"/>
    <author fullname="C. de Laat" initials="C." surname="de Laat"/>
    <author fullname="M. Holdrege" initials="M." surname="Holdrege"/>
    <author fullname="D. Spence" initials="D." surname="Spence"/>
    <date month="August" year="2000"/>
    <abstract>
      <t>This memo serves as the base requirements for Authorization of Internet Resources and Services (AIRS). It presents an architectural framework for understanding the authorization of Internet resources and services and derives requirements for authorization protocols. This memo provides information for the Internet community.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2904"/>
  <seriesInfo name="DOI" value="10.17487/RFC2904"/>
</reference>

<reference anchor="RFC5272">
  <front>
    <title>Certificate Management over CMS (CMC)</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <author fullname="M. Myers" initials="M." surname="Myers"/>
    <date month="June" year="2008"/>
    <abstract>
      <t>This document defines the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This protocol addresses two immediate needs within the Internet Public Key Infrastructure (PKI) community:</t>
      <t>1. The need for an interface to public key certification products and services based on CMS and PKCS #10 (Public Key Cryptography Standard), and</t>
      <t>2. The need for a PKI enrollment protocol for encryption only keys due to algorithm or hardware design.</t>
      <t>CMC also requires the use of the transport document and the requirements usage document along with this document for a full definition. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5272"/>
  <seriesInfo name="DOI" value="10.17487/RFC5272"/>
</reference>

<reference anchor="RFC6241">
  <front>
    <title>Network Configuration Protocol (NETCONF)</title>
    <author fullname="R. Enns" initials="R." role="editor" surname="Enns"/>
    <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
    <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
    <author fullname="A. Bierman" initials="A." role="editor" surname="Bierman"/>
    <date month="June" year="2011"/>
    <abstract>
      <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6241"/>
  <seriesInfo name="DOI" value="10.17487/RFC6241"/>
</reference>

<reference anchor="RFC7030">
  <front>
    <title>Enrollment over Secure Transport</title>
    <author fullname="M. Pritikin" initials="M." role="editor" surname="Pritikin"/>
    <author fullname="P. Yee" initials="P." role="editor" surname="Yee"/>
    <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/>
    <date month="October" year="2013"/>
    <abstract>
      <t>This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7030"/>
  <seriesInfo name="DOI" value="10.17487/RFC7030"/>
</reference>

<reference anchor="RFC7252">
  <front>
    <title>The Constrained Application Protocol (CoAP)</title>
    <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
    <author fullname="K. Hartke" initials="K." surname="Hartke"/>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <date month="June" year="2014"/>
    <abstract>
      <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
      <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7252"/>
  <seriesInfo name="DOI" value="10.17487/RFC7252"/>
</reference>

<reference anchor="RFC7616">
  <front>
    <title>HTTP Digest Access Authentication</title>
    <author fullname="R. Shekh-Yusef" initials="R." role="editor" surname="Shekh-Yusef"/>
    <author fullname="D. Ahrens" initials="D." surname="Ahrens"/>
    <author fullname="S. Bremer" initials="S." surname="Bremer"/>
    <date month="September" year="2015"/>
    <abstract>
      <t>The Hypertext Transfer Protocol (HTTP) provides a simple challenge- response authentication mechanism that may be used by a server to challenge a client request and by a client to provide authentication information. This document defines the HTTP Digest Authentication scheme that can be used with the HTTP authentication mechanism.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7616"/>
  <seriesInfo name="DOI" value="10.17487/RFC7616"/>
</reference>

<reference anchor="RFC7617">
  <front>
    <title>The 'Basic' HTTP Authentication Scheme</title>
    <author fullname="J. Reschke" initials="J." surname="Reschke"/>
    <date month="September" year="2015"/>
    <abstract>
      <t>This document defines the "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme, which transmits credentials as user-id/ password pairs, encoded using Base64.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7617"/>
  <seriesInfo name="DOI" value="10.17487/RFC7617"/>
</reference>

<reference anchor="RFC8040">
  <front>
    <title>RESTCONF Protocol</title>
    <author fullname="A. Bierman" initials="A." surname="Bierman"/>
    <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/>
    <date month="January" year="2017"/>
    <abstract>
      <t>This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8040"/>
  <seriesInfo name="DOI" value="10.17487/RFC8040"/>
</reference>

<reference anchor="RFC8366">
  <front>
    <title>A Voucher Artifact for Bootstrapping Protocols</title>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
    <author fullname="T. Eckert" initials="T." surname="Eckert"/>
    <date month="May" year="2018"/>
    <abstract>
      <t>This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher".</t>
      <t>This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)).</t>
      <t>This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8366"/>
  <seriesInfo name="DOI" value="10.17487/RFC8366"/>
</reference>

<reference anchor="RFC8572">
  <front>
    <title>Secure Zero Touch Provisioning (SZTP)</title>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/>
    <author fullname="I. Farrer" initials="I." surname="Farrer"/>
    <author fullname="M. Abrahamsson" initials="M." surname="Abrahamsson"/>
    <date month="April" year="2019"/>
    <abstract>
      <t>This document presents a technique to securely provision a networking device when it is booting in a factory-default state. Variations in the solution enable it to be used on both public and private networks. The provisioning steps are able to update the boot image, commit an initial configuration, and execute arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connections with deployment-specific network management systems.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8572"/>
  <seriesInfo name="DOI" value="10.17487/RFC8572"/>
</reference>

<reference anchor="RFC8949">
  <front>
    <title>Concise Binary Object Representation (CBOR)</title>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="December" year="2020"/>
    <abstract>
      <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
      <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="94"/>
  <seriesInfo name="RFC" value="8949"/>
  <seriesInfo name="DOI" value="10.17487/RFC8949"/>
</reference>

<reference anchor="RFC8995">
  <front>
    <title>Bootstrapping Remote Secure Key Infrastructure (BRSKI)</title>
    <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="T. Eckert" initials="T." surname="Eckert"/>
    <author fullname="M. Behringer" initials="M." surname="Behringer"/>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/>
    <date month="May" year="2021"/>
    <abstract>
      <t>This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8995"/>
  <seriesInfo name="DOI" value="10.17487/RFC8995"/>
</reference>

<reference anchor="RFC9112">
  <front>
    <title>HTTP/1.1</title>
    <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
    <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
    <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
    <date month="June" year="2022"/>
    <abstract>
      <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document specifies the HTTP/1.1 message syntax, message parsing, connection management, and related security concerns.</t>
      <t>This document obsoletes portions of RFC 7230.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="99"/>
  <seriesInfo name="RFC" value="9112"/>
  <seriesInfo name="DOI" value="10.17487/RFC9112"/>
</reference>

<reference anchor="RFC9140">
  <front>
    <title>Nimble Out-of-Band Authentication for EAP (EAP-NOOB)</title>
    <author fullname="T. Aura" initials="T." surname="Aura"/>
    <author fullname="M. Sethi" initials="M." surname="Sethi"/>
    <author fullname="A. Peltonen" initials="A." surname="Peltonen"/>
    <date month="December" year="2021"/>
    <abstract>
      <t>The Extensible Authentication Protocol (EAP) provides support for multiple authentication methods. This document defines the EAP-NOOB authentication method for nimble out-of-band (OOB) authentication and key derivation. The EAP method is intended for bootstrapping all kinds of Internet-of-Things (IoT) devices that have no preconfigured authentication credentials. The method makes use of a user-assisted, one-directional, out-of-band (OOB) message between the peer device and authentication server to authenticate the in-band key exchange. The device must have a nonnetwork input or output interface, such as a display, microphone, speaker, or blinking light, that can send or receive dynamically generated messages of tens of bytes in length.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9140"/>
  <seriesInfo name="DOI" value="10.17487/RFC9140"/>
</reference>

<reference anchor="RFC9148">
  <front>
    <title>EST-coaps: Enrollment over Secure Transport with the Secure Constrained Application Protocol</title>
    <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
    <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="S. Raza" initials="S." surname="Raza"/>
    <date month="April" year="2022"/>
    <abstract>
      <t>Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9148"/>
  <seriesInfo name="DOI" value="10.17487/RFC9148"/>
</reference>


<reference anchor="Sethi19" target="https://doi.org/10.1145/3321705.3329813">
  <front>
    <title>Misbinding Attacks on Secure Device Pairing and Bootstrapping</title>
    <author initials="M." surname="Sethi" fullname="Mohit Sethi">
      <organization>Aalto University</organization>
    </author>
    <author initials="A." surname="Peltonen" fullname="Aleksi Peltonen">
      <organization>Aalto University</organization>
    </author>
    <author initials="T." surname="Aura" fullname="Tuomas Aura">
      <organization>Aalto University</organization>
    </author>
    <date year="2019" month="July"/>
  </front>
  <seriesInfo name="Proceedings" value="of the 2019 ACM Asia Conference on Computer and Communications Security (AsiaCCS '19), pp. 453-464, Auckland, New Zealand"/>
</reference>
<reference anchor="Sethi14" target="http://dx.doi.org/10.1145/2632048.2632049">
  <front>
    <title>Secure Bootstrapping of Cloud-Managed Ubiquitous Displays</title>
    <author initials="M." surname="Sethi" fullname="Mohit Sethi">
      <organization>Ericsson</organization>
    </author>
    <author initials="E." surname="Oat" fullname="Elena Oat">
      <organization>Aalto University</organization>
    </author>
    <author initials="M." surname="Di Francesco" fullname="Mario Di Francesco">
      <organization>Aalto University</organization>
    </author>
    <author initials="T." surname="Aura" fullname="Tuomas Aura">
      <organization>Aalto University</organization>
    </author>
    <date year="2014" month="September"/>
  </front>
  <seriesInfo name="Proceedings" value="of ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp 2014), pp. 739-750, Seattle, USA"/>
</reference>
<reference anchor="dpp" target="https://www.wi-fi.org/wi-fi-download/35330">
  <front>
    <title>Wi-Fi Easy Connect Specification</title>
    <author >
      <organization>Wi-Fi Alliance</organization>
    </author>
    <date year="2018"/>
  </front>
  <seriesInfo name="Wi-Fi Alliance" value="Version 3.0"/>
</reference>
<reference anchor="bt-mesh" target="https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/MshPRT_v1.1/out/en/index-en.html">
  <front>
    <title>Mesh Protocol</title>
    <author >
      <organization></organization>
    </author>
    <date year="2023"/>
  </front>
  <seriesInfo name="v1.1" value=""/>
</reference>
<reference anchor="oma" target="https://openmobilealliance.org/release/LightweightM2M/V1_2_1-20221209-A/OMA-TS-LightweightM2M_Core-V1_2_1-20221209-A.pdf">
  <front>
    <title>Lightweight Machine to Machine Technical Specification: Core</title>
    <author >
      <organization>Open Mobile Alliance</organization>
    </author>
    <date year="2022" month="December"/>
  </front>
  <seriesInfo name="Approved Version" value="1.2.1"/>
</reference>
<reference anchor="oma-transport" target="https://www.openmobilealliance.org/release/LightweightM2M/V1_2_1-20221209-A/OMA-TS-LightweightM2M_Transport-V1_2_1-20221209-A.pdf">
  <front>
    <title>Lightweight Machine to Machine Technical Specification: Transport Bindings</title>
    <author >
      <organization>Open Mobile Alliance</organization>
    </author>
    <date year="2022" month="December"/>
  </front>
  <seriesInfo name="Approved Version" value="1.2.1"/>
</reference>
<reference anchor="ocf" target="https://openconnectivity.org/specs/OCF_Security_Specification.pdf">
  <front>
    <title>OCF Security Specification</title>
    <author >
      <organization>Open Connectivity Foundation</organization>
    </author>
    <date year="2022" month="October"/>
  </front>
  <seriesInfo name="Version" value="2.2.6"/>
</reference>
<reference anchor="ieee8021ar" target="https://1.ieee802.org/security/802-1ar/">
  <front>
    <title>IEEE Standard for Local and metropolitan area networks-Secure Device Identity</title>
    <author >
      <organization>IEEE</organization>
    </author>
    <date year="2018"/>
  </front>
</reference>
<reference anchor="threadcommissioning" target="https://www.threadgroup.org/ThreadSpec">
  <front>
    <title>Thread Specification</title>
    <author >
      <organization>Thread Group</organization>
    </author>
    <date year="2024"/>
  </front>
  <seriesInfo name="Version: 1.4.0" value=""/>
</reference>
<reference anchor="fidospec" target="https://fidoalliance.org/specifications/download-iot-specifications/">
  <front>
    <title>FIDO Device Onboard Specification</title>
    <author >
      <organization>Fast Identity Online Alliance</organization>
    </author>
    <date year="2022" month="April"/>
  </front>
  <seriesInfo name="Fido Alliance" value="Version: 1.1"/>
</reference>


    </references>




  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA8292XLcZpYueq+nQHRdWFQkqcFD2e6bpiipS21NW6TbO/qm
AswESbQyE9kAkhLL4Yj9DufqvN5+krPmf60fP0ja233OqYhuU2Qm8A9rHr51
eHj4YBjr7erv9brbNj9WY79vHrS7nn4axmdPnvzw5NmDVbfc1hv486qvL8bD
th8vDsdnY395ODTLfd+ON/DDuN8dtt14uGqu22UzHK7rsRnGB8t6/LFqtxfd
g2F/vmmHoe22480OHvb649mrB7v2xwdVNXbLH6uvbprhK/jHstvs6uWYfjHc
bPrmYnC/6Pox/gaWvO3G9qJtVvDLbUefGvs2PWZsxzW89Kuzpt+0227dXd5U
sPFq13ew2qEZqouuh4W2Y1uvK91XRfuquovqdXdWyda+elCfn/fN9Y/0y/JX
HtT78arrf3xwCB+Ahb49qk6b8aqFdfFRvu2u2tF+1/WXP1bH9Xrsqp+37XXT
D/AkPAv4z4/Vy2HXdfCvvrmE04NN8DGtcD9Pnj399gn/e78de/j0q3a7hp3B
r5pN3a5/rDb4qn9pP7VHF62u5zmsp+7bT/VNbUt63lwtm9H/npb187a+uGjX
LdznypZESyitJyyF/iWrGOSx/9I2TXMET9alvDiq/rXul219eFL3fbted7ai
F/W28DdZlR4T3s77a7j5zlaX/smL+vrrZ0/+GlZ2uqvbbVrcJb1kVW//Zb9t
u+v2qBkeINH2m3qE9yCNfnx18uyHJ9/Ij98+++sz+fG7Z988lR//+uTrJ/rj
s2/1A3/97ul36ce/yo/fP/lGP/v919/pB77/1p77/Q/f/GA//vCt/PjD06fP
7Ed7Avz4Pf5I9PSUvgZcVfeXDTDA1Tjuhh8fP151LZ7746dPjp4+/ebbx3Aq
T//65Nsj+O8P3z/9mr/DbPK2Hc7b7ardXlbH41gvPw1Vt4WnA4k31Qtig+pD
3fb4AeSi5103Ar/Vux38hh6k9I8/T3kA/1fiA/zfHC/Yc46Pqg8N/HnbbMOj
jtfNp6HN/3bn486OquN9X4dHne27TT34388/ZgWM8WP17MnTHw6f/JV+MzR9
2wxIPz/Ktz+glGnwPOGFQK/jVUPfqI5P3lbHQ1tXJ932oumbLRwsnPQJyMD9
2PR0uPCPDZAlSFLgtoFvAen+IX7x5OS0+urpDweLarc7qr759uvDb777ZgEr
X35CKbCo3jWfq/9oahEJTCDfTAkE6ePLUU4iz74Dzvnm+yP+7w+eRIQYws3j
1k7W3X51+Lbe1pfNqvr5vP2vfTt2+6F60Q67dX0z/Bnk8RJE+zB0W//9l0fV
+3oM3365bra1++2dtABreNFWr/oa7mFYdnEpIMC60p//36Owbw6f/HBPCkPC
er0FEtoS2YCC+reu3Y4ZnX1o+ut6gJcRobnLYgLEK30Iv8V/0fuFzP769Q+H
f/32yQIuph6BGhbVz6fHsJDVblcWPZ8/fz763B5eMHXRT4er7vN23dWrx19/
+/XXTzxp/dIevmqrl/Vwg8vdNkuggF2zBPXOPFCgIDo8/t7xGnQV7C8e3fcz
5xa/A7ri3/Hg4Wi+PiK1ej4ebprhan5b5+t9MwITXB2B4fL48+5wCQZOsx0f
73e4u+Hxq3bdDI/DBh7/7eztm8dvh6sPH8/+fv306Onjbj8+braPQeY2Xw6b
7dHVuFkHgQxrwDsGS6lbz+w/bPjZ1/mGq6/wTbgnoLzyfrpds91057DgWg6E
7qtv4BdD8/hNe3k1fm7w/7999vbxvz/9+7O/Pz2Edz17+uzJD4fHj9+/PT48
Oz2Mn/v7Sdc3h5MPH+1WF36HX7lvAa8tr9ptA4ah/XjWLK9QCK4jLfxY4eO/
miOJ97AjECK4pTJhPHt2+PTZDG18dbwD8/AaxJgQxVc/Vk+Pnh095TM8BLG3
BdOsH+ep47/nRM/0xf+Nx2rvqJ6zJTD8f3DIy4t5Ql2yaGivQUzSoQ6wgeHx
+5NXf1cV+fewp/xo4JNJmd5LwNBGT9x7q1dgUK7Sd/yGn8xsWLYJH4NdfofO
CxjE34MdX/flzT49kk/wLmXFj+EXh/Cdx35Lr1++fFmdokdX9yvyaN50eLco
3TfN2He7bt3Cn6u6b+pq24yfu/7T8L//1/8VTbvXKxBgqn0K54CvmYrX8Qoe
ugIpKG4e0MyPfnFn9Pf7nbR89l/7DnypcLLfzPIav/8Sv0Inxc/A101FoV3C
06NvWNBftKsOKah8B/jXwMGD38XwWJUZucDZ3/wZvHr94r2e8vvteYfXdK8D
eVUPo90LfHWNzDvHbE++maG9V7CNgrLDYwDNcHh4WNXnaM0txwcPHpxdtUMF
vv9+A29FR/m6XYGfDNQD7NqDi/WZTFlwqAe4+3pEokLvfdNt1zfVfgCW/nwF
DLNqh+UeKAKMCbR7b/GxyV4BFxR+hpeDyKkegot9oI73URWXVK+HDtbVDPAP
WFd1Dtu9qM73YwWe4h73gc5bNez764bcxJ0o0IEYYhA+gX9dgxdYn4P4uncQ
4AhYv68akKL21EX1GXZHV3RxQ1sdXbABz2NBv6U7hIuBF11362v9tb62Hob9
Zkekw39IIQqQO/BD3d/QOjFQsm7wgwvaD37207b7vG5Wl/C4za7uwWVHYY9/
cWuv6gv0LfC3vDU4VHlYc/SAyGDTrlbr5sGDv+Cl9N1qvyTifPC6fDa4nFoe
X/UNWJgDvrfe3ujqmULG+hO8HtwA+Nh5A99q0teWQFjnDawDbmG/BgoCId+L
8Yo3Dwdx1YPSrB49Kt/Qo0dwhmh60VfgAe12ud4jyepdVI/0G4/gyIZ0sXow
n1tgPKCfetX81x74Kb0BNoh/RIOeRWW6FTi9bVetu+0lOmzLZbMbkZZ4zTPE
pKeCmxYygBUB54APBavFy0H6X6iMJiZCtuOo1QD2w1JufkkPQpGBW2cpwgQB
GvKivdzzIeI2E/0s+4YItRZeAFoBtwTOCAj7XYestQaFsbyqt+2wGfQkq4ZX
gAJu/Ge69eZLjYSzqAa8OMdgSMUN37ruwWtsemva1FV9jRQB0qIZ8PTa4QpI
t4YHtl3f0ocvgO3hyrp1g7SxzXbMG7ZdsbgSLXR0K916xkBGuIK9N9tLFFdA
jjXwLXNK+48GzxAuDL+he7quUcZWF323geUuQfesG09RyH0NeO3k9INnBcuE
W101YElQeAVWjk8H/3mtZgqYUn2Dx7JI6wovHUjS7ogt4ZTO4TB5HRwMu4ZH
dz3fK35wvNmhgQendoU33F022wZ9PHgoC2/4DlwNyssWBSksadd9Bhoc9rCq
mwXJdAtAAMnuajD14BDpL+Ampt8v6bf0YhOpcIA9MWZ/USchrsdMhzXDJLLr
z8CpIlZb3i7FA6oGyfSo+vVXCWr89hvoG7RB4dSadUcBiRoJZk/rw7seNiAT
kewoEjFPF/4C7fRI3QizDqIPRaltWDgQD2DUkJltSvUkdfC+L/bbJcspiWDW
zAz0UdikyEQ4qHW7aeE3QBUoTR1Peg6jF+sLO745MN1xdaD+QWqOPUhwFFtX
sIB6jYbRzTy/USSGvg1nQbYjUgb8H/5q2C+v8qeSGBtBKoH6bUSXfFl4AQFa
4b/2HDAsiCVeuF0yEO9Dek2N4a6ejgJWJPaPfOD09PWL4QCJhH14ZY6DhZdu
CzyO83r5qSGx2RcNiVWHyhXEHssY4UmS0SvYHucG7KDkzocm8SMeuT37NbAS
nO8CToQf2Ngjx9nsA9xmt6QYO5PS7ZaSEOdCCL75gtIDLMwbsz/U2upBXooo
SHYFXMa6FtsAqYrvBv49SzfAKqco/GE1LDNQsJCJ1/LOKOrxZbyFm9Oyf3zw
4FEWMoZffHASG/8t5rH86+UWdrLG28J/nXgnA38hfNz+g41o+oijMvzFx+ay
ZZuQ//1ClQ9KAdD4q5bokcwlIA4nUN2tLeZ25xgTmaEXJTXIoanNJ2ajKs2a
s11bfDHJpt1Vt22U+zc18mhm9RGr37kIr0RKpgeTNWndFcUai/YneANoDeH9
ypLOGxIBwIvgZNFewCAa0ZvAzdj7aeksoFAd3Lle93kxFNMr2yEpc+UOFFTN
4XBVI9F+apiZapCVA1EgJS/hLwXBcoT5MRTn97lJtqHhhC4oZjpWlhNSQrFV
skmdTHL3HvdAfpLyjH9abq7LY/c71KzuqadiZqEvVpGj5U05JBA0WPiQtuJI
CleQiEKCYKFBduZg0hjIretNdgN/w4GBHzhUKojF0ERGB1asMJKwRIpGRxGJ
FJh/YKN01ldks7UJrhdLQbEa/4j7ZcfL3tIFiInuM+n+viQZMUWM7H+W+WYs
ZMQzg2f/E5oIcED/ZG6akzO3MokIszt8NvzUT7Pe2gxVPcD//cUiPHx8H+z4
fv2LHexv+MG/VM81Om0RZCdjsz/++qsEu8GQWjUX7bYZghmttov6LmCIASUt
idD2W8+jiXPZWULjabVSfQOXAnyKD0wLwNcau+Km2BMcSKjgn7qVOFT6dvJZ
O9QPpMnICLbtIZU7w83LVmdp4zXDqvBfDdo4mLIiewDWtF7I5tRH4b2X9rmo
wFFFTiZ6f7let0AYy+oEww6gZS6A5A7/1oDygr8+fHny4m8HJLKaL0i3l8Ks
7Sh2c/JqGnGa7YP7QUxaZaPMBQIH7qpbGcO+349gnFfv3z9fAN3aj6dory/5
ZziAdx3+iFYLWeqHQNktCU/4rTxR4hBkyF81613wNtk7ChuCu6DQOIg6MviI
7kHKIMNdRhl61Xf7yyvnLSjpmL+wsP2o2Y6Smy4NnJwFhntGCpXAW9h1bmmv
eJgdn4BXi6/2PX4IZd0i545rSf08PXqKC1D/atmgLKS9Hp7XaPN4rkA6afrG
c+2y3sYTEtNY7w8IYY+yFTijPwQzZh9fcgSmz5IfaEeKZjuZ6/65K5OeRA58
S44HEvfpdQwTvWOmH0ontwfgVJRIIDt3tAPWWMiLKPA7tRSrNQZKezz8y6a7
BHPuSphuhcZWC7dDfLJbdzfIWsPk0OVBaJNuYCPFsxWH5dDznokFtmbRNQIx
eynGunpvQAEDakraGexzOVZ9vWo7+P/ie2ZndlQdjxKlW+mfReQsMqsEOeVy
S24TeccDxo1WPUVj4Mvwsqa9luiTOYNOWW+bRmWiJxZ3p7zJ4H4fBRmOy4gx
r6HBUA4eOoUk0Mzvo8f1z+iXJK9vCPqGBe7mHK/0wq486eJVh64gcrjdr3oa
72SLP4k5BlutRyZ4frrFxdk+YycENehVuzNJgE+S+Dg86Cia8cRZeFQVR2Vg
9+mzRLIsiMG9Ji73Mr1eSkjViZO0gWOnFeBZfIPNFs8Id5D+ekhWQXYnD7wu
pQO7Uj/frBFgZIyrNz3qviX6QFX1qHr0CO2Q4dEjjtDDL/z1PvoRL5jcK9iC
Ol/sd8FuKdCqFoMGcE1Bkr2VtC/fxBYMMdVayKfi9Cv5w28zFR0Us3mmqAU4
ahFY5/WYYq4W21tMYpNGfHQxuE4z5AfWgqtm3VJc0EUHjHry2KUwXaZbjvRA
n4OVKPaLDznC2cIyl0ABjdC5+iJm15SUPb5y2+1FQLe95B9YYrrDwEhlcmWC
GeVjv+fqd2GIR1ccaN6tU8yvbhjLD0wGGQlG9pxQHoh4TwKdPI4k0vWMc3YL
AfTELxy1mbDMhfMGKYoM1JR/KRMUi1xy8vU7piYzb4syHHeBJjXHd/FjzBs9
5xHIU+McTzoZ2AcH01luVN1OimFiDGoH7NrY8X9sdpEHU0LDm7/5uyyRUV+C
iAQqb/ndHe4NZS7+RAwYeKrrmZWHEXcBH2ObH7XhNSxUAstwj9ctBm31pkR6
fGAnBeQHGnBOz06tEnbdPUVTZKpGZwwNwnq42WCOGH5Ea25Xt33QeN5qwaOH
Je/wZjRthoYEV4GRWybfEpEBfKAPlYDiJ9Uby67nR5GI2u1BMizNp9dAFSys
XtVj7SxFuQ60SmOk8RyTTqAVSSCMGnqT9SCNwuns6uWn+pJMjA7OGwTeFmtF
V6wB/8dHqhzFD//88TXZxrcbgdHCIbbyp6XBJdLQ9r2geSWsAezwX/um+p9H
3z754fprMyi9cXiWGXlkE2MkSVQERvyUudWzNnYxn6jFo8L16p5nXCRx5cnB
miMGjErdgM+wIVsEjEAgZV6nHvpnWOhjTgRMCUcEoNJDUbS5pJcnGzCRdlc3
A9WvJMMV+U2oI0q3F3naJbyLnR3n62BQaiBjPqMICoJIONwdSqLdRfXzz69f
kE+SU/CCg8W4Ff9d4XONYJVVT8yCcJ5nUW1gYWsWnPhWINeLOd8PXp3cv9x9
xDxmc9mxMnLHgKYupj7yews+HsWa1ZcAq/uwuwA+QapLKnnCpt05Rc1JeKKl
RTLhzcsXuM7tftOgLBKvL2NjNs/QmpJ3g6zck9vY5RY97Zq+hP5dfVT9ggbk
HfwMe04Je31ncM2DT4ci5Q6vDhQCpnK2idDR/teInfO79VjJvoo3hPTDjJXo
c2zXa34UbF3oKjnc4u+BhEMeznhlUdlLkZzaYQ9/wkz+Hj2k5R522Wzaccy5
X5WPBsPOYWfNhWakLCXAH0bV9NIphA2a/hR4Nmkn6p5Zhi0YOf9qtacbToli
2GQosXBcH23Rs6sQRycKPm+C/hOZK58y+3JeH7Ii07XJNjGiE+MfsuiQgkYd
Qg4LWDuN1HUkVRdE86YGQTPRc17ke/66buson969OqnG+pJ1IDLjrfrvKLcb
aIvoXjnarUphj8wZLqo4VC6j4wwi/XaTAtSk6JQATtwbaRnYgzCUJaxVvLDI
O5sYEuxjgi16BVs+OSZGAyHRrpQB8S7cC9tEvyNRym03cKTem8V5kcwpbHNL
MJSy6nQjlBusV9f4/oGFSXIkWKTEh5yTEzM45sdwF6pV84eHyAFBi8MOlIVA
VtQ9sHNRw+TCJakpVbdqTBJBkIuQYknqWYNx1wS15Bhc5XmSKdGDnCFG4cl0
/xSjvw+J2mZIApTV+e0sQvevQnmeGPFZuMECv1JWPQv0UCznDI10MvgXs+Fl
o/TwRAl01KkcA/MWJoLwwhvOWzYaYkN91N/sRg3TwYlcdj0w4mbIffQU+I21
HJPQqq/roMAZxvxB+jTu8I1SJZ/5x5QOlU7scEf6t5aChrozdwwUxFiugc5d
QpxFbm4sijyf+EZH1XOlcB+HnbxnEnBFhhmqelKeJLF5tojY4Z9PF1SaLvBq
hXkzKBp2gPOgMMsPNOTF4U73b9eqrOpsQ28yBjsR4+2illF5pYvlixzuiPcX
bBg47/EzRrMzi24iDnDHoZqWubjGoNpQYP880jRxgl21aObP5vaa0QbITDO5
J6YluelFgw7OesX1HJgdhJsgba3ndFT9vGOJierjYr+eLD0nrRUsA6PJQ0N1
DywDOe3twiXsJ0nUT6JolrVz7io5IhzemYvfTiIzITUJ7E5xitxq1jBksA9S
Mo/jUtPIE0eM621afJZ9SNVUIRh+ugcXAmzI7ZiFdNpBZaRxRAwti06UHMUk
mmUa/p45WvO0my+wAwrcgUVwbIW2Ra927rx2HZoUXDdE+ohS8+6CNDO4ZalM
sSWwHVC6i4hBPxwD9iGToIeoqZJgJaubF9MaaJ/n2Q16t2aIUQq3WpeehWPR
yiuGGV3BTdj4VbfGpHa4JmFDiRFTyYPFoYNR3GfRS+5B7DX2oVHz2WTLxZ5r
2cJDLKukpcGpjq1vooVf8jgkCRTucRI45eJ5lGlylRntm2fiTbo1FjnmpZlc
hIXE+5e/WJ+upzytFagevvjw4YBLN2IL3D2+Vv3662q3++23Be8Ra863qEym
fXsLIxNfHERlTMrnetw+hJpyExiYw8IvzExQkTkXoZC7F8r+7i4OSPfa9epm
an2MhLj1XUoWGqeDW3FFeYXkKaznPzuh9LAg/1K1f+4beiOCjWE3sqPIEooF
pMJoeiZySjvq+GRupdynO26qTNFckMTuRwsvkwWA9pYE1eH0qK03Fai6zJpU
PnKYlD62ke7fSVTUDhiPwswYoKnEZ1YSUK2pdYmSu8lgQcvK7U4vEtb/mQpi
4D6Hxj0NCUUyy/4ugEPwrZot1bw4xzMm+Sn2JSlEh5/jpGopRxVkB+XDzhtw
IQYNNZyHbmlKOyTjSmTEOSYRSQKg/D/HOGNm4MWneILUJD4XQuBDbvhaqCtn
eh/RjAuPPefYp6Q2nMMkVQxbfocPRSQO9x5TnS9/2e1u1DRVgvjf/+v/zhfg
3CtLcboLJKphn04rCM5bJnNO8YSneWPH1eMpVX346eX/9NYinQvFF4k/r7DS
QRQQCK6+GeU0tnxbmJ7iCpR3r04W3PUUrlHjc0H3UJqETrGwezTv1MbKdoIL
zIxqpiQJAlz0qGub3RWwJyYEvMuwgIftt2bC3EZXnI1Fw0LZweVpgYEx+ErB
v2TKB2mnBr1esZS1TIPO0QQKz8hyJSY+hJ2QBLJq8vP/RFWexeeVPVOXi1jO
oqaSQghvofPMb01OriBo8ZETLcBy5o+XA4Qy6Uku8g6Jde+7SVJ3G9wVE9H4
ixnuHPBiWbMssX1P4qo+OhKv3Cdly4JTN//CJevjxh0PW9ZbdRnqjcBeUlKg
4ZArsLOCygH+3q8xxpb8fFtCqjuHNUjYl+QtxjnzGox6OWrUHq2KkBVWE6FO
5pz1dlFRzVz2P8s+R53x+zjmTvulztYkjRKpqMPpvPux392s5/Luy1u3Ll1H
0oSlTSyFgBl8XvTmfreqfSF45iN6zakNXO4sk8m/a1LaRnmuoMuPZop4iG7I
9j/vu3pFrYl0ehSmc0UoHXULrIs1PCVDmRS+udAkjMjqwGw2eKvkQmbaI48z
hCOReN+Sy908o9JV9BINBRqGn9YuvzyMza5QkxBcotvLB4KDPKkgyE2nUnJG
0i4h20DWzwZ7XG7P0M/lOKksoFypMCcPUWdeNnRyvPTU2ZNywKHM4L6ZGnea
t2fUJ3WfvaU8Zm2sQmtDtLcm7oyXHhqPphgLEHYoPJAwhfc3vMP0S1slP06r
oqzuQDVTdHjO9+165HQvw2totzB2p1AtQjLujrervmspQN++PyUzLTkZqf7b
u17U+dhO3C9PMkRZZCLC9Q10XeT8VLPOT8kXTA6WOCnY47ADBwNPsxR4Zaeo
ZH1Q3HmgJ2G+nAxyNgKS0+eay/S8SVu66qyis/Q7871IAUIdg79ySfveycou
C+wqVrC0jKIC8j68ia6/KSX/5ql8SNlwTvPBRq+bm8aFTQvUP2cfmRlSqC2x
Kn08Dewmq8VGdASVZxPagQhDzi5LcGvJtdkPrx+/DwmY0Fqmx47Pk6g3PW/2
aKRHMJdVs5VRkmcWfiKX4CaVhXPXqjb/YmKBQpQkCFAxAe2tJGgfV8TuJTpk
R6UcqwiXQvGjc7QzlSeKQWsjZU0uCeOdWF9+4dONv8PPweimEi4GT71XmqSC
88CbDf5ymASpLOgxEyIi9yxLaZYaSVMMDdVSc34Tu5enVs/9nPZZWjqqnodN
C/Vz16j32bHCJjnmSFFMEmqHS4OT887Jrb7bn5lxtFMLDbr0h9GlZzIViY/3
4hoxoo1t4fnZdxacaR/oHphsm5Ijbv689RWRvxgyt+l84PuUoLopMLeliJIH
X4uY02wB3iw8adus5Wg4zbQqufog4/ZWbzXMJV5k6ZNDY2f6irs5uWHFXo0G
hPL0H3b0E2dNPaxbvA/SHvZPMgTjYWtFi645YUxkNSqx23S8YUs5ry4SpZ0K
XAkNBbzW5rJe3rhS+1USlIOUDzWm8tMh21FZanMMG3Kh8uMPWTiHSUElBh5r
bh5QMaFV4DMoAIE3UFCgD7X4zZdd28dEFokm5Pc9aNz+kvIh4RqxEMUq6KgE
mtsACj7cvO92u59mOf/IHOixDEd/XpLPpXJTv6ZKzDmtlV1hlgoP/HN7FC4U
pjE7jVq641jVn5p3nLvtGJO7Z1mkwCIAhZgZsYzmDLerW7nHQUYkzq0rAu1y
bdoLF4nAembxSzNXl1VN5F/jpxH7vET/lJmKn8mlBNHSIkA6IkGOozecRMcj
HmMrHiWPzE2IJuNcTkhv2eUHeS0UtBsK+oYVKx6x6RI5+tGClKIF7CS0oEzy
X7wT1T7mGn0Y5pOx2MYwOEQpAnC4j4xdBKvd1xggZsfC1aMkp01UweDgCrTD
XJmIQ1ILSc611yguhbKsIOJhzgAmjHPbhYL0aGg33OhUkEz5RRxwXjWFBCle
o0i4CTDx4cvTs4MHD+73uerXXwU52rVd16ESpUkPMgmUcsYgjsEd247e0RLR
6RC0/AOH3NZPf2s7o2tEGD45Pohf5DDZtoKVC5zAEf1MVPi3s7MPvB1EqYbt
0LbTft9Q61zCLz57c3qAVMjVj+0Gm+QNU1NZ3gFkTAuB9LwwpIvLkOABEQG9
XFTcSXdsK/vm+99+i4zITQWcXKSn8HnGilCNN5IP+/pDBLMS6ZlOhQtx9hcX
SMFT4Aj1PmB/cAj2LGolPIsPaofcsBTC5EWqQRvKXVUb6Jo5Qx9EPLptFF8A
67LlaLaLEoTYBWbPDVOhutpjYRpTFks5Z3/CbVxSQESyEOQG4zYow3VyHEu2
uHEr4urgNsSj5w1mDfGde6hsflLeZuKNznbyGLNzGEXE68FkziyImg9LZWXW
qzMguvJGqgVEq3DmPEsWBlWbwge3BCfL2CelCKeuRvbpd+By5gQMihCiT48/
FrqK8rJ7DCLOHp5zi4S9Ev3ONKovPMnSIIgxF3Kq3UQkxxbqelaW5aIs0hic
pjXxSgeedwwt5INFNt6h8YDrwJLIjvdJ4d0zh2dHPLqSFdJH7pS0IqpmZCo6
0zyOhxe7YYATELMoAI5ZADw8A8GN0RukX0l/pbgxkegKGZ/wkCgaud2TDJBi
x2GOm/Ek4hFLioifIN9PuV0q15JG924rVbyOwH0fOrUd626O0/Ipop1uB+ky
Y0i3OFFKxfRd7KPF7/ehnZO1Jos5ZSdHaVb/wYeQ58aw3tgyztNzWlgFvlI5
xc7rUSoQB6MI3wZxKlzxUbji4cnpx4OFsJC5OvDLhWMY/fVFS8wy2YmdTkTN
ghOaby9Pnbdt+BLX8+aYTXjjQwC8kSU5UyZahl5/iQx0SvDnj68XGcLjYEIq
k07lLJR5DoHuC7kTFsWttIt74Dt3r/gnt7wylKnamqvUllbyA0IeiiL2EulO
VGhGrCfHh3Pi3X3oYDHRReVTMx86Ck/Y52PSZ0VdR88io+95DS62WLLfPf0r
mn599aK9RJLV334Hv80VybHrGipk5TCinPCpAolwPw9ZHv5uvPXVjAUyOqr+
1n1urrXhgv6Y2ZVkU1+YVJziFeLdGAOH/sZI0yWZOCtHvbT93QmX499ny0oA
MwA9uLgWFVq6m+LwDHY7rlIAEGnoCtFMr+pPrrzAOwYM9Jmeq/0f1s2OmpcL
791S/ZkQ7U1kMGFlwrLAvfvw0+t5Oyd2ZFr6KCiv47XMyLhulARlHVTD662F
FDt2/CQWYtHsIvMyvTfkucROnLEhBTuglvb87Yrmc2kTCfVMo2Q9b7fOIi3I
wuosmOfpcsJOeyQvwqjM/AhVwWoeygWqll6Ua6qDwyj3e37jyD7nE8ehQWHi
Pjf6quSC3KH72ZJqR9/rERv9dEVE/nT9a9Hnjb2wfBB0AqIA2WMiPzvec2aC
WmvDOWFoYAaMbaE5QdBq2Se2Iak3qERJi5Je1ok5iINjKA3/sRm6fW9I/hhS
qx6C9DvAy5L6qKnFNEm2PS/oNVZqwgzw/YUoNkW5syh4RIjVVDSeFgbochpw
kaXpjdIUpOOgNXEp1tI4FfOWsMXUE+JmTDqfysKd8FzcuVrI24y/rAbgwps9
a5qUFezYWaucWkB9sjdLWqZi1P8Om/29p7+ZSEPwRHuUXI3CWZXMW7J/B6kh
KFu3iDzdKyjUPcxcDqKwtyh2rotulYx0LZlNduYkH5FAkQplnUq9KSmxbT4n
NZU7nn2DRS3taLEMTIEEM/RPyCzMm9AlYDI+nKHswpSlscWS8Xj24nHldbq3
eciaGJw5dZJXjjxK1IMKTmMZ2xsua5AOuihNE2oa1gBphJCQr1hkg1vebn1E
Dl7lhXmMLlEUMUA8OpptR60NVQB8Irt7OWgsZTBJsx+oHxZVDdWd+N+Ny0Ll
iLthj0nieouEkQhZEOVDBNdhlsGFAr9QToSbkCh3Xgu7H+ozVvHLgZlEvJmd
QHuk1rBXe1ACZH2JGAvtTqWucE+HYP9p2dGaeg8ennx8g8jdFPPnzCiZRYxL
z8UDdFgI3EZBX7KCybfAWYy//XbEgKelWUTVw/dvQfLeMQkpugEP33x+++zt
wQOOxxafesfz5AnZc3/9tdvUIdLvOmkuMIMi2tPKVaYtUfRguZSFMfx4NV/c
m/jVBb2I2XxjGj+XyUPyXVrXl3xVW6vU42GXAlEQsiHOXRS90w5+O7w8foGF
wwjbvfF5xFuLQh0lmruRY8FFdZ5khauAcF59il/6Ljo+FxduDOdSbEom10pn
nHjpojmDwZcgxyEYDBdeSzF3fjjYQMDCtdAF4gkhhtIKkVmRiPkLJkF0y78V
+mQi6jaVCH/2VVJkszOmhxfafGaTN6OCyQvW8wtO2cBYwqE2ywzB9wT2riW4
s0QuhlDWUDVpSVHxx88cbHVDY9xipWMUz6BExZbaBBIleZtOvzbPX2M9fEoH
T1G2JUaTlla2TTDchqqfGHJm+EvE756H2phe36JMOGy8Ms59gvDWFd8z+xlK
f6LnyGMUaIfavShOlhU3hYppYBWQ839arw2d4qOft+dZ9P55TiwWzpf4ssqq
HCiQITi3DsacCSmXYZ6mMSo9T7w0MIvz1xq8sPxpJQN8h5ICSqMLMShHBTpa
zsYh4LjrUrKib6QGa8iBd7qko4RSsOxv1SBDWZE781S5YYJPPm8G4bkTxeB0
8aRlUELIu9ZBZBb7jGj/+X4dsmamww5li/CFsOVkU8opLbRkTSEyUXqKm644
K8nyTOIYXv0ROAXrilKtL5eM8wtP4l4+ipSSU3zRHKrcgs3pH1UhF/YX00/g
/w40BGa2WGxy19o6rbihGpXh6VnpOhg2X2mIu80kFpmflHqycm2V29TsTkIq
DUlvKLxdwpqp2aBzelUW7mKevRshom90yZRCLmWekLb3piRZvZ5UYCB1PF2l
KLpPn0FlNknzDIWkyItp9oEwlU6x0niJcwnjn5CHi+YZMZusxs/SkgtvJWnk
jj7L48DlzhyFpB/8dfzu0Lh39tg4owY2nL86mq5I4au8DYYcx0QTJhZvC5vx
R22okAZ48GIEhTqFkyb9PC42k4oAlNp9Ubc/lYXFufQFbsLP1LbQHhsDSEE8
70ljESLL5S/6E8Ma+OGJ4WVLKhi4bCgL2z+0MiIRFkhVykH0m4PyUQ3iKL5r
N0jGvvQ/C3kghb88/gCGyvGHw3fv3z/Hmi504pkBjuOnE0QGfPzA+T4mDLU3
glJL+/XYIgpmGXfrqNJ3WtVSKA/b0sIkHWANLZQuILcezPGs2tVPQfNcyugQ
HREqlTahie8CoNn6JtjbQNf41ZtmnBDpFAQrJYZc66DPPkQkTH83D/H8rWC8
gB/1EKs0kf3xZNzEpgMrpxV5HrxBlU+u7ij0gSVL1zVr4cO4D8tFrZvtddt3
WzZ4+9TQJegYC3E86UEsmLHPgfM8BZAPQoJA2BLwpPsVQzmYbR2iQT4cbVQj
bxg8BI+p1+OsBfTYTwnihR4vl92eIZQfHh8fH+ThfKLKZz88+YZRYMqpmdCl
cI6zyPZOUNQ493nXt/XYmHC5xdd1tdFyK4WuBm+dnN9IikzM7jIgwtQusZ5J
rSHEt+OZCvFpuCIV/lsSKZIvmWt1cL677WVXOCjB9HLoi3FgB49ioW7126DT
VBd4lF327qU5COxMAqjodFRKcvGzmZSF/rTSWJI5ACt3S9xQ4orWuYLN1637
qk2KUU67mquHfkAEsrg7wq5nJqew9WRUg0UQXEzB5aeJDDH6Iol/b76gicjY
jV7uMTFbGM2JvXyAzwp1jfHknwcCoU5Q6B3P6pl0apW3X+dHawW3tBTiMmuG
0DgFNkfnh/aSkL/cIzdmHlmqqkr1/cVaHheFS6mAkjjOcFquDBYIRRauxtNP
GBMfnaS5AQtp7SZPLEsZwNoJPUdfuy2v9vau+Nv7uEP7Njzdy4E4V8y0qZ8V
N6PNJqCI0cBUZeeA39MAPNFm+td+mKRxi/Dwfre8LtafeklcL6bDyyrQOFn8
CveI6oOSzspQIjYHp1HyvS4RDmpbUrBsbP9uJGt998S6n7Q50+xrXxfg6R2H
lDdfduz6rtf+28hgdToLxzQPt113/i8N+Ef4w1Hd7+oDZW9l7cm8aJ81F5CD
Xbfbr7UE4AOYTa9B/VX/dvr+nRrT0guYJAcoZNfo6UD5pUSLoumlrA9++e3x
CVZ6MYrkW08amOMRywjRgvP5LY+mvtUZi38lAD9LWzuAtZDWxdnIODyIGMwc
qdDJbZNz0/mQSnLOmpnElEGBrRBY2k2ETZCTn5v1+pAr8K2Or3STsSch2qwG
97u1CYQvDdEptDeP2IltMP7UIh4Qgt2mo1GUDaqLyLMBDDd/Zhp1gsKzYY53
i9dE46TVmm16EWjW4ogXezo2O9cfPW8NkR+NV8FTvsTKotU8bI4ujxZ34ZiR
PSR0GjUe2gaX2w41sz7YesPZ8zrAWQKYEhxdBbR9hrxZMqgW6WScYcQQeOgW
I7//UrdMaQ7BGQib4D0vbNvYtEj6Tq2ulbPK8AOhZ8/wetSdPkmNifaeZMY6
Gze3V5H+RdouFNuXvxTBxbjSXIBqixbfUfXBvKh2mNiDfs2F3ujOrnUy9pnV
YAqD4Te/Ofxc36QqRakoUTeupbJIkMIcaGUrwoNzvq0p1HAqiLuIRvrw+O3p
TwcGypHs1jtszxmrXS3RN/CmNU1OTyOKCA4JTZd0V/6FsSDDq0JnmR5OBjW6
l/cNI8VRJqXcQzudCKlAP39qGMgEegYoMAeTS6ykoj2KygMrbi3T36T2ECi7
dM94zYvCPYslYd5JpE3neS2KaJwp4bVqMhdHcgD3JMHS2v4YDUaPqOTCkdHg
ve0dDsocRoqpOo+b285SpzCaFqECkWyNFwcJYjgSi04vjqQ9F1TIaoYS4yhO
8jGfu1/Au+PXB/MNr9R/PvjdhR7rhz/946DyQ6lwKEHjOozKDjAlqw7T8Wkt
0spNK6SYSmzzM44uc+bFfp3HG7xq3emQ76NUFXPiKw9eIQyklLq8P3l14Opc
bv0c5g+XFy4WyeSjo9d0srjPxZ9nkGXSQrpHkwg1k+D44BPr/XrkY+Weiazv
iw1OhlfiT9UYONQ58ViJolOwGobYxWXBst2HqLwWHQAeOynaWtkpFlGswaIc
WySAGJuTYIOowB6ElkOJjd1Kxn3Rn0kwaykh/36yqohibvELvnGqQWLX/X3a
3VmHIej3z8+o9WPdXRL0gZidhMLA2aNUPmBW1qTCVPiZo1ip6sE1ymdTbhdT
cIlQWqO925rvn8QjnIvEwgg2UoBNDiGuRQQqvsK07yWs5zPBBs/g5iSfNBv7
jEUEQC9iChLePmHyuds509t5K+2mD9+fvR0OKgeLTg3JBTmL25mDppkBalGL
TKx8T+1nVIGipYn/htT3C5lCD/fbKEyicQ+k8RHeBmz44fW76uGLszenhx9O
f7IGh57+uE5lhiv6YLPlAIFDyBGLKvh0rjqy2D4rcpsMdp8S4XFmaUispULI
wE0sax2miVdXkyLf0qSn2+osOB2cwOBEd7xNxHHKkY+B9C/rgZPU2lL84Al+
ELemZvS6vWiWN8u1pzohuD8eHEzMn8bF7jfnoKTWtZlQXJnm6pMm4lh5UcSy
yFeqmUBdcxMEcSaEt6uqNPe1JGZdO1Cc1ZMmo1hr4aRoKQsbFkDIh2JNRyn7
XpSZ0hsx2Cl0PLsmjeDrttH+gwWlyua2R/wqoN0UtPGAFmIvcImu1nfMy5Vb
MWhNijdfSPDN4EWEavlSLyvQqBjpUUWqwT07lDbDZmXkW2mX4MDIyvXmMaGk
YjWrfKlcXL/tyRsbNHcisHZxqgOJcUkpUa7AcCHdQ20MCh67mmvpzxqcCnMr
vO6ZwXFNe7aHX3RLupGs3M4qL5z+FglOqp9PfKrweayHaQE7Rwk/5GOzpRBI
w/ZhZkMY3jupBkzvDg2MJU28yJtzM6ZUnJZFPHYNFYNYJ9fHRjt7uzGOFQ+w
xmpxSSZzLnavmMsuUm+yjXN7iCyVvSgZkkF4zN7LUeXfOoG3aYYgzCxBLKJ2
q1Hc0aHZzGqY+yoY1i9/IuiuO/TbgCZkKIzmDiykicPPaNla5zodz1QgeBu0
WR7IpINw88ab+Vl/ajgWxfvvm8CxmJiTlNhPVsLUhGTsWdFmg8wWvucMXYV9
FUvoj0/QdZLch+oD0Eq6ii60sKW4NRxYQPwrXF7oP7JBe+dNcP9kZtycVUmG
PHfLYU/WjrG3am/OOifNEC0pd+LCDhRN7JbA5gM36Sjs25qlu3hC65sEgGj1
Goycei9ytTZC7zXJHEYTCjoFjgVvmJvox/wGfC458UU24xeFl1Tq0XDBzg+T
NkISqFZtfitr8hmbl4yAu+WMuTB3yS0zz7393UZ8OTq+oUlylweETeha7ebU
BBBMxhTJczZhycaeqKwS6LkvgtE+JMYeHH53mhAt+lsAkMsi1IRoCUz4Hvbi
pEuM4nbyylnheodoJaC1sWGovSlcQ8ogm+3euMG6FNChOmfse8cme6WfE7mJ
N8gJD49P3oj/zBMeUWB125tNt4dd5c6s3CVByygelM3uTUafGnsmi5iijDU+
U+rmHPQ0jZ12k6XW6wCX556FJVFrbzsN3gstFoNm0adSsjLNiBDcLrJQvA+C
ksICY8nHsjb2srZLEgmTYEJQNdce0kA3gkWTrj7xs9OjFxaxCFjJs/RHYZCD
rNlKpa03Wm8LRGM7rVQJzANqw3sm1Ua4TpfXjBSDceWMiChvFaamWPTSIzg4
LZSN5nRJL9Jjk1CHvsQ+NwGzKIKLsQKO7FoqIXC6uTVA2LoYdrMYUiRXOrc5
O6AdQiHceZS9RghedeDjSGBmxmR6BRHwdPRlKU7grxc+uGOIwGtg2cvbvC3z
a0mX9s0lcMVainms/jFTBhgxbhsXcBwLfWneo/CeZXNdZ/B+Ud64oMl+aMo6
y6F/Vh7exgoI1fj+k3U1RU6xPIF8YdFtM87dUUrXDdk0S0LSpUpgy0qH+/Nh
J4vqf1a0WH9CQh+nhfB5Rn23kEDd+8p2XzZIsQ4sbn176opWg6dbJg22EFgn
lBoSuSJQgYqtaFRRIcAisaHn00zOvF39pxTb58w2BSfONBRJ06mQL2EN+JvN
0joufnjHbTsvB77qwNULMsaynhOI4cmoePQ8xsGncFLuRko9GRFwsx8ZR2OS
KxfDu3AYxkYv3p+dHthACsrjlXGPRkRJ4gAvaCiK2gQcIZTdbhhDjoOj4/Y8
+vjNrrFeePEgkoqc09Lz2c8MazINjEqhC2rLz+aGkGhdYhUU5U2y6M+Q59v/
RPEVSCdhJ3u/Aq+Xvl0MbBWycA50GJMIV/X6QtmEzZIH3D0Sm0A/cqm/tLhi
kv51KJcfqofPP57+9PrgwYM/+EUuuP/+hx++DdgBM00ebjhwcD+sMsSAqb2K
/spVwXGYbGqLuHLGALX1669t0zTwr6d1DyvMuofjPKT4QAuOUDPrtkk1pgJ4
gMsMCSZtV4C/KfrGcYIsfnt8eiykYecR+vNJRgWs24ivUH0gWbvgumLzCjSm
tw6xf0JEMnPX+IeBhQI+cK2HqpHE3urmrL2546YrHX0Kj/sCO/o3vKwP+LPs
67KrLXNrQr+NN6w1JvgZ3lDi6ABt5ambUHoNZlsVJItJiUvcOFtF6hZcn4Pr
N6G2Ipohd1tXhyzNoLpQZM/BtjnRx9fhTjKN81UJHpQBRSXPtYixpZ5lIwDe
TLtNrnPoe9yuYjqHql01vIPUFpIsUthy3YELYT0G8i/GlXcwEbJ7AV4Smva4
8ebX5tej5lhEQJT3hKNV65lOgykw3H+IDBJuvpyGUUWYBTH5bepvc4EpE8C/
Dw1gEsFIhRRA0oI8RmaEHjcxShmfKQw65SUraVvFTtFbypIDroMqDfUkqfzf
3dGRTwN0Xdq3GmA1OKprhkPW2hqzxs4bDgLQNWO1f7M5b3qpI8mve1vRPheZ
nvHTBTVhoNnWrD9ODty3QpkY0m7qXk88iXjHDooLbaj02Ou6blcpRZzIPtBy
HIUaCDoNtxS8Ax3LKC37cuhptKGLIknDdVZvYHJX0lVVTjG3DIYkQuagOHLO
dmjmBovSWLqbaYqLzLSswzq6kyDDuccCZZUs0aNfu6mkejjp9rPJJQjU3+JW
Odpu9faZuz4ncGzgmhyRCkd2DzS86LC/cyafwpe7m2ytS0lSOzas1TBD7WZ5
lqqkatZ1f8mHAc/hkA0NK5sOFGNVgXy6o4gmpuBvydXbXVp5+ToFLmfQp7Md
W5LNyaKcksOsPLka9gvBaUQ4QPXtKH8kgVr1ju8Sz4tp0xBLY5tszvw+N0jC
a8g3srfXvDdxslyVZgmpOhS5xAvWyRHc9yV3LW4RkgQNRIWba+reICDkBoTp
iNoct5E0oNYuhupH4yUwXbGObiI/de1ov82JeM1eG/OMY7PZcWygw3/VhMxH
KBU8eDVYBE5WY1jhIuWd1KnbjlIGIimW2kl8x6HYj2QtTZx3wldiovRG2LdU
d5XAL5jG5raZ9NSUkLy88EQdpYa5CVFqHFWvE3UDGXySFj4eiTlOywnanrHn
zi1mkE53soJz2bvaV8D9VAvEfw10+n+UhnewRvia4Fm9BgZ5/WKSpXF5mWK2
PlRHT4x+n58VfGA50EEtWIko/F7Py5x3sozVlbMho3zYLK+nwOeUsFL1lD/E
G/m0iODaksmcMQffE9lNKEjJ4Avm+aBd+QoHlwa2oHVDFXOcHULe0yETWd6u
dWbuwJXi2z2ymMrGdGgc6iNiqar3Xo5jNeTCWwwcKZ2S7yCYA41Md1U/T8O3
3u1cSP0B+5TkTS4kwRXLUzOEwBkLDfGkxFG1T9AFiUkks7GoMj2fSe2YQeAN
FKCgdm9h/zw4cXrFVpfQ9rPJkRB00EsdNN2upmAzQbaZJD092QmNECUMeUDM
Cto0tsCxZ5zNkHlyZlV5F4qRO4h+SdOb3gdjeuf1fqzGsu8z07ikrBCHC7Wi
tLgvFltqWEgl2iLrjLMCRJuBy6ip4eLMwWQy+XjvDDo7WJZD9wPBI4B9FJby
+KlR8ZDl6MFEkLrZMSHXPRcmlQkNXHNd2yDqwgAmDcBx/ESclmZO0HqaJEf/
j8W8kpwgYVqa/FyUzH5mW/MF4zFmYCGcNtoMK6d+p1qpDCBOtxjCb0Ywfdiz
m2hzvwvN7zH3gSL8KYVsJud8q5+JzZ0+OR+bh0sBEsLCjWDC/HcO5LEIAy3/
Sb1jc5od1GYej/ExxSKmAVy7prg4hP8l1mbIhy2IKRydpK6W/fs35R0EB9mc
MrFBXNROKILMGbklG0LgNA0eqWsINu/Pj30aGrbLdMV9HudTXkpo4/rVEJzz
CDNI9AWzI2Cn5yWN7C2BXB4mgb2kqsQUidrUxH7BS9MntAzShZr8HHRLltJT
8K2w98xyDosP28LF1txUFkUcdXxuGR8ktdpPkoR+ZElMErG1TTYVG+4hjVkw
jef9/YEGen7OwLlfX0TwwwKXjRk9FV1RB2zvvc9yLKEtyxVfg5aVacQgYcyO
35UQR+GMpn+I19fw2mW7c7GjzMP7BXcnERkbH+HH0Hh8Jg+/4EhIpMMk3mbx
Wi4+0gkNSYflqSasv+zBUNaiJVPUVJVlI3fFOKsNs9bZpiRBUKDi8/ZZ/cmf
jDPHeqjYXVwEz6dM5XFpmEI5U1ZqH6RIQj20MthL/ci5pMlMvN0PzJrA4+kZ
eAsw4f/fGWh5+GZqEwmdkS6Z5AmsxZZZzARlIpm5sOjEvVC70ozsjAG0bowx
X5hazrWmMxMMglaSWaouhG/oxNwNK+bvfzR9V52hNIqNEw9P/+Psw8GDB/f6
mCRmv0UI+vnELDYONJc3dydmRU7dPutaZ3aa79NzkfUCTuimQ7ZS/qNboSPg
ZCVKnaTEh5hOxP1IGpE9xNpptEJN37uXZyfv373iE/ju2TdPeewXotWm33//
hJALIw55XSXgvMPJIOFJOX318F2e7r//YMzU2abk6k3dW2an6QBaaW6O8XQi
xwwLNKLI2XxeMWRk6g4bKRkzxCdxG9uDX7K4erA/M1MzX4r6ywUI9xd/O/mw
qF68O11Mp92EViDudNepLxbdnPhPW1fBpLqdr/7r777TUbuTjyxucX8W02oe
EzUi/Q3zclLUEw0xG37Fs7u5HL6EMpYcgdsSrOUjCGlXDY/fnlJ1fUjpjH3d
vr+JNHxL/U68b9CINcEgRGGBjQDSiUUZirwAWguwwOgbrHw0vM7twsnvzIlo
2MRsVrewrcRNpsV/kyIwELYofP7/jJAn0poi7fLNWGJQHJjH4joUNEwy1XCF
F824vLqdyAoc5KjH+iyZqbCpZktFciQtymTlbcREUIvKhRLzJgkhqbv7I7Pc
lsO/X68lzKnwdUl2TcDalQo7Y2Du7aZMRmr8pGANwb1T9lSA8AmaMOrhgD5A
v+gNTcdn/bCHaVlTvW6xS6685C5vcmGBk3ZKLav6TWfr4vKRPnjhhTHn6Vzv
Z5OQa/WobIM8mowNANmDosnKZEHOrptJfVEGjuWbS2kWaNaaM9pkhA2uci1N
6NtpKnW655BQDZm/Ivr/RO06rrSkd/TIkwFPh8+2535diwwvc0zcdOKYSXSw
3xO7lBlp8mkiMy+v8z3Qp5JzvjbYsKPqXTdq18iW7LfF7No5tefEoNg1d58e
skCM5gLRtZ3zqwuNh3MahehZbuX+si6o8tn7kZKBVYX93veaAV2cGhDyFNOh
L6WkHpYUDapF6kKgEc2sy61FipLVIvGlKBIn+x+sqHi/pCJ9h7pEtQsjuUFl
c8pDTqWXezRcn7MKbviQiubom/1KUaKk5xFtVB0dMkyeFQEkC8he8VotNKxg
CvCSIp7DXRNX7Dr1iTYpUhu5IuEvnARY3xSsaUvuIA/pVCfGdAwyX64pBXaT
p3GFJQhgBGFgD4wxyqRpv4qkpTKBbXD1k9QyGUsWcqHINXLP1iwTP0ezQK6F
QOjdWenbZlGX+1eS7Vza2XRI6pTsPQVF505bJOZ7EqfpZUWbYSGYUmI+JXd+
cy+TX/PJJe9HXYc0jB0/hawjNMs0qfV6NiWcHlSYgm06jCnWrUpWnnHdZByP
sa4FPFWeUJCYyJOFTzvSZfTdOd1lzIGzVT8ktMLJSq3pFJfsS80cBmqRyCea
J8XxO3OQfo/CgDvg5w04RRC7b2Kcj+UvZcjqvucU/jliapHCNk5AhNMb38LA
l+UsF79/sCqIM4E2L/t6s2CXSAmJYBZdKD4L+k0iD/no+ZnBujkKV9rlV1k9
Qmqbwjq5cagms3yMUDhw5NYYpQd1ihZmxUpWeypKtPlU3JOa57rc5aJksvX3
ppCjlJx2YWeTLgSdJ921zUKa9knjnighJoNlYm4g2Pk2rEuhYqcWvsUtEPwQ
ePpvZ2cf8mfSTeiA8IEM7KRb0giN6fA2a06SvqNp5nZYTKZq+maOXMTqQW64
KIyOMi+wmGrQXEPENc5oi9+jKebDSTjkfV2Ic8TGJLlKutXbNNvCjbLWypNS
+LGYDz+mgNu+HwSkPgar0r7xrXMei2J8zWmwIs9aijwh/lOVzh1Tu+eFC5kQ
YAehppuE/ZGOdSBRjrn0giNf71Aun0p498U7bEZ9cbOtN+2y+ltHreneZ0rD
dTB8eSCJCJqgtumuKayN4J3ojAk+8M+nz6sVAREfUKDzkyWSYO93q6MwJf3e
OueMjGDBCMnRerFfFKiFulcwfbZq5fFmyhiS8329orpvbFQ8RyI5I5yP7uZK
6oUljB+vGpK8g48Z3VMoe765LQzZwLLWQwwbaW6p0VDTfIhpPpU0yxezeYOf
t+v2k8KCWy5IsqgakMoo36pd0QTa7xZg+dtsLXIEeLRs9Ocl6McvomgHqtlp
NmZBqZiU14Jj5CTon5z2JA14d9bTtdwGoRBuXdvj8pgax5tZyc8N0+V3TTM+
cD1iiE6fGaMthejnLaZTmXK943o/3tJw052hB8v/us6YLEhEXgNQAxAW4bpZ
icatAVe0USRTPoyHkcUsXkTd5xITykCmZNjZq9cv3ls7M++gevjqxXuB/X2F
YCBgGLBj9x7YZeunZ+O3D4pfn8wWvWhXHf4uDisDHdJt6kymGPGmVBkX9KWx
DdmkHQ9IQd7TpFtQyvHXpc4nddUOrUnaZ4gFe8tDCF80XEIDCgP2qnEWnav6
I1tVLSYxUjhnxC4SnoNocF4yXU19ItgRq568caYNm6FObZqAexvSznzikz+f
eC3ve+4xf/aPa1TROSGLmRrsB/i6IsAUonOCW+MvSGcE4b05DAZuYcK8Tmv2
PQagsQdfkV/wtI06ZNIDS13kLxS7nN0EG2HZgsJ9DpcAN/2eZ5d8bKQuTVCr
T56//2j909/8gANvtzblxubgKm7DFD99OtqYYHPogX999i2OnqcVT4aAy42h
Jnn9IfYD09U7XmA0oH8W2GDKUrpPZ7AtCHS2HwcN5+n6sOLfRfEjZyKRC5YJ
1WCmuc94EHuyWiapYrhrckW4fNFFEVVg0dhyngNyU85Yc2Qyy1tTwJBgGRFw
fY4UcyMsnZbWrpacaRAVNKjIjRpyKEHCqDMIzAn7Tu2OHKKlrImsUzqpJDms
xuNPZJjbGfJREnnYAzTQbFoLtqX6MhQSBFgxQVW2l1P1cOG4fEo6AGjcsrK8
n1y0sUvg+hsTo0hw/FOGcQq16VFB1X6L0wtK2jCfGMYOjUhzL3OFIzG+I0G/
wYOyFyBXsJ7RX2OgIxrLROgu7nwmx2xYyCwrpbpRZSQNZ9DqL8OSIMX852I/
q/riQd7ifNBxkNS3ol36rGEDmoa+J2I0UudExWZoR65PTm11XzL5eqxcpfSk
g1gzDEl3ODmhow5Jfajxi988e/+UNnr2/tnCeKvIMY6+00BDwjLJgfrD4K55
7DLd45T1ZBQbC0ouS+AJpU3RiIgroDau2mx6p1XIPwk19BR6EwVMLUvVI2+z
PLqjDznmwFPrGFKS21WegM3qKuAMN/WnTJQ60uDTaFHkrPZcEzZIbZgGtIPu
ovz0wJHpR2KJGTH6w17iLKsEAUa8pVbsggoEMBA8qCvzT+r+uLP4p0dpnLfH
Ip/LPWtRZQQuf/ji9YHTy+wbSE+uWGyTJIW153JUachcS/TMCsO08ygW6w5e
BbYG7uq2XyjepB8l968INLmYslR8eDABHTwROjGJvRjBKGXlUKrscxS4v709
Pgl4shSZF9y6QiQdhzEM1ipQVr0spFK+Y4he8ldDEdT7YzPU66ZUrsIWp7r5
ZsipLgjJA4xJKOAgPkEVyRygHhW0GLyhYYFx6GGStOv69rIVpP2QtmsH9hNW
7LZThF08PpUvUX4WNFc8F7pGO2e3xnDSLhE3RbN0R3u4u60kyPRNERGTC8vF
ja0v0UNgrZlQIX9Hny3YAjfauKHpUTByGlGHRos7E0OFjJZDAfQtaBEKu8BX
6PQON5sNpq6WxomORYL95bn2oWXcsUxnXb38wLC/NhDy5cmL02Oa7sKhhIsS
9zhefWgvLSQ2wx2TU3agMO0Yv5s3zl3mPZt1gozBZr9Y72gqxLCJC7Rp0DS8
hv9Kp+6rHl+8O6WJkWAzgkNV80RJCj26aA4eimQUMJaPLdsWaCNNUppSqaO6
Tk/hsCncAr7F7qqvGYuDK7aLPbapRykTpIUcO8/RwkKRgpvom6IS5Sg4HKsQ
tvC2popY0FKLJ4pX7IvaM2yMzj8aqunMcCAPpNLFbAhg0h6SqElEEL7N1Aoe
EPIG/BNWis5qahZkzAIpSpwSHBnK5aIVKx69fzxhESHOa4l3091R25033iwq
66w4pNQVCN7RVYvfOgwZjWmuL/181aWe5iJBaNjFycMN37rWog8TDLThnylz
QI0i0l5xw1F/auzWFPHMESKow7Lbr6lz4qob5KjZ2dUeZulGPzM71Gu5Be1r
aJpPA9mhh2QKOncu6jjyyerhU6I6V55KQV3irTSkcYB9fKZIKwNtGySaaw9P
cPsFn5bqKcDHlmPHZhspC+WQn9vrjY//+u5wk86fcViwF50YwAC6SdH3NQZK
0b+6CeXcMXCMMLiD9f1qAVk4V/qCKJGC5HBWEvgxpaCpD39nqGchT8AhjVbQ
cxUwQg03i2CkoJ/DIRmks9O3+cB97vutpKrErZLy9mE6kGneI8oCC6xhvfuY
GyjFIndyiiaFe0JLvHZiKHge+g3ZEHeR6uKS92QVMtj2oYdDHSSsIYxCD+LM
3oCyhLQHTQFu1vV5R0ZUc63Ig9JWo9l/mljDjT7bGLkuj4m27HOzMilCo7Cl
gIzENblE4k0Rx4zt5dXY5EaG+IBzHixp6YKBnUStiXXSNRYvZD9aoyxO5E6j
LIin2IPVyhDkYAkmKSSFc9RWgKpd5xZ8ocmV+zEGoNoNvg0tunqFAMxcheu6
y/uGsswsqWg1rPtvsa7BiqiRbY0KsUUljh7LcksYNmu3eyqGY4qYCmSSGDkI
LYtVypSzbc7eXbJLmi/YWht1dubaDb8fU2ESpfYm7f07qorjC6L1m5He1P4N
YiYNW7mXQXtvUzZ5qDNGrMQrMSCjBaJTUSVdcjOPuJd9mhqaY3LU5aJnTNis
q2QmCma27bwVK/n4gjU7ByoQS7avuvWqZJoWbNGV5kuTTSr0VoZtjmRuEtu3
fBWFU3IGbyuxqTn4mbxwuWENl754PYnUcM590LKA5C2MPH/iHChlrsDw/kmz
aFlYPzvLW41vHaZhOek0j5y1JvKkzipOR4c0sNBIQcyg6qt0wCUdPMiNtqZ6
SO3MCPZ1qoangANTOM/SLmr5ORNnmmpByRG0zdn7J3YxAsURU0tZUomD5/N5
JedTOiN0kHc9denohBdSWPmC44tCKKPr3qPTkiK0dXdOPWNo8tLDpmWcBomV
NZbPRY8txHHjURIn1VnTo9ZDRW9Y9N+MLEtDTzHtdyrhSKnCmBFQ4l9PQT7c
0BABOM6agMtJPQ9zgbavxze22BBm1yT0Nh/an5of2cgMXwljOC3Uh2nfTGRa
SPtNjeZgiEsxULLAvQKfDLr1sjbgethDXWjPk5k1vVjc+zZu23afD9Wg5D3z
YJ8cvckDgBAUOhqumHIefu+QESW/ZKbf4hUkQ9H7AsRG6lE6deUcgjSMYZEU
L+tFTTRyXiIkIulFfcgc4vcjLXl7XBeB9tciq6Edu08NliRirM4j+2cXrOMr
KeoVNsHrvZf3QnIVo6KeffMxc2Zq5t3DZncW8E8W9NjbIkNT0BZ4Sh9JUK/Y
B45O2027rikirZ1qUu4o5tE0OBiCV2VPe0rsvZ/UOCnjw5M0UJOtxzFhucNT
pXx8yGOYRNCSLF3eOzgW6p8Zy5j701yo1itmtDgbepJqDmzyPBNmfq1QEI9w
YmgzBQtS+35lUFur5PvRiL5bQ/zpbg10YoGR3+ZayxKwaoUTJdhO0uko7FWl
ALvNBQ96Nod7TQ6XmXF/UtEj3nBh/W4S3i3Fj7clfzPXQaskXemjCS2X+bbc
RbzxAAmVhiejpJuUud0uND2Hi61xDyHp7TcvJqufP76xJsALdZKj0MzpNPlZ
/8eyMnJQlj7ztk4qCuxElkZ3jU7S+pFU8gUzMOtxszfDZqkuhcrHe14l9sz4
QOUt+IC1YVc7ef4HxDlZ3u2MOF/W23uJc5foBde+KcnLGQHvffGpOM8hYeCx
zecmtkow2A7C0zX1qvr1LyP98BuWnNJv3jbw1ROwIdpB+9dTnT/+8aQjfB3+
3tJ/0JWXht+rrigg5uOetDHfRn0gNDMeankCA+kHmRkma97gmq11/My9iuRL
h5ypKY3abS4q4t83gvacW7IQCilBdYWpQI5DMW1euTLYOHLWVcX5tSF5Dzny
asRFzg9CJYwzLfk3VBYVL8WJ0DS8YYjw4ORuicXLgyL9ArlYqN6ya2FXlYq/
+CIlvDGa6NVxDcfygZS5kegHBqAFS5Q8Dt7cO9ncTylW3jPGLawBv30D1oQH
rKIbnI5UoIAAUExWyitrwSeHW7i9LtFCAlbS++H0p5UHMyKgsklTAlkiwLv1
8hM3I+aZNbnhsBQhG5xwS+RywydvExarF+hO/tvhh+OfXoKo2K5AjH9qMhpX
eEN1AXIaisZebL2TM/rIRI9Lfs5scHxJDRSKCTJZud2w1lt7tKU0aQclX0J+
+vboG9d+I+8227HQ6RheaboIM0N7Tpuk6qkZmupcnovdnKSeg8eQyJ7R4OW6
SBIFnF+kQeVOMAGxvFD++ccLDIN4npRzZIVfRWl7f9nqsezzRopQHRiky+Gy
3lE8U74+deCEEaMwLn9Gbv52hnNlT2j0rZp1qyszuytmmtKjUwFeM5LtEI71
tgkR7nDhV/jJiZRUJFQvWs2AzOT23SL3VuAFpkCrGLfFqZiVNIwNjYpvd4AK
yWVIcKKJeG5HGqq2dd+Dz2BnJdMU5Eai6mFcO10g+Z7tOMPjDjqEGBpeGMbB
YHA0xTPKsiDkq+St95MJ6I1sQ2jeSwZZEidndN6Bm69QGH2ADOdqDi8N4jJm
aTA/1XNZf4JO/j1aTk/tmATVLB4U3b2GawMvL+LBAh34BHGybxVxJBygCwqS
ZfkGKz5ehmlAD9++eXmgQWnYWUMlYXsPFiPDOvK5HNrhoso/H6NRMA/t2E1a
yx/+z2ZFBDCq+Zq0lz+/PvzuG+8JsGn/oW8OT9nl+klyaZQF4Wc8RAl3sEj1
u3GQZX1dt2uFrlX7gBBNLFoCf27WFFUzg2OK/v+YvlfYXKjfKUitLDy0Uxii
QEUTp5q6XViia3VIbtLz4WGmFvO1aISLueEMEDY2+TlXe7inQ/w+HUf0YtyM
y4cpBXcg63JJOYXIoorwvhWIC7iDJdxE+aK8sDmwkRgJQiAIo9xpzsEnTViZ
YJKDBl/Pm1sllBW6QmqF54q2kkb3PWv0JfgnGt4WyEZJL7KRQmX9daMqKRqA
ZEoWHBcq6BRz82K/vmjV6UnocFxAwCj98JJNd45hezG8EqxJ9fB4u+q7dvW4
fX96kEYxhioN88mdi+YMx4w8edLSyh9YEWZntx/H5EWp7oM7QG7kVZeuVjMs
LGBKU2xXJoOyicL3LhnwPJJ72n6m5kwPY1komSSq7pZEVviI83IRvCfjPDht
jhsLHig3WBrmOFDPYXdxeE42W1dFpM9l8DCJOfnEhzudKnaOMYZNzySF16xY
+pFrbohZUmli0lDLKyUydZ6aGgmf/H98rPBfuFg4RCzoxhsm2qG6M+aBeBWq
WBMMCBlDeEE7j+vm9lfsqXVOnyvYdkZzKpedjVZwrFelmpFoPUegcSfah1ME
zzjL9Gz5ELiVkjssa96Lu/LoBOATKOCfR2O2oROts6jLpOUwi84ssvEP0g6c
aTEWLFHAvk4AEYvMxNeoFXcN0/G7uJWbSUHJCQbuIaGhzI8JAc2rgs3Lxj5N
makxDGNKPfjDms8bUrxgg3EEcweqjzJ3QTt0wTZV+a87RT90bjQOHCWixmQG
oBWO0nmSISGBLyDuSxKazdZgrBYiTeU2/NpIyNrLV9cYfx4cilIa6UobPB0b
9hheUGmhTQh1qmj0Q3ApmQDk4TzPo+o5B4mU3jJfphA54AE+XkVL1A1YMatl
nuEfisNg/Kr1YAuetqYhutvDc/DqXXJOw/feNDQXb7RpcjO+owlz8h6ckkyc
KKFmy9oQo4p6DQZAcL5LsaoQU/NVB3Q03E2RefvW7qdmfR6pwgBG3cNJTMNQ
+fGK4rBHkm9SG1RTdl0YOk9vd8PnuVtYYpEuIoG7ns7nyHt/Q0o+3aw+K0vJ
6zbClYWCGNm2+JosW1cUozPF4ZzsPxjlyiIjBg4zxDySVcaGi+b+Sau2L+9b
8H6XCqBXiKCdK5qqbmTOd7QAQMl9XHCI+PxGc4xcHhrsJRpgAL9TR2TKyyma
x0eF0lNNsixG9uelTHXBieTu1LG35E/FCi5OYSrOOuEpMPMbzXy5aUQk1AiY
3qmxHk802KL6cPwulDhY5y/6BrsOFH2seNTpWTFhXiZzNVHJeVHsUiCLzk0N
sBQxHiLW/Qm0xAVugvXP7SGLUGkzOPXENQZF3QCH0V5egXlCaogUcT34UmSO
YFiylwoZ7VTcFOBimrNeCq6eJJGtfTU1C8w2qeJeD9/wlB5NO/uxJG/fHL7E
sST4vI88AISGmYxwjA8/vnl/khxfB9Kj6J6NzXB8/eH6O50gQg+DFX2W5Lmb
pBtyeg8e/AXlItBXOyCizV+QPyhnyVazVNpID72YAcixlO6t1zc48CXDztZU
8xy0fEK8CTCB6eviRYzS3LxqL8Bip3y8NAUigNKqFVISo3NF2WsPvARkc932
3XbD+e2RmolworrUARgVgPO8qvFT2IhxhcJXeuNTnNEHyAXK1PAAVs1FvV+P
DnpH1VMu4fgTchduuG29whEnXMVz3RhEBHtWVgfkx3gv053hRakPvpIxqGSM
k8ro1t3ljWElUwAtNtXsOCynXbmidtoZjzm4hYsQ58wGh0uNdNb+ysKICi00
svLpjwp1qRfSCW0owdAd2ZN01qHG6OqoIDHZSc1BS6ofwSK/XuUMkEW7ljFP
XcTuIV36KRW3S18KNdFwYZYBm0uEeoUkdJEgFDgg4nqfySJkIArczQPGrnLc
iBToLpGZk3rSfmMgK2yKS2xDvkAjkJbGKr/9Vl2BYFxjkwwtbY3T1yjYy/5g
hV0ncBIstokkbzjGUGRglwa5kMKYKTMPnp112nzdbjgPc2XwtsR+ILHQul6Q
GlMf/Q9wXZy04XuJvH+2KDNHHJ6R6mWRvUBvXaq3jBxNzYgg45F6hpEDhopF
xJMAUGQhvvYYvCgM3uBAdqyM7ZHetBZ9240NLHC8wolIqFmFXoFOQLbpzpeR
Mkq7kH6jIE6BsF6/PHtVAHaS6Wovjz9U796/f87UK5C+zQpNt5pSVdrBFUcs
PFLlv9+cwyfWNQNnqC80Rcn4c+6VJ6jgKABE7VjIGKdb5zMgR6Avz5MesLuq
+YJSoR3JsFeEfPFF61sGWjk1GuoUyXCgMpR6GBfSl/Liwwd2j/Jzo/Y5S+bV
Q6rCNJ7DrBscWUwQkHGlPlsBwEqCaRRFePfqxNDZLygtZalRoob9QIiUHCWJ
u3WTUbO0tAl0i68+eH/yisgGa7wQA+dRkvX3I5CymJG1ewK3ee/UY4DqqOfB
LyPNrBsaXxe0wYlK3EmOG/QB23M6v5HLvKkzRub0RC1c1r2vpTY8wGqmXn8Q
wutuICHWJj22xPTrjgzkaZU+yCNsm8n6QyQqx4jk6LVvqFRfdQm2AK+pJCqu
WfsLPRRVNvpZhnLTXB+x+0n0oBBivhz258gnQ7NBfPAlKlX4C2tZf91ckhaL
T8HU7lsmaupHP69mZhZM5IE3K+jSaoEX18q3RxFUQa3tR+pT7bcCBtRuDQZ+
V9+sO6xD0vOYh3CdwLFGvAJFlQWSf77eN2OHVPBWi1J+aavE8NWjAArye8Sk
zr246qzrZ+TAAA+luqDg1oJtGCfgqOIFTI40FzHgIiVLE+5WU/poiKSDT0Ud
09bjihA8XAfH8xsEXLhmqo3jgrIZVDQdfd1eNMubJU/ZKfP7Ymo1rPe95x5s
eznv0FLHIUrCBwX56LunqWq9XHJkxUKWXKdreRQiAI/CfiYCC82heHH0DLwM
A6tBz5jygZiT42IvM/mkGH21R8OgtjpGTdG5GDZZsdzsDGIfPOMW4XgkCY0B
favrXaReUYk5YrySbwpN891GgniNUlleYZQELZ8QVTg2G4QuainbItMw8z4B
zj1QlJsKnPF0zNVBiQ0ESgXyao059+xI7Vm8gsg9zZcrkB7SnrhBrGyympx8
QrMXuZwOlw2gZPygxE7cSYV1gX0XkX5vLfhCo3m18saLd/WtZiuvtuJ7wFAo
SlIgpb2ZDEKD+HeQrNlaWmu1N1tBewyIhWUS7WwpVWDqrMveuA9DwWMTZiGK
w5WXjPXFFjMS0ZGHaMnrjvWgN5gLeGvB8liAuOgpgkqcQAfFMqXenAM/M+xm
IpQECf+I+z280Wo45CZR5LzYlp1ODjiiGcpEITQ+FyW5H0e7lV5LsuE/wAdk
+tpU6UxL2LQaxIbVhukKbACfuF/ZsPuJYVl5w9Itjw5dLlFoYNO4/G8wua0q
MUUa1hhFIQqT3K7BHuJWOSIz+OuOR1ObbYjPsIDNBiOSfeGMArZYmjJSBPPX
6FffUIRHJYGE/1FHKThEGlwYJpcIFpnBbooxhwiureTUl1gb18PDFNMu871F
rmiQKQWiMFq7EcSamkIqyLYaGcMl10p6NBlOPDcj6Ao9ukYSuDzEz1lMNagK
jA8tJUBhwV9NY2dFfwsZw729WDuc2PypGhtJeplw6fLn3+mq3eGinXV0NJjo
WQJ58WgZsjrPm22DUcua2o/rVQfGMSyj7qORlMzY4FXADeYeVW52IDH2DRzp
gFax6WgPICoSAw6RksF0/qLliFkcsN3EzFZF7fBCySYjhJQ2WMnaN5uvGCtH
Omr5a8daa2MsYYm1D2it8QFnb4EXsIRSd/2oOhbyx94+CqDF08vsUfjaoyjd
H2G1iSAnYbC3v5bC12A4MpV4J9iuy444Gy8YFJq8o101yURVgVCoLr7TEAW5
Uo82e+BOnzLR+1Ep1KaBUAmzyT8l0na+71fNdt5+pbL1LXcH9nuaqIkZfM7Z
rf5Z6L7ltgg4iPaCumYcNo25bhqITWM+nbNJ4kUWgwTM5Q/J75L4LNpiPKWg
+VKjXEZlxKFZvAitusGKCLoZ+OCH1++45EYpFq6Y0pmDLF7e1U0HQd3yJioK
sjZBdIAZbV/VkvR+WS/b6y1vcVC0n88a686TBGFSXx7EtjgsNrwuRwmnyQ72
O/7WBsMXW4+u4z3dtUOFoLK7AlALoWJgUVBDVo7FhYAENlwBYsslSfwPnGPq
ZlAr7o7wqQbi8DoyJ5OLGv4NHZxfuOpfdSKF221EeiynTcFmxR1MCxKY/hVa
0TR4IUEySfmatxknGI7W7P2u+TJme9X9sHW7mFjcwWP2CAjZDEk/lYzR1dlG
Qb5yaQJRR0I8lE9nbTZ5JNWfOOzPCaClq/naYvle9d03OphC5Bg600hPy8ko
HYKH6QhhwJeOUR0HwXpmk0lykMFsfGmKwhH6aSpbcm7f7Z1PkS1pMVrdR4V7
+AWRBEeksgZuWV8rAzdZlCGHQvr5ZwHe8QgdOciUGbWucFS+DxpfkUTkDgt3
ljwVZEIlAWC4wTBpFPXuLh4UB4A5ZgBaYH90nmckQM79+xr2MpYLoTWq/iMG
SjozjojE76eSs+OPpdFklRRuapMTZm706gXtluVnkJiyTBKcDPk6xOpgykL7
XR6nEsFTxIuFy40uB9n5ZsLErdIM19JMslDpqVtQ7DaGmgvduNa+HAST+oCz
50wTGpWGsmGQrY6exDE29bpdGQgZLRXs0BYDK4ofR5zrAHPB1qcOMW3d9Ah9
hs8mPijFO1JPNf5judzvUG2QBZO8oF1noPKl/Ez180CcwjZfOgg9AKk4S2Uk
QWmYDtfo/4JD4vgr0Oka5mQAytAwjfY4DyFAJp9W8LDTkVCYxdtqt15457Jd
Zb6ENJzKwnd9hF+DC4G2BlZpDpl767RTI6AvKMJUuaGF3GkeFbZYS+Z3jELl
Gmtg6HiK/KsiBJwZuvF6lSrygs5pGV5SwCpAQ3LlA76RccN8oN2HHM+BPpvt
ymi8YoThC6lNxwKclpBlHKCjtpChHWlpFk8nBqGt/JHnk7HvN7kpXWEzjLaD
8VNH8+sUTQ1Rs1DaP0+cfPJWchG4BsVxGsgDmwJTaYs2A7svpmTq6qOAmPQu
XoQa+PTMQELffH777K3/znMbH3gqH3HSmR9q0oY/wfHQbQFUAr4LB5YSoeSi
h8Mk08HGZ9IHjo+PJz29Sg4fj1+8/vl0QYioWDKXUoZAx++OXwMhd+f/0tS7
Q/zhqO53tXX1IT+CoiYTxZVl60G81tHnvgIsDPy1M8fpgTo8ELkHEfvQ+uyl
PhD7aIzyPCxgYZ5n0jNcj43gBV9uuJo0lXy4Iv4Il6Q0hugN21gHuOPqjwRe
KLQgcpYilLgDFOD6GEGHYD+HrjXclrSu1evPCIpOoQWp4dwSBDMXelVX6F3F
1v7M7kZYbZFoZGkI/Jx/2cJFvw2q2IobEIX0ul3tcQ5EkHUUcGBG0A4ClHUk
nVCorz1fJTnz+vRDqtM7+fCyRKuW5rOxT1dmMeiXA6BXoxvA1AVc38jIsNvO
EORp8yUQ+xusRncmqYKehYweiibBbvDO1gbjMywmYj0TnA19uE7ST5o9gqfL
iQiyHLlyvtl0Y96WdGQoG7/TMaHbNJdDch48Qlpayyzs1ZhwFoxUlDkGbh2R
Jt+TT73IizCYpUHgLZLZZSi3VpNI3aq0SfV4ZQFk5kVLybVx6J0PPl8RZgKK
8UdqKeKSFx31xVRCLEr4VGzhmV9LCii17dS6mSzVYDifacBXa/gtQtJwn90y
xTj1fopwWhgGp1py7hZGR6RxSLpAfrhCKZ1H6YsR8IERMx3IrqjmmXZC2Yri
rJ1zbwRH/PG4KROaDUYj6Fjs55dJOVKe326v2HAEgQorwyF97LRixLHZriZZ
LgX3BOccJY0RjgVddpF4ki7WGQFZ9piPkyfMOFpFriD9cIZ6xRgur7XJ2UoS
iqkEQKLlEgdmrDqZ48TBV7TDl5yoIl2C+dPMqKJ6uWkULy9clGie/PO3Bw+S
NBAQ40tQ0DvtIbro9j3Hxyu848uOwEFDrAkccxkWhpdxOVJM3+qAI4aWawaa
KW4sAg9T37P0+iYlMMna8gJpPE3wYkLNI0VxfSVjcmQWExtyQZqn1kHwnD/G
cj1uPrQa8h7FjsLpE5AGtoms6+2n6pQmMD1811UnIWB0ygGjAyzF1yif7iBN
2caT0lrTUUaXbylmFiDDC5EoPLRp4ArOrADXLnFiN1sBD+LQkteptgqbvCh+
YkX5mVezoH8nv4YPDbj2ECXeEW6bz6zN9qxy8Kqpr7PILWXc3fgsmvhDOC7W
j8eMlM10YD3d9r6vRnqggz/BzS1JftEM6UmIkdN6TrXr8LCUtj/Q6z/lkNip
oSXLbUsfY/Dv+XqFMSIeGvfRSydR63ph0MeLLIIQxC6FHor1Fby52IaL4bhS
tzk34h4wk3HkBl3Udez8LXcseVQiG1BNcXCpSkgBN3PXrfd1kao7gq4Nff7e
mMJdszf0ShJx8NxT7FBdYjnbplPY0jCQh9spsZetG8P8gNTlFf0pNUtd+0Ua
mxdjmWr9SKQn99CVSj7Wn6vjtCo4eSKQF4qeknOIQlXZTZZmDGE5J0gIb80o
XuyNw++oQ3jLCjSLdBM3Z2/Sg4oTM4rtzHAhP398XZUGxaaaQEkBdH0CC3XW
h/V6TBQq2xvCcmRWTdGAWyURPPMPvGCk9IcfP/x0QCTiwuUuvxTmxrujiXse
9tZ0MnYuNt4ZoHw0/un2T/I452nCQY3hBu1+pmqfaNMdUuc7ZXWNTAKDekVy
P4D/aSWICE0ds+ZryyiUmwWGyVYnyx1VAWrY9KxDNh2UJyflR9X106OngXiD
MXXBkxKIZhxnxKhvwlKh5kVlmu1d0WaRiAHadrTp3xbVpXDv7w8jVw/fHp8e
H0jJSEot6G3h+nhJVqlvofI48iBCUswMV+JLK8Qt/BSIWiZBMYZBYXLg/EwG
xwG3T5KawmgRkn02PqAQm9aNSB1SOiaDGUl2jevlz+85TIefbZbD7RVbqX3I
Dcl5hpZnSVljUOZyzI198fzG0zl4TkPSMVOYcaoDEBN5OtM2QwuS8NHWppr7
Avtb+5qodOsafAq84GS4kDHaaX0aD9fFD3P5tPYSwZt/FIn3gduMUJx9iEmo
5suu4zIilOG+OZ/mLNJcJulRAs/mE0qcadGxFA9KtNRa/mvFFKH0HIY1BRuJ
t8h1NjqWM9UsLrUKvcbeaGlssfFgF/AXKrPfSj26OE9orTG6AjeuYGhNjd/U
lQFmV9P0IOTBwWqb9aqE4VuaU4eMY1MXbIrKpv7Esovss6PqbwzLLAmwLI3K
FVh0w8gD1oBv6NlxkqbShwwqS37dNF67YCQg9mprKh7A4n8iNp59ym0d3A8o
swlqh0fh+oKt0gADEdYw76tbUmAJvomIGuSkLhG+6bypl5So0Rhbsb1NELFH
qZSzbpACDtdR9e8g4Lr+kMZjyJTkLIRGSi8lVqQgSVq7CI9my410dFGSwJmk
bia1IqlAMQ2lCBLE4l02Wcsy7ZN4/6JCFURJrlwxwGENFH8a9uuxkHXGeod1
t19Z6IwIvm+IVIlD4OPUEE/hdBQvDMGyXfmJGRpb9v0nYiEhp5xpSFmBVjWF
7I7CT06N4+6su/4zx5156oKUe096kiSkQz2CoEPZi9eGW4limlvsSrz4ey7F
g4+kmg8K922Yd1HqOqC0rEiGLx5PkJ/jzoMyAu3Qcb2i8y3Dxq+JHiuqr0L5
tTWuQ+jR2rbNY8tQ9v77fo0Rs+REswc2fJYCvCCTtaWLxfFk5g/tFOzozP1w
ASI6tMyTd4j68LleYMA0S0m4cXBFFwao9EmOaHfVSXCDqLDb3TjHojCmhgNx
VNtkQKzINJhlRF4A81eanyV0qoh2lAwPniCwd9cR5k5LSDUUpqV6g653YLiI
SNVuD+Gbh5t2tVo3soGj6kW9qRnpA1MZ3WC94Xz6uD2JARNgvJHBfrsfaFn7
7Vpbs7NiIKmclrg7st21iHIHUuSLal7zm+3kJCWk2FUxDKe9f9tV+C3Bl4FX
yNHqAQu3qP8EoSibUVNwn2O2Zb/VE7bZS2Mq5oNnWH+Hiyzj2s6b3FMsjVBe
dinBalJ8h4DndNucoVpL5IECiGLTNNzgQPuhJsiLi0Z1kV6Ad9XTYQ7VNdCq
N9ki/1h8tI9fS5HjlFW53Xld0E6oaIIti4pqhFZ9x844zfhk0+NaOJyPetMO
OvFPWrWrX389bUCMPf3ht99QN2ZcRqZMYqw4tqilZgfv9ZJpz3gqDEJRuwIP
C8xcpFICRptit83aji2dxZaPhOUS0o0mE4JMSOjmLgCUBLv36CY5DE7x+sL/
6VAyKdFmsb7PBj/oBaJuiTWfZH0tJM2UanDQO5LKGsrmgvkqkrpcOOsGVTjg
kc99x3HwJMd0889pqGRGnyQXvEuRcmdLjCJwfdmgMw61gr08htJKxDjgGWMG
O8VoY/D1gasBYH/ldaBqtqFmCxnVJcBx2/9kNHflbGDaTyA+PSgGNqFQcsRv
bUi6H3aDnZLwI+VeqUDH6hW1IdplDyXjQpUZ7EmX730hQSqbSckhkYGbWA1M
sg6BoaxmhIWa5OBxBsDltusLmcojQmZqeqqN0Lmt3GCj2cYEetPRgVw08qBo
pGHyGnyD4039DziHX5pzMgRJ+j08/uX0wMdpERL8kjDaNMIRPOeA7A7PpyY0
lEc0zhw+iZoXU0FD0uqSkyqUlhvNaHE5/+K3Bw+O12tvXWMiJhUPqI8pzwBR
txl+NKcttGa4bK/ONsnmQyv/UahlERqDnMrjCfQWu+BWGWv+0mHpAQvr9tm1
YcKJL6gD0raRElr1RRLVJfkJH1mqg8lfRogR8q54pmjBhZLxLDilnRpuJrAb
rmKFRiXwMAgu/b7cy2GxgMDPPnpkTvKjR0cV4/hYxce0MMry+rcUxiVtqO1o
NK9bTG1D9UtpKJ+3Z3eP+zu5MlBzCowX4yBAfWBhFiSgFAZOa8DoNUKHkHjZ
Y6kOhXzVtoXvfMFq7Jt0JBShHTMllcuG2WNjl1Jim+Rk4oO1+IsPS70q1nal
8zqypAJXCWT+H/2F812+RGrhC6Sw9QB4k9MmOCVoMVvBmur2tQC0rq5uzvt2
ZaWfvsrdo3rX9JZDfosfAQrHc3npK7Es0QIHcmNH8LnlJjerM/MBBImAPXpk
ckCHmAdZ8Ii6kdJwlf9EY59QqlCyIadfohCSOlVLkrq6ahOqekOeCAtAFVyX
mgpW41CkBaMRD/t6rbWrlhGbBDGZe23H03StRMko7yf9LVksrWSFJgSPvFcm
lbampK8WMTvDiwGAXK83ij/BD7eeBnwSM70YefcovNQeotJY7Rl7hr2atl8d
ory80eCzxgimiYQE+LWdyxsoHgLCPMh8Oo1pW64gRgEmVeWzFeS++h+MBgrg
UvcOesKSSaDKtBgqp0q2LxS4ZJVZe6xPjr3J0NSNRLZm5mmKD+0qLicS0qbA
c85CE4DcLJvFkvKQlY/rtQIMZaE2Lbv2lSqCbUXKEb7w6JGgmoR88QpUNg+W
r8loXTWor15vp12FXNZzr2o4SpHG93DHK8HnUH91yIgLJ2etQ1RiowB8cOEK
j2pFMM2G8QFQjU9SkL4g9hOFMXhwg3aT8iQNhjJGAk9o6zpgxWsiibfNKiAi
TWrGT4rHwQVxTUCckZ51h7LNhPHYeG5sgwwus+Ueg9wFVz+kocOpXl+6x/IK
KK7el+CHGGMb/qjZbw4SxyaDav11od1HN5qXIkiVTMbpJCnV647R26kJKQVx
cmXIh2xKcKM2m9WubkdV120gBsHQBC2m9e3SuQdmgVRqjdiIeXlUnYZuSrVj
E/wSxan3mzKkpxt8GEqbfbOXshqSKV4OVx36vB32PBFiCxhVFMy8bvIxjBSs
pNlnI+NMO5SIPA2E9Tiq8Yjs8XBFC0mtaWHDNbjldJEIL0TmQNqv5tcc2A7F
xiSRix6RPmYeTAfU8loT3gKpc1TkrFQ7kI1d9I4MPkhOUhqvw/xbUqLbSwLG
izQS5YHb0gWQX1muz0cpcjOY606thT6tH2j3lQc4nPg3Vqf16FFEE1QgakIi
xPhiAmzymU6U6xkpE4aU3yGRI7amYqEUVXlizTkXqg4a025CsYFh1nBJzTgR
e5yymKNFqlXQeulSzQJXPmfYa6DfZfMY6uBSAMUWodS9GFtqzjlrEt6g0yZ1
0mQuIdLZUR2pK2US6EZ6M5q0lzHpcFcfrcb+UDhTXvjW+ksN+gOVNlz3m4eS
hY69f3yBkRc2FIv96nfiZkqsgf9KoQYpp6YmxX3PIyNcYR7jM8ZZCTxlyeVr
ZuAeJMUgFB77i8iLr8eUdJ8vh7UhyRYpvapdgNC6BTsy+gUI1B4siGRIuyTT
MQjg8xth4KNURmo598DJYQTMxfL2/cjqBB9Bhg6hzDV+2JizYCWgNw7m8CXo
I0XbmMLL5ejDDx5g6P1dNNdipP2iW1IJSeiD8CXlcrALqphkdSaxvLuHX/ni
dm2qQ9QFCk44eApqPQgI0pSTG/i843NikTyekOI0yynz7EKeLoz7wbAOy1LK
QnU90w5+k6FtUcr7vqjzBhiwpdG6AmHB3VyiFzXyIgczP/iSni6jaWdRtxFa
W0qWDG47xFsdPnSoRLDwzds31Ut5AmI7Z7MXkgXlUcOBjjy486QaJFlyusl6
Ak1PRZRULyBLXLAVNn0zSDWklUrwaZO/TcjRQL9Y/HfkgljppSdMidQUZQHm
5IO5JEstTsFkYpelzFnjU70V/cUQytnJyYsoNRI9SCHap4RVrsORBjfSTQve
YqkZh0Dc/fMVkNF8qxeoHhGmU3QkSbVreDAKlSWah1OoIaZgb6xaR2EqTR+o
KBmsgWtNuSZMDPUStuTCri54bWFsfXLGKg8EZd7ahMboMGgxiMwnma0EyHeT
XRDVAjou/UmzI1aeRGDyRvxS39J4pPqAPbANU6jEcHYFLdKKdl4PQASRiESw
lkMrhUoAX4NMAheFLBP5pBaUFoZnucq9IMGdmk+QKKboJGSluLzaDMYYP3kd
PS+I3sj6r8oxKynljdm/NLzP+WUYqhDfjANE+GXamu+4lGiCRifUE5yWy5a7
yY5k7ILp6hBnSoFDLb2maBjKsUJKZlojSo+iLWhGjXPshP+RokoBuk4B78zj
5p2jG8tTy30Q9ird0vEtwZbAWXiujrtIO9DMhRD3EWT7Yr38dE68OF+XOOxX
+7/pMVQircyXSLQMlZoq95TSbvHgDAmVfLjuYpzMgxdGGZp74rhLBYZDbwlY
Tprab77gbDOuXLhIIyUtW86kxLWimcmMhYs6Ay/Ur4sEkGxgmfWnASByUa2h
h0P8d3Md/BosiSGLgnDYaQaxlzW02C/glaFHmOG2Zi6xzMhJ00xKjQzb6j29
1Q1oLLJCrAAnGpkUCSB/DFr6sE3bcW57mk9AGWo6HB5OgH5PLyWbPBdL60uJ
iAeaR5Z62SPzcF3wUJFpfykYokG5YSENIiKnIuyiW159dPxXCFsN3brRgk3D
RRxzWFqWE/wpalOkYEGvSVjQ/iMy3BGc+n7ZWhRATTP7rLHLj34NSuURI4Q+
jKsFm5b6wNiu+fnjm1Le11dPUlgtok05e0y4eTHhb239C0EXk3mM8jZhnIB6
F/ne+fy+KcPKPUTo6kgPC/wgF08DQyEd6oj7bfqk5f3xcce8j8KfgxMz2th7
It5rGaxOniR6JUDzyAHOOZScXidNXw7aI2IyYmqUD1YVKMYYqPHVSS8kWmpr
49gnyUG6zAxFlIELd7UGJVPopFAU72Oi0SufQuUWZaFFYNwd5mEXbtKdtL6m
ITUXe7J4fNDlMLnv2fyYW8bHLLwZlongGJOftWREdXD1IDURPr9x6YH5+Fay
xjnYls8H/e+It9FwgHipraDyHDucRS5nobk1ZEvjsF3BFZ1HwM1mGFP1WnRN
6glO2LT5i4tIEx7yeOVBPqQ5KIFgKCIpokCg3yAiJgsCZUBmeeHqiA0AKpWo
7pkkkrRmMPabcQsfPz5BSizj+qmZwL0bmUkqUcd2Xait9LeE/e/XHKfQSsw2
qESu9PxjQcNCiHAaR9TgN4dFBNOstqjhX1L/8UmYdSMTnlbgzKPiFlE3cmcF
dV5y14yUG08bv82+siLIDN7OBb15Js8KjNhkzsgD4wQeGnnhRxSJrBsEZZgK
ChubFBpGcAy03dfH744LW6VsaU+t5PSJ7LXsS+B5gLcnIXx42PHSlDSBsDx4
8AtOF0EjjerMiGqx5/1f63MQsOvqDZzOPw7ftut1DYr2Y31Rg9Lp2+0h/QGE
yx5MpAFcib5eVH/D8NFQnQ1gdl002/ZyUb0FOV/Dcz7if/vVIGUDHFxi/a/d
jxdNs8KEIFuOLGZh1YeHh5QnfPD/APJhYPfsogEA

-->

</rfc>

