<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" docName="draft-ietf-lamps-keyusage-crl-validation-latest" category="std" consensus="true" submissionType="IETF" xml:lang="en" number="10007" updates="5280" tocInclude="true" sortRefs="true" symRefs="true" prepTime="2026-06-29T17:12:14" indexInclude="true" scripts="Common,Han,Katakana,Latin" tocDepth="3">
  <link href="https://dx.doi.org/10.17487/rfc10007" rel="alternate"/>
  <link href="urn:issn:2070-1721" rel="alternate"/>
  <link href="https://datatracker.ietf.org/doc/draft-ietf-lamps-keyusage-crl-validation-latest" rel="prev"/>
  <front>
    <title abbrev="CRL Validation Clarification">Clarification to Processing Key Usage Values During Certificate Revocation List (CRL) Validation</title>
    <seriesInfo name="RFC" value="10007" stream="IETF"/>
    <author fullname="Corey Bonnell">
      <organization showOnFrontPage="true">DigiCert, Inc.</organization>
      <address>
        <email>corey.bonnell@digicert.com</email>
      </address>
    </author>
    <author fullname="伊藤 忠彦" asciiFullname="Tadahiko Ito">
      <organization ascii="SECOM CO., LTD." showOnFrontPage="true">セコム株式会社</organization>
      <address>
        <email>tadahiko.ito.public@gmail.com</email>
      </address>
    </author>
    <author fullname="大久保 智史" asciiFullname="Tomofumi Okubo">
      <organization showOnFrontPage="true">Penguin Securities Pte. Ltd.</organization>
      <address>
        <email>tomofumi.okubo+ietf@gmail.com</email>
      </address>
    </author>
    <date month="06" year="2026"/>
    <area>SEC</area>
    <workgroup>lamps</workgroup>
    <keyword>Public Key Infrastructure</keyword>
    <keyword>Certificate validation</keyword>
    <keyword>Security</keyword>
    <abstract pn="section-abstract">
      <t indent="0" pn="section-abstract-1">RFC 5280 defines the profile of X.509 certificates and Certificate Revocation Lists (CRLs) for use in the Internet. Section 4.2.1.3 of RFC 5280 requires CRL issuer certificates to contain the <tt>keyUsage</tt>
extension with the <tt>cRLSign</tt> bit asserted. However, the CRL validation
algorithm specified in Section 6.3 of RFC 5280 does not explicitly
include a corresponding check for the presence of the <tt>keyUsage</tt>
certificate extension. This document updates RFC 5280 to require
that check.</t>
    </abstract>
    <boilerplate>
      <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
        <name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
        <t indent="0" pn="section-boilerplate.1-1">
            This is an Internet Standards Track document.
        </t>
        <t indent="0" pn="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of 
            RFC 7841.
        </t>
        <t indent="0" pn="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <eref target="https://www.rfc-editor.org/info/rfc10007" brackets="none"/>.
        </t>
      </section>
      <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
        <name slugifiedName="name-copyright-notice">Copyright Notice</name>
        <t indent="0" pn="section-boilerplate.2-1">
            Copyright (c) 2026 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        </t>
        <t indent="0" pn="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Revised BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Revised BSD License.
        </t>
      </section>
    </boilerplate>
    <toc>
      <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1">
        <name slugifiedName="name-table-of-contents">Table of Contents</name>
        <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1">
          <li pn="section-toc.1-1.1">
            <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t>
          </li>
          <li pn="section-toc.1-1.2">
            <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-conventions-and-definitions">Conventions and Definitions</xref></t>
          </li>
          <li pn="section-toc.1-1.3">
            <t indent="0" keepWithNext="true" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-the-risk-of-trusting-crls-s">The Risk of Trusting CRLs Signed with Non-Certified Keys</xref></t>
          </li>
          <li pn="section-toc.1-1.4">
            <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-checking-the-presence-of-th">Checking the Presence of the <tt>keyUsage</tt> Extension</xref></t>
          </li>
          <li pn="section-toc.1-1.5">
            <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.6">
            <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.7">
            <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t>
          </li>
          <li pn="section-toc.1-1.8">
            <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgments</xref></t>
          </li>
          <li pn="section-toc.1-1.9">
            <t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t>
          </li>
        </ul>
      </section>
    </toc>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" removeInRFC="false" toc="include" pn="section-1">
      <name slugifiedName="name-introduction">Introduction</name>
      <t indent="0" pn="section-1-1"><xref target="RFC5280" format="default" sectionFormat="of" derivedContent="RFC5280"/> defines the profile of X.509 certificates and certificate
revocation lists (CRLs) for use in the Internet. <xref section="4.2.1.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-4.2.1.3" derivedContent="RFC5280"/> requires CRL issuer certificates to contain the <tt>keyUsage</tt>
extension with the <tt>cRLSign</tt> bit asserted. However, the CRL validation
algorithm specified in <xref section="6.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6.3" derivedContent="RFC5280"/> does not explicitly
include a corresponding check for the presence of the <tt>keyUsage</tt>
certificate extension. This document updates <xref target="RFC5280" format="default" sectionFormat="of" derivedContent="RFC5280"/> to require
that check.</t>
      <t indent="0" pn="section-1-2"><xref target="the-issue" format="default" sectionFormat="of" derivedContent="Section 3"/> describes the security concern that motivates this update.</t>
      <t indent="0" pn="section-1-3"><xref target="crl-validation-algo-amendment" format="default" sectionFormat="of" derivedContent="Section 4"/> updates the CRL validation algorithm (<xref section="6.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6.3" derivedContent="RFC5280"/>)
to resolve this concern.</t>
    </section>
    <section anchor="conventions-and-definitions" numbered="true" removeInRFC="false" toc="include" pn="section-2">
      <name slugifiedName="name-conventions-and-definitions">Conventions and Definitions</name>
      <t indent="0" pn="section-2-1">The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
    </section>
    <section anchor="the-issue" numbered="true" removeInRFC="false" toc="include" pn="section-3">
      <name slugifiedName="name-the-risk-of-trusting-crls-s">The Risk of Trusting CRLs Signed with Non-Certified Keys</name>
      <t indent="0" pn="section-3-1">In some Public Key Infrastructures, entities are delegated by
Certification Authorities (CAs) to sign CRLs. CRLs whose scope encompasses
certificates that have not been signed by the CRL issuer are known as
"indirect CRLs".</t>
      <t indent="0" pn="section-3-2">Applications that consume CRLs follow the validation algorithm as
specified in <xref section="6.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6.3" derivedContent="RFC5280"/>. In particular, <xref section="6.3.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6.3.3" derivedContent="RFC5280"/>
contains the following step for CRL validation:</t>
      <blockquote pn="section-3-3">
        <t indent="0" pn="section-3-3.1">(f) Obtain and validate the certification path for the issuer of
      the complete CRL.  The trust anchor for the certification
      path <bcp14>MUST</bcp14> be the same as the trust anchor used to validate
      the target certificate.  If a key usage extension is present
      in the CRL issuer's certificate, verify that the cRLSign bit
      is set.</t>
      </blockquote>
      <t indent="0" pn="section-3-4">This step does not explicitly specify a check for the presence of the
<tt>keyUsage</tt> extension itself.</t>
      <t indent="0" pn="section-3-5">Similarly, the certificate profile in <xref section="4" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-4" derivedContent="RFC5280"/> does not require
the inclusion of the <tt>keyUsage</tt> extension in a certificate if the
certified public key is not used for verifying the signatures of other
certificates or CRLs.</t>
      <t indent="0" pn="section-3-6">CAs can delegate the issuance of CRLs
to other entities by issuing to the entity a certificate that asserts
the <tt>cRLSign</tt> bit in the <tt>keyUsage</tt> extension. The CA
will then sign certificates that fall within the scope of the
indirect CRL by including the <tt>crlDistributionPoints</tt> extension (<xref section="4.2.1.13" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-4.2.1.13" derivedContent="RFC5280"/>) and
specifying the distinguished name (DN) of the CRL issuer in the
<tt>cRLIssuer</tt> field of the corresponding distribution point.</t>
      <t indent="0" pn="section-3-7">The CRL issuer signs CRLs that assert the <tt>indirectCRL</tt> boolean within
the <tt>issuingDistributionPoint</tt> extension.</t>
      <t indent="0" pn="section-3-8">The allowance for the issuance of certificates without the <tt>keyUsage</tt>
extension and the lack of a check for the inclusion of the <tt>keyUsage</tt>
extension during CRL verification can manifest in a security issue. A
concrete example is described below:</t>
      <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-3-9"><li pn="section-3-9.1" derivedCounter="1.">
          <t indent="0" pn="section-3-9.1.1">The CA signs an end-entity CRL issuer
certificate to subject <tt>X</tt> that certifies key <tt>A</tt> for signing CRLs by
explicitly including the <tt>keyUsage</tt> extension and asserting the
<tt>cRLSign</tt> bit in accordance with <xref section="4.2.1.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-4.2.1.3" derivedContent="RFC5280"/>.</t>
        </li>
        <li pn="section-3-9.2" derivedCounter="2.">
          <t indent="0" pn="section-3-9.2.1">The CA signs one or more certificates that
include the <tt>crlDistributionPoints</tt> extension with the DN for subject
<tt>X</tt> included in the <tt>cRLIssuer</tt> field. This indicates that the
CRL-based revocation information for these certificates will be
provided by subject <tt>X</tt>.</t>
        </li>
        <li pn="section-3-9.3" derivedCounter="3.">
          <t indent="0" pn="section-3-9.3.1">The CA signs an end-entity certificate to
subject <tt>X</tt> that certifies key <tt>B</tt>. This certificate contains no key
usage extension, as the certified key is not intended to be used for
signing CRLs and could be a "mundane" certificate of any type (e.g.,
S/MIME, a document signing certificate where the corresponding private
key is stored on the file system of the secretary's laptop, etc.).</t>
        </li>
        <li pn="section-3-9.4" derivedCounter="4.">
          <t indent="0" pn="section-3-9.4.1">Subject <tt>X</tt> signs a CRL using key <tt>B</tt> and publishes the CRL at the
<tt>distributionPoint</tt> field specified in the <tt>crlDistributionPoints</tt>
extension of the certificates signed in step 2.</t>
        </li>
        <li pn="section-3-9.5" derivedCounter="5.">
          <t indent="0" pn="section-3-9.5.1">Relying parties download the CRL published in step 4. The CRL
validates successfully according to <xref section="6.3.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6.3.3" derivedContent="RFC5280"/>,
as the CRL issuer DN matches, and the check for the presence of the
<tt>cRLSign</tt> bit in the <tt>keyUsage</tt> extension is skipped because the
<tt>keyUsage</tt> extension is absent.</t>
        </li>
      </ol>
    </section>
    <section anchor="crl-validation-algo-amendment" numbered="true" removeInRFC="false" toc="include" pn="section-4">
      <name slugifiedName="name-checking-the-presence-of-th">Checking the Presence of the <tt>keyUsage</tt> Extension</name>
      <t indent="0" pn="section-4-1">To remediate the security issue described in <xref target="the-issue" format="default" sectionFormat="of" derivedContent="Section 3"/>, this
document specifies the following amendment to step (f) of the CRL
algorithm as specified in <xref section="6.3.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6.3.3" derivedContent="RFC5280"/>.</t>
      <t indent="0" pn="section-4-2"><em>OLD:</em></t>
      <blockquote pn="section-4-3">
        <t indent="0" pn="section-4-3.1">(f) Obtain and validate the certification path for the issuer of
    the complete CRL.  The trust anchor for the certification
    path <bcp14>MUST</bcp14> be the same as the trust anchor used to validate
    the target certificate.  If a key usage extension is present
    in the CRL issuer's certificate, verify that the cRLSign bit
    is set.</t>
      </blockquote>
      <t indent="0" pn="section-4-4"><em>NEW:</em></t>
      <blockquote pn="section-4-5">
        <t indent="0" pn="section-4-5.1">(f) Obtain and validate the certification path for the issuer of
    the complete CRL.  The trust anchor for the certification
    path <bcp14>MUST</bcp14> be the same as the trust anchor used to validate
    the target certificate.  If the version of the CRL issuer's
    certificate is version 3 (v3), then verify that the key usage
    extension is present and verify that the cRLSign bit is set.</t>
      </blockquote>
      <t indent="0" pn="section-4-6">This change ensures that the CRL issuer's key is certified for
CRL signing. However, this check is not performed if the CRL
issuer's key is certified using a version 1 (v1) or version 2 (v2) X.509
certificate, as these versions do not have an <tt>extensions</tt> field where
the key usage extension can be included.</t>
    </section>
    <section anchor="security-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-5">
      <name slugifiedName="name-security-considerations">Security Considerations</name>
      <t indent="0" pn="section-5-1">If a CA has signed certificates to be used for
CRL verification but do not include the <tt>keyUsage</tt> extension in
accordance with <xref section="4.2.1.3" sectionFormat="of" target="RFC5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-4.2.1.3" derivedContent="RFC5280"/>, then relying party
applications that have implemented the modified verification algorithm
as specified in this document will be unable to verify CRLs signed by
the CRL issuer in question.</t>
      <t indent="0" pn="section-5-2">It is <bcp14>RECOMMENDED</bcp14> that CAs include the
<tt>keyUsage</tt> extension in certificates to be used for CRL verification to
ensure that there are no interoperability issues where updated
applications are unable to verify CRLs.</t>
      <t indent="0" pn="section-5-3">If it is not possible to update the profile of CRL issuer certificates,
then the policy management authority of the affected Public Key
Infrastructure <bcp14>SHOULD</bcp14> update the subject naming requirements to ensure
that certificates to be used for different purposes contain unique DNs.</t>
    </section>
    <section anchor="iana-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-6">
      <name slugifiedName="name-iana-considerations">IANA Considerations</name>
      <t indent="0" pn="section-6-1">This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references" pn="section-7">
      <name slugifiedName="name-normative-references">Normative References</name>
      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" quoteTitle="true" derivedAnchor="RFC5280">
        <front>
          <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
          <author fullname="D. Cooper" initials="D." surname="Cooper"/>
          <author fullname="S. Santesson" initials="S." surname="Santesson"/>
          <author fullname="S. Farrell" initials="S." surname="Farrell"/>
          <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
          <author fullname="R. Housley" initials="R." surname="Housley"/>
          <author fullname="W. Polk" initials="W." surname="Polk"/>
          <date month="May" year="2008"/>
          <abstract>
            <t indent="0">This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5280"/>
        <seriesInfo name="DOI" value="10.17487/RFC5280"/>
      </reference>
      <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <section numbered="false" anchor="acknowledgments" removeInRFC="false" toc="include" pn="section-appendix.a">
      <name slugifiedName="name-acknowledgments">Acknowledgments</name>
      <t indent="0" pn="section-appendix.a-1">The authors would like to thank the participants on the LAMPS Working Group mailing list for their insightful feedback and comments. In particular, the authors extend sincere appreciation to <contact fullname="Carl Wallace"/>, <contact fullname="David Hook"/>, <contact fullname="Deb Cooley"/>, <contact fullname="John Gray"/>, <contact fullname="Michael StJohns"/>, <contact fullname="Mike Ounsworth"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Russ Housley"/>, <contact fullname="Serge Mister"/>, and <contact fullname="Tomas Gustavsson"/> for their reviews and suggestions, which greatly improved the quality of this document.</t>
    </section>
    <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.b">
      <name slugifiedName="name-authors-addresses">Authors' Addresses</name>
      <author fullname="Corey Bonnell">
        <organization showOnFrontPage="true">DigiCert, Inc.</organization>
        <address>
          <email>corey.bonnell@digicert.com</email>
        </address>
      </author>
      <author fullname="伊藤 忠彦" asciiFullname="Tadahiko Ito">
        <organization ascii="SECOM CO., LTD." showOnFrontPage="true">セコム株式会社</organization>
        <address>
          <email>tadahiko.ito.public@gmail.com</email>
        </address>
      </author>
      <author fullname="大久保 智史" asciiFullname="Tomofumi Okubo">
        <organization showOnFrontPage="true">Penguin Securities Pte. Ltd.</organization>
        <address>
          <email>tomofumi.okubo+ietf@gmail.com</email>
        </address>
      </author>
    </section>
  </back>
</rfc>
