<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-ace-coap-est-oscore-11" category="std" consensus="true" submissionType="IETF" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EST-oscore">Protecting EST Payloads with OSCORE</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-ace-coap-est-oscore-11"/>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization>Ericsson AB</organization>
      <address>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <author initials="S." surname="Raza" fullname="Shahid Raza">
      <organization>RISE</organization>
      <address>
        <email>shahid.raza@ri.se</email>
      </address>
    </author>
    <author initials="M." surname="Furuhed" fullname="Martin Furuhed">
      <organization>Nexus</organization>
      <address>
        <email>martin.furuhed@nexusgroup.com</email>
      </address>
    </author>
    <author initials="M." surname="Vučinić" fullname="Mališa Vučinić">
      <organization>Inria</organization>
      <address>
        <email>malisa.vucinic@inria.fr</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Security</area>
    <workgroup>ACE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 102?>

<t>Enrollment over Secure Transport (EST) is a certificate provisioning protocol over HTTPS <xref target="RFC7030"/> or CoAPs <xref target="RFC9148"/>.
This document specifies how to carry EST over the Constrained Application Protocol (CoAP) protected with Object Security for Constrained RESTful Environments (OSCORE).
The specification builds on the EST-coaps <xref target="RFC9148"/> specification, but uses OSCORE and Ephemeral Diffie-Hellman over COSE (EDHOC) instead of DTLS.
The specification also leverages the certificate structures defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, which can be optionally used alongside X.509 certificates.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Authentication and Authorization for Constrained Environments Working Group mailing list (ace@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ace/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/EricssonResearch/EST-OSCORE"/>.</t>
    </note>
  </front>
  <middle>
    <?line 109?>

<section anchor="intro">
      <name>Introduction</name>
      <t>One of the challenges with deploying a Public Key Infrastructure (PKI) for the Internet of Things (IoT) is certificate enrollment, because existing enrollment protocols are not optimized for constrained environments <xref target="RFC7228"/>.</t>
      <t>One optimization of certificate enrollment targeting IoT deployments is specified in EST-coaps <xref target="RFC9148"/>, which defines a version of Enrollment over Secure Transport <xref target="RFC7030"/> for transporting EST payloads over CoAP <xref target="RFC7252"/> and DTLS <xref target="RFC9147"/>, instead of HTTP <xref target="RFC9110"/><xref target="RFC9112"/> and TLS <xref target="RFC8446"/>.</t>
      <t>This document describes a method for protecting EST payloads over CoAP with OSCORE <xref target="RFC8613"/>.
OSCORE specifies an extension to CoAP that protects messages at the application layer and can be applied independently of how CoAP messages are transported.
OSCORE can also be applied to CoAP-mappable HTTP, which enables end-to-end security for mixed CoAP and HTTP transfer of application layer data (see <xref section="11" sectionFormat="of" target="RFC8613"/>).
Hence, EST payloads can be protected end-to-end independent of the underlying transport and through proxies translating between CoAP and HTTP.</t>
      <t>OSCORE is designed for constrained environments, building on IoT standards such as CoAP, CBOR <xref target="RFC8949"/>, and COSE <xref target="RFC9052"/> <xref target="RFC9053"/>, and has in particular gained traction in settings where message sizes and the number of exchanged messages need to be kept at a minimum, such as 6TiSCH <xref target="RFC9031"/>, or for securing CoAP group messages <xref target="I-D.ietf-core-oscore-groupcomm"/>.
Where OSCORE is implemented and used for communication security, the reuse of OSCORE for other purposes, such as enrollment, reduces the code footprint.</t>
      <t>Prior to running EST-oscore, the protocol defined in this specification, there must exist a trust relationship between the EST-oscore client and the EST-oscore server.
This trust relationship may be based on the pre-shared OSCORE security context, or on the common root of trust.
In case there is a pre-shared OSCORE security context, the CoAP exchange carrying EST payloads can occur immediately.
In case there is a common root of trust, a security handshake based on the Ephemeral Diffie-Hellman over COSE (EDHOC, <xref target="RFC9528"/>) protocol needs to occur prior to running EST-oscore.
How this trust relationship is established is out of the scope of this document.</t>
      <t>How the EST-oscore server verifies the identity of the client prior to issuing a certificate is also out of the scope of this specification.</t>
      <t>EST-oscore defines a number of optimizations with respect to EST-coaps:</t>
      <ul spacing="normal">
        <li>
          <t>The DTLS record layer is replaced by OSCORE.</t>
        </li>
        <li>
          <t>The DTLS handshake is replaced by the lightweight authenticated key exchange protocol EDHOC <xref target="RFC9528"/>.</t>
        </li>
        <li>
          <t>Compact CBOR representations of X.509 certificates and EST payloads (see <xref target="I-D.ietf-cose-cbor-encoded-cert"/>) are optionally used.</t>
        </li>
        <li>
          <t>Certificates by reference (see <xref target="RFC9360"/>) are optionally used.</t>
        </li>
        <li>
          <t>The EST payloads protected by OSCORE can be proxied between constrained networks supporting CoAP and non-constrained networks supporting HTTP/HTTPs, through a CoAP-HTTP proxy without any security processing at the proxy (see <xref target="proxying"/>).
The concept "Registrar" and its required trust relationship with the EST server as described in Section 5 of <xref target="RFC9148"/> is therefore not applicable.</t>
        </li>
      </ul>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
      <t>This document uses terminology from <xref target="RFC9148"/>, which in turn is based on <xref target="RFC7030"/> and, in turn, on <xref target="RFC5272"/>.</t>
      <t>The term "Trust Anchor" follows the terminology of <xref target="RFC6024"/>:
"A trust anchor represents an authoritative entity via a public key and associated data.
The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative."</t>
      <t>Apart from enrolling certificates with keys that are used for signing, this document also specifies how to enroll certificates with keys that are used for Diffie-Hellman (DH) operations (static DH keys).
Instead of signing, possession of the private static DH key may be proved by generating a MAC given the recipient's public DH key.
Therefore, this document extends the definition of the term "Trust Anchor": the corresponding public key can also be used for MAC generation for static DH proof-of-possession procedures.</t>
    </section>
    <section anchor="authentication">
      <name>Authentication</name>
      <t>This specification replaces the DTLS handshake in EST-coaps with the lightweight authenticated key exchange protocol EDHOC <xref target="RFC9528"/>.
The enrollment using EST-oscore is based on the existence of an OSCORE Security Context protecting the messages conveying the EST payloads.
This Security Context is typically established through an EDHOC session preceding the initial enrollment.
Re-enrollment does not require a new EDHOC session.</t>
      <t>The EST-oscore client MUST play the role of the EDHOC Initiator.
The EST-oscore server MUST play the role of the EDHOC Responder.</t>
      <t>The EST-oscore clients and servers perform mutual authentication.
The EST server and EST client are responsible for ensuring that an acceptable cipher suite is negotiated.
The client authenticates the server before accepting any server response.
The server authenticates the client.
These requirements are fulfilled when using EDHOC <xref target="RFC9528"/>.</t>
      <t>The server must also provide relevant information to the CA to support its decision about issuing a certificate.</t>
      <section anchor="edhoc">
        <name>EDHOC</name>
        <t>EDHOC supports authentication with certificates or raw public keys (referred to as "credentials"), and the credentials may either be transported in the protocol, or referenced.
This is determined by the identifier of the credential of the endpoint, ID_CRED_x for x= Initiator/Responder, which is transported in an EDHOC message.
This identifier may be the credential itself (in which case the credential is transported), or a pointer such as a URI of the credential (e.g., c5u, see <xref target="I-D.ietf-cose-cbor-encoded-cert"/>) or some other identifier which enables the receiving endpoint to retrieve the credential.</t>
      </section>
      <section anchor="certificate-based-authentication">
        <name>Certificate-based Authentication</name>
        <t>EST-oscore, like EST-coaps, supports certificate-based authentication between the EST client and server.
The client MUST be configured with an Implicit or Explicit Trust Anchor (TA) <xref target="RFC7030"/> database, enabling the client to authenticate the server.
The requirements on managing the Implicit and Explicit TA databases are discussed in <xref section="9.1" sectionFormat="of" target="RFC9148"/> and <xref section="9.2" sectionFormat="of" target="RFC9148"/> and apply to EST-oscore.</t>
        <t>The EST client and EST server certificate SHOULD conform to <xref target="RFC7925"/>.
The EST client and/or EST server certificate MAY be a (natively signed) CBOR certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.
The EST client indicates its preference for the type of the certificate it supports through the CoAP Accept option included in the request to the EST server.</t>
      </section>
      <section anchor="channel-binding">
        <name>Channel Binding</name>
        <t>The <xref target="RFC5272"/> specification describes proof-of-possession as the ability of a client to prove its possession of a private key which is linked to a certified public key.
In case of a signature key, a proof-of-possession is generated by the client when it signs the PKCS#10 Request during the enrollment phase.
In case of a static DH key, a proof-of-possession is generated by the client when it generates a MAC and includes it in the PKCS#10 request, as per <xref target="static-dh-keys"/>.</t>
        <t>Connection-based channel binding refers to the security binding between the PKCS#10 object and the underlying secure transport layer.
This is typically achieved by including the challengePassword attribute in the PKCS#10 object that is dependent on the underlying security session.
Connection-based proof-of-possession using the challengePassword attribute of the PKCS#10 object is OPTIONAL, see <xref target="security-considerations"/>.</t>
      </section>
      <section anchor="optimizations">
        <name>Optimizations</name>
        <t>This section contains optional behavior that may be used to reduce message sizes or round trips based on the application configuration.</t>
        <ul spacing="normal">
          <li>
            <t>The third message of the EDHOC protocol, message_3, MAY be combined with an OSCORE-protected request <xref target="RFC9668"/>, enabling authenticated Diffie-Hellman key exchange and a protected CoAP request/response (which may contain an enrollment request and response) in two round trips <xref target="RFC9668"/>.</t>
          </li>
          <li>
            <t>The enrolled client certificate MAY be the CBOR-encoded certificates defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
          </li>
          <li>
            <t>The enrolled client certificate MAY be referenced instead of transported <xref target="RFC9360"/>.
The response to the PKCS#10 request MAY specify a reference to the enrolled certificate rather than the certificate itself (see <xref target="certs-by-reference"/>).</t>
          </li>
          <li>
            <t>The PKCS#10 object MAY request a certificate for a static DH key instead of a signature key.
This may result in a more compact request because the use of static DH keys may imply a proof-of-possession using a MAC, which is shorter than a signature.
Additionally, subsequent EDHOC sessions using static DH keys for authentication have less overhead than key exchange protocols using signature-based authentication credentials.</t>
          </li>
          <li>
            <t>When the EDHOC handshake precedes the enrollment request, it is RECOMMENDED for the EST-client to leverage the information from the EDHOC session on the selected cipher suite when making a decision on which type of credential to enroll.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="protocol-design-and-layering">
      <name>Protocol Design and Layering</name>
      <t>EST-oscore uses CoAP <xref target="RFC7252"/> and Block-Wise transfer <xref target="RFC7959"/> to transfer EST messages in the same way as <xref target="RFC9148"/>.
Instead of the DTLS record layer, OSCORE <xref target="RFC8613"/> is used to protect the messages conveying the EST payloads.
External Authorization Data (EAD) fields of EDHOC messages are intentionally not used to carry EST payloads because EDHOC needs not be executed in the case of re-enrollment.
The DTLS handshake is replaced with EDHOC <xref target="RFC9528"/>.
<xref target="fig-stack"/> below shows the layered EST-oscore architecture.
Protocol design also allows that OSCORE and EDHOC messages are carried within the same CoAP message, as per <xref target="RFC9668"/>.</t>
      <figure anchor="fig-stack">
        <name>The stack diagram of EST protected with OSCORE.</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="144" width="256" viewBox="0 0 256 144" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,64 L 8,128" fill="none" stroke="black"/>
              <path d="M 112,32 L 112,96" fill="none" stroke="black"/>
              <path d="M 248,32 L 248,128" fill="none" stroke="black"/>
              <path d="M 112,32 L 248,32" fill="none" stroke="black"/>
              <path d="M 8,64 L 248,64" fill="none" stroke="black"/>
              <path d="M 8,96 L 248,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 248,128" fill="none" stroke="black"/>
              <g class="text">
                <text x="144" y="52">EST</text>
                <text x="196" y="52">messages</text>
                <text x="64" y="84">EDHOC</text>
                <text x="172" y="84">OSCORE</text>
                <text x="92" y="116">CoAP</text>
                <text x="124" y="116">or</text>
                <text x="156" y="116">HTTP</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
             +----------------+
             |  EST messages  |
+------------+----------------+
|    EDHOC   |    OSCORE      |
+------------+----------------+
|        CoAP or HTTP         |
+-----------------------------+
]]></artwork>
        </artset>
      </figure>
      <t>EST-oscore follows much of the EST-coaps and EST design.
This includes the need to authenticate the EST-server before performing any request on the different EST endpoints specified in this document.</t>
      <section anchor="discovery">
        <name>Discovery and URI</name>
        <t>The discovery of EST resources and the definition of the short EST-coaps URI paths specified in Section 4.1 of <xref target="RFC9148"/>, as well as the new Resource Type defined in <xref section="8.2" sectionFormat="of" target="RFC9148"/> apply to EST-oscore.
In a web link targeting a resource for EST-oscore, it is REQUIRED to indicate that the resource is only accessible using OSCORE, by means of the "osc" target attribute defined in <xref section="9" sectionFormat="of" target="RFC8613"/>.</t>
        <t>Example:</t>
        <artwork><![CDATA[
     REQ: GET /.well-known/core?rt=ace.est.sen

     RES: 2.05 Content
       Content-Format: 40 (application/link-format)
       Payload:
         </est>;rt=ace.est.sen;osc
]]></artwork>
      </section>
      <section anchor="est-functions">
        <name>Mandatory/optional EST Functions</name>
        <t>The EST-oscore specification has the same set of required-to-implement functions as EST-coaps.
The content of <xref target="table_functions"/> is adapted from Section 4.2 in <xref target="RFC9148"/> and uses the updated URI paths (see <xref target="discovery"/>).</t>
        <table anchor="table_functions">
          <name>Mandatory and optional EST-oscore functions.</name>
          <thead>
            <tr>
              <th align="left">EST functions</th>
              <th align="left">EST-oscore implementation</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">/crts</td>
              <td align="left">MUST</td>
            </tr>
            <tr>
              <td align="left">/sen</td>
              <td align="left">MUST</td>
            </tr>
            <tr>
              <td align="left">/sren</td>
              <td align="left">MUST</td>
            </tr>
            <tr>
              <td align="left">/skg</td>
              <td align="left">OPTIONAL</td>
            </tr>
            <tr>
              <td align="left">/skc</td>
              <td align="left">OPTIONAL</td>
            </tr>
            <tr>
              <td align="left">/att</td>
              <td align="left">OPTIONAL</td>
            </tr>
          </tbody>
        </table>
        <section anchor="crts">
          <name>/crts</name>
          <t>EST-oscore provides the /crts operation.
A successful request from the client to this resource will be answered with one or more certificates, subsequently installed in the TA database (once the server is authenticated), resulting in Explicit TAs.</t>
          <t>A trust anchor is commonly a self-signed certificate of the CA public key, of the format indicated by the CoAP Accept option present in the request.
In order to reduce transport overhead, the trust anchor could be a CBOR encoding of an X.509 certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, or a CWT Claims Set (CCS) <xref target="RFC8392"/>, containing the CA public key and associated data without a signature.</t>
        </section>
      </section>
      <section anchor="payload-formats">
        <name>Payload formats</name>
        <t>Similar to EST-coaps, EST-oscore allows transport of DER-encoded objects of a given Media-Type.
When transporting DER-encoded objects, EST-oscore uses the same CoAP Content-Format identifiers as EST-coaps when transferring EST requests and responses.
In addition, EST-oscore allows the transport of CBOR-encoded objects, as indicated by their corresponding Media-Type.</t>
        <t>EST-oscore servers MUST support both the DER-encoded ASN.1 objects and the CBOR-encoded objects, i.e., they MUST support formats detailed in <xref target="der"/> and <xref target="cbor"/>.
It is up to the client to support only DER-encoded ASN.1, only CBOR encoding, or both.
Based on the client encoding of the CSR (DER encoding or CBOR encoding), the server is able to tell whether the client prefers a DER-encoded object (<xref target="der"/>) or a CBOR-encoded object (<xref target="cbor"/>) in response.
In addition, Content-Format negotiation for specific objects happens through the CoAP Accept option present in the requests.
The CoAP Accept option may not be present; this is a case which carries special semantics, see <xref target="der"/> and <xref target="cbor"/>.</t>
        <section anchor="der">
          <name>DER-encoded ASN.1 Objects</name>
          <t><xref target="table_mediatype_asn1"/> summarizes the information from Section 4.3 in <xref target="RFC9148"/> for what concerns the transport of DER-encoded ASN.1 objects.</t>
          <table anchor="table_mediatype_asn1">
            <name>EST functions and the associated ASN.1 CoAP Content-Format identifiers.</name>
            <thead>
              <tr>
                <th align="left">URI</th>
                <th align="left">Media Type</th>
                <th align="left">Type</th>
                <th align="left">#IANA</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">/crts</td>
                <td align="left">N/A</td>
                <td align="left">req</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/pkix-cert</td>
                <td align="left">res</td>
                <td align="left">287</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/pkcs7-mime;smime-type=certs-only</td>
                <td align="left">res</td>
                <td align="left">281</td>
              </tr>
              <tr>
                <td align="left">/sen</td>
                <td align="left">application/pkcs10</td>
                <td align="left">req</td>
                <td align="left">286</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/pkix-cert</td>
                <td align="left">res</td>
                <td align="left">287</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/pkcs7-mime;smime-type=certs-only</td>
                <td align="left">res</td>
                <td align="left">281</td>
              </tr>
              <tr>
                <td align="left">/sren</td>
                <td align="left">application/pkcs10</td>
                <td align="left">req</td>
                <td align="left">286</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/pkix-cert</td>
                <td align="left">res</td>
                <td align="left">287</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/pkcs7-mime;smime-type=certs-only</td>
                <td align="left">res</td>
                <td align="left">281</td>
              </tr>
              <tr>
                <td align="left">/skg</td>
                <td align="left">application/pkcs10</td>
                <td align="left">req</td>
                <td align="left">286</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/multipart-core</td>
                <td align="left">res</td>
                <td align="left">62</td>
              </tr>
              <tr>
                <td align="left">/skc</td>
                <td align="left">application/pkcs10</td>
                <td align="left">req</td>
                <td align="left">286</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/multipart-core</td>
                <td align="left">res</td>
                <td align="left">62</td>
              </tr>
              <tr>
                <td align="left">/att</td>
                <td align="left">N/A</td>
                <td align="left">req</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/csrattrs</td>
                <td align="left">res</td>
                <td align="left">285</td>
              </tr>
            </tbody>
          </table>
          <t>Content-Format 281 and Content-Format 287 MUST be supported by EST-oscore servers.
It is up to the client to support only Content-Format 281, only Content-Format 287, or both.
As indicated in <xref section="4.3" sectionFormat="of" target="RFC9148"/>, the client will use a CoAP Accept Option in the request to express the preferred response Content-Format.
If an Accept Option is not included in the request, the client is not expressing any preference and the server SHOULD choose format 281.
An exception to this "SHOULD" is in the case when the request contains a CBOR-encoded object (e.g. application/cose-c509-pkcs10), when the server SHOULD respond with a CBOR-encoded object (see <xref target="cbor"/>).</t>
          <t>The generated response for /skg and /skc requests contains two parts: certificate and the corresponding private key.
<xref section="4.8" sectionFormat="of" target="RFC9148"/> specifies that the private key in response to /skc request may be either an encrypted (PKCS #7) or unencrypted (PKCS #8) key, depending on whether the CSR request included SMIMECapabilities.</t>
          <t>Due to the use of OSCORE, which protects the communication between the EST client and the EST server end-to-end, it is possible to return the private key to /skc or /skg as an unencrypted PKCS #8 object (Content-Format identifier 284).
Therefore, when making the CSR to /skc or /skg, the EST client MUST NOT include SMIMECapabilities.
As a consequence, the private key part of the response to /skc or /skg is an unencrypted PKCS #8 object.</t>
          <table anchor="table_cft_skg_skc">
            <name>Response Content-Format identifiers for /skg and /skc in case of DER-encoded ASN.1 objects.</name>
            <thead>
              <tr>
                <th align="left">Function</th>
                <th align="left">DER-encoded ASN.1 Response, Part 1</th>
                <th align="left">DER-encoded ASN.1 Response, Part 2</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">/skg</td>
                <td align="left">284</td>
                <td align="left">281</td>
              </tr>
              <tr>
                <td align="left">/skc</td>
                <td align="left">284</td>
                <td align="left">287</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="cbor">
          <name>CBOR-encoded Objects</name>
          <t><xref target="table_mediatype_cbor"/> presents the equivalent information to <xref target="der"/> when CBOR-encoded objects are in use.</t>
          <table anchor="table_mediatype_cbor">
            <name>EST functions and the associated CBOR CoAP Content-Format identifiers.</name>
            <thead>
              <tr>
                <th align="left">URI</th>
                <th align="left">Media Type</th>
                <th align="left">Type</th>
                <th align="left">#IANA</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">/crts</td>
                <td align="left">N/A</td>
                <td align="left">req</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/cose-c509-cert</td>
                <td align="left">res</td>
                <td align="left">TBD3</td>
              </tr>
              <tr>
                <td align="left">/sen</td>
                <td align="left">application/cose-c509-pkcs10</td>
                <td align="left">req</td>
                <td align="left">TBD4</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/cose-c509-cert</td>
                <td align="left">res</td>
                <td align="left">TBD3</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/multipart-core</td>
                <td align="left">res</td>
                <td align="left">62</td>
              </tr>
              <tr>
                <td align="left">/sren</td>
                <td align="left">application/cose-c509-pkcs10</td>
                <td align="left">req</td>
                <td align="left">TBD4</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/cose-c509-cert</td>
                <td align="left">res</td>
                <td align="left">TBD3</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/multipart-core</td>
                <td align="left">res</td>
                <td align="left">62</td>
              </tr>
              <tr>
                <td align="left">/skg</td>
                <td align="left">application/cose-c509-pkcs10</td>
                <td align="left">req</td>
                <td align="left">TBD4</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/multipart-core</td>
                <td align="left">res</td>
                <td align="left">62</td>
              </tr>
              <tr>
                <td align="left">/skc</td>
                <td align="left">N/A</td>
                <td align="left">req</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">N/A</td>
                <td align="left">res</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">/att</td>
                <td align="left">N/A</td>
                <td align="left">req</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left"> </td>
                <td align="left">application/cose-c509-crtemplate</td>
                <td align="left">res</td>
                <td align="left">TBD19</td>
              </tr>
            </tbody>
          </table>
          <t>Please note that <xref section="4.4" sectionFormat="of" target="I-D.ietf-cose-cbor-encoded-cert"/> defines the format and the semantics of the response to /att.</t>
          <t>Content-Format TBD3 MUST be supported by both EST-oscore clients and servers.
A preference for any (future) Content-Format is to be expressed by the EST-client through the Accept option.</t>
          <t>If a CoAP Accept option is not included in the request, the client is not expressing preference and the server SHOULD respond with a response application/multipart-core that includes the reference(s) to the enrolled certificate (e.g., c5t, c5u).
The application/multipart-core response MUST include the reference(s) to the enrolled certificate which allows the client or any other party to retrieve it (e.g., through a coap URI secured with OSCORE).
The application/multipart-core response MAY also include the actual certificate.
The exact contents of the application/multipart-core response are dependent on the application policy.
Because x5u and c5u references are of the same type application/cbor and the corresponding CoAP Content Format (60), mixing them in the same application/multipart-core response is not supported.
An exception to the "SHOULD" is in the case when the request contains a DER-encoded ASN.1 object (e.g., application/pkcs10), when the server SHOULD respond with an appropriate ASN.1 object (see <xref target="der"/>).</t>
          <t>In the case of a request to /skg, the response contains two parts: certificate and the corresponding private key.
The certificate part is encoded as the application/cose-c509-cert object (Content-Format identifier TBD3), while the corresponding private key is encoded as application/cose-c509-privkey (Content-Format identifier TBD10).
The function /skc is not available when using CBOR-encoded objects, and clients MUST use the /skg function for server-side generated keys.</t>
          <t><xref target="table_cft_skg_cbor"/> summarizes the Content-Format identifiers used in responses to the /skg function.</t>
          <table anchor="table_cft_skg_cbor">
            <name>Response Content-Format identifiers for /skg in case of CBOR-encoded objects.</name>
            <thead>
              <tr>
                <th align="left">Function</th>
                <th align="left">CBOR Response, Part 1</th>
                <th align="left">CBOR Response Part 2</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">/skg</td>
                <td align="left">TBD10</td>
                <td align="left">TBD3</td>
              </tr>
            </tbody>
          </table>
        </section>
      </section>
      <section anchor="message-bindings">
        <name>Message Bindings</name>
        <t>Note that the EST-oscore message characteristics are identical to those specified in Section 4.4 of <xref target="RFC9148"/>.
Therefore, the following applies:</t>
        <ul spacing="normal">
          <li>
            <t>EST-oscore endpoints MUST support delayed responses (see <xref section="4.7" sectionFormat="of" target="RFC9148"/>)</t>
          </li>
          <li>
            <t>EST-oscore endpoints MUST support the following CoAP options: OSCORE, Uri-Host, Uri-Path, Uri-Port, Content-Format, Block1, Block2, and Accept.
EST-oscore servers MUST implement Block1 and Block2.
EST-oscore clients MUST implement Block2 and MAY implement Block1.</t>
          </li>
          <li>
            <t>The EST-coaps URLs based on coaps:// are translated to coap://, but with mandatory use of the CoAP OSCORE option.</t>
          </li>
        </ul>
      </section>
      <section anchor="coap-response-codes">
        <name>CoAP response codes</name>
        <t>See Section 4.5 in <xref target="RFC9148"/>.</t>
      </section>
      <section anchor="message-fragmentation">
        <name>Message Fragmentation</name>
        <t>The EDHOC key exchange is optimized for low message overhead, in particular when using static DH keys instead of signature keys for authentication (e.g., method 3 of <xref target="RFC9528"/>).
Together with various measures listed in this document such as CBOR-encoded payloads <xref target="RFC8949"/>, CBOR certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, certificates by reference (<xref target="optimizations"/>), and trust anchors without signature (<xref target="crts"/>), a significant reduction of message sizes can be achieved.</t>
        <t>Nevertheless, depending on the application, the protocol messages may become larger than the available frame size thus resulting in fragmentation and, in resource-constrained networks such as based on IEEE 802.15.4 where throughput is limited, fragment loss can trigger costly retransmissions.</t>
        <t>It is recommended to prevent 6LoWPAN fragmentation, since it involves an error-prone datagram reassembly.
To limit the size of the CoAP payload, this document specifies the requirements on implementing the CoAP options Block1 and Block2 (see <xref target="message-bindings"/>).</t>
      </section>
      <section anchor="delayed-responses">
        <name>Delayed Responses</name>
        <t>See <xref section="4.7" sectionFormat="of" target="RFC9148"/>.</t>
      </section>
      <section anchor="static-dh-keys">
        <name>Enrollment of Certificates with Static DH Keys</name>
        <t>This section specifies how the EST client enrolls a static DH key.
In general, a given key pair should only be used for a single purpose, such as key establishment, digital signature, or key transport.</t>
        <t>The EST client attempting to enroll a DH key for a key usage operation other than digital signature can use an alternative proof-of-possession algorithm.
The EST client SHOULD prepare the PKCS#10 object and compute a MAC, replacing the signature, over the certification request information by following the steps in <xref section="6" sectionFormat="of" target="RFC6955"/>.
The Key Derivation Function (KDF) and the MAC MUST be set to the HDKF and HMAC algorithms used by OSCORE.
The KDF and MAC is thus defined by the hash algorithm used by OSCORE in HKDF and HMAC, which by default is SHA-256.
When EDHOC is used, then the hash algorithm is the application hash algorithm of the selected cipher suite.</t>
        <t>In some cases, it may be beneficial to exceptionally use the static DH private key associated with the public key used in enrollment for a one-time signing operation of the CSR.
While a key pair should only be used for a single purpose (e.g., key establishment or signing), this exceptional use for one-time signing of the CSR is allowed, as discussed in Section 5.6.3.2 of <xref target="SP-800-56A"/> and Section 5.2 of <xref target="SP-800-57"/>.</t>
        <t>To generate a MAC according to the algorithm outlined in <xref section="6" sectionFormat="of" target="RFC6955"/>, the client needs to know the public DH key of the proof-of-possession recipient/verifier, i.e., the EST server.
In the general case, the EST client MAY obtain the CA certs including the CA's DH certificate using the /crts function using an explicit request/response flow.
The obtained certificate indicates the DH group parameters which MUST be respected by the EST client when generating its own DH key pair.</t>
        <t>As an optimization, when EDHOC precedes the enrollment and the optimized workflow based on the EDHOC + OSCORE combined request is being used as per <xref section="3" sectionFormat="of" target="RFC9668"/>, the client MUST use the ephemeral public key of the EDHOC Responder, G_Y, as the recipient public key in the algorithm outlined in <xref section="6" sectionFormat="of" target="RFC6955"/>.
When generating its DH key pair, the client uses the group parameters as indicated by the selected cipher suite used in the EDHOC session.</t>
      </section>
      <section anchor="certs-by-reference">
        <name>Enrollment of Certificates by Reference</name>
        <t>The EST client may indicate preference for enrolling a certificate by reference.
There are two cases to distinguish: 1) any certificate reference, or 2) a specific Content-Format.
In the first case, the EST client indicates preference for receiving any certificate by reference by sending a CBOR-encoded request without the CoAP Accept option.
In the second case, the EST client includes a Content-Format identifier in the CoAP Accept option indicating preference for receiving a specific reference (e.g., application/cose-certhash, application/cose-certhash;usage=c509, application/cbor containing a URI <xref target="I-D.ietf-cose-cbor-encoded-cert"/>).
It is out of the scope of this specification how the certificate by reference gets resolved to the actual certificate by other parties participating in the communication with the EST client.</t>
      </section>
    </section>
    <section anchor="proxying">
      <name>HTTP-CoAP Proxy</name>
      <t>As noted in Section 5 of <xref target="RFC9148"/>, in real-world deployments, the EST server will not always reside within the CoAP boundary.
The EST-server can be outside the constrained network in a non-constrained network that supports HTTP but not CoAP, thus requiring an intermediary CoAP-to-HTTP proxy.</t>
      <t>Since OSCORE is applicable to CoAP-mappable HTTP (see <xref section="11" sectionFormat="of" target="RFC8613"/>) the messages conveying the EST payloads can be protected end-to-end between the EST client and EST server, irrespective of the transport protocol or potential transport layer security that may need to be terminated at the proxy, see <xref target="fig-proxy"/>.
Therefore, the concept "Registrar" and its required trust relationship with EST server as described in Section 5 of <xref target="RFC9148"/> is not applicable.</t>
      <t>The mappings between CoAP and HTTP referred to in Section 8.1 of <xref target="RFC9148"/> apply, and additional mappings resulting from the use of OSCORE are specified in Section 11 of <xref target="RFC8613"/>.</t>
      <t>OSCORE provides end-to-end security between the EST Server and EST Client.
If a secure association is needed between the EST Client and the CoAP-to-HTTP Proxy, this may also rely on OSCORE <xref target="I-D.ietf-core-oscore-capable-proxies"/>.</t>
      <figure anchor="fig-proxy">
        <name>CoAP-to-HTTP proxy at the CoAP boundary.</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="520" viewBox="0 0 520 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,48 L 8,80" fill="none" stroke="black"/>
              <path d="M 16,112 L 16,160" fill="none" stroke="black"/>
              <path d="M 72,112 L 72,160" fill="none" stroke="black"/>
              <path d="M 88,48 L 88,80" fill="none" stroke="black"/>
              <path d="M 152,112 L 152,160" fill="none" stroke="black"/>
              <path d="M 272,48 L 272,104" fill="none" stroke="black"/>
              <path d="M 272,200 L 272,240" fill="none" stroke="black"/>
              <path d="M 296,112 L 296,160" fill="none" stroke="black"/>
              <path d="M 384,112 L 384,144" fill="none" stroke="black"/>
              <path d="M 480,112 L 480,144" fill="none" stroke="black"/>
              <path d="M 512,48 L 512,240" fill="none" stroke="black"/>
              <path d="M 8,48 L 88,48" fill="none" stroke="black"/>
              <path d="M 272,48 L 512,48" fill="none" stroke="black"/>
              <path d="M 8,80 L 88,80" fill="none" stroke="black"/>
              <path d="M 16,112 L 72,112" fill="none" stroke="black"/>
              <path d="M 152,112 L 296,112" fill="none" stroke="black"/>
              <path d="M 384,112 L 480,112" fill="none" stroke="black"/>
              <path d="M 80,128 L 144,128" fill="none" stroke="black"/>
              <path d="M 304,128 L 376,128" fill="none" stroke="black"/>
              <path d="M 384,144 L 480,144" fill="none" stroke="black"/>
              <path d="M 16,160 L 72,160" fill="none" stroke="black"/>
              <path d="M 152,160 L 296,160" fill="none" stroke="black"/>
              <path d="M 48,192 L 440,192" fill="none" stroke="black"/>
              <path d="M 272,240 L 512,240" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="448,192 436,186.4 436,197.6" fill="black" transform="rotate(0,440,192)"/>
              <polygon class="arrowhead" points="384,128 372,122.4 372,133.6" fill="black" transform="rotate(0,376,128)"/>
              <polygon class="arrowhead" points="312,128 300,122.4 300,133.6" fill="black" transform="rotate(180,304,128)"/>
              <polygon class="arrowhead" points="152,128 140,122.4 140,133.6" fill="black" transform="rotate(0,144,128)"/>
              <polygon class="arrowhead" points="88,128 76,122.4 76,133.6" fill="black" transform="rotate(180,80,128)"/>
              <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"/>
              <g class="text">
                <text x="364" y="36">Constrained-Node</text>
                <text x="464" y="36">Network</text>
                <text x="44" y="68">CA</text>
                <text x="48" y="100">|</text>
                <text x="108" y="116">HTTP</text>
                <text x="340" y="116">CoAP</text>
                <text x="40" y="132">EST</text>
                <text x="220" y="132">CoAP-to-HTTP</text>
                <text x="408" y="132">EST</text>
                <text x="452" y="132">Client</text>
                <text x="44" y="148">Server</text>
                <text x="112" y="148">(TLS)</text>
                <text x="224" y="148">Proxy</text>
                <text x="272" y="180">|</text>
                <text x="204" y="212">OSCORE</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
                                       Constrained-Node Network
  .---------.                      .-----------------------------.
  |   CA    |                      |                             |
  '---------'                      |                             |
       |                           |                             |
   .------.  HTTP   .-----------------.   CoAP   .-----------.   |
   | EST  |<------->|  CoAP-to-HTTP   |<-------->| EST Client|   |
   |Server|  (TLS)  |      Proxy      |          '-----------'   |
   '------'         '-----------------'                          |
                                   |                             |
       <------------------------------------------------>        |
                        OSCORE     |                             |
                                   |                             |
                                   '-----------------------------'
]]></artwork>
        </artset>
      </figure>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="server-generated-private-keys">
        <name>Server-generated Private Keys</name>
        <t>This document enables the EST client to request the generation of private keys and the enrollment of the corresponding public key through /skg and /skc functions.
As discussed in <xref section="9" sectionFormat="of" target="RFC9148"/>, the transport of private keys generated at the EST-server is inherently risky.
The use of server-generated private keys may lead to the increased probability of digital identity theft.
Therefore, implementations SHOULD NOT use server-generated private key EST functions.</t>
        <t>A cryptographically-secure pseudo-random number generator is required to be available to generate good quality private keys on EST-clients.
A cryptographically-secure pseudo-random number generator is also a dependency of many security protocols.
This includes the EDHOC protocol, which EST-oscore uses for the mutual authentication of EST-client and EST-server.
If EDHOC is used and a secure pseudo-random number generator is available, the EST-client MUST NOT use server-generated private key EST functions.
However, EST-oscore also allows pre-shared OSCORE security contexts to be used for authentication, meaning that EDHOC may not necessarily be present in the protocol stack of an EST-client.
If EDHOC is not used for authentication, and the EST-client device does not have a cryptographically secure pseudo-random number generator, then the EST-client MAY use the server-generated private key functions.</t>
        <t>Although hardware random number generators are becoming dominantly present in modern IoT devices, it has been shown that many available hardware modules contain vulnerabilities and do not produce cryptographically secure random numbers.
It is therefore important to use multiple randomness sources to seed the cryptographically secure pseudo-random number generator.</t>
      </section>
      <section anchor="considerations-on-channel-binding">
        <name>Considerations on Channel Binding</name>
        <t><xref section="3" sectionFormat="of" target="RFC9148"/> specifies that the use of connection-based channel binding is optional, and achieves it by including the tls-unique value in the CSR.
As a special case, when used with EDHOC for the enrollment of static DH keys, this specification achieves connection-based channel binding by using the EDHOC ephemeral public key of the Responder as the public key in the proof-of-possession algorithm that generates a PKCS#10 MAC.
Therefore, connection-based channel binding is in this case achieved without any additional overhead.</t>
        <t>Other cases include pre-shared OSCORE security contexts and the case where the signature key used for signing the CSR is different from the key used in the EDHOC session.
In these other cases, this specification makes explicit channel binding based on the challengePassword attribute in PKCS#10 requests OPTIONAL.
For example, the challengePassword attribute could be used for freshness in the case of pre-shared OSCORE security contexts and of a re-enrollment request.</t>
        <t>EST-servers MUST support the challengePassword attribute in PKCS#10 requests.
How challengePassword is processed is outside of the scope of this specification and can be specified by an application policy.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document does not require any IANA registrations.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC6955" target="https://www.rfc-editor.org/info/rfc6955" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6955.xml">
          <front>
            <title>Diffie-Hellman Proof-of-Possession Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <author fullname="H. Prafullchandra" initials="H." surname="Prafullchandra"/>
            <date month="May" year="2013"/>
            <abstract>
              <t>This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair and one method for producing an integrity check value from an Elliptic Curve key pair. This behavior is needed for such operations as creating the signature of a Public-Key Cryptography Standards (PKCS) #10 Certification Request. These algorithms are designed to provide a Proof-of-Possession of the private key and not to be a general purpose signing algorithm.</t>
              <t>This document obsoletes RFC 2875.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6955"/>
          <seriesInfo name="DOI" value="10.17487/RFC6955"/>
        </reference>
        <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7925" target="https://www.rfc-editor.org/info/rfc7925" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7925.xml">
          <front>
            <title>Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things</title>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>A common design pattern in Internet of Things (IoT) deployments is the use of a constrained device that collects data via sensors or controls actuators for use in home automation, industrial control systems, smart cities, and other IoT deployments.</t>
              <t>This document defines a Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) 1.2 profile that offers communications security for this data exchange thereby preventing eavesdropping, tampering, and message forgery. The lack of communication security is a common vulnerability in IoT products that can easily be solved by using these well-researched and widely deployed Internet security protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7925"/>
          <seriesInfo name="DOI" value="10.17487/RFC7925"/>
        </reference>
        <reference anchor="RFC7959" target="https://www.rfc-editor.org/info/rfc7959" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml">
          <front>
            <title>Block-Wise Transfers in the Constrained Application Protocol (CoAP)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="Z. Shelby" initials="Z." role="editor" surname="Shelby"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred.</t>
              <t>Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion.</t>
              <t>A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7959"/>
          <seriesInfo name="DOI" value="10.17487/RFC7959"/>
        </reference>
        <reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9052" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9053" target="https://www.rfc-editor.org/info/rfc9053" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
              <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9053"/>
          <seriesInfo name="DOI" value="10.17487/RFC9053"/>
        </reference>
        <reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8613" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC9148" target="https://www.rfc-editor.org/info/rfc9148" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9148.xml">
          <front>
            <title>EST-coaps: Enrollment over Secure Transport with the Secure Constrained Application Protocol</title>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="S. Raza" initials="S." surname="Raza"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9148"/>
          <seriesInfo name="DOI" value="10.17487/RFC9148"/>
        </reference>
        <reference anchor="RFC9528" target="https://www.rfc-editor.org/info/rfc9528" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9528.xml">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9360" target="https://www.rfc-editor.org/info/rfc9360" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9360"/>
          <seriesInfo name="DOI" value="10.17487/RFC9360"/>
        </reference>
        <reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8392" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC9668" target="https://www.rfc-editor.org/info/rfc9668" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9668.xml">
          <front>
            <title>Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <author fullname="R. Höglund" initials="R." surname="Höglund"/>
            <author fullname="S. Hristozov" initials="S." surname="Hristozov"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <date month="November" year="2024"/>
            <abstract>
              <t>The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) can be run over the Constrained Application Protocol (CoAP) and used by two peers to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol by specifying a number of additional and optional mechanisms, including an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9668"/>
          <seriesInfo name="DOI" value="10.17487/RFC9668"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-20" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-cbor-encoded-cert.xml">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 certificates. The CBOR encoding supports a large subset of RFC 5280 and common certificate profiles, and it is extensible. Two types of C509 certificates are defined. One type is an invertible CBOR re-encoding of DER-encoded X.509 certificates with the signature field copied from the DER encoding. The other type is identical except that the signature is computed over the CBOR encoding instead of the DER encoding, thereby avoiding the use of ASN.1. Both types of certificates have the same semantics as X.509 while providing comparable size reduction. This document also specifies CBOR-encoded data structures for certification requests and certification request templates, new COSE headers, as well as a TLS certificate type and a file format for C509. This document updates RFC 6698 by extending the TLSA selectors registry to include C509 certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC5272" target="https://www.rfc-editor.org/info/rfc5272" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5272.xml">
          <front>
            <title>Certificate Management over CMS (CMC)</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <author fullname="M. Myers" initials="M." surname="Myers"/>
            <date month="June" year="2008"/>
            <abstract>
              <t>This document defines the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This protocol addresses two immediate needs within the Internet Public Key Infrastructure (PKI) community:</t>
              <t>1. The need for an interface to public key certification products and services based on CMS and PKCS #10 (Public Key Cryptography Standard), and</t>
              <t>2. The need for a PKI enrollment protocol for encryption only keys due to algorithm or hardware design.</t>
              <t>CMC also requires the use of the transport document and the requirements usage document along with this document for a full definition. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5272"/>
          <seriesInfo name="DOI" value="10.17487/RFC5272"/>
        </reference>
        <reference anchor="RFC6024" target="https://www.rfc-editor.org/info/rfc6024" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6024.xml">
          <front>
            <title>Trust Anchor Management Requirements</title>
            <author fullname="R. Reddy" initials="R." surname="Reddy"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>A trust anchor represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative. A relying party uses trust anchors to determine if a digitally signed object is valid by verifying a digital signature using the trust anchor's public key, and by enforcing the constraints expressed in the associated data for the trust anchor. This document describes some of the problems associated with the lack of a standard trust anchor management mechanism and defines requirements for data formats and push-based protocols designed to address these problems. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6024"/>
          <seriesInfo name="DOI" value="10.17487/RFC6024"/>
        </reference>
        <reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7228" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Ersue" initials="M." surname="Ersue"/>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7228"/>
          <seriesInfo name="DOI" value="10.17487/RFC7228"/>
        </reference>
        <reference anchor="RFC7030" target="https://www.rfc-editor.org/info/rfc7030" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7030.xml">
          <front>
            <title>Enrollment over Secure Transport</title>
            <author fullname="M. Pritikin" initials="M." role="editor" surname="Pritikin"/>
            <author fullname="P. Yee" initials="P." role="editor" surname="Yee"/>
            <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/>
            <date month="October" year="2013"/>
            <abstract>
              <t>This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7030"/>
          <seriesInfo name="DOI" value="10.17487/RFC7030"/>
        </reference>
        <reference anchor="RFC9031" target="https://www.rfc-editor.org/info/rfc9031" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9031.xml">
          <front>
            <title>Constrained Join Protocol (CoJP) for 6TiSCH</title>
            <author fullname="M. Vučinić" initials="M." role="editor" surname="Vučinić"/>
            <author fullname="J. Simon" initials="J." surname="Simon"/>
            <author fullname="K. Pister" initials="K." surname="Pister"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9031"/>
          <seriesInfo name="DOI" value="10.17487/RFC9031"/>
        </reference>
        <reference anchor="RFC9110" target="https://www.rfc-editor.org/info/rfc9110" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9110.xml">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC9112" target="https://www.rfc-editor.org/info/rfc9112" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9112.xml">
          <front>
            <title>HTTP/1.1</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document specifies the HTTP/1.1 message syntax, message parsing, connection management, and related security concerns.</t>
              <t>This document obsoletes portions of RFC 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="99"/>
          <seriesInfo name="RFC" value="9112"/>
          <seriesInfo name="DOI" value="10.17487/RFC9112"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-groupcomm" target="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm-28" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-groupcomm.xml">
          <front>
            <title>Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="23" month="December" year="2025"/>
            <abstract>
              <t>This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of messages exchanged with the Constrained Application Protocol (CoAP) between members of a group, e.g., sent over IP multicast. In particular, the described protocol defines how OSCORE is used in a group communication setting to provide source authentication for CoAP group requests, sent by a client to multiple servers, and for protection of the corresponding CoAP responses. Group OSCORE also defines a pairwise mode where each member of the group can efficiently derive a symmetric pairwise key with each other member of the group for pairwise OSCORE communication. Group OSCORE can be used between endpoints communicating with CoAP or CoAP- mappable HTTP.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupcomm-28"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-capable-proxies" target="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-capable-proxies-06" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-capable-proxies.xml">
          <front>
            <title>OSCORE-capable Proxies</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>When using the Constrained Application Protocol (CoAP), messages exchanged between two endpoints can be protected end-to-end at the application layer by means of Object Security for Constrained RESTful Environments (OSCORE), also in the presence of intermediaries such as proxies. This document defines how to use OSCORE for protecting CoAP messages also between an origin application endpoint and an intermediary, or between two intermediaries. Also, it defines rules to escalate the protection of a CoAP option, in order to encrypt and integrity-protect it whenever possible. Finally, it defines how to secure a CoAP message by applying multiple, nested OSCORE protections, e.g., both end-to-end between origin application endpoints; and between an application endpoint and an intermediary or between two intermediaries. Therefore, this document updates RFC 8613. Furthermore, this document updates RFC 8768, by explicitly defining the processing with OSCORE for the CoAP Hop-Limit Option. The approach defined in this document can be seamlessly employed also with Group OSCORE, for protecting CoAP messages when group communication is used in the presence of intermediaries.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-capable-proxies-06"/>
        </reference>
        <reference anchor="SP-800-57" target="https://doi.org/10.6028/NIST.SP.800-57pt1r5">
          <front>
            <title>Recommendation for Key Management</title>
            <author initials="E." surname="Barker">
              <organization/>
            </author>
            <date year="2020" month="May"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-57 Revision 5"/>
        </reference>
        <reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.800-56Ar3">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
            <author initials="E." surname="Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis">
              <organization/>
            </author>
            <date year="2018" month="April"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3"/>
        </reference>
      </references>
    </references>
    <?line 508?>

<section anchor="example-enrollment-with-optimizations">
      <name>Example Enrollment With Optimizations</name>
      <t>The message flow starts with the EST client sending EDHOC message_1.
The EDHOC handshake follows and concludes with the EDHOC message_3.
EDHOC message_3 is carried in the same message as the OSCORE enrollment request, as specified in <xref target="RFC9668"/>.
The OSCORE enrollment request contains a CoAP POST to the /sen endpoint.
This POST request includes the Content-Format option set to the value application/cose-c509-pkcs10, and the Accept option set to the value application/cose-c509-cert, indicating the support for CBOR-encoded objects.
In response, the client receives the application/cose-c509-cert object that contains the certificate.</t>
      <figure anchor="fig-sen-optimizations">
        <name>Enrollment EST-oscore flow with optimizations.</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="368" width="320" viewBox="0 0 320 368" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,48 L 8,336" fill="none" stroke="black"/>
              <path d="M 312,48 L 312,336" fill="none" stroke="black"/>
              <path d="M 8,80 L 304,80" fill="none" stroke="black"/>
              <path d="M 16,112 L 312,112" fill="none" stroke="black"/>
              <path d="M 8,176 L 304,176" fill="none" stroke="black"/>
              <path d="M 16,288 L 312,288" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="312,176 300,170.4 300,181.6" fill="black" transform="rotate(0,304,176)"/>
              <polygon class="arrowhead" points="312,80 300,74.4 300,85.6" fill="black" transform="rotate(0,304,80)"/>
              <polygon class="arrowhead" points="24,288 12,282.4 12,293.6" fill="black" transform="rotate(180,16,288)"/>
              <polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill="black" transform="rotate(180,16,112)"/>
              <g class="text">
                <text x="16" y="36">EST</text>
                <text x="60" y="36">Client</text>
                <text x="248" y="36">EST</text>
                <text x="292" y="36">Server</text>
                <text x="72" y="68">EDHOC</text>
                <text x="136" y="68">message_1</text>
                <text x="72" y="100">EDHOC</text>
                <text x="136" y="100">message_2</text>
                <text x="72" y="132">EDHOC</text>
                <text x="136" y="132">message_3</text>
                <text x="112" y="148">+</text>
                <text x="76" y="164">OSCORE</text>
                <text x="136" y="164">request</text>
                <text x="180" y="164">to</text>
                <text x="212" y="164">/sen</text>
                <text x="116" y="196">POST</text>
                <text x="220" y="196">/.well-known/est/sen</text>
                <text x="128" y="212">Accept:</text>
                <text x="180" y="212">TBD3</text>
                <text x="160" y="228">Content-Format:</text>
                <text x="244" y="228">TBD4</text>
                <text x="132" y="244">Payload:</text>
                <text x="236" y="244">cose-c509-pkcs10</text>
                <text x="76" y="276">OSCORE</text>
                <text x="140" y="276">response</text>
                <text x="116" y="308">2.04</text>
                <text x="168" y="308">Changed</text>
                <text x="160" y="324">Content-Format:</text>
                <text x="244" y="324">TBD3</text>
                <text x="132" y="340">Payload:</text>
                <text x="228" y="340">cose-c509-cert</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
EST Client                   EST Server
|                                     |
|     EDHOC message_1                 |
+------------------------------------>|
|     EDHOC message_2                 |
|<------------------------------------+
|     EDHOC message_3                 |
|            +                        |
|     OSCORE request to /sen          |
+------------------------------------>|
|           POST /.well-known/est/sen |
|           Accept: TBD3              |
|           Content-Format: TBD4      |
|           Payload: cose-c509-pkcs10 |
|                                     |
|     OSCORE response                 |
|<------------------------------------+
|           2.04 Changed              |
|           Content-Format: TBD3      |
|           Payload: cose-c509-cert   |

]]></artwork>
        </artset>
      </figure>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank Timothy Claeys for his work on the initial versions of this document.</t>
      <t>The authors would also like to thank
<contact fullname="Esko Dijk"/>,
<contact fullname="Marco Tiloca"/>, and
<contact fullname="John Mattsson"/>
for providing a review of the document.</t>
      <t>Work on this document has in part been supported by the Horizon Europe Framework Programme project OpenSwarm (grant agreement No. 101093046).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9193XbjSHLmPZ8iV3XRkpuk/kqqKvX0zLAkVZfc9aOV1O6d
qzogmBRhgQAHACXRknzrK7+D9yX2AWzve2385R8AUqzqnnO85unTRRFAZmRk
ZMQXkZGBXq/XqZIq1UfqvMgrHVdJdq1OL6/UebRI82hUqrukmqjPl8efL047
0XBY6NsjvKGXl3Fe6M4oj7NoCs+Pimhc9RJdjXtRrHtxHs16uqzkvt7ubqeT
zIojVRXzstrb2Xmzs9eJo+pIldWoU86H06QskzyrFjNo7Oz06l0nKnR0pC51
PC+SatG5y4ub6yKfz47U4PhU/Qp/IrE/4U+dG72A6yN4Mqt0kemqd4L0dOJ8
BDcdqTmQ9bozS47UCxVHmZqXWkVFES3UZjJWUZqqhS63VF6oSVRO1ETD0JSq
8vgIL8DXMi+qQo9L+/di6v8Jd470rJocqb1OJ5pXk7w4gp/x05N/lUoyuP+n
PgwpjbKRLuwF5uBP//F/CiCtcTUvYACnRRKXZZ6pwVt7QU+jJD1S1zk81i/l
sT9rubMf59N2Ei776iL6p6jW/eUkmiSj8Ap1fXF2eVrvs6Sb+wXc/Ocigc7b
e/rYV+/mxXyiR7XOPkYFiFrjIvX3Sd/Py3qHU3qgP+YH/pzhPSQNy4cJnf/D
/D//NcmS//yXRvdp8n//d9RynSg4y4okalKQJmXUv53H8ET85wTv6Y+LTifL
i2lUJbf6qAPPXLw73tvdfXPEXw/fHBzI19dvXppfX+0d7Jmvb/YO7NcDc8Ob
HXsDfN03LRzumq9vdl++Nl8P9szX1y9fHrobXpmv+4c75ob9N7bdw0N67Kx3
0qdVG+clLNthXvR0BstGj3qxLioYU5KN6yM82Htl2jnc2Xtph2UpebWzv2MH
sL9ridrdcV/3at2DlhBlQRML8zpdekcczaJhqnuzIr9PdEl0XZ73Xu/s9A5e
8cqrouJag36ZVNWsPNreHuVJH2Z3e3enDzS/3v50dnnVvzzv8zOzarc44OdY
H15oJEBnIxg4LDtggfpZL0Bysuhaw+8V3VzCatMlcsgs9w1sd+NIbVzOdJxE
qTqfD9Mk5la4L2j7NkFlpw426KmVCuO0r95GxY0oBCCH5Heh9nb2dvxhHw6+
YdyHg2L/mVGfR0nR+zUBhQnj752WFTA+KSfIAnUZT4AXpfqlRFV8kpRxoSut
PuTXEejsyVQdF4tZlV8X0Wyy+GaGHQ4cx/a/mmONyx/66niis/aLA9CN+TV8
vVksveEfIjBVqb5tv+Gir04ioNabrsGsSFKYsN3XnU6n1+upaFhWRRRXnc5p
VuRpSszMb3XB5k6rK1Dp5QxsjtoEY7ulklJFCtdjMkbWaAWCzxxBxsMfYIDy
lJt4f3V1fqkeHmQZPj2hWTvOB+cl/4i64+mp37maQKtgv+fUe4ncH8PcqEl+
B/YMzGRRLAgLUKvVREMjGdKdZHoEY5rZWTo3/W9iN1tED2AJuIvRw/Af4S9r
yUmq/KYuoJPxPFWn2W1S5BmSU6pNxhxbSKc21El/w3mSAjSBb0gVohGEG8Hw
wie68EiFRr8UKKPAVqrTGUpvASJ3koxh6L33GqYCTDAN+Pjz5Slw/+T95+Mt
nNlKRyOVj9XJ1YfLNqKitMwVSAU0eA39IGX+hMFo53EFcws812MaNxjAh4dn
9O/TU1fdTZJ4QrBlqFU+w94AsSxwPCPoNs+uy2Sk1f/qH+y88fss+yxt02Q0
SnWn8wLRUZGPgA4kWD28SPDvp07nc6ZxaETzBNrWGQ6BJg9gTZovUMoiWZmk
B8+ycRHZManN85/PtmhisQ0DwrBNkDKgT22e5SzGPk+0FX6YIB1HiMr0fVIS
CnUXrXzDIoC+srwiLkyTf4LxY5+xJ0zaFyJeBGCWUN55lPwgTxmQ106OKFEk
A+gWHnCTMASzVGgGW6XPzBnPNK5dEItSunx2yftLl1hqrhhwPjPgnAUV1pwZ
6cEePIOyjVJqKXqFFHkijBrCXNyFXsxX87B9FgEFsS7UFSMNij4Z0sCmGjQx
T8MsdCFaqPScCekAIA12IL85JQTCru8rnRHTQBvR49UkqkwvJfRclrTU4EeU
usjTSGm0gD5xLLJs6CLNGEwm2DcYBqwg4AVqO2rcNQeTYVmuR5Y4bIkWudec
UNabwg8ISIi1ZvZ1hj+V8O+oV+WwrEdg/jwdOE3uoQnqHCmlWaGOx0A7kNYc
EJiTSG2WWgP3LjUv491dvNfyEhTme1AguhvOgbDBaWaPKI8nRgvM0ZVIadlb
VhCR1QSw2fVECfDiq2lEkz7U1Z3WWTgiXHfMP5QgMP3X2TOrtsv6HVuE4eH6
A8wBiKSAYZRz4GtUUhdddfz284XIEYBrFHLslRQ3i/QOrQfzfd/cAT4eLt0Z
+hTxPI0Kdc1kkFFGpsLVUlcVqa479AaNeKgStE4prABdNJ8OebL0PWhOUJsj
J0iZZgkBvt+Ac4hyCusFvIfpfNq1Qzm8Si6P3xsi93eRSOAOcoilBfhAHCVU
7FoPTEcLdsZl9SuR7vifTGcpgVc0HDAEsiA8F9PpPDPCZqS0S2MsNOplGKK0
g/fncAEW/LyYgdUq3WB8jV5osDTGEoJBgwfzCpBQVoFMnBcJarZcFfMsE40h
Q+BeLabxrGU1cdrXGPaKZ2deVmw6gMUUYoDuU7qlnCQzK5oGL3BPKoZFnFV2
Nr0rgFNBawlIamlwCggc5nUYIQcFiMyA/eAYw7gNq+xyB1mvQJ/RzMrdyHL4
WuQ5rzrso985y2CpArt5WAT71mmW0RkIiRFDhm8NVYxqII/haRCFqR4lYPbS
RWuvbeTB6nF9QzcjIOumxoS1QVVXRP4ArfOWm29cNSVKBtM5Wy4ooOkQqi6Z
IfhVG2cFxQfs0NzqN3h+JpDHM2wgl9xiiyigBWfThJcTVJbIBYOaWJAssUlZ
zhkz+QADGYsGZCkhgWwDNR4VDko4neODGYFrgC9nCLaBBotMwDv+O4WAlUBB
AS5eMRKDAn0WAG6iGDg0XIh89f3b3TTX7kXq0+R6AgsL/08uGTIFRzoChbdw
smjnliben3fs6jifzkDtsjaHHmAI0I4MCkbZxLWM3n25Fpv4LJjeIutew9BE
hN88jK7QYITRjpqmJZCyookrFhtHlDO2lrWeHb5H/GD0km8LAThjrBON3cyg
PmtSszzrPXczmt1t/F/ZtfY6YpxCGAM7X5C4oCBG2cItargEKpu8eUFVfLMw
gf6AiwQzrkiJAYvAtG1c6OsEiSo2iMykQmH56zwpyKo2FifJqqwzs8Ci0gJL
0vYG4BygEPiuXVKyohrn4g0IUAKw1Ucv50oXYGXzNL9eKPRyKvf3U4fIRunE
eHGpNj7+cnm10eV/1afP9P3i9H/+cnZxeoLfL98PPnywXzpyx+X7z798OHHf
3JPHnz9+PP10wg/Dryr4qbPxcfCXDUYhG5/Pr84+fxp82LC2zSJswqCEHBL0
pWYYVgGTXXYCDr09Pv/3f9t9Ccz5HxJ2JLSDf7zeffUS/gDsknFveQaiyn8C
8xYd4JkG4JNkFP2Oo1lSgW7q4iyUgIkzioH3O3/4UwpypnqHf/pjp+4GkD/t
MVeNi3za5gbh8OZFhhNnbYXv5AB9XXNT117EIKM4H5q6URtXJEmDLJ7kIGhj
gBr5HStknwwjLhiafHo66mwMRAQjetDpGHIzOJSUVBTgVKLWb5MILS/7uygt
yMKoLPM4IfWGQJxXgHcPDI8AFUwcGYuFGiXXyFaFqDci579rwUatNf9pu8B5
aIuZJkVoA7ESmWPm0i3+8NDK+GPqb3Q6A8S6PD8M0XCFByqVViSMomQvCwXQ
okMkHx7o1oUUbVkjbsTtr994DSZsnrzfAu0KCIINwGaJo4jVyXtqYAvBinVk
LWEAQ0tdGg+b9VZyy3EX73ED2zB6xmr5WmfUFdnqj4NjdQ0cywT3xskMzfp3
pZllboUmntVPnSXks45YJMliJ5VHU4sQHwkWLNBw5xl5PZ5I+T6n5RiRKXSL
KLhRwtDycQ/+81hCWn2E4kf6ceAsNVyVVR0Gs8TQ80DqOMAPelhF/jtAAVxO
XgxmXoZwL1Af2CXhfbLR6CxnxsTaOOMxo2M/LoGPWQ8KltmtXpiffdMtuL/R
ElqexQzGhXbfR5fWzGYyMMd6Daw3fZA8gD5wo+x3LnTPG/QoR8cxr4z1RLyn
78JGRSU2/RiyYTBxDM6gTRvV4+fPqPsqL/r1BsQEP9fABQspOkbtJDA049Zg
1egCNRZ4Z9UcRh0FcmdpsPZfQJ1xygqteFGUCUZWUMx1VrJDzGoE1kaM8IMi
L7BY0ScF3M1IO9PXeUX6VaCKNOvJJou3dD9kPMEtkj4gYETXhA4tcV+ht9ES
d0E3ldrMIIcNcTTjeTpO0hTD4vCgke/mOvA7IceWNABF/EfYbKpvIxiJbw5A
75ILOMBvAgUJhI1gVZMgRkMEe61+CSqFF0wIuBwsadxEWZszXu6Bakd7Gt15
OgtUNoHngm0Z4ImNGL5jIzCOjS1nAb2fSTHrhKIKwyD8phLjXLPiIBfaovOR
rFSKLTEGcN4JO2lgXArrptkezS+grWd5guGKs5Mvx4D5vtyTpN3/6FbLthV7
C2jKOol24Yt2MXQ5EsT01MiAOdLpWG1CEybMXzZvCrrbIhYAOskJG9rYS6R+
uThrGemm7l/3uyo+mHfV2m4S2pR8qiXQ4w0jDG2KndTJLYfsmZnkruuqSPRt
fSwsa5631WOVXrdJfjgoTW68XZ6uE8640UxNXGthHz/e4wI8ofocklMzTq7n
hdm/grk9m6KHkVTIl9N7+e4bcrV5NdgKQC2COiSqy8wyJkD6wpXh6Q9PETFJ
gfKAkUxx39m0YakhlWnJGdg+Wd+MkjKel6XZaTL+1Ju+iRiLP4Wt+Jf3mpfR
w1qYoIKJvlgF7rHV0+d+5EO8JOQsGgRoiFn1Zu/AWP6woW1kdHtb4EFRCF5t
ZoRvgTCOKm9xCMG/dw1Zb/SeAApj3YYKdOYiAWZ7CwG5XWd+eKdyomkAgQ3M
DciuSNwA+ojT+chpN5xuwBNGj7uRy3oB8JTpVL1NGCE+vIj5l96QfxG/1vOb
aoDObdm0AcSIV3I0TFIJakWeoBJaZmYEMDuyIJv8aaMZQdRvRPcb9sCfzkC4
cCO1YX0jvNalRpsEQrOCeJ16FwLJliLroR0exvnPx5cvdncArTBTRwYzBPBy
NonQoIe0+M7Cb6DFXC/FqaCQCE85SpWZdUOozD4534CZYBqZkN5o0kOLSqAA
MGjGS1R0nYiAEhFgo1gaEbIhHXPZ14Wm45x35o1B9nZ9St6UdJs/FC901tbB
4CieoJ4nVvAYraozW8nn4OtiuEVFFRiF4bzSdQ4IIQTryJbb/aislTIcmEXD
Dc60zRqjrefIklVdIwsoMrEaY0INFRSMA/Mo7irNFCzYz0Fk9uFFEKl9Mi6X
aFyM4oOzX9qgIszVJLqlUDIyRJCDiQ7wvkptQwpBUT7HeSySWc1P8vcRjW0z
EWYOW4ITW9iNqxDyO9wll7/sd40KjvPpkACXMZPsgfVc4NPoNca3h4cUFLL2
MPQTa4GAwG0kG+QFVEmlSuPbBp2rTdZByC/hKe0juzVvyMHmzFNbJIt3ecA/
j17LJG4HFx4v9habRNoebJAxMSFU/rq8j6/p1+Fhf5vfh6heANsADGGa6Iua
LqKW2YTAEvfC4XK7I8qjBqRqQqlCUdZiHBno8vLBK2VvuOjZhimkLCOuLT8k
xc5c0OiYgHAY4vEYUDMuor1QPGD085T0cKSm5L7KJoTpx6SjkPJh8xAGoqgZ
3E9dLDETrHBI/3tuQznB+RAeefT1O4PRKDF7CohxhyWSAvMd+P6ltFsjhhgR
Yl/QIFoBRuf8iwmyhDptDcfYZg097Xja89hosn6dGHBNNLoYEYc9xEFoLsAu
GcHSj41bdEVA32IPk1Al4RMvAIqxTNe1hSWZWL+UFUUQFSDzPI1ueGKsa5wb
38sAO895sgFNipzZRLcTSmQgPfIBDSO0GOzWUWi8NTHnbZrHN5xPaXM9BAsf
YPge15f5HWGgjVaJxSwj8MruQPaiWjqfFxa1QTt/r6/bknjjB51Fua4fIju9
xywv4NGAo82SVHVCOSqng5MtBeqc8vTGoW/M3gk6r5ndRMOQlw1/28xDu5Vm
liO3w1vE+MgQo4Bgir1AgUFzhR9XY523YkOTLFhLLObhAcxlD1ZbfAPsGuo0
v6P9EZZsYqwe+XGwqAA8hIykRX3ushhYYDCSE5ltC7Dtfjpik0fIiUSo8+ff
T1jyUKNvs/7ZfVQUlbfXNkuVPt/3ap/vw+uPKpQ+9dgJHml5/hGf40HQ88oM
jhtc73n80OhyTmR1BHUaj9Se90bceThSL+zEcXLzjxsUVqMfRkl0XURTkkwU
s1q+Ku+CbzxhM1FBG6y9KIX5+3EjxuSZAi75q91sRE0xEmPQkw2RG7eYRcBA
aOMN4L0mUagREcBGwvCkhFRNfNKYK1F7I4BQaE4r6tCEY2oZi/WUB4CrmLmN
VoL3uTCMpGjndGR+F//S/m04B3Y0nxexlxHV3PUgk+fxA5ufAVKokWXiDy85
PBFsI4KE3wEsNH4qRsQvpGd1hUo7gFampdeNSEZbFOMM7fCdHpLf6iV+RnZw
ZJr8gJQxXrxLTPkeEjPgRc0evTyMiScZ+Um0s46hara1LGZd9JumOuJcB3xy
A7rZEEI816R1iG+C3D/MGLmPMMfrKFAAHV7bQPCR+un0Sm33kZu9myy/y7Zx
SH8qqh9BDfZBlPqlzuz9l0dqr79zwPsfcuSBFij92XtH1vhIvdxRm56TsY2c
7LGp3jLPyIGyI6dm/rAN3f3xh7DrH2DwIekgnh8x/a/Ki8W29ZBQ+N7Ns9g4
WHjUbGz+fmrsToTBkInIEenSkvOUTbYCJkXaNDllm0TRsyJscx8qSZl8eKA9
iC+OAjKt0SiaoVYhrOLke4/nMIyw8WY6os3ZiNwht0wEM7vFSFD5kXjgCFSP
wV6ZGQKPGPXno9qOMTTl6XiKeC750AMwI+rrHij8J9Z54OY66ME42iseiL/u
AVhCX/EAWo7aZCoEyD9upCrdMKbESiTnVnhSaW2CeRrtCAjxC+H+wwv8J7Qf
srXD88+32R1wcAwwwo+6A89IGIVv4a+DyqTXrdq5S9KUwqRZeadtKDvHFPhC
XB7PN/UdjpR9qIjcO0EdXmxZbebkB7o9qqQMPfmtrvhXqOVwt9hFqNFtGDTS
FTjXkDwpdBJ7kiTse3qiG48HXiCxa35lVWOVsI3KtQReJfOjFnclKwBIWRde
gMXFvowD1W0mW8T5PB1xOJqCz+TDU+oybUk3ctfWO/FBbu3xr1fqOI2SKW5E
V2rz+PhSdhjwGB/eJkEOA88D5rRlrLicL9/xRA0r2lk4WXY6l8k0wcRoP4+w
G+BcAbGOSWN1cuoiH+y7l+yGc1LFR0w47aG9pszkLDzY0PJw0KFVkA4Bh3bI
26UK1TX7fcarKkxSrMx9GUSDSgYE4ou3jniiw1EHAR9LOaWYh/KYFLVED58h
vj4w++ekPM1u7jCXTAufUYPLTwiXhNcGg7VTlPR1n5O/woZlznEDNUpSgzBg
LditIZRRcjEJ98xnJgjkdI9pi1Zxg8Au/x4sEBJyHFO/89YPVkqb/jqiIV1e
qE1o2LtQhA1udes6CaEWUorIEURAYlNesi4HzKMW0VObwoEtWYtNjuItzBiK
ILoUgUB+aiJqkhJs3o7gEjuFE8zLy57dP2pXYwJMWu7HYJX4y/LoD2wvONcb
1brZfkaPU6A5Zq7paYR6vTSB7za5IPPWFMvPMibwI+ChTsegJE48B6n/EpXZ
Lm5VzafTqKA4dmuYx0Gn/Tp04jw44CxlohZZy/pcul4IRLG388hrkZ2JNT6P
fOejenE2+DTwwNWj+rQ9WKcF2xDMHXnLPcEr5ncfUM9uknsyDivbwd7V3utX
q9qJy1e9aTLVP5T4/x7Owo8cjKUl6rez62PAZju7O2uNa+/14X/VcSFU/e84
LkTUf5txTRHUYSopHTlaOS51uOcD9v9C9JA/8LdZp3FZoMNerm5H5usgdDdC
rdjic4TuXksaMSu3Z5ARuSO1yyg7dHKu/vMrmxMjBp6xTBOqrI0Nmj13l1x4
5SGEgQ+mggAImgQ/xtMNtuPRB6JSL4FN/GxyMOqpF/oejWMp+WYmic3ulIUk
wpAJ4tca5bj0kvyOgDq5VTo1ET0v38RMsUAak0MzycFvMD4PMBDYg4dlKW3R
pAJC2+aMAp3780LjdxMdDtxuPy+BOZg+Fko5+S3g2PR4HW91XaMhrYJ1ZX+4
vXnZEGQkJUlFLr/CMh8NPak25ArpFIvf7QBwFxe1QXkUuFw23zDMsna5Kxjm
dwL1OgwaugR3G9vz01486Ies9ykzG/eS10hb0TEWxIBxbeIep3rxivDlPGtc
eL3FHi5nQshZWB/EIiA2/Vhpu/x49vH0GGujYCJPQvneJ3O7aRuc4zSbkvY8
NbPIPwe6In0uzFLyThOb6CjuhCaCwAtNxz/qrDPssjNL5zF8ZggvrKwsVWuw
Dl5uBXn5/l6f4Vetw259YOYMkGFoGz8HfDgy42BJbE+rumHRUQtxWxqiYcaa
PDNWwqYmwAn2ogliL6TpLjjv0OHuOjfthTG3R2Qb/X83jK25C68CGxWPqy/w
8Be8r2mgLtoVZeCXN5dx4hKwliN1E0MLNIjzL0h7tDkYrFaUPe9D29F/ncNk
pbqZQm28G5KdNidaNi5xIf3/4zw4db0MkRpQcvX2ZH856K+r/eX0QDsvf196
2tr5NjDaBP3/PcbVBP2/17h+C+j/veT569spg3b+pqDfzTsA5OksRUPQSg/w
effNEtCPmupbQD/FwNbB/OepRjULkFN2KX3M8xLV77OBaXsI3Qu6O5AqgaJW
0wfs7zfcDloGrQ4GxTpXHy7CfZFabjbC583xHKPaWw1ulHKeVuC22yTw8428
oFsQPwPaEey3ZnL/FsD/LNivAWjL0xXrk3No/fQC28lmubUyf8+eFKnouIic
8V7Rl6WHZtGgpq/qk0GoF1sXZsl8SqER6HERnCpJKkOtO+GOwX6yyJy8HGRz
fM1YBn/hPB1/PFFMR9iCU1OUnHmPWYOyFWxlf51u6IRGPc/ZT9Wd5fAVfJO3
kvt0fzDnikbwr2UvQxKTaYE7I5TEFuinYV4s8YF8vaFkpWweokM3Te4FOU+D
zLN1RiZybld0m4Oqv8k/XQYQjSw0Y0zr+qYZPlvkgONRKMO2vcA3OqhnYZ5Z
5EcQnFthufE7eKdXtVxa8jCwvomwwhzfWA5GnnegUBkTs5JUr6an1vMSyAH3
472re4T54dEZEycuAQtQdBslKe3ieOcll+y2ZSNrJEgXmdxdAka2dS6qhFLQ
o5J5Ls6AWbR950EYR0f8h9oGxQr/Zi7Hrex+ohH3gJC6d0dGvOHQ1S8s8eGI
jwZVtnlrS6DFV7lrnpfWNgPioIEjxEcI5KAS+maSQmhOKmHqw6fcz5Ty7Lw5
gRBPIqzEpQusBRiL2zXiBIOUOYoxsCX5Yy9r+WO18/omX48iblTHjevH/p1P
icudC/ZKRxpTPr3t4no1tpf9V0H4aGvNhkOyOAOS1CVoCxOv+aVIeu9zBBX4
7TyqJvINGqjvNHY50XhX/t3jJcLQpU85WMv2m13yE7fgspb3Gg8GS6724B49
iMa03mKfeGIytExS4Afv1AqXLdredrX4UlqlVBsjmsEVruhJuntqc3EkvmX3
TCX/1GI4DCDwwRGrmwEjdTqXMIVuAg9qe4z9QLLfFdG1zauSPDPKeQ3y6pOy
VqIS84bt+RqbThIWofO0XC29PwlLXtgTDa2J/2ILpTDjvlsMXGkLVkN+zXFE
Yt8tKLZ8juUUo5LKk6ZYVaGZKepq7/nr32ZoB2X46ucwy/XSXoInwiJMDw/h
Eaonc47cS8YpbX6LYxJu0mO+Fd3P9UKwAzqKYAqhAoPCw1SmZqScbAMB+ITH
EIBneJ6iFpStWd5a9TqbQM2x4BjPVKeY2ukdk3F2blxQRiIQARfmZZhGNfYl
z9bMMQlfy6pC8ZzZlXV2enqqXu/s9XcPQE9yaUNB0DOqDwDTP01g/ru2P5Dd
knkC2PsaKYcZxCwxBOOwNKVyP5pP3gQqTBFpc7AAmAfNHH7Ifz0ffArH0YXR
4gTTocjbPL2V2p9FAfIBXMw0ZS5RtnYBEgpu5hAr1l3lTCgDO2SYv/BFKuvV
WfxQfvOItVVTNmTsaeGmMjSav2HfCCRiQoTYigtrKzARgn7rWfvxxNpnuQGR
4gxezdhxWKyMFvGl1Rc/o1Z4eFE7QFo7cVgr2hNGwdlNK+sHqyixhQFT2rU5
XRzwTgrM8sZMONrL84vV4KLLrlNtikW6WpGkMP1y4t1mvSTaA6S9ApPR0XLs
vMKoC8+aLT8UmeNgTAN+m7PyNYmV4lrSKmz0614SgWc26JwLlYdqPTydXudU
7bxxklw8DVgAMzJkk9aTt3j0DBO85agYH0kxMuhzwpThdmoyoVI9ZhPIxbKH
Cw9MUDOVnpXhzumhiBm+osAcCsTKzieaoD7eYhHq5s8n77asp4Inmm3YRttD
6+9Pfn7HZV/pyLPhimBir7og9XTyTvDBMddzm7vzkRKYoTdx2GZqreBY3ptG
3ntn7OAOaCei030lzMCgt3dwKPmGbKjlzBMp6qytp6ThTtXvMP522ykz9hCp
eAYi5pI2xEy5UFg+MHHmYJlxiU0ZQZkqV8rJ+VxexM+WXPKSPY3b4R21Y8EH
BdoDu6lNqSxf/m1mHbIH3b7o65ezQRuNxaxc3bAt0cPeeGm0VEi2QZ/L96Ny
mSDEOFdYHNAvZ2GLA/YP+/t8zgNE274KQVLU3F21O15xnZ3ceoDmoH6MB+ZE
lZAQuDmfV2nzAEa4ioJwny1kiucs/AkTzWQLlTVVii09ti1VRwsvfTOoDiHB
CNHLJHHNbU3A4PmwMvXkjgekQcwZJJc9/F2JpPmBBndonjeorCMth1sxrCO5
3Y3D2GOYOV7r3Hct7ueqbGDz0C+XNwZFCRCoQm+E17NRNFLYNIjbBmUXvEpu
WKoCSxgKo1GgMe+ckIUPIyU2ZA66tx9ZNVrP4XmEVji6WuFbauV7W+jTnI23
+hlPMSJ1XLbfnNkzgmTTWOSQvCdIQUBD2/q63vJvL9LVVT99+UvXRIesTAUl
C7NvkHLRpjWGe8wOqLd5240JbkmRXnJw16g3N0hXCm01OoJmL6wX8fCi5dx5
A0/QwW5znqu2xeCKJ4YH0X1nRcIN7Lve5WwFUA+M+M0Gc9CQR2p3i+LbwfF5
0wKhnr0tVLYmP7iRe8TMGCcFRkjbVr1bYLUxuHpNdQICl2uIFTbYy6ll7hiJ
Nt6Wxcq1PZMzE3aNcyrE30qk7FNEy6NQZuJby+jQGGtbKbVBOiZ6/mQzXsxu
KXp5YOtXXPqBcOSPGOXsNuPs3pEMrse1TrUtkz23Xl1oi9mXTh2493wSKL1l
F6x9BwMfcvsr6A1wMCKZRcbnbOYEBZV7TcG7zgs6rNujKTqnisEPL2yxYFK9
uO+4sqyveLNR2gP9CtDDe+lG3exxYh+FiNO7aEFjxXCud0yaKBliRY+oWLhy
h6aclLxLZV7RczzKhvvM5SGWVFzm+KWt90RnlTEkhVTx2wnEg0cnU4wl1Wuj
Ld9iwfWYq9wrydzHYzc4f65gv6ts3P6qiedeBkFDW+M0/8r3Q6xIA3NzAtNX
iI1GR8lUPLWJ+O4dRSBueWXKK4T1hVxxH1v4xnuJAtf3I2vhF6c2JxPwvDf9
0BLx/U11qr+xRnWjMjUKIc4eBcZbX5ah/MqJXvOvG2ei+Swzx8AiWznENe8i
R/akYPgWh6hYEj/fdV3ZU8XyjD2n2PZGk7qUXIZVPY9FVdA+ulSXMk6N2UeH
qdZNcTsOsw6DdXPOAlCZui60b1tgSbg8c/Uu1nmF3DpFE5Z/vNdZ9T7huy4+
sZaA5/u2REG//dn+iqoG8FCHiykcD3i3Z0miyqrPIzTxnW3wu29t4tnb1mii
bzkhxR2ag0cu0aIIL/ZNE3zuWT3+QS788VGFMuFdw4tOhB5tEyyb8Pfm1YfL
LUs5W676WL7zqPjONPFdnZn+XSsZHbBzJcOeZyd+/tDo+JnPH5+nwivcsSYV
v8NAVn2a3A043Vr7g99cIJudTWtrbEiIFJ4p+gFAxy8K7VV+w3IZy4rCkZPC
MtdzW87nEt7BiG29tL5fX9UzuZQBI8kG1us3wRwvXOQyxXTgGrXs6ztf0CTS
hOm57hw7orhlJUVbzmAEZ/AC2hwLvB1gd24zySZUwwR3GJLyRtCbKcJV52LQ
MpqAlCpdMeYFNIWbBlwScOiVtzQBX/seF7h7XAWwIaygUCr3ogeiZRUhYWUG
OvIeuxdhct3EntjAWanno7wHzBqBnZZ3u0irubygxeATfvWY3S2qvPDVdZ6P
1F8B4PNbPDye5JmX4kZpc7+BFq5fZPOWYmLmtP4KES4p1lbppl5TkGM89VPe
phRYa91wKT3TC1FozwbExmGYV0oHrj9Cw17rdPTqpwO+dvrf53eaEHJwmNwV
gnr+BU8medGFYQOWdKmAjK2LLoWk5MhvprF2RFQk6cI7/lsvqy2FkbhqgRt0
yE9bpKuNBP8lWsKxkb5NwJ2xNe2pJF3UlL/1ZscL2PuzMviLC52vmpRgPaYY
uQBdB1wf3VGl+fY+OfWE9m2RvSP8JyLV5PFxCoCvyORNkThijvljlZkhAll+
n4p4NLBU3Aq23UMT81Tbo0zqdp4iBebYCTF3lBMTZ/QGT72ci8FQ7Mm8yr4x
BxQbaOWIzQmyjvP4UvNkhkfgTFknPL9HHthkRY+r580kXgTWEtZxrahxp9MS
DF16BEvMQfxcUdzEVVUVZ4k39akMb6NibZWWvXmWgIVVt1E6t2VqaY+ETv6Y
c/EczZKMjbB+nNFeoekNMzq6bXEdS9qzoxouvNA897oqLmwjwiYW3IwAr9zY
ZLb7RY3NNubHwXFgNNeZD5NYQvlktnqw/zoqz6E1uTLohFKoiqOpJjV3HdVp
Eywlu1R2YoNEmsa7bvxNKFdVzfrS/p5bS1CaI5+lKZ8v+4AtUz6NbtCdNpso
jXkOKmOsLqdcK+DqShb3O+8wcs2FwbrPNmUr2liWjEHVTUgr1Eosrst9yZLt
NQuBSt2T1oIn3zBmfiNg86GkNG820+ZNgBT4WyPY6r1D1oVLhgvJGG4ka+NL
lvFQV9M5SKIsemq8SbfxuhcQf2qgkECVMVng5oA4xDfYgxR58/c9fqVUdz9F
SuJNkthE+1WggzBW2RLCtaH+oAjll92+l+DmCmeaeoecvWDwnWs2aGO/36n9
QCWfpLKln1tuaBUlJSLVVj02qtUODEpfXq16NjjtTNHqz8AEm6OrM5ugKfCV
rtcO2rZmAcuWhJcQwSZk1ZEsh5rCfY01G8FYftffBCFWurI+7am6qJ0Km2vs
7dTxnoleN5m8krIrkt0ebki0BtM6Xjiv+XFBw87qiIGLHPB9NZltuW916VAT
F2lvb6+t37WCLt+3tre/dBzy+f658YpwB8cOgqp7Xzle/pCgB5UhcTsfGw7v
Y0k9kkOMy8dRLxLJhwyb95nCkKpxXvHxK+XA8kUyEFru+6p5489ef+clYVV8
t/PXjXd/zfHKedHHTnsNW531wje9mrOBTrv5hQdR03OxP/+h5yJbL2BicdpT
PaLszBLvZiivRz9uZPmG7JTzuwVB3RNOoHfzkKqKsht1lUwB8SywbJ1JTkYd
SvtlgmLMK9DQ3ie5qXoaVqRtdkPuctAXeAsPp+VNrk6Sf7x5enrq4g8foyLO
gYo0j6Mneds3/v73+SRTHwE6lGWewYWOvK7+NhmZUq+3ib4zeMAj5VdLum+2
vReIi4vnn17EJt5jQWwMvcwLxBbvMOmB2HBeoAc1nRLkJj36eaazS/ACp2oT
rmBI47rQnC//Ke+r3Z3dnTf7Oy8PtwQFjNP5eNzpdP4fGvNqHL2LAAA=

-->

</rfc>
