<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-keytrans-architecture-09" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Key Transparency Architecture</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-keytrans-architecture-09"/>
    <author fullname="Brendan McMillion">
      <organization/>
      <address>
        <email>brendanmcmillion@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <area>Security</area>
    <workgroup>Key Transparency</workgroup>
    <keyword>key transparency</keyword>
    <abstract>
      <?line 37?>

<t>This document defines the terminology and interaction patterns involved in the
deployment of Key Transparency in a general secure group messaging
infrastructure, and specifies the security properties that the protocol
provides. It also gives more general, non-prescriptive guidance on how to
securely apply Key Transparency to a number of common applications.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-keytrans.github.io/draft-arch/draft-ietf-keytrans-architecture.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-keytrans-architecture/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Key Transparency Working Group mailing list (<eref target="mailto:keytrans@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/keytrans/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/keytrans/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-keytrans/draft-arch"/>.</t>
    </note>
  </front>
  <middle>
    <?line 45?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Before any information can be exchanged in an end-to-end encrypted system, two
things must happen: First, participants in the system must provide the service
operator with any public keys they wish to use to receive messages. Second, the
service operator must somehow distribute these public keys amongst the
participants that wish to communicate with each other.</t>
      <t>Typically this is done by having users upload their public keys to a simple
directory where other users can download them as necessary, or by providing
public keys in-band with the communication being secured. If the service
operator is simply trusted to correctly forward public keys between users, this
means that the underlying encryption protocol can only protect users against
passive eavesdropping on their messages.</t>
      <t>However, most messaging systems are designed such that all messages are
exchanged through the service operator's servers, which makes it extremely easy
for an operator to launch an active attack. That is, the service operator can
take public keys for which it knows the corresponding private keys, and
associate those public keys with a user's account without the user's knowledge
to impersonate or eavesdrop on conversations with that user.</t>
      <t>Key Transparency (KT) solves this problem by requiring the service operator to
store user public keys in a cryptographically protected append-only log. Any
malicious entries added to such a log will generally be equally visible to both
the affected user and the user's contacts. This allows users to detect whether
they are being impersonated by viewing the public keys attached to their
account. If the service operator attempts to conceal some entries of the log
from some users but not others, this creates a "forked view" which is permanent
and easily detectable.</t>
      <t>The critical improvement of KT over related protocols like Certificate
Transparency <xref target="RFC6962"/> is that KT includes an efficient
protocol to search the log for entries related to a specific participant. This
means users don't need to download the entire log, which may be substantial, to
find all entries that are relevant to them. It also means that KT can better
preserve user privacy by only showing entries of the log to participants that
genuinely need to see them.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<dl>
        <dt><strong>End-to-End Encrypted Communication Service:</strong></dt>
        <dd>
          <t>A communication service that allows end-users to engage in text, voice,
video, or other forms of communication over the internet, and uses public key
cryptography to ensure that communications are only accessible to their
intended recipients.</t>
        </dd>
        <dt><strong>End-User Device:</strong></dt>
        <dd>
          <t>The device at the final point in a digital communication, which may either
send or receive encrypted data in an end-to-end encrypted communication
service.</t>
        </dd>
        <dt><strong>End-User Identity:</strong></dt>
        <dd>
          <t>A unique and user-visible identity associated with an account (and therefore
one or more end-user devices) in an end-to-end encrypted communication
service. In the case where an end-user explicitly requests to communicate with
(or is informed they are communicating with) an end-user uniquely identified
by the name "Alice", the end-user identity is the string "Alice".</t>
        </dd>
        <dt><strong>User / Account:</strong></dt>
        <dd>
          <t>A single end-user of an end-to-end encrypted communication service, which may
be represented by several end-user identities and end-user devices. For
example, a user may be represented simultaneously by multiple identities
(email, phone number, username) and interact with the service on multiple
devices (phone, laptop).</t>
        </dd>
        <dt><strong>Service Operator:</strong></dt>
        <dd>
          <t>The primary organization that provides the infrastructure for an end-to-end
encrypted communication service and the software to participate in it.</t>
        </dd>
        <dt><strong>Transparency Log:</strong></dt>
        <dd>
          <t>A specialized service capable of securely attesting to the information (such
as public keys) associated with a given end-user identity. A transparency
log is usually run either entirely or partially by the service operator, but
could also be operated externally.</t>
        </dd>
        <dt><strong>Transparency Log Configuration:</strong></dt>
        <dd>
          <t>The fixed, public parameters of a Transparency Log such as the log's cipher
suite and public key. Configuration is pre-distributed to users through a
trustworthy channel and used for proof verification.</t>
        </dd>
      </dl>
    </section>
    <section anchor="protocol-overview">
      <name>Protocol Overview</name>
      <t>From a networking perspective, KT follows a client-server architecture with a
central <em>transparency log</em>, acting as a server, which holds the authoritative
copy of all information and exposes endpoints that allow users to query or
modify stored data. Users coordinate with each other through the server by
uploading their own public keys and downloading the public keys of other
users. Users are expected to maintain relatively little state, limited only
to what is required to interact with the log and ensure that it is behaving
honestly.</t>
      <t>From an application perspective, KT can be thought of as a versioned key-value
database. Users insert key-value pairs into the database where, for example, the
key is their username and the value is their public key. Users can update a key
by inserting a new version with new data. They can also look up the most recent
version of a key or any previous version. From this point forward, the term
<strong>label</strong> will be used to refer to lookup keys in the key-value database that a
transparency log represents to avoid confusion with cryptographic public or
private keys.</t>
      <t>Users are considered to <strong>own</strong> a label if they are understood to either
initiate all changes to the label's value, or if they must be informed of all
changes to the label's value. The latter situation may occur if, for example, KT
is deployed in a way where the service operator makes automated modifications to
stored data. The owning user would then be informed, after the fact, of
modifications to verify that they were legal.</t>
      <t>KT does not require the use of a specific transport protocol. This is intended
to allow applications to layer KT on top of whatever transport protocol their
application already uses. In particular, this allows applications to continue
relying on their existing access control system.</t>
      <t>With some small exceptions, applications may enforce arbitrary access control
rules on top of KT. This may include requiring a user to be logged in to make KT
requests, only allowing a user to lookup the labels of another user if they're
"friends", or applying a rate limit. Most applications will likely want to, at
minimum, prevent users from
modifying labels they do not own. The exact mechanism for rejecting requests,
and possibly explaining the reason for rejection, is left to the application.</t>
      <section anchor="user-operations">
        <name>User Operations</name>
        <t>The operations that can be executed by a user are as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t><strong>Search:</strong> Looks up the value of a specific label in the most recent version
of the log. Users may request either a specific version of the label or the
most recent version available. If the label-version pair exists, the server
returns the corresponding value and a proof that the search operation was
executed correctly.</t>
          </li>
          <li>
            <t><strong>Update:</strong> Adds a new label-value pair to the log. The server returns a
proof that the label-value pair was added correctly. Note that this means
that new values are added to the log immediately and no provisional proof,
such as an Signed Certificate Timestamp (SCT) as defined in <xref section="3" sectionFormat="of" target="RFC6962"/>, is provided.</t>
          </li>
          <li>
            <t><strong>Monitor:</strong> While Search and Update are run by the user as necessary,
monitoring is done in the background on a recurring basis. It can both check
that the log is continuing to behave honestly (all previously returned labels
remain in the tree) and that no changes have been made to labels owned by the
user without the user's knowledge.</t>
          </li>
        </ol>
        <t>These operations are executed over an application-provided transport layer.
The transport layer enforces access control by blocking queries which are
not allowed:</t>
        <figure anchor="request-response">
          <name>Example request and response flow. Valid requests receive a response while invalid requests are blocked by the transport layer.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="456" viewBox="0 0 456 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,320" fill="none" stroke="black"/>
                <path d="M 384,48 L 384,320" fill="none" stroke="black"/>
                <path d="M 152,96 L 376,96" fill="none" stroke="black"/>
                <path d="M 32,112 L 208,112" fill="none" stroke="black"/>
                <path d="M 136,144 L 376,144" fill="none" stroke="black"/>
                <path d="M 32,160 L 208,160" fill="none" stroke="black"/>
                <path d="M 192,192 L 376,192" fill="none" stroke="black"/>
                <path d="M 32,208 L 208,208" fill="none" stroke="black"/>
                <path d="M 144,288 L 320,288" fill="none" stroke="black"/>
                <path d="M 176,304 L 320,304" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="384,192 372,186.4 372,197.6" fill="black" transform="rotate(0,376,192)"/>
                <polygon class="arrowhead" points="384,144 372,138.4 372,149.6" fill="black" transform="rotate(0,376,144)"/>
                <polygon class="arrowhead" points="384,96 372,90.4 372,101.6" fill="black" transform="rotate(0,376,96)"/>
                <polygon class="arrowhead" points="328,304 316,298.4 316,309.6" fill="black" transform="rotate(0,320,304)"/>
                <polygon class="arrowhead" points="328,288 316,282.4 316,293.6" fill="black" transform="rotate(0,320,288)"/>
                <polygon class="arrowhead" points="40,208 28,202.4 28,213.6" fill="black" transform="rotate(180,32,208)"/>
                <polygon class="arrowhead" points="40,160 28,154.4 28,165.6" fill="black" transform="rotate(180,32,160)"/>
                <polygon class="arrowhead" points="40,112 28,106.4 28,117.6" fill="black" transform="rotate(180,32,112)"/>
                <g class="text">
                  <text x="24" y="36">Alice</text>
                  <text x="372" y="36">Transparency</text>
                  <text x="440" y="36">Log</text>
                  <text x="116" y="68">(Valid</text>
                  <text x="152" y="68">/</text>
                  <text x="196" y="68">Accepted</text>
                  <text x="272" y="68">Requests)</text>
                  <text x="88" y="100">Search(Alice)</text>
                  <text x="296" y="116">SearchResponse(...)</text>
                  <text x="80" y="148">Search(Bob)</text>
                  <text x="296" y="164">SearchResponse(...)</text>
                  <text x="88" y="196">Update(Alice,</text>
                  <text x="164" y="196">...)</text>
                  <text x="296" y="212">UpdateResponse(...)</text>
                  <text x="120" y="260">(Rejected</text>
                  <text x="168" y="260">/</text>
                  <text x="208" y="260">Blocked</text>
                  <text x="280" y="260">Requests)</text>
                  <text x="84" y="292">Search(Fred)</text>
                  <text x="336" y="292">X</text>
                  <text x="80" y="308">Update(Bob,</text>
                  <text x="148" y="308">...)</text>
                  <text x="336" y="308">X</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Alice                                   Transparency Log
  |                                            |
  |        (Valid / Accepted Requests)         |
  |                                            |
  | Search(Alice) ---------------------------->|
  |<---------------------- SearchResponse(...) |
  |                                            |
  | Search(Bob) ------------------------------>|
  |<---------------------- SearchResponse(...) |
  |                                            |
  | Update(Alice, ...) ----------------------->|
  |<---------------------- UpdateResponse(...) |
  |                                            |
  |                                            |
  |       (Rejected / Blocked Requests)        |
  |                                            |
  | Search(Fred) ----------------------> X     |
  | Update(Bob, ...) ------------------> X     |
  |                                            |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="credentials">
        <name>Credentials</name>
        <t>While users are generally understood to interact directly with the transparency
log, many end-to-end encrypted communication services require the ability to
provide <em>credentials</em> to their users. Credentials convey a binding between an
end-user identity and public keys or other information, and can be verified with
minimal network access.</t>
        <t>In particular, credentials that can be verified with minimal network access are
often desired by applications that support anonymous communication. These
applications provide end-to-end encryption with a protocol like the Messaging
Layer Security Protocol <xref target="RFC9420"/> (with the encryption of handshake messages
required) or Sealed Sender <xref target="sealed-sender"/>. When a user sends a message, these
protocols have the sender provide their own credential in an encrypted portion
of the message.</t>
        <t>Encrypting the sender's credential allows the sender to submit messages over an
anonymous channel by specifying only the recipient's identity. The service
operator can deliver the message to the intended recipient, who can decrypt it
and validate the credential inside to be assured of the sender's identity. Note
that the recipient does not need access to an anonymous channel to preserve the
sender's anonymity.</t>
        <t>At a high level, KT credentials are created by serializing one or more Search
request-response pairs. These Search operations correspond to the lookups the
recipient would do to authenticate the relationship between the presented
end-user identity and their public keys. Recipients can verify the
request-response pairs themselves without contacting the transparency log.</t>
        <t>Any future monitoring that may be required <bcp14>SHOULD</bcp14> be provided to recipients
proactively by the sender, as this is the most robust way to preserve the
sender's anonymity. If required future monitoring isn't provided, either
accidentally or because the system was intentionally designed that way, the
recipient will need to perform the monitoring themself over an anonymous
channel.</t>
        <figure anchor="anonymous">
          <name>Example message flow in an anonymous deployment. Users request their own label from the transparency log and provide the serialized response, functioning as a credential, in encrypted messages to other users. Required monitoring is provided proactively.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="192" width="504" viewBox="0 0 504 192" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,176" fill="none" stroke="black"/>
                <path d="M 272,48 L 272,176" fill="none" stroke="black"/>
                <path d="M 432,80 L 432,88" fill="none" stroke="black"/>
                <path d="M 496,48 L 496,176" fill="none" stroke="black"/>
                <path d="M 16,64 L 144,64" fill="none" stroke="black"/>
                <path d="M 184,80 L 264,80" fill="none" stroke="black"/>
                <path d="M 448,96 L 488,96" fill="none" stroke="black"/>
                <path d="M 16,128 L 136,128" fill="none" stroke="black"/>
                <path d="M 192,144 L 264,144" fill="none" stroke="black"/>
                <path d="M 456,160 L 488,160" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="496,160 484,154.4 484,165.6" fill="black" transform="rotate(0,488,160)"/>
                <polygon class="arrowhead" points="496,96 484,90.4 484,101.6" fill="black" transform="rotate(0,488,96)"/>
                <polygon class="arrowhead" points="272,144 260,138.4 260,149.6" fill="black" transform="rotate(0,264,144)"/>
                <polygon class="arrowhead" points="272,80 260,74.4 260,85.6" fill="black" transform="rotate(0,264,80)"/>
                <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/>
                <polygon class="arrowhead" points="24,64 12,58.4 12,69.6" fill="black" transform="rotate(180,16,64)"/>
                <g class="text">
                  <text x="52" y="36">Transparency</text>
                  <text x="120" y="36">Log</text>
                  <text x="272" y="36">Alice</text>
                  <text x="416" y="36">Anonymous</text>
                  <text x="480" y="36">Group</text>
                  <text x="208" y="68">Search(Alice)</text>
                  <text x="96" y="84">SearchResponse(...)</text>
                  <text x="332" y="84">Encrypt(Anon</text>
                  <text x="408" y="84">Group</text>
                  <text x="376" y="100">SearchResponse)</text>
                  <text x="204" y="132">Monitor(Alice)</text>
                  <text x="100" y="148">MonitorResponse(...)</text>
                  <text x="332" y="148">Encrypt(Anon</text>
                  <text x="412" y="148">Group,</text>
                  <text x="380" y="164">MonitorResponse)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Transparency Log               Alice           Anonymous Group
|                                |                           |
|<---------------- Search(Alice) |                           |
| SearchResponse(...) ---------->| Encrypt(Anon Group,       |
|                                |     SearchResponse) ----->|
|                                |                           |
|<--------------- Monitor(Alice) |                           |
| MonitorResponse(...) --------->| Encrypt(Anon Group,       |
|                                |     MonitorResponse) ---->|
|                                |                           |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="detecting-forks">
        <name>Detecting Forks</name>
        <t>It is sometimes possible for a transparency log to present forked views of data
to different users. This means that, from an individual user's perspective, a
log may appear to be operating correctly in the sense that all of a user's
requests succeed and proofs verify correctly. However, the transparency log has
presented a view to the user that's not globally consistent with what it has
shown other users. As such, the log may be able to change a label's value
without the label's owner becoming aware.</t>
        <t>The protocol is designed such that users always require subsequent queries to
prove consistency with previous queries. As such, users always stay on a
linearizable view of the log. If a user is ever presented with a forked view,
they hold on to this forked view forever and reject the output of any subsequent
queries that are inconsistent with it.</t>
        <t>This provides ample opportunity for users to detect when a fork has been
presented but isn't in itself sufficient for detection. To detect forks, users
require either a <strong>trusted third party</strong>, <strong>anonymous communication</strong> with the
transparency log, or <strong>peer-to-peer communication</strong>.</t>
        <t>With a trusted third party, such as a Third-Party Auditor or Manager as
described in <xref target="third-party-auditing"/> and <xref target="third-party-management"/>, an outside
organization monitors the operation of the transparency log. This third party
verifies, among other things, that the transparency log is growing in an
append-only manner. If verification is successful, the third party produces
a signature on the most recent tree head. The transparency log provides this
signature to users inline with their query responses as proof that they are not
being shown a fork. This approach relies on an assumption that the third party
is trusted not to collude with the transparency log to sign a fork.</t>
        <t>With anonymous communication, a single user accesses the transparency log over
an anonymous channel and checks that the transparency log is presenting the same
tree head over the anonymous channel as it does over an authenticated channel.
The security of this approach relies on the fact that, if the transparency log
doesn't know which user is making the request, it will show the user the wrong
fork with high probability. Repeating this check over time makes it
overwhelmingly likely that any fork presented to any user will be detected.</t>
        <t>With peer-to-peer communication, two users gossip with each other to establish
that they both have the same view of the transparency log. This gossip is able
to happen over any supported out-of-band channel even if it is heavily
bandwidth-constrained, such as scanning a QR code. However, this approach is
only secure if gossip can be implemented such that gossipping users are
reasonably expected to form a connected graph of all users. If not, then the
transparency log can attempt to partition users into subsets that do not gossip
and can present each subset of users with different forks.</t>
        <t>Regardless of approach, in the event that a fork is successfully detected, the
user is able to produce non-repudiable proof of log misbehavior which can be
published.</t>
        <figure anchor="out-of-band-checking">
          <name>Users receive tree heads while making authenticated requests to a transparency log. Users ensure consistency of tree heads by either comparing amongst themselves, or by contacting the transparency log over an anonymous channel. Requests that require authentication do not need to be available over the anonymous channel.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="584" viewBox="0 0 584 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,288" fill="none" stroke="black"/>
                <path d="M 232,48 L 232,288" fill="none" stroke="black"/>
                <path d="M 576,48 L 576,288" fill="none" stroke="black"/>
                <path d="M 344,96 L 568,96" fill="none" stroke="black"/>
                <path d="M 240,112 L 328,112" fill="none" stroke="black"/>
                <path d="M 16,224 L 72,224" fill="none" stroke="black"/>
                <path d="M 392,224 Q 394,220.8 396,224 Q 398,227.2 400,224 Q 402,220.8 404,224 Q 406,227.2 408,224 Q 410,220.8 412,224 Q 414,227.2 416,224 Q 418,220.8 420,224 Q 422,227.2 424,224 Q 426,220.8 428,224 Q 430,227.2 432,224 Q 434,220.8 436,224 Q 438,227.2 440,224 Q 442,220.8 444,224 Q 446,227.2 448,224 Q 450,220.8 452,224 Q 454,227.2 456,224 Q 458,220.8 460,224 Q 462,227.2 464,224 Q 466,220.8 468,224 Q 470,227.2 472,224 Q 474,220.8 476,224 Q 478,227.2 480,224 Q 482,220.8 484,224 Q 486,227.2 488,224 Q 490,220.8 492,224 Q 494,227.2 496,224 Q 498,220.8 500,224 Q 502,227.2 504,224 Q 506,220.8 508,224 Q 510,227.2 512,224 Q 514,220.8 516,224 Q 518,227.2 520,224 Q 522,220.8 524,224 Q 526,227.2 528,224 Q 530,220.8 532,224 Q 534,227.2 536,224 Q 538,220.8 540,224 Q 542,227.2 544,224 Q 546,220.8 548,224 Q 550,227.2 552,224 Q 554,220.8 556,224 Q 558,227.2 560,224 " fill="none" stroke="black"/>
                <path d="M 88,240 L 224,240" fill="none" stroke="black"/>
                <path d="M 248,240 Q 250,236.8 252,240 Q 254,243.2 256,240 Q 258,236.8 260,240 Q 262,243.2 264,240 Q 266,236.8 268,240 Q 270,243.2 272,240 Q 274,236.8 276,240 Q 278,243.2 280,240 Q 282,236.8 284,240 Q 286,243.2 288,240 Q 290,236.8 292,240 Q 294,243.2 296,240 Q 298,236.8 300,240 Q 302,243.2 304,240 Q 306,236.8 308,240 Q 310,243.2 312,240 Q 314,236.8 316,240 Q 318,243.2 320,240 Q 322,236.8 324,240 Q 326,243.2 328,240 Q 330,236.8 332,240 Q 334,243.2 336,240 Q 338,236.8 340,240 Q 342,243.2 344,240 Q 346,236.8 348,240 Q 350,243.2 352,240 Q 354,236.8 356,240 Q 358,243.2 360,240 Q 362,236.8 364,240 Q 366,243.2 368,240 Q 370,236.8 372,240 Q 374,243.2 376,240 Q 378,236.8 380,240 Q 382,243.2 384,240 Q 386,236.8 388,240 Q 390,243.2 392,240 Q 394,236.8 396,240 Q 398,243.2 400,240 Q 402,236.8 404,240 Q 406,243.2 408,240 Q 410,236.8 412,240 Q 414,243.2 416,240 Q 418,236.8 420,240 Q 422,243.2 424,240 Q 426,236.8 428,240 Q 430,243.2 432,240 Q 434,236.8 436,240 Q 438,243.2 440,240 Q 442,236.8 444,240 Q 446,243.2 448,240 Q 450,236.8 452,240 Q 454,243.2 456,240 Q 458,236.8 460,240 Q 462,243.2 464,240 Q 466,236.8 468,240 Q 470,243.2 472,240 Q 474,236.8 476,240 Q 478,243.2 480,240 Q 482,236.8 484,240 Q 486,243.2 488,240 Q 490,236.8 492,240 Q 494,243.2 496,240 " fill="none" stroke="black"/>
                <path d="M 344,272 Q 346,268.8 348,272 Q 350,275.2 352,272 Q 354,268.8 356,272 Q 358,275.2 360,272 Q 362,268.8 364,272 Q 366,275.2 368,272 Q 370,268.8 372,272 Q 374,275.2 376,272 Q 378,268.8 380,272 Q 382,275.2 384,272 Q 386,268.8 388,272 Q 390,275.2 392,272 Q 394,268.8 396,272 Q 398,275.2 400,272 Q 402,268.8 404,272 Q 406,275.2 408,272 Q 410,268.8 412,272 Q 414,275.2 416,272 Q 418,268.8 420,272 Q 422,275.2 424,272 Q 426,268.8 428,272 Q 430,275.2 432,272 Q 434,268.8 436,272 Q 438,275.2 440,272 Q 442,268.8 444,272 Q 446,275.2 448,272 Q 450,268.8 452,272 Q 454,275.2 456,272 Q 458,268.8 460,272 Q 462,275.2 464,272 Q 466,268.8 468,272 Q 470,275.2 472,272 Q 474,268.8 476,272 Q 478,275.2 480,272 Q 482,268.8 484,272 Q 486,275.2 488,272 Q 490,268.8 492,272 Q 494,275.2 496,272 " fill="none" stroke="black"/>
                <polygon class="arrowhead" points="576,96 564,90.4 564,101.6" fill="black" transform="rotate(0,568,96)"/>
                <polygon class="arrowhead" points="568,224 556,218.4 556,229.6" fill="black" transform="rotate(0,560,224)"/>
                <polygon class="arrowhead" points="504,272 492,266.4 492,277.6" fill="black" transform="rotate(0,496,272)"/>
                <polygon class="arrowhead" points="256,240 244,234.4 244,245.6" fill="black" transform="rotate(180,248,240)"/>
                <polygon class="arrowhead" points="248,112 236,106.4 236,117.6" fill="black" transform="rotate(180,240,112)"/>
                <polygon class="arrowhead" points="232,240 220,234.4 220,245.6" fill="black" transform="rotate(0,224,240)"/>
                <polygon class="arrowhead" points="24,224 12,218.4 12,229.6" fill="black" transform="rotate(180,16,224)"/>
                <g class="text">
                  <text x="24" y="36">Alice</text>
                  <text x="232" y="36">Bob</text>
                  <text x="500" y="36">Transparency</text>
                  <text x="568" y="36">Log</text>
                  <text x="272" y="68">(Normal</text>
                  <text x="324" y="68">reqs</text>
                  <text x="364" y="68">over</text>
                  <text x="440" y="68">authenticated</text>
                  <text x="532" y="68">channel)</text>
                  <text x="288" y="100">Search(Bob)</text>
                  <text x="396" y="116">Response{Head:</text>
                  <text x="492" y="116">6c063bb,</text>
                  <text x="548" y="116">...}</text>
                  <text x="52" y="196">(OOB</text>
                  <text x="96" y="196">check</text>
                  <text x="140" y="196">with</text>
                  <text x="184" y="196">peer)</text>
                  <text x="284" y="196">(OOB</text>
                  <text x="328" y="196">check</text>
                  <text x="372" y="196">over</text>
                  <text x="432" y="196">anonymous</text>
                  <text x="508" y="196">channel)</text>
                  <text x="152" y="228">DistinguishedHead</text>
                  <text x="312" y="228">DistinguishedHead</text>
                  <text x="48" y="244">6c063bb</text>
                  <text x="536" y="244">6c063bb</text>
                  <text x="288" y="276">Search(Bob)</text>
                  <text x="512" y="276">X</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Alice                      Bob                          Transparency Log
|                           |                                          |
|                           | (Normal reqs over authenticated channel) |
|                           |                                          |
|                           | Search(Bob) ---------------------------->|
|                           |<----------- Response{Head: 6c063bb, ...} |
|                           |                                          |
|                           |                                          |
|                           |                                          |
|                           |                                          |
|   (OOB check with peer)   |    (OOB check over anonymous channel)    |
|                           |                                          |
|<------- DistinguishedHead | DistinguishedHead ~~~~~~~~~~~~~~~~~~~~~> |
| 6c063bb ----------------->| <~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6c063bb |
|                           |                                          |
|                           | Search(Bob) ~~~~~~~~~~~~~~~~~~~> X       |
|                           |                                          |
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section anchor="deployment-modes">
      <name>Deployment Modes</name>
      <t>In the interest of satisfying the widest range of use-cases possible, three
different modes for deploying a transparency log are supported. Each mode has
slightly different requirements and efficiency considerations for both the
transparency log and the end-user.</t>
      <t><strong>Third-Party Management</strong> and <strong>Third-Party Auditing</strong> are two deployment modes
that require the transparency log to delegate part of its operation
to a third party.</t>
      <t>With both third-party modes, all requests from end-users are initially routed to
the transparency log and the log coordinates with the third party
itself. End-users never contact the third party directly, although they will
need a signature public key from the third party to verify its assertions.</t>
      <t>With Third-Party Management, the third party performs the majority of the work
of actually storing and operating the service, and the transparency log only
signs new entries as they're added. With Third-Party Auditing, the transparency
log performs the majority of the work of storing and operating the service, only
obtaining signatures from a third-party auditor at regular intervals
asserting that the tree has been constructed correctly.</t>
      <t>To reduce the probability of collusion between the transparency log and the
third party, a transparency log can have two or more independent third parties
coordinate as one and produce threshold signatures. In this scenario, the
threshold for a valid signature <bcp14>MUST</bcp14> be at least a majority of the third
parties, to prevent different subsets from authenticating forked views.</t>
      <t><strong>Contact Monitoring</strong>, on the other hand, supports a single-party deployment
with no third party. The cost of this is that, when a user looks up a version of
a label that was inserted very recently, the user may need to retain some
additional state and monitor the label until it is included in a <em>distinguished
log entry</em> (defined in <xref target="PROTO"/>). If a user
looks up many label-version pairs that were inserted very recently, monitoring
may become relatively expensive.</t>
      <t>Additionally, applications that rely on a transparency log deployed in Contact
Monitoring mode <bcp14>MUST</bcp14> regularly attempt to detect forks through anonymous
communication with the transparency log or peer-to-peer communication, as
described in <xref target="detecting-forks"/>.</t>
      <t>Applications that rely on a transparency log deployed in either of the
third-party modes <bcp14>MAY</bcp14> allow users to enable a "Contact Monitoring Mode". This
mode, which affects only the individual client's behavior, would cause the
client to behave as if its transparency log was deployed in Contact Monitoring
mode. As such, it would start retaining state about previously looked-up labels
and regularly engaging in out-of-band communication. Enabling this
higher security mode allows users to double check that the third party is not
colluding with the transparency log.</t>
      <section anchor="contact-monitoring">
        <name>Contact Monitoring</name>
        <t>With the Contact Monitoring deployment mode, the monitoring burden is split
between both the owner of a label and those that look up the label. Stated as
simply as possible, the monitoring obligations of each party are:</t>
        <ol spacing="normal" type="1"><li>
            <t>On a regular basis, the label owner verifies that the most recent version of
their label has not changed unexpectedly.</t>
          </li>
          <li>
            <t>When a user that looked up a label sees that it was inserted very recently,
they check back later to see that the label-version pair they observed was
not removed before it could be detected by the label owner.</t>
          </li>
        </ol>
        <t>This ensures that if a malicious value for a label is added to the log, then
either it is detected by the label owner, or if it is removed/obscured from the
log before the label owner can detect it, then any users that observed it will
detect its removal.</t>
        <figure anchor="contact-monitoring-fig">
          <name>Contact Monitoring. Alice searches for Bob's label. One day later, Alice verifies the label-version pair she observed remained in transparency log. Another day later, Bob comes online and monitors his own label. Note that Alice does not need to wait on Bob to make his Monitor request before making hers.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="584" viewBox="0 0 584 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,256" fill="none" stroke="black"/>
                <path d="M 296,48 L 296,256" fill="none" stroke="black"/>
                <path d="M 576,48 L 576,256" fill="none" stroke="black"/>
                <path d="M 120,64 L 288,64" fill="none" stroke="black"/>
                <path d="M 16,80 L 120,80" fill="none" stroke="black"/>
                <path d="M 128,144 L 288,144" fill="none" stroke="black"/>
                <path d="M 16,160 L 112,160" fill="none" stroke="black"/>
                <path d="M 304,224 L 456,224" fill="none" stroke="black"/>
                <path d="M 480,240 L 568,240" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="576,240 564,234.4 564,245.6" fill="black" transform="rotate(0,568,240)"/>
                <polygon class="arrowhead" points="312,224 300,218.4 300,229.6" fill="black" transform="rotate(180,304,224)"/>
                <polygon class="arrowhead" points="296,144 284,138.4 284,149.6" fill="black" transform="rotate(0,288,144)"/>
                <polygon class="arrowhead" points="296,64 284,58.4 284,69.6" fill="black" transform="rotate(0,288,64)"/>
                <polygon class="arrowhead" points="24,160 12,154.4 12,165.6" fill="black" transform="rotate(180,16,160)"/>
                <polygon class="arrowhead" points="24,80 12,74.4 12,85.6" fill="black" transform="rotate(180,16,80)"/>
                <g class="text">
                  <text x="24" y="36">Alice</text>
                  <text x="284" y="36">Transparency</text>
                  <text x="352" y="36">Log</text>
                  <text x="568" y="36">Bob</text>
                  <text x="64" y="68">Search(Bob)</text>
                  <text x="208" y="84">SearchResponse(...)</text>
                  <text x="108" y="116">(1</text>
                  <text x="136" y="116">day</text>
                  <text x="180" y="116">later)</text>
                  <text x="68" y="148">Monitor(Bob)</text>
                  <text x="204" y="164">MonitorResponse(...)</text>
                  <text x="108" y="196">(1</text>
                  <text x="136" y="196">day</text>
                  <text x="180" y="196">later)</text>
                  <text x="516" y="228">Monitor(Bob)</text>
                  <text x="388" y="244">MonitorResponse(...)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Alice                        Transparency Log                        Bob
|                                   |                                  |
| Search(Bob) --------------------->|                                  |
|<------------- SearchResponse(...) |                                  |
|                                   |                                  |
|           (1 day later)           |                                  |
|                                   |                                  |
| Monitor(Bob) -------------------->|                                  |
|<------------ MonitorResponse(...) |                                  |
|                                   |                                  |
|           (1 day later)           |                                  |
|                                   |                                  |
|                                   |<------------------- Monitor(Bob) |
|                                   | MonitorResponse(...) ----------->|
|                                   |                                  |
]]></artwork>
          </artset>
        </figure>
        <t>Importantly, Contact Monitoring impacts how the server is able to enforce access
control on Monitor queries. While Search and Update queries can enforce access
control on an arbitrary "point in time" basis, where a user is allowed to
execute the query at one point in time but maybe not the next, users are
sometimes required by the protocol to make Monitor queries based on the Search
and Update queries they made in the past. These Monitor queries <bcp14>MUST</bcp14> be
permitted, regardless of whether or not the user is still permitted to execute
such Search or Update queries.</t>
      </section>
      <section anchor="third-party-auditing">
        <name>Third-Party Auditing</name>
        <t>With the Third-Party Auditing deployment mode, the transparency log obtains
signatures from a third-party auditor attesting (at minimum) to the fact that
the tree has been constructed correctly. These signatures are provided to users
as part of the responses for their queries.</t>
        <t>When running synchronously, the auditor can easily become a bottleneck for the
transparency log. It's generally expected that third-party auditors run
asynchronously, downloading and authenticating a log's contents in the
background. As a result, signatures from the auditor may lag behind the view
presented by the transparency log. The maximum amount of time that the auditor
may lag behind the transparency log without its signature being rejected by
users is set in the transparency log's configuration.</t>
        <figure anchor="auditing-fig">
          <name>Third-Party Auditing. A recent signature from the auditor is provided to users. The auditor is updated on changes to the tree in the background.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="584" viewBox="0 0 584 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,192" fill="none" stroke="black"/>
                <path d="M 336,48 L 336,192" fill="none" stroke="black"/>
                <path d="M 576,48 L 576,192" fill="none" stroke="black"/>
                <path d="M 176,64 L 328,64" fill="none" stroke="black"/>
                <path d="M 160,80 L 328,80" fill="none" stroke="black"/>
                <path d="M 176,96 L 328,96" fill="none" stroke="black"/>
                <path d="M 24,110 L 64,110" fill="none" stroke="black"/>
                <path d="M 24,114 L 64,114" fill="none" stroke="black"/>
                <path d="M 464,160 L 568,160" fill="none" stroke="black"/>
                <path d="M 344,176 L 432,176" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="576,160 564,154.4 564,165.6" fill="black" transform="rotate(0,568,160)"/>
                <polygon class="arrowhead" points="352,176 340,170.4 340,181.6" fill="black" transform="rotate(180,344,176)"/>
                <polygon class="arrowhead" points="336,96 324,90.4 324,101.6" fill="black" transform="rotate(0,328,96)"/>
                <polygon class="arrowhead" points="336,80 324,74.4 324,85.6" fill="black" transform="rotate(0,328,80)"/>
                <polygon class="arrowhead" points="336,64 324,58.4 324,69.6" fill="black" transform="rotate(0,328,64)"/>
                <polygon class="arrowhead" points="32,112 20,106.4 20,117.6" fill="black" transform="rotate(180,24,112)"/>
                <g class="text">
                  <text x="20" y="36">Many</text>
                  <text x="64" y="36">Users</text>
                  <text x="324" y="36">Transparency</text>
                  <text x="392" y="36">Log</text>
                  <text x="552" y="36">Auditor</text>
                  <text x="72" y="68">Update(Alice,</text>
                  <text x="148" y="68">...)</text>
                  <text x="64" y="84">Update(Bob,</text>
                  <text x="132" y="84">...)</text>
                  <text x="72" y="100">Update(Carol,</text>
                  <text x="148" y="100">...)</text>
                  <text x="156" y="116">Response{AuditorSig:</text>
                  <text x="264" y="116">66bf,</text>
                  <text x="308" y="116">...}</text>
                  <text x="400" y="164">AuditorUpdate</text>
                  <text x="504" y="180">AuditorTreeHead</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Many Users                        Transparency Log               Auditor
|                                        |                             |
| Update(Alice, ...) ------------------->|                             |
| Update(Bob, ...) --------------------->|                             |
| Update(Carol, ...) ------------------->|                             |
| <===== Response{AuditorSig: 66bf, ...} |                             |
|                                        |                             |
|                                        |                             |
|                                        | AuditorUpdate ------------->|
|                                        |<----------- AuditorTreeHead |
|                                        |                             |
]]></artwork>
          </artset>
        </figure>
        <t>Given the long-lived nature of transparency logs and the potentially short-lived
nature of third-party auditing arrangements, KT allows third-party auditors to
start auditing a log at any arbitrary point. This allows a new third-party
auditor to start up without ingesting the transparency log's entire
history. The point at which an auditor started auditing is provided to users in
the transparency log's configuration. When verifying query responses, users
verify that the auditor started auditing at or before the point necessary for
the query to be secure.</t>
      </section>
      <section anchor="third-party-management">
        <name>Third-Party Management</name>
        <t>With the Third-Party Management deployment mode, a third party is responsible
for the majority of the work of storing and operating the log. The service operator
focuses mainly on enforcing access control and authenticating the creation of new
versions of labels. All user queries are initially sent by users directly to the
service operator, and the service operator proxies them to the third-party
manager if they pass access control.</t>
        <figure anchor="manager-fig">
          <name>Third-Party Management. Valid requests are proxied by the service operator to the manager. Invalid requests are blocked.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="520" viewBox="0 0 520 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,192" fill="none" stroke="black"/>
                <path d="M 248,48 L 248,192" fill="none" stroke="black"/>
                <path d="M 512,48 L 512,192" fill="none" stroke="black"/>
                <path d="M 136,64 L 240,64" fill="none" stroke="black"/>
                <path d="M 264,64 L 504,64" fill="none" stroke="black"/>
                <path d="M 16,80 L 232,80" fill="none" stroke="black"/>
                <path d="M 256,80 L 336,80" fill="none" stroke="black"/>
                <path d="M 176,112 L 240,112" fill="none" stroke="black"/>
                <path d="M 264,112 L 504,112" fill="none" stroke="black"/>
                <path d="M 16,128 L 232,128" fill="none" stroke="black"/>
                <path d="M 256,128 L 336,128" fill="none" stroke="black"/>
                <path d="M 128,160 L 208,160" fill="none" stroke="black"/>
                <path d="M 160,176 L 208,176" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="512,112 500,106.4 500,117.6" fill="black" transform="rotate(0,504,112)"/>
                <polygon class="arrowhead" points="512,64 500,58.4 500,69.6" fill="black" transform="rotate(0,504,64)"/>
                <polygon class="arrowhead" points="264,128 252,122.4 252,133.6" fill="black" transform="rotate(180,256,128)"/>
                <polygon class="arrowhead" points="264,80 252,74.4 252,85.6" fill="black" transform="rotate(180,256,80)"/>
                <polygon class="arrowhead" points="248,112 236,106.4 236,117.6" fill="black" transform="rotate(0,240,112)"/>
                <polygon class="arrowhead" points="248,64 236,58.4 236,69.6" fill="black" transform="rotate(0,240,64)"/>
                <polygon class="arrowhead" points="216,176 204,170.4 204,181.6" fill="black" transform="rotate(0,208,176)"/>
                <polygon class="arrowhead" points="216,160 204,154.4 204,165.6" fill="black" transform="rotate(0,208,160)"/>
                <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/>
                <polygon class="arrowhead" points="24,80 12,74.4 12,85.6" fill="black" transform="rotate(180,16,80)"/>
                <g class="text">
                  <text x="24" y="36">Alice</text>
                  <text x="216" y="36">Service</text>
                  <text x="284" y="36">Operator</text>
                  <text x="488" y="36">Manager</text>
                  <text x="72" y="68">Search(Alice)</text>
                  <text x="424" y="84">SearchResponse(...)</text>
                  <text x="72" y="116">Update(Alice,</text>
                  <text x="148" y="116">...)</text>
                  <text x="424" y="132">UpdateResponse(...)</text>
                  <text x="68" y="164">Search(Fred)</text>
                  <text x="224" y="164">X</text>
                  <text x="64" y="180">Update(Bob,</text>
                  <text x="132" y="180">...)</text>
                  <text x="224" y="180">X</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Alice                  Service Operator                  Manager
|                             |                                |
| Search(Alice) ------------->| ------------------------------>|
|<--------------------------- |<---------- SearchResponse(...) |
|                             |                                |
| Update(Alice, ...) -------->| ------------------------------>|
|<--------------------------- |<---------- UpdateResponse(...) |
|                             |                                |
| Search(Fred) ----------> X  |                                |
| Update(Bob, ...) ------> X  |                                |
|                             |                                |
]]></artwork>
          </artset>
        </figure>
        <t>The security of the Third-Party Management deployment mode comes from an
assumption that the service operator and the third-party manager do not collude
to behave maliciously. If the third-party manager behaves honestly, then any
improper modifications to a label's value that were requested by the
service operator will be properly published such that the label owner will
detect them when monitoring. If the service operator behaves honestly, the
third-party manager will be unable to add any new unauthorized versions of a
label such that a user will accept them, or remove any authorized version of a
label without the label owner detecting it.</t>
        <t>The service operator <bcp14>MUST</bcp14> implement some mechanism to detect when forks are
presented by the third-party manager. Additionally, the service operator <bcp14>MUST</bcp14>
implement some mechanism to prevent the same version of a label from being
submitted to the third-party manager multiple times with different associated
values.</t>
      </section>
    </section>
    <section anchor="combining-logs">
      <name>Combining Logs</name>
      <t>There are many cases where it makes sense to operate multiple cooperating
transparency log instances, for example:</t>
      <ul spacing="normal">
        <li>
          <t>A service operator may wish to gradually migrate to a transparency log that
uses different cryptographic keys, a different cipher suite, or different
deployment mode.</t>
        </li>
        <li>
          <t>A service operator may operate multiple logs to improve their ability to scale
or provide higher availability.</t>
        </li>
        <li>
          <t>A federated system may allow each participant in the federation to operate
their own transparency log for their own users.</t>
        </li>
      </ul>
      <t>Client implementations <bcp14>SHOULD</bcp14> generally be prepared to interact with multiple
independent transparency logs, as quickly migrating to a new transparency log is
the  generally recommended way to recover from log failure. When multiple
transparency logs are used as part
of one application, all users <bcp14>MUST</bcp14> have a consistent policy for executing
Search, Update, and Monitor queries against the logs in a way that maintains the
high-level security model of KT:</t>
      <ul spacing="normal">
        <li>
          <t>If all transparency logs behave honestly, then users observe a globally
consistent view of the data associated with each label.</t>
        </li>
        <li>
          <t>If any transparency log behaves dishonestly, this will be detected in a timely
manner by background monitoring or out-of-band communication.</t>
        </li>
      </ul>
      <section anchor="gradual-migration">
        <name>Gradual Migration</name>
        <t>In the case of gradually migrating from an old transparency log to a new one,
this policy may look like:</t>
        <ol spacing="normal" type="1"><li>
            <t>Search queries are executed against the old transparency log first, and
then against the new transparency log only if the most recent version of a
label in the old transparency log is a special application-defined
'tombstone' entry.</t>
          </li>
          <li>
            <t>Update queries are only executed against the new transparency log, with
the exception of adding a tombstone entry for the label to the old
transparency log if one hasn't been added already.</t>
          </li>
          <li>
            <t>Both transparency logs are monitored as they would be if they were run
individually. Once the migration has completed and the old transparency log
has stopped accepting modifications, the old transparency log <bcp14>MUST</bcp14> stay
operational long enough for all users to complete their monitoring of it,
keeping in mind that some users may be offline for a significant amount of
time. If the old transparency log is shut down before a user is able to
complete their monitoring of it, that user will be unable to detect some
forms of misbehavior by the old transparency log.</t>
          </li>
        </ol>
        <t>Placing a tombstone entry for each label in the old transparency log gives users
a clear indication as to which transparency log contains the most recent version
of a label. Importantly, it prevents users from incorrectly accepting a stale
version of a label if the new transparency log is unreachable.</t>
      </section>
      <section anchor="immediate-migration">
        <name>Immediate Migration</name>
        <t>In some situations, the service operator may instead choose to stop adding new
entries to a transparency log immediately and provide a new transparency log
that is pre-populated with the most recent versions of all labels. In this case,
the policy may look like:</t>
        <ol spacing="normal" type="1"><li>
            <t>Search queries must be executed against the new transparency log.</t>
          </li>
          <li>
            <t>Update queries must be executed against the new transparency log.</t>
          </li>
          <li>
            <t>The final tree size and root hash of the old transparency log is provided to
users over a trustworthy channel. Users issue their final Monitor queries to
complete monitoring up to this point. Label owners initiate monitoring state
for the new transparency log by processing an Update for the migrated
versions of their labels and verifying that the migration was done correctly.
From then on, users will monitor only the new transparency log.</t>
          </li>
        </ol>
        <t>The final tree size and root hash of the prior transparency log need to be
distributed to users in a way that ensures that all users have a globally
consistent view. This can be done by storing them in a well-known label of the
new transparency log. Users <bcp14>MUST</bcp14> process this well-known label as if they own
it, so that they continue to monitor it for unexpected changes for the duration
of the migration period. Alternatively, the final tree size and root hash may be
distributed with the application's code distribution mechanism.</t>
      </section>
      <section anchor="federation">
        <name>Federation</name>
        <t>In a federated application, many servers that are owned and operated by
different entities will cooperate to provide a single end-to-end encrypted
communication service. Each entity in a federated system provides its own
infrastructure (in particular, a transparency log) to serve the users that rely
on it. Given this, there <bcp14>MUST</bcp14> be a consistent policy for directing KT requests
to the correct transparency log. Typically in such a system, the end-user
identity directly specifies which entity requests should be directed to. For
example, with an email end-user identity like <tt>alice@example.com</tt>, the
controlling entity is <tt>example.com</tt>.</t>
        <t>A controlling entity like <tt>example.com</tt> <bcp14>MAY</bcp14> act as an anonymizing proxy for its
users when they query transparency logs run by other entities (in the manner of
<xref target="RFC9458"/>), but <bcp14>SHOULD NOT</bcp14> attempt to 'mirror' or combine other transparency
logs with its own. This ensures that all transparency logs can consistently
enforce their access control policies as intended, manage compliance with
privacy laws, and modify label values quickly and without interference from
third-party caches.</t>
      </section>
    </section>
    <section anchor="pruning">
      <name>Pruning</name>
      <t>As part of the core infrastructure of an end-to-end encrypted communication
service, transparency logs are required to operate seamlessly for several years.
This presents a problem for general append-only logs, as even moderate usage can
cause the log to grow to an unmanageable size in that time frame. This issue is
further compounded by the fact that a substantial portion of the entries added
to a log may be fake, having been added solely for the purpose of obscuring
short-term update rates (discussed in <xref target="privacy-considerations"/>). Given this,
transparency logs need to be able manage their footprint by pruning data which
is no longer required by the communication service.</t>
      <t>Broadly speaking, a transparency log's database will contain two types of data:</t>
      <ol spacing="normal" type="1"><li>
          <t>Serialized user data (the values corresponding to labels in the log), and</t>
        </li>
        <li>
          <t>Cryptographic data, such as pre-computed portions of hash trees or commitment
openings.</t>
        </li>
      </ol>
      <t>The first type, serialized user data, can be pruned by removing entries that
have either expired or have become permanently inaccessible due to the service operator's
access control policy. A version of a label expires when it is no longer
possible to produce a valid search proof for the label-version pair, which
happens when all of the necessary log entries have passed their <strong>maximum
lifetime</strong> (as defined in <xref target="PROTO"/>).</t>
      <t>Notably, the greatest version of a label is the only version that never expires
through the maximum lifetime mechanism. However, service operators may define
arbitrary access control policies that permanently block access to the greatest
(or any other versions) of a label. The values corresponding to these
label-version pairs may also be deleted without consideration to the rest of the
protocol.</t>
      <t>The second type of data, cryptographic data, can also be pruned, but only after
considering which parts are no longer required by the protocol for producing
proofs. For example, even though a particular version of a label may have been
deleted, the corresponding VRF output and commitment may still need to exist in
the latest version of the transparency log's prefix tree to produce valid search
proofs for other versions of the label. The exact mechanism for determining
which data is safe to delete will depend on the protocol and implementation.</t>
      <t>The distinction between user data and cryptographic data provides a valuable
separation of concerns since <xref target="PROTO"/> does not provide a way for a service
operator to convey its access control policy to a transparency log. That is, it
allows the pruning of user data to be done entirely by application-defined code,
while the pruning of cryptographic data can be done entirely by KT-specific code
as a subsequent operation.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>A user that correctly verifies a proof from the transparency log and does any
required monitoring afterwards receives a guarantee that the transparency log
operator executed the operation correctly, and in a way that's globally
consistent with what it has shown all other users. That is, when a user searches
for a label, they're guaranteed that the result they receive represents the same
result that any other user searching for the same label at roughly the same time
would've seen. When a user modifies a label, they're guaranteed that other users
will see the modification within a bounded amount of time, or will
themselves permanently enter an invalid state as discussed below.</t>
      <t>If the transparency log does not execute an operation correctly, then either:</t>
      <ol spacing="normal" type="1"><li>
          <t>The user will detect the error immediately and reject the proof, or</t>
        </li>
        <li>
          <t>The user will permanently enter an invalid state.</t>
        </li>
      </ol>
      <t>Depending on the exact reason that the user enters an invalid state, it will
either be detected by background monitoring or by the mechanisms described in
<xref target="detecting-forks"/>. Importantly, this means that users must stay online for
a bounded amount of time after entering an invalid state for it to be
successfully detected.</t>
      <t>Alternatively, instead of executing a lookup incorrectly, the transparency log
can attempt to prevent a user from learning about more recent states of the log.
This would allow the log to continue executing queries correctly, but on
stale versions of data. To prevent this, applications configure an upper
bound on how stale a query response can be without being rejected.</t>
      <t>The security of a transparency log depends naturally on the security of the
cryptographic primitives that it's configured to use, as well as the deployment
mode that the transparency log relies on:</t>
      <ul spacing="normal">
        <li>
          <t>Third-Party Management and Third-Party Auditing require an assumption that the
transparency log and the third-party manager or auditor do not collude
to trick users into accepting malicious results.</t>
        </li>
        <li>
          <t>Contact Monitoring requires an assumption that the user that owns a label and
all users that look up the label do the necessary monitoring afterwards.</t>
        </li>
      </ul>
      <t>In short, assuming that the underlying cryptographic primitives used are secure,
any deployment-specific assumptions hold (such as non-collusion), and that user
devices don't go permanently offline, then malicious behavior by the
transparency log is always detected within a bounded amount of time. The
parameters that determine the maximum amount of time before malicious behavior
is detected are as follows:</t>
      <ul spacing="normal">
        <li>
          <t>The configured maximum amount of time by which a query response can be stale.</t>
        </li>
        <li>
          <t>The configured Reasonable Monitoring Window (described in
<xref section="7.1" sectionFormat="of" target="PROTO"/>), weighed against how frequently users execute
background monitoring in practice.</t>
        </li>
        <li>
          <t>For logs that use the Contact Monitoring deployment mode: how frequently users
engage in anonymous communication with the transparency log, or peer-to-peer
communication with other users.</t>
        </li>
        <li>
          <t>For logs that use the Third-Party Auditing deployment mode: the configured
maximum acceptable lag for an auditor.</t>
        </li>
        <li>
          <t>For logs that use the Third-Party Management deployment mode: the amount of
lag, or potential inefficacy, of the service operator's approach to detecting
forks.</t>
        </li>
      </ul>
      <section anchor="state-loss">
        <name>State Loss</name>
        <t>The security of KT often depends on the ability of users to maintain robust
local state. Users that lose their state in a Contact Monitoring or Third-Party
Auditing deployment will have a correspondingly reduced ability to detect if
they were shown a fork, or if the transparency log later obscured data that they
consumed.</t>
        <t>In a Contact Monitoring deployment mode, this can happen when a user loses their
state after consuming a version of a label that was created either within the
Reasonable Monitoring Window, or within a portion of the log that was
insufficiently gossipped. In a Third-Party Auditing deployment mode, this can
happen when a user loses their state after consuming a version of a label that
was created within the auditor's maximum acceptable lag.</t>
        <t>Applications should consider the nature of possible state loss in their clients
when configuring a transparency log and <bcp14>MUST</bcp14> ensure that the relevant protocol
parameters are set in a way that appropriately mitigates this risk.
For example, in a Contact Monitoring deployment, the Reasonable Monitoring
Window and the duration between out-of-band communication attempts <bcp14>SHOULD</bcp14> be
much less than the typical time between state loss events. Similarly, in a
Third-Party Auditing deployment, the maximum acceptable lag for an auditor
<bcp14>SHOULD</bcp14> be much less than the typical time between state loss events. This
minimizes the likelihood that a state loss event could be useful to a
misbehaving transparency log.</t>
        <t>In applications where client state is typically ephemeral (like a web page), or
where state loss could possibly be triggered adversarially, a Third-Party
Management deployment mode is <bcp14>RECOMMENDED</bcp14>. Alternatively, applications could
also consider implementing a policy of not consuming label-version pairs that
were inserted too recently. Once a label-version pair is outside of the
Reasonable Monitoring Window in a Contact Monitoring deployment, or beyond the
maximum acceptable auditor lag in a Third-Party Auditing deployment, the risks
associated with state loss are often already sufficiently mitigated.</t>
      </section>
      <section anchor="privacy-considerations">
        <name>Privacy Considerations</name>
        <t>For applications deploying KT, service operators expect to be able to control
when sensitive information is revealed. In particular, a service operator can
often only reveal that a user is a member of their service, and information
about that user's account, to that user's friends or contacts.</t>
        <t>KT only allows users to learn whether or not a label exists in the
transparency log if the user obtains a valid search proof for that label.
Similarly, KT only allows users to learn about the value of a label if
the user obtains a valid search proof for that exact version of the label.</t>
        <t>When a user was previously allowed to lookup or change a label's value but no
longer is, KT prevents the user from learning whether or not the label's value
has changed since the user's access was revoked. This is true even in Contact
Monitoring mode, where users are still permitted to perform monitoring after
their access to perform other queries has been revoked.</t>
        <t>Applications determine the privacy of data in KT by
relying on these properties when they enforce access control policies on the
queries issued by users, as discussed in <xref target="protocol-overview"/>. For example if
two users aren't friends, an application can block these users from searching
for each other's labels. This prevents both users from learning about
each other's existence. If the users were previously friends but no longer are,
the application can prevent the users from searching for each other's labels and
learning the contents of any subsequent account updates.</t>
        <t>Service operators also expect to be able to control sensitive population-level
metrics about their users. These metrics include the size of their user base, the
frequency with which new users join, and the frequency with which existing users
update their labels.</t>
        <t>KT allows a service operator to obscure the size of its user base by batch
inserting a large number of fake label-version pairs when a transparency log is
first initialized. Similarly, KT also allows a service operator to obscure the
rate at which "real" changes are made to the transparency log by padding "real"
changes with the insertion of other fake label-version pairs, such that it
creates the outside appearance of a constant baseline rate of insertions.</t>
        <section anchor="leakage-to-third-party">
          <name>Leakage to Third-Party</name>
          <t>In the event that a third-party auditor or manager is used, there's additional
information leaked to the third-party that's not visible to outsiders.</t>
          <t>In the case of a third-party auditor, the auditor is able to learn the total
number of distinct changes to the log. It is also able to learn the order and
approximate timing with which each change was made. However, auditors are not
able to learn the plaintext of any labels or values. This is because labels
are masked with a VRF, and values are only provided to auditors as commitments.
They are also not able to distinguish between whether a change represents a label
being created for the first time or being updated, or whether a change
represents a "real" change from an end-user or a "fake" padding change.</t>
          <t>In the case of a third-party manager, the manager generally learns everything
that the service operator would know. This includes the total set of plaintext
labels and values and their modification history. It also includes traffic
patterns, such as how often a specific label is looked up.</t>
        </section>
      </section>
    </section>
    <section anchor="privacy-law-considerations">
      <name>Privacy Law Considerations</name>
      <t>Consumer privacy laws often provide a <em>right to erasure</em>. This means that when a
consumer requests that a service operator delete their personal information, the
service operator is legally obligated to do so. This may seem to be incompatible
with the description of KT in <xref target="introduction"/> as an "append-only log". Once an
entry is added to a transparency log, it indeed can not be removed. The
important caveat here is that user data is not directly stored in the
append-only log. Instead, it primarily contains privacy-preserving VRF outputs
and cryptographic commitments.</t>
      <t>The value corresponding to a label is typically some serialized user account
data, like a public key or internal identifier. KT uses cryptographic
commitments to ensure that users interacting with a transparency log are unable
to learn anything about a label's value until the transparency log explicitly
provides the commitment's opening. A transparency log responding to an erasure
request can delete the commitment opening and the associated data. This can be
done immediately and permanently prevents recovery of the associated value.</t>
      <t>Labels themselves are typically serialized end-user identifiers, like a username
or email address. All labels are processed through a Verifiable Random Function,
or VRF <xref target="RFC9381"/>, which uses a private key to deterministically map each label to a fixed-length
pseudorandom value. The set of all labels stored in a transparency log is
committed to by a prefix tree, and each version of the prefix tree is committed
to by a log tree.</t>
      <t>While all the VRF outputs corresponding to labels affected by an erasure request
can be deleted from the most recent version of the prefix tree immediately,
previous versions of the prefix tree will still contain the VRF outputs and will
still be needed by the protocol for a bounded amount of time. This bound is
defined by the log entry maximum lifetime discussed in <xref target="PROTO"/>. As such, the
VRF outputs can only be fully purged from the transparency log once all log
entries that contain them have passed their maximum lifetime. After this point,
they are no longer necessary for the protocol to operate.</t>
    </section>
    <section anchor="implementation-guidance">
      <name>Implementation Guidance</name>
      <t>Fundamentally, KT can be thought of as guaranteeing that all the users of a
service agree on the contents of a key-value database (noting that this document
refers to these keys as "labels"). It takes special care to turn the guarantee
that all users agree on a set of labels and values into a guarantee that the
mapping between end-users and their public keys is authentic. Critically, to
authenticate an end-user identity, it must be both <em>unique</em> and <em>user-visible</em>.
However, what exactly constitutes a unique and user-visible identifier varies
greatly from application to application.</t>
      <t>Consider, for example, a communication service where users are uniquely
identified by a fixed username, but KT has been deployed using each user's
internal UUID as their label. While the UUID might be unique, it is not
necessarily user-visible. When a user attempts to lookup a contact by username,
the service operator translates the username into a user UUID under the hood. If
this mapping (from username to UUID) is unauthenticated, the service operator
could manipulate it to eavesdrop on conversations by returning the UUID for an
account that it controls. From a security perspective, this would be equivalent
to not using KT at all.</t>
      <t>However, that's not to say that the use of internal UUIDs in KT is never
appropriate. Many applications don't have a concept of a fixed explicit
identifier, like a username, and instead rely on their UI (underpinned
internally by a user's ID) to indicate to users whether a conversation is with a
new person or someone they've previously contacted. The fact that the UI behaves
this way makes the user's ID a user-visible identifier even if a user may not be
able to actually see it written out. An example of this kind of application
would be Slack.</t>
      <t>A <strong>primary end-user identity</strong> is one that is unique, user-visible, and unable
to change. (Or equivalently, if it changes, it appears in the application UI as
a new conversation with a new user.) An example of this type of identifier would
be an email address on an email service. A primary end-user identity <bcp14>SHOULD</bcp14>
always be a label in KT, with the end-user's public keys and other account
information as the associated value.</t>
      <t>A <strong>secondary end-user identity</strong> is one that is unique, user-visible, and able
to change without being interpreted as a different account due to its
association with a primary end-user identity. These identities are used solely
for initial user discovery, during which they're converted into a primary
end-user identity (like a UUID) that's used by the application to identify the
end-user from then on. An example of this type of identity would be a username,
since users can often change their username without disrupting existing
communications. A secondary end-user identity <bcp14>SHOULD</bcp14> be a label in KT with the
primary end-user identity as the associated value, such that it can be used to
authenticate the user discovery process.</t>
      <t>While likely helpful to most common applications, the distinction between
handling primary and secondary end-user identities is not a guaranteed rule.
Applications must be careful to ensure they fully capture the semantics of
identity in their application with the labels and values they store in KT.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="sealed-sender" target="https://signal.org/blog/sealed-sender/">
          <front>
            <title>Technology preview: Sealed sender for Signal</title>
            <author>
              <organization/>
            </author>
            <date year="2018" month="October" day="29"/>
          </front>
        </reference>
        <reference anchor="RFC6962">
          <front>
            <title>Certificate Transparency</title>
            <author fullname="B. Laurie" initials="B." surname="Laurie"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="E. Kasper" initials="E." surname="Kasper"/>
            <date month="June" year="2013"/>
            <abstract>
              <t>This document describes an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs.</t>
              <t>Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6962"/>
          <seriesInfo name="DOI" value="10.17487/RFC6962"/>
        </reference>
        <reference anchor="RFC9420">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="PROTO">
          <front>
            <title>Key Transparency Protocol</title>
            <author fullname="Brendan McMillion" initials="B." surname="McMillion">
         </author>
            <author fullname="Felix Linker" initials="F." surname="Linker">
         </author>
            <date day="16" month="April" year="2026"/>
            <abstract>
              <t>   While there are several established protocols for end-to-end
   encryption, relatively little attention has been given to securely
   distributing the end-user public keys for such encryption.  As a
   result, these protocols are often still vulnerable to eavesdropping
   by active attackers.  Key Transparency is a protocol for distributing
   sensitive cryptographic information, such as public keys, in a way
   that reliably either prevents interference or detects that it
   occurred in a timely manner.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-keytrans-protocol-04"/>
        </reference>
        <reference anchor="RFC9458">
          <front>
            <title>Oblivious HTTP</title>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="January" year="2024"/>
            <abstract>
              <t>This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9458"/>
          <seriesInfo name="DOI" value="10.17487/RFC9458"/>
        </reference>
        <reference anchor="RFC9381">
          <front>
            <title>Verifiable Random Functions (VRFs)</title>
            <author fullname="S. Goldberg" initials="S." surname="Goldberg"/>
            <author fullname="L. Reyzin" initials="L." surname="Reyzin"/>
            <author fullname="D. Papadopoulos" initials="D." surname="Papadopoulos"/>
            <author fullname="J. Včelák" initials="J." surname="Včelák"/>
            <date month="August" year="2023"/>
            <abstract>
              <t>A Verifiable Random Function (VRF) is the public key version of a keyed cryptographic hash. Only the holder of the secret key can compute the hash, but anyone with the public key can verify the correctness of the hash. VRFs are useful for preventing enumeration of hash-based data structures. This document specifies VRF constructions based on RSA and elliptic curves that are secure in the cryptographic random oracle model.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9381"/>
          <seriesInfo name="DOI" value="10.17487/RFC9381"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1965LcxrHm/3oK7OgHZya6h5bko2MzbPlQJGUzRIo65Mg+
jo2NMLqB7oaJBtq4zLBN08+yz7JPtvnlpapw6eHoEt7diGU4LHIGKFRlZeX1
y6zlcum6oivzR8nZN/kxuW7Sqj2kTV6tj8njZr0runzd9U1+5tZpl2/r5vgo
KapN7VxWr6t0Ty9mTbrplkXebZZv82OHEZZp9OryF792bb/aF21b1FV3PNA7
z59df+2qfr/Km0cuo5EfuXVdtXnV9u2jpGv63N08Sj53NJOUpvYmX/dN0R3P
3G3dvN02dX+YmfCZo+/TA9kjlywT+nvSRb91N3nV03eS5PT7SSLTO/sTfaao
tsnv8Sh+vk+Lkn5uC/wPLPeqbrb4HRZLv9t13aF99PAhHuX13+RX9thD/ODh
qqlv2/yhDfIQL2+Lbtev6HUm4O3W0/Ch0BUv4rmSiNR20WfGz1/JSFdFHb35
8GObc7Xr9uWZc2nf7eoGhKNvJcmmL0vZ3a+INFlaJS/XL4uypA3k3+dCj5X8
cr/ey+/+Y4ufX63rvXNV3ezTjojwyDlwjP9XkrR5WubZkrY7w/5jwC5ttjkt
z1bXFtsqLZl0q7LePhy88lBeUb69zte7qqaHjsmhyW+K/PZR8oYfT+TxhD6e
vOEBz/hNZrjks198+qvlp79YfvZr59xyuUzSVUsEWnfOXe+KNiEG7/d51SVZ
vimqvE26XZ50ebMv9GtpldFZoJ/QO7T45JB29I+qpR/e1OVNjt/iJZflh7I+
8lj1JpmcM3oqTbZ5RQOVNGVi9Vx4NNnnbZtuiRFBwSal6fW8awv+dnvI18Wm
0Jm1ekaICPUhbzr5edrxL+lnXb2uS0d/uSmyvL1KnndJWrY1MeANPbmv8VGZ
wyKp6mpJtGzXTXHApiXbvqB9XucJLXNX3yZd7WSiJZHhcKD/n6yqq2lVcsSx
auKJPb2MhwsSJUSv9krIvi+yrMyd+yR5XnVNnfVMTee+yjeYVFodE88/NMKa
mHGVJ/m79S6ttkJk+hHt9LKrl/Qf+uu6OR467P+x7fL9Iulua9ftiI600L7t
kh1NI68eJV8XTdstaOOIXOvikFZdq3umr8rjSjQlc3NTrHMHGqcdMdYtHTue
5KFf0dIgd3hDjvSbdgcy9G2O/zT5OgctZVOxBSTW6ipbMI/ouIkfl7/c1vsc
9M4K2vti1Xc8CRov/lhKhN22vNFusBTefpsFNqCvQPtc5pyn611S00sNbcT1
8UC/KmkjO/A+s3+VJ6sj0eoGkpAW0bRJT4ycZvhS0QwXjN1ui/2BdjIraKm0
BKIADZ7LN3QA7F5W31Y2zD5J26QiyhBNmuMioYWvjkpw8H38jaJarsD3PHvs
RVgSGGOVY57Clhnx92Z+v2hpPE9oByIxcQkTp8Gc6YfEaLdpkw0Wt8q72zyv
ZAkLppDb58Tr4YD1EDTlETNQ9mOJoMeOl11XJa8MklepkW7Tomo72jXSjcQa
eUpnMaPze8BAdaWE9hzj3B/q2/wmbxZ0YGnHvXxQdqURid50vEnYgf379U6m
SDvrR8EzLhyfbkeiZruLieWZ8EHLP+JV3+4KGm2fvqURio7OX9fke5z/PG2P
DiIWazQqE03LtK/WOBoJ5COtjsRjun57lVxjRgUTcvpJkMp19JXBDmB4mQB9
+m1FalQZgLatPdAhAg0OTXED7sYbLCEdkbVeFymfmnp0auTc8kbQMtP1uu6r
jn9a97qn8it8jpTJNne0KOIcokZdYUyak98wbBYdZpBKhJtxaSp7TVs3kZDn
31xf0Akvb1hSE18Sc6xKOhJ0Apr8b33RYFWzRIL87SAdMXYyPCS0KGbAetuk
h52eauU72m8WfdmSuZHU2FXyuDq6fUoDFHXfEveSoAGTZJkcDWaiFI/SkoiN
VEnQ25DCf+v5rzdFW9DU8fyKjrvDpNPNRr7Ic8TBjYhKtCJm6FpwA62cBsGe
yqmgQbKcTwnJD8gOx+IUrC1nPNqEDMSCzjdSDQQjGG4ny+CT5HSbx9IhEBYq
fH/oWhEKpPGgkkkIe7rU8iKRw22aei+/lHmTeCbN2Ym8UzlBW5HDciMKnhET
v6XJYLZnxs206WRRpBUN70AiOkwF0VPWnxJJIZvB6aTasZVYOwnH3BsT1wn9
qyF+KZkaJnHapCzoDD2BIbBhoe8GvPf+/euvn3zx6y8++/ABk2A+pbGKal32
GaZLGnVDLxaYmBdjYIcc5qPRgA+mkcbmILpAjJN1rFxls1V0Cs1IyzwgquXy
WqwZMCwpEnwlCB9mOnIm2o6GK2Cq0Ekg6yxjCWcTEZFH79KM8ht6UhlgH6ye
SHzTssWmgPXmYPZA5OnJgkghchGT8YFpSRmLjB9zAz4xUb6ODktPtiO9aUts
81ym4mDxPIHIqERgYPufwtQs+N+y7/Bi4NK0ydnL799cny3kv8m3r/jvr5/9
5/fPXz97ir+/+cPjFy/8X5w+8eYPr75/8TT8Lbz55NXLl8++fSov00+TwY/c
2cvHfz4TQ/Ps1XfXz199+/jFmVhHsXEMMuPU52IKE/lYyLRk9MJ8XImB9tWT
7/7X//z0l8R2/4347rNPP/018Z3841ef/vsv6R901Cv5GhNa/olz7yCw0oYF
WwlNeig62sIFDAdsBxmkZGQQOS//OyjzPx4lv1mtD5/+8kv9ARY8+KHRbPBD
ptn0J5OXhYgzP5r5jKfm4OcjSg/n+/jPg38b3aMf/uZ3JTFUsvz0V7/7kljo
8vKZGL70n+SZN3yfDCyjNyLlHl1eukfJ45HZZCLQ7ATIYSgIL4vzaktmA+88
Kf1FclPT4wtypGAT12yyiYUHG701Wz98gOUTTgkzSJV3ss00fhtJaxov0lpH
+XALV4gnNhhSzBzmExLoZNaY7hEhn/CXKugvMuqKA2QYbCeh1fc410/zQBAc
s4z/nagxR2eQJO2hpmFEn2bFFkw3nEUslfKC9VTCHicoYsZ+8EXI6Uzv8lUG
Y/NIvC/DeT/PIC26o20lvfC3Pjd6NkvTw4U+l3gLKDNHxZs656qSG/az6Isw
+OF4wK4wDlDKtBc/Zurk0ImZlpLtJb6ADsFD5+/gCxawumHu5K2p3aGjQgOe
i90ubiDbrGoPRF+utvz0xeATQh/6gBCEnOWMhlsdeVoIcCRnj2kO+dlCVY6+
5+lXqHPdsS2mD/Oe8H48TB4LNW1DWnqsjAai03AvqhnNIqbCRKHCWCNVauq0
sP7TcjJTNtl4+OG+XSVf1+DL/F0K32yhFq+p0nh08or6kvRqTmZgySoP/y4O
gZ3oI9gMDv6Q17wDw4iHv+BRQdCLQVgk+Gre0qr8sDSWzjI558EW5DOQBDhc
MIFVaiWv1DYLp5W08p68RWLWbVoVfxcCspiw8IbKmzhmkqiLEvYCZLl7N7zV
2tab7lZVndfyHQvFouPZDqyrF/XWMwTsILKu/87hKBmVdBhMOzBHiKJ0iO+x
FVvb7H3M4xxGOCKNscSkMzk53RzNqaZ8TFb+MBiasM1SwAwTC77pK5VianiV
oK8sVqz946zFvIDZC+Fd92UmttXKfkvTIo0BvqABZqkEA2hTbPuG1xl2eFO8
y7OFLZZeIM7qoI9wnpLJKOKjtGaLwb8oDiqQ+6KTfQyUuxp+lq3wJl+GIEum
YRsoQHWPUwSHETAga6wj/QT3mQw7E70ZsxexH02QTqjY3DS2mHnfmQH96gbk
y2+d+xrOQ0pmIQbkWDN8GmIWuMoLGKWbWpQxuXMlVNhSXPEkDt/qtrs1DFIS
C5fxJoMUlwv2vmn4FCPJECZkdnWZCdEk/Es6Dl936/pwZEqTvRWzIQuYd4ca
mptYjBVkGxkOwX8jocvn0+3rrNiQ2IKzKjrwKvleIkE1mbVFNROOmoQkcgSF
nMSe1M8rSLSS6Tfw9mh25kDMeYO0IB7e8SxtGjjUtCbxVGnmJNvIM6Vzzd4M
UQNuctF1JZQATZZkVLEv8DDsD4QEbiWcoS67jDKVfzhuIqCDUVPwe6tcQmwO
IrDt+KQIdwzCpRP+0EAo4hXbHTuDvMUIQdDjNA9a9fImLfscGZZ0RUrYFl1U
9J8uPEAnrOAfq+yx50VpL8TLMw2CMCPcElGNReNFv5eWMqb/fXzwvvdRwP6A
MDxNGMbf6qhzYk6lU3Fr6xAK4gfCPNdQ/XifRU1Z129pJP4qR8Rgd5HHai+z
uMBkWfZrggBhDn2A1CMoLdEXtvc0/rfw0X6SWmW6ysvLS4l/rHI57xzR3eQS
6qJp0CwsANOJ46a09cSUg+LGRzQoYQmjkn0NdVRt+rD+QUDHCFrDWw0hL2Kb
wNLIppHwV3a8vKRzQQtIE15KUmyCCcWRSzqfNT+phiw7obw9cLk4UtiaYuIh
SMTy6tj8t+E4ZL3Kg50mMsTdNQDvKLJbRGsyQbpemB32Sb0m3UiDj/jvm2sH
B5RzKhr+T25TCzbPRnUkaklCrt6zVmKp5J0JC6ZlgcUgXCzqTf43VBsNXMWL
I8G66dSz2dBRJ0ps3Hhg0QVHHyemWWKSZb5NS4QEr0li0cwQNVLxYUEyYV0f
RRGmIdXjIzwaOWOzWLwdCCORw3GWRUKxR5opYkXEnAhWblhq5eyZTUa2WFkk
e9KyydPsyE4bm/ViBPVl2micSz3H8ZcR5ysqEkEwKAZB7fxdIfaOuHD8ZEMf
l0g2EedPYHwOr7V7ju68W+ccVofvH3+GHTDsCgy2ZlXQiprjaFjX9CXiNX79
31wrAfG2hr2iqKuayRLZoEOqiSZWEG9z8KC5LAt1RLH+4ZsqFTzLi/VShXSI
HZwH5H6dbRpS8ll7xieKc2oyGuwo0TlXyUuIuMHaWSQh1IeYiUS6iDqd29MJ
3vf7BUs8xGlENSNkqToZo+u0mDGzWoKXt5WcADpva2QYcHiLds9nsMn/mos1
4VfPUUsyCeB3HtmlI+Vp6peYpiWSR6/CbSail/nGgnLxemjXP/mEdYRa/SEQ
Vvt/a0DA0oBkQKtvpJSHUEtbM58eOffpVQJvgtP0JARf0La0pjRERA/PmsrI
aqxVTGkghxwCf6bTwEdKFTOkozEjheT5ARsNZUrDzXyFFAGABAgBW7Sa31ra
76Gz5RRFqRS2eWkkMg6ruRyJrBd7lqq16lNYGtn1hCZ+grsXSOyTZFfuM5D0
e9bgIOnjLGtVbescvVXhhT4odR0MOpsi7OrxTCZj3KaWkAhzSL6tu9zewTlG
RBeD8Y/YgsAAog59NsNMsWJPIhwarpQ8flWL7wjKIvaDCSHG5V0LYrc3klWL
YurJdbGn/SbFlJy/eXINh0zRAiwt3r9/IzyffA7lQKP9zkfdF+J1sLuaXbnP
QdCXNalddnSTP+0KsjiFaXmC36u5hKg2uWrqjQnDxxlU4SYeh1MlmshVbl6l
a4bPcJgVwgXuJz9IFkohqAA+WTWMjl2+fusp6inXmlBXZ5Xt1zwx6zU5h7A2
Q4tjO9hpoohIG+FPmNk2qa7JNWwgW1d7i4MHXiH1uk+zXDSZCNLbSs68nh/R
03fk7iSN0g7kiJj+ytwcpRxa3EvbnkhHsia9Yok0+qGpoHas0GiWq7Jes48H
vwihGvG/kIiFzGXdkWckqv75z3+maXuzdRxoSj7+Z+wKEzH+cY/X/J9/xC+c
/zEtyfbkoFbOUZHXKuYv5l+4/xeEk895WRfJ8o4/X/ILv5n/pY7zmgVam59f
XV1d/MQpfVWv7p7Qv3BKcsiFSouER/pRU5JxfpYp/cgXzl+zvs/BTV+B++eY
6adt3NdksZ+iz5fJf0UvKFlpp08SdfjCD5oSnVn3/lHyiSr/ZaNkF4Dab8+e
iePijQMIOv/Mhk7+VSLnzmwqZ8mDNDx3y/qgqG4GT0pOXMmrKmEsq86SD2xV
PSFy5Zw0JYtK1Evv3cWQ1B+6gz6OIZgeGJkW0BiEEzlJu4eHff9QdztwedJV
USLgTs6Ywa0u12HKlz69k2j4JlqPIC9gAK4KMXMMsZNWbhrTHwYD25DAimJd
kqNSI1MCehpkFdOabAQN3am4JwUzcoui2Q9M1sFoyfxorBpq8i8rRvM0auAO
nCsM2fYH3mryKqrjHoGNAanZ4mpzN3jRyDvdKR9uSIMvyDACbNBLj0V8werO
MLkhuPn+PcybX//ys198+JCce0aJBicjjzR71u7gQxkeyVng7AI7ocjNN4Lc
fP9+APz88OGKLCPsq2h8/BSGpw7FZjAtN4Ag2IAQ45bHi5B8GkEMu+QzXMa1
oCzMfbXZ9SO00ZpnDegcjP2gjcdSdzj6NENpVuTGBSCW2hwu2j2NKiPTw66D
+szlUf0pTWfSx0Jo36zqAcyNgXZ5WVjyVT8asgvjDCmCwrW+xstLCoGksMgR
DFU+JFdbZJb8T1uENTPzbzxJwixhrjtvSfrPhgAIIySU/RHJqJIpXZB+MYBG
x6hJ/Y48ig8595jOQ7IrtjtyM2/yUoKl0WHk+BjDcjSl1nCCRigdUqCiZtxE
rHOsVE+WWeiRVRn8reBvIA7AzODCuiWqRF431tojutSJTyHkKWW4XXHwwowD
2pauOyHXxhFXmuhrnwPn3fURqfzE0hie0uYMSzOTWuFaxvHjECaITrJ/03NO
InI/eL99rlHj4wqYWOVJMLDrKFWP8yuQwTjthI1eSJJHwl7BO69XCDwiBngP
/oAz7acynXHRApBkE1tYQJT4kunMOhIg1XydMq43QIXhpPKx6tiHZBSXAjEF
iJseF2MeQPTGkEHEQlA/uq6IhLwbm+Ch2KlweiquIr9hkhob/hm7FY/9CeNK
B/dR0+euB/7hpgbpyPD/yOuztnRs9BrE5RwTlzkvotfvNfnhN3T8L+/9+r3X
nqg7f9+16+MnFv/zrH30DRn/p6/dTOAgsEe2r2kfmLuqZ8OzoTxCY2kmmCI1
LQGzjSRrpgJIbLohTF+z7s6k24JOe8XhGJ8ODVphgVkF1e9VNJ3LCL5+5V6b
5BjGWLwgi0SXt7yfMpgTT35NFh5Z388574fQdof4kYVPFaIwXZxJNUlPGYaU
w8nIWCDunxWbTd74QK/Ftj3KcSG0SxF0yQqaa08aXIMkg8RiClueRbbi7roo
oY81BKi8VUrkVRvgYxJLlZF9jBxRtDWrd9mmetOaHooCeh7bPrvDu7R1AayS
MglMw0rEnWbwQEyJbVmvWAJzGqztckV2a66248EEPBjvbvKYZ7pb+GCXqq5U
8WUSl7I0mqWwXBx4st8gQsVqot4zuwE9olheb1tzGmuC1VevrCR9EVwkYF5B
TFqIxZDUU8rDItfqnvkspz4aLWwweNshy1Zhz4uK9rr4Oy+UKRsHuJ/blmLG
nDQKG6H+QsSXC4FrA1wg+RbR2NET+Ht+o6BwSQzwx4iGh14y2WRNhCU7v2QD
9hbVeGcZhnO9C2cRdTEQPTV7SOQSdVzcMYcxr3QBYAsON0aMBlC32ASM9WFN
3PYGjeYRZSBxt/ywGK9VepuHE/ICl5e++GRXoNqE/Mbj5eWCfnHCleP0s3hU
kwwyp4wuLw953sCjw3/HL1s+LU1mPrwIUW7IjSZbfocfJ4/7DDIOo79MK5KH
zQTY+/49j7PkcZYpXiB2J/8PWzv85Z6HgJhH9BvFIn0HD8INYFwqV8W8C7kI
ZceJ4SlyLlqLU/caSULURXlICaq/FiGUPZEvNMy2kRQeKygXF0rsYWg1fBJi
dA+L8Z5dlk1fquAKcwErZj391qE2alulbGzW08QSIuDJLk8zceYmc4tgbQUJ
Lj+URykVFaOCjUNIaQoCx3Rfy9CxQZZFsv8kLZ0WTrE4lINgVRkHVmc7uCOF
ZE+huMnV2x8C5m60aCTnjccgizkJXHJ6dTZ2ZBoOq7LPG7POH4UFl5oxzlLy
H7wBVqA5Hhpms5t1JjnCgxxHezdbqDDw7n66xxHUHQvw5pkPcKUUO7jeeI88
vSzxBvx1XMDJmzRPfgMbqE4v5k+FwychspD+0FyDie99+jZkZ1k7LzBJ9kRa
Lu0M+pR2rKEj5Fg28uaxV40yJQ3XwbskK0Fpg9QQ6Kk0IdvG14s5/IhEbQlt
yJAqTlmLQK+OIn6D1GX//2hpHUHdiGBFsky447S444JPPRlb2FaHKcSsTpC4
Ize53blwJDjvFYJGADXF2vCE+NFvYMtIf8IckwJT2/WjxekQIOm7Zb2RQkbj
E2TosZeCByOuuinKo8Mjt0XW7ZbQdfRppBWDqG7JmRdLNvnP17T+LB9YUDH/
kMyQ6hWpLaYv6Yw1Isllm3tFAXs7RJ45hOJPxCQlo59qrt+j5thxTWGJVPIz
hioZhlCtKxKeJBBYSlazekxwXVKB5ZG2LGhMykkQrc0NdqigBZmqs5CtGcu8
3/I8piKDMCcEc5n1NLHU63ybNlmJ4BNmraRbmJErIAphV2HWgej3JVu5lvPa
cTPLUTUBV1Y3+YH0JP9GRDL9j43NohUsoC92lP2RIth2x6x/nwzhV/XqtLc2
yRje6dp9zC+MvcC7Bzr/FrH1ElLHxOGcLLz46EA/24zumwD8iH88cPwTc63f
/4GUw6Pki/Uvvvh8JXmnD/+6pf0/P9D5q1dfqTK5NWF/YQNFv1QJO9K8Fz/3
jGyLk6cCWuv5OGKLaaDpz/459+dLnpEyxJThvvxH8pvZ98If//L/kSMyu6T/
uudAP2BGFkyKNOWSN5uNDIkrCeTK8qTeGGs1TypGjhsKmLjGaBpkMRiX4rNj
nxrKn77g5Asrq/aCzUEDsAoOHRg0cm6dDO4InDuzTmdTHVc+XS5ax1zIaE1Q
jKoAEUN2mokx2NgdlqmGppKnoTHJSzIgWs5hWnqoQQQOJSr0pVYSUWwSwhGh
+XAkRLTqEgVeIYwFDQh6BSW7x+DqK+OLYrZMg3gc6FBL6Sp5BvWNVyVcU5Lt
ibBTGFZpsufcBoPr1S9fHz0AWrMy+DYbd7N2hwHXLacitSqRJ/zS+65AUdPT
w18/Vr8Xv4RbdltHQU1ZvRvs4iknKMsBDe5yNn1A3YJW5r1gJ5wbfC0zhXVl
3teWTy7Y+PJszwHAUNkpYZRCq3uaWste3MnwqsXEQuFGG3l0sQPIURLaP/+t
iqM9ehYmXrJhCzBfqWYQYxyGv5OsYOQ+h9xWFA6ORguga9COnNW8sW4zTKv5
bZ3x3SUdo3mm9K918M1ylGS/RV6YliPlU63GgrmA2cdKDZXJcB6j4dRDRSEJ
FtgybNF3YBBg7gODL14lk/kb301DpixcProEPt4fnzlPsF51iuz1e6E8lQ5Y
L9WgEXP7FlAIkSY3AJ7odlhm0NB/PvCWiKvTr0d4U3eNBCFb0JIF9R6o1BuX
pRRLxKnSU0zsBpGvGTEEq1t8QDrHlg0uKjrRyCayG2ADoCIyKmRKW84ga5Rb
p0t04lhoIJsWxsKDWOcVqZB6oROzZyURIGCfwPpczr7iMuWS/DC4IuNd5ak5
ndpCMwfsuwSxaR6UbF6kT6rtIL/AUvCJHtqXPt+BMKWGIsSXBqRjYYK79cEZ
5YcgCJ2U8tQDCcYBr3UtqiakdlPGIwSkR2mg7TSCUjurZ9H8qhU2YQES/UJ0
rZS0a6h7tYRrk3OhF/Iwjk5YIXlbKfPiPdRYZIjrJz1RqlQ/XYsGtALlMout
QD5+OMjHy+R8gAj+3XevX12/+u3z5dOrYVc2ywp8+HARRdydXzijq6YIcOvy
lDOPzq8+5KqcJDTWqKqICtzgylfoQIREvqcES+QJ5EgqQ6u5gxPX5CjfuMA3
osqZh1UwaNmrevtx4DzxZZch2T3AkJ0OJaIM847I0DSAnVl6bsmf/vABRPix
y1bTUE6jm6jk5OXjP49rJfOKrbU0OZueNTbLzqxvCv3dSjeluU4boEFRWk/K
RR9YZSFqdAVs4iELTh6J0Ns4O2JtTJZ3m7ZzOxvNkmcWJZkKQ7fQUWo6PWes
OeRorZAsixDi4PGcbIWDQcQlL2Q8wg0oNC4/CJ8NoW7PQEcLRDpEKhkhpkFV
Zr5Jm6G6B+nFlZwLZuOcI0QuEWzrMTAfCxSU5ZQ4YnbglZn9HZmJizH6Y9U3
WS55BuJIxOpFwZktq3lGTrqKiBItV1tKNq6Q5Aeukjddqj1atBFaOrTdBxOo
iaZbPQj0FQ6pqaJvcimueSWVBKLruY5gEYlMmaBlZQKV50pepEhCEhjyNgwD
ODjWrayvLOyoZSgxHNAvGA8ePEXa3L5b3Kkl9NtH5QfUSnDbzSb07RkWqMSF
OPxivWLoUWalM1LXt6/xo5W0Myw6LZWPItoGcooIZslMcUdt+hvW+NaqSwpk
xFTQmqV2Uuki4Vanckk01x3ftXrOQkuaee4PaV3cVc9b3KzfdEXjrRYIIcvy
wqK9FszXhXg6aebB+ef1m2l5z1DnNJ556rmv6tXHYS73i1UEpNIdwcMv7zfQ
EDU0X0xwvxnd46kfOtD5p0mWHuUQXMRP/YtnZEiqk9T+McSeB1z9f2Lf46m5
upPhJt13RneD3u6HTUvuuTQLLGocYhm03HJT+NDiVElfKWxSCiQ1kEWrfNA6
1aivqjzs3UIfj1TerMZoob1VEDqpiNMi40lo8rEWDUffQI4HZjybgEU1cFhg
/bQBNheXSsrUhphr9LBISRLTxDCq1ThjDCWCB+SpyNckMtocSijx+R6+Xyru
xoyZQ3YGuj0mlmDWItAoQeYLuDml5qx4juakwwQw06naSEMJrRnFf2o4BFt9
kfiZb/KFbPWZWS/aq8onzbVAD+ExLRjkVQjGAvqM6D8YiWFD5GutcsFA0MMV
N08LmdQA//NoZFXHcbtF3okRBTDLPDMfXGHqM3Rgk4QLJzWJeUjbzoDr4zE1
tuDQjrLoOI/ZDFKi2osT9oEtychDji9KPu1N3k4hk+N0soHkm9EMxWSeC2hF
RvPcr+fN5qkryCGrCDDzkYCVdWA6B2hdCugvzJTyqAt336CVEjr6OEKuMeRd
wGGwvjXaK6gMg+xsJPRQNBG92Nxtesn8t8dqTX5yxV6U0MAWw2dAeomqu5/C
ZyAJV8G21aEnkXAUAJPjGMrBQpJfC63HZGsxG1rDcCpxHx4uNh9GmVLr0lQz
Xt6aprhQnszeJNe/9SUdm/EOxkvds1CEOborrAENWiwN+qadQm9Alr3DRiOH
00tPVT7A3tbXz7iZz0xdZQWCwo4NYTvBVzVWEIlWRgJnQHflLlRBDwcT8oQu
VbFB/BL2tOSrTvz5WB2ALureibm7H4SSvl/t6kcMtWigu6o1f9BAT1KS/D9p
Rr/5Lf6E1L5S702xfZR88cVqY9n9jw50zz//Nw6ka1YBPqLgDxhoAJbQQa9J
mkou/edbmi9JUJURm3hzKgUd8jQaEU6ud3dN1sRQfxPgIkaiJ6SzFSvoUecj
VhtFxSokknVsQv2eO/eJ107TReVelhhkdDMRD63PJx3qTmoYpD9x08m7Lnp3
LLZZBjecwuXkKZfI+ZLFGRnPLZKgpMLrklIR9F4wqNgKGjb1lr4g0bCemgir
8Kj9IYhO0OtkodmDVrsTwsLFFQNCfLG9EAaX4Gjlt4PHR7DL5j23g7YlHxXB
Em2S9KK1c4hAtgb3HjV9Oj0ZmI5NHEeRhfhuHtDTLliakuAXFN/UdgrJzBPW
U3hgaj8N0soS+uFFISbo1Fr4ESnEQdeXuCUXjbnmDsBweySyLib7TEeoGQOi
22kJp2LDicOs5xsbqxJHhuMm6ENv5g6z3owSXFloyte4y2mdXMkRUriTBmPE
Uu/U5N77wx5x/F7h89YpDRc+jJZ5j4DXuCPq9AmF6X9EjH682svd2bGDVOas
Th5ohBO9KUTwx7890UDjZ1jCHSbJz7yE+YYbP98ujHtdMPDqh9BgbE3df4Cf
uATTw3oCTqnhIJvG3TDMa3pXhI4/k/OnR04/gvz66UYZom6vJ4j7+wpLDbto
PZ2bK4eYzM9jP+KEoMoEhXBpkYQLOTkf6S+PvgXY3ADyeOs7MIWYu+PbIg7I
e48bE45q2KIsstLsDmobIl/GLvXqI+S9I/j4OC0Qx/lZTHJ6fx9F2U7dyTG7
PjdHCd+gs7KwUpplbKHABKGfSpvbv0vqx2uL1GmiKNyXE5UepNwMiee8kNbu
SIqI3TMZLx5uUhaolPAJZytam1kzh2M8Ll/aIIZefKPqNUmZI6g09XmnVLpK
hin+WZrj++6u7xuspPN1EnHL1ahcl71fuQDQgkOnGNn3G5e42AipH5pdO+ns
diU3aOxXklwmL1d6BTbSJo0BE4JMlHgeWm9wOYpWrNbWpjp8eF17+2WKEsRV
TbgErR00JH3k3BJ9vqc9R8MNYNsmzQQnti+2/MVZDKrElxK5GiEsfNj8VW83
in/Pva6l0zVzqP8Vd1gfCK+r05OdEIO9DLnziOtMJRYVGvWgBIW7uNehsYqm
3RWEKjVC/MlNnmlLcLtZLdWmmSGnrHenWEREXymkiFSn5yw/jPD2hIAhZIZf
a822eyJoB8/OKgW1D8XgQiNia4w308TZd60fIMHGXhl3qPhbX6zf+s3WNnnq
Bk3ry9jAj2bRIF63l+4s2tMCP0K8nA8Ur5PICydAHBI/tRknsdF2xRplBGiR
IWoB4LIINToidgQQEtdOH2p6+Khcj8AuzoeYJgu1MMQ4HkeV9YIz8wXa0K1X
O4NIs23pjQLeWXLLliFso5R+rXzQnktF0XShoy6EqgNlVZplQXt8LQznhvV+
eXGJF1/TMe6rzxwquRSdQ3WcbqXpqYxOfTSNop2UsAkZIOV4KlJdyo0CQ3/G
GIPR3IF7YT/w9yJgkpfCcbg+Mb57g9Y2FkEM9tOWAEAczqGRhWVxMYPTDtnM
BhwJBawERXwCAdEIf+xl+c6KMQ/MfmkjtzCmfCOD2i7RO7PHhnFPWv44jySR
zqKDXq6zXy9a69OKtk1R90eF7WGUBx1pGfJyq/yBoPoYejJKt/g7aWZXPreK
hd1vwk/4/sY8+SxTkLx9WT5sEs6Aj7UtjEeZrE0O+y7lalDOVQg+RPs5c9/R
rxhKNCs5lAdFfLDjemvYFfNkxWTsuSluwKDBYn1VKVp3b0zJGRNUTZRySZQa
xXPbguHwNC39cNC+UNJxa2DJLk7vK4sydDjgdr0Goac9RniNiMnwQgbPeOkn
l8/w7FSLxIcQoBjGCL3N84PC0faFdS2N7oHTphH1ZsOJWQHoIKjI84YlY6kG
3jSSAt72PcWh7a7vOKliwaIoNymWLob62OQT319ixlJWg5LRsDSWv8wprkpU
o3JuliSHvivT9WmmDTL0zuMo19FqZixZl3L1V+YbkfMuSZhvCtyugzaZbdwc
bFOieJyyLjozaA0dyLIRbSas20ngwBRsRdp2xuJViXRC0xO1G5BB7/Ujuf3c
2hCPJLe0Pbdu+KeuypTW5aTDUpRP1rUYtTgyJj8QF/O34s2anONGyGbIzZsr
UsWi96Uc6kNfBiV5guitVQFbTM6w79BM3Cvk/nrFLhi4t4Sdk9M/YpDPr/RW
GsgPDuK35PRJ+5K65nYyOzMgTh3hKOpsHYutDnbuYhl/VUfb9nag5ftjG2t0
9qNTD9indl/RuPyL4Ia2ib/kIXqFEbp6/k+zslzRyzevcdjXSOwDxeLlsFKK
2SBCdkr+IoTSAy7UawsGHkOIRIUgNKDe2IHy+mrhi7pxwa0SxmOi5zfT3Xsr
Dw2E3mT1BppZocRt5sqgoY07QHAGXaNGtjdIR+aoplC0QN/uYrZAO8dP5DN5
WS7R5sFaZCnyfHbpylKsGXX/1D4djyJwcFbw9EMH3dHWfo+O/loHhqgo2Qvp
hhMQuj77ZWyRaR7Fd9T0W00SraiR9C/5uigpSxCpd/dOia4d7IMXRpExx5kc
kmr+OW41Y/EMkcVfe3eTRXAauawDb4njCgJgijoSSUfykAGRRH9w0v0tbcyq
Fmew3gAqcqPb48Y9dN1sD10tkrTL6oazVkfbN4/hWkLs5vBetPNi2Ld2qiQu
BACtTRVjIC+qIlzNl6AllsBU+Hdcr3TCl5SECxj6m+vQ/VhtWj30c6gNf1c5
qnfkemJ/0/suVHE63xnTZ3b0PgbfgV1/H/qU7Tw2m1/hYy136Pn7Z+weRb4G
b+bKQO6Y+xfEbvP/0JeuaPP+ImFLzfZwoUK4Y/Av8YOoP0lmnpOB4yelnGTd
6QUF2uSSO5kiYi5Upm1XwMmtNt44Wj5xYvTr1QKCNvQse253YYifSnartfr9
t199+HDBV8Al4RrUuKjnwb5omrp5AB92zaE6qxobVyu21sertTtIxvD3eccf
IjKwF7GjQf80XDXMJTL3aXWl9cBdaABSdGiBEJ84Znb7b5neyoXiiV5nJkJS
75ewaI9dTS9ZbJJjfPLXgiIYhKvXuJW6tavh+ooBb4+HMLC1FB0OTup9L5O0
iP3ihFsX31RmcqjN0z2gfqUwjd0zeSQDrL2yxmp6S1XqbyrHoxq5Gl8sLqEw
bm2DIA5/pOcmkLjhPXRP1VgDem9p29++kv1gz4RlfmG5FSCzNrgM0N9+1PJN
Y27TN53V5CN8EiLgHrgHKRFujrbuzkbvPL73XAqtowaAm/QtUVPuaYv96LYu
8zI45Ye+we14fNUcl0xw6JsxGbhKzO48a7h2+pyU0bpvW6tDU25bDivXuRww
Eq0zMb5gj4gzqNysNiOpShpZ8twHYTYJcrEEdFzgxD4xX8oyRKLO6xznvmrq
NBNxykjgOaVBKjdcIyc6Ty7WQ1Vtdzzkvn+lmfrWsVM8VJ7jOaP55JwNL7IJ
d4EUhprZXkgQ6TM0h49D5hgqNE6C6wI26aMe3620Jke0vkG1kEirfdHtJYqO
YwLKtd58bOAw0CoWUavRMPGFWW6guNCT00ZFdHc4B/vZDLR7N98dmPh1Yxef
MHDTXxDPCi+68DjrfTvvsWv4oHVzgo/vAZ1xW+XLqiCk9MczhfPdSaM2Rr42
WfwzaWM0CE0NsO5ateikLZZ+R5uFiqFugBermy3s9hcgJXLra315qWhNVxYb
Rk9fXibn40t3uMIW58a5b2v0+FJLcss9v9tujgLaT5qFl/1aLxK68VuDUH24
mdKAozaVyJ4MjbjGGyPRIZmuO3VZWdBScqltxACcw466pMfrcud6y6EoWHO8
LpI47HF9x4HquHv+XI2xJGvkblf0qDA7W3uDB3llc7LmITB5/I11PuvOzdHp
8JgEWIxyXOEI2UflHImlIfet4fI9Z9/myky26KBDW21teEqseYC93tlKLA1B
LY1p2doLtw3mInmlGDmyk+eYCFTyVxY5pdMiWLOe1n98/bU1O7WAvogaHkLg
9CbV+YYvQ6iVEwbu5nFrJOQ2xTtxm6JzG59aXS8TYcgxg1vKTt8Gh4hhs+fk
qxPiyx3nZEanm9zamXQq/iVpZlULfgv4tuhBYk7ZROrp5fosq3oNioHJNuGZ
qPcrMzm342uR0fNIMeKYdY6Lx8jXIoJ4aRFqYoI7Bh9eo7fj6xXkakNcOsJd
RuZk7ak+Q9cSQlvw/QrhmgjTzdqoTtYjWj3TSKrcyjy8CMTSFOzfLpz0PxqN
N0OoOLAQj/zN9dLfWYcRnVwbHLoP+0i6mK/+FpAnA6sFHkwoyQ1BVF8TZbfP
3d3Rm/cEOJZmpu02SwDc1eobQWHYbU+bTdZ3hOCfBDH9LvoQIMt+32zWz3eh
l5lH8RxUR8zEbMbdpa2dKnRcF3WY9pt/O7jGRArLXFTLy2KDm7/4FWVhSVIX
Ib6cdcGKr5FVUIbzzylQN7p7Uj6qPT8CjEPjP7hVgUSeBtL4N9BxjvM/D24g
xfNqWH0tiRnehI+sIKKIk8ajuWaKotwOk5RJv1KDflihwUgHBhV14b6KWFUC
B9NIx3MVe532aAmGN02zvsXVPfOCNAgFK/tCtnSOTzgeKXacmLPXVh+lws9w
T0kOf3gSdo+6YMvdg7jd97PxMB9fHq3lKQvawt+1qrJb7+L0LMSj8iDtZBTf
EtbqxkfF6ifT1KpgvZ7gBue+2Yaba7YxTMR0w7b1llFDyF67lVtOzZ1iDL2X
l5em4ekhB0hQRCO4sz08EYEZRiItzYIWCIaAYBeRr3iN8kTzpWhu3NlU0VN6
dATXQQdSGrpyfwzuOmQVCR17jFFPdvHIJRsrKJrIl/bR2TBVXxsZ5immlONc
1kD16y3IMcarGN+5a7h4PhE9WfWNW9m1kijylFHTEULe1I6ZjsPKqKspKnO+
2wrf+sTlDXIdi91DMEBzutGd2Q2u0GUloa0gInS/j95zzALRcE14x92LGPt5
ulG0b9LMOJUTUFIc9dmCRt/eb7a/tpvJ7d8FKYUa0ZqDEbo0YQO9KciJiHrq
Rtl1311CVEcLwMtMQa/Otz3VEDwof1KDXiUoxiPKuM+2KOFbkQZu4azalyvX
OLyykEkMEkl8k53conySFQQa1VhRBW4zjjtWBVsorLGVmw3OLZyAjr6+AdmF
1Qio6CInQK66I0PrAfoUD0S4IgRUewTSj/LtM0hEf4WDl8of0ZasSdAXjDR5
5ylvFnw+cGhH4tTXfI+n5+JWIun41uWldvbyJ+zU8Eer2jkhLFiUXE3He22t
qPOYMf9UVBnJn/OB3kmiq3j//epTfNuCBGSJ5cAshjQwxNemEXO3tNoQq2dO
Tug+5FCAFeT42JJdSIFPKicwgT/e/+fR7Nfpq9wDKZebCWab4p9uTLQYt8Ri
8Nvk1cE1N6dWcJ9i7Efq8NpGMcBNt57lDG8ZSmnZ3PW1Wvf76mlcvnw3xtbQ
N2TxViFH9OMWoema9F89Dzd/EDVO97AYuLiJ7xX+ySfSQyl5UbftVGl9c53Y
1Y2iqlRBRR0LPd7IEJB6iZkr67W1oLN0rcrI1iK6YsTwWZ9hKFpuRC43t0ls
SnqQZxSXYPAp4gRZjPK13jwbudeFAV/xZRHWMmhWK0r/JN8/SJxaSyOzA9Xv
WfM/P7GemUp/zYtrj/1hl0C9BqJonFr7bAvKd8Rkm4nb+PaBdiugWr0qUyGC
7xI26omo/B3lFQzWzS2hSL74q2OI2NphH609efn3bXUgBHB3EyD5gQRwMQHC
yu10PmhPnOJxtzxNoVpkThS5L0X1wWSZHc3XAvg0Y+lKRz7hTpoqsAA51SsY
aGPkl7Vhc+Qal/kNUHYWYoq1nqj6bgTR4PNOVoG4Y7ANtmxvM6Wbon175QYx
wVNnL2yVeAGzTONUQ5n9ZqAIH+Q6CfU1B6INNyi6PayQUoAcqTYSkPS4KW8Z
NCK3wNyukjdkBXGDPVmQ+wj3LYY2wl2S3IUbHn/C/KTnIdpwFH+3Ljq4NaTY
8eXEmtEbvReaq9F5IKeOg3DOYxhhH04BQc+roXMj5SLaI1HFbWvzhut92JEG
Qs7znHPygOGskgPppQv22+X9aGoyKeV9TiiSCb4lSx2SNsOBTJtCG24OxPcd
VWg0o9fPnrx6+fLZt0+fPZ1AZ0beGn3fcSzdn0sfdJUDpjHLeqPugsmLUx1H
3bDjaFfXvpGeQn/TuaZH6Esk1z6Zm3anGXefk8YVYsdam/vOMKi5QmDU4h5y
Vjgd554bFg8qAaJNZdQP63lFUycD4W5iJBOD4TvFEozjpBAsg70KHdK/uZ7L
Hwm6Ks73qsffkKhjyYnyJvZv4gutpab7hm9TZnUzhPxMsKVQMLI6TrfIq3bq
PPY42ef7le93CqUTd7uOPu8kqOEdowccNIeptpCUUfj5pinEavIdw2Fzwaji
vM+ohSdHTcbNiUJes2hDd5k5eLz3VbVX0F2ZTZhhUgMSic6752Wr1pzbECrs
fuDHJY43yv3ojFwcib2VLLe1Vw3dqyxeBdLOXmXIQaGqdpo4K6QzhIdG+wkP
A1YzraGGFyQy7l87eErexUZ64JMnmDR9B807PbgDwNhcr0c62VLY2nWFtvYz
/ajsct1xIMENUELRg+IOWdjMt3qyGY6MnqEjbbghjaVh7kTFFdIY5TEEZlur
oBVcoAdnDXuXTZPC8ra/FJExMJlvY7AYRrgVWiKm0BJ4Y8BLEXeNTBpmRn9l
Fk7Ig87OIV/VF0koccs5DS1riPDyPqfgPOKf6Ui7bOhvQxIJQ3Eb22iAYQzU
DUbgwwxAla+WUFRbzgXint1NfggrWw44bRRsPl5KXMg6t5TkxFI4luXnqy6v
dLOaXGBpsk4BQJBnbyaCndXzXdI9EuwKvUf+jwvmHNm3TbFug8ApopQTdske
0K7l4voCW+VFNx9swHUEqKhBCLtTVGI0XEbNRPprXVShIcbsw7xhhV0f5hT8
1EUYcJHrvk/MXFm/uo6D+RZapcGzlXxEByhTZZcLQKo1JN2q3rQTAFyztox6
T3N1mQLy0W4hwPcMbGaeOO3YfWfvGAHne9SckclQnnmItBQsZx7QMwu516IO
edXZqz7wo+sX3SDy69SyF1Gte9E5cfsUAqPmmVz/y2BI1lrc5A5+FYjOSRhe
ELbDviuxkU+SF3n6lhFo9cCYtZLEwV1qc534uLRFG6ZIjFYRxQ8Yn6e16y62
buggvp0vLo+uBb4pPJBJV9loEJmPr1ZKzs5p2F0v6lspep4/Wnc0qcByBmAY
N4HSNnsSxAUDTUaqm0wux3XsmZJBywen2PsG5HrAIJVUkUN9goEi7JHv3mQX
fU6/dCgRf8rf+Ut3VbbRGrXG3qtiu/HeWrQzw7Zvc38F8B9ffy0CQeFFvh4y
7rcU5tRGsBdGmOqNpEwTNuKsMC1crODdRbM4Ult+lPxWk0avNbWIhiW5FbkH
35MdB6mT4YZdEscZjewGIw9Ora+f9RhwTt+f4dCd+dMqz36MzZTfzckW5g81
4bxjcvfyka+y9XdWTsWOJAVRzWGbJyK/DVya6I2IfvtdXJOj21cZ6m6Qlfd9
t553slVh9CaF++MOCFM0VRsQl4hpq6eU+IyKx935hu0GiBbj6UV6O3GWnki8
sEliZLYOHWA7lw1uimLsVJMiOHQ5uQ5dxb4FIJvocjCNK4ypqlAmoQhuTOda
0kgEidacvIcF5lvJU0orfTkIWZ20tc0LoK9cOket5HLrPVGRe2956S4JDV8g
TOqHTbsCpkHWc24D1y5zRu5shMU+M5e8clKQGTeKnyo/Tv+jzUEu92niNK5y
6wYvqaTCsvb0BLmGXSItNqK0vUeD4fVQgSH1xOqSjeYJx5Tz7FqRSYKvKcpj
KOw0jDQfyeZmiKWTeyOGub6BjOFIvfg5E+xjDAT1gR4pwxzhe9WWcwJS1ABQ
dCtVrRceMX9wUcimQNcV2jFu7DGYoIsmKG2QQzTTJ2i5C4WX/ScuTpNKXhdc
z0okhZqEY0dPbrKZNTXIBoWngVqK6OLpPKLlg9YA0QAUz6TCB5St7Bz6NtJy
RYAdqBj/qMN6wzKKvygsIZTFOUavTQpYowSr9zO0gYbv9BQNy+Qg3nghErAL
YCK+yi3wQmCDUc0Ptrf1nIBfVMBewW3gEiE6aUQR7UZnglaaWvHF1Vip3naT
/JEBcqz6XtNqSL983QsIcoEBwexae/P5rz7FPer+dmfB1NHxIKKCDTVzwwDN
ttNF7NNDXIjNfL8p3uUZuRHVFiUvbd5ndSOfFtJo/75uWMcbHeR561k2VaUd
MIsxJlUMBZ7JKJ4RA1cLsxE6vd3wqFUZ+C3HPAB25LIgejMSBCdrBeTaHPGW
A1+a9HeGilSEswcnnugwMZlvYMWFM490gqqN3xD0WzcojxgtRcqKytLJY+go
TnL5BJj5rvQ/bDhOWxe4AklAo3YBiN1WNQW1jyIJmjaPLvuBGB+QPtWQIcpm
GFV16JttTM2ZZh5r2UYgpeLyiJgo+5l6gPFsaVqc7golzwtJWg7x4IP+mkMi
hooosUaeD6DJye/7IoNL5BwdyyzlX5TqDSrzCFZcTksboI8emmLsqgXg6FNi
RkO6BU9otngQTcCJXorg9kU156RXI8ALwBj1umeoEnGYhiElRIOeUZjNmRyD
sws23zpphqWtT9Ys7uiNXn0DP3U3Kl3200xNLEytR4EVzaBxHYmgg1RRiSkf
3UjpLc6gTdn18M0/UdhTqCxD3Hhww+vAErdqTDYkrOKfo02XfVXQaddrPPHw
Uv3CyyvnfadbH3AV84MOX9d3LGTlfX49fjtSBkQEsLDjwoxS76mM406gTfjn
lRi2MHQHncUW7HXPVGBNAp4yJdLXfg4i4US2e5UkmL9vrkM409/r1XMlPwtk
Ccs6b8N8//3zpwqHs8CN3cEANuFf79niXtlMFr6IqHN22ApFsxi9huBhn9oM
QerUXxiqoU1egpv1eViklD6GYU8bG/IneKIMCuNnkEVEJFFaGxlXnvNe+ffp
bbx2Ic07BvcJz/fkcJLqIwukkOYYijTN0Rkqa+oDd4VG5UDTauyYa8Nw6iyO
yBOVjKqzwKFdX6WhQFSpyE0GHngCnwSxw+LGMAK+Vw+wenQuIRk68a1luxHC
4oNNHOg5P4qXoOo7jfoY963GeyLOaDW6Xegtry5Kpl8l3Kh+mN5iIFxoMca9
FVnECa+a8RlYuZmYVpZdEkiu3cwn/Pn98+ScN5m2E92bbLJaOGFJB+wpt3jL
RHb45g2R/x/tUlJonC3lzgri/8HSh4dQS9j/CFh8FIdW7lWHKapD5T1+bu3C
hP+ARZDmhFFmBOfupIyRrIjdEykXW7Kf5sM84XLanNnwtoElxQADXCnjg/92
8eZbNDPCVoT9cp6H3pTp+i1Xpl9eimN2nErby0tO8FYq7vnQiDyIVyHbF/wV
jZAk56+aiFUZl8AXkWn8jIWKRCV90WcsVImkKXoGYYMGe6dek8Wury7mFm/l
aBGFee1ulYdif7Xk9RoZ+ZnvxPA4OUkXBWw4BW2u8uBuVpzm9V6+vYoSrkgJ
cl8J4Uv1PuPgp2KVZ5wa7JbU2/3k/Rru1gjCzaeMeF/uFUzi7pQmwbRaFd0I
bKLR5pwkneUv9N/WaI2Bu1J9zbkmjdJr4IFsVnb3FkDXhNrATutRhDukDx/r
B/26m26cATxEC6hs5I+r6TxS68o+gtv1w22iljWzR2/IfV3UZy2Sek5SpyKn
2MzmwJduSEjisOay/SFaNL1guy0fM2wlAr80uYNHAthoyLSeZ91ptj/BmMPs
gxnOTNWxTeczzn5PzW32/h+Dgo7JLi8PCvhhdw2LrIfAHlHZM4WFDlcYl9I2
Q9YCjj9NFEm7KtQgqm5qeiCVB5lhsz1hXuv0fIwHV5izh7ROD51PcpFYweph
+IcOJh4jF/OblxpT+5sHZxdddku9mcffPp4EVa9j10Ev3JQn07Vmdf433hCm
NCfIAAA=

-->

</rfc>
