<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.4.5) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>

<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<?rfc toc_levels="4"?>

<rfc ipr="trust200902" docName="draft-ietf-suit-update-management-13" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="SUIT Update Management Extensions">Update Management Extensions for Software Updates for Internet of Things (SUIT) Manifests</title>

    <author initials="B." surname="Moran" fullname="Brendan Moran">
      <organization>Arm Limited</organization>
      <address>
        <email>Brendan.Moran.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="K." surname="Takayama" fullname="Ken Takayama">
      <organization>SECOM CO., LTD.</organization>
      <address>
        <email>ken.takayama.ietf@gmail.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="03"/>

    <area>Security</area>
    <workgroup>SUIT</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<?line 53?>
<t>This specification describes extensions to the SUIT manifest format. These extensions allow an update
author, update distributor or device operator to more precisely control
the distribution and installation of updates to devices. These
extensions also provide a mechanism to inform a management system of
Software Identifier and Software Bill Of Materials information about an
updated device.</t>



    </abstract>



  </front>

  <middle>


<?line 61?>

<section anchor="introduction"><name>Introduction</name>

<t>Full management of software updates for unattended, connected devices requires a cooperation between the update author(s) and management, distribution, policy enforcement, and auditing systems. This specification provides the extensions to the SUIT manifest <xref target="I-D.ietf-suit-manifest"/> that enable an author to coordinate with these other systems. These extensions enable authors to instruct devices to examine update priority, local update authorisation, update lifetime, and system properties. They also enable devices to report and distributors to collect Software Bill of Materials (SBOM) information.</t>

<t>Extensions in this specification are OPTIONAL to implement and OPTIONAL to include in manifests. A Recipient that encounters a command or parameter it does not implement MUST reject the manifest as defined in <xref target="I-D.ietf-suit-manifest"/> Section 8.4.2, ensuring that update behaviour is never ambiguous. Conversely, when a deployment relies on update-management behaviour defined here, the manifest author MUST ensure that targeted recipients advertise support for the required extensions (for example via enablement policy or capability negotiation) before shipping such manifests so that required commands will be honoured rather than rejected.</t>

</section>
<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?></t>

<t>This draft makes use of terminology defined in <xref target="RFC9019"/> and <xref target="I-D.ietf-suit-manifest"/>.</t>

<t>This document uses semantic versioning terminology from <xref target="semver"/>, including major, minor, patch, pre-release, and build metadata. The machine-readable version encoding defined in <xref target="suit-parameter-version"/> is a constrained integer encoding based on that terminology: it encodes release versions as one to three non-negative integers, supports only the pre-release classes defined in <xref target="suit-parameter-version"/>, and excludes build metadata from machine-readable comparisons.</t>

</section>
<section anchor="extension-metadata"><name>Extension Metadata</name>

<t>Some additional metadata makes management of SUIT updates easier:</t>

<t><list style="symbols">
  <t>A semantic version number for the update represented by the manifest</t>
  <t>Concise Software Identifiers (CoSWID) <xref target="RFC9393"/></t>
  <t>Text descriptions of requirements</t>
  <t>Text description of the current versions of components</t>
</list></t>

<section anchor="suit-set-version"><name>suit-set-version</name>

<t>This metadata encodes a semantic version for the component set that the manifest updates, including any dependencies. This enables version comparisons to be performed on manifests. Non-manifest images encode their versions independently of the manifest.</t>

<t>Manifest Authors SHOULD encode suit-set-version whenever the release can be represented by the constrained version encoding defined in <xref target="suit-parameter-version"/> so that Recipients can compare manifests deterministically. Deployments that cannot supply such a version without loss of fidelity MUST omit suit-set-version and convey any human-facing numbering via suit-text-current-version (<xref target="text-current-version"/>). Because suit-set-version is a machine-readable parameter for determining compatibility and build metadata is ignored for semantic-version precedence, build metadata MUST NOT be included.</t>

<t>The composition of suit-set-version is the same as suit-parameter-version (<xref target="suit-parameter-version"/>).</t>

<t>If build metadata is desired, the manifest author MAY include it via suit-text-current-version (<xref target="text-current-version"/>).</t>

</section>
<section anchor="manifest-digest-coswid"><name>suit-coswid</name>

<t>A CoSWID can enable Software Bill of Materials (SBOM) use-cases. Tightly coupling update and attestation ensures that verification infrastructure always knows what software to expect on each device.</t>

<t>suit-coswid is a member of the suit-manifest. It contains a Concise Software Identifier (CoSWID) as defined in <xref target="RFC9393"/>. This element SHOULD be made severable so that it can be discarded by the Recipient or an intermediary if it is not used by the Recipient while preserving the manifest signature. Implementations that cannot support severable elements MAY include suit-coswid non-severably, but MUST ensure that Recipients can still process the manifest.</t>

<t>suit-coswid is RECOMMENDED to implement and RECOMMENDED to include in manifests because management systems commonly need a durable software identity after update installation. CoSWID and related Software Bill of Materials metadata can support inventory, vulnerability management, compliance checks, and reconciliation between the installed update state and management-system records. This recommendation is scoped to the operational and security value of identifying installed software; it does not imply that the presence of SBOM metadata proves that the software is free of vulnerabilities or policy issues. Other extension metadata is not generally RECOMMENDED unless required by deployment policy or by a SUIT profile.</t>

<t>Recipients that do not use suit-coswid are not required to interpret the CoSWID content. When suit-coswid is severable, such Recipients or intermediaries can discard it without invalidating the manifest signature. When suit-coswid is not severable, a Recipient MUST NOT fail solely because a well-formed, policy-permitted suit-coswid field is present.</t>

<t>Recipients that use or validate suit-coswid MAY still fail or reject the manifest when the suit-coswid field or its digest is malformed, when local policy rejects the metadata, when processing would exhaust available resources, when validation of processed CoSWID metadata fails, or when a manifest relies on unsupported critical behaviour. These requirements do not imply that every Recipient implements CoSWID processing.</t>

</section>
<section anchor="text-version-required"><name>suit-text-version-required</name>

<t>suit-text-version-required is used to represent a version-based dependency on suit-parameter-version as described in <xref target="suit-parameter-version"/> and <xref target="suit-condition-version"/>. When a Manifest Author needs to communicate such a dependency to operators, the author SHOULD populate the suit-text map with a SUIT_Component_Identifier key for the dependency component, and place in the corresponding map a suit-text-version-required key with a free text expression that is representative of the version constraints placed on the dependency so that field personnel can validate compliance. Deployments that provide operator guidance exclusively through other channels MAY omit this field. This text SHOULD be expressive enough that a device operator can be expected to understand the dependency; predefined tokens MAY be used when supporting documentation ensures equivalent clarity. Expressions in this field MUST be encoded as UTF-8 text limited to printable characters (Unicode general categories L, N, P, or Zs) and SHOULD use simple relational operators (for example <spanx style="verb">&gt;</spanx>, <spanx style="verb">&gt;=</spanx>, <spanx style="verb">&lt;</spanx>, <spanx style="verb">&lt;=</spanx>, <spanx style="verb">=</spanx>) so that automated tooling can perform lint checks. Implementations that render this text SHOULD escape or filter it to prevent markup or control-code injection. This is a free text field and there are no additional specific formatting rules beyond the requirements above.</t>

<t>By way of example only, to express a dependency on a component "['x', 'y']", where the intended version is any v1.x later than v1.2.5, but not v2.0 or above, the author would add the following structure to the suit-text element. Note that this text is in cbor-diag notation.</t>

<figure><sourcecode type="CDDL"><![CDATA[
['x','y'] : {
    7 : ">=1.2.5,<2"
}
]]></sourcecode></figure>

</section>
<section anchor="text-current-version"><name>suit-text-current-version</name>

<t>suit-text-current-version is used to provide human-readable version information equivalent to suit-set-version (<xref target="suit-set-version"/>). This metadata MAY have a version listed for each or any component. The Manifest Processor MUST NOT consume this version; it is for human readability only.</t>

<t>To describe a version, a Manifest Author SHOULD populate the suit-text map with a SUIT_Component_Identifier key for the dependency component, and place in the corresponding map a suit-text-current-version key with a free text version that is representative of the version of the component so that operators can reconcile machine and human-readable records. Deployments that provide human-facing version information through other configuration channels MAY omit this text. This text SHOULD be expressive enough that a device operator can be expected to understand the version; environments that rely on catalog identifiers MAY use those identifiers when supporting documentation provides the necessary context. Values in this field MUST be encoded as UTF-8 text limited to printable characters, and implementations MUST treat suit-set-version and suit-parameter-version as authoritative when a discrepancy exists. Recipients MUST NOT interpret this text as executable code or markup and MUST treat it as display-only information. Implementations that render this text SHOULD sanitize, escape, or otherwise filter it before presentation. This is a free text field and there are no additional specific formatting rules beyond the requirements above.</t>

<t>It is RECOMMENDED that the Manifest Author use a Semantic Version (<xref target="semver"/>) in the free-text field to keep human-readable and machine-readable versions aligned. Unlike suit-set-version (<xref target="suit-set-version"/>), the full semantic version specification can be used.</t>

</section>
</section>
<section anchor="extension-parameters"><name>Extension Parameters</name>

<t>Several parameters are needed to define the behaviour of the commands specified in Extension Commands (<xref target="extension-commands"/>). These parameters follow the same considerations as defined in Section 8.4.8 of <xref target="I-D.ietf-suit-manifest"/>.</t>

<texttable>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>CDDL Structure</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>Use Before</c>
      <c>suit-parameter-use-before</c>
      <c><xref target="suit-parameter-use-before"/></c>
      <c>Minimum Battery</c>
      <c>suit-parameter-minimum-battery</c>
      <c><xref target="suit-parameter-minimum-battery"/></c>
      <c>Update Priority</c>
      <c>suit-parameter-update-priority</c>
      <c><xref target="suit-parameter-update-priority"/></c>
      <c>Version</c>
      <c>suit-parameter-version</c>
      <c><xref target="suit-parameter-version"/></c>
      <c>Wait Info</c>
      <c>suit-parameter-wait-info</c>
      <c><xref target="suit-parameter-wait-info"/></c>
      <c>Component Metadata</c>
      <c>suit-parameter-component-metadata</c>
      <c><xref target="suit-parameter-component-metadata"/></c>
</texttable>

<section anchor="suit-parameter-use-before"><name>suit-parameter-use-before</name>

<t>An expiry date for the use of the manifest encoded as the non-negative integer number of seconds since 1970-01-01. Implementations that use this parameter MUST use a 64-bit internal representation of the integer. Used with <xref target="suit-condition-use-before"/>.</t>

</section>
<section anchor="suit-parameter-minimum-battery"><name>suit-parameter-minimum-battery</name>

<t>This parameter sets the minimum battery level in mWh. This parameter is encoded as a non-negative integer. Used with suit-condition-minimum-battery (<xref target="suit-condition-minimum-battery"/>).</t>

</section>
<section anchor="suit-parameter-update-priority"><name>suit-parameter-update-priority</name>

<t>This parameter sets the priority of the update. This parameter is encoded as an integer. It is used along with suit-condition-update-authorized (<xref target="suit-condition-update-authorized"/>) to ask an application for permission to initiate an update. This does not constitute a privilege inversion because an explicit request for authorization has been provided by the Update Authority in the form of the suit-condition-update-authorized command.</t>

<t>Numerically smaller values indicate higher update priority. Recipients and applications that compare suit-parameter-update-priority values MUST use this ordering. Local policy MAY assign deployment-specific meanings to particular values or ranges. For example, critical reliability and vulnerability fixes might be given negative numbers, while bug fixes might be given small positive numbers, and feature additions might be given larger positive numbers, which allows an application to make an informed decision about whether and when to allow an update to proceed.</t>

</section>
<section anchor="suit-parameter-version"><name>suit-parameter-version</name>

<t>Indicates allowable versions for the specified component. One version comparison can be made with each suit-parameter-version. This parameter is compared with the version asserted by the current component when suit-condition-version (<xref target="suit-condition-version"/>) is invoked. The current component can assert the current version in many ways, including storage in a parameter storage database, in a metadata object, or in a known location within the component itself.</t>

<t>Each suit-parameter-version contains a comparison operator and a version, according to the following CDDL:</t>

<figure><sourcecode type="CDDL"><![CDATA[
SUIT_Parameter_Version_Match = [
    suit-condition-version-comparison-type:
        SUIT_Condition_Version_Comparison_Types,
    suit-condition-version-comparison-value:
        SUIT_Condition_Version_Comparison_Value
]
]]></sourcecode></figure>

<t>The comparison type can be:</t>

<t><list style="symbols">
  <t>Greater.</t>
  <t>Greater or Equal.</t>
  <t>Equal.</t>
  <t>Lesser or Equal.</t>
  <t>Lesser.</t>
</list></t>

<t>The version comparison value is encoded as a CBOR list of integers. Comparisons are done on each integer in sequence. Comparison stops after all integers in the list defined by the manifest have been consumed OR after an non-equal comparison has occurred. For example, if the manifest defines a comparison, "Equal [1]", then this will match all version sequences starting with 1. If a manifest defines both "Greater or Equal [1,0]" and "Lesser [1,10]", then it will match versions 1.0.x up to, but not including 1.10.</t>

<section anchor="suit-parameter-version-semantic-versioning-encoding-guidelines"><name>suit-parameter-version Semantic Versioning encoding guidelines</name>

<t>The encoded versions use the constrained semantic-versioning encoding summarized in <xref target="conventions-and-terminology"/>. Manifest Authors SHOULD keep their encoding aligned with semantic versioning so that Recipients can compare versions deterministically; if another numbering scheme is required, the sequence of integers encoded here MUST still preserve release ordering (for example, <spanx style="verb">[2025,12,6]</spanx> for a calendar-based release).</t>

<t>Versions are composed of:</t>

<t><list style="numbers" type="1">
  <t>A release version encoded as a sequence of 1 to 3 non-negative integers (allowing zero values)</t>
  <t>An optional pre-release indicator encoded as a negative integer, followed by zero or more non-negative integers</t>
</list></t>

<t>Semantic Versioning permits arbitrary pre-release identifiers and build metadata. This specification only defines encodings for alpha, beta, and release-candidate pre-release classes. Because suit-parameter-version exists solely to enable the Manifest Processor to make a decision about version compatibility, and because build metadata is ignored for semantic-version precedence, build metadata MUST NOT be included.</t>

<t>In semantic versioning terminology:</t>

<t><list style="numbers" type="1">
  <t>The first integer represents the major number. This indicates breaking changes to the component.</t>
  <t>The second integer represents the minor number. This is typically reserved for new features or large, non-breaking changes.</t>
  <t>The third integer is the patch version. This is typically reserved for bug fixes.</t>
</list></t>

<t>The pre-release indicator MUST NOT appear as element 0. The pre-release indicator is encoded as:</t>

<t><list style="symbols">
  <t>-1: Release Candidate (RC)</t>
  <t>-2: Beta</t>
  <t>-3: Alpha</t>
</list></t>

<t>This allows these releases to compare correctly with final releases. For example, Version 2.0, RC1 is lower than Version 2.0.0 and higher than any Version 1.x. By encoding RC as -1, this works correctly: [2,0,-1,1] compares as lower than [2,0,0]. Similarly, beta (-2) is lower than RC and alpha (-3) is lower than RC.</t>

<t>Pre-release identifiers other than alpha, beta, and release candidate cannot be represented directly in this encoding. Deployments that need other identifiers MUST either map them to one of the defined classes while preserving the intended ordering or omit the machine-readable version field and convey the identifier as suit-text-current-version (<xref target="text-current-version"/>).</t>

<t>For example:</t>

<t><list style="symbols">
  <t>1.2.3 = [1,2,3].</t>
  <t>1.2-rc.3 = [1,2,-1,3].</t>
  <t>1.2-beta = [1,2,-2].</t>
  <t>1.2-alpha = [1,2,-3].</t>
  <t>1.2.3-alpha.4 = [1,2,3,-3,4].</t>
</list></t>

</section>
</section>
<section anchor="suit-parameter-wait-info"><name>suit-parameter-wait-info</name>

<t>suit-directive-wait (<xref target="suit-directive-wait"/>) directs the manifest processor to pause until a specified event occurs. The suit-parameter-wait-info encodes the parameters needed for the directive.</t>

<t>The exact implementation of the pause is implementation-defined. For example, this could be done by blocking on a semaphore, registering an event handler and suspending the manifest processor, polling for a notification, or aborting the update entirely, then restarting when a notification is received.</t>

<t>suit-parameter-wait-info is encoded as a map of wait events. All wait events MUST be satisfied before the Manifest Processor continues. The wait events currently defined are described in the following table.</t>

<texttable>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Encoding</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>suit-wait-event-authorization</c>
      <c>int</c>
      <c>Same as suit-parameter-update-priority</c>
      <c>suit-wait-event-power</c>
      <c>int</c>
      <c>Wait until power state</c>
      <c>suit-wait-event-network</c>
      <c>int</c>
      <c>Wait until network state</c>
      <c>suit-wait-event-other-device-version</c>
      <c>See below</c>
      <c>Wait for other device to match version</c>
      <c>suit-wait-event-time</c>
      <c>uint</c>
      <c>Wait until time (seconds since 1970-01-01)</c>
      <c>suit-wait-event-time-of-day</c>
      <c>uint</c>
      <c>Wait until seconds since 00:00:00 Local Time</c>
      <c>suit-wait-event-time-of-day-utc</c>
      <c>uint</c>
      <c>Wait until seconds since 00:00:00 UTC</c>
      <c>suit-wait-event-day-of-week</c>
      <c>uint</c>
      <c>Wait until days since Sunday Local Time</c>
      <c>suit-wait-event-day-of-week-utc</c>
      <c>uint</c>
      <c>Wait until days since Sunday UTC</c>
</texttable>

<t>Local Time means the Recipient's configured local civil time zone at the time the wait event is evaluated, including any daylight-saving-time rules available to the Recipient. If the local time zone changes while a Recipient is waiting, the Recipient reevaluates the wait event using the updated time-zone configuration. During daylight-saving-time transitions, a skipped local time is treated as satisfied at the first representable local time after the skipped interval, and a repeated local time is satisfied at its first occurrence. Recipients that do not have configured local-time and daylight-saving-time information MUST treat local-time wait events as unsupported. Manifest Authors SHOULD use the UTC wait events when a deployment does not have a common local-time policy.</t>

<t>suit-wait-event-other-device-version reuses the encoding of SUIT_Parameter_Version_Match. It is encoded as a sequence that contains an implementation-defined bstr identifier for the other device, and a list of one or more SUIT_Parameter_Version_Match. For interoperable use, the deployment profile or management system MUST define the namespace and byte-string encoding of other-device identifiers, the mechanism by which the Recipient obtains the referenced device's version, and the version encoding used by that referenced device. A Recipient MUST treat suit-wait-event-other-device-version as unsupported unless those deployment-specific definitions are available.</t>

</section>
<section anchor="suit-parameter-component-metadata"><name>suit-parameter-component-metadata</name>

<t>In some instances, a system needs to know the file metadata for a component. This metadata can include:</t>

<t><list style="symbols">
  <t>creator</t>
  <t>creation time</t>
  <t>modification time</t>
  <t>default permissions (rwx)</t>
  <t>a map of user/permission pairs</t>
  <t>a map of role/permission pairs</t>
  <t>a map of group/permission pairs</t>
  <t>file type</t>
</list></t>

<t>Unless otherwise stated, all string values in this structure MUST be encoded as UTF-8 without control characters (Unicode general categories Cc or Cf) and SHOULD be limited to human-readable identifiers such as names or POSIX-style paths. Binary values conveyed via <spanx style="verb">bstr</spanx> MUST be well-formed for the consuming platform (for example, a UUID or permissions bitmap) and MUST NOT exceed the minimum length required to represent the value canonically.</t>

<t>Component metadata is applied at time of fetch, copy, or write; see <xref target="I-D.ietf-suit-manifest"/>, Sections 8.4.10.4, 8.4.10.5, and 8.4.10.6. Therefore, the component metadata parameter MUST be set in advance of the component being fetched, copied into, or written.</t>

<section anchor="suit-meta-creator"><name>Creator</name>

<t>Sometimes, management of file systems requires that the creator of each file is correctly recorded. Because the default creator of files will be the update agent, this can obscure the actual creator of each file. The Creator metadata element allows overriding the default behaviour and setting the correct creator.</t>

<t>The creator is defined as follows:</t>

<figure><sourcecode type="CDDL"><![CDATA[
SUIT_meta_actor_id = UUID_Tagged / bstr / tstr / int
UUID_Tagged = #6.37(bstr)
]]></sourcecode></figure>

<t>The actor ID can be whatever is most appropriate for any given system. For example, the actor ID might be a string (e.g., username), integer (e.g., POSIX userid), or UUID (e.g., TEEP TA UUID).</t>

</section>
<section anchor="creation-modification-time"><name>Creation &amp; Modification Time</name>

<t>The creation and modification times are defined by CBOR time types. These are defined in <xref target="RFC8949"/>, Section 3.4.2. The CBOR tag is REQUIRED when either creation or modification time are provided.</t>

<figure><sourcecode type="CDDL"><![CDATA[
suit-meta-modification-time => #6.1(uint)
suit-meta-creation-time => #6.1(uint)
]]></sourcecode></figure>

</section>
<section anchor="component-default-permissions"><name>Component Default Permissions</name>

<t>Typical permissions management systems require read, write, and execute permissions that are applied to all users who do not have their own explicit permissions. These are the default permissions for the current component. Default permissions are described by the following CDDL:</t>

<figure><sourcecode type="CDDL"><![CDATA[
SUIT_meta_permissions = uint .bits SUIT_meta_permission_bits
SUIT_meta_permission_bits = &(
    write_attr_ex: 13,
    read_attr_ex: 12,
    sync: 11,
    delete: 10,
    recurse_delete: 9,
    write_attr: 8,
    change_owner: 7,
    change_perm: 6,
    read_perm: 5,
    read_attr: 4,
    createdir_append: 3,
    list_read: 2,
    create_write: 1,
    traverse_exec: 0,
    * $$SUIT_meta_permission_bits_extensions
)
]]></sourcecode></figure>

</section>
<section anchor="user-role-group-permissions"><name>User, Role, Group permissions</name>

<t>Many filesystems have users and groups. Additionally some have roles. Actors that have these associations can have specific permissions associated with them for each component. Each of these sets of permissions is defined the same way: with a map of actor identifiers to permissions.</t>

<figure><sourcecode type="CDDL"><![CDATA[
SUIT_meta_permission_map = {
    + SUIT_meta_actor_id => SUIT_meta_permissions
}
]]></sourcecode></figure>

<t>The SUIT_meta_actor_id is the same as defined for Creator, <xref target="suit-meta-creator"/>.</t>

</section>
<section anchor="file-type"><name>File Type</name>

<t>File Type typically identifies whether a file is a directory, regular file, or symbolic link. If not specified, File Type defaults to regular file.</t>

<t>This enables specific management operations for SUIT command sequences:</t>

<t><list style="symbols">
  <t>To create a directory  <list style="symbols">
      <t>Set the Component Index to the Component Identifier of the directory to be created</t>
      <t>Set the Component metadata, including the file type for directory</t>
      <t>Set suit-parameter-content to an empty bstr</t>
      <t>Invoke suit-directive-write</t>
    </list></t>
  <t>To create a symbolic link  <list style="symbols">
      <t>Set the Component Index to the Component Identifier of the link to be created</t>
      <t>Set the Component metadata, including the file type for symbolic link</t>
      <t>Set suit-parameter-content to the link target</t>
      <t>Invoke suit-directive-write</t>
    </list></t>
</list></t>

<t>For example, the following Payload Fetch &amp; Install sequences will create a new /usr/local/bin directory, download https://cdn.example/example3.bin into a new file: /usr/local/bin/example3, then create a symlink at /usr/bin/example that points to /usr/local/bin/example3.</t>

<t><list style="symbols">
  <t>Common has components for:  <list style="symbols">
      <t>/usr/bin/example</t>
      <t>/usr/local/bin</t>
      <t>/usr/local/bin/example3</t>
    </list></t>
  <t>Payload fetch:  <list style="symbols">
      <t>set component index = 1</t>
      <t>set parameters:      <list style="symbols">
          <t>content = h''</t>
          <t>metadata = {file-type: directory}</t>
        </list></t>
      <t>write</t>
      <t>set component index = 2</t>
      <t>set URI = "https://cdn.example/example3.bin"</t>
      <t>fetch</t>
      <t>condition image digest</t>
    </list></t>
  <t>Install:  <list style="symbols">
      <t>set component index = 0</t>
      <t>set parameters:      <list style="symbols">
          <t>content = "/usr/local/bin/example3"</t>
          <t>metadata = {file-type: symlink}</t>
        </list></t>
      <t>write</t>
    </list></t>
</list></t>

</section>
</section>
</section>
<section anchor="extension-commands"><name>Extension Commands</name>

<t>The following table defines the semantics of the commands defined in this specification in the same way as in the Abstract Machine Description, Section 6.4, of <xref target="I-D.ietf-suit-manifest"/>.</t>

<t>All commands defined in this specification are OPTIONAL to implement. A Recipient that encounters a command it does not implement MUST reject the manifest as defined in <xref target="I-D.ietf-suit-manifest"/> Section 8.4.2, ensuring that update behaviour is never ambiguous.</t>

<texttable>
      <ttcol align='left'>Command Name</ttcol>
      <ttcol align='left'>CDDL Identifier</ttcol>
      <ttcol align='left'>Semantic of the Operation</ttcol>
      <c>Use Before</c>
      <c>suit-condition-use-before</c>
      <c>assert(now() &lt; current.params[use-before])</c>
      <c>Check Image Not Match</c>
      <c>suit-condition-image-not-match</c>
      <c>assert(not binary-match(digest(current), current.params[digest]))</c>
      <c>Check Minimum Battery</c>
      <c>suit-condition-minimum-battery</c>
      <c>assert(battery &gt;= current.params[minimum-battery])</c>
      <c>Check Update Authorized</c>
      <c>suit-condition-update-authorized</c>
      <c>assert( isAuthorized( current.params[priority]))</c>
      <c>Check Version</c>
      <c>suit-condition-version</c>
      <c>assert(version_check(current, current.params[version]))</c>
      <c>Wait For Event</c>
      <c>suit-directive-wait</c>
      <c>until event(arg), wait</c>
      <c>Override Multiple</c>
      <c>suit-directive-override-multiple</c>
      <c>components[i].params[k] := v for-each k,v in d for-each i,d in arg</c>
      <c>Copy Params</c>
      <c>suit-directive-copy-params</c>
      <c>current.params[k] = components[i].params[k] for k in l for i,l in arg</c>
</texttable>

<section anchor="suit-condition-use-before"><name>suit-condition-use-before</name>

<t>Verify that the current time is BEFORE the specified time. suit-condition-use-before is used to specify the last time at which an update is to be installed. The recipient evaluates the current time against the suit-parameter-use-before parameter (<xref target="suit-parameter-use-before"/>), which MUST have already been set as a parameter, encoded as seconds after 1970-01-01 00:00:00 UTC. Timestamp conditions MUST be evaluated in 64 bits, regardless of encoded CBOR size. suit-condition-use-before is OPTIONAL to implement.</t>

</section>
<section anchor="suit-condition-image-not-match"><name>suit-condition-image-not-match</name>

<t>Verify that the current component does not match the suit-parameter-image-digest (Section 8.4.8.6 of <xref target="I-D.ietf-suit-manifest"/>). If no digest is specified, the condition fails. suit-condition-image-not-match is OPTIONAL to implement.</t>

</section>
<section anchor="suit-condition-minimum-battery"><name>suit-condition-minimum-battery</name>

<t>suit-condition-minimum-battery provides a mechanism to test a Recipient's battery level before installing an update. This condition is primarily for use in primary-cell applications, where a primary cell is a single-use, non-rechargeable battery and energy budgeting is therefore a one-way operation. For batteries that are charged, suit-directive-wait is more appropriate, since it defines a "wait" until the battery level is sufficient to install the update. suit-condition-minimum-battery is specified in mWh. suit-condition-minimum-battery is OPTIONAL to implement. suit-condition-minimum-battery consumes suit-parameter-minimum-battery (<xref target="suit-parameter-minimum-battery"/>).</t>

</section>
<section anchor="suit-condition-update-authorized"><name>suit-condition-update-authorized</name>

<t>Request authorization from the application and fail if not authorized. This can allow a user to decline an update. suit-parameter-update-priority (<xref target="suit-parameter-update-priority"/>) provides an integer priority level that the application can use to determine whether or not to authorize the update. Smaller integer values indicate higher priority; deployment policy defines the action taken for a given priority. suit-condition-update-authorized is OPTIONAL to implement.</t>

</section>
<section anchor="suit-condition-version"><name>suit-condition-version</name>

<t>suit-condition-version allows comparing versions of firmware. Verifying image digests is preferred to version checks because digests are more precise. suit-condition-version examines a component's version against the version info specified in suit-parameter-version (<xref target="suit-parameter-version"/>).</t>

</section>
<section anchor="suit-directive-wait"><name>suit-directive-wait</name>

<t>suit-directive-wait directs the manifest processor to pause until a specified event occurs. Some possible events include:</t>

<t><list style="numbers" type="1">
  <t>Authorization</t>
  <t>External power</t>
  <t>Network availability</t>
  <t>Other device firmware version</t>
  <t>Time</t>
  <t>Time of day</t>
  <t>Day of week</t>
</list></t>

</section>
<section anchor="suit-directive-override-multiple"><name>suit-directive-override-multiple</name>

<t>This directive enables setting parameters for multiple components at the same time. This allows a small reduction in encoding overhead:</t>

<t><list style="symbols">
  <t>without override-multiple, the encoding for each component consists of:  <list style="symbols">
      <t>set-component-index (2 bytes)</t>
      <t>override-parameters (1 byte + parameter map)</t>
    </list></t>
  <t>with override-multiple, the encoding for each component consists of:  <list style="symbols">
      <t>the component index key (1 byte)</t>
      <t>the parameter map</t>
    </list></t>
</list></t>

<t>Override-multiple requires the command (1-2 bytes) and one additional map to hold the parameter sets (1 byte). For one component, there is no savings. For multiple components, there is an encoding savings of 2 bytes per component.</t>

<t>Implementations can structure code so that override-multiple follows a code-path nearly identical to set-component-index + override-parameters.</t>

<t>This command is purely an encoding alias for set-component-index and override-parameters. The component index is set to the last component listed in the override-multiple argument when override-multiple completes.</t>

<t>The following CDDL defines the argument for suit-directive-override-multiple:</t>

<t><spanx style="verb">CDDL
SUIT_Override_Mult_Arg = {
    + uint =&gt; {+ $$SUIT_Parameters}
}
</spanx></t>

</section>
<section anchor="suit-directive-copy-params"><name>suit-directive-copy-params</name>

<t>suit-directive-copy-params enables a manifest author to specify one or more components to copy parameters from, and a list of parameters to copy from each specified source component.</t>

<t>The behaviour is exactly the same as override parameters, but with parameter values defined in existing components. Parameters are only copied between identical keys (no copying from URI to digest, for example).</t>

<t>For each entry in the map, the manifest processor sets the source component to be the component identified by the index contained in the map key. For each parameter identified in the copy list, the manifest processor copies the parameter from the source component to the current component.</t>

<t>The following CDDL defines the argument for suit-directive-copy-params:</t>

<t><spanx style="verb">CDDL
SUIT_Directive_Copy_Params = {
    + uint =&gt; [+ int]
}
</spanx></t>

</section>
</section>
<section anchor="iana"><name>IANA Considerations</name>

<t>IANA is requested to allocate the commands, parameters, and metadata values shown in the following tables.</t>

<section anchor="suit-envelope-elements"><name>SUIT Envelope Elements</name>

<texttable>
      <ttcol align='left'>Label</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>14</c>
      <c>CoSWID</c>
      <c><xref target="manifest-digest-coswid"/></c>
</texttable>

</section>
<section anchor="suit-manifest-elements"><name>SUIT Manifest Elements</name>

<texttable>
      <ttcol align='left'>Label</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>6</c>
      <c>Set Version</c>
      <c><xref target="suit-set-version"/></c>
      <c>14</c>
      <c>CoSWID</c>
      <c><xref target="manifest-digest-coswid"/></c>
</texttable>

</section>
<section anchor="suit-commands"><name>SUIT Commands</name>

<texttable>
      <ttcol align='left'>Label</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>4</c>
      <c>Use Before</c>
      <c><xref target="suit-condition-use-before"/></c>
      <c>25</c>
      <c>Image Not Match</c>
      <c><xref target="suit-condition-image-not-match"/></c>
      <c>26</c>
      <c>Minimum Battery</c>
      <c><xref target="suit-condition-minimum-battery"/></c>
      <c>27</c>
      <c>Update Authorized</c>
      <c><xref target="suit-condition-update-authorized"/></c>
      <c>28</c>
      <c>Version</c>
      <c><xref target="suit-condition-version"/></c>
      <c>29</c>
      <c>Wait For Event</c>
      <c><xref target="suit-directive-wait"/></c>
      <c>34</c>
      <c>Override Multiple</c>
      <c><xref target="suit-directive-override-multiple"/></c>
      <c>35</c>
      <c>Copy Params</c>
      <c><xref target="suit-directive-copy-params"/></c>
</texttable>

</section>
<section anchor="suit-parameters"><name>SUIT Parameters</name>

<texttable>
      <ttcol align='left'>Label</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>4</c>
      <c>Use Before</c>
      <c><xref target="suit-parameter-use-before"/></c>
      <c>26</c>
      <c>Minimum Battery</c>
      <c><xref target="suit-parameter-minimum-battery"/></c>
      <c>27</c>
      <c>Update Priority</c>
      <c><xref target="suit-parameter-update-priority"/></c>
      <c>28</c>
      <c>Version</c>
      <c><xref target="suit-parameter-version"/></c>
      <c>29</c>
      <c>Wait Info</c>
      <c><xref target="suit-parameter-wait-info"/></c>
      <c>30</c>
      <c>Component Metadata</c>
      <c><xref target="suit-parameter-component-metadata"/></c>
</texttable>

</section>
<section anchor="suit-component-text-values"><name>SUIT Component Text Values</name>

<texttable>
      <ttcol align='left'>Label</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>7</c>
      <c>Component Version Required</c>
      <c><xref target="text-version-required"/></c>
      <c>8</c>
      <c>Current Version</c>
      <c><xref target="text-current-version"/></c>
</texttable>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This document extends the SUIT manifest specification. The extensions defined here are optional and do not make support for update-management extensions mandatory for implementations of the base SUIT manifest specification. A detailed security treatment can be found in the architecture <xref target="RFC9019"/> and in the information model <xref target="RFC9124"/> documents.</t>

<t>The free-text fields introduced in Sections <xref target="text-version-required"/> and <xref target="text-current-version"/> are intended solely for human consumption. Recipients MUST treat those values as untrusted input: they MUST NOT evaluate the text, execute embedded markup, or override machine-readable decisions derived from suit-set-version or suit-parameter-version. Implementations SHOULD bound the length of displayed text to mitigate interface flooding and log injection.</t>

<t>The suit-coswid element can expose detailed software identity and SBOM information. Such information can help authorized operators assess inventory, vulnerability exposure, and compliance, but the same information can also help an attacker or unauthorized observer quickly identify software components and versions on a device. Deployments SHOULD treat manifests containing suit-coswid as sensitive metadata, limit access to authorized parties, and consider using severable suit-coswid content so that intermediaries and Recipients that do not need this metadata can discard it without invalidating the manifest signature.</t>

<t>Component metadata (<xref target="suit-parameter-component-metadata"/>) can expose operator identifiers, file paths, or other locally meaningful strings. Deployments SHOULD validate these values against local policy before applying them, and MUST handle missing or malformed metadata defensively so that the update agent does not escalate privileges or disclose sensitive information inadvertently.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC9393">
  <front>
    <title>Concise Software Identification Tags</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="J. Fitzgerald-McKay" initials="J." surname="Fitzgerald-McKay"/>
    <author fullname="C. Schmidt" initials="C." surname="Schmidt"/>
    <author fullname="D. Waltermire" initials="D." surname="Waltermire"/>
    <date month="June" year="2023"/>
    <abstract>
      <t>ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9393"/>
  <seriesInfo name="DOI" value="10.17487/RFC9393"/>
</reference>

<reference anchor="I-D.ietf-suit-manifest">
   <front>
      <title>A Concise Binary Object Representation (CBOR)-based Serialization Format for the Software Updates for Internet of Things (SUIT) Manifest</title>
      <author fullname="Brendan Moran" initials="B." surname="Moran">
         <organization>Arm Limited</organization>
      </author>
      <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
      </author>
      <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
         <organization>Fraunhofer SIT</organization>
      </author>
      <author fullname="Koen Zandberg" initials="K." surname="Zandberg">
         <organization>Inria</organization>
      </author>
      <author fullname="Øyvind Rønningstad" initials="O." surname="Rønningstad">
         <organization>Nordic Semiconductor</organization>
      </author>
      <date day="18" month="June" year="2026"/>
      <abstract>
	 <t>   This specification describes the format of a manifest.  A manifest is
   a bundle of metadata about code/data obtained by a recipient (chiefly
   the firmware for an Internet of Things (IoT) device), where to find
   the code/data, the devices to which it applies, and cryptographic
   information protecting the manifest.  Software updates and Trusted
   Invocation both tend to use sequences of common operations, so the
   manifest encodes those sequences of operations, rather than declaring
   the metadata.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-suit-manifest-37"/>
   
</reference>
<reference anchor="RFC8949">
  <front>
    <title>Concise Binary Object Representation (CBOR)</title>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="December" year="2020"/>
    <abstract>
      <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
      <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="94"/>
  <seriesInfo name="RFC" value="8949"/>
  <seriesInfo name="DOI" value="10.17487/RFC8949"/>
</reference>
<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC9124">
  <front>
    <title>A Manifest Information Model for Firmware Updates in Internet of Things (IoT) Devices</title>
    <author fullname="B. Moran" initials="B." surname="Moran"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <date month="January" year="2022"/>
    <abstract>
      <t>Vulnerabilities with Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism that is also suitable for constrained devices. Ensuring that devices function and remain secure over their service lifetime requires such an update mechanism to fix vulnerabilities, update configuration settings, and add new functionality.</t>
      <t>One component of such a firmware update is a concise and machine-processable metadata document, or manifest, that describes the firmware image(s) and offers appropriate protection. This document describes the information that must be present in the manifest.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9124"/>
  <seriesInfo name="DOI" value="10.17487/RFC9124"/>
</reference>
<reference anchor="RFC9019">
  <front>
    <title>A Firmware Update Architecture for Internet of Things</title>
    <author fullname="B. Moran" initials="B." surname="Moran"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <author fullname="D. Brown" initials="D." surname="Brown"/>
    <author fullname="M. Meriac" initials="M." surname="Meriac"/>
    <date month="April" year="2021"/>
    <abstract>
      <t>Vulnerabilities in Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism suitable for devices with resource constraints. Incorporating such an update mechanism is a fundamental requirement for fixing vulnerabilities, but it also enables other important capabilities such as updating configuration settings and adding new functionality.</t>
      <t>In addition to the definition of terminology and an architecture, this document provides the motivation for the standardization of a manifest format as a transport-agnostic means for describing and protecting firmware updates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9019"/>
  <seriesInfo name="DOI" value="10.17487/RFC9019"/>
</reference>

<reference anchor="semver" target="https://semver.org">
  <front>
    <title>Semantic Versioning 2.0.0</title>
    <author >
      <organization></organization>
    </author>
    <date year="2013" month="June" day="18"/>
  </front>
</reference>


    </references>

</references>


<?line 529?>

<section anchor="full-cddl"><name>Full CDDL</name>

<t>To be valid, the following CDDL MUST be appended to the SUIT Manifest CDDL. The SUIT CDDL is defined in Appendix A of <xref target="I-D.ietf-suit-manifest"/>.</t>

<figure><sourcecode type="CDDL"><![CDATA[
$$unseverable-manifest-member-extensions //= (
    suit-set-version =>
        bstr .cbor SUIT_Condition_Version_Comparison_Value
)
$$SUIT_severable-members-extensions //= (
    suit-coswid => bstr .cbor concise-swid-tag)

$$severable-manifest-members-choice-extensions //= (
    suit-coswid => bstr .cbor concise-swid-tag / SUIT_Digest
)

SUIT_Condition //= (
    suit-condition-image-not-match,   SUIT_Rep_Policy)
SUIT_Condition //= (
    suit-condition-use-before,        SUIT_Rep_Policy)
SUIT_Condition //= (
    suit-condition-minimum-battery,   SUIT_Rep_Policy)
SUIT_Condition //= (
    suit-condition-update-authorized, SUIT_Rep_Policy)
SUIT_Condition //= (
    suit-condition-version,           SUIT_Rep_Policy)

SUIT_Directive //= (
    suit-directive-wait,              SUIT_Rep_Policy)

SUIT_Directive //= (
    suit-directive-override-multiple, SUIT_Override_Mult_Arg)
SUIT_Directive //=(
    suit-directive-copy-params,       SUIT_Directive_Copy_Params)


SUIT_Override_Mult_Arg = {
    + uint => {+ $$SUIT_Parameters}
}
SUIT_Directive_Copy_Params = {
    + uint => [+ int]
}

SUIT_Wait_Event = { + SUIT_Wait_Events }

SUIT_Wait_Events //= (suit-wait-event-authorization => int)
SUIT_Wait_Events //= (suit-wait-event-power => int)
SUIT_Wait_Events //= (suit-wait-event-network => int)
SUIT_Wait_Events //= (suit-wait-event-other-device-version
    => SUIT_Wait_Event_Argument_Other_Device_Version)
SUIT_Wait_Events //= (suit-wait-event-time => uint); Timestamp
SUIT_Wait_Events //= (suit-wait-event-time-of-day
    => uint); Time of Day (seconds since 00:00:00)
SUIT_Wait_Events //= (suit-wait-event-day-of-week
    => uint); Days since Sunday
SUIT_Wait_Events //= (suit-wait-event-time-of-day-utc
    => uint); Time of Day UTC (seconds since 00:00:00)
SUIT_Wait_Events //= (suit-wait-event-day-of-week-utc
    => uint); Days since Sunday UTC

SUIT_Wait_Event_Argument_Other_Device_Version = [
    other-device: bstr,
    other-device-version: [ + SUIT_Parameter_Version_Match ]
]

$$SUIT_Parameters //= (suit-parameter-use-before => uint)
$$SUIT_Parameters //= (suit-parameter-minimum-battery => uint)
$$SUIT_Parameters //= (suit-parameter-update-priority => int)
$$SUIT_Parameters //= (suit-parameter-version =>
    bstr .cbor SUIT_Parameter_Version_Match)
$$SUIT_Parameters //= (suit-parameter-wait-info =>
    bstr .cbor SUIT_Wait_Event)
$$SUIT_Parameters //= (suit-parameter-component-metadata =>
    bstr .cbor SUIT_Component_Metadata)

SUIT_Parameter_Version_Match = [
    suit-condition-version-comparison-type:
        SUIT_Condition_Version_Comparison_Types,
    suit-condition-version-comparison-value:
        SUIT_Condition_Version_Comparison_Value
]
SUIT_Condition_Version_Comparison_Types /=
    suit-condition-version-comparison-greater
SUIT_Condition_Version_Comparison_Types /=
    suit-condition-version-comparison-greater-equal
SUIT_Condition_Version_Comparison_Types /=
    suit-condition-version-comparison-equal
SUIT_Condition_Version_Comparison_Types /=
    suit-condition-version-comparison-lesser-equal
SUIT_Condition_Version_Comparison_Types /=
    suit-condition-version-comparison-lesser

suit-condition-version-comparison-greater = 1
suit-condition-version-comparison-greater-equal = 2
suit-condition-version-comparison-equal = 3
suit-condition-version-comparison-lesser-equal = 4
suit-condition-version-comparison-lesser = 5

SUIT_Condition_Version_Comparison_Value = [+int]


SUIT_Component_Metadata = {
    ? suit-meta-default-permissions => SUIT_meta_permissions,
    ? suit-meta-user-permissions => SUIT_meta_permission_map,
    ? suit-meta-group-permissions => SUIT_meta_permission_map,
    ? suit-meta-role-permissions => SUIT_meta_permission_map,
    ? suit-meta-file-type => SUIT_Filetype,
    ? suit-meta-modification-time => #6.1(uint),
    ? suit-meta-creation-time => #6.1(uint),
    ? suit-meta-creator => SUIT_meta_actor_id,
    * $$SUIT_Component_Metadata_Extensions
}

suit-meta-default-permissions = 1
suit-meta-user-permissions = 2
suit-meta-group-permissions = 3
suit-meta-role-permissions = 4
suit-meta-file-type = 5
suit-meta-modification-time = 6
suit-meta-creation-time = 7
suit-meta-creator = 8

SUIT_meta_permissions = uint .bits SUIT_meta_permission_bits
SUIT_meta_permission_bits = &(
    write_attr_ex: 13,
    read_attr_ex: 12,
    sync: 11,
    delete: 10,
    recurse_delete: 9,
    write_attr: 8,
    change_owner: 7,
    change_perm: 6,
    read_perm: 5,
    read_attr: 4,
    createdir_append: 3,
    list_read: 2,
    create_write: 1,
    traverse_exec: 0,
    * $$SUIT_meta_permission_bits_extensions
)

SUIT_meta_permission_map = {
    + SUIT_meta_actor_id => SUIT_meta_permissions
}

SUIT_meta_actor_id = UUID_Tagged / bstr / tstr / int
UUID_Tagged = #6.37(bstr)

SUIT_Filetype /= suit-filetype-regular
SUIT_Filetype /= suit-filetype-directory
SUIT_Filetype /= suit-filetype-symlink

suit-filetype-regular = 1
suit-filetype-directory = 2
suit-filetype-symlink = 3



$$suit-text-component-key-extensions //= (
    suit-text-version-required => tstr)
$$suit-text-component-key-extensions //= (
    suit-text-current-version => tstr)

suit-set-version = 6
suit-coswid = 14
suit-condition-use-before        = 4
suit-condition-image-not-match          = 25
suit-condition-minimum-battery          = 26
suit-condition-update-authorized        = 27
suit-condition-version                  = 28

suit-directive-wait                     = 29
suit-directive-override-multiple        = 34
suit-directive-copy-params              = 35

suit-wait-event-authorization        = 1
suit-wait-event-power                = 2
suit-wait-event-network              = 3
suit-wait-event-other-device-version = 4
suit-wait-event-time                 = 5
suit-wait-event-time-of-day          = 6
suit-wait-event-day-of-week          = 7
suit-wait-event-time-of-day-utc      = 8
suit-wait-event-day-of-week-utc      = 9

suit-parameter-use-before         = 4
suit-parameter-minimum-battery    = 26
suit-parameter-update-priority    = 27
suit-parameter-version            = 28
suit-parameter-wait-info          = 29
suit-parameter-component-metadata = 30

suit-text-version-required      = 7
suit-text-current-version       = 8
]]></sourcecode></figure>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA+19aXPcyJXgd/yKXMoxTboLJR462VZ7JEqaYYzU0uqwd7Zb
QaFQWUWYKKAGiSJVLdG/ZX/L/rJ9Vx5IoEhK3Y51bKzCbpWAPF5mvnz3e0jT
NGmLttSH6v1ymrVavcyqbK4XumrVs0+trkxRV0bN6ka9rWftRdZoackPj6tW
N5VuVT1T706Lam7U9tv3x+92cKBipk1rkmwyafT5ocLnV06TTOu8yhYAzLTJ
Zm1a6HaWmlXRpivqlS5cr3TvIMnh0bxu1ofKtNPEtI3OFofq+Nm750lSLJtD
1TYr0+7v7j7c3U8A8AxA0PmqKdp1clE3Z/OmXi0ZrORMr+HR9NAtKH2KICQw
bFZNT7KyrgCstTbJsjhMlGpmuZ6adl3KU6XaOg9+FtUUoLQPTN0AdDPj/r1e
dP7ZNkXuGuf1Alfo3hZVWVR+Gv2pTcvCtCkMMqlLaJbWf/we3sDmLbLlEs4g
gOOk1OcaG91JkmzVntYNQJ/CO/xTVPDiyVi9rJuskme8/08aXU2zqvOmbuZw
pL9mLRzVoXrcLNSLYlG0eirv9SIrStd1TF3HeIT/Osc3Y1hXNPV/jNW77Cxb
Z4usM/t/6Cp+0Z387bOjVy/V0avxSL1493TcBeBMV+NWesfzJ1XdLGCQc42H
+Ob50cODhwf48zh9OvbothDclUYPHt55eAg4Vc3i3nv7d+zP3b2H+NPoxbnG
TYY/crO23gJkVVvk6i+6QUSHI1L7493x7hY1c+cCfxDND9X+7t5Bunsv3XvA
42TNXAN+nLbt0hzevs1zjGFPkiRNU5VNAIOyvE3gBhplljovZkVOe6Wm2uRN
MYHrqv11bmvVnmq+kHatihcHR3KqjQ5bZ2VZXyjABr6Fgkcj+aeaFoi/k1UL
5AD+N9XnRa5VvdRNho9grkUNVGPZAFhGl2tA8Kpt6jJBEFxnhBVuGiJGCxMy
8EBUVkJsYBge2QiESQdCU8ME9Xkx1SpTC52fwqrMAnvxqeFTT3LM2rR6AcMn
jqgd432FbdMNgeGePynKUr2aAcECulDARMqhAUI8qVctdEgYzKnAOOZzWRTT
aamT5JZCstLU01WOvZLk+QoGDeCBdRo74Sqgrqsqa2GRUz0d4a5VOvdzGNXo
/1oVDfzI4CXvN8I00e2FhhuE2ytHxCe2bXZobX7iUWf/R2pZl0W+VhpXmEsL
7JGtpkWLWMsbR0fQwzTZf0MTX4dsnz8P37jLS2ictQBCNik1Ih3DjqPAIptp
UeGCLor2FEcFRK3hryYELMJeOxINYxgjYM1wFG4j4Zn+lC2AytoNWzZFjXxi
pMo6z8ruPhYm4+2SpyVA3hYLzXsluAW7ASfSFoKva8ZRASaYuNFLYA7UM7hI
htdblnDiES7WIS5uv33y6uVOiJKAegHfLhANeieFY716/e741U+PX9CGLJYl
IyKC0XlT5eUK7hSMY08I1vNYvYHhlgX2kNPK6xUyTsbFxQLHgUNbZg0QdHiu
CtjtGlZc1W0w3cv3b9/BDvwNV4k44tAjM7BHMzgQJAhXIQswdFrSg/Gd8f4I
ADHA3wFRCSw5n4k+zc6LegVQAADAD+GKLybFfFWvYDFHdQVPkDCN1MUp3JsM
pl6W9ZogbHQJR6hqS/wCESQY18IKmAhY0F0Joy+tlKDTDBvTdOjT2K2EvZue
I8oA/prVktACiQAOJ1d9GiL2Nr5EvIXdVOdFJshFoMlFhgZ5tswmRQm4DEuf
121BKLADwM+QKpvTgkQGmDE/9WcM5IjBdBPLqRq4eoCEE61O6wqWjgvI6AZC
80rOUk/HRPRoa6uWSTRgxDvdwCWry3q+Vp9v5f5tCm/T1r+9TICVaeDka4VS
mVFbuH9bI/5b/fSKfr959t/fH7959hR/v/33xy9euB+JtHj776/ev3jqf/me
ID+8fPbTU+4MT1XnUbL18vF/bvF93rL3YcvdJpC0Vnxd8DRr3I0CsR9YHJ5o
BoKscF1C3ydHr//3/9q7A2j830BQ2N/bewiIy/94sHf/DvwD8Y5nqytgkPxP
2NV1AgKdzhocBZgiHmYB3NGM8IKY0/qiIpQbJ3/6M8qIKr335x+ThMUAEqHh
RM8AfVdIJ2cq2OHu9RL5BSBBGDZft7Ed224ADGxQ5GHx5tyLN+FUs6ZewKAs
tVxejoSqYLNF9jeUJLAp/LXM2vx0hJJCCvdOZ0ZI6mRVlMC2dJvBFcyInkLP
HNQNbAgPkabK5ESLaOzOCmkhjhyl0hgWXDDJQpaQSXPQKgCf3TgTgAMPRu6t
X9ghUjVqRsyYALZgGDwh0BmY+zVaA+WrUriBJD7aSeAg5aYbPnm868HyVV5m
Brf4RmvhzdKfiGSbaNf4FHq7BtcaRioMQEx31vEO9VI6JiAjLYD1TVEEqCtg
hm5IRq6uHENs3sowsIYCheHkj8AzYjRR1WoxgY22NE6oNTBEkGlgNFjuZN0h
pjAMkBSUItWA3AYU8ah++9fjpzuC0SDaX15Cn3dANEUOXjIxAjiFsJGmNdCG
rgtMDepigytzxwrPcc/gaLFjcuuWouMwoDHadX2+FT+6lHvjds5iTdbfFbsd
bhZoImy2w1hkj8PblFV4r5coMMIuaSumMV8wbobgzIV6gaSCAgSjecDofwKc
dRMWCzhmI6AjLEXjtwX1XZ64BTSWzbNdAbOsNUA9FjlMCLKM1ttDJIHEqZn7
yW3IULodwpDwAn8jIbAc743nxzgfb5YOWONUMw0AaQ0EqrJcj9VTJzAYHgR6
oqSDlxu2g3hr5gBD4RXVhrI2hE8zkJqJQRNzq0Gn7u8H3mximGs65dMVwJPO
shzXx/cIf6EUQF3JSiC468bY/vx56Pnl5c5YPdF5tjIDB0H0sUc2vGA3I5VP
dgRAoP1qCxE5+tQbByzmQO7hQLCvxX83IeqJGhEYiH/U1TJ/ZrhE5qZjFhXo
tpjCXt2hZSCemAxJmVHDWIA7tAk/dmCi49nAYuAao4C0Qex7/J9ehm6//Xw8
oclrc1EAj75lp0qnxRz/4hdAaR4rJoOEvqJwXK9CwOGnOVwyJBrF/LQlPX21
LPFMrfaDmiDoo6Cgt3zBUJwVjAdgvYIB+kiTsZKFAm9WXmRro86q+gLkR2zt
tF1SvZYo/+OAgGZegw6Xy1ioiV8IcemIJmN13JJdAUgANr2CTXguESsZjmdY
uinCtJCqCR4v0iqkS7SrlmQUrSVNoMLlWTP1hMkrSjUaFlhOBEJbZM1aFTPs
WrBWtDJDvS5Oi5JEAqObc1ZsAiwzcJMy3GJYv1WqMmZxMRlCbcJDLkszHQQN
NxylFdt8jRex7aswEaUEcgi4BXovaLYmpv/RYQbSdl8BjV8O6KCw10yvekYd
Q5oKCVOVRmFcTVf2tAQXCsIFpE4zpGCC3aHhaWyvEIID3IdMO1fcIUcPaB9k
twtSb+oGtu98VVa4lUwUQ/sL0q2yyIDaqfxU52dmJHPmiMFl0TfpCJwAkACO
11FHhp1UrBA4DuhPgtD4L7QtT+WWAh3M6yWMJCYaZ0MCIY9MGWItV+dZuSIN
grdutkZM9IDYnf2hp+avveDCPDunYZDk+E1Dw5ElI3Sz3UEZkFo19Qh3kBTy
xuq4hTErpFqvSAt1+nGHRiM4c40DALvu4NeqKhFbnZo7WYfav1ej4XnGsi1A
O4M7CTgd4D/BPq3tRe5cJVwJPndzEE6LukgLtvQa6BeMNlZ/RTNEdGPc3R2x
OBFMXjchWcHdQTQUUoRHYgUOwMisLPD0ryAkQ5MTEfEAZAGBcjx5lhUlHF2J
Fl57OzN1ocsyZdnSmhfTJQoLLV6pcBqgzSVNJsLdwAaTGtsoWUR3l5GQMQUi
QKDZkF2JDDyOe3Rmxl1E6Y64KcKxyEoLOHVjS6CgBA8uZE4wTdoJBcQ9vqhX
JWpkp7AbQNvOATIiRbDCetXkKL1TF3ssLLzIALA/ghheh4MBoA+AKpYqt7DA
TlUJAUKjDdxelFG9qcoaSEP1xyJucGHxrNfBKTsCbSxMfpWBcELii4gtqcP3
z7cGn18KVxjuVBjmiGwiZZTwMnTKSrlTdta48g1CHbH5wBxzhQ7A1g/BjYoV
Xv9a7kamImWGGI1YbBeLVYVSkLZCfwAiNLBeEcPiokiJImAs6+UKWY1HUNwa
OOMl27uZAJ0cWcXwJBBq0FRmNcdgSqdEMltZllmu2YyFIjOImWaJ6yRLzFJl
V50iGeMYDCLKBBvIbg1igbWOEJOR02JLh0hrXvcURQ0wiaARy0oHaitX8cWE
LTPo+yiJrLnL7znngP5lfUHOCzVfQS/kPmQeMQAZoXpTr+an4kJAnxHMwjIR
aWFk7CMghIHSmr04aFcPy9QVjUSTZz0fmEiHLOkyUq9grQ05l6PV/4AE0Mql
bX0G7Iwggv50IS6YPtMVJ+1WbHFdmRxPDbYKL01eZsjEx+qZOyzvGOAtJiKO
AJI2jhZM9f7d8/QBL7hkNy9CvQQ1s2XD0WmGLkcyu7wHlEctXlisEsc8EqQX
I/XTSL0mmvU/xf8kG0h8kggLi1gsd7gb0rVvf/zx4wj+8wj/+yf6D/189HHH
YQtcpnqRMaA16S247WLagEXgVpCItUFYRr81GRyigwbakS2J8QDfF18GbYVG
+Q4uTnO2WpKpnf2aKe1FUf2NXROCOqTB+IvD+y6njyoSCQmhlc26bMQvS2fd
rNCOM9HrWtCmQ8azCchRQI2fwEXNyAhjdw/F4ZHoWogCXbqENDIwN2398vN3
n74bqe/W3/3yYYs4VKNF9GRnpAqNAxWIh3vjTwopl3gB4N/747usNSBjOd8f
75L+gwB2KB8zSFg1PZzV6Gkmb4TTHUU09eRQVBc0TrXWl+KOrCDMzid1A2px
NsfZrVfs73//+9HTpy8SWhys7YM6VJ/JvX4ffm39+IiB/tP+VnKJjSOuFivr
wtRiXT3kaXGXgKVZ+sR2nJ4NO3QxBzcZOvYMG9ZkEVob0aDTtTciAQEJQAdW
KIwhERsM6d2knwYcg83sjtW9Zn5vXVko8SEtB9LD2y/D/iAaLQ5Li1O8ONZ8
EA/RYFM7juwBGg0w1n9Gxhif6iBftC9vxhStrdlbfIWkeWKY006yUuicHwR6
hEJO49vIEzu2wyGMi9hiXc2K+UqCCzYwSVz0P5xHOhTT1XnR1FWwtgbZOYIH
yF7Wc6unklcAIUVeAxhldOfN1ay0E89QacR+NNqQloar/Qsqxb8rJ2VcLCLm
RENicNsGs/BmsVfCFQTprHMb9EJAxwxvgf5UkJ0/ULTc7Q5VVHusGUYR6Xwl
gCOfg5MTDoiwBLAW7MUvDNytdUoGmTBM4et4sAHC0Ba/AvNgbkzyBOHnBZr5
PGMWt7a/bf83GPBx27NxWdtGTOFYS44DxIiqi7t0x5IlhD0NYAckOtN6GRMA
NgQNO0cxUgo0fQ3y7PuqLM4G7P3D/ISZ9gzDlnoOq25siVxjZHSRQ/G1RVED
zNPZaTzmGmCeb8nIUHr/guGDAQWLrw0LxgSND7/w9JNDFAQiVvc8AEf2PazR
z297CddE5TiYnUUS7ztAngdEoRGk7ZqQw2CUBwjVlZ70n3C8LwqFEvXWyTtf
4DLOACFBV8EYsi/y/+Q9wPWEkftLfOXRdj+x73rqrX97eZm8LKpisVqoJ2jI
B2rWG2vBDUDBtg16A0ZNYFQJ6n0tUVMDEHLwzNI36IPZbQKj2svQG+3cvdis
yyd/zYAcHAPF6fe/gFdpwa96I7iXMIaTKJw3vD+Y49rpwrfpjdpvBcM7CXPw
KMWNPHiQSfK4QlZZwAnR1jsnutGx9zXkRcTKBgIRrC8eXWcoZeAlKlBd3nt4
fzfd3YP/baDYzFnRbOdcgsQEmLDdu5NOUCCkoGq416Ec5AUfAQKIEim4KEz1
rDAhFo+Hdi7CSvG4e6iAoIm5Tq6AxXCKkCbvwl9PhVcEcWsm3L5scPNCuCOo
49u03VtX7zLtDK4uuh2bV+eumOwtd7xuXZVfCzMvUlQw6n0+uC4BRwSMX6Ft
f2W9NsjLgIRn5oziOpfL0jINxF6yCospCQ3kBYaqaR92LEtw7gWyJBXtCtvg
qs9BMJ5r8rowdXBGaLopMFfBNniJdbbSEceUg3aEfF07sc/54oS2PRZZau3Y
MVoVQl/kVbsjTAapPkiYDccNKLNA/0nD7hWKoWDT4WkxP/WOKXuiHTGNfLF+
B62/T4IVrqG+Mp+7p3R/QWugIIKxehEaulF6zgz6BwLHSOpko4XOKsr6QJE2
AzE6B03NrQit8Fk1R/fMc2/MGXm7NJqtsyBWoOsomxWfML4I3dEoU8zhzlXK
3T4mWWRCR51ospoPd6BdVhwdEHbD+WY6Yw+1iH29ziWGaTYDvWFStO+idGBi
dMaQ9+xM87WSwJopRr8XLmQchHHSrhAIdkrUcZy92AlyzZJUjyRE4UZ9HgiC
qGCUxPB3RUHLMry0FOj+ryo9EC9kpTvygxNdINPB8PxDNEcQdOoCuJVXV4xu
wogeCbzySvFF4JiKbPMD1MfLrmwUOq/P9JRtGv2hcVkMwFDQl3ieyarWibcy
oLdmRHOQBHlaLI+Ry08oiJEaOPGgnqBpcMR+O3iBcRHsXmpteJCzRFgIi9bo
cobB3Zs3PAyACM7MadhEMwJzS55TPP3c2ti8+Q1l0kNvMiPrihPfT0QuO3mJ
4ZrqkfqZrGjD+596QNJ2vdSHkqujrMlG2rtBj1z7k3fQ3oxuODhRnK8ZndT3
5AOb+mwIkWwZQiq4TsGL/4YaLTBH/xMP79l/rbISn7kfL9Bt133HjyRKaeBG
sWs9FjOOnrx6QxY6crpLsChGJfjIPaTzU4wwtYEzVpQD3DHI5sgz4nsgWi6N
xDwgRbTDWoZG01ltJoq8ZOMh8Uex+k0VQCiDVSQWaVxyuDRkqXVOl2kaMYAi
ElF52i7ijtQW7aL65ec9MkS37LwtJAZ9QeiHK3GaqCzbYEwEm3SIzqDsOgu9
pXa6SQ1vt+IjxQlHuzAlx3/LoeLDvV0PCPnVHRiOqu6Nd8efgILDpfIGcE8y
9sZ7u0TNN5LzoWQxF8qIbiyNod6GEcoijZue2Xk3IDIOseuMCGe5yFhIId/o
VVH5l+PYfuHiOMkSwTGhbmixNYgAORAkfk3IpVtUL+LyB0SgrGIDpQ9/NPkp
6Cdsb2WvJdstLF6El8ltHVl/SBSyAUwUa+WjTq1g1HFIjdTHn/d39++O9vZH
9z58ZIESoC8xuqYR97SMgBL9X5wBprHBiuj6nAF52cOEmih8vEsNQvj3kFof
DEeTq+3MUvBfdVOLFLaT7MMMyAfEsBUGmIvMWTeRmhMNPRLmwJSBBkfDX91s
iGtHS04fjTnwA/cAlMIGjakdUALL7HDUfy+RiayK9jJbvGPJJiuXp9kII6cy
G1JF06SAYdNCBOteoH0UCNu/nWwxtXEurcvo6tj2vK/ESYKx/NfhBDZcVrId
BIJ/eNzscXVd6gZjJxKaWdGY1rEYp8bbOL+/1fYeWmurkzwnQF3PyBt7SqqA
lTa8sIn4+Y6uKXL4jZNgjkg0iUFOLcqUXFvenUpfWNmetBAS40eEqzE84+SA
pwfO0vjZJWB4GVL3a6d1Oojw++Gb5o5DknsyH2q6y6AM9+sICSSXpHuHQDy5
3ZHD6+03Rzv4cv8QsLnN8OfBoXqMF0LsBqK2tBIKRAPYAJYlUyhg2jkGARPx
hgvGyprmCOEOL7dmuv3x7ki9OdpDOJFUiDM4eD3eZY8Vq7f0FsVq22Jv/Anu
39ozkDdHuDfp3ki4ft2cGQ/aIbDk/dHuCN6DfGBBJ5tsMD23Ab49Vm+LRQGI
QPGssC9qO93fiYDFGVFKxr2C9wf993CyrzcQrdrnwW2iPspTH4nNjfIZpoXs
u3Ur2c0YcOhRfCtP2vF3UZxuQc/ReQk/KBGaZMWZOEJZyrPpRYNRxs7b7xgg
+lzY5XdF/pV3rEi+Ao0VZFebbw2BD7COsB8d9gegf6Bktj86gCPmh2mTB88B
PYJXdPDu1b5/wUfu3vgu4wN+N77jp4L3ozvYYkAtd/ZjCQXgEwXmSG+cptp9
jGoqP+lGTtswO2YlS+ILK9jJEqUCp7dzIAqJ2kZI6SaDt008Ytrm3BziYHGO
cguc0DHY9byNHJMWlxgoJIud16ngWEQsCKdzivqYiP4CAsUElF+iyRSKgkxp
CcIlNG/0HMMUGs5ukoXCBZuWYjsxK4M+/V5Aq9s3ijqlaCAW0eDOOflhJEEp
jQuIFcsLImtDGcEk6jfa6xPsRA1HYXkz17BdUxvpPrT1sY6HdxP2kLCCFoaZ
1SCABg+cOxkzzg2dtTgHNsgbaAEoqpUknXeGkitV+tRP0iDDyMiuEYCcvN5P
9cxS5S9AiVyeXMdHRUunBdOcadfC+gUpCvz37XAOTmzhjgdbEhW2g5B3h28C
v6Ao+F6nSrfINYa62VfDHYmsphyjEPib3mrUgtFMJ2PNrB/axjOQxBfIDL2R
sVIA9F71AKIX25vcLzuDA6X1LJ1m68HxuiPt7h7S/8S6+w46XzViumrzrxn1
/buj3nA4DIx2ofXZ4FBTTAricd6uKlzGFbAFg22ErT8ggpX4UclczcTP6Zzf
GRfiAreAg7xz9CbwgfyKJEqc9/Sg7dwrutWoZ2HgYS8XM1uXaE5OTYZclY+e
Qwh8LLiIww4eslWQPYZA8UBY+ZmZdRiDj7JRRgU6Rt2xgC5Z4EwM+Mp0id6U
pkp5qjDmByQPrqkwuBzQ4yrOu0OTujJnxXLp9pFaoLhMFhaie56SyaayZuEd
g7gnQW82MZEWL0OTMxFWJaVJsCuP3p2zMxFqnTyRGKTIOLYhgYNsXTFO8Gqp
TMfQNoTxU0EQTNA1pMWwD0GY/marirXmABp3+vfrVDi3mET5cRJUOD/7cyyD
uo7UNZpS+1trYyLmzNndmyzB1nU4bLoQ/5Q1UFcbxAWFpYxCcdGKJCGRtSdv
DaQk2Yo54moIn9tcGTKKI6qtjESkhmk/nOLDsU1x0SA63SAMBUtWmSWGD5Ly
vgYehmVcQhsbghhsciitS9qoK1g0WYtnqXuP6wnvG4ccSXyIrQT0nQmM+t1Y
OQ+DTy+kMKtoiG5Nlzji7Dpk6aKzzanieLshpyHtnvjbUAhxxHBQoB4IsOi5
vAbCK9i+US8kY66ibJvMnqJL2UDni9ChUgeZNmzPC4NhiyjPTywppIrkuFl1
Y3+RExC52B8BKadeUpRnsP5sVbaBy9uo7ebiE2rtTi6EA2tuB07xZQb0K2zQ
1KW+sgHVtxtqQUtFH0eSvOez8qF0JA4BJ0O7uuDxeTfQ0cdmbwx2tAlnEhF/
02SBoxyv3NGskyYw0WHYZBTsFuq9nHBj+ELiQK9fvT3+HykV6UM7zila94oK
zY6yIlZQ0XxeZOojUp6Pbk1B4lpQkgFdH2TJLLOWAgC6NuFMvX9//FR1ohmM
mhQtnMiOD5BE24/+hI7dTkBKqat5e9rJE/SpT3SpyVcEuFdXUnkgCUKUQksh
eaOFxyLxxyoDmoqr5PVyzRlkIGXrH4BA6yvC1EY2ps1QUNve7vjOyP66y9RG
/nWPNI6GtJNR5Lz0mZ7dGCFUbHRLTtDpeSYG7m7XiSbVDWHnImhLDutD74os
otUY3q/Ip3LE99ASCJw4lbt5yYVMcDuAEHSLltCFsPnDrqyaC9qUESijAj1t
1LwITFESdY2s3NqPxcxC9zzoj119DaVA5QRoMBid9WOgLvXE5CtR9ODqkGtt
AAzW8+yyfX0Rm07Nhr4aKHVTOC3ZwuUjKDnbt3V6sKzMTmmLLMg0hY96zGyI
pGF/sfIOYwTmBECvm5Niqh7R1Th5l83n0O028/nbquW/4ECT8P0jdeve+OD+
Nrba8S5aGk1JaQO8pHBCVCUEaXONKZZLrLvWFDYkDqVwiQKh0+1ZI4IxXeRH
Zgnfth7PxyOixEhUdkbOOixviMLQ+2K6QwhJ91/evnv27LV695ieof3KYygS
439RL0PWQEqP32Ub3N1jH+L49W5achWzKI7+chvDGray1Q2wjmVwp9UBFk0T
DKJRsjkHLnNdLRYzxZLooCJBKwKKZrOBU+MAEfwtDPuwQProRzzkvW3U43aS
6L5uaCV5ObeUJ3tPBZlfe4oL+8j2+Q4ZHigVIFedclRGTBFtESWMcted/py3
gOKKEFcO2aHjR5G87ugP7AvFwA4XfBYMFp5SeCPD+RzXicNVxm7NYfOuNUf8
90MhHfEVDQd5xFr1eIIK01CTE3wz2JnewAD/sk1BGLSZJ1nbNif606HaO+BA
Dtzp4Om+hHesqxz+tcf/mgL1wiqoe7u2Dxo29Yl9/nAUzXCoHvAjVpFPYNc1
PLzfeYiQHqp7ARj85G4E2KG6I/1YaS2aE/TTVNNDJWtAteME2x+q/bDpCUEE
cPND0IypsOAJItOhksX8Uf3hDxu378SX90sCZH9v0AP7pkaS9W8o1IUHT7WV
1sxYBK0JARktEZlJDkTjosttwNhDlIypIcqR+DbnupOI5RaDEUONqfNCggyR
7NI7J8p3MFCaBuFdC59fFqAvxTAxqzeaQ1cx7T0YKuAwLvT+Ilsf2kwrkXCZ
dodCIFrJg2sWxTDFe47DPJIswO/VENf6cfAWGJsiiKRzoFtUbcguBfdCWPXI
Rjh3RJRLyyWeo4TxjiR09zNwOroVGx9I6KSSTMz3VHmk0XMKyMSXxKC4ajSc
XFlUZ2RrouIO1pcw8lNboiRlSv04tgqgrSvmg0EDoWrpciSodjhWzrCFQV2Y
DqlO72q5PiHgidyVt65ChiX3x9VUf7JGs+CxtxhYH5cdS2qcyXXeOLCv4uCN
eE4vpIAwKnXlIPTj9HRRKuNB7AGo/2LZrknakR7HFIqoYicQko54Ozpn9Tts
CQ7zu+5GF8Cb7IgHg+qfqptsSk9k81ztdbYu62yqnqOCACLVMdekCSLBSNR2
O4pxAbdXprlNhrHbk6IKL8sUGAcNZwtt59NqLDPflr8PxtgJFRAZDnfkMBrU
NRYHUniitHqgsdQjaMuUd1lTaQQYfcOI44SqIJJ1DwPsfDFCPJFDiyXx6OFj
N+jgQzcTTmT3lxQwNzgqbUFoKqHfI7UXvPWuRenErywiPFKn330XPHd6CxBj
3E8OFfVHc2lnZoy4Cor94O37N8fwZOu609ySLrTIxEHKzJLLHkpZGNwSQbFr
NmP3azZja8MJbF2/RYJQ0QZ18u5s2htzq8i/56KnOE6Oo4FML6Mu0CQG6kmL
69ByaWR58uixVKZXLyVjOXAdej3kHloVrkuXQ9foDeHZWN/6pqWr/2mrVSfJ
F3ueKswfDGj9Fx9BKqf4yvLiBL20gcM2hdGCvEKb2zaUdAXvOEB+u6ovtnfU
n6xaMibsNr/87Nv+8mEHwcRaG+qYbs9PNWIAkujeFHS9UtjodCEN3DygjJO5
jt9s8xXclnlB3Y4h4AYwu59+Q7rj5gQtN7198OOj3jxRn3C53WQhDKrt72kv
OcjNCSfue2735rWu8c4KoyTJfmqEG10enFARFLuN/V2UZjIJeVeRAT8jp+GX
HovG91/E/0ougm1g7HA4+AL6v2LLk1YvQZIskM31hhDjlE4Xvonnar/8XPzy
wQF39ssHdfhInSOvS0mtOBud46Wb+ifFiK4hgEGXZbnmzGPTnxltoSym4Mt4
I3CuR1dCgiLQGc5V0s9iVNqJw3qd/ctE4cDFLCiOZ3V867x88uz5qzfPovQc
fDm+4ooG9UW4E9sAyszIwFlr05ZcjlFhSwC7an5sD3JV6VXXgdwBNJujU0qK
9m3MY/VG33551TCrc8cmVRGdZT9miWr2mhMPkJWST9F1H4WeBxuYwA5jHzjR
iVEYk50NVrpYehbvw2ycJx/P8d4dtNwb0qGyZsp+kpmbkixmBm7qNUcyzIiG
ECQihZuxxIsbjksx8Rw4CB5UqtptdzLUx/euZro7oh4GNfECPVEcIiIlUWW6
3k7ExP2rtqOX0HsN6Xb1OqIPwLTEojsBH93UX3tWfAMk1KyTdBpIg1ifsMCM
iZLrylDwWyUP12muQUwJEzNt/aTMNlHUhPR0jMAASY5c0BXVWkNH2VyTYGZh
JHNkpZs5XIPVFHQmqr1Jt5G9LTAQIENKJZ8sp2c7Nw9R6MB2yRNMR4N0nKzo
bOC0VvSRxNMUYY7OFrbesmFLpzpOpUZf3AyksUKUPtnZwN3Rw5T4MIuoigPl
Zl/fZ4PUd01HSWnqhaRtyt6+ohTCziAq93g+1rbkTORujBwV6SevRJBOSomq
WNSyYGONH8aiJ0UcU/Iomf24UEZecomg7pZvzgoeoM5xSYad4JK5lHGfcs7H
78hVuAYEkdxitcvm0c52hQH7NRtM7NI6uPJW8qTthBvypS0cPwyUcA3VnIxp
YJud6Uoc/ewj8pnW18psX0XJbChgTMFc/AR76ST1zVdlkurwzQKr4Y4VswO6
/oFOaqRm6kw34jR2uSVU7c7lk9jmVM0++CJXb7U+14W+iWTCQAgfa9Lh/mEZ
qe7F3ZBHc02ldbuHEYESt24UOz0caP17hVPT1y+WtTEFFc7mACwf+4HZW+EV
xmQW1L2p3AWFpmJ+yU8SbCqRLpTtk9yxRYslLMietAsdvcviSnKP/0ZsmGbr
5P5YPeX6fhgNObRZPZHafrfFtvC2W3H6dkreNMqJ4oF5yVZnRrWTRdEwlyST
PHvAQf7KGR6+j4ACgE7RY4IWFBsd0oNy1I0367sOuPyOIX8B2VLIwBJE/7D5
ZXuf4rDMDrVw0wRr3N6jFur7QDrFGA0L3u8DWzeUgWHDcnEy+45r1AEiSV71
NKIgJsFZZWCY1C5Uvh3U/UwL5n7U6rQup9Ek5HGxQLCowFGfriYeCRdc+Vlx
mKNk/QwgRtA6C45cuiGaCpTomQnTvpK4oAxXkbfRRfxhEFsJr7clEnZAxIkO
F06t0pjeI+4RCgatBxHk+yGksG4NZwQCgFdUWC5cVlYWmZEMvP7AdAwDQ3Pd
gQgVqKq3t4qjmuabSHlGsaP1lw9iHH+CiZz0/fdUHhcmt6loXU9wlx/aoWhV
11ASQO2PHz96l5rF1RNU8E8eN/PAoUa+5Ec/qs/fW6enrwF2mVziQEPUK1DL
e6Q9VNktDQsSu/3HAq0GHMaGBsSMct2W6w7dA9krjiwNXtseJKJx2QvHMbia
dwe3cc87pjzKoZFPPFnHoN3dYB5OGica5C+sCDyBkZHyUO33VnhN47DCGrIR
yo6ViCn7BQF/NYAQARGoeFVE0nBhaDJvrcY3UkF0m8vAwqXDII2rhAOEZrSJ
zbq6RPEWidkhIpHWjOkCGPimSNywvw9I22ABEs6DEAVlRvwgrowGnBse6UYw
aZeirCgvjA/BPhyZ8ZvuWoDb8S17ahudoEHrRAxa/Zv28/coJH9wd0up48c/
4QdhOlXrPt8qsooiZPGlpMtr07qYljq31VatxX3UQVGKTLIOCUFO/hzdcBaR
YZGOvMDPKlASQFFVz6SifJK8yCagN3yxFu3hAnh7d9DYzcXnscDahu/fXPqZ
XFT9V850j2zobWBaHaqJ+A0AeU/MjeDA8Ttl/64sipbs34UmfXt7r1NklMGe
uOK+qfz6WmXJ/n2EccDofZNqYMn+A2jZ2+WBGj7J/kM1YIvekEqZHODODVme
ex167A1731Wx3bjXL7iq4QF7Avwbj3hD9carD+qqCo3hQb3+qiqMw4c0VHHR
H9LxDWorHuzSNg8UWLx58UR7q2QM+ogfl+W94f7f78BgV/nGRmAjLMPfrrhM
cFuOhAGE2zOcv0y02H59PqLH8Uc1KQhsyvyi+9XkjpuThcrgg7DhV2hZALAV
PyhtqRZD8Vn387L979oGQyK5yiiIhhwckbwu/kUsdnI1oI/R6AOarw6+KUT5
JTSfBPPO6lXlWHbW5KdFq1kTiD9QWtgvIfmcqwXoAKU03NvHb6ra7XQCcLd8
Lurw/EnuTu1Ws/nE5esgw+dL++0y5qU8iC+CzhbGJe9GXG2ZM204XUaYKWXU
gCYkOsBy1R7iktdB/oC4KjgxEWAauaBV/EzaFMHgwsxcK9lSw17evi1MgvjT
FFTJAuWeXmFgK68M1HmL9TibuUEHSroNZzag/YLrQaOkgUeB2bJA6+f8AS4Y
dIaJVLOyFmWrwuy7efAxBT5L4RP09R4b6p5znUfOObLI1v/kFyaW4NenOrWo
366ofpZHJwp01OUysLUGxdipaILZ/IEvAmPVSCyx/1AJy/ZOAYgnpC+E86wV
fmgvy8/YOLqqQjAmVHCkUYCX+ZkPBlz71YZGmyooDlVXru56t5yEHBgjov/I
mojdXCbK7zg52yopiOgDxShLB6vKUfJXHW4dVYbUxu4HEz/JQA0+pxfMYYNj
3Cf2uh+4os/EDWdvVpxWE2drfePnsAYTbPrGyyEOtROipCvC18n9o2g6Sk3y
Bc05ZxPOVUprzlY2EcsMHpr7IA5H01oCIsbZzkerxNGFdvm1rFk0XnG5Yl0F
RTGuXO3DfQLLrx2YDJ49fT/HHk6cxuLdklitvZQiplyglTKz8DDKmmJ/LR6F
l6Go+EvoGssVYEgssGrgMvkZcdHnWIWcFKvPt7AieZpPp+UlfVVionk74jBB
am2dvBzNrd1X77q6AjZlzsrCBfYsOqr3Y+pffAKudl3Mkou2/8MfVpVDdNcm
5S9apgHDvX37kdr2JQ9DAvzoRxcORskzY/zMyY0LHe4kYoIJwKDZzRXTy2UE
xTKYMedva6b4Km2z+U4CQ29cnEnz0xqTRX/jLOq2Ek2YAvFg0u7K+4Nu0HdG
tjrkG708eU0XY+fGY3lpfNSpNPktY0VC+m+DK9auRt8+lssl9n96Y0VWiXiw
rkYWjvSbBhswyg/bIHcGhhwcMdDjRiF4g/YWgPS32zy/0ZzD/VC5OmHtFxrb
lAX/1Kh+S7luV9dmgbkov+pmfbniytf1seVWvq7XULo57ZFNzPAj4DmQwH9C
TrWTp9TJEsSbTmhzzijd7AcfLfQV3aWCigUzGAn5BXrutoeLqNwUxqAUSjTJ
07gAyteDjcVVrgAdK1H8fuAPTNZbAtdw+arDdjWJQ/Q5JO4y6j23aHWofrYX
alOp4w/JhyTp3epglYPxb3ZtN+wZB518Zfc4qsPet5v1jmSNWM7YsDE3Hd3X
wtowvj/gmw45UBxiw9j+62DW1GQ5z/+rla1vCIe6/eiGkMy5UPI/bGAuIf37
D/8PGrakwtD/2NE3xQwN7B6l4HzlXlPCzA03ENoe3KBtuCvQ5c6Nu0Dju7FU
vxG98XJ+T7KR6xJfbydP/Vn5TEvJaUw7Sc8bkjxHvd4YXHeTrphY2u9Nebjf
3h3zdL+9t8sZct0w0RMf9Ntek6vf73BFyv6GxnXTBd+mzkZJ0v1TPXnmU6Rt
5Nfmk7U3YsPpWeTfdDwW4Tfsv0XueIMBj6/cTHVvc7kDdT9+h1ulHiT/P2P/
nz9j//fPMv+9S6kknasP3Igv5kwepJLnfV0znwZ9TUPJT5SLGk/jL2h/ZH87
48HoXiZkdcLX7JBxcuCZXl9haxr+tjkcQEvb881DxoWM3YhJ345nr7+1e6m9
HpMM1Af5M8BJ4+wK5dvu370uWyJsfK83fS/e2Te+vymKufcHGj8Yjs0d+gOt
H8aN+2FtrvHBnatCw6KRD+72yx52DSCu6d6GwrN9aDcWm40nv1nFRXfAsTWi
P/XdK2vBBg3vXVmTNWh4/9pasNLwwbWFWaXhw14l5D5O+zVvVn9ViKGb1VwV
4mZfn+2e3IPNRZoH0PFqZVMd7Ibf/O6Rlu4GD9IKv7dYU+T/AJA8tkWTnwAA

-->

</rfc>

