<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-tls-extended-key-update-13" category="std" consensus="true" submissionType="IETF" updates="9261, 8446" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Extended Key Update for TLS">Extended Key Update for Transport Layer Security (TLS) 1.3</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-tls-extended-key-update-13"/>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization>Siemens</organization>
      <address>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author initials="M." surname="Tüxen" fullname="Michael Tüxen">
      <organization>Münster Univ. of Applied Sciences</organization>
      <address>
        <email>tuexen@fh-muenster.de</email>
      </address>
    </author>
    <author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author initials="S." surname="Fries" fullname="Steffen Fries">
      <organization>Siemens</organization>
      <address>
        <email>steffen.fries@siemens.com</email>
      </address>
    </author>
    <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Security</area>
    <workgroup>Transport Layer Security</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 86?>

<t>TLS 1.3 ensures forward secrecy by performing an ephemeral Diffie-Hellman key exchange
during the initial handshake, protecting past communications even if a party's
long-term keys (typically a private key with a corresponding certificate) are later
compromised.</t>
      <t>While the built-in KeyUpdate mechanism allows application traffic keys to be refreshed
during a session, it does not incorporate fresh entropy from a new key exchange and
therefore does not provide post-compromise security. This limitation can pose a security
risk in long-lived sessions, such as those found in industrial IoT or telecommunications
environments.</t>
      <t>To address this, this specification defines an extended key update mechanism that
performs a fresh execution of the key exchange negotiated during the initial handshake
within an active session, thereby ensuring post-compromise security.</t>
      <t>By forcing attackers to exfiltrate new key material repeatedly, this approach mitigates
the risks associated with static key compromise. Regular renewal of session keys helps
contain the impact of such compromises. The extension is applicable to both TLS 1.3
and DTLS 1.3.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Transport Layer Security Working Group mailing list (tls@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/hannestschofenig/tls-key-update"/>.</t>
    </note>
  </front>
  <middle>
    <?line 108?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Transport Layer Security (TLS) 1.3 protocol provides forward secrecy by using
fresh ephemeral key exchange during the initial handshake. In the base protocol,
this key exchange is performed with (EC)DHE. By registering new NamedGroup codepoints,
TLS specifications also define hybrid and post-quantum key exchange mechanisms for
the same purpose. This ensures that encrypted communication remains confidential even
if an attacker later obtains a party's long-term private key, protecting against passive
adversaries who record encrypted traffic for later decryption.</t>
      <t>TLS 1.3 also includes a KeyUpdate mechanism that allows traffic keys to be refreshed
during an established session. However, this mechanism does not provide
post-compromise security, as it applies only a key derivation function to the
previous application traffic key as input. While this design is generally sufficient
for short-lived connections, it may present security limitations in scenarios where
sessions persist for extended periods, such as in industrial IoT or telecommunications
systems, where continuous availability is critical and session renegotiation or resumption
is impractical.</t>
      <t>Earlier versions of TLS supported session renegotiation, which allowed peers to negotiate
fresh keying material, including performing new Diffie-Hellman exchanges during the
session lifetime. Due to protocol complexity and known vulnerabilities, renegotiation
was first restricted by <xref target="TLS-RENEGOTIATION"/> and ultimately removed in TLS 1.3. While the
KeyUpdate message was introduced to offer limited rekeying functionality, it does
not fulfill the same cryptographic role as renegotiation and cannot refresh
the TLS main secret and consequently cannot derive new secrets from fresh key
exchange input. This limitation applies regardless of whether the session was
established with traditional (EC)DHE, a post-quantum/traditional (PQ/T) hybrid exchange,
or a post-quantum KEM exchange.</t>
      <t>Security guidance from national agencies, such as ANSSI (France <xref target="ANSSI"/>), recommends the
periodic renewal of cryptographic keys during long-lived sessions to limit the
impact of key compromise. This approach encourages designs that force an
attacker to perform dynamic key exfiltration, as defined in <xref target="CONFIDENTIALITY"/>. Dynamic
key exfiltration refers to attack scenarios where an adversary must repeatedly
extract fresh keying material to maintain access to protected data, increasing
operational cost and risk for the attacker. In contrast, static key exfiltration,
where the TLS main secret is extracted once and reused, poses a greater long-term
threat, especially when session keys are not refreshed with fresh key exchange input
rather than key derivation.</t>
      <t>This specification defines a TLS extension that introduces an extended key update
mechanism for sessions established with traditional (EC)DHE, hybrid
PQ/T hybrid key exchange, or post-quantum KEM exchange. Unlike the
standard key update, this mechanism allows peers to inject fresh key exchange
input from the negotiated mechanism into an active session. By periodically
rerunning the negotiated key exchange, this extension enables the derivation of
new traffic keys that are independent of main secrets from prior epochs. As noted in
<xref section="F" sectionFormat="of" target="TLS"/>,
this approach mitigates the risk of static key exfiltration and shifts the attacker
burden toward dynamic key exfiltration.</t>
      <t>The proposed extension is applicable to both TLS 1.3 <xref target="TLS"/> and DTLS 1.3  <xref target="DTLS"/>. For clarity,
the term "TLS" is used throughout this document to refer to both protocols unless
otherwise specified.</t>
    </section>
    <section anchor="term">
      <name>Terminology and Requirements Language</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>To distinguish the key update procedure defined in <xref target="TLS"/>
from the key update procedure specified in this document, we use the terms
"standard key update" and "extended key update", respectively.</t>
      <t>For terminology regarding traditional and PQ/T hybrid algorithms please
see <xref target="RFC9794"/>.</t>
      <t>In this document, we use the term post-compromise security, as defined in
<xref target="CCG16"/>. We assume that an adversary may obtain
access to the application traffic keys.</t>
      <t>Unless otherwise specified, all references to traffic keys in this document
refer to application traffic keys and because the Extended Key Update procedure
occurs after the handshake phase has completed, no handshake traffic keys
are involved.</t>
      <t>In this document, send key refers to the [sender]_write_key, and receive key
refers to the [receiver]_write_key. These keys are derived from the active
client_application_traffic_secret_N and server_application_traffic_secret_N,
as defined in (D)TLS 1.3 <xref target="TLS"/>, and are replaced with new ones
after each successful Extended Key Update.</t>
    </section>
    <section anchor="negotiating-the-extended-key-update">
      <name>Negotiating the Extended Key Update</name>
      <t>Client and servers use the TLS flags extension
<xref target="TLS-FLAGS"/> to indicate support for the functionality
defined in this document.  We call this flag "Extended_Key_Update"
flag.</t>
      <t>The "Extended_Key_Update" flag proposed by the client in the
ClientHello (CH) <bcp14>MUST</bcp14> be acknowledged in the EncryptedExtensions
(EE), if the server also supports the functionality defined in this
document and is configured to use it.</t>
      <t>If the "Extended_Key_Update" flag is not set, servers ignore any of the
functionality specified in this document and applications that
require post-compromise security will have to initiate a full
handshake.</t>
    </section>
    <section anchor="ext-key-update">
      <name>Extended Key Update Messages</name>
      <t>If the client and server agree to use the extended key update mechanism,
the standard key update <bcp14>MUST NOT</bcp14> be used. In this case, the extended key
update fully replaces the standard key update functionality.</t>
      <t>Implementations that receive a classic <tt>KeyUpdate</tt> message after
successfully negotiating the Extended Key Update functionality <bcp14>MUST</bcp14>
terminate the connection with an <tt>"unexpected_message"</tt> alert.</t>
      <t>The extended key update messages are signaled in a new handshake message named
<tt>ExtendedKeyUpdate</tt> (EKU), with an internal uint8 message subtype indicating its role.
This specification defines three ExtendedKeyUpdate message subtypes:</t>
      <ul spacing="normal">
        <li>
          <t><tt>key_update_request</tt> (0)</t>
        </li>
        <li>
          <t><tt>key_update_response</tt> (1)</t>
        </li>
        <li>
          <t><tt>key_update_finish</tt> (2)</t>
        </li>
      </ul>
      <t>New ExtendedKeyUpdate message subtypes are assigned by IANA as described in <xref target="iana-eku-registry"/>.</t>
      <t>A TLS peer which receives a ExtendedKeyUpdate with an unexpected message subtype <bcp14>MUST</bcp14>
abort the connection with an <tt>"unexpected_message"</tt> alert.</t>
      <t>The extended key update process can be initiated by either peer after it has
sent a <tt>Finished</tt> message. Implementations that receive an <tt>ExtendedKeyUpdate</tt>
message prior to the sender having sent <tt>Finished</tt> <bcp14>MUST</bcp14> terminate the connection with
an <tt>"unexpected_message"</tt> alert.</t>
      <t>The <tt>KeyShareEntry</tt> carried in a <tt>key_update_request</tt> and in
a <tt>key_update_response</tt> <bcp14>MUST</bcp14> use the group that was negotiated by the client
and server during the initial handshake. An implementation that receives an
algorithm other than previously negotiated <bcp14>MUST</bcp14> terminate the connection
with an <tt>"illegal_parameter"</tt> alert.</t>
      <t><xref target="fig-key-update"/> shows the interaction graphically. First, support
for the functionality in this specification is negotiated in the
<tt>ClientHello</tt> and the <tt>EncryptedExtensions</tt> messages. Then, the
<tt>ExtendedKeyUpdate</tt> exchange is sent to update the application traffic
secrets.</t>
      <t>The extended key update exchange is performed between the initiator
and the responder; either the TLS client or the TLS server may act
as initiator.</t>
      <figure anchor="fig-key-update">
        <name>Extended Key Update Message Exchange in TLS 1.3.</name>
        <artwork><![CDATA[
       Client                                           Server

Key  ^ ClientHello
Exch | + key_share
     | + signature_algorithms
     v + extended_key_update   -------->
                                                  ServerHello  ^ Key
                                                  + key_share  | Exch
                                                               v
                                        {EncryptedExtensions   ^ Server
                                       + extended_key_update}  | Params
                                         {CertificateRequest}  v
                                                {Certificate}  ^
                                          {CertificateVerify}  | Auth
                                                   {Finished}  v
                               <--------
     ^ {Certificate}
Auth | {CertificateVerify}
     v {Finished}              -------->
       [Application Data]N     <------->  [Application Data]N
                                  ...
  [EKU(key_update_request)]N   -------->
                               <--------  [EKU(key_update_response)]N
   [EKU(key_update_finish)]N   -------->
                                  ...
       [Application Data]N+1   <------->  [Application Data]N+1

Legend:

    +   Indicates noteworthy extensions sent in the
    previously noted message.

    -   Indicates optional or situation-dependent
    messages/extensions that are not always sent.

    () Indicates messages protected using keys
    derived from a client_early_traffic_secret.

    {} Indicates messages protected using keys
    derived from a [sender]_handshake_traffic_secret.

    []N Indicates messages protected using keys
    derived from [sender]_application_traffic_secret_N.
]]></artwork>
      </figure>
      <t>The <tt>ExtendedKeyUpdate</tt> wire format is:</t>
      <artwork><![CDATA[
enum {
   key_update_request(0),
   key_update_response(1),
   key_update_finish(2),
   (255)
} ExtendedKeyUpdateType;

struct {
   ExtendedKeyUpdateType eku_type;
   select (eku_type) {
      case key_update_request: {
          KeyShareEntry key_share;
      }
      case key_update_response: {
          KeyShareEntry key_share;
      }
      case key_update_finish: {
          /* empty */
      }
   };
} ExtendedKeyUpdate;
]]></artwork>
      <t>Fields:</t>
      <ul spacing="normal">
        <li>
          <t><tt>eku_type</tt>: the subtype of the <tt>ExtendedKeyUpdate</tt> message.</t>
        </li>
        <li>
          <t><tt>key_share</tt>: key share information. The contents of this field is
determined by the specified group and its corresponding definition
(see <xref section="4.2.8" sectionFormat="of" target="TLS"/>).</t>
        </li>
      </ul>
    </section>
    <section anchor="TLSC">
      <name>TLS 1.3 Considerations</name>
      <t>The following steps are taken by a TLS 1.3 implementation; the steps
executed with DTLS 1.3 differ slightly.</t>
      <ol spacing="normal" type="1"><li>
          <t>The initiator sends <tt>ExtendedKeyUpdate(key_update_request)</tt> carrying a
<tt>KeyShareEntry</tt>. While an extended key update is in progress, the
initiator <bcp14>MUST NOT</bcp14> initiate another key update.</t>
        </li>
        <li>
          <t>Upon receipt, the responder sends its own <tt>KeyShareEntry</tt> in a
<tt>ExtendedKeyUpdate(key_update_response)</tt> message. While an extended
key update is in progress, the responder <bcp14>MUST NOT</bcp14> initiate another
key update. The responder <bcp14>MAY</bcp14> defer sending a response if system load or resource
constraints prevent immediate processing. In such cases, the response <bcp14>MUST</bcp14>
be sent once sufficient resources become available.</t>
        </li>
        <li>
          <t>After the responder sends the <tt>ExtendedKeyUpdate(key_update_response)</tt> it
<bcp14>MUST</bcp14> update its send keys.</t>
        </li>
        <li>
          <t>Upon receipt of an <tt>ExtendedKeyUpdate(key_update_response)</tt> the initiator
derives the new secrets from the exchanged key shares. The initiator then updates
its receive keys and sends an empty ExtendedKeyUpdate(key_update_finish) message to
complete the process. The initiator <bcp14>MUST NOT</bcp14> defer derivation of the secrets and
sending the ExtendedKeyUpdate(key_update_finish) message as it would stall the
communication.</t>
        </li>
        <li>
          <t>After sending <tt>ExtendedKeyUpdate(key_update_finish)</tt>, the initiator <bcp14>MUST</bcp14> update its
send keys.</t>
        </li>
        <li>
          <t>Upon receiving the initiator’s <tt>ExtendedKeyUpdate(key_update_finish)</tt>,
the responder <bcp14>MUST</bcp14> update its receive keys.</t>
        </li>
      </ol>
      <t>Both initiator and responder <bcp14>MUST</bcp14> encrypt their <tt>ExtendedKeyUpdate</tt> messages
using the old keys. The Responder <bcp14>MUST</bcp14> ensure that it has received <tt>ExtendedKeyUpdate(key_update_finish)</tt>,
encrypted with the old key, before accepting any messages encrypted with the new keys.</t>
      <t>If TLS peers independently initiate the extended key update and the
requests cross in flight, the <tt>ExtendedKeyUpdate(key_update_request)</tt> with the
lower lexicographic order of the <tt>key_exchange</tt> value in
<tt>KeyShareEntry</tt> <bcp14>MUST</bcp14> be ignored. This prevents each
side from advancing keys by two generations. If the tie-break comparison yields
equality (an event that should be impossible for genuine
asymmetric key pairs), the endpoint <bcp14>MUST</bcp14> treat this as a protocol violation,
send an "unexpected_message" alert, and close the connection.</t>
      <t>The handshake framing uses a single <tt>HandshakeType</tt> for this message
(see <xref target="fig-handshake"/>).</t>
      <figure anchor="fig-handshake">
        <name>TLS 1.3 Handshake Structure.</name>
        <artwork><![CDATA[
      struct {
          HandshakeType msg_type;    /* handshake type */
          uint24 length;             /* bytes in message */
          select (Handshake.msg_type) {
              case client_hello:          ClientHello;
              case server_hello:          ServerHello;
              case end_of_early_data:     EndOfEarlyData;
              case encrypted_extensions:  EncryptedExtensions;
              case certificate_request:   CertificateRequest;
              case certificate:           Certificate;
              case certificate_verify:    CertificateVerify;
              case finished:              Finished;
              case new_session_ticket:    NewSessionTicket;
              case key_update:            KeyUpdate;
              case extended_key_update:   ExtendedKeyUpdate;
          };
      } Handshake;
]]></artwork>
      </figure>
      <section anchor="tls-13-extended-key-update-example">
        <name>TLS 1.3 Extended Key Update Example</name>
        <t><xref target="fig-key-update"/> shows the high-level interaction between a TLS 1.3 client
and server, while <xref target="fig-key-update2"/> illustrates an example message exchange
including the updated keys. Similar to the <tt>key_update message</tt>, the
<tt>extended_key_update</tt> message can be sent by either peer after sending its
Finished message.</t>
        <figure anchor="fig-key-update2">
          <name>Extended Key Update Example.</name>
          <artwork><![CDATA[
       Client                                           Server

Key  ^ ClientHello
Exch | + key_share
     | + signature_algorithms
     v + extended_key_update
                             -------->
                                                  ServerHello  ^ Key
                                                  + key_share  | Exch
                                                               v
                                        {EncryptedExtensions   ^ Server
                                       + extended_key_update}  | Params
                                         {CertificateRequest}  v
                                                {Certificate}  ^
                                          {CertificateVerify}  | Auth
                                                   {Finished}  v
                               <--------
     ^ {Certificate}
Auth | {CertificateVerify}
     v {Finished}              -------->
                                  ...
                              some time later
                                  ...
 [EKU(key_update_request       -------->
       (with key_share))]
                               <-------- [EKU(key_update_response
                                           (with key_share))]
                                        # Server derives new secrets
                                        # and updates SEND keys here
# Client derives new secrets
# and updates RECEIVE keys here
     [EKU(key_update_finish)]  -------->
# Client updates SEND keys here
                                    # Server updates RECEIVE keys here
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="DTLSC">
      <name>DTLS 1.3 Considerations</name>
      <t>Unlike TLS 1.3, DTLS 1.3 implementations must take into account that handshake
messages are not transmitted over a reliable transport protocol.</t>
      <t>EKU messages <bcp14>MUST</bcp14> be transmitted reliably, like other DTLS handshake messages.
If necessary, EKU messages <bcp14>MAY</bcp14> be fragmented as described in <xref section="5.5" sectionFormat="of" target="DTLS"/>.
Due to the possibility of an <tt>ExtendedKeyUpdate</tt> messages being
lost and thereby preventing the sender of that message from updating its keying
material, receivers <bcp14>MUST</bcp14> retain the pre-update keying material until receipt
and successful decryption of a message using the new keys.</t>
      <t>Due to packet loss and/or reordering, DTLS 1.3 peers <bcp14>MAY</bcp14> receive records from an
earlier epoch. If the necessary keys are available, implementations <bcp14>SHOULD</bcp14> attempt
to process such records; however, they <bcp14>MAY</bcp14> choose to discard them.</t>
      <t>The exchange has the following steps:</t>
      <ol spacing="normal" type="1"><li>
          <t>The initiator sends an <tt>ExtendedKeyUpdate(key_update_request)</tt> message, which contains a
key share. While an extended key update is in progress, the initiator <bcp14>MUST NOT</bcp14>
initiate further key updates. This message is subject to DTLS handshake
retransmission, but delivery is only confirmed when the initiator either receives the
corresponding <tt>ExtendedKeyUpdate(key_update_response)</tt> or an ACK.</t>
        </li>
        <li>
          <t>Upon receipt, the responder sends its own <tt>KeyShareEntry</tt> in a
<tt>ExtendedKeyUpdate(key_update_response)</tt> message. While an extended key update
is in progress, the responder <bcp14>MUST NOT</bcp14> initiate further key updates. The responder <bcp14>MAY</bcp14> defer
sending a response if system load or resource constraints prevent immediate processing.
In such cases, the responder <bcp14>MUST</bcp14> acknowledge receipt of the key_update_request with an ACK and, once
sufficient resources become available, retransmit the key_update_response until it is acknowledged by the
initiator. key_update_response and ACK message <bcp14>MAY</bcp14> be received out of order; a late ACK <bcp14>MUST</bcp14> be ignored and <bcp14>MUST NOT</bcp14> affect the extended key update state machine.</t>
        </li>
        <li>
          <t>On receipt of <tt>ExtendedKeyUpdate(key_update_response)</tt> the initiator derives a secret key based on the
exchanged key shares. This message also serves as an implicit acknowledgment of the
initiator's <tt>ExtendedKeyUpdate(key_update_request)</tt>, so no separate ACK is required. The initiator <bcp14>MUST</bcp14>
update its receive keys and epoch value. The initiator <bcp14>MUST NOT</bcp14> defer derivation of the secrets.</t>
        </li>
        <li>
          <t>The initiator transmits an <tt>ExtendedKeyUpdate(key_update_finish)</tt> message. This message is subject to DTLS
retransmission until acknowledged.</t>
        </li>
        <li>
          <t>The responder <bcp14>MUST</bcp14> acknowledge the received message by sending an ACK message.</t>
        </li>
        <li>
          <t>After the responder receives the initiator's <tt>ExtendedKeyUpdate(key_update_finish)</tt>,
the responder <bcp14>MUST</bcp14> update its send key and epoch value. With the receipt of
that message, the responder <bcp14>MUST</bcp14> also update its receive keys.</t>
        </li>
        <li>
          <t>On receipt of the ACK message, the initiator updates its send key and epoch
value. If this ACK is not received, the initiator re-transmits its
<tt>ExtendedKeyUpdate(key_update_finish)</tt> until ACK is received. The key update is
complete once this ACK is processed by the initiator.</t>
        </li>
      </ol>
      <t>The handshake framing uses a single <tt>HandshakeType</tt> for this message
(see <xref target="fig-dtls-handshake"/>).</t>
      <figure anchor="fig-dtls-handshake">
        <name>DTLS 1.3 Handshake Structure.</name>
        <artwork><![CDATA[
       enum {
           client_hello(1),
           server_hello(2),
           new_session_ticket(4),
           end_of_early_data(5),
           encrypted_extensions(8),
           request_connection_id(9),
           new_connection_id(10),
           certificate(11),
           certificate_request(13),
           certificate_verify(15),
           finished(20),
           key_update(24),
           extended_key_update(TBD),  /* new */
           message_hash(254),
           (255)
       } HandshakeType;

       struct {
           HandshakeType msg_type;    /* handshake type */
           uint24 length;             /* bytes in message */
           uint16 message_seq;        /* DTLS-required field */
           uint24 fragment_offset;    /* DTLS-required field */
           uint24 fragment_length;    /* DTLS-required field */
           select (msg_type) {
               case client_hello:          ClientHello;
               case server_hello:          ServerHello;
               case end_of_early_data:     EndOfEarlyData;
               case encrypted_extensions:  EncryptedExtensions;
               case certificate_request:   CertificateRequest;
               case certificate:           Certificate;
               case certificate_verify:    CertificateVerify;
               case finished:              Finished;
               case new_session_ticket:    NewSessionTicket;
               case key_update:            KeyUpdate;
               case extended_key_update:   ExtendedKeyUpdate;
               case request_connection_id: RequestConnectionId;
               case new_connection_id:     NewConnectionId;
           } body;
       } DTLSHandshake;
]]></artwork>
      </figure>
      <section anchor="dtls-13-extended-key-update-example">
        <name>DTLS 1.3 Extended Key Update Example</name>
        <t>The following example illustrates a successful extended key update,
including how the epochs change during the exchange.</t>
        <figure anchor="dtls-key-update">
          <name>Example DTLS 1.3 Extended Key Update: Message Exchange.</name>
          <artwork><![CDATA[
Client                            Server
(Initiator)                       (Responder)

  /---------------------------------------\
 |           Initial Handshake             |
  \---------------------------------------/

[C: tx=3, rx=3]                   [S: tx=3, rx=3]
[Application Data]               -------->
[C: tx=3, rx=3]                   [S: tx=3, rx=3]

[C: tx=3, rx=3]                   [S: tx=3, rx=3]
                                  <--------   [Application Data]
[C: tx=3, rx=3]                   [S: tx=3, rx=3]

  /---------------------------------------\
 |           Some time later ...           |
  \---------------------------------------/

[C: tx=3, rx=3]                   [S: tx=3, rx=3]
[EKU(key_update_request)]  -------->
                                  # no epoch change yet

                           <-------- [EKU(key_update_response)]
# Sent under OLD epoch. Server does NOT bump yet.

# Step 3: initiator bumps RECEIVE epoch on
# receiving key update response-in:
# (rx:=rx+1; tx still old)
[C: tx=3, rx=4]                   [S: tx=3, rx=3]

[EKU(key_update_finish)]   -------->
# Sender's Fin is tagged with OLD tx (3).

# Epoch switch point:
# Step 6: responder bumps BOTH tx and rx on Fin-in:
[C: tx=3, rx=4]                   [S: tx=4, rx=4]

                           <-------- [ACK] (tag=new)

# Step 7: initiator bumps SEND epoch on ACK-in:
[C: tx=4, rx=4]                   [S: tx=4, rx=4]

[Application Data]         -------->
[C: tx=4, rx=4]                   [S: tx=4, rx=4]

                           <--------   [Application Data]
[C: tx=4, rx=4]                   [S: tx=4, rx=4]
]]></artwork>
        </figure>
        <t><xref target="dtls-table"/> shows the steps, the message in flight, and the epoch changes on both sides.
The A/B -&gt; X/Y notation indicates the change of epoch values for tx/rx before and after
the message transmission.</t>
        <figure anchor="dtls-table">
          <name>Example DTLS 1.3 Extended Key Update: Epoch Changes.</name>
          <artwork><![CDATA[
+--------------------+----------------+--------------+
| Message            | Client tx/rx   | Server tx/rx |
+--------------------+----------------+--------------+
| APP ------------>  | 3/3 -> 3/3     | 3/3 -> 3/3   |
| <------------ APP  | 3/3 -> 3/3     | 3/3 -> 3/3   |
| req -------------> | 3/3 -> 3/3     | 3/3 -> 3/3   |
| <------------ resp | 3/3 -> 3/4     | 3/3 -> 3/3   | <- step 3
| Fin  ------------> | 3/4 -> 3/4     | 3/3 -> 4/4   | <- step 6
| <------------- ACK | 3/4 -> 4/4     | 4/4 -> 4/4   | <- step 7
| APP -------------> | 4/4 -> 4/4     | 4/4 -> 4/4   |
| <------------- APP | 4/4 -> 4/4     | 4/4 -> 4/4   |
+--------------------+----------------+--------------+
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="key_update">
      <name>Updating Traffic Keys</name>
      <t>When the extended key update message exchange is completed both peers
have successfully updated their application traffic keys. The
key derivation function described in this document is used to perform
this update.</t>
      <t>The design of the key derivation function for computing the next
generation of application_traffic_secret is motivated by the desire
to include</t>
      <ul spacing="normal">
        <li>
          <t>a secret derived from the negotiated key exchange, whether (EC)DHE, post-quantum KEM, or a PQ/T hybrid mechanism,</t>
        </li>
        <li>
          <t>a secret that allows the new key exchange to be cryptographically
bound to the previously established secret,</t>
        </li>
        <li>
          <t>a transcript hash that is updated after each Extended Key Update exchange by
hashing the previous transcript hash together with the current
ExtendedKeyUpdate(key_update_request) and
ExtendedKeyUpdate(key_update_response) messages. This binds any
encapsulation ciphertext and public key used in PQ/T hybrid or post-quantum key exchanges
to the IKM and cryptographically binds the newly derived secrets to the
original handshake transcript, all prior EKU exchanges, the current EKU
exchange, and the corresponding KEM public key and encapsulation ciphertext, and</t>
        </li>
        <li>
          <t>new label strings to distinguish it from the key derivation used in
TLS 1.3.</t>
        </li>
      </ul>
      <t>The transcript_hash_N denotes the transcript hash value associated with
generation N. During each Extended Key Update exchange, the transcript
hash value for the next generation is computed as follows:</t>
      <artwork><![CDATA[
 transcript_hash_N+1 = Transcript-Hash(transcript_hash_N ||
                                       EKU(key_update_request) ||
                                       EKU(key_update_response))
]]></artwork>
      <t>Once transcript_hash_N+1 has been computed, transcript_hash_N can be deleted.
No prior transcript hash values need to be retained for future EKU exchanges.
transcript_hash_0 denotes the transcript hash of the initial TLS handshake,
covering all messages from the ClientHello up to and including the
client Finished message.</t>
      <t><xref target="key-hierarchy"/> shows the key derivation hierarchy.</t>
      <figure anchor="key-hierarchy">
        <name>Key Derivation Hierarchy.</name>
        <artwork><![CDATA[
       main_secret_N
             |
             v
       Derive-Secret(., "derived", "")
             |
Shared       v
Secret -> HKDF-Extract = main_secret_N+1
             |
             +-----> Derive-Secret(., "c ap traffic",
             |                     transcript_hash_N+1)
             |                = client_application_traffic_secret_N+1
             |
             +-----> Derive-Secret(., "s ap traffic",
             |                     transcript_hash_N+1)
             |                = server_application_traffic_secret_N+1
             |
             +-----> Derive-Secret(., "exp master",
             |                     transcript_hash_N+1)
             |                = exporter_secret_N+1
             |
             +-----> Derive-Secret(., "res master",
             |                     transcript_hash_N+1)
                              = resumption_main_secret_N+1
]]></artwork>
      </figure>
      <t>During the initial handshake, the Main Secret is generated (see
<xref section="7.1" sectionFormat="of" target="TLS"/>). Since the main_secret
is discarded during the key derivation procedure, a derived value is
stored. This stored value then serves as the input salt to the first
key update procedure that incorporates the shared secret as input
keying material (IKM) to produce main_secret_N+1. The derived value
from this new main secret serves as input salt to the subsequent key
update procedure, which also incorporates a fresh shared secret as
IKM. This process is repeated for each additional key update procedure.</t>
      <t>The shared secret is determined by the negotiated key exchange mechanism.
In the base protocol, this mechanism is (EC)DHE (see <xref section="7.4" sectionFormat="of" target="TLS"/>). Post-quantum and hybrid key exchange mechanisms derive the
shared secret as specified by their respective definitions. See also
<xref target="pqc-cons"/>.</t>
      <t>The traffic keys are re-derived from
client_application_traffic_secret_N+1 and
server_application_traffic_secret_N+1, as described in
<xref section="7.3" sectionFormat="of" target="TLS"/>.</t>
      <t>Once client_/server_application_traffic_secret_N+1 and its associated
traffic keys have been computed, implementations <bcp14>SHOULD</bcp14> delete
client_/server_application_traffic_secret_N and its associated
traffic keys as soon as possible. Note: The
client_/server_application_traffic_secret_N and its associated
traffic keys can only be deleted by the responder after receiving the
<tt>ExtendedKeyUpdate(key_update_finish)</tt> message.</t>
      <t>Once client_/server_application_traffic_secret_N+1 and the corresponding traffic
keys are in use, all subsequent records, including alerts and post-handshake
messages <bcp14>MUST</bcp14> be protected using those keys.</t>
      <t>When using this extension, it is important to consider its interaction with
PSK-based resumption using PSKs established via the NewSessionTicket mechanism
defined in <xref target="TLS"/>.</t>
      <t>EKU provides post-compromise recovery for the TLS connection in which it is performed.
The recovery guarantees depend on the assumed compromise model. In typical deployment
environments, PSKs established via the NewSessionTicket mechanism are generated and
reside in memory within the rich operating system. Although such PSKs may subsequently
be stored in secure storage, they are exposed during this initial processing window,
and compromise of endpoint memory during this period is sufficient to reveal them.
Consequently, later protection using secure storage does not prevent their prior
compromise. These PSKs are sufficient to establish new authenticated TLS connections.
Even if an implementation invalidates previously issued PSKs upon completion of the
EKU exchange, an attacker that has already obtained such a PSK may initiate and
complete a resumed session prior to that invalidation. In such environments, EKU does
not prevent the use of previously issued PSKs.</t>
      <t>Accordingly, endpoints that enable EKU <bcp14>MUST</bcp14> disable resumption using PSKs established
via the NewSessionTicket mechanism.</t>
    </section>
    <section anchor="pqc-cons">
      <name>Post-Quantum Cryptography Considerations</name>
      <t>The shared secret used by the Extended Key Update mechanism is derived according
to the negotiated key exchange method. As a result, this specification supports
the same classes of key establishment mechanisms as TLS itself, including traditional
Diffie-Hellman-based key exchanges, post-quantum key encapsulation mechanisms (KEMs),
and hybrid combinations thereof.</t>
      <t>In the base TLS protocol, the shared secret is typically established using (EC)DHE
(see <xref section="7.4" sectionFormat="of" target="TLS"/>). Recent extensions have introduced support for post-quantum
and hybrid key establishment mechanisms to facilitate the transition to post-quantum
cryptography. The rationale for this transition and the associated terminology are
discussed in <xref target="RFC9958"/> and <xref target="RFC9794"/>, respectively.</t>
      <t>For hybrid mechanisms such as SecP256r1MLKEM768, defined in <xref target="I-D.ietf-tls-ecdhe-mlkem"/>,
the shared secret is derived by combining the outputs of the constituent algorithms;
specifically, it is the concatenation of the ECDHE and ML-KEM shared secrets. For
ML-KEM-only key exchange, as defined in <xref target="I-D.ietf-tls-mlkem"/>, the ML-KEM shared
secret is provided directly to the TLS key schedule in place of the (EC)DHE shared
secret.</t>
      <t>The Extended Key Update protocol reuses the key exchange representation defined by the
negotiated mechanism. Consequently, the exchange of fresh key shares during an Extended
Key Update follows the same encoding and shared-secret derivation rules as the
corresponding TLS handshake.</t>
    </section>
    <section anchor="sslkeylogfile-update">
      <name>SSLKEYLOGFILE Update</name>
      <t>As a successful extended key update exchange invalidates previous secrets,
SSLKEYLOGFILE <xref target="TLS-KEYLOGFILE"/> needs to be populated with new
entries. As a result, two additional secret labels are utilized in the
SSLKEYLOGFILE:</t>
      <ol spacing="normal" type="1"><li>
          <t><tt>CLIENT_TRAFFIC_SECRET_N+1</tt>: identifies the
client_application_traffic_secret_N+1 in the key schedule</t>
        </li>
        <li>
          <t><tt>SERVER_TRAFFIC_SECRET_N+1</tt>: identifies the
server_application_traffic_secret_N+1 in the key schedule</t>
        </li>
        <li>
          <t><tt>EXPORTER_SECRET_N+1</tt>: identifies the
exporter_secret_N+1 in the key schedule</t>
        </li>
      </ol>
      <t>Similar to other entries in the SSLKEYLOGFILE, the label is followed by the
32-byte value of the Random field from the ClientHello message that
established the TLS connection, and the corresponding secret encoded in
hexadecimal.</t>
      <t>SSLKEYLOGFILE entries for the extended key update <bcp14>MUST NOT</bcp14> be produced if
SSLKEYLOGFILE was not used for other secrets in the handshake.</t>
      <t>Note that each successful Extended Key Update invalidates all previous
SSLKEYLOGFILE secrets including past iterations of <tt>CLIENT_TRAFFIC_SECRET_</tt>,
<tt>SERVER_TRAFFIC_SECRET_</tt> and <tt>EXPORTER_SECRET_</tt>.</t>
    </section>
    <section anchor="exporter">
      <name>Exporter</name>
      <section anchor="post-compromise-security-for-the-initial-exporter-secret">
        <name>Post-Compromise Security for the Initial Exporter Secret</name>
        <t>The TLS 1.3 Key Schedule, see Figure 5 of <xref target="TLS"/>, derives the exporter_secret from the main secret. This
exporter_secret is static for the lifetime of the connection and is not updated by a standard key update.</t>
        <t>A core design goal of this specification is not met if the exporter_secret does not change.
Therefore, this document defines an exporter interface that derives a fresh exporter secret
whenever new application traffic keys are updated through the EKU.</t>
        <t>If the initial exporter secret for this new interface were identical to exporter_secret,
then compromising exporter_secret at any point during the lifetime of the connection
would enable an attacker to recompute all exporter outputs derived from it.
This would break post-compromise security for exported keying material.</t>
        <t>Therefore, the initial exporter secret used by the exporter interface defined in
this document, i.e., the exporter output available prior to the first Extended
Key Update, <bcp14>MUST</bcp14> be distinct from the exporter_secret. This separation
ensures that compromise of the TLS exporter interface does not compromise outputs
derived from the exporter interface defined in this document.</t>
        <t>Prior to the first Extended Key Update, the exporter interface provides an
initial exporter secret, denoted exporter_secret_0. This secret is derived
from the TLS main secret and the handshake transcript, but is cryptographically
independent of the TLS exporter_secret. It is computed as follows:</t>
        <artwork><![CDATA[
exporter_secret_0 =
Derive-Secret(Main Secret,
"exporter eku",
Transcript-Hash(ClientHello..server Finished))
]]></artwork>
        <t>Applications that require post-compromise security <bcp14>MUST</bcp14> use the exporter
interface defined in this document. This exporter interface is independent of
the TLS exporter defined in <xref section="7.5" sectionFormat="of" target="TLS"/>, which continues to use a
static <tt>exporter_secret</tt> for the lifetime of the connection for compatiblity with "legacy" applications.</t>
      </section>
      <section anchor="exporter-usage-after-extended-key-update">
        <name>Exporter Usage After Extended Key Update</name>
        <t>Protocols such as DTLS-SRTP and DTLS-over-SCTP rely on TLS or DTLS for
key establishment, but reuse portions of the derived keying material for
their own specific purposes. These protocols use the TLS exporter defined
in <xref section="7.5" sectionFormat="of" target="TLS"/>. Exporters are also used for deriving
authentication related values such as nonces, as described in <xref target="RFC9729"/>.</t>
        <t>Once the Extended Key Update mechanism is complete, such protocols would
need to use the newly derived exporter secret to generate Exported Keying Material
(EKM) to protect packets. The "sk" derived in the <xref target="key_update"/> will be
used as the "Secret" in the exporter function, defined in
<xref section="7.5" sectionFormat="of" target="TLS"/>, to generate EKM, ensuring that
the exported keying material is aligned with the updated security context.
The newly derived exporter secret is cryptographically independent of
previous exporter secrets.</t>
        <t>When a new exporter secret becomes active following a successful Extended
Key Update, the TLS or DTLS implementation would have to provide an
asynchronous notification to the application indicating that:</t>
        <ul spacing="normal">
          <li>
            <t>A new epoch has become active, and the (D)TLS implementation can
include the corresponding epoch identifier. Applications receiving an
epoch identifier can use it to request keying material for that
specific epoch through an epoch-aware exporter interface.
In TLS, this identifier represents a local logical counter that may differ between peers.</t>
          </li>
        </ul>
        <t>Applications are notified that a new epoch is active only after both peers have completed
the Extended Key Update exchange and switched to the new traffic keys.</t>
        <ul spacing="normal">
          <li>
            <t>In TLS, the initiator triggers notification after Step 5 in <xref target="TLSC"/>,
and the responder triggers notification after Step 4 in <xref target="TLSC"/>.</t>
          </li>
          <li>
            <t>In DTLS, the initiator triggers notification to the application
after Step 7 in <xref target="DTLSC"/>, and the responder triggers notification
after Step 9 in <xref target="DTLSC"/>.</t>
          </li>
        </ul>
        <t>The corresponding EKM is obtained by the application through the TLS/DTLS exporter
interface using its chosen label and context values as defined in <xref section="4" sectionFormat="of" target="RFC5705"/>.</t>
        <t>To prevent desynchronization, the application will have to retain both the
previous and the newly derived exporter secrets for a short period. For TLS,
the previous exporter secret would be discarded once data derived from the
new exporter has been successfully processed, and no records protected with
the old exporter secret are expected to arrive. For DTLS, the previous exporter
secret needs to be retained until the retention timer expires for the prior epoch,
to allow for processing of packets that may arrive out of order.  The retention policy
for exporter secrets is application-specific. For example, in DTLS-SRTP,
the application might retain the previous exporter secret until its
replay window no longer accepts packets protected with keys derived from that
secret, as described in Section 3.3.2 of <xref target="RFC3711"/>.</t>
      </section>
    </section>
    <section anchor="exported">
      <name>Use of Post-Handshake Authentication and Exported Authenticators with Extended Key Update</name>
      <t>EKU provides fresh traffic secrets, but EKU alone does not authenticate that both endpoints
derived the same updated keys. An attacker that temporarily compromises an endpoint
may later act as an active MitM capable of interfering with the EKU exchange.
Such an attacker can cause the peers to transition to divergent traffic secrets without detection,
but cannot compromise the endpoint to derive secrets after the new epoch is established.
To confirm that both peers transitioned to the same new key state, TLS 1.3 provides two
mechanisms: Post-Handshake Certificate-Based Client Authentication and
Exported Authenticators <xref target="RFC9261"/>.</t>
      <section anchor="post-handshake-certificate-based-client-authentication">
        <name>Post-Handshake Certificate-Based Client Authentication</name>
        <t>When Post-Handshake Certificate-Based Client Authentication (Section 4.6.2 of <xref target="TLS"/>) is
performed after an Extended Key Update (EKU) is complete, the Handshake Context used for
the transcript hash is updated. It consists of transcript_hash_N+1 concatenated
with the CertificateRequest message. The Finished message is computed using a
MAC key derived from the Base Key of the new epoch (client_application_traffic_secret_N+1).
This confirms that both peers are operating with the same updated traffic keys
and completes an authenticated transition after the EKU.</t>
      </section>
      <section anchor="exported-authenticators">
        <name>Exported Authenticators</name>
        <t>This document updates Section 5.1 of <xref target="RFC9261"/> to specify that, after an
Extended Key Update has completed, the Handshake Context and Finished MAC Key used for
Exported Authenticators <bcp14>MUST</bcp14> be derived from the exporter secret associated with the current epoch.
Implementations that support the epoch-aware Exported Authenticators interface <bcp14>MUST</bcp14> provide a means
for applications to request the generation or validation of Exported Authenticators using
the exporter secret for a specific epoch.</t>
        <t>The Handshake Context and Finished MAC Key used in both the CertificateVerify message
(Section 5.2.2 of <xref target="RFC9261"/>) and the Finished message (Section 5.2.3 of <xref target="RFC9261"/>)
are derived from the exporter secret associated with the current epoch.
If a MitM interferes with the EKU exchange and causes the peers to derive different traffic
and exporter secrets, their Handshake Contexts and Finished MAC Keys will differ.
As a result, validation procedures specified in Section 5.2.4 of <xref target="RFC9261"/> will fail, thereby
detecting the divergence of key state between peers.</t>
        <t>A new optional API <bcp14>SHOULD</bcp14> be defined to permit applications to request or verify
Exported Authenticators for a specific exporter epoch. As discussed in Section 7
of <xref target="RFC9261"/>, this can, as an exception, be implemented at the application
layer when the epoch-aware TLS exporter is available. The APIs defined in <xref target="RFC9261"/>
remain unchanged, so existing applications continue to operate without
modification. The epoch-aware API accepts an epoch identifier; when present,
the (D)TLS implementation <bcp14>MUST</bcp14> derive the Handshake Context and Finished MAC Key
from the exporter secret associated with that epoch. When Exported Authenticators
are generated using the epoch-aware Exported Authenticators interface, the
epoch identifier used for their derivation can be conveyed in the
certificate_request_context field, allowing the peer, particularly in
DTLS where records may be reordered, to determine the correct exporter
secret for validation.</t>
      </section>
      <section anchor="interaction-of-extended-key-update-and-post-handshake-authentication">
        <name>Interaction of Extended Key Update and Post-Handshake Authentication</name>
        <t>EKU and Post-Handshake Authentication may both occur during the lifetime
of a (D)TLS connection.  Post-Handshake Certificate-Based Client
Authentication (PHA) is bound to the handshake transcript and computes
its <tt>Finished</tt> message as specified in Section 4.4 of <xref target="TLS"/>, using a key
derived from the application traffic secret that is active at the time
the <tt>CertificateRequest</tt> is sent. Therefore, specific ordering constraints
are required to preserve cryptographic consistency.</t>
        <section anchor="post-handshake-certificate-based-client-authentication-1">
          <name>Post-Handshake Certificate-Based Client Authentication</name>
          <t>An endpoint <bcp14>MUST NOT</bcp14> complete an EKU exchange in a manner that
transitions to new application traffic secrets while a PHA exchange
is in progress.</t>
          <t>The following constraints apply to both TLS 1.3 and DTLS 1.3:</t>
          <ul spacing="normal">
            <li>
              <t>An endpoint <bcp14>MUST NOT</bcp14> initiate PHA while an EKU exchange is in progress.</t>
            </li>
            <li>
              <t>If PHA has been initiated and the corresponding authentication exchange
has not yet completed, neither endpoint <bcp14>MUST</bcp14> initiate an EKU exchange.</t>
            </li>
            <li>
              <t>In a cross-flight condition, if a (D)TLS client sends an EKU request and,
before receiving a response, receives a <tt>CertificateRequest</tt> from the
(D)TLS server, the endpoints <bcp14>MUST</bcp14> defer completion of the EKU exchange
and proceed with the Post-Handshake Authentication exchange. The endpoints
<bcp14>MUST NOT</bcp14> transition to new application traffic secrets until the
authentication exchange has completed.</t>
            </li>
          </ul>
          <t>In DTLS, deferred EKU request is acknowledged as specified in <xref target="DTLSC"/>.</t>
        </section>
        <section anchor="exported-authenticators-1">
          <name>Exported Authenticators</name>
          <t>Because the exporter interface defined in this document is epoch-aware,
the exporter secret used for an Exported Authenticator exchange is
explicitly determined by the epoch selected by the application.</t>
          <t>As a result, cross-flight exchanges of EKU and <tt>AuthenticatorRequest</tt>
messages do not introduce cryptographic ambiguity. Therefore, no
serialization requirement is imposed between EKU and Exported Authenticator
exchanges.</t>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section discusses additional security and operational aspects introduced by the Extended Key Update mechanism. All security considerations of TLS 1.3 <xref target="TLS"/> and DTLS 1.3 <xref target="DTLS"/> continue to apply.</t>
      <section anchor="scope">
        <name>Scope of Key Compromise</name>
        <t>Extended Key Update (EKU) assumes a transient compromise of the current application
traffic keys, rather than a persistent attacker with ongoing access to key material.
The EKU procedure does not rely on long-term private keys, which may be stored in a
secure element (e.g., a Hardware Security Module (HSM)) or within the rich OS.
Moreover, in security‑critical scenarios, these long‑term private keys are typically stored separately from the primary secret or the traffic keys.</t>
        <t>Two threat scenarios are relevant:</t>
        <ol spacing="normal" type="1"><li>
            <t>The long-term private key remains secure, while application traffic keys in the
rich operating system are temporarily exposed. EKU addresses this case for the current
TLS connection.</t>
          </li>
          <li>
            <t>If the long-term private key in the rich OS is compromised, EKU can still protect
the current TLS connection by updating the main secret and traffic keys. However, all
future TLS connections are at risk, as the attacker can impersonate the endpoint using
the stolen private key.</t>
          </li>
        </ol>
        <t>Extended Key Update can restore confidentiality only if the attacker no longer
has access to either peer. If an adversary retains access to current application traffic
keys and can act as an active attacker during the Extended Key Update, then the
update cannot restore security unless <xref target="exported"/> is used.</t>
        <t>If one of the mechanisms defined in <xref target="exported"/> is not used, the attacker can
impersonate each endpoint, substitute EKU messages, and maintain control
of the communication. When Post-Handshake Certificate-Based Client Authentication
or the modified Exported Authenticator mechanism is used, the authentication messages
are bound to the keys established after the EKU. Any modification or substitution of
EKU messages therefore becomes detectable, preventing this attack.</t>
        <t>If a compromise occurs before the handshake completes, the ephemeral key exchange,
client_handshake_traffic_secret, server_handshake_traffic_secret, and the initial
client_/server_application_traffic_secret could be exposed. In that case, only the
initial handshake messages and the application data encrypted under the initial
client_/server_application_traffic_secret can be decrypted until the Extended Key
Update procedure completes. The Extended Key Update procedure derives fresh
application_traffic_secrets from a new ephemeral key exchange, ensuring that all
subsequent application data remains confidential.</t>
      </section>
      <section anchor="post-compromise-security">
        <name>Post-Compromise Security</name>
        <t>Extended Key Update provides post-compromise security for long-lived TLS sessions.
To ensure post-compromise security guarantees each update <bcp14>MUST</bcp14> use freshly generated
ephemeral key exchange material. Implementations <bcp14>MUST NOT</bcp14> reuse ephemeral key
exchange material across updates or across TLS sessions.</t>
      </section>
      <section anchor="denial-of-service-dos">
        <name>Denial-of-Service (DoS)</name>
        <t>The Extended Key Update mechanism increases computational and state-management overhead. A malicious peer could attempt to exhaust CPU or memory resources by initiating excessive update requests.</t>
        <t>Implementations <bcp14>SHOULD</bcp14> apply the following mitigations:</t>
        <ul spacing="normal">
          <li>
            <t>Limit the frequency of accepted Extended Key Update requests per session.</t>
          </li>
          <li>
            <t>A peer that has sent an Extended Key Update <bcp14>MUST NOT</bcp14> initiate another until the previous update completes.
If a peer violates this rule, the receiving peer <bcp14>MUST</bcp14> treat it as a protocol violation, send an "unexpected_message" alert, and terminate the connection.</t>
          </li>
        </ul>
      </section>
      <section anchor="operational-guidance">
        <name>Operational Guidance</name>
        <t>Deployments <bcp14>SHOULD</bcp14> evaluate Extended Key Update performance under load and fault conditions, such as high-frequency or concurrent updates. TLS policies <bcp14>SHOULD</bcp14> define explicit rate limits that balance post-compromise security benefits against potential DoS exposure.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="tls-flags">
        <name>TLS Flags</name>
        <t>IANA is requested to add the following entry to the "TLS Flags"
extension registry <xref target="TLS-Ext-Registry"/>:</t>
        <ul spacing="normal">
          <li>
            <t>Value: TBD1</t>
          </li>
          <li>
            <t>Flag Name: extended_key_update</t>
          </li>
          <li>
            <t>Messages: CH, EE</t>
          </li>
          <li>
            <t>Recommended: Y</t>
          </li>
          <li>
            <t>Reference: This document</t>
          </li>
        </ul>
      </section>
      <section anchor="tls-handshaketype">
        <name>TLS HandshakeType</name>
        <t>IANA is requested to add the following entry to the "TLS HandshakeType"
registry <xref target="TLS-Param-Registry"/>:</t>
        <ul spacing="normal">
          <li>
            <t>Value: TBD2</t>
          </li>
          <li>
            <t>Description: extended_key_update</t>
          </li>
          <li>
            <t>DTLS-OK: Y</t>
          </li>
          <li>
            <t>Reference: This document</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-eku-registry">
        <name>ExtendedKeyUpdate Message Subtypes Registry</name>
        <t>IANA is requested to create a new registry "TLS ExtendedKeyUpdate Message Subtypes", within the existing "Transport Layer Security (TLS) Parameters" registry group
<xref target="TLS-Param-Registry"/>.
This new registry reserves types used for Extended Key Update entries.
The initial contents of this registry are as follows.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Description</th>
              <th align="left">DTLS-OK</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">key_update_request</td>
              <td align="left">Y</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">key_update_response</td>
              <td align="left">Y</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">key_update_finish</td>
              <td align="left">Y</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">3-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
        <t>New assignments in the "TLS ExtendedKeyUpdate Types" registry will be administered by
IANA through Specification Required procedure <xref target="RFC8126"/>.  The role of the
designated expert is described in <xref section="17" sectionFormat="of" target="RFC8447"/>.  The designated expert
<xref target="RFC8126"/> ensures that the specification is publicly available.  It is sufficient to
have an Internet-Draft (that is posted and never published as an RFC) or to cite a
document from another standards body, industry consortium, or any other location.
An expert may provide more in-depth reviews, but their approval should not be taken as an
endorsement of the ExtendedKeyUpdate Message Subtype.</t>
      </section>
      <section anchor="sslkeylogfile-labels">
        <name>SSLKEYLOGFILE labels</name>
        <t>IANA is requested to add the following entries to the "TLS SSLKEYLOGFILE Labels"
extension registry <xref target="TLS-Ext-Registry"/>:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
              <th align="left">Comment</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">CLIENT_TRAFFIC_SECRET_N+1</td>
              <td align="left">Secret protecting client records after Extended Key Update</td>
              <td align="left">This document</td>
              <td align="left">N represents iteration of Extended Key Update</td>
            </tr>
            <tr>
              <td align="left">SERVER_TRAFFIC_SECRET_N+1</td>
              <td align="left">Secret protecting server records after Extended Key Update</td>
              <td align="left">This document</td>
              <td align="left">N represents iteration of Extended Key Update</td>
            </tr>
            <tr>
              <td align="left">EXPORTER_SECRET_N+1</td>
              <td align="left">Exporter secret after Extended Key Update</td>
              <td align="left">This document</td>
              <td align="left">N represents iteration of Extended Key Update</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="TLS">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="DTLS">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="TLS-FLAGS">
          <front>
            <title>A Flags Extension for TLS 1.3</title>
            <author fullname="Yoav Nir" initials="Y." surname="Nir">
              <organization>Dell Technologies</organization>
            </author>
            <date day="17" month="March" year="2026"/>
            <abstract>
              <t>   A number of extensions are proposed in the TLS working group that
   carry no interesting information except the 1-bit indication that a
   certain optional feature is supported.  Such extensions take 4 octets
   each.  This document defines a flags extension that can provide such
   indications at an average marginal cost of 1 bit each.  More
   precisely, it provides as many flag extensions as needed at 4 + the
   order of the last set bit divided by 8.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-tlsflags-17"/>
        </reference>
        <reference anchor="RFC9729">
          <front>
            <title>The Concealed HTTP Authentication Scheme</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="D. Oliver" initials="D." surname="Oliver"/>
            <author fullname="J. Hoyland" initials="J." surname="Hoyland"/>
            <date month="February" year="2025"/>
            <abstract>
              <t>Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes; however, that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. Prior to this document, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document defines a new non-probeable cryptographic authentication scheme.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9729"/>
          <seriesInfo name="DOI" value="10.17487/RFC9729"/>
        </reference>
        <reference anchor="RFC5705">
          <front>
            <title>Keying Material Exporters for Transport Layer Security (TLS)</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="March" year="2010"/>
            <abstract>
              <t>A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5705"/>
          <seriesInfo name="DOI" value="10.17487/RFC5705"/>
        </reference>
        <reference anchor="RFC3711">
          <front>
            <title>The Secure Real-time Transport Protocol (SRTP)</title>
            <author fullname="M. Baugher" initials="M." surname="Baugher"/>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="M. Naslund" initials="M." surname="Naslund"/>
            <author fullname="E. Carrara" initials="E." surname="Carrara"/>
            <author fullname="K. Norrman" initials="K." surname="Norrman"/>
            <date month="March" year="2004"/>
            <abstract>
              <t>This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3711"/>
          <seriesInfo name="DOI" value="10.17487/RFC3711"/>
        </reference>
        <reference anchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-tls-ecdhe-mlkem">
          <front>
            <title>Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3</title>
            <author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkowski">
              <organization>PQShield</organization>
            </author>
            <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
              <organization>AWS</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <date day="26" month="May" year="2026"/>
            <abstract>
              <t>   This draft defines three hybrid key agreement mechanisms for TLS 1.3
   - X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that
   combine the post-quantum ML-KEM (Module-Lattice-Based Key
   Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie-
   Hellman) exchange.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-ecdhe-mlkem-05"/>
        </reference>
        <reference anchor="I-D.ietf-tls-mlkem">
          <front>
            <title>ML-KEM Post-Quantum Key Agreement for TLS 1.3</title>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <date day="24" month="June" year="2026"/>
            <abstract>
              <t>   This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as
   NamedGroups and and registers IANA values in the TLS Supported Groups
   registry for use in TLS 1.3 to achieve post-quantum (PQ) key
   establishment.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-mlkem-08"/>
        </reference>
        <reference anchor="RFC9958">
          <front>
            <title>Post-Quantum Cryptography for Engineers</title>
            <author fullname="A. Banerjee" initials="A." surname="Banerjee"/>
            <author fullname="T. Reddy.K" initials="T." surname="Reddy.K"/>
            <author fullname="D. Schoinianakis" initials="D." surname="Schoinianakis"/>
            <author fullname="T. Hollebeek" initials="T." surname="Hollebeek"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>The advent of a cryptographically relevant quantum computer (CRQC) would render state-of-the-art, traditional public key algorithms deployed today obsolete, as the mathematical assumptions underpinning their security would no longer hold. To address this, protocols and infrastructure must transition to post-quantum algorithms, which are designed to resist both traditional and quantum attacks. This document explains why engineers need to be aware of and understand post-quantum cryptography (PQC), and it details the impact of CRQCs on existing systems and the challenges involved in transitioning to post-quantum algorithms. Unlike previous cryptographic updates, this shift may require significant protocol redesign due to the unique properties of post-quantum algorithms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9958"/>
          <seriesInfo name="DOI" value="10.17487/RFC9958"/>
        </reference>
        <reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/files/2012/09/NT_IPsec_EN.pdf">
          <front>
            <title>Recommendations for securing networks with IPsec, Technical Report</title>
            <author>
              <organization>ANSSI</organization>
            </author>
            <date year="2015" month="August"/>
          </front>
        </reference>
        <reference anchor="TLS-Ext-Registry" target="https://www.iana.org/assignments/tls-extensiontype-values">
          <front>
            <title>Transport Layer Security (TLS) Extensions</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date year="2023" month="November"/>
          </front>
        </reference>
        <reference anchor="TLS-Param-Registry" target="https://www.iana.org/assignments/tls-parameters">
          <front>
            <title>Transport Layer Security (TLS) Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date year="2023" month="November"/>
          </front>
        </reference>
        <reference anchor="CCG16" target="https://doi.org/10.1109/csf.2016.19">
          <front>
            <title>On Post-compromise Security</title>
            <author>
              <organization>IEEE</organization>
            </author>
            <date year="2016" month="August"/>
          </front>
        </reference>
        <reference anchor="TLS-RENEGOTIATION">
          <front>
            <title>Transport Layer Security (TLS) Renegotiation Indication Extension</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="M. Ray" initials="M." surname="Ray"/>
            <author fullname="S. Dispensa" initials="S." surname="Dispensa"/>
            <author fullname="N. Oskov" initials="N." surname="Oskov"/>
            <date month="February" year="2010"/>
            <abstract>
              <t>Secure Socket Layer (SSL) and Transport Layer Security (TLS) renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client's initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data. This specification defines a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over, thus preventing this attack. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5746"/>
          <seriesInfo name="DOI" value="10.17487/RFC5746"/>
        </reference>
        <reference anchor="CONFIDENTIALITY">
          <front>
            <title>Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Schneier" initials="B." surname="Schneier"/>
            <author fullname="C. Jennings" initials="C." surname="Jennings"/>
            <author fullname="T. Hardie" initials="T." surname="Hardie"/>
            <author fullname="B. Trammell" initials="B." surname="Trammell"/>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="D. Borkmann" initials="D." surname="Borkmann"/>
            <date month="August" year="2015"/>
            <abstract>
              <t>Since the initial revelations of pervasive surveillance in 2013, several classes of attacks on Internet communications have been discovered. In this document, we develop a threat model that describes these attacks on Internet confidentiality. We assume an attacker that is interested in undetected, indiscriminate eavesdropping. The threat model is based on published, verified attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7624"/>
          <seriesInfo name="DOI" value="10.17487/RFC7624"/>
        </reference>
        <reference anchor="RFC9794">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="F. Driscoll" initials="F." surname="Driscoll"/>
            <author fullname="M. Parsons" initials="M." surname="Parsons"/>
            <author fullname="B. Hale" initials="B." surname="Hale"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9794"/>
          <seriesInfo name="DOI" value="10.17487/RFC9794"/>
        </reference>
        <reference anchor="TLS-KEYLOGFILE">
          <front>
            <title>The SSLKEYLOGFILE Format for TLS</title>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="9" month="June" year="2025"/>
            <abstract>
              <t>   A format that supports logging information about the secrets used in
   a TLS connection is described.  Recording secrets to a file in
   SSLKEYLOGFILE format allows diagnostic and logging tools that use
   this file to decrypt messages exchanged by TLS endpoints.  This
   format is intended for use in systems where TLS only protects test
   data.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-keylogfile-05"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8447">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process.</t>
              <t>This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8447"/>
          <seriesInfo name="DOI" value="10.17487/RFC8447"/>
        </reference>
      </references>
    </references>
    <?line 1128?>

<section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We would like to thank the members of the "TSVWG DTLS for SCTP
Requirements Design Team" for their discussion. The members, in
no particular order, were: Marcelo Ricardo Leitner, Xin Long,
John Mattsson, Claudio Porfiri, Bertrand Rault, K Tirumaleswar Reddy,
Zaheduzzaman Sarker, Hannes Tschofenig, Michael Tüxen, and
Magnus Westerlund.</t>
      <t>Additionally, we would like to thank the chairs of the
Transport and Services Working Group (tsvwg) Gorry Fairhurst and
Marten Seemann as well as the responsible area director Martin Duke.</t>
      <t>Finally, we would like to thank David Benjamin, Joe Birr-Pixton,
Matthijs van Duin, Scott Fluhrer, Dennis Jackson, Benjamin Kaduk,
Ilari Liusvaara, Eric Rescorla, Rifaat Shekh-Yusef, Martin Thomson,
Mathy Vanhoef, and Thom Wiggers for their review comments.</t>
    </section>
    <section anchor="state-machines">
      <name>State Machines</name>
      <t>The sections below describe the state machines for the extended key update
operation for TLS 1.3 and DTLS 1.3.</t>
      <t>The state machine diagrams in the Appendix are provided for illustrative
purposes only to aid understanding of the protocol flow. They are not normative.
In case of any discrepancy between the Appendix diagrams and the protocol
behavior specified in the main body of this document, the text in the
draft takes precedence.</t>
      <t>For editorial reasons we abbreviate the protocol message types:</t>
      <ul spacing="normal">
        <li>
          <t>Req - ExtendedKeyUpdate(request)</t>
        </li>
        <li>
          <t>Resp - ExtendedKeyUpdate(response)</t>
        </li>
        <li>
          <t>Fin - ExtendedKeyUpdate(key_update_finish)</t>
        </li>
        <li>
          <t>ACK - Acknowledgement message from <xref section="7" sectionFormat="of" target="DTLS"/></t>
        </li>
        <li>
          <t>APP - application data payloads</t>
        </li>
      </ul>
      <t>In the (D)TLS 1.3 state machines discussed below, the terms SEND and RECEIVE keys
refer to the send and receive key variables defined in <xref target="term"/>.</t>
      <t>The TLS state machine diagrams use the following notation:</t>
      <ul spacing="normal">
        <li>
          <t>Numbered labels (1), (2), … denote normal protocol transitions in the order they occur.</t>
        </li>
        <li>
          <t>Lettered labels (A), (B), … denote exceptional or conditional transitions.</t>
        </li>
        <li>
          <t>Self-loops indicate that the state does not change as a result of the event.</t>
        </li>
      </ul>
      <section anchor="tls-13-state-machines">
        <name>TLS 1.3 State Machines</name>
        <t>This section describes the initiator and responder state machines.</t>
        <section anchor="initiator-state-machine">
          <name>Initiator State Machine</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="576" width="536" viewBox="0 0 536 576" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,112" fill="none" stroke="black"/>
                <path d="M 8,192 L 8,496" fill="none" stroke="black"/>
                <path d="M 8,528 L 8,560" fill="none" stroke="black"/>
                <path d="M 192,32 L 192,112" fill="none" stroke="black"/>
                <path d="M 192,192 L 192,240" fill="none" stroke="black"/>
                <path d="M 192,528 L 192,560" fill="none" stroke="black"/>
                <path d="M 8,32 L 192,32" fill="none" stroke="black"/>
                <path d="M 8,112 L 192,112" fill="none" stroke="black"/>
                <path d="M 8,192 L 192,192" fill="none" stroke="black"/>
                <path d="M 8,240 L 192,240" fill="none" stroke="black"/>
                <path d="M 8,528 L 192,528" fill="none" stroke="black"/>
                <path d="M 8,560 L 192,560" fill="none" stroke="black"/>
                <path d="M 28,248 L 72,336" fill="none" stroke="black"/>
                <circle cx="96" cy="352" r="6" class="closeddot" fill="black"/>
                <circle cx="96" cy="368" r="6" class="closeddot" fill="black"/>
                <g class="text">
                  <text x="40" y="52">START</text>
                  <text x="88" y="68">send_key=current,</text>
                  <text x="96" y="84">receive_key=current</text>
                  <text x="60" y="100">updating=0</text>
                  <text x="56" y="132">|</text>
                  <text x="16" y="148">(1)</text>
                  <text x="52" y="148">send</text>
                  <text x="88" y="148">Req</text>
                  <text x="124" y="148">with</text>
                  <text x="168" y="148">local</text>
                  <text x="248" y="148">KeyShareEntry</text>
                  <text x="48" y="164">set</text>
                  <text x="108" y="164">updating=1</text>
                  <text x="56" y="180">v</text>
                  <text x="56" y="212">WAIT_RESP</text>
                  <text x="60" y="228">updating=1</text>
                  <text x="64" y="276">(A)</text>
                  <text x="100" y="276">recv</text>
                  <text x="140" y="276">peer</text>
                  <text x="176" y="276">Req</text>
                  <text x="228" y="276">(crossed</text>
                  <text x="304" y="276">updates):</text>
                  <text x="96" y="292">compare</text>
                  <text x="200" y="292">peer.key_exchange</text>
                  <text x="284" y="292">to</text>
                  <text x="372" y="292">local.key_exchange</text>
                  <text x="80" y="308">-</text>
                  <text x="100" y="308">if</text>
                  <text x="132" y="308">peer</text>
                  <text x="160" y="308">&lt;</text>
                  <text x="196" y="308">local:</text>
                  <text x="252" y="308">IGNORE</text>
                  <text x="300" y="308">peer</text>
                  <text x="336" y="308">Req</text>
                  <text x="376" y="308">(send</text>
                  <text x="436" y="308">nothing)</text>
                  <text x="80" y="324">-</text>
                  <text x="100" y="324">if</text>
                  <text x="132" y="324">peer</text>
                  <text x="164" y="324">==</text>
                  <text x="204" y="324">local:</text>
                  <text x="256" y="324">ABORT</text>
                  <text x="364" y="324">"unexpected_message"</text>
                  <text x="88" y="340">-</text>
                  <text x="108" y="340">if</text>
                  <text x="140" y="340">peer</text>
                  <text x="168" y="340">&gt;</text>
                  <text x="204" y="340">local:</text>
                  <text x="264" y="340">ABANDON</text>
                  <text x="320" y="340">local</text>
                  <text x="376" y="340">update:</text>
                  <text x="120" y="356">set</text>
                  <text x="180" y="356">updating=0</text>
                  <text x="120" y="372">act</text>
                  <text x="148" y="372">as</text>
                  <text x="204" y="372">RESPONDER:</text>
                  <text x="268" y="372">send</text>
                  <text x="308" y="372">Resp</text>
                  <text x="348" y="372">with</text>
                  <text x="428" y="372">KeyShareEntry,</text>
                  <text x="132" y="388">derive</text>
                  <text x="176" y="388">new</text>
                  <text x="228" y="388">secrets,</text>
                  <text x="284" y="388">then</text>
                  <text x="336" y="388">proceed</text>
                  <text x="380" y="388">as</text>
                  <text x="404" y="388">in</text>
                  <text x="456" y="388">responder</text>
                  <text x="516" y="388">flow</text>
                  <text x="40" y="420">(2)</text>
                  <text x="76" y="420">recv</text>
                  <text x="116" y="420">Resp</text>
                  <text x="156" y="420">with</text>
                  <text x="220" y="420">key_share:</text>
                  <text x="84" y="436">derive</text>
                  <text x="128" y="436">new</text>
                  <text x="176" y="436">secrets</text>
                  <text x="76" y="452">send</text>
                  <text x="112" y="452">Fin</text>
                  <text x="172" y="452">(encrypted</text>
                  <text x="240" y="452">under</text>
                  <text x="280" y="452">old</text>
                  <text x="320" y="452">keys)</text>
                  <text x="84" y="468">update</text>
                  <text x="132" y="468">SEND</text>
                  <text x="168" y="468">key</text>
                  <text x="224" y="468">(send_key</text>
                  <text x="276" y="468">:=</text>
                  <text x="308" y="468">new)</text>
                  <text x="84" y="484">update</text>
                  <text x="144" y="484">RECEIVE</text>
                  <text x="192" y="484">key</text>
                  <text x="260" y="484">(receive_key</text>
                  <text x="324" y="484">:=</text>
                  <text x="356" y="484">new)</text>
                  <text x="72" y="500">set</text>
                  <text x="132" y="500">updating=0</text>
                  <text x="64" y="516">v</text>
                  <text x="52" y="548">FINISHED</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+----------------------+
| START                |
| send_key=current,    |
| receive_key=current  |
| updating=0           |
+----------------------+
      |
(1) send Req with local KeyShareEntry
    set updating=1
      v
+----------------------+
| WAIT_RESP            |
| updating=1           |
+----------------------+
|  \
|   \ (A) recv peer Req (crossed updates):
|    \  compare peer.key_exchange to local.key_exchange
|     \  - if peer < local: IGNORE peer Req (send nothing)
|      \ - if peer == local: ABORT "unexpected_message"
|       \ - if peer > local: ABANDON local update:
|          * set updating=0
|          * act as RESPONDER: send Resp with KeyShareEntry,
|            derive new secrets, then proceed as in responder flow
|
|  (2) recv Resp with key_share:
|      derive new secrets
|      send Fin (encrypted under old keys)
|      update SEND key (send_key := new)
|      update RECEIVE key (receive_key := new)
|      set updating=0
       v
+----------------------+
| FINISHED             |
+----------------------+
]]></artwork>
          </artset>
          <t>Notes:</t>
          <ul spacing="normal">
            <li>
              <t>Fin message is sent under old keys.</t>
            </li>
            <li>
              <t>If a classic KeyUpdate arrives (EKU negotiated), ABORT "unexpected_message".</t>
            </li>
            <li>
              <t>Crossed-requests: ignore the request with LOWER lexicographic key_exchange; if equal, abort.</t>
            </li>
          </ul>
        </section>
        <section anchor="responder-state-machine">
          <name>Responder State Machine</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="544" width="360" viewBox="0 0 360 544" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,112" fill="none" stroke="black"/>
                <path d="M 8,192 L 8,320" fill="none" stroke="black"/>
                <path d="M 8,352 L 8,400" fill="none" stroke="black"/>
                <path d="M 8,496 L 8,528" fill="none" stroke="black"/>
                <path d="M 192,32 L 192,112" fill="none" stroke="black"/>
                <path d="M 192,192 L 192,224" fill="none" stroke="black"/>
                <path d="M 192,352 L 192,400" fill="none" stroke="black"/>
                <path d="M 192,496 L 192,528" fill="none" stroke="black"/>
                <path d="M 8,32 L 192,32" fill="none" stroke="black"/>
                <path d="M 8,112 L 192,112" fill="none" stroke="black"/>
                <path d="M 8,192 L 192,192" fill="none" stroke="black"/>
                <path d="M 8,224 L 192,224" fill="none" stroke="black"/>
                <path d="M 32,320 L 48,320" fill="none" stroke="black"/>
                <path d="M 8,352 L 192,352" fill="none" stroke="black"/>
                <path d="M 8,400 L 192,400" fill="none" stroke="black"/>
                <path d="M 8,496 L 192,496" fill="none" stroke="black"/>
                <path d="M 8,528 L 192,528" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="56,320 44,314.4 44,325.6" fill="black" transform="rotate(0,48,320)"/>
                <g class="text">
                  <text x="40" y="52">START</text>
                  <text x="88" y="68">send_key=current,</text>
                  <text x="96" y="84">receive_key=current</text>
                  <text x="60" y="100">updating=0</text>
                  <text x="56" y="132">|</text>
                  <text x="16" y="148">(1)</text>
                  <text x="52" y="148">recv</text>
                  <text x="88" y="148">Req</text>
                  <text x="48" y="164">set</text>
                  <text x="108" y="164">updating=1</text>
                  <text x="56" y="180">v</text>
                  <text x="48" y="212">RESPOND</text>
                  <text x="44" y="244">send</text>
                  <text x="84" y="244">Resp</text>
                  <text x="124" y="244">with</text>
                  <text x="200" y="244">KeyShareEntry</text>
                  <text x="44" y="260">(may</text>
                  <text x="88" y="260">defer</text>
                  <text x="144" y="260">sending</text>
                  <text x="188" y="260">if</text>
                  <text x="224" y="260">under</text>
                  <text x="272" y="260">load;</text>
                  <text x="52" y="276">must</text>
                  <text x="92" y="276">send</text>
                  <text x="132" y="276">once</text>
                  <text x="192" y="276">resources</text>
                  <text x="256" y="276">free)</text>
                  <text x="52" y="292">derive</text>
                  <text x="96" y="292">new</text>
                  <text x="144" y="292">secrets</text>
                  <text x="52" y="308">update</text>
                  <text x="100" y="308">SEND</text>
                  <text x="140" y="308">keys</text>
                  <text x="200" y="308">(send_key</text>
                  <text x="252" y="308">:=</text>
                  <text x="284" y="308">new)</text>
                  <text x="100" y="324">WAIT_I_FIN</text>
                  <text x="56" y="340">v</text>
                  <text x="60" y="372">WAIT_I_FIN</text>
                  <text x="60" y="388">updating=1</text>
                  <text x="56" y="420">|</text>
                  <text x="16" y="436">(2)</text>
                  <text x="52" y="436">recv</text>
                  <text x="88" y="436">Fin</text>
                  <text x="148" y="436">(encrypted</text>
                  <text x="216" y="436">under</text>
                  <text x="256" y="436">old</text>
                  <text x="296" y="436">keys)</text>
                  <text x="60" y="452">update</text>
                  <text x="120" y="452">RECEIVE</text>
                  <text x="172" y="452">keys</text>
                  <text x="244" y="452">(receive_key</text>
                  <text x="308" y="452">:=</text>
                  <text x="340" y="452">new)</text>
                  <text x="48" y="468">set</text>
                  <text x="108" y="468">updating=0</text>
                  <text x="56" y="484">v</text>
                  <text x="52" y="516">FINISHED</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+----------------------+
| START                |
| send_key=current,    |
| receive_key=current  |
| updating=0           |
+----------------------+
      |
(1) recv Req
    set updating=1
      v
+----------------------+
| RESPOND              |
+----------------------+
|  send Resp with KeyShareEntry
|  (may defer sending if under load;
|   must send once resources free)
|  derive new secrets
|  update SEND keys (send_key := new)
|  --> WAIT_I_FIN
      v
+----------------------+
| WAIT_I_FIN           |
| updating=1           |
+----------------------+
      |
(2) recv Fin (encrypted under old keys)
    update RECEIVE keys (receive_key := new)
    set updating=0
      v
+----------------------+
| FINISHED             |
+----------------------+
]]></artwork>
          </artset>
          <t>Notes:</t>
          <ul spacing="normal">
            <li>
              <t>Responder may defer Resp under load (no status reply), then must send it once resources are free.</t>
            </li>
            <li>
              <t>If a classic KeyUpdate arrives (EKU negotiated), ABORT "unexpected_message".</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="dtls-13-state-machines">
        <name>DTLS 1.3 State Machines</name>
        <t>This section describes the initiator and responder state machines.</t>
        <section anchor="terms-and-abbreviations">
          <name>Terms and Abbreviations</name>
          <t>The following variables and abbreviations are used in the state machine diagrams.</t>
          <ul spacing="normal">
            <li>
              <t>rx - current, accepted receive epoch.</t>
            </li>
            <li>
              <t>tx - current transmit epoch used for tagging outgoing messages.</t>
            </li>
            <li>
              <t>E - initial epoch value.</t>
            </li>
            <li>
              <t>updating - true while a key-update handshake is in progress.</t>
            </li>
            <li>
              <t>old_rx - the previous receive epoch remembered during retention.</t>
            </li>
            <li>
              <t>retain_old - when true, receiver accepts tags old_rx and rx.</t>
            </li>
            <li>
              <t>tag=... - the TX-epoch value written on an outgoing message.</t>
            </li>
            <li>
              <t>e==... - the epoch tag carried on an incoming message (what the peer sent).</t>
            </li>
            <li>
              <t>FINISHED / START / WAIT_RESP / WAIT_I_FIN / WAIT_R_FIN / ACTIVATE RETENTION / RESPOND / WAIT_ACK - diagram states; FINISHED denotes the steady state after success.</t>
            </li>
          </ul>
          <t>Crossed requests. If both peers independently initiate the extended key update and the key_update_request messages cross in flight, compare the KeyShareEntry.key_exchange values. The request with the lower lexicographic value must be ignored. If the values are equal, the endpoint must abort with an "unexpected_message" alert. If the peer's value is higher than the local one, the endpoint abandons its in-flight update and processes the peer's request as responder.</t>
        </section>
        <section anchor="state-machine-initiator">
          <name>State Machine (Initiator)</name>
          <t>The initiator starts in the START state with matching epochs (rx := E; tx := E). It sends a Req and enters WAIT_RESP (updating := 1). While waiting, APP data may be sent at any time (tagged with the current tx) and received according to the APP acceptance rule below.</t>
          <t>Once the responder returns Resp with a tag matching the current rx, the initiator derives new key material. It then sends Fin still tagged with the old tx. The initiator activates retention mode: the old epoch is remembered, the receive epoch is incremented, and application data is accepted under both epochs for a transition period. Initiator moves to WAIT_ACK.</t>
          <t>If a peer key_update_request arrives while in WAIT_RESP (crossed updates), apply the crossed-request rule above. If the peer's key_exchange is higher, abandon the local update (updating := 0) and continue as responder: send key_update_response, derive new secrets, then proceed with the responder flow. If lower, ignore the peer's request; if equal, abort with "unexpected_message".</t>
          <t>Upon receiving the responder's ACK matching the updated epoch, the initiator completes the transition by synchronizing transmit and receive epochs (tx := rx), disabling retention, and clearing the update flag. The state machine returns to FINISHED, ready for subsequent updates.</t>
          <t>Throughout the process:</t>
          <ul spacing="normal">
            <li>
              <t>Duplicate messages are tolerated (for retransmission handling).</t>
            </li>
            <li>
              <t>Temporary epoch mismatches are permitted while an update is in progress.</t>
            </li>
            <li>
              <t>Application data flows continuously, subject to epoch acceptance rules.</t>
            </li>
          </ul>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="832" width="536" viewBox="0 0 536 832" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                <path d="M 8,160 L 8,192" fill="none" stroke="black"/>
                <path d="M 8,512 L 8,576" fill="none" stroke="black"/>
                <path d="M 8,640 L 8,672" fill="none" stroke="black"/>
                <path d="M 8,784 L 8,816" fill="none" stroke="black"/>
                <path d="M 16,200 L 16,432" fill="none" stroke="black"/>
                <path d="M 56,200 L 56,400" fill="none" stroke="black"/>
                <path d="M 56,680 L 56,720" fill="none" stroke="black"/>
                <path d="M 88,464 L 88,504" fill="none" stroke="black"/>
                <path d="M 96,200 L 96,368" fill="none" stroke="black"/>
                <path d="M 184,512 L 184,576" fill="none" stroke="black"/>
                <path d="M 192,200 L 192,256" fill="none" stroke="black"/>
                <path d="M 256,160 L 256,192" fill="none" stroke="black"/>
                <path d="M 256,640 L 256,672" fill="none" stroke="black"/>
                <path d="M 280,32 L 280,80" fill="none" stroke="black"/>
                <path d="M 352,784 L 352,816" fill="none" stroke="black"/>
                <path d="M 8,32 L 280,32" fill="none" stroke="black"/>
                <path d="M 8,80 L 280,80" fill="none" stroke="black"/>
                <path d="M 8,160 L 256,160" fill="none" stroke="black"/>
                <path d="M 8,192 L 256,192" fill="none" stroke="black"/>
                <path d="M 192,256 L 208,256" fill="none" stroke="black"/>
                <path d="M 96,368 L 112,368" fill="none" stroke="black"/>
                <path d="M 56,400 L 72,400" fill="none" stroke="black"/>
                <path d="M 16,432 L 32,432" fill="none" stroke="black"/>
                <path d="M 8,512 L 184,512" fill="none" stroke="black"/>
                <path d="M 8,576 L 184,576" fill="none" stroke="black"/>
                <path d="M 8,640 L 256,640" fill="none" stroke="black"/>
                <path d="M 8,672 L 256,672" fill="none" stroke="black"/>
                <path d="M 8,784 L 352,784" fill="none" stroke="black"/>
                <path d="M 8,816 L 352,816" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="200,200 188,194.4 188,205.6" fill="black" transform="rotate(270,192,200)"/>
                <polygon class="arrowhead" points="104,200 92,194.4 92,205.6" fill="black" transform="rotate(270,96,200)"/>
                <polygon class="arrowhead" points="96,504 84,498.4 84,509.6" fill="black" transform="rotate(90,88,504)"/>
                <polygon class="arrowhead" points="64,200 52,194.4 52,205.6" fill="black" transform="rotate(270,56,200)"/>
                <polygon class="arrowhead" points="24,200 12,194.4 12,205.6" fill="black" transform="rotate(270,16,200)"/>
                <g class="text">
                  <text x="40" y="52">START</text>
                  <text x="28" y="68">rx</text>
                  <text x="52" y="68">:=</text>
                  <text x="76" y="68">E;</text>
                  <text x="100" y="68">tx</text>
                  <text x="124" y="68">:=</text>
                  <text x="148" y="68">E,</text>
                  <text x="196" y="68">updating</text>
                  <text x="244" y="68">:=</text>
                  <text x="264" y="68">0</text>
                  <text x="56" y="100">|</text>
                  <text x="16" y="116">(1)</text>
                  <text x="52" y="116">send</text>
                  <text x="88" y="116">Req</text>
                  <text x="140" y="116">[tag=tx]</text>
                  <text x="48" y="132">set</text>
                  <text x="100" y="132">updating</text>
                  <text x="148" y="132">:=</text>
                  <text x="168" y="132">1</text>
                  <text x="56" y="148">v</text>
                  <text x="56" y="180">WAIT_RESP</text>
                  <text x="232" y="260">(A)</text>
                  <text x="268" y="260">recv</text>
                  <text x="308" y="260">peer</text>
                  <text x="344" y="260">Req</text>
                  <text x="404" y="260">(crossed):</text>
                  <text x="236" y="276">if</text>
                  <text x="268" y="276">peer</text>
                  <text x="296" y="276">&lt;</text>
                  <text x="328" y="276">local</text>
                  <text x="372" y="276">-&gt;</text>
                  <text x="412" y="276">IGNORE</text>
                  <text x="488" y="276">(Self-Loop)</text>
                  <text x="236" y="292">if</text>
                  <text x="268" y="292">peer</text>
                  <text x="300" y="292">==</text>
                  <text x="336" y="292">local</text>
                  <text x="372" y="292">-&gt;</text>
                  <text x="408" y="292">ABORT</text>
                  <text x="472" y="292">(Error)</text>
                  <text x="236" y="308">if</text>
                  <text x="268" y="308">peer</text>
                  <text x="296" y="308">&gt;</text>
                  <text x="328" y="308">local</text>
                  <text x="372" y="308">-&gt;</text>
                  <text x="416" y="308">ABANDON</text>
                  <text x="480" y="308">update;</text>
                  <text x="420" y="324">updating</text>
                  <text x="468" y="324">:=</text>
                  <text x="492" y="324">0;</text>
                  <text x="400" y="340">act</text>
                  <text x="428" y="340">as</text>
                  <text x="480" y="340">RESPONDER</text>
                  <text x="136" y="372">APP</text>
                  <text x="172" y="372">send</text>
                  <text x="232" y="372">(anytime)</text>
                  <text x="400" y="372">(Self-Loop)</text>
                  <text x="96" y="404">APP</text>
                  <text x="136" y="404">recv:</text>
                  <text x="204" y="404">retain_old</text>
                  <text x="260" y="404">&amp;&amp;</text>
                  <text x="280" y="404">e</text>
                  <text x="300" y="404">==</text>
                  <text x="340" y="404">old_rx</text>
                  <text x="432" y="404">(Self-Loop)</text>
                  <text x="56" y="436">APP</text>
                  <text x="96" y="436">recv:</text>
                  <text x="128" y="436">e</text>
                  <text x="148" y="436">==</text>
                  <text x="172" y="436">rx</text>
                  <text x="440" y="436">(Self-Loop)</text>
                  <text x="116" y="468">recv</text>
                  <text x="156" y="468">Resp</text>
                  <text x="188" y="468">[e</text>
                  <text x="212" y="468">==</text>
                  <text x="240" y="468">rx]</text>
                  <text x="124" y="484">derive</text>
                  <text x="184" y="484">secrets</text>
                  <text x="52" y="532">ACTIVATE</text>
                  <text x="128" y="532">RETENTION</text>
                  <text x="60" y="548">old_rx=rx;</text>
                  <text x="72" y="564">retain_old=1;</text>
                  <text x="148" y="564">rx++</text>
                  <text x="88" y="596">|</text>
                  <text x="16" y="612">(2)</text>
                  <text x="52" y="612">send</text>
                  <text x="88" y="612">Fin</text>
                  <text x="140" y="612">[tag=old</text>
                  <text x="192" y="612">tx]</text>
                  <text x="88" y="628">v</text>
                  <text x="52" y="660">WAIT_ACK</text>
                  <text x="128" y="660">(updating</text>
                  <text x="176" y="660">=</text>
                  <text x="196" y="660">1)</text>
                  <text x="88" y="708">APP</text>
                  <text x="144" y="708">send/recv</text>
                  <text x="216" y="708">allowed</text>
                  <text x="16" y="740">(3)</text>
                  <text x="52" y="740">recv</text>
                  <text x="88" y="740">ACK</text>
                  <text x="136" y="740">[e==rx]</text>
                  <text x="60" y="756">tx=rx;</text>
                  <text x="144" y="756">retain_old=0;</text>
                  <text x="236" y="756">updating</text>
                  <text x="284" y="756">:=</text>
                  <text x="304" y="756">0</text>
                  <text x="56" y="772">v</text>
                  <text x="52" y="804">FINISHED</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+---------------------------------+
| START                           |
| rx := E; tx := E, updating := 0 |
+---------------------------------+
      |
(1) send Req [tag=tx]
    set updating := 1
      v
+------------------------------+
| WAIT_RESP                    |
+------------------------------+
 ^    ^    ^           ^
 |    |    |           |
 |    |    |           |
 |    |    |           +-- (A) recv peer Req (crossed):
 |    |    |                if peer < local  -> IGNORE (Self-Loop)
 |    |    |                if peer == local -> ABORT  (Error)
 |    |    |                if peer > local  -> ABANDON update;
 |    |    |                                    updating := 0;
 |    |    |                                    act as RESPONDER
 |    |    |
 |    |    +-- APP send (anytime)           (Self-Loop)
 |    |
 |    +-- APP recv: retain_old && e == old_rx   (Self-Loop)
 |
 +-- APP recv: e == rx                           (Self-Loop)

          | recv Resp [e == rx]
          | derive secrets
          v
+---------------------+
| ACTIVATE RETENTION  |
| old_rx=rx;          |
| retain_old=1; rx++  |
+---------------------+
          |
(2) send Fin [tag=old tx]
          v
+------------------------------+
| WAIT_ACK (updating = 1)      |
+------------------------------+
      |
      |  APP send/recv allowed
      |
(3) recv ACK [e==rx]
    tx=rx; retain_old=0; updating := 0
      v
+------------------------------------------+
| FINISHED                                 |
+------------------------------------------+
]]></artwork>
          </artset>
        </section>
        <section anchor="state-machine-responder">
          <name>State Machine (Responder)</name>
          <t>The responder starts in the START state with synchronized transmit and receive epochs (rx := E; tx := E) and no update in progress. Application data can be transmitted at any time using the sender's current transmit epoch. A receiver must accept application data if the epoch tag on the DTLS record equals the receiver's current receive epoch. If the receiver has retention active (retain_old == true), the receiver must also accept DTLS records whose epoch tag equals the remembered previous epoch.</t>
          <t>Upon receiving an <tt>ExtendedKeyUpdate(key_update_request)</tt> (Req), the responder transitions to RESPOND. The responder may defer sending <tt>ExtendedKeyUpdate(key_update_response)</tt> under load; in that case it must acknowledge the request with an ACK and retransmit the response until it is acknowledged by the initiator, as specified in DTLS considerations. When sent, <tt>ExtendedKeyUpdate(key_update_response)</tt> is tagged with the current tx.</t>
          <t>After an <tt>ExtendedKeyUpdate(key_update_finish)</tt> (Fin) is received with the correct epoch, the responder:</t>
          <ol spacing="normal" type="1"><li>
              <t>activates retention (old_rx := rx; retain_old := 1),</t>
            </li>
            <li>
              <t>increments both epochs (rx++, tx++),</t>
            </li>
            <li>
              <t>sends ACK tagged with the new tx (which now equals the new rx),</t>
            </li>
            <li>
              <t>clears updating and enters FINISHED.</t>
            </li>
          </ol>
          <t>Retention at the responder ends automatically on the first APP received under the new rx (then retain_old := 0). APP traffic is otherwise permitted at any time; reordering is tolerated by the acceptance rule.</t>
          <t>APP acceptance rule (receiver): accept if e == rx or (retain_old &amp;&amp; e == old_rx). If retain_old is set and an APP with the new rx arrives, clear retain_old.</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="624" width="536" viewBox="0 0 536 624" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                <path d="M 8,160 L 8,192" fill="none" stroke="black"/>
                <path d="M 8,288 L 8,336" fill="none" stroke="black"/>
                <path d="M 8,400 L 8,480" fill="none" stroke="black"/>
                <path d="M 8,560 L 8,608" fill="none" stroke="black"/>
                <path d="M 56,200 L 56,280" fill="none" stroke="black"/>
                <path d="M 136,288 L 136,336" fill="none" stroke="black"/>
                <path d="M 184,400 L 184,480" fill="none" stroke="black"/>
                <path d="M 192,160 L 192,192" fill="none" stroke="black"/>
                <path d="M 280,32 L 280,80" fill="none" stroke="black"/>
                <path d="M 352,560 L 352,608" fill="none" stroke="black"/>
                <path d="M 8,32 L 280,32" fill="none" stroke="black"/>
                <path d="M 8,80 L 280,80" fill="none" stroke="black"/>
                <path d="M 8,160 L 192,160" fill="none" stroke="black"/>
                <path d="M 8,192 L 192,192" fill="none" stroke="black"/>
                <path d="M 8,288 L 136,288" fill="none" stroke="black"/>
                <path d="M 8,336 L 136,336" fill="none" stroke="black"/>
                <path d="M 8,400 L 184,400" fill="none" stroke="black"/>
                <path d="M 8,480 L 184,480" fill="none" stroke="black"/>
                <path d="M 8,560 L 352,560" fill="none" stroke="black"/>
                <path d="M 8,608 L 352,608" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="64,280 52,274.4 52,285.6" fill="black" transform="rotate(90,56,280)"/>
                <g class="text">
                  <text x="40" y="52">START</text>
                  <text x="28" y="68">rx</text>
                  <text x="52" y="68">:=</text>
                  <text x="76" y="68">E;</text>
                  <text x="100" y="68">tx</text>
                  <text x="124" y="68">:=</text>
                  <text x="148" y="68">E,</text>
                  <text x="196" y="68">updating</text>
                  <text x="244" y="68">:=</text>
                  <text x="264" y="68">0</text>
                  <text x="56" y="100">|</text>
                  <text x="16" y="116">(1)</text>
                  <text x="52" y="116">recv</text>
                  <text x="88" y="116">Req</text>
                  <text x="136" y="116">[e==rx]</text>
                  <text x="48" y="132">set</text>
                  <text x="100" y="132">updating</text>
                  <text x="148" y="132">:=</text>
                  <text x="168" y="132">1</text>
                  <text x="56" y="148">v</text>
                  <text x="48" y="180">RESPOND</text>
                  <text x="84" y="228">send</text>
                  <text x="124" y="228">Resp</text>
                  <text x="180" y="228">[tag=tx]</text>
                  <text x="84" y="244">(may</text>
                  <text x="132" y="244">defer;</text>
                  <text x="172" y="244">if</text>
                  <text x="224" y="244">deferred,</text>
                  <text x="280" y="244">ACK</text>
                  <text x="312" y="244">Req</text>
                  <text x="344" y="244">and</text>
                  <text x="384" y="244">later</text>
                  <text x="452" y="244">retransmit</text>
                  <text x="516" y="244">Resp</text>
                  <text x="96" y="260">until</text>
                  <text x="172" y="260">acknowledged</text>
                  <text x="236" y="260">by</text>
                  <text x="264" y="260">the</text>
                  <text x="324" y="260">initiator)</text>
                  <text x="60" y="308">WAIT_I_FIN</text>
                  <text x="68" y="324">(updating=1)</text>
                  <text x="56" y="356">|</text>
                  <text x="16" y="372">(2)</text>
                  <text x="52" y="372">recv</text>
                  <text x="88" y="372">Fin</text>
                  <text x="136" y="372">[e==rx]</text>
                  <text x="240" y="372">(assert</text>
                  <text x="312" y="372">accepted)</text>
                  <text x="56" y="388">|</text>
                  <text x="52" y="420">ACTIVATE</text>
                  <text x="128" y="420">RETENTION</text>
                  <text x="60" y="436">old_rx=rx;</text>
                  <text x="72" y="452">retain_old=1;</text>
                  <text x="40" y="468">rx=rx</text>
                  <text x="76" y="468">1;</text>
                  <text x="120" y="468">tx=tx+1</text>
                  <text x="56" y="500">|</text>
                  <text x="16" y="516">(3)</text>
                  <text x="52" y="516">send</text>
                  <text x="88" y="516">ACK</text>
                  <text x="140" y="516">[tag=tx]</text>
                  <text x="48" y="532">set</text>
                  <text x="100" y="532">updating</text>
                  <text x="148" y="532">:=</text>
                  <text x="172" y="532">0;</text>
                  <text x="212" y="532">assert</text>
                  <text x="268" y="532">tx==rx</text>
                  <text x="56" y="548">v</text>
                  <text x="52" y="580">FINISHED</text>
                  <text x="72" y="596">(retain_old=0</text>
                  <text x="152" y="596">after</text>
                  <text x="200" y="596">first</text>
                  <text x="240" y="596">APP</text>
                  <text x="268" y="596">at</text>
                  <text x="296" y="596">new</text>
                  <text x="328" y="596">rx)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+---------------------------------+
| START                           |
| rx := E; tx := E, updating := 0 |
+---------------------------------+
      |
(1) recv Req [e==rx]
    set updating := 1
      v
+----------------------+
| RESPOND              |
+----------------------+
      |
      | send Resp [tag=tx]
      | (may defer; if deferred, ACK Req and later retransmit Resp
      |  until acknowledged by the initiator)
      v
+---------------+
| WAIT_I_FIN    |
| (updating=1)  |
+-------+-------+
      |
(2) recv Fin [e==rx]      (assert accepted)
      |
+---------------------+
| ACTIVATE RETENTION  |
| old_rx=rx;          |
| retain_old=1;       |
| rx=rx+1; tx=tx+1    |
+----------+----------+
      |
(3) send ACK [tag=tx]
    set updating := 0; assert tx==rx
      v
+------------------------------------------+
| FINISHED                                 |
| (retain_old=0 after first APP at new rx) |
+------------------------------------------+
]]></artwork>
          </artset>
        </section>
      </section>
    </section>
    <section anchor="overview-of-security-goals">
      <name>Overview of Security Goals</name>
      <t>A complete security analysis of the EKU is outside the scope of this document. This appendix provides an informal description of the primary security goals that EKU is designed to achieve.</t>
      <section anchor="post-compromise-security-pcs">
        <name>Post-Compromise Security (PCS)</name>
        <t>Extended Key Update supports post-compromise security under the assumptions described in <xref target="scope"/>. If an attacker temporarily compromises an endpoint and obtains the traffic keys in use before an Extended Key Update takes place, but the compromise does not persist after the EKU completes, the attacker cannot derive the new keying material established by EKU. This property follows from the use of fresh ephemeral key exchange material during each Extended Key Update, which produces new traffic keys that are independent of the previous ones. This
property provides only best-effort post-compromise security, as it assumes the attacker is not acting as a MiTM
during the Extended Key Update.</t>
        <t>As a result, confidentiality of application data encrypted after the Extended Key Update is preserved even if the earlier traffic keys were exposed.</t>
      </section>
      <section anchor="key-freshness-and-cryptographic-independence">
        <name>Key Freshness and Cryptographic Independence</name>
        <t>Each Extended Key Update derives new traffic keys from ephemeral key exchange material. This ensures strong separation between successive traffic keys:</t>
        <ul spacing="normal">
          <li>
            <t>The new traffic keys established by an Extended Key Update are independent of the previous traffic keys.</t>
          </li>
          <li>
            <t>Compromise of one of traffic keys does not allow recovery of any earlier or later traffic keys.</t>
          </li>
          <li>
            <t>Application data protected under one of the traffic keys cannot be decrypted using keys from another.</t>
          </li>
        </ul>
      </section>
      <section anchor="elimination-of-standard-keyupdate">
        <name>Elimination of Standard KeyUpdate</name>
        <t>Once Extended Key Update has been negotiated for a session, peers rely exclusively on EKU rather than the standard TLS 1.3 KeyUpdate mechanism. Relying solely on Extended Key Update helps maintain PCS properties throughout the lifetime of the TLS session.</t>
      </section>
      <section anchor="detecting-divergent-key-state">
        <name>Detecting Divergent Key State</name>
        <t>As described in <xref target="exported"/>, both Post-Handshake Certificate-Based Client Authentication and Exported Authenticators can be used after an Extended Key Update to confirm that both endpoints derived the same
traffic keys. Because the authentication messages produced by these mechanisms depend on values
derived from the updated traffic keys, any divergence in those traffic keys causes validation to fail,
revealing interference by an active attacker.</t>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1923Ib55ng/f8U/9BVM6QFQKIOlk1FTmiSsjiSKA1JxfE6
DtUEGkCHjW6ku0ESkZiaV9jLvdurfYq52nmTeZL9Tv+pDyAoO1M1W8NUZBLo
/o/f+djv91WVVGm8ow+uqzgbxSP9Kl7q9/NRVMV6nBf6tIiycp4XlX4dLeNC
n8TDRZFUS715+vpkS28PHikVnZ8X8eWKMV6fqFE+zKIZTDQqonHVT+Jq3K/S
sh/LO/2LeNlf0Dv97UdqCP+d5MVyR5fVSPHn5Y7+5uFX2z399ePHXymVzIsd
XRWLsnr44ME3Dx6qcnE+S8oyybNqOYeZDg9OX6ioiKMdvWGWvaGu8uJiUuSL
OXzatbkNBauBB0cwSFbFRRZX/X1ct1JlFWWjsyjNM5hhGZdqnuworYvxMB6V
1TKVT7Wu8qH3awJ7zCrzQQlTFvG4tH8vZ8GfVZEM7cPDfDaDd+23SZYmmZsG
DrCfJmXVh0HO8xQe6+df3oNv4MRn0XyeZBN+NlpU07yAxfbhS/xJMnj45UCf
lsNpPo6zZCJf8EW9jLIsLpvfxrMoSXf0lL4eVPbr301m1wM4KXksL2DekySG
tZe1Od/AnP/+b9dxFsz3JhlOozgNv5LJqkUMn/1uPO3PFjAeXMlgFPsTvfn3
f6OP9fssuRzofKx35/M0AVg8GSZxNozrazgd6ON4NFoGSzhNisUsSuPyKiqC
r2UZF3k2qpICdgp/DuBi/CUc5RdJVJvlZKBfFAldlJvlpIrHcGLBNzJByV8N
xvjV70o+vfpE7Ye68SPsKC/zWXQxzTfkm/EiTXnSH6MiL9Po0j3jhoyy5K9R
BXizo/9HOYT9F+GqloV553d/5e9pSSrLixm8dxnvADZmY/eX1of9/YHD8eFo
Gvdn6UU8a3xnPz1+sffNN0++xl93j05ODnd4DRZqtXcC9AB/JOTrOGY0GdE+
SiI7JWFzNtEAlIj1pb5Kqqk+fAdf9PRpPJxmCewG3kUSIMNFxSQG1JtW1bzc
uX9/uDyH3U7yxSXcyf0yASp0fxSPo0Va3R8nACn3Hz7Yfnj/wTf3j07PaOSz
g6PBfDTm4ZBswXIXE6BSGp58Ah8DNewDpewfxxNAWyBxKzZ6uHu0G+zzFnJM
FBgpYNm+naurq0ESZdEARr8fAa2cZERb7ltSbMhn/zJKFwY8eRtH+WU8g+OA
jTx8JBt5FxXR7O+yFRo5BpT+nK3May+3b2Bv7/vtr1au+eDgIFjzxttMv8uB
2AK0zYsc2E3sMY3WdY7yhJa4/WCwvQ1wMizHA4CErwbb37TDCLA21e/3dXQO
RxoNgefAeSCj1XA7iyIm4AYCNUIAL+LhUp8v9TwuEP8Q2qNMx/MpkIgCYHs/
GY+TuP8yTtMZfAFsTcfXQGezSaxGjB3VNAYKklQJPA5fjMppdBH3NGyviocV
PjGPYGWIXwtEGEaw+BIoWDLWEXxbVMt/KhWwxEkfjnyGs5R6E6AI0Std4jNF
conSAM5PSBjBeAXsZQ4UFacYxkWVjHH0eEsDz9Yp/FYod8yjgVI/TAHjaL3n
iyQFISJDSUMEjVmM20rKmYY586tSR8gAeLkgJkRwDkNeWZXr81gDw4X5p/HI
nEME50nSQ08nFXBPOOgsr+BoYKUApiTM4BtwDVWRz5fwVw6TAXW5Cs4VLmCk
YJEwQQ4bsQPBRi6TUaznNfgpBX6AKU6TUqfJLKl41UO4MXg6pqXxQ6pIygtY
k6bTToHajsyyy54uF0M4WtjhFN8a54tshM+C8LFAmQIu+DA/BdAGqSGNwwtV
cXaZFDnjEJz1aa6j0Qj2i6MlMDb+q8t5PORrwvUBIUxQRECIM6IfnsSifiPV
NKqUgCg8bs7xGjZFAwG7xlsNTjED+Q9gsoIxVwGqQnCCPcIaAFfgPNwt0h0A
bhDaEBx3nbxS3y0Rq4YEB1UVDS+AdCCgxNdA5Su6fHPPM4RMXEMRz2NcX7qU
0wGIK/IIrgBuMJmgxIpwoPHK4MuyBDGQ9kMYUOIlE0RqtyQUSiaLFKSPIob5
YBI4GtkQA+80Tucl4EVWRbBrOpLZHHZOD+L1u8FKhKhYW7KuE4sU54hHgAY5
LESoi4IT1fvyx4BJ0CwZjdJYqS80ysFFPloM8b4AOmDc2zUDoiH5ME8N7LeS
rkUJp64EJCzhCmBhFQAMYGlMEyK4UjNjT9GNBKPA3wKD5g42D/a29l8eDDRc
f0E8LBaB4UofAQMZfY+KAhzpCESEBBCjR7Q4wAI407TMBRf0dHleJCMkAQxt
f1lEWbWYhQuxiEHnQTBSwmx6vigQ3YUQGGqPyAN/DIvlHIEnQFtYNYhosAYA
iHGCKgaeDdJmhbQ5s8DM9FTn5xU9bqm2dlTbo9EB9Y8m+EqFXKAE/FLR6BKQ
I0IJVV9Nc1gCEMiRt0JDbFEG42lHMX0HCx44bkbHBtQ1XSBgRK2knPYu9Hwt
Gg6UCBDrHBSiqaOMA/0yv4JDKQRP3fh14qy6SEQPySqwBcIfeCfPiK/htY5i
Oji8jfEiGzK/yREk1RzU4iRfdPIiGjSbL6qBNrwNlgfHAcIMgusEiEBBLLRc
4DugyVSKRFuQVSoh/3D1WUzTlsS5ZhGIA3As8KxdvsdVcEZdDuMMbjDHGwQi
qQwLQQQpAQ3o7ixNhw+TfOTxl3V5SrkEjJrBizQLrhQgakEHcgmaRXSepLg4
2OkQVknCOGKOIXhIA5kJEJNAolguZgRHCt4BwofyEb4GYHUQFXAzhUbgpK0A
QSRkXcyRSMUdw+LaEtwVAhntVSi/5T9CmuC6EMIM9e8J6BJfccIXUo6azGXQ
vvTImDlwuJdxXCUzwPn9BZFkSzIRCNP4Gs8Hz+Qiy68yfblIESLo3AAMe+Fe
1BXczTgp4P5gyWREgB0Bif348bcorB8fHB18//b0cPf08O3Rc1C4njx9/NXN
DY0PCk2Ce0uREs5yBCy4ZcMOLHjGykfTsoyAnF0RRDB7QPTP4ejHSHIQ5uCD
IpazM+gRpYRRImUpxD9QVIHRptrSQiIY+aSI5nA9ushhdpgmhAhcN8hI+L5Q
AqKluGikisxkKn4MICL+ywJwAjYo7xDiMl/nJ0sW6ex9K8c6GEnrApqhBsA7
gKmlKCwB1AGwo+jBe5F7hjNSPmUi9gOUYJTwgRhW1EPS7DGO+8Ez7/7l/umW
4TFmcT0FmBG+pV8dvLHfA25Y1jxZJKMoG8a80SySgeEWsyHBk8Fw0rD15ouC
nv74kf6+udnqEbknTbtkEke0Aa/ICSzh3RG9FtBvkVoRXuhIaTgnzNQFo9NA
woL15osiIqwicil8EoU4lMCVZXyIU4yferTMoplQXivYEQ2ISmHgBPWALntv
j14c7h8cAbK8Pjz9EZHl6VcPH9/cAKLyKKo+CsKg0A6evE5liR8L8wQxckFo
akRIgDXS9nQrtcFBEaRJ6IuGQxLLc8OlUUSOqohIUhFHJE/lsGlzvUMADcIC
Uh6QtCNomhMiAQpJcwFqXs+XS4MzUryHNgRDYYVXDyvJM7oARPsFqG090mCQ
v0+KmIQBK3EAsuJHPWDZKFARn4NJslDgRWXQw3CDO/aYdIikCpbLyCfqrmPP
KHusUGJoW05YJnCyZK1LyVFOlmCTkwD1erjOmKwQrQ1W+zvqIc/rxmv9PkuT
C6bKZJZGwdotrSHsiBxlOVyS/Tn2Ac5ZBugkmUbgfXuqmBsNjiZval0kShua
gDeqirhYZJkR372hwp3SWt3pA+KAjkIkxhew8rFCch2KgiQjFnj/IKbHZGhH
AuJBqBB2kHBRrJnnwynoRrsk+RHGKyBwc3w1udYv8N1/AFh4Htgpi/EQ3Q7n
SXlzI8pFU93TRt0jbawdkVjCmSbjqgzQUJ0vClg6XAwpSF20asDKF8yMeDVa
V7sDmga/Ca83Wp6GT/8B/0Dy9s3246dI3l7AEQ1BA0UWTeyUlIMNeGoDp0Cc
hnWDXjSZ5otKJNZ8uEDDAc5KVNBOb8QZeDFD/qhyxM4rEq0ZDcmy84U+jVGA
ytN8wvLOMXDrpIjJHAEKZjZZoKjx8QtczQ2fARmTQPUo9cab9yenGz3+rz56
S78fH/zL+8Pjg338/eTl7uvX9hclT5y8fPv+9b77zb259/bNm4OjfX4ZPtXB
R2rjze6P8A2uc+PtO5Smdl9vaNLH/dNAoGRFJUEvEgjlCG4gCQDLAoH3nLnN
d3vv/u//3n6MdwHX8HB7+xu4Jv7j6+2nwHKIKPJspHbwn3COSwUXHkcFjgK4
BnLNHCSTtCR+BioCCIxIs+F8v/wJT+bnHf2b8+F8+/G38gFuOPjQnFnwIZ1Z
85PGy3yILR+1TGNPM/i8dtLhend/DP425+59+JvfomdM97e//u23ikxYI9Bl
gPQsgBBbC5NYpwAyQVpdoIXO5/yEJcqSvtYXLOQ2rhy0iRhRRBvEKdVGC2ne
YNBp4ScbKGDh+EhUU7RMvSDVyiEHy5pETz2WguP5bCRKJzmg8HQG9D4FkQA1
DpTjfouY/vQbFGSUOrxt9Z0Ws5rEBPSTbOlIP35AQR3UtFgIcyDzgGrKJgjl
hBgigh22Wljk+4zl6ibd6BHQE70hDx8N5nOG+u0oS5s6bcN4jufxMDKn0ObS
toCg8iEcB7w0rkTct1YpPZ+iOQr+EUWuwvVmufeEP69i/nWZp5dED5s3A+o8
w4mTMnHCP/6EX8TFH38+u4KLic/IesPi1zBGxox6TP0d+S54i4yFZeyELlaP
Rk4MYE6vhimaIc68IzyTrZwxtz07Ei2+gClWPtdToeC9ub9V41e8F1wOiMpp
NDTiFEoBeYZebTr7GNkw6C4IU6BKtl0bcZkjoz2KONLynFJ7tEFvD6VFClzd
OI0mnqgCsI/SQv/F693vazID/J8eBhJO4taI/BvGImEF8UAtVt5xBCAw0Iha
KFPx5ziy3jAbOIMNnPEGNhR+JXJC6wP8rhUhzpe0DL5XnjeWQ0AbRq43915u
aeIX5wgFaIpI49HELBKO0dj+PP/j5sEBaIvJWNRgPEc2+cn2y+bedW3vynFS
dGSIlXMCmEdWBryUpEJs4UlW7DVhK18ZEybxnYLSmJNSthT/gwoX003lGSYd
XLMMClhGIksn0QTITdFwfRkzOCQkCKM7ZJGmyhm0EVDb6M4btreUIAVh0IcL
mLmxRzCsgy6o9kUcm9OqjDugy1PDEl8Lx9JGXEAQQBlQzO54KUDoeo2hJWaH
9rY0yMt33jZ8cPR4pUgz8ay9A7YkLUIBFdSNof5grVEfrDmKKIJyxACmz25H
+xok4nYVs138ks7W2lnFhZnpDxuLLL6ekwp+JvNvfNAYIVEJArYft1wk0jU0
XsALBGXsTHQswmwJQzhG6oNZtrfpzYNX7wHNzIJIzkR5YAG/fW3fLxfn6NM3
JAiPIQEERKvaYJVOjAq6O62m5U/GLXeU6usPsMMz3uEZogKowLC+B1uNr9Dp
W+Lat+vfwawgqcE3D7eUOoKjuH1qOkN2/zMpwzgDlk48GfvjRwwV6McXi34h
sQokAe0SRUeNWMzAAmJoDmjObU7ZXXrjhAluonMk778uzJDQUZbkEz6PLfWg
LccJmTxoG8wPkwpFD0U+gEh/eEHnGo8skgD2rkQwWGYT2JTZLOvRIk2w/IFk
DcGKZvTmI7KxEo/UemeCmH4yhcs+yODyPsA5FEVisKYV9IhngKDZAX20MkMU
KSCQzwCt2Z6VImCOyiOsq32Suxm6J7wTDg64JAulEdFZtmWLlfEYeUQLFrHy
FJWDLOAvoB2kZzb8xTvEjx+BdfpM44ZUxFJ2AA9HfClit0XjzUC/QG9Cz/Bs
1SqyWP4YEpEkOEcRKz54cgVfEQ73oUWAsLDKbmzWeFtpoO/gLcUKIVjToVso
MQutwLd2r/F5XF3FcebdepUXymxD4lni4plBSSMzCl/O3ScCRagRYYwPuVBk
PFjV3/72NxOJJNLo+j8nNLJCR43Wf9LegasD2JT+pO/hRs9KxCaeBT8iPlSB
bHXmdEf+9hK+NUd05nAJvunLz7dqxXpWLpMFTFgmrPYzBvF2grvA/X3GKMHP
5doDfGyBWo17kRtYc5jWw73B7VAIXLn+hj7uuSiqYyaDN3fZUNs4MMCf7jCA
/+rvQYEcL2knu4vqsy7mo+Ek6+zjNwYc+cE/hftQuAZYSssKDZj7s/k/DTD/
adejKftRFf18FKzg29ZH1jiAwWAAT/0EQt1mk6Vt0Sxr45w9jrYBmQtu8aLq
X7MYdsfp7Oq7Tuje9q0ndG9bqdfxBJABJEoc5p7GyCPWm9lcfwVsaLp06reQ
fGEv+I7PQnNPRhvwkP1gyHwuBjR03iTVglbTt34EesPwofvepNbpgGpllF5F
S16ITLK55c1hxX3nrqOYJ7b84OOBqSUSbnEWR0W6rNlMZPyPN79kfLEZ/Xxm
BZb2WX4CCPjsaewkqwxAA+J0H3f0F6FwwvG2zzdWqMFE7MXvZ+MUNsQ10CYm
XKFuzkHqwNR3mMnG2WKmP+Lqm/gGukuv8Q0jDqgu9a8YaUBzoS82Hz55sqVu
mkrEKWgJzzCNpFgMK5659RkNuspZRQ/DIyXG1lR603y4xW/CD2rfLWvfsQ/g
TyA7O5b5TB656RyLd/urDMbnEw51/0sdz+YgQX5533/75lnbyT2jC1Mvkjgd
4fV9qT+Y4/iww6qIKGESTtoGBJYWfMlqAS0dXkfJj8UIm8iAzsxTlrQr8kLR
sGh5wxVoNE/FLJM7NcHZjFijIB2kKmvBzqRek+VebbJZ/kQUoseDh4OvJXLp
5maLPWNiEd2Dq0hG4tVHIxB8sSfwPs7Rt0sKWBXPWSmuAK8zXFhkhwhVkmdi
jYEXFMfiGuuqdRCOEorkKdNkMq3IHbHNh2KFVdL/ypazbmNgrLZRZEOkahqd
iTHqCCZOyJwPpGeCMcmsDLhFWOuUs6plrFW5IXjx7+cUqQFq2LzqhVK7bAXv
C11ndY0TNc0W/aOVr3qKdmNXavWuvPV07sobgq/De2f3R4Qv2Q3HtZtloTWW
Q/J0mkcjiajLF8UwxohiTDfAIFfioMRUZ6DzJJ71AYYjux8HGgOCB0suxfxx
HjNPpkgQF7ho5yrRw5LPYhMEmMrV7Fo3Sv1K2rG54+STSrFuL0dcldZ5UjZh
AJGt1dzRMXqo+THHKyW0oRZHxiZRZlIjR2HKOgZVGPMiKY6K7HLOdVOKLRdP
AWGIqOXKtYrwZi1TVa6MB4pWJFdZX4SFNQaeIOZC7Dy8NcxuMKDl21LXWgwH
0V7lCyCgZcW+DIQ9L2rUhwUzz+rbkUk+9MLL0TUoUJ1QcBkacuDd//jX/3Ub
TbOzqhak9WDPv0xMNMCoCLdG9tQF70ogNS4oKVYxsVKx/IXz56lsja71uD4i
RpJLRBNZBs2qRmtv0oV3cziTm7MH6EyZLujSnXPIeLZ04mLLm5JKUbLvxphg
Sz+CJ106qtflthC7ixL2glHEeUkUdUwMq7cW4TCsyaxOYSBwoTH2dmiDGPMC
T9MIFvi+wewPmjLl0NRY5xjGZcaeppHEMAp1LclpqZCli1w+uoyyoRGoSaK4
yiUEnFg+kF6ev0ri/nkRRxfkW46KpARIXpJcpGA7bJTbRHJBZJzuvZwS0p1T
vgicUoJBQmjOgwkWIMKoqFwCucegYTrieZQU5Zb4dbIRpT+IHRKD9lgSiiiT
wEQsg9aVSqwgoRosoM2uyxZJduwO07ys2zPFKOe8IOMiotjqBccRIszD2j+8
NA+guPxBvKmJ1VOMaIWKhR2LZSpnXfPFcPkJhtWzcsJSuIirnvsev7ZyK/6g
z+XhYwCcbFJNnwWaMbx5vkQlCmDT0MLgXSPg29kHZuatYHVWshYdcYr2sx33
nWfte9b2mjjl6695xrjW1+A6z/KxaKQYa8rvHmSjt2MMvF+i/t7xpmD/mdOe
d3Sbx7j1dS8v0Kk2sM2Goeu2t73N+m/fOuklmYh2aq+x4aj15bHYkHbC74xp
qfUdoIdnEkB5ViXDi5g2qY/iqxP+9JQ+bH3X0bJgRk9taruVpsUR327RudyL
N1bDczjyLNDfPeRg9d2oEfZ5fUIIB9yIVPUvnHbTpukfXEcouNziu5gCqe+n
QOrSwI1hTPVO+2n4cCj3IzVEwg3/EMZP0hTzW8jyQcI7LcUirxcqa7JAcC38
vmHFJ8kswVw+8ZR5figzzgfxarTch3Noi8uPZOpWb58Rk1DIMXDmWb3+KzgT
VlsX/9vP8N9+hu5X///1M6z48WztHT8lqtiYWya59GuO2eF86FriJonNFju2
tn5e3y/R5Za4yw3efX7784UgkDZavKfB32EQyp5j7V2fHBztmzxtoIdfGILb
NkP45vHB3sHh7w+8l2n4LteMfxN2lo5V3OksutfTbql/uMpULwyceb12ZsWG
KXNfbJmS0SLP9dwbSS1chbKn0MIpeSjDYb4wqo6rDRAEWqGnpsKc9VlSUaIS
hceBJpwmnDFh89mNRoNZpa/eO03W6HP+KPI6aMG0cjY60rIbYVyg7oICB1oO
/lnAG+Hguz/i2KDsTHCflChQD2IyZuIngyeoi+6TlXigJHWUrDuk2nFabZdl
yxkQYELMFUtNflglFRNERTVSjYT4kPYL52vkEtJaCQpMQNkFZa0plyNrAo3l
7ADuTdUCmML4ei5quW5wkUlq7HMsrrnIXpdKTvuzi3GmEM+4YHJqMcGm0ika
B2C4+2T3JI0e3vGAjI0QeBHGaMO57WLPizIVS5Ix5RBZfdxeqQuetqbNXgN0
JSciAvCZwf44jY9iu8isKlM+01OXsw4YhasaTnNSlymvYYgRlPDVzAaxiDts
GklobegT2Om03a9h/jQ2EjltkzQtZShgCHGGsYXz7qb8FkMkjmgtQONFUbPm
l2JNMfePsT+Lc0pog/MJERCHAtBjrJXiIOcLpMqYilpQAjpl1lB8MZeHmNaj
fIzcbUO4xN8cunbWtiOT7U/v7r36VdwSsI5fwTPh5zXi6d/ROdFxSa3eCXZq
3sFBodd2UODQnT4Ku3IvjN13BUjOT134MSF2cF9IQXrk26A9rOPe6Dnoq5oz
yNaZ6iWUTRvE2LNr0UOHvBi0joCUEhdoUEI4ijX1YroebJEI3zM4dRQL6YWa
nZIGstcbjceEVB02WMxyBA4XDadJJn6ct4Fz5fM8K1ZiikySMc6JJV4wCc4c
SJd3xaMLnHKAsg2bKzkuE66s8k55Jimj9XP+p7Udmz0QtzG9p4wx9lLONUE7
O+UEjNrcLThVh6OAroCYDFuXP9db0+awNZC4BuE35n9HM26huU1KK3DtQ7Rb
1AqcZJQVyDUTAipYopH5sN7tQPTJ9R0u1jk+YEerHTw2M6txZz8Yf4dDBx7O
CVHttAlhttuFBDut4RiO4Z1GnaUamb59taQfyIoPJcRBoJfz7vkS6oOC/OYg
KRGNaU1wYpiwKMITMEgEcgKNab2X5E/2lydE34Vf+CG0v7YPYYQZXZ2OBO0C
icyPb6E38ULmxzfDm5Ah89M0Bm8+Dp9oWOM3n9QfaBrdN78OnxHSdeYcL2fJ
aPOb5lrCB7YfhE94tvLN7e3O72xM1faj7mfY1r65XduNsahvPqzN7UBr82H9
iJqmrs3T7/a3euSLQRUhcL+YCz8D4Xm6+fBJbTSO5pI/bkIX0TNlvmhxJv0C
b9IvcifRy9tf2W2V8V+eeS8jqe4b1iTxTK2TG20UwG1cxtWzz37f28Va7xt/
WLcX7HPdYJ/rB/sFjrBf6gn7ha6wz/WF/TJn2Gd5w36RO+zz/GGf7xBzb7fS
0h0t97FnPz1cseHau7Lhzndv9Hk+cod+QzjV4ZcLWZcx2O2v4Z3bX8s9F0Yg
GldZ4EHzTTgtakTP86NN8yvWNqhOi26WgPQKW+Eub/dpiZ9k89CIB1sdD27a
wJktpOr3++v9/FHpT94oh5IO5s7V//kEA/9xzYHvK/XT3o6urp8/Ah0S/v25
ZdE/nQRPqGZcfe0FZzm+++Cf8UrntdgfL1OhJSvgc1b52Xd3EjpN0CXiffv3
v7uuzI+7OYe+QFWUVRFBn2VcqVUv3u6U2fpZoZMA3Qykqbx9vW/MoMaNgsU0
KUV8MZvjjBS+fFLFc/1ox9Mc8GvnYOBl5hk86oLxPC3AzN9Psh14ZrO43nle
XN/bfgYHByIXptTn6WgrPOzH68Fyp3Ml8K6ckPkbVMYXCWU1VtFkYqLZ8BRg
HZuPOFb7gDZTwlfwH4qZ2jFH8NWOp+bxEXz39vQlvk1BgNdo14AZaJ9rb+ax
PLHu5YLm9LPehB08B56zZe/nafN+yIlkLgc1Ln9hj++wsBX0qEGJ7jLuWhte
RVDuMJnhpsRJL1rSVJjlrWKXO43EFWKyHz/SmFgtLgxrIaM9K93W3uICG03K
qY/kaMTmqlvoXCsHxJd373+n+9/qP9z/EbV5ycy1OT0UeccUIh/7xgvuoFBd
3we4NOGdGNJHtRX8Nfm2HmHI99rIYePD2gf31Cd7QN7PJ+Pb5KXgB0Jt+INP
nz/b7rt32v/sWxz80f1HeFz4H54++OATvPYb/x0aZK3XgJIHs8GXd58NCYj/
1OPW1+Algh79CAZAmqWb8z5uHeAxfeAG+Kq+gj6ZXuwAj+0Aj/0P3ABPW86Z
VvB49QAt88Iot7/2mcAQoHfF3uC7YDaT/T3GQkJrIKzvjWf0VAo9vULD7scv
vOAbbGkgfqYVdUKCXHRbTUrq66HLUlFNmaDiiQlE4yDyzvJaaHKjZJK2ItaB
8zksgGMLAdriqlwS0WbaIOmROtZecf+2WZDO4KYWlXPgXlfKxT2Tn7czhxCX
MssrKl1u7YA4cxGrytYXx2wx60loFLbqLEppKvnagp31YpxUoTMKKq95tXS8
OYNC5s5J7a6W6wQGlXOpfOY5NXEw3n2X2hqWOcc5eD6ix3Btc4rzn0rQf2kB
wquX1abT2fWcLxW+b+7EVjJvjJ9P+IxscP9wURQYZ7mW44TSSdbzEAX1IGBH
5wk7r5eYmxDNy0UqXTOSOawH+2JxGf4FHBPHtBPIAiz711WvsOpfSqnk3A9f
veFw9fr1yCLkRtOlhS2TLSOF4PMimSSZXyLEO0iuY8dFVTAkxE7f888Tv1IO
NI0AELqfsT6st2Gy8XccDg2h2BaaRudxSm3Hskkp8QW2bmLiVYKtIbEcqCnp
L3jvdkbm1LMjeAUzsfmc6gDE2RO17hg++h9hbXRS/m+F2l5tBuXNYEqXIHXx
sioMTV1IxA3bMUx6sGpu5t62fs69L+jT/ku0GDe3/OnTuiFkHSrfLxlBMGaL
9/CW/CYt+8BIkXOMkTYH0Gu5O4k+HsXEdQbqKDf1f9ouEkPcmC+Q5xmjQ5DS
wuPjBRqWQgAfqPp8D1bCirASU28nCPLoqSFGdJFvENDJhjhZ2PUr2mGxn1wq
BHnx21LbULcEUX/8iGL/NAGwKYbTZSCq17DCPhR6iLAesU18D6+2dtM2AnWf
qEn/hF7aHPT0htAXLEu7sVUfhMJCRnYQfg3Fo5ev9l9gzzEqMP48XMm97ZVr
uSciW3MpQ+DKRprY6NUGaYXTFhis76H+ynO9RrnJz95C+Z+zhTUqYX72FuLr
OdwnNq75O24AJsEWGsUvXy42tPl1l9v4ee61CTmrg7qR9ANkNsI+cpR9h8cv
LR6jRL+/slsafvwGYxtPrFQqPAYQEr3IykVvPh1seyn++iRhv3bs4yX2N5Eg
v7ABVo3W2Fq02DjCCB+SkFiqsvLyDvkP+bLiOvsmLIZ3hUXfyyitjLhJrUT8
dHVXAlmq49vWaGKzYAJk+m5IcxtVD/DcBHlqS/oXYHH9OkHiSIBgN6Yic8Ix
1H73AbeL5g7Kxbm0/fBrUnqHZpq/cCsitxvTo6y+IwVLt3mcHLVJIQzcxoHb
5qCUEo1saea28xNJKRydWv/UK0p06CZOzRio1v5Xulb8H/4QLUbXak48HTzG
wBQDju98aRg5ZEtjAr+DlXRRQe7ZuH5XDoN3kxRedWuvDAbmSsUcqwV4Mv/L
sI/RflShUQRKr0Iz1QLu+0rcOiWJQdzhzPU1SHGvHnodIO8ji7wDka1k+vtr
DW5rgjiRVwUbJGW+JpZ1xBCzUKbuMP+ts+Ot5diloNQmTXigj3K0cpxOf92p
ULKksFsnXhqod5Zy1leDNP1binA0gtY++5aa+pWpH2ghMSEliDU4j9hIELff
JIqynkvXGa4lS8HEYdYLLHE7R4n+IouR+dzvmdGT4FHM7y6qiOsgDiXTgi7C
T48kLevdyas+x1Q6liljw1dhF5PLJKIDqXvhHS1QzUL6kkFh2//VSyPjOVEE
ttHOqFiiKxAKIzGF5q3ZQoxs27ZvTxYRyAlVTN2AsICAxIhKJfqR10hIz3KA
Na5ezA1K8ZU0X1KBeL8JZu9zzoCAwnF+JDlwtJjjT6E6s7zgBqiSBVHg3qRV
DwbqU+zzQO+mcOWLyZSDmGkZWCjSARgahmLD0ZkVUmMC+MDE/y1pKSi5lb4E
kZRWfHEx07CkbJRf9RS3yrJnhT4Bk/svi/cH4j4vHAZqw6CpBchlHKWSnLDn
dd7qiVfVdBe00Bau32/LZ0oYIO8gvVOFTaGwZD0dENVSDpZhb45EBmzwizkt
Q7qYEM4Arw5MP9tG4dYkAwkk4QhKzwCXAGjBQDT3AqP3xTLrgnCVr+v2gm6M
kqeEvSOLOBqZrgjxSBpw4bB05V7ln5Gr4xIxvsaup51XkpcEM1kyFbEywfAh
cOPibPs175ypJi5soH2rWDN5iLQNAyjhPg142DaVZDzHsYmYgQhLH9xKXtTt
qEUOVpJO/kWkkz1njls2c8qsGNEmay28qNE2i1IgOBlZIzI7N3bBbuEM8HdE
LYb4qtKqtYGuKYXvWoBSYfO4NA3Q7AmR1d2TugB0EISBqsfp2GczXlMQFTYi
FEofGDh7LcbPwF7oTbn56uBNucU0QmRCAMjzJLMVpOMizseme4UIpFTcxRNK
W4Re1yjap7UMJyKz1uukscxqVahjEA/gfLz6jCREeU0J/Z4L/pZVXcLtOnC4
8XE0xMS6SCrSkGqamHafwaCenXgpke7Siy12Mcbe+0bY8KygfssXTK1HZXBR
loa7YhuXb558LQ2d+G9q69LaP6bumihtnz840HcPn3xVbL95Ddf79Kuve2E7
nKCfRTwcTeP+LL2IZ9wEq1WDYVw5Xwp02ApFiwqE2dLY8CidJ6lIWnI1Ap4p
iyBpujQSjTyPlDsLshwO9lCfoXSV1320fQfLKamZleKv+iRphu6dete/YLNm
m6za+8Mrt1sRbIC/JiCMYNEioQwI9pSTMgRYXqTE/qkFglm6UcaCIUXf6Wg6
w1V2qK2esztamgM6KDd99Uv42+yhthZuAx3yZj+2DpfpGsNxZo12TXbNCpW3
QrGca0vLsEej5GqMZJ993wUnXRMXqbVBqFDaDuy7HEx0AmD64+u33784fH1g
G7bs3h5g6HcJbLJzAzA9FU4gfVPdJ2F/Fxge8HOcUOQG2r1NX+J5PkcCGrtm
NQqbxidxWecJV7lvKpDTIXcMSzSLCkjOX1399GB9nNL5Ye/14cHR6dnp8e6L
F4d7ZycHe8cHp6jEfNjR3BN6nEi+4nqKsginPvzyTCcHx78/OF5rpvW0rM6Z
Dv7w7u3xKcy1ao4Ws2T7iF4hFk7QltswTwenyojALrHEOIQcJj162MfYe7Gj
CTYfA5Ri51iKZG/1ONh4GewU4/O5ptbT5dwT6CC0YrPENL6ORkAvZ9QBOYRd
s0WjWbUhhd/UZW5YZTKujUQdEXKRmXA4PkPj4pQz9BEV7QUiEN7emCnASPaE
MlbWluHms32XoxIL2lmZD7MN25HhQ091AC83IWjA2wfpwsMARrHQJHruOeXI
NtU1J2zifs1bYgtmmm7iR3DfJwKY2Iso1i+oo5GmjH7b9covLFkDcwdfnhWU
bZJ1jCDVjNtQmkWahtMeHzbKtjRZoquWaAGqHtvSr4dapwzzwgZ5THJu/dvR
ByJHWaoy3aDqq7TqnonrPkVREoPOerW4E9usNbODsFVjHA0F4lziKPMv+5wY
1jGzG/PqWSns7ANXxF4MDXW7ZInj1XvXcMoo0rUpnIiHU7jlXWH/XCZhQ27p
WzsIEqkyp4BzNH14VtRSb8mxpb5foPteFZfbFNUs0EJz7uaMRkbCPLsRI6wF
oTLYa4ss3zwgVyDsbHbFHeSl9XrNA8Byjrvi7qP09bSWG/daENb65SWDeNAL
X+NNubTssI8N901vEWx61i7HURHDyi/vGtyO8bRwEjCePZfeFO04tKwYwt+2
LYsQ3ht8JaoRvbTyWEL8gXN/171n7e+5Y2RryYsy1XFnPXHhjxpuwwf2fGra
guu32da7PeAuQdwMFnHA+I1G1FStFXD9qO11HVYr4z/+1hAxHujnKvRqel6/
ntqwZxFfLDZ6qh4n4kkEg4G0gDHBBhyu8TegrPXOcvrWznJBMyOzBrUGQPCF
tFx0ElRjRQdRA14D3clp5k+sZu6XCUmyBXfoxFVGSrjSh9r5fliHT5mIQRjh
POW+eiBkb2Dro+FyI2jMNyDObRnyexLBOE28tfXjO9uu2CjIlKp4cnz6znZO
7qPNuX+yBx8VoGKjqRmPJZeyP7A61bAkMKiS6qZxLUZcqTw/Z91LigOx3RPL
fhiequeLgjqqG+On12HZa1JZvyTVeUkDezxSuYaSz42oR4tDi5dnPiWtLWb9
RoJ+zGllmKNdNvxn0s74m6cPv3Fes7VMb8bk2eMp3GaJBykTbGS2Hgbh1ZlJ
ZcvpxmbTNDMe+xs5drV54JzTaKSW6kFSymSjvNiw44vkS6FBJqT3hrs8nseK
zlB86xtMIDbMK3ZlJgzWN7uoLmwK1v/qTY8LO7MEAFqFN3ATmrCqSMpN8myk
phFwLBmhVgfXFXtXVp9lG9mtUwyrXtdetm4s7ndYH5rLp5Sms7zLLIzaNAlV
51o+MtZM+Sy4mA6cwsuoF1u5zIYg5mW4WmBeTnptaVDsdVHEc6dWFLu8E4oD
57A6LgFDW3AKnTS4rS1rCCvQJlS5RfHjYa3yWwx0wCKcc5TGqT9NflbulcoS
H5e0aSE3DEba0Roeysi/KHTjB/3oyriWQqaBpXcOiRqK3O4twpqnUDJPcxSA
03xCgjCVbjNOEXR6SNcJU8GVYtwHNb4oFd04uoCjq70rSCz0kNmPncguYJ5B
wIbSqy5SZI1GZMGirK7YBmPjbLVe1V962w9LriSTCc4bgBavivKvnlif6R5a
VrUFGOcIv3WMx/4YA17L/tqLacI5rsKN/pRH35clrrvAcJBvgkHE2hnCOtA1
Ksdl/GEi+weKmqePwUj3932G5wk97EGg9ivoQM/EpsM+TiJ0hn3VDcG2HQsS
X+RcT54+eMILzq2vDBicEI3kr1z2vLHSoOGvFL8jKERDkqWO5ihXElw25EQY
dYoVCsnzSvZtgjeC4C5ya/S12Isoo1oqWL+gkQ2hApJsQ4SD7BJbeIXhIMtt
oTwXukABBmT4T5vcQ+gHP4mRuAUugvfjYLaxIWN5922tNsiYi8owTGLDHgIV
kCBJDU0KzxTGeh9Rih668igvg11DziWOLlDm/I4w8TKDQloDLZWMzJTzHK5/
qTz11zOVlT549A2d5X1L3jw685zUyTfrw9QMEwBrlRTbr91UFCsVtV9eipcf
ryvNgaoV0rGhtBsNb48tITX4AAZh1Ly6kGew5tHg0eAhW7MQdx493d4m3MGc
KFZ9yZTm0uN3Q9kSQcqKZ953OdAWWlcbqcae2PzKTS3mhM1AhlIbSz8J5Phc
BGfhadx+mABfPCGs9XNb/du6OcKa37t1Lz9WecyLqEiovqBR3diEJYMqhC2O
jMAAbS5TJvzrTVK9AQ4+J4MFHB2TN45zt4KcH2gwUCckjHvrQAFgGBkZmTkg
0vvAgTnCUogTCgIIj4qmyalcogRt9BQeHoxaM1GQAGriRXBIDg20nWNsea6A
UXvG8AHSVynC6B2+rNgu1/FgugCTS0Wl6HrW0moBoLrKlXN97tShz6tk0v+O
XOSSctoES9UFlqLfPPyKId1Yi+88icjFn7nCTddG7CuDgewix2Bg18WWL8Jz
4/mIRB3FQ9ULT9pbjfBOoyMq6wz3MjVcxhkZWSgMrRTvb0smivPugjRmwbpZ
2sYvRBc30jQCWw5z/0i92d1zQdO+3QxPkjaej2tAubmWm2xLrKECr2UDYJHJ
udguu6uAaPgCpI2+wlNnGhDELPkBAxaV2CDtjBx10FS8SGtBtzWibSnhbUeq
GYARuZg1LWlPPQswqg1gUESwonQXsODW7HXhlbwy+XgIQV1oZQ2vnTZPG2sc
pI+xDiV5c1ykQrU2PDdhITSmp9t0LcgJl7Q0q0ECBMLdENOPAuud07dwCj+p
tdAuRgtvoGtKgmPVtmkRCANlTWTqu1yAJ5M2qzq5SngOYB763J1BZssKsQ2c
DF581HhRRcWvdL9YDZq4pWGRcdnOIVkDiGwYhWWIwq9Y/fQ4ISFmXZgjSE+K
5lGXrWddsjLAYw9UEAXgAYLNEPCD5z3ZCg/xcQNhaehxlHCEFZbwVsKsxTtk
mDvHn1hm2VSxiQrapri77w5NqPm5MyJz0jfWsu2CdQRuAp9OzK7DrjWbc0WZ
Xc5+sQFP1h6malsXQwPIIj2Rm+CW4zmrY9zsirEe2V7VUHFBKsbUZZuE75GA
0DVTes0KiffA0dSURrcokLfJh7HIpDwtVYeNrzmpNjw1Yxun2IQ52/ZE4FKz
fGQVaZ7VXyBejhHgjWnGs7g8422J1YX1iHbzE0dq2jSONYmHugOyRgZLNYk3
XawqjJ12Fd3vRJm5o07DCGYt2oy1XgCSJLjCRVzGSxdp01Ju78yYDSjOo8d6
o82Qj7FW+zyCt4aLFEsBoimXbBNXiJNWRUZhn/RW0h+JZeYu8ceZ/4ZVQ+8d
B1yD+f6hF9RPbKTJofH6VqpcrDHd+hgvHXlFPgTq2+Z+VlSUX+DM6+mm15Vp
VV2mffdyl8TRoBBCmztQG/FpYfpofjAw63opRR109bGhqmJqF+mRssYa3Kkt
asCv8+Csj0Jy6GTwlw9NkfYDBWmIL876xC1lNG0K/PrninOgpHwmWbJjciaG
JnkjdQPZXxKsfL5WspvVmgBi0JALR89C/ool6QFW4PLFpOwkV2ITXZEXVuHk
wvQart5rtBVUox/Uqw765eFxbIrEJFg1+qDx3+EfbLNv25QNuMfJr0yF/HB7
9ZV8iXWT8XlrLTOjjDpCuWreNLtJTUOgWr2MK1+qzqT7QLhgLzugZgNg82/E
HTH7XDUKz4hDDXuU6WDRlO/cNoPAkQwnx2L3sCopAeV5GmxdNtvkAyWaVvi2
lkVtZjTt13yDQWn4EJr+G7kUwfbEPk6yki8RriZe9nCYk1qDjnaXH1pEbgNT
a3DE9bTPFSpHHBrP9k3aJ6Kvf9r10v91auWbzr9YpfN9Fzt7zx3iQ8gc45ht
r1XtsJw06uLkPqpgBAWV2yfTdj27ldk0F/ttNfYPVCgqB/Bs0xiI8QkH+xAs
xQChS7Ib5YRfNjegRjOj2XkyWSTVMiDHWY4BrQmw3r8a/zdRX3No1FMVNyDy
tFlM+/korwAG9kWykYRhDouo7qWwKCMQl7WIYX4VZxNjA30RURJA6edArJPu
grlnaeAQ9pNq2BVN1FQ4ZUBVUQjG35+jJLz9+Cl87Yu3RJZZaDkZwlpxOFyD
F1P58YsSv0ETbqdpinP6SlPriGhXM7LKaIe+tO8bW3qYkjFlBoWEEo6OeWXl
7KZEWPJskhPFI/8H7gPVJxfJdirEyeXGW1uyCQ9Ba3sfQR89D1ioSlbA0TEi
D7pkvkhJOlzMUrrejAeTASb4v4yKEUnBFmLe5JRdsPny5M3WFupd9eTCtycD
9QZGzongmlRBePU//vV/gtjEoYjlMM6iIslZqYVDxBXDA401k03L5evImk3T
C/jEykjw1gw7IgnREM9LzV96eoXiHPUTtkuQBO80voyweqZpFdF6hpoVrVLy
B00/z86oThHtW7MueWuesV5SJweMzKMRMnuyGJC+WbqKQqbgVU3kVeqh7RDV
vvrwnoz1kuF4xBl6qJxwkVPxzSgfuGvZsudL146rCuODWQ4JSr+9NP2l4CqV
VOeppUVyQBAAclJe9EwsS+BWAMIHiJNnJinKyifObAVAkpIiajc+aEdvHA8O
GWGKjaqkvXE3a3LjS/iwXYB1ZClKpbQI6nVIpRtABB9hFzIESPac+Y+3kIpa
ojfZi7Kmc8auxNOEuqIpGfQWdqtMIHi3lt4ushQX9fGjdWbdmFp7HHaMviqh
cEENBs8OEb5qAvd7jbtT/t1RnL65vB5lGmN2VhUHTerY3YtgRd5HJO5Fniob
ojebLTJrr/gFngwlmMUGkLiLj4ahYt4ua1qrrJ7UpkCNpNv1kzFCuzpoCEvt
G2GQjNmjYeE07BBYGZHBBjGxHY67QAVt9VDWo9vgi40CHobqdWmk7lDhtQ4C
EZ/nU2AShdQZsbltJtPHvldzYPRsB4TOB4zmImG+65d+wIAejjewJJQyQjEC
OkKFgZAZsaFRSMedpE2J9JCS4hVsGwWpQ/2ZSzRVzdxgJnrAR2Dlsu+Eudvj
Z7bUkapnJAHJRSAXtOpejmkwKD6o1hsNg/2IaHsFJxrHZDijT0gHK/NY2oly
Z+mGINCf+FtKVhLW7yiDuyR/LofAd7/vFW8gKuTnJqEOQ4cHAGMtg6r9hJxM
puu+HqvgcQRu8L5qvA/UHbUM6ypDVYc/CfdGDRLiDN7o5+M+liVOhmhjzU+2
uvM4PZIFgBxjfzoxWlnJHWPN0Drfn0UZ4AI3JwN4nsYR5pTDOlGhwogP6gHO
2CbtJDmrZBphe9S9d+81EUkq3OC1p7NlBTjBhCJeLmNXcJ1UJtxg/RxN60q2
rwT2lxkMOOHHyLjyOjHN7sY0YDbkhqRksCaK3jwbMzMK4+acBxRcSRu1RROo
E3qH+7ppyIkyzldzGG4jZgw3tjiNAYxj0gbgBXgmldJWWOOJErZIXrNWEHqM
ZqxIiE1YPnDJujwEWVyo8RYsemORmcinM6F2G1wcRkguqchGngrkSYC3t56K
9/0iGUXYh1Dt2wom9o5iDG3jQOcWpOZQAHxZqCi1W8TpxxHo2c5SVPZsbPcU
dO6+d5kFee1FdnL9HjHfH0OgMPfQlilC8UQbS4AmJ0eaUOcwdppHKa2lk0ac
A+6PqZbQBKlaBU9WTNM0oBvzGS6r9YU+3D3abWjScHS4shdpNIG/6BHpzgcA
JzFoo1ENpjGF0mZ0b9j3N5QtNAAjTEBrhKdIH8Yai/1j+ejmhhBB/x5jDHf0
6Xf72/gnDqGPohl81NJ0Bp+QMujljt57CVrAAX52jOLEjJ7e0T/yJ+SkHFJh
Js+GY/catJ76BXsOxtlQtR1T7/gVe36If+7HbKKHE+vcNYW8vX21zu4a5Z9s
5fiTxTl2iyr1sV3lFwlQ0X58seibld90HAaSYyquglzYbpPO4PYZN3q+6m19
fRuntqv0a/I1Ws19E8bd0nR8aBYrN9yUkyJfzFX7+UrQSbBEsf5TJY24dAa6
1pBmyUMnBmXkL/JrZaY4A52LDE0KoM2KAvz6xHerP/mXin/x9cFv9uqojDvW
bm/5F755AL83697Chz/C/8OgFXx8u/64dD3tev5h+DxXBet8+lH/4ZMn8M37
LCpLTpP4hP9T6gitwPQZ01e54Q6wOCVYcOcnySCAaDNcQIUOP6ytTQBoAplP
gnzZY+PYcXLkx4+/PX6x9/X2w68wX4cDTvPUaIKKc3AjSbkDTsKpda2tw7ef
4ls03GO00MlwjSEU1RThKXWQxUg6fT3Dl4tOY6i9c5NLdl1QlIlL1QMbJLdl
Flf9fZCEK71pHGfIAsRtwmm6NDIrZ6R6w6rI0IUImyC6KnuR0qVb0tMla7mk
Rllo+hot6ErQpokpWIsZV28HHY/fwKwE5rS7mTlINM6ZKJ9ZTgXf+iOQYLBP
92USX0kgaWXK7MOjaE+bkkyGuje2iwfamfHqFYBLXpSx13D2dtoiJtMgGZ5L
RNyJqidxGdD1cMDXNOBdWFsXJfDwH027FsW6KUFnAQvq9kH6mqkYhp6+VNot
szs96srma+K5PvLTUGzhgC63OS6ts+JF69Iko/M/Z2ktJTJgnIN6MMbfcQ0K
L/A8Gl6g2LUbdFMG0PwhlsSDNLmIpTRZdiGmq9k5xlwJBmycnvz+h+9t+qTG
3Ep17DwsJUIYVhk4jaPZhh/FwS4RGx4j4yKyqyz3gjHYjd6jFPwd/SYCPSjN
9XGC2RC5fh0nVYZf/wFI5WtQZXvqn/NphjmBVVmi8L6XRotRkoPuXIyTIunp
74A4FEikjiPyS73Sp0mxAM0sLq9guuN4BDRH/Y8ICz389a8RiNr6JCoucJKX
6BgHXbIcTvMxqI+Tnn6TgFIYp/r03//tOub6H+pNNMlARfkBsbpIQUpHV5h1
/GC9nqvuA4bhEnu+yskguGJRVGHovLhAqP0exQ2gwOXl1WRLf58XgPMv4P3p
omAPMKwFQAqDJWL06iMpu4rT1BiEhRUnVF4AZCgphoRtqvECMr2/oKogL5LV
C9+PgMzCyWZ/xl69Pf3Peay/S4qi/y65rjDqHO9jmvy51JcRDorPnAzzqgKZ
ejEt8GxBHQcuq/8ZYJLuzQymX0WjxUVPHQIsJKCbLsrLCAQrkK6LZAi3VQLC
pvDncTKOgA+dTOOLaf9HEKTGPbOJ02k+K2UV0yXQvmya49d4pPid/kHSnxx4
MovQLLlXpbRDIwrP/dJLKU1nzO1AgvMry7mZ0/r91VdWc1HW/UdPtYU9mLLD
/phwW9EEZEwr2ezOMYUzuSbZzxa4wiFtR8fkMlYmD1msecB1EjHJEeeVFBpW
t0UbHsPuCFGXJn0P/g9qKI5HZYzJrYJWgmxJuA3kKEJd07hVg+XZdRtToZlH
nccgZWCKT+A8tx4RlAespOsqRpB/CqO7xEs0IsEEmTcVigJRDJmaVFSLARFz
MhahDQfvDoA6Oj/HKze6u923rf2DwiFwTv0lCnm632T9m6b7Az9TzjsekgYP
+BQ2eGp7qFkRF5/G9k19j1bHUueOF0gClJd9jKe0T35eehcbOTUtjfNoidaD
0tb9kyAPBL4a9LqYToJ0c+YYPE/t5oigSl9AiogvKBrEJHuwBWXk90MHUgC3
cJ7GNScIDmozDMls1w7zJkjCiUqmSxopskcLZCgwqJTkwj7eGht26//41/8j
dS4YhlN33X60k8AdsR/8bcm2fbRqvY6rKhh7F8f+LhzbRrNieZ3C2WWiYBoc
7iROx/00z+el7e/myeu0+1qdHbZVcWSFwVVyUAysDQHvsEmx/KAEoVWmhLxJ
MuVrMqmhIRhI8IrtxhrOQIU3dBSVl5P2dl7cve3kdPf4tF76H8UihBI0LTwX
01TPfCFQ43/HXxif6fMHwVCdk5sHABgYJhGZKVaA85oBB6kTxwGaUujpMq7c
LKZ1wuWq7f2we3h6dnxw8q6+PTfMeov9pPUf8R/9RwQwPIRLNlviojfJrI3e
Dzbfbe3Qo/AsF9goOKx1gLTE71RF+ww+5ffwxT66aWmG3/BzO/rw+6O3xwfe
tHRqqKfBRrbkVXjXvfr8uXl39zsQcluNpua94MVv3Xu7R/tvj+RKpKOz8ppM
fBneyoPwO3H14g28Pdo/ON4xNw0kma46uOSeCrpXSCw12mj8ZIHMRqxRrwIP
P5AxKrxdpC18R24mPGaqnmiX3xzffEOLRI6wWXeTYRYuklR73GL7JrqLhHTT
II7eea6pOWj4oEeX9aaHS/XHa6eq1wD2F4dHhycvD/ZruNz5BlXJwRpzyEz7
tF8vA4y8A+GmB/AU+1ixvC634jOx0QW76DC2yKvnC1S4G/JwuD3GnL7xWexo
UFCMt9bYsuj+Xr/94eBYp/F1MrRRZj7qPEPghReiFITJc5DShT7aXtT/lemj
wPJfPpMMCv7Vd7GK2q3CU8IwqjBBcgU+SiUCxp4X5BkB8gwdaCVXkh/GnvNs
XMQxwXo7EtawqmxHK+yNQxT+8Axgf21+QE/XrvOu/MBejiE0t1CLdgpQtpOA
Tvz/e6K/wxN3s3T/nmdrM8tJCFlQr5Z0uSUE2V1zUtVvGrkf3vavTjzIb/z3
lq5OSarGB3eNVmJiSn1p14nP1N7Xf5RrIJZOeWoXoQd4B8U18GBLUKyT1wjq
kqLXx2bX9jnTOlhyg7wMnWgyIfVxUXHopW38CCMcILM3hedcv2L8ysa+wTzF
IrZpBBeuX7MLNKkH8fcR5s9oH4GLONgCRlXEohFIyJct/IBDcGzZGWJPX7LK
YCE2Qt4VXIAtlmZC7v5NpxNNnmPDeV7C6R/63gb1VZFUaIShTPTG2eDr8XPv
bSndE01AqQYojUfyInY5mnkv6s0roySQAIXccwtHs1h5X3jJfU8ove8TJPOF
/LG7d3r4+93TA6AXpwdHp4dv8UNDyOVZVkMFhBiwymduSr8HYFlRgwQGPrZm
Si0SgDzhwi5mATHVS8H2ClKlXjOFDguKtSS0uKVsYBJHgnituI2kjC8G3CYU
m7nUjFSD9+UDjg+9QlIVyAh87UShMJGRpIuRjSg1lWswTJhlhyD8kl4jaYIn
WRl4YAfFQ/un0vYPI5e/CZHmZaIwnWdxbbboHOsfo7pLDjITn++dqqkYU/rz
2CST0lEzIV8BWdSbVleUyBpHCgEuCueVY0hlWKF9z6JqOLU1tJBtXSO3OniG
pAh/2aL6BJL7QtoJN02lengO4DctcYGXtrcwuhGJy1WU4Ic9so2QNcREc3Mg
OVmyqIzhJlK1tvTl6nrLN2p4XSaM3QPHZsJBQRIYiML2E7+SnmMHQIQWRVZ6
MlBEdMAehT97cV0vD2Vi1kxVDS+qqmKmyYeFcgNHJtd3huSvumZI93jWkJs0
l16tHOzFs2PfsRVBHJX1A25i9wCFTnFWLxtgG0appHRciOUALuPCUMDZx162
j6mn5GwSs/yS/WWGXpkwTaKSLQTCyALMdeBwPOCpq9k9L4RqGCoSfL2AuVgO
KUTLgJxY7OwZ7PMwVBAvANoHW7byFSVk+Egn2m2Le713uzJr7z3UZ2n1RNd6
vmoUon5D95Fanu1y0/s5uSW9VmBuThgTmUoA5KbIBld6qsG5K7RRTYNmHufA
bGxhL2mpwnKKb3s09ITJSHENd8rNbgKhgKFzmMZRES4KjiiaMIqEYpXBXoA8
ww5RfkAWOJboYwn5NCFXSBEpjiBfVMbujLSWDJj7C0YMP7IWbyJPTW9KHBUm
5T1yMyGUknAfW2hXPJWUiKWgHzxEhywjcSUAyvU2yZKyw7qE9aVftZCxdEwN
IwQkqdcQhZ7/GXOfMZCRJqyRvnKwhgZc0zBaleGaIlVnDD0dYE+3QtKuXvm2
wZ9QsKuuf27oR8RMblOR/I20mgVvVZm85f0JH3T/yM+fFLdfdf/YIe/6BSxh
haFxa6frPfqpWQ419i4W4+Em2bdf5/l8a60hjAURh2BlDLS0okAJYp3Xv/VW
YEyJDNfPVr7f9hPA0d1fr5sigwH8P/DoUVYguNsEyQMFjy1vpJYzVOGreGs7
vhrzj/+oYzxL0VXqY6jam/QsPdf147/vNfL95Fk9f5JRfg6+D4uJeV91IQ7i
S4suQsjO23leXD/zpiAbmNn58+1nsIR797rR6p6/PLKnWOsrITyLQT+vsdIm
iiMrc9wbJU4zz+0oLg+ac7MgcZ9OOOJuJo5QPRJcxSl/AhXSnHvFx+OdyINn
ISivS7jqO2y197T9rENyvZHJLtSiPFgDkSgPgeVklfLgxABTfatLCmhoFaYu
puGFHiNsskFJRjEzSK0aqzq4Qih4jSTqtJtQMDnAmhpYAyTe2SIej2tGAhEf
ySzF4UsslpW+AO7PHJp2jKRqZ59Gvpwv6XKbHmEBDEfbyFYvfI9XjSXIZene
ilC2zkt/1cESrWXGFcSUilg1uRFOe3UHWeOE/4Cw8xe7RFfoNqhmIYTZaPZN
Y6QxM982qTj1P/jGaIZNyZxCI6Vcq/XfN/0NsD3EZQZTCyBeoE5sK4M2Cg5I
iriVknuNEgT7kiLqRddLqh+VGVp/k0nZUBydSoyxTqZI4ZrdfjeB8G6x9iiK
tBvXlNNxeoBTfSjDuE053RSeR+K9TwjZBNDD96wiWgb65SZyDpgI/uXnWGXG
a6nvmapIX6MVDrOA4SZ8oKYo72segpSI0lFgz0xhCCqc2rHDuaoGtmziWFQ5
Btxw/rZgPbcBES7OZ+dy63gNGKAbZ7VDeLA1oLdMXjHWbcZI2ivM3XCKgUfL
npmyR+R2KT09xJR+CIV9hIMW64dxPhRbO4ZOoB4pwgcoNJudIswW0SrvazK3
M1VHzIHZgrtBAy1r9j2+Au/d/zKaiPHCBQz+zorI5zjk6tKI884FShF+5Rxz
ZBUwBVJ6hDbGMMdVcj26hmM5WYcJ20qSttW5zaafDW/DimHPUQhzW73X2GPg
UpOT5u82salrUVmT1JZ95+8luvrQBM/e20ZoguO+t92Y1/81EAvprkgsXKW/
glQou4MJYKr/BKnwk4/fzx+IV8BRsagylPOzREj1hX57iUGyWApx7DJ2vs8j
DLnfdYWvvOorUbosk9KvVoR/LSrq/U2ymyl50taAJzJBjV5/JQDZMUeWjbz4
ehtTactrSBZtzkwjqszknNIhGQEgCseX8eoEYL35bg9TV9uCvU2n4u4UPccx
qEDLnOWjWhYKV3e5sVUZbKXs24tkc4Wbcy7eICa7oLIHhvJJxnxHbqjEcqZU
JVDSNvy0e9d2nIvBhOUA6pn3fi0FfMmroCi286C/hl9mAGgS1Regu4fZMdVk
aRuo2hoq0olb+titTno2/khKoW6tQcEShrR5LBvtKxh2IkpxaTTPsiJ1nrEP
C+tJm3VbmKVI4HPYaD8ej6lNQQewkFhJybJcyic4TilaEXFKBcUovklO36jV
NTYahaLqBUTGq0oJeBfd1qCytBX2RhQhafWnqEgT1gjcOVKbP1P5gBAOh3qB
l5hhcQ+E472g5tShPXBM5j3ouMHAMxPMSABza1I8d/qSTK6yAr124nWqszHW
4lwlUPYmIWvy6bTZ9qQO2B24dxtghZWBvvSLQuWu7Ik/ryvZT+0bUEcEqr00
8ePmbrA6AQkN9RkaarjrfiBBMK7WSjCx4HtYPoJ0dHcbkoUmpbkx19l1rj4x
/TStQiN+vK7q2lRS0OvgLMVzOUG+J65uKjYF154uSmr9jcI91ZbzylxJFAfP
7nUkbVYBO4YRKKMJBHQZq21xcTovXT0YYB+GmnGL3sAtUe/o5hVTMLUUTB7V
vu1FgJOROYfQu8ZNXKWbHqtfn1/Zv7OurNhmuJnXqrr5VVvnAlfcsN42IihG
NtB+wb6O8jWuQy+LtGWtBNCco9UkMqBZtbSt5HxPUi1sdWgyN6CRpQbxVCzb
q1MNu6V60wpL2kTk9LJlt3EcJgS1MkkD9f8A/RlConECAQA=

-->

</rfc>
