<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-liu-cross-domain-txn-token-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Cross-domain Transaction Tokens</title>
    <seriesInfo name="Internet-Draft" value="draft-liu-cross-domain-txn-token-00"/>
    <author initials="C. P." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei</organization>
      <address>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <author initials="Y." surname="Ni" fullname="Yuan Ni">
      <organization>Huawei</organization>
      <address>
        <email>niyuan1@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <keyword>Identity Chaining</keyword>
    <keyword>Transaction Tokens</keyword>
    <keyword>Cross-Domain</keyword>
    <abstract>
      <?line 55?>
<t>This document describes a mechanism for Cross-Domain Transaction Tokens, which enables the safe maintenance and propagation of user identity, workload identities, and authorization context across multiple trust domains.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://NiYuan224.github.io/draft-liu-cross-domain-txn-token/draft-liu-cross-domain-txn-token.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-liu-cross-domain-txn-token/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/NiYuan224/draft-liu-cross-domain-txn-token"/>.</t>
    </note>
  </front>
  <middle>
    <?line 59?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Due to the rise of collaborative service ecosystems and AI agents, services frequently interact across domain boundaries and involve multiple service operators (e.g., enterprises, cloud providers, SaaS
platforms, etc.). As illustrated in <xref target="I-D.kiliram-agent-trust-auth-framework"/>, workflows spanning multiple domains require workloads within each domain to perform subtasks and pass results to cooperatively accomplish an overall task. Moreover, to ensure end-to-end accountability, the entities and actions must remain auditable throughout the entire call chain.</t>
      <t>This requires the secure preservation and propagation of user identity, workload identities and authorization context across different domains.</t>
      <t>Transaction Token (Txn-Token) <xref target="I-D.ietf-oauth-transaction-tokens"/> defines a short-lived, signed JWT that preserves immutable user identity, workload identity, and authorization context within a single trust domain's call chain. While this mechanism effectively preserves context, its applicability is currently limited to single-domain call chains. Conversely, Identity Chaining <xref target="I-D.ietf-oauth-identity-chaining"/> provides a framework for cross-domain delegation but does not specify how to leverage the rich, structured context carried by Txn-Tokens (i.e., the claims of <tt>txn</tt>, <tt>tctx</tt>, <tt>rctx</tt>, and <tt>req_wl</tt> in <xref target="I-D.ietf-oauth-transaction-tokens"/>) .</t>
      <t>This document bridges this gap by defining a mechanism to use a Txn-Token (from domain I) as the input of Identity Chaining, in order to create another Txn-Token at the other domain II. This approach enables the propagation of workflow-related claims, i.e., claims of <tt>txn</tt>, <tt>tctx</tt>, <tt>rctx</tt>, and <tt>req_wl</tt>, across multiple trust domains, ensuring the integrity and auditability of the entire call chain.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
      <t>This document uses the terms "Workload", "Trust Domain", "External Endpoint", "Call Chain", and "Transaction Token Service" (TTS) defined by <xref target="I-D.ietf-oauth-transaction-tokens"/>, as well as "Authorization Server" (AS) defined by <xref target="RFC6749"/>. Moreover, the following terms are extended or defined in this document.</t>
      <ul spacing="normal">
        <li>
          <t>Single-domain Transaction Token. A short-lived, signed JWT that provides immutable information about the user, workloads, and specific contextual attributes of the call within a trust domain, as defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
        </li>
        <li>
          <t>Cross-domain Transaction Token. A Txn-Token that preserves and propagates workflow-related claims from an upstream trust domain to a downstream domain via identity chaining as defined in <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
        </li>
        <li>
          <t>Transaction JWT Authorization Grant (Txn-JAG). A newly defined, specialized JWT acting as an OAuth 2.0 authorization grant (as defined in <xref target="RFC7523"/>), which carries the workflow-related claims, ensuring the integrity and auditability of the cross-domain call chain.</t>
        </li>
        <li>
          <t>Workflow-related Claims: <tt>txn</tt>, <tt>tctx</tt>, <tt>rctx</tt>, and <tt>req_wl</tt> claims, as defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
        </li>
      </ul>
    </section>
    <section anchor="workflow">
      <name>Workflows of Cross-Domain Transaction Token</name>
      <t>By combining Identity Chaining <xref target="I-D.ietf-oauth-identity-chaining"/> and Transaction Token <xref target="I-D.ietf-oauth-transaction-tokens"/>, this section describes two workflow modes to securely preserve and propagate workflow-related claims across different trust domains. Both modes utilize the newly defined Txn-JAG as the secure carrier between domains but differ in how the downstream domain processes it.</t>
      <ul spacing="normal">
        <li>
          <t>Mode A: Indirect Txn-Token Exchange via Intermediate Access Token. Workload A in Trust Domain I first exchanges its local Txn-Token with its own AS for a Txn-JAG that targets the AS in Trust Domain II. Then, Workload A presents that Txn-JAG to the AS in Trust Domain II to obtain an access token, and uses the access token to invoke Endpoint B in Trust Domain II. Finally, Endpoint B exchanges the access token with the local TTS to acquire a new Txn-Token in Trust Domain II.</t>
        </li>
        <li>
          <t>Mode B: Direct Txn-Token Exchange. Workload A in Trust Domain I exchanges its local Txn-Token with its own AS for a Txn-JAG that targets the TTS in Trust Domain II. Then, Workload A presents the Txn-JAG directly to Endpoint B, and Endpoint B exchanges the Txn-JAG with the local TTS to obtain a new Txn-Token in Trust Domain II, thereby eliminating the intermediate round trips for the access token.</t>
        </li>
      </ul>
      <t>The following subsections focus on the logical orchestration and context propagation of these workflows. Definitions for the request and response formats are detailed in <xref target="reqs"/>.</t>
      <section anchor="modea">
        <name>Mode A: Indirect Txn-Token Exchange</name>
        <t>This mode follows the classic identity chaining workflow <xref target="I-D.ietf-oauth-identity-chaining"/>. The workflow is illustrated in Figure 1.</t>
        <artwork><![CDATA[
+----------+ +--------+ +---------+ +----------+ +---------+
|Workload A| |   AS   | |    AS   | |Endpoint B| |   TTS   |
|Domain I  | |Domain I| |Domain II| |Domain II | |Domain II|
+----------+ +--------+ +---------+ +----------+ +---------+
 |                 |          |      |                 |
 |(1)Token Exchange Request   |      |                 |
 |---------------->|          |      |                 |
 | <Txn-Token I>   |          |      |                 |
 |                 |          |      |                 |
 |(2)Token Exchange Response  |      |                 |
 |<----------------|          |      |                 |
 |     <Txn-JAG>   |          |      |                 |
 |                 |          |      |                 |
 |(3)Present Txn-JAG          |      |                 |
 |--------------------------->|      |                 |
 |                 |          |      |                 |
 |(4)<Access Token>           |      |                 |
 |<---------------------------|      |                 |
 |                 |          |      |                 |
 |(5)Invoke with Access Token |      |                 |
 |----------------------------|----->|                 |
 |                 |          |      |                 |
 |                 |          |      |(6)Txn-Token Request
 |                 |          |      |---------------->|
 |                 |          |      | <Access Token>  |
 |                 |          |      |                 |
 |                 |          |      |(7)Txn-Token Response
 |                 |          |      |<----------------|
 |                 |          |      | <Txn-Token II>  |

]]></artwork>
        <t><em>Figure 1: Indirect Txn-Token Exchange</em></t>
        <t>(1) Workload A in Trust Domain I sends a token exchange request to the local AS to exchange the local Txn-Token for a cross-domain Txn-JAG. See <xref target="exchangeforJAG"/> for the request format.</t>
        <t>(2) The AS in Trust Domain I validates the request, generates and responds with the Txn-JAG, transcribing the workflow-related claims from the local Txn-Token into the Txn-JAG's claims. See <xref target="exchangeforJAG"/> for the response format.</t>
        <t>(3) Workload A in Trust Domain I presents the Txn-JAG to the AS of Trust Domain II to request an access token. See <xref target="exchangeforAT"/> for the request format.</t>
        <t>(4) The AS of Trust Domain II validates the Txn-JAG and responds with an access token, transcribing the workflow-related claims from the Txn-JAG into the access token. See <xref target="exchangeforAT"/> for the response format.</t>
        <t>(5) Workload A in Trust Domain I invokes Endpoint B of Trust Domain II with the received access token.</t>
        <t>(6) Endpoint B presents the inbound access token to the TTS of Trust Domain II to request a Txn-Token. See <xref target="exchangeforTxn"/> for the request format.</t>
        <t>(7) The TTS of Trust Domain II mints a local Txn-Token, transcribing the workflow-related claims from the access token into the new Txn-Token. See <xref target="exchangeforTxn"/> for the response format.</t>
      </section>
      <section anchor="modeb">
        <name>Mode B: Direct Txn-Token Exchange</name>
        <t>While Mode A provides a straightforward integration of Identity Chaining procedures with Transaction Tokens procedures, which does not create protocol-level changes, it introduces multiple cross-domain round trips that can significantly increase latency. As illustrated in Figure 1, steps (3) through (5) require at least three cross-domain round-trips: presenting the Txn-JAG to the downstream AS to obtain an access token, invoking the target endpoint with that token, and subsequently exchanging it for a local Txn-Token. In distributed and high-throughput environments, this operational overhead can become prohibitive.</t>
        <t>An opportunity for optimization arises from the flexibility defined in Section 5.1 of the Transaction Token<xref target="I-D.ietf-oauth-transaction-tokens"/>, which allows the subject_token to be "any other format that is understood by the TTS". This enables a TTS to directly accept a Txn-JAG issued by the upstream AS as the subject token in a Txn-Token request.</t>
        <t>Thus, Mode B reduces cross-domain round trips from three to one by allowing the TTS in Trust Domain II to accept the Txn-JAG directly as the subject token in a Txn-Token request. This requires a pre-established trust relationship between the AS in Trust Domain I and the TTS in Trust Domain II. The workflow is illustrated in Figure 2.</t>
        <artwork><![CDATA[
+----------+   +--------+ +----------+     +---------+
|Workload A|   |   AS   | |Endpoint B|     |   TTS   |
| Domain I |   |Domain I| |Domain II |     |Domain II|
+----------+   +--------+ +----------+     +---------+
     |                 |        |                 |
     |(1)Token Exchange Request |                 |
     |---------------->|        |                 |
     |<Txn-Token I>    |        |                 |
     |                 |        |                 |
     |(2)Token Exchange Response|                 |
     |<----------------|        |                 |
     |<Txn-JAG>        |        |                 |
     |                 |        |                 |
     |(3)Present Txn-JAG        |                 |
     |------------------------->|                 |
     |                 |        |                 |
     |                 |        |(4)Txn-Token Request
     |                 |        |---------------->|
     |                 |        | <Txn-JAG>       |
     |                 |        |(5)Txn-Token Response
     |                 |        |<----------------|
     |                 |        | <Txn-Token II>  |

]]></artwork>
        <t><em>Figure 2: Direct Txn-Token Exchange</em></t>
        <t>Steps (1) and (2) are the same as those in Mode A.</t>
        <t>(3) Workload A in Trust Domain I presents the Txn-JAG to Endpoint B of Trust Domain II. See <xref target="transmission"/> for the transmission method.</t>
        <t>(4) Endpoint B uses Txn-JAG as the subject token to exchange for a local Txn-Token at its local TTS.</t>
        <t>(5) The TTS of Trust Domain II mints a local Txn-Token, transcribing the workflow-related context from the Txn-JAG into the local Txn-Token's claims.</t>
      </section>
    </section>
    <section anchor="reqs">
      <name>Requests and Responses</name>
      <t>The formats of requests and responses included in <xref target="workflow"/> are detailed in this section. To avoid redundancy, all illustrative examples are provided in Appendix A.</t>
      <section anchor="mode-a-indirect-txn-token-exchange">
        <name>Mode A: Indirect Txn-Token Exchange</name>
        <t>This section defines the requests and responses for Mode A as described in <xref target="modea"/>.</t>
        <section anchor="exchangeforJAG">
          <name>Token Exchange for Txn-JAG</name>
          <t>Workload A in Trust Domain I performs token exchange with the AS in Trust Domain I to obtain a Txn-JAG that can be used at the AS in Trust Domain II.</t>
          <section anchor="txn-jag-request">
            <name>Txn-JAG Request</name>
            <t>The parameters for the Txn-JAG request build upon the definitions in Section 2.3.1 of <xref target="I-D.ietf-oauth-identity-chaining"/> and <xref target="RFC8693"/>. While parameter types remain consistent with these specifications, the values of certain parameters are required as follows:</t>
            <t><strong>resource</strong><br/>
              <strong>REQUIRED</strong> if audience is not set. It MUST be the URI of the AS in Trust Domain II.</t>
            <t><strong>audience</strong><br/>
              <strong>REQUIRED</strong> if resource is not set. It MUST be the well-known/logical name of the AS in Trust Domain II.</t>
            <t><strong>subject_token</strong><br/>
              <strong>REQUIRED.</strong> MUST be a valid local Txn-Token issued within Trust Domain I.</t>
            <t><strong>subject_token_type</strong><br/>
              <strong>REQUIRED.</strong> MUST be urn:ietf:params:oauth:token-type:txn_token.</t>
          </section>
          <section anchor="txn-jag-response">
            <name>Txn-JAG Response</name>
            <t>The processing rules and response format defined in Sections 2.3.2 and 2.3.3 of <xref target="I-D.ietf-oauth-identity-chaining"/> apply, with the following modifications:</t>
            <ul spacing="normal">
              <li>
                <t>The AS in Trust Domain I SHOULD transcribe the workflow-related claims from the Txn-Token to the Txn-JAG's claims. During this transcription, The AS in Trust Domain I MAY add, remove, or change the claims. See Claims Transcription (<xref target="trans"/>).</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="exchangeforAT">
          <name>Cross-Domain Assertion</name>
          <t>Workload A in Trust Domain I uses the Txn-JAG obtained from the AS in Trust Domain I as an assertion to request an access token from the AS in Trust Domain II.</t>
          <section anchor="access-token-request">
            <name>Access Token Request</name>
            <t>The parameters described in Section 2.4.1 of <xref target="I-D.ietf-oauth-identity-chaining"/> apply here with the following requirements:</t>
            <t><strong>assertion</strong><br/>
              <strong>REQUIRED.</strong> The Txn-JAG returned by the AS in Trust Domain I.</t>
          </section>
          <section anchor="access-token-response">
            <name>Access Token Response</name>
            <t>The processing rules and response formats defined in Sections 2.4.2 and 2.4.3 of <xref target="I-D.ietf-oauth-identity-chaining"/> apply, with the following modifications:</t>
            <ul spacing="normal">
              <li>
                <t>The AS in trust domain II SHOULD transcribe the workflow-related claims from the Txn-JAG to the access token's claims. See Claims Transcription (<xref target="trans"/>).</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="exchangeforTxn">
          <name>Token Exchange for Txn-Token</name>
          <t>Workload A in Trust Domain I performs a token exchange with the TTS in Trust Domain II to obtain a local Txn-Token in Trust Domain II.</t>
          <section anchor="txn-token-request">
            <name>Txn-Token Request</name>
            <t>The parameters for the Txn-Token request follow the definitions in Section 12.1 of <xref target="I-D.ietf-oauth-transaction-tokens"/>, the following requirements apply to the subject_token and subject_token_type:</t>
            <t><strong>subject_token</strong><br/>
              <strong>REQUIRED.</strong> MUST be the access token issued by the AS in Trust Domain II, as obtained <xref target="exchangeforTxn"/>.</t>
            <t><strong>subject_token_type</strong><br/>
              <strong>REQUIRED.</strong> MUST be urn:ietf:params:oauth:token-type:access_token.</t>
          </section>
          <section anchor="txn-token-response">
            <name>Txn-Token Response</name>
            <t>The processing rules and response formats defined in Sections 12.3 and 12.4 of <xref target="I-D.ietf-oauth-transaction-tokens"/> apply, with the following modifications:</t>
            <ul spacing="normal">
              <li>
                <t>For subject token validation, the TTS in Trust Domain II MUST validate the access token issued by its local AS.</t>
              </li>
              <li>
                <t>The TTS in trust domain II SHOULD transcribe the workflow-related claims from the subject token to the claims of the issued Txn-Token.  See Claims Transcription (<xref target="trans"/>).</t>
              </li>
            </ul>
            <t>Domain II will proceed to use the obtained Txn-Token II normally, as defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="mode-b-direct-txn-token-exchange">
        <name>Mode B: Direct Txn-Token Exchange</name>
        <t>This section defines the requests and responses for Mode B as described in <xref target="modeb"/>.</t>
        <section anchor="token-exchange-for-txn-jag">
          <name>Token Exchange for Txn-JAG</name>
          <t>Workload A in Trust Domain I performs token exchange with the AS in Trust Domain I to obtain a Txn-JAG that can be used with the TTS in Trust Domain II.</t>
          <section anchor="txn-jag-request-1">
            <name>Txn-JAG Request</name>
            <t>The request follows the same format as defined in <xref target="exchangeforJAG"/>, except for the resource or audience parameter:</t>
            <t><strong>resource</strong><br/>
              <strong>REQUIRED.</strong> if audience is not set. It MUST be the URI of the TTS in Trust Domain II.</t>
            <t><strong>audience</strong><br/>
              <strong>REQUIRED.</strong> if resource is not set. It MUST be the well-known/logical name of the TTS in Trust Domain II.</t>
          </section>
          <section anchor="txn-jag-response-1">
            <name>Txn-JAG Response</name>
            <t>The processing rules and response format are identical to those described in <xref target="exchangeforJAG"/>, with the exception that the <tt>aud</tt> claim in the issued Txn-JAG MUST identify the TTS of Trust Domain II.</t>
          </section>
          <section anchor="transmission">
            <name>Txn-JAG Transmission Methods</name>
            <t>When a Txn-JAG is presented directly to an endpoint, the workload MUST include the Txn-JAG parameter in HTTP named <tt>Txn-JAG</tt>. This dedicated parameter avoids ambiguity with the Authorization header, which is conventionally associated with access tokens per <xref target="RFC6750"/>.</t>
            <t>In <xref target="RFC7523"/> and <xref target="I-D.ietf-oauth-identity-chaining"/>, the JAG is carried by the <tt>assertion</tt> field in HTTP, but it is used to request an access token. These drafts have not listed the usage of <tt>assertion</tt> field to request a Txn-Token, as described in this document. As a result, this document has designed a new HTTP parameter <tt>Txn-JAG</tt>. But alternatively, it could also be transmitted as a HTTP header field. The most appropriate design should subject to Working Group's discretion.</t>
          </section>
        </section>
        <section anchor="token-exchange-for-txn-token">
          <name>Token Exchange for Txn-Token</name>
          <t>Endpoint B performs a token exchange with the TTS in Trust Domain II to obtain a local Txn-Token in Trust Domain II, using the Txn-JAG as the subject_token.</t>
          <section anchor="txn-token-request-1">
            <name>Txn-Token Request</name>
            <t>The parameters for the Txn-Token request follow the definitions in Section 12.1 of <xref target="I-D.ietf-oauth-transaction-tokens"/>. The following requirements apply:</t>
            <t><strong>subject_token</strong><br/>
              <strong>REQUIRED.</strong> MUST be the Txn-JAG issued by the AS in Trust Domain I, as obtained in Section 4.2.1 and presented to Endpoint B via the method in Section 4.2.1.3.</t>
            <t><strong>subject_token_type</strong><br/>
              <strong>REQUIRED.</strong>  MUST be urn:ietf:params:oauth:token-type:jwt-bearer.</t>
          </section>
          <section anchor="txn-token-response-1">
            <name>Txn-Token Response</name>
            <t>The processing rules and response format are identical to those described in <xref target="exchangeforTxn"/>, with the following modification for subject token validation:</t>
            <t>For subject token validation, the TTS in Trust Domain II MUST validate the Txn-JAG issued by the AS in Trust Domain I. This requires a pre-established trust relationship between the AS in Trust Domain I and the TTS in Trust Domain II. Such a trust relationship typically manifests as the exchange of key material.</t>
            <t>The transcription of workflow-related claims from the subject token (the Txn-JAG) to the issued Txn-Token follows the same rules defined in <xref target="trans"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="trans">
        <name>Claims Transcription</name>
        <t>Claims transcription across trust domains SHOULD ensure that the workflow-related claims are preserved for auditability and accountability. This builds upon the principles defined in Section 2.5 of <xref target="I-D.ietf-oauth-identity-chaining"/>. Specific transcription rules for workflow-related claims are defined as follows:</t>
        <ul spacing="normal">
          <li>
            <t>Preserving the <tt>txn</tt> claim. The <tt>txn</tt> claim serves as the immutable unique identifier for the cross-domain transaction. Both the AS and TTS SHOULD NOT modify or regenerate the <tt>txn</tt> value during transcription. It SHOULD be copied from the subject_token to the issued token to ensure auditability and accountability across different domains. To avoid collisions without a centralized namespace, the <tt>txn</tt> value can be generated as a high-entropy string or prefixed with a domain identifier.</t>
          </li>
          <li>
            <t>Evolving the <tt>req_wl</tt> claim. The <tt>req_wl</tt> SHOULD identify all the workloads that requested or exchanged tokens throughout the cross-domain transaction. Specifically, the AS in Trust Domain I SHOULD add the identifier of Workload A to the <tt>req_wl</tt> in the issued Txn-JAG. The TTS in Trust Domain II SHOULD add the identifier of Endpoint B to <tt>req_wl</tt> in the issued Txn-Token in Trust Domain II. This ensures that every point where claims may change is recorded, providing a trail of how the claims reached its current state.</t>
          </li>
          <li>
            <t>Data Minimization. The processing or <tt>req_wl</tt> may exist privacy concerns that exposing topology of Domain I. The AS in Trust Domain I MAY apply security and privacy strategies to workflow-related claims when issuing the Txn-JAG. Such measures include but not limited to Removal.  </t>
            <ul spacing="normal">
              <li>
                <t>Removal. Claims related to completed tasks or not required by downstream trust domains COULD be removed or redacted. If certain claims are required for end-to-end auditing, Domain I MAY take proper logs before removal.</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="ops">
      <name>Operational Considerations</name>
      <ul spacing="normal">
        <li>
          <t>AS and TTS may be operated by the same service, or not. In the former case, some procedures listed in <xref target="workflow"/> and <xref target="reqs"/> could be merged.</t>
        </li>
      </ul>
    </section>
    <section anchor="security-and-privacy-considerations">
      <name>Security and Privacy Considerations</name>
      <ul spacing="normal">
        <li>
          <t>As Domain I and II may have public Internet in between, the correct and confidential passing of <tt>tctx</tt> and <tt>rctx</tt> may require encryption or masking techniques.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC6750">
          <front>
            <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6750"/>
          <seriesInfo name="DOI" value="10.17487/RFC6750"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.kiliram-agent-trust-auth-framework">
          <front>
            <title>A Trust and Authentication Framework for Cross-Domain Agent-to-Agent Communications</title>
            <author fullname="Daniel King" initials="D." surname="King">
              <organization>Lancaster University</organization>
            </author>
            <author fullname="Rajiv Ramdhany" initials="R." surname="Ramdhany">
              <organization>BBC</organization>
            </author>
            <author fullname="Peter Chunchi Liu" initials="P. C." surname="Liu">
              <organization>Huawei Technologies</organization>
            </author>
            <date day="15" month="March" year="2026"/>
            <abstract>
              <t>   AI-based agent-to-agent communication increasingly occurs across
   trust domains (e.g., between enterprises, service providers, SaaS
   platforms, and application third parties).  While many agent
   protocols and platforms can provide transport security and local
   permission models, deployments lack a coherent, interoperable
   baseline for verifiable agent identity, credentialing, cross-domain
   authorisation, delegation, revocation, and auditability.

   This document defines an architectural framework for a cross-domain
   trust substrate for AI-based agent ecosystems.  The framework is
   intended to be agent protocol-agnostic and to provide a consistent
   trust baseline that existing and emerging AI agent protocols can
   build upon.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-kiliram-agent-trust-auth-framework-00"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-transaction-tokens">
          <front>
            <title>Transaction Tokens</title>
            <author fullname="Atul Tulshibagwale" initials="A." surname="Tulshibagwale">
              <organization>CrowdStrike</organization>
            </author>
            <author fullname="George Fletcher" initials="G." surname="Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Transaction Tokens (Txn-Tokens) are designed to maintain and
   propagate user identity, workload identity and authorization context
   throughout the Call Chain within a trusted domain during the
   processing of external requests (e.g. such as API calls) or requests
   initiated internally within the trust domain.  Txn-Tokens ensure that
   this context is preserved throughout the Call Chain thereby enhancing
   security and consistency in complex, multi-service architectures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-08"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-chaining">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
      </references>
    </references>
    <?line 338?>

<section anchor="examples">
      <name>Examples</name>
      <t>Two examples are provided in Appendix A, including the protocol framing and decoded JSON payloads.</t>
      <section anchor="example-mode-a-indirect-txn-token-exchange">
        <name>Example Mode A: Indirect Txn-Token Exchange</name>
        <section anchor="txn-jag-request-and-response">
          <name>Txn-JAG Request and Response</name>
          <t>Workload A in Trust Domain I performs token exchange with the AS in Trust Domain I (https://as.domain1.example/auth) to receive a Txn-JAG targeted at the AS in trust domain II (https://as.domain2.example/auth).</t>
          <artwork><![CDATA[
   POST /auth HTTP/1.1
   Host: as.domain1.example
   Content-Type: application/x-www-form-urlencoded

   grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
   &resource=https%3A%2F%2Fas.domain2.example%2Fauth
   &subject_token=[Encoded Txn-Token-I]
   &subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn_token
]]></artwork>
          <t><em>Figure 3: Txn-JAG Request</em></t>
          <t>The subject_token in the prior request is the Txn-Token issued by the TTS in Trust Domain I, and the decoded JWT payload is shown here.</t>
          <artwork><![CDATA[
{
    "iat": 1777724800,
    "exp": 1777724860,
    "aud": "https://domain1.example",
    "iss": "https://tts.domain1.example",
    "txn": "97053963-771d-49cc-a4e3-20aad399c312",
    "sub": "john_doe@a.org",
    "req_wl": "apigateway.domain1.example",
    "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
    },
    "scope": "trade.stocks",
    "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 4: Txn-Token-I Payload</em></t>
          <t>The <tt>access_token</tt> parameter of the token exchange response contains the Txn-JAG requested by Workload A.</t>
          <artwork><![CDATA[
HTTP/1.1 200 OK
   Content-Type: application/json
   Cache-Control: no-cache, no-store

   {
     "access_token":[Encoded Txn-JAG],
     "token_type":"N_A",
     "issued_token_type":"urn:ietf:params:oauth:token-type:jwt",
     "expires_in":60
   }
]]></artwork>
          <t><em>Figure 5: Txn-JAG Response</em></t>
          <artwork><![CDATA[
{
  "iat": 1777724830,
  "exp": 1777728430,
  "aud": "https://as.domain2.example/auth",
  "iss": "https://as.domain1.example",
  "sub": "john_doe@a.org",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "req_wl": "apigateway.domain1.example,workload_a",
  "rctx": {
    "authn": "urn:ietf:rfc:6749"
    [Encrypted_Information]
  },
  "scope": "trade.stocks",
  "tctx": {
    "action": "BUY",
    "ticker": "MSFT",
    "quantity": "100"
    [Encrypted_Information]
  }
}
]]></artwork>
          <t><em>Figure 6: Txn-JAG Payload</em></t>
          <t>As shown in Figure 4 and Figure 6, the AS in Trust Domain I protects and evolves the claims during Txn-JAG issuance: for immutability, the <tt>txn</tt> claim is copied verbatim; for evolution, workload_a is appended to <tt>req_wl</tt> to record the exchange point; and for security, sensitive information like <tt>req_ip</tt> and <tt>customer_type</tt> are encrypted.</t>
        </section>
        <section anchor="access-token-request-and-response">
          <name>Access Token Request and Response</name>
          <t>Workload A presents the Txn-JAG as an assertion to the AS of Trust Domain II to request an access token.</t>
          <artwork><![CDATA[
    POST /auth HTTP/1.1
    Host: as.domain2.example
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
    &assertion=[Encoded Txn-JAG]
]]></artwork>
          <t><em>Figure 7: Access Token Request</em></t>
          <artwork><![CDATA[
   HTTP/1.1 200 OK
   Content-Type: application/json
   Cache-Control: no-cache, no-store

   {
     "access_token":"ey...",
     "token_type":"N_A",
     "issued_token_type":"urn:ietf:params:oauth:token-type:jwt",
     "expires_in":60
   }
]]></artwork>
          <t><em>Figure 8: Access Token Response</em></t>
          <artwork><![CDATA[
{
  "iat": 1777724890,
  "exp": 1777728490,
  "aud": "https://endpointb.domain2.example",
  "iss": "https://as.domain2.example",
  "sub": "john.doe.123",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "req_wl": "apigateway.domain1.example,workload_a",
  "rctx": {
    "authn": "urn:ietf:rfc:6749"
    [Encrypted_Information]
  },
  "scope": "trade.stocks",
  "tctx": {
    "action": "BUY",
    "ticker": "MSFT",
    "quantity": "100"
    [Encrypted_Information]
  }
}
]]></artwork>
          <t><em>Figure 9: Access Token Payload</em></t>
        </section>
        <section anchor="txn-token-request-and-response">
          <name>Txn-Token Request and Response</name>
          <t>Upon receiving the access token, Workload A in Trust Domain II exchanges it for a local Txn-Token from its TTS. The payload of the Txn-Token in Trust Domain II is shown below.</t>
          <artwork><![CDATA[
{
    "iat": 1777724900,
    "exp": 1777724960,
    "iss": "https://tts.domain2.example",
    "aud": "https://domain2.example",
    "txn": "97053963-771d-49cc-a4e3-20aad399c312",
    "sub": "john_doe@a.org",
    "req_wl": "apigateway.domain1.example,workload_a,endpoint_b",
    "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
    },
    "scope": "trade.stocks",
    "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 10: Txn-Token-II Payload</em></t>
          <t>As can be seen from Figure 10, the TTS preserves the <tt>txn</tt> claim verbatim and evolves the <tt>req_wl</tt> claim, appending the identifier of Endpoint B.</t>
        </section>
      </section>
      <section anchor="example-mode-b-direct-txn-token-exchange">
        <name>Example Mode B: Direct Txn-Token Exchange</name>
        <section anchor="txn-jag-request-and-response-1">
          <name>Txn-JAG Request and Response</name>
          <t>Workload A in Trust Domain I exchanges its local Txn-Token for a Txn-JAG, where the resource is set to the TTS of Domain II.</t>
          <artwork><![CDATA[
POST /auth HTTP/1.1
Host: as.domain1.example
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&resource=https://tts.domain2.example
&subject_token=[Encoded Txn-Token-I the same in Figure 4]
&subject_token_type=urn:ietf:params:oauth:token-type:txn_token
]]></artwork>
          <t><em>Figure 11: Txn-JAG Request</em></t>
          <t>The AS in Domain I transcribes the claims. In the issued Txn-JAG, the <tt>aud</tt> is set to the Domain II TTS.</t>
          <artwork><![CDATA[
{
  "iat": 1777724830,
  "exp": 1777728430,
  "aud": "https://tts.domain2.example",
  "iss": "https://as.domain1.example",
  "sub": "john_doe@a.org",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "req_wl": "workload_a",
  "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
  },
  "scope": "trade.stocks",
  "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 12: Txn-JAG Payload</em></t>
          <t>As defined in <xref target="trans"/>, the AS in Trust Domain I applies an removal strategy to the <tt>req_wl</tt> claim. The internal path preceding workload_a is removed to protect the internal topology of Domain I.</t>
        </section>
        <section anchor="txn-token-request-and-response-1">
          <name>Txn-Token Request and Response</name>
          <t>Workload A presents the Txn-JAG directly to Endpoint B. Endpoint B then uses this Txn-JAG as the <tt>subject_token</tt> to request a local Txn-Token from the TTS in Trust Domain II.</t>
          <artwork><![CDATA[
POST /token HTTP/1.1
Host: tts.domain2.example
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn-token
&subject_token=[Encoded Txn-JAG]
&scope=trade.stocks
&subject_token_type=urn:ietf:params:oauth:token-type:jwt-bearer
]]></artwork>
          <t><em>Figure 13: Txn-Token Request</em></t>
          <t>The TTS validates the cross-domain Txn-JAG based on the pre-established trust relationship with AS in Trust Domain I. It transcribes the claims and evolves the <tt>req_wl</tt> to include Endpoint B.</t>
          <artwork><![CDATA[
{
  "iat": 1777724900,
  "exp": 1777724960,
  "iss": "https://tts.domain2.example",
  "aud": "https://domain2.example",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "sub": "john_doe@a.org",
  "req_wl": "workload_a,endpoint_b",
  "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
  },
  "scope": "trade.stocks",
  "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 14: Txn-Token-II Payload</em></t>
        </section>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+09aXMbx5Xf8Su6oIoj0gDES5KJ2F5Dlw3HOlaEVuXacomN
mQbR1mAGmYNHZPq373uvj+meCyBF27VVUSXhYKbPd1/dGQ6HvVzmkRiz/tM0
ybJhmKy4jNks5XHGg1wm8Jx8FHHW7wU8F2dJejVmMl4kvV6YBDFfQdcw5Yt8
GMliGDhjDPNL+C/2He7t9bJivpJZBuPlV2voM30+e8HYPcajLIHJZRyKtYD/
ifP+gPVFKPMklTzCH9PJE/iTpPD0dvai34uL1Vyk414I6xn3giTOYHlFNmZ5
Woje+Zgd9mDcVPAxm7x9PoEfF0n68SxNivWYvZ4U+ZK9hxcyPmPf48te76O4
gibhuMfYkE1xETK/Yk+XsAtoRW/rAKHXCmjPaMO93rmIC1jSPcbc2fC32rQ/
LbyGbtGYJRxafSdFvhgl6Rm+52mwHLNlnq+z8YMH4pKv1pEYBcnqwfvvYd4z
mS+LOYDtlfy54PHBwdGDTTjoQ7cIAJbl0M0MbLuP1IgjmWwcaGOD0TJfRf1e
DzeVAJrYEKZWhPJ0WcTBUrI3Ihcp+0kW8AV2zGP5b46QHbMfCn4hJLwWCjQw
TaA6fbekTwiEnjsm7oC9khtHiuUVtNz3hun14iRdQYdzgbh/++Lpwf7+sX78
av/xkX589PjIvH388ODQNHh0fGgbPNwb93rIF8540+Gz0UcZyZSvhvwMqGoI
FJrlQ4TMcAFvBRKmaYn4HxIpQDNLbAqmWUMjqel0GGg6hQWMRqNebzgcMj7P
YJAg782WMmPAqcUKWrNQZEEq5yJjnK0EdIxltmKwaI+QG4h9wC6WMlgyEfN5
BN3zpWAZXwik4DiHt3EgGI9Dtk6TNT8jHLBkwYoMEG1WOiBGjBIemldSwMjY
TRGLRh4Dns7FZc44URhbFVEugQEYgY8pgstgp7TVlQzDSPSAbaZxniZhQevu
9Z4V0CGhlaYyE7iaIIkiPk9SwhCDpZ1LWLYIkuwqy8Uqo6VMpoyQBSvTLTK2
SMW/CngXXTHcLkLWLE4LzHlSxCFPpVCDyPg8iWAOu3QzWbKG3iDbMnZfjM5G
A4AojLfGFcKEQZQUBMNzAFAKL044P+mtgXGRsOC3yIPRzohNMiajqEAc5wJn
Y58+/dd25HZ9rdCwiJKLjGVrHiPtlAvV0GW4Y5kKi7KMXYCMgJkEBzrQuwb4
wn5wbQwEfM6zj2r7a57hCBkMmmGjIFH7BrADCHkA3LeOZLaExiw5hy9RxLD3
iL1MUoFvBtgN5TosAfQCsMFQIJ1A1yLO+Rz2iQSF2DWUpAiJsI80A5SSClol
L0CdIN1Cc5C8Z8ukyG1PGD/A6YmLgKaIYfTmNZ2LAFexht+AREWhtyL1zZQe
ysVCpMSplshrzMjuz0DW0uOOwXun8Li+BsZfyJjYPoPZUXyfixAIXJ7FQD8/
vp/BTnlu9ggN5WpVKJht2NdVFwNrkoFZgcYqDPz3zAU8e7+UhCCAfimZBIAj
0FRTrk2PPmASqIuvgZICTRAMegOyUsWqkVxJZA+gJDW/sW7KebMRe5rEQG8Z
TDGo6/4G+NbkLoBXcyzC1zIaiVVXRQISIqHpZV4gGKBDnOTAhCKQiyu2TC5w
rZFAjjgTWnQFS8ATAC7IgQpDC9qApyBtQja/YpYcQKjIkRgptggiLkGkAWWe
gm4+HcCfIL/Ev6n6i2g7BUr/cBGdOiJkAyntMMMkVqvMUxmeEbPA2zO+xjUR
wSEAXUUDmwNqgld2xez+Ik1WRpxMdxhXPCfjNUAI1l7DyACXCsYaECUKFjDz
ctQ8CfRKnXG54nD12gw/HTFaOdBMmvCKOquws5GRw1REJGQVPGF6gvCNoDvo
1mQDJegQWmrvYGenuGfFWCS8FHnDdG1yC/QfUXKs5B92fUY4oN+IMsHAzsV9
gSzvv3x3MkPjGv+yV6/p+e3z/343ffv8GT6f/DD56Sf7YFqc/PD63U/Pyqey
59PXL18+f/VMdYa3rPLq5eTnvgJK//Wb2fT1q8lPfcRk7lESWO2I1bkCAqhF
gZAHmjCGC+m6J0/fsP0joFdtsAED0jNabPB8sRSxmiqJQQqonwC2K8S74CkO
QZDja4BshBZIhmLxImZALKJG3kCyikJgRYDy/nstAXFbM8KjMpvw9/NLaBTz
iD2Pw3UilTfzFGcj+jUgqMv0E2Uf9EG4z052tLwm7t6OLWkTFwImgr/9iSeN
cWyRwtCT6sjatr2+9hQvbHUBllJyQRRJm0bEgNRBDy1EV8yMUsUgAG+XnXjC
trZXMF82aSEtTUslZC1r1L1zo79RNZUaSZuSSprKwEjKArDB8xyopwD3x7AQ
8Y5VTy47DhS92f1tB3/aeLcLjfsuBVRF37oGBfxskT6MpCUYTcUaVILgK2/l
yDocni9i/VG/PpfcamtmtNbGXTboOdqkuy9EmU9r38PXXFkoP06+R1OVxeIi
ujJzDRR+eCT/rVGOQ6nlwL6Ue34w2qsYFGdq2OqatUMGWsk4KEotKn5tFeE3
FLeeEveE7i659N4cT2mO8VZK16znlgR3z85OZN3twrFP9ww8rnu9J0AIyWqu
KOG2Vg/upWGeLeUVyY1MqK6lY5pfJBZxbJWgGED7jWxwxwr0GaaVX2p2te9C
sidgIOhZilwiURLGPZJlmpiNbaL9AUVpKSir/ELAvo3jRKYdzYfIJJtuKRq4
EhYPriXqFqnE5ktYBpuMwY0NQbuDh1kKi+eXaEKBSYisPEXVuBKhxI1PAhzE
CBijmoDriAZK5cSmbCFT+Cn0UBlZz1EC9OxMhBKRPqA2nJyQDcstAEhm5Tw9
E7kCBbSozUNGFqpcZzGEtZg68bwcLmkfBD8m4FGieI7R7cNdEvEoHrJK2f2E
ndDz/iis/mVPGlf4QoKSRovfaVdCpjYugQXfanjNTkjWBspF5kgvDhAbJrT4
fTJmz9qwuwF/d4o53MJNUSfscIpAgUUACiUEFWZaIWo6NwPTIHsjLMlASQXY
LwIdvJjnriS3jJFiQAbYXa4zgkUVpyNlEpeGTlbMtTTCDkEBkIz1Ms8kLjRJ
g6WgkIuJABhfrOI6QKesFEkgZRxD3K6FIkqwLxwHQLzGMDZTRo4yt0IBAImM
SoDmWujf20pQfLqHUo1fa2MWf+i9ZsY7zDIwkup2gRW+25kESDFlH1kLTL2Q
Zygt92Hpv//+e+/Lof33Jfuy4dF79j/0fivp8jf2G2NI54ypR/tc0p/6gPQF
H3q/WUbCVuaH8+g9M+/D5y1brc/791vtsaENdLy/v1NB7FtNNxs6Div/vt12
RvZ1SU3Tb2+w1Nvv8aC+R80P3R2/rm7yRkv9WsujP2ePhztvlCC1YnC7jtUt
NqD0rpd6tPO1a1V8Wx9jS3TUMXPXS324M1XqnnSKu+pbQ3X4W41f7mKp23S8
/2in5D3N51t2rdPGtout4vqP3+Vjb5eK07fsW+f4rbfpSLUpbZPUUW/X6KdO
dbrb64Ek7jbPgLlDDAAri9GYPlbPa2NX2TwTMnlsG8cYslMr+81zPbXkGLET
AQr+k+kOLeEt+GNV00JZE6B4QcKSmm6ytNk5+OIhBR2cvgN2JmLM2OjQhLJQ
dBLItebAGkPvDp03Y4Z1xi6atgrKOnHHxMwAddlip57hhFs93ICmRnu29ETA
fGvwREpjzbch6+ubzDoRcWQR0TCRjwnrddbAX3OIbo4CM7gF/c22VYP6ww1Q
V15Z5joHDQCwxAVsKDA2WLXYQUK6Q3i4lDHlYGsOofF2NmC2pMeG7cO3TrQ+
VmhtmQacFLTpq3R/G7x5m7PI81ymLZZfRZ/xKbqcU+1RzK97KlOnnBA384VG
vzxbYqr6gqehDqxZr6geZaIISFhgnpUwXy87cJqYAJ/NmunUD7TIkyCJhpg2
o8gcOpyYG8QFUD2AcBIvnkB1fUTykANgLYxGY/yY63Q/zgPAQnzEwVVT7t2o
EMzTCRgKZZDONDPkDJNKhwkiGAtj16loWsqQljI2dG2ooiKlnFDS5KQrTkJM
ZwZRzj/m0hX3aF7DsEAZVSEf2FQ6aALCAWSu9VGFhEegNFkoMx1dD2mQJRDB
UO8fs3giPpdpEq9UTQWF/XQ1QIKZEkw6LAXIDQT+XATJipC6BK7AzC+Q5wTo
Z71O0ryIkX5wJck6B99fB4c5VU+UTLKIxKXUIVwnrnqiY40PR/smslujuG2D
l4oWeelPA+R+hfE/WLEzF6zP4yudgVSspuAN+wdcizTLk4TyMFpC9XV20iQl
uQmN2GgLonedO2EdmWWFsGPYpACQBfeWZQWGl3vVcowiIQWgRskAeK14ppVV
NKCRhpH6YoEL4DZh1BpdUjEz2kJjMOkma2Z+nQZHnhnCBwCdzJaY9E9VBUhE
NJIt5dpGatuCjkS9G4JjW4Q6DjAbW4t1sOawAX1h7VEO5sU53NiGMW9tfKPc
B3VrinBoe7g1srH9ItucgAYb3LzRfdpDGu196u7N5nmqcYxt1nar/bSGLzrW
VvNjttyPjldsu7Zb7ac1VLE9fhoQdSdr6+gDpnWD87ypV329W6yuioltVvew
0end1K3J391ueR2u7kGHlQeO7omyYcDdRXGIriNVZVDBJ6hmEtJJhva2tgE/
x+vq9AeMJUsqWFePO3as+5qtBKwq1C6WMyrliaoJPE/BuI54o5GDdpuTcZmd
aIfnD7L4dU6h3VWrDFp6y5gR1pSvvHZDaBkY75RA0CkPlWSAdadu69S2BqM3
KkKTerBp4+taXsLN4YJ6BPV+nsiQLIg45GAuD6jSxupJLLvV1ewqyaHdBxps
ssYTAPKSKGq7NIfObpRZZFXl6Dhp1a0hhrXrUi0r+vRJpUxUluUeq0h17GkF
4qd7lZhEr5v8VZFsVg0OWYe30Rxxs2JeIk9ZykjboSl0a87E0kbu2c5GLCIV
rDkWKuZghlqGMs2MfzsvZBSCVanzYKGTxXLM6YPRoTKoty8aUNVaj44PMX+k
3Em7HDoqkZnSXTzdAe6FKB0WTK2ZEh9l2qmKpXMeFaq8JxApAc3ZIZKathWp
nExnwsYgFHeBNpIiDcTu7tfz9Ft4YcrgdneZXFBBiMDqdqmLNQUYn9OcUeHc
XAnGd2+nxqNow8PurhmoZR6zjK55sL5r+DEG/++BSUriIYjNc3veSW0BI1iB
mYarKFQ9Rqc8DV0x5c9Rn+IDIrFzniKNx0gpY8JSNiaCGavjQnRYJr+MP5iw
T5WKtfqcqapNdHlRnKZFJLKmfGqDE5gR2R5Qa3w6vAEBr9dYOGBZt8wgg/go
qXJMtVJtrK3LJ606ENuH7WZeYKsWMX1mKpuAjszwa1zRoH01Lyc/Mx6GA+Q6
cMfpsJUTmnaDsaq8STnOZmR2X+vo6+sdLTu9WqRJlgFLYkNPbE5m171usWmL
PAzqlTgEwFiINPtxVEvG7bTtEdzugawA9TJLRopWxainTErpeHQj6YjERWWo
TQSmRRhFUkh22S028trMk+k5sFwZK2jabstub8htWQu7HVl2O/rj2c0ri5x+
Fr85kTeXcipJii34osuoMCV6laDtBv6wZkUt61SmaVojMda0qKdjuuyIbh5w
TQkvYKPx1mVI7B+0cUpbAWEbb2g20ljzQ3M6zFnRVeObacl6KN4LxDXKEirz
tAKsHp//Q7SoWqRVpDUs3glvA+IOqTU8HG2PwRux9gsgLN9v09ky0mwdlE6g
Mpm1LsSVLt7kZGSkiR70jsRJzfEstaux4fR6nAj7tuLFTaOBz0XoVIef8MwN
jm2Jzw0QMDoCS7WQty1D3iJ79BmO2pMWR22+haP2l3llG+Rvl2PmC0xz1HZl
jdkqlqrJ8QFuBGPsTr5PeRYY3DDejJXZ3T7Q6FZOUOumO7yg0Z25Qa2zf64b
gV6kMlFwSmJfDIRVaLOOD0sMCjFkkS61334KANEHAVRAxRMBuE7auZp2YXNF
TdGyyv5mbnjsJYXHMA7kBdPAvliK2EsomVAdrMCt8gXaNqnDgRV2xFlqfSpi
5BlNpUsP6/thNntDWArZqW5wqpM4oQhR1IvQ6UFxJMDCai7PCszjlTzpnQvB
xCGdAaJ8nKSzofoMHMo09AGSQNLgqnTCkf0ZCgBzCOrhHomTqXeqRAcrtjBT
FUw0BJ2jmQrFxko/ZQspotDAY0BnBaTKCGZKVrdWmswo8kGXL2Rsyc8FsUeE
wRGVtCoyPDOKBxJr8zXXOQxqgtU/yoWZbq5PcQ/8b7AA6qoObqmabcJwiUEH
y09glzyig3HqLC9l54OkgKXh/R/E14osc33ej6vhFHrVLlT6bZXgJvD85jql
Om+1CjxQhsOVGta/bOPveAYEdiooUrnZFO+5VSZ/kpU9ABRWU/68Ibvcbo3/
Zca4wk2XMX4LA7s5yd2kk33T2tkF+JywDXVUyEg1P+uAB2pwWJU/qPUdHd7E
LN/eLv/1Ih/OBSiU9A6s8psrJnI4NlreREBtRjcg9A5t8u1x/ddk/k8KLPdo
GhrQiVAHXbPisVwoSzYz6l7JCeAjPHoNqBJ4qZE+euJF5zqOnLf5D/cdwO0Y
b6LqP9TNSEVGngmpvQhlyze6GtpuAINBf/YXr4/ZeYfrjJOkL/GwFk/rUb3y
jg0M8Glj1Z7F5LXbPzQlUJYiK9MUoBfiQK4rmyzjcQ+3jj0B2s1ZYn+7CoS4
xK7NmNm9fAP4lW/UJo2op4Oiqp8So84LZk4H6xLH8lKOWIIkN2ahVBVGyp10
q3YcWa3POmoOoKObQOvlMX7F+VfoJKTCFP86C6T8Cgt1dNkFB9nneiCQfUGy
lm6EtlYZ5ZBpmYFVRLIB4+3XpJS5R7zjR2akzlC84VFxzgJom+ozx2iEZmse
iEFtd9qDM7vXlgjVs+EAyfoKixwRAAAloNWFvLSGpYkOlCihIMJzvAfIoto7
+Kuxbd5pCFpLn+7EWboX8BALaRWujuEbCRMai7ZywU07MRjKVp5/q1zUi+Kh
Eo8OvQETOc61Rqt7nUjdlRm5IZWqTuicyVHYMFPHLK0RTFNalxXqWh+AJF6z
csV0NSSF3DXzrviVSX+QpgnwupFwoJPV6lITrHWNcGnmgK/um+L1SChycnsT
DdAMEBNRwzOec/YSxIupXVQgcZQ8INVuD9chLsHCR5l2zgM8sw2ucxqbDVyu
E2UxJusEPGE6sO7qya50D0VI6Siz4TUziapoO5Pq5HWbhMNrNQjyFZNV68qV
4ArUxjNEV0d5LPZSnreYbSJ1iIUru/a3UUFmRrpACmsG6AddMgVgwsFsThdv
nCnLYn099NRIJpXdCpWIC4ETBDgV0zJh7MhuOzCKVff+KRRQdAuNB82cf1QX
yAC5AiJAKaGVpWekHd5jr52a16eY1g71b/TKkzXq1l1XNCP25+bCsNImIh2u
bxMbaDhQGW6uSztgCQHP4FumK2lNjbX2FWs1HeTjqvOl2imboz2cglihhZ+4
RPJGE4m/A1p65ptTWAYDWyBXdV2AcRaok+uxwMpsY5Lpu4qSlAKH+lDtQnE/
AAovEiO2WOibFPQFCvSIw5vaahEH6ZW2pFL4kqnCZxEsSVNm6oac6eTVpLb0
Wc2zjRPVUl8mhn3pqrk5Dz7iMM91CUtvdpFsU88y0FxgWMXUrNNlUSRPYFMh
yBns+ePJ61ew7yuS+cok0/NtVxHTEFf0ioH+iJjofXOjJM9Giu32RxouD9C6
2lEhCDrU4YZNqSa9WsRSDbbXBz/wB9dHi0GGvHkNjgW9pPjBg/3RPr7+IcFr
L+trw29Psd4qzoczuqFT3yaGaH9wOby4uBgiNIZFGgGBIXpIVtFtJOQGfgOe
3t8OJ2hHwh/l7cEDmZTwlxqSxwc/lPtnIIrjfGGind/QFqHN3w5ewH/qG8WX
eJUodvIMqm/+97laWEkLw+kv9XbbrLb0T/GHqb8g2JrawcNxlbZ2lTPjW3nS
muIkaxURyjKX79WUlBXwjZ699swse7yfGe7AEb17m3Cln0iZ9CXP+2O2/xj+
HRx9tbc3UK9BZTqvH5nXINb7zr2oFTLp61awXrdVntcIyrQE4GHL48d7Dw+P
Hx0OHz/eD4dHx0Ew5EficHiwx3l4eHwcHO4fmC4AQOzya7KMP4SJ+I7jXbDm
o7II8DtfS7zw5IJftc2NshFaKjjY3hL33X90PNp/uD96fDDaPzjUHTQA8iUt
2UYu0kUwxruh+tTo2qwSrHuB7cBGCMUoAzH2MbO7rs2sBCi2f/LuZ3e+XAYf
RYofXp68mLlf/lVw8sPw2/7envspAMoAnZYSLXsT0eczkWCndydOH/pAJ4Pw
0/9M3/Ttp2u1sd61R+BHY5eR2BtFaZrIT9106qkT7NSZh9rRTx2mwZpOMkXc
UEdpyAMDlDJZk7ERX+xgb4+9/me3pPo1S2JqgbbnENulCV55mwwDfDPAJwBd
Kkh6abD13c30x54cgfX9ooHYL8VHf9x/9WFioNtX7PvB+75N4MsOAMyIIZwP
EqZ/tNcjbLi4eDiuJWt2SyavsPgh8bLH4F8d6ZcV9m7RI7SuKpPXlYZq1s6u
N2b+rbh7YNzAD1x3cpltI/8idtE+AnxNy6vUUE9cq+208rXP1Y0c3czNNU7e
tJAKJz4qsV9y4cRIfGmP2xyRijCdOnxZtLpARakQqqD7eTPXddOxDTcUidca
j8kH0KEX59pZN0xDiScKe4BPOYctrf6hPAeYpVDh0BJ/TN1Aqe7Sc91ZZSOB
s+lHD8lD/QetmgKy2hzH64nBkKWaavd6vEh+1I64XGtz2ROcp+oyP4MGnQxp
qnBrNRsbq/kbiu40Km52ptoac23WXNWcO3DNuVvZc7c06MogPg3yhd37NzVh
6lH243EjuHftzv904d8XV6PRqP/Xi/yvaqDZJPePm+T+caPcNwnseZVwuiX/
QavkhwbCWlL/kft3I/ePKyRQCv/GpKcvpN5hFkA5msbZ9s9Edzm//hVrLYeB
KK6N0T08CKSid9obMeUnHWHI0mOZiyi56HBZjptdlmPrsrQ6IwdVh6DRuam1
+itcFoe4B4Y5P8z/48jchSOzv+d5MlPfiNKZjkwYira9ysRteTlt1dwxRk7N
kvITHANt5tj7+Vpi+g1Bru5awo0hru4YV/dFit7FiQOdGfDq6KiQ0d7oo6ux
3DosxEOT8dIah7qx0eIbLA36tzRUxpW4UyXo1Cw7eltEmcpwtGOM/9JriTtt
edrHp+H9tnCTMvDLmkxbiOta9DYs7qehBk7hnY/KUk6rU56f72q2ieW/1s3s
tCnuRtLezLz4/ypjD1p81Kbqig7PlBieantMxsgk4a5qmVUndUz3ncaUJQEp
s0azJzQ3eJaupsl64f9Xi/KAFU+Yzo3Jw62MrY0uYfM1sSMvnYtpRH3OS9ZO
ap96suTUL2RstMw6C4BLuawidRXB3CQH/2TJrEOCt4/Zq5K8TvFN/ugXxJrf
uHx5O8ntOMEeaxyO6+SjhTfix7/rrOmaOzbnWBNrq3o2FnmpOyAbS8ameYuK
aLdg6Cpplbr2LJVmnaDN9UZjfVtTfRtD/eZSv0ODNCmEqh3+H91wW91w1Gp/
Y7QNjy9EIjyjEtnep7H6PzUU4Tf9BY8y0ceLm18/ew3eq2kpRr3/Az2aofWv
cQAA

-->

</rfc>
