<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-liu-oauth-cross-domain-txn-token-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Cross-domain Transaction Tokens</title>
    <seriesInfo name="Internet-Draft" value="draft-liu-oauth-cross-domain-txn-token-00"/>
    <author initials="C. P." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei</organization>
      <address>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <author initials="Y." surname="Ni" fullname="Yuan Ni">
      <organization>Huawei</organization>
      <address>
        <email>niyuan1@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <keyword>Identity Chaining</keyword>
    <keyword>Transaction Tokens</keyword>
    <keyword>Cross-Domain</keyword>
    <abstract>
      <?line 55?>
<t>This document describes a mechanism for Cross-Domain Transaction Tokens, which enables the safe maintenance and propagation of user identity, workload identities, and authorization context across multiple trust domains.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://NiYuan224.github.io/draft-liu-oauth-cross-domain-txn-token/draft-liu-oauth-cross-domain-txn-token.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-liu-oauth-cross-domain-txn-token/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/NiYuan224/draft-liu-oauth-cross-domain-txn-token"/>.</t>
    </note>
  </front>
  <middle>
    <?line 59?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Due to the rise of collaborative service ecosystems and AI agents, services frequently interact across domain boundaries and involve multiple service operators (e.g., enterprises, cloud providers, SaaS
platforms, etc.). As illustrated in <xref target="I-D.kiliram-agent-trust-auth-framework"/>, workflows spanning multiple domains require workloads within each domain to perform subtasks and pass results to cooperatively accomplish an overall task. Moreover, to ensure end-to-end accountability, the entities and actions must remain auditable throughout the entire call chain.</t>
      <t>This requires the secure preservation and propagation of user identity, workload identities and authorization context across different domains.</t>
      <t>Transaction Token (Txn-Token) <xref target="I-D.ietf-oauth-transaction-tokens"/> defines a short-lived, signed JWT that preserves immutable user identity, workload identity, and authorization context within a single trust domain's call chain. While this mechanism effectively preserves context, its applicability is currently limited to single-domain call chains. Conversely, Identity Chaining <xref target="I-D.ietf-oauth-identity-chaining"/> provides a framework for cross-domain delegation but does not specify how to leverage the rich, structured context carried by Txn-Tokens (i.e., the claims of <tt>txn</tt>, <tt>tctx</tt>, <tt>rctx</tt>, and <tt>req_wl</tt> in <xref target="I-D.ietf-oauth-transaction-tokens"/>) .</t>
      <t>This document bridges this gap by defining a mechanism to use a Txn-Token (from domain I) as the input of Identity Chaining, in order to create another Txn-Token at the other domain II. This approach enables the propagation of workflow-related claims, i.e., claims of <tt>txn</tt>, <tt>tctx</tt>, <tt>rctx</tt>, and <tt>req_wl</tt>, across multiple trust domains, ensuring the integrity and auditability of the entire call chain.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
      <t>This document uses the terms "Workload", "Trust Domain", "External Endpoint", "Call Chain", and "Transaction Token Service" (TTS) defined by <xref target="I-D.ietf-oauth-transaction-tokens"/>, as well as "Authorization Server" (AS) defined by <xref target="RFC6749"/>. Moreover, the following terms are extended or defined in this document.</t>
      <ul spacing="normal">
        <li>
          <t>Single-domain Transaction Token. A short-lived, signed JWT that provides immutable information about the user, workloads, and specific contextual attributes of the call within a trust domain, as defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
        </li>
        <li>
          <t>Cross-domain Transaction Token. A Txn-Token that preserves and propagates workflow-related claims from an upstream trust domain to a downstream domain via identity chaining as defined in <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
        </li>
        <li>
          <t>Transaction JWT Authorization Grant (Txn-JAG). A newly defined, specialized JWT acting as an OAuth 2.0 authorization grant (as defined in <xref target="RFC7523"/>), which carries the workflow-related claims, ensuring the integrity and auditability of the cross-domain call chain.</t>
        </li>
        <li>
          <t>Workflow-related Claims: <tt>txn</tt>, <tt>tctx</tt>, <tt>rctx</tt>, and <tt>req_wl</tt> claims, as defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
        </li>
      </ul>
    </section>
    <section anchor="workflow">
      <name>Workflows of Cross-Domain Transaction Token</name>
      <t>By combining Identity Chaining <xref target="I-D.ietf-oauth-identity-chaining"/> and Transaction Token <xref target="I-D.ietf-oauth-transaction-tokens"/>, this section describes two workflow modes to securely preserve and propagate workflow-related claims across different trust domains. Both modes utilize the newly defined Txn-JAG as the secure carrier between domains but differ in how the downstream domain processes it.</t>
      <ul spacing="normal">
        <li>
          <t>Mode A: Indirect Txn-Token Exchange via Intermediate Access Token. Workload A in Trust Domain I first exchanges its local Txn-Token with its own AS for a Txn-JAG that targets the AS in Trust Domain II. Then, Workload A presents that Txn-JAG to the AS in Trust Domain II to obtain an access token, and uses the access token to invoke Endpoint B in Trust Domain II. Finally, Endpoint B exchanges the access token with the local TTS to acquire a new Txn-Token in Trust Domain II.</t>
        </li>
        <li>
          <t>Mode B: Direct Txn-Token Exchange. Workload A in Trust Domain I exchanges its local Txn-Token with its own AS for a Txn-JAG that targets the TTS in Trust Domain II. Then, Workload A presents the Txn-JAG directly to Endpoint B, and Endpoint B exchanges the Txn-JAG with the local TTS to obtain a new Txn-Token in Trust Domain II, thereby eliminating the intermediate round trips for the access token.</t>
        </li>
      </ul>
      <t>The following subsections focus on the logical orchestration and context propagation of these workflows. Definitions for the request and response formats are detailed in <xref target="reqs"/>.</t>
      <section anchor="modea">
        <name>Mode A: Indirect Txn-Token Exchange</name>
        <t>This mode follows the classic identity chaining workflow <xref target="I-D.ietf-oauth-identity-chaining"/>. The workflow is illustrated in Figure 1.</t>
        <artwork><![CDATA[
+----------+ +--------+ +---------+ +----------+ +---------+
|Workload A| |   AS   | |    AS   | |Endpoint B| |   TTS   |
|Domain I  | |Domain I| |Domain II| |Domain II | |Domain II|
+----------+ +--------+ +---------+ +----------+ +---------+
 |                 |          |      |                 |
 |(1)Token Exchange Request   |      |                 |
 |---------------->|          |      |                 |
 | <Txn-Token I>   |          |      |                 |
 |                 |          |      |                 |
 |(2)Token Exchange Response  |      |                 |
 |<----------------|          |      |                 |
 |     <Txn-JAG>   |          |      |                 |
 |                 |          |      |                 |
 |(3)Present Txn-JAG          |      |                 |
 |--------------------------->|      |                 |
 |                 |          |      |                 |
 |(4)<Access Token>           |      |                 |
 |<---------------------------|      |                 |
 |                 |          |      |                 |
 |(5)Invoke with Access Token |      |                 |
 |----------------------------|----->|                 |
 |                 |          |      |                 |
 |                 |          |      |(6)Txn-Token Request
 |                 |          |      |---------------->|
 |                 |          |      | <Access Token>  |
 |                 |          |      |                 |
 |                 |          |      |(7)Txn-Token Response
 |                 |          |      |<----------------|
 |                 |          |      | <Txn-Token II>  |

]]></artwork>
        <t><em>Figure 1: Indirect Txn-Token Exchange</em></t>
        <t>(1) Workload A in Trust Domain I sends a token exchange request to the local AS to exchange the local Txn-Token for a cross-domain Txn-JAG. See <xref target="exchangeforJAG"/> for the request format.</t>
        <t>(2) The AS in Trust Domain I validates the request, generates and responds with the Txn-JAG, transcribing the workflow-related claims from the local Txn-Token into the Txn-JAG's claims. See <xref target="exchangeforJAG"/> for the response format.</t>
        <t>(3) Workload A in Trust Domain I presents the Txn-JAG to the AS of Trust Domain II to request an access token. See <xref target="exchangeforAT"/> for the request format.</t>
        <t>(4) The AS of Trust Domain II validates the Txn-JAG and responds with an access token, transcribing the workflow-related claims from the Txn-JAG into the access token. See <xref target="exchangeforAT"/> for the response format.</t>
        <t>(5) Workload A in Trust Domain I invokes Endpoint B of Trust Domain II with the received access token.</t>
        <t>(6) Endpoint B presents the inbound access token to the TTS of Trust Domain II to request a Txn-Token. See <xref target="exchangeforTxn"/> for the request format.</t>
        <t>(7) The TTS of Trust Domain II mints a local Txn-Token, transcribing the workflow-related claims from the access token into the new Txn-Token. See <xref target="exchangeforTxn"/> for the response format.</t>
      </section>
      <section anchor="modeb">
        <name>Mode B: Direct Txn-Token Exchange</name>
        <t>While Mode A provides a straightforward integration of Identity Chaining procedures with Transaction Tokens procedures, which does not create protocol-level changes, it introduces multiple cross-domain round trips that can significantly increase latency. As illustrated in Figure 1, steps (3) through (5) require at least three cross-domain round-trips: presenting the Txn-JAG to the downstream AS to obtain an access token, invoking the target endpoint with that token, and subsequently exchanging it for a local Txn-Token. In distributed and high-throughput environments, this operational overhead can become prohibitive.</t>
        <t>An opportunity for optimization arises from the flexibility defined in Section 5.1 of the Transaction Token<xref target="I-D.ietf-oauth-transaction-tokens"/>, which allows the subject_token to be "any other format that is understood by the TTS". This enables a TTS to directly accept a Txn-JAG issued by the upstream AS as the subject token in a Txn-Token request.</t>
        <t>Thus, Mode B reduces cross-domain round trips from three to one by allowing the TTS in Trust Domain II to accept the Txn-JAG directly as the subject token in a Txn-Token request. This requires a pre-established trust relationship between the AS in Trust Domain I and the TTS in Trust Domain II. The workflow is illustrated in Figure 2.</t>
        <artwork><![CDATA[
+----------+   +--------+ +----------+     +---------+
|Workload A|   |   AS   | |Endpoint B|     |   TTS   |
| Domain I |   |Domain I| |Domain II |     |Domain II|
+----------+   +--------+ +----------+     +---------+
     |                 |        |                 |
     |(1)Token Exchange Request |                 |
     |---------------->|        |                 |
     |<Txn-Token I>    |        |                 |
     |                 |        |                 |
     |(2)Token Exchange Response|                 |
     |<----------------|        |                 |
     |<Txn-JAG>        |        |                 |
     |                 |        |                 |
     |(3)Present Txn-JAG        |                 |
     |------------------------->|                 |
     |                 |        |                 |
     |                 |        |(4)Txn-Token Request
     |                 |        |---------------->|
     |                 |        | <Txn-JAG>       |
     |                 |        |(5)Txn-Token Response
     |                 |        |<----------------|
     |                 |        | <Txn-Token II>  |

]]></artwork>
        <t><em>Figure 2: Direct Txn-Token Exchange</em></t>
        <t>Steps (1) and (2) are the same as those in Mode A.</t>
        <t>(3) Workload A in Trust Domain I presents the Txn-JAG to Endpoint B of Trust Domain II. See <xref target="transmission"/> for the transmission method.</t>
        <t>(4) Endpoint B uses Txn-JAG as the subject token to exchange for a local Txn-Token at its local TTS.</t>
        <t>(5) The TTS of Trust Domain II mints a local Txn-Token, transcribing the workflow-related context from the Txn-JAG into the local Txn-Token's claims.</t>
      </section>
    </section>
    <section anchor="reqs">
      <name>Requests and Responses</name>
      <t>The formats of requests and responses included in <xref target="workflow"/> are detailed in this section. To avoid redundancy, all illustrative examples are provided in Appendix A.</t>
      <section anchor="mode-a-indirect-txn-token-exchange">
        <name>Mode A: Indirect Txn-Token Exchange</name>
        <t>This section defines the requests and responses for Mode A as described in <xref target="modea"/>.</t>
        <section anchor="exchangeforJAG">
          <name>Token Exchange for Txn-JAG</name>
          <t>Workload A in Trust Domain I performs token exchange with the AS in Trust Domain I to obtain a Txn-JAG that can be used at the AS in Trust Domain II.</t>
          <section anchor="txn-jag-request">
            <name>Txn-JAG Request</name>
            <t>The parameters for the Txn-JAG request build upon the definitions in Section 2.3.1 of <xref target="I-D.ietf-oauth-identity-chaining"/> and <xref target="RFC8693"/>. While parameter types remain consistent with these specifications, the values of certain parameters are required as follows:</t>
            <t><strong>resource</strong><br/>
              <strong>REQUIRED</strong> if audience is not set. It MUST be the URI of the AS in Trust Domain II.</t>
            <t><strong>audience</strong><br/>
              <strong>REQUIRED</strong> if resource is not set. It MUST be the well-known/logical name of the AS in Trust Domain II.</t>
            <t><strong>subject_token</strong><br/>
              <strong>REQUIRED.</strong> MUST be a valid local Txn-Token issued within Trust Domain I.</t>
            <t><strong>subject_token_type</strong><br/>
              <strong>REQUIRED.</strong> MUST be urn:ietf:params:oauth:token-type:txn_token.</t>
          </section>
          <section anchor="txn-jag-response">
            <name>Txn-JAG Response</name>
            <t>The processing rules and response format defined in Sections 2.3.2 and 2.3.3 of <xref target="I-D.ietf-oauth-identity-chaining"/> apply, with the following modifications:</t>
            <ul spacing="normal">
              <li>
                <t>The AS in Trust Domain I SHOULD transcribe the workflow-related claims from the Txn-Token to the Txn-JAG's claims. During this transcription, The AS in Trust Domain I MAY add, remove, or change the claims. See Claims Transcription (<xref target="trans"/>).</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="exchangeforAT">
          <name>Cross-Domain Assertion</name>
          <t>Workload A in Trust Domain I uses the Txn-JAG obtained from the AS in Trust Domain I as an assertion to request an access token from the AS in Trust Domain II.</t>
          <section anchor="access-token-request">
            <name>Access Token Request</name>
            <t>The parameters described in Section 2.4.1 of <xref target="I-D.ietf-oauth-identity-chaining"/> apply here with the following requirements:</t>
            <t><strong>assertion</strong><br/>
              <strong>REQUIRED.</strong> The Txn-JAG returned by the AS in Trust Domain I.</t>
          </section>
          <section anchor="access-token-response">
            <name>Access Token Response</name>
            <t>The processing rules and response formats defined in Sections 2.4.2 and 2.4.3 of <xref target="I-D.ietf-oauth-identity-chaining"/> apply, with the following modifications:</t>
            <ul spacing="normal">
              <li>
                <t>The AS in trust domain II SHOULD transcribe the workflow-related claims from the Txn-JAG to the access token's claims. See Claims Transcription (<xref target="trans"/>).</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="exchangeforTxn">
          <name>Token Exchange for Txn-Token</name>
          <t>Workload A in Trust Domain I performs a token exchange with the TTS in Trust Domain II to obtain a local Txn-Token in Trust Domain II.</t>
          <section anchor="txn-token-request">
            <name>Txn-Token Request</name>
            <t>The parameters for the Txn-Token request follow the definitions in Section 12.1 of <xref target="I-D.ietf-oauth-transaction-tokens"/>, the following requirements apply to the subject_token and subject_token_type:</t>
            <t><strong>subject_token</strong><br/>
              <strong>REQUIRED.</strong> MUST be the access token issued by the AS in Trust Domain II, as obtained <xref target="exchangeforTxn"/>.</t>
            <t><strong>subject_token_type</strong><br/>
              <strong>REQUIRED.</strong> MUST be urn:ietf:params:oauth:token-type:access_token.</t>
          </section>
          <section anchor="txn-token-response">
            <name>Txn-Token Response</name>
            <t>The processing rules and response formats defined in Sections 12.3 and 12.4 of <xref target="I-D.ietf-oauth-transaction-tokens"/> apply, with the following modifications:</t>
            <ul spacing="normal">
              <li>
                <t>For subject token validation, the TTS in Trust Domain II MUST validate the access token issued by its local AS.</t>
              </li>
              <li>
                <t>The TTS in trust domain II SHOULD transcribe the workflow-related claims from the subject token to the claims of the issued Txn-Token.  See Claims Transcription (<xref target="trans"/>).</t>
              </li>
            </ul>
            <t>Domain II will proceed to use the obtained Txn-Token II normally, as defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="mode-b-direct-txn-token-exchange">
        <name>Mode B: Direct Txn-Token Exchange</name>
        <t>This section defines the requests and responses for Mode B as described in <xref target="modeb"/>.</t>
        <section anchor="token-exchange-for-txn-jag">
          <name>Token Exchange for Txn-JAG</name>
          <t>Workload A in Trust Domain I performs token exchange with the AS in Trust Domain I to obtain a Txn-JAG that can be used with the TTS in Trust Domain II.</t>
          <section anchor="txn-jag-request-1">
            <name>Txn-JAG Request</name>
            <t>The request follows the same format as defined in <xref target="exchangeforJAG"/>, except for the resource or audience parameter:</t>
            <t><strong>resource</strong><br/>
              <strong>REQUIRED.</strong> if audience is not set. It MUST be the URI of the TTS in Trust Domain II.</t>
            <t><strong>audience</strong><br/>
              <strong>REQUIRED.</strong> if resource is not set. It MUST be the well-known/logical name of the TTS in Trust Domain II.</t>
          </section>
          <section anchor="txn-jag-response-1">
            <name>Txn-JAG Response</name>
            <t>The processing rules and response format are identical to those described in <xref target="exchangeforJAG"/>, with the exception that the <tt>aud</tt> claim in the issued Txn-JAG MUST identify the TTS of Trust Domain II.</t>
          </section>
          <section anchor="transmission">
            <name>Txn-JAG Transmission Methods</name>
            <t>When a Txn-JAG is presented directly to an endpoint, the workload MUST include the Txn-JAG parameter in HTTP named <tt>Txn-JAG</tt>. This dedicated parameter avoids ambiguity with the Authorization header, which is conventionally associated with access tokens per <xref target="RFC6750"/>.</t>
            <t>In <xref target="RFC7523"/> and <xref target="I-D.ietf-oauth-identity-chaining"/>, the JAG is carried by the <tt>assertion</tt> field in HTTP, but it is used to request an access token. These drafts have not listed the usage of <tt>assertion</tt> field to request a Txn-Token, as described in this document. As a result, this document has designed a new HTTP parameter <tt>Txn-JAG</tt>. But alternatively, it could also be transmitted as a HTTP header field. The most appropriate design should subject to Working Group's discretion.</t>
          </section>
        </section>
        <section anchor="token-exchange-for-txn-token">
          <name>Token Exchange for Txn-Token</name>
          <t>Endpoint B performs a token exchange with the TTS in Trust Domain II to obtain a local Txn-Token in Trust Domain II, using the Txn-JAG as the subject_token.</t>
          <section anchor="txn-token-request-1">
            <name>Txn-Token Request</name>
            <t>The parameters for the Txn-Token request follow the definitions in Section 12.1 of <xref target="I-D.ietf-oauth-transaction-tokens"/>. The following requirements apply:</t>
            <t><strong>subject_token</strong><br/>
              <strong>REQUIRED.</strong> MUST be the Txn-JAG issued by the AS in Trust Domain I, as obtained in Section 4.2.1 and presented to Endpoint B via the method in Section 4.2.1.3.</t>
            <t><strong>subject_token_type</strong><br/>
              <strong>REQUIRED.</strong>  MUST be urn:ietf:params:oauth:token-type:jwt-bearer.</t>
          </section>
          <section anchor="txn-token-response-1">
            <name>Txn-Token Response</name>
            <t>The processing rules and response format are identical to those described in <xref target="exchangeforTxn"/>, with the following modification for subject token validation:</t>
            <t>For subject token validation, the TTS in Trust Domain II MUST validate the Txn-JAG issued by the AS in Trust Domain I. This requires a pre-established trust relationship between the AS in Trust Domain I and the TTS in Trust Domain II. Such a trust relationship typically manifests as the exchange of key material.</t>
            <t>The transcription of workflow-related claims from the subject token (the Txn-JAG) to the issued Txn-Token follows the same rules defined in <xref target="trans"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="trans">
        <name>Claims Transcription</name>
        <t>Claims transcription across trust domains SHOULD ensure that the workflow-related claims are preserved for auditability and accountability. This builds upon the principles defined in Section 2.5 of <xref target="I-D.ietf-oauth-identity-chaining"/>. Specific transcription rules for workflow-related claims are defined as follows:</t>
        <ul spacing="normal">
          <li>
            <t>Preserving the <tt>txn</tt> claim. The <tt>txn</tt> claim serves as the immutable unique identifier for the cross-domain transaction. Both the AS and TTS SHOULD NOT modify or regenerate the <tt>txn</tt> value during transcription. It SHOULD be copied from the subject_token to the issued token to ensure auditability and accountability across different domains. To avoid collisions without a centralized namespace, the <tt>txn</tt> value can be generated as a high-entropy string or prefixed with a domain identifier.</t>
          </li>
          <li>
            <t>Evolving the <tt>req_wl</tt> claim. The <tt>req_wl</tt> SHOULD identify all the workloads that requested or exchanged tokens throughout the cross-domain transaction. Specifically, the AS in Trust Domain I SHOULD add the identifier of Workload A to the <tt>req_wl</tt> in the issued Txn-JAG. The TTS in Trust Domain II SHOULD add the identifier of Endpoint B to <tt>req_wl</tt> in the issued Txn-Token in Trust Domain II. This ensures that every point where claims may change is recorded, providing a trail of how the claims reached its current state.</t>
          </li>
          <li>
            <t>Data Minimization. The processing or <tt>req_wl</tt> may exist privacy concerns that exposing topology of Domain I. The AS in Trust Domain I MAY apply security and privacy strategies to workflow-related claims when issuing the Txn-JAG. Such measures include but not limited to Removal.  </t>
            <ul spacing="normal">
              <li>
                <t>Removal. Claims related to completed tasks or not required by downstream trust domains COULD be removed or redacted. If certain claims are required for end-to-end auditing, Domain I MAY take proper logs before removal.</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="ops">
      <name>Operational Considerations</name>
      <ul spacing="normal">
        <li>
          <t>AS and TTS may be operated by the same service, or not. In the former case, some procedures listed in <xref target="workflow"/> and <xref target="reqs"/> could be merged.</t>
        </li>
      </ul>
    </section>
    <section anchor="security-and-privacy-considerations">
      <name>Security and Privacy Considerations</name>
      <ul spacing="normal">
        <li>
          <t>As Domain I and II may have public Internet in between, the correct and confidential passing of <tt>tctx</tt> and <tt>rctx</tt> may require encryption or masking techniques.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC6750">
          <front>
            <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6750"/>
          <seriesInfo name="DOI" value="10.17487/RFC6750"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.kiliram-agent-trust-auth-framework">
          <front>
            <title>A Trust and Authentication Framework for Cross-Domain Agent-to-Agent Communications</title>
            <author fullname="Daniel King" initials="D." surname="King">
              <organization>Lancaster University</organization>
            </author>
            <author fullname="Rajiv Ramdhany" initials="R." surname="Ramdhany">
              <organization>BBC</organization>
            </author>
            <author fullname="Peter Chunchi Liu" initials="P. C." surname="Liu">
              <organization>Huawei Technologies</organization>
            </author>
            <date day="15" month="March" year="2026"/>
            <abstract>
              <t>   AI-based agent-to-agent communication increasingly occurs across
   trust domains (e.g., between enterprises, service providers, SaaS
   platforms, and application third parties).  While many agent
   protocols and platforms can provide transport security and local
   permission models, deployments lack a coherent, interoperable
   baseline for verifiable agent identity, credentialing, cross-domain
   authorisation, delegation, revocation, and auditability.

   This document defines an architectural framework for a cross-domain
   trust substrate for AI-based agent ecosystems.  The framework is
   intended to be agent protocol-agnostic and to provide a consistent
   trust baseline that existing and emerging AI agent protocols can
   build upon.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-kiliram-agent-trust-auth-framework-00"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-transaction-tokens">
          <front>
            <title>Transaction Tokens</title>
            <author fullname="Atul Tulshibagwale" initials="A." surname="Tulshibagwale">
              <organization>CrowdStrike</organization>
            </author>
            <author fullname="George Fletcher" initials="G." surname="Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Transaction Tokens (Txn-Tokens) are designed to maintain and
   propagate user identity, workload identity and authorization context
   throughout the Call Chain within a trusted domain during the
   processing of external requests (e.g. such as API calls) or requests
   initiated internally within the trust domain.  Txn-Tokens ensure that
   this context is preserved throughout the Call Chain thereby enhancing
   security and consistency in complex, multi-service architectures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-08"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-chaining">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
      </references>
    </references>
    <?line 338?>

<section anchor="examples">
      <name>Examples</name>
      <t>Two examples are provided in Appendix A, including the protocol framing and decoded JSON payloads.</t>
      <section anchor="example-mode-a-indirect-txn-token-exchange">
        <name>Example Mode A: Indirect Txn-Token Exchange</name>
        <section anchor="txn-jag-request-and-response">
          <name>Txn-JAG Request and Response</name>
          <t>Workload A in Trust Domain I performs token exchange with the AS in Trust Domain I (https://as.domain1.example/auth) to receive a Txn-JAG targeted at the AS in trust domain II (https://as.domain2.example/auth).</t>
          <artwork><![CDATA[
   POST /auth HTTP/1.1
   Host: as.domain1.example
   Content-Type: application/x-www-form-urlencoded

   grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
   &resource=https%3A%2F%2Fas.domain2.example%2Fauth
   &subject_token=<Encoded Txn-Token-I>
   &subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn_token
]]></artwork>
          <t><em>Figure 3: Txn-JAG Request</em></t>
          <t>The subject_token in the prior request is the Txn-Token issued by the TTS in Trust Domain I, and the decoded JWT payload is shown here.</t>
          <artwork><![CDATA[
{
    "iat": 1777724800,
    "exp": 1777724860,
    "aud": "https://domain1.example",
    "iss": "https://tts.domain1.example",
    "txn": "97053963-771d-49cc-a4e3-20aad399c312",
    "sub": "john_doe@a.org",
    "req_wl": "apigateway.domain1.example",
    "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
    },
    "scope": "trade.stocks",
    "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 4: Txn-Token-I Payload</em></t>
          <t>The <tt>access_token</tt> parameter of the token exchange response contains the Txn-JAG requested by Workload A.</t>
          <artwork><![CDATA[
HTTP/1.1 200 OK
   Content-Type: application/json
   Cache-Control: no-cache, no-store

   {
     "access_token":<Encoded Txn-JAG>,
     "token_type":"N_A",
     "issued_token_type":"urn:ietf:params:oauth:token-type:jwt",
     "expires_in":60
   }
]]></artwork>
          <t><em>Figure 5: Txn-JAG Response</em></t>
          <artwork><![CDATA[
{
  "iat": 1777724830,
  "exp": 1777728430,
  "aud": "https://as.domain2.example/auth",
  "iss": "https://as.domain1.example",
  "sub": "john_doe@a.org",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "req_wl": "apigateway.domain1.example,workload_a",
  "rctx": {
    "authn": "urn:ietf:rfc:6749"
    <Encrypted_Information>
  },
  "scope": "trade.stocks",
  "tctx": {
    "action": "BUY",
    "ticker": "MSFT",
    "quantity": "100"
    <Encrypted_Information>
  }
}
]]></artwork>
          <t><em>Figure 6: Txn-JAG Payload</em></t>
          <t>As shown in Figure 4 and Figure 6, the AS in Trust Domain I protects and evolves the claims during Txn-JAG issuance: for immutability, the <tt>txn</tt> claim is copied verbatim; for evolution, workload_a is appended to <tt>req_wl</tt> to record the exchange point; and for security, sensitive information like <tt>req_ip</tt> and <tt>customer_type</tt> are encrypted.</t>
        </section>
        <section anchor="access-token-request-and-response">
          <name>Access Token Request and Response</name>
          <t>Workload A presents the Txn-JAG as an assertion to the AS of Trust Domain II to request an access token.</t>
          <artwork><![CDATA[
    POST /auth HTTP/1.1
    Host: as.domain2.example
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
    &assertion=<Encoded Txn-JAG>
]]></artwork>
          <t><em>Figure 7: Access Token Request</em></t>
          <artwork><![CDATA[
   HTTP/1.1 200 OK
   Content-Type: application/json
   Cache-Control: no-cache, no-store

   {
     "access_token":"ey...",
     "token_type":"N_A",
     "issued_token_type":"urn:ietf:params:oauth:token-type:jwt",
     "expires_in":60
   }
]]></artwork>
          <t><em>Figure 8: Access Token Response</em></t>
          <artwork><![CDATA[
{
  "iat": 1777724890,
  "exp": 1777728490,
  "aud": "https://endpointb.domain2.example",
  "iss": "https://as.domain2.example",
  "sub": "john.doe.123",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "req_wl": "apigateway.domain1.example,workload_a",
  "rctx": {
    "authn": "urn:ietf:rfc:6749"
    <Encrypted_Information>
  },
  "scope": "trade.stocks",
  "tctx": {
    "action": "BUY",
    "ticker": "MSFT",
    "quantity": "100"
    <Encrypted_Information>
  }
}
]]></artwork>
          <t><em>Figure 9: Access Token Payload</em></t>
        </section>
        <section anchor="txn-token-request-and-response">
          <name>Txn-Token Request and Response</name>
          <t>Upon receiving the access token, Workload A in Trust Domain II exchanges it for a local Txn-Token from its TTS. The payload of the Txn-Token in Trust Domain II is shown below.</t>
          <artwork><![CDATA[
{
    "iat": 1777724900,
    "exp": 1777724960,
    "iss": "https://tts.domain2.example",
    "aud": "https://domain2.example",
    "txn": "97053963-771d-49cc-a4e3-20aad399c312",
    "sub": "john_doe@a.org",
    "req_wl": "apigateway.domain1.example,workload_a,endpoint_b",
    "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
    },
    "scope": "trade.stocks",
    "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 10: Txn-Token-II Payload</em></t>
          <t>As can be seen from Figure 10, the TTS preserves the <tt>txn</tt> claim verbatim and evolves the <tt>req_wl</tt> claim, appending the identifier of Endpoint B.</t>
        </section>
      </section>
      <section anchor="example-mode-b-direct-txn-token-exchange">
        <name>Example Mode B: Direct Txn-Token Exchange</name>
        <section anchor="txn-jag-request-and-response-1">
          <name>Txn-JAG Request and Response</name>
          <t>Workload A in Trust Domain I exchanges its local Txn-Token for a Txn-JAG, where the resource is set to the TTS of Domain II.</t>
          <artwork><![CDATA[
POST /auth HTTP/1.1
Host: as.domain1.example
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&resource=https://tts.domain2.example
&subject_token=<Encoded Txn-Token-I the same in Figure 4>
&subject_token_type=urn:ietf:params:oauth:token-type:txn_token
]]></artwork>
          <t><em>Figure 11: Txn-JAG Request</em></t>
          <t>The AS in Domain I transcribes the claims. In the issued Txn-JAG, the <tt>aud</tt> is set to the Domain II TTS.</t>
          <artwork><![CDATA[
{
  "iat": 1777724830,
  "exp": 1777728430,
  "aud": "https://tts.domain2.example",
  "iss": "https://as.domain1.example",
  "sub": "john_doe@a.org",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "req_wl": "workload_a",
  "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
  },
  "scope": "trade.stocks",
  "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 12: Txn-JAG Payload</em></t>
          <t>As defined in <xref target="trans"/>, the AS in Trust Domain I applies an removal strategy to the <tt>req_wl</tt> claim. The internal path preceding workload_a is removed to protect the internal topology of Domain I.</t>
        </section>
        <section anchor="txn-token-request-and-response-1">
          <name>Txn-Token Request and Response</name>
          <t>Workload A presents the Txn-JAG directly to Endpoint B. Endpoint B then uses this Txn-JAG as the <tt>subject_token</tt> to request a local Txn-Token from the TTS in Trust Domain II.</t>
          <artwork><![CDATA[
POST /token HTTP/1.1
Host: tts.domain2.example
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn-token
&subject_token=<Encoded Txn-JAG>
&scope=trade.stocks
&subject_token_type=urn:ietf:params:oauth:token-type:jwt-bearer
]]></artwork>
          <t><em>Figure 13: Txn-Token Request</em></t>
          <t>The TTS validates the cross-domain Txn-JAG based on the pre-established trust relationship with AS in Trust Domain I. It transcribes the claims and evolves the <tt>req_wl</tt> to include Endpoint B.</t>
          <artwork><![CDATA[
{
  "iat": 1777724900,
  "exp": 1777724960,
  "iss": "https://tts.domain2.example",
  "aud": "https://domain2.example",
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "sub": "john_doe@a.org",
  "req_wl": "workload_a,endpoint_b",
  "rctx": {
        "req_ip": "69.151.72.123",
        "authn": "urn:ietf:rfc:6749"
  },
  "scope": "trade.stocks",
  "tctx": {
        "action": "BUY",
        "ticker": "MSFT",
        "quantity": "100",
        "customer_type": {
            "geo": "US",
            "level": "VIP"
        }
    }
}
]]></artwork>
          <t><em>Figure 14: Txn-Token-II Payload</em></t>
        </section>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+09aXMbx5Xf8Su6oEoiMgDES5KJ2F5Dlw2vdawIrcufxMZM
k2hrMIPMwSMS89v3vdfHdM+FIU3btVVRJeFgpo/X7+p3dWc8Hg9ymUdiyobP
0yTLxmGy5jJmi5THGQ9ymcBz8knE2XAQ8FycJ+n1lMn4LBkMwiSI+Rq6hik/
y8eRLMYJL/LVOHBGGudX8F8cYby3N8iK5VpmGYyaX2+g5/zl4hVjDxiPsgRA
kHEoNgL+J86HIzYUocyTVPIIf8xnz+BPksLT+8Wr4SAu1kuRTgchQDUdBEmc
AZBFNmV5WojBxZQdDmDcVPApm71/OYMfl0n66TxNis2UvZ0BnOxneCHjc/Y9
vhwMPolraBJOB4yN2RyBkPk1e76CVUAreltHC71WqHtBCx4MLkRcAEgPGHNn
w99q0f608Bq6RVNGuPtOivxskqTn+J6nwWrKVnm+yaaPHokrvt5EYhIk60c/
fw/znst8VSwBbW/kLwWPDw6OHvWjxBA6R4C2LIfOZng7yESNO5FJz+F6Npus
8nU0HAywSQKEY2MAQzHQ81URByvJ3olcpOwnWcAXwAGP5b844nrKfij4pZDw
WihkwWSB6vTdij4hWgbumLga9kZuHSmW19By3xtmMIiTdA0dLgRyw/tXzw/2
94/141f7T4/045OnR+bt08cHh6bBk+ND2+Dx3nQwQHlxxpuPX0w+yUimfD3m
58BnY+DZLB8T8s7grUBWNS2RIzRi85L9FE6zhkZSc+440JwLAEwmk8FgPB4z
vsxgkCAfLFYyYyDBxRpas1BkQSqXImOcrQV0jGW2ZgC0x9oN7D9ilysZrJiI
+TKC7vlKsIyfCeTpOIe3cSAYj0O2SZMNPycasOSMFRkQ2kA6ItGMEh6aV1LA
yNhNMYsmHgMpz8VVzjhxGFsXUS5BJBihjymGy2CltNS1DMNIDECQ5nGeJmFB
cA8GLwrokBCkqcwEQhMkUcSXSUoUYgDahQSwRZBk11ku1hmBMpszIhZApltk
7CwV/yzgXXTNcLmIWQOcVqTLpIhDnkqhBpHxRRLBHBZ0M1mygd6g7TL2UEzO
JyPAKIy3QQhhwiBKCsLhBSAohRcnnJ8MNiDEyFjwW+TBZGfCZhmTUVQgjXOB
s7HPn/+rH7vd3CgynEXJZcayDY+Rd0pANXYZrlimwpIsY5egL2AmwYEP9KoB
v7AehI2Bys959kktf8MzHCGDQTNsFCRq3YB2QCEPQPo2kcxW0JglF/Alihj2
nrDXSSrwzQi7oaYHEGCnADEYC+QT6FrEOV/COpGhkLqGkxQjEfWRZ4BTUkFQ
8gI2GORbaA66+HyVFLntCeMHOD1JEfAUCYxevOZzESAUG/gNRFQceidW387p
oTw7EylJqmXymjCyhwvQtfS4Y+jeqTxubkDwz2RMYp/B7KjEL0QIDC7PY+Cf
H39ewEp5btYIDeV6XSicbVnXdZcAa5aBWYHHKgL8t8xFPPt5JYlAgP1SMwlA
R6C5poRNjz5iEriLb4CTAs0QDHoDsVIlqpFcSxQP4CQ1v7F6ynmzCXuexMBv
GUwxqlsDDfit6V1Ar5ZYxK8VNFKr7hYJRIiE5pdlgWiADnGSgxCKQJ5ds1Vy
ibBGAiXiXGjVFayAToC4IAcuDC1qA56CtgnZ8ppZdgClIidiosQiiLgElQac
eQp78+kI/gT5Ff5N1V8k2ylw+sfL6NRRIVtYaYcZIbG7yjKV4TkJC7w95xuE
iRgOEehuNLA44CZ4ZSFmD8/SZG3UyXyHcSVzMt4AhgD2GkVGCCqYb8CUqFjA
8Mtx50mgV+qMy5WEq9dm+PmEEeTAM2nCK9tZRZyNjhynIiIlq/AJ0xOGb4Xd
UfdONlKKDrGl1g72d4prVoJFykuxN0zXprdg/yNOjpX+w64viAb0G0kmGFi+
uC7Q5cPXH04WaG7jX/bmLT2/f/k/H+bvX77A55MfZj/9ZB9Mi5Mf3n746UX5
VPZ8/vb165dvXqjO8JZVXr2e/TJUSBm+fbeYv30z+2mIlMw9TgI7Hqm6VEiA
bVEg5oEnjOFCe92z5+/Y/hHwqzbYQADpGS02eL5ciVhNlcSgBdRPQNs10l3w
FIcgzPENYDZCCyRDtXgZM2AWUWNvYFnFIQARkHz4s9aAuKwF0VGZTfj75RU0
innEXsbhJpHKv3mOsxH/GhTUdfqJsg+GoNwXJztaX5N09xNLWsSlgIng73Dm
aWMcW6Qw9Kw6srZtb268jReWegaWUnJJHEmLRsKA1kGfLUTnzIxSpSAgb5ed
eMq2tlYwX7btQlqblpuQtaxx712a/Ru3pnJH0qak0qYyMJqyAGrwPAfuKcAV
MiJEsmO3J1ccR4rf7Pr64Z8W3u1a47pLBVXZb12DAn62aB9G2hKMpmIDW4Lg
aw9yFB0Oz5ex/qhfX0hud2tmdq2tq2zY52iR7rqQZD6vfQ9fc2Wh/Dj7Hk1V
FovL6NrMNVL04ZH8lyY5DqXAgXUph/1gslcxKM7VsFWYtUMGu5JxUNS2qOS1
VYXfUt16m7indHfJyffmeE5zTHttugaeOzLcAzs7sXW3C8c+PzD4uBkMngEj
JOul4oS7Wj24loZ5euor0huZUF1LxzS/TCzh2DpBNYD2G9ngjhXoC0yrvNTs
at+FZM/AQNCzFLlEpiSKeyzLNDMb20T7A4rTUtis8ksB6zaOE5l2NB8Sk2y6
lWiQSgAeXEvcW6RSm68BDDabghsbwu4OHmapLF5eoQkFJiGK8hy3xrUIJS58
FuAgRsGYrQmkjnig3JzYnJ3JFH4KPVRG1nOUAD87E6FGpA+4G85OyIblFgGk
s3KenotcoQJa1OYhIwu3XAcYolpMnXheDpe0D4IfE/AoUT3H6PbhKol5lAzZ
Tdn9hJ3Q8/4k7P7LnjVC+ErCJo0Wv9OuxExtXEILvtX4WpyQrg2Ui8yRXxwk
Nkxo6ftsyl60UXcL/e6VcriE25JO2OEUg4KIABZKDCrKtGLUdG5GpiH2VlyS
gZIKsF8EOngxz11NbgUjxYAMiLvcZISLKk0nyiQuDZ2sWGpthB2CAjAZazDP
JQKapMFKUMjFRACML1ZxHaBTVqok0DKOIW5hoYgSrAvHARRvMLDNlJGjzK1Q
AEIisyVAc630H/RSFJ8foFbjN9qYxR96rZnxDrMMjKS6XWCVbz+TADmm7CNr
galX8hy15T6A/u9//3vw97H993f294ZH79n/MPhS8uUX9oUx5HPG1KN9LvlP
fUD+gg+DL1aQsJX54Tx6z8z78NvAVvB5/77UHhvaQMeH+zsVwr7XfLOl47jy
79u+M7KvS26af3sLUO++xoP6GrU8dHf8urrIW4H6tdZHf8waD3feKUVq1WC/
jtUlNpD0vkE92vnatSq+rY/Rkxx1ytw3qI935mq7pz3FhfrOWB1/qcnLfYDa
p+PDJzul7Gk579m1zht9ga3S+vdf5VNvlUrSe/atS3zvZTpabU7LpO1osGv2
p87tdHcwAE3cbZ6BcIcYAFYWozF97D6vjV1l88zI5LFtHGPITq3sN8/11Jpj
wk4EbPCfTXdoCW/BH6uaFsqagI0XNCxt002WNrsAXzykoIPTd8TORYwZGx2a
UBaKTgK51hxYY+jdofNmzLDO2EXTUmGzTtwxMTNAXXqs1DOccKmHW8jUaM+W
ngiYbw2eSGms+TZkHb7ZopMQR5YQDRP5lLBeZw39NYfo9iQwg1vU325ZNaw/
3oJ15ZVlrnPQgADLXCCGAmODVYsdNKQ7hEdLGVMOtuYQGm9nC2VLfmxYPnzr
JOtTRdaWacBJQZu+yvd3oZu3OEs8z2XqAX6VfMan6HJOtUexvBmoTJ1yQtzM
Fxr98nyFqepLnoY6sGa9onqUiSIgYYF5VqJ8vezAaWICfDZrplM/0CJPgiQa
Y9qMInPocGJuEAGgegDhJF48her6iOQhByBaGI3G+DHX6X6cB5CF9IiD66bc
u9lCME8nYCjUQTrTzFAyTCodJohgLIxdp6IJlDGBMjV8bbiioqWcUNLspCtO
QkJnBlHOP+bSlfRoWcOwQBlVIR/YVDpoBsIBZK73owoLT2DTZKHMdHQ9pEFW
wARjvX7M4on4QqZJvFY1FRT209UACWZKMOmwEqA3EPlLESRrIuoKpAIzv8Ce
M+CfzSZJ8yJG/kFIkk0Ovr8ODnOqniiF5CwSV1KHcJ246omONT6e7JvIbo3j
+gYvFS/y0p8GzP0K43+0amcp2JDH1zoDqURN4RvWD7QWaZYnCeVhtIYa6uyk
SUpyExqx0RYk7yZ3wjoyywphx7BJAWAL7oFlFYaXe9V6jCIhBZBG6QB4rWSm
VVQ0opGHkftigQBwmzBqjS6pmBktoTGYdBuYmV+nwVFmxvABUCezFSb9U1UB
EhGPZCu5sZHatqAjce+W4FiPUMcBZmNrsQ7WHDagL6w9ysG8OIcb2zDmrY1v
lOugbk0RDm0Pt0Y2+gPZ5gQ02ODmje7THtJo71N3b7bPU41j9IHtTutpDV90
wFbzY3quR8cr+sJ2p/W0hir606eBUPcCW0cfMK0bnOdtverw9oCuSok+0D1u
dHq3dWvyd/uB1+HqHnRYeeDonigbBtxdVIfoOlJVBhV8wtZMSjrJ0N7WNuBv
8bo6/QFjydIWrOvJHTvWfc3WAqAKtYvljEp5omoCz9tgXEe80chBu83JuCxO
tMPzO1n8OqfQ7qpVBi29ZcwIa85XXrthtAyMd0og6JSHSjIA3KnbOrWtweiN
itCkHmza+KaWl3BzuLA9wvZ+kciQLIg45GAuj6jSxu6TWHar69tVkkO7DzTY
bINnAuQVcVS/NIfObpRZZFXl6Dhp1aUhhbXrUi0r+vxZpUxUluUBq2h17GkV
4ucHlZjEoJv9VZFsVg0OWYe30Rxxs2JeIk9ZysjboSl0a87E0kIe2M5GLSIX
bDgWKuZghlqBMs2Mf7ssZBSCVanzYKGTxXLM6YPJoTKo+xcNqGqtJ8eHmD9S
7qQFhw5PZKZ0F897gHshSocFU2umxEeZdqpi6YJHhSrvCURKSHNWiKymbUUq
J9OZsCkoxV3gjaRIA7G7+/Uy/RZemDK43V0mz6ggRGB1u9TFmgKMz3nOqHBu
qRTjh/dz41G00WF31wzUMo8Bo2serO8af4rB/3tkkpJ4CGL73J53UgNgAhCY
abiKQtVjdMrT0BVT/hz1KT4iETvnKdJ4ipwyJSplU2KYqTpARMdn8qv4own7
VLlYb58LVbWJLi+q07SIRNaUT21wAjNi2wNqjU+Ht2DgzQYLB6zolhlkUB8l
V06pVqpNtHX5pN0ORP+w3cILbNUipi9MZRPwkRl+gxCN2qF5PfuF8TAcodSB
O07Hr5zQtBuMVeVNynE2I7OHeo++udnRutOrRZplGYgkNvTU5mxxM+hWm7bI
w5BeqUNAjMVIsx9HtWTcTtsewe0eyCpQL7NktGhVjXqbSakdj26lHZG5qAy1
icG0CqNICukuu8RGWVt4Oj0HkStjBU3LbVntLaUtaxG3IytuR7+/uHllkfPf
JG9O5M3lnEqSoodcdBkVpkSvErTdIh/WrKhlnco0TWskxpoW9XRMlx3RLQOu
KeEFbDTdugyJ/YM2SWkrIGyTDS1Gmmp+aE6HOSt71fR2u2Q9FO8F4hp1CZV5
WgVWj8//LruoAtJupDUq3otsA+EOqTU8HPWn4K1E+xUwlu+36WwZ7WwdnE6o
Mpm1LsKVLt7sZGK0iR70ntRJzfEsd1djw2l4nAh7X/XiptHA5yJyqsNPeOYG
x7bM5wYIGB2BpVrIu5Yh98ge/QZH7VmLo7bs4aj9aV7ZFv3b5Zj5CtMctV1b
Y7ZKpWpyfIQLwRi7k+9TngUGN4w3Y3V2tw80uZMT1LroDi9ocm9uUOvsv9WN
QC9SmSg4JYkvBsIqvFmnh2UGRRiySFfabz8FhOiDACqg4qkAhJNWrqY9s7mi
pmhZZX0LNzz2msJjGAfygmlgX6xE7CWUTKgOIHCrfIG3TepwZJUdSZaCT0WM
PKOpdOkBvh8Wi3dEpZCd6ganOokTihBVvQidHhRHAiqsl/K8wDxeKZPeuRBM
HNIZIMrHSTobqs/AoU5DHyAJJA2uSicc3Z+hAjCHoB7vkTqZe6dKdLCih5mq
cKIx6BzNVCQ2VvopO5MiCg0+RnRWQKqMYKZ0dWulyYIiH3QFQ8ZW/EKQeEQY
HFFJqyLDM6N4ILE2X3Odw6imWP2jXJjp5voU98j/BgBQV3VwS9VsE4VLCjpU
fgar5BEdjFNneSk7HyQFgIY3gpBcK7bM9Xk/roZT5FWrUOm3dYKLwPObm5Tq
vBUUeKAMhyt3WP/6jb/hGRBYqaBI5XZTfOBWmfxBVvYISFhN+fOG7HK7Nf6n
GeOKNl3G+B0M7OYkd9Oe7JvWzirA54RlqKNCRqv5WQc8UIPDqvxBre/k8DZm
eX+7/NfLfLwUsKGk92CV335jIodjq+VNDNRmdANB79Em70/rPyfzf1JguUfT
0EBOxDrsNWseyzNlyWZmu1d6AuQIj14DqQRec6SPnnjRuY4j523+w0MHcTvG
m6j6D3UzUrGRZ0JqL0LZ8o2uhrYbwGDQn33g9TE773CdcZL0JR7W4mk9qlfe
sYEBPm2s2rOYvHb7h+YEylJkZZoC9oU4kJvKIst43OPesScguzlL7C9XoRBB
7FqMmd3LN4Bf+U4t0qh6Oiiq+ik16rxg5nSwLnEsL+WIJWhyYxZKVWGk3Em3
asfR1fqso5YAOroJvF4e41eSf41OQipM8a8DIOVXWKijyy46yD7XA4HuC5KN
dCO0tcooh03LDKxiki0Ub78mpcw94h0/MqPtDNUbHhXnLIC2qT5zjEZotuGB
GNVWpz04s3ptiVA9Gw6QbK6xyBERAFgCXj2TV9awNNGBkiQURHiJ9wBZUnsH
fzW1zTuNQWvp0504K/cCHhIhvYWrY/hGw4TGoq1ccNPODIazleffqhc1UDxU
6tHhNxAix7nWZHWvE6m7MhM3pFLdEzpncjZsmKljltYIpimtywp1rQ9gEq9Z
uWa6GpJC7lp41/zapD9opwnwupFwpJPV6lITrHWNEDRzwFf3TfF6JFQ5ub2J
BngGmIm44QXPOXsN6sXULiqUOJs8ENUuD+EQV2Dho0674AGe2QbXOY3NAq42
ibIYk00CnjAdWHf3ya50D0VI6SizkTUziapoO5fq5HWbhsNrNQjzFZNV75Vr
wRWqjWeIro7yWOylPO8x20TbIRau7NrfZgsyM9IFUlgzQD/okilAEw5mc7p4
40xZFuvvQ8+NZlLZrVCpuBAkQYBTMS8Txo7utgOjWnXvn0IFRbfQeNjM+Sd1
gQywKxACNiW0svSMtMIH7K1T8/oc09qh/o1eebLBvXXXVc1I/aW5MKy0iWgP
17eJjTQeqAw316UdAELAM/iW6UpaU2OtfcVaTQf5uOp8qXbKlmgPp6BWCPAT
l0neaSbxV0CgZ745hWUwsARyVTcFGGeBOrkeC6zMNiaZvqsoSSlwqA/Vninp
B0ThRWIkFmf6JgV9gQI94vCmtlrEQXqtLakUvmSq8FkEK9opM3VDznz2ZlYD
fVHzbONEtdSXiWFfumpuyYNPOMxLXcIyWFwmfepZRloKjKiYmnW6LIr0CSwq
BD2DPX88efsG1n1NOl+ZZHq+fhUxDXFFrxjo94iJPjS3S/JsosRuf6Lx8git
qx0VgqBDHW7YlGrSq0Us1WB7ffADf3B9tBh0yLu34FjQS4ofPNqf7OPrHxK8
ArMOG357jvVWcT5e0J2d+jYxJPujq/Hl5eUYsTEu0ggYDMlDuopuIyE38Bvw
9P5yOEM7Ev4obw8eyKSEv9SQPD74odw/g1Ec568m2vkNLRHa/OXgFfynvlB8
iZeLYifPoPrm65cKsJIXxvNv6+36QFv6p/jD1F8Qbk3t4OG0ylu7ypnxrTxp
TXHStYoJZZnL92pKygr4Rs9ee2ZWPH5eGOnAEb17mxDSz7SZDCXPh1O2/xT+
HRx9tbc3Uq9hy3RePzGvQa0PnTtSK2wy1K0AXrdVntcYyrQE5GHL46d7jw+P
nxyOnz7dD8dHx0Ew5kficHywx3l4eHwcHO4fmC6AQOzya7KKP4aJ+I7j7bDm
o7II8DvfSLzw5JJft82NuhFaKjzY3hLXPXxyPNl/vD95ejDZPzjUHTQC8hWB
bCMX6VkwxbuhhtToxkAJ1r3AdmAjhGKSgRr7lNlV12ZWChTbP/vwiztfLoNP
IsUPr09eLdwv/yw4+WH4bX9vz/0UAGfAnpYSL3sT0edzkWCnDydOH/pAJ4Pw
0//O3w3tpxu1sMGNx+BHU1eQ2DvFaZrJT9106qkT7NSZh9rRTx2mwZpOMkXc
UEdpyIMAlDpZs7FRX+xgb4+9/e9uTfVrlsTUAm3PMbZLE7zyNhkH+GaET4C6
VJD20mgbuosZTj09gsXNGonDUn0Mp8M3H2cGu0Mlvh+9730CX3YAEEYM4XyU
MP2TvQFRw6XF42ktWbNbCnlFxA9Jlj0B/+pIv6yId8s+QnBVhby+aahm7eJ6
a+HvJd0j4wZ+5LqTK2xb5Repi/YR0GteXqWG+8SNWk6rXPtS3SjRzdJck+Rt
gFQk8UlJ/VIKZ0bjS3vc5oi2CNOpw5dFqwu2KBVCFXQ/b+a6bjq24YYi8Vrj
KfkAOvTiXDvrhmko8URhD/Apl7Ck9T+U5wCzFCocWtKPqRso1V16rjurbCRw
Nv3oIXmo/yCoKSCrzXG8nhgMWaqpdq/Hi+Qn7YjLjTaXPcV5qi7zM2TQyZCm
CrdWs7Gxmr+h6E6T4nZnqq0x12bNVc25A9ecu5M9d0eDrgzi0yB/tWv/pqZM
Pc5+Om1E965d+R+u/IfiejKZDP98lf9VDTXb9P5xk94/btT7JoG9rDJOt+Y/
aNX80EBYS+o/ev9+9P5xhQVK5d+Y9PSV1AfMAihH0zjb/pnoLufXv2Kt5TAQ
xbUxuocHgVT0TnsjpvykIwxZeixLESWXHS7LcbPLcmxdllZn5KDqEDQ6N7VW
f4bL4jD3yAjnx+V/HJn7cGT29zxPZu4bUTrTkQnD0bZXmbgtL6etmjvGyKlZ
Un6CY6TNHHs/X0tMvyHI1V1LuDXE1R3j6r5I0bs4caQzA14dHRUy2ht9dDWW
W4eFdGgyXlrjULc2WnyDpWH/LQ2VaSXuVAk6NeuOQY8oUxmOdozxbwctcaee
p318Ht5vCzcpA7+sybSFuK5Fb8Pifhpq5BTe+aQs9bQ65fnbXc02tfznupmd
NsX9aNrbmRf/X3XsQYuP2lRd0eGZksBTbY/JGJkk3HUts+qkjum+05iyJKBl
Nmj2hOYGz9LVNFkv/P9qUR6wkgnTuTF52MvY2uoSNl8TO/HSuZhG1Oe8ZO2k
9qmnS079QsZGy6yzALjUyypSV1HMTXrwD9bMOiR495i9KsnrVN/kj/6VRPMb
Vy7vprkdJ9gTjcNpnX208kb6+HedNV1zx5Yca2JtVc/WIi91B2Rjydg8b9ki
2i0Yukpapa49S6V5T9DmeqOx3tdU72Oo317rd+wgTRtC1Q7/z95w173hqNX+
xmgbHl+IRHhOJbKDz1P1f3Mowm+GZzzKxBAvbn774i14r6almAz+Dx1/NHDH
cQAA

-->

</rfc>
