<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc compact="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-richer-oauth-httpsig-02" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>OAuth Proof of Possession Tokens with HTTP Message Signatures</title>
    <seriesInfo name="Internet-Draft" value="draft-richer-oauth-httpsig-02"/>
    <author initials="J." surname="Richer" fullname="Justin Richer" role="editor">
      <organization>MongoDB</organization>
      <address>
        <email>ietf@justin.richer.org</email>
      </address>
    </author>
    <author initials="A." surname="Parecki" fullname="Aaron Parecki">
      <organization>Okta</organization>
      <address>
        <email>aaron@parecki.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <area>Security</area>
    <workgroup>OAUTH</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 47?>

<t>This extension to the OAuth 2.0 authorization framework defines a method for using
HTTP Message Signatures to bind access tokens to keys held by OAuth 2.0 clients.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Web Authorization Protocol Working Group mailing list (oauth@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/jricher/draft-richer-oauth-httpsig"/>.</t>
    </note>
  </front>
  <middle>
    <?line 52?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The OAuth 2.0 framework provides methods for clients to get delegated access tokens from an
authorization server for accessing protected resources.</t>
      <t>OAuth access tokens can be bearer tokens, or bound to a variety of mechanisms including mutual TLS, DPoP, or other presentation mechanisms.
Bearer tokens are simple to implement but also have the significant security downside of
allowing anyone who sees the access token to use that token.</t>
      <t><xref target="HTTPSIG"/> defines a generic mechanism that is used to sign HTTP requests and responses.</t>
      <t>This specification defines means to bind access tokens to a key held by the client, a token type
value, a token response for indicating that a token is meant to be used with <xref target="HTTPSIG"/>
presentation, and a method for presenting bound access tokens in HTTP requests using <xref target="HTTPSIG"/>.</t>
      <t>This work complements and builds on experience with <xref target="DPOP"/> and <xref target="MTLS"/>, as well as
implementations of <xref target="I-D.ietf-oauth-signed-http-request"/>, a spiritual predecessor to this
specification and other forms of OAuth proof-of-possession work.</t>
      <t>[[ Editor's note: we want to give developers clear guidance on when to use HTTPSig vs. DPoP vs. mTLS vs. Bearer vs. whatever else ]]</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
        </t>
        <t>This document contains non-normative examples of partial and complete HTTP messages, JSON structures, URLs, query components, keys, and other elements. Some examples use a single trailing backslash '' to indicate line wrapping for long values, as per <xref target="RFC8792"/>. The <tt>\</tt> character and leading spaces on wrapped lines are not part of the value.</t>
      </section>
    </section>
    <section anchor="binding">
      <name>Requesting an HTTP Message Signature Bound Access Token</name>
      <t>To bind an access token to a key, the AS needs to know which key to bind to which token. This specification defines two common methods depending on the needs of the client:</t>
      <ul spacing="normal">
        <li>
          <t>A static method that depends on key material available as part of the client registration</t>
        </li>
        <li>
          <t>A runtime method that allows a client to introduce key material during the token request phase of <xref target="OAUTH"/></t>
        </li>
      </ul>
      <t>As part of its registration, a client MUST indicate which method it will use, using either the <tt>httpsig_key_binding_method</tt> client registration metadata parameter defined (TBD) in <xref target="IANA"/> when using Dynamic Client Registration (<xref target="DYNREG"/>) or Client ID Metadata Document (<xref target="I-D.ietf-oauth-client-id-metadata-document"/>), or via an out of band method.</t>
      <t>[[ Editor's note: do we want to add an AS/RS metadata parameter to signal support for each type? ]]</t>
      <t>[[ Editor's note: Are there any other patterns of key introduction we should cover? I put PAR in the appendix as a note. ]]</t>
      <section anchor="preregister">
        <name>Pre-Registration of Keys</name>
        <t>A client pre-registering its keys for <xref target="HTTPSIG"/> binding MUST include the key in its registered <tt>jwks</tt> value or make it available from its <tt>jwks_uri</tt> endpoint. The JWK MUST have a <tt>kid</tt> field and MUST indicate a signing algorithm in its <tt>alg</tt> field. The key ID for the public key used for HTTP Message Signature bound access tokens MUST be identified using the <tt>httpsig_bound_access_token_kid</tt> field in the client's metadata.</t>
        <t>[[ Editor's note: do we want to have a client field for the signing alg or just leave that to the key all the time? I prefer to keep it in the key. ]]</t>
        <t>A pre-registered key MAY be a shared secret (such as for use in an HMAC signature), but public key cryptography is RECOMMENDED.</t>
        <t>Note that pre-registration can occur statically or dynamically (such as by using <xref target="DYNREG"/>), as long as the key is associated with the client's <tt>client_id</tt> before the token request is made.</t>
        <section anchor="example-client-registration">
          <name>Example Client Registration</name>
          <t>A client can publish the key binding parameters as part of a <xref target="I-D.ietf-oauth-client-id-metadata-document"/> alongside its <tt>jwks</tt> or <tt>jwks_uri</tt> values. For example, a client with the <tt>client_id</tt> value <tt>https://client.example.com/client-metadata.json</tt> would publish the following document at that URL, indicating that it uses a pre-registered key:</t>
          <sourcecode type="json"><![CDATA[
{
    "client_id": "https://client.example.com/client-metadata.json",
    "client_name": "Example Client",
    "jwks": {
        "keys": [
            {
                "kty": "OKP",
                "use": "sig",
                "crv": "Ed25519",
                "kid": "j-0Ny45NWmqGq6GQ",
                "x": "iuemcj_GhRHmY_yCsMlDNp3BQgPZDdG00VRsg_BgU3s",
                "alg": "EdDSA"
            }
        ]
    },
    "httpsig_bound_access_token_kid": "j-0Ny45NWmqGq6GQ",
    "httpsig_key_binding_method": "preregistered"
}
]]></sourcecode>
        </section>
      </section>
      <section anchor="runtime">
        <name>Token Request Key Introduction</name>
        <t>Instead of pre-registering a key, a client can introduce its key during the token request in the same fashion as <xref target="DPOP"/>.</t>
        <t>The client MUST present its public key in the Signature-Key header field. The field is an HTTP Structured Field consisting of a Binary value containing the bytes of the <xref target="JSON"/> serialized <xref target="JWK"/> form of the key material.</t>
        <t>The JWK MUST have a <tt>kid</tt> field. The key MUST be a public key (and neither a private key nor a shared secret key). The JWK MUST have an <tt>alg</tt> value that indicates a signature algorithm.</t>
        <t>For example, the following JWK public key:</t>
        <sourcecode type="json"><![CDATA[
{
    "kty": "OKP",
    "use": "sig",
    "crv": "Ed25519",
    "kid": "j-0Ny45NWmqGq6GQ",
    "x": "iuemcj_GhRHmY_yCsMlDNp3BQgPZDdG00VRsg_BgU3s",
    "alg": "EdDSA"
}
]]></sourcecode>
        <t>Can be encoded to the following Signature-Key field value (this example uses a compact JSON serialization that removes whitespace):</t>
        <artwork><![CDATA[
NOTE: '\' line wrapping per RFC 8792

Signature-Key: :eyJrdHkiOiJPS1AiLCJ1c2UiOiJzaWciLCJjcnYiOiJFZDI1NTE5I\
  iwia2lkIjoiai0wTnk0NU5XbXFHcTZHNFV4TGpHak51bG9rdHVndE9XNGpmR0NDZ2Vm\
  USIsIngiOiJpdWVtY2pfR2hSSG1ZX3lDc01sRE5wM0JRZ1BaRGRHMDBWUnNnX0JnVTN\
  zIiwiYWxnIjoiRWREU0EifQ==:
]]></artwork>
        <t>[[ Editor's note: this is a really awkward way to encode a JWK. We could try to break apart the JSON but there's not a 1:1 map to HTTP Structured Fields we can rely on. We could just put the minified JSON into a string but the double quotes would need to be escaped. This is the least bad version I could come up with right now. ]]</t>
      </section>
      <section anchor="request">
        <name>Token Request</name>
        <t>The presence of an HTTP Message Signature with the tag <tt>httpsig-oauth-token-request</tt> indicates that the client is requesting a bound token. The client MUST include a message signature of the indicated key.</t>
        <t>Additionally, the client MUST calculate and include the digest of the request body and include it as the Content-Digest header defined in <xref target="DIGEST"/>.</t>
        <t>For example, a form-encoded request body consisting of:</t>
        <artwork><![CDATA[
NOTE: '\' line wrapping per RFC 8792

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA\
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
]]></artwork>
        <t>Would create the following Content-Digest header:</t>
        <artwork><![CDATA[
Content-Digest: sha-256=:4fEzRVTGqfZg7lqf/d3oxXu837pvb3L0GN24+F1VkZk=:
]]></artwork>
        <t>A client using this method MUST sign the token endpoint request using <xref target="HTTPSIG"/> with the appropriate key. The covered components MUST include:</t>
        <ul spacing="normal">
          <li>
            <t><tt>@method</tt> the HTTP method of the request</t>
          </li>
          <li>
            <t><tt>@target-uri</tt> the full request URI of the request (note that this includes the scheme, authority, path, and query)</t>
          </li>
          <li>
            <t><tt>content-digest</tt> the digest of the request body</t>
          </li>
        </ul>
        <t>If a signature key is presented at runtime as described in <xref target="runtime"/>, the covered components MUST include:</t>
        <ul spacing="normal">
          <li>
            <t><tt>signature-key</tt> the encoded public key used to sign this request</t>
          </li>
        </ul>
        <t>The covered components MUST include the client's authentication, if available. If using HTTP Basic, this means including the <tt>authorization</tt> field.</t>
        <t>The signature MUST include the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>created</tt> a timestamp for signature creation; this MUST be within a small number of seconds of issuance (e.g. 30 seconds to account for clock skew)</t>
          </li>
          <li>
            <t><tt>nonce</tt> a random unique value that the AS can use to prevent signature replay within the small validity time window</t>
          </li>
          <li>
            <t><tt>tag</tt> a string indicating that this is being used for requesting a bound token, MUST be the value "httpsig-oauth-token-request"</t>
          </li>
          <li>
            <t><tt>keyid</tt> the <tt>kid</tt> value for the key to be used for binding the token; if client uses pre-registered keys as in <xref target="preregister"/>, the value MUST match the <tt>httpsig_bound_access_token_kid</tt> value; if the key is presented at runtime as in <xref target="runtime"/>, the value MUST match the <tt>kid</tt> of the JWK in the Signature-Key field</t>
          </li>
        </ul>
        <t>The signature algorithm MUST be derived from the indicated key. The <tt>alg</tt> signature parameter MUST NOT be used.</t>
        <t>An example request to the token endpoint (using a runtime-provided key here) can look like the following:</t>
        <sourcecode type="http-message"><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
Signature-Key: :eyJrdHkiOiJPS1AiLCJ1c2UiOiJzaWciLCJjcnYiOiJFZDI1NTE5I\
  iwia2lkIjoiai0wTnk0NU5XbXFHcTZHNFV4TGpHak51bG9rdHVndE9XNGpmR0NDZ2Vm\
  USIsIngiOiJpdWVtY2pfR2hSSG1ZX3lDc01sRE5wM0JRZ1BaRGRHMDBWUnNnX0JnVTN\
  zIiwiYWxnIjoiRWREU0EifQ==:
Content-Digest: sha-256=:4fEzRVTGqfZg7lqf/d3oxXu837pvb3L0GN24+F1VkZk=:
Signature-Input: sig1=("@method" "@target-uri" "content-digest" \
  "signature-key" "authorization");created=1618884473\
  ;keyid="j-0Ny45NWmqGq6G4UxLjGjNuloktugtOW4jfGCCgefQ"\
  ;nonce="b3k2pp5k7z-50gnX1b06";tag="httpsig-oauth-token-request"
Signature: sig1=:AWyxebrJ6u8CMi0B3TyX9G1G3XT45UW5zIn8mhsyXdmjTUtGS+1M\
  XiydKv5z0GLCrMhVSFe691jF98DRNNSPAg==:

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&\
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
]]></sourcecode>
      </section>
    </section>
    <section anchor="issuing">
      <name>Issuing an HTTP Message Signature Bound Access Token</name>
      <t>The AS MUST validate the signature of the token request sent in <xref target="request"/> against the identified key and the algorithm associated with that key.</t>
      <t>The request MUST fail with an error if any of the following occur:</t>
      <ul spacing="normal">
        <li>
          <t>The key named in <tt>kid</tt> cannot be found or is not associated with the requesting client</t>
        </li>
        <li>
          <t>There is more than one signature with the tag "httpsig-oauth-token-request"</t>
        </li>
        <li>
          <t>The <tt>created</tt> value of the signature is too far in the past</t>
        </li>
        <li>
          <t>The <tt>nonce</tt> value is used more than once within the validity window of the signature</t>
        </li>
      </ul>
      <t>When issuing an access token bound to a key using HTTP Message Signatures, the AS associates the granted token with the key used in the requesting signature. All presentations of this token at any RS MUST contain an HTTP message signature as described in <xref target="presenting"/>.</t>
      <t>An HTTP Message Signature bound access token MUST have a <tt>token_type</tt> value of <tt>httpsig</tt>.</t>
      <artwork><![CDATA[
HTTP 200 OK
Content-Type: application/json

{
    "access_token": "2340897.34j123-134uh2345n",
    "token_type": "httpsig"
}
]]></artwork>
      <t>The client MUST associate this returned access token with the key used to make the requst.</t>
      <t>[[ Editor's note: we should define confirmation methods for access tokens here, including JWT values and introspection response values to allow the RS to verify the signature w/o the client's registration information. Leaving the following sections as placeholders. ]]</t>
      <section anchor="encoding-confirmation-in-a-jwt">
        <name>Encoding Confirmation in a JWT</name>
      </section>
      <section anchor="returning-confirmation-in-token-introspection">
        <name>Returning Confirmation in Token Introspection</name>
      </section>
    </section>
    <section anchor="presenting">
      <name>Presenting an HTTP Message Signature Bound Access Token</name>
      <t>HTTP Message Signature bound access token MUST be presented in an HTTP Authorization field using the <tt>HTTPSig</tt> authorization scheme.</t>
      <artwork><![CDATA[
Authorization: HTTPSig 2340897.34j123-134uh2345n
]]></artwork>
      <t>Note that HTTP authorization schemes defined in <xref target="HTTPAUTH"/> are case-insensitive, and so all the following are equivalent:</t>
      <artwork><![CDATA[
Authorization: HTTPSig 2340897.34j123-134uh2345n
Authorization: httpsig 2340897.34j123-134uh2345n
Authorization: HTTPSIG 2340897.34j123-134uh2345n
Authorization: Httpsig 2340897.34j123-134uh2345n
Authorization: hTtPsIg 2340897.34j123-134uh2345n
]]></artwork>
      <t>When presenting an HTTP Message Signature bound access token to an RS, the client MUST include a signature compliant with <xref target="HTTPSIG"/>. The covered components MUST include:</t>
      <ul spacing="normal">
        <li>
          <t><tt>@method</tt> the HTTP method of the request</t>
        </li>
        <li>
          <t><tt>@target-uri</tt> the full request URI of the request (note that this includes the scheme, authority, path, and query)</t>
        </li>
        <li>
          <t><tt>authorization</tt> the access token value being presented</t>
        </li>
      </ul>
      <t>The RS MAY require additional components to be covered by the signature, and the client MUST include any additional fields or components of the HTTP request that are relevant to the security of the RS. For example, if the API being served by the RS declares that incoming content type makes a material difference, the RS SHOULD require signing of the Content-Type header in addition to the above.</t>
      <t>The request MAY include multiple signatures to serve different needs.</t>
      <t>If the request includes an entity body (such as a POST, PUT, or QUERY), the client SHOULD calculate the digest as per <xref target="DIGEST"/> and also sign the digest header (such as Content-Digest).</t>
      <t>The signature MUST include the following parameters:</t>
      <ul spacing="normal">
        <li>
          <t><tt>created</tt> a timestamp for signature creation; this MUST be within a small number of seconds of issuance (e.g. 30 seconds to account for clock skew)</t>
        </li>
        <li>
          <t><tt>nonce</tt> a random unique value that the AS can use to prevent signature replay within the small validity time window</t>
        </li>
        <li>
          <t><tt>tag</tt> a string indicating that this is being used for requesting a bound token, MUST be the value "httpsig-oauth"</t>
        </li>
        <li>
          <t><tt>keyid</tt> the <tt>kid</tt> value for the key used to sign the request</t>
        </li>
      </ul>
      <t>The client MUST NOT include an <tt>alg</tt> signature parameter.</t>
      <t>For example, the following signed request includes a signature with the needed parameters:</t>
      <sourcecode type="http-message"><![CDATA[
NOTE: '\' line wrapping per RFC 8792

GET /foo HTTP/1.1
Host: example.com
Date: Mon, 20 Apr 2026 02:07:55 GMT
Authorization: HTTPSig 2340897.34j123-134uh2345n
Signature-Input: sig1=("@method" "@target-uri" "authorization")\
  ;created=1776650875;keyid="j-0Ny45NWmqGq6G4UxLjGjNuloktugtOW4jfGCCg\
  efQ";nonce="k9Jyxempel2305Nmx7Rk";tag="httpsig-oauth"
Signature: sig1=:kFJC2WoBbrQc8tsKiowIb8oeIA533qmKvzdKf8kndJ7kaLxGmm2v\
  9+IPB8kLE0WUea8KryJGSV7ji1apLkeKBg==:
]]></sourcecode>
    </section>
    <section anchor="validating">
      <name>Validating an HTTP Message Signature Bound Access Token Request</name>
      <t>In order for a request protected by an HTTP Message Signature bound access token to be considered valid, the RS MUST perform the following checks:</t>
      <ul spacing="normal">
        <li>
          <t>The presented signature validates using the key associated with the token</t>
        </li>
        <li>
          <t>The signature validates using the algorithm associated with the key</t>
        </li>
        <li>
          <t>The <tt>created</tt> value is not too far in the past (e.g. 30 seconds to account for clock skew and network delays)</t>
        </li>
        <li>
          <t>The <tt>nonce</tt> value has not been previously used within the time validity window of this request</t>
        </li>
        <li>
          <t>The <tt>tag</tt> value is "httpsig-oauth"</t>
        </li>
        <li>
          <t>The covered components and parameters include all items enumerated in <xref target="presenting"/></t>
        </li>
      </ul>
      <t>If the request includes an entity body (such as a POST, PUT, or QUERY) and a digest as per <xref target="DIGEST"/>, the RS MUST validate the digest.</t>
      <t>If the request includes multiple signatures tagged "httpsig-oauth", all signatures MUST be validated.</t>
      <t>For example, to validate the request:</t>
      <sourcecode type="http-message"><![CDATA[
NOTE: '\' line wrapping per RFC 8792

GET /foo HTTP/1.1
Host: example.com
Date: Mon, 20 Apr 2026 02:07:55 GMT
Authorization: HTTPSig 2340897.34j123-134uh2345n
Signature-Input: sig1=("@method" "@target-uri" "authorization")\
  ;created=1776650875;keyid="j-0Ny45NWmqGq6G4UxLjGjNuloktugtOW4jfGCCg\
  efQ";nonce="k9Jyxempel2305Nmx7Rk";tag="httpsig-oauth"
Signature: sig1=:kFJC2WoBbrQc8tsKiowIb8oeIA533qmKvzdKf8kndJ7kaLxGmm2v\
  9+IPB8kLE0WUea8KryJGSV7ji1apLkeKBg==:
]]></sourcecode>
      <t>The RS determines the key bound to the token and validates the <tt>kid</tt> value against that key. The RS determines the algorithm from the key and performs signature validation per <xref target="HTTPSIG"/> on the</t>
      <t>In this example, the client has a key with the <tt>kid</tt> value of <tt>test-key-rsa-pss</tt> which uses the JWA <tt>alg</tt> value of <tt>PS512</tt>. The signature input string is:</t>
      <artwork><![CDATA[
"@request-target": get /foo
"host": example.org
"authorization": HTTPSig 2340897.34j123-134uh2345n
"@signature-params": ("@request-target" "host" "authorization")\
  ;created=1618884475;keyid="test-key-rsa-pss"
]]></artwork>
      <t>This results in the following signed HTTP message, including the access token.</t>
      <sourcecode type="http-message"><![CDATA[
NOTE: '\' line wrapping per RFC 8792

GET /foo HTTP/1.1
Host: example.com
Date: Tue, 20 Apr 2021 02:07:55 GMT
Authorization: HTTPSig 2340897.34j123-134uh2345n
Signature-Input: sig1=("@request-target" "host" "authorization")\
  ;created=1618884475;keyid="test-key-rsa-pss"
Signature: sig1=:o+Fy/a6IIWhHwnMFhsHqfXEpheWGBMOU3pheT50zA8rL5F8Nur\
  xBKAPylMGBWYCKH5Bd+TB0Co6vqANlXyOCM9Zr5c/UmR5WGex5/OgJJmfN7gOVOH5\
  pB2Zxa233xsohfwo9liBlctukN5//E3F04rKjIkoeTFJiS+hMcOzn29esgFSEl4Jy\
  oO5Q8snMIsC56ZAPYwU7rJis1Wvl6Y9/9tpW6gIn/SHwArhPQSAb0zZy6mCiw654n\
  CaKw5NYJ9S0DZlnV4T7nJtdZsHOkddF6kH4WVka3ev0xONI5kYkEdR1Gw0VAE9thi\
  p+3/aFoUVTJ/1J6JfehZpXqehwv3KNoQ==:
]]></sourcecode>
      <t>An RS receiving such a signed message and a bound access token MUST verify the HTTP Message Signature as described in <xref target="HTTPSIG"/>. The RS MUST verify that all required portions of the HTTP request are covered by the signature by examining the contents of the signature parameters.</t>
    </section>
    <section anchor="Acknowledgements">
      <name>Acknowledgements</name>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <t>[[ TBD: register the token type and new parameters into their appropriate registries, as well as the JWT and introspection parameters needed for confirmation methods. ]]</t>
    </section>
    <section anchor="Security">
      <name>Security Considerations</name>
      <t>[[ TBD. ]]</t>
      <ul spacing="normal">
        <li>
          <t>All requests have to be over TLS or equivalent as per <xref target="BCP195"/>.</t>
        </li>
        <li>
          <t>Leakage of a private key alongside a token allows for re-presentation of that token.</t>
        </li>
        <li>
          <t>Insufficient coverage of a message allows a signature to be attached to a different message.</t>
        </li>
        <li>
          <t>Failure to check derived attributes allows a signature to be replayed.</t>
        </li>
        <li>
          <t>Signatures could be replayed outside of their vailidty window if not checked.</t>
        </li>
      </ul>
    </section>
    <section anchor="Privacy">
      <name>Privacy Considerations</name>
      <t>[[ TBD. ]]</t>
      <ul spacing="normal">
        <li>
          <t>Re-use of a public-key for tokens at multiple RS's can allow tracking of a client/user combination based on the key identity.</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <referencegroup anchor="BCP195" target="https://www.rfc-editor.org/info/bcp195">
          <reference anchor="RFC8996" target="https://www.rfc-editor.org/info/rfc8996">
            <front>
              <title>Deprecating TLS 1.0 and TLS 1.1</title>
              <author fullname="K. Moriarty" initials="K." surname="Moriarty"/>
              <author fullname="S. Farrell" initials="S." surname="Farrell"/>
              <date month="March" year="2021"/>
              <abstract>
                <t>This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.</t>
                <t>This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.</t>
                <t>This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.</t>
              </abstract>
            </front>
            <seriesInfo name="BCP" value="195"/>
            <seriesInfo name="RFC" value="8996"/>
            <seriesInfo name="DOI" value="10.17487/RFC8996"/>
          </reference>
          <reference anchor="RFC9325" target="https://www.rfc-editor.org/info/rfc9325">
            <front>
              <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
              <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
              <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
              <author fullname="T. Fossati" initials="T." surname="Fossati"/>
              <date month="November" year="2022"/>
              <abstract>
                <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases.</t>
                <t>RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t>
              </abstract>
            </front>
            <seriesInfo name="BCP" value="195"/>
            <seriesInfo name="RFC" value="9325"/>
            <seriesInfo name="DOI" value="10.17487/RFC9325"/>
          </reference>
        </referencegroup>
        <reference anchor="DIGEST">
          <front>
            <title>Digest Fields</title>
            <author fullname="R. Polli" initials="R." surname="Polli"/>
            <author fullname="L. Pardue" initials="L." surname="Pardue"/>
            <date month="February" year="2024"/>
            <abstract>
              <t>This document defines HTTP fields that support integrity digests. The Content-Digest field can be used for the integrity of HTTP message content. The Repr-Digest field can be used for the integrity of HTTP representations. Want-Content-Digest and Want-Repr-Digest can be used to indicate a sender's interest and preferences for receiving the respective Integrity fields.</t>
              <t>This document obsoletes RFC 3230 and the Digest and Want-Digest HTTP fields.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9530"/>
          <seriesInfo name="DOI" value="10.17487/RFC9530"/>
        </reference>
        <reference anchor="HTTP">
          <front>
            <title>HTTP Caching</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.</t>
              <t>This document obsoletes RFC 7234.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="98"/>
          <seriesInfo name="RFC" value="9111"/>
          <seriesInfo name="DOI" value="10.17487/RFC9111"/>
        </reference>
        <reference anchor="JWK">
          <front>
            <title>JSON Web Key (JWK)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7517"/>
          <seriesInfo name="DOI" value="10.17487/RFC7517"/>
        </reference>
        <reference anchor="OAUTH">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="OAUTH-BEARER">
          <front>
            <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6750"/>
          <seriesInfo name="DOI" value="10.17487/RFC6750"/>
        </reference>
        <reference anchor="STRUCTURED">
          <front>
            <title>Structured Field Values for HTTP</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
            <date month="September" year="2024"/>
            <abstract>
              <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields.</t>
              <t>This document obsoletes RFC 8941.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9651"/>
          <seriesInfo name="DOI" value="10.17487/RFC9651"/>
        </reference>
        <reference anchor="MTLS">
          <front>
            <title>OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8705"/>
          <seriesInfo name="DOI" value="10.17487/RFC8705"/>
        </reference>
        <reference anchor="HTTPSIG">
          <front>
            <title>HTTP Message Signatures</title>
            <author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Sporny" initials="M." surname="Sporny"/>
            <date month="February" year="2024"/>
            <abstract>
              <t>This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9421"/>
          <seriesInfo name="DOI" value="10.17487/RFC9421"/>
        </reference>
        <reference anchor="DPOP">
          <front>
            <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Waite" initials="D." surname="Waite"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9449"/>
          <seriesInfo name="DOI" value="10.17487/RFC9449"/>
        </reference>
        <reference anchor="RAR">
          <front>
            <title>The Time Zone Information Format (TZif)</title>
            <author fullname="A. Olson" initials="A." surname="Olson"/>
            <author fullname="P. Eggert" initials="P." surname="Eggert"/>
            <author fullname="K. Murchison" initials="K." surname="Murchison"/>
            <date month="October" year="2024"/>
            <abstract>
              <t>This document specifies the Time Zone Information Format (TZif) for representing and exchanging time zone information, independent of any particular service or protocol. Two media types for this format are also defined.</t>
              <t>This document replaces and obsoletes RFC 8536.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9636"/>
          <seriesInfo name="DOI" value="10.17487/RFC9636"/>
        </reference>
        <reference anchor="PAR">
          <front>
            <title>OAuth 2.0 Pushed Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="D. Tonge" initials="D." surname="Tonge"/>
            <author fullname="F. Skokan" initials="F." surname="Skokan"/>
            <date month="September" year="2021"/>
            <abstract>
              <t>This document defines the pushed authorization request (PAR) endpoint, which allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9126"/>
          <seriesInfo name="DOI" value="10.17487/RFC9126"/>
        </reference>
        <reference anchor="DYNREG">
          <front>
            <title>OAuth 2.0 Dynamic Client Registration Protocol</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="M. Machulak" initials="M." surname="Machulak"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="July" year="2015"/>
            <abstract>
              <t>This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7591"/>
          <seriesInfo name="DOI" value="10.17487/RFC7591"/>
        </reference>
        <reference anchor="JSON">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="HTTPAUTH">
          <front>
            <title>Hypertext Transfer Protocol (HTTP/1.1): Authentication</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application- level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7235"/>
          <seriesInfo name="DOI" value="10.17487/RFC7235"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-oauth-signed-http-request">
          <front>
            <title>A Method for Signing HTTP Requests for OAuth</title>
            <author fullname="Justin Richer" initials="J." surname="Richer">
         </author>
            <author fullname="John Bradley" initials="J." surname="Bradley">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>ARM Limited</organization>
            </author>
            <date day="8" month="August" year="2016"/>
            <abstract>
              <t>   This document a method for offering data origin authentication and
   integrity protection of HTTP requests.  To convey the relevant data
   items in the request a JSON-based encapsulation is used and the JSON
   Web Signature (JWS) technique is re-used.  JWS offers integrity
   protection using symmetric as well as asymmetric cryptography.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-signed-http-request-03"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-client-id-metadata-document">
          <front>
            <title>OAuth Client ID Metadata Document</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Emelia Smith" initials="E." surname="Smith">
         </author>
            <date day="1" month="March" year="2026"/>
            <abstract>
              <t>   This specification defines a mechanism through which an OAuth client
   can identify itself to authorization servers, without prior dynamic
   client registration or other existing registration.  This is through
   the usage of a URL as a client_id in an OAuth flow, where the URL
   refers to a document containing the necessary client metadata,
   enabling the authorization server to fetch the metadata about the
   client as needed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-client-id-metadata-document-01"/>
        </reference>
        <reference anchor="SIGNED-INTROSPECTION">
          <front>
            <title>JSON Web Token (JWT) Response for OAuth Token Introspection</title>
            <author fullname="T. Lodderstedt" initials="T." role="editor" surname="Lodderstedt"/>
            <author fullname="V. Dzhuvinov" initials="V." surname="Dzhuvinov"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This specification proposes an additional response secured by JSON Web Token (JWT) for OAuth 2.0 Token Introspection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9701"/>
          <seriesInfo name="DOI" value="10.17487/RFC9701"/>
        </reference>
      </references>
    </references>
    <?line 409?>

<section anchor="history">
      <name>Document History</name>
      <ul spacing="normal">
        <li>
          <t>-02
          </t>
          <ul spacing="normal">
            <li>
              <t>Editorial fixes</t>
            </li>
            <li>
              <t>Added example of client registration metadata parameter in CIMD</t>
            </li>
          </ul>
        </li>
        <li>
          <t>-01
          </t>
          <ul spacing="normal">
            <li>
              <t>Added key binding semantics</t>
            </li>
            <li>
              <t>Updated references</t>
            </li>
            <li>
              <t>Updated presentation requirements</t>
            </li>
            <li>
              <t>Added appendix for potential future work</t>
            </li>
            <li>
              <t>Added some basic security and privacy considerations, to be expanded upon group discussion</t>
            </li>
          </ul>
        </li>
        <li>
          <t>-00
          </t>
          <ul spacing="normal">
            <li>
              <t>Initial individual draft.</t>
            </li>
          </ul>
        </li>
      </ul>
    </section>
    <section anchor="potential-other-work">
      <name>Potential Other Work</name>
      <t><xref target="HTTPSIG"/> provides a generic mechanism for signing arbitrary HTTP messages, both requests and responses. While this specification is focused solely on OAuth access token issuance and usage, <xref target="HTTPSIG"/> could be used in other places in the OAuth ecosystem and this appendix exists to capture some of those ideas.</t>
      <section anchor="client-authentication">
        <name>Client Authentication</name>
        <t>Similarly to <xref target="MTLS"/>, <xref target="HTTPSIG"/> could be used as a generic client authentication mechanism for the client calling the AS for any authenticated call, including token PAR, the token endpoint. Since <xref target="HTTPSIG"/> allows for multiple signatures with different usage parameters (including <tt>tag</tt>), this could be layered on top of even the runtime token request key binding, allowing a client to use one key for authentication and another for token use.</t>
      </section>
      <section anchor="as-responses">
        <name>AS Responses</name>
        <t>Since <xref target="HTTPSIG"/> can be used to sign responses, an AS could sign its responses from backend endpoints (including the token endpoint, revocation endpoint, discovery endpoint, introspection endpoint, etc) with an issuer-based key, providing a layer of protection in addition to the TLS transport. Signed response mechanisms like <xref target="SIGNED-INTROSPECTION"/> could be replaced with this method in many use cases.</t>
      </section>
      <section anchor="non-repudiation-of-requests">
        <name>Non-Repudiation of Requests</name>
        <t>Since <xref target="HTTPSIG"/> allows a signed response to contain elements of the request that triggered the response, an AS or RS could use this mechanism to provide non-repudiation of a response to bind it to a particular request parameter set.</t>
      </section>
      <section anchor="par-key-introduction">
        <name>PAR Key Introduction</name>
        <t>Keys for this purpose could be introduced during a <xref target="PAR"/> request phase, as part of the call to the PAR endpoint.</t>
      </section>
      <section anchor="accept-signature-support">
        <name>Accept-Signature Support</name>
        <t>The <tt>Accept-Signature</tt> mechanism in <xref target="HTTPSIG"/> allows for runtime discovery of not only the applicability of signatures but also the expected coverage, for particular uses.</t>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1c6XLbSJL+z6eolWOm7WiR4iHqYK93mrqpg5JJSrLVnrBA
oEhCBAEYAEXRCs+z7LPsk20eVQWApNx278xG7M50dHRTAKoqK88vs45isVhI
3MSTDfHTZXOajMRVFAQDAf9eBXEs49gNfNELxtKPxcyF9ye93pW4gBfWUIqu
O/StZBrJ+KeCE9i+NYGOnMgaJMXItUcyKgYWdFocJUkYu8NiuVqwrUQOg2je
EHHiFApuGDVEEk3jpFou78J7K5JWQ3SlPY3cZF6YBdF4GAXTsCEum9e9k8JY
zuGZ0xAtP5GRL5PiAY5XKMSJ5TufLC/wgYa5jAuh2xC/JYG9LuA/ru9IP1kX
cRAlkRzE8Gs+UT8SoBVe2cEktNSPCXwMr1zfc325LmBuEysMXX/410IBZxRE
jYIQRfggbojTkujQbOGREMyEU5iR62efB9HQ8t0vVgIcbYiLwB8GB3v0Rk4s
12sIVyaDXx+oXYm5V4I29EUUoISk4yZBlI7bLIkrYJc9djMDN60IJJZ9nh/4
cpxY2VEt/P7XkL8vwdQLBT+IJvD1o2zQh3v7V5XdOv8+aB0fdnsN0Tna363X
yvQMNYKfVCoVenJ6e0YPtuuVbXpAoqNHW9ubu+mj4t5hs3PYUW/q3F+317ne
7113Dg+4160693rRO+/Sk53tct2M3G0d82ebVf7s4OpSkbOphuo0O6qn2hY9
uNIPKlV+cPCh3Tk8VjTvqkl0L9s8XLW+a4YzE9mu1uqgvv4gz6xW8aCEglSK
D0rvS4f0vxjJz1MZJyu/sz0XNK7oOsWJTCzHSqwi6NwU1ZC/h2m2Dw+KrXav
c9m9OtzvtRR1u9vlSqFQLBaF1QdNBgUuFHojNxbyKQGjRfNNApGMpGD7rpbK
gjVYqYQYRKA4aGfCkQNQ91hYAqgYBY6AyYlpDGpfeMHsse8+2JawbBtewp/k
KeAp2GksRtJzRH+eGZonGpeY5InrOJ4sFF6hNUeBM7WRIpxAltyUwDAKHl0H
hmX6YiJQdYmDDmUCk/DkEJzMIk2DKJgIyy/kJx/L6FFG1A9/DpPFYRJpYxcw
xWAawXMgmAnKd2pbvuhL+BfsJ1IP18HiRD+YAleAJEs8WhFIeo4+dSLtEdhi
PInBgm1v6uBok2kytTwB2r0OyhtcUfsAJBYBITKGuTGpaeNSYS87oIDfInYn
oSdxRPqBmiP600RYXhyIkfUoSQdQH92BC2QnMHX2seDdZqAojgQKC5bnBTOk
yvLn4EnFbBTAhyhoaJ2dO440jbFXK+EnwKLnZ2WSX79mlGkofQkOLZ0ANwId
hQ6ISUgWRxZlJNDMJ+6HgR8T90mn41DaRD4xRI8wkZb/DU20UBeNKuI8WGPW
4Y2ayjyUhUfLm8r0mR6bVAP6pUGBL0S6/sjlwRMaXPJ0KEpmGFHICnGd5pWz
L/Ua+2alyU/AXWQM2WN2AM0cshAMYix9ZmF/6npgJ8At+RSCFKRvS00iekoQ
FH72/Ize9etXoA86kp4H/y8YRSLSY1Tg5+ffd3DUC4jKBeVCxYYJOhKnFETs
ity4kBckUsAKj96UBmJjCxGMFOHfMAUjOE2Y8sffPv4mDiki/hQLHwy2AYSL
mZLGEDwyKMij9AKYNhiqBxYjhlPXsZAD2M8oVWLipTsUj3GJTJB+TIAj9EMZ
G/6cgfQlOgzpQbOPf/0IeODVK9GT0cT1Ay8Yztl5ocYhTInF2sV1t7e2zv8X
7Uv63Tl8d92CAIe/uyfN83Pzo6C+6J5cXp8fpL/SlvuXFxeH7QNuDE9F7lFh
7aL5YY3VbO3yCsNE83wNtQj5LnRQIZfBSusijgIZkceMC+Bd7cjtwx/QBkL/
f/1nZRPE/m8QaqqVyi7oC/+xU9nehD+Qizxa4Htz9SeIcl4AvIQsh17Ap4Cj
DN0EfBEpWDwCjwMWGclS4d//ghBLFLf+8h8FpciGSDsA3QOoA+L1iwaVgCZb
qJmkJwBcEheUDClg3U9YnGBiFKxgRIzkiPIgumDMWhfXnXP4LyhrNKdG4OgI
7mHMWs9oo1SWVBLdYJIZF1UGNBzsED1uBDiKrNeyx7FnxSPx08efyBGz15CC
ZjiLGEGS0QNKBW1Dj8McAR3VfN3erYJNC9Si+4/3AlwmBnV4j3SBFlPMiAGp
SjJr6hak5bGzBbGCLRBbkD3o7WiYEgbZDhsou/cXkLzYIyfUZCdEyF88v0LP
Cs2+goS0m/WXwgE5WpK+aHaFL6XDSMAPZqAYgGjJLLSfhv/zQw4e4hsOPpkF
BMopCHLgd2QoiSTkAY7Iw6kps4NvAMgQTZA89GZrl0v+m1sT/5Ak0CtwjahF
jyBLqw9SRZlkeMgdghMeugiyCKVg39EUPDeoRrZzCqEY91Qj0gRGNzI/nAPx
l0KKNEGHBCTCkRVL9reEkyGKFJopRS449ywp6+lg5GWM4jGDFXFuAo4fTBG0
d11FEemSniMB9ypH+wQUflLi/sQt71dNX2igilQBPkMNZXk54nVv7+ANWj6E
i2a7qdyEGvNgDokKyGOf++xk+3wNQYmg+NevbxAFqW9aB6CnarQD7RxeL8Wi
b4Bo6I9g1aNroeYGU+JjH02K5/hCRHGCbFCxHNL7Znej0101f4VkQLLxNAwh
0yRblxYqOUCMv6iAsWqgZkQADf4LwEujPyvBFJe0GvXGzWBkJAvc6NRDtwcB
6S+iJUKYFaQ27Oyho5BM5Al12aJhSmnEuopkMcd6GOMMIfvzK4gFLGgZodpp
4cPjon6OckQlJJCPc8wCP6U8WhUR5jL45DlktBfGccT9w2wc37OXQhFNrLFE
XU1tkZA7tqJPP4HR3AuYWRgAQ9hRQsLJwxHQtcT92AWtHbiI+VDGeauwGAaj
F/SGkAoko4mm6x6eqIbcM9IM6odzxCmE074HuotPCezh8xf86CowR3RgzMVi
BPg56IGNImeB1PITt/xELT9l5qOky1L5KTZ6+F0arPijRMod6rllmIJywEoE
xptHg/GNEDGgk9MC10eKF8kBq/9YyhCFp4iEj7XONXMKBBPHjgCrIDtAIBDl
4BmkJABExOt4CiZjxSr/lAQiIGBdNPfZwJDBYNCY32QkYkfzMAmGEBBHc4Tm
GWAEzGkDO3gmKSFK9zGLC2zIhlSsgPnNkQUOuyr609DUnxsIbnwVxXCK6Vac
qjqYHYBe26VklDB3TnD3/OsTirYvYapyRSTADMNyKHyD1R4yAlnlOzOWitMh
tsQjQ4w2SuOs4myIs5aB/TedqcAy25ByRmOX98ixjIUyuimJI3SBTHcmThl2
ZLnAPoDtoLGxwW9KqjHWptQjQ1LpIQ78e0Da6AezUx4EOo9NEW/C0gfwt76U
0IHKgp6hn1zWUoARf/vb3wQOVXimYsyaoXmtIdZ+kFzA6Nk+sGqHveRFqz9C
dsJbHpaeoMuFJ7+ZJ/jPc+4v/i6ZY7eXZ1eqr9xbmCy+BWNa9daOHokkp1qv
V3ZXfTHmqT8Uy+35Zr19O/l8/Hnr+N2qT5/wQ3cqJ/bDp+NR52Ty4dN8P77w
Dtphbe/d8OruwDkul2868fDT3vC6Fq/qA1wSE3TQba7lXn81f/2Vfn1VjPu2
L/0G7Wsv4yBslQmO0lkrfEXV4BSQzFYhbAyluZIWhFUFFSGktnxobjmUviwE
VQWhrawpp+BRhdyXcaNyuzHolBhAJkLJdWxS/RInp1moqKoP1HXGlaqOTDQr
nlEJBTxRlI2OKiLFJp3o6izLEUf0DlK42OWUg/zMnutbkHWxpav8Ts+lP0+k
gfDPz5i2gauJCSu7XyRWKSDQwyOsEujvsoBaze8baCAN6joUW9lpv0aw4CtU
jL7AfUTAgK98rBAuxCl4/mYlAPEVkOBpsodR6CNW8INBggEgQHrOUeadGHaf
krnCIS1Z+7KFr7bq37HkP2q9CxarzGSfq6XStwOHC3/5aebVjZWLWfg64ZI2
+0jlqtWCjcrvlZpwRCeWR3IC0DjGLAj4jhnzG2YdFlkOG5Sm51NzTMMhBxeY
hBcKOXIaoiHnp5FzMnYv3dOrbqXpnu+fVuzqNf79xbq18e8H2/+Afx/dHbQq
7d5hvfUR+OHOXKvqjVsPgWu55VnPH5fb1/X3/fdHJ3bv7qR9dLPZOw5PrHG9
0j/ehTFufOdw9337OJx0yu2Du+rNBLu57rbilj/E/kPn9ib5UA0Hneqo2z2u
3L2veQd2uRJ3Duuzi/Jp566yZ3WOOycXB3u3137bf18+9W96bezmSwvo+XD7
5CM9ndvO4XX50B28e/u2wVJahSKJ/WjnwFSCQ9ZsPLMigDUWZfQsUngNmloS
t2jaGJKTiPN9aDSGfATRBkqcBIbgjTIeHgTaVhoVMOUQW6x0JliZJI8YScRn
fmYgAqsh9ygmrs/YmsYB94mlCVzlwyKN+sYJpphafJ4GaJIMILCEoIpiMrat
UDqqKuEyqAMwDKP0wXNDwkW1yJYa3sby0DRkVBO5w1ECU5pl0q18dIBgoEql
7LDYCduU8b9cmDGQKbGGJllQaI3CgC7A3mecDUP31Om7sQ4WHG70OoUqwciF
OgInb5YupmU8l3K/eiRCSuDEmg4oDrAGlWQ9OzB1CFDannqUg/lOLjd03CFy
RvWq41k/cOa5TzEvZGHsQ+xAbHXADVVs0hUIqj3wYiWFvQUQigGkqN1QbrBc
vPohbwF5B8A5zPPf5paYPuEof8b/vO2G3pN3uSfv3r370P/Q3bp96vZbzY+F
P4OKu5G0E0TOb0myf6o1/1Q9gn+ZfX+qHiry4RdoG77os7nesgaCiSVywZ+u
5JGaVP5dAyNbsVrfetvYHBx+6dz0jj8P7obb3ufBhlMLnt5Pd2rb4WO/dl4+
blc3fz6q3IzvxtpjmMxDJ7OuXqFjsdPyTopWdO5uOL+0pJHqOrA6CiAOqzCs
dBQrHtLJ1G5z+kp1v/tfdfEKu1EVYSIpr2P0aWJFQ5kUKW8hFk4hw9XUXXda
i3r52jfJJHtGHpg1M7ZHcoJqxlqQgB2EVjLiwjIVnd/goLYSAGv+/e9YAaDG
QQ45qAxT4Tes3SemGmlhfTRTxn9+1uDzq7LJ72GgGasIYzF92mQWyyB6CY+Y
oRlb+A5R5TNi5BgWRmxV1XQHaRWoJIABrCgkzD0rdnFrx8jVC4DpiirllTkj
1PCPiUq5uERLajxppszsYAsDfbKo7hEnYI5UoEh7o09gtF+YLA0xUZmxgiHi
CVZO/OmkD54DhAwwMvC5au3G8ZRWpl7L0rAkamXzEqOXDWHGT9Rqd2CPRTyW
M9IiP4BGSBN4HyeYiKnvAvezwFOV4zFu0nptgDrziNaaEh7J0INArgglJSZS
oRvXwSViUitgixPMcFSIQPdpTF1MpjVY6Et8ZOpkL8WddcMos1phsrBV4W0N
KQDVc5VtM7zndrqWpRcaZDq8roAYP/QL6pdxXDJekfpTkYQMKFsUVUbEIxLt
kIDYo+8r4lErGjpTJ3rJilfZ7uphqW/lNzBbWJnAkQ0smkBaA9VigCDhPiLX
sO66HOR5aYrym7SXtAiu1zk18xEU+Aa6a5+msP9CQHjNBm5pHhTVhg9HLeFH
8g0pshcEYwjG4wWbVYkRLUYrxFK4ugRyNngcdBwblVKlcBJQyKO9H9mCTaGZ
dRoNdjLC/nK3bx13ulbtqHzxJfRvD44m7ybwu3p6a+JoDwJ/A8OVp9zXxlNx
NpsVCWpMI0+5zn/CpOLvhDRSxrV8QPoNVL7K29drKs6vibVMGIe/8vF1TSCV
a7mYBh/lgsTam1+Uk39b2ars7Oxsbm7XsNkv5G3eLibJm9dP5w/HD+2pF4yT
6TC5vN18GBzv7w/l4N0atSPv/HatXxtXw7A+3v5SrJeH/vtKv7y19gs40bff
9nNmymqyjebt/En2o9Ot6c7+hVveq/Xm73ePK8e1973N+vVt/UvL35mM4vl7
Z/LQu06Ouz9XLpCQ9+7cOXusfykfn+9HF6Ob7pHc2q08HO3uHHTa7e5Vc4iC
+uMQ9s8fC/8TCPtKtCD8/YFlaZebqTQKohw5H4paGg0vZSz5ihkXv8jN6t0r
whripgOOnJmVGlr5wKA1yjrN5RK/lahcqJfBcETYALAMfwXzlFGEO4sGvOA3
WEAftBxBwEMXrLBQTGiOfT24Qcya+9gIOYN9qUR6xaJDJvayNLhj4ArCJ156
wEUQP8uwXML5exGZgoLBSGo1b7AgAkykgwD4EOkAFVpxolsrLMNt9e6wLHG2
zEIUA04YlyyNBqnRiPZoGdXKbVjI7NBjHGug5fI2R7OpwfCWoT4ZjFQ4JuWX
wcWK0gz3DXUl0fS83AY/Vfp0NYG4lQBUo6O0WhVLjYksp+TLsD/dW0ZZcPNF
61perMxXUBnAoGfIyFZjnfsSp5TUd7VcFpdn3wiLVLbUdcssPsJ6YbW2Wd7Z
3S7VNh8q1VqxUtucjuBZ3ayapISYpRd3aAqMiwUMIy6dmcBk/YWdoSvEBkpB
q9BadnHy8oYztQjPhQcU0sClfUqZvSrp5lK9DoyWt55JWE5ve2q9TFU7kijA
rTDUjdmJqL5AlUU3QeSBdsDfAGPcwXzB2GYbQT69yq15mp3LWEc7l9ajxsap
D4qZAF4p9CxbjgIPsGGcqWsdIqpRpYZ04pTswJzokw4xfdU37MVb2cliLLhK
N0T+YDjIqHvhhR3LL2p6X2ZQeMbMmvm90lSTzqzZq52D9wt7qrkGoOxiAVTq
zYYv6jrrcrpeTXSs6j/O17v0/nQMYZiNWrEsQiDDXeC4b44LEHFglu9TSePn
oOcuaBjvm/pDZC80UMb5/Q1U+ecHGvzoCKNechW3fpf1FDfC71HDFdqE5umD
XS5XP9NyaqZkgHsWXUuviGe39f7/KXUtlGKSxa3kHFG4XGCMkL05Rr/mB6LG
xRBnystZjnCmr1nVX3CE6wa1rRQGhNhMrwNeaMBCS9q/Ykl2H7ba6ke1E08+
qu01NK7eVq9adboLeyBU6t+8aqkpUx5q6IYZO9L2rEhX74HSYELIjWMq7SWj
AEUnNcxmQncwgPkDSFrX/aitw5p5eoOPIiwbonX9HB2fYoaej9UHvi6iWRCJ
ZuBk6iUupvaG4SQQmpQhKuH9mSUqY2bVy6gTImKwNuAb1eHNdhtLYAa/Lq6u
e7SD7931YefDm5xxqWmmiwuZUqrZW6sXA3gDPh6KMFVpJ7eEYEbO561v/lU7
/D9ZO/zeauFCHVsulLEzngNrW6n3eLkS9u0lfT44scIOViVgaDxYds+q1VKl
6/uWqY4Pe2JjEASLxbBsFezAQnB7gSX4alk0wwj+V90S5WqjvN2o18XxRe/H
0cGP1m8WSjNUTzHlme3tra16eWe7/qOlGewGyzO6NDPePZ0/yUkovWqtXG9P
nrY741WlmRXFmPHR6X71NtjrR+/snSQ+c4NZq78TyFazXqt9npw9fnHOBjtj
3zndHlvnT8eTSfURh9/9uXW1tzM+PyzfXktr5yyanx53b7Yf3IoVno/l2d7Q
LMW/Ejdcy/hhMJwuNT+aHmjrEfhQRx94S/ebmwNv/fkPox0KvXSADKMvDWci
EO8xkhHt2MkbAEAHexybEkcKvlP914WcOIO4qQqzosJB5Ki+vt3Dt2o31P8L
1QxVXllRwPgBxyt4h1GizluC54zfrKx/jCweri8Ziz66wTT25ukZMzU+edeV
pZDMUpwagFyvmcyyn3wBcCLJmX2jxveBk3cTOYkhcE8nMrKSVWWHv1fEVwfn
XgrreY3LVQC5yTegx0oEYw2HMJ0FHq3TpDOf6eijB3SWnH6QJ8YcAv6X//4n
8N89jecTOiAo083hpvqYlqRRwVN/tYhV0qK0qi+L1Z2n3s0s3+nCtfLD8bJ/
RLjP9pRuweBzVRQyspvvcsh7ROZKhx3Nfu4MzVgjhLkkuNhSjGKrGMbxvTqU
RCuuvFrZzO2WxEZX3Xqlel9acOYu6p0BjgoDFdZ+VTZVZPVba9AxcLSRwtoI
bGMtNQ68T2FBMb9H9dd+TdeNyBHiDuzXSwMLHu53VF+vLBnVX+TQmtYdcuAx
OKdYB5sl+JitBGcLiospdul/wd/08Ph06m8q/yh/84/i+pKDCH4+mm9YW63W
7ehk5l8cjeKTz4P3h+FI3h7vXVxe1+BXr17+0tyJzutHO+1phGM+7Z01r+be
xfHe7Yf9s5P6nvNzb6+8H2w9fm62vffzy/2L3buobm9cTzr122P5VN+4HJ6e
Tgbt7eHlzeVJHTsJ96p3T1a1VnuKg9FgFux67p5nJ9Nxu76xcVg7Km9GZw+t
cSB7R6du9+fRhX35xa/uynh41D30Nk/n2ElwWX+3E/sXrXi/vnXXvPowu96O
Tt24cvvobX3Y3dhNwtutYcvf6J7MmtHo6l232S9/uZtvTfbd2VZ908dO9q2z
Wb394XS3Wz648/ybzd62f5o4d/HJ5dhxjrbGJ5u3N2OrJh/LT5ftVn38YXzo
dCrHs/JN83AXPAdN5+fahnUUXN/0Tjcqp1unAzm6C99/lqPZY+2sHaR7T5tY
OQOtt6VLBWnGBFrb9ZIHQ4GXKrmZYvgLOHZ5oWSh6mZwhO6Kj3XqSgq40iDK
LNkslIao+PpCMQofoOmku95VVSdeXi1LMReYL+QCTRuP0nrSGaoD/s+vFh99
pcXUZruJ1QuC5Gpp6fkVncRUyxi9vYOGOYOXCUFUWWKEOstDPo5UbpTbkKcW
FFx1iFndG6C8em/FUkamS5XSEjpesWhi1hjMVUDLM9JvMrPSzYq0umbuTOD7
LyhVQbngXRuILNOSdwoo+bYbXC4r4rLIGDWHTi5kDwOkx5/0TRDq0C/XKoq5
eztIruklGUXR8uPpYODafMIDCTKDGA3XZ4hTbWDyrSSxIHNSC5dpeU01xO6P
LNdTDSjHMvt5oC2o/JTOILzUP1dzEMcWs9e88DbnzHs8QqvuDFGKgRv1XCfN
QdwB5S9EAuFiXNkBFtorJKlerBRkRxansZYB7TtEt821G3X9SZJC+E73J76V
RS2RRZY9NodPGLVsQHdU3u27Pkuob2FSFZgzi2rVP5mra2rwZD/Sb84en4Da
B9EcKB/xr69IKV5vhYuURbVM6FI9+UnG6mnTQY3XO6GCwfceqwYPtd+6OOAh
KrnOskf7YjmxcPOkHu46pIxE0OFMrAsvvshpqXJt5EVyQ5hjxHRZSYC+iiY2
5RIV5LG5z2PcCt+nfVOmEk7gU8nezsl+Xe+3fwrhIzwOC0mnoAu/QLlje0p3
fvDMy2qclu8SBTjtR9fBK0boyjFWMUPgZYKHeG6Rvty9NOYOoVUX0+iaLC+K
9V2QCoh54T6JfoC7/FdfVCNuR66nlpvzlxm46B1sSt/jwOMTDGL5TqG0mosd
TxnYZek3pqh3GKjD4h7dCKGAIvcr7SCeg4ufqBUQPMChpSmf3JiXTmwrJFGS
5Micg5g2vlgxHTvVp02bud25eDxm4npW5NFOy/QCmZdptbI8V7qf3/K7IIlM
poGHcHXEbHa5fIUrN2lzrFnARzkUTAy9anbWV2w2LIF/QzZn6c148VVFAUpy
Up9LwsnGtNfp0FRreaP2Jxs2oOuMlKsJQmQ2VtO5MKB2fea3J2Xse12kdzNl
rpYg3+iz2yKu5BlKUMk3l+uo7qERixZY2dG6ixJdZIi63ypXHDfKvs6XIajp
0Ts+26/ecwaKzhN4bvieY9OyWNah/WOgqE8fojPASDnPPMtji/S5TOw3ZpsV
mpOMiuzi6XAlOwDmIwmED2JSBVTvXlhYA0O8AK7AjxH3lSgwytTqs9d60abU
5+dV17Vl7YHCqJ3WHdMDEzD6BDUb5Yor+MoG24Ff7MgQuGZAhSrxrpRbLr5n
SUV7VxuJ9O02iyu+DFYidzgkXeVX3FxLHBSpo+XOl4DRBMz1XoH2snRzT5Sn
28pRQ3fBuHy9Bt/mg4t4ZsUnEwZjmTAv8I6LxQO2hcKZvouCiAmnUYhuzHDc
nKJ19PFZPPQOXQG3cteurC/d/UL7JVgRcGjjQNiCwHeHSTFNLrp89QcXf+4X
X99n2JTPPHIQUjmDVOsDRlN0yRIl97yjqg+Yi5eaM27KXPuGH+K1X1TZ10Bz
nQN5yukpKdl/A+g3RFIKVAAA

-->

</rfc>
