<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-schwenkschuster-wimse-trust-domain-discovery-00" category="std" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="WIMSE Trust Domain Discovery">WIMSE Trust Domain Discovery</title>
    <seriesInfo name="Internet-Draft" value="draft-schwenkschuster-wimse-trust-domain-discovery-00"/>
    <author initials="A." surname="Schwenkschuster" fullname="Arndt Schwenkschuster">
      <organization>Defakto Security</organization>
      <address>
        <email>arndts.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Applications and Real-Time</area>
    <workgroup>Workload Identity in Multi System Environments</workgroup>
    <keyword>workload</keyword>
    <keyword>identity</keyword>
    <keyword>trust domain</keyword>
    <keyword>discovery</keyword>
    <abstract>
      <?line 60?>

<t>The WIMSE architecture scopes workload identifiers to a trust domain. To validate a workload identity credential, a relying party must securely obtain the cryptographic trust anchors associated with the credential's trust domain. The WIMSE architecture requires that this mapping between a trust domain and its trust anchors is obtained through a secure mechanism, but leaves that mechanism undefined.</t>
      <t>This document defines such a mechanism for open environments in which no prior trust relationship exists between the relying party and the trust domain. It specifies the WIMSE Trust Bundle, a document that conveys the trust anchors of a trust domain for both JWT-based and X.509-based workload identity credentials, and a discovery mechanism based on a well-known HTTPS endpoint that allows a relying party to resolve a trust domain name to its trust bundle on demand.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-schwenkschuster-wimse-trust-domain-discovery/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Workload Identity in Multi System Environments Working Group mailing list (<eref target="mailto:wimse@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/wimse/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/wimse/"/>.
      </t>
    </note>
  </front>
  <middle>
    <?line 66?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Workload identity credentials, such as the Workload Identity Token (WIT) and the Workload Identity Certificate (WIC) defined in <xref target="WIMSE-CREDS"/>, carry a Workload Identifier <xref target="WIMSE-ID"/> that is scoped to a trust domain. A relying party that receives such a credential can only validate it if it possesses the trust anchors of the issuing trust domain: a set of JWT signing keys for WITs, or a set of certification authority (CA) certificates for WICs.</t>
      <t>The WIMSE architecture <xref target="I-D.ietf-wimse-arch"/> states that a trust domain maps to one or more trust anchors and that this mapping "<bcp14>MUST</bcp14> be obtained through a secure mechanism that ensures the authenticity and integrity of the mapping is fresh and not compromised", while declaring the mechanism itself out of scope. In closed environments this mapping is typically provisioned out of band, for example through static federation configuration or through a local workload API. In open environments, where workloads from previously unknown trust domains present credentials, no such prior provisioning exists. Today a relying party in this situation has no interoperable way to obtain the trust anchors for a trust domain such as <tt>example.com</tt> and therefore cannot validate the credential at all.</t>
      <t>This document closes that gap with two components:</t>
      <ul spacing="normal">
        <li>
          <t>The WIMSE Trust Bundle (<xref target="trust-bundle"/>), a JSON document that conveys the trust anchors of a trust domain for both WIT and WIC validation, together with freshness metadata.</t>
        </li>
        <li>
          <t>A discovery mechanism (<xref target="discovery"/>) that derives, from the trust domain name alone, the location of a Trust Domain Metadata document served from a well-known URI <xref target="RFC8615"/> under the trust domain name. The metadata document in turn references the trust bundle endpoint. This follows the well-established pattern of OpenID Connect Discovery <xref target="OIDC-DISCOVERY"/> and OAuth 2.0 Authorization Server Metadata <xref target="RFC8414"/>.</t>
        </li>
      </ul>
      <t>The mechanism defined in this document authenticates the mapping between a trust domain name and its trust anchors. It deliberately does not establish that the trust domain itself should be trusted; see <xref target="discovery-not-trust"/>.</t>
      <section anchor="relationship-to-existing-mechanisms">
        <name>Relationship to Existing Mechanisms</name>
        <t>The trust bundle defined in this document is conceptually similar to the SPIFFE trust bundle and the SPIFFE bundle endpoint <xref target="SPIFFE-FEDERATION"/>. SPIFFE Federation, however, requires that the bundle endpoint URL, endpoint profile, and trust domain name are configured out of band prior to bundle retrieval. This document removes that requirement by making the location of the trust domain's metadata derivable from the trust domain name itself. Deployments already operating a SPIFFE bundle endpoint can expose the same key material through the mechanism defined here.</t>
        <t>Existing provisioning mechanisms remain valid and take precedence over discovery; see <xref target="precedence"/>.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>All terminology in this document follows <xref target="I-D.ietf-wimse-arch"/> and <xref target="WIMSE-ID"/>.</t>
      <dl>
        <dt>Relying Party:</dt>
        <dd>
          <t>An entity that receives a workload identity credential and needs to validate it. This corresponds to the Consumer role in <xref target="WIMSE-ID"/>.</t>
        </dd>
        <dt>Discoverable Trust Domain:</dt>
        <dd>
          <t>A trust domain that participates in the discovery mechanism defined in this document.</t>
        </dd>
      </dl>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="requirements">
      <name>Requirements on Discoverable Trust Domains</name>
      <t><xref target="WIMSE-ID"/> states that a trust domain <bcp14>SHOULD</bcp14> be a fully qualified domain name (FQDN) belonging to the organization defining the trust domain. This document strengthens that requirement for participation in discovery:</t>
      <ul spacing="normal">
        <li>
          <t>A Discoverable Trust Domain <bcp14>MUST</bcp14> be a fully qualified DNS name.</t>
        </li>
        <li>
          <t>The DNS name <bcp14>MUST</bcp14> be under the administrative control of the trust domain owner, and the owner <bcp14>MUST</bcp14> be able to serve HTTPS content for that exact name.</t>
        </li>
      </ul>
      <t>Trust domains that do not meet these requirements (for example, names that are not registered in the public DNS) are simply not discoverable and <bcp14>MUST</bcp14> rely on out-of-band provisioning of their trust anchors. This document does not change the requirements of <xref target="WIMSE-ID"/> for such trust domains.</t>
      <t>Note that these requirements are largely self-enforcing: an entity that does not control the DNS name of a trust domain cannot serve the corresponding well-known resource, and discovery for that trust domain will either fail or return material published by the legitimate name owner.</t>
      <t>Discovery operates on the exact trust domain name only. A relying party <bcp14>MUST NOT</bcp14> fall back to a parent domain if discovery for the trust domain name fails. For example, discovery for the trust domain <tt>prod.example.com</tt> is performed against <tt>prod.example.com</tt> only, never against <tt>example.com</tt>. This prevents a parent zone or parent host operator from implicitly answering for trust domains it does not operate.</t>
    </section>
    <section anchor="trust-bundle">
      <name>The WIMSE Trust Bundle</name>
      <t>A WIMSE Trust Bundle conveys the trust anchors of a single trust domain. It is a JSON document based on the JWK Set format <xref target="RFC7517"/> with additional top-level members for freshness. The media type of a trust bundle is <tt>application/wimse-trust-bundle+json</tt>.</t>
      <t>A trust bundle contains the following top-level members:</t>
      <ul spacing="normal">
        <li>
          <t><tt>keys</tt>: <bcp14>REQUIRED</bcp14>. A JWK Set <tt>keys</tt> array as defined in <xref section="5.1" sectionFormat="of" target="RFC7517"/>. The interpretation of each JWK is determined by its <tt>use</tt> member as defined below.</t>
        </li>
        <li>
          <t><tt>refresh_hint</tt>: <bcp14>OPTIONAL</bcp14>. A JSON number indicating, in seconds, how often a consumer <bcp14>SHOULD</bcp14> re-fetch the bundle. See <xref target="freshness"/>.</t>
        </li>
        <li>
          <t><tt>sequence_number</tt>: <bcp14>OPTIONAL</bcp14>. A strictly monotonically increasing JSON integer, incremented whenever the contents of the bundle change. Consumers use this value to compare the recency of two bundles.</t>
        </li>
      </ul>
      <section anchor="bundle-entries">
        <name>Bundle Entries</name>
        <t>Each element of the <tt>keys</tt> array is a JWK <xref target="RFC7517"/> and <bcp14>MUST</bcp14> contain a <tt>use</tt> member with one of the following values:</t>
        <ul spacing="normal">
          <li>
            <t><tt>wimse-jwt</tt>: The entry carries a public key used to verify the signature of JWT-based workload identity credentials (such as the WIT defined in <xref target="WIMSE-CREDS"/>) issued by this trust domain. The key type and parameters follow <xref target="RFC7517"/> and <xref target="RFC7518"/>. Entries with this use value <bcp14>SHOULD</bcp14> contain a <tt>kid</tt> member to support key selection during rotation.</t>
          </li>
          <li>
            <t><tt>wimse-x509</tt>: The entry carries a CA certificate used as a trust anchor for validating X.509-based workload identity credentials (such as the WIC defined in <xref target="WIMSE-CREDS"/>) issued by this trust domain. The entry <bcp14>MUST</bcp14> contain an <tt>x5c</tt> member whose value contains exactly one base64-encoded DER certificate. The certificate <bcp14>SHOULD</bcp14> be self-signed. The JWK key parameters <bcp14>MUST</bcp14> represent the public key of that certificate.</t>
          </li>
        </ul>
        <t>Consumers <bcp14>MUST</bcp14> ignore entries with an unrecognized <tt>use</tt> value. A trust domain that issues only one credential type publishes only the corresponding entries.</t>
      </section>
      <section anchor="freshness">
        <name>Freshness and Rotation</name>
        <t>Trust bundle contents change over time as trust domains rotate their keys. Publishers <bcp14>MUST</bcp14> publish new keys in the bundle before using them to issue credentials, and <bcp14>SHOULD</bcp14> do so sufficiently in advance that consumers refreshing at the <tt>refresh_hint</tt> interval obtain the new keys before they are needed.</t>
        <t>Consumers <bcp14>SHOULD</bcp14> re-fetch the bundle at the interval indicated by <tt>refresh_hint</tt>, or at a locally configured default interval if the hint is absent. Consumers <bcp14>MUST NOT</bcp14> accept a newly fetched bundle whose <tt>sequence_number</tt> is lower than that of the currently cached bundle for the same trust domain.</t>
        <t>Removal of a key from the bundle indicates that the key is no longer a valid trust anchor. Consumers <bcp14>MUST</bcp14> stop using removed keys after refresh. The refresh interval therefore bounds the time during which a compromised and subsequently removed key is still accepted; see <xref target="sec-revocation"/>.</t>
      </section>
    </section>
    <section anchor="discovery">
      <name>Trust Domain Discovery</name>
      <section anchor="metadata">
        <name>Trust Domain Metadata</name>
        <t>A Discoverable Trust Domain publishes a Trust Domain Metadata document. The media type of this document is <tt>application/wimse-trust-domain-metadata+json</tt>. It is a JSON object with the following members:</t>
        <ul spacing="normal">
          <li>
            <t><tt>trust_domain</tt>: <bcp14>REQUIRED</bcp14>. The trust domain name this metadata describes.</t>
          </li>
          <li>
            <t><tt>trust_bundle_endpoint</tt>: <bcp14>REQUIRED</bcp14>. An HTTPS URL from which the current WIMSE Trust Bundle (<xref target="trust-bundle"/>) of this trust domain can be retrieved.</t>
          </li>
        </ul>
        <t>Additional members <bcp14>MAY</bcp14> be present and <bcp14>MUST</bcp14> be ignored if not understood. Future specifications may register additional metadata members, for example to describe supported credential types or federation policy.</t>
        <t>The <tt>trust_bundle_endpoint</tt> URL is not required to share an origin with the trust domain name. Its authority derives from the authenticated metadata document that references it, analogous to the <tt>jwks_uri</tt> member of <xref target="RFC8414"/>. This permits serving the bundle from shared infrastructure such as a content delivery network.</t>
      </section>
      <section anchor="well-known">
        <name>Well-Known URI</name>
        <t>The Trust Domain Metadata document is retrieved from the following URL, constructed from the trust domain name:</t>
        <artwork><![CDATA[
https://<trust-domain>/.well-known/wimse-trust-domain
]]></artwork>
        <t>For example, for the trust domain <tt>prod.example.com</tt> the metadata URL is:</t>
        <artwork><![CDATA[
https://prod.example.com/.well-known/wimse-trust-domain
]]></artwork>
        <t>The path suffix <tt>wimse-trust-domain</tt> is registered in the "Well-Known URIs" registry; see <xref target="iana-well-known"/>.</t>
      </section>
      <section anchor="procedure">
        <name>Discovery Procedure</name>
        <t>To discover the trust anchors of a trust domain, a relying party performs the following steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that the trust domain name is a syntactically valid fully qualified DNS name. If it is not, discovery fails.</t>
          </li>
          <li>
            <t>Construct the metadata URL as defined in <xref target="well-known"/> and retrieve it with an HTTP GET request <xref target="RFC9110"/> over TLS. The TLS server certificate <bcp14>MUST</bcp14> be validated according to <xref target="RFC9525"/> against the trust domain name, using the relying party's Web PKI trust store. The request <bcp14>MUST NOT</bcp14> require client authentication.</t>
          </li>
          <li>
            <t>Parse the response as a Trust Domain Metadata document (<xref target="metadata"/>). The relying party <bcp14>MUST</bcp14> verify that the <tt>trust_domain</tt> member is byte-wise identical to the trust domain name for which discovery was initiated. If it is not, discovery fails. This check prevents mix-up attacks in which a document intended for one trust domain is served for another.</t>
          </li>
          <li>
            <t>Retrieve the trust bundle from the <tt>trust_bundle_endpoint</tt> URL with an HTTP GET request over TLS. The TLS server certificate <bcp14>MUST</bcp14> be validated according to <xref target="RFC9525"/> against the host component of the <tt>trust_bundle_endpoint</tt> URL, using the relying party's Web PKI trust store.</t>
          </li>
          <li>
            <t>Parse the response as a WIMSE Trust Bundle (<xref target="trust-bundle"/>) and associate its contents with the trust domain name from step 1 as that trust domain's trust anchors, subject to the precedence rules of <xref target="precedence"/> and local policy (<xref target="discovery-not-trust"/>).</t>
          </li>
        </ol>
        <t>Servers <bcp14>MAY</bcp14> respond with HTTP redirects at either step; clients following redirects <bcp14>MUST</bcp14> apply the respective TLS validation rules of the step to every URL in the redirect chain, and all URLs in the chain <bcp14>MUST</bcp14> use the <tt>https</tt> scheme.</t>
        <t>If any step fails, discovery for the trust domain fails and the relying party <bcp14>MUST NOT</bcp14> use partially retrieved material. A discovery failure is indistinguishable from the trust domain not participating in discovery; in either case, credentials from that trust domain cannot be validated through this mechanism and are handled according to local policy (for example, validated against out-of-band configured anchors, or rejected).</t>
      </section>
      <section anchor="precedence">
        <name>Precedence of Locally Provisioned Trust</name>
        <t>Deployments frequently provision trust anchors through existing mechanisms, such as a local workload API, static federation configuration, or the mechanisms described in <xref target="WIMSE-CREDS"/>. These mechanisms take precedence over discovery:</t>
        <ul spacing="normal">
          <li>
            <t>If a relying party has trust anchors for a trust domain provisioned through a local mechanism, it <bcp14>MUST</bcp14> use those anchors and <bcp14>MUST NOT</bcp14> perform discovery for that trust domain.</t>
          </li>
          <li>
            <t>Discovered trust anchors <bcp14>MUST NOT</bcp14> override, replace, or be merged with locally provisioned trust anchors for the same trust domain.</t>
          </li>
          <li>
            <t>If an implementation nevertheless finds itself holding both locally provisioned and discovered material for the same trust domain, this condition <bcp14>SHOULD</bcp14> be surfaced as an operational error.</t>
          </li>
        </ul>
        <t>This rule ensures that a workload operating inside a trust domain, whose trust anchors are delivered through a local channel, never resolves its own or a locally federated trust domain through the public mechanism defined here, even if discovery is enabled by default. Implementations <bcp14>MAY</bcp14> enable discovery by default; the precedence rule bounds the effect of misconfiguration to trust domains for which no local trust exists.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="discovery-not-trust">
        <name>Discovery Is Not Trust</name>
        <t>Successful discovery proves that the retrieved trust anchors were published by the entity controlling the trust domain's DNS name and its Web PKI identity. It does not establish that credentials from that trust domain should be accepted for any purpose. The decision whether to trust a given trust domain, and for what, is an authorization decision of the relying party and is out of scope for this document. Deployments may implement this decision through allowlists, trust-on-first-use with key continuity, gradual trust establishment, or any other local policy.</t>
        <t>Relying parties <bcp14>MUST NOT</bcp14> treat the mere existence of a discoverable trust bundle as authorization to accept credentials from that trust domain.</t>
        <t>Conversely, an attacker that mints credentials carrying a trust domain name it does not control gains nothing from this mechanism: discovery for that name either fails or returns the legitimate owner's trust anchors, under which the forged credentials do not verify.</t>
      </section>
      <section anchor="sec-webpki">
        <name>Reliance on DNS and the Web PKI</name>
        <t>This mechanism anchors the trust domain to trust anchor mapping in the DNS and the Web PKI. An attacker that can obtain a fraudulently issued Web PKI certificate for the trust domain name, or that gains control of the DNS name (for example through registrar compromise or domain expiry and re-registration), can publish attacker-controlled trust anchors and thereby impersonate every workload in the trust domain towards relying parties that bootstrap trust through discovery.</t>
        <t>This trade-off is inherent to the design and identical to that accepted by OpenID Connect Discovery. Publishers <bcp14>SHOULD</bcp14> employ standard mitigations, including CAA records, Certificate Transparency monitoring, DNSSEC <xref target="RFC9364"/> for their zones, and registrar security controls. Deployments with stronger requirements can restrict discovery to specific trust domains, pin discovered material, or continue to use out-of-band provisioning, which always takes precedence (<xref target="precedence"/>).</t>
        <t>After first discovery, consumers retain the cached bundle and its <tt>sequence_number</tt>. Implementations <bcp14>MAY</bcp14> apply key-continuity policies across refreshes, for example flagging bundle replacements that discard all previously seen keys, to reduce the impact of a temporary compromise of the discovery channel.</t>
      </section>
      <section anchor="sec-revocation">
        <name>Revocation and Compromise Recovery</name>
        <t>This mechanism has no online revocation protocol. The removal of a compromised key from the published bundle propagates to relying parties only upon refresh. The effective revocation latency is therefore the consumers' refresh interval. Publishers <bcp14>SHOULD</bcp14> choose a <tt>refresh_hint</tt> that reflects their tolerance for this latency, and consumers <bcp14>SHOULD</bcp14> honor it. Trust domains <bcp14>SHOULD</bcp14> additionally keep the lifetime of issued credentials short, as recommended in <xref target="WIMSE-CREDS"/>, so that both the credential lifetime and the bundle refresh interval bound the exposure after a compromise.</t>
      </section>
      <section anchor="trust-domain-name-handling">
        <name>Trust Domain Name Handling</name>
        <t>The trust domain name used for discovery is taken from an unauthenticated position, namely the authority component of the workload identifier in a not-yet-validated credential. Implementations <bcp14>MUST</bcp14> treat it as untrusted input: it <bcp14>MUST</bcp14> be parsed with a standards-compliant URI parser as required by <xref target="WIMSE-ID"/>, and <bcp14>MUST</bcp14> be validated as a DNS name before any network request is made. Implementations <bcp14>MUST NOT</bcp14> perform discovery for trust domains represented by IP addresses.</t>
      </section>
      <section anchor="denial-of-service">
        <name>Denial of Service</name>
        <t>Because discovery is triggered by inbound credentials, an attacker can present credentials with arbitrary trust domain names to induce outbound requests. Implementations <bcp14>SHOULD</bcp14> rate-limit discovery attempts, cache negative results, and bound concurrent discovery operations.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Performing discovery reveals to the network, to DNS resolvers, and to the operators of the contacted endpoints that the relying party is processing credentials of the queried trust domain. Deployments for which this metadata is sensitive can pre-fetch and cache bundles for expected peer trust domains, use encrypted DNS transports, or restrict discovery to an allowlist.</t>
      <t>Publishing a trust bundle reveals the existence of the trust domain and its current trust anchor material. Publishers should not include information in bundle or metadata documents beyond what is required for validation.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="iana-well-known">
        <name>Well-Known URI Registration</name>
        <t>IANA is requested to register the following entry in the "Well-Known URIs" registry <xref target="IANA.WELL.KNOWN"/>:</t>
        <ul spacing="normal">
          <li>
            <t>URI Suffix: wimse-trust-domain</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Specification Document: RFC XXX, <xref target="well-known"/></t>
          </li>
          <li>
            <t>Status: permanent</t>
          </li>
        </ul>
      </section>
      <section anchor="media-type-registration">
        <name>Media Type Registration</name>
        <t>IANA is requested to register the following entries in the "Media Types" registry <xref target="IANA.MEDIA.TYPES"/>:</t>
        <ul spacing="normal">
          <li>
            <t>application/wimse-trust-domain-metadata+json, per <xref target="metadata"/>.</t>
          </li>
          <li>
            <t>application/wimse-trust-bundle+json, per <xref target="trust-bundle"/>.</t>
          </li>
        </ul>
        <t>Registration templates to be completed in a future revision of this document.</t>
      </section>
      <section anchor="json-web-key-use-values">
        <name>JSON Web Key Use Values</name>
        <t>IANA is requested to register the values <tt>wimse-jwt</tt> and <tt>wimse-x509</tt> in the "JSON Web Key Use" registry established by <xref target="RFC7517"/>, per <xref target="trust-bundle"/>.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC7517">
          <front>
            <title>JSON Web Key (JWK)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7517"/>
          <seriesInfo name="DOI" value="10.17487/RFC7517"/>
        </reference>
        <reference anchor="RFC7518">
          <front>
            <title>JSON Web Algorithms (JWA)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7518"/>
          <seriesInfo name="DOI" value="10.17487/RFC7518"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="WIMSE-CREDS">
          <front>
            <title>WIMSE Workload Credentials</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones up to complex multi-service, multi-cloud, multi-
   tenant deployments.

   This document defines the credentials that workloads use to represent
   their identity.  They can be used in various protocols to
   authenticate workloads to each other.  To use these credentials,
   workloads must provide proof of possession of the associated private
   key material, which is covered in other documents.  This document
   focuses on the credentials alone, independent of the proof-of-
   possession mechanism.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-02"/>
        </reference>
        <reference anchor="WIMSE-ID">
          <front>
            <title>Workload Identifier</title>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document defines a canonical identifier for workloads, referred
   to as the Workload Identifier.  A Workload Identifier is a URI that
   uniquely identifies a workload within the context of a specific trust
   domain.  This identifier can be embedded in digital credentials,
   including X.509 certificates and security tokens, to support
   authentication, authorization, and policy enforcement across diverse
   systems.  The Workload Identifier format ensures interoperability,
   facilitates secure identity federation, and enables consistent
   identity semantics.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-identifier-02"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC9364">
          <front>
            <title>DNS Security Extensions (DNSSEC)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="237"/>
          <seriesInfo name="RFC" value="9364"/>
          <seriesInfo name="DOI" value="10.17487/RFC9364"/>
        </reference>
        <reference anchor="IANA.MEDIA.TYPES" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.WELL.KNOWN" target="https://www.iana.org/assignments/well-known-uris">
          <front>
            <title>Well-Known URIs</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="SPIFFE-FEDERATION" target="https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Federation.md">
          <front>
            <title>The SPIFFE Federation Standard</title>
            <author>
              <organization>CNCF SPIFFE Project</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OIDC-DISCOVERY" target="https://openid.net/specs/openid-connect-discovery-1_0.html">
          <front>
            <title>OpenID Connect Discovery 1.0</title>
            <author>
              <organization>OpenID Foundation</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.ietf-wimse-arch">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The increasing prevalence of cloud computing and micro service
   architectures has led to the rise of complex software functions being
   built and deployed as workloads, where a workload is defined as
   software executing for a specific purpose, potentially comprising one
   or more running instances.  This document discusses an architecture
   for designing and standardizing protocols and payloads for conveying
   workload identity and security context information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
      </references>
    </references>
    <?line 282?>

<section anchor="document-history">
      <name>Document History</name>
      <t><cref>RFC Editor: please remove before publication.</cref></t>
      <section anchor="draft-schwenkschuster-wimse-trust-domain-discovery-00">
        <name>draft-schwenkschuster-wimse-trust-domain-discovery-00</name>
        <ul spacing="normal">
          <li>
            <t>Initial version.</t>
          </li>
          <li>
            <t>Define the WIMSE Trust Bundle format (JWK Set with <tt>wimse-jwt</tt> and <tt>wimse-x509</tt> use values, refresh hint, sequence number).</t>
          </li>
          <li>
            <t>Define discovery through a Trust Domain Metadata document at the <tt>/.well-known/wimse-trust-domain</tt> URI, referencing the trust bundle endpoint.</t>
          </li>
          <li>
            <t>Require Discoverable Trust Domains to be DNS names under the owner's control; exact-match resolution only.</t>
          </li>
          <li>
            <t>Normative precedence of locally provisioned trust anchors over discovered ones.</t>
          </li>
          <li>
            <t>Security considerations: discovery is not trust, Web PKI/DNS reliance, revocation latency, untrusted input handling, denial of service.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TBD.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7Vc63bbRpL+z6fAyj9iZ0jKSuxclExmGEmeaGLLGkmO492z
xwKBJokIBDhoQDSjo3mWfZZ9sq2vqrvRDZCWZ3Y3JyehwEZ3dXVdvro0R6PR
oM7qXB1Ge29PX12eRFdVo+vouFzGWREdZzopb1W12RvE02mlbh8clsS1mpfV
5jDSdToYpGVSxEuaPa3iWT3SyWKtihv6H72tqtE6W2o1qjHXKOW5Rqmda/T0
6UA302WmdVYW9WZFs5yeXL0YFM1yqqrDQUpLHQ6SstCq0I0+jGZxrtWAaPxy
EFcqJlonq1WeEUk0gY7iIo0uVJyPrrKl2husy+pmXpXNCnuiz3kZp9Fpqgri
xyaiXb1q8jqLLjdE6TI6KW6zqiyW9LXeG9yoDb2eHg6iUbQ27+JzZl7HZ95V
JLvC325jg1tVNER5FP2ry0eRsINfzIp59BdMhOe0WE7Pma9/zlQ9G5fVHF/E
VbKgLxZ1vdKH+/sYh0fZrRrbYft4sD+tyrVW+zzD/t5gEDf1oqywU5olIsKI
0ZNxdBmeJH83a/JcTntvUhVp3R20x6NopbjIfudDOYyO1Sy+qcvoUiVNxZyj
f5RsI8Ykmun78xyPxkm5DAh5N44uSk0svlmU/FSWfxdXpc7j286XZtpNZZ/+
+XedxLmqZF6h7TD6d3k4GBRltSQyb/msLl4cff384Ov24zfm4zdfHTw3H789
OHhqPz7/gp4OsmLWmeSbZwfP7Jgvv+KPp5OzyfjVyfHpZHz17vzk8lCeLFWa
xSOctLaD3p68fDn++ez12zMzZq3yfHRTlOtiROzDuMvz0xcvTkYvTo5PLiZX
p6/PDnlnRsmvFsqMiF6oVFV8CtFlTboRV6mMjKu5qg8jKyrzrF40U7BoX6+y
2UzZ/03zcgpBKva1eV/vy9zv27nHS5nViVHk+Hx0dvTCEnNelb+ppKavX58e
H42OTy+PXv9ycvEuIP71ShWnx9FRWRQ0trU60cH46VbSS3ohS8eFqolmlWjz
YJTIDJ6tOXj/dLyol/kuWs3SL8qGNop9DQaj0SiKp7quYqJ7AMaKZWS1qmn6
plIRzU/H52yEMRCzTFU6IqmPAysxjq7K6DbOM1g2+q7zFpmFpFL8Mc6H9H2l
8g20fxVX9N0SE2moET2OymkNy1wTWUm1WdXlvIpXiywxC8ZFQlskm6h1mWS0
XBqt6ZzNeLvIZ7pL3/ZdVurvTVbRPutFXNN/Mk2GaLUCbVNVr5UqOjtlW5zV
ukMNvSd0Ezn1gmzafEEvyp6ipUoWZDj0chhNmzrKVXxrV3RfRXQ8aob3xzgS
mo8cUAOrGclzHekmwaTtK6SgEeQiUp6NhQFeE7sWUVFGqyqjMUIqMVfcySJb
RepDpmms3SOYF54JtomnIRdP6ZxIHCEGmr/2XeqPtIVc4Xgd6bxHktlbtdHe
dJZr5azLXWxpWtJx/vXt1Wgaa2InKPl1/Pzpt+bvj8mWHvLwuHVZHrvk9RIn
2hqf6Kerq/NL4mC6KjNLcZzn5Ep6ckpiT6JS5reqSzaMN75uBWPKzMBqKRnv
AqcKtVtmKT0eDB5Fp0VdlWmTiEq+/fim5OgNy3su96q8oTN8/Pb06ok7t/6o
I1VBfwFzMPboiRGsFBJzd/dvfJSjo4uT48s/no6O2XkZmGNZPgJR+v5+GCVx
RbyNu8vAPLRznR53J2qNyP29sJoEnS1Nus2oTLoHgDcqlajsttWHllFEVUEc
JxviTFFGK8zw31WptcK/28UQDwmuNVjLp+GQtbjGEJLISGfzAkNuIM+QVeI5
HQ99cMMSx2b4JzHIYP/jo8kT70tl3z/S4502+O7uTx0G4mtiHbmt2pqQjiiS
+WIDXRYKdC3LqrtdEZGuudt79ebyigzCp9gxeR3YtTIMxT5xCElmbAfpkprz
xg137Tq05IzeWvCoooR5WK6qksCySveGMF2kNqlKCOTxYSz8dUm/VD6LyoZZ
zYJDRqmIkryEbgd2MNgdfSQ4QozPSTpoudsM0BzmQKaaEjVDPhH1IV6uiAS7
e7CanM+sxRxkz2bZvDF/wb46RuUlrdBaqMn5KZPXM9LYpyKO2pHgSbkkwtRt
VjaaaGwKMU/+2WoM0LCrgXEgO8+qIMbebQ7bFjMP75zGm549Yy8LBczqRjaz
IBtD0+HwKiK6iqfEiXXMps/zy6E8zVj8AyG09uracBMY7NrapkrNIJSkrDh+
p6qhA4/EDPecIZ+0kfx5vDK+f12yGNGJEnMJvH7u+XvfOUWP7+4kZhP7fH//
BP7qr5evz/4vnBZZA94kabXdF3F1SNwjcEcbF2pZ/Mmhk3SqOqYx8RgUT7Y6
LSLYPSZqhTgSRVjAoUhN102LN4pz4saQv4RUiqyC9CD+fWUoaHevVXVLesEz
B47yzcUpGSQTNpANAmCpti8ucGvZmxvi01QFieGMpKBIAmtsPKb1xJgDtqIU
X4xxTIwihZzmmV4Qkau4JkHlfe1E2Hd3IS4nynFErydksaIvxk+jiZjo301A
ge1XLV9kxxT53N8bO92ejec/60BInTU0Vlo9BCrlxLYhS8ZcqcqzKcwP8HFa
Ks2G03HCWvPOSRhjqRdlk6ew7PytSr+jM4ZvaWMImk1SGbzJR4+iCx8rku6f
wI6A/ld281qYERzdTn7QZ9KnRK3IzsAA62yJIB4z121YF8xlcYz5riMcRH0v
WiTa+wHiMFqUa0WbHPagvupN+ubi5bD9iwzpLGM8C1L6pwUTZjxB6Ecs6i7t
ApWqq0yRQTAy7fhSqWXpQgFDH38xJRMQ31j/5+tv95Q/056ewSywyf6IXRCp
GEfHapWXG3GVcV6pON1EbPL5nONdjAfEUh8ITYnB1piS0BCRS5oIu22dYb1V
VWD9ScScPAXeyg3X4AwoZiMqBxDfKLi/BA4iIZQCLXUSbEW6HSCSDHtwC020
WbRj0JHx34PBJCdyVbXMijIv55u+3FrjsxOHYcq7O4t2ec0L42LP4WIPB4fR
BK6fEXgIXz8eJQs8UgS3IUgenjUylJQVyTJ5PBkAbtNeNdFdRVVJJ8agPqDM
2kSWEN8LMJWhqDCpQAmE6FZsxYzr3+ajdum9MZgQD+QctWBMAnmCNc9e8+eL
k7+9OaWoA58vf5q8fOk+DMyIy59ev3l53H5q3zx6/erVydmxvExPo+DRYO/V
5N2eKPDe63MYicnLvS3muuLgbaoE+JAQIasQ60GqdFKR5eWt/Xh0/t//dfAM
4Q25hC8ODr4lAZA/vjn4mvwDMF0hq3EQIn8S0zYDsv6K7B3SBznClFVWS7Cq
YZ7JuRq9+Pw/wJn/PIy+nyarg2c/mAfYcPDQ8ix4yDzrP+m9LEzc8mjLMo6b
wfMOp0N6J++Cvy3fvYff/ykneYlGB9/86YcBtPSiNX0aIfNOSSVVfOTZSX0/
GPhC/rG4yGxxitgd6d5N9HdyRohF08A+Pn7xt+OzJzSO8NOcLbBol5/8FYm3
5rmbaPJFS9eEc+ZAA1usPHBjq2OYl4hwCnYooHAnLyIbsPX3c3x2KTjMImH7
wL3Tgrc4JfuXIRmIVC9cWk32Y5uriUhQ4Uita+Y/WypAH/GK8aPJqmAyu1EJ
GT/EBM4MaVdBaCPAtmRks1SKPbRWPr909NgL0IY8jT1r0mC8WKl5hny9NUbk
MhqCSAkY8IRHEfRYEa8wOPU5i03xViQHWcChj8rZyDh0z0sJZ7Kqi9M6STuL
0mAk58pk2HwxnwX2mXnEYVMQ8RGbzkoOjuKtHMGWcuSOgarIr48U0vYJ0XkY
xaHjaSkyR1z7gtGPakx8JufJwZlzOWCDFxkgKdZUiYFKrYdwxx7Mu87IBKqM
46FZnOWIoMniIi5wIIJPjSH+dCMQiA62zvC9IRey5/k0i10U2w+8IaLWxz8w
zf3MkrWyqMTlhOKSG8lH0bdymoKoZ73dbYNY2BUJxAtfWB9475pELB0H0TJJ
E20JRRg4ozmkod42DhsiZQDIbYf5I4xoIrkgMmN39bvJEZk/FyW9KWykhwwh
oSzI6eRI6ui14pTMzKWUre5mnnSZc2D0tSMIv3sUxOAExLaNeiAC10RKviU/
neleQO8Sv5jqr29/piCPbRKJk8R3KI/BfyM6j9OU8SGgbLka5cS0nAwSCreS
6nDhu41y0yzmqqavQwY2EzHXcVvJ3ferxjLkD7/psrgegwfBm1BSYxeVwaHi
jDoksZe4Rj7y+jCysADybfcp35GhqJAB0mHS91Jx/jl6Pj4A9Y4VsjWHhlz0
oeJkwTPD1CnBzqKkCFyvG62uDWH+UvCla/ZF1xT5g33vFzQ3EWzBAROMM5MK
Oa2cMsuK+RCEapUA6HIwR2TUHEAnFu4az16p0UzVycIL7Sgg5LDAHRnjYCJD
kw1FlPBe1utQQs4wSyDzy5Ikmqy+pA2zguB5DLkTWjnFCYfIX0DSUJ0gV8+q
KBaT/Z/LMNuzZZcwdoBdRw2HU8RUAvoNu1GksxiXst9IiFjJpK5tVKklUjfK
clIgxKSY5gQnpHIBGGbZQAREP+gIfcl33s+IHQ0JDpM1g63FrCOQTLCRQpHu
39Y4WcgPkUD2DqWCjOMd44sRDzRaMv7EqWwmJh659ZjT3pJs/5RyT/Q4qIyc
XoXi7ZU0kDtDgt+6lGxbgRCUsSaz048rMua1qD222+OY/fsbKIw5AVuMzORQ
5TyNhHrMvclSx1yApma1KquaCSA3brQybdjeVqUo4Nhj8ofnT7/dweWjiV9m
EE7H2lkmMaJsyWyKktb45AJbl+NH/zuOC/Gh6JE3/PA8aWVvUTpGOqvI3p2B
mmLz/tUzQj5JmQL8nlz4DJB1fI60kQAjJsidSmUY9AJn4J29AYU28+5hSgxk
fUC62FtwMGgVm9+mBZDwVr6E0C6bghS7nFNQQVSLuvEux1uDcWallsgSu/ZS
BSyyFjKZIX3AZpYXs/HC5aC5t8hIGHnm1lRagO45JLZlBtByAoYgmWJZCOAA
C6wyKBm2ZxydG+osSwy1BFvWUkwzcN0sNpUSQaNNjLXk4io40C/2muOk0EFD
kWZ0ChkNYINN3vw2RrrI5vTNsRg3xJkuOdPQM4nro9Pwqx6OVkMdInuJPBSR
lAbnvtsn2QXdCsbXiZqEZEhlsbaFJdqSl3EkvYubvPYmEtuMN9nKTyGwvpdx
IDdOkIulaWlLNCmTiPWFQFG4no/EnGQF2bXFRiiNO0iaqhKWJ7E/k4W6nCUM
lB95smXJDAZogiq5nKXFToYvXsIWwzKuUCE4B8gwGULftPV2rAk0GVGShGsq
xxgTkKisKIj+mz9anrblqikaaAwahdQb4yytFrFfxWSp1M1UGAiueMtywbtG
CCSH0KbjCeSMCKKbXK/JX25vViQ9bYtCrM/bizp3j2xumEH27lRCazweqg9t
A729ZP9OzGs6JS1VBvyGsL2cop+qbeppsUYAeXnC9zJhAH3bskTQnMHV4DZT
Lok9PfbmErl7b1PdIZ62jSJvLl6KpMrBe9L/aeVGx69urA1/ZAoFbEsmbRxi
o49Xk3cYZV2RA21IXLKLSWEDEIRxeofknmLF6EUj/VzSt2NbSpfxxmVL/JjH
scgs2imKl451FrPQoh1XpGG1vHr5qiRZ2Jhk8A5eM18zbZI4nOBgfKgXMLBo
66iyOScPjFRsqTmeIrZ1/RamRtqaFb8ol24pTpr0nKtMZjX8S5yX87JxOfbr
39Y3+j2pvoMnnMdpa4Qm1kZkROQgeWLThNYmgh7eFiDTrIop2mhMy51BVrFL
nKHwxwpfqBqwTJz3W6Refm6Lso/aXMy9cPmBGm+mW1FrGdQqGhfC4C2ZNH9M
j+2kjP/4xz8Gtm/xe1/Pf9j3ujy32AF+cxCkST41OVL79WWRnQ4l3Xc+iRbw
bhWTiDGO+GDRtj/wWrjXzTPuhYei98yYtjaVkTCNvJMypdbWqJ9XZaJS7vt5
tLKfcaClyx59SjtCv7/SpJG6uQTawApcOxhHv9gwbFsdWcqGEEu9Ifid1CYe
Fte7M/ccnXLjlSh1kADj9Nhg8IV4apax/oF2UxU+59j0WQnGIhZSw0ZHfzm5
YhuitEnvoLmZXmIGXr28FBdBHyS3WQXBgTWotuKWwk+XVWoqATLf8y/QAGGT
bVsZNmzBa3gan2nS32l0/vOpeYnMdKUs/BCqHVAzpjBK8qzTVyDx4Jdj1Bm1
TRMA62slJuQBE0CeyWGD+yd2+V5K9LYjGKHbtTaQzni6qdVoTfDHRI0J5892
JUjLyvjPVirWMYIAckNg+kPCY2qgC5XctHnNZfZh1KwIL5OM3nh9sEEDCplV
BIncOlt0Gya0634B7qaVF5xkfjaOLqyw9fpVnGn8mGfbKZ//nzLJ+VzXFuWS
QbvJ/GdldjB4vlv+Pg0Ncbeu7eTmJKKLM3e7euNDyXxFB5KJ6NQYPus00aCB
VlClEUmvkaBqcmWqMX73AFMm7XyCX4JOLL9j5gnxQbqGBKGZkFvo5wMnN0FK
nACe1LbyAeq/M3qtPaPcjuVTB5DeOO4iL3QrYtK2l7U74FALXKFdKtYW9oy2
vVsmRvyemTI1ah00xEXf/JUs3JhDvWZ/eh1pUjau2pFixsVG1mFlfLC2waNc
1XBH3QXrcS2UXUuLTmxJaBz0x2FKOMpMc5jIvSQNBTAfa34p/YYG7gkt/AYS
+sscTRJrMt9+zsvM2K1kmQpZoJlt+wvHG7ZFgrlNBNOfJPkdBQ7FLKhxeipv
NNuvS3rZACfpXE2DrKv0iSCMc69rZha9NJmEc68JVrQUqMMpwGDgNwjNKhfL
ulpoB4fYjSvb2tN28ww9ZNvvkB0+1GI7jIxUef1BQWdGJ+3ItlQHwz/ePcQB
JeS6I5yLuGNHtrW6+s3E3UZg7+JHVvt6hQSL347t1MBAtYeKqBy2WuSo0g6V
bjZ8W5E/RvPbKo9RoUWrKlhTze3FGZtaCjbS2/WuNI4wruBKIRcd5AC5BkLv
5EgxEopLtW1HXJQ5yz03zG5b268hewZgNxVDUTaUiDLp4WwTvE01o21LAryw
/W0c6BJnysq2F8OEev3snHJzMtp2xZECEjd7eFsSZp0m+0rZ6G2LYEAsCpXb
sq25VcI8QmlbLhRY5hi9UJ0uRL/RzmSkt/fbDeEMOsVr2rMqYC0562hSiYS6
glMUfybjvHfbF77b5kz9TJmazeByyOws8brfNw9PHGSNW1BYWJMoA0wTO9Jh
9q4lBw6ZNRe6E0id6uiM7LK1atu8NrnsJqEoX1P44m0NcugnHFs/FJ7uGs37
vSYFWy2R/op8W38QIRPXcmH7fS20suUWafnd0eX7CW6pbfi1KUaDZ2l/TYXW
TUGbqUrEkK8X0p3ujiSO5hlEphNWFqk5pJggecYaFQfN025GA0b6V8pwT867
vGGU2u8ZDBpTkaVylsUMtGs4nQJ0yiEiQyF4VBajWVbRBxhbtnFIvOJYsqIh
Bg+jeRWnTStglsVYRXLuxCtG/4Fv9ro7GUkoz9TWlYptFItaD2TWutw4bDUK
+5x1h4doO5H0/MNHLSUHIE+FHhCcBwc/yriMZcYFG28evrclDb7bWoP7TUKM
OvCEiyWGDB/aHG7zVTyd1+Oj2yYf3e3n4VaePmKXDrU2y0pzz4Nco7bdYhKj
usb1jAs+6CIkRXPX4YyO3T1Cmn2tpqub7N4Yfx+lWSzTAY+tZkj11F0rKlwX
VWclThmHp8G306amAjyr4iYlaymFKimTWiL92G9nl5FBRXwNBkfUadxzVuZx
kL81OmNyU3Hl1S0wn5lffVhl1cZkWUZ2MMTzyZC3Yct3doMja/N6ltLd+Zmy
JpOokvelfUl80paai21MX+NmdmBFMmudp2VZg6iVecfuzAmjde00JlWEmGcS
LICUwsWBBCOzubnTG6YtAAGs9STSd10vCSqbBneoJQxYZK+WkxbW2VwcFfeK
5A0DoKMJmtAQBtBj/3LmVRUXmnuyEm5BySjY5k4YOtPLkyMT73/51TPTNSh1
VjRzmYpoe7ra+ktzPjo0r2wbaaQU04LGQpwywRLuhPE0HCl5U0gI3fcwWnnx
lIfbWE6N7eUCAozyrubKoU3Z5Ot4I7Bd+/jicRikI8CZcBWP7X1L5zCo9bb3
yYPqpPW/vUrndhwkoTh5klHrScQxcN9FUpXaFZZVp24yy+M5NxO7GyEMx+1F
xVhIh7AgJPeuAWpcFkK1cii3j9MmkbicdCkWZEWWnCSupOPeBNosdqA9OoM5
rZ20hUZmw1H73oVyNcZORbJnLs1twbLgdu52JI60LpMyt2lFr9Lr10mDqq+H
poRHNGxFQS8XgMueEeAmh2ZVFmEBVwAnkiQeOXlcsy5l2qvnmv4sEZLPepXf
bYpNFo0Dt26zgK0c5Zy3EXWsy5zcPWTWQRxDhuho0m0VWJQFDeT7HQEsNl+3
JToWQiR54EazmeJqdDmzTsR3kIQEq5pvGcDQLJeS++xHzEO0Thiz2vsphXYR
6+KcEHeK5Qz8BQnjhhASNFJj94993K9Xn8FP/YTMCJ2wf6/MByfcxwReBkEM
LERhLiuioyYs8hERmWQQMIVJpLUlwl5udMuPXXATCWDGaKPqUZuOafmzxVoA
FAogJEhF3G8Kc/WOZls19aHLBkw56aVtKB47p6FHIA5YpuYaH4+q5CRNdXS6
CRrIh0E92MsbIevi0IBpXQG+NSVFl4rm29Kp2rGdjyQnwt4f2yklFJ6eQ3Ir
vnlv6l2qyMQYIGmaJWow+FElMbxCeLJVNp8rs9GsENnqNP+0AItBSf9ytGFr
Nc1qto89sWLbkhVsVskpySqGI7rPCtvWQ5wd5dky810j7qIuV4hC2M0Qf+ex
sUSaYmXjm80+ysJ2DbQTuOyExLrnuMyX9EPdczkFGMP2XdRAsF+Da8zZstPA
2ZsEQ2WIsFdaTK+3Sx5zex0XfG1dIIiFg7vj8MslImg881lu5iIWVlknZxGi
jzbgD5szuAxTQHNvlT1Y00bFlpO5a5pgjZddcb6TBFRVXVgCwSKzi1+SMdXJ
mvEVWUabLd2GcuKiDSzpOIwz8CMnZwUN5xedqK+HZy3esCffiShsntvzOyaS
R5AjuBFdUeZnmeS2kP2Zkarf0IA+tQ0XIszvbDjL4fd+chnxEf8k07akSqfV
4MILBQggdEvagwHPY9ZSbPHYd5s+k7D+LL2fD9bPycp1fkHq/p4ztiDokuv0
h9GWgv7n0ZF0Kh7Z2KQyP8P2eXTpN8OQGxKOHaIBPvr111+HnXoz3iATgF9q
Q2dHDJ/B7HnFfVBX6IPyWfPP8yFrb1jutZNu4YL3Y1uGDf9Mr9UQ9Ed+6Xf8
kRm8Gwr2xbB+xwkRTyJgAHOL2KaKHWyuxO/xNTXzm0u3XpYovC9KPOUmMITC
PxM8fEPa+wu3mH8KT6UZ3W9EZ6Xze6Ydl7vLeKz2f2KAvaxr+97JBvy2D24N
QZesOEU/ZaiTbgbfk3mc/QDZOkkRzJEU5SrWBhk7pyxJXNHJ7/f5HWbIv/YD
hMjMczk9R4JEs6J/LvefBfxuKdCaOzGP7d0R9p4f5abrcddDhwcBiglRmqDK
XOl44q3uGVqXF3+gXcG2HzzQxYMy9unQdXGFGdjuD0wQQebi6ccunIokWwCl
vZuTNnFlYuvvpCl9RBxMFuJxG7k3gxtntNiZ/T29oBI1+4QCTFCu4qtMQFOf
t+nwJLDchyGSgvvg+YY2w7QvmEBSZcMtodKwC1mlcMkReuoAnBYAxw5kkuBM
cpXO2fcM7g7l3FX6xz3+dcs9xI8/Ho8H/wOSCNHmuVMAAA==

-->

</rfc>
