<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-seralathan-radext-persistent-devid-01" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="persistent-devid">RADIUS Chargeable-Device-Identity and Persistent Device Identification in MAC-Randomized Environments</title>
    <seriesInfo name="Internet-Draft" value="draft-seralathan-radext-persistent-devid-01"/>
    <author initials="P." surname="Seralathan" fullname="Premanand Seralathan">
      <organization>Cisco Systems</organization>
      <address>
        <postal>
          <street>170 West Tasman Drive</street>
          <city>San Jose</city>
          <code>95134</code>
          <country>US</country>
        </postal>
        <email>pseralat@cisco.com</email>
      </address>
    </author>
    <author initials="L." surname="Mukund" fullname="Laxmi Mukund">
      <organization>Cisco Systems</organization>
      <address>
        <postal>
          <street>Cessna Business Park, Kadubeesanahalli</street>
          <city>ORR Bangalore</city>
          <code>560103</code>
          <country>IN</country>
        </postal>
        <email>lmukund@cisco.com</email>
      </address>
    </author>
    <author initials="A." surname="Milton" fullname="Antoni Milton">
      <organization>Hewlett Packard Enterprise (HPE)</organization>
      <address>
        <postal>
          <street>6280 America Center Dr</street>
          <city>San Jose</city>
          <code>95002</code>
          <country>US</country>
        </postal>
        <email>antoni.milton@hpe.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <area>general</area>
    <workgroup>RADEXT Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <keyword>RADIUS</keyword>
    <keyword>Device-Id</keyword>
    <abstract>
      <?line 120?>

<t>This document defines a Chargeable-Device-Identity (CDI) -- a privacy-
preserving, rotating device correlator carried in existing RADIUS Class
attributes -- that enables Network Access Control (NAC) systems to maintain
device session correlation across Media Access Control (MAC) address changes.
Modern operating systems randomize MAC addresses by default, disrupting
RADIUS-based authentication, authorization, and accounting workflows that
rely on the Calling-Station-Id attribute as a persistent device identifier.</t>
      <t>CDI is modeled after the Chargeable-User-Identity (CUI) defined in RFC 4372,
providing an analogous device-level correlator with explicit privacy controls:
epoch-based rotation limits long-term tracking, HMAC construction prevents
identifier reversal by intermediate systems, and transport within the Class
attribute ensures immediate deployability on existing infrastructure.</t>
      <t>This document additionally defines a new RADIUS attribute,
Persistent-Device-Id, for deployments that require explicit device identity
semantics beyond what the opaque Class attribute can provide. The Class-based
CDI mechanism is the RECOMMENDED approach for immediate deployment; the
dedicated attribute provides a migration path for future interoperability.</t>
    </abstract>
  </front>
  <middle>
    <?line 142?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The RADIUS protocol <xref target="RFC2865"/> uses the Calling-Station-Id attribute (Type 31)
to carry the Media Access Control (MAC) address of the connecting device. This
attribute serves as the de facto device identifier in Network Access Control
(NAC) deployments, used for device identification, profiling, policy assignment,
license counting, and regulatory audit trails.</t>
      <t>MAC address randomization as a privacy feature was first introduced during
active scanning in iOS 8 (2014). Since 2020, major operating system vendors
have adopted randomized MAC addresses by default for network association.
<xref target="RFC9724"/> provides a comprehensive taxonomy of MAC address selection policies
and documents current OS practices: per-network randomization (PNGM),
per-connection randomization (PSGM), periodic rotation (PPGM), and scan-time
randomization are now widely deployed across Android <xref target="ANDROID-MAC"/>, iOS
<xref target="APPLE-MAC"/>, Windows <xref target="WINDOWS-MAC"/>, and Linux.</t>
      <t>Current versions of all major mobile operating systems transmit randomized
MAC addresses by default when connecting to wireless networks, disrupting
network services that depend on the MAC address as a stable device identifier.</t>
      <t>The impact on RADIUS-based NAC systems is significant:</t>
      <ul spacing="normal">
        <li>
          <t>A single physical device may present different Calling-Station-Id values
across connections, creating multiple unrelated endpoint records.</t>
        </li>
        <li>
          <t>Device profiling data becomes fragmented across records keyed by different
MAC addresses.</t>
        </li>
        <li>
          <t>RADIUS Accounting records <xref target="RFC2866"/> cannot be correlated across sessions
for the same device.</t>
        </li>
        <li>
          <t>License management systems produce inflated device counts.</t>
        </li>
        <li>
          <t>Regulatory audit trails required by frameworks such as <xref target="HIPAA"/> and <xref target="FISMA"/>
lose device-level continuity.</t>
        </li>
      </ul>
      <t>IEEE 802.11bh-2024 <xref target="IEEE80211BH"/> addresses session continuity at Layer 2 but
does not extend to the AAA layer. This document addresses the gap by defining
a RADIUS attribute that carries a persistent device identifier above the MAC
address layer.</t>
      <section anchor="mechanism-overview">
        <name>Mechanism Overview</name>
        <t>The mechanism works as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>During device enrollment (via MDM or self-service portal), a UUID (version 4,
per <xref target="RFC9562"/>) is generated and embedded in the device's X.509 certificate,
in the Subject Alternative Name (SAN) URI field using the urn:uuid: namespace.</t>
          </li>
          <li>
            <t>When the device connects to the network, it authenticates using a
certificate-based EAP method (EAP-TLS, EAP-TTLS, or TEAP). The device
presents its certificate inside the encrypted EAP tunnel.</t>
          </li>
          <li>
            <t>The RADIUS server extracts the UUID from the certificate's SAN URI field
and includes it as the Persistent-Device-Id attribute in the Access-Accept
message returned to the Network Access Device (NAD).</t>
          </li>
          <li>
            <t>The NAD caches the Persistent-Device-Id for the duration of the session
and includes it in all subsequent Accounting-Request messages. The NAD also
shares the identifier with integrated platforms (profiling engines, location
services, SIEM, compliance systems) for endpoint correlation.</t>
          </li>
          <li>
            <t>When the device reconnects with a different randomized MAC address, it
presents the same certificate. The RADIUS server extracts the same UUID and
returns the same Persistent-Device-Id. All sessions are correlated by the
server regardless of MAC address changes.</t>
          </li>
        </ol>
        <t>The NAD does not need to correlate the device across connections -- the
correlation happens entirely at the RADIUS server based on the certificate.
The NAD's role is limited to per-session caching and forwarding of the
identifier, analogous to the handling of the Class attribute but with
persistence across sessions.</t>
      </section>
      <section anchor="privacy-model">
        <name>Privacy Model</name>
        <t>This mechanism applies exclusively to devices that have voluntarily
enrolled and present a certificate during authentication. The device
owner (or their organization) has explicitly consented to identification
by completing the enrollment process and provisioning a certificate
containing a persistent identifier.</t>
        <t>The following device categories are completely unaffected by this
specification:</t>
        <ul spacing="normal">
          <li>
            <t>Guest devices using open or captive portal access</t>
          </li>
          <li>
            <t>Unenrolled BYOD devices without certificates</t>
          </li>
          <li>
            <t>Devices authenticating via MAC Authentication Bypass (MAB)</t>
          </li>
          <li>
            <t>Any device that does not present a certificate during EAP authentication</t>
          </li>
        </ul>
        <t>These devices continue to benefit fully from MAC address randomization
privacy protections. No passive tracking, fingerprinting, or correlation
is introduced for unenrolled devices.</t>
        <t>This is enterprise device management, not surveillance. The mechanism is
analogous to an employee voluntarily enrolling a device with their
organization's MDM system -- identification follows from a deliberate
enrollment action, not from passive network observation. The
Persistent-Device-Id is visible only within the administrative domain
that provisioned the certificate and MUST NOT leak to external networks
(see <xref target="privacy-considerations"/>).</t>
      </section>
      <section anchor="Requirements">
        <name>Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
      </section>
      <section anchor="Terminology">
        <name>Terminology</name>
        <t>Persistent-Device-Id (PDID):</t>
        <ul empty="true">
          <li>
            <t>A unique identifier carried within the device's certificate, typically
provisioned during device enrollment by a Mobile Device Management (MDM)
system or the NAC server's own registration process. The RADIUS server
extracts this identifier during certificate-based authentication and includes i
t in the RADIUS Access-Accept to provide a persistent device identity that
survives MAC address changes.</t>
          </li>
        </ul>
        <t>RADIUS Client:</t>
        <ul empty="true">
          <li>
            <t>A network device (switch, wireless controller, VPN concentrator) that acts
as a RADIUS authenticator per <xref target="RFC2865"/>.</t>
          </li>
        </ul>
        <t>RADIUS Server:</t>
        <ul empty="true">
          <li>
            <t>A server that processes RADIUS Access-Request messages, performs authentication
and authorization, and returns Access-Accept or Access-Reject messages. In this
context, the RADIUS server is also the entity that assigns and manages
Persistent-Device-Id values.</t>
          </li>
        </ul>
        <t>MAC Address Randomization:</t>
        <ul empty="true">
          <li>
            <t>The practice of replacing a device's hardware-assigned MAC address with a
locally-administered, randomly-generated alternative, as described in <xref target="RFC9724"/>.</t>
          </li>
        </ul>
        <t>Locally-Administered MAC Address:</t>
        <ul empty="true">
          <li>
            <t>A MAC address with the locally-administered bit (bit 1 of the first octet) set
to 1. Unlike globally-assigned (burned-in) MAC addresses, a locally-administered
address has local significance only, can be assigned by any entity, and is not
guaranteed to be globally unique. Randomized MAC addresses use
locally-administered addresses.</t>
          </li>
        </ul>
        <t>Identity Correlation Source:</t>
        <ul empty="true">
          <li>
            <t>A piece of information available during the RADIUS exchange that can be used
to associate a new MAC address with a previously assigned Persistent-Device-Id.
Examples include certificate Common Name (from certificate-based EAP methods
such as EAP-TLS, EAP-TTLS, or TEAP), MDM device identifier, and IEEE 802.1X
authenticated username.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="Problem">
      <name>Problem Statement</name>
      <section anchor="calling-station-id-as-device-identifier">
        <name>Calling-Station-Id as Device Identifier</name>
        <t>Section 5.31 of <xref target="RFC2865"/> defines the Calling-Station-Id attribute as
carrying "the phone number" of the user. In practice, for IEEE 802 networks,
this attribute carries the MAC address of the connecting device, formatted as a
string of hex digits (e.g., "AA-BB-CC-DD-EE-FF").</t>
        <t>NAC systems use Calling-Station-Id as the primary key for:</t>
        <ol spacing="normal" type="1"><li>
            <t>Endpoint record lookup and creation</t>
          </li>
          <li>
            <t>Device profiling and classification</t>
          </li>
          <li>
            <t>Authorization policy evaluation</t>
          </li>
          <li>
            <t>RADIUS Accounting session correlation</t>
          </li>
          <li>
            <t>License and compliance tracking</t>
          </li>
        </ol>
      </section>
      <section anchor="impact-of-mac-address-randomization">
        <name>Impact of MAC Address Randomization</name>
        <t>When a device randomizes its MAC address, the Calling-Station-Id value changes.
From the RADIUS server's perspective, each randomized MAC appears to be a new,
unrelated device. This causes:</t>
        <ol spacing="normal" type="1"><li>
            <t>Endpoint Record Proliferation: A single device generates N endpoint records
for N different MAC addresses, fragmenting device state.</t>
          </li>
          <li>
            <t>Profiling Data Loss: Attributes collected from network probes (DHCP, HTTP,
SNMP, DNS) are stored against a MAC-keyed record. When the MAC changes, the
accumulated profiling data is inaccessible for the new session.</t>
          </li>
          <li>
            <t>Accounting Discontinuity: Accounting Start and Stop records <xref target="RFC2866"/> for
the same device carry different Calling-Station-Id values, preventing session correlation.</t>
          </li>
          <li>
            <t>License Count Inflation: License management based on unique
Calling-Station-Id values produces artificially high counts.</t>
          </li>
          <li>
            <t>Compliance Gaps: Regulatory frameworks requiring device-level audit trails
(HIPAA <xref target="HIPAA"/>, FISMA <xref target="FISMA"/>, PCI-DSS <xref target="PCI-DSS"/>) cannot be satisfied
when device identity is ephemeral.</t>
          </li>
        </ol>
      </section>
      <section anchor="limitations-of-existing-mechanisms">
        <name>Limitations of Existing Mechanisms</name>
        <t>No existing standard RADIUS attribute provides a persistent device identifier
independent of the MAC address. The following existing attributes are insufficient:</t>
        <t>Calling-Station-Id (Type 31):</t>
        <ul empty="true">
          <li>
            <t>Carries the MAC address, which is now unstable.</t>
          </li>
        </ul>
        <t>User-Name (Type 1):</t>
        <ul empty="true">
          <li>
            <t>Identifies the user, not the device. A user may have multiple devices, and
conversely, a single device may be shared by several individuals.</t>
          </li>
        </ul>
        <t>NAS-Port-Id (Type 87):</t>
        <ul empty="true">
          <li>
            <t>Identifies the network port, not the device.</t>
          </li>
        </ul>
        <t>Class (Type 25):</t>
        <ul empty="true">
          <li>
            <t>An opaque value sent by the RADIUS server in Access-Accept and echoed by the
NAS in subsequent Accounting-Request messages <xref target="RFC2865"/>. The Class attribute
is server-generated per session for accounting grouping and policy context.
It is opaque to the NAS, has no defined structure for device identification,
and is not guaranteed to persist across sessions or MAC address changes. It
cannot serve as a stable device identifier.</t>
          </li>
        </ul>
        <t>Chargeable-User-Identity (CUI) <xref target="RFC4372"/>:</t>
        <ul empty="true">
          <li>
            <t>Provides a stable user-level identity for inter-domain roaming and billing.
While CUI carries an opaque identifier, it is semantically a user identity,
not a device identity. A single user may have multiple devices, and a shared
device may serve multiple users. CUI cannot distinguish between devices
belonging to the same user. Furthermore, RFC 4372 specifies that the CUI
binding lifetime should be temporary (e.g., one billing period), whereas
persistent device identification requires a stable identity across the device's
entire enrollment lifecycle. Overloading CUI to carry device identity would
violate its defined semantics and conflict with existing CUI deployments used
for roaming billing.</t>
          </li>
        </ul>
        <t>Certificate-based EAP fields (EAP-TLS, EAP-TTLS, TEAP):</t>
        <ul empty="true">
          <li>
            <t>Available only for certificate-based authentication methods, not for MAC
Authentication Bypass (MAB) or credential-based EAP methods.</t>
          </li>
        </ul>
        <t>The absence of a standard attribute has led to vendor-specific workarounds that
are mutually incompatible, as described in the following section.</t>
      </section>
      <section anchor="current-vendor-specific-approaches">
        <name>Current Vendor-Specific Approaches</name>
        <t>In the absence of a standard RADIUS attribute for persistent device identity,
network access control vendors have independently implemented proprietary
solutions to address the MAC address randomization problem. These approaches
differ in their choice of RADIUS attribute, encoding format, and client-side
parsing requirements.</t>
        <t>Some implementations repurpose existing standard RADIUS attributes such as
User-Name (Type 1) to carry device identifiers in the Access-Accept message.
This approach violates the semantic definition of User-Name in RFC 2865, which
specifies it as "the name of the user to be authenticated." Overloading
User-Name with device identity creates ambiguity for downstream consumers of
RADIUS data, including accounting systems, billing platforms, and compliance
audit tools that expect User-Name to contain an actual user identity. It also
requires RADIUS clients (NAS devices) to implement vendor-specific logic to
distinguish between a true user name and an encoded device identifier.</t>
        <t>Other implementations use Vendor-Specific Attributes (Type 26) to carry the
persistent device identifier within a vendor-allocated attribute space. While
VSAs are a legitimate RADIUS extension mechanism, they are inherently
non-interoperable: a RADIUS client from one vendor cannot interpret the
VSA encoding of another vendor's RADIUS server. In multi-vendor enterprise
deployments -- where network access devices, RADIUS servers, and policy
engines may come from different manufacturers -- VSA-based approaches result
in fragmented device identity that cannot be correlated across the infrastructure.</t>
        <t>Both approaches share a common deficiency: they require modifications to RADIUS
client firmware for each vendor's proprietary encoding, creating a fragmented
ecosystem where persistent device identity is available only within
single-vendor deployments. Enterprise networks that use equipment from multiple
vendors -- a common scenario in large organizations -- cannot achieve
onsistent device identity across their infrastructure.</t>
        <t>A standard RADIUS attribute for persistent device identity, as defined in this
document, would eliminate this fragmentation by providing a single,
interoperable mechanism that all vendors can implement without proprietary
extensions or semantic overloading of existing attributes.</t>
      </section>
    </section>
    <section anchor="Attribute">
      <name>Persistent-Device-Id Attribute</name>
      <section anchor="attribute-format">
        <name>Attribute Format</name>
        <t>The Persistent-Device-Id attribute is a standard RADIUS attribute with the
following format:</t>
        <figure anchor="attr-pdevid">
          <name>Encoding Persistent-Device-Id Attribute</name>
          <artwork><![CDATA[
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Value (variable length string)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


]]></artwork>
        </figure>
        <t>Type</t>
        <ul empty="true">
          <li>
            <ul empty="true">
              <li>
                <t>TBD1 (to be assigned by IANA)</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Length</t>
        <ul empty="true">
          <li>
            <ul empty="true">
              <li>
                <t>Variable (2 octets for Type and Length, plus the length of the string value)</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Data Type</t>
        <ul empty="true">
          <li>
            <ul empty="true">
              <li>
                <t>String</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Value</t>
        <ul empty="true">
          <li>
            <t>A string containing the persistent device identifier extracted from the
device's certificate. Implementations SHOULD use UUID version 4 <xref target="RFC9562"/>
in the standard 36-character string representation (e.g.,
"f47ac10b-58cc-4372-a567-0e02b2c3d479"). The identifier is provisioned into
the certificate during device enrollment and is not generated by the RADIUS
server.</t>
          </li>
        </ul>
      </section>
      <section anchor="string-representation">
        <name>String Representation</name>
        <t>When UUID version 4 is used as the Persistent-Device-Id, it MUST use the
standard string format defined in Section 4 of <xref target="RFC9562"/>:</t>
        <ul empty="true">
          <li>
            <t>xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx</t>
          </li>
        </ul>
        <t>where "x" is a lowercase hexadecimal digit and "y" is one of 8, 9, a, or b.
The "4" indicates UUID version 4. This string representation is carried
directly in the RADIUS attribute value field.</t>
        <t>Example:</t>
        <ul empty="true">
          <li>
            <t>Persistent-Device-Id = "f47ac10b-58cc-4372-a567-0e02b2c3d479"</t>
          </li>
        </ul>
      </section>
      <section anchor="attribute-properties">
        <name>Attribute Properties</name>
        <t>The following table summarizes the properties of the Persistent-Device-Id
attribute:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Attribute Name</th>
              <th align="left">Persistent-Device-Id</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Attribute Type</td>
              <td align="left">TBD1</td>
            </tr>
            <tr>
              <td align="left">Value Type</td>
              <td align="left">String</td>
            </tr>
            <tr>
              <td align="left">Length</td>
              <td align="left">Variable</td>
            </tr>
            <tr>
              <td align="left">Allowed in</td>
              <td align="left">Access-Accept, Accounting-Request, Accounting-Response, CoA-Request</td>
            </tr>
            <tr>
              <td align="left">Forbidden in</td>
              <td align="left">Access-Request, Access-Reject, Access-Challenge</td>
            </tr>
            <tr>
              <td align="left">Presence</td>
              <td align="left">OPTIONAL</td>
            </tr>
            <tr>
              <td align="left">Maximum Occurrences</td>
              <td align="left">1</td>
            </tr>
            <tr>
              <td align="left">Encrypted</td>
              <td align="left">Yes (as per RADIUS shared secret)</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="security-and-deployment-model">
      <name>Security and Deployment Model</name>
      <t>This section defines the security and deployment model for the
Persistent-Device-Id specification. A clear understanding of the actors,
threats addressed, explicit non-goals, and security invariants is essential to
evaluate the privacy and security properties of this mechanism.</t>
      <section anchor="actors">
        <name>Actors</name>
        <t>The following actors are relevant to this specification:</t>
        <ol spacing="normal" type="1"><li>
            <t>Device Owner/User: The individual who owns or operates the device. In
enterprise environments, this may be an employee using a corporate-issued or
BYOD device. The device owner has a legitimate expectation of privacy from
passive observers and external networks, while accepting that their employer's
network may identify their device for security and compliance purposes.</t>
          </li>
          <li>
            <t>Enterprise Administrator: The network operator responsible for device
enrollment, certificate provisioning, NAC policy enforcement, and compliance
auditing. The administrator has a legitimate need to persistently identify
enrolled devices for security operations.</t>
          </li>
          <li>
            <t>Passive Observer: An entity that can observe Layer 2 frames on the wireless
medium or local network segment. This includes any device within radio range of
a wireless network. The passive observer is the primary adversary that MAC
address randomization is designed to defeat.</t>
          </li>
          <li>
            <t>Rogue Access Point / Man-in-the-Middle: An attacker operating an
unauthorized access point to intercept or manipulate network traffic. This
actor can observe Layer 2 frames and may attempt to intercept authentication
exchanges.</t>
          </li>
          <li>
            <t>External Network: A network operator outside the device's home
administrative domain. External networks should not be able to learn the
Persistent-Device-Id or correlate device activity across domains.</t>
          </li>
        </ol>
      </section>
      <section anchor="threats-addressed">
        <name>Threats Addressed</name>
        <t>MAC address randomization was introduced to mitigate the following threats.
This specification is designed to preserve these protections:</t>
        <ol spacing="normal" type="1"><li>
            <t>Passive Device Tracking: A passive observer monitors Layer 2 frame headers
to track a device's location and movement patterns using its MAC address.
MAC randomization defeats this by changing the MAC address. The
Persistent-Device-Id does NOT reintroduce this threat because it is never
present in any Layer 2 frame. The identifier value originates from the
device certificate exchanged within the encrypted EAP tunnel, and the
Persistent-Device-Id RADIUS attribute is carried only in RADIUS messages
between the server and authenticator, protected by RADIUS/TLS
<xref target="I-D.ietf-radext-radiusdtls-bis"/>.</t>
          </li>
          <li>
            <t>Cross-Network Correlation: An adversary correlates a device's activity
across multiple networks using a stable identifier. MAC randomization limits
this by using different MAC addresses on different networks. The
Persistent-Device-Id does NOT enable cross-network correlation because:
(i) the identifier is scoped to the administrative domain that provisioned the
certificate, (ii) external networks never see the identifier, and (iii) the
RADIUS server MUST NOT share it with external entities.</t>
          </li>
          <li>
            <t>Device Fingerprinting: An attacker combines observable characteristics
(probe requests, timing patterns, supported capabilities) to fingerprint a
device. The Persistent-Device-Id does not contribute to fingerprinting
because it is not observable by any entity other than the RADIUS server and
the authenticated NAS.</t>
          </li>
        </ol>
      </section>
      <section anchor="explicit-non-goals">
        <name>Explicit Non-Goals</name>
        <t>This specification explicitly does NOT:</t>
        <ol spacing="normal" type="1"><li>
            <t>Enable tracking of unenrolled devices. Devices without certificates
(guest, unauthenticated, MAB-only) are completely unaffected by this
specification and continue to benefit fully from MAC randomization privacy.</t>
          </li>
          <li>
            <t>Provide a mechanism for cross-network tracking. The Persistent-Device-Id
is administratively scoped and MUST NOT be shared across administrative domains.</t>
          </li>
          <li>
            <t>Enable surveillance or monitoring of user behavior. The identifier
correlates a device for NAC, compliance, and licensing purposes only. It does
not reveal user activity, browsing history, or application usage.</t>
          </li>
          <li>
            <t>Undermine the user's choice to use MAC randomization. The MAC address
continues to randomize at Layer 2 as the device vendor intended. The
Persistent-Device-Id operates at a different layer (AAA/RADIUS) and is
visible only to the enterprise network the device has voluntarily enrolled with.</t>
          </li>
          <li>
            <t>Introduce a covert or hidden identifier. The identifier is explicitly
provisioned into the device's certificate during a transparent enrollment
process that requires device owner or administrator action.</t>
          </li>
        </ol>
      </section>
      <section anchor="security-invariants">
        <name>Security Invariants</name>
        <t>The following security properties MUST hold for any conforming implementation:</t>
        <ol spacing="normal" type="1"><li>
            <t>The Persistent-Device-Id MUST NOT appear in the clear in any Layer 2 frame
(Ethernet, Wi-Fi management, or data frames).</t>
          </li>
          <li>
            <t>The Persistent-Device-Id value is derived from the device certificate
exchanged within the encrypted EAP tunnel (device to RADIUS server). The
Persistent-Device-Id RADIUS attribute MUST only be transmitted within RADIUS
messages protected by RADIUS/TLS <xref target="I-D.ietf-radext-radiusdtls-bis"/>
(RADIUS server to NAS).</t>
          </li>
          <li>
            <t>The Persistent-Device-Id MUST NOT be derivable from the device's MAC
address (randomized or real).</t>
          </li>
          <li>
            <t>The Persistent-Device-Id MUST NOT be observable by passive observers on
the wireless medium or local network segment.</t>
          </li>
          <li>
            <t>The Persistent-Device-Id MUST NOT be shared with entities outside the
administrative domain without explicit device owner consent.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="device-consent-and-control">
      <name>Device Consent and Control</name>
      <t>A central concern raised by device vendors and privacy advocates is whether
a persistent device identifier undermines the user's control over their device
identity. This section specifies the consent and control requirements that
ensure the Persistent-Device-Id respects device owner autonomy.</t>
      <section anchor="consent-model">
        <name>Consent Model</name>
        <t>The Persistent-Device-Id is NEVER assigned to a device without explicit action
by the device owner or an authorized administrator. The identifier exists only
because a certificate containing it was provisioned onto the device through
one of the following consent-based mechanisms:</t>
        <ol spacing="normal" type="1"><li>
            <t>Corporate Device Enrollment (Administrator Consent): An enterprise
administrator enrolls the device in a Mobile Device Management (MDM) system.
The MDM system generates a certificate containing the Persistent-Device-Id and
pushes it to the device. The administrator acts on behalf of the organization,
and the device is corporate-owned. The employee is informed of the enrollment
through the organization's acceptable use policy.</t>
          </li>
          <li>
            <t>BYOD Self-Enrollment (User Consent): The device owner voluntarily connects
to a provisioning portal (captive portal or onboarding SSID) and follows an
enrollment workflow. During this process, the portal generates a certificate
containing the Persistent-Device-Id and installs it on the device. The user
explicitly initiates and approves this enrollment. On most operating systems
(iOS, Android, Windows, macOS), installing a certificate profile requires the
user to accept a system-level prompt.</t>
          </li>
          <li>
            <t>MDM-Initiated BYOD Enrollment (User Consent with MDM): The device owner
installs an MDM agent application and enrolls their personal device in the
organization's MDM. The MDM provisions the certificate. The user must
explicitly install the MDM profile and grant the required permissions,
providing informed consent.</t>
          </li>
        </ol>
      </section>
      <section anchor="user-control-and-opt-out">
        <name>User Control and Opt-Out</name>
        <t>The device owner retains full control over the Persistent-Device-Id at all
times:</t>
        <ol spacing="normal" type="1"><li>
            <t>Certificate Removal: The device owner can remove the certificate (and with
it, the Persistent-Device-Id) at any time by deleting the certificate
profile from the device settings. On iOS, this is under
Settings &gt; General &gt; VPN &amp; Device Management. On Android,
Settings &gt; Security &gt; Credentials. On Windows, certmgr.msc. On macOS,
Keychain Access. Once the certificate is removed, the device will no longer
present a Persistent-Device-Id during authentication, and the RADIUS server
will treat it as a new, unidentified device.</t>
          </li>
          <li>
            <t>MDM Unenrollment: For MDM-managed devices, the device owner can unenroll
from the MDM system, which removes the MDM profile and all associated
certificates, including the one containing the Persistent-Device-Id.</t>
          </li>
          <li>
            <t>Network Disconnection: The device owner can choose not to connect to the
enterprise network. No identifier is transmitted unless the device actively
authenticates to the network using the provisioned certificate.</t>
          </li>
          <li>
            <t>No Silent Re-provisioning: The RADIUS server or NAS MUST NOT provision or
re-provision a certificate containing a Persistent-Device-Id without the device
owner's or administrator's explicit action. If a certificate expires or is
revoked, a new enrollment process requiring consent is needed.</t>
          </li>
        </ol>
      </section>
      <section anchor="transparency-requirements">
        <name>Transparency Requirements</name>
        <t>Organizations deploying the Persistent-Device-Id SHOULD:</t>
        <ol spacing="normal" type="1"><li>
            <t>Inform device owners, through an acceptable use policy or enrollment
notification, that a persistent device identifier will be embedded in the c
ertificate and used for network access control, compliance, and licensing
purposes.</t>
          </li>
          <li>
            <t>Clearly describe what data is associated with the Persistent-Device-Id
(MAC address history, session records, compliance state) and how long it is
retained.</t>
          </li>
          <li>
            <t>Provide a documented procedure for device owners to request deletion of
their Persistent-Device-Id records, in compliance with applicable privacy
regulations (e.g., the General Data Protection Regulation <xref target="GDPR"/> Article 17,
the California Consumer Privacy Act).</t>
          </li>
        </ol>
        <t>The above recommendations are expressed as SHOULD to accommodate deployments
where equivalent transparency is already provided through existing enterprise
acceptable use policies, device management agreements, or where jurisdictional
requirements impose alternative notification obligations that satisfy the same
intent.</t>
      </section>
    </section>
    <section anchor="certificate-provisioning-lifecycle">
      <name>Certificate Provisioning Lifecycle</name>
      <t>The provisioning of the Persistent-Device-Id into the device's certificate is
outside the scope of the RADIUS protocol. This section provides an informational
overview of the lifecycle:</t>
      <ol spacing="normal" type="1"><li>
          <t>Enrollment: The device is enrolled through an MDM system or a NAC
registration portal. During enrollment, the system generates a UUID
version 4 using a CSPRNG and embeds it in the certificate's Subject
Alternative Name (SAN) URI field using the URN format defined in <xref target="RFC9562"/>,
e.g., "urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479". The certificate is
signed by the organization's CA and pushed to the device.  </t>
          <ul spacing="normal">
            <li>
              <t>The SAN URI field is chosen over the X.509v3 subjectUniqueId field for the
following reasons. First, <xref target="RFC5280"/> Section 4.1.2.8 states that conforming
CAs "MUST NOT generate certificates with unique identifiers", effectively
deprecating subjectUniqueId for new deployments. Second, the SAN extension is
the standard mechanism for carrying additional identity forms in X.509
certificates and is universally supported by certificate tooling, MDM systems,
and SCEP/EST enrollment protocols. Third, the urn:uuid: namespace is already
registered <xref target="RFC9562"/>, requiring no new URI scheme registration. The RADIUS
server extracts the UUID from the SAN URI by parsing the urn:uuid: prefix and
using the remaining string representation directly as the RADIUS attribute
value.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>Consent: Certificate installation requires explicit action -- either by an
administrator (corporate MDM push) or by the device owner (accepting a
certificate profile prompt during BYOD onboarding). The identifier is never
provisioned silently.</t>
        </li>
        <li>
          <t>Authentication: When the device connects to the network, it presents the
certificate inside the encrypted EAP tunnel (e.g., EAP-TLS, EAP-TTLS, TEAP).
The RADIUS server extracts the Persistent-Device-Id from the SAN URI field
and includes it in the Access-Accept message.</t>
        </li>
        <li>
          <t>Renewal: When the certificate approaches expiration, the MDM or NAC system
renews it. The renewed certificate must contain the same Persistent-Device-Id
as the original, preserving identity continuity.</t>
        </li>
        <li>
          <t>Revocation: When a device is decommissioned, lost, or stolen, the
administrator revokes the certificate. The RADIUS server rejects subsequent
authentication attempts. The Persistent-Device-Id record may be retained for
 audit or deleted per the organization's data retention policy.</t>
        </li>
        <li>
          <t>Re-enrollment: If a device is re-enrolled after revocation, a new
certificate with a new Persistent-Device-Id should be provisioned. Reuse of a
previously revoked identifier is not recommended.</t>
        </li>
      </ol>
    </section>
    <section anchor="protocol-sequence-diagrams">
      <name>Protocol Sequence Diagrams</name>
      <t>The following diagram illustrates the complete lifecycle: certificate
provisioning, initial authentication with identifier extraction, and
re-authentication after MAC address rotation.</t>
      <figure anchor="figlifecycle">
        <name>Persistent-ID Lifecycle Management</name>
        <artwork><![CDATA[
Device        MDM/Portal    CA        NAS         RADIUS Server
  |               |          |          |               |
  |  PHASE 1: CERTIFICATE PROVISIONING (one-time)       |
  |               |          |          |               |
  |-- Enroll ---->|          |          |               |
  |  (user consent)          |          |               |
  |               |--CSR---->|          |               |
  |               | (UUID in |          |               |
  |               |  SAN URI)|          |               |
  |               |<-Cert----|          |               |
  |<--Push Cert---|          |          |               |
  | (user accepts |          |          |               |
  |  cert prompt) |          |          |               |
  |               |          |          |               |
  |  PHASE 2: FIRST AUTHENTICATION (certificate-based EAP)|
  |               |          |          |               |
  |-- 802.1X Start -------------------->|               |
  |  (MAC_1 in L2 header)    |          |               |
  |               |          |          |--Acc-Request->|
  |               |          |          | Calling-Stn-Id|
  |               |          |          | = MAC_1       |
  |<============ EAP Tunnel (e.g., EAP-TLS) ============>|
  |  (cert with UUID_A exchanged inside tunnel)         |
  |               |          |          |               |
  |               |          |          |  Server:      |
  |               |          |          |  1.Extract    |
  |               |          |          |    UUID_A     |
  |               |          |          |    from cert  |
  |               |          |          |  2.Store:     |
  |               |          |          |    UUID_A ->  |
  |               |          |          |    MAC_1      |
  |               |          |          |               |
  |               |          |          |<-Acc-Accept---|
  |               |          |          | PDID=UUID_A   |
  |<-- EAP-Success ---------------------|               |
  |               |          |          |--Acct-Req---->|
  |               |          |          | MAC_1,UUID_A  |
  |               |          |          |               |
  |       PHASE 3: RE-AUTH AFTER MAC ROTATION           |
  |               |          |          |               |
  |  [MAC rotates: MAC_1 -> MAC_2]      |               |
  |               |          |          |               |
  |-- 802.1X Start -------------------->|               |
  |  (MAC_2 in L2 header)    |          |               |
  |               |          |          |--Acc-Request->|
  |               |          |          | Calling-Stn-Id|
  |               |          |          | = MAC_2       |
  |<============ EAP Tunnel (e.g., EAP-TLS) ============>|
  |  (same cert, same UUID_A)           |               |
  |               |          |          |               |
  |               |          |          |  Server:      |
  |               |          |          |  1.Extract    |
  |               |          |          |    UUID_A     |
  |               |          |          |  2.Find       |
  |               |          |          |    existing   |
  |               |          |          |    record     |
  |               |          |          |  3.Add MAC_2  |
  |               |          |          |    to UUID_A  |
  |               |          |          |               |
  |               |          |          |<-Acc-Accept---|
  |               |          |          | PDID=UUID_A   |
  |               |          |          | (same as      |
  |               |          |          |  before)      |
  |<-- EAP-Success ---------------------|               |
  |               |          |          |--Acct-Req---->|
  |               |          |          | MAC_2,UUID_A  |


]]></artwork>
      </figure>
      <t>Key observations: (1) The UUID is provisioned with user/admin consent during
enrollment. (2) The UUID originates from the device certificate exchanged
within the encrypted EAP tunnel -- it never appears in any Layer 2 frame.
The Persistent-Device-Id RADIUS attribute is carried only in RADIUS messages
protected by RADIUS/TLS. (3) After MAC rotation, the same UUID is extracted
from the same certificate, allowing the RADIUS server to unify device records
across MAC changes. (4) Unenrolled devices (no certificate) are unaffected and
receive no Persistent-Device-Id.</t>
    </section>
    <section anchor="attribute-assignment-procedures">
      <name>Attribute Assignment Procedures</name>
      <section anchor="identifier-extraction-from-certificate">
        <name>Identifier Extraction from Certificate</name>
        <t>When a RADIUS server receives an Access-Request containing a certificate-based
authentication (e.g., EAP-TLS, EAP-TTLS, TEAP), and the device's certificate contains a
persistent device identifier, the server MUST:</t>
        <ol spacing="normal" type="1"><li>
            <t>Extract the persistent device identifier from the device's certificate.</t>
          </li>
          <li>
            <t>Store or update the identifier in association with the device's current
Calling-Station-Id (MAC address) for correlation purposes.</t>
          </li>
          <li>
            <t>Include the Persistent-Device-Id attribute in the Access-Accept message.</t>
          </li>
        </ol>
      </section>
      <section anchor="correlation-and-retrieval">
        <name>Correlation and Retrieval</name>
        <t>When a RADIUS server receives an Access-Request and the Calling-Station-Id does
not match any stored device record, but the device authenticates via a
certificate-based method, the server SHOULD attempt to correlate the request
with an existing Persistent-Device-Id by extracting the identifier from the
certificate and looking up the stored records.</t>
        <t>The primary identity correlation source is the device certificate. If the
authentication method is certificate-based (e.g., EAP-TLS, EAP-TTLS, TEAP), the
server extracts the persistent device identifier from the certificate and
uses it to look up an existing device record. If a matching record is found,
the server associates the new MAC address with the existing record.</t>
        <t>Note: External device management systems (e.g., MDM) provision the persistent
identifier into the device's certificate during enrollment. The identifier
reaches the RADIUS server through the certificate-based authentication
exchange, not through a separate channel. Therefore, MDM-managed devices are
covered by the certificate-based extraction above.</t>
        <t>For authentication methods that do not involve certificates (e.g., MAB,
credential-based EAP methods, guest access), no persistent device identifier
is available in the authentication exchange. In these cases, the RADIUS server
does not assign a Persistent-Device-Id, and MAC address randomization continues
to result in separate device records per MAC address.</t>
        <t>This document does not define alternative mechanisms for persistent device
identification in non-certificate-based authentication scenarios. Such
mechanisms are outside the scope of this specification.</t>
        <t>If the extracted identifier matches an existing record, the server MUST:</t>
        <ol spacing="normal" type="1"><li>
            <t>Associate the new Calling-Station-Id (MAC address) with the existing
Persistent-Device-Id record.</t>
          </li>
          <li>
            <t>Include the existing Persistent-Device-Id in the Access-Accept message.</t>
          </li>
        </ol>
        <t>If the device authenticates via a non-certificate-based method, or if the
certificate does not contain a persistent device identifier, the server
MUST NOT include a Persistent-Device-Id attribute in the Access-Accept.</t>
      </section>
      <section anchor="immutability">
        <name>Immutability</name>
        <t>The Persistent-Device-Id value is determined by the identifier provisioned in
the device's certificate. It MUST NOT be modified by the RADIUS server. If
administrative action requires re-identification of a device (e.g., device
decommissioning and re-enrollment), a new certificate with a new identifier
must be provisioned to the device. The old identifier MUST be retired and MUST
NOT be reassigned to a different device.</t>
      </section>
      <section anchor="uniqueness">
        <name>Uniqueness</name>
        <t>The persistent device identifier provisioned in each device's certificate MUST
be globally unique. The enrollment system (MDM or NAC registration portal) is
responsible for ensuring uniqueness during certificate provisioning. The use of
UUID version 4 with a CSPRNG during provisioning provides sufficient uniqueness
guarantees.</t>
      </section>
      <section anchor="concurrency">
        <name>Concurrency</name>
        <t>In deployments where multiple RADIUS server instances process authentication
requests concurrently, implementations MUST ensure that the extracted
Persistent-Device-Id and its associated MAC address mappings are consistently
replicated across all server instances. Since the identifier originates from
the certificate (not generated by the server), concurrency risks are limited
to MAC address association updates.</t>
        <t>Recommended approaches include:
1. Advisory locking on the Calling-Station-Id or identity correlation key before
checking for existing assignments.
1. A check-then-act pattern with lock acquisition: acquire lock, re-query for
existing assignment, create if absent, release lock.
1. Distributed coordination across server instances in clustered deployments.
The lock hold time SHOULD NOT exceed 5 seconds to prevent processing delays.</t>
      </section>
      <section anchor="nad-and-platform-integration">
        <name>NAD and Platform Integration</name>
        <t>After receiving the Persistent-Device-Id in the Access-Accept message, the
Network Access Device (NAD) caches the identifier for the duration of the
authenticated session. The NAD does not perform cross-connection correlation --
correlation across MAC address changes is handled entirely by the RADIUS server
based on the device's certificate. The NAD's role is analogous to its handling
of the Class attribute: receive, cache, and echo.</t>
        <t>Beyond caching and echoing in RADIUS Accounting-Request messages, the NAD
distributes the Persistent-Device-Id to integrated platforms, enabling several
downstream use cases:</t>
        <ol spacing="normal" type="1"><li>
            <t>Device Profiling and Fingerprinting: The NAD or RADIUS server can share
the Persistent-Device-Id with endpoint analytics and profiling systems.
These systems build device fingerprint profiles -- aggregating attributes
such as DHCP options, HTTP user-agent, and CDP/LLDP data -- indexed by the
persistent identifier rather than the transient MAC address. This ensures
profiling data survives MAC rotation.</t>
          </li>
          <li>
            <t>Location and Presence Analytics: The NAD can include the
Persistent-Device-Id in location telemetry messages (e.g., via streaming
telemetry or location service protocols) sent to location analytics
platforms. This allows location services to track device presence and
movement patterns using a stable identifier, even as the MAC address
changes between sessions.</t>
          </li>
          <li>
            <t>Cross-Platform Distribution: The RADIUS server or NAD can distribute the
Persistent-Device-Id to network management, assurance, and third-party
platforms through integration mechanisms such as publish-subscribe
frameworks, REST APIs, or event streaming. This enables a consistent device
identity across the ecosystem of network services -- including compliance
engines, network assurance dashboards, and third-party security tools --
without requiring each platform to independently resolve MAC address
changes.</t>
          </li>
        </ol>
        <t>In all cases, the Persistent-Device-Id MUST be treated with the same access
control and privacy protections described in this specification. Platforms
receiving the identifier MUST NOT expose it to entities outside the
administrative domain without explicit device owner consent.</t>
      </section>
      <section anchor="deployment-considerations">
        <name>Deployment Considerations</name>
        <t>The Persistent-Device-Id mechanism is designed to be deployable without
changes to existing NAD firmware or software. The NAD behavior required
by this specification -- receiving a new attribute in Access-Accept, caching
it for the session, and echoing it in Accounting-Request messages -- is
identical to how RADIUS clients already handle the Class attribute per
<xref target="RFC2865"/>. Any NAD that correctly implements Class attribute handling can
support Persistent-Device-Id without modification.</t>
        <t>The primary changes required for deployment are:</t>
        <ol spacing="normal" type="1"><li>
            <t>Enrollment System: The certificate enrollment system (MDM, SCEP/EST server,
or NAC self-service portal) must generate and embed a UUID in the device
certificate's SAN URI field during provisioning.</t>
          </li>
          <li>
            <t>RADIUS Server: The RADIUS server must be updated to extract the UUID from
the SAN URI field of the client certificate during EAP-TLS, EAP-TTLS, or
TEAP authentication, and to include it as the Persistent-Device-Id attribute
in the Access-Accept.</t>
          </li>
          <li>
            <t>Backend Systems: Profiling engines, compliance systems, and analytics
platforms must be updated to consume the Persistent-Device-Id as the
primary device correlation key instead of (or in addition to) the MAC address.</t>
          </li>
        </ol>
        <t>No changes are required at the NAD layer, which reduces the barrier to
deployment in existing network infrastructure.</t>
      </section>
    </section>
    <section anchor="usage-in-radius-messages">
      <name>Usage in RADIUS Messages</name>
      <section anchor="access-accept">
        <name>Access-Accept</name>
        <t>When a RADIUS server extracts a Persistent-Device-Id from a device's
certificate during authentication, it SHOULD include the Persistent-Device-Id
attribute in the Access-Accept message sent to the RADIUS client (authenticator).</t>
        <figure anchor="figaccess-accept">
          <name>Persistent Device ID in Access Accept</name>
          <artwork><![CDATA[
RADIUS Server                          RADIUS Client
     |                                        |
     |<--- Access-Request --------------------|
     |     (Calling-Station-Id = random MAC)  |
     |                                        |
     |  [Correlate or assign PDID]            |
     |                                        |
     |---- Access-Accept -------------------->|
     |     (Persistent-Device-Id = UUID)      |
     |     (other authorization attributes)   |
     |                                        |

]]></artwork>
        </figure>
      </section>
      <section anchor="accounting-request">
        <name>Accounting-Request</name>
        <t>When a RADIUS client has received a Persistent-Device-Id in an Access-Accept,
it SHOULD include the Persistent-Device-Id attribute in all subsequent
Accounting-Request messages (Accounting-Start, Interim-Update, and
Accounting-Stop) for that session.</t>
        <t>This enables the RADIUS server to correlate accounting records across sessions
where the Calling-Station-Id may differ due to MAC address randomization.</t>
        <figure anchor="figaccounting-request">
          <name>Persistent Device ID in Accounting Request</name>
          <artwork><![CDATA[
RADIUS Client                          RADIUS Server
     |                                       |
     |---- Accounting-Request (Start) ------>|
     |     (Calling-Station-Id = MAC_1)      |
     |     (Persistent-Device-Id = UUID_A)   |
     |                                       |
     |     [Device reconnects with new MAC]  |
     |                                       |
     |---- Accounting-Request (Start) ------>|
     |     (Calling-Station-Id = MAC_2)      |
     |     (Persistent-Device-Id = UUID_A)   |
     |                                       |

]]></artwork>
        </figure>
        <t>The RADIUS server can now correlate both sessions as belonging to the same
device (UUID_A) despite different MAC addresses.</t>
      </section>
      <section anchor="coa-request">
        <name>CoA-Request</name>
        <t>A RADIUS server MAY include the Persistent-Device-Id attribute in a
Change-of-Authorization (CoA) Request RFC5176 to identify the target device
session. The RADIUS client MUST use the Persistent-Device-Id, if present, to
identify the session to which the CoA applies, in preference to
Calling-Station-Id when both are present.</t>
      </section>
      <section anchor="Access-Request">
        <name>Access-Request</name>
        <t>The Persistent-Device-Id attribute MUST NOT appear in Access-Request messages.
The identifier is extracted from the device's certificate by the RADIUS server
during authentication processing, not supplied by the RADIUS client.</t>
        <t>Exception: If a RADIUS client has cached a Persistent-Device-Id from a
previous Access-Accept for the same device, and the server's deployment
policy explicitly permits it, the client MAY include the cached
Persistent-Device-Id in the Access-Request as a hint to assist correlation.
When present in an Access-Request, the server MUST validate the hint against
its own records and MUST NOT trust it as authoritative.</t>
      </section>
      <section anchor="access-reject-and-access-challenge">
        <name>Access-Reject and Access-Challenge</name>
        <t>The Persistent-Device-Id attribute MUST NOT appear in Access-Reject or
Access-Challenge messages. A Persistent-Device-Id is only included upon
successful certificate-based authentication where the certificate contains a
valid persistent device identifier.</t>
      </section>
    </section>
    <section anchor="interaction-with-existing-attributes">
      <name>Interaction with Existing Attributes</name>
      <section anchor="calling-station-id-type-31">
        <name>Calling-Station-Id (Type 31)</name>
        <t>The Persistent-Device-Id attribute supplements but does not replace
Calling-Station-Id. The Calling-Station-Id continues to carry the MAC address
(randomized or not) as observed by the RADIUS client. Systems that need the
current MAC address for network-level operations (e.g., VLAN assignment, ACL
application) continue to use Calling-Station-Id for that purpose.</t>
        <t>The Persistent-Device-Id provides the stable device-level correlation that
Calling-Station-Id can no longer guarantee.</t>
      </section>
      <section anchor="user-name-type-1">
        <name>User-Name (Type 1)</name>
        <t>The Persistent-Device-Id identifies a device, not a user. A single User-Name
may be associated with multiple Persistent-Device-Id values (one per device),
and a single Persistent-Device-Id MAY be associated with multiple User-Name
values (if different users authenticate on the same device).</t>
      </section>
      <section anchor="acct-session-id-type-44">
        <name>Acct-Session-Id (Type 44)</name>
        <t>The Acct-Session-Id attribute identifies a single session. The
Persistent-Device-Id identifies the device across sessions. Together,
they enable both session-level and device-level accounting correlation.</t>
      </section>
      <section anchor="class-type-25">
        <name>Class (Type 25)</name>
        <t>The Class attribute and the Persistent-Device-Id share a similar operational
pattern: both are assigned by the RADIUS server in Access-Accept and echoed
by the NAS in subsequent messages (Accounting-Request for both; Access-Request
for Class per <xref target="RFC2865"/>). However, they differ in key respects:</t>
        <ol spacing="normal" type="1"><li>
            <t>Persistence: Class is session-scoped. The NAS echoes it during a single
session, and the value is not guaranteed to persist across sessions or MAC
address changes. Persistent-Device-Id is designed to remain stable across
sessions, MAC changes, and certificate renewals.</t>
          </li>
          <li>
            <t>Semantics: Class is opaque to the NAS and has no defined meaning -- the
server may use it for any purpose. Persistent-Device-Id has a defined
semantic: it identifies a device. This allows downstream systems (profiling,
compliance, SIEM) to consume the value with a shared understanding of its
meaning.</t>
          </li>
          <li>
            <t>Origin: Class is generated by the RADIUS server at its discretion.
Persistent-Device-Id is extracted from the device's certificate, provisioned
during enrollment. The server does not create the identifier -- it reads it
from the certificate.</t>
          </li>
        </ol>
        <t>Implementations familiar with Class attribute handling will find the NAS-side
behavior of Persistent-Device-Id analogous: receive in Access-Accept, cache
for the session, include in Accounting-Requests.</t>
      </section>
      <section anchor="chargeable-user-identity-rfc4372">
        <name>Chargeable-User-Identity <xref target="RFC4372"/></name>
        <t>The Chargeable-User-Identity (CUI) attribute defined in <xref target="RFC4372"/> provides a
stable user-level identity for inter-domain roaming and billing. While both
CUI and Persistent-Device-Id carry opaque identifiers in RADIUS messages, they
serve fundamentally different purposes and cannot be used interchangeably. The
key differences are:</t>
        <ol spacing="normal" type="1"><li>
            <t>Semantic Scope: CUI identifies a user (or chargeable entity) for billing
purposes. Persistent-Device-Id identifies a physical device. These are
orthogonal concepts: a single user may own multiple devices (each requiring
a distinct Persistent-Device-Id), and a shared device may authenticate multiple
users (each receiving a distinct CUI). Overloading one attribute to serve
both purposes would create ambiguity and prevent independent user and device correlation.</t>
          </li>
          <li>
            <t>Identifier Origin: CUI is generated by the home RADIUS server as an opaque
token. Persistent-Device-Id is extracted from the device's certificate (SAN
URI field), provisioned by the enrollment system. The RADIUS server does not
generate the Persistent-Device-Id; it reads it from the certificate presented
during certificate-based EAP authentication. These are different data flows requiring
different handling semantics.</t>
          </li>
          <li>
            <t>Binding Lifetime: RFC 4372 explicitly states that the CUI binding
"should be temporary -- long enough to be useful for the external applications
and not too long such that it can be used to identify the user." A typical CUI
lifetime is one billing period. In contrast, the Persistent-Device-Id MUST
remain stable for the entire duration the device's certificate is valid,
potentially spanning years, to enable persistent device identification
across MAC address changes.</t>
          </li>
          <li>
            <t>Deployment Scope: CUI is designed for cross-network roaming scenarios
involving visited and home networks with intermediary proxies.
Persistent-Device-Id is scoped to a single administrative domain for NAC,
compliance, and audit purposes. A deployment may legitimately need both
attributes simultaneously -- CUI for roaming billing and Persistent-Device-Id
for device identification -- in the same RADIUS message.</t>
          </li>
          <li>
            <t>Opaqueness Constraint: <xref target="RFC4372"/> mandates that "RADIUS entities other than
the Home RADIUS server MUST treat the CUI content as an opaque token, and
SHOULD NOT perform operations on its content other than a binary equality
comparison test." Any scheme to differentiate user vs. device identity within a
CUI value (e.g., using a class prefix or structured encoding) would require
intermediaries to inspect and interpret CUI content, directly violating this
requirement.</t>
          </li>
        </ol>
        <t>In roaming scenarios, both CUI and Persistent-Device-Id MAY be present in the
same RADIUS message, providing independent user-level and device-level
correlation without ambiguity or attribute overloading.</t>
      </section>
      <section anchor="eap-message-type-79">
        <name>EAP-Message (Type 79)</name>
        <t>When certificate-based EAP authentication is used (e.g., EAP-TLS, EAP-TTLS,
TEAP), the device's certificate is the source of the Persistent-Device-Id.
The RADIUS server extracts the identifier from the certificate during the
EAP exchange and includes it in the Access-Accept. This is the primary and
intended use case for this specification.</t>
      </section>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <section anchor="replication">
        <name>Replication</name>
        <t>In deployments with multiple RADIUS servers, the Persistent-Device-Id
assignments and the associated MAC address mappings MUST be replicated across
all servers. This ensures that a device authenticating to any server in the
deployment receives the same Persistent-Device-Id.</t>
        <t>The replication mechanism is implementation-specific and outside the scope of
this document. Implementations SHOULD provide eventual consistency with a
convergence time appropriate for the deployment's authentication rate.</t>
      </section>
      <section anchor="proxy-environments">
        <name>Proxy Environments</name>
        <t>When a RADIUS proxy forwards an Access-Request to an upstream RADIUS server,
and the upstream server includes a Persistent-Device-Id in the Access-Accept,
the proxy MUST forward the Persistent-Device-Id attribute to the RADIUS client
without modification.</t>
        <t>Within an administrative domain, RADIUS proxies that forward Access-Accept
messages MUST pass the Persistent-Device-Id attribute through unchanged.</t>
        <t>Enterprises SHOULD strip the Persistent-Device-Id attribute before sending
RADIUS packets outside of the administrative domain. This prevents the
persistent identifier from leaking to external organizations or roaming
partners. The stripping requirement applies at the administrative domain
boundary, not to all RADIUS proxies in the forwarding path.</t>
      </section>
      <section anchor="incremental-deployment">
        <name>Incremental Deployment</name>
        <t>RADIUS clients that do not support the Persistent-Device-Id attribute will
ignore it in Access-Accept messages per standard RADIUS behavior (unknown
attributes are silently discarded). This allows incremental deployment where
RADIUS servers begin including the attribute before all clients are upgraded.</t>
      </section>
      <section anchor="pre-existing-device-records">
        <name>Pre-Existing Device Records</name>
        <t>When a RADIUS server implementing this specification receives an Access-Request
for a device that has an existing record (created before Persistent-Device-Id
support was deployed), and the device authenticates via a certificate containing
a persistent identifier, the server SHOULD:</t>
        <ol spacing="normal" type="1"><li>
            <t>Extract the Persistent-Device-Id from the certificate and associate it with
the existing device record.</t>
          </li>
          <li>
            <t>Associate it with the existing device record, preserving all historical data.</t>
          </li>
          <li>
            <t>Include the Persistent-Device-Id in the Access-Accept.</t>
          </li>
        </ol>
        <t>This provides a seamless deployment path for existing deployments.</t>
      </section>
      <section anchor="mixed-mode-operation">
        <name>Mixed-Mode Operation</name>
        <t>During deployment, some device records will have Persistent-Device-Id values
and some will not. Implementations MUST support lookups by both
Calling-Station-Id (for legacy records) and Persistent-Device-Id
(for migrated records) until deployment is complete.</t>
      </section>
      <section anchor="transition-via-class-attribute">
        <name>Transition via Class Attribute</name>
        <t>In deployments where RADIUS clients do not yet recognize the
Persistent-Device-Id attribute, the RADIUS server MAY additionally convey
the persistent device identifier in the Class attribute (Type 25) as defined
in <xref target="RFC2865"/>. Since all compliant RADIUS clients already cache the Class
attribute from Access-Accept and echo it in subsequent Accounting-Request
messages, this provides an immediate deployment path without requiring any
client-side changes.</t>
        <t>This approach has limitations compared to a dedicated attribute:</t>
        <ol spacing="normal" type="1"><li>
            <t>Semantic Ambiguity: The Class attribute is opaque and may already be in
use for other purposes (e.g., VLAN assignment, policy tagging). Embedding
the persistent device identifier requires a convention (e.g., a structured
prefix) that all consuming systems must understand.</t>
          </li>
          <li>
            <t>Session Scope: The Class attribute is session-scoped. It is not
guaranteed to persist across re-authentications or MAC address changes
unless the server re-populates it in every Access-Accept.</t>
          </li>
          <li>
            <t>No Interoperability Guarantee: Because Class has no defined semantic,
third-party systems cannot consume it as a device identifier without
deployment-specific configuration.</t>
          </li>
        </ol>
        <t>Despite these limitations, the Class attribute provides a practical
deployment mechanism. Deployments MAY use Class to carry the persistent
device identifier as an interim measure while migrating to the dedicated
Persistent-Device-Id attribute. Servers implementing this approach
SHOULD include both the Class attribute (for backward compatibility) and
the Persistent-Device-Id attribute (for clients that support it) in the
same Access-Accept message.</t>
      </section>
    </section>
    <section anchor="CDI">
      <name>Chargeable-Device-Identity (CDI)</name>
      <section anchor="concept-and-motivation">
        <name>Concept and Motivation</name>
        <t>The Chargeable-User-Identity (CUI) defined in <xref target="RFC4372"/> established the
pattern of using an opaque, server-generated identifier to correlate RADIUS
sessions for a user without exposing the user's real identity to visited
networks. This specification defines an analogous concept for devices:
the Chargeable-Device-Identity (CDI).</t>
        <t>CDI is a privacy-preserving, rotating identifier that correlates RADIUS
sessions belonging to the same physical device across MAC address changes,
without exposing a static device identifier on the wire.</t>
        <t>The CDI mechanism is designed to:</t>
        <ol spacing="normal" type="1"><li>
            <t>Work with equipment deployed in production today (no NAS changes required).</t>
          </li>
          <li>
            <t>Preserve MAC randomization privacy by avoiding static identifiers.</t>
          </li>
          <li>
            <t>Provide time-bounded correlation suitable for operational and compliance needs.</t>
          </li>
          <li>
            <t>Be deployable immediately using the existing Class attribute as transport.</t>
          </li>
        </ol>
      </section>
      <section anchor="cdi-format-and-construction">
        <name>CDI Format and Construction</name>
        <t>The CDI value is constructed by the RADIUS server using the following
formula:</t>
        <artwork><![CDATA[
CDI = "cdi:" + Base64(HMAC-SHA-256(server-secret, device-id + epoch))
]]></artwork>
        <t>Where:</t>
        <ul spacing="normal">
          <li>
            <t>server-secret: A secret key known only to the RADIUS server (or cluster
of servers sharing the key). This secret MUST NOT be the RADIUS shared
secret; it is a separate key dedicated to CDI generation.</t>
          </li>
          <li>
            <t>device-id: The stable device identifier known to the server (e.g., the
UUID extracted from the device certificate's SAN URI field during
certificate-based EAP authentication).</t>
          </li>
          <li>
            <t>epoch: A time-based rotation value. The epoch boundary is configurable
by the operator (e.g., daily, weekly, monthly). All sessions within the
same epoch for the same device produce the same CDI value.</t>
          </li>
          <li>
            <t>"cdi:": A fixed prefix that allows consuming systems to identify the
Class value as a CDI (as opposed to other uses of the Class attribute).</t>
          </li>
        </ul>
        <t>The resulting CDI value is opaque to the NAS and to any intermediate RADIUS
proxy. Only the originating RADIUS server (possessing the server-secret)
can reverse the mapping from CDI to device-id.</t>
      </section>
      <section anchor="cdi-rotation-and-privacy-properties">
        <name>CDI Rotation and Privacy Properties</name>
        <t>The CDI rotates at epoch boundaries. This provides the following privacy
properties:</t>
        <ol spacing="normal" type="1"><li>
            <t>Time-Bounded Correlation: Sessions can be correlated within an epoch
(e.g., one week) for operational purposes such as compliance auditing
and session accounting. Cross-epoch correlation is not possible without
access to the RADIUS server's mapping table.</t>
          </li>
          <li>
            <t>No Static Identifier on Wire: Unlike a raw UUID, the CDI changes
periodically. An observer who captures CDI values from different epochs
cannot correlate them to the same device.</t>
          </li>
          <li>
            <t>Server-Only Reversibility: The HMAC construction ensures that only the
server possessing the server-secret can determine which device-id produced
a given CDI. Intermediate systems (proxies, accounting servers, SIEM) can
perform equality comparisons within an epoch but cannot reverse the mapping.</t>
          </li>
          <li>
            <t>Epoch Configuration Flexibility: Operators can tune the rotation period
based on their privacy/utility tradeoff. Shorter epochs (daily) provide
stronger privacy but limit the correlation window. Longer epochs (monthly)
provide broader correlation but with reduced privacy. The RECOMMENDED
default is weekly rotation.</t>
          </li>
        </ol>
      </section>
      <section anchor="cdi-transport-via-class-attribute">
        <name>CDI Transport via Class Attribute</name>
        <t>The CDI is transported using the existing RADIUS Class attribute (Type 25)
as defined in <xref target="RFC2865"/>. This is the RECOMMENDED transport mechanism
because:</t>
        <ol spacing="normal" type="1"><li>
            <t>All compliant RADIUS clients (NAS devices) already implement Class
attribute handling: receive in Access-Accept, cache for the session, echo
in Accounting-Request messages.</t>
          </li>
          <li>
            <t>No NAS firmware changes are required.</t>
          </li>
          <li>
            <t>The mechanism works with equipment deployed in production today.</t>
          </li>
        </ol>
        <t>The RADIUS server includes the CDI value as one of potentially multiple
Class attribute instances in the Access-Accept. The NAS echoes all Class
values in subsequent Accounting-Request messages per <xref target="RFC2865"/>.</t>
        <t>Example Access-Accept containing CDI:</t>
        <artwork><![CDATA[
  Access-Accept
    User-Name = "alice@example.com"
    Class = "cdi:dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIGhtYWM="
    Class = "vlan:employee"   (other use of Class)
    ... (other attributes)
]]></artwork>
        <t>Consuming systems (accounting servers, compliance platforms, SIEM) identify
CDI values by the "cdi:" prefix and use them for device session correlation.</t>
      </section>
      <section anchor="cdi-server-side-correlation-service">
        <name>CDI Server-Side Correlation Service</name>
        <t>For systems that require correlation beyond the current epoch, or that
need to resolve a CDI back to a device identity, the RADIUS server SHOULD
provide an authorized query interface. This interface allows authorized
consumers to:</t>
        <ol spacing="normal" type="1"><li>
            <t>Query by CDI value to retrieve the associated device identity (subject
to access control and audit logging).</t>
          </li>
          <li>
            <t>Query by device identity to retrieve all associated CDI values across
epochs (for compliance audits spanning multiple rotation periods).</t>
          </li>
          <li>
            <t>Query by MAC address and time to retrieve the CDI and/or device
identity that was active at that point in time.</t>
          </li>
        </ol>
        <t>This server-side correlation service provides an "opt-in" model for device
tracking: only systems authorized to access the mapping can perform
cross-epoch or cross-MAC correlation. Systems that only receive CDI values
via accounting records can correlate within an epoch but cannot identify
the underlying device without querying the authoritative service.</t>
        <t>The correlation service:</t>
        <ul spacing="normal">
          <li>
            <t>MUST require authentication and authorization for all queries.</t>
          </li>
          <li>
            <t>MUST log all access to the mapping data (who, when, what was queried).</t>
          </li>
          <li>
            <t>SHOULD support time-bounded queries to limit data exposure.</t>
          </li>
          <li>
            <t>MAY provide event-stream interfaces (e.g., publish-subscribe) for
real-time notification of device state changes to authorized consumers.</t>
          </li>
        </ul>
      </section>
      <section anchor="cdi-and-the-persistent-device-id-attribute">
        <name>CDI and the Persistent-Device-Id Attribute</name>
        <t>CDI (transported via Class) and the Persistent-Device-Id attribute
(defined in this document) serve complementary purposes:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Property</th>
              <th align="left">CDI (Class)</th>
              <th align="left">Persistent-Device-Id</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Transport</td>
              <td align="left">Class attribute</td>
              <td align="left">Dedicated attribute (TBD1)</td>
            </tr>
            <tr>
              <td align="left">NAS changes required</td>
              <td align="left">None</td>
              <td align="left">Attribute recognition</td>
            </tr>
            <tr>
              <td align="left">Identifier stability</td>
              <td align="left">Rotates per epoch</td>
              <td align="left">Stable across certificate lifetime</td>
            </tr>
            <tr>
              <td align="left">Privacy</td>
              <td align="left">Time-bounded correlation</td>
              <td align="left">Persistent correlation</td>
            </tr>
            <tr>
              <td align="left">Reversibility</td>
              <td align="left">Server-only</td>
              <td align="left">Any system with the value</td>
            </tr>
            <tr>
              <td align="left">Semantic clarity</td>
              <td align="left">Opaque (prefix convention)</td>
              <td align="left">Explicit device identity semantic</td>
            </tr>
            <tr>
              <td align="left">Deployability</td>
              <td align="left">Immediate (today)</td>
              <td align="left">Requires NAS support</td>
            </tr>
          </tbody>
        </table>
        <t>The RECOMMENDED deployment approach is:</t>
        <ol spacing="normal" type="1"><li>
            <t>Deploy CDI via Class immediately for all environments.</t>
          </li>
          <li>
            <t>When NAS implementations add support for the Persistent-Device-Id
attribute, deploy it alongside CDI for systems that require explicit
device identity semantics.</t>
          </li>
          <li>
            <t>Servers SHOULD include both CDI (in Class) and Persistent-Device-Id
(when supported by the NAS) in the same Access-Accept during the
transition period.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="identifier-provisioning">
        <name>Identifier Provisioning</name>
        <t>The Persistent-Device-Id is provisioned into the device's certificate by the
enrollment system (MDM or NAC registration portal) during device onboarding.
The enrollment system MUST use a Cryptographically Secure Pseudo-Random Number
Generator (CSPRNG) when generating the identifier to ensure unpredictability.
Use of predictable or sequential identifiers would allow an attacker to
enumerate devices or anticipate future identifiers. The RADIUS server does
not generate identifiers; it extracts them from certificates presented
during authentication.</t>
      </section>
      <section anchor="transport-security">
        <name>Transport Security</name>
        <t>The Persistent-Device-Id benefits from two layers of transport protection.
First, the identifier value originates from the device's certificate, which is
exchanged inside the encrypted EAP tunnel (e.g., EAP-TLS, EAP-TTLS, TEAP)
between the supplicant and the RADIUS server. This ensures the identifier
is never transmitted in cleartext over the air (wireless) or on the wire
(wired), and is not visible to passive observers, neighboring devices, or
any entity not party to the authenticated EAP session. This is in stark
contrast to the MAC address, which appears in plaintext in every Layer 2
frame header. Second, the Persistent-Device-Id RADIUS attribute is carried
within RADIUS messages between the server and the authenticator, protected
by the RADIUS shared secret mechanism or, for stronger security, by
RADIUS/TLS (RadSec) <xref target="I-D.ietf-radext-radiusdtls-bis"/>.</t>
        <t>For deployments requiring stronger transport security, RADIUS/TLS (RadSec)
<xref target="I-D.ietf-radext-radiusdtls-bis"/> SHOULD be used.
<xref target="I-D.ietf-radext-deprecating-radius"/> further deprecates RADIUS over UDP and
MD5-based security mechanisms, mandating TLS-based transport for all RADIUS
deployments. When RadSec is in use, the Persistent-Device-Id receives the
same TLS protection as all other RADIUS attributes.</t>
      </section>
      <section anchor="access-control">
        <name>Access Control</name>
        <t>The Persistent-Device-Id mapping table (associating UUIDs with MAC addresses
and device attributes) contains sensitive information. Access to this table
MUST be restricted to authorized administrators and audit systems. All access
to the mapping table SHOULD be logged.</t>
      </section>
      <section anchor="identifier-spoofing">
        <name>Identifier Spoofing</name>
        <t>If the Access-Request hint mechanism <xref target="Access-Request"/> is implemented, the
RADIUS server MUST validate any client-provided Persistent-Device-Id against
its authoritative records. A RADIUS client MUST NOT be trusted as the source
of truth for Persistent-Device-Id values.</t>
      </section>
      <section anchor="replay-protection">
        <name>Replay Protection</name>
        <t>The Persistent-Device-Id does not introduce new replay attack vectors beyond
those inherent in the RADIUS protocol. Standard RADIUS replay protections
(Request Authenticator, Message-Authenticator attribute <xref target="RFC3579"/>) apply.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <section anchor="persistent-identification">
        <name>Persistent Identification</name>
        <t>The Persistent-Device-Id is explicitly designed to enable persistent device
identification within an administrative domain. This is its intended purpose
for NAC, compliance, and auditing. However, this capability must be balanced
against user privacy expectations.</t>
      </section>
      <section anchor="scope-limitation">
        <name>Scope Limitation</name>
        <t>The Persistent-Device-Id SHOULD be scoped to a single administrative domain.
Enterprises SHOULD strip the Persistent-Device-Id attribute before sending
RADIUS packets outside of the administrative domain. A Persistent-Device-Id
assigned by one organization's RADIUS server MUST NOT be shared with other
organizations without explicit user consent, except as required by
applicable law.</t>
      </section>
      <section anchor="data-retention">
        <name>Data Retention</name>
        <t>Organizations deploying Persistent-Device-Id SHOULD establish data retention
policies that define:
1. Maximum retention period for Persistent-Device-Id records.
1. Procedures for deleting Persistent-Device-Id records when a device is
decommissioned.
1. Procedures for honoring data deletion requests from device owners, where
required by applicable privacy regulations (e.g., GDPR Article 17, <xref target="GDPR"/>).</t>
      </section>
      <section anchor="relationship-to-mac-randomization-goals">
        <name>Relationship to MAC Randomization Goals</name>
        <t>MAC address randomization was introduced to prevent cross-network tracking of
devices at Layer 2. A key privacy concern is whether introducing a
Persistent-Device-Id undermines the privacy benefits of MAC randomization.
This specification preserves MAC randomization privacy because the
Persistent-Device-Id value originates from the device certificate exchanged
within the encrypted EAP tunnel during certificate-based authentication, and
the RADIUS attribute is carried only in RADIUS messages protected by
RADIUS/TLS. Unlike the MAC address, which
is transmitted in plaintext in Layer 2 frames and is visible to any passive
observer on the wireless medium or local network segment, the
Persistent-Device-Id is never exposed in cleartext over the air or on the wire.
Specifically:</t>
        <ol spacing="normal" type="1"><li>
            <t>Transport Protection: The Persistent-Device-Id value originates from the
device's certificate, which is exchanged within the encrypted EAP tunnel
(e.g., EAP-TLS, EAP-TTLS, TEAP). The TLS handshake encrypts the certificate
exchange, ensuring the identifier is never visible to passive observers,
neighboring devices, or any entity not participating in the authenticated
session. The Persistent-Device-Id RADIUS attribute is then carried in RADIUS
messages protected by the shared secret or by RADIUS/TLS. In contrast, the MAC address is present in every Layer 2
frame header in plaintext and can be captured by any device within radio range
(wireless) or on the same network segment (wired). MAC randomization exists
precisely because the MAC address lacks this transport protection. The
Persistent-Device-Id does not share this vulnerability.</t>
          </li>
          <li>
            <t>Explicit Enrollment and Consent: The Persistent-Device-Id is only present on
devices that have been explicitly enrolled through an MDM system or NAC
registration portal. The device owner or administrator has voluntarily
provisioned the certificate containing the identifier. This is fundamentally
different from MAC address tracking, which occurs without the device owner's
knowledge or consent. Unenrolled devices (guest, BYOD without certificates) are
not affected by this specification and continue to benefit fully from MAC
randomization privacy.</t>
          </li>
          <li>
            <t>Domain-Scoped Visibility: The Persistent-Device-Id is scoped to the
administrative domain that provisioned the certificate. It is visible only to
the RADIUS server and the authenticator within that domain. It cannot be used
for cross-network tracking because external networks never see the identifier
-- it is not broadcast, not included in probe requests, and not present in any
Layer 2 frame. The MAC address, even when randomized, is visible to every
network the device encounters. The Persistent-Device-Id has strictly
narrower visibility than even a randomized MAC address.</t>
          </li>
          <li>
            <t>RADIUS Transport Encryption: When the Persistent-Device-Id is included in
the RADIUS Access-Accept message from the server to the authenticator,
it is protected by the RADIUS shared secret mechanism. For deployments requiring
stronger protection, RADIUS/TLS (RadSec) <xref target="I-D.ietf-radext-radiusdtls-bis"/>
provides full encryption of the RADIUS transport. Together, the encrypted
EAP tunnel protects the certificate exchange (device to server), and
RADIUS/TLS protects the attribute transport (server to authenticator),
ensuring the identifier is never exposed in cleartext at any point.</t>
          </li>
        </ol>
        <t>Organizations MUST NOT use the Persistent-Device-Id to correlate device
activity across independent administrative domains unless the device owner has
provided explicit consent.</t>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <section anchor="radius-attribute-type">
        <name>RADIUS Attribute Type</name>
        <t>This document requests IANA to allocate a new RADIUS Attribute Type from the
"RADIUS Attribute Types" registry (https://www.iana.org/assignments/radius-types/):</t>
        <table>
          <thead>
            <tr>
              <th align="left">Type</th>
              <th align="left">Name</th>
              <th align="left">Data Type</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBD1</td>
              <td align="left">Persistent-Device-Id</td>
              <td align="left">string</td>
              <td align="left">[this document]</td>
            </tr>
          </tbody>
        </table>
        <t>Note: The Chargeable-Device-Identity (CDI) mechanism defined in <xref target="CDI"/> does
not require a new IANA allocation. CDI is transported using the existing Class
attribute (Type 25) and is identified by the "cdi:" prefix convention defined
in this document.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC2865">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="S. Willens" initials="S." surname="Willens"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2865"/>
          <seriesInfo name="DOI" value="10.17487/RFC2865"/>
        </reference>
        <reference anchor="RFC2866">
          <front>
            <title>RADIUS Accounting</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2866"/>
          <seriesInfo name="DOI" value="10.17487/RFC2866"/>
        </reference>
        <reference anchor="RFC3579">
          <front>
            <title>RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="September" year="2003"/>
            <abstract>
              <t>This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method- specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3579"/>
          <seriesInfo name="DOI" value="10.17487/RFC3579"/>
        </reference>
        <reference anchor="RFC5176">
          <front>
            <title>Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="M. Chiba" initials="M." surname="Chiba"/>
            <author fullname="G. Dommety" initials="G." surname="Dommety"/>
            <author fullname="M. Eklund" initials="M." surname="Eklund"/>
            <author fullname="D. Mitton" initials="D." surname="Mitton"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5176"/>
          <seriesInfo name="DOI" value="10.17487/RFC5176"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9562">
          <front>
            <title>Universally Unique IDentifiers (UUIDs)</title>
            <author fullname="K. Davis" initials="K." surname="Davis"/>
            <author fullname="B. Peabody" initials="B." surname="Peabody"/>
            <author fullname="P. Leach" initials="P." surname="Leach"/>
            <date month="May" year="2024"/>
            <abstract>
              <t>This specification defines UUIDs (Universally Unique IDentifiers) --
also known as GUIDs (Globally Unique IDentifiers) -- and a Uniform
Resource Name namespace for UUIDs. A UUID is 128 bits long and is
intended to guarantee uniqueness across space and time. UUIDs were
originally used in the Apollo Network Computing System (NCS), later
in the Open Software Foundation's (OSF's) Distributed Computing
Environment (DCE), and then in Microsoft Windows platforms.</t>
              <t>This specification is derived from the OSF DCE specification with the
kind permission of the OSF (now known as "The Open Group"). Information from earlier versions of the OSF DCE specification have
been incorporated into this document. This document obsoletes RFC
4122.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9562"/>
          <seriesInfo name="DOI" value="10.17487/RFC9562"/>
        </reference>
        <reference anchor="I-D.ietf-radext-radiusdtls-bis">
          <front>
            <title>RadSec: RADIUS over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Jan-Frederik Rieckers" initials="J." surname="Rieckers">
              <organization>Deutsches Forschungsnetz | German National Research and Education Network</organization>
            </author>
            <author fullname="Margaret Cullen" initials="M." surname="Cullen">
              <organization>Painless Security</organization>
            </author>
            <author fullname="Stefan Winter" initials="S." surname="Winter">
              <organization>Fondation Restena | Restena Foundation</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   This document defines transport profiles for running RADIUS over
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS), allowing the secure and reliable transport of RADIUS
   messages.  RADIUS/TLS and RADIUS/DTLS are collectively referred to as
   RadSec.

   This document obsoletes RFC6614 and RFC7360, which specified
   experimental versions of RADIUS over TLS and DTLS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-radiusdtls-bis-16"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC4372">
          <front>
            <title>Chargeable User Identity</title>
            <author fullname="F. Adrangi" initials="F." surname="Adrangi"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <author fullname="J. Korhonen" initials="J." surname="Korhonen"/>
            <author fullname="J. Loughney" initials="J." surname="Loughney"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>This document describes a new Remote Authentication Dial-In User Service (RADIUS) attribute, Chargeable-User-Identity. This attribute can be used by a home network to identify a user for the purpose of roaming transactions that occur outside of the home network. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4372"/>
          <seriesInfo name="DOI" value="10.17487/RFC4372"/>
        </reference>
        <reference anchor="RFC9724">
          <front>
            <title>State of Affairs for Randomized and Changing Media Access Control (MAC) Addresses</title>
            <author fullname="JC. Zúñiga" initials="JC." surname="Zúñiga"/>
            <author fullname="CJ. Bernardos" initials="CJ." role="editor" surname="Bernardos"/>
            <author fullname="A. Andersdotter" initials="A." surname="Andersdotter"/>
            <date month="March" year="2025"/>
            <abstract>
              <t>Internet users are becoming more aware that their activity over the Internet leaves a vast digital footprint, that communications might not always be properly secured, and that their location and actions can be tracked. One of the main factors that eases tracking of Internet users is the wide use of long-lasting, and sometimes persistent, identifiers at various protocol layers. This document focuses on Media Access Control (MAC) addresses.</t>
              <t>There have been several initiatives within the IETF and the IEEE 802 standards committees to address some of the privacy issues involved. This document provides an overview of these activities to help coordinate standardization activities in these bodies.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9724"/>
          <seriesInfo name="DOI" value="10.17487/RFC9724"/>
        </reference>
        <reference anchor="I-D.ietf-radext-deprecating-radius">
          <front>
            <title>Deprecating Insecure Practices in RADIUS</title>
            <author fullname="Alan DeKok" initials="A." surname="DeKok">
              <organization>InkBridge Networks</organization>
            </author>
            <date day="15" month="March" year="2026"/>
            <abstract>
              <t>   RADIUS crypto-agility was first mandated as future work by RFC 6421.
   The outcome of that work was the publication of RADIUS over TLS (RFC
   6614) and RADIUS over DTLS (RFC 7360) as experimental documents.
   Those transport protocols have been in wide-spread use for many years
   in a wide range of networks, and have recently been standardized in
   [I-D.ietf-radext-radiusdtls-bis].  TLS has proven to be a useful
   replacment for UDP (RFC 2865) and TCP (RFC 6613) transports.  With
   that knowledge, the continued use of insecure transports for RADIUS
   has serious and negative implications for privacy and security.

   The publication of the "BlastRADIUS" exploit has also shown that
   RADIUS security needs to be updated.  It is no longer acceptable for
   RADIUS to rely on MD5 for security.  It is no longer acceptable to
   send device or location information in clear text across the wider
   Internet.  This document therefore deprecates many insecure practices
   in RADIUS, and mandates support for secure TLS-based transport
   layers.  Related security issues with RADIUS are discussed, and
   recommendations are made for practices which increase both security
   and privacy.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-deprecating-radius-09"/>
        </reference>
        <reference anchor="IANA-RADIUS" target="https://www.iana.org/assignments/radius-types/">
          <front>
            <title>RADIUS Attribute Types</title>
            <author initials="" surname="IANA">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ANDROID-MAC">
          <front>
            <title>MAC Randomization Behavior</title>
            <author initials="" surname="Google">
              <organization/>
            </author>
            <date year="2023"/>
          </front>
        </reference>
        <reference anchor="APPLE-MAC">
          <front>
            <title>Use private Wi-Fi addresses on Apple devices</title>
            <author initials="" surname="Apple">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="WINDOWS-MAC">
          <front>
            <title>MAC address randomization in Windows</title>
            <author initials="" surname="Microsoft">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="HIPAA">
          <front>
            <title>Health Insurance Portability and Accountability Act of 1996</title>
            <author initials="U. S." surname="Department of Health and Human Services">
              <organization/>
            </author>
            <date year="1996" month="August"/>
          </front>
        </reference>
        <reference anchor="FISMA">
          <front>
            <title>Federal Information Security Modernization Act of 2014</title>
            <author initials="U. S." surname="Congress">
              <organization/>
            </author>
            <date year="2014" month="December"/>
          </front>
        </reference>
        <reference anchor="PCI-DSS">
          <front>
            <title>Payment Card Industry Data Security Standard (PCI DSS)</title>
            <author initials="" surname="PCI Security Standards Council">
              <organization/>
            </author>
            <date year="2024" month="June"/>
          </front>
        </reference>
        <reference anchor="GDPR">
          <front>
            <title>Regulation (EU) 2016/679 - General Data Protection Regulation</title>
            <author initials="" surname="European Parliament and Council">
              <organization/>
            </author>
            <date year="2016" month="April"/>
          </front>
        </reference>
        <reference anchor="IEEE80211BH" target="https://standards.ieee.org/ieee/802.11bh/10525/">
          <front>
            <title>Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications</title>
            <author initials="" surname="IEEE">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 1658?>

<section anchor="use-case-examples">
      <name>Use Case Examples</name>
      <section anchor="cdi-based-session-correlation-class-attribute">
        <name>CDI-Based Session Correlation (Class Attribute)</name>
        <t>This example demonstrates the RECOMMENDED CDI approach using the existing
Class attribute. No NAS changes are required.</t>
        <artwork><![CDATA[
  Epoch: 2026-W26 (week 26)

  Session 1:
    Access-Accept includes:
      Class = "cdi:a1b2c3d4e5f6..."  (HMAC of device-id + epoch)

    Accounting-Start: Calling-Station-Id=MAC_1,
                      Class="cdi:a1b2c3d4e5f6..."
                      Acct-Session-Id=SES_1
    Accounting-Stop:  Calling-Station-Id=MAC_1,
                      Class="cdi:a1b2c3d4e5f6..."
                      Acct-Session-Id=SES_1

  Session 2 (same device, new MAC, same epoch):
    Access-Accept includes:
      Class = "cdi:a1b2c3d4e5f6..."  (same HMAC - same device, same epoch)

    Accounting-Start: Calling-Station-Id=MAC_2,
                      Class="cdi:a1b2c3d4e5f6..."
                      Acct-Session-Id=SES_2

  Correlation: Accounting server identifies SES_1 and SES_2 as the
               same device by matching the CDI value in Class.
               No knowledge of the underlying device-id is needed
               for within-epoch correlation.

  Session 3 (same device, next epoch 2026-W27):
    Access-Accept includes:
      Class = "cdi:x7y8z9w0v1u2..."  (different HMAC - new epoch)

    The accounting server cannot correlate Session 3 with Sessions 1-2
    without querying the RADIUS server's correlation service.
]]></artwork>
      </section>
      <section anchor="byod-with-certificate-based-authentication">
        <name>BYOD with Certificate-Based Authentication</name>
        <t>A personal device is onboarded via a provisioning portal and issued a device
certificate. The certificate contains a persistent device identifier
provisioned during enrollment. The following example uses EAP-TLS, but the
same flow applies to any certificate-based EAP method (EAP-TTLS, TEAP).</t>
        <t>Step 1: Device connects with MAC_1, authenticates via certificate-based EAP
   Step 2: RADIUS server extracts Persistent-Device-Id from certificate
   Step 3: No existing record found for this identifier
   Step 4: Server stores: PDID -&gt; {MAC_1, cert identity}
   Step 5: Access-Accept includes Persistent-Device-Id = PDID</t>
        <t>[Later, device reconnects with randomized MAC_2]</t>
        <t>Step 6: Device connects with MAC_2, authenticates via certificate-based EAP
   Step 7: RADIUS server extracts same Persistent-Device-Id from certificate
   Step 8: Server finds existing record for this identifier
   Step 9: Server adds MAC_2 to the PDID record
   Step 10: Access-Accept includes same Persistent-Device-Id = PDID</t>
      </section>
      <section anchor="mdm-managed-device">
        <name>MDM-Managed Device</name>
        <t>A corporate device is enrolled in a Mobile Device Management system. The MDM
provisions a device certificate containing a persistent device identifier.</t>
        <artwork><![CDATA[
  Step 1: Device connects with MAC_1, authenticates via certificate-based EAP
  Step 2: RADIUS server extracts Persistent-Device-Id from MDM-provisioned certificate
  Step 3: No existing record found for this identifier
  Step 4: Server stores: PDID -> {MAC_1, cert identity}
  Step 5: Access-Accept includes Persistent-Device-Id = PDID

  [Later, device reconnects with randomized MAC_2]

  Step 6: Device connects with MAC_2, authenticates via certificate-based EAP
  Step 7: RADIUS server extracts same Persistent-Device-Id from certificate
  Step 8: Server finds existing record
  Step 9: Access-Accept includes same Persistent-Device-Id = PDID
]]></artwork>
      </section>
      <section anchor="accounting-correlation-across-mac-changes">
        <name>Accounting Correlation Across MAC Changes</name>
        <artwork><![CDATA[
  Session 1:
    Accounting-Start: Calling-Station-Id=MAC_1,
                      Persistent-Device-Id=UUID_A,
                      Acct-Session-Id=SES_1
    Accounting-Stop:  Calling-Station-Id=MAC_1,
                      Persistent-Device-Id=UUID_A,
                      Acct-Session-Id=SES_1

  Session 2 (same device, new MAC):
    Accounting-Start: Calling-Station-Id=MAC_2,
                      Persistent-Device-Id=UUID_A,
                      Acct-Session-Id=SES_2
    Accounting-Stop:  Calling-Station-Id=MAC_2,
                      Persistent-Device-Id=UUID_A,
                      Acct-Session-Id=SES_2

  Correlation: Sessions SES_1 and SES_2 both belong to device UUID_A
               despite different Calling-Station-Id values.
]]></artwork>
      </section>
      <section anchor="guest-access-limitations">
        <name>Guest Access Limitations</name>
        <t>For unauthenticated guest access (e.g., open hotspot), no identity correlation
source is available. In this scenario:
      Step 1: Device connects with MAC_1, no certificate-based authentication
      Step 2: RADIUS server has no certificate to extract identifier from
      Step 3: No Persistent-Device-Id included in Access-Accept
      Step 4: Device is treated as a new endpoint keyed by MAC_1</t>
        <artwork><![CDATA[
  [Device reconnects with randomized MAC_2, no certificate-based authentication]

  Step 5: Server has no way to correlate MAC_2 with MAC_1
  Step 6: Device is treated as a new endpoint keyed by MAC_2
]]></artwork>
        <t>This limitation is inherent: without an identity assertion from the device,
persistent identification across MAC changes is not possible without resorting
to fingerprinting techniques that undermine the privacy goals of MAC
randomization.</t>
      </section>
    </section>
    <section anchor="future-work">
      <name>Future Work</name>
      <section anchor="alternative-identity-derivation">
        <name>Alternative Identity Derivation</name>
        <t>This specification relies on extracting the Persistent-Device-Id from the
device's X.509 certificate. An alternative approach would be to derive a
persistent device identifier from keying material produced during EAP
authentication -- specifically from the Master Session Key (MSK) or Extended
Master Session Key (EMSK) as defined by the applicable EAP method. Such a
derivation could provide persistent device identity without requiring changes
to the certificate enrollment process. However, this approach introduces
additional complexity in key management and requires careful analysis of the
cryptographic binding properties. Investigation of MSK/EMSK-based device
identity derivation is left for future work.</t>
      </section>
    </section>
    <section numbered="false" anchor="Changelog">
      <name>Changelog</name>
      <ul spacing="normal">
        <li>
          <t>01 - Addressed feedback from RADEXT mailing list review (Alan DeKok,
Alexander Clouter):
          </t>
          <ul spacing="normal">
            <li>
              <t>Added Mechanism Overview subsection to Introduction for early
end-to-end clarity.</t>
            </li>
            <li>
              <t>Added Privacy Model subsection to Introduction, explicitly
distinguishing enrolled devices (subject to identification) from
guest, unenrolled BYOD, and MAB-only devices (unaffected).</t>
            </li>
            <li>
              <t>Clarified NAD role: per-session caching only, no cross-connection
correlation; added Class attribute analogy.</t>
            </li>
            <li>
              <t>Added Deployment Considerations subsection explaining that no NAD
changes are required.</t>
            </li>
            <li>
              <t>Added Chargeable-Device-Identity (CDI) section defining a privacy-
preserving, rotating device correlator modeled after CUI (RFC 4372),
transported via the existing Class attribute for immediate
deployability without NAS changes.</t>
            </li>
            <li>
              <t>Defined CDI format: HMAC-SHA-256 construction with epoch-based
rotation providing time-bounded correlation and server-only
reversibility.</t>
            </li>
            <li>
              <t>Defined CDI server-side correlation service for authorized
cross-epoch queries, providing opt-in device tracking with
access control and audit logging.</t>
            </li>
            <li>
              <t>Repositioned the Persistent-Device-Id attribute as complementary
to CDI: CDI for immediate deployment via Class; dedicated attribute
for explicit semantics when NAS support is available.</t>
            </li>
            <li>
              <t>Updated proxy language: enterprises SHOULD strip the attribute
before sending packets outside the administrative domain (rather
than placing the requirement on all RADIUS proxies).</t>
            </li>
            <li>
              <t>Added Class (Type 25) comparison in Interaction with Existing
Attributes section.</t>
            </li>
            <li>
              <t>Added Future Work section discussing alternative identity derivation
from MSK/EMSK keying material.</t>
            </li>
            <li>
              <t>Updated title and abstract to reflect the dual CDI + Persistent-
Device-Id approach.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>00 - initial draft.</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="Acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors thank Suresh Krishnan, Juan Carlos Zuniga, Jerome Henry,
Mark Grayson, Eric Vyncke, Alan DeKok, and Alexander Clouter for their
valuable technical review, feedback, and contributions to the development
of this specification.</t>
      <t>The authors acknowledge the work of the IETF MADINAS working group in
documenting the impacts of MAC address randomization, which motivated this
specification.</t>
      <t>Disclosure of AI Use: The authors used AI-assisted tools for drafting and
language editing of this document. All technical concepts and protocol
specifications presented are the original intellectual contributions of the
authors, developed through years of hands-on engineering work on network
access control systems. The authors reviewed, edited, and verified all content
and take full responsibility for the accuracy and integrity of this publication.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA929e3MbV5Iv+P/5FCfkiDUwA0Ai9bLZbcdAJCVxWqJ4Scnu
vh0dHUWgCNYIqMJUFUhhJO1n33yeRz1Aynb03V1NTJsEUXVeefL5y8zxeGzq
rF6mB/Z8enTy4cIeXiflIk0ul+n4KL3JZun4ZJ7m8J2tTfK5PUvLKqtq+MTy
ny3/+SqbJXVW5DbL7dvp4fgcvlyssv9J5/Y4v8nKIl/B1yqTXF6W6c2BXbv3
jOfwnrmZF7M8WcE85mVyVY+rtEyWSX2d5OMymaef6nHzifGjPTNPanhi/9H+
s/GjZ+PHjwxMIl0U5fbAVvXcVJvLVVZVMK16u4Yvnhy/f2mMydblga3LTVXv
P3r046N9k5RpcmAXaY6Dmtui/Lgoi82a9uT4r+/tr/BJli/sK/zUmI/pFr4z
PzDWju1JXqdlntbjI5w3fcQ7ST+6LTSmqmFL/pksixxmsk0rs84O7N/rYjay
VVHWZXpVwU/bFf7wD2OSTX1dlAfGjOFFWV4d2LOJvXC7Ah/ydp2V6SrJ8Wii
PxblIsmz/6EzObCHWTUr7MUWtm9VwV8rGC6tD+ze80f217Sq7fukgrfYozK7
SeHvMzjuA3sBn/xnUdEHxRzG+vHp3uMn9Nsmr3GTaZUwfraEE5Uj+48ZDjaZ
Fatg7m8m9u3m4yafu3m/ST6tMv/h/eZ7mFZVntgXmyrL4Ud7lpQfR/YvyXxz
maYVbMN1slxmbgHvzs/tiyRfwKaXfhVPnz3ae/Q4XMbJqV/GckVT6lzFFFaR
LevC7/40h98y/2m8jNfp7TKta5jm7GNS4k0AWlmXWZXaweuz42Gwsmf7Pzyy
01Vawj2CZeIX4TR2HcUjINyeo0hoVpMVzeo/rtcpryMvyhXM7CZFyj1/ebi/
t/ej/vjDs6f+x2fy4+Onz/ULT/ee66dPYary4w97z5/Ijz8+fbaPP56MjyZZ
Wl/ptYX/ZJtqXi+r8WVWAT1n+VVjHk8eP9/Xtzzff9L1lnm6LlPkMPlC3kjf
mp5Ox3zb8FdrY1Y2resyu9zUqX0P17/ibyB3g/2+rut1dfDw4e3t7SQDwpnA
yT1MgFcsmFE95FHGyDiqh/So3khL/4ggcALw+/T06PzdydEYGF80D/jdKiNk
7vgivU5usqIM50I/O072uG+sV0WxWCIBTM/O3hy3xvoARAWkdQPvsb9m45eZ
TebzEi5JWlkYeLpeL1M7J3ZUxSM+6RuRnoEPfj05PXr360Xn8mQQW0bLBCHw
awYf3N53qLfZrCyqghjo65Oz6TQa6HWaLOtrYLXVBsYBmXMGDDO5zJYqlaYz
ugf60XRW2+LK7v3447Ng/OlmASzff9oxjQ+Tiwnw7HVS1kgF+BIZG0d5vUEe
CWxWN/HlycXbeKYv0zlyQZiqEHmBD8w2JU7rLdzcUrmDTnL/0d6TaJP2noz3
9ndO8LDIF7jp8IezQ7gpFzH1nyVbmvwhspyTfA6LLrf2KKkTP5ULFEb49wG8
wcIbho2DAnnaNwd8ovWiCma1yWfZEr756ujsPL6P6WKz5FUPjj8McZHPHj57
/iMIyFcsdHl6Z2VRpzP6nn8k3hwQ9L1EdLwpi3UKRwRiYZkltAl4bjoz5BjH
x8c/PALG9+J1NMNfszJdIh2/mZ7atylc/RUSFX4Cu12XxdIOgNyHrANdbytg
00uQYVtg04Oz138b2ot1OnNaUDevqXSvgLWlKXEc/OEhTGiyt3d5/XDv0dP9
pw/veWVwKaDMmPF4bJNLOONkVhvz/jqrLOhSG1r9PL1CQWmTXWrd4PDoZGjx
LcxAZtuxAW5bIZ3ni5GFQyHGK9wDRE4Jm5XURWlnSVlmoOLBfU8/gXKG31I9
cgnc1CTKgiscAHST2qY5zqKyp2mNmlZrm09xmysW/bYuLIg0uNlZbmR4YGio
0blp4M8Jco+KDi7pOTfhUzNQjxZpNTF8GS0QTMmr0yGVk6Uhf4P5Xm5xO5PN
sh7ZeVaVmzU+Zni548ukgn3AY8JdZSoYybHJjR8R8STMqnBEXP7VEpgkbYyB
1WyRVcMr4O6CHgOy7qKmR+GwrNtKm+CBenVYzyUTRTwtJ8bAmVqghBWscokT
u0KFgt7sCQFERhmSwQcgA6YYOlEQxxZF8wiooQCFG6cMlwuE5bJYFJtKxh0v
05t0GVLFbQYMM/20XmagvChNwRfoPEBwp+tidi07xsQFq15mq6yuLKjHizHM
dWWRoD8SAb7Gg4DHgcY3zB2APG/InPBrtvhRWcGthIPKUH9aITXAdsnB8vbD
W/NqDeKDZpnJbse0CiQKggaOPFvpO0D/WBZblS9FQO6gzpQJzwyemTRvINBP
hlOG89wG1zFPb/WiuGFHxhtX/pKOLEgSGZ80E75FZfrfG+BZfpsjIqi3pkKz
ACgRCDfdFrDyW3wMV1usk//eyKIDqpoluK940OnEvtdd4WMiclqleHmyaoWE
hS86Pz589/bt8enR8ZFN1vBsMrum2Tb3Def9J3wE7vAcL0cakrMMituyyhYl
k8MaDBl619UG95VPlC4rn8GEGd8qm89BRzEnSFtzoQ759/m7DD/9an4K/uH5
pLr1MDLYX8AjPn8WHfjrV7vBy37nHRygSmkf7w0NsChkg1t65h4cCGQ+fhPo
OUdZ5/gqbnoWUiEyYNwVns08tVfA4Yv2bce72s1MDTPTgHhGuLy5kFT0HmVZ
sCdX2ZLu3boA0gIFy2nFIwMfwOVIrfIwvlQlC2uwu4HjAb3jLcuWwGRNv4rI
TEx4w1Wa0CnfwqdXWQlaWiYHCpOdg6YBjBYWDyaDrYBOc754Nnt3YX+wA9SZ
hmAcZ6gagsh8NAKh8V+wxCZzt8A05kVZGVDCgY3OizVSYuldFX0cnzYslz2G
/ShmGa1iYohy0GoBygkIGewt4FEgCyqcc518KvJitcWzD3ekAt4sDA23OgOl
ErdTmQdIqw0wVeAi75BWcQPgdMl3MtbJxJs6ODt99XYIDBu+oQQGHze/dIFf
wtdkBVxHz4MHZ2f0F5wE7vO4zlapaZwbHFNe3AL7nKfE0pC28D6zCJ7m87LI
5nCjAqPo69cRnhVslrNd8CMxEeC7gYWBf8Dx32T55hMKMtkCZO6oWeEewsWU
E14VwA7SDilOfB4kSnC6pvd0b+GgwgsJt+xWFULZ6CoS+rr7ldgCzJNhL4C+
VISHB03EDurfpbPBYmmNPClbrRM0CXIbqRRwg92igO/iVaTbmoPhaP7NTuGT
HOxCu1alVN6/SraWtDhUELKrq7Rkm6DF026S5QYJj8/PUw2seFamvKsr2KUM
DchNTkIe5gUrXRdwS+Hyg+if42X/N3UJOh6CamwCAgiuA2wSCMoF0rWnFnnW
fkyRhPBEdKbxYdHL1ar3CpQ+ruz7GVxCZA9FDWM6jcQPJ6pjZfA64xlVYCQo
+8Uh3gh7Q4/aIiUBrnu/ZnaE8p7f6bRhmIxMsJsNqqymBcIerFIiKFttQFwm
OHuyeGHuSPefP5NV+fWrWRZV2tSxcN0bFn8GDQCrtsMYTQV4ODBw8IWO2r3W
rK8AYSYGzL4FeWPmBXwNty79VCMZwyXALZpOp3aJX2P5FGk28m782iJZy43K
cuLWLfWG7whbDHcpsGDQFMg3+RoZvUY8D5AqThN5d4M3ML1FZUD/8XXy2grv
NkqWYonaNtybPbDySaro0GkO4nJJ6xrcgAR/e/TWAo0Ag74ayyW3qDUmS2SP
9sOHkyP4IrMk+4QYLlMhusG+fh3iVWV/MpEfbGe6ukznc9asWZ7jS7+v7F8n
Tx/9aGdpKVIY9ED5ysXm8r/gLtrpEl3M5DGzp0ixg4vp6dB+OD8BYZku5xbd
oQt6ZFPmB5tNNj8g/2QFHAUJG5b7K7I4P67e80qPWTga8Ok6tGLgpPjliQlm
KKzpeHoG2wwWzhzM+unZ+P2bi5GlH+gn2L/38NuQtUke1whLAl6G4s2/Em1a
OH+aS5rPyi2JZhyh3sBMl7yKQHcj7ahEYkXByERIx3JVFivWsPzbYZthy/yO
kZgFdWG5QXGNS+YXdCngAQXLubCSNcb/rGsD21wBs4BbDioMmk6yow2VTFgj
aGRHQ78Y+A2uxOw63TG+MivQg1gEiwYpV7q1FpglCshqc1kB40GS9ixzfI4f
gX4ls678NJJlVZgKrEOZS3AbyaBDDXzB9LwGLof+rcoOPKtP8wUaNyMw4ViX
NCodR/bi5PjtiJSiZUYOPOGqQ1qcEyWBSd9NtcjwhW5pTkkg2rrVOCRoT3SO
5we0cSdV0QNEWjCC4WMO/tJ1ZhO4s0snbkhnCqTRJdkKRsYC5Tkp50sxDUKt
wfkqjJ6R49F5yoTm3hruUluUs/MlNaHP5BpMNhB2Fk+ZXA9iHsY7wTddVJpw
13ROcLWAdabI8MiE53mhAupEDtA3+w6Ilm9htfgrU3FgwY8C14LcIdiA+dJ/
uWWzwv8QIRgnTPzydfdh+87EzECfz7IpKtBL4mQF7MkSxVP6Ce4T6u6wL87m
EjWPjIebYokO5zJbbg0LD+HzqnMlEXdjG6bhH4oYY3Gboy+R73pWRpGkIYxZ
OVN/Sb6UihUpmFxswZnLLV+0tFahEAg3uK7EjXimYK7gFtHMwuka1BKSTP4Q
COqW0soiNXQOcgCWRDxRPc0Et3GTJ3BVZ+4CgK1bhT5TDHXaV8ScdLtZ9IBy
n1tyNq5JBLIcRkca+sDH9kPuDuDF394duaeRMAogkGBh+PUj+XN4FjAKSX24
fNPoiOyL7RpJDkz4F0N4eJpvdaWs8uuF3HnsKMbio6fdc+pdpWpZiud5CXrD
FfDxqw36jEic9ZrRRi3otXOdA0s/hQuIVjuqUM6LBorZgqKPYrjjjnp2YOAa
BDY3suWN31eZpnq3MuIaGsp0BofqzCPakWoDDCRbLpHfM6WHDiQT3fUkB/2I
DMnoZgnlMhnKMMT36YqY8IoAG0KdTex8YHfxrVDdj7cTX7bMLkk7M8HtSGbs
A8Hp0xd1F9XeKy6RLfrL2+mxw+3Bi4XGXpHDKgJPYzJfwbVCZz2RMhwkeraJ
lNx1xFsdM1u6rm8/XLy3p+/e22WafMRNQz0d1MKlM1HNoIL9+/xZvfjIJbJ5
ylpDBVopnN852yLsXngD8mWDuov1PrPwC18jXolHCIYa6tNgcz3A+TwY8X9x
Xvjz+fH/+nByfnyEP1+8nr5582Bk+Af9xsXrdx/eHPmf/JPOl4i/wqem8dHb
6d8esGvgwbuz9yfvTqdvHrBGFlklpdwhkzGFpqSAo7O6moHUYAX8xeGZ3Xsi
duPe3o9gKtHPGM8Gywv9ATwUnx/9CmeyRfmQJqWqWMCRMmBF6FoGeXMNLNxe
p+QENu/TEk66ABLfhrsbfBxvrukmpcHZ0cnREFjjz1O4jxn6bQO9TMMvAYE5
syI0KGy9XaNvAGRVSGXzPhMI+DMwQ3atiN761lvEA7hoQyM3TXRT8lKQxgBD
4z6AViNkTu56kjodmpYJNC1kLH5tMrm21REzUhtrv6ZWJd17C7yuTpoJO+l2
GKD1luMxyMAy9MB262QuzpWl5IuBE1I2Ia8bVHAws+uRdyZJDGSJys4vZ6f4
+wyeLtFpMGSJgpthyF+kBrRfL2y2MzTZW+3ncUH7eWAtzUS0N2UsMzbU4z1p
mgLkEWS1viGsKG7VDmWpKhzvMUzSDUDmqzc1Tvi2knoBBz/q0DeBCNAQEb3F
HYY4oVlxYUlTdd8YdmeJ63kqpxaBMPCskBDVo4rKZZmCTTMLBQ3QMdhCc9BW
0zEPHhsWYoAYtHbgYo2Vs8P9n49ESMPHgRPAW/GjFkMK3Mgw9TfyzmnwThus
h6mtNRncs67p2EvQJgb4P3uqSLOTvQBtrB7C1tcYxQB760O+zD6mdrEsLvkt
uvDBJdm24wx00cgzh96QrjGdzwY1V/pC4LqcsWAcUczpMrVuGGQ8+VYOnoks
I/3KgJyCPa3F7Ln0cxS2OLHnfW78TZV2nlLkXnRh0MPARLooNuUs5d1eZymT
ShZAO5KbJFuyV5fZVUDQYEIQr1C/F60Uoy+41xpDSCUW2CYsinFmoB8tt35/
Om1Nc/wpQS27Uj4YqQ6HxWoFM2W/ESk1uxw5oJOLV3KHQ2dEqlbLacfn5b2S
fzWhIwm9VEj/q5QMsgI2bYXokZqFyufv5LM4XEcRu65AXNWEn4IsGXf9M+ZC
oiBPJ4+J/sNgn0Zk7xFzNxTlw0N+gN9eX4MMtflmBWrkA71WuERic8pbOHqr
e+KDCYbEXRh8ZbdoM3DQFyyk9wIRinKTGJC1Yidfp5/sPFugf22QThYTUJ2m
0/GLF+PDw/HR0fj4ePzy5QNUBcPIAky8c/08I1AoV0m5Je3vikCpwCuO4wAA
XPLi42ZNNMBxAxAc6GdthgToC2jHe5MVvjYNxYtGHlNk5u4rbf9/BxQEv6he
fBrJ+5zUFELXucRarmyvlOijJnJJOWvEOZ3YoRk5nnpoigSU1yNeqrsykoMg
fVA9WaczlhcphtabHi7SRSvhh8RHRsYHaMKoMtAXhrUbB3fOBwcXb5ldiZlw
4CNKskSVYJU9bQV9KJByGjjhGrJBIz6BmlnV5D2CeZw5kiDw15uiQsyhBwzN
UFEifwGxLVWugJIu4a+Do9eHZyP7+v37s5G5OH0LPx+dXgzJAKhAU8KLsQDj
qkKbHBHpHGPiiQeeRcKW8GHQkZlkBqbEhvewEcgiG5n9DmTdqWcWObjQIq0s
INEjhBFryOUg/AuQRMn4tIu6WHfGsuD9phGmEqzBPSJ6I0XJ9NyUSXhVECJX
I2pxKVTQEQlzrkCWuF1smUfWWBm6gEjSZCSor7PFtQuX7SGM0V3NV8m6Ogjj
Z0GYjKNnnoIkFhZG2MyAImg+kjZiaKYPpo0UKQkfyU8YpfHBwgrWUIEUmZPx
1zII0OOxvoZ9KBMMRbxBTyeb1chEjhUM5AJTVTf7YBZyWnj4kGIC2+GyAE2w
K1QGdi7HnQWv2pAgbHN5N50bOEDmJYSvqTZXeFRszHScrUO8oD502C2vwNS5
zoBTkdJ2C4TCMW/YMcKasRJC7+HXOOFdOfHJ3hdvysJtos8poE2uVxeMFq8U
6R1oU2A8LkW1MmmwMHwUzxiDG6RkVogVA5UU9i6DTd4kBFY5nV6MEVnsV/vD
865pOk4E321NF/aOnNT8gv2nbLznirpi7l+Jld1h/+QNc4pih7PrwscNYJr4
tfvFdyJj0cO6/PGj44/HDmwVtDKVZSCTC0CLlBmjclzktNhzE3NS49HLUjUO
NgXVEa2AvHDoQoeX24FEMl77t7H2L9eh6ehH/bTLVLcntZGLTgu9E41xB0SS
dhSBkV+/4tme+Xsq70RyFS7lGAjB4tAjNWafny2LZKXbeJnRbZuAcoEuFxjF
x8kd5YSKdkb7rBA/4q4J3xIdcGRwvUmTkU28eL/HpcIl0Z0xwUXiPfSIEPgd
9pjnTJs8Zw6zyapruHX1ber4aWUuUwR4CsbGiTZWm19uSvikXIHsHjnwqZUY
gQZfSKn6cGIu8erCa1BzQZQSut82yzlec1Bo4Waivir6LyrqssUCehoiowL5
CVp9P28VB5OgN4LzdYcqBBj63QyH00JvGk5xtp0BGyS4wrJIaOa4Yw472JQ3
t7gYA/YfxfZQtXRXx+E6Wb0FkZ3NasXcCnPHd4eQUTI7kQSV6hzFmcNOa5Ci
5FVnWJ9MQGJqzvglLym+/k5vnViZ4mLnC2t2hFwoSgEEiH9Olm1zlVyt6FcH
XpizfZ54meqFKXkhmHswBnCssSeChyTA1PK54LBRHK429YauFZjUoKbAxGCd
bbdNHcnWig3NALT2C4+luQGYUUMo2XSHfsA6wonECzrX1dIVrtgz2OPOHDm8
Guuu6oZUOCRzgECPwHWjR0HAWjBnsABT0Fe3piqWG9Z70IshnLZptcaIwTUb
9iR90Crze8BarGxkBid9XYg/roWNRlBIQfeGDd+R2JGor4wxymHWYAsxKMwH
MOAoLopV6lcjOluZrjflGvFVdytiDqjVocP0XGBk0lUnWkTl8oQDaQ41LTdd
YAVyxQVNpZgPP7yA81Gqi8ZlPJtkNAv5KNDbErom1FQM3TKTByFXCtZIHKXJ
l8iyR164uswWGxVs8+IWwflpsqLI9GaFyy+u1DWNttNInFMk8gILXrH5jj8r
tGTUMN+NKPxFsRRRkH5C8zjYFsJDUOCa8hRmeIVjqYi6AANdHFeXOTIlVYjP
uVBpRcfrSKfFOJbFAv63LkyXwEswwVh2nY6BxGnOZOzRg5He8Q7FX4tW0TXT
4iOeOEXPfBbQIiqJO9F1Ei9KdEnA6YomKp+xY5Y0EvPLxZTNhAS46AIocoVi
yTk6a8Q5E3cX80ejZWRYXJOhutyCRpKPAxw/5l0l8f6zpY/ymmemKoWL5dHa
YDaeHSBnhK/gzvEz31exSk3+OFJXxvJSH7s2oZAcj1kpsA1u6TSi6LVCoKwB
GwE/kYKEYFdeiLfS4UJvEL4PKm9JI8EaVEI6fghsqYJ5IvwvgMp2xaZ2olwJ
vNXMSnlRoFPZD0V6HQPV0T2MnAZtv9n2gI9O80tWsMsuqw1JTJLb9byycoUh
EsZxESfTQwikhjutAFKcBGs06ayQeCKfwI7QHHLNWPFgajas1uoZBwc7CfOu
1QPL24h3Cxe6XjniU8XWqHCkxDjZpmqW5gkokMiBl2gkRDAd+q6cDGKewAIw
GILvXog/raxsn9f0t0t71lJcGhdF3DQ+PmLN0qaI1coZN5Z5ZDYL7MutDTK+
xF4YmejqBmAOjs8tvTqBsQ7PNhWGE2oRjmVUjLIVeVcE6jHc6w5fBep73XE/
n+z9+Tv3cyuYQPEE47/7kpQJE+te7++BBK126mMajjNeOWS1BfTm/9v9M49s
+99ex2f7HZ89hqf34C+P7RP71D6zz+0P9kf7DZ+Zfx//zv8zX2gmJIDoH/3+
BnghrN79Lv9+IcfHZDL5w8Zt/OMBBjdwP4lAlzwPDowMo69++QPmEB3k5wP7
HZ7+eE2lSTir+KcHxyqkdlPsg69Ac7CJYFP9bN+/ONqzA1HUgrgolhoYGsO7
S9/8RVc62OdIbkWcgY6DMmjoqyNQqTYsFGRHFD7MESNySMGLyQfvZnFBfzSG
NhU+seg34AcCbCDFhnYpGoLuUBd+TRmAbYAKiOiG0iPgIOTPhLx1UPsQZa84
eXcPHz8bA1OiEUudbpkKNE9SnMglYB5cPXmezPYeXY6f/jCbjdHTME6ePns+
fpQ+2r/cnz2eP3n+4wOBroepdlWE0wKWWJgmWKsXVhM6tJyrLfICCiYYzRae
/Xk0+wafohhGY3syNvZ3AdrJfUSoLdxeQiLrBsqeMa8KhYjGUJ+4ACofAfoB
7Cf5N6b/eYL/s9Vf9Z8xLNkffHrAzBPYYlrOQAPCgGUyB8V2hclLGLhkkNeW
voi6IAz5w8j+CIKNYtCXjD1+8OQB+W85SyHeBol6dZMAhcMIOAWaewkLIzM/
9MV6Rs7uWvKGwKFIoJ0W3Xmlf7L3I6xQBJ2RTK2zhk+gia9l1xPYViu49v+T
amBWn9Vb3TUtn1MKM/8SSEqymoBLd67lC3y14ZawrU/k4+itXh7gu4mfwReY
PYd/478Lp/kSS474O47TfaHvTXFPmC6jr0WW9qjDK974rFojjHpkD4up85vz
CKAWXGZzuPbRGF8ayKlRDHRyvx5iFaIUoR/8tjOivlm0cHybwhjla2+TT9lq
s7LvZpz2iQE0/Nqe/P3YpcXEr/kbWoEJBYydicKRjioFdbsewvOEguCKHXi5
jpx2LJj4LjWJr5Bc/BAoUYWv8oo2FxvQoGi3lhYhvtEZPVsinnKTz+HbyIUC
sD9mO5cElUCboXJxZWBgLusdTcpFwRDMfO5nluWkB1CiUWXxKXIgorUuoIJU
kQ0En44ebt6qMEMAVXOaVzvjzN9VnjmZvwj8u4F5sL8bN7SBefcQiXeYAfAQ
3RkHLHZccAqsogJRlaQtc65rGrqd0cQ1ASI7DSqujWQBHAILgdaS2IUWJPrL
63ScVdUGQ7ylCYD0YZaC5SyFa4qgBJ4AdsW47CSX1g1C3yiGmrHTaP5SSKsJ
XiZH1jIlo3stqQvs7wfzSOYMZqVzZeKCRDBv5VsyxysyKQISDTAg4vbjAHRg
Fk49LruQ7XeYb9pv9J0zw3CRf0nc8AJ+FKkBYXrFiACyimpBANlMkPJdTi50
zNMUknBW7V3P43iYOG5lT0wTvB/vi2RMU34MYjHkkN7JIWFlswh/iTadnKDL
GqUgfaXJQQpyNSsunwOjMe7PJ0uTjSmy2WF2E59SIX4pLL1VoBMZ7esrk7SS
sXl3moSlZSkUrZTMqSBIKSsIE0kb1arIq8+aNiX7YDkC2pbzYrFRD649I+TL
Q4RCj7N8DEON31L5CdoskLHJ7GMaFh1IcrPJFTdL/hl6DyNo0LWI9KeYWTCB
szXBTtyGwbljSF4LQ8y44k7vOTA0FvO4MALWGKGB6FVwolwEvYySs4ggoBb5
gw3vMjQ9RLZYAdF2JTUEb3U+F4nRieeKJDpMEiVA3i8ygjyVIMMNRgqcKDwk
56ewsJiqsIj5dH+UAktPBAkwWHgI7tlCBUWgiPEI4sGP2HmTkqSKEr2ByrO5
HB1m/HrrRAC8F4Aabn+LuFfASEiqRKcOynOCohMxpYRvC/HLmojJlFHcsD9m
jfRR5ppd1YCtTWiL4q3hCyEQfUwvQ9JR+6+JNek+RMqTwuSVMnWbzO/j7cQa
AQhRk8h2jvgMTdukbAtgEtHCW5YZa+pw0xbk16qaFmfEm5X8o9SJrrRjKRrU
t6yWveBtC/ZNZlrNwQEyjEYIWJOis1V8vYP5j5RW2EDkVzx8/wZLaOwusIj4
ccRW4bUYawpygGlmXuU4o7tZVUg4er20KIQL9rubrLpDFBGnMIZt0w+XdjJK
PvxsD2YQpYn/k453H8riumKWZuzKo4QJr0JiB2aQDZsZzniTZ8DqXPZ2J0+z
XYlaJsq0GWTw8pZywwRtMT0rHpjpCx7iKZkYDORSvthbn7kwv7yeBHQmTFyY
yMsozS8WTaBoXJIWL3lstF/qMEFf66wyA8JXkv8fTBxUHzNCDCjbGIENukbk
E6x+lqy5HFMmwbIgx9AmJtQf+88OpQEFpKVKRNHIVDQN1gBfD6YfZQxYjgNh
CdwOaBWixOhoI1T66fSCLHsxKE7BoHiFBkVHmnDM64N0XKVBxdeyZBNujgpx
Ryqly0PtTFMdLNjAZP3BzXYEl+XFGDnL8FvTaxUucleaaTN2T5q84nUlc8r7
/gn0Ed04XXb/sSPiLL5eML7cvijR0UP2hA91XkrV5cU/4pNOSatiqanHgNHY
SynB2pQgpoMX0vpAdQ9rF/CV5UJYdDHEpCCGTwFmJAeCXyH+VkPQylNH9rIs
bulJOCMEu5JTixLP5aQ2jBCgfJw5JQymLoSPjlNGScAR4q1onRmvK2CqRk+d
4ne+vGFQ/yUJrUmNvaLyCOPPdzBfZ4smdVSLYcmFMafT6UO+g0NxfpooMbZ2
eV6N8Fw4GzR72jnBIrppl06cRoHGLFx1UqivxYETiKa2M9dfYtP06/amU7pk
fikmmNCSvRloNMk+LNRXxRY0nnhk3CUKHXJ+mhPnwtjlauhyWtAFui6WnMaN
7BFhYkVJfDyGFxy4SiSd5+uuos97JW/3UpNgm2qZGRwjC4ZjHEkV4jAtHI1m
DDOwwTKc7BybFTrSqLEquQ8h2LZCZ+6t0NmBpu8XsXgY7iDzlppH+0IkfJm6
UmO1H128+Q6E26PN2bu1OTOIhRhMGyTWHVsXclDaPeKNjf37vopM4kGQXULO
jmT5DaPEErnt8ilyE/oI7F0+gnsPLAKC9SJRh0JTtds4dUK3WT6Tb6eU18Bg
s2hVh/yJlBPm4opdPtOp5XzeJaf2lujMyCqpbRZyVy3BIe7H+U3BcQyg99vr
FO+QuaNE1kZlQxUJB4H2FZz+691ixmOgIsduiK9NdeVOWcBXhYA6RkhyfdTe
eAN5yqhIT7SroMlQFUTcVt3PzoosPW+FSZ8e/3J87sOiCEEMfUfRiTJHNRJf
a3Hf3IaemZAXt+QE4RBYvjtlNK7zEcREUUlP4ihhEUsTNHmLzeLaSGwrdi/I
CQg4yGla4jE4VF+tqvvHQeGyyImpJDtUV55CnmK5w2IrEv+EDNud/S+4PQ7E
BXU3fK5Y7/70Eg2q5+tNdc0QxmjHuryhVDSArLrrZHml+xjCcTiDIFxYFfi6
kRJYtfEecXJLoqDEQ7sSGeLEuhxbaxwymNHJpuB/cfQSEyNH+gWWkQtPCp38
wQG1HOyhvqMVryhtOC7aI5VwBo3KOOisyy8LqbN0cXFyNJTiS1wDJcnDoida
hdqVxCM7XXQYzmKU9/acrrnn6WKOEbxmSedb5K3zRQ5mAquKoK88XC4wuZtU
vFB+/hP7Lgc1H7PZm0VAwdB/dzHSkqSu3ihWh529uxiOdEKt+keS95d65Q0l
iSJoE0nMkWEk0wMeWa1ZcMGFGJ/I5KUmUd/hs+DCK9WmAuP2C5gVXjK4gsia
A0uBIin+BmeMC8Nq08Flxrm3S+WImQCvdSQlIqBZGo0TRTZVHR8OzY1dgPwS
2jGc0aKkgNd16itfrlFUcZpOWE7c3TYvcXV3SPTg296t6/G7Td0WEtGNKVMk
wYqs2ZYQ7ENzIWrNYPaIcteABM7TVQEqaMflRBd8iX9Nm/tlBzhhKkiWSXWL
rpGHNDSozpS4QppBUK0rvFm6q03Vt0pr/H5FxE9EXktdJtIKwIjgv9ufXYOF
n6ngyP/V5uj0Dr0j4ZPOEvnZHroUDB7S3SSc7GpRTlbVjC8i3qyR+Uu6Bbnl
ctnwT7P2bmWV7ON8FC7uFux3TBbDTKHAC5z0+JC6Kqs5t22j2gy9uiaHM8Pk
OWsaM1pV3LvEabnJrrwY7tUBIgPofrNZ49w5o7aSgWSifh/jDtALS82V5C2o
Om8S3jBXKmIeehqrEFBPEim/l5ilZalfmJOTpUhgD6XPrgvMk6Asx0KFkYjn
MObsQnOnRcPGDu2jTb5Mo4wp9oukoFnFVUfjsqRBhdNQsYrqEe7R0BewdZTa
Pg4l5UFHjUfy7Fx4Y8J9H+PfZfB8vy7TQ5KqivpVcnW/76uW3f991VRYJ/bk
qjEifIOEEPpkKpjaTfERrwxXDuko7uczplWdp5BKir4cYJ3OaQGGR1jtK+aw
7yJgM6M8dkp4huwxI+X2NxEx0RVhBYqSMzoUJuv0UdK3gOSCuvSMMt5tEtH1
vkxbtXZnplFLzRXB706M2uHuMxGC4BAdIVQFnZPCuMmC1grwN9fX5+l0iA7C
sKTzCmoCrlQGiOunYhUF1uqui1tilewfNywI03nDZasAcE7nmqXzRvItnxE5
CAUJxUKJAB2GdYseW09ml+XhBLmIDasqeMpi6ZrS9fVx5UlwW+5uA2Q/f8a+
Ql+/2imc5Qxeufd8RE6Fw2SZwUryLCGtCrOPrFb8nM7q4URTBFFi43RXsBFz
mUPCPTQ4VowSQZCnrOch6n8e97GoBMiIFwf0AyTEOrxRVMAKJMxcQfQUJWLC
d4D20BzruAkZsneXcutMr2RRpqmAerDNCs3jv0D+VfNsxk1GTGSsZyvKcQsq
T9nwUtnicokRblH9gHK5CgJbzJiZS5h/UstC1egstEHeaHZrD4YsBsLsgine
4XUF2g4hCBQw0Nc1+nk0XBy+kkIeVm+C3SqkfLi+x6XqaiTHC/5AODr7Izha
UdF9VbwE4wYmLoNHZpSzs0LgEK2obUMjqtV4cK9GXQ8vzs5PX/my4lr2uaFg
YdVrLiFuvqGE+Ifz0w4AcID5HRkpK+SKjd8L88rGRONEPb69w6o+nLKTDJ0C
84ZHwFArrH+jd0alvcnKvwayz736TyXWbx5jyQTcjQ9UvwQra9MDClj0PhhM
DKdCqi+xTNqIF49tD4H7OCT0ZG+yP/mBObFcH+9mN4fTypfGdGcaBfmYR7aq
OlYPRjalUB7rRUHrw/YCSITdxtlOF1gkW1Rq3Bqfn5dVXE5G4d6NOJ7Wt/I9
i6L6BStKaaW9jDRRxbXDSrgDE4bzXIwY8SLBmWP+JgHi/G2p2FFzcXh89vD4
4n1Do6ELTQCArJRFdRS5D9iu3Dmq8BZSbaAWgXGBu4Y0U82wqktUrjIsU6lF
uneUmVfqI7932VGJH47vKvtE/i1/y7BrKyuR3SB1h0yX0FwzBGEoPALXYH+i
voSDyH4VA71Rw6ChbGLCWppR0JwC6Q3n4MC5y9gygYtIGfldPtWBB25GvQKc
PcMOErXXyCvivVSdmRaKAvIKf0Xa/RJdyI8njVLNB9/U4yAsCR9N944+BKq0
9BVGmIT9pbqIp7vEf5OYursU7M4oN08moC8BYaPXwu1FVEbY53+STeFU61Qb
XviacHCN4FU4LB8N/RrbXOQUcinXqjP0pCBUwuEJn7UcWd9hMMguD/ubPMXV
3BTR4SaBCJ6TJsdOJTSHlkXFIUZQn5dSsLdBz2w69bi54jMrCdJfBVV2TLPw
LMMsqx2BKqmMJ9hr1cyprJfUryIFfJlqzZ0OIUjGBFYxzoPKeLA9zyYWrdzQ
N0GGo9+gUv+aav+/0u2nWI8R5UvdSeSM3dh9V2EluJJ4SKi3Yhq2CUpWipXa
vNFF7TVwskbPtAXbBe0yzPwoAz03WVW9+mRQc56/asHs29AZuygWw2ICfa7p
Vgug2exnXjZLlXDTi1Yum3qX0EXQpAja5AhiKp21JlG2oAYV5R9cvYdn7GGH
f6D0yD/0Tui/qMiviTMrOQvkjh/5d37y7PX04tjugbw4Pn9/8vLkcPr+2J6d
v/vl5OLk3ekJaJYDOFpq/jWMn/ytY4KYYV2a8od+/qbZDsj/LJ6M4bc8GX82
Hh9enO8Yvv9JOyCJDzzum59Uhj781if/PEZhjtO968k/j8dnIJitfP9b9nYg
yCSUI9W30RBeJxHpw297Mv7sW55kut0/sC9PzkFPnH54//r49D2SL5AtKCtd
lYyGv59yuZit1Gvsyn/7uWe+6Nb55x7SzZt9AWoP/7g9GqMCoKloMIdvWKev
7oeV/b7lyZ8srymY7Z9DDk2a0vsuTWlow+/pdOnQmNXiHfvnNIBmqyZGb/MX
/3eT0f2edPXUv/nJvckxi4rfMFvZhN/wpCvt/I1P7k8usFrqwW8ZU2Y7/vmb
nwyo6F9ynn+my8IaMzLJbxgTOzD85M5FWS6R9cWG3cZdTGH8O2ZLV7vGu83s
5RtmSxs70un+MXvLfPfxgT0/HiPTtdOX74/PSdE5f/eeue9vWmf3mH8nSGtB
fpUDoRQgMfxh/x93z/Y3jPm7mfz+/w+ZvBYd+QOYvGu5NvLN1P45HXZP5Vu3
6Pc8+f8tJr8/eZnlmv39jWO60MM3PylG7DeP+Xgync+Vkr5xzLqwfywLu+PJ
P1Y83PNJvhZJ9c2ztWCDX4HMHgZP/r9cJO0HIqlVOecqWzhDXUvnBB4IML1c
kCnArWDVnL+k27AnF4iLwd6Q/DFsscU4TPa3w7cfklvIRcelwXiIKRvsB6/p
SCrswKB7zdXchUHH9mS15IRpFf/OJMd+MOxvyTzsQaHDah8P7dQ5L9RpMfIu
Pd1NV8/HA1qa7TRHCFrRTNmmVw1zVnJM2Jft0zYCkt8T1OKHST0Zhq39NIt9
kBfhcJwHFSQ/sWtmlnKwswcDE9Zfmbr29hjY5Mh4t/PJ+F4j9th5g5gmAtd7
jKMQv2XTu0gTpIhkoxtTBC9pmbRNJ+Qd3miPg+oMqcpY2D9kF65iFOaqYkxL
oqMiAAmVswuW0U48aAJ3yARBZ+hmPdeM69BzmDsshfPMxe/jerudZesDfxy3
mw1zQiM0x4m0z9mBGNzVCTjwxJuwixAewXkKT2Llkd9HHHqaHet0SWerpMZy
tcBLpA1GdNdG1DM1xF9FsCvsgtnV6pnLLUeEIECJoNpA3IxWcCSG3cq510A6
txY4kjpYhXN0EFDkriZYTlFQiuVmzTPjBfuO9Aw/4HIQQZTBn01FHZ60ckSb
qRMaiwIJXXWsiem29urOO1n75r9RaOh+l6ixBwhLVsQ8boelHjx+t6PTF3AZ
kQgHHUm3wwqQWACb8TSaLqvoJW160NGliiScjiRDYH+LOj3w5R/aQBbtOiQ7
RRkFHm4Xb4WJ+MA90vJCMR7HFEEu+FbbDcEUYPvvKmLuks2094MgQOBd64Sj
/PBn7FmO45ekqo26QKMougwlLHoIRHtwH3dgCBNsMIJQuwurW+lKa7lq7k2x
vGmADnTPpy9GZldl9ZFdMMshDjTEtd7RhyQszKrtTuNJ6sZJJ0CsiYEV4KqO
RoDG5YZztk8P1pIFXH9VD5f6agjZhuV1qXeGnlSsh1AMLiqGwYnfrruomxQj
YyJklU/V6S7Q6ghZa4XkVL3qzpL5WnMWkR2b2bUJxkHVpwcT1UxXxxZ3ktHi
ajIGN4s4Aoucxn3uEf5T18BOmcOdsrfFMbqTLZWNNATybvFxhzyWpfeLvJ6j
ULGHyNurlgSKyhdQ1fGdNyTcSeOgQdqzrwdLvFvlwKWtVpuaqzBs75lIF2TW
1pxC6NhPQBJxPrTp1d8w4z3MyOSK0c3Klr4Y91UzJVOYm8OolOm4cVWKILAt
/EvuVAgCyKSbShlGxYeKk+6JdAcMjNAMcXS7Kw0N86qDbaKlc3SfMl20goGR
7UAsWZSu6JLkHZKN4Vw5dTNvHuBOnSA+Iq6/3SkaaUJdTTPfX0cVSgWCOAjQ
IB0IxiHjjONqaJQTSrqYW01HD98IDOrSixBi3KhjKkckSEd5UZz8pqhO37gq
GNs3DEUufljkUlOxcUdO8qhPCkNqXbmbZmsmBM7NUpcc19QLtGYK5f6yRYLd
qJoF/YliXAqt9LTxlnV/+lwdQcpDobdK1mvK2uGiIFpzfIlgOM4WC4poLJet
FYFoyTRDJ6CvhuOjVel20FnKVvLpR34bZltbZtVHnh5VA+IuqOESQgOPrUBq
suzBIiF6SZjmAUmiOdAE9oxbFlJvJe+zkYqy2wrAvpbsUjPwen4L0bQrQO58
BGwpTi19D2vA5WO0gaU6DpMtTgR2G9hZlTF4iX4pqTvvRwQijoFQSgJVmo4x
pEp+ijKHGsDUI6ojicVy8Q1c7gdvJUkGzJ4rEEUn5qZ2xWoQLTq8ECaTsk3o
AaPEZ2jOVDOCktJ8c3ZU2rDO4FOEUxfUJKfQzoJ6EdjOWCZb7qJ2ROR6Jp08
sDxHuihbBYyNmQooCc3dnaklu6Q7m1Oa0SSl+gRgM4C5YJM/p/SH9pT0bgTW
4oRMw9CjCqrc1ZE4Fa7MyXzplS3Vb3waVURYsMrw18DN1WhShtIYfpqjpyul
DlJYW6JDgBrXhbFfIMtcv0f80ZKhsWCHFYtiQ4eHfITGQhVMgO+NpnAH6oQY
8e6NXBs6bCWRbgssD5CwDal/4XzOdpfWjj7jNU+QGqdoH5Pew5cyhgvpTOf7
w1DBL66BQt38TNCGZqOmRVRh9SxqQtuslKVHXJQNxo9pcFRnwvROUupPSHdU
3O6t69Hlm4iK3Us3rkqdGXy5yZbOTROW0BLoLPegWCxAFCeNfgiuXTN2Q7XF
miQMd0XlNnSUM8zHd3h09vDNm6MzhhSiDxrY6iffVzBQNYJ7Atse1dSiZBcS
to3Kf5QVUZHztNE2FYsykUMr9C5P6GDehCUKXZ3kqe6fPxTqKeHNgW4piV05
9IV1ikK3Bi7rqrCI6ogKP5MJXgD/PSlGwkYXQlO5bTED0Ifcs5GcLG7KMkvj
iFL2IeE8++bbGIhMVRrlsNe6YnTk9FVo7KiyB8R/g57DVusto/xEqwxqc0Te
bi4L6DizkyEu/bMjRZL33l/V/u2vC+ur8/qqP8BZgMe6VLoagfxjsL/BXnEb
57womRcWoUWtZL7ewJWvrscIy6WMO+M7xY7sOaYPTM9OOD+KRZQ7aUejuJdU
wqDZm8WVSAk76fjWNMAqfZkaOVC6RZqGG9TxlX5AI59gqJsAV6K6Jth71doP
X82J21yB+NBcUp+8QFq+bhxzx7BxG1ABOX06iGJC+i7qf4HXpb/CDpU2SuP0
RQ5ZkpA1syBJXwvZBCVOm53yWh4JpyFUJtYBmtYVayGUysZ+zvSPL/QTVETH
dAp4qZRHvqdN7VNpGjVgLzV5kK6wTMdd0zpoBYxXzfVTQhx7cVXjz1750NJ1
rq6CkVJ/jdKEQJV+R9nOjfwIjUL5IslNVjutSNjGKJbutTzc22wWr0Ml12hG
5dYpPbXRY03zI1nh6dI/ULsyUefaab6lLZA8q1L7NqhtVbVeoSoOsi8j+Ui7
87XDXleN4IGelytocRX1mELDppkyaC+IbRy00t667e2RT4Bi7jsymo+B1WOc
QBILnJwVLq3MZQJKzqBqzMLXGjmBUbpch2nNsiKCnHdJB/WXsLU2Z1r2IUGX
JUVaUzyoaJ3SRKzDid8RPAFbCeMn3ZUeCqcccF2Hu0N4psefhjV7sFoqZqSx
fnYQ6I2Or4e52NrDkFv8tZSCro2SNok75smZSUp/LqMpNlrRuoOrhPs5KDhO
Krl7MMiwqRxQaMaRMncnEHIWLwTeMKrd6ItTcCN3/OMlwQtK6njoKT8LPMYq
7FrdzD4gewisg7cKSegMs0dHco+AqQui9fhQKXTmyxubDnprEhVQkZjA2R1B
YXO/oLBTHwOLTsh/EJV+HjZyRaJraHv/ydcO6ZWmCcLZ/e+LfP/PsMXNiHMn
jCh8/6DDz/KTRGGQ+Ib+/d86H2v/fuhCykWpkSBEXP2j+/vf9v5xsF45ra7l
/hyvt6fxD7K7Yfx+/j7XJNZicy53TAy44W+afweCipWysRSnaqGo1ARm2SBu
El40AqnaQn3XvRPCxcqs4ieY99097sUaKxzm/rcr1lvIdekT8nZpIoPgjwTq
HZEfCtjp+AOxYU7iir5VrIeiAGEpBPH8SAhQzYZOTJMHPgStbTWm2OhSL+Uj
ejyUmCooXZHnXKa5N7bZzSeYAfTTTjOR7Bvornltmns/oH0e2s5b08klCNvd
eWl2XDIGDn/jnYm+/vcjH/WVDGEycATi8I/f/PY/dmf2/0U7081MdA1aDuZu
jqKEL6tGttKRDI3OhBxsAn9nLrE1rV4PVHwuU6xnQ9Zg4axObeMw0JWCkbXO
UIJ3NxKgqM+0m5tNG3N6O/3bt3Iic0hq1Li4Gk8j1j6AUYe6B9im++ne82ek
oAbNimyNzWOd3yHyMsc8NuzT19fN70qz2Ueom0XjaA0hGJ8VOuI7xZRL83AV
MSpQkFLDMXy+gx5vkfvTMaHSKINNvKamq/38XfzB13saz43CynHB6cYYyuE5
bNGs5t1sN9kdDu10rHdqgkGEg9E+aEgu29FtPi1qJEBVENCfRlCrtsQkh3qv
vGRd1WVSN9QTZ56jG4aX5iGevI7vq8AuNdpyyhdupEqMWBtIqs4onTWuAM+y
180a6LkOm4j697W0NkJVrapDe2XCOkTU06XVT68BNUGkQuYAofTuZIGA1drg
Eorb3EvZsHEAWB6Vq/DHt7Mmr9AkIFnM76fHml37/lCipVHAdG21BnR0bKe9
5Y4FyE2nMgfzsUBHBr3oarO8E6dmvabRA/ql7d0JMcBLTnqTgDRITh6rvefb
0Hcacl2IIGoA+Xhv+M2bTBdPXD0IYXWBOIxwJ8BE26MxP+2YRdQQgcretPzo
jXLoMNAQqUkqmvdcf/UYsAbJ7dkQM8RYgEiVC4rPSQFZ35FNAxW/vJmeRmHh
6eEbE5R/HUb9PFBIdKzVKbQCdZ7s2G0HqaB7yEEHJgmZY+h/oErgXZtLAl6q
d1oHw5DSrmOuPkVkcG8qcPToO3MwN04oyIVXiJuUWzeE0YaHjRp8DtvRj4yq
qPwBYQF5rCEXKNJO6D0uc2Cgu8bzM9NBQG573QXXEQFKUo3xBrx+yPyrHl+w
WPc36smTjr1sfjXQYMINlVWFSkgP3/dPhWi62L6B54sFFbAnNPFW+zKFWp5Q
E7cPDcgrsJ4iyWHYt8tL3X/asdSm81dlYk8hE1RjcOGrbJmU/uYlSyOxtwOv
7oRNuNvWX9Ob7hzm6pxPqY4HYk6d4dptpaocxQuLg/+pIR0N/oHXiaQZeMeH
E/u6uMUgOElQZ0Fm7CTUavzSc053ZJYeyOsyd3pjbsOjEYcLXgnBy13TEyYX
E0UIcJkOVUigIL32YYPKJqkgYw1bULjUnz55GMZVuICWcil+s06qGoWpRNJk
MxCBJVdJkqDoBbwp52iz249infw3s1U9QSq1meDqXFm8VZoQEg2MvtpD+pHx
SLsqbb+irLd7YdzXU14Kb+HZHFC4pc344hBzAHlwoHoXfR+ZsIzpxcnx22HT
98yHJmA76aXRasaLzdtkrbxj7wgXFmxXTztzl0pQE+hknlXYj5iudN8R31OF
H4XYR9OD/JfRPUyXUVWNECMn42FECuncdOVZEMw2BvFdJcA7sqTkveuNPVFF
2qtMrgjQ0RhDi8YF8mB3e/B+AthxSJyeuF1qWiE7FwnpitWRXXyN1ifemzFJ
pRMNexNPwfKNXzsst96nBocfTobB4ptVI/mFQRVOU7l6p6Vw/rDOIHctHUsA
tywoek/37zIjbWNif6VWwcglDQzO4JGubWTdTi5zUGKxIzuSWSdfYnsFdyCh
00awrJfSrtcXcZQkl06mVE6Ye60Sy4HVbVmOfkz945LxcRAxHXuBHBeuEiwj
uu1UmgeDOjO379Lljp2Ushe+HvE9VKf19baiuGyAZ8b6sCU2CAAzaUE1H6lz
zRrkhdcNuAUAMDY0uZxK41IyCZLgEAomIbQIkGF3vFWyEh2/cflB21j/0XEM
60Y6io9ru1GQAIErwWVfFglzLUzOqIOegnSuhoS6O8RbqmcmXCFZXWaLjbaM
VoBjgK2QNm5OZ4lVFMxW8DzFMUg81Q72iG1zmzySki+YVE1dfEzzfjl4Xz8H
Fnk1Luo6jJimTqUVje6qhqcs1LiIc59y9aeQmXYnrYkLwPPtzsJNDWM2oNUQ
Qk/dxEgSevLzf3ZsWIUqo3dfZCzaMKsc0a4H6KazyKZCR0lY2JW8ZnCWl/yk
eeBr4WH2Y1FijBYECdXhTnNOJSuENaCtrkzate4MzLiKrAsusM92E8OdaOSM
W28rk2n6Ecn8eQD2T71d082GWZqlrItdCKmyClTDsmJOyVeE3UmqHU0qOGcg
1rLcKgih6qGzvQQIEyAfw8isC6pgyMVh18A5cUJbzHwfMaKHq4T3uiIEYt+P
oJUeqC4uHfLVQHNsN6xUAePyrAznzeFneFkkqZzvrGvoytUBkeVjKzM8frhb
n6gXa9+t9Q1mHV/txixp00nTrELPNSM9x5+GEBTkn745PGwz+R9IRvpwI9o8
wFaTPOUyjUCzuEM4ou6DUkufUDVB1fhGng6h4bzRGktYOqB3xN8oOQRhVrDw
DCtXhnrCCosTu5v3QF7iIV8Ojkq4ktdtTkruOG7yofcWyZ1gOgGTtcRkOQwY
wN0V1x24YzBZj7M66CVBk9kEOQIePjCfhDKw8MiAiipCoFY13k3MxOYqw9hc
XpkT5c6RSLmBk4z2E2SQVJBISL1hJV2cQooJnbElyLWFqeqpwC0QQD4rqKiu
SDhBeZiAXDP2fWU5mYbSnYlq0qd1uGMjX4gY9NVlItnZlP/jCs0zrrB1j0Zs
Q+9U0MRrEniFyZJqU4/ILukaFAvlHndCBL1XjJcX82ibOQ2h8LoDOvGnZ2OB
qIjT4fmPw46A+H0EF1XG3pkWbnxaeC8XpTvFueo7KujfWXz4rnzyuXYAS3EP
XL6uvU8hYjFMZbIKXMLbpY1kHSpfBElHjqp5530xTSBml4v5PHVidHdiV+SL
i3ZoBw7WBHk/zs9xVwqWTwhsZF4Zn3nVAMxbaW7Szk+VIChVc3AOp5qa2jvG
7+pFOMbbU/QEiaP0GxZjVuMstbEeDC27K8eY27lrZjQoFQ0DWViqWH0Mxt6w
dSH+p634HRBIDCtbcAAS9RbK9AIKQpJ0eTpuwd83E+8wRyHlWsKftvY4v8nK
Iu9oaRODWNb0bXj9bcIBpGZAi/bdbtbiX4mIxvcWdH935yPXpB8Q07o6XHeB
J0TkI7O6TzC6C1JmehCtv4pUybsVj1G4NZmSpc4lRuU5FybNFxu+3muygvLf
5FIqCZmt64XiiAZTDdb3eR8n7SG2jtRynT7iN2uPDheO2blmuYhi71U7EmGI
YS7T5KPcSafKF1GnJK9JGcT053LZU17UmpFBTnRqHF4BmJ1zBLMV/RHYE0ja
cCEnaZyV0JWcFqn7CfbHBk4447GwvY6PDEc3owHQDotIKHL6HqeBzi4D/BKP
xGHF21BI9l+7JhQytnOJDTb5x7y4zUOtFa0+rf1PbkR4MJ0PY19oFiw0YI8U
BTUxy4fRwD5vdFBrkRVlSihmHatMrRfYpZnLlqdjFwYVIMy5FLPawXOURyiv
VG2qgd/vrwBEyrcTFHRO10lX2QY7mEnuhiymU77p4WLHWt6ydN4qGtVZL6G7
I1rcs7inglTYKCysIbW7M0Kz9I8Tw9RxF1susn3dWfYmrlghD9j+B6L2BEgG
3JSLfWdJndyvXFQPwlwYjnpDYVuSFXXFC4gW726cghxl7Jq32ad0PsbuydZp
TDHhSZMh/9gIFEgXSXS4CXJQw83bGRAlYUdPS2/GDnlPckDpCQsRgWBEHxM7
aTuQALg6sFcxa0gmM+y3Oenbq0ySQN330bcdXXZq8cvF/7XVHcPhkWrZS+9A
C/eoBNDgi8IStyl3MVgA19+RDuf4SUd5GzJ8fJ8dbvN7k25ZEdhV80GIqhlx
cLFRS1eZY0nqgdckGk7yJ7YmnoW6LzeHYgt+pADlTjeyO+YpXD+IdHbgikOH
e3QRgB+vyDqN+q3xVWinwYFKbHjSFFLxbiC+X1osgNgjlRwQOmUD3TcPn6uO
7nKfY//8VA1GToFp7ruPFeImkA9bdvASIzDou6Z7zE4D53ruQ3gIXqtOFoh/
BAF3TK0MKVH1LspwBVQSJqY8rBCYBA4Cw16DoZgd3DC32qyCFGXOWfGRQI2U
MppQfGs9+9GMJZ/UEhU2O6PCrX4aGh9uevpM0ETUlcwbr4s1dgp09imGw7dd
2T2nBSPBycHDdXPsK53YgX0hDd55YY2Ir/qRUWEPsjZlzyQgpPFV7TDbPinN
AvRU7u0t7CEGBFeqzn4kMNea3N8BJY+6E+e8XFkTaGuGifGBl1BtvtBZWhE7
8quOUFFBKbb2ShJpqkfIegyIU1WTWwrPMbsOYLzust3BLycCT686FCW916aR
QECupk7GSMEysAjIiKHbX2d87CRv+nP6G++IlGMVdFk9jJxW/QUhffTUjeDi
p0cnQ/v5O/jP124cHQfkGONYgGHQIe7vEaHticum5NzPuMceWj9SygSsJvE1
qsd0JNdt7ONZASlEeRCue5ogPVhtJXdnkJFb+G5pFSFXgXMGsWB4ozjgjfrd
tbNjpC7zwogSfaELiWIGPU6rA24XesdJYID8iIIGiaY1j702OJICBq5tFa/d
ZaUyC2ouvxPR3gzH7igPMjKtXaOqACig2pdSIjK3WaloP1xQX4Yyy7tfMRTC
VSxAiqy52p1YBIwRL+abmWQWzkHMYR1exMU0M2OH0ng25Ug6lXyISvJpqjg2
nLsp2KMrSwki9FH7WnQKjckIpmI3QflOEMwuMhXAuDg+71M0MRQisb8oHdsp
HFgSyxGj07lbqDJpZo1XX8jkJXfKpPoaFNDgTeq4nEcnHiI106/2IWb8ZFy3
KzT9ViDiDqKEDXztT/bBbJ4dPLD/bl8kVfrsyeA1bPv44vV0vP/02UAubZUi
+EYrp42zOXw9XRez6+EwSiT6FTVfGGRsowcPEGRJPxGojEx0BijHHihZACEX
uNyQschL1PLGoL+uDV6kNry8OiwkF76UkALwIv7an7jXcVhyk4AWTpmDKeHG
CJ9iQTr2Kz8Qh0wAcA3vD69Nb6qsx/UqNlzAvz8I32zB2pFubey9YgdDmjYd
Em4/XwP6rlZRYZKSOm74Pau+IiEz1iVgnTCkdlmle1K4Nc2TDMuU3abpR/zv
Cqz56yUezJT81cLCfE1zPAZkXzxeR0qCMIvUf+6InxbE1IorukIzVoNYqo2i
L6etkDYi3zAJvp18p0jRwlEGCNJeo5JNVMBqN5XI7a50NHR+cawNSpc+vKjd
OEDxyPt4mpd45MSd2Hd0Ma5dw0NOjIpvCEyykuJZntDktg0NRv3RKVlK7o/E
F6TaOMwRg4lK0MKMzpUquJoO89kz0nQxdtrNlKTTCnogIwrCWLaNfRURP3It
vdduABYl75FMXwi3DgphH6j9UCmkwUnMuQt45jwJI7SJ8AUkzGGLwztTSkvD
BOye4uTkjspdCa8AXKx1cHi5oTwR9CqeTBaW65D28F2c7nsX+rHET5yRccEy
7SSSy79m2GrpQ77MPiICuUxuiZmILg+noTYOYzVQO0Ao2TTXzANs+43a+bqm
wJEjVmlN4LEvtLjKOJskKM29irQQV4ZyT/XuMVHvORGfqMrMMV8TqjYQc3EA
qxCiVyTsLgLnokJaf1SS07xoEg4yN4ldZFjqCBY6YbtNL1yId/1EqWwBfNyF
9hj1iiVANLCvoXrrQ/VVk/wow0S2ruMS8mYd0zcPQ3vNvlyC8qBb9k4YLdN7
vcmlMLreUj7jqKJbVuq1erip2Tat0edcXF3B6VxjS+VSjtYOiHEP9XoaOBXO
uXAaFiyCDEZ2oEbRcNDIbrH8Fj2gL1TWbzRqdwm21jyNS+bjW0lR5NoQrvaP
4MaOD9+9fXt8enR8BObiVUIFlysRLmHxL6Tc96pM3e2eU26VBSpYOu9S2lwi
dI+DzHgHmW06yMIIdrASP6TXos0lOwqkHPIun9oA5YbYIEPnH3K2bcvDprC1
O7G/7XI96IUzu4v0OAaFs3L1hrqqgvA3cee97RCgn+5nKEy6koBdkFTZnpPi
yPBBUodwMYcDbfmawtqWnXiEKIkBHV281cIx73JVxgGrkFAwzzPB82sY/EHz
DlhVrKnbRgQVk699RhTo8MCVZul/pPziCVDTA/oOr1p0/Pmr6/Vs+wL///rk
1X9ez/Y/7J8evlherk5v/verXz6evLqu//br258aj94sk/wgXdEppQ+sq0oh
nXvpe0N6ZDKZuJIVvkhFZCActnSzQRfnDeRxULSR+bFqciaQX6Kdiinjm6Zr
9vMqMOWdUG+kCcHbRIRdIPsKu3BccAGlmKtgIf0qzNkT0o8ZHte7JB4qmXzE
MKnIHGXB5anmpHDtNVZF0emkXuYI3dUVD2B3lmO86MqQtHJ4NVeLJXXzKnEp
IO53VZr9E0Z8kGXlDPz/Re+ATfbXjWZMfUnSJrKliUcbwEXBVFas2ivKUFj+
jYGJy0K81vGAzXeFw+KdDIYNyEEwMyqauHFLrOFVHknqoD0N4Vo1JxOVHM6l
2m1zI3Aa8MeHjt58ZUCiEgyXom8VF1DzR1z4E/lQtko1CKEaD8UnQreFry7p
Yh8PinU9zvIHiNlIlwGtG6oYSeKAFCyl14A+/KGElgIqHaL0mFmg8DoELGtz
/gLF6as0mAogfzCG4r/tMic4mtcyd+hT7u6T3w8jDMttEIBVRxfRvAvNh0nc
un0iWTo2lrwX5ErQ+9zs1J3PGxV5yEEJxIjDEopXXgA0zUQaWQC6xYQ/H4BG
PqIaCfi/Qh78HvSGjR2qRZEUoTdLxqPCoqSq0SvJy0els8bkmo9QVGMBHLn7
78JJreqYQ+41T35V6ueN5k1UV1/5aa19S6QqYUBdjpcIh92ZW9mjvpFpHipu
TuEb7n6fr9c2CJS2CHs25HsmgV8KSZcu5w5t0i9qA2+xLSbOREb+0j3mF3hC
p26/hDWh4t+Cj+EJr8x+aSmfX+xRO9AIKumLo70hPdzlSYWnTlEd+uI3VcPO
dHr4XGBdVtoFAh44F5t+rco9fHYRZkpGcAqXL/CFtoqNhy9sx3d5XcNti/8A
z0dmIw7LPJC4yRcGQ3PRQwfBYGGEz7qg62yZlPw4A8bRyCN9wAc28fSOG0U9
HZfWOB299Uj8vTqjExdlHpCGim8619gpHoRe1C+iugaGQFjyUSPMmSsyjX9j
VunMmdDDrDwmDRCK5JQmkBClCTdAFSCp3GxU199dhG4kU6ToIwYdSPjgnK76
dB3NeTF9u8iT1JhcV+CNLhXcy+BGd8M4qJKMrMj7vmHpGkazHWG0AJVce0SH
ZLMYYy60au49AMPBhTkLSl7etxBB3FBydz8qKav9G9przBW7Q+dR5FQumPwO
77sytnyRIKA67DZZLMpkfc3OI0u7A+up0s28GJ9zYb7TzeoyLc0rdpCjL5g7
bQy51o86ztsFeSlXh4K8mxzuJDA1ZTsTrO9Atpt+vOQytmxfZS6yxxmYnJpA
mitpu3WNqE2qLpnmKG58eyYCAhAlZmuCBG/Q+RVFi3py1kzYoCJ8gCIIITR+
5Ruou1ZZrUS1RkqaAIzodioN3pOQLmFOV6jBcuzgtuCym+yldi/11ZQn5mVW
arpWcBzMO/sblDazptnPllWuhxkSscN2dzYrvaOdndFK43R5N5zWlvtWhY32
Pw3Ye7ODGPdEpR0AZahmaT9bpgmwi081pWmwQpgByWKAc0mtpYoo6GnoLwpk
FJ8uXlqkSASeIOIGFAZ1qVKZ7mxxfVkE145qiBt08ws3JMcw4T3k0sedInDH
ghIa7Efi1Lnyo9F8O302MEP0UIJGsGAvo3L3KQCySF9YLncufcaRJ2NLjh1J
fDvaxGqX2kYetI3OU3JTNfUhLFQ6UvL0lS6iaJ2G9LzvCJ+54lQl9jtqufMR
8ErjG9LawXkyh6UN7efPJ+OjSZbWV2P0gn6q8T/ZpprXy2p8mVXkinkZlWIO
MkH9QP5K+SE7xjN3j6fiTxIyJx2PwFxATUu4eh49Do9dbUpyqugfHUiAafrD
0RmBUd4ePZUInysF76vgjyQ3DpcG05Yv+rWpfiGhqBAxyioGL1MIE6a/g3DC
pBKGtuBGeYZEETcYi11FTTKrXKEtlMnoJoj4Yi9bjCIpGMuTnkDwEYZJxPEY
1fkzQUZ2WFbVlbkCFo4aA3lRryhaT1d0Ghh06PGlGKnP3UG0/kxCyYEtFODz
0a/vfR/a2oM8wVIgv2Es8qI8/aC7hJysgU5ysS6Kq5Y+Iu3rGvkpVA/N367P
nxvF975GaT0pswnTgKFGVdaQ2wmmUizOnrS9sApbbJtr71U7jb3gcWQf67Ol
WuRaEtuoFU25EdzzDjTyhNO+EgptCjneU+y6UiAZEiXFqLHoZ8mvYx3E3sAr
C8oRQL+fgdVhNZf8muNqoqb67AvqD4ItjON8Bnln0BDBDPTkpjEflVTDcfRx
wLPJ8/z46fMfv34dUsIIOtWNGmr3UHoDc01prStnbpfaGyTGh1V4+vK2m80u
b3dnHgUSs2bHJhmdYsMbTYi2nQnRFNENCiCRiFurvafF1y+TJT4HphLTLoPR
NFQGy4NT4i2EzSWAq33jwJb33Cd/t++b6z35P57+1F190IRVrygmEyQ5fV81
wezB3RbhT4yahIOJ86NaDTnoHKQRx4i6ja0JOOvcIKAbSLUEJLVlcouoWPSS
nac1+wKi43kXDcdCMOvrGyo77jCQ7H4r3YsJj+1S4dgDRV3n3iafstVm5b8q
9mg/83JdqRnYJo3mxdG7TPt7m7pUDU4lUiu9ippfpvOuF18Xuei0uCweRlpt
UqNCxgyImYkdUUgbxXypYPdtsPt6X8Bs3SzjaoWvjs7O7RRsDVDX7d7zEbAt
/AjLkyHDlm9fI2VzVevzCBb4qkiWDYRKf1tf9LA6Fj4PO9LFtR3UdY75qmpL
wjmKMo3Ej7gxXRRBRktCgcAmkGKjg5D11w1bJhf2igCoBJfW4LtaeHD9WiDI
iemAsQrIVPtkdYMmBZ1e9yWd3GUQxp1I1Ag0Ht3VbQT2Vmrp6MZhAvnYZXho
WdOW5eHsidgcmChepttwMgoJ8AZjZD/JYVuynCo1CQNzkCq0sUloHMomMCcp
2QC9eJuV9ghbBp2gFpy50XsizqrlFka7LNqigd29UPpYLreCrXLKvtd9GJvz
bdRgdrsHPGXYOyjD3OEeYM8M2g6IagDh8NG9p2rm9QWN1V032Ya/w23mTnPe
9JjztsOcZ6cSl5Vom/Vxae57m9g1VYcQcneUbjopnVXgyGTGjIWtDW9Aq2RP
yBsz56ra7S+Ir4aUMCMcHsPJmNnn2zAUhxXYwIYtkB8txLPS9LmQedi4EFZ8
MJMOZkZQHewSCNRdUaNLz9WihS2Be1din3U5xfpLlTpFn2t90ituNsvcpfxM
OPtUdJCga5MiuVOsS7NLIyYupvsOqoLKF0nKvUH1LM1DxZkdt5RmwWnwsPvo
Ctb+cqTkmg6PMFNfKKeJmENblDKVborlBqNf2XJroi7W150loNv3y+vhUQW8
oKQWMZDwjFTEKvMoZrNN6dW8ujHx7yuD8GrYhQV5h7UDG/B4tz2urtyCq4K/
+Nu7I/fC0EM7pNJ1VAgY5ufvU0u0cjqAr5UswhlWiR5yXZPplLlcWIq05fEF
q/W/ZDEu8u6KT3VvgzpGD/QflubPKcMTyH0oZHd56Tz/ppR+1vlP6kbxQtMu
i+VUJ72crt6Bq4HFnLhKmyU1DZfUFMcrYQhnxLjY8pZy5owVu0ydNsomHfHl
sEj81kQSnO9CpAZQL0zSjn3R7lFDyBNXNG5xniqxWNIGbbBqB4/Hy8UeIbgM
OfB1sDZFBglIE6tBcU/OYBJx8y3fU81L8WMWhSTFyUXXa/VlVbh14fF395ty
ep9vU9N24Ro+ppY42u3Indhel2sIQlU23elqvYdr1zh4DF5T1Roy16pZZ+lT
cnzp6VhfMYEmK/NqKR++2NFAqysUvpU5qrXBKqKXBOVN3LkO/K7H3b1G5k7V
plNPpByjLcOMwJ6KjVxnf+9qFBIn6ImbhlBMQcfTsLRWJ7+qbJB9G0kkuCPG
eQ2dde87bPK/k+nptOGysp+/w0+7cx+Vxt0eI4w3NBNDt0wACvE2Lo3INVMK
rh5BPr/OF3v9+EHn36sHGrDd2sF1Xa+rg4cPb29vJ1mSJ5OiXDwMKkY9ZIIe
1/jgw+EBLv8LD4PQDlSa2t14LHk26EuIStC+LF/MF17mly78SePz4Gd8EFEm
tg/rAp8jYwNypNH/HiFr/vEFOwbWmup9Vwqr90VH+GrMa/3qw7EOkkXHQKcj
R0Mq3f1A3k3IdFD+gO07d7Hm3cDSIEM+qJYQ17SC88ItRBwnNS+wh1i7TJC/
PS0vjk7GL8gw1lz5EIM6aEDch21C1nZjAi+epysuk6gt0kMwCoGxFIXS3qQm
XtqBvnuw3kyBx5xttv9o/9n41/1noMen6Ue7/2yoX9CF7R0YpdpYAim42/+9
AWJO9i73Z4/nT9KnV88mk8kDaylh0cPRwuREE44SdXQ76Gh38RO1FBsFIzf/
0Ux+6pzHjqcarRR+uji++Ode98yK9YH9Pz6zxlntg0AKWwZJp7NRkMg3/COP
k15LZzqOexUF4/2Gg93/12zfvk4tSl6bNjHuYW1t2nXiPfQCbd/aMWCYJwmc
aZXU1Hy5kQmhWKpJ1yvgGgc2FOtCLSAt3iFSKdI5Zc62/l0546CdCDdpEtDj
FgF90nRB4RTPfzsBfXq+/eF/frx9dLO32RcC8ganUBFSbJNuUCi1Mg9sK+PN
r4GCEi4JcW+8717ViTpu5vl1II1ho5x1ag8D7ygLgWnkHe3i9lOKnVFGo3Ps
K+JLYLJJ1JxZXAIi56oNtRITbS4yG993G/1U1mBHGZnIcdDTWMHngKqcogxb
5wO8ZMOfcQNXhPCSMnfibu1Ofl6B7l7M7aDpQqQTv6jTNcgcLbYWd25k3tpR
qKxzIPe6/YO+Yqn9tchCf6W+5/EB3slmBbYrhM76UqfBFutzTw60ry9WF0ux
0/TRyZEd/2w/y4pwNAfI/OoefHrQc8e6J/4TvZe28e9vYOKlVgFotcCMbdd/
7v/D7/2zHXu//+17/7x373tLmPYfwA9uI7HXRtVxFP2H8KN7Fiz1ipej1jId
B7/D0+Cj3s3vn7mewNujt+O3YCugZ53/2s0UYESsKl+nAVdw/jF0i9i3xSUW
2ZEj4Xe2qvjDcP4+B7WIepyBuzmDFwp/7FX8PbcR9zNkWA3i+B0X9Pfc0d9/
TX/rTf3jL+sffV/veWXDr/74Oy5coLWFltjUl9o5lIz7jnsY60CxwfMHmCJd
E/+J29vueuxfYYv8oVO7nzEy/A3bu9Mg+APXsP/t2/uvm1qXseKU3KZhQuka
XI7KVxCR7tFdI7e7LHfU8nS4vFcMb2NopYdPdV4u9CFv8hhEveBOsvy8lgBZ
p7m9LupqXdRDjCH4BJVAITdSHR+rAt0k2ZJKcWDYlKNB0pPg4BskGAx0F9xh
p/SS0oGhqOWq0VTwtlFYui2seirK+uBJO5vcS6wjpzTUUgWYCuSQEZXPOVf1
Y7pl5xit10mdo/uJm3vtTyyTnjqOL1tzm2xjpzTrXv4QuiXa/Ve1L940XzWR
wygM5TzwTSFyT1Ngl+KqMCU0Rs6MuuqCa3zRixN1rvWUkqEc8ZLcc7B0hPoS
+k8qHKaz6zz7741GkR20KEIWLRApJbAi04AVwbXi5Bis59bpoZwuKYxHLn3n
vz1Ky56qgh21qcmQozA+kbJayzvLN3u8yV8nTx/9GAc4p7CBwaycS/PW9VhC
RlXS38wuDZWHAxKglHBUnzDrSGvJqDWLik0jH3g89qt0EWFCIyRYwcyJrr+k
Wzt4e/EXQj8cf2KYqun60jF9Kyg1Il7oAEvnTd6JvaAiRmbuzgFuBS5eE3/7
Vi2tYuLSuFpDSIyYKMjlgQ7S2bwJnfVpjYqvq4wvVCxJtp9wYGkvuvKmB4oZ
V4V2lpTU+gpLMm6rTAtwmVmYoaYdtawvIoVc+wbEQLZwScqwlw9xQ4XJNHPy
g13Dy55ecSqEpIlhwFfDT9+JtodZ3Z+/cz9/NZ8PbE4pcen8pwdXcL/SB1+N
+TdrH+3ZsZ1KsgHQc5rOqa4DUQgw/OO/vocdoHabwGYqKheUAUMaTJfAVY7S
vxQfSaJPYdMSvM72cAmnlZas7sAI8HJkqi52gm3s6BVUm0QrqWDtI19ZhSqD
J+VyKxwS6HBcF+MUYQ6cOjuJ3q5Y8bdUW6D/xaMAriKv5iZ7i01WXXtXUAjS
kMoQQYE21546kGwC5dh4lAf6zTjk/3b6gvOD3TtBLxBAx1AXcojronjO6RRs
8mKZHuCtGLtKIAn7UfFFLJwIziBSzAvrQGf4E1r8WHWi1TwYi4g2tjBoLdYI
XwbbibvngDXYAhwDLkc6cmfYJRzjzgibjkNMRSx2KVEqg3RWKlWrX5aOpdSR
EFCAXiHnwhZNA+2BN1QNtJmu3w7ABXtGfTs111lJJ0q8Vj4VRKB09UfCIyVN
GTj3gQ1LWMY1x7j4EPqCmR/IaL7yh2sU1Vs3lOvCucR0fUOYut41t7vqeVAC
li/CIscelN6Qag9hMysu++E6Oijqhjoa8AvuqreiMz1PsTRs7VFEd2QPaM08
LZmgx061Mw9cznhnUXaX4P6nrhLq8ibuXyBAAJdMzkidMM8+0tllMR/Wc3on
N8UBXrrYgJQ5QPRmf7pEcwJxfkQrMaI3K8IO4Ndr5wcicA9c7JmqOmEDF6Sm
VjeWYeNex+3Lg8pzKESpql0S0LY2FpHhXbi40vsfvz3Q+DyDyKrZhkvvhapV
h8jUsyJvmsjZpgrVPBR4xVK6cFxW0sADS+hcLVPp5THHVk9IQf8eUqGMFRCj
KBsTErWPLPYPzChVfF4Ca5qgxJ7OXLCLwUafv2t+1Ce/37vSMaRQ5x9BzwL+
eG3/Apt/nScg7/5zA2d7CKK0qOz/3uSgdMBnaYm9Ll6DqNqOQLuDfX1VJtsK
5eNxCUrLL9scKGlkAxlPu9ES8lq0ISup5hipfazkI4acVYWRUypGDqdI503C
xRcYAEWFqq1RnlxX77RwtYnfIcaTI3FIqPDk+P1LkLlHJ3gH8Q941Iuy2KwR
WKboB4dQAlKd+TSGznwMxX6uuDg5sZ+sMs0JHgFRLqmuDb5teoLlzxhaotOm
RnnTkzGiaCrOviyWkiODBJFxX0qj/MCmnP9ldU98PzLMw/RbrT2NpbkvJ+3F
Ewzy/S1jhh1yfkkpaUukbmlhFpyQqLWyhJEeVQDzpTan+D2CwI+pbCa8Nk1J
W+ejyRVWaRrs3iWWhvvElIMoR9wA/C+uC2QTa0jS0oFq9hMqFFH3BKKDFa5R
exGZrDVFEgTtooKojSAXlHqsu0p1hfQY/x/pp5oVM0IBAA==

-->

</rfc>
