<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-tudor-asdf-proxy-privacy-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SDF proxy privacy">Enhanced privacy for SDF proxy operations</title>
    <seriesInfo name="Internet-Draft" value="draft-tudor-asdf-proxy-privacy-00"/>
    <author fullname="Valentin Tudor">
      <organization>Ericsson</organization>
      <address>
        <email>valentin.tudor@ericsson.com</email>
      </address>
    </author>
    <author fullname="Ari Keränen">
      <organization>Ericsson</organization>
      <address>
        <email>ari.keranen@ericsson.com</email>
      </address>
    </author>
    <author fullname="Martina Stein">
      <organization>Ericsson</organization>
      <address>
        <email>martina.stein@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>ART</area>
    <workgroup>ASDF</workgroup>
    <keyword>SDF</keyword>
    <keyword>Privacy</keyword>
    <abstract>
      <?line 40?>

<t>The Semantic Definition Format (SDF) enables ecosystem-independent
descriptions of IoT device interaction capabilities. When a proxy
mediates communication between applications and devices, it requires
SDF definitions and ecosystem-specific mappings for translation.
These definitions may contain privacy-sensitive information about
devices and their interactions. This document defines an SDF
extension for marking sensitive definitions and specifies mechanisms
for generating privacy-preserving SDF documents that enable proxy
operation without exposing sensitive information.</t>
    </abstract>
  </front>
  <middle>
    <?line 53?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Semantic Definition Format (SDF) <xref target="RFC9880"/> describes IoT device
interaction capabilities and data models in an ecosystem-independent
manner. SDF defines interaction affordances classified as properties,
events, and actions, grouped into Objects and Things.</t>
      <t>In deployments where a proxy mediates communication between
applications and constrained devices, the proxy uses SDF definitions
to translate application-level affordance API calls into
device-specific ecosystem characteristics (e.g., Bluetooth Low Energy
GATT services and characteristics). While payload values can be
end-to-end encrypted, the SDF definitions and ecosystem
characteristics mappings <xref target="I-D.ietf-asdf-sdf-protocol-mapping"/>
 used by the proxy are typically in plaintext.</t>
      <t>SDF definitions can describe sensitive aspects of devices. For
example, a medical sensor's SDF model reveals the nature of health
data being collected. When communicating directly, both endpoints are
within the same trust domain. However, a mediating proxy may not be
equally trusted and should not have visibility into the type of
interaction performed through it.</t>
      <t>This document defines:</t>
      <ul spacing="normal">
        <li>
          <t>An "sdfPrivacy" extension for marking sensitive SDF definitions
with privacy-preserving algorithm and parameter information.</t>
        </li>
        <li>
          <t>A mechanism for generating privacy-preserving SDF definitions and
ecosystem characteristics mappings for proxy use.</t>
        </li>
        <li>
          <t>Procedures for proxy operation with privacy-preserving SDF
definitions.</t>
        </li>
      </ul>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>In addition to terms defined in <xref target="RFC9880"/> the following terms are used in this document:</t>
      <dl>
        <dt>Ecosystem Characteristics:</dt>
        <dd>
          <t>Protocol-specific parameters and identifiers for communicating
with a device in a particular ecosystem (e.g., BLE service and
characteristic UUIDs).</t>
        </dd>
        <dt>Privacy-Preserving SDF Definitions:</dt>
        <dd>
          <t>SDF definitions processed by a privacy algorithm to obfuscate
sensitive information while remaining valid SDF that enables
proxy translation.</t>
        </dd>
        <dt>Padding Affordances:</dt>
        <dd>
          <t>Additional affordances inserted into privacy-preserving SDF
definitions to resist correlation with known SDF documents based
on the number and type of affordances.</t>
        </dd>
        <dt>SDF Proxy:</dt>
        <dd>
          <t>A system that translates application-level SDF affordance API
calls into device-specific ecosystem characteristics.</t>
        </dd>
      </dl>
    </section>
    <section anchor="system-architecture">
      <name>System Architecture</name>
      <t>The system consists of:</t>
      <ul spacing="normal">
        <li>
          <t>Application: Accesses device information via SDF affordance
APIs.</t>
        </li>
        <li>
          <t>SDF Proxy: Translates SDF affordance API calls to
device-specific ecosystem characteristics. May optionally include
a Trusted Execution Environment (TEE).</t>
        </li>
        <li>
          <t>Device: A (typically constrained) device communicating using
ecosystem-specific protocols.</t>
        </li>
      </ul>
      <t>In normal operation, the Application sends SDF definitions and
ecosystem characteristics to the SDF Proxy, which translates API
calls into ecosystem-specific calls toward the Device and translates
responses back.
With the privacy extension defined in <xref target="privacy-extension"/>, the
Application instead performs privacy-preserving processing of the
original SDF definitions and ecosystem characteristics before
transmitting them to the SDF Proxy. The SDF Proxy operates as in
normal mode, but without visibility into the sensitive original
definitions.</t>
      <t>The entities performing setup and data retrieval <bcp14>MAY</bcp14> differ. For
example, a management entity may perform setup while a separate
application performs data retrieval.</t>
    </section>
    <section anchor="privacy-extension">
      <name>Privacy Extension for SDF</name>
      <t>This section defines the "sdfPrivacy" quality that can be included
within an sdfObject or sdfThing grouping to indicate privacy-sensitive
definitions and specify how they should be protected.</t>
      <section anchor="the-sdfprivacy-quality">
        <name>The sdfPrivacy Quality</name>
        <t>The "sdfPrivacy" quality contains the following sub-qualities:</t>
        <dl>
          <dt>sensitive:</dt>
          <dd>
            <t>Boolean indicating whether the enclosing definitions are
privacy-sensitive. When true, definitions <bcp14>MUST</bcp14> be processed by
the specified privacy algorithm before sharing with untrusted
intermediaries.</t>
          </dd>
          <dt>sensitiveDefinitions:</dt>
          <dd>
            <t>Array of sensitive definition names within the enclosing grouping.
If absent, ALL definitions in scope <bcp14>MUST</bcp14> be considered sensitive.</t>
          </dd>
          <dt>privacyAlgorithm:</dt>
          <dd>
            <t>String identifying the algorithm used to transform sensitive
definitions into privacy-preserving versions.</t>
          </dd>
          <dt>privacyAlgorithmParameters:</dt>
          <dd>
            <t>Object containing algorithm-specific parameters.</t>
          </dd>
          <dt>key:</dt>
          <dd>
            <t>Cryptographic key used by the privacy algorithm, or an indication
that the key is distributed out-of-band.</t>
          </dd>
        </dl>
        <t>The following example shows an SDF object with the sdfPrivacy
extension:</t>
        <sourcecode type="json"><![CDATA[
{
  "info": {
    "title": "Example health sensor",
    "version": "1.0"
  },
  "namespace": {
    "example": "https://example.com/sensors/"
  },
  "defaultNamespace": "example",
  "sdfObject": {
    "HeartSensor": {
      "sdfProperty": {
        "heartRate": {
          "sdfRef": "#/sdfObject/HeartSensor/sdfData/heartRate",
          "description": "Current heart rate measurement",
          "writable": false
        },
        "maxRate": {
          "sdfRef": "#/sdfObject/HeartSensor/sdfData/heartRate",
          "description": "Maximum measured heart rate"
        },
        "minRate": {
          "sdfRef": "#/sdfObject/HeartSensor/sdfData/heartRate",
          "description": "Minimum measured heart rate"
        }
      },
      "sdfAction": {
        "calibrate": {
          "description": "Calibrate the sensor",
          "sdfInputData": {
            "sdfRef": "#/sdfObject/HeartSensor/sdfData/heartRate"
          }
        }
      },
      "sdfData": {
        "heartRate": {
          "type": "number",
          "minimum": 0,
          "maximum": 250
        }
      },
      "sdfPrivacy": {
        "sensitive": true,
        "sensitiveDefinitions": [
          "heartRate", "calibrate", "maxRate", "minRate"
        ],
        "privacyAlgorithm": "obfuscate-names-v1",
        "privacyAlgorithmParameters": {
          "removeMeta": true
        },
        "key": "base64-encoded-key-here"
      }
    }
  }
}
]]></sourcecode>
      </section>
      <section anchor="processing-sensitive-definitions">
        <name>Processing Sensitive Definitions</name>
        <t>When "sensitive" is true and "sensitiveDefinitions" lists only some
definitions, the document is split into:</t>
        <ol spacing="normal" type="1"><li>
            <t>A document containing the sensitive definitions with the
namespace modified according to the privacy algorithm.</t>
          </li>
          <li>
            <t>A document retaining the original namespace with only the
non-sensitive definitions.</t>
          </li>
        </ol>
        <t>A document with the original namespace may leak information about
sensitive definitions (e.g., through missing entries). It is
<bcp14>RECOMMENDED</bcp14> that all definitions within a grouping be treated as
sensitive by default (i.e., by omitting "sensitiveDefinitions").</t>
      </section>
      <section anchor="privacy-algorithm-requirements">
        <name>Privacy Algorithm Requirements</name>
        <t>A privacy algorithm transforms sensitive SDF definitions into a
privacy-preserving version. The output <bcp14>MUST</bcp14> be valid SDF usable by
an SDF Proxy for translation.</t>
        <t>A privacy algorithm <bcp14>SHOULD</bcp14>:</t>
        <ul spacing="normal">
          <li>
            <t>Replace definition names with obfuscated versions (e.g., using
encryption with a shared key).</t>
          </li>
          <li>
            <t>Remove human-readable qualities ("label", "description").</t>
          </li>
          <li>
            <t>Remove or sanitize the "info" block.</t>
          </li>
          <li>
            <t>Replace the namespace with a non-conflicting, non-revealing URI.</t>
          </li>
        </ul>
        <t>A privacy algorithm <bcp14>MAY</bcp14> additionally:</t>
        <ul spacing="normal">
          <li>
            <t>Retain non-sensitive qualities that affect communication (e.g.,
data type information).</t>
          </li>
          <li>
            <t>Transform rather than remove quality values.</t>
          </li>
          <li>
            <t>Add padding affordances (see <xref target="padding-affordances"/>).</t>
          </li>
        </ul>
      </section>
      <section anchor="namespace-considerations">
        <name>Namespace Considerations</name>
        <t>The namespace in a privacy-preserving SDF document <bcp14>MUST NOT</bcp14> conflict
with other namespaces in use and <bcp14>MUST NOT</bcp14> reveal information about
the device or its capabilities. Options include:</t>
        <ul spacing="normal">
          <li>
            <t>A special sub-domain/path from the manufacturer's domain (e.g.,
"https://private.example.com/asfdbvex").</t>
          </li>
          <li>
            <t>A common domain designated for privacy-preserving SDF namespaces,
when the manufacturer's domain should not be disclosed.</t>
          </li>
        </ul>
      </section>
      <section anchor="padding-affordances">
        <name>Padding Affordances</name>
        <t>Padding affordances <bcp14>MAY</bcp14> be added to privacy-preserving SDF
definitions to hinder correlation with known SDF documents based on
affordance count and type. Padding affordances can be:</t>
        <ol spacing="normal" type="1"><li>
            <t>Unused (present only to alter document structure).</t>
          </li>
          <li>
            <t>Used to invoke fake activity that the device ignores.</t>
          </li>
          <li>
            <t>Used to map multiple SDF affordances to a single device
affordance, hiding activity patterns from the SDF Proxy.</t>
          </li>
        </ol>
      </section>
      <section anchor="indicating-privacy-preserving-processing">
        <name>Indicating Privacy-Preserving Processing</name>
        <t>A privacy-preserving SDF document <bcp14>MAY</bcp14> include an sdfPrivacy quality
to indicate it has been processed. The block could contain:</t>
        <ul spacing="normal">
          <li>
            <t>A "processed" quality set to true.</t>
          </li>
          <li>
            <t>A "description" quality with non-sensitive processing information
(e.g., for debugging).</t>
          </li>
        </ul>
        <t>An SDF Proxy can use "processed: true" as a hint that definition
names are obfuscated and not useful for UI display.</t>
      </section>
      <section anchor="example-privacy-preserving-output">
        <name>Example: Privacy-Preserving Output</name>
        <t>The following shows the result of applying a privacy algorithm to
the example in <xref target="privacy-extension"/>. Definition names are obfuscated,
human-readable qualities removed, namespace replaced, info block
cleared, and padding actions ("foo4", "foo5") added:</t>
        <sourcecode type="json"><![CDATA[
{
  "namespace": {
    "foons": "https://private.example.com/asfdbvex"
  },
  "defaultNamespace": "foons",
  "sdfObject": {
    "fhnbjskla": {
      "sdfProperty": {
        "xartd": {
          "sdfRef": "#/sdfObject/fhnbjskla/sdfData/rfxct",
          "writable": false
        },
        "foo1": {
          "sdfRef": "#/sdfObject/fhnbjskla/sdfData/rfxct"
        },
        "foo2": {
          "sdfRef": "#/sdfObject/fhnbjskla/sdfData/rfxct"
        }
      },
      "sdfAction": {
        "foo3": {
          "sdfInputData": {
            "sdfRef": "#/sdfObject/fhnbjskla/sdfData/rfxct"
          }
        },
        "foo4": {
          "sdfInputData": {
            "sdfRef": "#/sdfObject/fhnbjskla/sdfData/rfxct"
          }
        },
        "foo5": {
          "sdfInputData": {
            "sdfRef": "#/sdfObject/fhnbjskla/sdfData/rfxct"
          }
        }
      },
      "sdfData": {
        "rfxct": {
          "type": "number"
        }
      }
    }
  }
}
]]></sourcecode>
        <t>This example retains the data type ("number") to allow the SDF Proxy
to handle different data types. A stricter algorithm could remove
this as well.</t>
      </section>
    </section>
    <section anchor="operation-modes">
      <name>Operation Modes</name>
      <t>Privacy-preserving SDF translation can operate with or without a
Trusted Execution Environment (TEE) at the SDF Proxy. In both modes,
the Application first performs a setup phase where the SDF Proxy
receives privacy-preserving SDF definitions and ecosystem
characteristics, and the Device receives algorithm-dependent means for mapping between original
and privacy-preserving identifiers. Affordances not marked as
sensitive operate normally using plaintext mappings regardless of the
mode.</t>
      <t>In the mode without a TEE, the SDF Proxy translates
privacy-preserving affordance API calls to their corresponding
privacy-preserving ecosystem characteristics and forwards them to
the Device. The Device then maps the privacy-preserving
characteristics back to its actual resources using the mapping
received during setup. The SDF Proxy never sees the original
definitions. The mapping between ecosystem characteristics and their
privacy-preserving counterparts <bcp14>MAY</bcp14> be updated at any time by
repeating the setup phase, allowing periodic rotation of obfuscated
identifiers.</t>
      <t>In the mode with a TEE, the SDF Proxy hosts a trusted enclave that
holds the plaintext SDF definitions and performs the translation
internally. The TEE communicates with the Device via a tunneled
channel, providing stronger privacy since the untrusted portion of
the SDF Proxy never observes the actual ecosystem characteristics.
If a tunnel is used, plaintext ecosystem characteristics <bcp14>MAY</bcp14> be
employed within it since the tunnel provides confidentiality.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The privacy mechanisms protect against an SDF Proxy learning the
nature of interactions between an application and a device.</t>
      <t>The mechanisms depend on the secrecy of the privacy algorithm key.
A compromised key allows an attacker to reverse the obfuscation.</t>
      <t>Padding affordances provide limited traffic analysis protection. An
adversary observing patterns over time may still infer interaction
types despite obfuscated names.</t>
      <t>Without a TEE, the device must handle privacy-preserving ecosystem
characteristics, and the mapping must be protected during setup
(e.g., via end-to-end encryption between Application and Device).</t>
      <t>With a TEE, security guarantees depend on TEE implementation
integrity and tunnel confidentiality between TEE and Device.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>TBD</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC9880">
        <front>
          <title>Semantic Definition Format (SDF) for Data and Interactions of Things</title>
          <author fullname="M. Koster" initials="M." role="editor" surname="Koster"/>
          <author fullname="C. Bormann" initials="C." role="editor" surname="Bormann"/>
          <author fullname="A. Keränen" initials="A." surname="Keränen"/>
          <date month="January" year="2026"/>
          <abstract>
            <t>The Semantic Definition Format (SDF) is a format for domain experts to use in the creation and maintenance of data and interaction models that describe Things, i.e., physical objects that are available for interaction over a network. An SDF specification describes definitions of SDF Objects/SDF Things and their associated interactions (Events, Actions, and Properties), as well as the Data types for the information exchanged in those interactions. Tools convert this format to database formats and other serializations as needed.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9880"/>
        <seriesInfo name="DOI" value="10.17487/RFC9880"/>
      </reference>
      <reference anchor="I-D.ietf-asdf-sdf-protocol-mapping">
        <front>
          <title>SDF Protocol Mapping</title>
          <author fullname="Rohit Mohan" initials="R." surname="Mohan">
            <organization>Cisco Systems</organization>
          </author>
          <author fullname="Bart Brinckman" initials="B." surname="Brinckman">
            <organization>Cisco Systems</organization>
          </author>
          <author fullname="Lorenzo Corneo" initials="L." surname="Corneo">
            <organization>Ericsson</organization>
          </author>
          <date day="29" month="June" year="2026"/>
          <abstract>
            <t>   This document defines protocol mapping extensions for the Semantic
   Definition Format (SDF) to enable mapping of protocol-agnostic SDF
   affordances to protocol-specific operations.  The protocol mapping
   mechanism allows SDF models to specify how properties, actions, and
   events should be accessed using specific non-IP and IP protocols such
   as Bluetooth Low Energy, Zigbee or HTTP and CoAP.  This document also
   describes a method to extend SCIM with an SDF model mapping.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-asdf-sdf-protocol-mapping-09"/>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 450?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TBD</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAONXRmoAA8Vb23LkRnJ9r68o9zx4xtHdM5RGtpaxF7eGlMXwXLgczio2
NvahGqjuhohLLwog2TtBfYsf/CW7P+aTmQVUoRtNUWuHrIcRCaCq8p4nM4uz
2Uw1WZPbUz05LzemTGyqt3V2a5KdXlW1/nj2LX6v7ne62traNFlVuokyy2Vt
b7EmvPaLJioxjV1X9e5UuyZVKq2S0hTYP63Nqpk1bVrVM+PS1YzXzfy62atX
yrXLInMORzS7LVZcnF9/q8q2WNr6VKXY9lQlON6WrnWnuqlbq0DDl8rU1pzq
xdW1uqvqm3VdtVv8CtLUjd3hUXqq9Iw4of9dynlKmbbZVDW9Uhr/rdo8F0L/
YHJbNlmpr4lWflnVa1Nmf2X2T/V5nSXOVSW/soXJ8lN96xfNmcF/t/6TeVIV
hycs6kz/p63//t+lLZ+4v6mz+Q0UgBU/sfk7U4MOoz82Nnvq7oWsmTtaM9xf
qbKqC6y9hfi1vvr2za++/vrVqVJZuQov1Hw+V2o2m2mzdE1tkkap643VH3EA
xJLoM7vKyowo0N/yMv0cCnmhbWmWuXXaJpXb4fhilpWp3Vr8UzYqtS6psy1b
na5W+qK61qm9zRKrs7KxdA7tmJitWWY5trdurr/f2FIbMUtV2DSD5TgNXoq2
zBKWgl7a5s7SZ9tt7p85bcrU7+6mOmt0bf/SZrV1iqw87RmQDwPBbmuTbAUe
C+yWlWvHjgMhlC7nneckCmcHWxRmB5LKxsDOOhcgy85InrqXLUg1y6olSTBd
fHSzsVkdCwBMX28yp+FrbQG5yUn8NZu9vW9oa2xGlEHZNyBTh+P2efMcYYPC
JggKmSucoqVrW3IQwOqO6C0EZOtbesRi8iQ4UAkli3q9LvoIou8y+F6L1/fb
yg1piViHRbFJFVma5lapZ/qibOoqbZnpJxrY58/eZB8etJjTEnwFQ1LHDEnM
wTRGF1VqcwfKSJ7jhgoiIJm57i3FuoGFmhW4Sim8whJzgyAH8abaOBINxEIH
TpW9JclN+WSv2anmeIZvsV2lPyx/sEkjtEHlMDYI6aLEmdu82ong7za2tp0D
6McdQB04AEVY2C44iJwBFue3ax222vMHBcI6c7exS81ycJRHzOvF5QWEnLM0
m8pbdfCgXrgaZkeyQyhy0K7Tz+18PZ/qb/LWNlXVbPTb6k6fQ+brnfqPxfW1
ZiPsPGRv9QsKChnZodnllUkpWrckEkOCUNDhrKlmlry6TOrdtrGp8Pyo46t9
Gnv///z5ny5mZ/PMNitJdT7dNVVS5TP/2cODImmmermL5ItcppH9MhLSjkxu
mxsypPsGit4nh+jvbDpyIUPybDhgeg3OyScQBkyxzS3si60CR/Ciqv5nUSnb
OaLerTW5Y5pK07QgCBtt8KzZKPaHpSWXBSs5jrGpj7iRfeFtisCZNPluqpek
Lch2W2VknWBQkfuDNTrBIWdRKncIWhWSUTnX31V3IKHuyOzCDRszomZZNay0
v7QsIl5LrkRxC0ElT/mLjYEgbjOXsTvvxHvoQIIWYGjg9nBACjqWQiu8bb1B
9J9TfBmJqch1M70o9QQ69Vhion8qwO47jOYIOBZDTQ7shHcFM7SFgRUWhO6F
RVAQQrN+YmQe2jFoOO5tg0zWOz4ffFlXwIiwivjlMLIfoQAnRjRQcH+m31Ql
xbzeuc4iIXF8B4LTBOGcnrz79PF6MpX/6/cf+Oer899/urg6P6OfP363ePu2
/0H5Lz5+9+HT27PwU1j55sO7d+fvz2QxnurBIzV5t/jjRGLx5MPl9cWH94u3
E81mG5sFO2wFi5R4D5bZGp3qHJMit/7mzeXf/uvkNUUGpKMvTk5+hXQkv3x9
8m+v8QuidimnVSXMWn6Fwe4oRFtTc/rJc0pRWQP/nFLygMHflZriPcT5L38i
yfz5VP96mWxPXv/WPyCGBw87mQ0esswOnxwsFiGOPBo5ppfm4PmepIf0Lv44
+L2Te/Tw17/L4YZ6dvL1736rOPeZNJW8Tx5u68J5V2XBx+mf3H+FqFXdkUXK
p6Q+jsL7ioWfn/f+8WboH6fqlPxAwnmfvHpnFVPOCBhQmq/FUwbxsYsAJsBZ
ytgEw5M2h7aDb3aZ7+15l+O8+w6dVn/6dHGGTKeUj0qzy6H/R65F9O+HhC35
tfP5yPQ1YIhHkG61XLWO6jucPg5W7zjN1lRWlHQwEm2W8lkRHKT4J3FjAJLV
JWkSixYBLBGlC69fkw9gVIZKsG46YPSUkEMs4DXEBWXUtc2jkHVTkicNEezS
QBzYopJUJZWoIHBJIjE9Pj1fEl9Mtfb6Y8Z7eORG8BGtG2Ik0m6PkvSTUZLE
1I/yblEnm6xBEkaslljaLYIo8D3hA0lmgSCQnbAVuGCXQbm3mdmjFXSCWseJ
IXCvrwO3h7x5zoD+9M/gDGUtpRmxA0ZGSd6mRIDBcQIBzu9t0jKl5+VtVlcl
B+jn1+fnL5jCMz6NVPM8QKwI777omB5CmdaJw45UfB2m8yicK+U8ZEMBkZF8
yWvSA/zM/nw8GXvg0st3Sl6WbGKbIpOJDGaE0k7od6bmAtILQ6y530jBPbbU
YiHjT27m6nvyDUGnEg8C0hkE2c79+tcPD8y8ipmHxzYW6NvDLTfmtD4M0Y/w
L9oB4WedkfM/CsYPpLa0OMMq5q3IGtYktisOxEm1c/Sr1x45KklTeZ0SNgaW
Rc3a1a5j4DIExY5qNYQ8dBSlBS4wvRwEKjbtNlScABF1ZhE8NTIisPRqRcXl
PoY3pVlbtnHeUuCx39TvKPHY4DfKTgjcUfQJehieKVHEZxE4VQxtSUyfnx1q
24NlZwVQdyUwyWQAlAm0E6UcFKX86lw57coCPMUSqXQhR/qFS12phFmPFRZR
AdPYw+aJGu9m7DSwEgOqrkxYcs3VSA0Dlp+xIQRq9e+FWNHaKBu+g+P2oIVr
lzP5JOOCoaeNEsM3VZVbU3Yc0PcAe9ig5l1QgebSExnwUVtOmnu8+tKLWqHT
wfcM/ITBPqtjA7ZR39xJR3K8OA0EZGqmi7y/LX2JhfUMcbkoqzNOeT0le+hi
UdcUr1ejTSZNjUqnoyowMN3peI7TLlbUTYRtTzVB0Zg/rHMJPLVnlJNaCiCc
hiNBn2dx0XHIyKdh5jw+2/nAEEmB8WDX0/DO1BmX3iNjHHqgfHXe4/cpuOxR
ItHirdzb0aAAHAOW2A8FES18Q22Kal2bLXIBV0nDXsKeZqfkSJHRcftXkIkv
sgj6InSiYmkplyLCzarVbAkH8mErmLePQVx9dD1GYEPm5K5LGMFdQvsRrvDj
jz/qH6j7/BkETAhdTE71Z+5FT3gQMaFJhD9Amg6+SYGSjL/ysqXvTuavJnj4
QG8mbFRbk9iwoSeUPt00zdadvnzpH1Fr+6Xs616GPaBb0+bN+2irfhP+oA9M
4ZDvUJw1H4XE7qH24YJbe7voMV5s6PsrhK7BY1lxZVd05LOX/Tkvo+3p6RlC
9cuwxTTeIOqW0y5vWmBcJAf+WlP014U1DnCQcsZw6R2shKA51q1QXNr+3UP4
bFKY+1+C7nfmPivaoiM2jRiYjNOVlb8IXXDQn6ZL7dFHZCwSv0dkBgBk2bIe
IXtfi913PcDoXSEccFFu24ZY2dvsH5RCtMPD45wdnHncvKlmIjKkjBqyUIho
8frV8LmYAp5/8dWrxynpcvOAmD5uT2ReOB15FWUufPWn+PjILmKFTYMrTIP1
9Qv/HJ2yH/1JAH0VPeOQNbs9mTyyIuSLfYHCj6tb+86yBnga2gso2g+xnQ6l
WvZfX8+QaAFk0xmezqht1FEtIqV/H9QDBWnGQ5cBjH/s8/igRcfwIxIzpREi
RdpmozLWuRSf1OVyVTHAa1Iw9b01QpSAqw3nWSSPkzlqt/5tlDSH2DvO0F0+
Iv76DEFo3g9gkgSlqceUo5kT2e+LwbHAydGpfXUSNucjmb3uXFT6o9Rh72jj
PnWO7EnIHqjxZmQyOM637xp1/Wyeq1PqLgnk00DkgsSrokacwAFqMe7Lj3tT
PfheUr/eGt/lDKcDevj0qZ9nc4vD8aTqSq9xW3gx93YmQu+NXl/J6JX7MCSk
kXZUB87c8T674DOjjiM0Kf4gRsTPHkuGplXreHwJ7OxRjpSIB/PdUQqlL8ot
liu7zUmNoxg4tNXSHjh2+ut7DzKX6ttVhjE6FsCRpblxxdFAb1qUhTPoJ2XK
+ypEP5/kZmlzilhxhhkspmLLEH1/lWwj+Ewv84p6AREfMhsaGLxhM4dPrlBf
ksqn/ECmSSTxT1cXRwRFNa7pm3z5zouMZ+ND3wnsiLGiLmb0HE82RXIE1Kmq
5U5d5DTC73WP7BHQpfKCgiWg9sWdDAll2pLSLEa6k3EP8rmzlrof8moWvXp4
8LbdY0madXCJYqLxRhCiNIAfH6rrrp+vOzkrMSDmod+LyyOUAxyE+yWiiZEA
wiFXukEwgKxxe/cpPmw7Z+I6XXqGUkbSBBG1rkzuXm4hS72qq4LtA3bYrgy3
H2nAKN8E7fSInHlu7DxG5sat0uWtvffmuWAVU19BNoEBZ+uSHUZmUKNSC/Kg
8+64UD5KVzQ6RARAJUQFadcXGGlMUxdkROuhiR2bCRk4dsUbKSyPNKv3WtUb
umBQ/4xWNZKOinqtSdXSfMq3q+d6jDJpwUhq/VRyCfmcqcJKSWGInzkNIHsb
RI3YsvReSGr85KvlrLytblAmGvxDc9Xbvs8TGRjUVtXsVF+GlYXZ6gJ5I6Oa
b9gwZkEg2IHuvNuEUmr4Ygo5CVvdmTBDEAwZ9qYYen2szovQeRmZlQTQE0Wr
4x4J1XrH8I2rLpn5MKLiZlVGg2nqTdoytGYkB3GQJZ3laYdsvKdN+i9D48nZ
RjoUrfUeMojq/XdsMMMYGnVYo1gAofqUQx6V2mW7BgZZk44Xceojg6HQEogS
7Dmhdqkhm21E6cGYlaQ6mrRFmY7skrwNm63anE/9dEGOhwzj9eTbAKdjWvrA
KXu/MyEdCVI5viQkQjOa7TbnJs/4UIvDX9fRONbLnsfXi8bYmaqjiVeySjqN
Yn0taRTPSAOiepUA39X0TAb/aW/UDAcmq6p6Tckb//9q8kJiyUE/ZaQHgu+5
sHlavH20EyJbHeuDrDbl8gd3k8f14PEuyD0qq/RpFXu/cV+p1qv75B9pYICB
k//dmce2/eL/atuntg9w5pcjZ/7sRsBPUjRoAQyZfv3/TcBXvzwBT2uCyA6P
N0AO9zyswXmo0gUnKTwlvAVs+7zb74Xk6lymHCFkUwICuk0pf/IgiS8zdesd
1bbU9qXRWRQYJRFJ7FJ8MQLx/c7mNB16BkjY3fd5VyHvhDsHe2kyKpI4c/jZ
mi976n6WZtQTZrjaQ4locndRyvUyms4B5e1PW1dZ7Zow5jJ+KLZFDrb+muRQ
VLVNLHLk6GTyZ90FnHYXdbs5a79z6O/3t0epo1g6f3Vs64tsuZ/cjxE5KRwS
FV0ymQ/gKaVWuoe2X6V3GpCxZr6TCjPcMgxXv2q7NjWsxrluEktSlkE342j8
FhSooaHpUJrxXHnsptv4rQB/u5lRL82iKQ2OLT8++SVRYWuadLtu5KuCKgRu
ebU0VBWAZRc3f6JjDu540lic0S5dZQQMNnRh0lVtTUIXWUqRwVLsDCrVaVv3
c979iXNJ1x3xyg9MR0fHvGTfOh6XAQtyTHRcGNiabhv1tUm7TQWWUcUA1WUF
tz2AVKzpZuex+0wl1LDt4NQKAFfXVSN+B3sJ0EjFNnpoPeOms6moR2j62500
IKQbnQQt1abKU6+w3mzHvLN3fL73GUKR3P3kVoPIFQRETQQbuoadmdDNFxDT
lqXNwRFdvMRPU8LSt1J9IIRW5dr2xSiVLL5R0g9Q9baqvXxUM2IB1ZI05K3A
G9cjd31oPOppok4pFW/TSCLHjUNUrmxBd8ZBlu/xoTgJRPt9hUG+PV6uRJFc
WPibRojVNZUZY62NThDhTwi6cbs2a0pkjR401Qj+dm1VFS4ex3/mEP5sY/CX
G3Jf3leHfloZnSpxtrvF5WwCp9z5mDZSEtxYcMcdB5BbZE6abGLuPO1EeYkg
QE2jipsqtRORdSY/vMwW17JemjrPiozsATa5ogGvgS3uXNYLiBuTCxTzKe1u
6p03Dfa2rrqtyGTYT6k5DM3m3Nyxg78MUZzjqWGyxYlx/cWlAuj8/jCC+1q9
oEvZHjk8FoCP574uXvFO8XWLQThUvvAkJzu8ih//tc5iT+finS88Fx0LrrPK
dQu6IAsb2wD5ekZ4ioBFCAdrXsGEi+XvGXxPA60PZ4sfXCzeLw594Jsz//cr
lDPos0VCrRsEkLX0tT+fCnSz6W8mXLRMHmTZ/wD1YfX6ljcAAA==

-->

</rfc>
