<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-usama-tls-fatt-extension-08" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Proposed Document Template for TLS FATT Process</title>
    <seriesInfo name="Internet-Draft" value="draft-usama-tls-fatt-extension-08"/>
    <author fullname="Muhammad Usama Sardar">
      <organization>TU Dresden</organization>
      <address>
        <email>muhammad_usama.sardar@tu-dresden.de</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Security</area>
    <workgroup>Transport Layer Security</workgroup>
    <abstract>
      <?line 83?>

<t>This document applies only to non-trivial extensions of TLS, which require formal analysis.
FATT process has successfully discovered CVEs of <strong>CVSS 7.5</strong> and most recently expected <strong>CVSS 9.1</strong> in the <strong>production</strong> implementations of the drafts proposed for adoption in the TLS WG.
To achieve high cryptographic assurances, this document proposes the drafts specify a clear threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://muhammad-usama-sardar.github.io/tls-fatt-extension/draft-usama-tls-fatt-extension.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-usama-tls-fatt-extension/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Transport Layer Security Working Group mailing list (<eref target="mailto:tls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/tls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/muhammad-usama-sardar/tls-fatt-extension"/>.</t>
    </note>
  </front>
  <middle>
    <?line 89?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>While the TLS FATT process <xref target="TLS-FATT"/> marks a historic change in achieving high cryptographic assurances by tightly integrating formal methods in the working group (WG) process, it would be helpful to adapt the way in which drafts are typically written to get the benefits.</t>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>Unverified protocol designs, imprecisely stated threat model and security goals have led to high and critical severity vulnerabilities of the extensions proposed in the drafts.</t>
        <section anchor="sec-mot-example">
          <name>Concrete Motivational Example: Practical Exploits in Production Systems</name>
          <t>As an illustrative example, authors of <xref target="I-D.fossati-tls-attestation-08"/> asked for adoption in IETF 121, explicitly requesting us (by name) for formal analysis <xref target="Intra-handshake-attestation"/>. We carried out formal analysis of draft in support for FATT process. The formal analysis led to three orthogonal issues:</t>
          <ul spacing="normal">
            <li>
              <t>Formal analysis <xref target="ID-Crisis-repo"/> found <strong>diversion</strong> attacks for <xref target="I-D.fossati-tls-attestation-08"/>. For technical details, please see the corresponding paper <xref target="ID-Crisis"/>.</t>
            </li>
            <li>
              <t>Formal analysis <xref target="Intra-handshake.fail-repo"/> of several <strong>production</strong> implementations of <xref target="I-D.fossati-tls-attestation-09"/> led to discovery of <xref target="CVE-2026-33697"/> of <strong>CVSS 7.5</strong> for <strong>relay</strong> attacks. For technical details, please see the corresponding paper <xref target="Intra-handshake.fail"/>.</t>
            </li>
            <li>
              <t>Further formal analysis of <strong>production</strong> implementation of <xref target="I-D.fossati-tls-attestation-09"/> has led to discovery of another class of attacks and will potentially lead to two CVEs (currently under <em>responsible</em> disclosure) each with an expected <strong>CVSS 9.1</strong>.</t>
            </li>
          </ul>
          <t>This shows the value of FATT process in the design of secure protocols to find subtle vulnerabilities, which could otherwise be missed.</t>
        </section>
      </section>
      <section anchor="proposal">
        <name>Proposal</name>
        <t>To produce high-quality specifications, this document outlines the corresponding changes in the way drafts are typically written.
For the draft to be useful for the formal analysis, this document proposes that it would be helpful for the formal analysis if the draft contains four main items, namely:</t>
        <ul spacing="normal">
          <li>
            <t>motivation,</t>
          </li>
          <li>
            <t>a threat model,</t>
          </li>
          <li>
            <t>informal security goals, and</t>
          </li>
          <li>
            <t>a protocol diagram (<xref target="sec-prot-diagram"/>).</t>
          </li>
        </ul>
        <t>Each one of these is summarized in <xref target="sec-res-authors"/>. Future versions of this draft will include further concrete examples.</t>
      </section>
      <section anchor="scope">
        <name>Scope</name>
        <t>The scope of this document is only non-trivial extensions of TLS, which require formal analysis.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<section anchor="sec-prot-diagram">
        <name>Protocol Diagram</name>
        <t>In the context of this document, a Protocol Diagram specifies the proposed cryptographically-relevant changes compared to the standard TLS protocol <xref target="I-D.ietf-tls-rfc8446bis"/>. This is conceptually similar to the Protocol Model in <xref target="RFC4101"/>. However, while <xref target="RFC4101"/> only recommends diagrams, we consider diagrams to be essential to reduce the gap between:</t>
        <ul spacing="normal">
          <li>
            <t>the specifications and formal analysis</t>
          </li>
          <li>
            <t>the specifications and implementation</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-res-authors">
      <name>Contents of Drafts</name>
      <t>The following contents are expected in drafts:</t>
      <section anchor="motivation-1">
        <name>Motivation</name>
        <t>Drafts are expected to provide the motivation of the work (i.e., the proposed extension of TLS).</t>
      </section>
      <section anchor="sec-th-model">
        <name>Threat Model</name>
        <t>A threat model identifies which threats are in scope for the protocol design. So it can answer questions like:</t>
        <ul spacing="normal">
          <li>
            <t>What are the capabilities of the adversary? What can the adversary do?</t>
          </li>
          <li>
            <t>Whether post-quantum threats are in scope?</t>
          </li>
          <li>
            <t>What can go wrong in the system? etc.</t>
          </li>
          <li>
            <t>What are the computational and memory resources available to the adversary?</t>
          </li>
        </ul>
        <section anchor="typical-dolev-yao-adversary">
          <name>Typical Dolev-Yao adversary</name>
          <t>A typical threat model assumes the classical Dolev-Yao adversary, who has full control over the communication channel.</t>
          <t>Any additional adversary capabilities and assumptions ought to be explicitly stated.</t>
        </section>
        <section anchor="keys">
          <name>Keys</name>
          <t>This is particularly relevant for proposals of hybrid key establishment or hybrid authentication.
This section ought to specify any keys in the system (e.g., long-term keys of the server) in addition to the standard TLS key schedule. Theoretically and arguably practically, any key may be compromised (i.e., become available to the adversary).</t>
          <t>For readability, we propose defining each key clearly as in Section 4.1 of <xref target="ID-Crisis"/>. Alternatively, present as a table with the following entries for each key:</t>
          <ul spacing="normal">
            <li>
              <t>Name (or symbol) of the key</t>
            </li>
            <li>
              <t>Purpose of the key</t>
            </li>
            <li>
              <t>(optionally but preferably -- particularly when the endpoint is not fully trusted) Which software in the system has access to the key?</t>
            </li>
          </ul>
          <t>If more than one servers are involved (such as migration cases), the keys for servers ought to be distinguished in an unambiguous way.</t>
        </section>
      </section>
      <section anchor="informal-security-goals">
        <name>Informal Security Goals</name>
        <t>Knowing what you want is the first step toward achieving it. Hence, informal security goals such as integrity, authentication, freshness, etc. ought to be outlined in the draft.</t>
        <t>Examples:</t>
        <ul spacing="normal">
          <li>
            <t>Integrity of message X holds unless some key Y is leaked.</t>
          </li>
          <li>
            <t>(stated differently) Integrity of message X holds as long as some key Y is protected.</t>
          </li>
          <li>
            <t>Freshness of message X holds unless some key Y or some key Z is leaked.</t>
          </li>
          <li>
            <t>Server Authentication holds unless some key Y or some key Z is leaked.</t>
          </li>
        </ul>
        <t>See Section 5.1 of <xref target="ID-Crisis"/> for concrete examples.</t>
      </section>
      <section anchor="protocol-diagram">
        <name>Protocol Diagram</name>
        <t>A Protocol Diagram ought to clearly mention the initial knowledge of the protocol participants, e.g., which authentic public keys are known to the protocol participants at the start of the protocol. An example of a Protocol Diagram for <xref target="I-D.fossati-tls-attestation-08"/> is provided in Figure 5 in <xref target="ID-Crisis"/>.</t>
      </section>
    </section>
    <section anchor="document-structure">
      <name>Document Structure</name>
      <t>While the needs may differ for some drafts, we propose the following baseline template, with examples of <xref target="I-D.wang-tls-service-affinity"/> and <xref target="I-D.sheffer-tls-pqc-continuity"/>:</t>
      <t>The template is:</t>
      <ul spacing="normal">
        <li>
          <t>Easy for readers</t>
        </li>
        <li>
          <t>Easy for reviewers</t>
        </li>
        <li>
          <t>Easy for formal analysis</t>
        </li>
      </ul>
      <t>TODO: Currently it is almost a copy of the <eref target="https://mailarchive.ietf.org/arch/msg/tls/LfIHs1OVwDKWmDuCEx0p8wP-KPs/">guidance email</eref> to the authors. We request feedback on what to add in next versions.</t>
      <section anchor="introduction-1">
        <name>Introduction</name>
        <ul spacing="normal">
          <li>
            <t>Problem statement: Say in general what the problem is.</t>
          </li>
          <li>
            <t>For <xref target="I-D.wang-tls-service-affinity"/>, we believe this
 may preferably <em>not</em> include CATS. Anyone unfamiliar with CATS ought to be
 able to understand the problem statement.</t>
          </li>
        </ul>
      </section>
      <section anchor="terminology">
        <name>Terminology</name>
        <ul spacing="normal">
          <li>
            <t>Define any terms not defined in RFC8446bis or point to other drafts from where the definition is used.</t>
          </li>
        </ul>
      </section>
      <section anchor="motivation-and-design-rationale">
        <name>Motivation and design rationale</name>
        <ul spacing="normal">
          <li>
            <t>We really like how the author of <xref target="I-D.ietf-tls-8773bis"/> motivates the problem statement. Use it as a sample.</t>
          </li>
          <li>
            <t>Here authors can address all the concerns from WG, including
 justification with compelling arguments and authentic references
 why authors think it ought to be done within TLS WG (and within handshake).</t>
          </li>
          <li>
            <t>For <xref target="I-D.wang-tls-service-affinity"/>, authors could put CATS here as a motivational use case.</t>
          </li>
          <li>
            <t>For <xref target="I-D.sheffer-tls-pqc-continuity"/>, it should clarify why the problem is specific to PQ-only and why did the WG do such a thing for the transition for other primitives, as requested by several WG participants.</t>
          </li>
        </ul>
      </section>
      <section anchor="proposed-solution-one-or-more-sections">
        <name>Proposed solution (one or more sections)</name>
        <ul spacing="normal">
          <li>
            <t>Protocol design with Protocol Diagram: we work on the formal analysis of TLS 1.3 exclusively. Please contact someone else if your draft relates to older versions.</t>
          </li>
        </ul>
      </section>
      <section anchor="security-considerations">
        <name>Security considerations</name>
        <section anchor="threat-model">
          <name>Threat model</name>
        </section>
        <section anchor="desired-security-goals">
          <name>Desired security goals</name>
          <t>As draft proceeds these desired security goals will become what the draft actually achieves.</t>
          <ul spacing="normal">
            <li>
              <t>For <xref target="I-D.sheffer-tls-pqc-continuity"/>, it should clarify which property of the TLS protocol is broken and how does the proposal improve the security.</t>
            </li>
          </ul>
        </section>
        <section anchor="other-security-implicationsconsiderations">
          <name>Other security implications/considerations</name>
        </section>
      </section>
    </section>
    <section anchor="sec-sec-cons">
      <name>Security Considerations</name>
      <t>The whole document is about improving security considerations. As mentioned in <xref target="sec-mot-example"/>, unverified specifications have led to high and critical severity exploits.</t>
      <t>Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Formal methods should be used as complementary and not as subtitute of other analysis methods.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="TLS-FATT" target="https://github.com/tlswg/tls-fatt">
          <front>
            <title>TLS FATT Process</title>
            <author>
              <organization>IETF TLS WG</organization>
            </author>
            <date year="2025" month="June"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-tls-rfc8446bis">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="I-D.fossati-tls-attestation-08">
          <front>
            <title>Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Paul Howard" initials="P." surname="Howard">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Arto Niemi" initials="A." surname="Niemi">
              <organization>Huawei</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="21" month="October" year="2024"/>
            <abstract>
              <t>   The TLS handshake protocol allows authentication of one or both peers
   using static, long-term credentials.  In some cases, it is also
   desirable to ensure that the peer runtime environment is in a secure
   state.  Such an assurance can be achieved using attestation which is
   a process by which an entity produces evidence about itself that
   another party can use to appraise whether that entity is found in a
   secure state.  This document describes a series of protocol
   extensions to the TLS 1.3 handshake that enables the binding of the
   TLS authentication key to a remote attestation session.  This enables
   an entity capable of producing attestation evidence, such as a
   confidential workload running in a Trusted Execution Environment
   (TEE), or an IoT device that is trying to authenticate itself to a
   network access point, to present a more comprehensive set of security
   metrics to its peer.  These extensions have been designed to allow
   the peers to use any attestation technology, in any remote
   attestation topology, and mutually.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-tls-attestation-08"/>
        </reference>
        <reference anchor="I-D.fossati-tls-attestation-09">
          <front>
            <title>Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Paul Howard" initials="P." surname="Howard">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Arto Niemi" initials="A." surname="Niemi">
              <organization>Huawei</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="30" month="April" year="2025"/>
            <abstract>
              <t>   The TLS handshake protocol allows authentication of one or both peers
   using static, long-term credentials.  In some cases, it is also
   desirable to ensure that the peer runtime environment is in a secure
   state.  Such an assurance can be achieved using attestation which is
   a process by which an entity produces evidence about itself that
   another party can use to appraise whether that entity is found in a
   secure state.  This document describes a series of protocol
   extensions to the TLS 1.3 handshake that enables the binding of the
   TLS authentication key to a remote attestation session.  This enables
   an entity capable of producing attestation evidence, such as a
   confidential workload running in a Trusted Execution Environment
   (TEE), or an IoT device that is trying to authenticate itself to a
   network access point, to present a more comprehensive set of security
   metrics to its peer.  These extensions have been designed to allow
   the peers to use any attestation technology, in any remote
   attestation topology, and mutually.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-tls-attestation-09"/>
        </reference>
        <reference anchor="RFC4101">
          <front>
            <title>Writing Protocol Models</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author>
              <organization abbrev="IAB">Internet Architecture Board</organization>
            </author>
            <date month="June" year="2005"/>
            <abstract>
              <t>The IETF process depends on peer review. However, IETF documents are generally written to be useful for implementors, not reviewers. In particular, while great care is generally taken to provide a complete description of the state machines and bits on the wire, this level of detail tends to get in the way of initial understanding. This document describes an approach for providing protocol "models" that allow reviewers to quickly grasp the essence of a system. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4101"/>
          <seriesInfo name="DOI" value="10.17487/RFC4101"/>
        </reference>
        <reference anchor="ID-Crisis">
          <front>
            <title>Identity Crisis in Confidential Computing: Formal Analysis of Attested TLS</title>
            <author fullname="Muhammad Usama Sardar" initials="M." surname="Sardar">
              <organization>TU Dresden, Dresden, Germany</organization>
            </author>
            <author fullname="Mariam Moustafa" initials="M." surname="Moustafa">
              <organization>Aalto University, Espoo, Finland</organization>
            </author>
            <author fullname="Tuomas Aura" initials="T." surname="Aura">
              <organization>Aalto University, Espoo, Finland</organization>
            </author>
            <date month="June" year="2026"/>
          </front>
          <seriesInfo name="Proceedings of the ACM Asia Conference on Computer and Communications Security" value="pp. 547-560"/>
          <seriesInfo name="DOI" value="10.1145/3779208.3785387"/>
          <refcontent>ACM</refcontent>
        </reference>
        <reference anchor="ID-Crisis-repo" target="https://github.com/CCC-Attestation/formal-spec-id-crisis">
          <front>
            <title>Identity Crisis in Confidential Computing: Formal Analysis of Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="M." surname="Moustafa">
              <organization/>
            </author>
            <author initials="T." surname="Aura">
              <organization/>
            </author>
            <date year="2025" month="November"/>
          </front>
        </reference>
        <reference anchor="I-D.ietf-tls-8773bis">
          <front>
            <title>TLS 1.3 Extension for Using Certificates with an External Pre-Shared Key</title>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <date day="5" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies a TLS 1.3 extension that allows TLS clients
   and servers to authenticate with certificates and provide
   confidentiality based on encryption with a symmetric key from the
   usual key agreement algorithm and an external pre-shared key (PSK).
   This Standards Track RFC (once approved) obsoletes RFC 8773, which
   was an Experimental RFC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-8773bis-13"/>
        </reference>
        <reference anchor="I-D.wang-tls-service-affinity">
          <front>
            <title>Service Affinity Solution based on Transport Layer Security (TLS)</title>
            <author fullname="Wei Wang" initials="W." surname="Wang">
              <organization>China Telecom</organization>
            </author>
            <author fullname="Aijun Wang" initials="A." surname="Wang">
              <organization>China Telecom</organization>
            </author>
            <author fullname="汪宗斌" initials="P." surname="汪宗斌">
              <organization>Beijing Infosec Technologies Co., LTD.</organization>
            </author>
            <author fullname="Mohit Sahni" initials="M." surname="Sahni">
              <organization>Palo Alto Networks</organization>
            </author>
            <author fullname="Ketul Sheth" initials="K." surname="Sheth">
              <organization>Palo Alto Networks</organization>
            </author>
            <date day="25" month="June" year="2026"/>
            <abstract>
              <t>   This draft proposes a service affinity solution between client and
   server based on Transport Layer Security (TLS).  An extension to
   Transport Layer Security (TLS) 1.3 to enable session migration.  This
   mechanism is designed for network architectures, particularly for
   multi-homed servers that possess multiple network interfaces and IP
   addresses.

   This document also introduces a Reliable Framing Layer that operates
   above the TLS record layer to provide message framing, sequence
   numbering, acknowledgment tracking, and automatic retransmission.
   The Framing Layer ensures zero application data loss during TLS
   session migration by buffering unacknowledged data frames and
   retransmitting them to the new server endpoint after migration
   completes.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-wang-tls-service-affinity-03"/>
        </reference>
        <reference anchor="I-D.sheffer-tls-pqc-continuity">
          <front>
            <title>PQC Continuity: Downgrade Protection for TLS Servers Migrating to PQC</title>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <date day="9" month="June" year="2026"/>
            <abstract>
              <t>   As the Internet transitions toward post-quantum cryptography (PQC),
   many TLS servers will continue supporting traditional certificates to
   maintain compatibility with legacy clients.  However, this
   coexistence introduces a significant vulnerability: an undetected
   rollback attack, where a malicious actor strips the PQC or composite
   certificate and forces the use of a classical certificate once
   quantum-capable adversaries exist.

   To defend against this, this document defines a TLS extension that
   allows a TLS client to cache a server's declared commitment to
   present PQC or composite certificates for a specified duration.  On
   subsequent connections, the client enforces that cached commitment
   and rejects traditional-only certificates that conflict with it.
   This mechanism, inspired by HTTP Strict Transport Security (HSTS) but
   operating at the TLS layer, provides PQC downgrade protection without
   requiring changes to certificate authority (CA) infrastructure.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-sheffer-tls-pqc-continuity-02"/>
        </reference>
        <reference anchor="Intra-handshake.fail" target="https://www.researchgate.net/publication/408219182_Intra-handshakefail_CVE-2026-33697_High-severity_CVE_in_Attested_TLS">
          <front>
            <title>Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="V." surname="Dubeyko">
              <organization/>
            </author>
            <author initials="J.-M." surname="Jacquet">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="Intra-handshake.fail-repo" target="https://github.com/CCC-Attestation/formal-spec-KBS">
          <front>
            <title>Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="V." surname="Dubeyko">
              <organization/>
            </author>
            <author initials="J.-M." surname="Jacquet">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="Intra-handshake-attestation" target="https://datatracker.ietf.org/meeting/121/materials/slides-121-tls-tls-and-attestation-00.pdf">
          <front>
            <title>Attestation and TLS</title>
            <author initials="" surname="Hannes Tschofenig">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
        </reference>
        <reference anchor="CVE-2026-33697" target="https://www.cve.org/CVERecord?id=CVE-2026-33697">
          <front>
            <title>CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys</title>
            <author>
              <organization>CVE</organization>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 267?>

<section numbered="false" anchor="appendix">
      <name>Appendix</name>
      <section numbered="false" anchor="document-history">
        <name>Document History</name>
        <t>-08</t>
        <ul spacing="normal">
          <li>
            <t>Focused on document structure only</t>
          </li>
          <li>
            <t>Motivational examples</t>
          </li>
        </ul>
        <t>-07</t>
        <ul spacing="normal">
          <li>
            <t>Failure of current process</t>
          </li>
          <li>
            <t>Students of FATT</t>
          </li>
          <li>
            <t>Lead FATT Person for Contact</t>
          </li>
          <li>
            <t>Feedback from the WG</t>
          </li>
        </ul>
        <t>-06</t>
        <ul spacing="normal">
          <li>
            <t>Solution for ML-KEM: FATT analysis</t>
          </li>
          <li>
            <t>Solution for FATT contact: new mailing list</t>
          </li>
          <li>
            <t>Replaced responsibilities by expected contributions</t>
          </li>
          <li>
            <t>Clarified Verifier even further that it is just a WG member; no formal role</t>
          </li>
          <li>
            <t>s/pure/non-hybrid</t>
          </li>
        </ul>
        <t>-05</t>
        <ul spacing="normal">
          <li>
            <t>Removed process-related stuff</t>
          </li>
          <li>
            <t>Moved discussion at meeting to solutions</t>
          </li>
          <li>
            <t>Added ML-KEM</t>
          </li>
        </ul>
        <t>-04</t>
        <ul spacing="normal">
          <li>
            <t>Extended threat model <xref target="sec-th-model"/></t>
          </li>
          <li>
            <t>Helpful discussions on formal analysis in meetings</t>
          </li>
          <li>
            <t>Pointer to formal analysis and costs</t>
          </li>
        </ul>
        <t>-03</t>
        <ul spacing="normal">
          <li>
            <t>Limitations of formal analysis in security considerations</t>
          </li>
          <li>
            <t>Proposed solutions section</t>
          </li>
          <li>
            <t>More guidance for authors: Threat Model and Informal Security Goals</t>
          </li>
        </ul>
        <t>-02</t>
        <ul spacing="normal">
          <li>
            <t>Added document structure</t>
          </li>
          <li>
            <t>FATT-bypass by Other TLS-related WGs</t>
          </li>
          <li>
            <t>FATT process not being followed</t>
          </li>
        </ul>
        <t>-01</t>
        <ul spacing="normal">
          <li>
            <t>Pain points of Verifier <xref target="sec-prot-diagram"/></t>
          </li>
          <li>
            <t>Small adjustment of phrasing</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We thankfully acknowledge the following for their valuable input:</t>
      <ul spacing="normal">
        <li>
          <t>Eric Rescorla for review of -02, -05, and -06.</t>
        </li>
        <li>
          <t>John Mattsson for proposing text for security considerations.</t>
        </li>
        <li>
          <t>David Benjamin for review of -06.</t>
        </li>
        <li>
          <t>Mike Ounsworth for review of -07.</t>
        </li>
        <li>
          <t>Songbo Bu</t>
        </li>
      </ul>
      <t>We gratefully acknowledge the valuable contributions of co-authors of papers for their instrumental contributions in formal analysis: Mariam Moustafa, Tuomas Aura, Viacheslav Dubeyko, and Jean-Marie Jacquet.</t>
      <t>We sincerely thank the contributors of the formal analyses <xref target="ID-Crisis-repo"/> and <xref target="Intra-handshake.fail-repo"/> mentioned in the respective repositories.</t>
      <t>We express our appreciation to Yaakov Stein and Ilari Liusvaara for their substantial technical guidance, valuable feedback, and contributions in early attempts to formally model ML-KEM.</t>
      <t>The research work is funded by German Research Foundation ("Deutsche Forschungsgemeinschaft.")</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA71b7XLbOJb9z6fAuv/YLlGO89FxvDOTcdtO4k6cZGIn2d6u
qRREQhLHFMnmhxRNyu+yz7JPtudcABQpyU7PdtWkqjs2CQIX9+Pccy+QMAyD
OqlTc6x23pd5kVcmVmd51MxMVqtrMytSXRs1zkt1/eZKvTi5vlYYF5mq2gki
vJrk5fJYJdk4D4I4jzI9w1Rxqcd12FR6psM6rcKxruvQfK1NViV5Fj44Cqpm
NEsq/lYvC3xxcX79QqkflE6rHKIkWWwKg/9l9c5A7Zg4qfMy0Sl/uTj5CX9B
oJ2LD9cvdoKsmY1MeRzEkOY4iPKswjJNdazqsjHB/Fg9CnRpNGa9MlFTJvVy
J1jk5c2kzJsCT69LnVVFXtbqjV6aUq1GzU3WYEqlvj9UKbuPnc+YOckm6iU/
4fOZTlI8hxr+mph6PMzLCR/rMpri8bSui+r44ICj+CiZm6EfdsAHB6MyX1Tm
AN8f8LtJUk+bEb6cNVM9m+nYqbnSZazLg01t8yPasKq7y237eGjnHib5lmkO
7rfpcFrP0p0g0E09zWEMFWJZpcZNmlqX2Ll0S6qPnEJdyZI7Mgp71VnyT11j
omN1/VGdlaaC7eWlcQr0In8REYZW5L/WTRjbwcPYYP0sL2eYZy5mg8eG9Nhj
mUi1srk/WNY5Hl3780v7wkXDure7l7qcGCjS69FpLMpnVNli0irODheXVD83
mVEPHzx8EgSMk46AF+GZWFsUWo6jo8ePfxwllX81zqsKY+Ut5oQJRUWIn++O
eMYRH16cPj58cCiDz8LTMqkwtzp7dzE8fDA8PHz85ODR06fPHj44Gj56evTk
0dHT7sCwNEVuleUB4oLxCHdXdgSiXp3m2TiRxzrFL7OiqeH9x+oFt5mqk0yn
Sw7Nx+pE5AO8QLXW7lY9b/O5YQSLigbBd9R8enoanqx2eiD6TMOqMFGYxGEk
kgWb5g4hLTZ/OVQfh875Nt5c5g2mHev+i+uhOmlKvW6uo6dPH3VstdDZRJ5X
ppwnkQn1eJxkUJYfUE3NeGxKGVP8FoUAKqiq8SOyutThVGdxNdU3Zjim0/eV
v2WE2j39dB5Cbz+Gjx79+Ozp3rF6lUymkGFuSjHUp3Na6S7Ve8/8cbvaF4vF
EMFliEMTfDDMTH1QNKM0iazyHz84enj47PDo4Zc16Sjcl75sX3qS8eWXJPvi
JfsCyf4/Vvs0VGfNyCxv8v7zn0N887OOfmtMfYd6tzn4v1/Hv9O1X//0b1RP
F0r6CuqIpzB6fa9HvWB+vH3HGKqxXHRjylWqmxlD4Dg4fHiIXFgbJvvqoEqB
LVWIhxI2gnJZ3Ee6B8MiHt+tm1c6y0ylrqtomo9Nlkzwum/Q+7IDRvaywml+
ml8p3TG1ArjNmzQzpR6lRtW5Kk2qlxyDLeJdohWyJPbLD0wxNTMMTeXTG7O8
I68w8iJQAaoGMnwwUV7Gz5P4z33Ru1nmklEqjhbgTxiGSo8qWTcIrqeQMvas
ThdFmkAneZYuKXAGNdZlMieEtwldIBtCDtRimmDi0vzWJKUwQQK7dsA+DCRJ
FjZJqqmuVNVE/Jmpf6nipIrgEiX2DtFl0v39009XV+rp8Mn+vjjRLK9qzB9B
NnxhvsLfqSs37tnwEOMQYPXU4BlWipuIpudT0FPDPYkvyOwcJVSlolCWz5K9
6jgvxG3dTDblD4PrXGnQLgSzmiKsVVQuizqflLrAtpWuKkB/hv0M8FVXiW7y
qrsgIzUZw/YqSgGaeAXeWWN/sUllpy79p6pyxFFNcvi5l8nTSWbVCp5fum1h
NH8YQBy1MGnKv2c5SMQqEDUFqvMoT6FyDfFnflKRbWg9YpbEcWqC4AeJeK/I
4PM0oes6rfQM+u2bJ1G3t6CyJTxaQ1EV6XikIkDGxHAlq0MS33u1qEbwOAyg
oZMM1QO3iI+cWmYGMRi3+lg4Li30W+1+frnn5RqopMbrJo3VCIYzaQF3oy/r
WBe1/VhzCee9zkCoA8jTkb7omwvoGt7OzxB88tHIZGac1HBrKOkHEAKv5OBj
RrgfJ3CnlaZNlUwyCjMr4L9JZTArgQmDNmy/ZvKphselHJhblXEM2EtN4VSb
XDy0JCnemNbDO2HaennX3tzAD9gAHCkqDQq41U4w+/lXzcA5BrcFPMiC51+L
NMfGOcv71jPU1RI4N6uCb8fqB2wghNeB88vX6jYITqBSRFSaNkQaslrl3g4c
norE377dz2bhWrq62RKoQs6B/gOiAlhHQr8hEuFjOkZTqV14FCuMPfl4DZ24
8t2p7fZ2qD4bFemypFnzpt74HsKLPilM1RRS+nGdbowM1fV0Axe9aekGBrkE
upiI7lH0QvpjxKPnyF1he+QbahnnTUYkjKHasrKg5zML5fi+ZodcRtUmmmZi
6NjUIDXwWRhJVwaeZiMfCQZUr8izmIotdGHKrkCY6A6R72JWkB7aE0fGF98H
7u9s5Rnmczr1OWVpP+unRLtsL8dQUfv7kpZX6vuDetmya6+iBsY2m64oUt2j
hN+pA2bYbXrQWS7LRinQVh44NyGuLBCiqshrW6chhrBH656L3OblXYBTaRMw
PA7z7NtdVwlYzb4sleZAccSZAdZjxpqQtT1bDx3jqKb5wibIuU4bQ6l6ycUj
lsCo9RaIYVqArSgiqiiAZzMC/1pHQ89NIkkEsv8FQJgpgc0lEwsKKtvX0ilz
vTWAzfXhb41OCbI2b7uiZiPTAxfSJHOZvu8ONv+t8hVSzn2ZBmSJPudBmruD
qE1lmLzG7tWa39zDO5BetmXBOyZSSYccKVafGgSZCFOyRwW8JdIPBExT1KTB
fodjDPCb7uU0PrmDzgzoc/LBBifZ/faNaYTPQ/fs9nYPZjqnU+WZcQkORqT/
NDNQjuSfNrnZT6H90KUWAbempsc4dHT5kfqSXYrfJ1mUNjH04QIz8jnRpSqb
K9VVlBcmIJRX/Gk1k9d84hjzH6PLgSTlOSORXzE6z4x0Cvh7IAKgLiD3ARHa
ufx4dc2mJ/9Wb9/Jzx/O//bx4sP5GX++enXy5k37Q+BGXL169/HN2eqn1Zen
7y4vz9+e2Y/xVPUeBTuXJ7/siP3Uzrv31xfv3p682bHu3asgSuOclySuLKhO
cNAqQCiDw4yswX46ff+//3P4GIb7jw8vTh8eHhK/7C9Hh08f45fF1GR2NdGs
/RVGWgaoUcigySxhwkgXSW09y6JKBm8vDbS5/ys18/dj9adRVBw+/ot7wA33
Hnqd9R6KzjafbHxslbjl0ZZlWm32nq9pui/vyS+9373eOw//9JwIpMLDo+d/
CTym2cg6s1HUMrRuaJGiXWQOt2Cor/WGV0OjG3N5PHSQ1xLMHqknriEYUzPX
cAgPhFE+K3TpqY8hGc5iXdpKuUUDm+a2ND4Z0ZI5kkrC1BR1IwBaJTP2x/20
rcSXQq8FHFyzk1O8yhekHRKLyBqdd9bPwNXzGXaPAHOaYioRJUnZ1T51To5c
5TqcUt5LAqEYE13gdb0wJhO8lB33con49hoG3D2wTwgChxXM2gIvZ5JaWkt3
kJCGtiQ0TfOFZCb/HUO1TdJQlM1Px+vlzdkqbbWja0mXc2hEBO5UnK4KYX2m
dpOhGQ76ntLCokPFPQux1zZ/iNHabdTT0BZJrCf6ZZNtLIsjWlS1b62YZOQC
1D7frZVlQ3WVMz9GmhVytYBZbd1AbafJjRGTfWYWFThjkOhio9LSMXOLLpfP
7VhO13uOUHouExnJLlBATWKR1c1sq7zP/aqcaZKDG+Swl2MQldRbz5Wpo+GG
dNJd9zWcNE7MLC/pzhWSOKtrPecxkutD9aW39eC1pSTqLEfghr/ofDWCyndv
+7UrCpaZZz8kl3dNwHDLhZ+y9SMeWMIaZKhe/lmTOYcXxMhMCsc4yZaYJE78
xlrF9swhTQ6KUriKoZlMPYPqFIe2+nbV72v21zyeAJdQ6jZAEUEAB1x0nsLx
Q7H5dDkqk1hSMIn3KE2qqaWBpX/HoKNj2p0MHde1PZqVXG0zCNtjo69vYrVr
hhOETZrz2MCUMzvGOR3PEEy5J+nPaWYrolLKKpoCkVIjZWiOTOw4pyisnDTY
whJbdIV+uhx4icD6ltQe/arMQZgRuC6YRwRIc487MaDJZeEnsbXRUhDUIQBC
kJQGfi3FAheTjhjFEkVcOW09Hh66uqdTaKqTFBrJpJ9AeQueQZB1sPdUizxS
ftQ9xMOIko5Ci/pVJcTfgtCqXTytlrNRnu55JeM93r5vSpG493DXtiBEj6OG
pNuMpcG7VGHY9yRyFtuSyeIiTyxPRC2mbP+zLht2ivcQygSwKh/XC4cGHWdg
0GjpmnpNQw6E7MUYQSjhD6wgO7aO4QFlnqdzGq1qMDV7gsmkdNGFErbaG/ip
rFb8x93QQWHHTkoDL7f5AQs1KAFGyaTJm4oljcXuC8/12yblS3L94HVm1b8g
VC3zBl9YHYh1krKq4bKmwHILeu2qT5jUSNQGOX5wZ1vU78t2CsXH+rE3UGP4
xjSTjiAxs7c3V7jF653QX12skmD9Re1eZG4h0ZrV2QVpbWbqUPIiKSeLLJp1
tKIJQnklBJa9zpVEIlzKbiLy9RndZhXgbqNRv9PrUtlJwcsPydfhHiojV6WI
L194TXAioHKlJ0b9l5rmKbhMk6X0oIqhy5D7RUkfSt8QEOHUrjMZJzyHlFp/
7/4J2WpgctLrkzLVCkfgvC+8CX6fTHRE/9t/9yW8EgdVJz0b/+sTBVfGtAjz
ZAvCiLXuKAM3iPXJJj9uncyD2syWc2I7KeXgyzcIjNTEkxZaWn5i8SMpECh0
W8kDlt+03q3sKauNXQY7Z2tzwNaZlK59glj5mR8JTM38RqU5tLmp39dOdNYn
KZS4egGcgHhPLAfvtwt/WF0kugIORqzUO2cNmTGwK5OQ9UiLUbSo5ai9hNLH
+hECVSqi2l1QGtiM4E256qXdeSzPnjMypB1199n87e2xpdZ+JZXYSDzXlY16
xj9Qtf9onpjF2sP1KiC4fnf27lidtn23RGBTp3IcBjDKi6U3468A6JgHKPY2
zN93v39taFbJZZSDN+OLV9Xhu0+Ls9efZ2fN6fnXB8XR4n34+n11sNfmdVtG
SDvctdfVGOYZ6egGeceCu5yuiNEzVpK+5eLTQ+c8SSm1TwdDpp5ZRkYnOFZX
9khmYjLpCdtZrZfKUPZH5NsXrS/eYz/xjxH8gGd3LGrd0S09qpOw94Ha+20T
6PTk+orBsGQ2bbKxRl2ZoLAU9+HLbgZxE3oGJI1R4V89qdsNuiIHZC7J8jSf
LO1mpL1jhHWR6Fl2IATJhhDbIbb8JaRZDoHVbDvXtRPHIGikGq4UiNuOEV2m
aTudl/1DQddYLV3NYKw8YmPbBUYVBHhddHxgFTnrF114/menX/UF1vavPrJv
54haJaHoDPqKkvtiVSqymNe2KunuuP5EhIzrdvr55cBZDNHurPAPEKm2Xrb2
InM1aUpEINOd2YI36zB0JX5AluG9YzFdtoLAabIbCtxjRPQMTg/T2ENitWt7
6PKo7fnv/Wu+2m5e6AAKOettYlLR16x7QgeTChvZWOM+pJJDUUdVUKmVrD64
3X6ItY0H7vf930LpiMgGp0Ri69vYdJx7WsR9T9oyu+YdSOt7fGTdtCiTWUK+
blt0DkPg36NlewSEObv5qtubx8AqTxuZdFe6wKUlvo6pVXstpnRLfOsF65ns
mLggrQmXkbecxNCwh8NHSBhwskrqjKF6b09+pDUe1ZKKKItJ6dVjklsXj3LF
Q8IAYZqyYdQHw6vt7M6V4J3i2j45w2ZIJvvsV05X7XJyXsJkaTvj8dbxttnt
KrcWWu0E2I7to7mrDpTzDzsWCQvTsynrNlH12nxQ9ajMb4wFI+JMnPd6ijwO
Ze05Nz1S7Kr3d+JZ7SbZHPPdsoN1xQa/2o5e7Ti9lOSSSIlxbNqL/oRdRHle
Alc6ONJNgXvkLXdcxGh7VvyPIvi+2wIc1fROCvSIx8l2d4yeOwg/UlHl2WP3
lKNzzk71N6vLB2ttw995jcC4432o9g1Bn7DbigQZ8zECd+PAyB14kP7XpSsE
eEeg24exF3jgy/YY3LbkWP61h18pocHEts9vG4nsK4kvMBVmhoUvvCqVlo+c
5zBBhYjhlEkMoi9Fr8T71HyVQnDt8LQ9vqU/ehSlrgFXifBsQkpSEViryGRY
LrdnwN17J87H7aGcVHd2SVmntDBJkeWW06hO6qYWOm1BsFWcm04ukaiLk7cn
6360diGL5X+W25HaAt7Q3eEiA+MsviKECzaZvfFu4ltBm5Zkv5JrOcv1Ibxu
zzINw7gpKst/UXlaLobGoN41Ec+mOcVTmQIqlsFj5Y6L/VEui7e6iX2nmqe8
ePSGp8z2EjXw0SWMUwuvnM4zTMn5Nu1w2w9+5GJXPiHwo8s34evzy2M7WaeR
3hskLx16H8OtFnL3ntGXQjMY/QGupCPooD3b9t3FUefemTQuk1FjTbWvTgXx
GHufbBCWCmGVteeJ/iAWFiVHQcJEppvJLcj/pFldWJWACMxWHRRQ4QEPEW07
kRt+Eoh0s3xurxdRpaFNMoj4uhmPxTZzqd4r2FF668wi9tqk9BudKijySczy
zCqN8z+WioVN+Xj9apLFG9+Ev70NSNbsQfJqKQLBJjxkfnku+T6Xo0A5sV8b
KJAELBZHekRR3hASVlc/tsx8B14G+5uMoe29io7gnm2xJE0Zi+vHvcMHEemu
jhaEfBi0StyMFXouPC0cLQtetYDr2EzFi3LeZp9fVm5Ye9nBNo8sk2Ida8Ty
h1zpPY/fhfiLOlo323ZYTqefEb51TG+zremxKqalrkiWiRWR7z0IIwYeeDT4
884YOzQ7t8Fn21S8sV1KHa26Ff1K27G+pJQrHFIJJRnYq62BeQfwgwHml6nu
VL4UCEoc4H9PLOwjptng+TmfZupS13Xl0cASAXFhFpW2Tbk9VeL7Mz0HQf3J
ZP9A3ZZtrChrXDK/vWuyasFbVxtjnkqjCclslKufmoCKYNPUbFdEu+keKAgA
5mHnhpvcC6o62kqYecRxdLr2cbIRSnJ5N9Gz9h8gDNR1k8+QFfgPDwbqUwLe
ZqpUz/1tbqvVn43OQn5q/F3uoWwI+kQxRdojNm4PgEUGJ/EGMTZbL6C5Hsk9
l7x67IWzElwZkHP+SOPyrqhQzs9yVCN1H7m0LuTWpPbHG79ofZPPkUhMYinj
BZEXYNFUc61L3VEvsi8LcXsm297h8oE/WNnNdzEGDoXWDOHOJGp2d+pqBV7s
6QlQWAwdWprn/y2ErS4SHnQJoAICXqKyR1n7wY94wYt7dme7O2emqXlMQ7qB
vxsg5gScAj4STdmS3tkL/g/FmWTkiDcAAA==

-->

</rfc>
