<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-yusef-tls-pqt-dual-certs-03" category="std" consensus="true" submissionType="IETF" xml:lang="en" updates="RFC9261, RFC8446" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="PQ/T Dual Certs in TLS">Post-Quantum Traditional (PQ/T) Hybrid Authentication with Dual Certificates in TLS 1.3</title>
    <seriesInfo name="Internet-Draft" value="draft-yusef-tls-pqt-dual-certs-03"/>
    <author initials="R." surname="Shekh-Yusef" fullname="Rifaat Shekh-Yusef">
      <organization>Ciena</organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <email>rifaat.s.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author initials="M." surname="Ounsworth" fullname="Mike Ounsworth">
      <organization abbrev="Cryptic Forest">Cryptic Forest Software</organization>
      <address>
        <postal>
          <city>Sioux Lookout, Ontario</city>
          <country>Canada</country>
        </postal>
        <email>mike@ounsworth.ca</email>
      </address>
    </author>
    <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>sec</area>
    <workgroup>TLS Working Group</workgroup>
    <keyword>PKI</keyword>
    <keyword>Post-Quantum Traditional (PQ/T) Hybrid Authentication</keyword>
    <keyword>PQC</keyword>
    <keyword>TLS</keyword>
    <abstract>
      <?line 65?>

<t>The anticipated emergence of cryptographically relevant quantum
computers (CRQCs) poses a threat to the authentication mechanisms used
in TLS 1.3. This document defines a hybrid authentication mechanism
that uses two independent certificates, one traditional and one
post-quantum, ensuring that an attacker must break both algorithms to
compromise a TLS connection. The two certificate chains are carried in a
single <tt>Certificate</tt> message and two independent signatures are encoded
in the <tt>CertificateVerify</tt> message.</t>
    </abstract>
  </front>
  <middle>
    <?line 76?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>There are several potential mechanisms to address concerns related to
the anticipated emergence of cryptographically relevant quantum
computers (CRQCs). While the encryption-related aspects are covered in
other documents, this document focuses on the authentication component
of the <xref target="TLS"/> handshake.</t>
      <t>One approach is the use of dual certificates: issuing two distinct
certificates for the same end entity — one using a traditional
algorithm (e.g., <xref target="ECDSA"/>), and the
other using a post-quantum (PQ) algorithm (e.g.,
<xref target="ML-DSA"/>).</t>
      <t>This document defines how TLS 1.3 can utilize such certificates to
enable dual-algorithm authentication, ensuring that an attacker would
need to break both algorithms to compromise the session.</t>
      <t>It also addresses the challenges of integrating hybrid authentication
in TLS 1.3 while balancing backward compatibility, forward security,
and deployment practicality.</t>
      <t>This method exemplifies a PQ/T hybrid protocol with non-composite
authentication as defined in <xref section="4" sectionFormat="of" target="PQT-TERMS"/>, where two
single-algorithm schemes are used in parallel: when the certificate
type is X.509, each certificate chain uses the same format as in
standard PKI, and both chains together provide hybrid assurance without
modifying the X.509 certificate structure. While this approach does not
produce a single cryptographic hybrid signature, it ensures that both
certificates are presented, validated, and cryptographically bound to
the TLS handshake transcript. This specification is also compatible
with other certificate types defined in the TLS Certificate Types
registry defined in <xref section="14" sectionFormat="of" target="IANA-TLS"/> provided that
both components of the dual are of the same type. This document assumes
X.509 certificates for all explanatory text.</t>
      <t>This document defines new <tt>SignatureScheme</tt> code points that identify
pairs of traditional and post-quantum signature algorithms. Negotiation
uses the existing <tt>signature_algorithms</tt> extension without modification.
When a dual code point is selected, the <tt>Certificate</tt> message carries
two independent certificate chains, and the <tt>CertificateVerify</tt>
        <tt>signature</tt> field encodes two independent signatures. No new TLS
extensions or changes to existing TLS structures are required.</t>
      <t>A key advantage of defining explicit code points per algorithm pair is
that it restricts combinations to known good configurations. This
follows the emerging consensus in protocol design that explicit
enumeration of vetted pairs is safer than allowing arbitrary
combinations of any two algorithms. Each code point defined in this
document represents a specific, vetted pair of traditional and
post-quantum algorithms.</t>
      <t>This document is distinct from the composite ML-DSA approach defined
in <xref target="TLS-COMPOSITE-MLDSA"/>. In that
approach, a single composite certificate contains both public keys and
produces a single composite signature. In this document, two
independent certificates and two independent signatures are used, each
verifiable on its own.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="scope">
      <name>Scope</name>
      <t>The approach described herein is also compatible with FIPS-compliant
deployments (FIPS 140-2 and FIPS 140-3), as it supports the continued
use of FIPS-approved traditional signature algorithms during the TLS
handshake.</t>
      <t>The proposed mechanism is fully backward compatible: traditional
certificates and authentication methods remain functional with existing
TLS 1.3 implementations. As cryptographically relevant quantum
computers (CRQCs) emerge, deployments can transition by gradually
disabling traditional authentication and enabling post-quantum-only
authentication. This strategy offers a smooth migration path, ensuring
long-term cryptographic agility, regulatory compliance, and operational
continuity without disrupting existing infrastructure.</t>
    </section>
    <section anchor="design-overview">
      <name>Design Overview</name>
      <t>This document introduces new <tt>SignatureScheme</tt> code points to enable
dual-certificate authentication in TLS 1.3. The primary objective is
to allow each TLS peer to present two certificate chains requiring an
attacker to break both authentication algorithms to impersonate a peer.
Typically one of the certificate chains uses a traditional cryptographic
algorithm while the second leverages post-quantum (PQ) cryptography.</t>
      <t>The design requires no changes to existing TLS structures or
extensions. It reuses the existing <tt>signature_algorithms</tt> extension for
negotiation, the existing <tt>Certificate</tt> message structure with a
delimiter to carry two chains, and the existing <tt>CertificateVerify</tt>
structure with a defined encoding for two signatures within the
<tt>signature</tt> opaque field. It is applicable to both client and server
authentication and is compatible with the Exported Authenticators
mechanism <xref target="EXPORTED-AUTH"/>.</t>
      <t>A full set of informal design requirements for this specification can
be found in <xref target="sec-design-requirements"/>.</t>
      <section anchor="signature-algorithms-negotiation">
        <name>Signature Algorithms Negotiation</name>
        <t>Dual code points are advertised and negotiated using the existing
<tt>signature_algorithms</tt> extension defined in <xref section="4.2.3" sectionFormat="of" target="TLS"/>,
exactly as for any other <tt>SignatureScheme</tt>. A client that supports dual
authentication includes the relevant dual code points in its
<tt>signature_algorithms</tt> list. The server selects one code point from
the client's list, just as in standard TLS 1.3 negotiation.</t>
        <t>A client that wishes to mandate dual authentication includes only dual
code points in <tt>signature_algorithms</tt>. A client willing to accept
either dual or single-algorithm authentication includes both dual and
single-algorithm code points.</t>
      </section>
      <section anchor="certificate-chain-encoding">
        <name>Certificate Chain Encoding</name>
        <t>TLS 1.3 defines the <tt>Certificate</tt> message to carry a list of
certificate entries representing a single chain. This document reuses
the same structure to convey two certificate chains by concatenating
them and inserting a delimiter in the form of a zero-length certificate
entry.</t>
        <t>A zero-length certificate is defined as a <tt>CertificateEntry</tt> with an
empty <tt>cert_data</tt> field and omitted <tt>extensions</tt> field. TLS 1.3
prohibits the use of empty certificate entries, making this delimiter
an unambiguous boundary between the two certificate chains.
Implementations <bcp14>MUST</bcp14> treat all entries before the zero-length delimiter
as the first certificate chain (typically traditional), and all entries
after it as the second certificate chain (typically post-quantum).</t>
        <t>This encoding applies equally to the <tt>CompressedCertificate</tt> message
defined in <xref target="COMPRESS-CERT"/> and to the <tt>Certificate</tt> message
of Exported Authenticators as defined in <xref section="5.2.1" sectionFormat="of" target="EXPORTED-AUTH"/>.</t>
        <t>Since TLS 1.3 supports only a single certificate type in each
direction, both certificate chains <bcp14>MUST</bcp14> either contain X.509
certificates or certificates of type specified in:</t>
        <ul spacing="normal">
          <li>
            <t><tt>server_certificate_type</tt> extension in a <tt>EncryptedExtensions</tt>
message for Server certificates</t>
          </li>
          <li>
            <t><tt>client_certificate_type</tt> extension in a <tt>EncryptedExtensions</tt>
message for Client certificates</t>
          </li>
        </ul>
        <t>Note that according to <xref section="5.2.1" sectionFormat="of" target="EXPORTED-AUTH"/> Exported
Authenticators support only X.509 certificates.</t>
      </section>
      <section anchor="certificateverify-signatures">
        <name>CertificateVerify Signatures</name>
        <t>The <tt>CertificateVerify</tt> message is not modified. When a dual code point
has been negotiated, the <tt>signature</tt> field encodes two independent
signatures:</t>
        <ol spacing="normal" type="1"><li>
            <t>One computed using the traditional algorithm component of the
negotiated code point.</t>
          </li>
          <li>
            <t>One computed using the post-quantum algorithm component of the
negotiated code point.</t>
          </li>
        </ol>
        <t>Both signatures are computed over the same transcript hash specified in
<xref section="4.4.3" sectionFormat="of" target="TLS"/>, covering the complete <tt>Certificate</tt> message,
and using the same context string.</t>
        <t>This encoding applies equally to the <tt>CertificateVerify</tt> message of
Exported Authenticators as defined in <xref section="5.2.2" sectionFormat="of" target="EXPORTED-AUTH"/>.</t>
        <t>The order of the signatures in the message <bcp14>MUST</bcp14> correspond to the order
of the certificate chains in the <tt>Certificate</tt> message: the first
signature <bcp14>MUST</bcp14> correspond to the traditional algorithm component of the
negotiated code point, and the second signature <bcp14>MUST</bcp14> correspond to the
post-quantum algorithm component.</t>
      </section>
    </section>
    <section anchor="protocol-changes">
      <name>Protocol Changes</name>
      <t>This section defines the normative behaviour of TLS 1.3 peers when a
dual code point is negotiated. No new TLS extensions or
modifications to existing TLS structures are introduced. This document
defines new <tt>SignatureScheme</tt> code points that, when negotiated, govern
the encoding of the <tt>Certificate</tt> and <tt>CertificateVerify</tt> messages.</t>
      <section anchor="sec-codepoints">
        <name>SignatureScheme Code Points</name>
        <t>This document defines new <tt>SignatureScheme</tt> values for use in the
<tt>signature_algorithms</tt> extension defined in <xref section="4.2.3" sectionFormat="of" target="TLS"/>.
These values <bcp14>MUST NOT</bcp14> be sent in <tt>signature_algorithms_cert</tt>: a dual
code point identifies a pair of end-entity keys and the two signatures
in <tt>CertificateVerify</tt>, not an algorithm for the signatures appearing
in certificates:</t>
        <figure>
          <name>Dual SignatureScheme code points</name>
          <artwork><![CDATA[
enum {
    ecdsa_secp256r1_sha256_mldsa44 (TBD1),
    ecdsa_secp384r1_sha384_mldsa65 (TBD2),
} SignatureScheme;
]]></artwork>
        </figure>
        <t>Each code point identifies a vetted pair of algorithms: a traditional
algorithm and a post-quantum algorithm. The traditional component names
match the existing TLS SignatureScheme IANA registry entries exactly.
The naming order <tt>&lt;traditional&gt;_&lt;pq&gt;</tt> reflects the order in which the
two signatures appear in the <tt>CertificateVerify</tt> <tt>signature</tt> field, as
defined in <xref target="certificate-verify"/>.</t>
        <t>These code points are distinct from the composite ML-DSA
<tt>SignatureScheme</tt> values defined in
<xref target="TLS-COMPOSITE-MLDSA"/>, which use a
single certificate and a single composite signature, and which use the
opposite naming order <tt>&lt;pq&gt;_&lt;traditional&gt;</tt>.</t>
        <t>When a code point defined in this document is negotiated, the
authenticating peer <bcp14>MUST</bcp14> send two certificate chains in the
<tt>Certificate</tt> message as described in <xref target="certificate"/>, and <bcp14>MUST</bcp14> encode
two independent signatures in the <tt>signature</tt> field of the
<tt>CertificateVerify</tt> message as described in <xref target="certificate-verify"/>.</t>
        <t>These code points <bcp14>MUST NOT</bcp14> be used in TLS 1.2. A peer that receives a
<tt>CertificateVerify</tt> message in a TLS 1.2 connection with a code point
defined in this document <bcp14>MUST</bcp14> abort the connection with an
<tt>illegal_parameter</tt> alert.</t>
      </section>
      <section anchor="certificate">
        <name>Certificate Message Encoding</name>
        <t>TLS 1.3 defines the <tt>Certificate</tt> message as follows:</t>
        <figure>
          <name>TLS 1.3 Certificate message</name>
          <artwork type="ascii-art"><![CDATA[
struct {
    opaque certificate_request_context<0..2^8-1>;
    CertificateEntry certificate_list<0..2^24-1>;
} Certificate;
]]></artwork>
        </figure>
        <t>This document re-uses the <tt>Certificate</tt> structure as-is and extends
the semantics of <tt>certificate_list</tt> to support two logically distinct
certificate chains, encoded sequentially and separated by a delimiter.</t>
        <section anchor="delimiter">
          <name>Delimiter</name>
          <t>The delimiter is a zero-length certificate entry encoded as 3 bytes of
0x00. TLS 1.3 prohibits empty certificate entries, so this delimiter
is unambiguous. The delimiter <bcp14>MUST NOT</bcp14> be sent to peers that did not
negotiate a dual code point.</t>
          <t>This specification expands the CertificateEntry structure from
<xref section="4.4.2" sectionFormat="of" target="TLS"/> in the following way:</t>
          <figure>
            <name>Updated CertificateEntry structure definition</name>
            <artwork type="ascii-art"><![CDATA[
struct {
    select (is_delimiter) {
        case Delimiter: uint24 delimiter = 0;
        case Non_Delimiter:
          opaque cert_specific_data<1..2^24-1>;
          Extension extensions<0..2^16-1>;
    };
} CertificateEntry;
]]></artwork>
          </figure>
          <t>Certificate parsing logic <bcp14>MUST</bcp14> reject messages that contain more than
one zero-length delimiter, or that place the delimiter as the first or
last entry in the certificate list.</t>
          <t>All entries before the delimiter form the first certificate chain
(traditional) and all entries after the delimiter form the second
certificate chain (post-quantum). As specified in
<xref section="4.4.2" sectionFormat="of" target="TLS"/>, the end-entity certificate <bcp14>MUST</bcp14> be the first
in each chain. The algorithm requirements for the end-entity
certificates and for the certificates within each chain are specified
below.</t>
          <t>A peer receiving this structure <bcp14>MUST</bcp14> validate each chain independently,
using the algorithms permitted for that chain. Implementers <bcp14>MAY</bcp14>
wish to consider performing this verification in a timing-invariant way
so as not to leak which certificate failed, for example if it failed
for policy reasons rather than cryptographic reasons, however since
this information is not hidden in a single-certificate TLS handshake,
implementers <bcp14>MAY</bcp14> decide that this is not important.</t>
          <t>The first certificate chain <bcp14>MUST</bcp14> contain an end-entity certificate
whose public key is compatible with the traditional algorithm component
of the negotiated code point. The second certificate chain <bcp14>MUST</bcp14> contain
an end-entity certificate whose public key is compatible with the
post-quantum algorithm component of the negotiated code point.
End-entity certificates of both chains <bcp14>MUST</bcp14> use different public keys.</t>
          <t>The negotiated code point constrains only the end-entity public keys,
as specified above, together with the two signatures in
<tt>CertificateVerify</tt>. It does not constrain, and cannot express, the
algorithms of the signatures appearing in the certificates of either
chain: a dual code point is not a usable certificate signature
algorithm (<xref target="sec-codepoints"/>). Consequently, when either chain contains 
CA-issued certificates, the peer <bcp14>MUST</bcp14> advertise the acceptable 
certificate signature algorithms in <tt>signature_algorithms_cert</tt> 
(<xref section="4.2.3" sectionFormat="of" target="TLS"/>).</t>
          <t>Each certificate in the traditional chain <bcp14>MUST</bcp14> be signed with a
traditional signature algorithm, and each certificate in the
post-quantum chain <bcp14>MUST</bcp14> be signed with a post-quantum signature
algorithm. Different algorithms of the same category 
(traditional or post-quantum) <bcp14>MAY</bcp14> be mixed within a chain, 
for example an ML-DSA certificate signed with SLH-DSA. A chain that 
mixes traditional and post-quantum signature algorithms <bcp14>MUST</bcp14> be 
rejected with a <tt>bad_certificate</tt> alert. <tt>signature_algorithms_cert</tt> 
cannot enforce this, as it is a single list that does not 
distinguish the two chains.</t>
          <t>Both end-entity certificates <bcp14>MUST</bcp14> identify the same peer. A relying
party <bcp14>MUST</bcp14> verify that both match the reference identity it is
authenticating (<xref target="RFC9525"/>) and <bcp14>MUST</bcp14> abort with a <tt>bad_certificate</tt>
alert otherwise. The two certificates <bcp14>MAY</bcp14> also be bound using the
<tt>RelatedCertificate</tt> extension <xref target="RELATED-CERTS"/>; a receiver
that processes this extension <bcp14>MUST</bcp14> verify it references the end-entity
certificate of the other chain.</t>
          <t>This encoding applies equally to the <tt>CompressedCertificate</tt> message
and to <tt>Certificate</tt> message of Exported Authenticators.</t>
        </section>
      </section>
      <section anchor="certificate-verify">
        <name>CertificateVerify Message</name>
        <t>TLS 1.3 defines the <tt>CertificateVerify</tt> message as follows:</t>
        <figure>
          <name>TLS 1.3 CertificateVerify message</name>
          <artwork><![CDATA[
struct {
     SignatureScheme algorithm;
     opaque signature<0..2^16-1>;
} CertificateVerify;
]]></artwork>
        </figure>
        <t>This document does not modify this structure. When a code point defined
in <xref target="sec-codepoints"/> has been negotiated, the <tt>algorithm</tt> field
carries that code point and the <tt>signature</tt> field encodes two
independent signatures as follows.</t>
        <t>Both signatures are computed over the single signing input defined in
<xref section="4.4.3" sectionFormat="of" target="TLS"/>, that is over <tt>Transcript-Hash(Handshake
Context, Certificate)</tt>, where <tt>Certificate</tt> is the <tt>Certificate</tt>
handshake message as sent and carries both certificate chains. This
document does not introduce any per-chain or otherwise modified signing
input.</t>
        <artwork><![CDATA[
first-signature  = Sign(traditional-private-key, signing-input)
second-signature = Sign(pq-private-key, signing-input)
]]></artwork>
        <t><tt>first-signature</tt> is produced with the traditional algorithm component
and <tt>second-signature</tt> with the post-quantum algorithm component of the
negotiated code point.</t>
        <t>These are encoded in the signature field as:</t>
        <artwork><![CDATA[
signature = uint16(len(first-signature)) || first-signature
                                         || second-signature
]]></artwork>
        <t>The first two bytes encode the length of the traditional signature
as a uint16, followed by the traditional signature (<tt>first-signature</tt>)
of that length, followed by the post-quantum signature
(<tt>second-signature</tt>) occupying the remaining bytes.</t>
        <t>The context string used in the signing input is unchanged from
<xref section="4.4.3" sectionFormat="of" target="TLS"/>.</t>
        <t>Before verifying either signature, the receiver <bcp14>MUST</bcp14> validate the
encoding of the <tt>signature</tt> field and <bcp14>MUST</bcp14> abort the connection with a
<tt>decrypt_error</tt> alert if the field is shorter than the two-byte length
prefix, if the length prefix is zero, or if the length prefix leaves no
bytes for <tt>second-signature</tt>. <tt>second-signature</tt> consists of all bytes
following <tt>first-signature</tt>.</t>
        <t>The receiver <bcp14>MUST</bcp14> verify both signatures. Failure to verify either
signature <bcp14>MUST</bcp14> be treated as an authentication failure and <bcp14>MUST</bcp14> cause
the connection to be aborted with a <tt>decrypt_error</tt> alert.</t>
        <t>This encoding applies equally to the <tt>CertificateVerify</tt> message of
Exported Authenticators <xref section="5.2.2" sectionFormat="of" target="EXPORTED-AUTH"/>.</t>
      </section>
      <section anchor="dual-certificate-policy-enforcement">
        <name>Dual Certificate Policy Enforcement</name>
        <t>Policy enforcement regarding the use of dual certificates is
implementation-defined and driven by the authenticating peer. When
dual certificate authentication is required by local policy, the client
<bcp14>MUST</bcp14> include only dual code points in <tt>signature_algorithms</tt>. A server
that cannot satisfy this will be unable to complete the handshake.</t>
        <t>When a client is willing to accept either dual or single-algorithm
authentication, it <bcp14>MAY</bcp14> include both dual code points and
single-algorithm schemes in <tt>signature_algorithms</tt>.</t>
        <t>A single composite certificate chain and signature such as defined by
<xref target="TLS-COMPOSITE-MLDSA"/> <bcp14>MAY</bcp14> be an
acceptable alternative during the post-quantum transition period as
long as the corresponding signature scheme is listed in
<tt>signature_algorithms</tt>.</t>
        <t>Additional policy examples are given in <xref target="sec-policy-examples"/>.</t>
      </section>
    </section>
    <section anchor="performance-considerations">
      <name>Performance Considerations</name>
      <t>The use of dual certificates increases the size of the certificate and
certificate verify messages, which can result in larger TLS handshake
messages. These larger payloads may cause packet fragmentation,
retransmissions, and handshake delays, especially in constrained or
lossy network environments.</t>
      <t>To mitigate these impacts, deployments can apply certificate chain
optimization techniques, such as those described in <xref section="6.1" sectionFormat="of" target="PQ-RECOMMEND"/>, to minimize transmission
overhead and improve handshake robustness.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="weak-non-separability">
        <name>Weak Non-Separability</name>
        <t>This dual certificate scheme achieves Weak Non-Separability as defined
in <xref target="HYBRID-SIGS"/>, which
is defined as:</t>
        <ul empty="true">
          <li>
            <t>the guarantee that an adversary cannot simply "remove" one of the
component signatures without evidence left behind.</t>
          </li>
        </ul>
        <t>As defined in <xref section="4.4" sectionFormat="of" target="TLS"/>, <tt>CertificateVerify</tt> contains
signatures over the value <tt>Transcript-Hash(Handshake Context,
Certificate)</tt>. In the dual certificate context, <tt>Certificate</tt> will
contain both certificate chains, which is sufficient to cause the
client to abort and therefore achieves Weak Non-Separability.</t>
      </section>
      <section anchor="signature-validation-requirements">
        <name>Signature Validation Requirements</name>
        <t>Implementations <bcp14>MUST</bcp14> strictly associate each signature in the
<tt>CertificateVerify</tt> <tt>signature</tt> field with the corresponding
certificate chain, based on their order relative to the zero-length
delimiter in the <tt>Certificate</tt> message. Failure to properly align
signatures with their intended certificate chains could result in
incorrect validation or misattribution of authentication.</t>
        <t>Both signatures in the <tt>CertificateVerify</tt> message <bcp14>MUST</bcp14> be validated
successfully and correspond to their respective certificate chains.
Implementations <bcp14>MUST</bcp14> treat failure to validate either signature as a
failure of the authentication process. Silent fallback to
single-certificate verification undermines the dual-authentication
model and introduces downgrade risks. Implementations <bcp14>MAY</bcp14> short-circuit
if the first signature or certificate chain fails, or <bcp14>MAY</bcp14> process both
regardless to achieve timing invariance if the implementer deems it
valuable to hide which signature or certificate validation failed, for
example if one of the certificates was rejected for policy reasons
rather than cryptographic reasons.</t>
      </section>
      <section anchor="side-channel-resistance">
        <name>Side-Channel Resistance</name>
        <t>Some implementations <bcp14>MAY</bcp14> wish to treat a dual signature as an atomic
signing oracle and thus hide side-channels that would allow an attacker
to distinguish the first algorithm from the second algorithm, for
example if the first signature fails, still perform the second
signature before returning an alert. However, in most cases this does
not have practical value, for example if all algorithms offered as dual
are also offered as single.</t>
      </section>
      <section anchor="cryptographic-independence-of-the-two-chains">
        <name>Cryptographic Independence Of The Two Chains</name>
        <t>The two end-entity certificates contain keys of different algorithms,
one traditional and one post-quantum. As required in <xref target="certificate"/>,
the traditional chain is signed only with traditional signature
algorithms and the post-quantum chain only with post-quantum signature
algorithms, so the two chains rely on cryptographically independent
primitives.</t>
      </section>
      <section anchor="certificate-usage-and-trust">
        <name>Certificate Usage and Trust</name>
        <t>Certificate chains <bcp14>MUST</bcp14> be validated independently with the same logic
as if they were each presented in isolation, including trust anchors,
certificate usage constraints, expiration, and revocation status.</t>
      </section>
      <section anchor="preventing-downgrade-attacks">
        <name>Preventing Downgrade Attacks</name>
        <t>TLS clients that are capable of accepting both traditional-only
certificates and dual certificate configurations may remain vulnerable
to downgrade attacks. In such a scenario, an attacker with access to a
CRQC could forge a valid traditional certificate to impersonate the
server and indicate no support for dual certificates. To mitigate this
risk, clients should progressively phase out acceptance of
traditional-only certificate chains once dual certificate deployment is
widespread and interoperability with legacy servers is no longer
necessary. During the transition period, accepting traditional-only
certificate chains may remain necessary to maintain backward
compatibility with servers that have not yet deployed dual certificates.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests new entries in the TLS SignatureScheme registry
<xref target="TLSIANA"/>.</t>
      <table>
        <name>New TLS SignatureScheme values</name>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Description</th>
            <th align="left">Recommended</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">TBD1</td>
            <td align="left">ecdsa_secp256r1_sha256_mldsa44</td>
            <td align="left">N</td>
            <td align="left">This document</td>
          </tr>
          <tr>
            <td align="left">TBD2</td>
            <td align="left">ecdsa_secp384r1_sha384_mldsa65</td>
            <td align="left">N</td>
            <td align="left">This document</td>
          </tr>
        </tbody>
      </table>
      <t>These values are distinct from the composite ML-DSA SignatureScheme
values defined in
<xref target="TLS-COMPOSITE-MLDSA"/>, which use
a single certificate and a single composite signature.</t>
    </section>
    <section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We would like to thank Suzanne Wibada (Université de Sherbrooke) for
her reviews and comments during the work on the initial version of this
document, and her willingness to implement the recommendation of this
document.</t>
      <t>We also want to thank Anthony Hu from WolfSSL for his review and
feedback on the initial version of this draft.</t>
      <t>Thanks to Songbo Bu and Eric Rescorla for the review and suggestions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="TLS">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="EXPORTED-AUTH">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="ECDSA">
          <front>
            <title>Digital Signature Standard (DSS)</title>
            <author>
              <organization/>
            </author>
            <date month="February" year="2023"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.186-5"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="ML-DSA">
          <front>
            <title>Use of ML-DSA in TLS 1.3</title>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="Sophie Schmieg" initials="S." surname="Schmieg">
              <organization>Google</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <date day="18" month="June" year="2026"/>
            <abstract>
              <t>   This memo specifies how the post-quantum signature scheme ML-DSA
   (FIPS 204) is used for authentication in TLS 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-mldsa-04"/>
        </reference>
        <reference anchor="PQT-TERMS">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="Flo D" initials="F." surname="D">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <author fullname="Michael P" initials="M." surname="P">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <author fullname="Britta Hale" initials="B." surname="Hale">
              <organization>Naval Postgraduate School</organization>
            </author>
            <date day="10" month="January" year="2025"/>
            <abstract>
              <t>   One aspect of the transition to post-quantum algorithms in
   cryptographic protocols is the development of hybrid schemes that
   incorporate both post-quantum and traditional asymmetric algorithms.
   This document defines terminology for such schemes.  It is intended
   to be used as a reference and, hopefully, to ensure consistency and
   clarity across different protocols, standards, and organisations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqt-hybrid-terminology-06"/>
        </reference>
        <reference anchor="IANA-TLS">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process.</t>
              <t>This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8447"/>
          <seriesInfo name="DOI" value="10.17487/RFC8447"/>
        </reference>
        <reference anchor="TLS-COMPOSITE-MLDSA">
          <front>
            <title>Use of Composite ML-DSA in TLS 1.3</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="John Gray" initials="J." surname="Gray">
              <organization>Entrust Limited</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Daniel Van Geest" initials="D." surname="Van Geest">
              <organization>CryptoNext Security</organization>
            </author>
            <date day="13" month="May" year="2026"/>
            <abstract>
              <t>   Compositing the post-quantum ML-DSA signature with traditional
   signature algorithms provides protection against potential breaks or
   critical bugs in ML-DSA or the ML-DSA implementation.  This document
   specifies how such a composite signature can be formed using ML-DSA
   with RSA-PKCS#1 v1.5, RSA-PSS, ECDSA, Ed25519, and Ed448 to provide
   authentication in TLS 1.3, including use in certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-reddy-tls-composite-mldsa-10"/>
        </reference>
        <reference anchor="COMPRESS-CERT">
          <front>
            <title>TLS Certificate Compression</title>
            <author fullname="A. Ghedini" initials="A." surname="Ghedini"/>
            <author fullname="V. Vasiliev" initials="V." surname="Vasiliev"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>In TLS handshakes, certificate chains often take up the majority of the bytes transmitted.</t>
              <t>This document describes how certificate chains can be compressed to reduce the amount of data transmitted and avoid some round trips.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8879"/>
          <seriesInfo name="DOI" value="10.17487/RFC8879"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="RELATED-CERTS">
          <front>
            <title>Related Certificates for Use in Multiple Authentications within a Protocol</title>
            <author fullname="A. Becker" initials="A." surname="Becker"/>
            <author fullname="R. Guthrie" initials="R." surname="Guthrie"/>
            <author fullname="M. Jenkins" initials="M." surname="Jenkins"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>This document defines a new Certificate Signing Request (CSR) attribute, relatedCertRequest, and a new X.509 certificate extension, RelatedCertificate. The use of the relatedCertRequest attribute in a CSR and the inclusion of the RelatedCertificate extension in the resulting certificate together provide additional assurance that two certificates each belong to the same end entity. This mechanism is particularly useful in the context of non-composite hybrid authentication, which enables users to employ the same certificates in hybrid authentication as in authentication done with only traditional or post-quantum algorithms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9763"/>
          <seriesInfo name="DOI" value="10.17487/RFC9763"/>
        </reference>
        <reference anchor="PQ-RECOMMEND">
          <front>
            <title>Post-Quantum Cryptography Recommendations for TLS-based Applications</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="July" year="2025"/>
            <abstract>
              <t>   Post-quantum cryptography presents new challenges for applications,
   end users, and system administrators.  This document highlights the
   unique characteristics of applications and offers best practices for
   implementing quantum-ready usage profiles in applications that use
   TLS and key supporting protocols such as DNS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-reddy-uta-pqc-app-08"/>
        </reference>
        <reference anchor="HYBRID-SIGS">
          <front>
            <title>Hybrid signature spectrums</title>
            <author fullname="Nina Bindel" initials="N." surname="Bindel">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Britta Hale" initials="B." surname="Hale">
              <organization>Naval Postgraduate School</organization>
            </author>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Flo D" initials="F." surname="D">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <date day="20" month="June" year="2025"/>
            <abstract>
              <t>   This document describes classification of design goals and security
   considerations for hybrid digital signature schemes, including proof
   composability, non-separability of the component signatures given a
   hybrid signature, backwards/forwards compatibility, hybrid
   generality, and simultaneous verification.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-hybrid-signature-spectrums-07"/>
        </reference>
        <reference anchor="TLSIANA">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process.</t>
              <t>This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8447"/>
          <seriesInfo name="DOI" value="10.17487/RFC8447"/>
        </reference>
      </references>
    </references>
    <?line 615?>

<section anchor="sec-design-requirements">
      <name>Informal Requirements for Dual TLS Certificate Support</name>
      <t>This section documents the design requirements that drove the
development of this specification.</t>
      <t>This section is primarily intended to ease WG review and could be
removed or simplified prior to RFC publication.</t>
      <section anchor="dual-algorithm-security">
        <name>Dual-Algorithm Security</name>
        <section anchor="weak-non-separability-1">
          <name>Weak Non-Separability</name>
          <t>The dual certificate authentication achieves, at least, Weak
Non-Separability <xref target="HYBRID-SIGS"/> at the time of verification 
of the <tt>CertificateVerify</tt> message.</t>
        </section>
      </section>
      <section anchor="dual-certificate-semantics">
        <name>Dual Certificate Semantics</name>
        <section anchor="independent-chain-usability">
          <name>Independent Chain Usability</name>
          <t>Each certificate chain (e.g., traditional and PQ) must be
independently usable for authentication, allowing endpoints to fall
back to traditional or PQ-only validation if necessary.</t>
        </section>
        <section anchor="unambiguous-chain-separation">
          <name>Unambiguous Chain Separation</name>
          <t>The mechanism must clearly distinguish and delimit multiple certificate
chains to prevent ambiguity or misinterpretation.</t>
        </section>
      </section>
      <section anchor="use-case-and-deployment-flexibility">
        <name>Use Case and Deployment Flexibility</name>
        <section anchor="backward-compatibility">
          <name>Backward Compatibility</name>
          <t>When only one certificate chain is used, the mechanism must remain
compatible with existing TLS 1.3 endpoints unaware of dual-certificate
support or willing to use only a single certificate.</t>
        </section>
        <section anchor="forward-compatibility">
          <name>Forward Compatibility</name>
          <t>The mechanism must be capable of negotiating algorithms requiring dual
certificates as well as algorithms that are acceptable standalone.</t>
        </section>
        <section anchor="minimal-protocol-changes">
          <name>Minimal Protocol Changes</name>
          <t>Any additions or modifications to the TLS protocol must be minimal to
ease deployment, reduce implementation complexity and minimize new
security risks.</t>
        </section>
      </section>
      <section anchor="non-goals">
        <name>Non-Goals</name>
        <section anchor="multiple-identities">
          <name>Multiple Identities</name>
          <t>This mechanism is specific to cryptographic algorithm migration. It is
not a generic mechanism for using multiple identities in a single TLS
handshake. In particular, this mechanism does not allow for negotiating
two certificates with the same algorithm but containing different
identifiers, or for negotiating two independent sets of
<tt>certificate_authorities</tt>.</t>
        </section>
      </section>
    </section>
    <section anchor="compatibility-with-composite-certificates">
      <name>Compatibility with composite certificates</name>
      <t>Clients and servers may choose to support composite certificate
schemes, such as those defined in <xref target="TLS-COMPOSITE-MLDSA"/>. In these
schemes, a single certificate contains a composite public key, and the
associated signature proves knowledge of private keys of all
components. However, from the perspective of the TLS protocol, this is
a single certificate producing a single composite signature.</t>
      <t>If a composite signature algorithm appears in the <tt>signature_algorithms</tt>
extension, it can fulfill the client's requirements for both traditional
and PQ authentication in a single certificate and signature. It is up
to the client policy to decide whether a composite certificate is
acceptable in place of a dual-certificate configuration. This allows
further deployment flexibility and compatibility with hybrid
authentication strategies.</t>
      <t>The advantages of dual certificates over composites are operational
flexibility for both Certification Authority operators and TLS server
and client operators because two CAs and end-entity certificates, one
traditional and one PQ, allow for backward-compatible and dynamic
negotiation of pure traditional, pure PQ, or dual.</t>
      <t>The advantages of composites over dual certificates are that the
certificate chains themselves are protected by dual-algorithms, which
can be of great importance in use cases where trust stores are not
easily updatable.</t>
      <t>A client may include both composite and dual code points in
<tt>signature_algorithms</tt>, leaving the server to select whichever it can
satisfy.</t>
    </section>
    <section anchor="sec-policy-examples">
      <name>Policy Examples</name>
      <t>This section provides non-normative examples of how a client populates
<tt>signature_algorithms</tt> to express different authentication policies.
For client authentication, the same principles apply with roles
reversed: the server drives requirements via <tt>CertificateRequest</tt>.</t>
      <section anchor="example-1-single-certificate">
        <name>Example 1: Single-certificate</name>
        <t>Client requires only one traditional, PQ or a composite signature.
Client either does not support or is not configured to accept dual
certificates.</t>
        <t>Client behavior:</t>
        <ul spacing="normal">
          <li>
            <t>Includes only single-algorithm and/or composite code points in
<tt>signature_algorithms</tt> and optionally <tt>signature_algorithms_cert</tt>.</t>
          </li>
        </ul>
        <t>To satisfy this client, the server <bcp14>MUST</bcp14> send a single certificate chain
with compatible algorithms and include a single signature in
<tt>CertificateVerify</tt>.</t>
      </section>
      <section anchor="example-2-dual-compatible-traditional-primary-pq-optional">
        <name>Example 2: Dual-Compatible, Traditional Primary, PQ Optional</name>
        <t>Client supports both traditional and PQ authentication. It allows the
server to send either a traditional chain alone or both chains.</t>
        <t>Client behavior:</t>
        <ul spacing="normal">
          <li>
            <t>Includes both traditional single-algorithm code points and dual code
points in <tt>signature_algorithms</tt> and optionally
<tt>signature_algorithms_cert</tt>.</t>
          </li>
        </ul>
        <t>To satisfy this client, the server <bcp14>MUST</bcp14> either:</t>
        <ul spacing="normal">
          <li>
            <t>Provide a single certificate chain with compatible traditional
algorithms and include a single signature in <tt>CertificateVerify</tt>, or</t>
          </li>
          <li>
            <t>Provide a traditional certificate chain followed by a PQ certificate
chain as described in <xref target="certificate"/> and encode two signatures in
<tt>CertificateVerify</tt> as described in <xref target="certificate-verify"/>.</t>
          </li>
        </ul>
      </section>
      <section anchor="example-3-strict-dual">
        <name>Example 3: Strict Dual</name>
        <t>Client requires both traditional and PQ authentication to be performed
simultaneously.</t>
        <t>Client behavior:</t>
        <ul spacing="normal">
          <li>
            <t>Includes only dual code points in <tt>signature_algorithms</tt>.</t>
          </li>
        </ul>
        <t>To satisfy this client, the server <bcp14>MUST</bcp14> provide a traditional
certificate chain followed by a PQ certificate chain as described in
<xref target="certificate"/> and encode two signatures in <tt>CertificateVerify</tt> as
described in <xref target="certificate-verify"/>. If the server cannot satisfy this,
the handshake will fail.</t>
      </section>
      <section anchor="example-4-dual-compatible-pq-primary-traditional-optional">
        <name>Example 4: Dual-Compatible, PQ Primary, Traditional Optional</name>
        <t>Client supports both traditional and PQ authentication. It allows the
server to send either a PQ chain alone or both chains.</t>
        <t>Client behavior:</t>
        <ul spacing="normal">
          <li>
            <t>Includes both PQ single-algorithm code points and dual code points
in <tt>signature_algorithms</tt> and optionally <tt>signature_algorithms_cert</tt>.</t>
          </li>
        </ul>
        <t>To satisfy this client, the server <bcp14>MUST</bcp14> either:</t>
        <ul spacing="normal">
          <li>
            <t>Provide a single certificate chain with compatible PQ algorithms and
include a single signature in <tt>CertificateVerify</tt>, or</t>
          </li>
          <li>
            <t>Provide a traditional certificate chain followed by a PQ certificate
chain as described in <xref target="certificate"/> and encode two signatures in
<tt>CertificateVerify</tt> as described in <xref target="certificate-verify"/>.</t>
          </li>
        </ul>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+Vd2XobR3a+r6eocC5GmgAYkZZlmV40FEVb/KKFEqnxOPkS
sdFdAGrY6IZ7IQXLmi8PkQfIbV4jeZM8Sc5Say8Q5ZnkJr6xCHTXcuqs/zl1
MJ1OxfWh/ExkZVoka3UosypZNNNtW6vFtMnr6eanZpq1ST5NVdXU0zxpVN2I
Rjc5PLx3VtbN9FWbFE27lhdVkulGl0WSyztnr35/cVc+3c4rncmjtlmpotFp
gl/LG92s5BMYVB7DoHqBn6ta6kJePDuX+7PP9kQyn1fqGmeAcfyz9qE9Aa8c
yrrJhN5Uh7Kp2ro5uHfvy3sHIi2LWhV1Wx/K38Ln6reibudrXdcwdbPdwLJP
Ty6+E3lSLA+lKkQGkx+Kol3PVXUoNvpQSFktUpXVzRY3uVU1fNKUafBPXWSw
H/tBXVZNpRa1+3u7jv5sKp26h9NyvYZ33be6yHXhp1HvmmmugaowyLzM4bFp
+bu/h2/ghNbJZqNx1fhsUqkE6FOrdE/cwGdIuh/K6goekN9XZbsRV2p7U1YZ
7Gcqz/7hlP73a86LXnx1jP+DSUTdJEX2NslLu+oEni4rmkbifmDNr2fyfKWu
VtMfkZGEpP8WbZ4zk73WiyRpBh4pq2VS6J9p2kN5rFWRmG/Ssi2aagsfJkWS
2U/VOtH5oaxovFk906pZ/GGJH86AzuGKLmbytcqybW8tF7pq10mu6pukih6J
1/KivNK9tZwWme4s5aosskZXfhFShst4OpMXdboqF6rQy95aniZFAYLQeyJe
yptCX6uq1s1WlgsJJyUft8CP9Y1aVfJ5W+h0Zd6zUgRvPL6Rz2d2/fAq7Ei1
cw08byep1JKGf5xcJ1V/r9+rap0UW/dxBut9+PnnX3wR739FW5g1bgtAiXez
QjUhFZ7P5Mu2qIE7m1WPCM/1lep9DRSAo6+2G2BK+V1ZgRKS5+WigUNTnc3G
T0VbPtdl+04+K8ursm0m8mXRwE7L23DYGhb1h9IuapYm4Xb2fgTmKutynVyt
yr3ehn5MqrLOk2v/zOCx/mOdAhtW8bzbyr7zh5/5e2LsdoNaCwXtu+MvDx7s
T/AfD+/ffyDEdDoFUoDOSdJGiAvgjgQlWW/ghQyGhQNXRaqQdVKkVLmsks0K
RD3Pt8ADubqG5+VPrCNAma43bQPcJu8cv351XN+Vm7IGFk2A70ABNaAMiQOT
WMOvVQqMoOt1LUG6QUk71Q78v9I1arMW1aDM1EIXNOCKdc/YSKJZwXQtTt7c
lBI18EaRGpZpYEUmEvQS2AOv2kBb4Wdig7rP7Gsi0UJUqCtp2KSQSdMk6ZWq
5BpMiQRWSq7kvARDleTLsgKLBXtpSiJIVYI5gT3TnsDcFCrFuXBrihYXLEjC
8oFJJPCpTJOq0nAIQI1E1DB5ruRlYAIvYbd1nSwVrbm7y1ovi6RpK8WDwSGC
DBJp8QDCcf6oQCFu3WgzZoq1zrJcCfEbCXqrqcqspVUTj8B4OGatQLEAyTZl
g0cA/woOEk46yTKYvsY9wxZhV8AvxFZAmOZvzWkz+cNKA4VwYBiHpLospnbK
pN4A2Q1hS1g3EVbAicEZWvYCdmgidlvAP5CFymKIbXENwCpFI4xiff/+7+CM
vzmdPiHTQh4R+AYoaXNdf/iA6i6rV8kVEvklMB5Y6KpM0pWESXEAmAz3jx5U
xKaH8EDdEv/BMWdg8HUB8ho+AmutaIwatAhQAEgKKwWl/9//+m/E5C2yEEqi
Z3bhmFXeUbPlbAI7eHRy/OT86JsnL09n+/dmD+4dPPz9i9Pzi9l3p2fns/2H
D6aff/hwd8Ist1KGgHbsUGjQSbgruzMImOH5sylOEZFpnWd1AiPPkMGGJH5V
3lilAJJRyLbRuf4ZttsC+SJCAHeBIzAHXiBP1K8gPr5dQn1TtnkmCkW8Oird
MpBuorwirxG2cArD5bWTAMWnC7KR56pYIkMtgPsaBSze4AIGlVmgBuUN8fY8
ATc0xRfmsE4wZhktAZ6eAzGa7QSZgD4GPw+2Bp8IPCjQCnm5JXJuUNGjUMGX
ltZrBR4Z8Ms7td7kQEbSr+RJm3XBJsGLLXN2xQsQK2J98CmU6MhEUpsTI731
/v05Kzt5H7YsHp29uphenLx+HsjI5qdWbyhu4MmmINRrXZR5udx++DCBnaO6
AbY3KjA4T3AaQG2wTKPdwBk3SYVEBlsIL7LUBswh0KNHYfvT7PN7XwIHJDHz
sPo1ZsPKEtB0jfyB0QS7s0hhcJFZCogvjNoGpaVIIIBi1zpT7mBBeqsEtRtS
ELwJsS4zULrMfIqXEy0ELDIoXFDfXq/Bsp2+yEpYYVE2YkOaGa2LsRCR7rTz
O2MwkbphvqcdwrZw+bEiQXJu4Hs4VZVN5DXwCroPGW+3r5vn4Og4nY4M67Qc
6pqiTiu9aYwhRy3MEyFT4I5QTCwTg70hDmOlEpIDzy3iLDtXYMfkBT4k0DEF
6m2H+XAfGVE+Oj16cTRFXc2O0Begm82RZUQWwadqFXxtXWfSzEgg8zcxCC6u
66jgiQNvit7JsqIGwoG8bUCck6aEtWIgN6r6CnUjL8/tEZ4T11+STw0KV+Pq
6CQ12n1gKrFJdMUr7vg1kXp2PBEotRm4+csSTDnpHycG6h1ZnKW8dC+99S9d
wvfgANQ2Vgf2lsTe5phn4gcUxcSYNbdsPP4a7HpKvNX1Srx3w35QLXb4cUb+
nFka8m+EX/ylBCWXZ8Yp6nuI3ncCgpREfwxl3TaBuBVOSaoc7ICjD3Kkk1yW
pEqBggNvA073SEKMDTYBHRncGFp6PGJ8E5kBnKEmOtaNqgIDiscKNGPPFp7E
eAWhAnSw1nNdELFpPVdFeVPIZVmifSgWetlW/CVzqViUeV7emLNFxwtX4IAQ
UqNW4wN5gBjMYHaNYF6BQXlI3MS1atDFYrbDQ00WCn0RtKg4EfkG1VwDO1Zb
ES0W3oYokQ4g5MIT0sueUyLBhw04EamU0VRosqxymYQrGpCDyLcP5+0KIP7b
+FpyAYaezYk1fZL9mEAp8yoFKZxHwAvT45fPz16en16cTJ8/sy5PhaAB+Txu
JOv9zMDVZvVjx5wEit3NGzF+CbyEpocU1qadwwkhm9W8UbYO9dAojsnNrMHG
J2Rvx2Km24QbaI7ZvIprFD9N/hiqfNSlN+gj/UYel8U1qixkBBzzCQkD/c2h
KIoLYlK13Hv+5vxib8L/ly9e0r9fn7x6c/r65An++/zp0bNn7h/CPHH+9OWb
Z0/8v/ybcDLPT1484ZfhUxl9JPaeH/24x+pk7+XZxenLF0fP9iz7BVoeXRNw
EBV5cxXwIscaAsQGzN6cWfbx8dl//jsYHggPwNwc7O9/CeaG/3i4/8V9+AN9
lYkJPcGi8p/AbFtkBJVUFAOCyUiTjW7AZE7QG6lXKOXoHgE1f/dPSJl/PpRf
z9PN/v1vzQe44ehDS7PoQ6JZ/5Pey0zEgY8GpnHUjD7vUDpe79GP0d+W7sGH
Xz9C9FNO9x8++lYgC52n5UYZ3MKLoaU90kYPuRnsyGJIQ0KYa1AFwnvJEFTi
d+As3Jse0LG4Pz+7S7QH9Vu3m01ZNca1BzHURQvCb0I4GpuWdI0uRaCAhuwu
mMbK+oJoacI4EfcGwyCQkvkAGzeFmNG2HwogCh0GeT3Z7WEm6P5jdL5G53fR
FqlZKlHJGjdhYxENBFNIJmtTjupfhw1xzD+RIeExtCOvkVYv51sJg6LjkG8F
6GJQI0SnUKF3AhCKfM1zoaKfomh1whXrlcJ4EIwhQLrABYK2XJeoT9d6acwc
UHblI0aRl8WSIpWOv50sTSAGXmibs29nOSxVRsQ3xnbi2TDfYJxuXSfYZdVu
GnYKjF+hi0WV+JCAWP8JW+aXoF+vtbrp2S4D2tzOfyyZZkq45I01MB3yxtAc
cqZeg1WX5fzP6GFfK/JQSjb8HF/h8xuFHkFp44ox2IudJfIXCuGi8U4I3jnv
KCIH3oQDBNLiymnWmYCwwPAkwiDGcR+YvDVIZcBb0eEGaMmNg5og0C7hTHOC
wtAd7EMgwSBbI8/GqzK+IUZyt3EnyypwQcFqo/vzK3x0iD9E4d38Sef1QR/c
rYJ1QgLKMtdrcCPodNBDZyeu64cPDmsd8u6gzs0jvxzfIkwLhg28C3yU47/I
oS83yU+tYr+eSMPRMnhD5HkgC1FEl2uy2wVCJBWcWQ+/gG903TMVuJeTd6jv
VZTvKqtaeJ0MNv3kT2cvX1+cPJkevbl4+o3B28GzQ+8f9TVM2zD6Q7BC3mEF
VoIM5fXCZdCNYo54BMbb5GQC9015gGk4AM33G7COztQceSkJIzzxJA7J2HmD
CAUPC+0NksPyCvzJOF94sOKj7DYMB80OwJIAHYDFP3yYAF8naQMSmpjwGGIC
BgF6egvMjT1FCkqcGUbN1T1N8NzzNjMS4ixS1t20Jr90bCuYX2Vlxyxjgtaa
1EkQpGCEQBgIL++3Nb05kX/GDAGhR9KhR9aWBnJILBLu7EbXK1YIa3yrsejD
yBbJcyQidLY2vK2Ajjc6Z6sKajtN1QYCPM24OM4Hx9FD3sbWQDLGq4Too/da
sDBm0BC9OSbo7cSIvnDuhkVBxgECp4ESojgijaF6h4UifuBjRcaqbUCE03bR
G9arwiE8XlMR6gthy3bMhM23lO+ATwrCdnGQNasViK8rM7lXnwbLQm1A0bD8
WVXlFGHiJoImBW5jS0wy8gSFq0bYErRkIbVO8O1Lo2gLodYbcDku8e23wFqJ
RUTIP4GFobBfemNzaRWrORQMLFd6rpsobcGDDpB+Ahx8xZqD1mj2LhDGL5L1
XC/bsq0ZSERnYq6aG2XQ22Eyz8Rp7IVKinYaSjISuGYOfa6AsmyqQ7IFa+At
LHRVD0BK8k7jvIfAMTAJkGAikSzoNEnSA8dg54ihr+AyH874kfmCLYBi5/lL
IwOYdcCsQjYkDSLSt48QgXh9cn4+PT55fUFo58MvMPwkA12OCxWmtEYM3ijG
/zko9X2UvsgIkjE61wh+W5F2Opt0lhfFDuCLoxOEkIFhS9lXYSveFzs6fqO2
DCbCqHoc/pRVDGWgN4gzGUNLOzoUYgpKk3T92+Dpt/hkaNkwKJeXJ5xsVNmJ
FxchnXJCc3bOdiOcGadg9fu3meKYVXk0hXhRIiUpuZWmZZUZJd8/Mdk5MXf0
onP05uT44PrYdk+rs6vnHRED7OxIP6MWK0qLIKsM8x9D6DHEyCjd8JX3TwyK
fFucV3i3Es58fyZfFgyQtbGvE0WbgTEzyQETUmAlRuAq+ZXOdgw9jER+ytji
MUpEB35zM2GmO0hUuHSMBOqtIq4XoXN2P3TOOF9uV0zRrGpG1AbnG/3+aFqU
R2BpqmwrljN5a0U3ziSoZH6FdjoY4HUTkoF4qMqldTw5jX22E5OeAVmCrzal
16H0thiPLQfKLtxmDr0B8hw5NtEteXGQWXxYZozTx2YbAcr9dATjntlcwTGH
sOZ4a0P30H8rKJWKKMFcrZJrXbaV4TOyCxiv15y4TcRAtsjvKszLyCgvI8LU
00ezMw4lyTouoPi05NuEVx2qoiVKTSFMPQpzumGQmA3wUHbwet2J5XgJ8hhX
cMYreP8bDARxTbykD5+WSbxO8tbkJdGT60XXvz6wm6FowZBmBotII2BeM0g1
HJ2QTbw8NFpfhFzASU6uUbD5HVDnU1PtYlMfznf0oox5mQE6T8jcJAGS5Etp
Aq1KODz68zBKXJojxF/+8hfKicn3VI6n0qxO3sKRbA4+f1Dtv61XCfzjLSV5
7t+Xdy4eP9m/O+k8+tnD+/wo/IMfffA5PXoAj37oHv9XNOd7UB1YWv3NHsXx
XRYJmHQPWKKbVItI2cmY+aM4HC0ZIg94xIKZ4rYQSnMqCsscawF6IF3FGBHK
Z3cPmKiXLqVvvXoDFxB74XgkW6TAL78OJv327debn769hPcXHLE7VY2cd7PS
vALRgZh8zmXMDPVcjAknfQKBCHhkSimwrTU1teohLh/PMopRsfWzil+XdZwY
SqDsu0LDCAKmgx5PILJd8YNQXdjGPNU5HTiPt9ERXQJRjIc3nvCNUrIdfy/C
fBDzR6iZNE2tTKJy1CCLkXrKWkYJvOg0kWC4X444yLPslSb0/Ye+U2os9S4v
Z+c6dnNVqGptbRSb2QNEfhiPx8gAIisFBhn4cOdSKBAxAwRFrBa5Dfzy0aOj
JSVzDB9MyiwepBCXOs/VMsnfYhXXGpzMCqxjDovqo0XPzbosXgQ2MDyjT4GP
CHOkgohDUuXmP/g81XqaVI0Bqo12N0hzGLUh9qpqiOTY0f363mx28C8Pp/vf
fkVvdGGY6F1ErPiFg/v0xofw+a+CBQXq3m4upIjZzl7P+Fdq6rIEMQU8rJXU
U812k+x7ZrAvtaYaXYqTL7urvkTnygaEKAF5uTTAxlCFqssNmFJkGB2oRnXD
CAIQIo/njmZovg0xMjp9THhZzMbkUByEVo/DZmQytm5OOOvPYHQO/cW9d/fu
zbz36TCtHUBWXXZBLPgjALHY8Pm19VweTIKRm0vSl+mMyvicTusHuhYXinMB
6t0Gc8R0qD3+8udKmHQc2R0478xjj7ZK5ybZ3koGGAGXd3T91m31rvmOLkck
oI7ceR3KFvZxcD8gyzfy3lfx0y/K4q1/w30XydtbSwPCLL/eD6TGP+8wkiAu
YAHbf+Ae/dCRM6LbiLC9odsT2S4yZ65yBcUvlErgaAqGSTaYGyqFqVLn3jMj
WMxqzWglKEPMLgxClhNZGt29yZOUsU1P2QjPhHAoT+rGCIHu1cNybkOIo2HE
1I9K8PQOnFTcCdHRLjgqGRwdGZKD0b6qkHdifBTrDHYgFgcBYsFBlwsKwqHp
COYqiLkNyugzAUFlxlBeLhy6X1xhn4m+MElLPw3fn7CbEXMFAkjYPhlmtskO
MPd8Rou3BbnhcIHzkW8nwgMwQXp8g4XV5OUvLAOZLTssHfXS86MfBaaeTKqj
1ui4wbt4Xm5JXNTlawIgRtD47VQXdB0Ms0rJVmAJPMN5MFiOKXz2EsMDWSQ6
R1cOFwV+PS5F6gUi6fyNwC82Za5TLCpJaozqwUqsbIlhXIBhnpjgfQFFyTpE
ngUt2uRcbekxLmulM6AZ78Ckq8K1RdXME6E7dAJuTrHKm2jJU/Cw8CAYxcQo
7/HsgoFdWPRhL8M8K25WJWhIX9w3lqH+CDhk8alhJNFkOEeyFuFKxehK5S1X
+lFgSe5cqjgZnJ3clLAcnxaNEUmmsbCH7j/4CklzNoNTEOcDOXEUwro7GiUY
ZoIpJK+XwMG9hojI3QTwhxMHmUDGAX+bShdscb9fhCm9Twr8FEw/pn9M8OPl
u49dOtBiQPXT85wwEUSuw+EKbQJHgIhURhHdULDzhLeIuCQhQKI+gN4+xspi
8vVANzFQZjM1xFuuhlUcH03xopOKOJB3GsR1rj6BNRylrGl5YnB9oQ7cDThJ
cWcMycL03En3toihagRzeGmZ8xpgM6Zm5iNVgHzIvSspJlKNJGbHLCNF/iKA
Zp44aRjgHgLssRoOS9cisy5JDwcWmVQgzL/W78z0pEdpcRMpQoUOGsNUS3eP
yC78/NlT/J7KEmh3pFQFjl1/+kUGRxvB3pYnz+U8ycKUm40wd/OFFT20IClf
xrF1oDqorqbyA3bsrQwLjoWWLZlUm9A2SWxO3gzrUrMHe6vDnw5VtUlExXK8
QCTAxYQ32TXgdJu72CM9ylYpOnNYPI8Ir9Diu/AJSMAjLFv6/AAv+nmkgwP3
MSIKIiLX7IDzoAYvt7LNpFJcOBm+NuQ8FXH5mq9qRhGqR5txWSfPjjBvg6ls
urnz5RcPPvvw4StYkEExKr4cAZFcaq/dYaLJDRISiW5QGJrUO9w6Kxml11if
kMLanas3WfhhXGI8Az+WZrWgSISFWJzo45DIAPwUASNxDNiDap3UmGjMBG5O
rKIg7EN/+V1MewDkMPschTqc1PH1uo777FLJfaBRuHK60HbJ8Ryz26yB84S5
pWSjOTeBu5G0Kystxq5SuBO4faKXNRE+x4Z/0zYxRjyW5uV7RTUPdXnhcsXT
p0m9uvPUusHimFGuSXgwdy/tTc2Yl/UA7OSr20NOq21dpiXkSKWHucLUP3KX
yqPqQQhYpmxHwAo5teSqCix9BNFnZnI45KZPvT2R3xCTh0Zwuqn0NUoVuH4T
O8qURrkr2HsOBjDvb37a+RpOLS47kxPtzP2d7PYuPiUTu+u49O/ftuBgJEaQ
FmsOegpYN8hv29SSObUR0AORoP0Hd3JV3Ols+O5d+csvsvNhgOt85D94t7tt
JqyPv9AcMfbHK6dVG3TFKPlBF01QNR2vfGIEkkHK0Vfknd553uXwC2SMp+yP
NOK53emf511Zpmm7cfeH+eoGXQzfchnOxapbd+HSAPasvHogCJML0LMhyDBI
6AIDPGaAiM0KXVNgZz7IB/Ga2CR3QAtkrl4+vKcbO27HYL5AXEL4jcH/W1VV
pU0VIHbA2A6Oo+maVNVYsMA4YFMkkzkHAQZ6od9N7IuGIfhTHABBOMLcBh/I
VXJNGkgwa6HX2z+w2ZBQErpS8+ViRMtoAOHR2B4Lsd/RIy0bxXlsHmbyu0Tn
pmTVPGLCvU7ZB4JhWDdpykaLbnXvwozjziRNgJVE50z4GhwdV+BsD53Q7Qsd
f1X9z60qfjCd0OkoJs8YYzphH5+KQIT5TPnPMBmdmFK61XjHDvSs44tSU1eb
ix0ZwByowgr+QAaTfRXRHbdXeV27C8Y4WF6m1I8FF81SyDWGgkMJLtP2leLd
IvjxSnFzWYKdG46FalhBbX0sLCGnVGNhr1u4OjFcRXifzfpgXLBo3o3Kz+VH
ys9Ft5EHuPIYWdj9+Sr0KM8+VJFuW0iMbx5B2d03cBnPjcqpqClJUIg23/7K
3LwNsfE6lMc5khwUWsGFVMHNwch+BJfowBfSJV1LxWtrNkPgq73w/WDt7M1r
vr7ATuM4bTJn+wxEayJ+dk+XxOXOt+ZHpvYRlkR5xtgytcc4NoBzEtwCHhex
IkW41/bqwG4wAxV4SSe3cB3FELWtfsCLh0CPNqeqpDyplsCBEf4rXEGWZB/I
PLRJtnmZZDUE21vWjfBReqWwmiNZOvmfiErRoZjmguaWlHeGM4h/t5gfJTCR
NCGDY4wBopNfwQnW9RbCETBi1RXopWtdlQVlJ1CtlnINx7E0dhZrudawFOxr
1L1jiTp3O5DHKTcI5HOTMdmodFVozG1PHEs3hPB2yhKsxn3A9d+Pzl5N3S3f
gMXbJplufkrxXiwFHLjcAqczpamGMgIjkJVKWFXqNV2iDQhVlfO2biCCpUAY
AlHT7KbHPaDlf8CkwwvQvueUXOY+OTZs7CpXw/pJutIKjfrgy4Fcm5v+T398
/Pr0yfT89PteXxvT08aJz5TaUFXtunZ1NyK6tgEu87fEwssWZgT/zRZwFwx7
1ng/wmpgNDBbuQfeHxBoL7jeCGN4j75zeQ7vmCrsdILylqtFg7WYEH+iNI81
75ndD+LEIbtsIdygpNqHpFSotCOilDaiFFFEafoSqP45pTYCjYNNNCTCZlNG
wkcr7ugYtgv4SpukPAsu0s7ewSqN82ki+Ird3t3M0b1390d2e5GIr4NMohi+
vsL9POgaXF2m2uX4vHIeKFsarUnzQV+k6vuJ1omcJxgbcJczLACkYi1qnYYm
xvhjQTJa9O4vDUJYkQ+Kd9hVhZvLYaGiw5VmZmyjUGRqIAOFeaQWNuV0NAgf
7SttbHBB7Ugq0CngmgAl561tUNK59N2HUj7eFc+5yq4dkgCNiCgj38In5KJb
P62RiCTxSMZPvMW0CNx3l/HtRFrksAv7pDF+HRfRgKEz4Moc+XoBlgV7BmDH
poGUZ5TZxUahmPU1Jpb7qcVNytbgYuXmfpu7cZ6VNwXe2wddreurOsgw232C
W0OB2TTVVdrqRriwDSN1v8H4wo5xtnDDNYVkOI7ZIHeyYu88x7/JnyRhNclp
aZPTqbKxXJDRBdWnMEPUCNRX1o1dYX6XVcboogL2C5LZIkhmD188B85PaukS
FP08t/hontvqm0xNj6mXag56BoNK3KQQ5+Vadfs1EM1sgt9cmGMVG7MVtsMr
1zoVFisoqyTNTbPJVVszadDeItCGUxvwk5rnmQYAQVM97ArQzYXwaQeF17b8
1eShg9xYh6JDvGLYAqaAYMRULIQVJv5JU+MCDllbFdxuwKaBnnLdwERSMQ5m
7ROXSECsUVDZAMT8vpUeG7heBQOG9FGCbUFdJxN7VZkSVnUZfsHyaOD96LxP
HUAMzPtyQemVi5uSb80aRxnxrbFckjWLVB+P3vRADnAiRpqhRpEF1eG4oHOg
OlYM50TR4nK+j3vckNIfhts80Sx6PpD99KN8LONpy/bC3Btlz9Di9TuXhDfE
sL2FRu09cGH5jeu9eoH9xOO6r7ACIbQacaWON9GU2aMiMUQbmcHha0TUyQVw
Dfnosnpd5jb0pZiXe6LQPfMiBbUKRxkqqJb7qNlIAuMB9W6jKzMGbqFS16VR
+qA8mtbs9ww+NzemnzidfkQSXXNCib0lI/rctnbDzZ4WJpwnWLKMT5ubsfSK
p4Y8vaB9GUVYpk3NdZsX4OljzxJULG5xrG5qch45ZgG3XhXYuXkS9/gkiIpM
OJkKgV1pjJMBkoxHy8cW83J4RzXuN4KOmekQwOYw48cKXyWLGqIXx0I4GcVt
GvQ+WM2JIy0YSlwU2Lkl5hKBG/Hu8AqrJtGZN8AA984VXSIPeVLYj7dP66BL
KCzhBhR7DVxnozA0kdS5xkRBRD6s1gZzxbs21U8SQQaFLUaQtBCuzOQTj1H0
YIlJwCW7GMSuPWABNwP3SNDG8Tf9kETUGpXXaxdKzEpKHLX5VjVm86rPgibG
pHsofXQirrOmKnC+ZWUrH4NWld18qb3VYqAhnMG3o4RZf8HoAQKnX7DVD8VN
SLWx9AfYff6tAPSe8S+b7qdvxS9T/s/+f+d/v+z4C/6GleEVJpz0I1edeGUv
onXGRDODHcSDDV6Gus1gPnv8wlwO7FKdb81w6ji4mna7Wzjd0cT/wh0cMXgf
/mN3cIhLj1Ls/AgO6NJEmT8o443l2CWfgpKkuJLn7c/osMkf9DzJEnnH/UTA
f/0HbAV/aKGaV2V5pe6S27WiYBCbTNUmzuHfpAixR4KjTJtsKoVGtwjH5Ags
6tpogC/SwQT9FkYHO0/VJpCYoV2jyWiUGW2PPKibpGj87o6KZlUWW/m05YP8
ocwX5+fPSPmuCDDHrRAuuFAqo1ho98r5Z04obwET0FLPQcnNS/m4pb2cQNyO
jjdEgHniSoD9RGAAlkvQDZpdduyvjtPimZ3aRkCvu5XGlKDo9rg9N5aEr3wO
9f7pXr+1vc1N+XW/2xDXKxHGhiYsA4ufl5u1SwZ37x7MOjNQnhq7gGlynkwA
jxdv0UL98H1IBzavcyUYs8oY3jdtp9HE6ZI6SoEeNDWWdkqTsZm6TkYO9uPb
IaNA34Cl6/Z8MpAO8CUmZxNs2oPDiR709/59gPVhFw3mVAgvFTdCDWJnW227
u9X+YCbq3N674a2dBsUh3CUHXE+7wV5Roqmd537uXWce+5HxLxYoEXuipsKT
ui910iuuiSs87BvGIY4gDJAgO2WCZ6/Y9wgiY3BpvUfA+3oT9H7hfTGxuTUV
npxvrUWLhvAzqdz1Ig4jub85oVHwUN7oTaw5hWvNjT70NUU8NCv9IAqhRa53
Z8Brb4B1j5F/uTGp84y+y9U7bWmPm3hs2y8eh+6GSXMREahNVO+AdG2apDb9
fbJ/I7qF09FFWayM8ufRFsmNaUvd7eAnXM+OKky1UVZlrP2KOaDvTDf5ztYG
TmYe+f2uqxVG1j6Y8939+FZ35P3XEOxgwFxHHf1sUBEkv7iHFv6ekFnlc8wh
AN/1+xAcFdhumRmTer/0egNY38z1O7a7WZtB8ccEkjp0jrG3I5UZxbiKSXi+
owwB8IzLbIA3KGw7fgOHEYehcvm+BPtldmF595TLM7VrpBD1/LSamCDruPWk
U4yua6VphCe4hnupIGCCB/14fOMfD8RJjnazh5ciOk1JMbbCqlOdtnlSmR/N
8MO6kizGgHCWgCNEryo0DoL9PuatuxdFTGMhC+FurleMAnZm6DcnVlRkIaIr
jPw7VLTVS9OOuBcvDGZ84VyOTWTm+wia7N+qxOxYcC9ycARh0s79rFqQfBnw
Il2HaHBc/RiD/qKrqU+CJfhbC/4HPFyqIcxfU8atltabJKE2FWwOQUoo2WIb
5AfAmfOeMTS24LcxhqGsGb7BEuShHXDtW9yrbdDvPV1EmxwoBzcXIQYuY4fp
bN9ckyoKMEu6aPMFgom+kuK3texdCeuCG4It7UDr1FHXPmzGzfVYG2HUk0lH
GWQYsQ6+dHSz4gsmyUhdAtLVa03s6U63BanHXK/La4SzmFYoJL21WLQVV2N4
I7jwRtAGBF3J4cRntx+jabSrXYmaa4ZfD6f4KYfo9sdhWtg/N1yJOwrvSuGc
R0bOt+ZF6hFUcAtG2wMU98Bk9s/MlUkJIsp6ZC5HD6Or9CtSYgg4PXs1CbSg
hSamgWUn/2WLXRLSsCsrSRylf/yoE/4ExzQ40iAVA3IR+fpUTSp3Z00NYSzw
8bpW+bX7MZCy4RTFfNv5TR2bT8ULEmg2YfolpRTsDbiUWA/pyDi6+TkXwirr
prR1zHgHGuwsRhD0Y2XIs2FDTFSuUXmP53mPG0bFTCM1KxMq2HPtqRiuQ33N
N5ppM3RvkDWAMFVOXKhiCsRshQvHYN2ilk50ZH5WpKafzfH9j1yZDFAMf9oo
8XK+aelnM8ca8FBHI7pUEIL4nZwfromk7DvMVZmmtx233llc0OxFqrloh8pC
SIKrMqdfU0HjprLDkF5UvdZRhNc6bjj5mtGwS3Z2DM3kPv6qXjfnaO2p74fs
/OaI+0GlltWwrp/ZIWzpmHVBAudXu0t1pOo4RjUVZz2HdOYWZTpVVdQW8DTq
ttrvi1pkvy+rUCHHPCnHujNzX3DeKAy84y4Sl/lExXd8vpPwhHz/k2HvgGp9
nItjVVGcd7Hy5kYIyxAGLy9GR31wyAH7sZtgEv2G6Bl3DqdjfWm27ojuOkR2
basctK1kNRP3oyYilGtU29pYyn5WigIJaS2Hu5e18+x7a9rV6DbWT8ABHyu3
7PDCGM98MjcwEWgnZ+bXqcZ5Q3Z5I3Rv5CdxynDPrbKK1jGWYjH5/qBQHn+Z
LPKlpT3J3U17jP3muv/eVVw5CNPcuv9OwPafgYajMh7i/r5qux1Dm3Jqk8TG
YhONIVpSqLKtsfHVLbTTJ1T43p6LNkNHNtC7YdeRDR+Y+JQDGzkucZvjkqeL
cFsD5cycwvYFh1TdjNUF8VHfH9BwsFOn2EJt93+l4ZDSf51igxFur8/Mh/TD
1P+ntu2v02ZI3kiF0Qb+fyux/wF+ciaT3X0AAA==

-->

</rfc>
