Internet-Draft Erik Synchronization Protocol for RPKI December 2025
Snijders, et al. Expires 7 June 2026 [Page]
Workgroup:
SIDROPS
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Snijders
BSD
T. Bruijnzeels
RIPE NCC
T. Harrison
APNIC
W. Ohgai
JPNIC

The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)

Abstract

This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 June 2026.

Table of Contents

1. Introduction

This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) [RFC6480]. Erik Synchronization can be characterized as a data replication system using Merkle trees [M1987], a content-addressable naming scheme [RFC6920], concurrency control using monotonically increasing sequence numbers [RFC0677], and HTTP transport [RFC9110]. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols ([RFC5781] and [RFC8182]). The protocol's design is intended to be efficient, fast, easy to implement [RFC1925], and robust in the face of partitions or faults in the network.

1.1. Background

The notion of cache-to-cache data replication of unvalidated data was documented in Section 3 of [RFC7115].

Validated caches may also be created and maintained from other validated caches. Network operators SHOULD take maximum advantage of this feature to minimize load on the global distributed RPKI database. Of course, the recipient relying parties should re-validate the data.

— RFC7115, section 3

Historic records show that experiments have been performed in this space using, for example, peer-to-peer file sharing technology (see [P2P]), but no standardised and widely-deployed mechanism for cache-to-cache replication emerged since then. The authors hope that the Erik Synchronization protocol might be suitable to fill this gap and improve propagation speed of validly signed repository data as well as help reduce load on the global RPKI.

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.4. Glossary

This section describes the terminology and abbreviations used in this document. Though the definitions might not be clear on a first read, later on the terms will be introduce with more detail.

Erik relay
An intermediate between CA publication repositories and Relying Parties.
FQDN
The fully qualified domain name of a RPKI repository instance referenced in an end-entity certificate's Subject Information Access (SIA) extension's id-ad-signedObject accessDescription.
Hash
A message digest calculated for an object using the SHA-256 algorithm.
ErikIndex
The relay's Merkle root for a given FQDN. An ErikIndex is an ordered listing of ErikPartition object hashes.
ErikPartition
An ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their certificates' SIA extension values.

2. Informal Overview

Erik Synchronisation is an architecture to reliably distribute RPKI repository data from cache to cache using so-called Erik relays. Relays maintain a validated cache themselves and can be clients of other relays. While this property suggests that a group of relays should converge to the exact same state, the distributed nature of the RPKI prevents relays from achieving strict synchronization.

In this synchronization protocol, Merkle trees are used to determine whether differences exist between client and relay. Merkle trees are hierarchical data structures: the hash value of each node is computed recursively by hashing the concatenated hash values of the node's children. The hash of the ErikIndex represents the entire dataset related to a given FQDN. If the ErikIndex hash is not the same between two replicas, the relay provides the client with hashes of smaller and smaller portions of the to-be-replicated dataset until the exact list of out-of-sync or missing objects is identified. Sequence numbers are then used to determine whether these differences are relevant enough for the client to fetch. All data, except for ErikIndex objects, is fetched using static addresses derived from object hashes. This approach reduces unnecessary data transfer between caches which contain mostly similar data.

The client starts by querying an Erik relay for the relay's current ErikIndex for a given FQDN. If the ErikIndex is different compared to the previous run (or compared to the Index calculated from the locally cached objects). With the ErikIndex in hand, the client can determine which ErikPartition are missing and fetch accordingly. The client then can compare the manifestNumber sequence number and thisUpdate for each manifest listed in the ErikPartition, and proceed to fetch (purportedly) newer versions of manifests of interest. Whenever a relay has manifests with a lower sequence number on offer, the client can ignore those. The client now has sufficient information to proceed to fetch any missing Certificates, Signed objects, and CRLs. With the information contained within manifests, clients can fetch addressed by content (by hash) and store by name (or some other scheme).

3. Erik Synchronization Data Structure Definitions

In this synchronization protocol the signal layer makes use of DER-encoded messages [X.690].

Design note: DER encoding was selected for its canonical properties and because RPKI cache implementations already support ASN.1 encoding.


RpkiErikSynchronization-2025
  { iso(1) member-body(2) us(840) rsadsi(113549)
    pkcs(1) pkcs9(9) smime(16) mod(0)
    id-mod-rpkiErikSynchronization-2025(TBD) }

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL --

IMPORTS
  CONTENT-TYPE, Digest, DigestAlgorithmIdentifier
  FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

  AccessDescription, KeyIdentifier
  FROM PKIX1Implicit-2009 -- in [RFC5912]
  { iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
;

ContentInfo ::= SEQUENCE {
  contentType      CONTENT-TYPE.&id({ContentSet}),
  content      [0] EXPLICIT
                     CONTENT-TYPE.&Type({ContentSet}{@contentType}) }

ContentSet CONTENT-TYPE ::= {
  ct-rpkiErikIndex | ct-rpkiErikPartition, ... }

ct-rpkiErikIndex CONTENT-TYPE ::=
  { TYPE ErikIndex IDENTIFIED BY id-ct-rpkiErikIndex }

id-ct-rpkiErikIndex OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) id-smime(16) id-ct(1) erikindex(55) }

ct-rpkiErikPartition CONTENT-TYPE ::=
  { TYPE ErikPartition IDENTIFIED BY id-ct-rpkiErikPartition }

id-ct-rpkiErikPartition OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) id-smime(16) id-ct(1) erikpartition(56) }

ErikIndex ::= SEQUENCE {
  version [0]      INTEGER DEFAULT 0,
  indexScope       IA5String,
  indexTime        GeneralizedTime,
  hashAlg          DigestAlgorithmIdentifier,
  partitionList    SEQUENCE (SIZE(1..ub-Partitions)) OF PartitionRef
}

ub-Partitions INTEGER ::= 256

PartitionRef ::= SEQUENCE {
  hash             Digest,
  size             INTEGER (100..MAX) }

ErikPartition ::= SEQUENCE {
  version [0]      INTEGER DEFAULT 0,
  partitionTime    GeneralizedTime,
  hashAlg          DigestAlgorithmIdentifier,
  manifestList     SEQUENCE (SIZE(1..MAX)) OF ManifestRef }

ManifestRef ::= SEQUENCE {
  hash             Digest,
  size             INTEGER (1000..MAX),
  aki              KeyIdentifier,
  manifestNumber   INTEGER (0..MAX),
  thisUpdate       GeneralizedTime,
  locations        SEQUENCE (SIZE(1..MAX)) OF AccessDescription }
END

3.1. General Syntax

At the top level the content of an Erik object is an instance of ContentInfo.

3.1.1. contentType

The contentType is an OID specifying the type of payload in the object, in this profile either id-ct-rpkiErikIndex or id-ct-rpkiErikPartition.

3.1.2. content

The content field contains an instance of ErikIndex or ErikPartition.

3.2. ErikIndex

An ErikIndex represents all current manifest objects available under a given FQDN and thus the complete state of the repository as it is known to the relay.

3.2.1. The version field

The version number of the ErikIndex object MUST be 0.

3.2.2. The indexScope field

The indexScope field contains the fully qualified domain name of the Signed Object location of the manifests referenced through this particular ErikIndex. The FQDN MUST be in the "preferred name syntax", as specified by Section 3.5 of [RFC1034] and modified by Section 2.1 of [RFC1123].

3.2.3. The indexTime field

The indexTime is the most recent partitionTime value among the ErikPartitions referenced from this ErikIndex. The field's value roughly indicates when the ErikIndex was generated and can be used for troubleshooting and measurement purposes.

For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See Section 4.1.2.5.2 of [RFC5280].

Design note: using the most recent partitionTime, rather than the local system's notion of "now", helps reduce churn in distributed systems.

3.2.4. The hashAlg field

This field contains the OID of the hash algorithm used to hash the ErikPartitions. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification [RFC7935].

3.2.5. The partitionList field

This field is a sequence of PartitionRef instances. There is one PartitionRef for each current ErikPartition. Each PartitionRef is a tuple consisting of the hash of the partition object and the size of the partition object.

Information elements are unique with respect to one another and sorted in ascending order of the hash.

3.3. ErikPartition

An ErikPartition represents a subset of manifest objects available under a given FQDN. Each ErikPartition is an ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their end-entity certificates' SIA extension values.

3.3.1. The version field

The version number of the ErikPartition object MUST be 0.

3.3.2. The partitionTime field

The partitionTime is the most recent thisUpdate value among the manifests contained within this ErikPartition. The field's value roughly indicates when the ErikPartition was generated and can be used for troubleshooting and measurement purposes.

For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See Section 4.1.2.5.2 of [RFC5280].

Design note: using the most recent manifest thisUpdate value, rather than the local system's notion of "now", helps reduce churn in distributed systems.

3.3.3. The hashAlg field

This field contains the OID of the hash algorithm used to hash the manifest objects referenced in this ErikPartition. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification [RFC7935].

3.3.4. The manifestList field

This field is a sequence of ManifestRef instances. There is one ManifestRef for each current manifest. A manifest is nominally current until the time specified in nextUpdate or until a manifest is issued with a greater manifestNumber, whichever comes first (see Section 4.2.1 of [RFC9286]).

A ManifestRef is a structure consisting of the hash of the manifest object, the size of the manifest object, the manifest issuer's key identifier, the manifestNumber, and the thisUpdate contained within the object, and a sequence of AccessDescription instances from the manifest's End-Entity certificate's Subject Information Access extension.

Information elements are unique with respect to one another and sorted in ascending order of the hash.

4. Client-side Processing

Clients start by fetching an ErikIndex, which is represents the relay's current Merkle tree head for a given FQDN. A client MUST verify the requested FQDN exactly matches the indexScope value in the ErikIndex, and if not proceed to use a different relay.

Then, clients can decide whether or not to fetch ErikPartition objects listed on the ErikIndex, for instance, by checking whether the object associated with the hash was already fetched at some point in the client's past.

Before using a ErikPartition, the client MUST verify that all URIs in the accessLocations in the id-ad-signedObject accessMethod instances in the ErikPartition are encompassed in the requested indexScope. A client can then decide whether or not to fetch a given manifest object, by comparing the manifestNumber and thisUpdate with what's locally cached and what's offered by the remote relay.

A client can compute which products listed in the manifest's fileList need to be fetched from one relay or another in order to achieve a successful fetch. A client MUST verify that the URI in the accessLocation in one of the id-ad-signedObject accessMethod instances in the manifest's Subject Information Access (SIA) is encompassed in the requested indexScope.

As there is no concept of 'sessions' (like in RRDP), clients can interchangeably use different Erik relays. When one Erik relay generates a HTTP error, the client can try fetching the requested object from another Erik relay. To improve reliability, clients should alternate among different relays in successive query and fetch attempts.

5. Querying an Erik Relay

5.1. Fetching objects by hash

This specification uses "Named Information" identifiers mapped to .well-known HTTP/HTTPS URLs for object retrieval, as described in [RFC6920].

For example, issuance #54 of ripe-ncc-ta.mft has the following SHA256 digest: c2d0427bc5a32c42eea1ab5663d592b1fc29c7d4ef16ab0b5e1d631d039dcc21.

To fetch the aforementioned object from an relay hosted at relay.example.net, a client would access the following HTTP URL: https://relay.example.net/.well-known/ni/sha-256/wtBCe8WjLELuoatWY9WSsfwpx9TvFqsLXh1jHQOdzCE

5.2. Fetching ErikIndex objects

The URIs to fetch ErikIndex objects can be constructed using the following Well-Known URI template with the erik keyword as suffix and the FQDN as parameter: https://{relay_host}/.well-known/erik/index/{FQDN}.

For example, the URI to fetch an ErikIndex for the rpki.ripe.net FQDN from a relay at relay.example.net would be: https://relay.example.net/.well-known/erik/index/rpki.ripe.net.

A client MAY use the If-Modified-Since HTTP header when fetching ErikIndex objects.

6. Transport Error Detection and Handling

The client MUST calculate the hashes of fetched objects and verify they are the same as the expected hashes (which are embedded in the URIs through which the objects were retrieved). If there is a hash mismatch, the client may try fetching the object from a different Erik relay or treat this as a failed fetch (see Section 6.6 of [RFC9286]) and try again at a later point in time in a next validation run.

7. Setting Up an Erik Relay

Erik relays can be operated by any party, without permission from or coordination with publication point operators or CAs. Relays are made accessible via either HTTP or HTTPS or both.

Relays generate and make accessible ErikIndexes and ErikPartitions derived from their current validation state, the client then cherry-picks which objects (if any) it wishes to fetch. In turn, relays fetch fresh data from other relays, or from CA-designated publication points accessible via Rsync ([RFC5781]) and RRDP ([RFC8182]).

Design notes: a decision must be made on a deterministic "manifest-to-partition" assignment scheme. Job's proof-of-concept relay (see Appendix A) uses the first few octets of the the Manifest's AKI as a stable partition assignment scheme. Other strategies could be to assign manifests to ErikPartitions based on the "hour-of-day" of the CMS signing timestamp, or the first few octets of the SHA-256 of the manifest object.

8. Comparison with other RPKI transport protocols

Ignoring obvious mechanical "on the wire" differences between Erik, Rsync, and RRDP; there are a number of concept differences between the protocols. Rsync and RRDP can be described as "general purpose" synchronisation protocols: they could be used to transfer any arbitrary set of files, on the other hand the Erik protocol is RPKI-specific: part of its signaling layer are RPKI manifest objects, which RPs require as recourse for validation anyway. This property by itself causes a small deduplication in the data to be transferred.

8.1. Comparison with Rsync

In Rsync, the server and the client construct and transfer a full listing of all available objects, and then transfer objects as necessary. In effect, this allows clients to 'jump' to the latest repository state, regardless of the state of the local cache.

A major downside of Rsync is that the list of files itself can become a burden to transfer. As of June 2025, in order to merely establish whether a client is synchronized or not with the RIPE NCC repository at rpki.ripe.net, as much as 5.8 megabytes of data are exchanged without exchanging any RPKI data.

Experimentation suggests that when synchronizing once an hour, Erik consumes less network traffic than Rsync generally would consume which, in turn, is less network traffic than RRDP would.

8.2. Comparison with RRDP

The key concept in RRDP is that the client downloads a "journal", containing all add/update/delete operations and replays this journal to arrive at the current repository state.

A major downside of RRDP is that (depending on the RRDP polling interval) clients end up downloading data which has become outdated. Imagine a hypothetical CA which issues and revokes a ROA every 10 minutes and a client that synchronizes every 60 minutes; in effect the client must fetch 5 outdated states, wasting bandwidth.

Experimentation suggests that when synchronizing every 15 minutes, Erik consumes less network traffic than RRDP generally would consume which, in turn, is less network traffic than Rsync would consume.

8.2.1. Garbage Collection

In contrast to RRDP, the Erik protocol has no concept of server-specific "stateful" sessions that persist across polling attempts. This obviates the need for withdraw instructions as part of the protocol exchange: clients can simply delete objects that are no longer referenced from their current validation state and refetch them later on if needed.

9. Open Questions

This section is to be removed before publishing as an RFC.

10. Operational Considerations

10.1. Scaling considerations

As of July 2025, the global Internet's RPKI churn rate appears to be 2 new objects per second. The ecosystem is estimated to be composed of ~ 5000 RPKI cache instances and ~ 50 repository servers. Assuming 10 minute fetching intervals and 150 metadata requests per synchronization run (for exchange of Merkle tree data), an Erik relay serving all the Internet's RPKI cache instances would probably need to be able to sustain serving an average of at least 11,000 HTTP requests per second. This order of magnitude in terms of scaling requirements can easily be handled by a single commodity server.

10.2. HTTP Compression

Using gzip compression on average tends to yield a 20% reduction in RPKI object size, therefore it is RECOMMENDED for clients and relays to offer support for compressed content coding, as described in Section 8.4.1 of [RFC9110].

Using a previous version of a RPKI object as a compression dictionary for a newer version enables delivery of a delta-compressed version of the changes, usually resulting in significantly smaller responses than what can be achieved by compression alone. Clients can facilitate delta compression by sending an Available-Dictionary request header, using a previously fetched version of the RPKI object as the dictionary. It is RECOMMENDED for clients and relays to make use of Compression Dictionary Transport ([RFC9842]).

11. Security Considerations

This document makes no changes to RPKI certificate validation procedures.

Paraphrasing Section 11 of [RFC6810]: The RPKI relies on object, not server or transport, trust. That is, the Regional Internet Registry root trust anchors are distributed through some out-of-band means, and can then be used by each relying party to validate certificate chains and Signed Objects. The inter-cache relationships are based on this object security model; hence, any cache-to-cache transport is assumed to be unreliable at times. See Section 5 of [RFC8182] for more security considerations.

To avoid certain forms of replay attack, clients MUST verify purported indexScope, ManifestRef location values, and manifest Subject Information Access (SIA) extensions match the expected FQDN.

Byzantine events or faults in relay-to-client communication can be overcome by the client rotating requests for objects among different Erik relays.

12. IANA Considerations

12.1. S/MIME Module Identifier

The IANA is requested to add an item to the "SMI Security for S/MIME Module Identifier" registry as follows:


Decimal  Description                          References
----------------------------------------------------------
  TDB    id-mod-rpkiErikSynchronization-2025  [this-draft]

12.2. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)

The IANA has allocated for this specification in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows:


Decimal  Description              References
----------------------------------------------
   55    id-ct-rpkiErikIndex      [this-draft]
   56    id-ct-rpkiErikPartition  [this-draft]

Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft.

12.3. Well-Known URI

An URI Suffix in the Well-Known URIs registry specific to Erik synchronization will be requested. See https://github.com/protocol-registries/well-known-uris/issues/67 for the request.

The proposed suffix is erik.

13. References

13.1. Normative References

[RFC1034]
Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, , <https://www.rfc-editor.org/info/rfc1034>.
[RFC1123]
Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, DOI 10.17487/RFC1123, , <https://www.rfc-editor.org/info/rfc1123>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, , <https://www.rfc-editor.org/info/rfc5280>.
[RFC6810]
Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, DOI 10.17487/RFC6810, , <https://www.rfc-editor.org/info/rfc6810>.
[RFC6920]
Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., Keranen, A., and P. Hallam-Baker, "Naming Things with Hashes", RFC 6920, DOI 10.17487/RFC6920, , <https://www.rfc-editor.org/info/rfc6920>.
[RFC7935]
Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, , <https://www.rfc-editor.org/info/rfc7935>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC9110]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/info/rfc9110>.
[RFC9286]
Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, , <https://www.rfc-editor.org/info/rfc9286>.
[X.690]
ITU-T, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, , <https://www.itu.int/rec/T-REC-X.690-202102-I/en>.

13.2. Informative References

[M1987]
Merkle, R., "A Digital Signature Based on a Conventional Encryption Function", Advances in Cryptology -- CRYPTO '87 Proceedings, Lecture Notes in Computer Science, Vol. 293, DOI 10.1007/3-540-48184-2_32, , <https://doi.org/10.1007/3-540-48184-2_32>.
[P2P]
Austein, R., Bush, R., Elkins, M., and L. Johansson, "RPKI Over BitTorrent", , <https://www.ietf.org/proceedings/83/slides/slides-83-sidr-9.pdf>.
[RFC0677]
Johnson, P. and R. Thomas, "Maintenance of duplicate databases", RFC 677, DOI 10.17487/RFC0677, , <https://www.rfc-editor.org/info/rfc677>.
[RFC1925]
Callon, R., "The Twelve Networking Truths", RFC 1925, DOI 10.17487/RFC1925, , <https://www.rfc-editor.org/info/rfc1925>.
[RFC5781]
Weiler, S., Ward, D., and R. Housley, "The rsync URI Scheme", RFC 5781, DOI 10.17487/RFC5781, , <https://www.rfc-editor.org/info/rfc5781>.
[RFC6480]
Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, , <https://www.rfc-editor.org/info/rfc6480>.
[RFC7115]
Bush, R., "Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI)", BCP 185, RFC 7115, DOI 10.17487/RFC7115, , <https://www.rfc-editor.org/info/rfc7115>.
[RFC8182]
Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, "The RPKI Repository Delta Protocol (RRDP)", RFC 8182, DOI 10.17487/RFC8182, , <https://www.rfc-editor.org/info/rfc8182>.
[RFC9842]
Meenan, P., Ed. and Y. Weiss, Ed., "Compression Dictionary Transport", RFC 9842, DOI 10.17487/RFC9842, , <https://www.rfc-editor.org/info/rfc9842>.
[rpkitouch]
Snijders, J., "rpkitouch", , <https://www.github.com/job/rpkitouch>.

Appendix A. Implementation status

This section is to be removed before publishing as an RFC.

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.

According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

A few experimental Erik relays are available, each running on slightly different schedules. Client implementers are encouraged to round-robin between these instances to observe results.

http://relay.rpki-servers.org/
Dublin, Montreal, Osaka, São Paulo, Sydney - anycasted distributed computing cluster
http://dub.rpki-servers.org/
Dublin, Ireland, - distributed computing cluster (6 machines, NFS backend)
http://atl.rpki-servers.org/
Atlanta, USA, - distributed computing cluster (2 machines, NFS backend)
http://miso.sobornost.net/
Amsterdam, NL, single node
http://nyc.rpki-servers.org/
New York, USA, - single node
http://fnllwqoupfrhso6643whm6lpkgsftjtc6crpehmyz2o7pffirnqy7rad.onion/
Erik relay service via Tor

An experimental Erik static content generator was developed by Job Snijders in the form of [rpkitouch] using C.

Appendix B. Example objects

Included in this section are an ErikIndex for rpki.ripe.net and an ErikPartition referenced from the aforementioned ErikIndex, both Base64 encoded.

B.1. Example ErikIndex

This object was retrieved from http://miso.sobornost.net/.well-known/erik/index/rpki.ripe.net.

MIIoRgYLKoZIhvcNAQkQATeggig1MIIoMRYNcnBraS5yaXBlLm5ldBgPMjAyNTEyMDQxN
TUwMjlaMAsGCWCGSAFlAwQCATCCKAAwJgQg4x/oKSpJWMYfiwmxlXsIihgYTHlw7JG/Xl
JIBr85aF8CAj5fMCYEIMobcoUB80mqesZ86of8vdvUHU+IN/Lv36xYLdsG5YWyAgJFjjA
mBCCqYaG3CBGrgisIby+kjmrMCmxkM1xRX5h8ySkpbi+YzAICPZcwJgQgnJq0yJdD4sPe
/GtzgVElsLXAMgagucbr0xF9ROC7nPgCAkZbMCYEIIR2TnjK1AB/t8ayJgf/iq04FJNPe
Mljb1leJ/tedYvLAgI8yzAmBCBFiyaGABNV7VukoKDMU+LlSv5I6vMVdV+IMBgs188oaw
ICS+8wJgQgKixW27oZqi19K526VpGlZ+0XAQDsVGknwNLDdNg+oV8CAkDGMCYEIPZtvf6
KEIPf/UyHxTN7ypbDovmhcBeyZf6wypAZcvN3AgJIvTAmBCBaryJe+uBlcLB0dLPQsS46
GA3XKUIcMBdWBFn5gCNWMgICSlYwJgQgklyrCIkF2N7trfYE2d8K7HIaiFSG+Y+EW6Imu
GdrxU4CAkpXMCYEIFN2PuEDxaS8Hgl1TTUWLAGzc4tzhDHyjKlaw7PMLJJOAgI6ZTAmBC
CTocRYi5ZYYx+H/WTzAY2TDKX5tv9ERa7N0llUqpx7MwICRlswJgQgt/tI2qNsSmxUtAt
KfUVbjVlM51s6lArVlXzq7E991BsCAjmbMCYEIEHlKn1Y9XU3FMQpoQ6VOzEk33YkfBfu
VaUbqSNB4E7VAgJKVzAmBCB4X6f/hN0fOVLJ41rfduCjNWOtAhA/+hlaC3xHOOVOYgICQ
ykwJgQgx1lUblpQQSwopLIWIgg532kTyS61EYHziHmNdl+Ufm0CAj8rMCYEIGADEKt/5p
qBqV5sY4Drm3c4e4Xu8iDZeh6siGQ0MVmgAgJCXzAmBCBPAVLtveq6vWiWP4t3Z1YMqfB
WfnZYiaJexvnZdhJCQAICRY8wJgQgkkxXQwzVeUbM7QiAf5lFha9sN8Yb+1+zjmOC3lk9
CVQCAkDGMCYEIC9QE9ANo0jFeOT5DBQl7112OjyYHVF01Bsk6yWpvfBRAgJD9jAmBCBI9
WxfgjCrZLA4zOmlamVT7fO/k8+QuIYzr5O5O7dqcwICMaIwJgQgCdEsYGKw3zh0CZg1+q
3Jf/Ezvqnw7kTf1TKY13AlJ4oCAkWNMCYEIJMykWJkE5jvTwuYUx14EBUzyRl0xJHAfiS
ZxMxgmXCBAgJIvzAmBCBq4Uan/5q5axCWRQ/E6j8MjyMNtWpft/qyDuRk7DJRdQICT+ow
JgQgRnTIHGqCEczZNqIHqLz3Cg4aAfCI/eIBArHUQEwkkf0CAjZoMCYEIG3EQ7dFpc712
c7pghGggSyzcl9f10ZyCVYxtRUYRoLHAgJMuTAmBCBECs+7SNPtDdJeOjmOW7LUudpuXS
G5/iwnU57tpnEBSwICTk8wJgQgiE+SNWwGyyWk3UHpdfZVU/cJLmniTYj+Qx5Q/Pg070w
CAkP3MCYEIInS7jtJG95+/QHU4B7BzXiCxLJGROQzAGVgP/KTSLUdAgJLIjAmBCB+BtWf
llMd6ljeOSVMeWL6XlVupWpmnEdzASHQ8UUEawICRlcwJgQgh+9Wgieq8uWJPWuk1zcHQ
tfAzcEtSLu6cFiizLB/FVECAki+MCYEIALfQ6cn1lFUUauKtQWfnAKyip0xavUyTPqyZx
4SKM0bAgJHJzAmBCAhDGSV1JsMYA/0uma1NM8jzhfDFZhVfmVAT290/unlRAICRlswJgQ
giXYk6DZycnPrY45Me8jeutomw9j7R7dMp+TAkTlDI+ACAjpkMCYEIK29pj6RIPa4vXrG
ZmczHnbGFhkDZWMvtPsb01SMxsh4AgI6ZTAmBCDX9v1Zo/HzOAk/9UBIk7/Rh2iKRxjks
fLlZRkSfU80PAICT+kwJgQgzko+CaHpqidtAwCkmgVjjE4yxHwoiR2frTLcof6FbHMCAj
zLMCYEIEwbZty1WPIBWZao2qHO882KxcJZ2GBdFxKQZpVgdpOBAgJBkDAmBCBYqw2PTol
eEktObKpm2FNcGY5Rtt5H1sxtv3keeKam2wICQZMwJgQgGbxgwo+P90tG/fijIccclzHg
08OI36ywxGAriqp5zt0CAk8fMCYEIB1IaNV+Ur3jGWJdt8nB0JP4EqWph0HzfvLesD8do
6loAgI7MzAmBCD0G+ZuuiYJuO9PUYI3m1IvdjjFq6buMzmMjHRm/MkwmAICVxYwJgQgu6
/IK6huz1bQRFpHRVKwJPr8mCpJTiNQjHlsz2n4qE4CAjyjMCYEIDDvXbCF/QIznVr/82G
vLuSerQxYfNjFzk+ADaTmaR8zAgI9kzAmBCDNR60L+r1YrVeecsceLh+r4ZD+RvxL2TdF
IeAtaG/ulAICOmYwJgQgQHopBzjK6FHz07A/+gxzp3mfchu1txXIEKyDnIdfiuoCAjgCM
CYEIDeyYAHLFhrug/c5UtCmnbYekwutqFLPKwHC262ZFdi/AgJDKzAmBCACtf5OZDKT5K
SrDnca+N1PEzE9vUq4m+MWs6s9loxCYQICS+8wJgQgA8jyuvhd7MMbXzxmnFHW/2n96T2
pVEMQyu52XZqRUe0CAkZZMCYEIA8p78+/SITzJVMdg5PC4OAZfg3cRs/fDerB/eyYMaKS
AgI+XzAmBCBhmqyqzBYgBCN+cBE2zS5q0ruGxfk8UMUcYNEYIZBkfgICR/EwJgQgJ6mSf
oaQQ7V4LDD2eH/mVyVd2Tjcb5erYGFiIJyQCccCAjsxMCYEIDrz2cjTrEVBsunv8BoP+I
uo+hq6SMdYYRLFrwmgj1OJAgJIvTAmBCDt+HVE/jz3ENTOPKFAmWPxn+tTHawZHh+rp7d
zJPPWBgICPMowJgQgjy7mcvPGelL8IqFiOybwcLN70vvPCmod80FLzwfHRt8CAkpXMCYE
IIpl8t92Wdl3Hxtmyo7P56i3iFH+qs+bK/oxdJx4f/IKAgI8yzAmBCCbYaynY0966Y6Nc
jVVwbw1KTgHl2nZxiZo7v5Or6/OsAICRY8wJgQgW0VidFJyAhev/M3Ok0HCbvLkB0aU+P
cBT5DzUAd4TswCAkTCMCYEII2rRGW333DGPqlsJGDi9JoQj237xGAw1Ot/EKcn/2nwAgJ
D9TAmBCD3JPoboP6sGE8/DGW3iGXOK4I3SYKTA90HCAbv9HtJFAICPy8wJgQgo0PstHri
9Zf8NlQBnsikihoCOIgfCNGh2eYKajPUPHMCAjzJMCYEIJHuvkdaX/dACFlrwd4kNxe1j
edljz1ZfVGrgXwWN5khAgI9ljAmBCCqRvR92um/FWyUHc6xiwXxZDLzXvKg0v6y+hP3tJ
OylwICTLkwJgQghdHSyhKnQ6mONyEiAWXS+7/mLgmWqxkCJiUTmcQ1oAkCAjgCMCYEIJr
DVbCc9hcwuJ/Ip95x3d0QkZQ67H43bxHbAwfagaqoAgJLIjAmBCCkBAtAhf0mE/oa1l+P
3fe9j7zo9k6WemIIlqFaSRFwTQICR/EwJgQgbmq5I+ZgR1775kSHEcXnOQLKjYEUHF+rX
BSvhRS7iGgCAkWOMCYEIAmSQuvMuE31r+W0fktmUIAJJVxqVjyE+wseOcAwPJilAgJDKT
AmBCBlgenBE2JcY1T7yvT4fubh1y2y6cxPkKnxgX6BXhv3YAICSyMwJgQgW6LQnSLgFvA
FIWPBaClqFB684DSyXYmYryNd20IQYCECAjZqMCYEIJQhsD7l6CkaD9wvela9pNirzGCs
2KvyMIMqRAgCY6gPAgJEwjAmBCCA5LS4RSCvfTbsg/e/u680U+CaHQzqf05gAzb/dYj7e
wICQMcwJgQg9GKlbPIQMTXrXNkSACtRLtU/YR7K+IwtVU2PP+Ht6EICAjzLMCYEIGVHk2
v0JZaQDEb46YWCzq+v6h54XdwZG7njcNmODtj5AgJFjzAmBCAm+h6Ozp0wrtsuNNVZ4Ho
WCPonDyz48bztA3mAPW1XaAICPZcwJgQguN84WoVJRbzWHxXI6+jfqBoT+nHl4z1tcaR3
dhur78UCAkWNMCYEIBXef5zKL6wQq9HpQGoy2clKNeaG2SCbc8uTeRw+6x3GAgJMujAmB
CBE3HHOWIOxlPyxl+Ntxfz0OwIU7YE5cUX2YsiVgCTIbQICRY0wJgQgYVIRXX1SiDri8j
UBNdfzh4tAO9c9FEgbcfcovkeASyUCAkpWMCYEIEU/0TOZq6WswMy3R/GDZ8E6fvWRt0h
ruH3D8SqTwxunAgI9ljAmBCA96mh+VUbEdl7anhyu2o+R/Nq17FPlLybZx41f6K2+HAIC
Ql0wJgQgzetWrgTL3lvU052dpUlnpYvpZpZkdNb0/d9Ch7bI3U0CAjv8MCYEIPFjJ84Ro
2rqgrSO7GEG5P6SEdmPgCHj1XXMLQd0YwrsAgJGWzAmBCBLxWFOySITGB9+bVw2mCfUVH
SHTNqUHJMbgrRw4MmougICUxowJgQgdrh5rk4vAS2mDHPPzU0bZTu9LFoO1OR0pJo2mRH
x4cECAkmJMCYEIDjWKGcGrHuWmsSAN66PrJ1GdB6iOCEwVl8wX2CRXdk1AgJAxzAmBCC8
GJe8nPS4biUwc+tVWdx50oxpIsnGXOZ8zDcmhXbbDAICMaIwJgQgpMU1RPwde6nUKGzCU
fJBsjI0FmuAPqIHcmncDtbyVO8CAk/oMCYEIL0bhIL0Mv/W08Y33ER2i+fAb9vnpZeAZt
fRaXzzlRF4AgJJiTAmBCAUcBWpSH+rULDd8F+VhXBbl8UhKXLufo+qxb/J+yMsLwICPy4
wJgQgrVfKoxFh/O10s2WFWEfwp5UjjqAsPQho8mju04dxJWgCAkJfMCYEIIUbqmWEy+/F
A2Bmw/PknIWV/ProvTNA8TirzDxMSmuBAgI/LzAmBCAKX8FQOqNZZBwj4fl8m2zt/B4by
5Uk/Dp5I3jG5odACgICOZswJgQg5XFjDH2PiTa3zA+zHEFE2ZEz2FCFyR5JVJrKk6GZee
wCAkGSMCYEIL5cu7mhhCoBDxVOSKKy4S4KkUv4BXot70lTvIIPS6cYAgJH8zAmBCCkbj/
zk66eAZq40ESpZiqRslBAIpGb+e/A5FD1H8HNIwICPmIwJgQgVfcD2Ar+9FjbAfUoP1fT
nxF6vvcnitD9dtdeQsbT4A4CAkvvMCYEIF+lCjfkxb3I/1pD+HaA+Uz+k2JysW7RG+CAY
9Xgzl+2AgJBkzAmBCDbhOqNBPRZknT3PHIIwRXkYT6krqee6s28uCz7+BdQrQICQygwJg
Qgg2tkk28Zc/y9ajHTABYoz4U70mwtvolE9nPfJG/kxV4CAj5kMCYEIIQhZOMCG310Bfy
o9t+yz8z/c3C9XnEyIACN1fGSJV+SAgI/+jAmBCBXtrgcr97BR/ldgoD5DaeSgiCQud/n
QLarn+Ii+PoDjAICP/swJgQgDSQ5xCutZkAR8n2aVJioqXLlbBX3lr9b/LqF7QAptecCA
kshMCYEIH8dA6UQFwFx4Ja4JQ9jooo6Y7fRuMFF7VaTGTdJ38g8AgJGWTAmBCA0qhqusv
mdYzgmPyaJ7uU8qXqI4SiOb5GSBGbrGpchBAICSyEwJgQg8mziFZicz3gCcJQlsoElaw0
rG7sRThxGTqHDlZz7UM0CAlGDMCYEIHO2yUhm3/iHidqqiSTiG7eiRgw6jvWYq50aILSw
/SAUAgI00jAmBCDC6EVgfiSGyalDKi/IJqV758ux8eZRU+tQJhJONH8EyQICSyEwJgQg3
0LTyNbgjGHuQBRdrRhNaIcxEmW6RpECZIrx6XI+ahcCAkMqMCYEIEMEM3X/ZDwYUNRHSl
Io4IUVHmRafZoQam9bmpbhg57sAgI/LjAmBCAbuenguFontLUzo53mGjeTC6WL965Vhj4
dM7e79HLxIwICNzYwJgQgGdK/YD8SLdHLTD8uZkW75SLOZ5TnypmwxS/nKHsrsWkCAk2F
MCYEIAGrCRDxSWi+I+4JsRp43c4oDGVZLGb9ElKuKMM8KEykAgJMuDAmBCAhZgpSawt+o
gpkFVFs3nkqA1rcuJgv/wd0sWE6sII2hAICNmkwJgQgWOnhiVcU3/eZ/rRKNQZZcOodt+
f9+vT4iHozUuDSQEUCAky3MCYEIHkhy9yGqafB2PueCoTucb4rbeQTkSf0mIZ87Jwh1Oq
LAgI8yjAmBCCAKzGm73IwY8qkZ0+PuSjqHpQSuQAmLTQ/kSF5nGXZlwICTYYwJgQgzsO3
FlLCAo0NS0Sn5D30B9/OzXYCPUU8OQN4oAPJ0kYCAkDHMCYEIFrglpwf9ty+daYdpQ4HK
lHcsoQDVtFbswXE8VkUZgE0AgI/LzAmBCBm50p62KeXnutNHrH7W2A64qPkOygS/bt/vM
VnW5m9LAICTYUwJgQgBNjqEK50W5r4N8ZoDhCE4o+T1+Wt4jpNc7lK5mrbxqUCAkGSMCY
EIBF0xJLV1E7obtFGYgnzIlt9TpHV8D923dRzRJNIQrxlAgJKVTAmBCArhWP57bsqvLfk
cNVSDlbZMsaSpgchJA8MudTaFs052AICQZEwJgQg24oKFWlVfxVF/JG4AqlnxhtH6MVoZ
bsQrEWirIn0t/4CAkGTMCYEIN/lj6dTPZ5CoHkB36AB5nYmGJWnp79ESeMJRDMojSDQAg
I8yTAmBCCDDxAH68UiuM2M/8lwFNE1IgAD7iDj02ZVdfuuxpKpIAICRMEwJgQgLY8RJzD
LqMd3b39duwPy9sGs7SNkuaIi1n6ypeo/7skCAkDGMCYEIP4vxPtViJ0bfMvG+zwOceLl
NZiYuhssqcF9DfDdGDRtAgIvPTAmBCCp3Dh8bxDaR1RO0nULrVBRQtGNfkBtI1eDeio+r
DtKQgICNzMwJgQgXfNe8W9TqCUNjiRgm2Qad0NqL9P0PApp2BfAq4uQrJgCAjmZMCYEIF
iVADAOnlYoqnXQn5YsnYbvLc9xIbJ3ANOi5qR21a3yAgI9lzAmBCD5S2gwoQ93W3hgEH2
UGsJ+zCW9iyqM4XXqB004ttnAYAICS+4wJgQg+AtLpyI/11sXB+wfyQOLKtFtbybh7WZH
DjKwj/D/dnsCAkJfMCYEICXUfPECIBOTdi97KUK7rNBmbcSET0hDOKDFrsGM5nMqAgJD9
jAmBCCwQ88xfgpyEyAQEDLHlK1dn9lo1WwnCDsb3oKQJv7EgAICPy4wJgQgqBdlKM+0SB
inwuEWLGzQWxYGlFnNrXFl+jm5Zz3Nn6gCAj5hMCYEIFBgaunZerApwsFUAo1yR2lGvvA
Xq9/9+ujZ8JjU0smcAgJD9jAmBCC4kogNf8/ixq2OMQmKnbnmZa9bYgXKTKyzQCxeTNIt
4gICPmMwJgQgpHaEW/yBLT7Ov6voW42VvoULe1ElBodkhfKy2cLk+rYCAksjMCYEIJSot
RDbW5tq7yj1fxgeWhv8zoBvgv/PI7qtG68Dsu1CAgI/LzAmBCD82iIe/5q4LEVwCCUxDC
0KCvouOIWGBOUQ/p28B6ZwsAICOZkwJgQgbmMk0zGC2W2BWxsI5JrNMXlWeIqDxDTd6md
T790OwZICAki8MCYEIBpl1R12qiQkIqyS0MJxEgmjPSQAwNLHa2/76OGBJxnaAgJIvTAm
BCBboykRJ8LgZPDDH3XRrKAgD9y5f2X3Mh/oUWXuKdNKKQICSL0wJgQgGMaUl5lmiraPE
n/Dy4LMDEC1y9ZKIuSiltY345kYqwcCAjgBMCYEIKMU8mSY3VaDe2OUSMqQljO9pBOOUf
qHaZhXr/W9P16UAgI1njAmBCBIVFaif9OaLLsEyoozVHBuY4usCebsHsxoFdy9gVdOzwI
CTLswJgQg4BPZtxSjMNlDAKNfywsKnRR0i1/eTamhuL+sIfHP8msCAki9MCYEIPemzsZd
gSMJfoCw138KI29jhz4vyEy7TcV6pDQe67chAgI6ZzAmBCARX3LYNiDjUsn5gQe1AWNTF
vXVJKpnRNMYEeA+zbsJkQICPy4wJgQgJQbTN6bSga5W+5i7BaT+RT4JjBlV+lCyuKTlW4
o9S0cCAkWPMCYEIEmr1s3jwOenh9RoVPFXcNFQePCe8nbAERKrKyapWzSoAgI/LzAmBCA
rVG5vjeRsa4RDnVpOekadVMVlhnAwwEBNN5fGvAMBAAICOM8wJgQgVjT0UBl6u2/LnVzM
uegzxjlAtPDACnWdO2jQ2J3IpKgCAkseMCYEIIAR2VegdynTimpRoFXhwYecP46WgWsOh
W1/5XszgfdGAgJIvjAmBCAn1brvvPX//9sM6SXrRCNDImNHrey0c7mU3xXQSW7FoAICPZ
UwJgQgPQeqNYTxJ1pEfneXkPhvoMiSQUp2aV7NzuHLOFd4ebsCAj2WMCYEIMYgsgE7Emg
F9wzxLpwXYMDiVKOMmxY3azev/8gGxi8tAgJDKTAmBCBBzmZ6wcIbV0VpyM6n0M/qRl6y
nH6IfEYgfKTOA26z9gICTLowJgQguthNljocxUcIGMHnuvWYyL6tBsq/8R1ei/RsQKahT
msCAkZZMCYEIC7Ks7X/jb+isMNyUpRQEOHcDpr8pDuXeY0aVzl4xesfAgI/LTAmBCA7RY
HzFRNmJYdnwCVb0jU77cR9JQB8HqHCv6AiQ8SlogICP/kwJgQgnh9lnmv6KSL3ny2aWcN
PQD9/fqRxydUKT4bepF11s8MCAjgCMCYEILJTBb/33UUkY6DOdinhSSqHG+hT8p2zMliq
kwUu2rItAgJEwDAmBCAM4bqBDe1v4ZfffMuU7oj6kkkgtd0t+zXNgQufo12giwICS+8wJ
gQgueoq/RQW14ZGgyW/VdGg2M5EzqoW7mvnUjQIOAFb77ACAkTCMCYEIAJvtz6Eb3dPpP
k3q0mPOkP1VRBYa/GgY/rXYzfetrO2AgI+YjAmBCD2ys9+Gzi6tA3MDq2g2t9z+sdVngk
KD4OdXl6NDg03/gICPmMwJgQg88ymxXKkq1NeKsg25UFsMhVcOO+mXqqRjrFClzIhEIQC
AkDHMCYEIGaxs2DRUI7NvCzWyJxdQNC7isr+kHriD7SE/FXlqO64AgI8yzAmBCC8ORrVW
K3G+jOQk8Uvpb0Wy8Hey/XvtBapYuAUIK9dGQICQ/QwJgQgbCh7NIxB0CYFuRXiZcGf/C
a8rf+Qdf+QpgivLE8i/tsCAj8vMCYEIA8jsS5wh4WDmiBy8xz9nr5nD5MT99QcCeHqM9l
4MnhrAgJJiTAmBCAnaKsbEE0G4GDicwfz9sDx9Cw1KER/vGIZOXGkDnH/egICQMcwJgQg
3zZIcB7DIrxb4Q3zevgFjmRArwPceMi6e8yWUrQHn20CAkP2MCYEIInswVJqKRddPe8Y9
iSGQyBxK/Lf0rwURctIu/CGyJOpAgJSTjAmBCDdy6WhOSuoYZDNh59NfTbkauSm1uyS5c
/XvkBfkxGn4wICPZYwJgQgWlPx0zYnwBShJxszztasKd49A3Il8cfqqT5FQZMWf38CAkm
KMCYEIJjq08N/JX5NFFVdJmgvxmG5Q66KMm0QF1Vhn1lCuCx6AgJAxjAmBCDwQM8JvwPQ
vlCyw6WqA4DtUgzfAsSvQt+tPtt8wRC/QQICO/8wJgQgzjsw75K1vrKh7uEEljRyJlJr8
a90QvkWSjLRg2vhmwYCAkvvMCYEIEnuAEb1foxUnpWzZ23HqOPcN1MIcTfOj3PSCdmBAd
csAgJMuTAmBCB3C/cPEYA8tW9GmQYIpPWax5EKc/Zz9XNhpQlweQWZ3QICPZUwJgQg9AV
QrKWCVHGE7GZ67jE10Yf7AoS9qzv/uAUeBWg1OnMCAkMoMCYEIBVAH0wPkeI3wXvFQRob
zp0qLKUnEc1aZ3Fh5j5kpfpJAgI/LjAmBCCnmKBkVlqYi1JCGsiIJePpEu+sqlhhrog/D
ma/2XqqgAICSyEwJgQgI2gf7h21qgaeC71D72B9VskQSmc1jnw6JDY7JRwfT/ACAkDGMC
YEIGthUkNF8cObA7zJlGekoWfamGu9lOGXSDBQctwHZOc/AgI/LzAmBCCEMVbli7ike1Z
2yRlUBqPw/8wd/TkC6TTqR0owbRjOMQICR/MwJgQg1ZOPRJhUzEFXtCV/arZnp4uGqHNW
H6JFNQ8UhoswbngCAkDEMCYEIOndmi/+jQ2++O5gRTEjjLBszmVi7pBCMCMrUs2wB8f+A
gI+XzAmBCD8dQm7VCK52xokiFkgJRJL3/U7JceOQ21vu8FBB1r1wgICRlgwJgQgSO6a2V
qH4vXsgXkD13LGCOjwAhSTYjUlrUBXOWUWmWgCAkJfMCYEIKBLFgUB3lJ5T6yZBCk7dom
M3OW4XKJZh02GUJCm4SF6AgJRgTAmBCA2exdb0uH32yIPWFxwogpaERMkC4vj0sxmEgUw
EIPrLgICQl4wJgQgX0xFcorirB+SK2SUXyYPLhoPSYXzLWE5o8wVHVbhB2UCAjszMCYEI
FRTaqDdkVZcVHBW4TGgQtpTtCd8DIBUyDRW9np6M7euAgI/LjAmBCCRSk4M59k8rhUqcP
PA6f2lVS8qhaRAb2NbFCN2M/uHWQICR/IwJgQgGJJ8cBg0iNM6/QdQILsMbTquhxF5arP
6ZgwYEwfk8+0CAj2XMCYEINYrOXjqnB8EQn0d1IQ1Ipn0gZjo6krGh2EYOwn7Hen5AgJE
wDAmBCAyXckAVX2/Dz57+iJFs5Icf8eUMT9I0b2MWDG0gRKDXQICP/swJgQgSVgbBx/4X
T/2hPogXV8MPA5dwA1m0q2gGZzVKH68P8wCAj/7MCYEIClfwSrqY4RnPniQdrNMzH7AKe
JMVbNPxkWPi/qE363dAgJJizAmBCA544gg0rS9GU4gG4p2wr6FfwtrUVufS+/9rIHvili
ncgICSYswJgQg9FRuesNlpRek7jXdLVVYunwcRLb9doA62yyEbvNTXX0CAjQHMCYEIMAA
faQwhdKlsWFz9RzvTQh2/ESGaQF0Q0tjMih31NddAgJH8zAmBCCl9P1vxLv+VIxDI6Eam
imf/5BR8AcmvOF+bxuP4vRGfAICRMEwJgQgfoaXT2mGxLY/Ob3Tl0wIHCNGZdvOSlssAE
Nv4R3BvZ0CAkMqMCYEIHlof9g+o9SUgSAGQ2EtVXbtDACiqScJ/IhNan2KRnNHAgJHJDA
mBCCXjPliITDIuhUM3ZqrAvNX2E+vEmZ031YvQJqDjSrsvQICQMcwJgQgm+0Vx416esms
pxxKD4c0S2McWdLqmz4xnypt90x45lgCAk5TMCYEIJ0KCRIm35/pVY17REipoIi0K/goM
XhM5mmjtHmtuT1+AgJDKjAmBCD7lJmSu9YsXcxIy+1gmUYxuwc5vc/NpYgq2g8lTDBqng
ICRY8wJgQgZG9TqRGWnuQ1qfcE2lUUDJNXhgbduDiQTqd4e1AlXEUCAkGTMCYEIAqqVPh
0do6/dmHHOZhhdJ2KnqA1E0oVgZmZ3/OkjOOLAgI7/TAmBCAmxQMBjHFMHHgokuF59mNZ
oFbl41DV0qi3rh3EoqjdXAICPZYwJgQg8yXQ6vY/KdrQEO7xs26S7isiDtGQC3k9JgmPK
12G6loCAkJcMCYEIJHMC6//KuoppKAHO8sXbBYxDl6Bn/cUuhP4GpvvZ13ZAgJDKjAmBC
BXdOTQ4Uc3ihk2XzeThCv0eSO5hicUQ98pTfRCq6xXqQICR/EwJgQgUPJfy+Xq7rkjwCv
JK6ru2yRxNtywwwIy65JfYLR/j84CAj/6MCYEIASsv2w0ToqnMDJKL/Va1RrOuLK5/6ll
4k21fZoiiPlCAgJP6zAmBCDT0n+sCMW4PhdcQiYu0y678KjlDjkeVBMJaUlEfL2IcgICO
mUwJgQgU3HEjdkO7XLMG2bmuU+eroMdsUD7IJjVd/mWXKlHUmECAkpVMCYEIExE8Vi+T+
3Zxh9wwI3mqUl5kpO/7kPViONQmv/2fVPdAgI1nTAmBCB6NS2c7hHgUfF6zYWLTVbDnAU
ztPpmELB/6PcknrQRvgICQMUwJgQgN5+qsgtkVs1DoznIHCRFGems4vF/8MXvELJ/JR3m
fhwCAkfyMCYEINPEOBxHx1i8QTz8dTY7ztC3Ut1OkXS79v41vJ7rBfAdAgJPHjAmBCD5q
pWCh+lIHiW3MPHq/5f6Z+dZ8TfTgEJ5MqhjR1NjJgICPy0wJgQgdqWrpRWM0Kmk7Cw5Dq
6ClVRT+3T8tKPA2ZXLifuTn/QCAj/7MCYEIM9qgtaQC9RyRBu1WdM/XSUCtFfXqSFadcm
q0dAryrUgAgI/+jAmBCAF3xizmbQIrHpSID3SzV/LB4UoYjdhEGOG+/TgP2ImDAICPZYw
JgQgzAsIDe3o9/TCB5w1ftflaiDfO049Wmt9BTDJCOLu+GgCAkP2MCYEIHaOTcw7oC+2H
k/NI6Eh1vsJRvo2RWD5sWURZ0F0qLwhAgJODzAmBCBsSfcTsZXq9EEtXAYrerJS9zDA39
RxLDloOpbKrhBA9QICQl8wJgQgnNoobYKqzBglJ5Pw1mkBCQweT4iZyjzJPDuM/uG559g
CAjjOMCYEIJ0p9rSsg2lYMUa8VFqVZplkqlEn9bvkAMVp5x18Y364AgI3NzAmBCBQd16c
NsSwy30XuCtI3M9j6Q5bnZdqjHIUZozG+QzOcwICOKIwJgQgkmLBowUIE8wYO4P9bpeKc
rlitxZWuS+w5Ln6KlRPbrYCAj5hMCYEIGMd6IiQEHcKfij2FrnKTvYkDhJ5g8uCFDdgA+
Jr5yJ2AgI/+TAmBCCPcWuPpPKFAILCyrtvUj05K52MGVzQCLEXyQW0n2OCewICQl4wJgQ
gu/1jZk6dg8MNt3UpFZmV0hg90+qKXeypSK4416AjbuACAj2WMCYEINCrhwbUxtD83LrE
58NPGpjXsfoDInyjJKE6LbBCtJdZAgI4zzAmBCA6hMsuP177KE2buf1VcoN4fXuCh0yjS
VAFRK7ytTUkNgICPMowJgQg9YxJU0NKjXXQoljQkOLY3ZqYMWiIikyKUu0hkhUa7KACAj
mbMCYEIJ0NVZs9o7FnwHnygniUvAWYtJR1VMOiJJ1TYHLDOL+6AgI4AzAmBCDFekPZ2Qg
ESuQ+xRhauGsTvTgsclIsoga/8HCms+TIggICP/owJgQg9iWTgRml1RJRE3u0q5Q6zl8C
oKMooD+Q7oz1kdNf75gCAj/5MCYEIMs7/eck6d/VeSQzlyrroLOagyV2QLXxXENsFXqYH
gJJAgI6ZjAmBCAkqjhrUQ+9qofaokuSF+Jz7LWAyBvUYSOn89qv7tuxdgICP3wwJgQg/C
7mvz0TEDzSIVxau2non3Z5yE0RhXQAF1ThJj9p48kCAjXiMCYEIIaU/06NcQnr+eeraHr
l3Bco5mTopnT7o0gai1Qiv369AgJESjAmBCBgqkUMpsRvQl9gldMoaRtHflNWW0YEMzmp
g1GwRcObLQICQEkwJgQgC5JjhUueyDrBi1CX+6DYsmx3P1fgZWNgx8R0EiTPny0CAkWMM
CYEINi6PvXaOO/wWCRyEmINw2gTnPqJKZeXpek+/RsVHbnzAgI3NTAmBCAJTdNkxQDuAl
sgy3jH0YjDDyEzAqHN4se8ua9JNhhwFAICPmEwJgQgke6G46FoYOQ06Gv5Wno621xoLZt
3enSh9VwB599H/bgCAkTC

B.2. Example ErikPartition

This object was retrieved from http://miso.sobornost.net/.well-known/ni/sha-256/_i_E-1WInRt8y8b7PA5x4uU1mJi6GyypwX0N8N0YNG0.

MIIvOQYLKoZIhvcNAQkQATiggi8oMIIvJBgPMjAyNTEyMDQxNTAyMDhaMAsGCWCGSAFlA
wQCATCCLwIwgckEIAAuJaN8fwRVh+BM2iQU8zwmQ0o+2bRk7aThmHrNmZYSAgIHzgQUf/
yCWF32m3yUsWphky/8i24zUVYCAhM0GA8yMDI1MTIwNDEzMDIyOVowdjB0BggrBgEFBQc
wC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvZTQvNTMxZDJiLWUxNzAt
NDlhNS04NDA0LTkyZjczZjU2ZmM2Mi8xL2ZfeUNXRjMybTN5VXNXcGhreV84aTI0elVWW
S5tZnQwgckEIARfyrvCkwvGfG5+Bnlv9ZPVC+mpSDNaOoEeLrEKI8jSAgIIpQQUfz4LJ7
jk15j5K53hV/HaWkPNSeUCAhGZGA8yMDI1MTIwNDExMDA0MVowdjB0BggrBgEFBQcwC4Z
ocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWYvYTBjOWFjLTNhNDctNGQ2
Yy1hYTE1LWE0MmVjODc3NmZiYi8xL2Z6NExKN2prMTVqNUs1M2hWX0hhV2tQTlNlVS5tZ
nQwgckEIASOuTJhwS/R5SCAryuRoUMtud9WKyjk8QuPAwfUp+4nAgIHzgQUf9GKakmRDM
Mx3JERSuWbcYXV8w0CAhddGA8yMDI1MTIwNDEzMDAyOFowdjB0BggrBgEFBQcwC4ZocnB
raS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYmEvMDk0N2YyLTIyY2EtNDdjYi04
OWFkLTNlNTBhNWYwMTk5OC8xL2Y5R0tha21SRE1NeDNKRVJTdVdiY1lYVjh3MC5tZnQwg
ckEIAn+REFBkuOombiOjqMzWBPv1ZOv4G9Es10+CrKkEhFvAgIHzgQUf5tM/cmw2ePDHg
67gebxscu9yeQCAg08GA8yMDI1MTIwNDExMDA0MFowdjB0BggrBgEFBQcwC4ZocnBraS5
yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWIvODI0NmViLTg0NjktNDJkZi1hMDhm
LTkwYzQyMWY1NWFkYi8xL2Y1dE1fY213MmVQREhnNjdnZWJ4c2N1OXllUS5tZnQwgckEI
BPL0xOSi2ax+UmPYqJpAp7fbvj7+q5bP13SDWtbiC2GAgIIXwQUf1byiUjIMvLUNLtE1d
4OoSJgGwUCAhddGA8yMDI1MTIwNDEzMDEzOFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXB
lLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvM2EvMjFmYmNhLTgwZTAtNGI4Yy04NjIyLTRl
ODZhZDY0Zjc3NC8xL2YxYnlpVWpJTXZMVU5MdEUxZDRPb1NKZ0d3VS5tZnQwgckEIBi5m
euqRnbENZo8+6a+7cuE8rM0N+CC1RKoU/3F3I0YAgIHzgQUf9YuQsCOFgHEVx4NiKNJoF
Cd6l4CAhLkGA8yMDI1MTIwNDA5MDA0N1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5
ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNzgvYjkzNGVlLWM0YmEtNDM5MS04MGIwLWU3NWE1
ZWE4OWZkMS8xL2Y5WXVRc0NPRmdIRVZ4NE5pS05Kb0ZDZDZsNC5tZnQwgckEICFoZHl/u
Qsrstxg5jVsF0o66a2URqYEMxsstCBR6ayzAgIHzgQUf5LfdhDwSPQ79EwzbUHGwRV+8O
ICAhbvGA8yMDI1MTIwNDA4MDA1N1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9
yZXBvc2l0b3J5L0RFRkFVTFQvMTcvNThiZTE4LTJmMzUtNGM2YS1hYTZhLTdmNzJmNDRi
ODk4Mi8xL2Y1TGZkaER3U1BRNzlFd3piVUhHd1JWLThPSS5tZnQwgckEICJ/nn7xrOg89
rSC9x8XbrMpnzbgswNkXhjpyNpNg7xcAgIHzgQUf6gWozONMnQc1P/49J3bLMg4/cUCAg
TNGA8yMDI1MTIwNDE0MDA0OFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXB
vc2l0b3J5L0RFRkFVTFQvNTMvYTQ1MjhhLTkwZTYtNGQ5MS1hNTJjLWYwNzE3ZWE0ODVj
Ni8xL2Y2Z1dvek9OTW5RYzFQXzQ5SjNiTE1nNF9jVS5tZnQwgckEICQswPX3MVLYQZFbS
l9SvftV8NECr6wRKoRko58Wx6ApAgIHhAQUfwdXwzGYHgQrdHE3NSfQ9koTVrQCAhMAGA
8yMDI1MTIwNDEzMDAxNFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l
0b3J5L0RFRkFVTFQvNzgvNGY5NmY5LTU2OWYtNDMzYy1iOWE4LTZhMjYxMmQ0MGY1MC8x
L2Z3ZFh3ekdZSGdRcmRIRTNOU2ZROWtvVFZyUS5tZnQwgckEICYTBJJUQ+3w2gdXgi1HA
Jjk2s9bQz5PRmBs7DERRx6QAgIHzgQUf1Eig3R0LfVEqpMFjFo709FkIZkCAg7NGA8yMD
I1MTIwNDE0MDAzNlowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J
5L0RFRkFVTFQvMGEvOTM4NWFhLTFiNzktNGEwMi1hMDkyLTAxZWIwMzY4NGYwOS8xL2Yx
RWlnM1IwTGZWRXFwTUZqRm83MDlGa0laay5tZnQwgckEIC/IQ9FAvMaiWcF/A1bZhKB/K
fg74+e/3Zie2YQJWF6TAgIIGAQUf/G4HP5quxGOl+AyW2Yur5hPL2oCAg3IGA8yMDI1MT
IwNDA5MDAzMFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0R
FRkFVTFQvNzUvMTg2YTE4LTVkN2YtNDNlZC1iMDZhLWNlYTdlYjM1MDUzNy8xL2ZfRzRI
UDVxdXhHT2wtQXlXMll1cjVoUEwyby5tZnQwgckEIDklLMNoL6OCi5h03aH7ugigQwxCL
LSnJc4vCdXALsLKAgIIGAQUfwOh+MM0/b9LeN7wxZL/BJDd9LACAhcUGA8yMDI1MTIwND
A5MDEwN1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkF
VTFQvNjYvM2ZlMWEwLWM2ZmQtNGJjNC1hYWUxLTllZTAwNjk0MmI0Yi8xL2Z3T2gtTU0w
X2I5TGVON3d4WkxfQkpEZDlMQS5tZnQwgckEID+yS/tG0LHqjZhYiFes2AulvPEr2jvxX
6JafPugnT66AgIIpQQUf1FerQle7ZrEyrxatK0LWGfZ8BsCAhdyGA8yMDI1MTIwNDE1MD
E1M1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQ
vYTcvNWMyYTU5LTYwMjUtNDAwZS1hYjI4LWYwYTYyNGQ0MDkxMi8xL2YxRmVyUWxlN1py
RXlyeGF0SzBMV0dmWjhCcy5tZnQwgckEIEAJIGXKzi5KGpg9za9IYPb9rNuRdp0Xq0hpf
jWdkseGAgIHhAQUfxTOgQO3hfNQS8SzLx9Mm3DOP38CAhAZGA8yMDI1MTIwNDEzMDIwN1
owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYjY
vZjY5ZGJlLWUwNzUtNDQzOC1iNTNiLWY2MTYwZmExZmIwMi8xL2Z4VE9nUU8zaGZOUVM4
U3pMeDlNbTNET1AzOC5tZnQwgckEIEJDHaQBqaPqUOmcWhoXHmh3rsqoX7YJvabsaFaGJ
6rIAgIHzgQUf0OdlCQm/Gc7J5zJirNf29fql/UCAhL0GA8yMDI1MTIwNDA4MDAwOVowdj
B0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmEvNjl
hMDlmLTU4MDktNDY1Ni1iMzU1LTE0NmYyNTRhYzEzMS8xL2YwT2RsQ1FtX0djN0o1ekpp
ck5mMjlmcWxfVS5tZnQwgckEIEhlydQkfZ5hlO8WFKMoq4jVWC1ibENRvls7Mk/LDNRdA
gIHhAQUf3NriKAkBNQwS92tX/VQSmgz57cCAhdZGA8yMDI1MTIwNDEzMDAyNFowdjB0Bg
grBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvOTkvMGYyNWN
lLWI5NzctNDg1My05ZWMzLTllNTZjYjU0ZmVmNy8xL2YzTnJpS0FrQk5Rd1M5MnRYX1ZR
U21nejU3Yy5tZnQwgckEIEkvZOd3R7XuMXNDeK0KvwD0xuGRuIn68D+LMvUdExSrAgIHz
gQUf/F65Ue58mQeYFd/5VPdtvdJoIcCAgSbGA8yMDI1MTIwNDExMDAyNFowdjB0BggrBg
EFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYTUvMWJjMGY5LWJ
kN2MtNGY3YS1hNDA0LWE0M2ZmMjVkNDQ3ZC8xL2ZfRjY1VWU1OG1RZVlGZF81VlBkdHZk
Sm9JYy5tZnQwgckEIElWmkxQ5zDn9kEarEVcGzsErwGm3tzMoTxHPecasDNTAgIHzgQUf
xiK2rW1UggeysghybCQOUhzsxUCAhHMGA8yMDI1MTIwNDEwMDAxOVowdjB0BggrBgEFBQ
cwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvOTAvYTY1NTIyLWY3YzU
tNDg3Yi1iN2I4LTJlNDYxNDE0MWFhNC8xL2Z4aUsyclcxVWdnZXlzZ2h5YkNRT1VoenN4
VS5tZnQwgckEIEtpn6WHoN8NxcWAH8mINTC00JjclA2iob0AXGaoyitsAgIHzgQUf4Xpk
DVDl+NsDKkDoMYgx3Ce/c0CAgOLGA8yMDI1MTIwNDE1MDA1MVowdjB0BggrBgEFBQcwC4
ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWUvNGFlMTc1LTU1ZDAtNDg
0ZC04ZDExLThjOWQ1ODIzYmFkOS8xL2Y0WHBrRFZEbC1Oc0RLa0RvTVlneDNDZV9jMC5t
ZnQwgcgEIEw7N0lIjFqhAU+x7UhDiLTztgGCkJjcM1aExmZ+/IVEAgIHgwQUfzdyg9fCN
ak9x70rgxeydI8oX/cCAU4YDzIwMjUxMjA0MTQwMDQ4WjB2MHQGCCsGAQUFBzALhmhycG
tpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC85Mi8wZmFkZmMtZjQ5Yi00M2U4LWI
2MjEtODMxZTI5NDRmOGZhLzEvZnpkeWc5ZkNOYWs5eDcwcmd4ZXlkSThvWF9jLm1mdDCB
yQQgTdA6hGjvJpvIMPMWoYa7GkUWCpYRzqgfLiUxTPHP/0oCAgfOBBR/WLwIZBL00sVPo
HAtks4lSWzkeQICFNUYDzIwMjUxMjA0MDkwMDQ5WjB2MHQGCCsGAQUFBzALhmhycGtpLn
JpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9jYy81MzA5MzMtNTkxNS00ZmYyLWIxZjk
tNTAxMGQwNWY5OWE4LzEvZjFpOENHUVM5TkxGVDZCd0xaTE9KVWxzNUhrLm1mdDCByQQg
U2ajfTLVQztCItG4YsnY6d/RR7JsEdVY0XXJdMVsMTcCAgeEBBR/mRjKtvHzXvG15YPLK
Dnpt0ixWAICFDEYDzIwMjUxMjA0MTMwMDM3WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcG
UubmV0L3JlcG9zaXRvcnkvREVGQVVMVC8yNi9kZjgyZmEtMTE4ZC00MjE5LWJhMTYtMWE
5NjgzYzlkNmNiLzEvZjVrWXlyYng4MTd4dGVXRHl5ZzU2YmRJc1ZnLm1mdDCByQQgU3Q3
3ZpCBQ9QzulCZ/QmDp2KvNQyeNnef/nECRuq+awCAghgBBR/K6ht94eIj2+FkqgGpv/qM
EbAegICF2AYDzIwMjUxMjA0MDgwMDQyWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubm
V0L3JlcG9zaXRvcnkvREVGQVVMVC82MC81ZTY3ODYtNjM3Ny00MjI0LWJhMDYtZGM0NzY
5ZWZmMWY1LzEvZnl1b2JmZUhpSTl2aFpLb0JxYl82akJHd0hvLm1mdDCByQQgVnzJtl+K
o+oJONvoZGMHz3kRyeB9lRMKBAQ6qxSKsiwCAgfOBBR/+wEVxKzd0bStxAc3gHJqz8Aa+
QICDGYYDzIwMjUxMjA0MTUwMTUyWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3
JlcG9zaXRvcnkvREVGQVVMVC82MS81MjY4ZmMtY2ZlZS00YWE4LTk3YmYtY2JlMDIwNjY
1ZWZlLzEvZl9zQkZjU3MzZEcwcmNRSE40Qnlhc19BR3ZrLm1mdDCByQQgY0ifWJ2GsfuX
IMj9nN1WaHuqDVhN3K68pHV4NTZfuuECAggYBBR/4OdZNU6DzBkyA4EQneItoPGnAAICF
2IYDzIwMjUxMjA0MTAwMDE1WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG
9zaXRvcnkvREVGQVVMVC80Yy8wYzcyNDMtMWZmYi00OWQyLWI1YzEtYjQwMmU4YTFkOTM
0LzEvZi1EbldUVk9nOHdaTWdPQkVKM2lMYUR4cHdBLm1mdDCByQQgd2zljs3nkCt8UVyi
os6rkkzEKWDoYADAKt6+BKg2+8YCAgeEBBR/SuV+5uCpxRAfwUqHpTNBULurRgICBqsYD
zIwMjUxMjA0MDgwMDU1WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaX
RvcnkvREVGQVVMVC8yYi8xMWZhNDQtODg3OS00ZDE5LWI0NjgtNWI1ZDk4ZjUzNjFlLzE
vZjBybGZ1YmdxY1VRSDhGS2g2VXpRVkM3cTBZLm1mdDCByQQgeUGGVlrsbtS7J84seSOi
9pC1lVUD47HrY5uru1+ZobYCAgfOBBR/dzTf6hIGV0EuqGfdvHuE0TK/eAICEAoYDzIwM
jUxMjA0MTMwMTQwWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcn
kvREVGQVVMVC83ZS82ODAzMjQtZWUxZi00MGYyLTg4ZGYtMTk2OTMxOTYyZDNjLzEvZjN
jMDMtb1NCbGRCTHFobjNieDdoTkV5djNnLm1mdDCByQQgi+WJ0QBPQdU2YnA1Zw3In5jt
9/YyT1/HgWXUL0pQSBACAgfOBBR/7j84IHPyw+T8z/yjhMWwzYJsJgICAy0YDzIwMjUxM
jA0MTEwMDI2WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvRE
VGQVVMVC9hNy84Y2NlYmYtZjlmYS00YzQ2LWFlZTgtY2NiZmE3MzQyNGE3LzEvZi00X09
DQno4c1BrX01fOG80VEZzTTJDYkNZLm1mdDCByQQgkcSCxNhKVQ6BvKI16mfKJFlL9l0D
IlQSi4IMrUzpygQCAgfOBBR/MSsJ0faQ8lcAvV3PB8kYDF6WYwICAIUYDzIwMjUxMjA0M
TEwMDEyWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQV
VMVC9iYy8yOWRhYzktOWExNS00NjYxLWFmNzgtMTUyMmUyOTY0ZmNlLzEvZnpFckNkSDJ
rUEpYQUwxZHp3ZkpHQXhlbG1NLm1mdDCByQQgltZvAuRIJ/xDUXp93kNCzDxYLudEfOCq
acXiUGBBwJICAgfOBBR/KjK6QhloDc3Vj2EB5ceuwVQKcwICF10YDzIwMjUxMjA0MTMwM
TA4WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC
81NS8xNDNlOWUtOTZlNi00NzRlLWFkMmMtMjJlNmRmNDU4NGFmLzEvZnlveXVrSVphQTN
OMVk5aEFlWEhyc0ZVQ25NLm1mdDCByQQgmtm8K2eMiRRnahwOexCQWF1Pbn/kfh7yuFFX
PQ1sNzkCAgfOBBR/NdWuQX9F7oUF12zqobNMRYOUoAICEDcYDzIwMjUxMjA0MTMwMTQwW
jB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9lNi
9jNTQ2N2ItMzk2Mi00Yjc0LWFlMGQtMzQ0NzNiYzkxZDgwLzEvZnpYVnJrRl9SZTZGQmR
kczZxR3pURVdEbEtBLm1mdDCByAQgnH4HVrP8PwRGFCkScCL5br/0bjjEzQr9e0AzckDu
dkoCAgfNBBR/tQ59O3/SiUz7cOSUYIsyDMIVwQIBcRgPMjAyNTEyMDQxMTAwMjdaMHYwd
AYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzk2L2E5MT
hjYi0yMDQ0LTRmMWMtOTcwMC05MzYwMWEzNGY2MmYvMS9mN1VPZlR0XzBvbE0tM0RrbEd
DTE1nekNGY0UubWZ0MIHJBCCeJ6QFC5ZmQ3/7vRs/OWVTILJZf36LiIafxWbxA6hJQQIC
B84EFH8dWNYt3X5HryGW/XVLs/8meYkqAgIXWhgPMjAyNTEyMDQxMzAwMjdaMHYwdAYIK
wYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzQ2LzI5MGE2MC
03OTJmLTQ0NzUtYTlmNC1lM2I5ZTBiYWU2YWIvMS9meDFZMWkzZGZrZXZJWmI5ZFV1el9
5WjVpU28ubWZ0MIHJBCClvw/fQEKWORP7i2VDQTPvks4urdw7SYu+gMiCAhRU9AICB4QE
FH+LIYNYmDp9eiU4qdqbofNJTXGrAgIBghgPMjAyNTEyMDQxMDAxMDNaMHYwdAYIKwYBB
QUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2Q5Lzc2Y2QwMy1lYW
EyLTQ5NjUtOTRlZi05OGRiYjY0MDJjZGQvMS9mNHNoZzFpWU9uMTZKVGlwMnB1aDgwbE5
jYXMubWZ0MIHJBCCmWr1WUFj93xFgtJksPmNi/3mZFCpyG8Ol93vskWc2IgICB4QEFH8X
tvkyOZ1YUJPRhzOU6/4bKfmMAgIO3RgPMjAyNTEyMDQxMDAwNDZaMHYwdAYIKwYBBQUHM
AuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzMxL2NjMDIwMC1iYjJjLT
Q1ZjYtYWM3NS04Mjc1NzdkZjhlZGMvMS9meGUyLVRJNW5WaFFrOUdITTVUcl9oc3AtWXc
ubWZ0MIHJBCCv+kiA2AMtfiPp5MDsM9paEAw7fvlOjVRQZTYXLFDE+gICB84EFH9NWRwj
rSxpR31/eh1M6OvO6VlsAgIFthgPMjAyNTEyMDQxMTAwMzhaMHYwdAYIKwYBBQUHMAuGa
HJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzNlLzBkNjdhMi1iYzM2LTRiOT
MtYjYwNC1kNGY1YzkyZDkwOTUvMS9mMDFaSENPdExHbEhmWDk2SFV6bzY4N3BXV3cubWZ
0MIHJBCCzpImTAdJ2HceoQv8KjfS6oCbuIsMTQHSsGnoDGtF9DwICB84EFH9Wid5KfOdo
vzq12fhUboVsyxk2AgIXXBgPMjAyNTEyMDQwOTAxMTJaMHYwdAYIKwYBBQUHMAuGaHJwa
2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc3LzY0ZDUwNS0yMjA0LTRkY2EtYT
k1ZS04YjUzNzI1ODRhY2QvMS9mMWFKM2twODUyaV9PclhaLUZSdWhXekxHVFkubWZ0MIH
JBCC2u0zcRDg/uLDop0zKZHTp3gieFrxul3EA+/D3OsWY8AICB84EFH8Xj69kAeLzcW4x
dkVp33Md9Y8iAgIR0BgPMjAyNTEyMDQxNTAyMDhaMHYwdAYIKwYBBQUHMAuGaHJwa2kuc
mlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzY2LzFiNzk2OC1jYTRkLTQ1ZjQtYjY3MS
0yZTdmNzg0ODljZDMvMS9meGVQcjJRQjR2TnhiakYyUlduZmN4MzFqeUkubWZ0MIHJBCC
4mKVCEz8nRv88uU7VdtvjP8PHaRPxyN1lc8HZUFxAIQICB84EFH9qjl1VwkmKgmNvmfj8
njGeB3ceAgIQXRgPMjAyNTEyMDQwNzAwNDlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZ
S5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc0LzI3ZmNlMS0xMWNlLTRhMzItYTY0OS1lMD
c2YjUxNzIxYWQvMS9mMnFPWFZYQ1NZcUNZMi1aLVB5ZU1aNEhkeDQubWZ0MIHJBCC+TTG
9Y4u4V/ZR0lzDibQ0mXzOo57fCyjHc0NZC1Q4zAICB84EFH8RQWrjkp3ze/ZqRZzTrKY4
kelGAgIXWBgPMjAyNTEyMDQwOTAwNDZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZ
XQvcmVwb3NpdG9yeS9ERUZBVUxULzJmLzZiMjJlOC0zZGNkLTQ0ZGQtOTUxNC02NzU2Zj
diMGMwZGIvMS9meEZCYXVPU25mTjc5bXBGbk5Pc3BqaVI2VVkubWZ0MIHJBCC++Jit9K2
F1/XjfaJTH6xPtMLHpiJaHX8llKtSsECDoAICB84EFH8dDjKYvtOn85+zskTtkYv2xNe/
AgIVMhgPMjAyNTEyMDQwODAwMzFaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvc
mVwb3NpdG9yeS9ERUZBVUxUL2Y3L2U2NTA2ZS03Njg1LTQ4ZTctYTU4My0yMWFmM2RlZT
hlZTkvMS9meDBPTXBpLTA2ZnpuN095Uk8yUmlfYkUxNzgubWZ0MIHJBCC/O0jiSEwGtsd
oyjEJLvSxofM64OqPL10SVvrDu4/QvgICB84EFH/j1jtKW0BLX/g8vysVJaMEd/ZcAgIE
nhgPMjAyNTEyMDQxNTAxMDBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb
3NpdG9yeS9ERUZBVUxUL2Y2LzgxYTY3Mi1mZTk4LTRkM2YtOWI4My0yY2I3YTNiNmU0Mm
YvMS9mLVBXTzBwYlFFdGYtRHlfS3hVbG93UjM5bHcubWZ0MIHJBCDDnlIkB2AHFnjoeuu
RmURoPcEZp2HB7xpFjvD93UGOxAICB84EFH/3TavU6xqhFHFE4VsCZp6YL95NAgIHCBgP
MjAyNTEyMDQxNDAwNDRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Npd
G9yeS9ERUZBVUxULzdkLzBmYmJmNS1jODNkLTRiOTctOWNlYS0wNTVjNDlhYzY4MjgvMS
9mX2ROcTlUckdxRVVjVVRoV3dKbW5wZ3YzazAubWZ0MIHJBCDIhBaSdTsKqyeZOGQU/75
eJhg79XTzm3XVAWTd1ZQkOgICB84EFH8z/EDS4DM7vHveqyvYWZVDAcDxAgIGphgPMjAy
NTEyMDQxNDAwMzNaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9ye
S9ERUZBVUxUL2I0LzY1YmYxZC1lYzFkLTQwZTYtODQ5ZC03OTc5MGQ2NmQ3ZDMvMS9mel
A4UU5MZ016dThlOTZySzloWmxVTUJ3UEUubWZ0MIHJBCDXLjn63163Ca3eKPJ4GN73t/v
GOvBRQZNoR+QZ0npD4gICB84EFH8km5VEYgaD+Us4inVRpopkk+0SAgIDjBgPMjAyNTEy
MDQxMDAwNDlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ER
UZBVUxULzhiLzdhYTA0ZS00ODA3LTQ5ODgtOTEwMy04NDIzOTdlMzA2NDMvMS9meVNibF
VSaUJvUDVTemlLZFZHbWltU1Q3UkkubWZ0MIHJBCDXa3ekyz4n1eIin/xnA8d0la2km47
PIvC1ft6ktr7efwICB4QEFH9R3x306IZ+QeXn+S3n+dH6DBVNAgIMQhgPMjAyNTEyMDQx
NTAxNDdaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBV
UxUL2ZhLzVlNzMxZi01MjhiLTRlMDItYWQ2OC02ZDkwMzVhZjE1MzUvMS9mMUhmSGZUb2
huNUI1ZWY1TGVmNTBmb01GVTAubWZ0MIHJBCDa9IYTxSSV2A0NrBtCs+pEMNVvdBr82u0
ZR5Uq5MY0VgICCBgEFH8WgCjsDatmimfVv29TWMqr4zeoAgILyxgPMjAyNTEyMDQwOTAw
NTZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL
2NjL2IxNTI4Ni1mZDRkLTQ5ZmUtYTY5ZS03ZmFkZjUwYTJlMzcvMS9meGFBS093TnEyYU
taOVdfYjFOWXlxdmpONmcubWZ0MIHJBCDcnDayEa5hgjfhBtjmq2nvGXYR1i3/QESlKZg
Ei3hK9AICB84EFH/JVqUrc1BKTx/zRUcZkpen9d6dAgILEBgPMjAyNTEyMDQxNDAxMDFa
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2FhL
zcxYWI2OS02OTY1LTRiNzAtOTY4ZC1iYjU3YTRlZjcxNTMvMS9mOGxXcFN0elVFcFBIX0
5GUnhtU2w2ZjEzcDAubWZ0MIHJBCDc/EzRgTf4Q9/QnJb4beTDyzGlMtLVUHCz5Og5/zR
kyQICCF8EFH9QB30t2KZ6Gui2q9a7s0iQKKW7AgIXYxgPMjAyNTEyMDQxMDAwNDlaMHYw
dAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzVjL2MxY
zFjZS1lYTU5LTRkY2YtYmNjYy0zZTdjYWRkODhjNzAvMS9mMUFIZlMzWXBub2E2TGFyMX
J1elNKQW9wYnMubWZ0MIHJBCDe6iYEgYQQo9TRkKLeQE9J5KtPmTlAiqB67zx/5MO/DgI
CB84EFH+0PeI3/QtqKHOJIwkh0losLtGoAgIW7hgPMjAyNTEyMDQxMTAwNTVaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzA5L2Q0ZDEyY
S1hYjRlLTRkYmEtOTVkZS1iYzYzNzEzMGRlNmUvMS9mN1E5NGpmOUMyb29jNGtqQ1NIU1
dpd3UwYWcubWZ0MIHJBCDicOM2K/zhxfbkbS3nPiK8mgUzMZo7+gpnWqMgT84LJAICB4Q
EFH8pZlevjQDCX9dfVuzIoos1FQV1AgIQkRgPMjAyNTEyMDQwNzAwMzhaMHYwdAYIKwYB
BQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2QwL2U4MGIzMy0zY
mVlLTQ2ZWMtYjM1ZC1iYWY5NWE1MDZkMTkvMS9meWxtVjYtTkFNSmYxMTlXN01paWl6VV
ZCWFUubWZ0MIHJBCDtUhQI96etZFj7+yPFh9/sjVYzqGwv+WgIYGmaPanWRAICB4QEFH9
+Xr1vpGnF43C/wQbE1KrR4duUAgIPxRgPMjAyNTEyMDQxNTAxMzdaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzIzL2MzZThlZC01OTdhL
TQ4NWEtOTRhMy05ODJjZmIzNTlhZWUvMS9mMzVldlcta2FjWGpjTF9CQnNUVXF0SGgyNV
EubWZ0MIHJBCDthtT5Zt25vilW+Nm/NmioBji8LrE5W+jpL7p7g1nCGQICB84EFH9C0nw
h2obH6fv0SuDlbJjz0vgLAgIO+hgPMjAyNTEyMDQxMzAxMTNaMHYwdAYIKwYBBQUHMAuG
aHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2E5Lzk4YjAyNC05ZDhmLTQ4N
jktYTJhOS0wYWZiN2MzZmJmMzAvMS9mMExTZkNIYWhzZnAtX1JLNE9Wc21QUFMtQXMubW
Z0MIHJBCDup/9OUMMEskDq4ejhRGOl/NuOf352P0Vumb24WVg32wICCKUEFH/K2J3xv5m
jbykMw+8PHntNAnUzAgIXOBgPMjAyNTEyMDQwODAwNThaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzU1LzlmOGIxNi0yODRmLTQ1MTItY
jNkYy0wMTVkOWYxYjRiNTAvMS9mOHJZbmZHX21hTnZLUXpEN3c4ZWUwMENkVE0ubWZ0MI
HJBCDxY2vdGydm1KSBwPAftN8mEtoSyEL0Q0RGBV1uVpX2SgICCo8EFH9r0aawRiXFcdg
w+HixwCOCR0CMAgIGARgPMjAyNTEyMDQxNTAxNDBaMHYwdAYIKwYBBQUHMAuGaHJwa2ku
cmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzQ4L2JjNjZkNy01N2FiLTQ3NWQtOTZiY
S04OWI2YzMyMzE1YzIvMS9mMnZScHJCR0pjVngyREQ0ZUxIQUk0SkhRSXcubWZ0MIHJBC
D1SG9gKO19W3/LSTHfYvgigrWc8AI/2XMDL5sRP/Q2LgICB84EFH/mixIjS9cDQwG8lrE
4quJ3hgo+AgIFyBgPMjAyNTEyMDQxMjAwMjBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzhiLzRhMTExMS04ZjNjLTRlZGYtYjc3Yy0yZ
mEyNjMxYmMzMWMvMS9mLWFMRWlOTDF3TkRBYnlXc1RpcTRuZUdDajQubWZ0MIHJBCD1oD
abbCroFrO3IcIz0FpMLzFnoyyAFoppbxl/VwXyUwICB84EFH/v69FfvGUUh6yvZ0JPR4P
UPrQgAgIXWBgPMjAyNTEyMDQxMjAwMTlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5u
ZXQvcmVwb3NpdG9yeS9ERUZBVUxULzlhLzI2ZWY2My1iNzJmLTRiM2MtOGRmYy0yYmM4N
DUxOTIyN2EvMS9mLV9yMFYtOFpSU0hySzluUWs5SGc5US10Q0EubWZ0MIHJBCD6zXkqe+
S/j+pkybBCNfNcQk+OqU0Ppvg0LCsfes02zgICB84EFH8+CHSJ7iOpQk1T+sIW7kuOASg
OAgIW7xgPMjAyNTEyMDQwODAxMDZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxUL2M2L2MyYzk5ZC1jZjkxLTRkZmItOTRkZS1hN2M2M2Q1N
jJlNTYvMS9mejRJZEludUk2bENUVlA2d2hidVM0NEJLQTQubWZ0MIHJBCD7cg8rfmItI9
AKiqK+yXBusjLAUYvAQbN5kRdd7g/VFAICB84EFH8xNg/8Gv1fHaZtgUBORmNRLUlnAgI
U5RgPMjAyNTEyMDQxMTAwNDJaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVw
b3NpdG9yeS9ERUZBVUxULzJkL2ZlZjVkZC0zOGVlLTRiYzUtODJmZi01ODRkNzhhMjVmO
GMvMS9mekUyRF93YV9WOGRwbTJCUUU1R1kxRXRTV2MubWZ0

Acknowledgements

The authors wish to thank George Michaelson, Theo de Raadt, Bob Beck, Theo Buehler, and William McCall for the lovely conversations that led to this proposal. The authors wish to thank Sean Turner and Russ Housley for their review of the ASN.1 notation.

This protocol is named after Erik Bais, who passed away in 2024, as a small token of appreciation for his friendship.

Authors' Addresses

Job Snijders
BSD Software Development
Amsterdam
The Netherlands
URI: https://www.bsd.nl/
Tim Bruijnzeels
RIPE NCC
The Netherlands
Tom Harrison
APNIC
Australia
Wataru Ohgai
JPNIC
Japan