<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-cose-split-signing-algs-01" category="std" consensus="true" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Split Signing Algorithms for COSE">Split Signing Algorithms for COSE</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-cose-split-signing-algs-01"/>
    <author fullname="Emil Lundberg" role="editor">
      <organization>Yubico</organization>
      <address>
        <postal>
          <street>Gävlegatan 22</street>
          <city>Stockholm</city>
          <country>SE</country>
        </postal>
        <email>emil@emlun.se</email>
      </address>
    </author>
    <author initials="M. B." surname="Jones" fullname="Michael B. Jones">
      <organization>Self-Issued Consulting</organization>
      <address>
        <postal>
          <country>United States</country>
        </postal>
        <email>michael_b_jones@hotmail.com</email>
        <uri>https://self-issued.info/</uri>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <area>Security</area>
    <workgroup>COSE</workgroup>
    <keyword>COSE</keyword>
    <keyword>Signing</keyword>
    <keyword>Algorithms</keyword>
    <keyword>Split Algorithms</keyword>
    <keyword>Split Signing</keyword>
    <keyword>HashEdDSA</keyword>
    <keyword>Ed25519ph</keyword>
    <keyword>Ed448ph</keyword>
    <abstract>
      <?line 146?>

<t>This specification defines COSE algorithm identifiers
for negotiating how to split a signature algorithm between two cooperating parties.
Typically the first party hashes the data to be signed
and the second party finishes the signature over the hashed data.
This is a common technique, useful for example when the signing private key is held in a smart card
or similar hardware component with limited processing power and communication bandwidth.
The resulting signatures are identical in structure to those computed by a single party,
and can be verified using the same verification algorithm
without additional steps to preprocess the signed data.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-cose-split-signing-algs/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        COSE Working Group mailing list (<eref target="mailto:cose@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cose/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/cose/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/cose-wg/draft-ietf-cose-split-signing-algs"/>.</t>
    </note>
  </front>
  <middle>
    <?line 158?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/>
algorithm identifiers are used for algorithm negotiation
and to annotate cryptographic objects with how to interpret them,
for example which algorithm to use to verify a signature or decapsulate a shared key.
Existing COSE algorithm identifiers omit some internal details of how the object was constructed,
since those details are typically irrelevant for the recipient.</t>
      <t>The algorithm identifiers defined in this specification are meant for a complementary use case:
to divide responsibilities during <em>construction</em> of a cryptographic object,
instead of describing how to <em>consume</em> the object.
Specifically, they provide an interoperable way to negotiate
how a signing operation is split between two cooperating parties,
for example, a smart card and a software application,
while the verification algorithm for the resulting signature remains the same
as if the signature was created by a single party.
These split algorithm identifiers are therefore not meant for annotating signature objects,
since the verification algorithm is better indicated using already existing algorithm identifiers.</t>
      <t>As mentioned above, a primary use case for this is for algorithm negotiation
between a software application and a smart card or other hardware security module (HSM) holding the signing private key.
Since the HSM may have limited processing power and communication bandwidth,
it may not be practical to send the entire original message to the HSM.
Instead, since most signature algorithms begin with digesting the message
into a fixed-length intermediate input, this initial digest can be computed by the software application
while the HSM performs the rest of the signature algorithm on the digest.
This is a common technique used in standards such as OpenPGP <xref target="OPENPGPCARD"/>,
PKCS #11 <xref target="PKCS11-Spec-v3.1"/>, and PIV <xref target="NIST-SP-800-73-5"/>.</t>
      <t>Since different signature algorithms digest the message in different ways
and at different stages of the algorithm,
it is not possible for a cryptographic API to specify that, for example, "the hash digest is computed by the caller"
generically for all algorithms.
Security considerations for this split may also differ between algorithms.
Instead, the algorithm identifiers defined in this specification
enable the parties of that cryptographic API to signal precisely, for each signature algorithm individually,
which steps of the algorithm are performed by which party.
We thus define two roles:
the <em>digester</em> (e.g., a software application) that initializes the signing procedure,
and the <em>signer</em> (e.g., an HSM) that holds exclusive control of the signing private key.</t>
      <t>Note that these algorithm identifiers do not define new "pre-hashed" variants of the base signature algorithm,
nor an intermediate "hash envelope" data structure, such as that defined in <xref target="I-D.COSE-Hash-Envelope"/>.
Rather, these identifiers denote existing signature algorithms
that would typically be executed by a single party,
but split into two stages.</t>
      <t>Some signature algorithms,
such as PureEdDSA <xref target="RFC8032"/>,
by their design, cannot be split in this way, and therefore cannot be assigned split signing algorithm identifiers.
However, if such a signature algorithm defines a "pre-hashed" variant,
that "pre-hashed" algorithm can be assigned a split signing algorithm identifier,
enabling the pre-hashing step to be performed by the <em>digester</em>
and the remaining steps by the <em>signer</em>.
For example, this specification defines Ed25519ph-split (<xref target="eddsa-split"/>) as a split variant of Ed25519ph <xref target="RFC8032"/>.
Note that Ed25519 and Ed25519ph have distinct verification algorithms,
but Ed25519ph and Ed25519ph-split use the same verification algorithm.</t>
      <section anchor="requirements-notation-and-conventions">
        <name>Requirements Notation and Conventions</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC8174">RFC2119</xref> when, and only when, they appear in all capitals, as shown here.</t>
      </section>
      <section anchor="prior-art">
        <name>Prior Art</name>
        <t>Split signing is a common technique used in existing smart card standards.
The following subsections expand on how the technique is applied in OpenPGP <xref target="OPENPGPCARD"/>,
PKCS #11 <xref target="PKCS11-Spec-v3.1"/>, and PIV <xref target="NIST-SP-800-73-5"/>.</t>
        <section anchor="openpgp">
          <name>OpenPGP</name>
          <t>The OpenPGP smart card protocol <xref target="OPENPGPCARD"/>
defines the format of signing commands in section "7.2.10 PSO: COMPUTE DIGITAL SIGNATURE":</t>
          <ul empty="true">
            <li>
              <t><strong>7.2.10 PSO: COMPUTE DIGITAL SIGNATURE</strong></t>
              <t>The command for digital signature computation is shown in the table below.
The hash value (ECDSA) or the DigestInfo is delivered in the data field of the command. [...]</t>
            </li>
          </ul>
          <t>The "Data field" parameter is subsequently defined as "Data to be integrated in the DSI: hash value (ELC) or DigestInfo (RSA)".
Thus both ECDSA and RSA signatures are computed jointly by the host computing the digest of the signed data
and the smart card finalizing the signature on the digest;
the host acts as <em>digester</em> and the smart card acts as <em>signer</em>.</t>
          <t>TODO: Spec 3.4.1 only covers ECDSA and RSA, but some implementations also support Ed25519.
Identify and include good references for how OpenPGP smart cards handle Ed25519.</t>
        </section>
        <section anchor="pkcs-11">
          <name>PKCS #11</name>
          <t>PKCS #11 <xref target="PKCS11-Spec-v3.1"/>
defines signing commands in sections "5.13 Signing and MACing functions" and "5.14 Message-based signing and MACing functions".
These sections define <tt>C_SignInit</tt> and <tt>C_MessageSignInit</tt> functions that both take a <tt>pMechanism</tt> parameter indicating the signature mechanism.
Mechanisms are defined in section "6 Mechanisms", which notably includes the subsections
"6.3.12 ECDSA without hashing" and "6.3.13 ECDSA with hashing":</t>
          <ul empty="true">
            <li>
              <t><strong>6.3.12 ECDSA without hashing</strong></t>
              <t>[...]</t>
              <t>The ECDSA without hashing mechanism, denoted <strong>CKM_ECDSA</strong>, is a mechanism for single-part signatures and verification for ECDSA.
(This mechanism corresponds only to the part of ECDSA that processes the hash value, which should not be longer than 1024 bits;
it does not compute the hash value.)</t>
              <t>[...]</t>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t><strong>6.3.13 ECDSA with hashing</strong></t>
              <t>[...]</t>
              <t>The ECDSA with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 mechanism,
denoted <strong>CKM_ECDSA_[SHA1|SHA224|SHA256|SHA384|SHA512|SHA3_224|SHA3_256|SHA3_384|SHA3_512]</strong> respectively,
is a mechanism for single- and multiple-part signatures and verification for ECDSA.
This mechanism computes the entire ECDSA specification, including the hashing with
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 respectively.</t>
              <t>[...]</t>
            </li>
          </ul>
          <t>Thus PKCS #11 supports both split signing using the <strong>CKM_ECDSA</strong> mechanism
and "non-split" signing using the <strong>CKM_ECDSA_SHA*</strong> mechanisms;
when using <strong>CKM_ECDSA</strong>,
the PKCS #11 caller acts as <em>digester</em> and the Cryptoki implementation acts as <em>signer</em>.</t>
        </section>
        <section anchor="piv-fips-201-nist-sp-800">
          <name>PIV: FIPS-201, NIST SP 800</name>
          <t>NIST Special Publication 800 <xref target="NIST-SP-800-73-5"/>
contains technical specifications for the Personal Identity Verification (PIV) standard <xref target="FIPS-201"/>,
and defines the format of signing commands in section "3.2.4. GENERAL AUTHENTICATE Card Command":</t>
          <ul empty="true">
            <li>
              <t><strong>3.2.4. GENERAL AUTHENTICATE Card Command</strong>
[...]</t>
              <t>The GENERAL AUTHENTICATE command SHALL be used with the digital signature key ('9C') to
realize the signing functionality on the PIV client application programming interface. Data to be
signed is expected to be hashed off-card. Appendix A.4 illustrates the use of the GENERAL
AUTHENTICATE command for signature generation.</t>
              <t>[...]</t>
            </li>
          </ul>
          <t>Appendix A.4 gives examples of RSA and ECDSA signature generation commands.
For RSA the command needs to be sent in two parts,
giving the "Data Field" argument first as "'7C' – L1 { '82' '00' '81' L2 {first part of the PKCS #1 v1.5 or PSS padded message hash value }}"
and then "{second and last part of the PKCS #1 v1.5 or PSS padded message hash value}";
for ECDSA the "Data Field" argument is given as "'7C' – L1 { '82' '00' '81' L2 {hash value of message}}".</t>
          <t>Thus both ECDSA and RSA signatures are computed jointly by the host computing the digest of the signed data
and the smart card finalizing the signature on the digest;
the host acts as <em>digester</em> and the smart card acts as <em>signer</em>.</t>
        </section>
      </section>
    </section>
    <section anchor="split-algs">
      <name>Split Signing Algorithms</name>
      <t>This section defines divisions of signing algorithm steps between a <em>digester</em> and a <em>signer</em>
in a split signing protocol,
and assigns algorithm identifiers to these algorithm divisions.
The <em>digester</em> performs the first part of the split algorithm and does not have access to the signing private key,
while the <em>signer</em> performs the second part of the split algorithm and has access to the signing private key.
For signing algorithms that format the message to insert domain separation tags,
as described in <xref section="2.2.5" sectionFormat="of" target="RFC9380"/>,
this message formatting is also performed by the <em>signer</em>.</t>
      <t>How the digest, and any related <tt>COSE_Sign_Args</tt> structure (see <xref target="cose-sign-args"/>),
are transported from <em>digester</em> to <em>signer</em> is out of scope for this specification,
but it is expected that the digest will usually be transmitted as the "data to be signed" argument.</t>
      <t>The algorithm identifiers defined in this specification with "-split" in their names
MAY appear in COSE structures used internally between the <em>digester</em> and the <em>signer</em> in a split signing protocol,
but SHOULD NOT appear in COSE structures consumed by signature verifiers.
COSE structures consumed by signature verifiers
SHOULD instead use the corresponding conventional algorithm identifiers for the verification algorithm.
These are listed in the "Verification algorithm" column in the tables defining split signing algorithm identifiers.</t>
      <t>The following subsections define an initial set of split signing algorithm identifiers.
The last subsection provides guidance for defining additional identifiers beyond this initial set.</t>
      <section anchor="ecdsa-split">
        <name>ECDSA</name>
        <t>ECDSA <xref target="FIPS-186-5"/> split signing uses the following division between the <em>digester</em> and the <em>signer</em>
of the steps of the ECDSA signature generation algorithm <xref target="FIPS-186-5"/>:</t>
        <ul spacing="normal">
          <li>
            <t>The signing procedure is defined in Section 6.4.1 of <xref target="FIPS-186-5"/>.</t>
          </li>
          <li>
            <t>The <em>digester</em> performs Step 1 of the signing procedure - hashing the message, producing the value <em>H</em>.</t>
          </li>
          <li>
            <t>The message input to the <em>signer</em> is the value <em>H</em> defined in the signing procedure.</t>
          </li>
          <li>
            <t>The <em>signer</em> resumes the signing procedure from Step 2.</t>
          </li>
        </ul>
        <t>The following algorithm identifiers are defined:</t>
        <table anchor="tbl-ecdsa-split">
          <name>ECDSA split signing algorithm values.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">COSE Value</th>
              <th align="left">Verification algorithm</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ESP256-split</td>
              <td align="left">TBD</td>
              <td align="left">ESP256</td>
              <td align="left">ESP256 <xref target="RFC9864"/> split signing as defined in <xref target="ecdsa-split"/></td>
            </tr>
            <tr>
              <td align="left">ESP384-split</td>
              <td align="left">TBD</td>
              <td align="left">ESP384</td>
              <td align="left">ESP384 <xref target="RFC9864"/> split signing as defined in <xref target="ecdsa-split"/></td>
            </tr>
            <tr>
              <td align="left">ESP512-split</td>
              <td align="left">TBD</td>
              <td align="left">ESP512</td>
              <td align="left">ESP512 <xref target="RFC9864"/> split signing as defined in <xref target="ecdsa-split"/></td>
            </tr>
          </tbody>
        </table>
        <t>Note: This is distinct from the similarly named Split-ECDSA (SECDSA) <xref target="SECDSA"/>,
although SECDSA can be implemented using this split procedure as a component.</t>
      </section>
      <section anchor="eddsa-split">
        <name>HashEdDSA</name>
        <t>Split HashEdDSA <xref target="RFC8032"/> uses the following division between the <em>digester</em> and the <em>signer</em>
of the steps of the HashEdDSA signing algorithm <xref target="RFC8032"/>:</t>
        <ul spacing="normal">
          <li>
            <t>HashEdDSA is a combination of the EdDSA signing procedure and the PureEdDSA signing procedure.
The EdDSA signing procedure is defined in the first paragraph of <xref section="3.3" sectionFormat="of" target="RFC8032"/>.
The PureEdDSA signing procedure is defined in the second paragraph of <xref section="3.3" sectionFormat="of" target="RFC8032"/>.</t>
          </li>
          <li>
            <t>The <em>digester</em> computes the value <tt>PH(M)</tt> defined in the EdDSA signing procedure.</t>
          </li>
          <li>
            <t>The message input to the <em>signer</em> is the value <tt>PH(M)</tt> defined in the EdDSA signing procedure.
This value is represented as <tt>M</tt> in the PureEdDSA signing procedure.</t>
          </li>
          <li>
            <t>The <tt>context</tt> input MAY be conveyed to the <em>signer</em> using the <tt>COSE_Sign_Args</tt> structure defined in <xref target="cose-sign-args"/>.
If not given, <tt>context</tt> defaults to an empty octet string.</t>
          </li>
          <li>
            <t>The <em>signer</em> executes the PureEdDSA signing procedure,
where the value denoted <tt>M</tt> in the PureEdDSA signing procedure
takes the value denoted <tt>PH(M)</tt> in the EdDSA signing procedure.</t>
          </li>
        </ul>
        <t>PureEdDSA <xref target="RFC8032"/> cannot be divided in this way
since such a division would require that the <em>digester</em> has access to the private key.</t>
        <t>The following algorithm identifiers are defined:</t>
        <table anchor="tbl-eddsa-split">
          <name>HashEdDSA algorithm values.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">COSE Value</th>
              <th align="left">Verification algorithm</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Ed25519ph</td>
              <td align="left">TBD</td>
              <td align="left">Ed25519ph</td>
              <td align="left">EdDSA using the Ed25519ph parameter set in <xref section="5.1" sectionFormat="of" target="RFC8032"/></td>
            </tr>
            <tr>
              <td align="left">Ed25519ph-split</td>
              <td align="left">TBD</td>
              <td align="left">Ed25519ph</td>
              <td align="left">EdDSA using the Ed25519ph parameter set in <xref section="5.1" sectionFormat="of" target="RFC8032"/> and split as defined in <xref target="eddsa-split"/></td>
            </tr>
            <tr>
              <td align="left">Ed448ph</td>
              <td align="left">TBD</td>
              <td align="left">Ed448ph</td>
              <td align="left">EdDSA using the Ed448ph parameter set in <xref section="5.2" sectionFormat="of" target="RFC8032"/></td>
            </tr>
            <tr>
              <td align="left">Ed448ph-split</td>
              <td align="left">TBD</td>
              <td align="left">Ed448ph</td>
              <td align="left">EdDSA using the Ed448ph parameter set in <xref section="5.2" sectionFormat="of" target="RFC8032"/> and split as defined in <xref target="eddsa-split"/></td>
            </tr>
          </tbody>
        </table>
        <ul spacing="normal">
          <li>
            <t>The <tt>context</tt> input MUST be the empty octet string
when the signature result is used in COSE structures without a way to convey a <tt>context</tt> argument.
This includes the <tt>COSE_Sign1</tt> and <tt>COSE_Signature</tt> structures.</t>
          </li>
        </ul>
        <t><xref target="tbl-cose-args-hasheddsa"/> defines a HashEdDSA-specific parameter for the <tt>COSE_Sign_Args</tt> structure defined in <xref target="cose-sign-args"/>.
The parameter -1 conveys the <tt>context</tt> input to HashEdDSA signing,
and is REQUIRED for all the relevant <tt>alg</tt> values.</t>
        <table anchor="tbl-cose-args-hasheddsa">
          <name>HashEdDSA algorithm parameters for COSE_Sign_Args.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Label</th>
              <th align="left">Type</th>
              <th align="left">Required?</th>
              <th align="left">Algorithm</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">context</td>
              <td align="left">-1</td>
              <td align="left">bstr</td>
              <td align="left">Required</td>
              <td align="left">Ed25519ph, Ed25519ph-split, Ed448ph, Ed448ph-split</td>
              <td align="left">
                <tt>context</tt> argument to HashEdDSA signing. <xref target="RFC8032"/></td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="defining-split-algs">
        <name>Defining Split Signing Algorithms</name>
        <t>Future definitions of additional split signing algorithm identifiers
SHOULD follow the conventions established in <xref target="split-algs"/> as far as possible.
For example, if a signature algorithm prescribes insertion of domain separation tags
in a way that requires processing the entirety of the data to be signed,
it might be necessary to delegate the domain separation responsibility to the <em>digester</em>.
Per the considerations in <xref target="sec-cons-trusted-roles-comp"/>,
split signing algorithm identifiers SHOULD be defined in ways that minimize
how much responsibility is delegated to the <em>digester</em>.</t>
        <t>As a concrete example, consider ML-DSA and HashML-DSA <xref target="FIPS-204"/>.
ML-DSA and HashML-DSA prefix the input data with a 0 octet and a 1 octet respectively,
which enforces domain separation between ML-DSA and HashML-DSA signatures.
<xref section="D" sectionFormat="of" target="RFC9881"/> describes a mode of ML-DSA
that could be assigned a split signing algorithm identifier
where the <em>digester</em> performs <tt>Computeμ</tt> and the <em>signer</em> performs <tt>Signμ</tt>.
Note that this puts the <em>digester</em> in control of the domain separation tags;
this is necessary if the hash step is not performed by the <em>signer</em>.
Therefore with this construction, it is the <em>digester</em> that decides
whether the signing protocol will produce an ML-DSA signature or a HashML-DSA signature.
In contrast, HashML-DSA first hashes the input data alone and then another time with domain separation tags;
therefore HashML-DSA can be assigned a split signing algorithm identifier
that keeps the <em>signer</em> in control of the domain separation tags
and ensures that the signing protocol can only produce HashML-DSA signatures.</t>
      </section>
    </section>
    <section anchor="cose-sign-args">
      <name>COSE Signing Arguments</name>
      <t>While many signature algorithms take the private key and data to be signed as the only two parameters,
some signature algorithms have additional parameters that must also be set.
For example,
Ed25519ph and Ed25519ctx <xref target="RFC8032"/> have a <tt>context</tt> parameter in addition to the message <tt>M</tt>.
Similarly the ML-DSA <xref target="FIPS-204"/> signing function has a <em>ctx</em> parameter,
although the algorithm identifiers in <xref target="RFC9964"/> are defined to take a constant empty value for <em>ctx</em>.</t>
      <t>While such additional arguments are simple to provide to the API of the signing procedure in a single-party context,
in a split signing context these additional arguments also need to be conveyed from the <em>digester</em> to the <em>signer</em>.
For this purpose, we define a new COSE structure <tt>COSE_Sign_Args</tt> for "COSE signing arguments".
This enables defining a unified, algorithm-agnostic protocol between the <em>digester</em> and the <em>signer</em>,
rather than requiring a distinct protocol for each signature algorithm for the sake of conveying algorithm-specific parameters.</t>
      <t><tt>COSE_Sign_Args</tt> is built on a CBOR map.
The set of common parameters that can appear in a <tt>COSE_Sign_Args</tt>
can be found in the IANA "COSE Signing Arguments Common Parameters" registry established in <xref target="common-params-reg"/>.
Additional parameters defined for specific signing algorithms
can be found in the IANA "COSE Signing Arguments Algorithm Parameters" registry established in <xref target="alg-params-reg"/>.</t>
      <t>The CDDL <xref target="RFC8610"/> grammar describing <tt>COSE_Sign_Args</tt>, using the CDDL fragment defined in <xref section="1.5" sectionFormat="of" target="RFC9052"/>, is:</t>
      <sourcecode type="cddl"><![CDATA[
COSE_Sign_Args = {
    3 ^ => tstr / int,  ; alg
    * label => values,
}
]]></sourcecode>
      <section anchor="cose-sign-args-common">
        <name>COSE Signing Arguments Common Parameters</name>
        <t>This document defines a set of common parameters for a COSE Signing Arguments object.
<xref target="tbl-cose-sign-args-common"/> provides a summary of the parameters defined in this section.</t>
        <table anchor="tbl-cose-sign-args-common">
          <name>Common parameters of the COSE_Sign_Args structure.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Label</th>
              <th align="left">CBOR Type</th>
              <th align="left">Value Registry</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">alg</td>
              <td align="left">3</td>
              <td align="left">tstr / int</td>
              <td align="left">COSE Algorithms</td>
              <td align="left">Signing algorithm to use</td>
            </tr>
          </tbody>
        </table>
        <ul spacing="normal">
          <li>
            <t>alg: This parameter identifies the signing algorithm the additional arguments apply to.
The signer MUST verify that this algorithm matches any key usage restrictions set on the key to be used.
If the algorithms do not match, then the signature operation MUST be aborted with an error.</t>
          </li>
        </ul>
        <t>Definitions of COSE algorithms MAY define additional algorithm-specific parameters for <tt>COSE_Sign_Args</tt>.</t>
        <t>The following CDDL <xref target="RFC8610"/> example conveys the <tt>context</tt> argument
for signing data using the Ed25519ph-split algorithm (see <xref target="eddsa-split"/>):</t>
        <sourcecode type="cddl"><![CDATA[
example = {
  3: -303,    ; alg: Ed25519ph-split (registration pending)

              ; Ed25519ph context (byte string of 0 to 255 octets)
  -1: 'Split Signing Algorithms for COSE',
}
]]></sourcecode>
      </section>
    </section>
    <section anchor="security-cons">
      <name>Security Considerations</name>
      <section anchor="sec-cons-trusted-roles-protocol">
        <name>Protocol-Level Trusted Roles</name>
        <t>This specification assumes that both the <em>digester</em> and <em>signer</em> roles
described in <xref target="split-algs"/> are trusted and cooperate honestly.
This is because a similar division between "application" and "secure element"
typically exists already:
even if all steps of the signing algorithm are executed in a trusted secure element,
the inputs to the secure element are provided by some outside component such as a software application.
If the application can provide any input to be signed,
then for all practical purposes it is trusted with possession of any private keys
for as long as it is authorized to exercise the secure element.
The application can in practice obtain a signature over any chosen message
without needing to perform a forgery attack.
The same relationship exists between <em>digester</em> and <em>signer</em>.
Applications that cannot trust an external <em>digester</em> -
for example a hardware security device with an integrated secure display of what data is about to be signed -
by definition have no use for split signing algorithm identifiers.</t>
        <t>Similarly from a verifier's perspective,
these split signing procedures are implementation details.
When a signature is generated by a single party,
that single party takes on both the <em>digester</em> and the <em>signer</em> roles,
and obviously trusts itself to perform the <em>digester</em> role honestly.
From the verifier's perspective,
a malicious <em>digester</em> in the split signing model would have the same powers
as a malicious signature generator in a single-party signing model.
Thus, on the application or protocol level,
assuming an honest <em>digester</em> is no more restrictive than assuming an honest signature generator.</t>
      </section>
      <section anchor="sec-cons-trusted-roles-comp">
        <name>Component-Level Trusted Roles</name>
        <t>The reasoning in <xref target="sec-cons-trusted-roles-protocol"/> does not hold on the component level.
A <em>signer</em> implementation MUST NOT assume that the <em>digester</em> implementation
it interoperates with is necessarily honest.
Split signing algorithms MUST NOT be defined in a way
that enables a malicious <em>digester</em> with access to an honest <em>signer</em> to produce forgeries -
any that could not be produced by simply requesting a signature over the desired message -
or extract secrets from the <em>signer</em>.</t>
        <t>For example, for ECDSA (<xref target="ecdsa-split"/>), a malicious <em>digester</em> can choose <em>H</em>
in such a way that the <em>signer</em> will derive any <em>digester</em>-chosen value of <em>e</em>,
including zero or other potentially problematic values.
Fortunately, in this case, this does not enable the <em>digester</em> to extract the signature nonce or private key.
It also does not make forgeries easier,
since the <em>digester</em> still needs to find a preimage of <em>e</em> for the relevant hash function.
Definitions of other algorithms need to ensure that similar chosen-input attacks
do not enable extracting secrets or forging protocol-level messages.</t>
        <t>For example, a naively prehashed version of FALCON <xref target="FALCON"/> would allow such a key compromise:
A FALCON signature is a value <tt>s</tt> such that both <tt>s</tt> and <tt>s * h - hash(r || m)</tt> are short,
where <tt>h</tt> is the public key and <tt>r</tt> a randomizer.
If the digester gets to query the signer for signatures of arbitrary stand-ins for <tt>hash(r || m)</tt>,
they can extract the private key by for example asking for repeated signatures of 0.
Therefore, definitions of split signing algorithms need to be reviewed and potentially have security proofs adjusted.</t>
      </section>
      <section anchor="sec-cons-invalid-alg-use">
        <name>Incorrect Use of Split Signing Algorithm Identifiers</name>
        <t><xref target="split-algs"/> recommends against exposing split signing algorithm identifiers -
including those defined in this specification with "-split" in their names -
to signature verifiers.
For example, they should not appear as the "alg" parameter of a COSE_Key public key sent to a signature verifier.
If a split signing algorithm identifier is encountered in an invalid context like this,
the recipient SHOULD reject the message with a fatal error.</t>
        <t>This is because the purpose of these split signing algorithm identifiers
is to enable more flexible production of signatures that can be verified by existing implementations of existing verification algorithms.
A prevalence of these identifiers appearing outside the split signing context would defeat this purpose;
we therefore recommend such use SHOULD NOT be tolerated.</t>
        <t>This recommendation is the opposite of the oft-cited "robustness principle" stated in paragraph 3.9 of <xref target="RFC1958"/>.
Implementations MAY choose to instead follow the robustness principle and tolerate incorrect use of split signing algorithm identifiers,
instead interpreting the identifier as referencing the defined corresponding verification algorithm.
Note however that this is no longer considered a best practice and is likely to harm interoperability <xref target="RFC9413"/>.</t>
        <t>A verifier's choice to tolerate or not tolerate incorrect use of split signing algorithm identifiers
is expected to not affect security,
assuming a split algorithm identifier is interpreted as an alias representing the same verification algorithm as a non-split algorithm identifier.</t>
      </section>
    </section>
    <section anchor="impl-cons">
      <name>Implementation Considerations</name>
      <section anchor="impl-cons-non-split-algs">
        <name>Using Non-Split Signing Algorithm Identifiers in a Split Signing Protocol</name>
        <t>A protocol designed to use split signing algorithm identifiers such as those defined in this specification
MAY also allow use of algorithm identifiers that do not represent split signing algorithms.
In this case, the <em>signer</em> performs all steps of the signing procedure as usual.
For example, if the <em>signer</em> receives a signature request with an the algorithm identifier "ESP256",
then the <em>digester</em> passes the input data through unmodified
and it is the <em>signer</em> that computes the SHA-256 digest of the input data as defined in the ESP256 definition <xref target="RFC9864"/>.</t>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <section anchor="cose-alg-reg">
        <name>COSE Algorithms Registrations</name>
        <t>This section registers the following values in the IANA "COSE Algorithms" registry <xref target="IANA.COSE"/>:</t>
        <ul spacing="normal">
          <li>
            <t>Name: ESP256-split
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (Requested Assignment -300)</t>
              </li>
              <li>
                <t>Description: ESP256 split signing</t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="ecdsa-split"/> of this specification</t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP384-split
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (Requested Assignment -301)</t>
              </li>
              <li>
                <t>Description: ESP384 split signing</t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="ecdsa-split"/> of this specification</t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP512-split
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (Requested Assignment -302)</t>
              </li>
              <li>
                <t>Description: ESP512 split signing</t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="ecdsa-split"/> of this specification</t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: Ed25519ph
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: EdDSA using the Ed25519ph parameter set in <xref section="5.1" sectionFormat="of" target="RFC8032"/></t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref section="5.1" sectionFormat="of" target="RFC8032"/></t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: Ed25519ph-split
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (Requested Assignment -303)</t>
              </li>
              <li>
                <t>Description: Ed25519ph split as defined in <xref target="eddsa-split"/></t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="eddsa-split"/> of this specification</t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: Ed448ph
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: EdDSA using the Ed448ph parameter set in <xref section="5.2" sectionFormat="of" target="RFC8032"/></t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref section="5.2" sectionFormat="of" target="RFC8032"/></t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: Ed448ph-split
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (Requested Assignment -304)</t>
              </li>
              <li>
                <t>Description: Ed448ph split as defined in <xref target="eddsa-split"/></t>
              </li>
              <li>
                <t>Capabilities: [kty]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="eddsa-split"/> of this specification</t>
              </li>
              <li>
                <t>Recommended: Yes</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="common-params-reg">
        <name>COSE Signing Arguments Common Parameters Registry</name>
        <t>This specification establishes the "COSE Signing Arguments Common Parameters" registry.
The registry uses the "Expert Review Required" registration procedure.
Guidelines for the experts are the same as those in <xref section="11.6" sectionFormat="of" target="RFC9052"/>.
It should be noted that, in addition to the expert review,
some portions of the registry require a specification,
potentially a Standards Track RFC, be supplied as well.</t>
        <t>The columns of the registry are:</t>
        <dl>
          <dt>Name:</dt>
          <dd>
            <t>A descriptive name that enables easier reference to the item.
It is not used in the encoding.</t>
          </dd>
          <dt>Label:</dt>
          <dd>
            <t>The value used as the CBOR map label for this parameter.
Labels MUST be unique.
The label can be a positive integer, a negative integer, or a string.
Integer values between 0 and 255 and strings of length 1 are designated as "Standards Action".
Integer values from 256 to 65535 and strings of length 2 are designated as "Specification Required".
Integer values of greater than 65535 and strings of length greater than 2 are designated as "Expert Review".
Integer values in the range -65536 to -1 are
"used for signing arguments specific to a single algorithm delegated
to the COSE Signing Arguments Algorithm Parameters registry".
Integer values less than -65536 are marked as private use.</t>
          </dd>
          <dt>CBOR Type:</dt>
          <dd>
            <t>The CBOR type of the parameter's value.</t>
          </dd>
          <dt>Value Registry:</dt>
          <dd>
            <t>The registry that values come from, if one exists.</t>
          </dd>
          <dt>Description:</dt>
          <dd>
            <t>A brief description for the parameter.</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>A pointer to the public specification for the parameter, if one exists.</t>
          </dd>
        </dl>
        <section anchor="initial-contents">
          <name>Initial Contents</name>
          <t>The initial contents of this registry are the values in <xref target="tbl-cose-sign-args-common"/>.
All of the entries in the "References" column of this registry point to this document.</t>
        </section>
      </section>
      <section anchor="alg-params-reg">
        <name>COSE Signing Arguments Algorithm Parameters Registry</name>
        <t>This specification establishes the "COSE Signing Arguments Algorithm Parameters" registry.
The registry uses the "Expert Review Required" registration procedure.
Guidelines for the experts are the same as those in <xref section="11.6" sectionFormat="of" target="RFC9052"/>.</t>
        <t>The columns of the table are:</t>
        <dl>
          <dt>Name:</dt>
          <dd>
            <t>A descriptive name that enables easier reference to the item.
It is not used in the encoding.</t>
          </dd>
          <dt>Algorithms:</dt>
          <dd>
            <t>The algorithm(s) that this registry entry is used for.
Values are taken from the "COSE Algorithms" registry.
Multiple algorithms can be specified in this entry.
For the table, the algorithm/label pair MUST be unique.</t>
          </dd>
          <dt>Label:</dt>
          <dd>
            <t>The value used as the CBOR map label for this parameter.
The label is a negative integer value in the range -65536 to -1.
Labels are expected to be reused for multiple algorithms.</t>
          </dd>
          <dt>CBOR Type:</dt>
          <dd>
            <t>The CBOR type of the parameter's value.</t>
          </dd>
          <dt>Required:</dt>
          <dd>
            <t>"Required" if the parameter is required for this algorithm, otherwise "Optional".</t>
          </dd>
          <dt>Description:</dt>
          <dd>
            <t>A brief description for the parameter.</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>A pointer to the public specification for the parameter, if one exists.</t>
          </dd>
        </dl>
        <section anchor="alg-params-reg-initial">
          <name>Initial Contents</name>
          <t>The initial contents of this registry are as follows.</t>
          <section anchor="context">
            <name>context</name>
            <dl>
              <dt>Name:</dt>
              <dd>
                <t>context</t>
              </dd>
              <dt>Algorithms:</dt>
              <dd>
                <t>Ed25519ph, Ed25519ph-split, Ed448ph, Ed448ph-split</t>
              </dd>
              <dt>Label:</dt>
              <dd>
                <t>-1</t>
              </dd>
              <dt>Cbor Type:</dt>
              <dd>
                <t>bstr</t>
              </dd>
              <dt>Required:</dt>
              <dd>
                <t>Required</t>
              </dd>
              <dt>Description:</dt>
              <dd>
                <t>context argument to EdDSA signing and verification.</t>
              </dd>
              <dt>Reference:</dt>
              <dd>
                <t><xref target="eddsa-split"/></t>
              </dd>
            </dl>
          </section>
        </section>
      </section>
    </section>
    <section anchor="impl-status">
      <name>Implementation Status</name>
      <t>This section is to be removed from the specification by the RFC Editor before publication as an RFC.</t>
      <t>There are currently two known implementations using features defined by this specification:</t>
      <ul spacing="normal">
        <li>
          <t><eref target="https://github.com/wwWallet">wwWallet</eref>, an EU Digital Identity pilot project.
wwWallet was entered into the
<eref target="https://www.sprind.org/en/actions/challenges/eudi-wallet-prototypes">"EUDI Wallet Prototypes" competition held by SprinD GmbH</eref>,
and a branch of the wallet was submitted in the competition.
The competition entry implements ARKG <xref target="I-D.bradleylundberg-ARKG"/>
for efficiently generating single-use hardware-bound holder binding keys.  </t>
          <t>
The <eref target="https://github.com/gunet/funke-s3a-wallet-frontend/blob/stage-3/src/services/keystore.ts">implementation</eref>
uses the <tt>COSE_Key_Ref</tt> data structure defined in version 01 of this specification
in order to send ARKG inputs to a WebAuthn authenticator,
and uses the placeholder value for the experimental split algorithm identifier ESP256-split-ARKG
defined in Section 5.2 of <xref target="I-D.bradleylundberg-ARKG"/>
to negotiate creation and usage of ARKG-derived keys for signing operations.
Thus wwWallet assumes the <em>digester</em> role while the WebAuthn authenticator assumes the <em>signer</em> role.</t>
        </li>
        <li>
          <t><eref target="https://www.yubico.com/">Yubico</eref>, a hardware security key vendor,
has produced limited-availability prototypes of their YubiKey product
with an ARKG implementation interoperable with wwWallet.
The YubiKey implementation uses the <tt>COSE_Key_Ref</tt> data structure defined in version 01 of this specification
to receive ARKG inputs from a WebAuthn Relying Party,
and uses the placeholder value for the experimental split algorithm identifier ESP256-split-ARKG
defined in Section 5.2 of <xref target="I-D.bradleylundberg-ARKG"/>
to negotiate creation and usage of ARKG-derived keys for signing operations.
Thus the YubiKey assumes the <em>signer</em> role while the WebAuthn Relying Party assumes the <em>digester</em> role.</t>
        </li>
      </ul>
      <t><xref target="tbl-impl-status-matrix"/> summarizes implementation status for individual features.</t>
      <table anchor="tbl-impl-status-matrix">
        <name>Implementation status of individual features.</name>
        <thead>
          <tr>
            <th align="left">Feature</th>
            <th align="left">Defined by</th>
            <th align="left">Digester</th>
            <th align="left">Signer</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">ESP256-split</td>
            <td align="left">This specification</td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP384-split</td>
            <td align="left">This specification</td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP512-split</td>
            <td align="left">This specification</td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">Ed25519ph-split</td>
            <td align="left">This specification</td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">Ed448ph-split</td>
            <td align="left">This specification</td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP256-split-ARKG</td>
            <td align="left">
              <xref target="I-D.bradleylundberg-ARKG"/></td>
            <td align="left">wwWallet</td>
            <td align="left">Yubico</td>
          </tr>
          <tr>
            <td align="left">ESP384-split-ARKG</td>
            <td align="left">
              <xref target="I-D.bradleylundberg-ARKG"/></td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP512-split-ARKG</td>
            <td align="left">
              <xref target="I-D.bradleylundberg-ARKG"/></td>
            <td align="left">-</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">
              <tt>COSE_Sign_Args</tt></td>
            <td align="left">This specification</td>
            <td align="left">wwWallet</td>
            <td align="left">Yubico</td>
          </tr>
        </tbody>
      </table>
      <section anchor="impl-status-dependents">
        <name>Dependent Specifications</name>
        <t>As indicated in the previous section,
the Internet-Draft of ARKG <xref target="I-D.bradleylundberg-ARKG"/> extends this specification with definitions for ARKG:</t>
        <ul spacing="normal">
          <li>
            <t>Its section "5.2 COSE algorithms" defines COSE algorithm identifiers ESP256-split-ARKG, ESP384-split-ARKG
and ESP512-split-ARKG based on the ECDSA identifiers defined in this specification (<xref target="ecdsa-split"/>).</t>
          </li>
          <li>
            <t>Its section "5.3 COSE signing arguments" defines a representation for ARKG arguments
using the <tt>COSE_Sign_Args</tt> data structure defined in this specification (<xref target="cose-sign-args"/>).</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="FIPS-186-5" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf">
          <front>
            <title>Digital Signature Standard (DSS)</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2023" month="February"/>
          </front>
        </reference>
        <reference anchor="IANA.COSE" target="https://www.iana.org/assignments/cose/">
          <front>
            <title>CBOR Object Signing and Encryption (COSE)</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8032">
          <front>
            <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8032"/>
          <seriesInfo name="DOI" value="10.17487/RFC8032"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9864">
          <front>
            <title>Fully-Specified Algorithms for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>This specification refers to cryptographic algorithm identifiers that fully specify the cryptographic operations to be performed, including any curve, key derivation function (KDF), and hash functions, as being "fully specified". It refers to cryptographic algorithm identifiers that require additional information beyond the algorithm identifier to determine the cryptographic operations to be performed as being "polymorphic". This specification creates fully-specified algorithm identifiers for registered JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) polymorphic algorithm identifiers, enabling applications to use only fully-specified algorithm identifiers. It deprecates those polymorphic algorithm identifiers.</t>
              <t>This specification updates RFCs 7518, 8037, and 9053. It deprecates polymorphic algorithms defined by RFCs 8037 and 9053 and provides fully-specified replacements for them. It adds to the instructions to designated experts in RFCs 7518 and 9053.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9864"/>
          <seriesInfo name="DOI" value="10.17487/RFC9864"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="FALCON" target="https://falcon-sign.info/">
          <front>
            <title>FALCON: Fast-Fourier Lattice-based Compact Signatures over NTRU</title>
            <author fullname="Pierre-Alain Fouque">
              <organization/>
            </author>
            <author fullname="Jeffrey Hoffstein">
              <organization/>
            </author>
            <author fullname="Paul Kirchner">
              <organization/>
            </author>
            <author fullname="Vadim Lyubashevsky">
              <organization/>
            </author>
            <author fullname="Thomas Pornin">
              <organization/>
            </author>
            <author fullname="Thomas Prest">
              <organization/>
            </author>
            <author fullname="Thomas Ricosset">
              <organization/>
            </author>
            <author fullname="Gregor Seiler">
              <organization/>
            </author>
            <author fullname="William Whyte">
              <organization/>
            </author>
            <author fullname="Zhenfei Zhang">
              <organization/>
            </author>
            <date year="2017"/>
          </front>
        </reference>
        <reference anchor="FIPS-201" target="https://csrc.nist.gov/pubs/fips/201-3/final">
          <front>
            <title>Personal Identity Verification (PIV) of Federal Employees and Contractors</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2022"/>
          </front>
        </reference>
        <reference anchor="FIPS-204" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf">
          <front>
            <title>Module-Lattice-Based Digital Signature Standard</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2024" month="August"/>
          </front>
        </reference>
        <reference anchor="I-D.COSE-Hash-Envelope">
          <front>
            <title>COSE Hash Envelope</title>
            <author fullname="Orie Steele" initials="O." surname="Steele">
         </author>
            <author fullname="Steve Lasker" initials="S." surname="Lasker">
         </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="15" month="November" year="2025"/>
            <abstract>
              <t>   This document defines new COSE header parameters for signaling a
   payload as an output of a hash function.  This mechanism enables
   faster validation, as access to the original payload is not required
   for signature validation.  Additionally, hints of the hashed
   payload's content format and availability are defined, providing
   references to optional discovery mechanisms that can help to find
   original payload content.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-hash-envelope-10"/>
        </reference>
        <reference anchor="I-D.bradleylundberg-ARKG">
          <front>
            <title>The Asynchronous Remote Key Generation (ARKG) algorithm</title>
            <author fullname="Emil Lundberg" initials="E." surname="Lundberg">
              <organization>Yubico</organization>
            </author>
            <author fullname="John Bradley" initials="J." surname="Bradley">
              <organization>Yubico</organization>
            </author>
            <date day="5" month="July" year="2026"/>
            <abstract>
              <t>   Asynchronous Remote Key Generation (ARKG) is an abstract algorithm
   that enables delegation of asymmetric public key generation without
   giving access to the corresponding private keys.  This capability
   enables a variety of applications: a user agent can generate
   pseudonymous public keys to prevent tracking; a message sender can
   generate ephemeral recipient public keys to enhance forward secrecy;
   two paired authentication devices can each have their own private
   keys while each can register public keys on behalf of the other.

   This document provides three main contributions: a specification of
   the generic ARKG algorithm using abstract primitives; a set of
   formulae for instantiating the abstract primitives using concrete
   primitives; and an initial set of fully specified concrete ARKG
   instances.  We expect that additional instances will be defined in
   the future.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-bradleylundberg-cfrg-arkg-11"/>
        </reference>
        <reference anchor="NIST-SP-800-73-5" target="https://doi.org/10.6028/NIST.SP.800-73pt2-5">
          <front>
            <title>Interfaces for Personal Identity Verification: Part 2 – PIV Card Application Card Command Interface</title>
            <author fullname="Hildegard Ferraiolo">
              <organization>National Institute of Standards and Technology, Gaithersburg, MD</organization>
            </author>
            <author fullname="Ketan Mehta">
              <organization>National Institute of Standards and Technology, Gaithersburg, MD</organization>
            </author>
            <author fullname="Salvatore Francomacaro">
              <organization>National Institute of Standards and Technology, Gaithersburg, MD</organization>
            </author>
            <author fullname="Ramaswamy Chandramouli">
              <organization>National Institute of Standards and Technology, Gaithersburg, MD</organization>
            </author>
            <author fullname="Sarbari Gupta">
              <organization>National Institute of Standards and Technology, Gaithersburg, MD</organization>
            </author>
            <date year="2024"/>
          </front>
          <refcontent>NIST Special Publication (SP) NIST SP 800-73pt2-5</refcontent>
        </reference>
        <reference anchor="PKCS11-Spec-v3.1" target="https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html">
          <front>
            <title>PKCS #11 Specification Version 3.1.</title>
            <author fullname="Dieter Bong">
              <organization/>
            </author>
            <author fullname="Tony Cox">
              <organization/>
            </author>
            <date year="2023" month="July" day="23"/>
          </front>
          <annotation>Latest stage: <eref target="https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html">https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html</eref>.</annotation>
          <refcontent>OASIS Standard</refcontent>
        </reference>
        <reference anchor="OPENPGPCARD" target="https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf">
          <front>
            <title>Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems</title>
            <author fullname="Achim Pietig">
              <organization/>
            </author>
            <date year="2020" month="March"/>
          </front>
          <refcontent>Version 3.4.1</refcontent>
        </reference>
        <reference anchor="RFC1958">
          <front>
            <title>Architectural Principles of the Internet</title>
            <author fullname="B. Carpenter" initials="B." role="editor" surname="Carpenter"/>
            <date month="June" year="1996"/>
            <abstract>
              <t>The Internet and its architecture have grown in evolutionary fashion from modest beginnings, rather than from a Grand Plan. While this process of evolution is one of the main reasons for the technology's success, it nevertheless seems useful to record a snapshot of the current principles of the Internet architecture. This is intended for general guidance and general interest, and is in no way intended to be a formal or invariant reference model. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1958"/>
          <seriesInfo name="DOI" value="10.17487/RFC1958"/>
        </reference>
        <reference anchor="RFC9380">
          <front>
            <title>Hashing to Elliptic Curves</title>
            <author fullname="A. Faz-Hernandez" initials="A." surname="Faz-Hernandez"/>
            <author fullname="S. Scott" initials="S." surname="Scott"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="R. S. Wahby" initials="R. S." surname="Wahby"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="August" year="2023"/>
            <abstract>
              <t>This document specifies a number of algorithms for encoding or hashing an arbitrary string to a point on an elliptic curve. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9380"/>
          <seriesInfo name="DOI" value="10.17487/RFC9380"/>
        </reference>
        <reference anchor="RFC9413">
          <front>
            <title>Maintaining Robust Protocols</title>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="June" year="2023"/>
            <abstract>
              <t>The main goal of the networking standards process is to enable the long-term interoperability of protocols. This document describes active protocol maintenance, a means to accomplish that goal. By evolving specifications and implementations, it is possible to reduce ambiguity over time and create a healthy ecosystem.</t>
              <t>The robustness principle, often phrased as "be conservative in what you send, and liberal in what you accept", has long guided the design and implementation of Internet protocols. However, it has been interpreted in a variety of ways. While some interpretations help ensure the health of the Internet, others can negatively affect interoperability over time. When a protocol is actively maintained, protocol designers and implementers can avoid these pitfalls.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9413"/>
          <seriesInfo name="DOI" value="10.17487/RFC9413"/>
        </reference>
        <reference anchor="RFC9881">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
            <author fullname="J. Massimo" initials="J." surname="Massimo"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="B. E. Westerbaan" initials="B. E." surname="Westerbaan"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>Digital signatures are used within X.509 certificates and Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using FIPS 204, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 certificates and CRLs. The conventions for the associated signatures, subject public keys, and private key are also described.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9881"/>
          <seriesInfo name="DOI" value="10.17487/RFC9881"/>
        </reference>
        <reference anchor="RFC9964">
          <front>
            <title>ML-DSA for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="M. Prorock" initials="M." surname="Prorock"/>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <date month="May" year="2026"/>
            <abstract>
              <t>This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for the Module-Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 204.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9964"/>
          <seriesInfo name="DOI" value="10.17487/RFC9964"/>
        </reference>
        <reference anchor="SECDSA" target="https://eprint.iacr.org/2021/910">
          <front>
            <title>SECDSA: Mobile signing and authentication under classical "sole control"</title>
            <author fullname="Eric Verheul">
              <organization/>
            </author>
            <date year="2021" month="July"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 824?>

<section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>We would like to thank
David Dong,
Ilari Liusvaara,
Lucas Prabel,
Sophie Schmieg,
and
Falko Strenzke
for their reviews of and contributions to this specification.</t>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Moved reference FIPS-186-5 from informative to normative references.</t>
        </li>
        <li>
          <t>Fixed subtly incorrect CDDL syntax in example in section "COSE Signing Arguments Common Parameters".</t>
        </li>
        <li>
          <t>Added missing references to RFC 8610 and RFC 9864.</t>
        </li>
        <li>
          <t>Removed unused reference SEC1.</t>
        </li>
        <li>
          <t>Fixed digester referred to as host in "Prior Art" subsection "PKCS #11".</t>
        </li>
        <li>
          <t>Reverted import of COSE Algorithms registrations from draft-bradleylundberg-cfrg-arkg made in individual-draft -07:
ESP256-split-ARKG, ESP384-ARKG, ESP384-split-ARKG, ESP512-ARKG, ESP512-split-ARKG, ESP256K-ARKG.</t>
        </li>
        <li>
          <t>Removed placeholder section "ECDSA with ARKG" added in individual-draft -07.</t>
        </li>
        <li>
          <t>Replaced ARKG examples with Ed25519ph and ML-DSA examples.</t>
        </li>
        <li>
          <t>Removed COSE_Sign_args registry definitions for ARKG.</t>
        </li>
        <li>
          <t>Moved draft-bradleylundberg-cfrg-arkg from normative to informative references.</t>
        </li>
        <li>
          <t>Defined context input for Ed25519ph and Ed448ph.</t>
        </li>
        <li>
          <t>Added COSE_Sign_Args member for context argument for Ed25519ph-split and Ed448ph-split.</t>
        </li>
      </ul>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>Created initial working group draft from draft-lundberg-cose-two-party-signing-algs-07</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+V92XIbSZLge35FGPSgw5AgQUoqibWtbRYPiV2ixCWpKqtV
ackAMgBkM5GJyYMUSmLb/MP8wnzGvu37fsR+yfoRVx6AKFXVWI9NWbcIIDPj
cPfw2z3DMAyKUqbRhUyyVO2IMq9UEC9y+lSUW5ubzze3gqCMywSu9s4WSVyK
s3iaxulU7CbTLI/L2bwQkywXe2/PDnqBHI1ydX23exOZTneESoOxLBVcX+6I
ooyCIMrGqZzDhFEuJ2UYq3ISjrNChQWOGRY8ZiiTaRFuDoOiGs3jooiztFwu
4Kmjg/NDIe4JmRQZLCROI7VQ8E9a9vqip6K4hKXIBL8c7f4Af2BBvaPT88Ne
kFbzkcp3gggWtBOMs7RQaVEVGjCwre1A5kri9tS4gg0te8FNll9N86xawK+8
ryu1hB+jnUCEtFP8qwGBHx0s6ALBqes375FXspgdRPtnu/jlINp68mT4fDHj
L48fP4OPwbVKK1izEPW1CMFA6f0My0RMvMTL+Ptcxgn8joD9K4J4kOVT/F3m
4xn8PivLRbGzsYG34U/xtRqY2zbwh41Rnt0UagMH2MAHp7D+aqSHDG+mG19G
Xy8IAlmVswxgHoo8QypjBMF4kypJmA4O5nEiXldpBMgBeADCpjKNf5Ml4HxH
/FKN4nEGPxdlrlS5I17+n3+/TtRUAmWLrS24MAZE7YizMhtfzbJkjr9kVVoi
wSF2hGJYKJjmr2qeVOmgUAEsyK3gOB7PpErEDwPxNzgpgCURp0AXxwPvl/qy
zlQyCY+KolKR2ANKqpKSsGlmm/OQF6OLv+Pzf51lJV4YjDNcIBDXjjA4KHCo
mIYaxOkk2/B38C6NS5jirASaLYIgzfI5rOCaaOHw6OQsHD57Gj7Bb0ALMp8i
hMzA6XWyqEbFII2LcjDNrjfwA/6ygU9uvDk6Ox/gpwGNMVhEEx6G+cF+DCiX
CRGqLKtc4SLSSOaReLB/dvaQ7jXoxc8hgmhHvCEIwYNHaQFDVaUS2cQ+Wwj4
K87VeJZmSTZd0pN0IMWhGuWVzJdia3NrG34/2n2zO0A6797dzc3NIJapZJIt
kPDmwAUKJll/J3s/vD0Vb0d/V2PHsnAVB+k4Xy5wteIBzrNyS7gS+H56uLc1
HD7f4Y/PNre3zMfhd4/Nx6fDTf3x+eYTc8PzZ0/hhgCx6+Nv9/Xe2zfdu5vI
BBgUHSdLFHZD9/WT4lAWZXiYATmpXLyWZRmPVTiSBRHlfCH1hgl9hciu4a43
56fv7nds1J2GExgsV+FuIuNUwOD/Asyxec/f1GSSq6V4lU0mRanitD2KrBLx
YwysJFV56+pPMorn4vWygsXO1HVxtWzdcj7L5rIQJ1medgxvrsK+ylUXT4Fx
FIVqX3+Zo0CCMxwnHWv7OU6SWM7Fz7Nl2d75/5ypdKJi+CvpvBvq3docfmfO
JHzuxuq4yMfuONJRnMSLYgMeCLfhIxybGp5PVF7wWUIBB3xO/KTyeBKPJVPt
ydFPD/F0HapI5XDbwXyRZEul+JQBXypzoIEsL7ow/vtOKxzSLbffx7+TA8EI
Tf5znEVVokJD1T8QVa9mSn/4BnerKShJuM/HyIzCfeJFIQrr8CC9VklG6gj8
3pSEM7xF6Vv0s6NcRolaJlrMhbunP770n25eH0/gHwm6BzyPYArPTsJnm5vh
d9uruH2UxcQKh5uDp5tbzxi4ZycDfmpRboVParR1lJYqn8ixYqVtPanhec4B
GOL//eu/CaA6sYdyYHcBMl/TIv0ATGeOALVjr+c0r+IkAkkODx4Cy5ExoIDu
Ed+Cur54KUFHgW2MqnzaF8f7rfl+VKg0HKtZKf/Uec5kci3h2ClxmMsURL4c
y/zP3dqpBI53I+dLsQeMCWhqnlVJ/CfvMh/JPBYvq8WfAE/LZR7T11xNQB6W
QJo7dB5Ai1Zj0PPFSTWyNPjg7OShvnoi6nR/8uPe2XAY4lPh9fZgBX8G26QY
ZLKIixCObkrnaXE1LoZD/Qe0XDXewAE2ssL/jQYNs2IwK+cNHg4zi3vDIa/Y
8m44XWjUCHhssP6U7ANnAcH9Q6blTU3SZSlgPPtYB9l2uPldSDpUHXBvd8+O
zhocM4Wzff81apclqNhyCiP8t28BRxMWBIgXtLW3JwdvTl6e7O2e7neDfZpW
iymNPikXGzhEsfEWJoSHwmIOjCeE8xOF0rGbcHvwGOZoiIzDKh1r0qsDG8gP
KEzoMYU3kID/HZ29FWc4DTMxuCuXqM2LsyXoNmi0rcHOLhhPc9SZythXB47R
iEJcbLaw4DAPW2D9cPj8yTOjKm4/swrk4+G2VSCfDc3H509J2p4d7IHJ2A1Q
tcjjtAT1eJwTWGEdw43nw80aYeoBQNCOQA8ShacZ42ZRCmgYgVACAhwnqGWP
Abi9Amw5gRsCo663nnoP8niMW56pKvHg87cqIUV/CDZiGIZCjgrSVYLgfBYX
oqihL1KgGoGcQgEMhr82pkVMkmoC6moRoAhLQasrY0bdLLsRZSbIKBWSNsf6
gnt8pMobpVJR3mSwl8xifQGUEKtiEJwvF7hdWCgSzyTO4YjgxaVACQ/rwZ9h
OxJnGjEEVRQgAPFKoQBCkX4CNhDbZ9xqSCXHn2jEiEYbMAjgfxLWNZ8DAErk
ljEo4n1RFQqASyJbfZSg7ylxM8NdzBwKAfsgf5S4Ag0dhpmpJAKDFsFAVI6H
KYDni3iO1j/MnUc3MkeMzhdgraaluAEIiQSuo/G5yDPQEgoaObuBBeMOcWVV
ajA0gp9u4qic4eIVkLs2iN1WYTcwA6MMaQjWAxivxgQGgB9QT8ErqHDO0ZKw
lk5hfwTBPsF1DPIbIH1NqgncVtGqaO9Abfp3vSaL6QB3k1VAB1EUa/4AB3tR
4LyLXOn9WRBaPBBlzuMINLMg+LRDzoMdUYC9NVZ/6aHfoncbBPdQ3clBWyXe
EwR3NjfFe20lfgg6iZogVqHai9h2t1g6h9mI2DJk4xm6CARNkU1zuZjBucto
FQWjUx+JGHUz2HWJ+533gzolxcC13ExwO8yPfwiyy9pJguciNZYLQDXODJeA
kGCxQHWD4OAjaPq489VnVmRAXgBNwButCdESgYYWJwUybFouYIT3IG7AoEOX
HdGMivoBYH6sNNmYxxBgpT21MZixibqWQM+4yZIIcxwvYljCICBC7V4Y8xs6
M2WbG+Ekc2VGpTMKsEPfAzovEF5jsFV2AoBaFF/DuHgc4FwVMfDZGFmLiMBi
B9hc2A3BuBe4admJwH4Qw31KRnhLpIpxDkM5JkfDVHN14cFrEFgJCKDo45Ul
HmRaDxwigjjxvBHiXS5xIENYKsCRpeUnmjfC3gkYyFK/wDxrZNWvcR4WMID3
SUlMxxPG/QAIMFG0je6j7CGyxWHgt7kEQFl2EADJxJMGxyU6ypXsZDLEvQCB
WmysPJSorqoJKvhw7Hxi4GNYX5Y+hI5iV24OoAtwRWUvTiO8bDmcTGDJ0RIg
qo9V59qAqHcLgZQI48KzcgTyBaEPAmHuE6cGI0uZ1czFILkbWwaRDrMwUIag
cRKl0I50MSdrXjx4dXb8EOg2iSzfbsssoF0LKbhfzCVK3Gv1TQIJzk5JIyCm
QHQsUMsgCYTqgdKyGkFGLC2eohMGYFgUoAuzYKJVDIIjPoN9wXicZ6gxt/UK
xCEMwjw3iqeKEYbD6FHhNCPLBp3go4rCRKVTuJMO5FxFePzgC0jBvsZQCjwD
WSMNZSSgLygJjB0I8k4TghHOKLofC3N+SqMWdylHGWsUPOk6jYQFFElzY98V
FQqRwqrb7z0D4EM/sAbR+6ZR9qFPmET/wvum0+MDEDeTRRRPJnD80hXQ13Dy
4I2rcw8BrytIbMrSHwpNn8JAxA5H1AP7RuJZZEByyC01268x6t2TI9Y3keki
SiTgr8YDe0bNMyuMixYWkVmrvBdMVQocgqUYH8/E2yKcD3OskPPHkebOhTvW
zMCQ7DFOpvdpmbY/lKXq8tvEYaBSEiH4uGb+DEUAbzeIEGkJ6l3juFAomwhM
EmimixCRE4LQqkiMBaygsPLWxBVxZk3kDFK+W3P2n3GNldkNCS4MSRUgqGGU
C0aKyi/EAzWYDvormN5D3pk+lPFvnkbPXAw4E0h31bdmwAWplN64qSAmSOMg
JyyARsYJ8Plra1P5J7PFHIM3Wan48ZKk1QqsZUS1erupuhE9gHnIhkZPXMs8
BrFlwYhRgy4E9DHmZDUGw6B6RMjGx9ljK8jq833LAmiVHv287/ajwuE+lSg5
+npLdfJLccNW9HWd+oAmuskqsHScAjjCp+CorDAoRmAS8EEhhowUwWwAWQ2q
pV0zgRjXezuBCxS2JT0ew0HA3Pggx6ga49N95Nda8pip+BABG2Ju53QJdyuH
s2DV/Iw1zbuF/iuQgdcIO1B2eHGdJ8lY0bKTEPoMwtol96yWOnZd8g4r6zNr
MMLPDEwohAOsjebaga2fRHuEWLEzDxb2Tn2yBsGhz2g7VHazdRtc52i1ePDp
k4qiQvLX29uHiFezNw0YPCD2OYfqgXcM9WW28uytpLJERLRgv3SrfAVToXuo
NoReJZlg601coNjg3j1xqv6lAj2G4qDiDamiWk/by+CokV5YsOWDvgHMYyhE
7/jd2TnmS+Bf8eYtfT49+B/vjk4P9vHz2avd16/tB3PH2au3717vu0/uyb23
x8cHb/b5YfhVNH463v2lx7Tfe3tyfvT2ze7rnj0XUTaucP2sZxOJWIsVCa8w
BhAzlB/2TsTwMaEFY7MfGEHD7x5/ILcIT5OlyVJ/JTsI+LmSOblEQLCCCYsx
paKPgxdg+aQCj6QG6UkeA3Ht5iXwhBrJr9eGHLdy6rHVkNhJMsmSJLuhe6oR
KMoswtXHBS/ZGsBucJwSRRFP8YerV7Dde2ZUJhIzhbcJkHBlNgYRVZs2MCeM
PGUU5MZzY2A15rhQQXoi71T0vhtsDYab4uTs7Y4A+jh5d34g9o9eHp3vvhZn
Ry/f7J6/Oz3o7QTBi0eP7nTvo0fBi+AFrlvPR5pFpEOGjiWy1uUMWkJ5zApv
ScrMCKTSzYDHIkl3LROA/wPymD4U2gbdJ0Z1lE4yHCZSCUjw3OhJ2jMIjDCJ
jIzVyxqIX98PBoNfPzCQe/v2xh6KJjjlZAIWTBeA+LQE+jVSFIiUn3CHAzSs
0s27f3a0U1/16z1as7feB6ewjx7SIWhEIzDaBG2N6AMuNd12Vk/9exbTYjQH
nqENxBcNm9fKrafAaHea84s6YqKId/ybbwtqm9k3P74P7FwSvVkAAU9d6xjW
3mUFRHD+dh9IB48C+92ZJ4zR/1rU994XpBeQW8o6dvhski5dVItFllueDRo0
S7wlDQC8PqkiJaZZFqHXH60LE2LFA90+UYXAgB0QnR2QD6I5x8G6E23P3ZqT
BvTyZDDcrvkij3f38ONEB0yKHrNjuO+xOGarSeeRFOuesv4SM5PWNi/3LnC2
I9CSL+lJ+EEP6363w7AQJSos5RV6Ei8Xx8D0ZBoX80v/SLBXpE0uc3P3ILAP
MuV6uqdlPE+FuwkEEVsJ6LgZodOQEajVeseYg97TAUB8SxOLcSlrjUbDj27Z
9m6x15mNrRuCuZfhDJqRdd7pttvXynEkHj3a+/H4gm5/9KjPwsneRtTHum+I
um/teMO6azoF3kvjAP97QHa/G2ec5ezLBAKjA6T9IzQo6km0XEKn9tFoQDp2
ZOANXBeVda3wJlk6pUgI6JnDza3HYhSXxffBC5C3UabY/tZMqDHe4KEPNgvk
LiR8AcIC1Jtw2Kc/W1uP9YcnT/nD9jP9y5PhFn3Ytjdt27u27W3beJ+HqOBF
B6Yufn0Ptw4/wz8wFv158hT/wCj4B4agbxf6KnzQ1y/0HdsXcM+vHx49Ih8z
kuo1mtQAuJUEQBifo/N08bXk0KIGQkjhe9AYnDXtu6/PlDm2hooR5sGLPx7o
PiQGNeIgaWe5qWbkWv7V7RkXV6odLLd5kma9FFP08MHe+icvYHG/PvKfB+Km
sB3fXj+9JO7sMtkntE7y7ZGb5SpuyKsuMciS5einHZuo1vcTJoJgZW4FXO3Q
GjGLumSnO2mp6FetIb+wHvs75bIZFVm8N+v7wJ6Ub9Avt0FnfDwQLw/eHJyC
mrj77vzVwZvzo71d0B39bCXNm+96O3KRBg/pfMbooGw0jbRpQIxGqzYNtRQt
sgf3n+/dfwhsNXiRK/Iv1fxAE5vggPDTShLq8+MkJpvJ884DAwa9cD4nW8Xk
Yw2EUx2DF1o7i8nqUBhW00qljkZnkwllXgww00uB8P0odgePRZwkFUbrzdFH
+1TrexoSwYtOUDAXMvslJyettX5Ka3NN4RgXxrYnZ9WpVtU0p+kYzpIDOwZO
SSQ5oyBVKipMyB6hFnMYC1kh2OMwoznBrGcfsmYu8ykbppwIgGr4/e/27lNG
3Ouh+CTuP9u6L+5vbsI/z4b3xest8cnlDBgA6WMtroeDJ6iTn5ydwfUoAmgb
b7Wnut/e9ozaDAT9SWcU4C+J/D0D3/a+DyxjX7NVoAxEQHq33XoLh0XpWWEL
g+C/jp0R3BMra2M+3eMaCayNuDWJLppbGf6Gzu6C+KbH3px3Tfu/bFyusT5p
lxJwvkdNqBnTnTkq+/KKFd5jVuxqzmW7NHZfeFPXIkttmm9GU4mfG62OvGRy
zAkY2Sqvtx8Ztg712rRets26eWfo4PvSbMw3WtDXhooWP36AidIqCpWjtoqu
SlgNWi2E2VJOgas0/VafPp1pzG+B3HlCjI2Tv25vUQEgRYsH5/lK43NCG7Tt
NHUU+Eq7jRg97PKR6RLUooS8BJfofifz7GI3nxaXXhrOg0IpWBmX88ANITCC
4vb2YT8gZ1wu0wI1JkxIybO5TwGYhWDQAotEYwXpd5wtlB+U8rVCcnxydM1J
Hx3UMKf7BkQNiJfKePNpCfO41J5AYlytBCzHv35HkgfJ6Z5R7tizEucCc9qK
4Hj3F8+HSBkuFoiFcQFyRgutW6dK1A9NKz609sQisJyfdc3sOheEKMPxOZ0w
hdGCr3wg0LOaDBTjjHamICtgxr0skxXwNnrgKgc2exKQ0JK48NxZvZ86H+jB
nEk1rzvuNFbJp3qXyMkaP6z2ZFDgiwPwhWKivsvAOC6JaDekyb4BkVrFkcRI
NrknzYK95DQfbCO1zIhSvFQAWIn2TrM0/XRPjV0UIwj41/euPuxDy7yxqrTZ
u+HudyXXwDBZPxa7RidzgPLXtYOFeOddAVR2qdojarjlU3beTWqjDPQgXSLp
DENNw3ZA1UwTWnvUY+h9vCGqxuZnVmouXl2YmVxmAagkRpL4HLD2VJ3XdKzC
bsCMgOlN81WxZea+tLGtFg2vTlrSi9jBVEZxrxwloUc1nBX8l56x37tpnHZU
DHq3wWfxBqNR5r/PzId+oh1/Ft1HFi7skwzkJMjPMEjo/Sf8r6J+bdUFGuTg
7GTryVO9j8/i/Id9tyy+Jpr/2QvvdXVe84TIGvV9+uQfsFuec/vZ45VzwrXu
OfHC75jzyXBr5Zzo++icEy9825yca4AFdZz+Y6OZRIFMnJRDDGIORWPEym/I
VPTgTMdL3vMHNOUT9GROZzp73cSVrePCS+m1WSyO7qUOuXGSsmaBtnoa2WDk
s0FWxN11G7v90/ifm6t9duzsxPPcnSaOOAIbxS9WqI/jAUEvxKUfdLATQexk
1RBx0eRIVmmXlK2Da3Aa6vZgW+unuP7bWzP8mhV0TOEU9LvN0WLpNXcj89bL
k1cPjh9eNqdaCZavZt5fO4Hgo8IPwwdMLlcFEzZQ7+XxpRliLfp4nZdUMvKx
vNQrRbWTUv9A11qyr6a2cud6XKPj1057U9PHDRxNyC4ju7/vrQEelFVSFpxu
LtR8gS4oUNsxeQ7TmVtCTOfeFF/abx9mvcGQuwd44y2/G8SwEYK8qpGGHUBj
8EuYCzrSebyMHM7kdtbCjVzqfF6dcWP5Bych5ZyJ4Swaj5DbNmg9v+t3CPSo
JdAdo7mDGP+DJPnvEuY2Fcaspy7nGpe9C7hHdwTcjS5+iBp8zfZ+wrqk5Tr1
FayQtH/uCpC9a8dFUzT7mUp6pdQexFtDY6X1y2tWyjeuXedWF6ToOQ2n/9j5
7w6nVdwUs51GzHPazIxZklPXTYUBVh0gYzd5Pk1r2pYamZoK5tYY07bzO/eE
Fhe1mLPj3UMTOzc/0CI8Zo4W7KdPePCJkSMP17l7AAHYu8v4s1wgNG4OD9jG
Mv92qXHOMWA9XjjUu9YbagAegNLSk9glCaAweWc27RlHsGU8l8CBLg37cmyv
Y/fr2J9dqWtX5HZd54qfxWs5UglS9nKB/FBn2EX/HT7vrmaHlqd9rv/97LG7
VZ/hG6xAAw055JBXghWS3gpqvKjf5Fp9c6j6jVP6uYMQO1Ey8OTgZ1a1942v
Yo2L2/gzwpqv+7ByZBSXxr/t1+N92atiPFEsGrUTymY1ChCumG1KgSsiU28B
t8gkJjLHPyaNv5E1Gk9WpM2iAkd+20L7eLWO3u3pZb87nX2U/FoNKPySFRct
R54zcblivhOTy1bi6Yy0j1Thw1jBg0VlitofMedqr6JWbGYzNJz6MQhOdM1p
o3iAgabGIf4eUoswFYWUIx+i7o2O6TugybgpRzWugVUXDJI5UMA8/o1rzOao
PDVWzLl0tMWoa/lY44QWUzrGlFCHQbMdcfw6NDEmpGr91USUH38YBN13AKYn
8UeajzkVYYU8wVJsavHAYZah/lbPuuDMFoVdfjDnq40bY1t2z++CYQNg6zYM
um+CA8+eDYmpG3KUWFVFsTYegDO4x6R/fm2yduAU8C4v2uUeG1//939fth3X
7i7kCHDLoFaiAPiER4vm2HHarHboPlHfB6ZQzZ0CXdVHAUfKJTclOqvjIuc2
zV6H4GOvnpSzVEpj+/mBDS5gGKPjFmFUzvThabroOVbBbkNyGzeRKqhqqAvd
WITDsJAYsPFuYbPcqzb36JKa+gkbHZYpl96V8VxvcTU4DSS8mb4lwZ/p7UpR
JXUjknEn1JLQxx58uSqcpdSCLK6Nss0MdFecGQy+kj5mBZOWbyiXGkpLEPxM
AcU5hsY668goFbFhnHHossmrTSiKM+I4k0ArGMAxVxWS6MinE4GeWsKMEtsP
UbiPEhXKusAKOmsGxuVHT2zzDJ7A91Mp7dSGxxq3CJjcWIFp/Hp4qcVCWxkp
bNSKC1jAhZvGc/iVKwNxWBak+1p8qOVs4ro4H5QOKiqArKizhY+6G803MMhk
U9xBVFr8Uy0qeRm55p/roPXGsTBtZXyAo3Iud3JpNLN+V4jdaG06dt65FMQo
5qBoGrLuHOtTrcdV62zs0ARTF1UOmgymUyobq6Iqr7pF0lbqEWw9vsmcbbO2
ni705JI+L5gmRZVSw4W+w2Eop2lWlGhJmIN6R9dpP8il5qMy1SoSz2L9y3bI
tbWBxnApkEoAgwzKGrvqsHeQU7SggqXXVQy2Hbo5uGPgXC7YstGBP13r0Tym
yJ28gpIWwAPNWidZlVoHInYU1FhoM6s9nujETtQDIE0BNCD5WlouryqkVRUh
3If22G4nVzHnitKwDFjaWQ5fv2BnCN1tzTBXY8EE5739/dfMvZ4ONz8Iyl6T
ud/woAnbvudEoKcnuZySRVMzWI0TYegSLTafbIE+C2jfCYJ//OMf4yhKgvrg
4i/iEzWs2Rb/S/zlhSjR/NrAwH5fiO8RXnT1kUjIQoQ72C7tB7c4IltMd8Vw
S0CFjFeTJmSropxJv5IquTx5xcymO4TnNmjNeetC1TBNNafWAZpBdpCTTaBg
KDft8ubwxjLfay1cT9FAg2VlnmXuzHI6qWSbo7OS5MKpobsVXkrjdPyCi7LD
Nwk4x0G3tRvLUYTxmnqW8GdXb9Fsp0IuKfhVx9U8oWykYj3w6w0wWyVUFgvK
xjehGea07OPSrVucNu7Gm8tyPKOs7yWpNxUpANgbII91HgSRGfMAvINlFnq/
dKygJtdt1TEN3GfNtO5Cc71EjANOjjiniA2tVKg8z3Kgov26s6DeSKagaIgR
fB5I1jF+OhpNHtJyuDfYkOmN0+3SMigIJl7GGGmIHY7gsJmRphOu6jWoHkcy
czMr2t4R4fbmdh+p73smoFZBq2a6OgVYUXbOwyCoe2C/93zTRmN5MFqWSjs/
EdybiGq4iQ3dAnvjhkPsGvalzt/3PQYobKOCvbqv4dM90xmEvA23utSShX74
WoE9Lc7ZAyFO0QPBT3S5JoyqcNvZOgwMGp1IYUuM2sqJS7vAEYNGol7dj0SJ
cLww7jrCBI15o8CXy2TpmmWM1FjieZe201YryNzzMrZ1DREBRgnFAfFe4MrZ
qaa0ML1gdgKFmbnot0qSehi6zThw2bYUntQUs4n6dFx7QFamS5Cs3cFdFlg+
cM4YGjgZ3I8atesgZqrku9sogMmrWYeXsY56h2tRtHTuYs8rRhzF+IZdLxet
DRfGiNebI5aCDj9FHeTJ55gufYuOO8fBOrECCf/yANzNLv6NtXSAXI7NKjrA
wRpicxdxataG7X+wQKLeOeuaetaAKYHdq1LbF8YED9A6IOZhMz2xW0yWTxVI
NVmWcnylNVMUhpTYiadqFi8MjRj6WkHog8Br3er0WOTcBDpiwx91Ty5vjLDW
LUx29PmJ1DVu2vByrzpVww1U/EUiSZ+4Id8K8kqE+ChrIBtmGy09lzGbsynL
UNZh75Li5yxZMrCkTW28XyB0jf+OSMu2fmrZgbp9Xb3ARrcdG4D5qeoYxsR5
zn3rbj1BEPd/0vFrZA0rmFTNw0KMioMm2eg6zqoCxT+iDikYO8r7xNMYDR/2
2NWhsTtXAUaCOAdiwVkaDjw6DzWAoUcy0TFwwldpyJQ6NRUBsQQ3XitXMMs7
TO7a6Fy13DdaSa2ZZ+4sxwSFCCZegwDgAla959oe0G8Iw+ae1kOLllp01J/s
WK3OQtozjO/rhBf51QPdM1EWGXcWWOOIt9Lu1kuhz5LIQMMxYNo/HHTPLVen
XtPuQcvIzlSF+iMBt0rRjeNKHe70XbMxkCHDatBol+BrbmbieoiAwiZ8MowD
YgXlMXexGRQeZs1W2clDzkLmm6hThwHyXM9JbluC0Z06A3qOmjQ6JXTjrhbj
Jn+mKigGZ3xmYUB8kVqYIqfLQWXyHDouO78Wc3IlOA8amXcP+6v2juIFxAZ2
Pbx4RWUeOgHFxpxqjIK80qB3IVXj7t1IoRY+tmDnQl2gT8uUav4GaHYd3RYZ
Nq+NSQ8BeAF28D0GYxuLhX2VFUCJGjoZixBbzel+LJZYvXZRdT+XgV7dXEgz
zLGhc+2lyBxpx6gddY4eIIdpOErUgMZ13PPmArQCTGwVGNBfRC3yVDxHVDIk
vEaDOvZMwQbj7hw0rROGkkfkxsPH7m2hGT6rgQz5kPUbluegdWY+fDQ0KCtd
k1NGkfqp7xoP6ZAbKiya9CVFKik0hbvTNX3XuvswvjWA3iIh3vPfD5prS4qu
aqJCkw9ZClByjD0td81DNVEnTbYc5gzgg07bxp8oiaEQj8RMZ1s/yMXnz2L+
8JL9sqBplX0dgLqcXZoozIKqT63b/TKH20UOHzMMH+ZWhTSYBZ7MSisc3Xxp
6UgnOLhAAWmB+SgGAMNtVHEaxrpQ9bK2PNIJlnTkfOr0AwKjZa0VryzoNTz4
U64W3GWyPvOmF4rqNwPiKzSawvcX56BhqRttfvjHksStVcQAZdkEUBP9ncSH
FlNHKdVtwEbecdHmCnNOF+myg96TXnEKmI4jtIZCUMNuMf+kZh/B2NkcBAa2
eZ9iYXCJ1T1ZcceSDGCkfrE493b91jodGMz0m2sWwTQaRgEivX4E2ptrCoxg
oX5fFurSSj6EH7GlqiPSQmdSyI4piVjvElOjcqiUXv9jesmQGk1gt8Z6ElNs
Ki7YXrNdbU3sPVfUM9eP6ugw9kRi0bFxsTQtVT52ZEppW7KlEXenZsQF8zri
XaROTRIwRfDbwrZGNiWN+jBY77nf0Hnk9Thttl+Bx+21Fe20UN8BXgfQUiQ3
zB5qqZOEXnJzaKu1rcYaQDNLBBJULpRN4Pk+uPHbwFqyZ/6HsPSqtTDLDLQ3
sgYM1O0Ttg8RhRAXeFZKW08NpnM4pp6nPRC6cJJT1Hmwu/sY2zf0kH1pk94l
Vm8PnlOFjG4s/wGIrwFJ9J1pJYJLF6m0y0us6ZqMrRC9D8xZ05xEl3/fgUxc
H2Pb0sv4yLwTIAvbOMcW+2oeUC86W1VJRskHM26K57k9WdfXnUZMsgiFukeo
O1qDXWei4RnjDidg5c79hsmcpvJed+jHzlm7vu0EgMVh0HtigIXN6dG2/j3A
Cxpl+sSpJhPFCicxfd/aWdPDWFDKYa2nGpo7SSy9hHVbK7266Ry7d2wPjM65
OCpfp7+2MxBPuucIfEfi4g0MfBfxRKZD/UbjSfSHDu1CTVLarjMWuVsjA7a6
G8/zelx+UUxxxShqrKxdaayvKL0mtwgj2KJjpWpAySM1bbsrM2eli7BWXEOV
tu28uLrnASw96sngizltLlm3z6pgv+hx2VVPO/Ka6UbSNgzyEl3KWU4ZBFUK
5j9JCU4Wdek61upj084rE9HdZBrdAvwsmladii4M8/xOtnZKEzOGQlskjL/e
upif5xg/9VzyNtCHChTGPhttANh9z1TgxyTYzOoIxrp5vIDre/vqPC42esNv
4vDK5NCbz+GyHcrZfnDKGAQw7NpX6WG0YZMc/34czQxUp0i6a08upOlxvyN+
fX9VLn/9wFfwbWmK30iWYT8bfpEnXTs1XdJ2mvVnjK/WYeKHtPhU0Y74BV+N
6G3TVubdeZvD7m1itd4/7zZtMeCdt7nVvU0sEPxn3aZ7HWptjx37+CPKL/6o
ja8d/w67/Uq8bnfh1e7/DmUSfxjCo9+PcH7l7dej+6trSP54ZHeM/8WdfiWq
H3eimvf+nwLRX5UWY3M5UGw2E506A74u2Uib71+fZGXeYaSntsXCvQNQv/MS
FoUeGFuIYR+0fbdMTeHLKsausKly3S8UDWHfIsLqtVUi69lKw8HTWroS+T21
n2JErx7RLVP6XemcPJN2F+k8VOzeYkzp0t+jKVeUzSYtvoNJeu/wOwdr6QqX
1qeAXaXbEsNOblSS6JwK7tDRng02D3oJnYJgR+zqDK8FhV7QcyNqQQB25rpm
qmaDYBbPKQnFvqHBFGXR9sHEiqgqNaBcIZwJ18SeSrpTO3hMsp9O5LLtaiwn
wUlojMLmrFTUkNlk2/CDJoVakAmPe6HoJzZmx8zMqaz/RllapnJW0Csz0TDV
mp4J4G6SOYp5GFTwRrcTQPVrQ4Y6Y5Z1cd0e2KFpl0ip1zEBBSdQjQNoPn3y
ZHvVBFudE9SOnD0IHdPAQFN6247O9lw3Ve3GznlrB7BrOo38nLhYiJPRBkMC
E9zes6/TaiW/upRI7cOj4KzfPl/XpGCxcWYz1e6YDmmJv2vVCb99DHatl0yv
mJL5FW/b+Jth7QP9ejHMeDMUTT/ge+BbOXr3dSU6PFVPjTOP2hNJB06vZoyc
AsmDjD8sMuCkAkrJclKHTu4oj9XEnV/dL7S2CHjMSQ56aJGR98EWP7MLtc7G
W8O0F0O9LI90S5w9fruibm5vGuXody4WVkD5LIhj3pZu1mZEDoLdxBYzwIgU
ZTINiuz2CtuUqDUf7Zl37KVzDtaKw0468iRiI432d4nD9Sm8/7wSsUvOcA/3
/2Ah4wxxc7gs63hQPPTckC4tOsV/TS3xJCM58xPTIwFDXmGukwkir7b38blj
3dDXDxppgaQJwvNN0cz41KHGAUGs8QqgDZZqCxnnLbH3h4hUJzkphNiUkKaJ
xiqO7kllzm6rdTDNleX08zZovpmNGgrHh3qO3OPGE9z6Q9fp2t27d+pwuPgG
U8p6bxecutr7T8FfW2wn1Lz29ms4L1bjkm/LzHPPRFzcibU/1E/W15c8e9Qa
DgHxI9i6QTzWVNexaj63kGFCQn7RdKPXT6N3dhMzTVOswzMOmltZWY94Qd+a
PsK4sDQ+z679wqE6inUJJDBLWGeMiVUjDlYtvLbO7PuHe5iV5tyBb1zlOb91
AsvZrlJ6QUYjhsSmNwbGKJpnTE6atSmGyAv5/ubmZ+xlXX54YF/8DGitRgOQ
shvm4kN6Q9bBO3xbBTVItu2iF3GSUWUQVzAIYR6hdzoqGzBlsofr73sH7/aP
hL6JYgJ4vklKzxeq1FmF+IIOWPUZBrr2xcv56JVb4M3NzaDACxG9R1mlG5Lz
4jfGMxwWmFKxoaooDm9oFs7PolkeYlsbrhYe4VvgZ4av3LhFF9VId7OMXfqW
Xphhkf5atcgwmACxffrjS36pFswRJWqZVGk0Uvk0xCto01N2wgQQETNCTUs+
jMdzih0GI0wiZziioh/MKMP3xcUcaMM82UGg1/O+TgidyJxWqSo3JlV6BcrU
tjTAAUJFrhBtjJJstEHv2gq3N4p8vFGoHPNGiw2cCkhVDTjl3GoalybifgFH
6rLxvjHf32HyWzaHK70SMSYKRswg6Q2QBEWX9CzFz2q0W5Wz1H8RdpYbhNpF
LRI5VhpWribRKjUxASlZF4nzffKEMpiio+uh9iytRbT//lZ+w2ms3/3EVR3w
PN4acjIYvaa3qFlCtjKjYNIDPmRPmEujb2eSus683WCrP+xnsA6ILfxSjeJx
Vj9zS/qNaIlS4dqJxphxcQ3IY7TMyEzSaXz6NaGhvJZxYsK17mDqcwhqDc78
ozJ1xeiDMwEspog6b268MhfvNPAxZ9UM2HjyT6FiwLeOxdXoVyc5W1ScqoQq
Ik848fi/GgWXHlZW0mEXCdfgto7+bQ8eT2SHcwkm4sfbW10+R++JbBAF30nr
d++4tPLUq6Jrj2tK6I46RwQwdQ1I1XOH/I0q46y8/qzfDKVyXbWGH1xLr1V1
cvZjZxPOtikKt/P/O9pnfvHuWuPLL9zd7t/1pQfqDXK+vJo6xcOV1XQNFy0X
/SyY17VAcKdhuuHxlY+2Cp9XbLdrzboHEFaVUa5Z/T0fNZ0Vzqi+jRItCuFe
aK01HczS4goA5hCcyXZEbbNBVdjP5aQ0J37d5rBMBbMNV+UG+hmWeNbwKVJH
j0qnUveQPTUKDHu21nbNK+xbtNBv41Xz3DbS+AVbOnGf88Dv3qC8lTE+aO9p
W6yo8/fKiG2GibMLaXH2ZtLCVjaWXC3Cutfc6i2PBiDykJEcX6FBtDtGcyNR
0ZRVXGSDaTUfoXL/l95EJoXqYfcOpXPzOBUyI/fpVbAvge2J/Qw7ih0lwHjF
67gqriWYq/3gdTXG17bmaA32g7NsMYuVOBvP5rHiBmTBoUyuMjDCwPj57UoF
WhbGuY6icOpwynmYeTyqdPlU1rFZzhXZN3Xbr2JUa5crdhNugmH6SByTOed8
UK7FNYv1OOV3AVCJCiYImS/uRXMDGOYQ3yuOtkXJ7zPTqWZU11osAdMfBb2h
klOW/Vfm3DlWhtPs8stFYu5q5b3rDpaGRieWz/KLPuAL5s/gQ6faZq1S8s+4
vZ4d7A3d4m1ON92Qs1sHkEcv54AV9+xrOXt+i/WeeWtSj+cCNYpYzpze2GeK
iL3cnLyWm0NAjpDzhE1mM57APzK/moq5jAhoTsaG9IgIN7/bgcOymiWs4A99
wxpqXxrXYcgf6ZsPRF97syDwXmiG9/cEvwRmxYp5OBpI20H2XTs0RL3LjO4D
Y27x1+IYAx5s5+7p4r8DS+tfAjZhJPWJ3j8DdbLft0mi7KjhLC+qsWm0yiFx
70i40XBgrvB80oMtn09tNJP26MbkX9CswXdpPRJ7udIyj71iN1lO9QHTPKsW
vHmf6BwAkEuWNxmXv4WagVPeIuAs+P/nHzSS2pkAAA==

-->

</rfc>
