<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-uta-pqc-app-03" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="PQC Recommendations for TLS-based Applications">Post-Quantum Cryptography Recommendations for TLS-based Applications</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-uta-pqc-app-03"/>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>k.tirumaleswar_reddy@nokia.com</email>
      </address>
    </author>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Applications and Real-Time Area</area>
    <workgroup>uta</workgroup>
    <keyword>PQC</keyword>
    <keyword>DNS</keyword>
    <keyword>WebRTC</keyword>
    <keyword>HPKE</keyword>
    <keyword>ESNI</keyword>
    <keyword>PQ/T Hybrid</keyword>
    <abstract>
      <?line 60?>

<t>Post-quantum cryptography presents new challenges for device manufacturers, application developers, and service providers. This document highlights the unique characteristics of applications and offers best practices for implementing quantum-ready usage profiles in applications that use TLS and supporting protocols such as DNS.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-uta-pqc-app/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        uta Working Group mailing list (<eref target="mailto:uta@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/uta/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/uta/"/>.
      </t>
    </note>
  </front>
  <middle>
    <?line 64?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The visible face of the Internet predominantly comprises services operating on a client-server architecture, where a client communicates with an application service. When using protocols such as TLS 1.3 <xref target="RFC8446"/>, DTLS 1.3 <xref target="RFC9147"/>, or protocols built on these foundations (e.g., QUIC <xref target="RFC9001"/>), clients and servers perform ephemeral public-key exchanges, such as Elliptic Curve Diffie-Hellman (ECDH), to derive a shared secret that ensures forward secrecy. Additionally, they validate each other's identities through X.509 certificates, establishing secure communication.</t>
      <t>The emergence of a Cryptographically Relevant Quantum Computer (CRQC) would render current public-key algorithms insecure and obsolete. This is because the mathematical assumptions underpinning these algorithms, which currently offer high levels of security, would no longer hold in the presence of a CRQC. Consequently, there is an urgent need to update protocols and infrastructure with post-quantum cryptographic (PQC) algorithms. These algorithms are designed to remain secure against both CRQCs and classical computers. The traditional cryptographic primitives requiring replacement are discussed in <xref target="I-D.ietf-pquip-pqc-engineers"/>, and the NIST PQC Standardization process has standardized algorithms such as ML-KEM, SLH-DSA, and ML-DSA for deployment in protocols.</t>
      <t>Historically, the industry has successfully transitioned between cryptographic protocols, such as upgrading TLS versions and deprecating older ones (e.g., SSLv2), and shifting from RSA to Elliptic Curve Cryptography (ECC), which improved security and reduced key sizes. However, the transition to PQC presents unique challenges, primarily due to the following:</t>
      <ol spacing="normal" type="1"><li>
          <t>Algorithm Maturity: While NIST has finalized a set of PQC algorithms, ensuring the correctness and security of implementations remains critical. Even the most secure algorithm is vulnerable if implementation flaws introduce security risks. Updates to protocol stacks and cryptographic libraries to support PQC algorithms introduces a substantial amount of new code.</t>
        </li>
        <li>
          <t>Key and Signature Sizes: Many PQC algorithms require significantly larger key and signature sizes, which can inflate handshake packet sizes and impact network performance. For example, ML-KEM public keys are substantially larger than ECDH keys (see Table 5 in <xref target="I-D.ietf-pquip-pqc-engineers"/>). Similarly, public keys for SLH-DSA and ML-DSA are much larger than those for P256 (see Table 6 in <xref target="I-D.ietf-pquip-pqc-engineers"/>). Signature sizes for algorithms like SLH-DSA and ML-DSA are also considerably larger compared to traditional options like Ed25519 or ECDSA-P256, posing challenges for constrained environments (e.g., IoT) and increasing handshake times in high-latency or lossy networks.</t>
        </li>
        <li>
          <t>Performance Trade-Offs: While some PQC algorithms exhibit slower operations compared to traditional algorithms, others provide specific advantages. For instance, ML-KEM requires less CPU than X25519, and ML-DSA offers faster signature verification times compared to Ed25519, although its signature generation process is slower.</t>
        </li>
      </ol>
      <t>Any application transmitting messages over untrusted networks is potentially vulnerable to active or passive attacks by adversaries, including those equipped with CRQCs. The degree of vulnerability varies depending on the application, the underlying systems, the value of the data being transmitted, and the attractiveness of attacking a particular individual, device, or flow. This document outlines quantum-ready usage profiles for applications designed to protect against passive and on-path attacks leveraging CRQCs. It also discusses how TLS client and server implementations, together with essential supporting protocols (e.g., DNS), can address these challenges using various techniques detailed in subsequent sections.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document adopts terminology defined in <xref target="RFC9794"/>. For the purposes of this document, it is useful to categorize cryptographic algorithms into three distinct classes:</t>
      <ul spacing="normal">
        <li>
          <t>Traditional Algorithm: An asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms. In the context of TLS, an example of a traditional key exchange algorithm is Elliptic Curve Diffie-Hellman (ECDH), which is almost exclusively used in its ephemeral mode, referred to as Elliptic Curve Diffie-Hellman Ephemeral (ECDHE).</t>
        </li>
        <li>
          <t>Post-Quantum Algorithm: An asymmetric cryptographic algorithm designed to be secure against attacks from both quantum and classical computers. An example of a post-quantum key exchange algorithm is the Module-Lattice Key Encapsulation Mechanism (ML-KEM). Such algorithms rely on mathematical problems (e.g., lattices) that are believed to be hard for both classical and CRQCs to solve efficiently.</t>
        </li>
        <li>
          <t>Hybrid Algorithm: We distinguish between key exchanges and signature algorithms:  </t>
          <ul spacing="normal">
            <li>
              <t>Hybrid Key Exchange: A key exchange mechanism that combines two component algorithms - one traditional algorithm and one post-quantum algorithm. The resulting shared secret remains secure as long as at least one of the component key exchange algorithms remains unbroken.</t>
            </li>
            <li>
              <t>PQ/T Hybrid Digital Signature: A multi-algorithm digital signature scheme composed of two or more component signature algorithms, where at least one is a post-quantum algorithm and at least one is a traditional algorithm.</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>Digital signature algorithms play a critical role in X.509 certificates, Certificate Transparency Signed Certificate Timestamps, Online Certificate Status Protocol (OCSP) statements, remote attestation evidence, and any other mechanism that contributes signatures during a TLS handshake or in context of a secure communication establishment.</t>
      <t>This document adopts terminology from <xref target="RFC9958"/>. As described there, terms such as "post-quantum," "quantum ready," "quantum resistant," and "quantum secure" are often used interchangeably to describe algorithms intended to resist attacks by CRQCs.</t>
    </section>
    <section anchor="timeline">
      <name>Timeline for Transition</name>
      <t>The timeline and driving motivations for transitioning to quantum-ready cryptography differ between data confidentiality and data authentication (e.g., signatures). The risk of "Harvest Now, Decrypt Later" (HNDL) attacks demands immediate action to protect data confidentiality (see Section 7 of <xref target="I-D.ietf-pquip-pqc-engineers"/>), while the threat to authentication systems, although less urgent, requires forward-thinking planning to mitigate future risks.</t>
      <t>Encrypted payloads transmitted using Transport Layer Security (TLS) are vulnerable to decryption if an attacker equipped with a CRQC gains access to the traditional asymmetric public keys used in the TLS key exchange along with the transmitted ciphertext. TLS implementations typically use Diffie-Hellman-based key exchange schemes. If an attacker obtains a complete set of encrypted payloads, including the TLS setup, they could theoretically use a CRQC to derive the private key and decrypt the data.</t>
      <t>The primary concern for data confidentiality is the "Harvest Now, Decrypt Later" scenario, where a malicious actor with sufficient resources stores encrypted data today to decrypt it in the future, once a CRQC becomes available. This means that even data encrypted today is at risk unless quantum-safe strategies are implemented. The window of vulnerability - the effective security lifetime of the encrypted data - can range from seconds to decades, depending on the sensitivity of the data and how long it remains valuable. This highlights the immediate need to adopt quantum-resistant cryptographic measures to ensure long-term confidentiality.</t>
      <t>For data authentication, the concern shifts to potential on-path attackers equipped with CRQCs capable of breaking certificate-based authentication mechanisms that rely on traditional algorithms. Such attackers could impersonate legitimate entities, tricking victims into connecting to the attacker's device instead of the intended target, resulting in impersonation attacks. While this is not as immediate a threat as "Harvest Now, Decrypt Later" attacks, it remains a significant risk that must be addressed proactively.</t>
      <t>In client/server certificate-based authentication, the security window between the generation of the signature in the CertificateVerify message and its verification by the peer during the TLS handshake is typically short. However, the security lifetime of digital signatures on X.509 certificates, including those issued by root Certification Authorities (CAs), warrants closer scrutiny. Root CA certificates can have validity periods of 20 years or more, while root Certificate Revocation Lists (CRLs) often remain valid for a year or longer. Delegated credentials, such as CRL Signing Certificates or OCSP response signing certificates, generally have shorter lifetimes but still present a potential vulnerability window.</t>
      <t>While data confidentiality faces the immediate and pressing threat of "Harvest Now, Decrypt Later" attacks, requiring urgent quantum-safe adoption, data authentication poses a longer-term risk that still necessitates careful planning. Both scenarios underscore the importance of transitioning to quantum-resistant cryptographic systems to safeguard data and authentication mechanisms in a post-quantum era.</t>
    </section>
    <section anchor="confident">
      <name>Data Confidentiality</name>
      <t>As explained in the previous section, data that is only temporarily in transit may nevertheless require protection for many years. However, uncertainties regarding the security of PQC algorithm implementations, evolving regulatory requirements, and the ongoing development of cryptanalysis justify a transitional approach where well-established traditional algorithms are used alongside new PQC primitives.</t>
      <t>Applications utilizing (D)TLS that are vulnerable to "Harvest Now, Decrypt Later" attacks <bcp14>MUST</bcp14> transition to (D)TLS 1.3 and adopt one of the following strategies:</t>
      <ul spacing="normal">
        <li>
          <t>Hybrid Key Exchange: Hybrid key exchange combines traditional and PQC key exchange algorithms, offering resilience even if one algorithm is compromised. As defined in <xref target="I-D.ietf-tls-hybrid-design"/>, this approach ensures robust security during the migration to PQC. For TLS 1.3, hybrid post-quantum key exchange groups are introduced in <xref target="I-D.ietf-tls-ecdhe-mlkem"/>:  </t>
          <ol spacing="normal" type="1"><li>
              <t>X25519MLKEM768: Combines the classical X25519 key exchange with the ML-KEM-768 post-quantum Key Encapsulation Mechanism.</t>
            </li>
            <li>
              <t>SecP256r1MLKEM768: Combines the classical SecP256r1 key exchange with the ML-KEM-768 post-quantum Key Encapsulation Mechanism.</t>
            </li>
            <li>
              <t>SecP384r1MLKEM1024: Combines the classical SecP384r1 key exchange with the ML-KEM-1024 post-quantum Key Encapsulation Mechanism.</t>
            </li>
          </ol>
        </li>
        <li>
          <t>Pure Post-Quantum Key Exchange: For deployments that require exclusively post-quantum key exchange, <xref target="I-D.ietf-tls-mlkem"/> defines the following standalone NamedGroups for post-quantum key agreement in TLS 1.3: ML-KEM-512, ML-KEM-768, and ML-KEM-1024.</t>
        </li>
      </ul>
      <t>Hybrid Key Exchange is generally preferred over pure PQC key exchange because it provides defense-in-depth by combining the strengths of both classical and PQC algorithms. This ensures continued security, even if one algorithm is compromised during the transitional period.</t>
      <t>However, Pure PQC Key Exchange may be required for specific deployments with regulatory or compliance mandates that necessitate the exclusive use of post-quantum cryptography. Examples include sectors governed by stringent cryptographic standards.</t>
      <t>In practice, applications that rely on TLS typically depend on the underlying TLS library. Upgrading to a library version that supports TLS 1.3 and PQC key exchange extensions is a necessary first step, but it may not be sufficient, as it is not known whether PQC groups are enabled by default across different implementations. Applications that configure protocol versions or cipher suites explicitly <bcp14>MUST</bcp14> update these settings to ensure that hybrid or pure PQC key exchange groups are enabled. Applications that rely on library defaults <bcp14>SHOULD</bcp14> review the library documentation or perform interoperability testing to confirm that PQC groups are negotiated as intended. Operators should also consider potential interoperability issues with legacy peers that do not yet support TLS 1.3 and PQC key exchange extensions.</t>
      <section anchor="optimizing-clienthello-for-hybrid-key-exchange-in-tls-handshake">
        <name>Optimizing ClientHello for Hybrid Key Exchange in TLS Handshake</name>
        <t>The client initiates the TLS handshake by sending supported key agreement methods in the "supported_groups" extension and one or more corresponding key shares in the "key_share" extension. One of the important challenges during the migration to PQC is that the client may not know whether the server supports hybrid key exchange. To address this uncertainty, the client can adopt one of the following three strategies:</t>
        <ol spacing="normal" type="1"><li>
            <t>Send Both Traditional and Hybrid Key Exchange Algorithms: In the initial ClientHello message, the client can include both traditional and hybrid key exchange algorithm key shares. This eliminates the need for multiple round trips but comes with its own trade-offs.  </t>
            <ul spacing="normal">
              <li>
                <t>Advantage: Reduces latency since the server can immediately select an appropriate key exchange method.</t>
              </li>
              <li>
                <t>Challenges:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>The size of the hybrid key exchange algorithm key share may exceed the Maximum Transmission Unit (MTU), potentially causing the ClientHello message to be fragmented across multiple packets. In TLS, this results in multiple TCP segments. In DTLS, handshake messages are explicitly fragmented at the record layer as specified in <xref target="RFC9147"/>, with each fragment sent in its own UDP datagram. In both cases, larger ClientHello messages increase latency and the risk of handshake delay, especially in lossy networks.</t>
                  </li>
                  <li>
                    <t>Middleboxes that do not handle fragmented ClientHello messages properly may drop them, as this behavior is uncommon. More generally, middleboxes may also mishandle fragmented IP/UDP packets, which makes this issue particularly significant for DTLS deployments.</t>
                  </li>
                  <li>
                    <t>The server's ServerHello and associated traditional public key and PQC ciphertext may also exceed the MTU, leading to fragmentation in both TLS and DTLS, further compounding the risk of delays due to packet loss and retransmissions.</t>
                  </li>
                  <li>
                    <t>Additionally, this approach requires more computational resources on the client and increases handshake traffic.</t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
          <li>
            <t>Indicate Support for Hybrid Key Exchange: Alternatively, the client may initially indicate support for hybrid key exchange and send a traditional key exchange algorithm key share in the first ClientHello message. If the server supports hybrid key exchange, it will use the HelloRetryRequest to request a hybrid key exchange algorithm key share from the client. The client can then send the hybrid key exchange algorithm key share in the second ClientHello message. However, this approach has a disadvantage in that the roundtrip would introduce additional delay compared to the previous technique of sending both traditional and hybrid key exchange algorithm key shares to the server in the initial ClientHello message.</t>
          </li>
          <li>
            <t>Use Server Key Share Preferences Communicated via DNS: <xref target="I-D.ietf-tls-key-share-prediction"/> defines a mechanism where servers communicate their key share preferences through DNS responses. TLS clients can use this information to tailor their initial ClientHello message, reducing the need for additional round trips. By leveraging these DNS-based hints, the client can optimize the handshake process and avoid unnecessary delays.</t>
          </li>
        </ol>
        <t>Clients <bcp14>MAY</bcp14> also use information from completed handshakes to cache the server's key exchange algorithm preferences, as described in Section 4.2.7 of <xref target="RFC8446"/>. To minimize the risk of the ClientHello message being split across multiple packets, clients should avoid duplicating PQC KEM public key shares. Strategies for preventing duplication are outlined in Section 4 of <xref target="I-D.ietf-tls-hybrid-design"/>. By carefully managing key shares, the client can reduce the size of the ClientHello message and improve compatibility with network infrastructure.</t>
      </section>
    </section>
    <section anchor="use-of-external-psk-with-traditional-key-exchange-for-data-confidentiality">
      <name>Use of External PSK with Traditional Key Exchange for Data Confidentiality</name>
      <t>TLS 1.3 <xref target="RFC8446"/> provides an alternative approach for ensuring data confidentiality by combining an external pre-shared key (PSK)
with a traditional key exchange mechanism, such as ECDHE, using the "psk_dhe_ke" PSK key exchange mode. Guidance for external PSK usage in TLS is provided in <xref target="RFC9257"/>. The external PSK is incorporated into the TLS 1.3 key schedule,
where it is mixed with the (EC)DHE-derived secret to strengthen confidentiality.</t>
      <t>While using an external PSK in combination with (EC)DHE can enhance confidentiality, it has the following limitations:</t>
      <ul spacing="normal">
        <li>
          <t>Key Management Complexity: External PSKs require a key distribution system that ensures confidentiality of the exchanged secrets.</t>
        </li>
        <li>
          <t>Limited Forward Secrecy: If an external PSK is static and reused across sessions, its compromise can retroactively expose
past communications if the traditional key exchange is broken by a CRQC.</t>
        </li>
        <li>
          <t>Scalability Challenges: Distributing unique PSKs for many clients may be challenging. While there are successfully large-scale deployments of PSK-based authentication systems, their management requires good operational security practices.</t>
        </li>
        <li>
          <t>Impersonation Risk: Because PSKs are symmetric, any party in possession of the PSK can authenticate as either the client or the server. This differs from certificate-based authentication, where compromise of a private key only enables impersonation of the corresponding entity. Whether this is a problem depends on the specific deployment.</t>
        </li>
        <li>
          <t>Quantum Resistance Dependence: While PSKs can provide additional secrecy against quantum threats, they must be
generated using a cryptographically secure random number generator. If a weak PSK is used, it may not offer sufficient security against
brute-force attacks.</t>
        </li>
      </ul>
      <t>Despite these limitations, external PSKs can serve as a complementary mechanism in PQC transition strategies, providing additional
confidentiality protection when combined with traditional key exchange.</t>
    </section>
    <section anchor="authentication">
      <name>Authentication</name>
      <t>Although CRQCs could potentially decrypt past TLS sessions, client/server authentication based on certificates cannot be retroactively compromised. However, the multi-year process required to establish, certify, and embed new root CAs presents a significant challenge. If CRQCs emerge earlier than anticipated, responding promptly to secure authentication systems would be difficult. While the migration to PQ X.509 certificates allows for more time compared to key exchanges, delaying these preparations should be avoided.</t>
      <section anchor="quantum-ready-authentication">
        <name>Quantum Ready Authentication</name>
        <t>The quantum-ready authentication property becomes critical in scenarios where an on-path attacker uses network devices equipped with CRQCs to break traditional authentication protocols. For example, if an attacker determines the private key of a server certificate before its expiration, they could impersonate the server, causing users to believe their connections are legitimate. This impersonation leads to serious security threats, including unauthorized data disclosure, interception of communications, and overall system compromise.</t>
        <t>The quantum-ready authentication property ensures robust authentication through the use of either a pure post-quantum certificate or a PQ/T hybrid certificate:</t>
      </section>
      <section anchor="post-quantum-x509-certificates">
        <name>Post-Quantum X.509 Certificates</name>
        <t>Post-quantum certificates contain only a PQC public key and are signed using a post-quantum algorithm. They are suitable for deployments capable of fully embracing post-quantum cryptography.</t>
        <ul spacing="normal">
          <li>
            <t>ML-DSA Certificates: Defined in <xref target="I-D.ietf-lamps-dilithium-certificates"/>, these use the Module-Lattice Digital Signature Algorithm (ML-DSA). <xref target="I-D.ietf-tls-mldsa"/> explains how ML-DSA is applied for authentication in TLS 1.3.</t>
          </li>
          <li>
            <t>SLH-DSA Certificates: Defined in <xref target="I-D.ietf-lamps-x509-slhdsa"/>, these use the SLH-DSA algorithm. SLH-DSA is supported for use with TLS through registered SignatureScheme values in the IANA TLS Parameters registry. SLH-DSA produces significantly larger signatures than ML-DSA, which increases TLS handshake sizes, but it offers strong security properties and flexibility across multiple parameter variants. Its performance impact is typically negligible for long-lived TLS connections and large data transfers, particularly in low-loss network environments. An advantage of SLH-DSA is that it is used as a pure post-quantum signature algorithm and does not require a PQ/T hybrid composite.</t>
          </li>
        </ul>
      </section>
      <section anchor="hybrid-composite-x509-certificates">
        <name>Hybrid (Composite) X.509 Certificates</name>
        <t>A composite certificate contains both a traditional public key algorithm (e.g., ECDSA) and a post-quantum algorithm (e.g., ML-DSA) within a single X.509 certificate. This design enables both algorithms to be used in parallel: the traditional component preserves a traditional security assumption during the transition and supports compatibility with existing infrastructure, while the post-quantum component introduces resistance against future quantum attacks.</t>
        <t>Composite certificates are defined in <xref target="I-D.ietf-lamps-pq-composite-sigs"/>. These combine post-quantum algorithms like ML-DSA with traditional algorithms such as RSA-PKCS#1v1.5, RSA-PSS, ECDSA, Ed25519, or Ed448, to provide additional protection against vulnerabilities or implementation bugs in a single algorithm. <xref target="I-D.reddy-tls-composite-mldsa"/> specifies how composite signatures, including ML-DSA, are used for TLS 1.3 authentication.</t>
      </section>
      <section anchor="using-certificates-with-an-external-pre-shared-key">
        <name>Using Certificates with an External Pre-Shared Key</name>
        <t><xref target="I-D.ietf-tls-8773bis"/> allows certificate-based authentication to be combined with a strong external PSK. The external PSK contributes to the TLS key schedule, providing confidentiality protection against HNDL attacks by a CRQC, provided that the PSK is generated and distributed securely. As described in <xref target="RFC8446"/>, PSK-based authentication occurs as a side effect of the key exchange through proof of possession of the PSK. Consequently, even if a CRQC were able to recover the private key used for certificate-based authentication, it could not successfully complete the handshake without also possessing the external PSK. However, the external PSK does not make the certificate infrastructure itself quantum-resistant, since the certificates and their signatures continue to rely on traditional public-key algorithms.</t>
      </section>
      <section anchor="trust-anchors-for-pqc-certificate-validation">
        <name>Trust Anchors for PQC Certificate Validation</name>
        <t>Deploying a PQC or PQ/T hybrid end-entity certificate is not sufficient by itself to provide quantum-ready authentication. The certificate path has to validate to a trust anchor that is appropriate for the intended security property. In TLS, the trust anchor is local client configuration, typically provisioned through an operating system, browser, application, device-management system, or private PKI trust store. It is not established by the server during the TLS handshake.</t>
        <t>For a certification path to provide post-quantum authentication, each validation-critical signature from the end-entity certificate up to the configured trust anchor needs to be protected by a PQC or PQ/T hybrid signature scheme. A PQC end-entity certificate issued under a purely traditional CA hierarchy does not by itself provide post-quantum authentication, because an attacker equipped with a CRQC could potentially forge signatures made with traditional CA keys.</t>
        <t>During migration, deployments may use separate PQC trust anchors, composite trust anchors, or parallel traditional and PQC certification paths. Clients need local policy to determine which trust anchors are acceptable for a given application and whether a traditional-only path is still permitted as fallback. Such fallback policies should be explicit, because accepting a traditional-only certification path can silently downgrade the authentication security property.</t>
        <t>Trust-anchor provisioning and update mechanisms are therefore a central part of PQC authentication migration. Long-lived or difficult-to-update systems, such as embedded devices and industrial deployments, may need PQC or hybrid trust anchors provisioned early, potentially at manufacture, because later field updates may be infeasible. The trust anchor must be in place before the PQC end-entity certificates that chain to it come into use.</t>
      </section>
      <section anchor="negotiation-of-authentication-schemes">
        <name>Negotiation of Authentication Schemes</name>
        <t>During the transition, clients and servers may be configured to support multiple authentication schemes (e.g., traditional, composite, and PQC-only). Clients indicate supported signature schemes in the "signature_algorithms" extension <xref target="RFC8446"/>, listed in decreasing order of preference.</t>
        <t>For migration, clients <bcp14>SHOULD</bcp14> give higher precedence to composite and PQC-only schemes over traditional ones. Within that set, clients may prefer PQC-only to satisfy regulatory or compliance requirements, or prefer
composite if they want defense-in-depth security.</t>
      </section>
      <section anchor="transition-considerations">
        <name>Transition Considerations</name>
        <t>Determining whether and when to adopt PQC certificates or PQ/T hybrid schemes depends on several factors, including:</t>
        <ul spacing="normal">
          <li>
            <t>Frequency and duration of system upgrades</t>
          </li>
          <li>
            <t>The expected timeline for CRQC availability</t>
          </li>
          <li>
            <t>Operational flexibility to enable or disable algorithms</t>
          </li>
        </ul>
        <t>Deployments with limited flexibility benefit significantly from hybrid signatures, which combine traditional algorithms with PQC algorithms. This approach mitigates the risks associated with delays in transitioning to PQC and provides an immediate safeguard against zero-day vulnerabilities.</t>
        <t>Composite certificates enhance resilience during the adoption of PQC by:</t>
        <ul spacing="normal">
          <li>
            <t>Providing defense-in-depth: they maintain security as long as at least one component algorithm remains secure.</t>
          </li>
          <li>
            <t>Reducing exposure to unforeseen vulnerabilities: including potential weaknesses in PQC algorithms or their implementations.</t>
          </li>
        </ul>
        <t>However, composite certificates come with long-term implications. Once the traditional algorithm is no longer considered secure due to the availability of CRQCs, it will have to be eventually deprecated. To complete the transition to a fully quantum-resistant authentication model, it will be necessary to provision a new root CA certificate, that uses only a PQC public key and PQC signature algorithm. This new root CA would issue a hierarchy of intermediate certificates, each also signed using PQC algorithms, and ultimately issue end-entity certificates that contain only PQC public keys and are signed with PQC algorithms. This ensures that the entire certification path from the root of trust to the end entity is cryptographically resistant to quantum attacks and does not depend on any traditional algorithms.</t>
        <t>Alternatively, a deployment may choose to continue using the same hybrid certificate even after the traditional algorithm has been broken by the advent of a CRQC. While this may simplify operations by avoiding immediate re-provisioning of trust anchors, it affects certain security properties of the composite signature.</t>
        <t>As discussed in the security considerations of <xref target="I-D.reddy-tls-composite-mldsa"/>, TLS treats composite ML-DSA as an opaque signature algorithm, and the detailed cryptographic properties of the construction are defined in the composite signature specification. If one component becomes forgeable, the composite construction no longer achieves Strong Unforgeability under Chosen-Message Attack (SUF-CMA). However, SUF-CMA is not required for TLS authentication.</t>
        <t>For TLS, the relevant requirement is Existential Unforgeability under Chosen-Message Attack (EUF-CMA): an attacker must not be able to produce a valid signature over a TLS handshake transcript. In the composite construction, verification succeeds only if all component signatures verify. Therefore, even if a CRQC can forge the traditional component, an attacker must still forge the PQC component to produce a valid composite signature over a new transcript. As long as the PQC component remains EUF-CMA secure, impersonation in TLS remains infeasible.</t>
        <t>As a result, the continued use of composite certificates after the traditional algorithm is broken can provide operational flexibility. Even when the arrival of CRQCs is considered imminent and the timeline is known with high confidence, this situation does not necessarily require an emergency migration. Instead, it allows organizations a limited but sufficient transition window to execute a phased and carefully planned migration to certificates that rely exclusively on PQC.</t>
      </section>
      <section anchor="deployment-realities">
        <name>Deployment Realities</name>
        <t>Centralized networks, which are characterized by strong administrative control, internal CAs, and close relationships with vendors, are generally well-positioned to manage the overhead of larger PQC keys and signatures. Such networks can adopt PQC signature algorithms earlier due to their ability to coordinate and deploy changes effectively. For example, telecom networks fit this model and may be able to transition more quickly than more distributed environments.</t>
        <t>Conversely, the Web PKI ecosystem may delay adoption until more efficient and compact PQC signature algorithms, such as MAYO, UOV, HAWK, or SQISign, become available. This is due to the broader, more decentralized nature of the Web PKI ecosystem, which makes coordination and implementation more challenging.</t>
      </section>
      <section anchor="optimizing-pqc-certificate-exchange-in-tls">
        <name>Optimizing PQC Certificate Exchange in TLS</name>
        <t>To address the challenge of large PQ or PQ/T hybrid certificate chains during the TLS handshake, the following mechanisms can help optimize the size of the exchanged certificate data:</t>
        <ul spacing="normal">
          <li>
            <t>TLS Cached Information Extension (<xref target="RFC7924"/>): This extension enables clients to indicate that they have cached certificate information from a prior connection. The server can then signal the client to reuse the cached data instead of retransmitting the full certificate chain. While this mechanism reduces bandwidth usage, it introduces potential privacy concerns: the client includes fingerprints of cached objects in the ClientHello, which are visible to eavesdroppers. These values can be used to correlate independent TLS sessions from the same client, potentially compromising anonymity. While this is not a concern for many industrial IoT scenarios, it may be unacceptable for smart home deployments.</t>
          </li>
          <li>
            <t>TLS Certificate Compression (<xref target="RFC8879"/>): This specification defines compression schemes to reduce the size of the server's certificate chain. While effective in many scenarios, its impact on PQ or PQ/T hybrid certificates is limited due to the larger sizes of public keys and signatures in PQC. These high-entropy fields, inherent to PQC algorithms, constrain the overall compression effectiveness.</t>
          </li>
          <li>
            <t>Abridged TLS Certificate (<xref target="I-D.ietf-tls-cert-abridge"/>): This approach minimizes the size of the certificate chain by omitting intermediate certificates that are already known to the client. Instead, the server provides a compact representation of the certificate chain, and the client reconstructs the omitted certificates using a well-known common CA database. This mechanism significantly reduces bandwidth requirements while preserving compatibility with existing certificate validation processes. Additionally, it explores potential methods to compress the end-entity certificate itself, though this aspect remains under discussion within the TLS Working Group.</t>
          </li>
          <li>
            <t>Trust Anchor Identifiers (<xref target="I-D.ietf-tls-trust-anchor-ids"/>): This extension allows a client to signal a compact list of locally configured trust anchors using unique trust anchor identifiers rather than Distinguished Names. This reduces the size of the "certificate_authorities" extension and helps the server select an appropriate certificate chain, especially when multiple hierarchies are used (e.g., separate traditional, composite, and PQC roots). Trust Anchor Identifiers are an optimization and chain-selection mechanism; they do not establish trust anchors, change the client's trust-store policy, or by themselves make a certification path quantum-ready. The client still has to validate the path presented by the server against its locally configured trust anchors and local policy.</t>
          </li>
        </ul>
        <t>These techniques aim to optimize the exchange of certificate chains during the TLS handshake, particularly in scenarios involving large PQC-related certificates, while balancing efficiency and compatibility.</t>
      </section>
    </section>
    <section anchor="informing-users-of-pqc-security-compatibility-issues">
      <name>Informing Users of PQC Security Compatibility Issues</name>
      <t>When the server detects that the client does not support PQC or hybrid key exchange, it may send an "insufficient_security" fatal alert to the client. The client, in turn, can notify service providers via device management systems or generate logs indicating that the server they are attempting to access requires a level of security that the client cannot provide due to the lack of PQC support. Additionally, the client may log this event for diagnostic purposes, security auditing, or reporting the issue to the application developers for further analysis.</t>
      <t>Conversely, if the client detects that the server does not support PQC or hybrid key exchange, it may present an alert or error message to the end-user or record the event in diagnostic logs. This message or record should explain that the server is incompatible with the PQC security features supported by the client.</t>
      <t>It is important to design such alerts thoughtfully to ensure they are clear and actionable, avoiding unnecessary warnings that could overwhelm or confuse users. In some environments, such as EAP deployments, supplicants may provide little or no diagnostic feedback to end-users beyond a generic failure message. In such cases, implementers would have to ensure sufficient diagnostic logging or telemetry is available for administrators to diagnose PQC-related interoperability problems. Notifications to end-users may also not be applicable or necessary in all scenarios, particularly in the context of machine-to-machine communication.</t>
    </section>
    <section anchor="pqc-transition-for-critical-application-protocols">
      <name>PQC Transition for Critical Application Protocols</name>
      <t>This document primarily focuses on the transition to PQC in applications that utilize TLS, while also covering other essential protocols, such as DNS, that play a critical role in supporting application functionality.</t>
      <section anchor="encrypted-dns">
        <name>Encrypted DNS</name>
        <t>The privacy risks associated with exchanging DNS messages in clear text are detailed in <xref target="RFC9076"/>. To mitigate these risks, Transport Layer Security (TLS) is employed to provide privacy for DNS communications. Encrypted DNS protocols, such as DNS-over-HTTPS (DoH) <xref target="RFC8484"/>, DNS-over-TLS (DoT) <xref target="RFC7858"/>, and DNS-over-QUIC (DoQ) <xref target="RFC9250"/>, safeguard messages against eavesdropping and on-path tampering during transit.</t>
        <t>However, encrypted DNS messages transmitted using TLS may be vulnerable to HNDL attacks if an attacker gains access to the public keys used in the TLS key exchange. If an attacker records a complete set of encrypted DNS messages, including the TLS handshake details, they could store this data today and later use a CRQC to determine the ephemeral private key used in the key exchange, thereby decrypting the content.</t>
        <t>To address these vulnerabilities, encrypted DNS protocols <bcp14>MUST</bcp14> support the quantum-ready usage profile discussed in <xref target="confident"/>.</t>
        <t>It is important to note that the post-quantum security of DNSSEC <xref target="RFC9364"/>, which provides authenticity for DNS records, is a distinct issue separate from the requirements for encrypted DNS transport protocols.</t>
      </section>
      <section anchor="hybrid-public-key-encryption-hpke-and-encrypted-client-hello">
        <name>Hybrid public-key encryption (HPKE) and Encrypted Client Hello</name>
        <t>Hybrid Public-Key Encryption (HPKE) is a cryptographic scheme designed to enable public key encryption of arbitrary-sized plaintexts using a recipient's public key. HPKE employs a non-interactive ephemeral-static Diffie-Hellman key exchange to derive a shared secret. The rationale for standardizing a public key encryption scheme is detailed in the introduction of <xref target="RFC9180"/>.</t>
        <t>HPKE can be extended to support both pure PQC KEMs and PQ/T hybrid KEMs, as described in <xref target="I-D.ietf-hpke-pq"/>. These extensions ensure compatibility with PQC, while allowing deployments to choose between pure PQC KEM or PQ/T KEM.</t>
        <t>Client TLS libraries and applications can utilize Encrypted Client Hello (ECH) <xref target="RFC9849"/> to prevent passive observation of the intended server identity during the TLS handshake. However, this requires the concurrent deployment of Encrypted DNS protocols (e.g., DNS-over-TLS), as passive listeners could otherwise observe DNS queries or responses and deduce the same server identity that ECH is designed to protect. ECH employs HPKE for public key encryption.</t>
        <t>To safeguard against HNDL attacks, ECH deployments <bcp14>MUST</bcp14> incorporate support for either pure PQC KEM or PQ/T hybrid KEM. PQ/T hybrid KEM is generally preferred, as it provides defense-in-depth by combining the strengths of both classical and PQC algorithms, ensuring continued security even if one is later found to be weak. Pure PQ KEMs may be required for deployments subject to regulatory or compliance mandates that necessitate the exclusive use of PQC. In hybrid mode, the public_key field in the HpkeKeyConfig structure accommodates a concatenation of classical and PQC KEM public keys, whereas in pure PQ mode only the PQC KEM public key is included.</t>
      </section>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>The adoption of PQC in TLS-based applications will not be a simple binary decision but rather a gradual transition that demands a careful evaluation of
trade-offs and deployment considerations. Application providers will need to assess algorithm selection, performance impact,
interoperability, and security requirements tailored to their specific use cases. While the IETF defines cryptographic mechanisms for TLS and
provides guidance on PQC transition strategies, it does not prescribe a one-size-fits-all approach. Instead, this document outlines key
considerations to assist stakeholders in adopting PQC in a way that aligns with their operational and security requirements.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations outlined in <xref target="I-D.ietf-pquip-pqc-engineers"/> must be carefully evaluated and taken into account.</t>
      <t>Post-quantum algorithms selected for standardization are relatively new, and their implementations are still in the early stages of
maturity. This makes them more susceptible to implementation bugs compared to the well-established and extensively tested cryptographic
algorithms currently in use. Furthermore, certain deployments may need to continue using traditional algorithms to meet regulatory
requirements, such as Federal Information Processing Standards (FIPS), NIST Special Publications such as <xref target="SP-800-56C"/>, or Payment Card Industry (PCI) compliance.</t>
      <t>Hybrid key exchange provides a practical and flexible solution, offering protection against "Harvest Now, Decrypt Later" attacks while
ensuring resilience to potential catastrophic vulnerabilities in any single algorithm. This approach allows for a gradual
transition to PQC, preserving the benefits of traditional cryptosystems without requiring their immediate replacement.</t>
      <section anchor="mitm-attacks-with-crqc">
        <name>MITM Attacks with CRQC</name>
        <t>A MITM attack is possible if an adversary possesses a CRQC capable of breaking traditional public-key signatures. The attacker can generate
a forged certificate and create a valid signature, enabling them to impersonate a TLS peer, whether a server or a client. This completely undermines the authentication
guarantees of TLS when relying on traditional certificates.</t>
        <t>To mitigate such attacks, several steps need to be taken:</t>
        <ol spacing="normal" type="1"><li>
            <t>Revocation and Transition: Both clients and servers that use traditional certificates will have to revoke them and migrate to PQC authentication.</t>
          </li>
          <li>
            <t>Client-Side Verification:  Clients should avoid establishing TLS sessions with servers that do not support PQC authentication.</t>
          </li>
          <li>
            <t>PKI Migration: Organizations should transition their PKI to post-quantum-safe certification authorities and discontinue issuing certificates based on traditional cryptographic methods.</t>
          </li>
        </ol>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Dan Wing for suggesting a broader scope for the document, and to Mike Ounsworth, Scott Fluhrer, Russ Housley, Loganaden Velvindron, Bas Westerbaan, Richard Sohn, Andrei Popov, Alan DeKok, and Thom Wiggers for their helpful feedback and reviews.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="I-D.ietf-tls-hybrid-design">
          <front>
            <title>Hybrid key exchange in TLS 1.3</title>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Shay Gueron" initials="S." surname="Gueron">
              <organization>University of Haifa and Meta</organization>
            </author>
            <date day="7" month="September" year="2025"/>
            <abstract>
              <t>   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if a way is found to defeat the encryption for all but
   one of the component algorithms.  It is motivated by transition to
   post-quantum cryptography.  This document provides a construction for
   hybrid key exchange in the Transport Layer Security (TLS) protocol
   version 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-hybrid-design-16"/>
        </reference>
        <reference anchor="I-D.ietf-tls-ecdhe-mlkem">
          <front>
            <title>Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3</title>
            <author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkowski">
              <organization>PQShield</organization>
            </author>
            <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
              <organization>AWS</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <date day="26" month="May" year="2026"/>
            <abstract>
              <t>   This draft defines three hybrid key agreement mechanisms for TLS 1.3
   - X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that
   combine the post-quantum ML-KEM (Module-Lattice-Based Key
   Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie-
   Hellman) exchange.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-ecdhe-mlkem-05"/>
        </reference>
        <reference anchor="I-D.ietf-tls-mlkem">
          <front>
            <title>ML-KEM Post-Quantum Key Agreement for TLS 1.3</title>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <date day="24" month="June" year="2026"/>
            <abstract>
              <t>   This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as
   NamedGroups and and registers IANA values in the TLS Supported Groups
   registry for use in TLS 1.3 to achieve post-quantum (PQ) key
   establishment.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-mlkem-08"/>
        </reference>
        <reference anchor="I-D.ietf-tls-key-share-prediction">
          <front>
            <title>TLS Key Share Prediction</title>
            <author fullname="David Benjamin" initials="D." surname="Benjamin">
              <organization>Google LLC</organization>
            </author>
            <date day="19" month="March" year="2026"/>
            <abstract>
              <t>   This document defines a mechanism for servers to communicate
   supported key share algorithms in DNS.  Clients may use this
   information to reduce TLS handshake round-trips.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-key-share-prediction-04"/>
        </reference>
        <reference anchor="RFC9257">
          <front>
            <title>Guidance for External Pre-Shared Key (PSK) Usage in TLS</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="J. Hoyland" initials="J." surname="Hoyland"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document provides usage guidance for external Pre-Shared Keys (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. It lists TLS security properties provided by PSKs under certain assumptions, then it demonstrates how violations of these assumptions lead to attacks. Advice for applications to help meet these assumptions is provided. This document also discusses PSK use cases and provisioning processes. Finally, it lists the privacy and security properties that are not provided by TLS 1.3 when external PSKs are used.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9257"/>
          <seriesInfo name="DOI" value="10.17487/RFC9257"/>
        </reference>
        <reference anchor="I-D.ietf-lamps-dilithium-certificates">
          <front>
            <title>Internet X.509 Public Key Infrastructure - Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
            <author fullname="Jake Massimo" initials="J." surname="Massimo">
              <organization>AWS</organization>
            </author>
            <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
              <organization>AWS</organization>
            </author>
            <author fullname="Sean Turner" initials="S." surname="Turner">
              <organization>sn3rd</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <date day="30" month="September" year="2025"/>
            <abstract>
              <t>   Digital signatures are used within X.509 certificates, Certificate
   Revocation Lists (CRLs), and to sign messages.  This document
   specifies the conventions for using FIPS 204, the Module-Lattice-
   Based Digital Signature Algorithm (ML-DSA) in Internet X.509
   certificates and certificate revocation lists.  The conventions for
   the associated signatures, subject public keys, and private key are
   also described.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-certificates-13"/>
        </reference>
        <reference anchor="I-D.ietf-tls-mldsa">
          <front>
            <title>Use of ML-DSA in TLS 1.3</title>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="Sophie Schmieg" initials="S." surname="Schmieg">
              <organization>Google</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <date day="18" month="June" year="2026"/>
            <abstract>
              <t>   This memo specifies how the post-quantum signature scheme ML-DSA
   (FIPS 204) is used for authentication in TLS 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-mldsa-04"/>
        </reference>
        <reference anchor="I-D.ietf-lamps-x509-slhdsa">
          <front>
            <title>Internet X.509 Public Key Infrastructure: Algorithm Identifiers for SLH-DSA</title>
            <author fullname="Kaveh Bashiri" initials="K." surname="Bashiri">
              <organization>BSI</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Stefan-Lukas Gazdag" initials="S." surname="Gazdag">
              <organization>genua GmbH</organization>
            </author>
            <author fullname="Daniel Van Geest" initials="D." surname="Van Geest">
              <organization>CryptoNext Security</organization>
            </author>
            <author fullname="Stavros Kousidis" initials="S." surname="Kousidis">
              <organization>BSI</organization>
            </author>
            <date day="30" month="June" year="2025"/>
            <abstract>
              <t>   Digital signatures are used within X.509 Public Key Infrastructure
   such as X.509 certificates, Certificate Revocation Lists (CRLs), and
   to sign messages.  This document specifies the conventions for using
   the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) in
   X.509 Public Key Infrastructure.  The conventions for the associated
   signatures, subject public keys, and private keys are also specified.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-x509-slhdsa-09"/>
        </reference>
        <reference anchor="I-D.ietf-lamps-pq-composite-sigs">
          <front>
            <title>Composite Module-Lattice-Based Digital Signature Algorithm (ML-DSA) for use in X.509 Public Key Infrastructure</title>
            <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
              <organization>Entrust Limited</organization>
            </author>
            <author fullname="John Gray" initials="J." surname="Gray">
              <organization>Entrust Limited</organization>
            </author>
            <author fullname="Massimiliano Pala" initials="M." surname="Pala">
              <organization>OpenCA Labs</organization>
            </author>
            <author fullname="Jan Klaußner" initials="J." surname="Klaußner">
              <organization>Bundesdruckerei GmbH</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <date day="21" month="April" year="2026"/>
            <abstract>
              <t>   This document defines combinations of US NIST Module-Lattice-Based
   Digital Signature Algorithm (ML-DSA) in hybrid with traditional
   algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA, Ed25519, and Ed448.
   These combinations are tailored to meet regulatory guidelines in
   certain regions.  Composite ML-DSA is applicable in applications that
   use X.509 or PKIX data structures that accept ML-DSA, but where the
   operator wants extra protection against breaks or catastrophic bugs
   in ML-DSA, and where existential unforgeability (EUF-CMA) level
   security is acceptable.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite-sigs-19"/>
        </reference>
        <reference anchor="I-D.reddy-tls-composite-mldsa">
          <front>
            <title>Use of Composite ML-DSA in TLS 1.3</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="John Gray" initials="J." surname="Gray">
              <organization>Entrust Limited</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Daniel Van Geest" initials="D." surname="Van Geest">
              <organization>CryptoNext Security</organization>
            </author>
            <date day="13" month="May" year="2026"/>
            <abstract>
              <t>   Compositing the post-quantum ML-DSA signature with traditional
   signature algorithms provides protection against potential breaks or
   critical bugs in ML-DSA or the ML-DSA implementation.  This document
   specifies how such a composite signature can be formed using ML-DSA
   with RSA-PKCS#1 v1.5, RSA-PSS, ECDSA, Ed25519, and Ed448 to provide
   authentication in TLS 1.3, including use in certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-reddy-tls-composite-mldsa-10"/>
        </reference>
        <reference anchor="I-D.ietf-tls-8773bis">
          <front>
            <title>TLS 1.3 Extension for Using Certificates with an External Pre-Shared Key</title>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <date day="5" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies a TLS 1.3 extension that allows TLS clients
   and servers to authenticate with certificates and provide
   confidentiality based on encryption with a symmetric key from the
   usual key agreement algorithm and an external pre-shared key (PSK).
   This Standards Track RFC (once approved) obsoletes RFC 8773, which
   was an Experimental RFC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-8773bis-13"/>
        </reference>
        <reference anchor="RFC7924">
          <front>
            <title>Transport Layer Security (TLS) Cached Information Extension</title>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>Transport Layer Security (TLS) handshakes often include fairly static information, such as the server certificate and a list of trusted certification authorities (CAs). This information can be of considerable size, particularly if the server certificate is bundled with a complete certificate chain (i.e., the certificates of intermediate CAs up to the root CA).</t>
              <t>This document defines an extension that allows a TLS client to inform a server of cached information, thereby enabling the server to omit already available information.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7924"/>
          <seriesInfo name="DOI" value="10.17487/RFC7924"/>
        </reference>
        <reference anchor="RFC8879">
          <front>
            <title>TLS Certificate Compression</title>
            <author fullname="A. Ghedini" initials="A." surname="Ghedini"/>
            <author fullname="V. Vasiliev" initials="V." surname="Vasiliev"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>In TLS handshakes, certificate chains often take up the majority of the bytes transmitted.</t>
              <t>This document describes how certificate chains can be compressed to reduce the amount of data transmitted and avoid some round trips.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8879"/>
          <seriesInfo name="DOI" value="10.17487/RFC8879"/>
        </reference>
        <reference anchor="RFC8484">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
        <reference anchor="RFC7858">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="RFC9250">
          <front>
            <title>DNS over Dedicated QUIC Connections</title>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9250"/>
          <seriesInfo name="DOI" value="10.17487/RFC9250"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="SP-800-56C" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf">
          <front>
            <title>Recommendation for Key-Derivation Methods in Key-Establishment Schemes</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="I-D.ietf-pquip-pqc-engineers">
          <front>
            <title>Post-Quantum Cryptography for Engineers</title>
            <author fullname="Aritra Banerjee" initials="A." surname="Banerjee">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Dimitrios Schoinianakis" initials="D." surname="Schoinianakis">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
              <organization>Entrust Limited</organization>
            </author>
            <date day="25" month="August" year="2025"/>
            <abstract>
              <t>   The advent of a cryptographically relevant quantum computer (CRQC)
   would render state-of-the-art, traditional public key algorithms
   deployed today obsolete, as the mathematical assumptions underpinning
   their security would no longer hold.  To address this, protocols and
   infrastructure must transition to post-quantum algorithms, which are
   designed to resist both traditional and quantum attacks.  This
   document explains why engineers need to be aware of and understand
   post-quantum cryptography (PQC), detailing the impact of CRQCs on
   existing systems and the challenges involved in transitioning to
   post-quantum algorithms.  Unlike previous cryptographic updates, this
   shift may require significant protocol redesign due to the unique
   properties of post-quantum algorithms.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-engineers-14"/>
        </reference>
        <reference anchor="RFC9794">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="F. Driscoll" initials="F." surname="Driscoll"/>
            <author fullname="M. Parsons" initials="M." surname="Parsons"/>
            <author fullname="B. Hale" initials="B." surname="Hale"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9794"/>
          <seriesInfo name="DOI" value="10.17487/RFC9794"/>
        </reference>
        <reference anchor="RFC9958">
          <front>
            <title>Post-Quantum Cryptography for Engineers</title>
            <author fullname="A. Banerjee" initials="A." surname="Banerjee"/>
            <author fullname="T. Reddy.K" initials="T." surname="Reddy.K"/>
            <author fullname="D. Schoinianakis" initials="D." surname="Schoinianakis"/>
            <author fullname="T. Hollebeek" initials="T." surname="Hollebeek"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>The advent of a cryptographically relevant quantum computer (CRQC) would render state-of-the-art, traditional public key algorithms deployed today obsolete, as the mathematical assumptions underpinning their security would no longer hold. To address this, protocols and infrastructure must transition to post-quantum algorithms, which are designed to resist both traditional and quantum attacks. This document explains why engineers need to be aware of and understand post-quantum cryptography (PQC), and it details the impact of CRQCs on existing systems and the challenges involved in transitioning to post-quantum algorithms. Unlike previous cryptographic updates, this shift may require significant protocol redesign due to the unique properties of post-quantum algorithms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9958"/>
          <seriesInfo name="DOI" value="10.17487/RFC9958"/>
        </reference>
        <reference anchor="I-D.ietf-tls-cert-abridge">
          <front>
            <title>Abridged Compression for WebPKI Certificates</title>
            <author fullname="Dennis Jackson" initials="D." surname="Jackson">
              <organization>Mozilla</organization>
            </author>
            <date day="16" month="September" year="2024"/>
            <abstract>
              <t>   This draft defines a new TLS Certificate Compression scheme which
   uses a shared dictionary of root and intermediate WebPKI
   certificates.  The scheme smooths the transition to post-quantum
   certificates by eliminating the root and intermediate certificates
   from the TLS certificate chain without impacting trust negotiation.
   It also delivers better compression than alternative proposals whilst
   ensuring fair treatment for both CAs and website operators.  It may
   also be useful in other applications which store certificate chains,
   e.g.  Certificate Transparency logs.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-cert-abridge-02"/>
        </reference>
        <reference anchor="I-D.ietf-tls-trust-anchor-ids">
          <front>
            <title>TLS Trust Anchor Identifiers</title>
            <author fullname="Bob Beck" initials="B." surname="Beck">
              <organization>OpenSSL</organization>
            </author>
            <author fullname="David Benjamin" initials="D." surname="Benjamin">
              <organization>Google LLC</organization>
            </author>
            <author fullname="Devon O'Brien" initials="D." surname="O'Brien">
         </author>
            <author fullname="Kyle Nekritz" initials="K." surname="Nekritz">
              <organization>Meta</organization>
            </author>
            <date day="30" month="April" year="2026"/>
            <abstract>
              <t>   This document defines the TLS Trust Anchors extension, a mechanism
   for relying parties to convey trusted certification authorities.  It
   describes individual certification authorities more succinctly than
   the TLS Certificate Authorities extension.

   Additionally, to support TLS clients with many trusted certification
   authorities, it supports a mode where servers describe their
   available certification paths and the client selects from them.
   Servers may describe this during connection setup, or in DNS for
   lower latency.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-trust-anchor-ids-04"/>
        </reference>
        <reference anchor="RFC9076">
          <front>
            <title>DNS Privacy Considerations</title>
            <author fullname="T. Wicinski" initials="T." role="editor" surname="Wicinski"/>
            <date month="July" year="2021"/>
            <abstract>
              <t>This document describes the privacy issues associated with the use of the DNS by Internet users. It provides general observations about typical current privacy practices. It is intended to be an analysis of the present situation and does not prescribe solutions. This document obsoletes RFC 7626.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9076"/>
          <seriesInfo name="DOI" value="10.17487/RFC9076"/>
        </reference>
        <reference anchor="RFC9364">
          <front>
            <title>DNS Security Extensions (DNSSEC)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="237"/>
          <seriesInfo name="RFC" value="9364"/>
          <seriesInfo name="DOI" value="10.17487/RFC9364"/>
        </reference>
        <reference anchor="RFC9180">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="I-D.ietf-hpke-pq">
          <front>
            <title>Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>Selkie Cryptography</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Updating key exchange and public-key encryption protocols to resist
   attack by quantum computers is a high priority given the possibility
   of "harvest now, decrypt later" attacks.  Hybrid Public Key
   Encryption (HPKE) is a widely-used public key encryption scheme based
   on combining a Key Encapsulation Mechanism (KEM), a Key Derivation
   Function (KDF), and an Authenticated Encryption with Associated Data
   (AEAD) scheme.  In this document, we define KEM algorithms for HPKE
   based on both post-quantum KEMs and hybrid constructions of post-
   quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3
   that is suitable for use with these KEMs.  When used with these
   algorithms, HPKE is resilient with respect to attacks by a quantum
   computer.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-pq-04"/>
        </reference>
        <reference anchor="RFC9849">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7V925IbR5LlO74iu/TQZBsAiRQpUrWz01Mqks0yssgSq9ia
trExWQIIADlMZEJ5qSJaxn/Zb9kvWz9+iUsCIKnd2YdusYBERoSHh1+Pe0wm
k1FXdKU7zU6u6rab/NznVddvsvNmt+3qVZNv17vsnZvXm42rFnlX1FWbLesm
u3l9PZnlrVtkZ9ttWczlq5NRPps17hav+/n8D/2Q/uFWdbM7zdpuMRot6nmV
b2heiyZfdpPCdctJ3+WT7W/zSb7dTr77ftT2s03RtvTzbrelJy+e37wYVf1m
5prTEQ3pTkdzerWr2r49zbqmdyOa2PejvHE5TTAePsurBc02Lyc3xcZlZ/TE
yeiubj6smrrf0sM09Mnog9vRZ4vTUTbJaHn4z7M31/jPL2727oY/eHn16jn+
+/z6zYU89+1N9nI3awpa1K2reppVliWvzTKZ/8kvNGBRrbK/4Vt8vsmLUp76
NxBgWjcrfJw38zV9vO66bXv67bd4Ch8Vt25qj32LD76dNfVd676l3397MhqN
2o6W+Wte1hWNtnPtaFucZv/R1fNx1tZN17hlS//abfQfXVPMu3EmW9jRJ7Qn
G6I9TfE/R6O879Z1A1rQjLJs2ZelbNhN0fSbvHTtXd4QTReLHT9Ak8qr4p9M
79PsTf2hyPnzedHRnv+UVyuaWOP4s8at+KlXeVPlXf5Bn6z7qgODXFQL/bFT
Cn2YdtGovzYY9d8qjDGl6Z/YJIuKGOHlNLtp5+t66apixR/LvF/mVeXa4Xfp
tN9XROSmpSln9TLr1i77qa8WNKhbN9llXxXzNf/KTgE9/9NddjmNVvrG9bOC
WHSVrPSn/DZvisE6/+aaTV7t9MMFzfHp48dPnsQrX/Okp52f9L+tNh+nletG
o6qmX3c039PRqKiW4a8su76aPP3uu8njH85P+WWZyYD0wPJ5feV2k2euKW7l
o0tH275oiZT8zXPiqVlZtGuwSHY9X7uNa0/0pXmzch3NUfm0ui23/aydVkXb
TVf17bf4Bz759nrr5kVeXvUzfyK/fXNxfTO9vprqRJuH0+1iKS/ms50t87J1
owlJMPwfkZwYNp/TwlmQ/aaCbB4Lsm3jWrByVrm7bL7Oy9JVKydyaeFui7mj
I1f1S3pN39A+j7M8CAk84cp6K5+TvGhdwz/ZNvVtsaCPibHWRYtj0jM51sVq
XdL/aECwCrHHb73DuJgnkbTtinkLRsqHoqheLul92cy1Hb2enqZxZJrFZls6
vB2CQhc5IXG12GV9m694NsuCzgF2KHlvt847esZBAsv8++2Wjj1eRD8iMVCX
LX04X2d5C8E2FcJuisWidKPRN3TuuqZe9HO8bzS6oSXdFm0xKx3tBdFBTwQ9
5RriQFB7UW+KiuZY7iBGtrRkmpjSjVZOtMx5fKJuns3LgtY1wdeuYSFXdI53
YpzdrV3j/DMsk3DaiBHa7K7oaMrJam2MafbL2lW06sOLBCUeTL/Pfv/9r+9e
nD999OiHT5/G2bP04x8fPHqCj4n44Q2zvig7TJtWTCRd0pE1JXfPTVfTcfbz
+4tze8N33z349On+WGffeu7BHhMNcDYzt8XZafIy2/IxmJC2ydxH4haw6NjP
+XlZFlvih+y8pxdkz4rlsnCTl64siXWze8/Pn72kkbqa2JUOLWjWEsM5DDhv
aFeYDaATG+Eokpf63Xw3zc4WiwLLoKOxG2Nxu+w2LwucuMzlNIOaPmv+TNy1
AA92hQNjkb5arbN/nz7+7sds7oillrI148yZfMAG0Cg0arR5NNBUGAlLX7lK
uCiPzQ96juZCiqR0t8RJmbdQiJ964rTs3vm7n8/vZ3d1Xy5InpI4bjIapwGf
RKTMS7IuiFM2OBk6Ez5qs7YuXef08BY4dfMc5wTMTDKTtoVmSrMg6rf9Ziu7
DLHfkCqssDBhgjAC+JVUgU2j3MmBZoGQlRAjfOx5FqQUxjr5qs5IN6/wYE1/
FsxdKrQ8ZWixU1o8LYGECd7N20SLKcBXWQ8ydiTgaMeJCfotb11gXCyZtEGT
k7Ts+XDJ+dkeEZrEaPeuQN+wOlAqXS8dVkf81harSoZtoJ4q2/B8RX+QJJsR
8/ACZBrzkgjKhJ3rXsqryVTLjQsHUyEJsimgxVoa4re+aED9xm1Lkj8scnki
RTvvW1iYNAU6gReTZ2wXke3YF1u2IEnsF0SipsXBxlxAaGgc2HXZNewkOhaq
9kE9ElctKVsSHf47en9EATuel68nr55fjrPr1y8nz67P5O30If1b1cy2rHc8
16IK+0LH4CXpA3rb3B89emDR0zbtZOB+jknAztqBQlXLJKJZzFx350jKDUml
rw6io9+uQFkiGSQcGzKmcGhaJABUGJc4QjWMIZVl19evbx/eV623Lpb82LKp
N9k7Whbt90AoJd4DiaTz+3YiSH2RthRpxLzP7yTx1M/pQ5zTlihLfPCyvqNz
0gghwnIxGLbIa/KgVFWZj5lJyJgiMi3oG/oBXrGsy7K+o3mTNUQmxAMSdbZ5
2WXe8VxOSVuQ6hRGAM2XpLxK2WmacIcTiMHjg86SVGUA8TGd93lXgVlExusi
6YdecauakCPS0q4VLF2m2XNyD0To0Fn0Z8fPks73bV9WpCKgcYvhG7Nlmd9B
tomOdmFw0rofiKLvWRS0IIjxBrh5/kFPY8I9ZTFriIbyuBoKg7WHoVqQh+w4
OhpdATm5gQWLRbOdRZbrlIn+cAqbkUe7JlGRs/S5xn6f0h5Uu+EAcsRpJfQw
qxQWpSXMyoZ5hWns38Sc40UvyUKScyWkH6nQBSnBDyQHabm0j/ykiMINfQRx
2cHbM2WcVzAdXtBxdR9zUHms51oVCgYXoRctO0yNVGyVQRHLc/daR0YX79rj
rxJJ96dElQ2cOkiCeEhIEJUssWDBTDY45PEEyE5ny6TJrh4+/iGexQ9fP4uE
tvyyaH/Kgkh6ZDpknNcZ3G9YxjSqJw5kPdsjOJiRoK9VsfJLny8ePn784EfY
XETH67MJljCGksJRG1juGIXeVEAWuuq2aOqKHVaTXhf1zX3Ve2Tl5PyKwBId
OfxsLEM5T8Av1XyHgcu6bXfGGa1w8PfT7CqwSHZD83eTt8tla6KjrTduyMbu
47qYFcR1JIAgWMXqxVqP0SIWMGxwteZkZC1cJToLWb6AOUQWfyucCg2LSXlW
1dNDFIU4Or96L2zx70zZRC+pt7Ekm4DmFw4UyV+x5FjwMp3iGesm0atK4jVY
gAURPfycDBFdqdegJMOECkTOMzrwscnOQp60OysXGgveDJlJ8AXgD5MmpGFt
O/Cmbd05O3mRZKSZwWEiNQSLHSYGrOBOJN1sB8LRalm4jcESZb8Q+Y3jAppt
tzQQG0Vsq4hNsnCrxrENZkMVJYTrrUhJ0p9keaorAxkerWys3h8dhHLHdvCO
1oK9xedkXvfedyIJnZM+5/kYOdwimCi0jEYWxzoGFiEvDD/IabFkes97Omgw
HQrilz4vx+rZsgOzJOIPvdS678oCyv6z3iQf/didjM096BPSe97Q81SHfV1N
tjkcNN0BmL9NvsKMlbwXnUgLs9vI0Krv2ERRby+4S0MtCkdn5XBCZMOIKMIS
h51bFQjk28IZg8u4WDQgpBjwkVwRjxGbW/f0tZuv2c7AsrucCMK2JYS/WOFQ
tjyhKfxkss5vMQ0zrp45MiT4bLfi7UB3IZLYZieX769vTsby3+zNW/73u+fk
PL57/gz/vn559vq1/8dIn7h++fb962fhX+GX528vL5+/eSY/pk+z5KPRyeXZ
P06En07eXt1cvH1z9vpEPI2YJyDBaV9nsEFJJpC1hcOXtyPadTJYZrL+n86v
/vf/evCIVMmfyMt9+ODBj58+6R9PHzx5RH+Q216NlQ3olMqf8CpHxEuO+ZT2
nqz8fFt0OWxVWLq0/SSOyachav7lP0CZ/zzN/mU23z549K/6ARacfGg0Sz5k
mu1/svdjIeKBjw4M46mZfD6gdDrfs38kfxvdow//5a84gtnkwdO//usIPJJs
xoJ0I5iw2RRVXdYrMmzBUd7BQYjhyY9Eb9EE7DT2DSlL14pgid5GIq+D8CQH
l1wJbLIG3knBD2zA1NSDGQ0JuEDYqqLDzu4bmW60R6wITXl5u/o0O6PdbXeb
jUMo+djbM8kG1BXzGkwExN8wIZWefHjIkikcOcUQEuBGUs+r3OtIMtTMA5mz
B3LgMRI0lVrpNM5Htk9JyIA9zcwTFzvWxHEQJrXFvy4Oo14PyYGSrXp6V9lD
NpaQsLKD0Joh+rMhc3lMyptUsurZLwZ9nvsf87DP7+PcZEk+5w9vSizeZ27o
yZswZx+Q3XoLHRx17M8GVE4CDsfJjA27JC+jdJPXNCrirfAhnlckMlpSdRqU
xk+LdpPdE+MHtis7vbEzgTBMlUZ0SDWQybDxmqGUIdr7EiaDGJw5UkK3nhBr
hMugDHnVYaVYt4Q24DDVJe2So02aFxyj4Q2RLFC8Fb/YcVr1Rbv2jnwS+Rs4
OWFF7MhO7K1MFP0N7XFK0Y2nDy+LdmXGGp9sKd4i8vUhZwKxJnD/D5ukKs1d
uoH+a7GWSKn2JSvfNPhoTq+xU8sBL/yXplWSbd7xq9UaClM7zB/Bie6rWVN/
cNVUaBIl3eisrKBagi8D6mwwu0nE7fpQ5ExyKkOmwOJpydSijd/UTTy1Q1vj
49XxoiAEjhCNabr/8EH60xKf7c02Ism2zHcIlGtYIWtqRAuqg9HZ8/AXRHjV
wraH+3MtZz/5HvZ/RweYfve2YnUVf31NFhlZSlcWWbj39vz66j4CDJ3T9CFt
FpmJkB14ER9cB5+GnRamAHkE7O7sMyw5AMWsR/jCL5p0mkRecrYVg0fHzlAs
5fODkecQm8b8pl+hdVnaqb798fFT6NszNoTVJOI47Jh/EgKCJ/GWj0+yE9t9
NrPTD9qCgwn0IRto9oXM/oTFUb3sOKHBqoNGkjPBDjbH/GUuA92NoLjGZTFE
7A2JDQ6rFRvM28pZ+hBx+/2bTr/5JNar/SmBw4b8DDhsdacpQvEVQsiOnZl6
4F0kablFwdFxE3/sBNH2LSXHkJcWJuQvkHfGx7qJKrgDV9xXCVS0H7D3Jy9z
0pi05jf1HVn+jgfOSJW45iS79/LNs9f3PTkWJE0q5DZJOS4KcHU+t6CjuTgH
J8exlWtxAbInGPbL0RW2DUrJMsCyIjaHrk9X5z1F72KzMy9B/nFw8TWPMyFT
r2JnkKRAZZRHxHyF1Sx7FhYSDxyNSIeCGMQZ23xX1jmtPHI61QUSsYDo3+t8
R5t0bVHFe3To7jNLpr73QkiM2RdLTssxdemnqW8tqYyMDQqiM4cHNFabyL1g
qsSBMLOd8DhO/0BBQKnwKD56rIuaF2QrNRAMU/7dMCrb7baacEIGKLWzFLaS
DCVqArZlutZ61snCWFMgv2QBZLdH9TQKIeuhh/utJuDmnByif5Li6aLZKQVD
qk+yRTiGzodHdTt8dEHzbRIjx7tJ+jaS6T/I2mqCffYYtXNXwVMOadoN/XjO
rjOb8rIXbW8GEeRQ3TeIHCPnQf8JVOFZdPUi30XcxE6L7LYwMdn8CMApCWaA
LcBUugUUhhhRYxwbl1vi292aZAlDySgFGx8sL/qKj5eJqjZfOsBg4CAhyANm
9wzjFiJo7opqUd/tB4YmPFuyAZ0Eo3w4viyWDiLUrJzB0iccmGiYu1jh0A9r
SCWhRr6A4t4LNwHlhMRYhEwRaUksgGgKn4giGGCIOkWEGiAVggC0PCJrw0iG
q6YauA9Eb8kr0y8kxcwDT6ARh5xFjPjCmC6VemPz0pgzOd8kWQuL9w1iSohd
HojbIajAQonoMSP5ynIxsn/0OA8krrc8lG/MbTgcnjU3w89DzioxCf1Bz8IB
Jd6h7eYEumbMaYEkz3g+twVxhznYtOQK3CJiW+N9/OI/t4ZPgftFGtQ2OSh3
BtuMI8sbnqWfB5amam6qoepO091V3cFOiZSe6SNYL5879/rCccxYeZytkVPF
dNz0SAA7i7hB/DW1hDLZPSLfXKJ932qk70s7NVa+11Olx9BsCHwXxZ+VWsFg
VmESWbB/R7B7Z4FnyRcQ3yUxcLKXWMaSCjfj0wR2MD+LWIu0a1Kdg2zmQUmw
54G04LpDRvswZF20bY8s8I5MfdrKsCTM+IxReoLTuHd+1sLsyBuSLrS0eUk/
b0h6Nz0xzG6avePfnyXjsTRa57dOcCCYNvFUAQgYzfrhd9nO5cT36heZUTOY
icveudtap/SaRAcm8+41udlizipcgEeQSDO/VrIwAERMifXoIOWswsmfFDkQ
pbbpbey0cFg5nj69Ap4IzsUWoAlhz1QS0HuEV7BjvFbeNqKN7RAAP+TqdUVZ
WuqZnTkTSKnoF14kppaDdlCvAjE1FLbgOby9lc3lM/glE9afwYCHUAhIosVY
fvOpOWRES6gwV2KLuA5HV5ZNkgkz65QpGg4fmpk5zX5COMQMAYXHtHO4yrJG
mJC5olg+4xsc1itqBnNohVaz6hGE8frtuARHdDl1uWmT2Nl5hh+fD/bk92/8
LpGrc4bMHS3QAq2Kxblls0bj/UpOJlPRSpCbZkqLFQBCUdliySRCMpGEAL2H
rQzLbqtnYXhLID7lUEVio4cuhEXJB7mhk9B4czEGGSSZx/1kCR3C8lYgMyvE
zmqyAHUa6qNbookYocaDinmURNFStiUnHbijjcr+i2Q6ZGYe7SjU45ZF+1qt
wTuynife14aqOqhK2bpis57Nd+SNGT4gaA+D/SBvGGehSHKVxT8x03vP7kMO
+7hd6pV8zRnKOLGQYk30rUADMquxGRSFqDysJLITT6NgXxqW0w8TDyIE42Ky
0FhY+JG411hStrKTbQG9SSeLTVzyuTC9JIbK0Mt6U7SwWTliEWUP/uT91K5s
J2ue4USivwBHsZXgd9Rwg0096w2jAtaLlOGmWKnSFaiO5CSUiONMBvhM9Jeh
8WprG8Dk4FTdfLF2k035wW0+ffKoHklvX75+9fzyyQ9PTwETVPLCpvThWnks
Hdk7jBJDntDv03l+JvA8VXwLuceAKjQPvjgD/+R/8yS+l0l8//SRTuLBdw8f
fXYW/OjnZ4F3/IFpIPsAKytJQaRH4UWChfPGtojEOEtylFPGexyhvKD83e4d
UCD3UPyQvclJ5f5NGA0yd2+MHMl+A+kp754aMR4/eDiOtsdDKYxQwPLtn34c
xGBlbH2ChwEOW6bW8MAbELXoDP7BZ5cOoZsUFR3SLe3SbKcixOuDrnHVqluz
gXYgS5GiU9QBtIONqGlR9RFAb/xVciWWAIkyEGMRJDFddmVrTagD9ThzxgFi
BXqsS8wozJqR/qoFUlQWbF0ggCcoN/BTZLOIq218xfETIs8x1CsZw88lWdWq
vc16lgakTcSOVWJxo0amYmtrYLAoSrQVz8Yg/OMDiHxzMFl5eb9BHHzz7iPs
CB4TcN4OkD4DdMJFt88N2anWmwAhAtj9oG5xHztEEDArTj0I5fCyZdFA0ndu
O2Yj2EyZmt25ENPh1L3klvHdhwpJfLIAOJ6P8SLBTlbirBQKEj/n5LBm+byp
ySiSUDAfvNR4mSblYj4tsCxWfRPwzQHUCrbgWB9NsQBDwJajmQJByHpekdGC
/Ggdw47iwAWPoNqqPnZC99d0aJ62xbY/uuY2U5ABjEqydLDT/hFNQ6j72vgy
AQ76M4RMnQ0kU5QDmB6N5kwGJK/cqu6KXGAcPmwwzd4yGg18TT4PYhcJcC9y
cfYGZr9TzyN8s/mOHWNd86JmNtg5z4Ffy4B0ZEbffEMTI8dLTLtzDgwgCluz
XDgoXeUEvTQ3XMKcCiBi9I2KhaG7jlOssTSdqMZ4gw7YhJonjoX6534VAp+E
2fvsaEgUNuJ68ggMcEZGNLyMPvqVP4reQtsSTEzznboYn/QZg0tCtnmnmp4J
YCcWp9IfSnEeONjihcR630IlDVFHQClgR7w3okB1q8phRNVRC1nwI4mdTAYb
mSBEMnYfbwYW8KF9Pgv5b8NzyO6WCZtoGGdveibMWS8OLe4Di48UXtg705ll
geomYysOlbIHhwDclqMgPdyppthK/ECC1HxgEFqCgOwYQUrWvAJMs79kZwbs
PEX1JMOrDZXaFtBx0b7xkix+gHATuZbA4VVispPfZLmACAsAZp7qYOeepbQS
kD67WQve13bwK8nCTEYPOMmEZpf5x2JDavVG0i9cqIuCyC67d3nz/v44wW/C
0DGGPrCPCr5YNvlKYu+mLzytBdktIB9G9TCnSjSUD5t/8ub8iujE75HHn/Hz
QSJ47CmL9aA24tHldDWOjveCtgeZMSDXxGDx/kpUPSbwRPhQ9pqsVfvSeOH9
sysOJ9Bx3vDExHjLWwSoFD19gDat4Zqd5xPz4i0JGta2cDRZlGVJxaWEKIZI
Z2OES678m9UfXSrU8boy2Y2D09qyuqAhwBgL+gNz2rCdwJszc+v8tkC2nkVK
vdlA8l3WHjrMhTCbaBJ4EesnYqf9SVxcfQsSKicY9mpDy24t2E0aK0LJ4sBE
wWqcXa79i8zNaXoq+NT9mRQ3/0PWy3GBtq3nol1joRIyll7phQRkWE18aG7e
jwEDMaPOlicCvlCesApO4dxl37A8Z0xKX/nAkO0+73lrxTBaAoE919qbLjqg
0YKHpYBxHMAnnj0YppcpAnDic3tqvUYoXuPUNgbgNzlsSJJ/D6dc2i14EjUa
juj7U1IEKDPNJYEwHio71QnM3/rGNnrjQZHGKGNs5tcgAIPYs7wk28kHDgLn
hr9S13Iq5Q7hVitA5Fe9oz3avQPUuO0ExiH/zL9aNnMmMdBIUpeRXkQEVVb/
RyR+YclHZCgPrz3KfMQMhOqqHOA3X8YgLzPBCj6G4tTKyFDVlHuuFL5Oayji
EK0HbUuppZyL/ye9b0MYFv2L5gfx9PfkpbVOBQaz8DWT7ooDAIjbtYjNWDXz
IrstcgDUT/eiGzSPCc9jgsLqgiPGUbAjj0BTEni1CuOoWBoTLppoB7fRNKyO
l0b36ZJ2GgHxJRkknAlxak0FxPQELl7Qx0XzeZuMy/1MSnmzKdrZyHCaZj/t
4poB8ddoipoUXBcctx6YebU4D3KEovIvLUNhkX1b0573VfB0RU7Snp3rai/P
/iECmoMw0Wr5NBmwYxEGaAVPPV/HRhqpiyOcFRGftWICrjc40aPpw6lCiv7k
i9TZJifjMyzShP0xA0qKSloyZrpjtlOoTzdXkEm06NWfpd9z2CYpg/Mm8XXA
SXBIrXG32qXAvwDuESBsUnCSrlJX+LlgNLOCZp7YqqiEJcIs9vhACks19xss
2kME0mpAVKeKTOkKn84jmWEVgmntNOeS3kss6flHVkhldnX9Sn4T+zOJE8OW
xoEMFDmtvvVA2OwQ/INdH9RekKZ4ny9EPZhuTKKEDHjXydI+TRSjCzreo8nf
HylA66ga9JImaksA4Pk4C1b8ybb98Oti7X79QJ4tSJK+AUWh2d/6YsFhO15A
TD+pPlKnvvDlb7Fh/fDxEz4Ia5f+lCUT2eVIwnUCk6y93w/aMr/QGQWofDwS
WSmBq03x0SAk+MG95+f3aVUTgVeFDgq1j7G66gCsRbK+QomY1Dy5SvdBjgMP
pcMww7pqzQQZvJXtgnU+DGnDAdX4GCedwGSXOBYStzhnCfWRK5tj7gy5x5yJ
AQw6w2sD5DBL2kQMucmQS7qbRhmSnX/JXmNO9NELbS1xLa0lThUhN9wqRgLP
1RKV9J9Ip9aJQTpm/yiEmvVcdwE9Ah+tbtE5aAv4dALybRG4HmIKE06EI8LY
ca4NlP4KtIzreV5apCtykrNnnlbItIt9wST1uVsTohrRtqANZ8kNecMoOS4f
jor62cWbtDSwSyLeyOtevzoMV4pLCYtGZKJsvjfRV3W9CEWngJhY1s53lsGC
LxKs0DtSJ6fZT5qA4AXyfA2MOWawNlwp9iCJ/rpfxhvYXo4Hhfky3t8VPvak
crqOI1FWnFhoSSor2i8igeQMRzwiFSYRFJIz8xKibQewKF9sEAfqGKq14/Yx
Ot9CI+NaMqIReu/kHMhVgKqW/HqnyAY62s/4h9D6VjTM5AWxrMg3MoW0M4uv
vLFkhcBDWoWIKroKncUE9OTxu3mamRBQkqDhye1bEHmlY5r9sG4Ey5rdufyD
HVKcy3Ec+Zd2JhGgM7RzkHnSTGZNTxtGx2Luy29Ru0A0LnzcPRJg40Q0CD2Y
J7g6RK0tdoWbXWTqEvPBKImy9iHAOFaCMh08SUdDaRYBMO5EonOq1BTBEcHB
qv8sYcTR6Mxg2opAZDMqjnMZnpUllQB9Tcyl8LfBOfc1ckNsluZhUoGYJPwT
7JkUvjC4yoxhn3JD7sNgGmMdaCfZTbeZcfH1nSK7ztrQgSNF/PkYNbORkEGa
+2Q0KC1RuxOgZ8K82OZc3hwdPMx720k1g1UJHRR56hnOHAsLBHS6SL4Oo+IH
kHQoPK3vVHAzUKnQgh9zJwcdmNg/CD4IEYCeVC2jFjMAjjCaHTKe33wTHX8U
PQy5BaZLWhYxxGVxBA3mmwKcfVUPqo892EpR19UeLhYHt/WmqyBID2NlEV8F
Rjb1jfdmo81q0tYYA5j/wknNjIbFEykstThDfCctb1mzEcZpuqIJAE9Dv8eI
2qAtxj5uTAttZBVSrqf60BC1XIndxGBca/eUqAIE3gRl5hqDeYlY8+I2oC/7
Slogcn8YNrpRdFrWLcPTpTjHbU3FpFaJ1kTfcpDTTK5waqd/hDcGmJzBY+bU
cxpZNKOq4FxymmkKPNoUhmFyJZ3GR6IvT5m7E3iHHLAYeznsxJdIrrpCAkn0
ci4grzRYmmvjl0iTfabicKfmVNEx4ms5QJdEUHCxtUigkfHDAucoBAAJmb9Y
j4x4YadS0b8PSypRHjdZwGpcF7Rx8ZIFTAXBYaG9QVnrXqFi1KHonszi/vQA
5mXR5uQjKlRReifonCXgVhYWYEk5IyBbprxQa+TyB1b6kbZ80pZrnsJweb4x
TNgo+wh2v8+1Ymr4jbjMDOETlkVvTHQkcVG7IOkwKU0zfA714uzNGf/yiuTx
BuKn1R8DJGGDbq1Z0cF2QhHumvWTkNAXcPu4dZo81pZDiovQPio0bG3d7tS+
wEkttJZ3CZdMPYv9SIwugFtP5JKh6tq4L5G1LEpg5pVblcQ+xvpcdFGyz8rR
u1gKVgtZsiJXYTctuaVlkhfhrNDdhLMEpj/i3jpczx1it3Suor0VOKy1GViI
AbcvbA6Ur0rJUu0EQxK81EQMcUku2ZCiYjU5cO/cPr5/UBSdhd8lUk4FUSuR
4fxo+iYcRSk45LZE0lboaFWvPqpnlxmcEckQZ7RTeyaJOT8c7/Leikws4GQl
FWoFcOAYMrjK0z0vN5Qos6kG+OtgfcFo940ND+O44nah7aHoGHF0q0UncXgs
rnFM5ayfW9RErAk+knk7WrHoSevdiPNDm2l9CD8jsba/TTwfTIjMrYaQWg/E
PbKZ2phKJeueZ3CgE+A7tK16dX79zYPbB9PHY/n7+lpZZxzaJ6HJ1eLRo6dj
rTMduoCRf2J0iesNCqlyGHSDm/Urxb8rt0ViWMnCXZJZiQSSmDqxTLbok3B0
gpiMTSETlh7CvQyQ34HakUP7vt0r1LAuriFQ1bjJtUQmX7ndaDTUfE+fPPl+
VtAGmiH/xdouOTmpe5ebuI69zwNRxbgEPYonJrHEyN38jI9pe4ja46QvFZvi
4xDq9Nkw9cKDa89S0gJRhtVEHVVaj+67w1hn26NhpHpOL2hFUDPyXuoWLTaS
BMxMPdM86WsBUe4Hf4Y9Sg1EqhWbd+yxKDgfMIpbDQrF7oJnpS9HgIpOHQXo
jSSq5utv01QQNr/utfOUrUAFX8oKif+c8IRXVBvOY69TzTLoskrOjSuX+6Uu
4wjVk8oyScYWiW1i+Fwh235p4sGGt3LmbtBCjdT2fA20H/cFpI2Ii7T+Lp1+
2Td9xtaz2N14jh8PSthVi4nEyNI1t7oBPjBEjK0rj4Tb5xwbTU1HL2WXloPf
dWhGzIBX7gpHhMKSMivCiZFPSw0u+jLJoVG2iwFDLn1hge4k3MXGmk4L3NS8
U2998bLA/3xo5XRwEtLaW4uDN86kH38zTrvDiV8+iWK39jzn0eQ8XL260Nlx
xTR3TVNqx7U1WqGoPvaxGkWtvc0jMrNLCUJH25RqwsGJYyzTreeYiQ9NBLPO
gw6OcEu/NVHqkbyLdAuQHDaLR0WoLPIgUw67t5A45MeOMisXTjK4Wg1Uaa3r
T9P5WbYuaBObObpU2GkPLP1VhDIU/xdbIexHC4l9V7HOJUGzcPvGxzm3++Ho
qmy4D36NEy8Y0due0c4cuHIaOQ30bseRqh98wc0UxdY8WKq0z0rkJFgmnZP8
cpi2NXG+1vZroEidrGRAaSI6RwTFe/R5tkLnw6RrJIY3QGti3U44tMAszWkm
Lt3EeJ1ioJe0lhlth9Zw258yQVg+IaZnIMBoM3lmIh73Bj1wqjiaTaYwu5yL
+q4CcF+E/jC8uSehRiMW3RM9E17aSH5xYUj2qO4xbzTJxGE1HHMyXkB7cvF8
meCgatJYZpq9Dt4jwigWXZ109USH8lkns3U5Pgz5ajFGAXtx++qCoTqeC8da
CekWdoT19KbbH8tUp41wo5OBivJwU0PYFyAgG20V12vDY03EkT5G81dtejCQ
9VaeDo8KzcQtJMnWzFERYnUIa4SyiKMLwfhKyrlv1UN9o9B7NZDSKLDdmeHP
bup5Hb4zwFKLkdQMXZp9MGHIWDKQeaUR10anfmznmTn5fjjBQxid2xe3EUDe
vvk1GCExSD5GN4zJsWolT8/ZEW3QWzfchHwZgWRUa0XCzWijdRSQDtzKwjH+
ZO44yyaVESbV4uX5eYv1GTcjxqUq2S/isEsZDZorxKldmVd4F9cmd0W73B2v
TkprbQUlQy8ZhelJtpq8auRS9mq9TDaYQef983NrtMxBHlhvIlpBSS8dRVJW
oZ1HKrbFjUz0qZInSnW2jMQqtUVj7ASejkaT7AUjEw2CvOhD+wWNcUsLemL3
ibpYW1HpXdx8irWh9nLhIAM9/TZKYMcRNC7Ykdhuw3jCWezrtmbIRrVjpQIU
4rfMyLVaFt0gNMj2y9C2CB3GNV5wJAzAYx2stfOwHWvM1HoEVxsjifkNCt4N
heSFr5rnl3PLgAAPCs0EQqG8OZz/dE09QcebQfTgeDjF0ChRkXFkUlpPAdMo
sx3zwJV3gof8e6rJalSO+OshJP50uA/ggd6EgxaCUxrwncEJGQfSS+vaHnA9
16IXyGC5p1HgIpQ3Id2NnsoixQYdvAOscVCUFpU1HgwvtqIPhO98Jxy8xTJB
KPVR7+9wu0U28u1eEKvL8j5/fMVBfGKwJ5zZC4hibmwhpjRD83orNOSLH7id
UZ16y2kpfK6pk/1mDUNToiamDePOXFRNaN6F1ErFGeWYbOPMLitqP5MhwkcH
Ysh6yuJXK4iY4f95ZNLjWgbk6ezMDO6uybmDaFuneajhDRBsgpWSVSy1LO4L
9kKc/EoX1g5zX8fFiOX9fJgI4zXukPXpHTEmCHfg6AVJrt6Z4l24qHcPLhI2
OrTq8IGrJGAfqlaBDjrSMolREjF0P48vRYFqJYsMjW2kolHCHQFX2OYbdyAj
KQGmfNlpHOnwYUIUYQaZECBfIslutcGFXbATtUjCjFo+sqTao+b98EKR6+ew
txe7DM+ODHRPbO9IAYDL0TWJWCaCMEoVxT1Q09DrlHuTJLfcdHEfkHliDETA
2s8EfMeSeeMkdzSmXejQSjwjB9rtwJELfUN8e/S9y2j21lVJbMxQwVHY/si6
PcZK/ZSL5UBJGEqC3WYYAuPBq5JBg1Slcw7MQAsMM9TQ+0rfIKJUAgTnaLZU
TS4VLnzG/J/du37/YnJ+icys1wT6kYVnkpJ2rtwZBsS1QYbMtrGLriJjkftN
I8WiyuqPTPC5TvA0CUCwv6PYIQvDbq3EQhsxBcKzfTxss8raYd4U2y7qrH2I
0uO0iRZHZ91CJTtCwmWcrIqiHfyzHXtr4sruhZHhVkuQ5Gj2a7y/bgkGhN+x
HewncIASh5hRaQI1E1PiLJgy+68220X3RHX4eIBC0cS8PRz5rXzwc61q9G3y
tGGDojuO2CFfkowBBhsDEevDVrfeVSTeBORngyhl6Y0OaQ7hTRWSjkVlJWA8
BbP26TltFAA1x9ejWeZk7rRmiNbS6wWMpmfMnijKXUgSV/4SuV0czbiQhnki
dyVRFN/pyW2v1CPgHl8hdB2ZP9pdDs7GR9ozbpK3XUsmAg3PfVECN8SiTxP4
2b4F0AhsOXQ5qdnmFL8ueCx8JS0brWSiSwyH0UZWqmmuCORnuFbyn743BTPi
An4ggyKLW+GXpi4VoCTRQzViuB8cpiaEWaNsmfeF9nrBqiuPSzOlsRPzmoa+
a8Uf8x7jfKy1U6FiLLTof9DS3Joo+qtdQhn5EQuv9VDCYP2ScZ4Hl3Be12iQ
ZU3VxL7IrKO6b8qJjFkCZetQPw1MrM0FTqFYATBq+WUafDGpGXEJowiJG+cf
EA8AioQ/iTN1CYYCfleFgI6vYPzFzTjST5NQh5lrZ7nQzbtbPZ34Ul7tW8zL
BtYCDTlGthCvuzz7x9tx9v7t38fZy7NfXnEs4vrnC8BsxqpG95qpFm3sbJCw
ID+etJ0s0c1j9lQJuTy8prQy12+VRXMHiWypMI1A9MPuEMMs1qAlxGiUtC+I
bnnxnAl86CD0kUBE1iyHjyVTxoOijCgOy70TXblN69HiSqRQQhGPCGiO3KtB
A52jnmxBcizUnz33kbR7Ekp78uPDR58+kY4Xz8B/bRgSC1whRmmBPPMbtOXh
XIYZZDDTkjfG1NcxrHIa1UVHhaRgvjIG+XO60pBhOhQDkKJ+pr4SWa6AYqr2
sA2Ge5Ga5x4K3mi3hBntzF2xIMHVS71hkcBMgs/PubW5b4LcnsYz1k4RfAng
ClfgFFqLobOvZ//FNrx1Eg0lZbFUtgtyoTmIyi3K4Ld20WXrgWygnIF6WHw1
LIb5CkgtF0jh4sGlY39I5jxoqWBwUskT1NVuoyUNe91fkzbQXMQSxe4v6puA
NfZVAJhtNcjPtBvkF9YQHkkJvTFytI8IODUKGlAefvr0yY+BhxNb3xe5zqOf
WXSSWetgmZ+vvzzKQaE9MzpEYOHJSlsD27F6/oyMYFKaGRFJSQ8u/Kd4PkNH
PzJ2JepkfMGX0UGk1tudpDM41rqW3kgW/Isku78EzytfM6uNXn6tCHPxppxh
GSsFCca7cy9uX8/+In05yeXxsEdRIFMqUdu9LdijPCyT2o740eBL5ts45qWA
BMRMtHSxFrF72y7KeYdoqNeHjdNihbTgZzi14MWqCAAuRd0YWVltXeTjqRo6
mc0hmab0skDkCTIOiBXfkNyEVRpp3hddcapAUXQK4xN40XEIXryukJ+3cg+Y
W2lnh6Lj/Ca3YQ+y0XoeafLEa89juXROiGMjFG0O9sAZDk6PeKkatii0+DFq
4f8LGVyYP/flE6ERIVayC0ZT0VFo2n3+7KIE6aRYtId0oRr/eaSSVE8FTkEq
is2Ceq4y9CAuwTZd6/9S1Eg0zybv1lbw8ixc9ENvQwdCC+TZ5g/PzklE4F/z
0Mh52G4KFkYbH4HDXYAO8HvUBoZ9OZ86tBCpdb1nxWRXbRh64AsZRA428nUc
x7Yx16oVMY6CBcizm8gqirij7/8Qe0Xb0Hjcyx6GwYBqdpL/3MojE8bOKASB
jV4JAG5orFvOFH9wh1ExCWIp6Z4hwYQ9eNJacUsqefagOZaUgZL5IrcxaDtC
T0h9CKypcDFhXmwwg8TS9Jg9mC1/xKIdYsFDrVFRWQ9hM53PJ2KrLAbhcxFa
s5w8YsnOqK+iycFEhHExnVi4ePQ9V/NoWsnfOHKeCL0Lbj+HamtXxYQFqmTe
RWFx3ScfPIhvMz7cCsYbOdIOpspOiFo+LvCrBVpPsmXecRCF1j1UTYFDxmwi
9k0lV07SFBBIZkk+d6auaLlo/KFN/vegYJyCMvwn7rTzCXnZQF2qkqCzehhc
tbTZWntAvWTFFwbnchV9fBP9HtW0wtDiQYlpM/9gW6QkHWqW6D2gJk1bFAOn
n6RGp8hXVd12fLuL3Fg4jtKCPd5WrfikkhLX+zwZ0MdZFkt8RXggbVjtFOJo
vZGsZ/XA59bicGORIesYS/1fsI7vEl8pfyDM0DSwr0NLM1OoqF6TNXI/Mf74
VpyQmETYd29IyEvCjxStpHVAe2vQrghygsqowy/vn1F86dQaDSgPFVvK16OR
4A5DU0K5dQoFCxJcwGJbtQM6va0+aqqpnDkvUYLKuS6W8RKt9/mUuC3LXd5U
0ptTcmdYJexb0ljlRgAW1bKXwqNGOrrxLcxxqCXqU3F2laKRsNKS7TDDdQir
k5DpBFVQ1fEmLJ1bME6MVyV7h6TSruZSED6keCwvSqw4NIFSAmk/t3CPTGOl
rJagVVpFkciUB1aCj+FgFarx5Qobi9ZoLx0f9KulLlJfkQrsvZ6edh/iNHtT
BxXYpmv1fcssfyAEVAxG2Di92zXyqIZqxQLYek/bBomYygFopv9MyyZZS4Bf
I+QL40UMehq1XvU30bXDi93k6qOC4ZVzTTEfSHdzJ83qQMNeaTnvJGMjSk57
pt5KS3a5wi5cRezrZgMXPntzrTnuY9f1RfcXx+Jt2VdyXkoPAwrXeNFb/e1O
HNg4DClRWYVXo9VT1EZQjyXvh+TkwmXHeu/dd09C+yG9VqxjU4THGn/pvjBI
/w1On7OLowVAqxPmxjhvrgfVstN0jUcIOgH9Jy9vbq6us3vP6pf3Pczs6SMk
OP0jsHXogRt74MlT3OUndqt/6Of3F+d46uf7od/Md3gq4GpCn0i15UKEx6CZ
VpCNexOFOczmEl6LASQuWaN/+YEr2Wj+GoJJLzlIKkoGVdmH7ln72gvV9m43
E5Xz+dvN4kUcuuEs7kkJLmuTem8x1OXm4nAhmBQvdlLYntx/ZkhiVp3+Oty9
YhJdYKqxGSk7870ZbJIsmORiyHpwUfgAUTTcu3DhOHeaNquh2yvpTu5YTzP6
v/8e7iL5dFjtVnUUxR2UVkZ3gtCMrp+f2/n9/gc+DBKhDLESS0mzEaCHUHd5
LH1P/L3PYnp5LzBgS+KIhXSkionSecEQ+gjEBZxR5Yr+kGODL69ePZcyyyAD
JNYqrRF9r/0r+b3eSzD4Pa9g0KJdKonje44VSBjBjKKZABzSzIoO7bknLec5
2NKCsAxBIKJZsVWXM7xnmmEaKvm4vToJBla+0rIjsOxE+yENbnhOC7D8hX95
er2u3nypCVuNyWonesmV5EcWp8Qo0vvtu3W4g8NooGz04Ol3zJa8Lo1ec1Ri
kYKRuXjV905/9fyy1fBACKPiw/32d3GEZ7394Cbb30KpZtStXo2lAwGxKxTT
mX7W3Exy40RtQCO7NCyepw/20r99S8Co+75Vcyf2AbdHVPPgMLui2RdrJqbi
00c/fvokelDs/S0uaqCNrWcw25NwZVTCJAb9QsNwR4t8Br03vd+nwo0kRCNe
j083o4vdEUmmwZ9Yid7nXbMpM4q7CnfgsRV0x82YZtLHBy/8rXeNFqz6FpOa
og0hfGQ0hqtkOUe0y3yBtLcg4LRN+Ts7YMyV3IXwELeLRN/Hx8bqc8zvi9mF
RXnUWC7pJ6stNQ4yUGDz6fCDI3eC2FUK/98u/RiHboH7F34k930UrZVUSEtO
ho8CKzu1ezzkUB+6viOmXttzukySNf89d3dwtoS8KiUnEvTjyKz5FZsuhSAq
yl6SGCH1wD0X+b4mrcwkowjxehlbcmHoo+1P3z4l0xaYdt0336tgPMDz0QvB
1u7Ar9QjR46RmwUlCPchnv/mANxa0ttWDxuLIYbdmnMm2EUSckUlTU7nAr4F
2EXj0+S1Nvmiz8vEBeKG33ojcu5vfHN8c6jOYxTa10c4i40WS0YrSG7FiGJe
MlO7Y5SLcCNMko8Ajw80wBiPht7rWGtklI0Te0Sa0/ouwUV0uUzPPQU5MRLa
R108v3kRso6DS059ft8j+qrFyB/WlTW1rD/bmqyIQpIIFum93Th1bF5MlkXX
TuBAW5otyXfFHq02VOU+s6MB+lPoWjDqjZTCui6Z8IVCbAxAwZ0C7nKVs+Rd
rqrWx4iIWjEQ7CiVmY2jcO0+Dx/FqEYtYb94dbYv1gqwK+VKhWNhoZUUYeFs
92zEXx1p6yBMpiIrWEuhXa0AohilVbk7nyTcrwYQ2DanA1TiOOkx37EjR8dl
g+gaJ+EliKet6QHzqTni03JVobpzhzo6DLtd712ux93axDziKeN6mCEcdxQt
X60AicegZC17ISFTuc7TEMrDMlI7s0OA9uFaGCDDnOsi0T9KS6HMjX/hFuy4
xWCXK0lc4vXXdq1Sdu/FxRUMkDcXpJWvJYulLoB1ZNNX/v779dXk6XffTR7/
cA7PB2o5Fxl1Du1/IUgHtL49v7gf6aNwjVdifUf5Ze2fqUdC8JG0dW1d9iK1
/C19B9o/fNWNhGy+jryyjupwkvuQac3oNFCzfBr2BikEjb/fBiTN4Ufd8Lw+
GO2FxMZxFppxYFI51eq9ngF/ywzne/Vpt4VwSamdoICb57pL6ZsJt/Dy4uZS
Qcxt6FSHRj78jVCIWwPXrWBsNOKxQHQfqk67OvBWKVp4/0LoI80TYnQiK18L
fcDEt0TMKBcQcYqa4uQWgPQHkNRj8TGVABs95b6znUCscYvSOCpqVlNYCvZ9
eknvX0PwpVQIeGi6l0LMR7BzSfA5AaFgDE73AoXKAcu0h0ScxhNb2Yf62nDb
NSdqpBgQl4O1XiSQYGYBLNf7RBf/gjAhcnsqd/4cKm+14p+js0oLmsh3qqX/
hvSPEuyt8yiZAdz+oRW1Tq4Revx7hE0/zXy9a9IC3QtYC795GJZcbB/PW5PT
capoOIPvpwyIvDSM8Gn2NkEk69iJMYbTwj0g6iTSI7f7pgnrCCpgnWK8mEbw
ZgASaUNz0f0DHIwehoNI09M5UC6lW0iKsh39fio9ZN3if54s87J1J5+g7vPq
A4v+Z3RkfsGgrGH71UpvLMsNRJrR/LahWYfZNapqayIUbe/bvmrviKLrcXY9
r7sue1H26wYn5V1PVuPLum9LRzbg65pISW+taGeRqF40kMQ/kSb4BaqwmeU5
/f2uAF56kV3Xa/rrjJ5yRXZVb+tb+qsEXMO9qj/IDG7W9YYWQPPWpKLsBmAX
sIh9Qkh6WOMqN6LT/wGIXbpaWqUAAA==

-->

</rfc>
