<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 3.3.6) -->
<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="o-*+"?>
<?rfc compact="yes"?>
<?rfc subcompact="yes"?>
<?rfc consensus="no"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-uta-tls13-iot-profile-22" category="std" consensus="true" submissionType="IETF" updates="7925" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.25.0 -->
  <front>
    <title abbrev="TLS/DTLS 1.3 IoT Profiles">TLS/DTLS 1.3 Profiles for the Internet of Things</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-uta-tls13-iot-profile-22"/>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author initials="T." surname="Fossati" fullname="Thomas Fossati">
      <organization>Linaro</organization>
      <address>
        <email>Thomas.Fossati@linaro.org</email>
      </address>
    </author>
    <author initials="M." surname="Richardson" fullname="Michael Richardson">
      <organization>Sandelman Software Works</organization>
      <address>
        <email>mcr+ietf@sandelman.ca</email>
      </address>
    </author>
    <author initials="D." surname="Migault" fullname="Daniel Migault">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <email>daniel.migault@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Security</area>
    <workgroup>UTA</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 144?>

<t>RFC 7925 offers guidance to developers on using TLS/DTLS 1.2 for Internet of
Things (IoT) devices with resource constraints. This document is a
companion to RFC 7925, defining TLS/DTLS 1.3 profiles for IoT devices.
Additionally, it updates RFC 7925 with respect to the X.509 certificate
profile and ciphersuite requirements.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Source for this draft and an issue tracker can be found at
  <eref target="https://github.com/thomas-fossati/draft-tls13-iot"/>.</t>
    </note>
  </front>
  <middle>
    <?line 152?>

<section anchor="introduction">
      <name>Introduction</name>
      <aside>
        <t>Note to RFC Editor: Once RFC 9846 (RFC 8446bis) is published, all references to RFC 8446 must be updated to refer to RFC 9846.
All section references must also be updated accordingly.</t>
      </aside>
      <t>In the rapidly evolving Internet of Things (IoT) ecosystem, communication security
is a critical requirement. The Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS) protocols have been foundational for ensuring encryption,
integrity, and authenticity in communications. However, the constraints of a certain
class of IoT devices render conventional, off-the-shelf TLS/DTLS implementations
suboptimal for many IoT use cases. This document addresses these limitations by specifying TLS 1.3 and DTLS 1.3 profiles that are optimized for resource-constrained IoT devices.</t>
      <t>Note that IoT devices vary widely in terms of capabilities. While some are highly
resource-constrained, others offer performance comparable to regular desktop computers
but operate without end-user interfaces. For a detailed description of the different
classes of IoT devices, please refer to <xref target="RFC7228"/> and <xref target="I-D.ietf-iotops-7228bis"/>.
It is crucial for developers to thoroughly assess the limitations of their IoT devices
and communication technologies to implement the most suitable optimizations.
The profiles in this document aim to balance strong security with the hardware and
software limitations of IoT devices.</t>
      <t>TLS 1.3 has been re-designed and several previously defined extensions are not
applicable to the new version of TLS/DTLS anymore. The following features changed
with the transition from TLS 1.2 to 1.3:</t>
      <ul spacing="compact">
        <li>
          <t>TLS 1.3 introduced the concept of post-handshake authentication messages, which
partially replaced the need for the re-negotiation feature <xref target="RFC5746"/> available
in earlier TLS versions. However, the rekeying mechanism defined in <xref section="4.6.3" sectionFormat="of" target="RFC8446"/>
does not provide post-compromise security (see <xref section="E.1.5" sectionFormat="of" target="RFC8446"/>).
Furthermore, post-handshake authentication defined in
<xref section="4.6.2" sectionFormat="of" target="RFC8446"/> only offers client authentication (client-to-server).
The "Exported Authenticator" specification, see <xref target="RFC9261"/>, added support
for mutual post-handshake authentication, but this requires the Certificate,
CertificateVerify and the Finished messages to be conveyed by the application
layer protocol, as it is exercised for HTTP/2 and HTTP/3 in <xref target="I-D.ietf-httpbis-secondary-server-certs"/>.
Therefore, the application layer protocol must be enhanced whenever this feature is required.</t>
        </li>
        <li>
          <t>Rekeying of the application traffic secret does not lead to an update of the
exporter secret (see <xref section="7.5" sectionFormat="of" target="RFC8446"/>) since the derived export secret is
based on the exporter_master_secret and not on the application traffic secret.</t>
        </li>
        <li>
          <t>Flight #4, which was used by EAP-TLS 1.2 <xref target="RFC5216"/>, does not exist in TLS 1.3.
As a consequence, EAP-TLS 1.3 <xref target="RFC9190"/> introduced a placeholder message.</t>
        </li>
        <li>
          <t><xref target="RFC4279"/> introduced PSK-based authentication to TLS, including the
"PSK identity hint", which allowed a server to help the client select a PSK
identity. TLS 1.3 removed this separate server-provided hint. Instead, the
client offers one or more PSK identities in the <tt>pre_shared_key</tt> extension, and
the server selects one of them as part of the handshake. As a result, TLS 1.3
clients need sufficient local or application-provided context, such as the
intended server name, the application protocol, or
local configuration, to determine which PSK identities to offer.</t>
        </li>
        <li>
          <t>Finally, ciphersuites were deprecated and the RSA-based key transport is not
supported in TLS 1.3. As a consequence, only a Diffie-Hellman-based key exchange
is available for non-PSK-based (i.e., certificate-based) authentication. (For PSK-based authentication the
use of Diffie-Hellman is optional.)</t>
        </li>
      </ul>
      <t>The profiles in this specification are designed to be adaptable to the broad spectrum
of IoT applications, from low-power consumer devices to large-scale industrial
deployments. It provides guidelines for implementing TLS/DTLS 1.3 in diverse
networking contexts, including reliable, connection-oriented transport via TCP
for TLS, and lightweight, connectionless communication via UDP for DTLS. In
particular, DTLS is emphasized for scenarios where low-latency communication is
paramount, such as multi-hop mesh networks and low-power wide-area networks,
where the amount of data exchanged needs to be minimized.</t>
      <t>This document offers comprehensive guidance for deploying secure
communication in resource-constrained IoT environments. It outlines best practices
for configuring TLS/DTLS 1.3 to meet the unique needs of IoT devices, ensuring
robust security without overwhelming their limited processing, memory, and power
resources. The document aims to facilitate the development of secure and efficient IoT
deployments and promote the broad adoption of secure communication standards.</t>
      <t>This document updates <xref target="RFC7925"/> with respect to the X.509 certificate profile (<xref target="certificate_profile"/>) and ciphersuite requirements (<xref target="ciphersuites"/>).</t>
      <t>This document is organized as follows.
The sections from <xref target="credential_types"/>
through <xref target="zerortt"/> profile TLS/DTLS credentials and protocol features relevant
to constrained IoT deployments, including credential types, session resumption,
compression, forward secrecy, server name indication (SNI), record sizing,
crypto agility, key lengths, and 0-RTT data. <xref target="certificate_profile"/> updates
and clarifies the X.509 certificate profile from <xref target="RFC7925"/>.</t>
      <t>TLS protocol compatibility is a required basis, but it is insufficient to permit interoperability at the level of authentication and authorization.
<xref target="trust_anchor_update"/> and <xref target="certificate_overhead"/> discuss trust-anchor update
and certificate-size overhead. <xref target="ciphersuites"/> updates the ciphersuite
requirements.</t>
      <t>The remaining sections discuss fault attacks, post-quantum
cryptography, privacy, and security considerations.</t>
    </section>
    <section anchor="conventions-and-terminology">
      <name>Conventions and Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
      <t>This document uses TLS terminology from <xref target="RFC8446"/>, DTLS terminology from
<xref target="RFC9147"/>, and X.509 certificate and certification path terminology from
<xref target="RFC5280"/>. IoT device-class terminology follows <xref target="RFC7228"/> and
<xref target="I-D.ietf-iotops-7228bis"/>. The DevID, IDevID, and LDevID terms used in the
certificate profile are introduced in <xref target="IEEE-802.1AR"/> and described in
<xref target="certificate_profile"/>.</t>
    </section>
    <section anchor="credential_types">
      <name>Credential Types</name>
      <t>TLS/DTLS allow different credential types to be used. These include X.509
certificates and raw public keys, pre-shared keys (PSKs), and passwords.
The extensions used in TLS/DTLS differ depending on the credential types
supported.
Self-signed X.509 certificates are still X.509, not raw public keys; raw
public keys are conveyed via the raw_public_key extension.</t>
      <t>Password-authenticated key exchange (PAKE) mechanisms allow two endpoints to
authenticate and establish keys from a low-entropy shared secret, such as a
user-entered password, without using that secret directly as a TLS PSK. Such
mechanisms have been defined for earlier versions of TLS, and new work is
underway to add PAKE authentication to TLS 1.3 <xref target="I-D.ietf-tls-pake"/>. The
deployment model for PAKE mechanisms in constrained IoT environments is
still evolving. This profile therefore does not cover password-authenticated
TLS deployments.</t>
      <t>This profile considers three authentication modes for IoT devices:
(1) certificate-based, (2) raw public key-based and (3) external PSK-based.
TLS/DTLS 1.3 supports both PSK-only and PSK with (EC)DHE key exchange modes.
For PSK use, endpoints SHOULD use (EC)DHE where possible; see
<xref target="forward_secrecy"/>.</t>
      <t>TLS/DTLS 1.3 supports PSK-based authentication,
wherein PSKs can be established via session tickets from prior
connections or via some external, out-of-band mechanism. To distinguish
the two modes, the former is called resumption PSK and the latter
external PSK. For performance reasons the support for resumption PSKs
is often found in implementations that use X.509 certificates for
authentication.
Implementations that only support external PSKs are common in constrained
devices; implementations using certificates often also support resumption
PSKs for performance.</t>
      <t>Endpoints that use external PSKs as their only long-term credential still
follow the TLS/DTLS 1.3 extension requirements according to their
applicability; see <xref target="_table-mandatory-extensions"/>. This profile differs from
certificate-based and raw-public-key-based deployments only in that endpoints
that exclusively support external PSK authentication do not need to implement
certificate-authentication extensions or signature algorithm support. When
such endpoints offer or negotiate <tt>psk_dhe_ke</tt>, the <tt>supported_groups</tt> and
<tt>key_share</tt> extensions are required as specified by TLS 1.3. When <tt>psk_ke</tt> is
used without (EC)DHE, those extensions are not needed for that handshake.</t>
      <t>For external pre-shared keys, <xref target="RFC9258"/> recommends that applications
SHOULD provision separate PSKs for (D)TLS 1.3 and prior versions.</t>
      <t>Where possible, the importer interface defined in <xref target="RFC9258"/> MUST be used
for external PSKs. This ensures that external PSKs used in (D)TLS 1.3
are bound to a specific key derivation function (KDF) and hash function.</t>
      <t>An implementation supporting authentication based on certificates and
raw public keys MUST support digital signatures with ecdsa_secp256r1_sha256. A
compliant implementation MUST support the key exchange with secp256r1 (NIST
P-256) and SHOULD support key exchange with X25519.</t>
      <t>Entities deploying IoT devices may select credential types based on security
characteristics, operational requirements, cost, and other factors.
Consequently, this specification does not mandate a single credential type
but provides guidance on considerations relevant to the use of particular types.</t>
      <t>TLS/DTLS 1.3 implementations conforming to this profile MUST follow the
mandatory-to-implement extension requirements in <xref section="9.2" sectionFormat="of" target="RFC8446"/>.
This section summarizes those requirements and the additional extension
requirements established by this profile. The table does not replace the
normative requirements in the referenced sections.</t>
      <table align="left" anchor="_table-mandatory-extensions">
        <name>Mandatory and Profile-Specific Extension Requirements</name>
        <thead>
          <tr>
            <th align="left">Extension</th>
            <th align="left">Applicability</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">
              <tt>supported_versions</tt></td>
            <td align="left">TLS/DTLS 1.3 negotiation</td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>cookie</tt></td>
            <td align="left">HelloRetryRequest and DTLS use</td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>signature_algorithms</tt></td>
            <td align="left">Certificate authentication and other signature-based authentication mechanisms</td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>signature_algorithms_cert</tt></td>
            <td align="left">Certificate authentication where certificate signature algorithms are negotiated separately</td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>supported_groups</tt></td>
            <td align="left">DHE/ECDHE key exchange, including <tt>psk_dhe_ke</tt></td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>key_share</tt></td>
            <td align="left">DHE/ECDHE key exchange, including <tt>psk_dhe_ke</tt></td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>server_name</tt></td>
            <td align="left">Applications capable of using SNI</td>
            <td align="left">
              <xref target="sni"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>pre_shared_key</tt></td>
            <td align="left">PSK authentication and resumption</td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>psk_key_exchange_modes</tt></td>
            <td align="left">PSK authentication and resumption</td>
            <td align="left">
              <xref section="9.2" sectionFormat="of" target="RFC8446"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>application_layer_protocol_negotiation</tt></td>
            <td align="left">Application protocol selection</td>
            <td align="left">
              <xref target="alpn"/></td>
          </tr>
          <tr>
            <td align="left">
              <tt>record_size_limit</tt></td>
            <td align="left">Constrained endpoints</td>
            <td align="left">
              <xref target="record_size_limit"/></td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="error-handling">
      <name>Error Handling</name>
      <t>TLS 1.3 simplified the Alert protocol but the underlying challenge in an
embedded context remains unchanged, namely what should an IoT device do when it
encounters an error situation. The classical approach used in a desktop
environment where the user is prompted is often not applicable with unattended
devices. Hence, it is more important for a developer to find out from which
error cases a device can recover from.</t>
    </section>
    <section anchor="session-resumption">
      <name>Session Resumption</name>
      <t>TLS 1.3 has built-in support for session resumption by utilizing PSK-based
credentials established in an earlier exchange.</t>
    </section>
    <section anchor="compression">
      <name> Compression</name>
      <t>TLS 1.3 does not define compression of application data traffic, as offered by
previous versions of TLS. Applications are therefore responsible for transmitting
payloads that are either compressed or use a more efficient encoding otherwise.</t>
      <t>With regards to the handshake itself, various strategies have
been applied to reduce the size of the exchanged payloads. TLS and DTLS 1.3 use less
overhead, depending on the type of key confirmations, when compared to previous versions of the
protocol.</t>
    </section>
    <section anchor="forward_secrecy">
      <name> Forward Secrecy</name>
      <t>RFC 8446 has removed Static RSA and Static Diffie-Hellman cipher suites, therefore all public-key-based key exchange mechanisms available in TLS 1.3 provide forward secrecy.</t>
      <t>Pre-shared keys (PSKs) can be used with (EC)DHE key exchange to provide forward secrecy or can be used alone, at the cost of losing forward secrecy for the application data.
For PSK use, endpoints SHOULD use (EC)DHE to achieve forward secrecy; PSK-only
SHOULD be avoided unless the application can tolerate the loss of forward secrecy.</t>
    </section>
    <section anchor="keep-alive">
      <name>Keep-Alive</name>
      <t>The discussion in <xref section="10" sectionFormat="of" target="RFC7925"/> is applicable.
When a TLS/DTLS-level keep-alive or path MTU discovery mechanism is needed,
use of the Heartbeat Extension defined in <xref target="RFC6520"/> is RECOMMENDED.</t>
    </section>
    <section anchor="timers-and-acks">
      <name>Timers and ACKs</name>
      <t>Compared to DTLS 1.2 timeout-based whole flight retransmission, DTLS 1.3 ACKs sensibly decrease the risk of congestion collapse which was the basis for the very conservative recommendations given in <xref section="11" sectionFormat="of" target="RFC7925"/>.</t>
      <t>The recommendations in <xref section="7.3" sectionFormat="of" target="RFC9147"/> regarding ACKs apply.
In particular,</t>
      <blockquote>
        <t>When DTLS 1.3 is used in deployments with lossy networks, such as low-power, long-range radio networks as well as low-power mesh networks, the use of ACKs is recommended.</t>
      </blockquote>
      <t>ACKs provide explicit feedback on which handshake messages have been received.
This enables endpoints to detect a lack of progress more quickly and to trigger selective or early retransmission, leading to more efficient use of bandwidth and memory.</t>
      <t>Due to the vast range of network technologies used in IoT deployments, from wired LAN to GSM-SMS, it's not possible to provide a universal recommendation for an initial timeout.
Therefore, it is RECOMMENDED that DTLS 1.3 implementations allow developers to explicitly set the initial timer value.
Developers SHOULD set the initial timeout to be twice the expected round-trip time (RTT),
but no less than 1000ms, which is a conservative default aligned with the guidance in
<xref section="11" sectionFormat="of" target="RFC7925"/>.
For specific application/network combinations, a sub-second initial timeout MAY be set.
In cases where no RTT estimates are available, a 1000ms initial timeout is suitable for the general Internet.</t>
      <t>Regarding the timers used by the Return Routability Check (RRC) functionality, the recommendations in <xref section="5.5" sectionFormat="of" target="I-D.ietf-tls-dtls-rrc"/> apply.
Just like the handshake initial timers, it is RECOMMENDED that DTLS 1.2 and 1.3 implementations offer an option for their developers to explicitly set the RRC timer.</t>
    </section>
    <section anchor="random-number-generation">
      <name> Random Number Generation</name>
      <t>The discussion in <xref section="12" sectionFormat="of" target="RFC7925"/> is applicable with one exception:
the ClientHello and the ServerHello messages in TLS 1.3 do not contain
gmt_unix_time component anymore.
For entropy generation and randomness considerations, implementers should also
consult <xref target="RFC8937"/>.</t>
    </section>
    <section anchor="sni">
      <name>Server Name Indication</name>
      <t>TLS 1.3 requires implementations to support the Server Name Indication (SNI)
extension when used with applications capable of using it
(<xref section="9.2" sectionFormat="of" target="RFC8446"/>). This profile does not change that requirement.</t>
      <t>IoT clients SHOULD send SNI when connecting to a named service, in particular
when the peer is a cloud service, a multi-tenant endpoint, or any server that
uses SNI for certificate or application-context selection. IoT clients MAY omit
SNI when the peer identity is established by other application-specific
configuration, such as a configured IP address and port, a pinned certificate,
a raw public key, or an external PSK identity. When no DNS name is used, SNI
is not applicable.</t>
      <t>Deployments that require confidentiality of SNI and other ClientHello metadata
can use Encrypted ClientHello (ECH) <xref target="RFC9849"/>. ECH is most applicable to
IoT deployments that use named cloud services or shared service infrastructure
and have explicit privacy requirements. Since ECH does not protect DNS lookups
or other metadata outside the TLS handshake, deployments that rely on ECH for
privacy also need to protect DNS resolution, for example using encrypted DNS
mechanisms; see <xref target="I-D.ietf-iotops-iot-dns-guidelines"/> for IoT-specific DNS
guidance. The applicability, deployment requirements, and limitations of ECH
are described in <xref target="RFC9849"/>.</t>
      <t>IoT servers MAY use SNI for certificate or application-context selection.
Authorization decisions are outside the scope of SNI and are based on the
authenticated peer credentials and local policy. If constrained clients are not
expected to send useful SNI values, deployments SHOULD prefer separate IP
addresses or port numbers when different server identities or certificates need
to be distinguished.</t>
    </section>
    <section anchor="alpn">
      <name>Application-Layer Protocol Negotiation</name>
      <t>The Application-Layer Protocol Negotiation (ALPN) extension <xref target="RFC7301"/> is
independent of the credential type used for TLS authentication.</t>
      <t>Implementations conforming to this profile MUST support ALPN. Endpoints SHOULD
use ALPN when more than one application protocol, application protocol version, or
application context can be served by the same TLS endpoint, certificate, raw
public key, or PSK identity. When a deployment is restricted by configuration
to a single application protocol, ALPN MAY be omitted.</t>
      <t>Use of ALPN helps prevent cross-protocol confusion attacks and follows the
guidance in <xref section="3.8" sectionFormat="of" target="RFC9325"/>.</t>
    </section>
    <section anchor="record_size_limit">
      <name>Maximum Fragment Length Negotiation</name>
      <t>The Maximum Fragment Length Negotiation (MFL) extension has been superseded by
the Record Size Limit (RSL) extension <xref target="RFC8449"/>. Implementations in
compliance with this specification MUST implement the RSL extension and SHOULD
use it to indicate their RAM limitations.</t>
    </section>
    <section anchor="crypto-agility">
      <name>Crypto Agility</name>
      <t>The recommendations in <xref section="19" sectionFormat="of" target="RFC7925"/> are applicable.
The third bullet point in that section anticipated the evolution of cryptographic
hardware support in IoT devices. Today, chip manufacturers commonly provide
hardware acceleration for AES-CCM, as well as for other AES modes, including
AES-GCM. Note that the ciphersuite recommendations in this document now
include GCM, in addition to CCM, as described in <xref target="ciphersuites"/>.</t>
    </section>
    <section anchor="key-length-recommendations">
      <name>Key Length Recommendations</name>
      <t>The recommendations in <xref section="20" sectionFormat="of" target="RFC7925"/> apply with the following
update. The recommendation for 112 bits of security strength, described there
as equivalent to a 112-bit symmetric key and a 233-bit ECC key, is raised to at
least 128 bits of security strength. Using the comparison in RFC 7925, this
corresponds to a 128-bit symmetric key and a 283-bit ECC key. For the
prime-field curves used by this profile, secp256r1 provides the intended
128-bit security strength. This update is consistent with the transition to
128-bit security strength discussed in <xref target="NIST-SP-800-131Ar3"/>.</t>
    </section>
    <section anchor="zerortt">
      <name>0-RTT Data</name>
      <t><xref section="E.5" sectionFormat="of" target="RFC8446"/> establishes that:</t>
      <blockquote>
        <t>Application protocols MUST NOT use 0-RTT data without a profile that
defines its use.  That profile needs to identify which messages or
interactions are safe to use with 0-RTT and how to handle the
situation when the server rejects 0-RTT and falls back to 1-RTT.</t>
      </blockquote>
      <t>For any application protocol, 0-RTT MUST NOT be used unless a protocol-specific
profile exists.</t>
      <t>At the time of writing, no such profile has been defined for CoAP <xref target="CoAP"/>.
Therefore, 0-RTT MUST NOT be used by CoAP applications.</t>
      <t>No specific recommendations are given for non-IETF IoT protocols such as MQTT.</t>
    </section>
    <section anchor="certificate_profile">
      <name>Certificate Profile</name>
      <t>This section contains updates and clarifications to the certificate profile
defined in <xref target="RFC7925"/>. The content of Table 1 of <xref target="RFC7925"/> has been
split by certificate "type" in order to clarify exactly what requirements and
recommendations apply to the certificates that make up a certification path
from a trust anchor to an end entity certificate.</t>
      <t>This profile does not define a specific certificate policy OID; deployments
MAY define one if needed for local policy enforcement.</t>
      <t>The terminology used in this section is not intended to restrict the scope of this profile to IEEE 802.1AR deployments.
Terms from <xref target="IEEE-802.1AR"/> are used because it conveniently distinguishes between manufacturer-provisioned and operational credentials, which is important in many IoT deployments.</t>
      <t>A Device Identifier (DevID) consists of:</t>
      <ul spacing="compact">
        <li>
          <t>a private key,</t>
        </li>
        <li>
          <t>a certificate containing the public key and the identifier certified by the
certificate issuer, and</t>
        </li>
        <li>
          <t>a certificate chain leading up to a trust anchor (typically the root certificate).</t>
        </li>
      </ul>
      <t>The IEEE 802.1AR specification <xref target="IEEE-802.1AR"/> introduces the concept of DevIDs and
defines two specialized versions:</t>
      <ul spacing="compact">
        <li>
          <t>Initial Device Identifiers (IDevIDs): Provisioned during manufacturing to
provide a unique, stable identity for the lifetime of the device.</t>
        </li>
        <li>
          <t>Locally Significant Device Identifiers (LDevIDs): Provisioned after deployment
and typically used for operational purposes within a specific domain.</t>
        </li>
      </ul>
      <t>The IDevID is typically provisioned by a manufacturer and signed by the
manufacturer CA. It is then used to obtain operational certificates,
the LDevIDs, from the operator or owner of the device. Some protocols
also introduce an additional hierarchy with application instance
certificates, which are obtained for use with specific applications.</t>
      <t>IDevIDs are intended for device identity and initial onboarding or bootstrapping
protocols, such as the Bootstrapping Remote Secure Key Infrastructure (BRSKI)
protocol <xref target="RFC8995"/> or LwM2M Bootstrap <xref target="LwM2M-T"/> <xref target="LwM2M-C"/>. The use of
IDevIDs is intentionally limited to such onboarding scenarios even though they
often have a long lifetime, or do not expire at all.</t>
      <t>There are, however, multiple onboarding and bootstrapping approaches in use.
Some of them use TLS and therefore use the IDevID for client authentication,
while others, such as FIDO Device Onboarding (FDO) <xref target="FDO"/>, do not use TLS/DTLS
for client authentication. In many cases, the IDevID profile and content are
defined by those specifications. For these reasons, this specification focuses
on the description of operational certificates such as LDevIDs.</t>
      <t>This document uses the terminology and some of the rules for populating certificate
content defined in IEEE 802.1AR. However, this specification does not claim
conformance to IEEE 802.1AR, which is broader and mandates hardware, security,
and process requirements outside the constraints of many IoT deployments. This
profile borrows terminology and selected certificate fields from IEEE 802.1AR
but intentionally omits those broader requirements.</t>
      <section anchor="all-certificates">
        <name>All Certificates</name>
        <t>This section outlines the requirements for X.509 certificates that apply to all PKI entities.
These requirements apply to certificates issued within the IoT device PKI (i.e., root, subordinate and end entity certificates used to authenticate IoT devices), rather than to public WebPKI server certificates.
The section focuses on X.509 v3 certificates.</t>
        <section anchor="version">
          <name>Version</name>
          <t>Certificates MUST be of type X.509 v3.</t>
        </section>
        <section anchor="serial-number">
          <name>Serial Number</name>
          <t>The serial number MUST be unique
for each certificate issued by a given CA (i.e., the issuer name
and the serial number uniquely identify a certificate).
<xref target="RFC5280"/> limits this field to a maximum of 20 octets.
To reduce the risk of predictable serial numbers, CAs SHOULD generate serial
numbers containing at least eight (8) octets of unpredictable output from a
cryptographically secure pseudo-random number generator. The random value MAY
be combined with a counter or other information that ensures uniqueness.</t>
        </section>
        <section anchor="signature">
          <name>Signature</name>
          <t>The signature MUST be ecdsa-with-SHA256 or stronger <xref target="RFC5758"/>.</t>
          <t>Note: In contrast to IEEE 802.1AR this specification does not require
end entity certificates, subordinate CA certificates, and CA
certificates to use the same signature algorithm. Furthermore,
this specification does not utilize RSA for use with constrained IoT
devices and networks.
For certificates expected to be validated by constrained IoT devices, CAs
SHOULD select signature algorithms supported by those devices to ensure
successful validation (e.g., ECDSA P-256). Different certificates in the same
chain MAY use different signature algorithms when the relying devices support
validation of the resulting chain.</t>
        </section>
        <section anchor="issuer">
          <name>Issuer</name>
          <t>The issuer field MUST contain a non-empty distinguished name (DN)
of the entity that has signed and issued the certificate in accordance
with <xref target="RFC5280"/>.</t>
        </section>
        <section anchor="validity">
          <name> Validity</name>
          <t>Vendors must determine the expected lifespan of their IoT devices. This
decision directly affects how long firmware and software updates are
provided for, as well as the level of maintenance that customers can expect.
It also affects the maximum validity period of certificates.</t>
          <t>Constrained devices often lack precise UTC time; implementations SHOULD treat
time checks with coarse granularity (e.g., day- or hour-level) and ignore leap
seconds when validating notAfter. For devices without a reliable source of time
we advise the use of a device management solution, which typically includes a
certificate management protocol, to manage certificates used by the device over
their lifecycle. While this approach does not utilize certificates to its widest
extent, it is a solution that extends the capabilities offered by a raw public
key approach.</t>
          <t>In many IoT deployments, IDevIDs are provisioned with an unlimited lifetime,
as described in <xref target="IEEE-802.1AR"/>. This helps prevent devices from being
accidentally bricked due to certificate expiration. A real-world example
occurred in 2018, when Oculus Rift headsets became unusable after an Oculus
certificate expired <xref target="Toms-Hardware-Oculus-Rift-2018"/>. Oculus later issued
a manual patch, as the expired certificate also blocked the standard software
update path.</t>
          <t>For this purpose, the special GeneralizedTime
value 99991231235959Z is used in the notAfter field, as described in
<xref section="4.1.2.5" sectionFormat="of" target="RFC5280"/>. However, the CA certificate and subordinate CA
certificates in the certification path may still have finite validity periods.
Careful consideration is therefore required before issuing IDevID certificates
with no maximum validity period, since an effectively unlimited certificate
lifetime is only useful if the relevant certification path remains usable for
the intended lifetime of the device.</t>
          <t>LDevID certificates are, however, issued by the operator or owner,
and may be renewed at a regular interval using protocols, such
as Enrollment over Secure Transport (EST) <xref target="RFC7030"/> or
Certificate Management Protocol (CMP) <xref target="RFC9810"/> <xref target="RFC9483"/>.
It is therefore RECOMMENDED to limit the lifetime of these LDevID certificates
using the notBefore and notAfter fields, as described in <xref section="4.1.2.5" sectionFormat="of" target="RFC5280"/>. Values MUST be expressed in Greenwich Mean Time (Zulu) and
MUST include seconds even where the number of seconds is zero.</t>
          <t>Note that the validity period is defined as the period of time from notBefore
through notAfter, inclusive. This means that a hypothetical certificate with a
notBefore date of 9 June 2021 at 03:42:01 and a notAfter date of 7 September
2021 at 03:42:01 becomes valid at the beginning of the :01 second, and only
becomes invalid at the :02 second, a period that is 90 days plus 1 second. So
for a 90-day, the time portion of notAfter is 03:42:00.</t>
        </section>
        <section anchor="subject-public-key-info">
          <name> Subject Public Key Info</name>
          <t>The subjectPublicKeyInfo field indicates the algorithm and any associated
parameters for the ECC public key. This profile uses the id-ecPublicKey
algorithm identifier for ECDSA signature keys, as defined and specified in
<xref target="RFC5480"/>. This specification assumes that devices support one of the
following algorithms:</t>
          <ul spacing="compact">
            <li>
              <t>id-ecPublicKey with secp256r1,</t>
            </li>
            <li>
              <t>id-ecPublicKey with secp384r1, and</t>
            </li>
            <li>
              <t>id-ecPublicKey with secp521r1.</t>
            </li>
          </ul>
          <t>TLS 1.3 certificate-based authentication requires end-entity certificates
containing public keys suitable for digital signatures. TLS 1.2 also defined
static DH/ECDH certificate-based key exchange modes in which the end-entity
certificate contains a key-agreement public key rather than a signature public
key. This specification prohibits the use of such static DH/ECDH end-entity
certificates with TLS 1.2.</t>
          <t>There is no requirement for CA certificates to use the same algorithm as the
end entity certificate.
Certificates with longer lifetime may well use a cryptographically stronger
algorithm. However, CAs (or their administrators) that issue certificates
intended to be validated by constrained IoT devices SHOULD select algorithms
supported by those devices to ensure successful validation. Longer-lived CA
certificates MAY intentionally use stronger or different algorithms if the
target devices are expected to validate such chains successfully.</t>
        </section>
        <section anchor="certificate-revocation-checks">
          <name>Certificate Revocation Checks</name>
          <t>Constrained IoT devices often lack the resources to perform traditional
Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP)
checks. Consistent with the guidance in <xref section="4.4.3" sectionFormat="of" target="RFC7925"/>, neither
OCSP nor CRLs are used by constrained IoT devices during the TLS handshake.</t>
          <t>Instead, IoT deployments generally rely on short-lived end-entity certificates
managed via automated onboarding and management protocols (such as Lightweight
Machine-to-Machine <xref target="LwM2M-T"/> <xref target="LwM2M-C"/>).  Because these protocols can
distribute and update certificates on demand, they make real-time revocation
checks largely unnecessary.</t>
          <t>Since these checks are bypassed, the CRL Distribution Points extension and
the Authority Information Access (AIA) extension for OCSP SHOULD NOT be
included in IoT device certificates.  If they are present, they MUST NOT be
marked critical.  However, the AIA extension MAY be used to provide the
caIssuer access method, enabling peers with sufficient resources to fetch
certificate chains.</t>
          <t>When designing the application layer, developers must account for the fact that
updating a certificate does not automatically affect existing, long-lived TLS
sessions.  TLS alone does not mandate continuous validity checks once a
connection is established.  Furthermore, TLS 1.3 natively supports only
client-to-server post-handshake authentication.  Achieving mutual
post-handshake authentication requires Exported Authenticators
<xref target="RFC9261"/>, which requires the application-layer protocol
to carry the authentication payload.  Therefore, if continuous validation is strictly required
for a long-lived connection, it is the application's responsibility to enforce
this policy by actively triggering re-authentication or tearing down and
re-establishing the TLS session.</t>
          <t>Ultimately, instead of attempting to perform revocation checks directly on the
constrained device, it is RECOMMENDED to delegate this responsibility to the
IoT device operator, who can take the necessary administrative actions (such as
deploying updated certificates) to keep the network secure and operational.
While the above recommendation is valid in most cases, it should be considered
carefully on a case-by-case basis, taking into account the security risks
associated with not re-authenticating peers and the cost/complexity of
implementing an application-layer solution.</t>
        </section>
      </section>
      <section anchor="root-ca-certificate">
        <name>Root CA Certificate</name>
        <t>This section outlines the requirements for root CA certificates.</t>
        <section anchor="subject">
          <name>Subject</name>
          <t><xref section="4.1.2.6" sectionFormat="of" target="RFC5280"/> requires that, when the subject is a CA,
the subject field be populated with a non-empty distinguished name.
Therefore, Root CA certificates MUST have a non-empty subject field.
This is because a CA's Subject DN becomes the subordinate certificate's Issuer DN, which MUST NOT be empty.
The subject field
MUST contain the commonName, the organizationName, and the countryName
attribute and MAY contain an organizationalUnitName attribute.
If a subjectAltName extension is present, it SHOULD be set to a value
consistent with the subject and SHOULD NOT be marked critical.</t>
        </section>
        <section anchor="authority-key-identifier">
          <name>Authority Key Identifier</name>
          <t><xref section="4.2.1.1" sectionFormat="of" target="RFC5280"/> defines the Authority Key Identifier as follows:
"The authority key identifier extension provides a means of identifying the
public key corresponding to the private key used to sign a certificate. This
extension is used where an issuer has multiple signing keys."</t>
          <t>The Authority Key Identifier extension SHOULD be set to aid path construction.
If it is set, it MUST NOT be marked critical, and MUST contain the
subjectKeyIdentifier of this certificate.</t>
        </section>
        <section anchor="subject-key-identifier">
          <name>Subject Key Identifier</name>
          <t><xref section="4.2.1.2" sectionFormat="of" target="RFC5280"/> defines the SubjectKeyIdentifier as follows:
"The subject key identifier extension provides a means of identifying
certificates that contain a particular public key."</t>
          <t>The Subject Key Identifier extension MUST be set, MUST NOT be marked critical,
and MUST contain the key identifier of the public key contained in the subject
public key info field.</t>
          <t>The subjectKeyIdentifier is used by path construction algorithms to identify which CA has signed a subordinate certificate.</t>
        </section>
        <section anchor="key-usage">
          <name>Key Usage</name>
          <t><xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/> defines the key usage field as follows: "The key usage extension defines
the purpose (e.g., encipherment, signature, certificate signing) of the key contained
in the certificate."</t>
          <t>The Key Usage extension SHOULD be set; if it is set, it MUST be marked
critical, and the keyCertSign purpose MUST be set. If the Root CA issues CRLs,
the cRLSign purpose MUST also be set. Additional key usages MAY be set
depending on the intended usage of the public key. The digitalSignature purpose
is not required for a Root CA certificate.</t>
        </section>
        <section anchor="extended-key-usage">
          <name>Extended Key Usage</name>
          <t><xref section="4.2.1.12" sectionFormat="of" target="RFC5280"/> defines the extended key usage as follows: "This extension indicates
one or more purposes for which the certified public key may be used, in addition to
or in place of the basic purposes indicated in the key usage extension."</t>
          <t>This extendedKeyUsage extension MUST NOT be set in CA certificates.</t>
        </section>
        <section anchor="basic-constraints">
          <name>Basic Constraints</name>
          <t><xref section="4.2.1.9" sectionFormat="of" target="RFC5280"/> states that "The Basic Constraints extension identifies whether the subject
of the certificate is a CA and the maximum depth of valid certification paths that include
this certificate. The cA boolean indicates whether the certified public key may be used to
verify certificate signatures."</t>
          <t>For the pathLenConstraint RFC 5280 makes further statements:</t>
          <ul spacing="compact">
            <li>
              <t>"The pathLenConstraint field is meaningful only if the cA boolean is asserted and the
key usage extension, if present, asserts the keyCertSign bit. In this case, it gives the
maximum number of non-self-issued intermediate certificates that may follow this
certificate in a valid certification path."</t>
            </li>
            <li>
              <t>"A pathLenConstraint of zero indicates that no non-self-issued intermediate CA
certificates may follow in a valid certification path."</t>
            </li>
            <li>
              <t>"Where pathLenConstraint does not appear, no limit is imposed."</t>
            </li>
            <li>
              <t>"Conforming CAs MUST include this extension in all CA certificates that contain public
keys used to validate digital signatures on certificates and MUST mark the extension as
critical in such certificates."</t>
            </li>
          </ul>
          <t>The Basic Constraints extension MUST be set, MUST be marked critical, the cA flag MUST
be set to true and the pathLenConstraint MUST be omitted.</t>
          <t>Omitting pathLenConstraint follows common root CA practice but is not meant to
encourage arbitrarily deep certification hierarchies in IoT deployments.
Shallow hierarchies remain preferable for constrained devices.</t>
        </section>
      </section>
      <section anchor="subordinate-ca-certificate">
        <name>Subordinate CA Certificate</name>
        <t>This section outlines the requirements for subordinate CA certificates.</t>
        <section anchor="subject-1">
          <name>Subject</name>
          <t>The subject field MUST be set and MUST contain the commonName, the organizationName,
and the countryName attribute and MAY contain an organizationalUnitName attribute.</t>
        </section>
        <section anchor="authority-key-identifier-1">
          <name>Authority Key Identifier</name>
          <t>The Authority Key Identifier extension MUST be set, MUST NOT be marked critical, and
MUST contain the subjectKeyIdentifier of the CA that issued this certificate.</t>
        </section>
        <section anchor="subject-key-identifier-1">
          <name>Subject Key Identifier</name>
          <t>The Subject Key Identifier extension MUST be set, MUST NOT be marked critical, and MUST
contain the key identifier of the public key contained in the subject public key info
field.</t>
        </section>
        <section anchor="key-usage-1">
          <name>Key Usage</name>
          <t><xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/> defines the key usage extension. The Key Usage
extension MUST be set, MUST be marked critical, and the keyCertSign purpose MUST
be set. If the subordinate CA issues CRLs, the cRLSign purpose MUST also be set.
The digitalSignature purpose SHOULD be set.</t>
          <t>Subordinate certification authorities SHOULD NOT have any extendedKeyUsage.
<xref section="4.2.1.12" sectionFormat="of" target="RFC5280"/> reserves EKUs to be meaningful only in end
entity certificates.</t>
        </section>
        <section anchor="basic-constraints-1">
          <name>Basic Constraints</name>
          <t>The Basic Constraints extension MUST be set, MUST be marked critical, the cA flag
MUST be set to true and the pathLenConstraint SHOULD be omitted.</t>
        </section>
        <section anchor="crl-distribution-point">
          <name>CRL Distribution Point</name>
          <t>The CRL Distribution Point extension SHOULD NOT be set. If it is set, it MUST NOT
be marked critical and MUST identify the CRL relevant for this certificate.</t>
        </section>
        <section anchor="authority-information-access">
          <name>Authority Information Access</name>
          <t>The Authority Information Access (AIA) extension SHOULD NOT be set. If it is set, it MUST
NOT be marked critical and MUST identify the location of the certificate of the CA
that issued this certificate and the location it provides an online certificate
status service (OCSP).</t>
        </section>
      </section>
      <section anchor="end-entity-certificate">
        <name>End Entity Certificate</name>
        <t>This section outlines the requirements for end entity certificates.</t>
        <section anchor="subject-2">
          <name>Subject</name>
          <t>This section describes the use of end entity certificates primarily for (D)TLS
clients running on IoT devices. Operating (D)TLS servers on IoT devices is
possible but less common.</t>
          <t><xref section="2" sectionFormat="comma" target="RFC9525"/> mandates that the subject field not be used to identify a service.
However, certain IoT applications (for example, <xref target="I-D.ietf-anima-constrained-voucher"/>,
<xref target="IEEE-802.1AR"/>) use the subject field to encode the device serial number.</t>
          <t>The requirement in <xref section="4.4.2" sectionFormat="of" target="RFC7925"/> to only use EUI-64 for end
entity certificates as a subject field is lifted.</t>
          <t>Two fields are typically used to encode a device identifier, namely the
Subject and the subjectAltName fields. Protocol specifications tend to offer
recommendations about what identifiers to use and the deployment situation is
fragmented.</t>
          <t>It is common to use serial numbers as identifiers for IoT devices, but the
term "serial number" is overloaded. This profile distinguishes between a
manufacturer-assigned device serial number and a link-layer identifier such as
an EUI-48, EUI-64, or MAC address.</t>
          <t>A manufacturer-assigned device serial number is an identifier assigned to a
device by its manufacturer. When this identifier is included in the certificate
subject distinguished name (Subject DN), <xref section="A.1" sectionFormat="of" target="RFC5280"/> provides
the X520SerialNumber attribute:</t>
          <artwork><![CDATA[
id-at-serialNumber   OBJECT IDENTIFIER ::= { id-at 5 }
X520SerialNumber    ::= PrintableString
]]></artwork>
          <t>This value is part of the Subject DN. Section 8.6 of <xref target="IEEE-802.1AR"/> mandates
that the Subject DN is not null and encourages use of
the X520SerialNumber attribute as the primary name for the device.</t>
          <t>An EUI-48 or EUI-64 identifies a link-layer interface or, depending on the
allocation scheme, a device. It has defined binary semantics and is not
inherently the same concept as a manufacturer's product serial number. A
deployment may use an EUI-64 as its device serial number, but that does not
make the concepts identical. A device serial number can be an arbitrary
manufacturer-defined string, while a device can have multiple MAC addresses,
and those addresses can change when interfaces are replaced or reconfigured.
Many constrained IoT devices, however, do not have more than one network
interface; for those devices it can be convenient for manufacturers to reuse an
existing unique MAC address or EUI as the device identifier.</t>
          <t><xref section="4.4.2" sectionFormat="of" target="RFC7925"/> requires the identifier in a client certificate
to be an EUI-64 and permits that identifier to appear either in the
subjectAltName or in the leftmost commonName component of the Subject DN. This
profile updates that guidance by distinguishing manufacturer-assigned device
serial numbers from EUI-48 and EUI-64 link-layer identifiers.</t>
          <t><xref section="2.3.1" sectionFormat="of" target="RFC8995"/> uses a device serial number to identify a BRSKI
pledge. Consistent with <xref target="IEEE-802.1AR"/>, <xref target="RFC8995"/> identifies the device
serial-number field as the X520SerialNumber attribute defined in
<xref section="A.1" sectionFormat="of" target="RFC5280"/>. The registrar extracts this certified device
serial number from the pledge's IDevID and uses it in voucher processing. The
important semantic point is that BRSKI needs a stable manufacturer device
identifier; <xref target="RFC8995"/> does not require this value to be an EUI-48 or EUI-64.</t>
          <t>A manufacturer-assigned device serial number included in the Subject DN MUST be
encoded in the X520SerialNumber attribute. If an EUI-48 or EUI-64 is used to
identify a device, it SHOULD be encoded in the subjectAltName extension using
the MACAddress otherName defined in <xref target="I-D.ietf-lamps-macaddress-on"/>. An
EUI-64 that serves as the manufacturer-assigned device serial number MAY
instead be encoded in the X520SerialNumber attribute.</t>
          <t><xref target="RFC5280"/> defines: "The subject alternative name extension allows identities
to be bound to the subject of the certificate. These identities may be included
in addition to or in place of the identity in the subject field of the certificate."</t>
          <t>The subject alternative name extension MAY be set. If it is set, it MUST NOT be
marked critical, except when the subject DN contains an empty sequence.</t>
          <t>The MACAddress otherName carries the value as an OCTET STRING. An EUI-48 is
encoded as exactly 6 octets and an EUI-64 is encoded as exactly 8 octets.
<xref target="I-D.ietf-lamps-macaddress-on"/> also defines how this name form is used with
the <xref target="RFC5280"/> Name Constraints extension, allowing a CA certificate to
constrain permitted or excluded MAC address ranges, for example by an
Organizationally Unique Identifier (OUI).</t>
          <t>The CA needs to validate the identifier's relationship to the subject. For a
MACAddress value, <xref target="I-D.ietf-lamps-macaddress-on"/> requires the CA to ensure
that the address is owned by, or expected to be owned by, the subject device for
the certificate's lifetime. This requirement can be difficult for replaceable
interfaces, virtual interfaces, locally administered addresses, and MAC address
randomization.</t>
          <t>Both manufacturer-assigned device serial numbers and EUI-48 or EUI-64 values
can expose stable identifiers to certificate recipients. TLS 1.3 encrypts
certificates during the handshake, but the
peer still learns the identifier. An EUI-48 or EUI-64 can reveal
organizational allocation information and can enable correlation across
networks or application contexts. A stable device serial number has similar
correlation risks. Environments that are concerned about such traffic analysis
SHOULD use an enrollment protocol to migrate from identifiable IDevID
certificates to less identifiable operational LDevID certificates.</t>
          <t>Per <xref target="RFC9525"/> domain names MUST NOT be encoded in the subject commonName. Instead they
MUST be encoded in a subjectAltName of type DNS-ID. Domain names MUST NOT
contain wildcard (<tt>*</tt>) characters. The subjectAltName MUST NOT contain multiple
names.</t>
          <t>Note: The IEEE 802.1AR recommends to encode information about a Trusted
Platform Module (TPM), if present, in the HardwareModuleName (<xref section="5" sectionFormat="of" target="RFC4108"/>). This
specification does not follow this recommendation.</t>
        </section>
        <section anchor="authority-key-identifier-2">
          <name>Authority Key Identifier</name>
          <t>The Authority Key Identifier extension MUST be set, MUST NOT be marked critical,
and MUST contain the subjectKeyIdentifier of the CA that issued this certificate.</t>
        </section>
        <section anchor="subject-key-identifier-2">
          <name>Subject Key Identifier</name>
          <t>The Subject Key Identifier MUST NOT be included in end entity certificates, as it can be calculated from the public key, so it just takes up space.
End entity certificates are not used in path construction, so there is no ambiguity regarding which certificate chain to use, as there can be with subordinate CAs.</t>
        </section>
        <section anchor="key-usage-2">
          <name>Key Usage</name>
          <t>The key usage extension MUST be set and MUST be marked as critical. For
signature verification keys the digitialSignature key usage purpose MUST
be specified. Other key usages are set according to the intended usage
of the key.</t>
          <t>As specified in <xref target="IEEE-802.1AR"/>, the extendedKeyUsage SHOULD NOT be present in
IDevID certificates, as it reduces the utility of the IDevID.
For locally assigned LDevID certificates to be usable with TLS,
the extendedKeyUsage MUST contain at least one of the following:
id-kp-serverAuth or id-kp-clientAuth. The selected EKUs MUST match the
intended TLS role of the device or service using the certificate.</t>
        </section>
      </section>
    </section>
    <section anchor="trust_anchor_update">
      <name>Update of Trust Anchors</name>
      <t>Since the publication of RFC 7925 the need for firmware update mechanisms
has been reinforced and the work on standardizing a secure and
interoperable firmware update mechanism has made substantial progress,
see <xref target="RFC9019"/>. RFC 7925 recommends to use a software / firmware update
mechanism to provision devices with new trust anchors. This approach only
addresses the distribution of trust anchors and not end entity certificates
or certificates of subordinate CAs.</t>
      <t>As an alternative, certificate management protocols like CMP and EST
have also offered ways to update trust anchors. See, for example,
<xref section="2.1" sectionFormat="of" target="RFC7030"/> for an approach to obtaining CA certificates
via EST.</t>
    </section>
    <section anchor="certificate_overhead">
      <name>Certificate Overhead</name>
      <t>In certificate-based authentication, certificates and public keys are a major
contributor to the size of the overall handshake. For example, in a regular TLS
1.3 handshake with minimal ECC certificates and no subordinate CA using
the secp256r1 curve with mutual authentication, around 40% of the entire
handshake payload is consumed by the two exchanged certificates.</t>
      <t>Deployments should first apply the certificate-profile recommendations in this
document, since they reduce both bandwidth use and certificate processing cost
without requiring additional TLS extensions:</t>
      <ul spacing="compact">
        <li>
          <t>Use elliptic curve cryptography (ECC) instead of RSA-based certificates. This
document recommends the use of elliptic curve cryptography only.</t>
        </li>
        <li>
          <t>Avoid deep and complex CA hierarchies to reduce the number of subordinate CA
certificates that need to be transmitted and processed. See
<xref target="I-D.irtf-t2trg-taxonomy-manufacturer-anchors"/> for a discussion about CA
hierarchies. Most security requirements can be satisfied with a PKI depth of
3 (root CA, one subordinate CA, and end entity certificates).</t>
        </li>
        <li>
          <t>Include only the certificate fields and extensions needed for the intended
deployment. The profile in <xref target="certificate_profile"/> identifies certificate
content that can be omitted in constrained IoT deployments.</t>
        </li>
        <li>
          <t>Transmit only the certificates needed by the peer to build a path to one of
its configured trust anchors. Trust anchors are intended to be provisioned
out of band and a trust anchor received in a TLS Certificate message cannot
be assumed trustworthy. A trust anchor therefore SHOULD NOT be included in
the Certificate message.</t>
        </li>
      </ul>
      <t>TLS and DTLS also provide mechanisms that reduce how often large certificate
chains have to be exchanged. Session resumption reduces the size of subsequent
handshakes after an initial authenticated exchange. DTLS Connection IDs
<xref target="RFC9146"/>, when applicable, help preserve long-lived associations across
address or path changes and can therefore avoid handshakes that would otherwise
be needed to re-establish the connection.</t>
      <t>Omitting trust anchors from the Certificate message is the preferred baseline,
but the sender still has to provide enough information for the peer to validate
the presented end entity certificate. In some deployments the sender cannot
infer which trust anchor the peer has configured. For example, the peer's trust
anchor might be an intermediate CA rather than a root CA, or a root key
transition might mean that different devices have different old or new trust
anchors installed. In these cases, the peer MAY use the Trusted CA Indication
extension <xref target="RFC6066"/> to help the sender select an appropriate certificate
chain. During trust-anchor updates, deployments may also need transitional
cross-certificates, such as the newWithOld and oldWithNew certificates
described by <xref section="4.4" sectionFormat="of" target="RFC9810"/>. Such certificates can help bridge the
transition, but they do not replace out-of-band provisioning of trust anchors.</t>
      <t>Additional techniques are available, but they are more deployment-specific and
are not uniformly supported by TLS/DTLS stacks:</t>
      <ul spacing="compact">
        <li>
          <t>The TLS cached info <xref target="RFC7924"/> extension can avoid sending certificates
with every full handshake. This mechanism is particularly useful when a
client has a pinned server certificate, or has otherwise cached the server
certificate or certificate chain, because it gives the client a standardized
way to indicate that retransmitting the cached information is unnecessary.</t>
        </li>
        <li>
          <t>The client certificate URL mechanism defined in <xref section="5" sectionFormat="of" target="RFC6066"/> can
replace client certificates in the handshake with references to external
certificate objects. When
applications perform TLS client authentication via DNS-Based Authentication
of Named Entities (DANE) TLSA records, then
<xref target="I-D.ietf-dance-tls-clientid"/> may be used to reduce the packets on the
wire. The term "TLSA" does not stand for anything; it is the name of the
RRtype, as explained in <xref target="RFC6698"/>.</t>
        </li>
        <li>
          <t>Certificate compression <xref target="RFC8879"/> can reduce the size of certificates
that still have to be transmitted.</t>
        </li>
        <li>
          <t>Alternative certificate formats, such as raw public keys <xref target="RFC7250"/> or
CBOR-encoded certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, can reduce
credential size where the application and provisioning model support them.</t>
        </li>
        <li>
          <t>Certificate handles, where available, are another form of caching.</t>
        </li>
      </ul>
      <t>These additional mechanisms can be useful, but they can also introduce side
effects, such as reliance on DNS or directory infrastructure, cache
invalidation requirements, privacy exposure to retrieval services, changes to
the credential provisioning model, and additional implementation code. A
deployment SHOULD evaluate these trade-offs and use such mechanisms only when
the baseline certificate-profile recommendations, shallow certification paths,
session resumption, and long-lived DTLS associations do not provide the desired
reduction in handshake size or frequency.</t>
    </section>
    <section anchor="ciphersuites">
      <name>Ciphersuites</name>
      <t>According to <xref section="4.5.3" sectionFormat="of" target="RFC9147"/>, the use of AES-CCM with 8-octet
authentication tags (CCM_8) is considered unsuitable for general use with DTLS.
This is because it has low integrity limits (i.e., high sensitivity to
forgeries) which makes endpoints that negotiate ciphersuites based on such AEAD
vulnerable to a trivial DoS attack. See also Sections <xref target="I-D.irtf-cfrg-aead-limits" section="5.3" sectionFormat="bare"/> and <xref target="I-D.irtf-cfrg-aead-limits" section="5.4" sectionFormat="bare"/> of <xref target="I-D.irtf-cfrg-aead-limits"/> for further discussion on this topic, as well as
references to the analysis supporting these conclusions.</t>
      <t>Specifically, <xref target="RFC9147"/> warns that:</t>
      <blockquote>
        <t>TLS_AES_128_CCM_8_SHA256 MUST NOT be used in DTLS without additional
safeguards against forgery. Implementations MUST set usage limits for
AEAD_AES_128_CCM_8 based on an understanding of any additional forgery
protections that are used.</t>
      </blockquote>
      <t>Since all the ciphersuites required by <xref target="RFC7925"/> and <xref target="CoAP"/> rely on CCM_8,
there is no alternate ciphersuite available for applications that aim to
eliminate the security and availability threats related to CCM_8 while retaining
interoperability with the larger ecosystem.</t>
      <t>In order to ameliorate the situation, it is RECOMMENDED that
implementations support the following two ciphersuites for TLS 1.3:</t>
      <ul spacing="compact">
        <li>
          <t><tt>TLS_AES_128_GCM_SHA256</tt></t>
        </li>
        <li>
          <t><tt>TLS_AES_128_CCM_SHA256</tt></t>
        </li>
      </ul>
      <t>and offer them as their first choice.  These ciphersuites provide
confidentiality and integrity limits that are considered acceptable in the most
general settings.  For the details on the exact bounds of both ciphersuites see
<xref section="4.5.3" sectionFormat="of" target="RFC9147"/>.  Note that the GCM-based ciphersuite offers
superior interoperability with cloud services at the cost of a slight increase
in the wire and peak RAM footprints.</t>
      <t>TLS 1.3 enforces deterministic nonce generation for all AEAD cipher suites.
However, this is not the case for TLS 1.2.
Therefore, when using the GCM-based cipher suite with TLS 1.2, the recommendations in <xref section="7.2.1" sectionFormat="of" target="RFC9325"/> relating to deterministic nonce generation apply.
In addition, the integrity limits on key usage detailed in <xref section="4.4" sectionFormat="of" target="RFC9325"/> also apply.</t>
      <t><xref target="tab-cipher-reqs"/> summarizes the recommendations regarding ciphersuites:</t>
      <table align="left" anchor="tab-cipher-reqs">
        <name>TLS 1.3 Ciphersuite Requirements</name>
        <thead>
          <tr>
            <th align="left">Ciphersuite</th>
            <th align="left">Requirement</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">
              <tt>TLS_AES_128_CCM_8_SHA256</tt></td>
            <td align="left">MUST implement for compatibility with <xref target="RFC7925"/> and <xref target="CoAP"/> deployments; not recommended for new deployments</td>
          </tr>
          <tr>
            <td align="left">
              <tt>TLS_AES_128_CCM_SHA256</tt></td>
            <td align="left">SHOULD implement</td>
          </tr>
          <tr>
            <td align="left">
              <tt>TLS_AES_128_GCM_SHA256</tt></td>
            <td align="left">SHOULD implement</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="fault-attacks-on-deterministic-signature-schemes">
      <name>Fault Attacks on Deterministic Signature Schemes</name>
      <t>A number of passive side-channel attacks as well as active fault-injection
attacks (e.g., <xref target="Ambrose2017"/>) have been demonstrated to be successful in allowing a malicious
third party to gain information about the signing key if a fully deterministic
signature scheme (e.g., ECDSA <xref target="RFC6979"/> or EdDSA <xref target="RFC8032"/>) is used.</t>
      <t>Most of these attacks assume physical access to the device and are therefore
especially relevant to smart cards as well as IoT deployments with poor or
non-existent physical security.</t>
      <t>In this security model, it is recommended to combine both randomness and
determinism, for example, as described in
<xref target="I-D.irtf-cfrg-det-sigs-with-noise"/>.</t>
    </section>
    <section anchor="post-quantum-cryptography-pqc-considerations">
      <name>Post-Quantum Cryptography (PQC) Considerations</name>
      <t>This section is informational and provides deployment guidance only; it does
not add normative requirements to this profile.</t>
      <t>The recommendations and ciphersuites in this profile are based on classical
cryptography and are not quantum-resistant.</t>
      <t>As detailed in <xref target="I-D.ietf-pquip-pqc-engineers"/>, the IETF is actively working to address the challenges of adopting PQC in various protocols, including TLS. The document highlights key aspects engineers must consider, such as algorithm selection, performance impacts, and deployment strategies. It emphasizes the importance of gradual integration of PQC to ensure secure communication while accounting for the increased computational, memory, and bandwidth requirements of PQC algorithms. These challenges are especially relevant in the context of IoT, where device constraints limit the adoption of larger key sizes and more complex cryptographic operations <xref target="PQC-PERF"/>. Besides, any choice need to careful evaluate the associated energy requirements <xref target="PQC-ENERGY"/>.</t>
      <t>The work of incorporating PQC into TLS <xref target="I-D.ietf-uta-pqc-app"/> <xref target="I-D.ietf-pquip-pqc-hsm-constrained"/> is still ongoing, with key exchange message sizes increasing due to larger public keys. These larger keys demand more flash storage and higher RAM usage, presenting significant obstacles for resource-constrained IoT devices. The transition from classical cryptographic algorithms to PQC will be a significant challenge for constrained IoT devices, requiring careful planning to select hardware suitable for the task considering the lifetime of an IoT product.</t>
      <t>As a transitional measure, <xref target="I-D.ietf-tls-8773bis"/> allows certificate-based
authentication to be combined with a strong external PSK that is incorporated
into the TLS 1.3 key schedule. This provides confidentiality protection against
a future cryptographically relevant quantum computer, provided that the
external PSK is generated and distributed securely. It does not make the
certificate-based authentication quantum resistant. Deployments can use this
mechanism as a migration path while PQC algorithms are being introduced, at
certificate-based authentication quantum resistant.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>The privacy considerations in <xref section="22" sectionFormat="of" target="RFC7925"/> largely continue to
apply. However, compared to TLS 1.2 and DTLS 1.2, TLS 1.3 and DTLS 1.3 encrypt
a larger portion of the handshake, which reduces the amount of identity and
credential metadata observable on the wire by passive attackers. Extensions,
such as the encrypted ClientHello, further increase privacy protection.</t>
      <t>Certificate fields can expose stable device identifiers and other metadata.
In particular, IDevIDs and LDevIDs may reveal manufacturer identity, device
serial numbers, or other information to peers. Protection against passive
observers is, however, substantially improved since certificates are not
transmitted in the clear in TLS 1.3 and DTLS 1.3.</t>
      <t>Manufacturer-assigned device serial numbers and EUI-48 or EUI-64 values can
enable correlation across networks or application contexts. EUI-48 and EUI-64
values can also reveal organizational allocation information. Deployments that
are concerned about such traffic analysis SHOULD use an enrollment protocol to
migrate from identifiable IDevID certificates to less identifiable operational
LDevID certificates.</t>
      <t>Some deployments use the mechanisms discussed in the Certificate Overhead section,
such as certificate URLs or external certificate retrieval, instead of always
transmitting full certificates in the handshake. In these cases, the privacy
properties differ because stable identifiers may be exposed to retrieval
services, directories, or to observers of those retrieval transactions.</t>
      <t>Where privacy is a deployment requirement, implementations and PKI profiles
should include only the minimum identity information needed for authorization
and interoperability.</t>
      <t>When Connection IDs are used with DTLS 1.3, CID negotiation in post-handshake
messages is encrypted and integrity protected. In addition, record sequence
numbers are encrypted. Compared to DTLS 1.2 CID, this makes tracking by on-path
adversaries more difficult and improves privacy in multi-home and mobile
deployments (<xref section="11" sectionFormat="of" target="RFC9147"/>).</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This entire document is about security.</t>
      <t>This profile does not specify authentication- or integrity-only cipher suites.
Deployments considering such cipher suites, such as defined in <xref target="RFC9150"/>,
need application-specific analysis outside the scope of this
document.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document makes no requests to IANA.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC6520">
          <front>
            <title>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension</title>
            <author fullname="R. Seggelmann" initials="R." surname="Seggelmann"/>
            <author fullname="M. Tuexen" initials="M." surname="Tuexen"/>
            <author fullname="M. Williams" initials="M." surname="Williams"/>
            <date month="February" year="2012"/>
            <abstract>
              <t>This document describes the Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols.</t>
              <t>The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation and a basis for path MTU (PMTU) discovery for DTLS. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6520"/>
          <seriesInfo name="DOI" value="10.17487/RFC6520"/>
        </reference>
        <reference anchor="I-D.ietf-lamps-macaddress-on">
          <front>
            <title>Media Access Control (MAC) Addresses in X.509 Certificates</title>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <author fullname="Corey Bonnell" initials="C." surname="Bonnell">
              <organization>DigiCert, Inc.</organization>
            </author>
            <author fullname="Joe Mandel" initials="J." surname="Mandel">
              <organization>AKAYLA, Inc.</organization>
            </author>
            <author fullname="Tomofumi Okubo" initials="T." surname="Okubo">
              <organization>Penguin Securities Pte. Ltd.</organization>
            </author>
            <author fullname="Michael StJohns" initials="M." surname="StJohns">
              <organization>NthPermutation Security LLC</organization>
            </author>
            <date day="12" month="March" year="2026"/>
            <abstract>
              <t>   This document defines a new GeneralName.otherName for inclusion in
   the X.509 Subject Alternative Name (SAN) and Issuer Alternative Name
   (IAN) extensions to carry an IEEE Media Access Control (MAC) address.
   The new name form makes it possible to bind a layer-2 interface
   identifier to a public key certificate.  Additionally, this document
   defines how constraints on this name form can be encoded and
   processed in the X.509 Name Constraints extension (NCE).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-macaddress-on-07"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC9258">
          <front>
            <title>Importing External Pre-Shared Keys (PSKs) for TLS 1.3</title>
            <author fullname="D. Benjamin" initials="D." surname="Benjamin"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes an interface for importing external Pre-Shared Keys (PSKs) into TLS 1.3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9258"/>
          <seriesInfo name="DOI" value="10.17487/RFC9258"/>
        </reference>
        <reference anchor="RFC7925">
          <front>
            <title>Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things</title>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>A common design pattern in Internet of Things (IoT) deployments is the use of a constrained device that collects data via sensors or controls actuators for use in home automation, industrial control systems, smart cities, and other IoT deployments.</t>
              <t>This document defines a Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) 1.2 profile that offers communications security for this data exchange thereby preventing eavesdropping, tampering, and message forgery. The lack of communication security is a common vulnerability in IoT products that can easily be solved by using these well-researched and widely deployed Internet security protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7925"/>
          <seriesInfo name="DOI" value="10.17487/RFC7925"/>
        </reference>
        <reference anchor="I-D.ietf-tls-dtls-rrc">
          <front>
            <title>Return Routability Check for DTLS 1.2 and DTLS 1.3</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <author fullname="Achim Kraus" initials="A." surname="Kraus">
         </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="14" month="July" year="2025"/>
            <abstract>
              <t>   This document specifies a return routability check for use in context
   of the Connection ID (CID) construct for the Datagram Transport Layer
   Security (DTLS) protocol versions 1.2 and 1.3.

   Implementations offering the CID functionality described in RFC 9146
   and RFC 9147 are encouraged to also provide the return routability
   check functionality described in this document.  For this reason,
   this document updates RFC 9146 and RFC 9147.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-dtls-rrc-20"/>
        </reference>
        <reference anchor="RFC9325">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="November" year="2022"/>
            <abstract>
              <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases.</t>
              <t>RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="9325"/>
          <seriesInfo name="DOI" value="10.17487/RFC9325"/>
        </reference>
        <reference anchor="RFC8449">
          <front>
            <title>Record Size Limit Extension for TLS</title>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>An extension to Transport Layer Security (TLS) is defined that allows endpoints to negotiate the maximum size of protected records that each will send the other.</t>
              <t>This replaces the maximum fragment length extension defined in RFC 6066.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8449"/>
          <seriesInfo name="DOI" value="10.17487/RFC8449"/>
        </reference>
        <reference anchor="RFC5758">
          <front>
            <title>Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA</title>
            <author fullname="Q. Dang" initials="Q." surname="Dang"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="K. Moriarty" initials="K." surname="Moriarty"/>
            <author fullname="D. Brown" initials="D." surname="Brown"/>
            <author fullname="T. Polk" initials="T." surname="Polk"/>
            <date month="January" year="2010"/>
            <abstract>
              <t>This document updates RFC 3279 to specify algorithm identifiers and ASN.1 encoding rules for the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures when using SHA-224, SHA-256, SHA-384, or SHA-512 as the hashing algorithm. This specification applies to the Internet X.509 Public Key infrastructure (PKI) when digital signatures are used to sign certificates and certificate revocation lists (CRLs). This document also identifies all four SHA2 hash algorithms for use in the Internet X.509 PKI. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5758"/>
          <seriesInfo name="DOI" value="10.17487/RFC5758"/>
        </reference>
        <reference anchor="RFC5480">
          <front>
            <title>Elliptic Curve Cryptography Subject Public Key Information</title>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="D. Brown" initials="D." surname="Brown"/>
            <author fullname="K. Yiu" initials="K." surname="Yiu"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="T. Polk" initials="T." surname="Polk"/>
            <date month="March" year="2009"/>
            <abstract>
              <t>This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5480"/>
          <seriesInfo name="DOI" value="10.17487/RFC5480"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9146">
          <front>
            <title>Connection Identifier for DTLS 1.2</title>
            <author fullname="E. Rescorla" initials="E." role="editor" surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <author fullname="A. Kraus" initials="A." surname="Kraus"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document specifies the Connection ID (CID) construct for the Datagram Transport Layer Security (DTLS) protocol version 1.2.</t>
              <t>A CID is an identifier carried in the record layer header that gives the recipient additional information for selecting the appropriate security association. In "classical" DTLS, selecting a security association of an incoming DTLS record is accomplished with the help of the 5-tuple. If the source IP address and/or source port changes during the lifetime of an ongoing DTLS session, then the receiver will be unable to locate the correct security context.</t>
              <t>The new ciphertext record format with the CID also provides content type encryption and record layer padding.</t>
              <t>This document updates RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9146"/>
          <seriesInfo name="DOI" value="10.17487/RFC9146"/>
        </reference>
        <reference anchor="RFC7228">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Ersue" initials="M." surname="Ersue"/>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7228"/>
          <seriesInfo name="DOI" value="10.17487/RFC7228"/>
        </reference>
        <reference anchor="RFC9810">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Certificate Management Protocol (CMP)</title>
            <author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/>
            <author fullname="D. von Oheimb" initials="D." surname="von Oheimb"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <author fullname="J. Gray" initials="J." surname="Gray"/>
            <date month="July" year="2025"/>
            <abstract>
              <t>This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocol (CMP). Protocol messages are defined for X.509v3 certificate creation and management. CMP provides interactions between client systems and PKI components such as a Registration Authority (RA) and a Certification Authority (CA).</t>
              <t>This document adds support for management of certificates containing a Key Encapsulation Mechanism (KEM) public key and uses EnvelopedData instead of EncryptedValue. This document also includes the updates specified in Section 2 and Appendix A.2 of RFC 9480.</t>
              <t>This document obsoletes RFC 4210, and together with RFC 9811, it also obsoletes RFC 9480. Appendix F of this document updates Section 9 of RFC 5912.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9810"/>
          <seriesInfo name="DOI" value="10.17487/RFC9810"/>
        </reference>
        <reference anchor="RFC8937">
          <front>
            <title>Randomness Improvements for Security Protocols</title>
            <author fullname="C. Cremers" initials="C." surname="Cremers"/>
            <author fullname="L. Garratt" initials="L." surname="Garratt"/>
            <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8937"/>
          <seriesInfo name="DOI" value="10.17487/RFC8937"/>
        </reference>
        <reference anchor="RFC9483">
          <front>
            <title>Lightweight Certificate Management Protocol (CMP) Profile</title>
            <author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/>
            <author fullname="D. von Oheimb" initials="D." surname="von Oheimb"/>
            <author fullname="S. Fries" initials="S." surname="Fries"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document aims at simple, interoperable, and automated PKI management operations covering typical use cases of industrial and Internet of Things (IoT) scenarios. This is achieved by profiling the Certificate Management Protocol (CMP), the related Certificate Request Message Format (CRMF), and transfer based on HTTP or Constrained Application Protocol (CoAP) in a succinct but sufficiently detailed and self-contained way. To make secure certificate management for simple scenarios and constrained devices as lightweight as possible, only the most crucial types of operations and options are specified as mandatory. More specialized or complex use cases are supported with optional features.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9483"/>
          <seriesInfo name="DOI" value="10.17487/RFC9483"/>
        </reference>
        <reference anchor="RFC7452">
          <front>
            <title>Architectural Considerations in Smart Object Networking</title>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="J. Arkko" initials="J." surname="Arkko"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="D. McPherson" initials="D." surname="McPherson"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>The term "Internet of Things" (IoT) denotes a trend where a large number of embedded devices employ communication services offered by Internet protocols. Many of these devices, often called "smart objects", are not directly operated by humans but exist as components in buildings or vehicles, or are spread out in the environment. Following the theme "Everything that can be connected will be connected", engineers and researchers designing smart object networks need to decide how to achieve this in practice.</t>
              <t>This document offers guidance to engineers designing Internet- connected smart objects.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7452"/>
          <seriesInfo name="DOI" value="10.17487/RFC7452"/>
        </reference>
        <reference anchor="RFC6066">
          <front>
            <title>Transport Layer Security (TLS) Extensions: Extension Definitions</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <date month="January" year="2011"/>
            <abstract>
              <t>This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6066"/>
          <seriesInfo name="DOI" value="10.17487/RFC6066"/>
        </reference>
        <reference anchor="I-D.ietf-iotops-7228bis">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <author fullname="Mehmet Ersue" initials="M." surname="Ersue">
         </author>
            <author fullname="Ari Keränen" initials="A." surname="Keränen">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Carles Gomez" initials="C." surname="Gomez">
              <organization>Universitat Politecnica de Catalunya</organization>
            </author>
            <date day="29" month="June" year="2026"/>
            <abstract>
              <t>   The Internet Protocol Suite is increasingly used on small devices
   with severe constraints on power, memory, and processing resources,
   creating constrained-node networks.  This document provides a number
   of basic terms that have been useful in research and standardization
   work for constrained-node networks.

   This document obsoletes RFC 7228.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-iotops-7228bis-09"/>
        </reference>
        <reference anchor="I-D.ietf-iotops-iot-dns-guidelines">
          <front>
            <title>IoT DNS Security and Privacy Guidelines</title>
            <author fullname="Abhishek Kumar Mishra" initials="A. K." surname="Mishra">
              <organization>Inria</organization>
            </author>
            <author fullname="Andrew Losty" initials="A." surname="Losty">
              <organization>UCL</organization>
            </author>
            <author fullname="Anna Maria Mandalari" initials="A. M." surname="Mandalari">
              <organization>UCL</organization>
            </author>
            <author fullname="Jim Mozley" initials="J." surname="Mozley">
              <organization>Infoblox</organization>
            </author>
            <author fullname="Mathieu Cunche" initials="M." surname="Cunche">
              <organization>INSA-Lyon &amp; Inria</organization>
            </author>
            <date day="8" month="May" year="2026"/>
            <abstract>
              <t>   This document outlines guidance for Internet of Things (IoT)
   manufacturers regarding the implementation of DNS stub resolver
   software on devices, and for the management zones used for purposes
   such as device configuration and software upgrades.  It aims to
   mitigate security threats, enhance privacy, and to address
   operational security challenges.

   DNS resolution between devices and management zone servers depends
   upon DNS services within operator networks, and these services and
   operator networks can be impacted by device behavior.  Hence this
   document also provides guidance to network operators that deploy IoT
   devices to mitigate the specific risks identified in this document
   and take advantage of improved DNS security mechanisms provided by
   manufacturers.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-iotops-iot-dns-guidelines-03"/>
        </reference>
        <reference anchor="I-D.ietf-pquip-pqc-engineers">
          <front>
            <title>Post-Quantum Cryptography for Engineers</title>
            <author fullname="Aritra Banerjee" initials="A." surname="Banerjee">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Dimitrios Schoinianakis" initials="D." surname="Schoinianakis">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
              <organization>Entrust Limited</organization>
            </author>
            <date day="25" month="August" year="2025"/>
            <abstract>
              <t>   The advent of a cryptographically relevant quantum computer (CRQC)
   would render state-of-the-art, traditional public key algorithms
   deployed today obsolete, as the mathematical assumptions underpinning
   their security would no longer hold.  To address this, protocols and
   infrastructure must transition to post-quantum algorithms, which are
   designed to resist both traditional and quantum attacks.  This
   document explains why engineers need to be aware of and understand
   post-quantum cryptography (PQC), detailing the impact of CRQCs on
   existing systems and the challenges involved in transitioning to
   post-quantum algorithms.  Unlike previous cryptographic updates, this
   shift may require significant protocol redesign due to the unique
   properties of post-quantum algorithms.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-engineers-14"/>
        </reference>
        <reference anchor="I-D.ietf-tls-pake">
          <front>
            <title>A Password Authenticated Key Exchange Extension for TLS 1.3</title>
            <author fullname="Laura Bauman" initials="L." surname="Bauman">
              <organization>Apple, Inc.</organization>
            </author>
            <author fullname="David Benjamin" initials="D." surname="Benjamin">
              <organization>Google LLC</organization>
            </author>
            <author fullname="Samir Menon" initials="S." surname="Menon">
              <organization>Apple, Inc.</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Apple, Inc.</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The pre-shared key mechanism available in TLS 1.3 is not suitable for
   usage with low-entropy keys, such as passwords entered by users.
   This document describes an extension that enables the use of
   password-authenticated key exchange protocols with TLS 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-pake-01"/>
        </reference>
        <reference anchor="I-D.ietf-tls-8773bis">
          <front>
            <title>TLS 1.3 Extension for Using Certificates with an External Pre-Shared Key</title>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <date day="5" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies a TLS 1.3 extension that allows TLS clients
   and servers to authenticate with certificates and provide
   confidentiality based on encryption with a symmetric key from the
   usual key agreement algorithm and an external pre-shared key (PSK).
   This Standards Track RFC (once approved) obsoletes RFC 8773, which
   was an Experimental RFC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-8773bis-13"/>
        </reference>
        <reference anchor="PQC-ENERGY">
          <front>
            <title>Energy Consumption Evaluation of Post-Quantum TLS 1.3 for Resource-Constrained Embedded Devices</title>
            <author fullname="George Tasopoulos" initials="G." surname="Tasopoulos">
              <organization>Industrial Systems Institute, R.C. ATHENA, Patras, Greece</organization>
            </author>
            <author fullname="Charis Dimopoulos" initials="C." surname="Dimopoulos">
              <organization>Industrial Systems Institute, R.C. ATHENA &amp;amp; Electrical and Computer Engineering, Dpt, University of Patras, Patras, Greece</organization>
            </author>
            <author fullname="Apostolos P. Fournaris" initials="A." surname="Fournaris">
              <organization>Industrial Systems Institute, R.C. ATHENA, Patras, Greece</organization>
            </author>
            <author fullname="Raymond K. Zhao" initials="R." surname="Zhao">
              <organization>CSIRO's Data61 Sydney, Australia</organization>
            </author>
            <author fullname="Amin Sakzad" initials="A." surname="Sakzad">
              <organization>Monash University, Melbourne, Australia</organization>
            </author>
            <author fullname="Ron Steinfeld" initials="R." surname="Steinfeld">
              <organization>Monash University, Melbourne, Australia</organization>
            </author>
            <date month="May" year="2023"/>
          </front>
          <seriesInfo name="Proceedings of the 20th ACM International Conference on Computing Frontiers" value="pp. 366-374"/>
          <seriesInfo name="DOI" value="10.1145/3587135.3592821"/>
          <refcontent>ACM</refcontent>
        </reference>
        <reference anchor="PQC-PERF">
          <front>
            <title>Performance Evaluation of Post-Quantum TLS 1.3 on Resource-Constrained Embedded Systems</title>
            <author fullname="George Tasopoulos" initials="G." surname="Tasopoulos">
              <organization/>
            </author>
            <author fullname="Jinhui Li" initials="J." surname="Li">
              <organization/>
            </author>
            <author fullname="Apostolos P. Fournaris" initials="A." surname="Fournaris">
              <organization/>
            </author>
            <author fullname="Raymond K. Zhao" initials="R." surname="Zhao">
              <organization/>
            </author>
            <author fullname="Amin Sakzad" initials="A." surname="Sakzad">
              <organization/>
            </author>
            <author fullname="Ron Steinfeld" initials="R." surname="Steinfeld">
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="Lecture Notes in Computer Science" value="pp. 432-451"/>
          <seriesInfo name="DOI" value="10.1007/978-3-031-21280-2_24"/>
          <seriesInfo name="ISBN" value="[&quot;9783031212796&quot;, &quot;9783031212802&quot;]"/>
          <refcontent>Springer International Publishing</refcontent>
        </reference>
        <reference anchor="NIST-SP-800-131Ar3" target="https://doi.org/10.6028/NIST.SP.800-131Ar3.ipd">
          <front>
            <title>Transitioning the Use of Cryptographic Algorithms and Key Lengths</title>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky" fullname="Allen Roginsky">
              <organization/>
            </author>
            <date year="2024" month="October"/>
          </front>
        </reference>
        <reference anchor="CoAP">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="IEEE-802.1AR">
          <front>
            <title>ISO/IEC/IEEE International Standard for Telecommunications and exchange between information technology systems--Requirements for local and metropolitan area networks--Part 1AR:Secure device identity</title>
            <author>
              <organization/>
            </author>
            <date month="March" year="2020"/>
          </front>
          <seriesInfo name="DOI" value="10.1109/ieeestd.2020.9052099"/>
          <seriesInfo name="ISBN" value="[&quot;9781504465885&quot;]"/>
          <refcontent>IEEE</refcontent>
        </reference>
        <reference anchor="FDO" target="https://fidoalliance.org/specifications/download-iot-specifications/">
          <front>
            <title>FIDO Device Onboard Specification 1.1</title>
            <author>
              <organization>FIDO Alliance</organization>
            </author>
            <date year="2022" month="April"/>
          </front>
        </reference>
        <reference anchor="LwM2M-T" target="https://www.openmobilealliance.org/release/LightweightM2M/V1_2_2-20240613-A/">
          <front>
            <title>Lightweight Machine to Machine (LwM2M) V.1.2.2 Technical Specification: Transport Bindings</title>
            <author>
              <organization>OMA SpecWorks</organization>
            </author>
            <date year="2024" month="June"/>
          </front>
        </reference>
        <reference anchor="LwM2M-C" target="https://www.openmobilealliance.org/release/LightweightM2M/V1_2_2-20240613-A/">
          <front>
            <title>Lightweight Machine to Machine (LwM2M) V.1.2.2 Technical Specification: Core</title>
            <author>
              <organization>OMA SpecWorks</organization>
            </author>
            <date year="2024" month="June"/>
          </front>
        </reference>
        <reference anchor="Toms-Hardware-Oculus-Rift-2018" target="https://www.tomshardware.com/news/oculus-rift-runtime-error-fix%2C36629.html">
          <front>
            <title>How To Patch Your Oculus Rift</title>
            <author initials="S." surname="Colaner" fullname="Seth Colaner">
              <organization/>
            </author>
            <date year="2018" month="March"/>
          </front>
        </reference>
        <reference anchor="Ambrose2017" target="https://eprint.iacr.org/2017/975.pdf">
          <front>
            <title>Differential Attacks on Deterministic Signatures</title>
            <author initials="C." surname="Ambrose" fullname="Christopher Ambrose">
              <organization/>
            </author>
            <author initials="J. W." surname="Bos" fullname="Joppe W. Bos">
              <organization/>
            </author>
            <author initials="B." surname="Fay" fullname="Björn Fay">
              <organization/>
            </author>
            <author initials="M." surname="Joye" fullname="Marc Joye">
              <organization/>
            </author>
            <author initials="M." surname="Lochter" fullname="Manfred Lochter">
              <organization/>
            </author>
            <author initials="B." surname="Murray" fullname="Bruce Murray">
              <organization/>
            </author>
            <date year="2017"/>
          </front>
        </reference>
        <reference anchor="RFC5746">
          <front>
            <title>Transport Layer Security (TLS) Renegotiation Indication Extension</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="M. Ray" initials="M." surname="Ray"/>
            <author fullname="S. Dispensa" initials="S." surname="Dispensa"/>
            <author fullname="N. Oskov" initials="N." surname="Oskov"/>
            <date month="February" year="2010"/>
            <abstract>
              <t>Secure Socket Layer (SSL) and Transport Layer Security (TLS) renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client's initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data. This specification defines a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over, thus preventing this attack. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5746"/>
          <seriesInfo name="DOI" value="10.17487/RFC5746"/>
        </reference>
        <reference anchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="I-D.ietf-httpbis-secondary-server-certs">
          <front>
            <title>Secondary Certificate Authentication of HTTP Servers</title>
            <author fullname="Eric Gorbaty" initials="E." surname="Gorbaty">
              <organization>Apple</organization>
            </author>
            <author fullname="Mike Bishop" initials="M." surname="Bishop">
              <organization>Akamai</organization>
            </author>
            <date day="17" month="June" year="2026"/>
            <abstract>
              <t>   This document defines a way for HTTP/2 and HTTP/3 servers to send
   additional certificate-based credentials after a TLS connection is
   established, based on TLS Exported Authenticators.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-secondary-server-certs-02"/>
        </reference>
        <reference anchor="RFC5216">
          <front>
            <title>The EAP-TLS Authentication Protocol</title>
            <author fullname="D. Simon" initials="D." surname="Simon"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="R. Hurst" initials="R." surname="Hurst"/>
            <date month="March" year="2008"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides support for multiple authentication methods. Transport Layer Security (TLS) provides for mutual authentication, integrity-protected ciphersuite negotiation, and key exchange between two endpoints. This document defines EAP-TLS, which includes support for certificate-based mutual authentication and key derivation.</t>
              <t>This document obsoletes RFC 2716. A summary of the changes between this document and RFC 2716 is available in Appendix A. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5216"/>
          <seriesInfo name="DOI" value="10.17487/RFC5216"/>
        </reference>
        <reference anchor="RFC9190">
          <front>
            <title>EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3</title>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-TLS with TLS 1.3 while remaining backwards compatible with existing implementations of EAP-TLS. TLS 1.3 provides significantly improved security and privacy, and reduced latency when compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS 1.3) further improves security and privacy by always providing forward secrecy, never disclosing the peer identity, and by mandating use of revocation checking when compared to EAP-TLS with earlier versions of TLS. This document also provides guidance on authentication, authorization, and resumption for EAP-TLS in general (regardless of the underlying TLS version used). This document updates RFC 5216.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9190"/>
          <seriesInfo name="DOI" value="10.17487/RFC9190"/>
        </reference>
        <reference anchor="RFC4279">
          <front>
            <title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</title>
            <author fullname="P. Eronen" initials="P." role="editor" surname="Eronen"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <date month="December" year="2005"/>
            <abstract>
              <t>This document specifies three sets of new ciphersuites for the Transport Layer Security (TLS) protocol to support authentication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance among the communicating parties. The first set of ciphersuites uses only symmetric key operations for authentication. The second set uses a Diffie-Hellman exchange authenticated with a pre-shared key, and the third set combines public key authentication of the server with pre-shared key authentication of the client. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4279"/>
          <seriesInfo name="DOI" value="10.17487/RFC4279"/>
        </reference>
        <reference anchor="RFC9849">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="RFC7301">
          <front>
            <title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title>
            <author fullname="S. Friedl" initials="S." surname="Friedl"/>
            <author fullname="A. Popov" initials="A." surname="Popov"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="E. Stephan" initials="E." surname="Stephan"/>
            <date month="July" year="2014"/>
            <abstract>
              <t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7301"/>
          <seriesInfo name="DOI" value="10.17487/RFC7301"/>
        </reference>
        <reference anchor="RFC8995">
          <front>
            <title>Bootstrapping Remote Secure Key Infrastructure (BRSKI)</title>
            <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="T. Eckert" initials="T." surname="Eckert"/>
            <author fullname="M. Behringer" initials="M." surname="Behringer"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8995"/>
          <seriesInfo name="DOI" value="10.17487/RFC8995"/>
        </reference>
        <reference anchor="RFC7030">
          <front>
            <title>Enrollment over Secure Transport</title>
            <author fullname="M. Pritikin" initials="M." role="editor" surname="Pritikin"/>
            <author fullname="P. Yee" initials="P." role="editor" surname="Yee"/>
            <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/>
            <date month="October" year="2013"/>
            <abstract>
              <t>This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7030"/>
          <seriesInfo name="DOI" value="10.17487/RFC7030"/>
        </reference>
        <reference anchor="I-D.ietf-anima-constrained-voucher">
          <front>
            <title>Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI)</title>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
              <organization>vanderstok consultancy</organization>
            </author>
            <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <date day="8" month="June" year="2026"/>
            <abstract>
              <t>   This document defines the Constrained Bootstrapping Remote Secure Key
   Infrastructure (cBRSKI) protocol, which provides a solution for
   secure zero-touch onboarding of resource-constrained (IoT) devices
   into the network of a domain owner.  This protocol is designed for
   constrained networks, which may have limited data throughput or may
   experience frequent packet loss. cBRSKI is a variant of the BRSKI
   protocol, which uses an artifact signed by the device manufacturer
   called the "voucher" which enables a new device and the owner's
   network to mutually authenticate.  While the BRSKI voucher data is
   encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher.  The
   BRSKI voucher data definition is extended with new data types that
   allow for smaller voucher sizes.  The Enrollment over Secure
   Transport (EST) protocol, used in BRSKI, is replaced with EST-over-
   CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP
   (CoAPS).  This document Updates RFC 8995 and RFC 9148.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-anima-constrained-voucher-31"/>
        </reference>
        <reference anchor="RFC4108">
          <front>
            <title>Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="August" year="2005"/>
            <abstract>
              <t>This document describes the use of the Cryptographic Message Syntax (CMS) to protect firmware packages, which provide object code for one or more hardware module components. CMS is specified in RFC 3852. A digital signature is used to protect the firmware package from undetected modification and to provide data origin authentication. Encryption is optionally used to protect the firmware package from disclosure, and compression is optionally used to reduce the size of the protected firmware package. A firmware package loading receipt can optionally be generated to acknowledge the successful loading of a firmware package. Similarly, a firmware package load error report can optionally be generated to convey the failure to load a firmware package. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4108"/>
          <seriesInfo name="DOI" value="10.17487/RFC4108"/>
        </reference>
        <reference anchor="RFC9019">
          <front>
            <title>A Firmware Update Architecture for Internet of Things</title>
            <author fullname="B. Moran" initials="B." surname="Moran"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="D. Brown" initials="D." surname="Brown"/>
            <author fullname="M. Meriac" initials="M." surname="Meriac"/>
            <date month="April" year="2021"/>
            <abstract>
              <t>Vulnerabilities in Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism suitable for devices with resource constraints. Incorporating such an update mechanism is a fundamental requirement for fixing vulnerabilities, but it also enables other important capabilities such as updating configuration settings and adding new functionality.</t>
              <t>In addition to the definition of terminology and an architecture, this document provides the motivation for the standardization of a manifest format as a transport-agnostic means for describing and protecting firmware updates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9019"/>
          <seriesInfo name="DOI" value="10.17487/RFC9019"/>
        </reference>
        <reference anchor="I-D.irtf-t2trg-taxonomy-manufacturer-anchors">
          <front>
            <title>A Taxonomy of operational security considerations for manufacturer installed keys and Trust Anchors</title>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="28" month="June" year="2026"/>
            <abstract>
              <t>   This document provides a taxonomy of methods used by manufacturers of
   silicon and devices to secure private keys and public trust anchors.
   This deals with two related activities: how trust anchors and private
   keys are installed into devices during manufacturing, and how the
   related manufacturer held private keys are secured against
   disclosure.

   This document does not evaluate the different mechanisms, but rather
   just serves to name them in a consistent manner in order to aid in
   communication.


   // This document is a product of the Internet Research Task Force
   // (IRTF).  The IRTF publishes the results of Internet-related
   // research and development activities.  These results might not be
   // suitable for deployment.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-t2trg-taxonomy-manufacturer-anchors-20"/>
        </reference>
        <reference anchor="RFC7924">
          <front>
            <title>Transport Layer Security (TLS) Cached Information Extension</title>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>Transport Layer Security (TLS) handshakes often include fairly static information, such as the server certificate and a list of trusted certification authorities (CAs). This information can be of considerable size, particularly if the server certificate is bundled with a complete certificate chain (i.e., the certificates of intermediate CAs up to the root CA).</t>
              <t>This document defines an extension that allows a TLS client to inform a server of cached information, thereby enabling the server to omit already available information.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7924"/>
          <seriesInfo name="DOI" value="10.17487/RFC7924"/>
        </reference>
        <reference anchor="I-D.ietf-dance-tls-clientid">
          <front>
            <title>TLS Extension for DANE Client Identity</title>
            <author fullname="Shumon Huque" initials="S." surname="Huque">
              <organization>Salesforce</organization>
            </author>
            <author fullname="Viktor Dukhovni" initials="V." surname="Dukhovni">
              <organization>OpenSSL Corporation</organization>
            </author>
            <date day="17" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies a TLS and DTLS extension to convey a DNS-
   Based Authentication of Named Entities (DANE) Client Identity to a
   TLS or DTLS server.  This is useful for applications that perform TLS
   client authentication via DANE TLSA records.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-dance-tls-clientid-07"/>
        </reference>
        <reference anchor="RFC6698">
          <front>
            <title>The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="J. Schlyter" initials="J." surname="Schlyter"/>
            <date month="August" year="2012"/>
            <abstract>
              <t>Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain's TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6698"/>
          <seriesInfo name="DOI" value="10.17487/RFC6698"/>
        </reference>
        <reference anchor="RFC8879">
          <front>
            <title>TLS Certificate Compression</title>
            <author fullname="A. Ghedini" initials="A." surname="Ghedini"/>
            <author fullname="V. Vasiliev" initials="V." surname="Vasiliev"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>In TLS handshakes, certificate chains often take up the majority of the bytes transmitted.</t>
              <t>This document describes how certificate chains can be compressed to reduce the amount of data transmitted and avoid some round trips.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8879"/>
          <seriesInfo name="DOI" value="10.17487/RFC8879"/>
        </reference>
        <reference anchor="RFC7250">
          <front>
            <title>Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="J. Gilmore" initials="J." surname="Gilmore"/>
            <author fullname="S. Weiler" initials="S." surname="Weiler"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>This document specifies a new certificate type and two TLS extensions for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The new certificate type allows raw public keys to be used for authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7250"/>
          <seriesInfo name="DOI" value="10.17487/RFC7250"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="RFC6979">
          <front>
            <title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
            <author fullname="T. Pornin" initials="T." surname="Pornin"/>
            <date month="August" year="2013"/>
            <abstract>
              <t>This document defines a deterministic digital signature generation procedure. Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein. Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6979"/>
          <seriesInfo name="DOI" value="10.17487/RFC6979"/>
        </reference>
        <reference anchor="RFC8032">
          <front>
            <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8032"/>
          <seriesInfo name="DOI" value="10.17487/RFC8032"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-det-sigs-with-noise">
          <front>
            <title>Hedged ECDSA and EdDSA Signatures</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Erik Thormarker" initials="E." surname="Thormarker">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Sini Ruohomaa" initials="S." surname="Ruohomaa">
              <organization>Ericsson</organization>
            </author>
            <date day="3" month="March" year="2025"/>
            <abstract>
              <t>   Deterministic elliptic-curve signatures such as deterministic ECDSA
   and EdDSA have gained popularity over randomized ECDSA as their
   security does not depend on a source of high-quality randomness.
   Recent research, however, has found that implementations of these
   signature algorithms may be vulnerable to certain side-channel and
   fault injection attacks due to their deterministic nature.  One
   countermeasure to such attacks is hedged signatures where the
   calculation of the per-message secret number includes both fresh
   randomness and the message.  This document updates RFC 6979 and RFC
   8032 to recommend hedged constructions in deployments where side-
   channel attacks and fault injection attacks are a concern.  The
   updates are invisible to the validator of the signature and
   compatible with existing ECDSA and EdDSA validators.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-05"/>
        </reference>
        <reference anchor="I-D.ietf-uta-pqc-app">
          <front>
            <title>Post-Quantum Cryptography Recommendations for TLS-based Applications</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   Post-quantum cryptography presents new challenges for device
   manufacturers, application developers, and service providers.  This
   document highlights the unique characteristics of applications and
   offers best practices for implementing quantum-ready usage profiles
   in applications that use TLS and supporting protocols such as DNS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-uta-pqc-app-03"/>
        </reference>
        <reference anchor="I-D.ietf-pquip-pqc-hsm-constrained">
          <front>
            <title>Adapting Constrained Devices for Post-Quantum Cryptography</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Dan Wing" initials="D." surname="Wing">
              <organization>Citrix</organization>
            </author>
            <author fullname="Ben S" initials="B." surname="S">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkowski">
              <organization>PQShield</organization>
            </author>
            <date day="24" month="June" year="2026"/>
            <abstract>
              <t>   This document provides guidance on integrating Post-Quantum
   Cryptography (PQC) into resource-constrained devices, such as IoT
   nodes and lightweight Hardware Security Modules (HSMs).  These
   systems often operate with strict limitations on processing power,
   RAM, and flash memory, and may even be battery-powered.  The document
   emphasizes the role of hardware security as the basis for secure
   operations, supporting features such as seed-based key generation to
   minimize persistent storage, efficient handling of ephemeral keys,
   and the offloading of cryptographic tasks in low-resource
   environments.  It also explores the implications of PQC on firmware
   update mechanisms in such constrained systems.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-hsm-constrained-06"/>
        </reference>
        <reference anchor="RFC9150">
          <front>
            <title>TLS 1.3 Authentication and Integrity-Only Cipher Suites</title>
            <author fullname="N. Cam-Winget" initials="N." surname="Cam-Winget"/>
            <author fullname="J. Visoky" initials="J." surname="Visoky"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document defines the use of cipher suites for TLS 1.3 based on Hashed Message Authentication Code (HMAC). Using these cipher suites provides server and, optionally, mutual authentication and data authenticity, but not data confidentiality. Cipher suites with these properties are not of general applicability, but there are use cases, specifically in Internet of Things (IoT) and constrained environments, that do not require confidentiality of exchanged messages while still requiring integrity protection, server authentication, and optional client authentication. This document gives examples of such use cases, with the caveat that prior to using these integrity-only cipher suites, a threat model for the situation at hand is needed, and a threat analysis must be performed within that model to determine whether the use of integrity-only cipher suites is appropriate. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of a reduced-security mechanism that provides authentication and message integrity without supporting confidentiality.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9150"/>
          <seriesInfo name="DOI" value="10.17487/RFC9150"/>
        </reference>
      </references>
    </references>
    <?line 1232?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We would like to thank
Henk Birkholz,
Hendrik Brockhaus,
Menachem Dodge,
Martin Duke,
Russ Housley,
Ben Kaduk,
Achim Kraus,
John Mattsson,
Tiru Reddy,
Scott Rose,
Rich Salz,
Martin Thomson, and
Marco Tiloca.</t>
      <t>Finally, we would like to thank our security area director Deb Cooley for her detailed review comments.</t>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact initials="J." surname="Sosinowicz" fullname="Juliusz Sosinowicz">
        <organization/>
        <address>
      </address>
      </contact>
      <contact initials="A." surname="Kraus" fullname="Achim Kraus">
        <organization/>
        <address>
      </address>
      </contact>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8W963bc2JEm+n8/Baxas0x6ElkkdaXquN0pkqqiS5RkkrLb
84cFZoIkLCSQBpCkslQ1z9JPcR6gz4tNfBGxbwBIyR6v017dtpgA9iV27Lhf
0jQ1XdGV+cvk/M3Zt4f0X8nu9HHyvqmvijJvk6u6SbqbPDmuuryp8i6pr5Lz
m6K6bk12ednkt70Pj+tz97FZ1PMqW9LYiya76tIi767SdZelXdnuPk6LuktX
8mq6t2fmWZdf183mZdJ2C7NeLejv9mXyfH/vqZnXVZtX7Zr+7pp1btr15bJo
26Kuus2Kxj8+On9tTLFq+Hnb7e3s7O/smazJs5fJWT5fN0W3MXd18/G6qder
l8mH85n5mG/ol8VLt7f0EMs0pu2yanGRlXVFQ29oH6vipUmS5mqeL9puU+qv
SdLV8+CfRbXIq87+0NZN1+RXrft7s4z+7Jpi7l6e18slfeueFlVZVH6a/FOX
lkXbpTTIZV3Sa3X6u/8p360yPwyBpfdLALirrGxzY7J1d1M3tJ+UHmMmevTD
NDlv5zf1VV4V1/yzHNsPWVURDvSe1c11VhU/Zx2BnyBZFbd50xJ8gRpAlVdr
AkR7l980ycm6KuY3/JXFFnr/1V1yMuUf5/TZy+Rtvr4sLvNGhm/yax74VXab
NUUm79XrqgNqfJ83y6za6I8LWuOLp0+fP+e/82VWlC+TG170tHOL/vfr5acp
Ha+J9nw+TV7XbUu7CDZ8flMvszZ6EO/20Zuiypr6UTihfDTVj/695Dem9F08
4ck0OSVgZM2iratgzhP8mJf9h715zwgl85L2npzVV90dYXbyF0LnNlrJct78
T1yyf2/t29N5Fq/icEoTXmfrsguWcEgz0QrCB/H0R4SsrV2ZO4yDrMoWWbiA
BQ80XcpA/57rZ1PCSoNLTEh/ue766PfHKW2qLar6rpj/HCzrj+uyWLc/Rw+D
z2bT5McmW7fBF7P5TbHUX01VE650hJ24vKevD/Z3nzynvRKl2n0sv7x48uQZ
0y/7w7Onezt4+zg9nDK1KrPlqk2X2TxbLJq8bVOCBhGa6mo49jP95/O9vRf2
1xe7Oy+T+XKl0+0/fm6fPHnx+GVS3qXu4fMnT/f04bOdZ8+iVRClrGkZGPmy
aMcegZYuqja9Xhd08EQ74rdWf18XK/rveZpX1/SULmz0nAhyuso+5oMfXzx/
/linfP+ng/To7dHp938lIL47nu7uTHd3nzz99vHTF893Hz+dPn66v/dib1ff
fH90+tq/t7Pz/Nv95y/Sx+nO4910b3fvxU66d7H3hF5+e3x2np69T1/s7KS7
j3dnzeOXfKCJI1T8n1TO/GhKdKH5mDf6sz34ozKjbcXPUocmpzVtuv246X00
K8u86j1UZvjovMkqImqE/cTrmKx9aHNQuINms+rq6yZb3RRzGoJYVtHdLNuE
rlzyY75J3hCIuxu9mEmXNdc5keObrlu1L7/9dlEXIA3fElSe7ey9+Bbbn569
n/rtT4vVQr4FB3yZvJt3NRHHZG+H4XVQz96/FDx7uofjOjo6IuDtTXdnp8HB
7Ox/iydn54dT+nBnur9DqL2/Tx+8Pnw3CmG+8y+T18eH7wCZIqvmeQQTfnKY
3xbzPHlXXdZErJKzVT4vroo50wkSAHbHd31VLOpMx+Ttt+F3LUHlrirrbMF4
3HsWwmK2aooSkMDO39yd7J2k5w9t5t3JjJfIpDI+4DfF9U13l+O/k5OM6Aah
T1e7f27x6NvJn6e7073pXnKez2+Il2VlvGWiHkCUFTH75BUJABCM7jn5u7u7
ab3Kq2V9SRJPBI0mpx/a/NtgTTT5t3/evaBLkuLgd56RwDSLYPHHNS1TkUJA
cfDfDIqDusn/GzZ/Xi/b9AfCRnDF9N18Xa7b9LQggXNvZ5dJcQQRJQtnU1pv
mVWOXAhNOMu7m/CBhdEP9R1NlLzPuvlN8td63SQyUYKJeNNjW+5oaTe6MjDB
b6v8rv22liU2WGJDvLRY5mneNHWTXhWf/sfeweNnz/b2pzfdsjRuwydZQxNj
Q/TbbHnZ1G1Ofz2XPY3s72BqX4v2d3DTkCBZr26IooTPU8eK/0Iktm6jj/5Y
r1Z5+EDffkUyVLaJXn31t//v/20q93PqZJ8/1pt4JdiR/9W/+Kae33S9UznJ
qqsmX0TP/BpO1k3TX0azJioVPBAoAmJmDD9zIixVNy2yecNIiReJYz2drhZX
Jrgrvz0srq7yhmT1gvB/1nXZ/GObEOk7zGldy6Ii4BJbOCuuq6xbk8TwW2PS
NCXplwR+ksuNIcrNOg3xEhqoTcCxcRdw4xb5bV7SNWl4yHUL1hNoV3usjQWa
mBFNLNkirWsbXxNpbpM74kckRbeEpDQsNACamnbXTqG5tQlpZWtoGwn9OzOs
MFSg3rQAu7gJDXZVVL35HyerUC2EqqdzTs1ssWBuSVd7M0mKLlEFzg3plkU0
o8Nc4Kn/MX26s5/M86YTMpIbnYG56bwAmrbrosvpQxJhmpy1pKnAdFksFiVp
NN8AJE29WM+xAGM+v8xakoJ+Nf+WvK273O7riBZId4RYF0EFP+y/ePIs2cK/
IAeSlLMNiKzWl6Rq3eSLSUJ7oXn5uAFXHQcvJ0tSMpPLXHe5wDN+076Esae0
AGKkSZvzwsKh+HPSx+pwjGw+J3WUYF5uaIfHFUOI5IxiUW6S/LYub3EeQ0Vc
jz+f1+2m7fLlhNVJaF7ClVur/+K8kzn9k4l3AFEgRh5wsjfZhrZi9eZki45/
m0/kMOsyEn2W/l3Tf/eQX6ZjJI2YVFVSx25z2iUJWlekNywyQRJGICimDfZE
QIFURU8mJFt3+TWGmvCMoGy4bdAU6cLHWyOMJrpMl6aZMLACXAd4MsYs+tPM
y6zlnwKcJQCQktTgo1vMgGVNcCtTGiolDCivPPIXy1XJoJJ5YYCoacFL3Ql0
Uh57TULinLjZ4K6p/gA0usnppbJYFjpYcrlJRObZ6IXju8bwHly87iajwUj7
4+mLnwlvsAB73VMHAnoQXVAjdwGfh0AgHXtDV5OUBgYviBgDap6tMmLVhCvY
y19ucCfbepnz3DfEpMuNGZuUINjdMAEDeUuIlrGqVDElIkrTZJdlLtflel1m
DS2k/Uj8iJ+uafrWkIaYgAjSpWCiUdPfdFQpwbZJgB7NVYYtkZre0Bkvcjri
krZLIxFyMxpZU8TCUmvBgLyPA5NkxcKHv7yfP6sK9+uvfAKfP9+jhf3669Qc
Mw2dE68pFBECCs4krm7qNWCV8Ox8+NHRyzqLiJgapn3RFe4gctUlaSpChxw6
8oDLmqgJyCTDVhFDL4jBzXbYgxOO0ZLUZRrvMiv5iOgUa0JBSzGEZmMKK8QA
Jqa1FojeTmJ8s6h7k7Vy/0k4oyMizghaR1tscXEJbquGvqnXLUGJuQ49zj91
RBx4XMxT1Z3JVquSwKHYgzWRLJWw6UnO291VuotLkkSFqF3VZVnf4V5d5cKR
k/lNVl3nC+M21zldL7lq6mViuS3NQxsgfT91l7JQTgOSLwRnnq+YFq/oEFIa
eUEC38fc0y05wCUdfnYNhLu7gUWMLgIkCNpyk6/KzI5HmvnCmVwJXlV+XdN7
sjRZP2HkHwhFnz5/8gwoeku4D6AQ3UzyrCkLQmMsVgHTp5BN/jFnKrPMAYai
XTqY0wCfP58pr3oyfUa7pW2lbB359VezqAl0dBBApluiF7Jh3FoCWUFXyCHN
VptjlTOSGUkh+kQ6++70aTjW9tS8XjcgEzinyRdA59dn4vXthWOSwFRurEw1
JzAAueOBtuTntKtToiQEkm25HY+OPoGT0RQz/0HdPEoiRXSSyLYA/P29Z7u/
/joBUaev2vWKOSEzgnW3Bko/tKNJAgrH91B5sNCFAy8GTUzwx59z0hQ2fGXw
2msImSSfOJziC5wLH9vQ78RO8J5eGJaJSmbSlinTwluIaLSA/FPezOn0BOt+
OD9//+0ez8T/fCxI8QdHAiEuE+0j+NFsC2IdCskUjJZJIgGUaCkfa28RSbwI
J0Ll1Q1oz4JuRl4BUwU0Ft09lBaQ+5JTi8FK4sMZ6CJfEcyAig1JSA5licaz
iJZVKmzpxyaXk2/sF4q6Fsue9/A2IYkckjo4Cx3KLVMqlpj0+4K4VwZo1iK9
2fEvllmL/9HXAGCsS9+6fwu849cla+bfPFHikdzR8a1bOemj2fvU0iulDHu7
z4Ccbvf5J1JKcJJKxEhYZ0EQroG/ryGQToJhHlsc393foWsVELwsYUp1U5cQ
mxT7eIXyxZO95/vxF+/PfkwFHr2rSGdBs5GeUM3L9UItbOYRvZ8UcKKAjJBs
2z2yW85AxXkNgnAYgSS0lVBhue5tXkK1yDCtscNMHekmUbe+ZTpLKNXmEEW6
XIdLlagteNYpCdl0XNmCcdjo8Epb6oqwh7ZPKJ4E6y0sd82Tn4ihXUDtzxcX
hKs/eW7GIq3BO7oLWbIOyii5xN0Ed7D47agI6fM4NqIW67Kb2G3p6lphHe0a
yMPLLWsI+ZCQPHb5bcIWT8siorYGdJkAsehdMUWT1UGVHl5jT0XqxsgsNNpV
cb1ulLyxJivqcK7n14MUvcHgFPwuVGsM9D3SYomO0DAEy7loR0r+Ts9milME
W2HdfAMLRnajxFj4mUX4ZIjwzC6yBOp8kac/5CW8JcHA+ScRE1hpskyWiWRF
cPSIvVVM8+kkVGHlwXYP5afJFsTV+28EwX8tFuZ4TdhYvRL1ZLptxuW5iFOx
yOQkLWEO2SJbdaHwdNnURBNZGW/WS6PSW3DOJKqwMET3Ll3R3WNFqSWpsXG6
Aw1Vwo6StoQERKmrxRpuzaw0dG5lvRFlPTl2MoNYO8Q/wbB0cuzA0kA7W7Bj
MTek7MJzi1cUbduQcjQ0HnYGtbeqhHKndYNLgO07BLktsuT84D2zaSY+wKjS
Gx3D70vI6rEIjs8/HL7nZWOVIBIixs2hx0xEVwNLXa5I5HWaWTvPq6wp6hb8
DTIzwbMkNKnmm94MxDxAlJZwr/mLuaTbXqQ3pCERxb1JFBjibvBnAw0uhbvb
vTAxMh9fXx4TuEXML3O4vWCiYeUHGK9YoYTsHikJVqqCrJffgJSRSu/sVqL2
4LwLqzrkprez6n4FNa9uC1I6PK6QuicIcpm3wJyMTgRaEeaxhGaALrSFZZ6L
OkTz0i3XvfX1PWtzME19CQEkUnWgaRKPaAhy5VK5EulmrObQcgmLaQxY5SY0
G3EAtVHwEThtuBXFI1SxGMSktEKfzjorQLCmqABWuPFwuaPhtPLwKslkdClr
HUMucbaondKrw/QMQIhngGt5cLLWSCda7/7eU+LfX2WnsyQo2fr8Ofj5Qn+G
rPSQBY8/C6g96wRmYJ1UJzSoZauanGq0alNrhUbRYMRsxSh7gYgQGpDYLOve
9PDnvCEC0NHe7Kod7vjvHHRFOnXaItwTt1nVGQLF0LjiziakSH7QhBcD1YGD
VZh5L9XQJdepFbmAkPsO/jQW++abSciCQVidDnP29nh7QuPAVEji6M9ARsPW
MxJvr4Fg9DEYWCluSMHQnfT0/Jwv/zS558AsLoj1gSgavaGKyf2nr9B3yKNq
v4Mim3y6gg1JG7Y3O2E+ITZYtKILiS5SVIH4QttZQYLoxOLD9iAdJpNrXuIC
sZkv5qTWakgsQIwgU9IbOSrogugV/XwhO3UGnhAcuP03JPnRw0XRztcw2eDT
VD5VIAmMApYPcp/YbxnEEXK7e8bSqn9kelbtc9bQl5lY3h2O25VcIaiCts9O
B1Wb/74m3CQGPvduaUKAFSkn2VzJkyNxQF/iE401DZlvkgNn/BT8P2epDZam
jSwHqIQoqTZ5dPLh7JwEcv7f5O07/vfp0Z8+HJ8eHeLfZz/M3rxx/zD6xtkP
7z68OfT/8l8evDs5OXp7KB/Tr0n0k3l0MvvrI9nBo3fvz4/fvZ29eTRiwWpy
ZWCMKHSlWFpsjZgDL0USfHXw/r/+c/cJncxvCFn3dnehqcgfL3afPwHZIxyS
2Vg0lD/pvDawPOUZLI/sEJhnKyLiZctKdHtT31UJ+OzU/D9/ANtK0md/+Dcz
oLMwPeJmdB6+9vJY7VIliP4bhLzpoXsF6xtexxgdWUjPYNsaDvUbVhBfkGY3
DfhiKvbx6H2htn17qHnIHsp87zC/PT6cJMf6v1jaG/632pZZcRVNyYyRFJxn
oEKyASKMcdBrG56uuYekCYZ7YnwOYmw+v0y+GbALpltqPsTGveV4QM0V27AP
3nGbK+lXQhnuSi5Vk92JW2mO64Sb28DBAAWRf0i2SC1ot1WYoJPgCyeMLrCE
Wsi5lcoawYVyjjyw9oT+ir1SNDVneXmVqmowQCSxtrZdQXjODydsQOit/zv8
YIIf+CtnfoKgLJ6ruwt56UIUKt0Incp73WMakO6e3kUwmf14tO3tlK0eDEm3
8AasavbydLUJxxD5qYWmU5CwzIvja5axrJwDr1abRGEvNhYvamfQwBq8leOx
PYmJkw3FI8s+FGtiIuo979i+T3PgUOgop8kZjWiCpXsnmLVmsv9L7bXWVqtW
bMEDWLchyEMtQEAlyQcbtmEtFglAM25SUQPOILBLb2cgTSbLmjQxXgcPF6yW
3Wz3S+lYkeCIdUqqs8te4c7aAL0Nag7m6CAanzuLDKHGqNTTDmfZFthnkw9N
6/Vi6JB+abZ2t4da+STZ2tvu4bPVxwnmW4+3GU8beCidqj41kaqhl4n0k7pj
w0YqtoSK7V0iPm8dHWwf/nAUYzQvdGrUDIDrPAkwWbkjbAD2a1HgiM23Bem3
38EATaRORcULFRWt0DWywPuMDaoa0jGD7hBHq9gOa6+N3mErs9JXH/NO7xEJ
FnVjvKIMGV3ehm/Qwm4CJS6tr2j2auExa4oImgUiJCrSHtsbtoThPjNkxNIE
byHcfFhWCa+eF5kZatYMRCo0AkHC0xKHYOhxJH24xRrZ4iZQsd7SYMwWNp76
qrMuauB/z98rdx5nM0IzaUTTM/aY47HvGU/sOsKVWwq6XIqyHNw+owj93WBJ
QoyilcgmOK7ATuO3aniiqxhEhDtHnpjaTfbW1qoezOsv6+o6BSsP2QyTAyMy
A0M7QkhH+mMd0MU7qJZZNM7Jx4L+d+pxYbtVuoQO25HOnXqWKFQtIBXCEQVX
zeD2W2acyuVP/eUPlWzeJQsoWefvp5E/PxGjh/njnoMc+K5qpn5smw3dttHa
et8EHB/mIxtJRMeqoaZ2Zrjl88ow9/J0RPzusFOq7xAG6fbjxeImJz78k9yy
n5xEcMEJEe1PLNz9RBARy/VPfResU9syZ20UB4SzsWIxMhVNw1wLkLWsU2ka
pq/bfMTBy0By3k+CtTd8G6aZDs496WmicjwpoBBSoRojmWJhYyUCk6ZRIsvm
yFZiY9QP4C7H1uF2GIHBBM97U435S0SUBZx0ruJGctEJsVc1WB4rTyo+skkr
umuKzmykssEe8WW0QqBfJrJciBeBcEE8cLZgZj7splL/8boSr9bWj4evxTxz
k5GQZH+nvc36hM+iGi5pD02dn6sv7pqeuChbtrdlUVxDffJ4rfFq+XzRZuBp
q72nz5pdYCH9Y5rM2E6CcNGuv7Zo3E51VcdteVQ3XrKFQGvzPqW/ZO+KCvb7
4bf/sff06e4+E0j1WngrZxhBsyS5TF1PA1XBAcnFYCHHI5vTiXKgICGvRLpI
UFRIHmGObjvVSCFRwYBI9I9w8MA6Mjp4TUYcAE7sEqKZAysQVzZQDTjWJjLO
M9+sq56twFnBrEFQXRXe/i0b7osifZ4F+23dLB3ND0g3n6bnIMbT+65OfbzL
PbwkCl7Yj0MDpiJO2jA84ofLrCl+5vtVtz3DpJUvMhfP6KeMzDWRvMQud78Z
0YTF3+LOQgM9eHMuNWWwCwnS0EDBhbMBEWB/SY7c3n9JZiGnpL9P7TfJL+aX
NE3d/9N3AbW3hOwn+iQ6qTDS5Jf7YZnwePO6/ljkGANOqvo075rNKTCy7XzY
GlDkiyM5MnDh2Buv7SC0bgzte3Ih3MfjLrVAo/mn1nEByvaFxYiIHtoxRhi2
8jjLjxeO65Sbr1jZgFP/khAj/fbooK9ghCbokOV/eY6A7f/rBxdL9gUs2T95
xFV6gCjDkkmJiLNnb495xLYq7Pd9b/ovY4IWS3Zeqv/iokRM2VzY7V2wCvIv
GjwQOS446OXCGsQvgmvWA4Y3mgszsTNl5aqyA4vZ/wLW5gt2SjF2Bqq6FwPx
6eB1Hgf2r/tFasJaQuDfPyrzq+6RRL3//tGJfVG0XM3ZtdkfAV06DajZo19h
fjtCXgMSSRclvG4uKrAFSRchEiRvVtIV8iCQACm48ogFlcxy6ZyQrnWdsyG2
MvnyMl8EoQxqOCcJqVLv5oS9J2zLhcGGxNASKkDAvCGfw9CbFJ0h2gknKbQH
eofTMWiR3Vq99+ccZ5KR1IeABzrhps5I7rbiWGbjWE1gKUm8B1ZiV5lBEBbh
G6utgTUEsY0seqwraLcIxbDq35QoLcctiKuEo09E6gRTvtJAWI09ZW9jATJJ
YGS1XYIOZVMcniyvAwTQ/oEosM/gXTaanqnuf+q1xziec12UXVpUkVY9dHKB
L65JNWQ3lTdHmNDrFrJRPllnFrN3Eyv6r/888O4yvxbHXEXcTgKfGnuGguvF
nm+NrmLbPStKzLuNjUDtW+KmMbXKmtC2BRcphCQbF8KRBnTJICybVbZBPlsQ
r50XzLPsCiEWNswjMzlN7/UFJoo5F1/cFS0g8Bfxyl7DjWuFMB9gWHRENK4m
iObmfYAgdDlHC8P0aNj0yNCwuQqwrotdhF1XVxquZgMD7PolfCoKRceaER9h
rL9rMrRAQxjEoOAg7LNncYeDSvi+SSi4rGUU+BCSLDWQ83+tHtIzMXsln7/p
G8Ikt4bTM4CjNt7rDMLnHHFDIvfLn70gG3HKJeKwmwSnDJfPwFwQm/UCC7UL
FPLBRy5etufihRl81A1g7XFOfR63JjLkRkdO+JL7MbiQwcS6TaFVAMJlzQy3
/60NPu5fnX/Ebgk1dH5TEDnqD/+ds5daVRyxSbc1x6StJeymPzu20tWl5AOw
6a+WXI4hQIly/Zjnq3RWkmgt/kv1nWoUimfcuzsY4jc+7AHOaUeGp4atGZmT
kVPxNn/E6BlGB5DZyXZy/oEnwW3YBGHVRasWjYmN68LafyDi1l3mdBaeaUam
Ak1ClwUFDlEmy+fFUvjTIpkd/NgacxDcI5ckhnxC2F8FV+9uahAoiSFtcqVS
GnbgLjWGS1ApgsgZrAbzhtMiWBsp2o+cEVIT2rVyJKSmZas2D+JRORwFHn2H
QQwPjrlrbq2uo6YZpafX9GP/WHbjY3FO8fjL6JvnGqluvaRKJoHdvC0cK2HH
cRWoqxOkiSV/X9cd54nxaXut1ZtZQsMg30Ug38YHWTnfkQvFmoiFtOFL2mSL
og5ithDWSAQlfD8O65qE2jWvnuOfdfccm8W/2quffwLKklBwRbh2mc0/JqyU
4FQ8d3CB4t4NRUPmiF9W3TivgPVt5FjjGE6Opy153CtMeg3eJQyLJL35R3V8
gCE1xfW1C2nVGwJWvhlgHcKx1QTQY326cbgN7ooFgVv8Bwi1op0frl344m3W
wi8JGNP7Cr04TcYe4SBQRyQiNma+mb3FiN+fnaRnJ4hH7n6rSQ5q3wvJbIbI
MjApttSECCkCGFC5ENOK3MAoGl4Et+BGi2hwr6lE3dBRPpE9bVifNdgtnLIh
sJRrIl6H/itr5hp5HdKh+LK7u0KlAZqBTg9uFxgUUzrUFb+bbJ2en29P2F5U
1YkS6gx0dGdnadNaJMInuvNE3CRqpRSfs0u6ccamKK9jeP/BdpxJM+AL39pD
p4O4LCorXmQogqP5CYPdnsz+iu22CKw/rlQSFiGdNoUQKRC4pfOEO36OcWWn
gzFhWbKpV5b0XecVZzbZXE3C3VNHk1g+EkJug/g5rjnv1g2qUaw7a9U5uMnp
4m2dnh5sOyttJhFe3ZeI4lNJXfhN5Ale4L+aZo4YCiGKf0QMZFl8zPsCZYhW
7ZewV1JGxrBYvBGEJxqiqBAq+plyI5hN25bpRf47pSno3r5dL1EM43uGsCom
D7H5vYfYvGAjgu9JrMp5hS/ZKXnAQfVs3HIWwTO2Y8hvjqIGcp76eqCOIuX0
etldEL34dMHXBwIvzYN4Jc1OE5+GBiRcu+2ojwp7rSQIObTDTjyAATir05Zt
zSWycNFYhEClGY1/kWUnbxFIeOwDCT9/AxOL16RcJtLA81lHNvZ7huO4ROON
syzlewk2e9DoQ9r31r0mle2+i8+FFKgcDDwMc5mNAcW3aRGO/kH0f3ts1Q/x
XwsPythOIFkPBevYoaRg+AtsfZWLDk8UrqzXwfuZBmnT5rPK+wwnnH1RbVzK
Cq3UcCQYFsLhzIHdsJepYa0azhgk8Vp2W6BkNSmbxu3Jr9Am0BQDG7WYTcNp
LGU1vRQOFxLjQq4RCPLepjFr2HMD/0SyKipQ9nmYvpb1giwUFrGz1OfosPxF
JPjw7ZmGvApxnABURlI7IvGcWJwXzEIUkPWqdUGLkgFG3moc3u1l3mXQbgyU
DAgfR5KJTtsJXyPF5odtmxf14sk+/M70k1hi2sh+09WmJ3B4t7qgWYQ84uO1
4Uj8E6HfVUPiTbOew4xsxFF3G8h6Gt0Z10RIzjg3DcsKUzVZhANYy7r+uF6R
1t4oHOzeYSUCibF+e88FJsNtNLCn0SXFNIh7sEvhmAPr5g6nRVR8ue5skDNt
IgOB0ZufO3DTu0HAlHX9f7nMFZF0Df1xuMxjWfFCLHdRXEG4rZ7LTVJCoqRm
2qnRhBofThqhghAcueRyM3HY/9QdN7MwcBl6WOGd5OE5kb4pFhaL2+wEDlIP
TRxax5ShH+wuyVurmhZEd/D4Kor6spTG5l87yRAMAdSUNnm1LnkBLHa2Mbo4
Vztn1js/+/F740shQIcGY6mYqbdCyHzkpdLNIG8shqdo2EZk2CCuiNWkb0Lb
XSpVKt5b+/LbwNv1+Rs2sYsc8ZXfbM3evH+7HTgjBSGeP97ZZRnDoBYkbGKa
3TESlSncUZOR+sliZhBA9CXPqeXRWBgRp555hk0QeCQgZq2LxXfIPuPJfWO/
WhMdp/5FNhrFZDU78cE5ybYFQccmPWMMeUUvmpQ5xQh3yMJby0qxlNCUeSL2
ZSQOQjze47tjWKg6AD7KsbFGS7zxQ2SXtmyclCBgUgjTIK+hulrzwWs0Pt8n
GzON6xeoN4E4+nj6AhMw8Xis9o1vkpPsU7FcL5PXTXbN25MScj0sHXpzBGW/
5uutk9dvQnR1NRkIbZBjtxA7uOghnFpyBrPwG0xDCsjZmxjXfyO1E5kP9hEV
1VY0YmOeW3VvEKHAOBtXsaBZgkl8iAbjbsGqqibC5KpCnM5OQmqt4d6cCjOT
VJivsB7t7vc0BFb8AlGDXfk3BcHkcl2WOWwDRdW5CDEbVpBxkZqVVAOCJn2r
fI9tZ2HRQOOKadhLW1RR7YzkvF5kyIe9Ie17mVVrRH6QKCA5eEsOUFOjhB8r
m8/z0ioRICuzo7P04OBkElqdrhz3p6c27NI5dg0++f7gZJr4WjG9jJUxWMb5
GFV9Z2w8/PeYHk4dDabAGdol9fhpnDAzFVOuLabISBnM+hXHute377LC680P
ri6IVhoWOWHErLNLKuRlIQWFXCYNkR5e2CTYBvsMDO0MEgVxRM1iyjBCSiOg
AjDJXI1GZjHTTvYeP+ZnRwcHQvxA2TIuyIBvO4PyNB2psS/uX8Q0+dBaw4I4
VopW9GBfzgtnRPeyEaeVuJAyDHv/yl5EK5PgWnHLoF7dVZGT5kkruc1DO4Zn
S5Mg+MpFGIkJSl2bbvbhhljj01INhSrBbccu1ZGiLSRz3zuWtQxYPBuWG1Vs
kxQ5FLhiD7nNGTQmqmQS1YMI1CsRj1/GVuUx776GwyHdCXTNJ+a5SMksiKMn
BPg39Q+gYgdDepoQeLLOveVyeIVhXm3UFudsFMSr/00iE7O5d2S22RVbN7EK
BqoshbUNhGDVrAdIND9971zhXttU8azJ/8Y1DPz3V1lZIvZt/pFL6OB3jeGE
NjzOkOVrBxvru1KfUObe9Bqr3T+XtwDxn3XOtoZTukOhM6TqVrWos/YDx/zC
XAyUVSX0wP/0ypjcszJCd/4mNG1wlS1vrewTKIBdfB62jgDqljPp9+hhNe+T
PzHUvomijzT0gqSBsYQnEwe6qSWqddmHQWantcWoOX0kEcsMIljVIiuhEBD4
RLY9Z72X7bbhew7MpiUAdSykBbM8ggzM6XwkbUjIgiwNLs6MU2ruepYdjS7t
A5Xp+nAfqrAuYc1cr7QWXJwgZzQ1iDM8E83wlDIxUHDUjBKM2c9M6YcfBMG3
EURZw0reHR9+F6pIBvKnfgk5vLgKY6BD5YyWQj/NrX2LJZIgV8+n1AWnr0YT
V9ODvf4iMscaZKRL0FtItks02S5OyznnBD5NW+zn5DX2XuTzTCU2qaxXcJxq
pJ8BMbo7XMFQukldWLaG6oehsYHuGjgbfAhMUfkifHEu0czWLD4W+ojQki3O
SNy2jAV8lct8ZWJb6TiWeMI/hAepN8oyW6+0OCNx4efQD50eFGU7Fm27hq8Q
GD2Y5YbmcE4ywl3m1RGSbtHtQSBSKRpWU8Me6ofYViSJjjIWwAcH6HIuNUvZ
VzZjWMnls6wISTs8XlZyer4N3WAgHqvvYAB2VKqUwbZfgpS5w15IRQePDKLm
msjz9vc1ZApxtDgbp/W4lMVVbgl/J9UVCmS3pCgZy3BCSVbePiHL2MrejK4s
u+ryJkAotsZ54DsdPkTV1bpZ1a0GtnNsmKMKixoxavZ0JC2W0NgPGF6BSxSo
CS+IZHOLH01xKnp8MOMCGgWfoJrfUWnnEkgb36aATk5Y7dPtq3cUv8j7NeeS
1HcVkkoi2CZnSPlyjMuwCdBhEYhoEEN9Q0BGBePNwB+AtP+Oa41Hi7J1n2D3
4vUroJ24MuYTxHU/tujaeFHTlmZk66pFnSxwENZSzpwjmJrkkq4T7GCrFYdy
2R1GxZKSV+FLpKBwUY4zKb8BzeU4suImW69Oz3483najqcXoxf4+eCVNykW2
/aj0XOubc6K6Fvi27Ff85G6vXDyhy7WIKZK0tGJJp6JPsD9fjwaWDYTAo0hG
h0R3CUhkW3PGUQzuWrFRRh1c+acV7OwIaytLQeWG07YnEByl1CD7Q2DmDSYG
vCPIuihK8aNBtDWMU7YSFnZpw898RNZa41L0+rCNdazeH7IcwdKkHqk/vJEy
9ljM1uvDd7Dx0/9I9TTerC6BY4DMvVOhFpCwH3YpT8L1RQWNVWoiYDnxii8y
0hDisvdO32pdGuNoqscV6d00pdHAu14N1PvuvAOGXvthYRitVBvJGUx+/AEl
zdqWgl7Vq3WZdb2ERGP3G4iSIUuKalPen8RCcmGxNGoAtaWyw3ECgYAr4iil
1OSX1hUvnTj1cGK02Avq+cQyZmhl79UTHhUwWFd1ysglqdhsAuyDjU38sZcs
YR1aBapwPxxlEV9o2ChtvordY694yDffcLXpQF1oewqBq6wk0QPBpnGGI5mt
LoFOMs9p9Pc/HifWGs9a0iB/xr4dDcTizsIyRL4dPggbY2oZNQgyuKmXnBjq
EvpHhfHWMbioAkBgSEOhnIytXWzrhmdKJLa/5JeYVBXYcMyoupC9XHCpCHRu
H/feJqh/k/xZpB8TFu1sXaYfLgvs/XYE/egsR6U0jWcwOi3/JN4QnynIoo/k
CiLkfCBGqqQgmuXBzMKSxVEWM9nxaKyIGs8ioyPj1VoPsp4kGRYNEcbSynUV
ExALp0u1QdNeYXgjTGd9IQo0tnGEK/qNlBCW46K1EIE7mDnHkYZE2HeM9REF
MnjGlT1JKpbWFVsvtnVqDi2owokI9Vc2GD4zkTmW75fWzVq1+XpRpxJ/YUGk
K6kbtRHKQ/Z5wYVguPYqYpBctEOiqQSJM7e6jkG1SyyWFE+BP0I9LF7Y/CHF
CZdOZPGBMyVTTJSe/TDbe/qMXchcuJkm0tN6jmRTLfqNBmcMNsgjAw3vIcqr
N9vccwHjm0qYFz8Ewh3M4nIoanBybqGRbCnifEFxYPPQ+iS3gGtCxsJhr3yF
zaLQwhoSaikRONHqQh/nJYIMy0JK84uHaaywOuOscVEmnAY6mgLmC1M6jh/U
URR0QC43OBL8qjo5e2/y6TVd6KODQ9qnpLBOk0NfoCaitJUDrhFF0jqkA7/q
2PqcWQ8uftwuuzpb3jhYkOX/XIpUk3NYrQECHzPNEexV+iOUghFYry+Cbuoq
zZerLjYNLCT+Y+vw7baxWQmCeZoU3iZBCXGlf30TFsbn4gKsVzBGRKWPeKH/
9Z9/xo7YS/RnwvC60b4MvnZpFBEJWbhdZXb3cc12FQOswz6oC0NAh3UUNlUW
qZELYSupJ66SujPRNbnVellribw3XVj1DIokBxzN1VNDrKqrOaxwzoE2WDaX
qGfFzK4DY1hqfav7R0GIol6woyrmbmFumcUH0RI4JhjFWVH6+8O5hOoNi1To
xehIhO2MRMIhqLG11zRr6HMixBVCrbh4uOD6ItukoGuknTQSey9Z23T00AGI
7K+MBHkq5lrsJAgTZZhBbRcROuyKIuZ1WzA00Q4pOE9amblD1u9t0bqMLekh
oVIKCX/ZtXgrfUSLyJ1efVfHF/dVCfAx+NZbvBH9zL+PCDXqOdepkVpgOi1F
Sce4mSPFWHoyMHl06WgDytgnvgXHsdMKOwnW62xoZ+Z2lbiqA1JDIY96QQRp
U0kY5GXYCqbrkPYlY+KyLQwm+nlo7RDOWcHir8qrUz7N0F0YG6/UYRS77O3B
M8+/zKHKE1FgMYfP6rJBYRsYn/KevCoqrmp2M6hfZUoso1zY6CVTz0lcaGQx
6MmkaU1BS6gEmVEtZBEYRJcQ49YtY52YlDL7thlMnKMo4cNNrbBlnQy1ZBsl
hEbsRbBBoU/VxBINO2xUM467z5Q1w4BZhlYJdURJPaNsKlf/jdiKxb4lEqZa
ATUgl62ByFIxIh7t03929x7T/z3df7r/v8LMCnxsb6owiIFbOKr3j95jT61P
15awi3obxAKI0NdIPjFjnHKkbh5XdOACV2wLQSOkLu9TS9RhICCBVUcxump+
c0mCttql/I1z4gISYhwIFyR8qqrvI88TrT4P4s7EXMrQ+PsSat7OHlpoQRuN
1ios59ZyDiO7d3m0rY1pN6Hb9l5Tq3kz3FPPLOTVlVEDo2jlgP4llljlXPFd
SLY0i2EvJsFFwwd7pjnQiaOqqctSqure2sZEYW+jraOzcxvL+Xzn8Q5b30LN
Dc3GLLV2wV9bByfv8RX6dbJBLpXenb4LjD/zKEq+FpVpzEjdWqtrjAZr58yn
6/FKsxClYUBwWdqxIIrhbTHhbfkzh+l5ReKTzUSlj79v8ry6Azc7yQnDzjnn
438RhWG+ayReR8M6LONlA6LPcVZ1SUIU+AUCC/zoUfOh7mZwlfCeNREpxfIS
CQOMabgDhyvta0GiMSwozKSsYEmbsPaL5GazghYmba9CEiE8x3g4294Q+67B
4C4QcOfxyyd7L3d2NTTCnYR9/Tmh2arLWZMffHMJhyV3WqJN2yzMy/y6qKqg
jQXeFLD5IqTGflpU0ccvd/b8uxZUvFfa+f4OhCei0mAOdkwY641kie/vpBxc
5FzlXN9HhHq3MRpH179jheWz9SX8/Ml7MaGoibtWLVUeyjN6hCcq9duYLU3s
dEWsGJQVN0aq51wWQ6qf55zZYP06iD7xbrZeKoAzUhaLNJ+7yY2fJHDHYUTR
oLz6I+WjsgD7qkVQ3Yo5EF+gJ3KBzkdq7beoia+o1lOZgrYOxvch8joXe8vi
tffKFk0eeOHxiyf0gnoQ73vp6d5usxs0YxqpiRbXunB5IOi4NaLzm8D+EhZ5
inKghkWepq6pEssdCm90Wudk7B+44sjI6oYFFEGsVOxm3dCuMpKjXOhDxhUe
s2uibiJ+e5dtaBrMAqTw8uzogRPy3RSXhapSqiWwOb23mfGlqeaj0HDuE/bW
h5ZUCUqZDQT4yHoS3CaJOr0vbOFgsIBSzEWOJYHrsp4pJQlGLGRqYTKBocaJ
X7DbbbnUrmwhjTCZu7fbljQR749RKYxN+EpzSxJbWvxdMl9jX0lG7StoOYqd
pSV39OnLibCfxMZ4gMgZ3BjdrWUlsKeIpGWk0ahbCleCCKxMds+CQWxGaYNV
cidIGFVC+eQ0v60VGTlDsI319BBaga6uBhtpUaDl1WGTRCCdddOae6Z5gwZC
Wwenb7ax3XcVF7oO30VRBWI3Xlx6d3D2ftuIrj/lEjX9+L3xAOkn0yeSze3i
iCZJJaUzDMakW0LX4vRNGwSc3I8sGlfQ9RNbWD/VDj/9bB3N3eS0Zcl1aW8I
rxQ57qOKoslL4VSiqPWS8bjn/RwxA9C1ca4434rEaOtllD6zXZjv8QdvT5Pk
lYbciEzph55nlYFtjSTEtSpEqtLFVUMRCQdnmdQ7l5ApVnqZMjQOD/Q8pekL
qx5VDkTNODv7zPbGap2Rh5NSNqj6my9URzt9kxzaJeHA30uaQhT4zfqGZsJ0
ImZY2/mMb0ayNTuehSHpIJaMHr7GPFEUG4ccpIFLyZvQyJUg8YX3LRYJWj6s
IvxLEPRHJ9xAU7btU+m7SPmkBQXr0cwC66CycSwcBZSJgZQDtpFLn9M+FxNJ
wWeumnMqDHNw3w8hurpEs0nbGcQMaXnKSpv/WNQf9GCbhMm30op2zh4LJ3Yh
pETCTxlhGIEjydkZmhTZlUmIlVFCMjn2kmshyNWBB11LBAHqUmodEtKgWiG4
d1GtuSaM1RQUo2rWgIMCxL0sRxo4ai3oyttlXVS1VbRi0+8I+HDjPhp8xnVN
OFiJO/2Zh3sXOmlqvMVga+J+giLXRE0Bw3yxuIEeNyTJmka7/cUTa/0ejhX2
JQiuBqB1JguJDCxdUuFC1YXgAD3QrdGwt8Dftr4okmSwM+fl0EXx42g4I2yH
1n6hdSOkk1O/Fi7QMc/44QKdFiQANHUHHlJ3xS2k8ZSSxM+dqIXOsym36+Bv
0BQqy/48ebM45mz3mkk3HxjBR/PhIdWW+bWkpxRjoMBgARmy9g+cey1lbjJN
xHd0NZSlUE7BRnBbrmF8TVLbRjqkbtuYFkVrdFSpmBD0GgoCRFDzRqu3J9ll
PajXgg2LGopYS6S9arBL4YqrXfpi7ajyJeYxAWTGb6eXmxT/a5u/0IY5Abzi
kkFCg8RHrWH8cBq3xuuIiRrJuj6yOMJp3dyoc/QtZyIRNeI8YBN1G8uqkbtl
beASTnGKsEqSwQNJ5x+KqGj0+5GQAdWmzcDE+Sw2cYbEIOsmQfC9quNsuj+Y
SRCf/VE078vcxuV4x/RDTrco6v10ZO3CDzU+zI8UzaoFZYrWBQJjeUQZrP3g
8K2ziOiSnYU2mIs+UDZ5+NbSxTAEn2eehrYHmd5ETkbBA2RMvXWtDLWnFJ+6
/OoxhtCv2bzlYIkulJrAzp3jsoqGyMoPVdFxOQT3zdQcX0khEixsVspjLx2w
CUPlDLo8vhIWl75APAVbz81Y2ovdbVDCWEHSF1AE0bwYxRYbZw+JMW+PcG+3
h3ku1jcSxuJRgr5cL82jc+VD8iZ07MD+4rfvsoEyNdPRvDb6xLYCDfR0n7Xk
S8WHYdpOyoLME4sp6pWNIC9FKSRmsbIO6hvbaA8xi1Z2gl1j+kjzgu8DgB97
eIzFQizqwkDWmuJNuCHco83l/EO87h2iIGcfp40iAQxtfiU2lD/OVwiIzRcx
YO8BDDgbm3Jw+hY7/9mz7wWLsFvbBQwExaYDk6Ae0PgeQ5Fcrd4M9YdAbsZA
3t+RWm0jNK00TLmIKHSIyoUzi04ju2kM1cI7gQfoE1oYhilfRK/DAIn7iKui
BUD1ASliQ0x4/AAmyJWD31rYTIAECSOBfyHv1bhrjQCN/YfW1Z9Xkvu5ZHro
7HBRkri9k9sW8BHEzcCVl1u0cHu876J+B6l45D46xDDxXdTJIRIgUsttJkCv
qWqUjocykWnZbCF8en76ZvixOGR1hJkPnXfgbIP6VWZQctMZ0wT0AwTVrpRi
mT0LrJ28BFtjxfkrRfofkQIUebh8IaZ7AIt2HyIouR3Ao0sPk4rQLODcCCZs
wOxSLbBcbxX2qTfB5VO/opSViZOSURQFRX+4PrtCDhLq3E9g53fXewTLBens
smlvBJs+8oWUB3yiqO6REF/x/Ac+AnkI3/0eeGGAtmSTb+JgjBCgluBwAI2a
wj3VskUromBTluXcNbB+akJFVNG6Uu1g6FLWJak1xgy4lGQUzpAdUOZZcNbR
yr50qDhHUuFBDUfrsTMv16B6XtabvPKg4VxpwJHNX4RQYkUQmLJIz94aBuvw
Y3V1id+RLiUMzNJHRsEYbA5lINu8CXpamxFcYm3dSYnyRTugPpcFNytXxp+1
opkiElj8AfaIvGsWYjtqBafqi2eP+jJfFAOzoKZP2laAiaSQ96Ls7j1zAjZB
azYCK1oEnMKRYzDjqoIPrq1vlg9W9hUL0a4tg8V4OxY3eeRkYXHYa3Yh+n/x
CAe+AAu8HZFDvOvTKo6VH3hvQnHGe5l8HLtzBow0SamHjVZkDeBSnqCKCbV1
TCvhGt1x1LgTah8iD0NxaUw6Vdy+KrNrfsl46ZckltyRiiHgXXS8K77yTmtn
j10vLayiHbKsXm17Q0sPWbUh5tKlROq5N8xWGromTdYUXNk2X/WQxKamFeJb
HCSQnt1IKc7wPYmR0eJGzu05NBRpXsZZHCb9z9oTHoi27psVBopxeKCjSsWX
FWUzoign/5eK8peU1K/Uvb5auPfBLOHW79enGNDef7n4R1Wsf61q4g7O/EtU
k6SnmhirmvxLtAMvFiWRJG7+USLzJbHb9MTu3jUJpe/kq6Rv85CkHKsP8HuN
KllMhxVxC++3xsGKAa3aDMTE6ZclaAgEXHLl6McPthPtQObg8gVmxE15v2j5
L2cHJqQ3X2YHHqieIbDfe9RfKOsdfzZU9Ly0zSgybnwxw/14MunUbOvCdPGT
VzYodkgSHnJg9gnbV7g4v3YzZpx23LOZ0vo+RuR9RwDNQwTQd+S0QxVBSzEu
McfhAmF0aivhArbgpUQLCKs8otGOBHP/WTZ5T7bSkEUGI9pAyiiq5768Q1RA
EnHCNww0tl5is9a4vl5Nr3fiaUGmsbTuswUj4xdRPNAVH4dcU0oVYPDmqdF4
tP2nqOnkSl0RXXC5ri7GMub+EI0Ch3SQ7KeHMDXOnY29ZioJRYV7t4ICnui6
+AdXnpMI0DJLA/knva1J6sybX3+dmH60/rYPYorWyM7Cea25t+okizIEXTcA
HyY1iB7pF3xGAQQNgE6OPhynz55YJBmjkFLzNl4XoUlZXAlNOr+rbdoud4OJ
K0H4Hbi0Ec+YXTsiKGZngRk/gIT1FcgUUx9QEyeHJ+AbvDMEHg1L4lwi0YXL
5xRBiQuNHrNTBuUUfXEnwr4rrSPI+5XYZpW7dYA4aRMQC2fpNWKe2F5OhnvG
Poo+fsTh6YR08FVLO/WometYxZgsqnmRoiPTtRe4e9mtEq9LtOKjOvgCOcl6
UIlEAS+evJgofnCxg5PZgS12zDVk/oFJCyZ7RWgm19fhFNBcRFh3EUQYjquV
LpnCFpE9OAxk6ZFp6wwYzaLzTrdtXFhXyGw28PZYis32yf94urcj+clabt1J
7C+N+d/0H1Ms0qxL2/CdJHn36o9HB+fJ8eHR2/Pj18dHp8nLl79PPif8cvI0
+dUMBqb/4J33DXFu6FFnHZz9ModQaEkkAVpkjaul6vc1dWTwhfhOB4VtLGk0
jjQGrkjVGqt1WWqquWqNra2x8TA8XLw6s4SNgN1G0bjMiJlFMWCWEqHA/hZj
qGshWzfDzkoGuqjy2ZYILPsvXUWWY0mQdKUlSChtkNu85OKUraZMcjnforrh
kMUyqNFqa/4wDQwR87d8KRfredejx8ks6iifbZTC2E1mUrVu7JpYwpB5I4xZ
2vgHXYm9BhxvNRu/bVpyFu581fM3MYWw0GgZtdiZXAYEGt+zRO78f8HVR3Uc
oZeQ/H3hYnxke8Vy/zh7aLZZMpuSucUXiLOtoD41J1wk5L5UYpcoo9VHZF1R
sV6N4TBuxu8U3cKA18JV4vUluPi1uJgolwSTAzM2ZEsT0kMgKNJaVB8wtmms
IQ5ZcBTQFBI2dtdKQZWQoolaE2ARanUgJddWIQ/GAEll051tsBa7SC1Dre2D
BI0NJXrF2TuC7gwj9CWq72HzdHkZLoT1MgqniEtZDdmF6TFQTm5R+oCt6q5H
uVYbAXtv+lgIeVBKaB1194vvSiz5cUUiQxi/INVzEKPbp6OTuGJRQL48UujO
Up3O+Qe/QEN9eRjzEI+yJVqvORyKDSgwALaRSnIPlH1ZK9kv4ksk9yqTUuZ8
aQhFVG61tWHoLHla4yvNWXJq6wArMjA0tRhnZuuUReW5dF3+ML+LQdovuyD7
Ev4XXYmQj/zDwklPkgh4oWrsRkRY98b9B8ca6MianAe7q02Ab0HsnFf3e5Pd
GzPDWXHMjIkyzSxhwo3nF6NilU4tKUlVadNlNldKltYV0GhWGV2oVnBmi0pm
k+O/GpYo/mHjC4dbeQBuJi6qovYzdZ+7CJ+SW2Vw2F8VAyMTc7gvjK8k03WB
D5WroWbPGN3mwffWj2axw/SKNo/4R32bkdimKJd+ZNJHsVX6ge0FbZruN9iM
xGRPtI3PMEqOsNunBFWJxq1xD/V5rlrlKF4hwNbSOLmJGY/w7uD86Dw5Oz89
fvs9EMreAUQbKRqgErRWMn1m69JI0ltwTUZefuHq53wJk8NcKqkwwRTDyqBL
H+5EBJ3vToR2vMFRc99EMEzCvntp1V3tA2KVK3ci6RDwhbSEsgP3aGvj3h8I
/63Mu8g5QBv/IJJHWKbz3YdjW8uSluEqHTtHWSxQcPxxKUowSqfHF0HKQWQm
OGc+0ckXKUYswMAh4Aq2OJ3C7hcK7Z3UdZsIUKKSMv5ZiJ5KXWyqdRwHaVO0
VDsOjR8q5CH/CIFRIuOp8An+46VEOoHbokHEehL+VmpxTBtlzJUdvOyrPh13
mkZqH+mh0cG8qjld/mspZuvkm4hdSPsQo2VLuBZeWObTWS9CNETlkVWhFdg0
yF+7ybSxozhIAgo621irBDdGkWT/kqTIqi+khpfbr1iaJt/mWWliH1cS6Gdh
zSeu/sd1hXljHNNY6iPuLWFck8i4SYxtrdFCAVKwjDIjCfxaFmhZFQ7PEdTo
COLaUgdNiVnPajhYjG1GbBPRJsm05qzckExoghavvAWXYe+KWaKWSXHN5bpY
0LLw4+WKoDWoA8WGzejFsFrhSGY8Oua6ClcwgbLMxI5YkLw2cp2NyxWB0I+4
CWHdHWpfuqR4/90ggtdWcjt8e5YeH06Tw7HJnWvurigXc9TT2Prpdz9tQ12E
tAoRPjkfSjpu7fZzq44aHt6V8sKnUf0uZ/xrA/NjhHqXUvbmHAWEibW/J8Rg
7nBCGj1Bfev8/cl2HG6iQLPlR+RFXmbQp+2pVTye7O68cH3azD2luoIgkl5e
wf//TuDxCM//FidwuMxQNL+34loWafdZOdf4fq/fBJ10UJC3S/6GDK+Oo5rW
q6RdZRB5ju7xbWi7J1emZRCByqN2QdJytrwsSO9FsobrcSmheMOi1mJBtnVp
mtxuRLPdQr9tO/RDn98TXDoa2uDPnSbzWXskAxif683xYhZXORans67fIvT9
+lkHjmdbLWCavGP7QxCuyW0W8k5rkQXR63GspvExrdDm2qgCwYge7oJ9wgjD
2D2oNxka9UilGYtFUpxRXV5dYdvl4U/5SkrkOSHBsvaxQi8i3mjNGJviLtGu
g7XGheBsEUdfLME3Z3kJQ/PHlWbngQawKsK/ieEIvylBtSVW2TWusVGdRIT6
VHPICk1d9qrXcAlF9Ub6+iu9G558WNmCH0xLSTJAMfaW+4VwefYLKc9+IVai
X4OcWL2WztdqO7PwM+6bB9HN1YbTNF3fEM+4phVNXkhGnQsfTDipCwZhreBU
/CySu8/zEkGQ+SsHK903jyRCZAumhhiOq2Pbvs8TI135OGVxZ5fbP7mNxHxI
En9cebtv+1P6Xn8uP1bjxH21NoLLXVT2Xqvs+XJnnMPprbJyd4OAAJxx+L2t
o3MfeTX9gpBc2qFPlWasAQb6axyqPprlzS12D07eiwBMpEOCQKC/2YJqd6ja
AtDJmfQ2fpbnkRI1icyAzgioFY20H7UDlKsCL+GL8aaRs05LGjQbeUdXDlXM
GL+DLy5qffArl3n7UkmRSY/BVIuocAiXQiSg/a1uWHTiw5M+HMyVUcVO7yrm
zbgql83jZ5XOeaRZZrOlouCTh1Lgc3MZp6DnLAmnUVhmsC7uFBMFD3mzk+9m
xE2PdDROAh5sOOPu2cmTnf9hl46nDbp12cVogq7tbrRe+rpYaK5ga54s+hJw
2PdUsy7parWuTHNMtlJrt76nbZexBb9tcTHIwrZo7yWUO9+K3fqOQ1z3VlLO
tzS2yKIoqUyFfCIDtwC0TBvh1L9L0HAvL0sULJ8rXIPKIxs0Xj3YDnN4T89m
imRxEj+LnomvXx5SoyCg44GpQEumtKTZbV0sJE5USrZzBimn1gQBoF1U2jio
fBUXnEtGIoBtl9RL7WGlBpSgIDmECbrv9LWNsWjQwHuva67TLvtUV/Vyk8Za
t5AJe/PDdtgi/vNagg1MSfpvg3ZZURCN7eJIuNKyGKLJo6iZbYP9abjHyZZG
4k6Yecd7nzxUunsbkD7W6GkOz+gHH9kgC3zvcCbsjxPKUTh5dy9EGrCIL83l
AuJlmyVFLozQ+5S4Mv0SsC3A0LA0jDd03wXRwr+TUnOIIB/bl9uC3nU2PwAZ
1gVcJSJuc8hKLkCGzytowdxnhzF3C1teCIYFFTZpMGACIemlmCEX/a4ydGly
zvRnQorrGrID7ScGgMBXm7BDohXKxcOQGNLdbGCniBsqucJ4sYwaqDs0GGtZ
w9m0dBUWeygVI1pfTsOLR4k2J+YbCUOoLXzTxOVVjVbYYe4rEHKUFndOrgzq
Gi9XWsDBi8iWFUE0YtNx5+l568t62p4icQNeO81U9nHgC1gcH6IMBESq3SfP
pApEXgUdKCdc11REelCtoCKDzYuXqB+xIwVOW9HdeNrWWaD8cWRM6YItMBDv
mKewBfyuaHPoOIqyTPN87QXrqK9s72IfwR8LXU41HcOmwsZPIJKeC2USdUdw
38SoiY67DTsjHQTUoKJKXnEhwNDeYYmDvVrWWGx0npZjm+7r8IVsGu5xEbe+
dqtQ7KcJc5dx1sN2mRkLDTz/saRi3/ptK18b/XrJhezF09fLfunVK/OUt7F/
kThlgq6IMhaCgzXKwlWpskI23wL/c12yGd9J3cYeIHfoKUvsgnONuMKPb3TC
27VVxvGDWpqw6GNJ8qH1BGHfjO3Pdp49k/A8Ru/woLW2l8qvq6afmyS3mG6S
WnYxnbJA66CPe1HDuxV0KHcwykojjX1j7Ths80PQ+Atxv3eltiQrF/jzLcEo
kqF9IU4i7FE0BDeMlEqhyVk/E0eiT7D/y6ZYXEuFIL8+Z6be2IgQNe6Dkqf1
VXqpUoPQeFtOMuIRpK94EawjisleFpW7b7OiFBrjJsLvHHLiAeg7q0OVdBai
qsCl8zV1ZPO2Ww600flHEfPAkPHTHM1+FpIGrRVY9/eeoJGmww0ARAhTq4FP
EZwTkUUQJbNJUFwkVAa08qdVLDVmTFLGfQlcIa9g8xJ5csPhTqui4iChQUsQ
vmF4x5FEuw1BWbwfy3m9LuVi+pqEjfFcgp5rJxTo7sypSRnsNTxm/uYERmei
8BC19A9Ov7Awl4B/GGaTfDh9E0Ar8qBHNl5/WVFQLHE4OBzSFVXuKV1M3OFq
FRv1J9acyz7U2EDaShAkPYtCj221HsaisRZMXHkNhvlXrB3MoocQfa7Y36nB
5ZD5tg5nb4+2MeIskd7aQs+qQO6GS5BDfNKubNXiVCw4qDDMOw11gRVhPbcg
kTgkIGyjKa4SAYsJH3nDOB+8KuwbtMe5/i6orlRlrlwwDXV6Cv/DRLzFdAj+
wHCXnj3b56Yfv4sYLRSYRgUbDTd58XxfDjNct5VuetdNIiR8MeyB4sI6U+DL
j4R4RsqAovp68aL8KxHYe6plmJPk4NW709Q6YSLUCs+ElM08nZO6YV9lCg7h
ye8K6OWaRsr2fK3i0MM2oKGoM1q6Iq70+rIPVGmNy13q8piOSmcHafrCGAuQ
cgm/a3FkSxyhJciBCKuKhlCpgCAzRYx766HCkpEi4CFwc226TnuimyCVKVHK
qm44vytoRzcRwmG0sHBUrEzr9HOFFbQehUcWZkRG864pctTfVmNpO3HyZVeL
79qDfAhT0QmD7cftIhIcZS+mVHUGTLpWj3/L+LfIiQFetTZ+S6AQgJO1L9B6
XpaVKr/GOEIQ1ZTPkVT2ia1hF2gJsq1ALhdVJRTOlX0HhQC5SB/KZDG2qsM4
IJxyHxG4JmEqG7HPBW3S0QU47JpOnD50NIRSyFPJ2UsPtXP1JLSKaKN4IdUv
Uo4+MT3q2mXXRDHprYsX264jN5f5ImYT1f7V+pm+Fw/mHFaFKoTxSvp2l1+z
FUK7S2kDqxsSYCEFQBa6lRJqKEqHYnGobKZdrllzobNbSSFJNbFc151IjSG8
xHBUa0b07Gh2aG7XZaVGce2ySlOhd2l9hngtouVsipEL6CDaJgAoDv0pC3jG
W2nmV811muXZIpXNqEnGlhMIDDO1Rvp39aqYh31eTMwumVypK94SJWX/rXjw
Uflcml+eWedridp3nz+7AyeBoqlGm5TTCxeEARe7ey8u+HwvtKvUoOM1oScj
tuuk4u4x+oNnV/n1mgQYupHX0LE5GIXOakNKQ68pDI8Mx5i41PTUr7hPOU4l
Xo8/Nu4OQkjHLFOFXS4h7gmKzkkDwfZuT8vFO2AfrlQpTMlMskIc8Q0bNqKn
aAwzDtu2B3eVYXl97OTy3lBlhdGwnkEIow8lG1lbseScdYCisoFNzjjHRFNG
0FqCN+ino9FOIoEIqCS2nci0mPpDt4986eqIsWmENFLipBtS1pbSssX14kam
UlE3bik2QWi08iHqhPYb/wTc07vz2LQdgRvg0PAd1hR+CtHxe9qTIONP/UcH
wSN257MXhXm1am5Fo4ZxUoM4OUKDHqPplR5zc8lC+ZbvDdsjS2HUjCV+KOK6
0mAlEX0RW24sESQkx11FvVNbeWSBwymtfChRfxK4ye4mNrpHa2zz3DxEy2ns
uLsCgc3ayAMUZABxmWz0C9A8kwFqzMt6vXDc3TYcgG1fmiG1JVsV6P6gKWlu
Ky/dFVpPcpVnH5PT2QkdbN2tkNXTBtXntRZo61psIWh+jrofdB21zZ414eB2
ghjoJhKBRpCm2ClHAV8VVajNA3zai8oZ3klDZKs29UEko0el2YVFjvhN/Fk8
n+75GPX9x5rroH1QuR7og7tkj80U184SsImzakeIJ7EJSi0Ff/qKmhoagoVI
1y+ZgvCHcDSVvaZE4sCWSHpBFuvPLo023qkP5gixkS7pL6EQkvySnAYBib+Y
X9IU/0dvDe6r5Sw/0UeSiWxphlbPWJKEVYTYeC8BDow736ldRFev3gEYsUIL
0OiC/HJUyvQLGrz//Zfe5yCAGMh0BsV19ftHSDl5lJDaWea/f2TvQgjEAITt
o18h573OEM45YwmEEeAwwiUfmXLGSWAtsgC8FwoVt6GLgUqlkIgr0mcyHSxo
KCdFeJMrTJYW1d8EmYx9Uwu0ff48W142pHHt7ew+R/ouK4IcjLDIl+IM8RGu
QYn9ogrjiJcEjXlRr5GIVzQLts2wkQPiwkjEmvAdV4oRAWpZIvVko4sVhPNI
RlzcL1F1433WeRHBufC/vth5vIcNaZw0XZQTpXQiXHmQwc2RrG5IBuNceknR
V+FMQ0iYS4t6KVTH5NocS2rJS8EA1KlcIpNxLrKSP4x+IXq+Aaua+yMZrrb6
SfNz3DqshCDMu9OEdhEaVOESdh1eDwTSSrtSYTYS04sOpGze87BdxgEHI925
emIvfZrSYbTSnLSqizaXZovJe1TJ/tOaALBeJgeRh/f9nw62JfnIdtDqty3m
/FeHHVrKwFUYCHRFl48F3Y+tKLCyGC7vtIB3n4e47ZUM4FP0accux7yXU10t
YrasHnTf37vJvaQ6L3ED52xfDjZrUQQr+rtAgwgF0q7o3xJZEpN3Z/BY0YJX
9N/zNK+u6ehyOHu1z/jR+WvOObYVtREOpBzIOoOYP0KpzVlXBytf1FIKm+DP
eU/oCb9uw5Za4qDDO9DgpHyg9a9DN2NRoOW7mQHTkUFgFydl5a2g5G0UvmOJ
WPmZ6alxT7pBEBNgqwZgFaaoM5G5Ztf1cYcMDlIfHfOy2VmSnkLQXthI9+vG
xVxhp0ErEAmOwimvK6vmam6oVKLGzr2nWQQeCQhYd4qKk2RJFLDZyHJ9rETc
UVym9pU7bf5NcCLcF2SEXLjaTBwEjqGITFizk81gDVI4fLMxOWDZuQr7OCmB
GXejqGX7HN4Q9XvxgdiwutHa0/dHp68hab7KcZ58OhsVrF08g5b7jkw1QXen
BILPdS/SQEY/ent0+v1fmVScu3C2K8C8bla1Vs0QPKV5wEBDWyAdBl8MknW4
NcYfRi7NTbsMq1PA+d+qVbOurmvJCwa9jfsNqY9SYKYowLXoJSNPwRoYNO3J
eoC32ltDwH1FdAGNgmopTEY/4yLRmxCZWb6bWBcl5mH2B3Ue3jnE481L1Zls
O4j0nlxiNTh7byA7YR1Z6p13XFQWkL4DaC5zbYxk1+AQdlDuLEpj9tE/FidW
ZSZVUcD+xL13o8Hlcecojn/K2o+OdFiJPeydl0ltEk1J14i8yK0Ht2fLds6A
hsKE/+L588eXRcvysZSU60evDSxfdTLS4Fva/zhXRvL+7EcbIR7gLSfSqZRg
5T6+hHDarMvcF7wQXtZXQ70NwxpVDEQglnWGHZoc0VDWoqQK5Ne1FLZKoolW
XrSu3bq4OX3XmIUSynLDdDfo1fFR+5l8qaOYXY1ndEkYxAbztjiOizaICpUa
BIUl3xzKINQ5pqXCd3PtIiD2cbTF6/6ZhbGoonbvWCRJPn+jBvE06vYJq6uE
G8lX8cNYR9vr58XbPjralINz60Rj871lWCtqhMK6Fmo2GobVVItYwa8uFYrQ
xRIp3+UvctD5piM+0CVbciMGV5pbDCImMO0vSUohySgDVUJDTs7eCUwBXLpa
dBCRoTnt5cgFck1M6GPXxSJigD1sP5BEXE+czdTyXgdkfy3QonoYNDZMJBvU
LBAWKG4auxlWxb3HOGhVXNmYdwklkMyvOLnbQmoynuTPXuRat+M1He5DwrB5
P7jqFoJGYIw1F2GNiCBCG0XflrjjuK5s2xzL6TBhuKEVLJD0hj/GsAj60L8m
t489x/fmviVfzn0blEcwfmAxdeihfFU6XkyB2H751dlwyddkw5kvZcMNkice
zIYba60LM3Y/TskG4ARuMHU4+BMfi/C2qpa/lr04gVZSWZVlxHmY6hKMW+2U
iGY3UbgCR2s8GCxwT3iR3HqU4Fjha+h8HLPkfEkj2aLqnxcqsIh8l8b7Lq17
tMjlgnKYvKvLBkoJGuK9nrwfbcEjvbYaT5UKKbvhNJZA0J0kffM4EBnhtKo9
tkZjuYt+TCzHq6+XYbq9Jx9BOKzWmhTEN9Z+HRp4bXOwOPTQ99Fzzjpc/Uly
QPhm/WjqnIx7XRkVj1vNY1cSHpvOlVRr6Ji3c0rAhUvBN46GNAE7QFESz/0s
x8PK1Porzj9UAWGF9xJOmRSigskWOMOMc/clmsnlSPMChVq2/vA04TK9wZ0S
eZ3AlpvwegXJj7u7kQ2eixdKr2muXDhmzpAUAK9CF7ZQW2DFieufuRAR9upt
evJLmqgVnyGdMsb0bOWRnBUI1FIROnzXa+hRHBBn+uwiOmNiWM8LWyYFUWFK
Gmk3rXVvt3PCPduUxOUZMJyOZ29n4zBywJGT1ZaoeStmGnxHA6RpSqr2/COG
ms0/VvUdSrrwLs3nl+tKcClHespfco1n5fwblsSz6qP5Ia8+Jq+K5uNNXf48
wZ+LpqBfmnr+8YZIysScELOCMTE5rBeklBEfhNM1OVyTxGROiaCShLZuy3wz
Ma/oTv2YLdYfJwbd4ZbJjw0P8cf6pkpOSPwhFZgo63nRrJPTfLGgT87mddcl
p0RcaDBIX2cZ1qGTnBMOthpVgN/mJPkVYGO099dFJb7du9Gd0Qk0gd+QxCZH
44jlXRLQa1ozEwz2RltjEzHPAiGNbPKCy+b/AGHm0DEY9gAA

-->

</rfc>
