<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-mcguinness-oauth-ai-agent-instance-00" category="std" consensus="true" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="oauth-ai-agent-instance">OAuth 2.0 AI Agent Instance Profile</title>
    <seriesInfo name="Internet-Draft" value="draft-mcguinness-oauth-ai-agent-instance-00"/>
    <author fullname="Karl McGuinness">
      <organization>Independent</organization>
      <address>
        <email>public@karlmcguinness.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>OAuth</keyword>
    <keyword>AI agent</keyword>
    <keyword>agent identity</keyword>
    <keyword>client instance</keyword>
    <keyword>attestation</keyword>
    <abstract>
      <?line 59?>

<t>This specification profiles the OAuth 2.0 Client Instance Assertion
for AI agent deployments, where a single OAuth client identifier
represents an agent platform running many concurrent agent
instances. It defines claims that convey an attested agent instance
identifier and agent provenance (platform, model, runtime
environment) from an agent attester to the authorization server,
rules for surfacing that identity in issued access tokens, and
delegation-chain semantics for agents that spawn sub-agents. The
claims are carrier-independent: they may be conveyed in a Client
Instance Assertion or in a Client Attestation defined by OAuth 2.0
Attestation-Based Client Authentication.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://mcguinness.github.io/draft-mcguinness-oauth-client-instance-assertion/draft-mcguinness-oauth-ai-agent-instance.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-mcguinness-oauth-ai-agent-instance/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Web Authorization Protocol Working Group mailing list (<eref target="mailto:oauth@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/oauth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/mcguinness/draft-mcguinness-oauth-client-instance-assertion"/>.</t>
    </note>
  </front>
  <middle>
    <?line 73?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>AI agent platforms are OAuth clients. A platform registers a single
<tt>client_id</tt> and then runs many concurrent agent instances under it:
one per user session, task, or delegated workflow. Resource servers
receiving access tokens from these platforms see only the
platform's <tt>client_id</tt>; this includes Model Context Protocol
servers (<xref target="MCP"/>), which use OAuth for authorization. Every agent
session collapses into one identity, defeating per-agent
authorization, audit attribution, incident response, and abuse
containment.</t>
      <t>The OAuth 2.0 Client Instance Assertion specification <xref target="CIA-CORE"/>
defines the general mechanism this profile builds on: a client
instance proves its identity to the authorization server (AS) at
the token endpoint, and the validated instance identity surfaces in
the issued access token as <tt>act.sub</tt> (when the agent acts on a
user's or another principal's behalf) or top-level <tt>sub</tt> (when the
agent acts as itself), sender-constrained to a key the instance
holds.</t>
      <t>This profile adds what agent deployments need beyond a bare
instance identifier:</t>
      <ul spacing="normal">
        <li>
          <t><strong>A stable, attester-minted agent instance identifier</strong>
(<xref target="agent-claims"/>). The instance subject is an identifier the
agent attester mints for the agent session rather than a key
thumbprint, so it survives key rotation and names something an
audit record can act on.</t>
        </li>
        <li>
          <t><strong>Attested agent provenance</strong> (<xref target="agent-claims"/>): optional claims
conveying the agent platform, the model an agent instance runs,
and evidence about its runtime environment, so resource servers
can apply provenance-aware policy.</t>
        </li>
        <li>
          <t><strong>A uniform agent classification</strong>: surfacing rules that mark
agent actors with the <tt>ai_agent</tt> entity profile registered by
<xref target="ENTITY-PROFILES"/>, so resource servers can distinguish agent
actors from other workload actors with a single signal
(<xref target="surfacing"/>).</t>
        </li>
        <li>
          <t><strong>Attested delegation chains</strong> (<xref target="chains"/>): when an agent
spawns a sub-agent, each hop presents its own instance evidence,
producing an <tt>act</tt> chain in which every actor was attested rather
than merely asserted.</t>
        </li>
      </ul>
      <t>The claims defined here are carrier-independent (<xref target="carriers"/>).
Workload-style deployments convey them in a Client Instance
Assertion per <xref target="CIA-CORE"/>; deployments using OAuth 2.0
Attestation-Based Client Authentication <xref target="ATTEST-CLIENT-AUTH"/>
convey them in the Client Attestation. The claims, the subject
derivation, and the access-token surfacing are identical in both
cases.</t>
      <t>This profile does not define agent capability or tool-permission
semantics; deployments expressing fine-grained agent permissions
compose this profile with Rich Authorization Requests (<xref target="RFC9396"/>)
or deployment-specific scope design.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses the terms "Client Instance Assertion", "client
instance", "instance issuer", and "OAuth client" as defined in
<xref target="CIA-CORE"/>, and "Client Attestation", "Client Attester", and
"DPoP combined mode" as defined in <xref target="ATTEST-CLIENT-AUTH"/>.</t>
      <dl>
        <dt>Agent:</dt>
        <dd>
          <t>An autonomous or semi-autonomous software actor, typically driven
by a machine-learning model, that performs tasks by calling APIs,
optionally on behalf of a user or another principal.</t>
        </dd>
        <dt>Agent Platform:</dt>
        <dd>
          <t>The OAuth client under which agent instances run. The platform
holds the client registration and operates the control plane that
spawns, supervises, and terminates agent instances.</t>
        </dd>
        <dt>Agent Instance:</dt>
        <dd>
          <t>A client instance (<xref target="CIA-CORE"/>) that is an agent: a specific
agent session, task execution, or runtime.</t>
        </dd>
        <dt>Agent Attester:</dt>
        <dd>
          <t>The authority that authenticates agent instances and mints the
agent instance claims defined in <xref target="agent-claims"/>. Depending on
the carrier (<xref target="carriers"/>), the Agent Attester is a <xref target="CIA-CORE"/>
instance issuer or an <xref target="ATTEST-CLIENT-AUTH"/> Client Attester. It is
typically the agent platform's control plane, but <bcp14>MAY</bcp14> be a
distinct party (see <xref target="trust"/>).</t>
        </dd>
        <dt>Agent Instance Evidence:</dt>
        <dd>
          <t>The carrier artifact conveying the agent instance claims of
<xref target="agent-claims"/> to the AS: either a Client Instance Assertion,
or a Client Attestation with its proof of possession.</t>
        </dd>
      </dl>
    </section>
    <section anchor="relationships">
      <name>Relationship to Other Specifications</name>
      <t>This profile depends normatively on <xref target="CIA-CORE"/> for token-endpoint
processing, sender-constraint binding, access-token representation,
refresh-token semantics, and resource-server processing. It
surfaces the <tt>ai_agent</tt> entity profile defined and registered by
<xref target="ENTITY-PROFILES"/>, profiling its use for attested agent
instances. When the Client Attestation carrier is
used, it depends on <xref target="ATTEST-CLIENT-AUTH"/> for attestation
validation, including DPoP combined mode (<xref target="RFC9449"/>).</t>
      <t>Delegation-chain construction follows the <tt>act</tt> semantics of
<xref target="RFC8693"/> as profiled by <xref target="CIA-CORE"/>.</t>
      <t>Runtime-environment evidence is conveyed using the Entity
Attestation Token (<xref target="RFC9711"/>) via the <tt>agent_runtime</tt> claim
(<xref target="agent-claims"/>); this profile does not define an evidence
format of its own.</t>
      <t>Transaction Tokens (<xref target="TXN-TOKENS"/>) address propagation of
immutable context across workloads within a trust domain after
initial authorization; this profile addresses agent instance
identity at initial token issuance. The two are complementary: a
deployment may derive transaction tokens from access tokens issued
under this profile, carrying the agent instance identity into the
transaction context.</t>
      <t>Identity and authorization chaining (<xref target="ID-CHAINING"/>) enables an
authorization server in one domain to issue tokens redeemable in
another, the pattern underlying enterprise cross-application
access deployments in which an enterprise identity provider
brokers agent access to third-party resources. That work moves
identity across domains; it does not define agent claims. The two
compose naturally: an authorization server applying this profile
at issuance carries the agent instance identity and provenance
into the chained tokens it brokers.</t>
      <t><xref target="ATTEST-CLIENT-AUTH"/> authenticates a client instance at the
token endpoint but defines no representation of it in issued
tokens; the design rationale appendix records why this profile
builds its representation layer on <xref target="CIA-CORE"/> rather than over
<xref target="ATTEST-CLIENT-AUTH"/> alone.</t>
      <t>Agent identity is an active topic in multiple communities. This
profile deliberately limits itself to two things: conveying
attested agent instance identity and provenance to the OAuth token
endpoint, and representing that identity in issued access tokens.
It does not define agent-to-agent authentication protocols, agent
discovery, capability or tool description, or model governance,
and is designed to compose with, rather than compete with,
specifications that do. In particular, fine-grained permission
description composes via Rich Authorization Requests
(<xref target="RFC9396"/>), and hardware-rooted runtime evidence composes via
Entity Attestation Token formats (<xref target="RFC9711"/>).</t>
    </section>
    <section anchor="agent-claims">
      <name>Agent Instance Claims</name>
      <t>The following claims are conveyed in the Agent Instance Evidence
by the Agent Attester. Claim names are registered in the JSON Web
Token Claims registry (<xref target="iana-claims"/>). The claims are validated
by the AS as part of carrier validation (<xref target="carriers"/>); unknown
members within object-valued claims <bcp14>MUST</bcp14> be ignored unless a
profile of this document defines their processing.</t>
      <dl>
        <dt><tt>agent_instance_id</tt> (<bcp14>REQUIRED</bcp14>):</dt>
        <dd>
          <t>A StringOrURI (<xref target="RFC7519"/>) identifying this agent instance,
minted by the Agent Attester. The value <bcp14>MUST</bcp14> be unique among all
instances attested by this Attester (across every OAuth client
the Attester serves, so that resource servers evaluating the
identifier need not qualify it by <tt>client_id</tt>) and <bcp14>MUST</bcp14> be
stable for the lifetime of the agent instance. The value
<bcp14>MUST NOT</bcp14> be derived from a proof-of-possession key: keys are
binding material, not identity (<xref target="subject"/>). The Attester <bcp14>MUST
NOT</bcp14> reassign an active or audit-relevant value to a different
instance; see <xref target="security-lifecycle"/>. Attesters <bcp14>SHOULD</bcp14> mint
URI-shaped values within a namespace they control (for example,
<tt>https://attester.example.com/instances/sess-9f2c</tt>), which makes
the minting authority evident to consumers of the identifier.</t>
        </dd>
        <dt><tt>agent_platform</tt> (<bcp14>OPTIONAL</bcp14>):</dt>
        <dd>
          <t>A StringOrURI identifying the agent platform or orchestration
runtime under which the instance executes (for example, an
identifier naming the orchestrator product and its major
version). The value identifies software operated by the Agent
Platform, not the OAuth client identity, which continues to be
conveyed by <tt>client_id</tt>.</t>
        </dd>
        <dt><tt>agent_model</tt> (<bcp14>OPTIONAL</bcp14>):</dt>
        <dd>
          <t>A JSON object characterizing the primary model configured for
the agent instance, as determined by the Agent Attester at
evidence issuance. The object contains an <tt>id</tt> member (<bcp14>REQUIRED</bcp14>,
a StringOrURI model identifier) and <bcp14>MAY</bcp14> contain a <tt>version</tt>
member (a string). The claim describes the instance's
configuration, not each individual operation: an agent instance
may route individual operations to other models (for example,
routing, fallback, or auxiliary models) without invalidating the
claim. A change to the primary configured model, however, means
previously issued evidence no longer describes the instance, and
the Attester <bcp14>MUST</bcp14> issue fresh evidence before the instance
obtains further tokens under this profile
(<xref target="security-freshness"/>). A registry of model identifiers is out
of scope; <tt>agent_model.id</tt> interoperability is an agreement
between the Attester and the resource servers that consume it.</t>
        </dd>
        <dt><tt>agent_runtime</tt> (<bcp14>OPTIONAL</bcp14>):</dt>
        <dd>
          <t>A JSON object conveying evidence about the runtime environment of
the agent instance, such as confidential-computing or
trusted-execution attestation results. This document defines one
member: <tt>eat</tt> (<bcp14>OPTIONAL</bcp14>), containing an Entity Attestation Token
(<xref target="RFC9711"/>), carried as the JWT compact serialization when the
EAT is in JWT form or base64url-encoded when in CWT form. The two
forms are distinguishable by structure: a JWT compact
serialization contains period separators, while a
base64url-encoded CWT does not. Additional
members <bcp14>MAY</bcp14> be defined by deployments or companion profiles;
unknown members <bcp14>MUST</bcp14> be ignored. <tt>agent_runtime</tt> is consumed by
the AS for policy and is not surfaced to resource servers by
default (<xref target="surfacing"/>).</t>
        </dd>
      </dl>
      <t>An AS that receives Agent Instance Evidence for a client
registered for this profile (<xref target="metadata"/>) <bcp14>MUST</bcp14> reject evidence
that omits <tt>agent_instance_id</tt> (<xref target="errors"/>). Evidence whose
object-valued claims are malformed (for example, <tt>agent_model</tt>
without an <tt>id</tt> member) <bcp14>MUST</bcp14> be rejected the same way.</t>
    </section>
    <section anchor="carriers">
      <name>Evidence Carriers</name>
      <t>The claims in <xref target="agent-claims"/> are carried in exactly one of the
following artifacts per token request. The claims, their
validation, and all downstream processing are identical regardless
of carrier.</t>
      <section anchor="carrier-cia">
        <name>Client Instance Assertion Carrier</name>
        <t>The Agent Attester acts as a <xref target="CIA-CORE"/> instance issuer and
includes the claims of <xref target="agent-claims"/> in the Client Instance
Assertion. All <xref target="CIA-CORE"/> requirements for assertion format,
presentation, and validation apply unchanged, including the
<tt>(iss, jti)</tt> replay check and sender-constraint verification.</t>
        <t>The assertion's <tt>sub</tt> <bcp14>MUST</bcp14> equal the <tt>agent_instance_id</tt> value;
the AS <bcp14>MUST</bcp14> reject an assertion where the two differ. The
assertion's <tt>sub_profile</tt> <bcp14>SHOULD</bcp14> include the value <tt>ai_agent</tt>;
regardless of what the evidence carries, surfacing follows
<xref target="surfacing"/>.</t>
        <t>This carrier suits workload-style agent platforms that operate (or
integrate with) an instance issuer, and inherits <xref target="CIA-CORE"/>'s
per-client trust delegation: the platform's client metadata lists
the Agent Attester in <tt>instance_issuers</tt>, bounding which authority
may attest its instances.</t>
      </section>
      <section anchor="carrier-attest">
        <name>Client Attestation Carrier</name>
        <t>The Agent Attester acts as an <xref target="ATTEST-CLIENT-AUTH"/> Client Attester and
includes the claims of <xref target="agent-claims"/> in the Client Attestation
JWT. The client authenticates per <xref target="ATTEST-CLIENT-AUTH"/> using
DPoP combined mode; the DPoP key is the instance binding key for
<xref target="CIA-CORE"/>'s sender-constraint requirement, and the issued
access token <bcp14>MUST</bcp14> be DPoP-bound to that key.</t>
        <t>Because the Client Attestation's <tt>sub</tt> names the OAuth client
under <xref target="ATTEST-CLIENT-AUTH"/>, the instance subject on this carrier
comes exclusively from the <tt>agent_instance_id</tt> claim.</t>
        <t>Applying this carrier changes the shape of the client's issued
access tokens. Whether the AS applies it for a given client is
established through the client's registered metadata
(<xref target="metadata"/>) or by out-of-band agreement; an AS <bcp14>MUST NOT</bcp14> apply
it to a client that has not agreed to receive instance
representation in its tokens.</t>
        <t>This carrier is available on the grants covered by
<xref target="CIA-CORE"/>'s access-token classification (<tt>authorization_code</tt>,
<tt>client_credentials</tt>, <tt>refresh_token</tt>, JWT bearer, and
token-exchange); grants outside that classification are refused
per <xref target="CIA-CORE"/>. Because this carrier presents no request
parameter, its activation (per the client's profile registration)
substitutes for <xref target="CIA-CORE"/>'s parameter-presence trigger: on
token-exchange in particular, it applies even when no
<tt>actor_token</tt> is present.</t>
        <t>The <xref target="CIA-CORE"/> validation steps that depend on a presented
assertion (token-type matching, descriptor lookup, signature
verification, claim validation, <tt>client_id</tt> binding, and replay
checking) are satisfied on this carrier by the completed
<xref target="ATTEST-CLIENT-AUTH"/> validation together with the claim
requirements of <xref target="agent-claims"/>. Replay protection is provided by
<xref target="ATTEST-CLIENT-AUTH"/> validation, including the DPoP proof
freshness rules of <xref target="RFC9449"/>; <xref target="CIA-CORE"/>'s <tt>(iss, jti)</tt>
replay cache does not apply because no Client Instance Assertion
is presented. Trust for this carrier is the AS-to-Attester trust
of <xref target="ATTEST-CLIENT-AUTH"/>; <xref target="CIA-CORE"/>'s <tt>instance_issuers</tt>
metadata is not consulted.</t>
        <t>For delegation cases on this carrier, the AS <bcp14>MUST</bcp14> set <tt>act.iss</tt> to
the issuer identifier of the validated Client Attestation JWT. For
self-acting cases, the Attester issuer is not represented as a
standard access-token claim; the AS <bcp14>MUST</bcp14> retain it with token
state for revocation, introspection, audit, and issuer-aware
resource-server policy; in particular, per-instance revocation
keyed on the issuer-and-subject pair per <xref target="CIA-CORE"/> depends on
it.</t>
      </section>
      <section anchor="carrier-precedence">
        <name>Carrier Precedence</name>
        <t>A token request that presents a Client Instance Assertion while
also authenticating via <xref target="ATTEST-CLIENT-AUTH"/> uses the Client
Instance Assertion as the Agent Instance Evidence: its claims are
authoritative for instance identity and provenance. To ensure the
two artifacts describe the same instance, the AS <bcp14>MUST</bcp14> verify that
the assertion's <tt>cnf</tt> binding key and the DPoP key matched against
the Client Attestation's <tt>cnf</tt> identify the same key material (for
<tt>cnf.jkt</tt>, thumbprint equality); if they differ, the AS <bcp14>MUST</bcp14>
reject the request with <tt>invalid_grant</tt>. If both artifacts carry
<tt>agent_instance_id</tt>, the values <bcp14>MUST</bcp14> be equal; the AS <bcp14>MUST</bcp14> reject
the request with <tt>invalid_grant</tt> otherwise.</t>
      </section>
    </section>
    <section anchor="metadata">
      <name>Client and Authorization Server Metadata</name>
      <t>This document defines one client metadata parameter (registered
per <xref target="RFC7591"/>, applicable to any registration model supported by
<xref target="CIA-CORE"/>) and one authorization server metadata parameter
(registered per <xref target="RFC8414"/>):</t>
      <dl>
        <dt><tt>ai_agent_instance_profile</tt> (client metadata):</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. Boolean, default <tt>false</tt>. When <tt>true</tt>, the client is
registered for this profile. The AS <bcp14>MUST</bcp14> require Agent Instance
Evidence on every token request from the client on the grants
covered by <xref target="CIA-CORE"/>'s access-token classification, except
<tt>refresh_token</tt> requests, which follow <xref target="refresh"/>; a covered
request presenting no evidence <bcp14>MUST</bcp14> be rejected (<xref target="errors"/>).
Without this requirement, an instance could omit evidence and
obtain tokens indistinguishable from an ordinary client's,
silently escaping the attribution this profile provides. The
client's registration or AS policy <bcp14>MAY</bcp14> exempt designated grant
types whose requests are not made by agent instances (for
example, <tt>client_credentials</tt> used by the platform's control
plane); exempted requests are processed as ordinary OAuth
requests and receive no instance representation. The AS <bcp14>MUST</bcp14>
require <tt>agent_instance_id</tt> in the client's Agent Instance
Evidence (<xref target="agent-claims"/>) and <bcp14>MUST</bcp14> apply the surfacing rules
of <xref target="surfacing"/>; when the Client Attestation carrier is used,
this registration constitutes the client's agreement required by
<xref target="carrier-attest"/>. Deployments without access to
this parameter <bcp14>MAY</bcp14> establish the same registration by
out-of-band agreement.</t>
        </dd>
        <dt><tt>ai_agent_instance_profile_supported</tt> (AS metadata):</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. Boolean. Indicates that the AS supports this profile:
validating agent instance claims, deriving the instance subject
per <xref target="subject"/>, and surfacing per <xref target="surfacing"/>. An AS
implementing this profile <bcp14>MUST</bcp14> include this parameter, set to
<tt>true</tt>, in any authorization server metadata it publishes.
Clients <bcp14>SHOULD</bcp14> verify it before depending on agent
instance surfacing, since an AS without support may process the
underlying carrier without applying this profile's
representation.</t>
        </dd>
      </dl>
    </section>
    <section anchor="subject">
      <name>Instance Subject Derivation</name>
      <t>The instance subject used for access-token surfacing is the
<tt>agent_instance_id</tt> value, scoped to the Agent Attester that
minted it. The AS <bcp14>MUST NOT</bcp14> derive the instance subject from a
proof-of-possession key thumbprint: keys are binding material, not
identity, and key rotation <bcp14>MUST NOT</bcp14> change the agent instance's
identity. Consumers needing key-level correlation can use the
access token's <tt>cnf</tt> confirmation claim directly.</t>
      <t>Because the subject is Attester-minted and key-independent:</t>
      <ul spacing="normal">
        <li>
          <t>the identity is stable across DPoP or binding-key rotation
within an instance's lifetime: access tokens obtained with a
rotated key carry the same instance subject, so resource-server
policy state and audit trails keyed on the subject survive
rotation (<xref target="refresh"/> covers the refresh-token interaction);</t>
        </li>
        <li>
          <t>audit records name an identifier the Agent Attester can resolve
to session context, rather than an opaque key fingerprint.</t>
        </li>
      </ul>
      <t>When a client lists multiple Agent Attesters, the subject-collision
requirements of <xref target="CIA-CORE"/> apply: the client <bcp14>MUST</bcp14> ensure the
Attesters' <tt>agent_instance_id</tt> spaces do not collide. Attesters
that follow the URI-shaped minting recommendation of
<xref target="agent-claims"/> satisfy this structurally, since each mints within
a namespace it controls.</t>
    </section>
    <section anchor="surfacing">
      <name>Access Token Surfacing</name>
      <t>Access-token representation follows <xref target="CIA-CORE"/>: the instance
subject appears as <tt>act.sub</tt> in delegation cases and as top-level
<tt>sub</tt> in self-acting cases, and the issued access token is
sender-constrained per <xref target="CIA-CORE"/>.</t>
      <t>This profile additionally specifies:</t>
      <ul spacing="normal">
        <li>
          <t>The surfaced <tt>sub_profile</tt> (top-level in self-acting cases,
<tt>act.sub_profile</tt> in delegation cases) <bcp14>MUST</bcp14> include both the
value <tt>ai_agent</tt> (defined by <xref target="ENTITY-PROFILES"/>) and the value
<tt>client_instance</tt> (registered by <xref target="CIA-CORE"/>), per the list
syntax of the underlying registry. Every agent instance is a
client instance; including both values lets resource servers
that implement <xref target="CIA-CORE"/> but not this profile continue to
classify the actor correctly. Other applicable registered
values <bcp14>MAY</bcp14> additionally be included.</t>
        </li>
        <li>
          <t>The AS <bcp14>MAY</bcp14> surface <tt>agent_platform</tt> and <tt>agent_model</tt> subject to
local policy and the privacy considerations of
<xref target="security-privacy"/>. Surfaced provenance claims appear within
the <tt>act</tt> object in delegation cases (they describe the actor)
and at top level in self-acting cases (the instance is the
subject). An AS <bcp14>MUST NOT</bcp14> surface provenance claims that were not
present in validated Agent Instance Evidence.</t>
        </li>
        <li>
          <t><tt>agent_runtime</tt> evidence is consumed by the AS for policy and
<bcp14>MUST NOT</bcp14> be surfaced to resource servers verbatim. Deployments
that expose a runtime-assurance signal to resource servers
<bcp14>SHOULD</bcp14> surface a coarse assurance tier (<xref target="trust"/>) via a
deployment-defined claim rather than raw evidence.</t>
        </li>
      </ul>
      <t>For opaque (reference) access tokens, the same surfaced claims
appear in introspection responses, per <xref target="CIA-CORE"/>'s
introspection requirements.</t>
    </section>
    <section anchor="chains">
      <name>Attested Delegation Chains</name>
      <t>When an agent instance spawns a sub-agent that requires its own
access token, the sub-agent obtains it via token exchange
(<xref target="RFC8693"/>) using <xref target="CIA-CORE"/>'s token-exchange presentation,
presenting its own Agent Instance Evidence (either carrier). The
resulting <tt>act</tt> chain nests the spawning agent's actor entry per
<xref target="CIA-CORE"/>'s chain merging, and scope attenuation at each
exchange follows <xref target="RFC8693"/>.</t>
      <t>Whether a given instance is permitted to perform such an exchange
is AS authorization policy under <xref target="RFC8693"/> and <xref target="CIA-CORE"/>;
this profile defines no separate spawn-permission mechanism.
Because chain merging preserves the spawning agent's entry,
spawning cannot be used to shed identity: a compromised instance
that spawns sub-agents remains visible in every descendant chain.</t>
      <t>The property this profile targets: every actor entry the AS
introduces into a chain corresponds to an instance that presented
Agent Instance Evidence at the hop where it was introduced. An AS
<bcp14>MUST NOT</bcp14> introduce an actor entry for an agent instance that did
not present such evidence. Inner actor entries preserved verbatim
from a <tt>subject_token</tt> were attested at the hop (and by the AS)
that introduced them; the attested-at-every-hop property
therefore spans exactly the hops processed under this profile.</t>
      <t>Chains that cross agent platforms or authorization servers (a
sub-agent running on a different platform, under a different
OAuth client, possibly at a different AS) compose through
cross-domain token exchange and are governed by the trust and
federation policy of the domains involved; this profile defines
no additional cross-domain rules.</t>
    </section>
    <section anchor="refresh">
      <name>Refresh Tokens</name>
      <t>Refresh-token handling follows <xref target="CIA-CORE"/>, with the derived
instance subject, the Agent Attester, and any surfaced provenance
claims recorded as originating instance state. Fresh Agent
Instance Evidence presented on refresh <bcp14>MUST</bcp14> be issued by the same
Agent Attester and carry the same <tt>agent_instance_id</tt> recorded at
original issuance; the AS <bcp14>MUST</bcp14> reject a refresh presenting
evidence from a different Attester or for a different instance
with <tt>invalid_grant</tt>. A refresh processed without fresh evidence
re-surfaces the provenance recorded at original issuance; see
<xref target="security-freshness"/> for the staleness this implies across
refresh chains.</t>
      <t>Refresh tokens remain bound to the binding key present at their
issuance, per <xref target="CIA-CORE"/>; this profile does not relax that
binding. An instance that rotates its binding key (for example,
after migrating between nodes) therefore cannot use a
previously issued refresh token with the new key; it obtains new
tokens through a fresh grant or token exchange, presenting fresh
evidence that carries its unchanged <tt>agent_instance_id</tt>. The
instance's identity, and everything resource servers key on it,
is unaffected by the rotation (<xref target="subject"/>).</t>
    </section>
    <section anchor="trust">
      <name>Trust Model and Assurance Tiers</name>
      <t>The strength of agent instance claims depends on who the Agent
Attester is relative to the agent platform:</t>
      <dl>
        <dt>Platform self-attestation:</dt>
        <dd>
          <t>The Attester is the agent platform's own control plane. The
claims reflect the platform's internal bookkeeping; assurance
rests on organizational separation between the control plane and
the agent runtime, comparable to a workload identity provider
attesting its own workloads.</t>
        </dd>
        <dt>Hardware-rooted attestation:</dt>
        <dd>
          <t>The Attester incorporates evidence from a trusted-execution or
confidential-computing environment (conveyed via
<tt>agent_runtime</tt>, aligned with <xref target="RFC9711"/>). Claims about the
runtime are rooted in hardware rather than platform assertion.</t>
        </dd>
        <dt>Independent attestation:</dt>
        <dd>
          <t>The Attester is a party distinct from the platform operator (for
example, an enterprise attesting agent instances it runs on a
third-party platform). Claims reflect a trust relationship
independent of the platform.</t>
        </dd>
      </dl>
      <t>Authorization servers and resource servers <bcp14>MAY</bcp14> condition policy on
the tier. Deployments <bcp14>SHOULD</bcp14> document which tier their Attester
provides and <bcp14>MUST NOT</bcp14> represent platform self-attestation as
hardware-rooted or independent attestation.</t>
    </section>
    <section anchor="local-agents">
      <name>Local and Public-Client Agent Instances</name>
      <t>Agent instances do not necessarily run on platform
infrastructure: command-line and desktop agents execute on
end-user machines, typically as public clients (<xref target="RFC6749"/>) using
the <tt>authorization_code</tt> grant with PKCE (<xref target="RFC7636"/>) and without
a client-level credential. This profile applies to such
deployments with the following pattern:</t>
      <ul spacing="normal">
        <li>
          <t>The local agent instance generates its per-instance
proof-of-possession key locally and authenticates to the agent
platform's control plane (how is out of scope; typically the
user's platform login). The control plane, acting as the Agent
Attester, mints Agent Instance Evidence whose <tt>cnf</tt> binds the
key the local instance presented and whose <tt>agent_instance_id</tt>
names the local session.</t>
        </li>
        <li>
          <t>The instance presents the evidence at the token endpoint per
the Client Instance Assertion carrier (<xref target="carrier-cia"/>)
alongside its normal public-client interaction. Presenting a
Client Instance Assertion does not require confidential-client
authentication; only <xref target="CIA-CORE"/>'s instance-assertion
authentication method does, and public clients do not use that
method.</t>
        </li>
        <li>
          <t>The issued access token is sender-constrained to the locally
held key per <xref target="CIA-CORE"/>, and the instance subject, surfacing,
and chain semantics of this profile apply unchanged.</t>
        </li>
      </ul>
      <t>Attestation of a local session is platform self-attestation
(<xref target="trust"/>) with a narrower meaning: the Attester vouches that it
issued the session to an authenticated platform account and bound
the presented key, not for the integrity of the end-user host the
instance runs on. Resource servers applying tier-conditioned
policy <bcp14>SHOULD</bcp14> treat locally executing instances accordingly;
deployments needing runtime-integrity claims for local instances
can convey hardware-rooted evidence from the host via
<tt>agent_runtime</tt> (<xref target="agent-claims"/>) where available.</t>
    </section>
    <section anchor="errors">
      <name>Error Responses</name>
      <t>Errors are returned per <xref target="RFC6749"/> Section 5.2, inheriting the
error taxonomy of <xref target="CIA-CORE"/> and, on the Client Attestation
carrier, of <xref target="ATTEST-CLIENT-AUTH"/>. This profile adds the
following <tt>invalid_grant</tt> cases (returned as <tt>invalid_client</tt>
when, per <xref target="CIA-CORE"/>, the evidence is the client authentication
credential):</t>
      <ul spacing="normal">
        <li>
          <t>a token request on a covered grant other than <tt>refresh_token</tt>
presents no Agent Instance Evidence, and neither the client's
registration nor AS policy exempts the grant type
(<xref target="metadata"/>);</t>
        </li>
        <li>
          <t>the Agent Instance Evidence omits <tt>agent_instance_id</tt> and the
client is registered for this profile (<xref target="metadata"/>);</t>
        </li>
        <li>
          <t>an object-valued agent claim is malformed
(<xref target="agent-claims"/>);</t>
        </li>
        <li>
          <t>on the Client Instance Assertion carrier, the assertion's <tt>sub</tt>
does not equal <tt>agent_instance_id</tt> (<xref target="carrier-cia"/>);</t>
        </li>
        <li>
          <t>under carrier precedence, the binding keys or
<tt>agent_instance_id</tt> values of the two artifacts do not match
(<xref target="carrier-precedence"/>);</t>
        </li>
        <li>
          <t>on refresh, presented evidence is issued by a different Agent
Attester or carries a different <tt>agent_instance_id</tt> than
recorded at original issuance (<xref target="refresh"/>).</t>
        </li>
      </ul>
    </section>
    <section anchor="conformance">
      <name>Conformance</name>
      <t>An AS conforms to this profile by supporting at least one evidence
carrier (<xref target="carriers"/>); requiring evidence from registered clients
per <xref target="metadata"/>; validating the agent instance claims per
<xref target="agent-claims"/>; deriving the instance subject per <xref target="subject"/>;
surfacing per <xref target="surfacing"/>, including the <tt>ai_agent</tt> and
<tt>client_instance</tt> values in the surfaced <tt>sub_profile</tt>; applying
the refresh rules of <xref target="refresh"/>;
applying carrier precedence (<xref target="carrier-precedence"/>) when both
artifacts are presented; and advertising support via
<tt>ai_agent_instance_profile_supported</tt> (<xref target="metadata"/>). An AS
supporting the Client Instance Assertion carrier conforms to
<xref target="CIA-CORE"/>; an AS supporting the Client Attestation carrier
conforms to <xref target="ATTEST-CLIENT-AUTH"/> and to the activation-policy
requirement of <xref target="carrier-attest"/>.</t>
      <t>An Agent Attester conforms by meeting the minting requirements of
<xref target="agent-claims"/> (in particular the uniqueness, stability,
non-reassignment, and key-independence of <tt>agent_instance_id</tt>)
and, per carrier, the obligations of a <xref target="CIA-CORE"/> instance
issuer or an <xref target="ATTEST-CLIENT-AUTH"/> Client Attester.</t>
      <t>An Agent Platform (OAuth client) conforms by registering for this
profile (<xref target="metadata"/>) and for exactly the carriers it uses,
listing its Agent Attester per <xref target="carrier-cia"/> where applicable,
and ensuring the Attester is authorized to attest its instances.</t>
      <t>A resource server conforms by processing delegated and self-acting
tokens per <xref target="CIA-CORE"/>'s resource-server rules, treating actors
whose <tt>sub_profile</tt> includes <tt>ai_agent</tt> as agent instances, and
treating surfaced provenance claims subject to the assurance-tier
considerations of <xref target="trust"/> and <xref target="security-provenance"/>.</t>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>This document inherits the security considerations of <xref target="CIA-CORE"/>
and, when the Client Attestation carrier is used,
<xref target="ATTEST-CLIENT-AUTH"/> and <xref target="RFC9449"/>.</t>
      <section anchor="security-freshness">
        <name>Attestation Freshness and Model Drift</name>
        <t>Agent Instance Evidence describes the instance as of evidence
issuance. The claim most exposed to drift is <tt>agent_model</tt>: a
platform that hot-swaps or upgrades the model serving a session
invalidates previously issued evidence. <xref target="agent-claims"/> requires
fresh evidence after a model change, but the AS cannot detect a
violation in-band; resource servers applying model-version policy
are trusting the Attester's issuance discipline.</t>
        <t>On the Client Instance Assertion carrier, <xref target="CIA-CORE"/>'s short
assertion lifetimes bound the drift window. On the Client
Attestation carrier, the window is bounded by the Client
Attestation's lifetime, which some Attester ecosystems set to
hours or days, plus DPoP proof freshness; the DPoP proof
establishes recent possession of the bound key, not recent
Attester endorsement. Deployments requiring current provenance
<bcp14>SHOULD</bcp14> use short-lived evidence and <bcp14>SHOULD</bcp14> require fresh evidence
on refresh rather than permitting refresh from stored originating
instance state.</t>
        <t>Surfaced provenance is additionally static for the lifetime of
each issued access token: a token surfacing <tt>agent_model</tt> remains
valid after the platform upgrades the instance's primary model,
until the token expires. Refresh processed from stored originating
state (<xref target="refresh"/>) extends this window across the refresh-token
lifetime. Resource servers gating sensitive operations on
provenance <bcp14>SHOULD</bcp14> account for the access-token TTL in their policy
assumptions, and ASes serving such resource servers <bcp14>SHOULD</bcp14> keep
access-token lifetimes short relative to the deployment's model
upgrade cadence.</t>
      </section>
      <section anchor="security-lifecycle">
        <name>Instance Identifier Lifecycle</name>
        <t>The value of <tt>agent_instance_id</tt> to audit and containment depends
on the Attester honoring its minting obligations
(<xref target="agent-claims"/>). An Attester that reassigns an identifier to a
different instance destroys audit attribution and can redirect
per-instance policy (including revocation) at the resource server
and AS. An Attester that mints one identifier for many instances
(for example, a pool identifier) silently collapses per-agent
containment back to the aggregate. These obligations are
operational: the AS verifies the evidence signature and claims but
cannot verify in-band that the Attester's minting practice is
sound. Clients <bcp14>SHOULD</bcp14> list only Attesters whose practices they
have audited, mirroring <xref target="CIA-CORE"/>'s issuer-trust guidance.</t>
      </section>
      <section anchor="security-provenance">
        <name>Provenance Assurance</name>
        <t><tt>agent_platform</tt>, <tt>agent_model</tt>, and <tt>agent_runtime</tt> are only as
trustworthy as the Attester tier that produced them (<xref target="trust"/>).
Under platform self-attestation, a model claim is the platform's
statement about itself; resource servers <bcp14>MUST NOT</bcp14> treat it as
independently verified. Policy that gates sensitive operations on
provenance (for example, minimum model version) <bcp14>SHOULD</bcp14> take the
assurance tier into account, and deployments needing verifiable
runtime claims <bcp14>SHOULD</bcp14> use hardware-rooted attestation via
<tt>agent_runtime</tt> and <xref target="RFC9711"/>-aligned evidence.</t>
      </section>
      <section anchor="security-shared-root">
        <name>Shared Trust Root on the Client Attestation Carrier</name>
        <t>On the Client Attestation carrier, the AS-to-Attester trust that
authenticates the client also underpins the instance identity and
provenance surfaced to resource servers. Compromise of the
Attester's signing key therefore affects client authentication,
instance identity, and provenance simultaneously. Operators <bcp14>SHOULD</bcp14>
evaluate Attester key custody and rotation accordingly and ensure
incident response covers access-token revocation for all three.</t>
      </section>
      <section anchor="security-carrier-asymmetry">
        <name>Carrier Trust Asymmetry</name>
        <t>The two carriers place control over the Attester set with
different parties. On the Client Instance Assertion carrier, the
<em>client</em> controls which authorities may attest its instances, by
listing them in its <tt>instance_issuers</tt> metadata (<xref target="carrier-cia"/>);
the AS accepts only Attesters the client has endorsed. On the
Client Attestation carrier, Attester trust is AS-configured
(<xref target="carrier-attest"/>); the client has no in-band mechanism to bound
which Attesters the AS will accept for it, and a
mistakenly-trusted or compromised Attester at the AS can mint
agent identities under the client's <tt>client_id</tt> without any
client-published endorsement being violated.</t>
        <t>The same claims therefore arrive under two different trust models
depending on carrier. The registration-time agreement required by
<xref target="carrier-attest"/> is the client's control point on the
attestation carrier: clients <bcp14>SHOULD</bcp14> establish the acceptable
Attester set as part of that agreement. Deployments in which the
client requires in-band, auditable control over its attestation
surface <bcp14>SHOULD</bcp14> use the Client Instance Assertion carrier.</t>
      </section>
      <section anchor="security-dcr">
        <name>Attester Trust from Client-Asserted Metadata</name>
        <t>In deployments where the client's metadata originates from the
client itself rather than from a vetted registration process,
the <tt>instance_issuers</tt> list and the <tt>ai_agent_instance_profile</tt>
flag arrive from a party the AS has no prior relationship with.
This is the case for unauthenticated dynamic registration
(<xref target="RFC7591"/>) and equally for clients identified by a Client ID
Metadata Document (<xref target="CIMD"/>), where the metadata document is
authored and hosted by the client at a URL it controls; both
occur when agent applications register with an authorization
server discovered at run time. An unauthenticated registrant
naming an Attester it controls gains nothing against other
clients (the Attester attests only that client's instances), but
the AS is nonetheless accepting a trust root and a token-shape
obligation from an unvetted source.</t>
        <t>An AS accepting client-asserted metadata <bcp14>SHOULD NOT</bcp14> honor
<tt>instance_issuers</tt> entries from such a source unless each listed
Agent Attester is validated against AS policy, for example an
AS-side allowlist of recognized platform Attesters, or, for
dynamic registration, a signed software statement (<xref target="RFC7591"/>)
from an authority the AS trusts. Software statements do not exist
in the <xref target="CIMD"/> model; there, the allowlist applies unchanged, and
the AS <bcp14>MAY</bcp14> additionally condition acceptance on the provenance of
the client identifier itself, which is a URL the client
demonstrably controls. The <tt>ai_agent_instance_profile</tt> flag in
metadata listing no <tt>instance_issuers</tt> implicates the Client
Attestation carrier, whose Attester trust is AS-configured
(<xref target="carrier-attest"/>); honoring the flag there accepts a
token-shape obligation but no new trust root. AS-operated
allowlists of well-known agent platform Attesters are the expected
deployment pattern for resource ecosystems serving dynamically
registered or <xref target="CIMD"/>-identified agent clients.</t>
      </section>
      <section anchor="security-local-keys">
        <name>Local Instance Keys and Evidence Minting</name>
        <t>For locally executing instances (<xref target="local-agents"/>), the instance
binding key is held on an end-user machine rather than on platform
infrastructure. A process that extracts the key and current
evidence can act as the instance until they expire. Local
instances <bcp14>SHOULD</bcp14> generate and hold binding keys in a platform
keystore or hardware-backed key store where the host provides one,
and Attesters <bcp14>SHOULD</bcp14> issue short-lived evidence to locally
executing instances.</t>
        <t>The Attester's evidence-minting interface is part of the identity
boundary: whoever can authenticate to it obtains evidence binding
a key they control, so possession of a user's platform credentials
suffices to mint agent instances attributed to that account.
Attesters <bcp14>SHOULD</bcp14> bind evidence minting to the authenticated
session through which the instance was established, <bcp14>SHOULD</bcp14> audit
minting events with the same rigor as token issuance, and <bcp14>SHOULD</bcp14>
rate-limit minting per account.</t>
      </section>
      <section anchor="security-privacy">
        <name>Privacy</name>
        <t>Agent provenance claims reveal implementation details
(orchestrator, model identity and version, and indirectly the
platform's upgrade cadence) to every resource server that
receives them. Surfacing is therefore selective (<xref target="surfacing"/>):
the AS surfaces only what local policy requires, and
<tt>agent_runtime</tt> evidence is never surfaced verbatim.</t>
        <t><tt>agent_instance_id</tt> is a per-instance identifier linkable across
every request the instance makes for its lifetime. Platforms
<bcp14>SHOULD</bcp14> scope instance lifetimes to the task or session they
represent; long-lived instances accumulate long linkable
histories at every resource server they touch. Where instances
act on behalf of users, the identifier's granularity <bcp14>SHOULD NOT</bcp14> be
chosen such that it becomes a stable pseudonym for the user across
contexts the user would consider separate.</t>
      </section>
      <section anchor="security-scope">
        <name>Scope of Protection</name>
        <t>Instance identity supports attribution, per-agent policy, and
containment; it does not constrain what a compromised or
prompt-injected agent does within the scope it was granted. An
attested chain records which instance acted; it does not make
the action safe. Least-privilege composition (scope design,
<xref target="RFC9396"/> authorization details, per-exchange attenuation as in
<xref target="chains"/>) remains the containment mechanism; this profile makes
its enforcement and audit per-agent rather than per-platform.</t>
        <t>Similarly, the <tt>ai_agent</tt> classification is a policy-routing
signal whose membership is determined by the Agent Attester; this
profile defines no test for what constitutes an agent, and the
boundary (autonomous agent versus script versus assistive tool) is
inherently a judgment of the attesting party. Resource servers
<bcp14>MUST NOT</bcp14> derive security guarantees from the classification
itself, as distinct from the attested identity and provenance
that accompany it.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="iana-claims">
        <name>JSON Web Token Claims Registration</name>
        <t>IANA is requested to register the following claims in the "JSON
Web Token Claims" registry established by <xref target="RFC7519"/>.</t>
        <section anchor="agentinstanceid">
          <name>agent_instance_id</name>
          <dl>
            <dt>Claim Name:</dt>
            <dd>
              <t><tt>agent_instance_id</tt></t>
            </dd>
            <dt>Claim Description:</dt>
            <dd>
              <t>Attester-minted identifier of an AI agent instance</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document(s):</dt>
            <dd>
              <t><xref target="agent-claims"/> of this document</t>
            </dd>
          </dl>
        </section>
        <section anchor="agentplatform">
          <name>agent_platform</name>
          <dl>
            <dt>Claim Name:</dt>
            <dd>
              <t><tt>agent_platform</tt></t>
            </dd>
            <dt>Claim Description:</dt>
            <dd>
              <t>Identifier of the agent platform or orchestration runtime of an
AI agent instance</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document(s):</dt>
            <dd>
              <t><xref target="agent-claims"/> of this document</t>
            </dd>
          </dl>
        </section>
        <section anchor="agentmodel">
          <name>agent_model</name>
          <dl>
            <dt>Claim Name:</dt>
            <dd>
              <t><tt>agent_model</tt></t>
            </dd>
            <dt>Claim Description:</dt>
            <dd>
              <t>Model identifier and version an AI agent instance is operating
with</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document(s):</dt>
            <dd>
              <t><xref target="agent-claims"/> of this document</t>
            </dd>
          </dl>
        </section>
        <section anchor="agentruntime">
          <name>agent_runtime</name>
          <dl>
            <dt>Claim Name:</dt>
            <dd>
              <t><tt>agent_runtime</tt></t>
            </dd>
            <dt>Claim Description:</dt>
            <dd>
              <t>Runtime-environment evidence for an AI agent instance</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document(s):</dt>
            <dd>
              <t><xref target="agent-claims"/> of this document</t>
            </dd>
          </dl>
        </section>
      </section>
      <section anchor="iana-client-metadata">
        <name>OAuth Dynamic Client Registration Metadata</name>
        <t>IANA is requested to register the following parameter in the
"OAuth Dynamic Client Registration Metadata" registry established
by <xref target="RFC7591"/>.</t>
        <dl>
          <dt>Client Metadata Name:</dt>
          <dd>
            <t><tt>ai_agent_instance_profile</tt></t>
          </dd>
          <dt>Client Metadata Description:</dt>
          <dd>
            <t>Boolean indicating that the client is registered for the OAuth
2.0 AI Agent Instance Profile</t>
          </dd>
          <dt>Change Controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Specification Document(s):</dt>
          <dd>
            <t><xref target="metadata"/> of this document</t>
          </dd>
        </dl>
      </section>
      <section anchor="iana-as-metadata">
        <name>OAuth Authorization Server Metadata</name>
        <t>IANA is requested to register the following parameter in the
"OAuth Authorization Server Metadata" registry established by
<xref target="RFC8414"/>.</t>
        <dl>
          <dt>Metadata Name:</dt>
          <dd>
            <t><tt>ai_agent_instance_profile_supported</tt></t>
          </dd>
          <dt>Metadata Description:</dt>
          <dd>
            <t>Boolean indicating authorization server support for the OAuth
2.0 AI Agent Instance Profile</t>
          </dd>
          <dt>Change Controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Specification Document(s):</dt>
          <dd>
            <t><xref target="metadata"/> of this document</t>
          </dd>
        </dl>
      </section>
      <section anchor="oauth-entity-profiles-registry">
        <name>OAuth Entity Profiles Registry</name>
        <t>This document requests no registration in the "OAuth Entity
Profiles" registry: the <tt>ai_agent</tt> entity profile this document
surfaces (<xref target="surfacing"/>) is registered by <xref target="ENTITY-PROFILES"/> as
part of that registry's initial contents.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7591">
          <front>
            <title>OAuth 2.0 Dynamic Client Registration Protocol</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="M. Machulak" initials="M." surname="Machulak"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="July" year="2015"/>
            <abstract>
              <t>This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7591"/>
          <seriesInfo name="DOI" value="10.17487/RFC7591"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC9449">
          <front>
            <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Waite" initials="D." surname="Waite"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9449"/>
          <seriesInfo name="DOI" value="10.17487/RFC9449"/>
        </reference>
        <reference anchor="RFC9711">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
            <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
            <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity.</t>
              <t>An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9711"/>
          <seriesInfo name="DOI" value="10.17487/RFC9711"/>
        </reference>
        <reference anchor="ATTEST-CLIENT-AUTH">
          <front>
            <title>OAuth 2.0 Attestation-Based Client Authentication</title>
            <author fullname="Tobias Looker" initials="T." surname="Looker">
              <organization>MATTR</organization>
            </author>
            <author fullname="Paul Bastian" initials="P." surname="Bastian">
              <organization>Bundesdruckerei</organization>
            </author>
            <author fullname="Christian Bormann" initials="C." surname="Bormann">
              <organization>SPRIND</organization>
            </author>
            <date day="25" month="May" year="2026"/>
            <abstract>
              <t>   This specification defines an extension to the OAuth 2.0 protocol
   [RFC6749] that enables a client instance to include a key-bound
   attestation when interacting with an Authorization Server or Resource
   Server.  This mechanism allows a client instance to prove its
   authenticity verified by a client attester without revealing its
   target audience to that attester.  It may also serve as a mechanism
   for client authentication as per OAuth 2.0.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-attestation-based-client-auth-09"/>
        </reference>
        <reference anchor="CIA-CORE">
          <front>
            <title>OAuth 2.0 Client Instance Assertion</title>
            <author fullname="Karl McGuinness" initials="K." surname="McGuinness">
              <organization>Independent</organization>
            </author>
            <date day="24" month="June" year="2026"/>
            <abstract>
              <t>   This specification defines the Client Instance Assertion: a signed
   JWT identifying a concrete runtime instance of an OAuth 2.0 client.
   It registers the client_instance_assertion request parameter for
   carrying the assertion at the OAuth 2.0 token endpoint on the
   authorization_code, client_credentials, refresh_token, and JWT bearer
   (RFC 7523) grants; on the token-exchange grant (RFC 8693), the same
   assertion is presented as actor_token with actor_token_type set to
   urn:ietf:params:oauth:token-type:client-instance-jwt, also registered
   by this specification.

   This specification does not introduce a new client_instance
   identifier in protocol messages.  Instead, it defines client metadata
   parameters (applicable to clients identified by a Client ID Metadata
   Document (CIMD) or registered via OAuth Dynamic Client Registration
   (RFC 7591)) that let a client_id identify a logical client whose
   concrete runtime instances are authenticated by one or more trusted
   instance issuers (for example, workload identity systems).

   The Authorization Server validates the instance assertion and
   represents the instance either as an act claim, when another
   principal is present (e.g., a user delegating to the instance), or as
   the access token's sub, when the instance itself is the principal
   (e.g., a client credentials grant).  The issued access token is
   sender-constrained to a key the instance possesses.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-mcguinness-oauth-client-instance-assertion-01"/>
        </reference>
        <reference anchor="ENTITY-PROFILES">
          <front>
            <title>OAuth 2.0 Entity Profiles</title>
            <author fullname="Sreyantha Chary Mora" initials="S. C." surname="Mora">
              <organization>Microsoft Corporation</organization>
            </author>
            <author fullname="Pamela Dingle" initials="P." surname="Dingle">
              <organization>Microsoft Corporation</organization>
            </author>
            <author fullname="Karl McGuinness" initials="K." surname="McGuinness">
              <organization>Independent</organization>
            </author>
            <date day="15" month="April" year="2026"/>
            <abstract>
              <t>   This specification introduces Entity Profiles as a mechanism to
   categorize OAuth 2.0 entities—clients and subjects—based on their
   operational context.  Entity Profiles provide structured descriptors
   for the client initiating the OAuth flow and the subject represented
   in tokens.  This document defines new JWT Claim names and metadata
   parameters for use in JWTs issued or consumed in OAuth flows,
   including but not limited to access tokens, ID tokens, JWT
   authorization grant assertions, and transaction tokens, as well as in
   token introspection responses, dynamic client registration, and
   Authorization Server metadata.  It also defines vocabulary for
   classifying acting entities within delegation chains.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-mora-oauth-entity-profiles-01"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7636">
          <front>
            <title>Proof Key for Code Exchange by OAuth Public Clients</title>
            <author fullname="N. Sakimura" initials="N." role="editor" surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Agarwal" initials="N." surname="Agarwal"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7636"/>
          <seriesInfo name="DOI" value="10.17487/RFC7636"/>
        </reference>
        <reference anchor="RFC9396">
          <front>
            <title>OAuth 2.0 Rich Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Richer" initials="J." surname="Richer"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="May" year="2023"/>
            <abstract>
              <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9396"/>
          <seriesInfo name="DOI" value="10.17487/RFC9396"/>
        </reference>
        <reference anchor="CIMD">
          <front>
            <title>OAuth Client ID Metadata Document</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Emelia Smith" initials="E." surname="Smith">
         </author>
            <date day="1" month="March" year="2026"/>
            <abstract>
              <t>   This specification defines a mechanism through which an OAuth client
   can identify itself to authorization servers, without prior dynamic
   client registration or other existing registration.  This is through
   the usage of a URL as a client_id in an OAuth flow, where the URL
   refers to a document containing the necessary client metadata,
   enabling the authorization server to fetch the metadata about the
   client as needed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-client-id-metadata-document-01"/>
        </reference>
        <reference anchor="TXN-TOKENS">
          <front>
            <title>Transaction Tokens</title>
            <author fullname="Atul Tulshibagwale" initials="A." surname="Tulshibagwale">
              <organization>CrowdStrike</organization>
            </author>
            <author fullname="George Fletcher" initials="G." surname="Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Transaction Tokens (Txn-Tokens) are designed to maintain and
   propagate user identity, workload identity and authorization context
   throughout the Call Chain within a trusted domain during the
   processing of external requests (e.g. such as API calls) or requests
   initiated internally within the trust domain.  Txn-Tokens ensure that
   this context is preserved throughout the Call Chain thereby enhancing
   security and consistency in complex, multi-service architectures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-08"/>
        </reference>
        <reference anchor="ID-CHAINING">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
        <reference anchor="MCP" target="https://modelcontextprotocol.io/specification/">
          <front>
            <title>Model Context Protocol Specification</title>
            <author>
              <organization>Anthropic</organization>
            </author>
            <date year="2025"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 989?>

<section numbered="false" anchor="design-rationale">
      <name>Design Rationale</name>
      <t>This appendix records design choices that motivated the normative
text.</t>
      <section numbered="false" anchor="why-attester-minted-identifiers-rather-than-key-derived-subjects">
        <name>Why Attester-minted identifiers rather than key-derived subjects</name>
        <t>Deriving the instance subject from a proof-of-possession key
thumbprint is superficially attractive, since it requires no
minting infrastructure, but fails as identity. A key thumbprint carries
no semantic content an audit record or policy can act on; key
rotation silently mints a new actor, orphaning audit trails and
resource-server policy state at exactly the moments (migration,
key hygiene) rotation is routine; and key-level correlation is
already available to every consumer via the access token's <tt>cnf</tt>
confirmation claim, so a thumbprint-shaped subject adds no
information. This profile therefore requires an Attester-minted,
key-independent identifier and forbids key-derived subjects
(<xref target="subject"/>).</t>
      </section>
      <section numbered="false" anchor="why-carrier-pluggable">
        <name>Why carrier-pluggable</name>
        <t>The interoperable surface of this profile is the claims, the
subject derivation, and the token surfacing, not the transport
that conveys the claims to the AS. Workload-style agent platforms
already operate instance issuers and fit <xref target="CIA-CORE"/>'s assertion
carrier; platforms in ecosystems deploying
<xref target="ATTEST-CLIENT-AUTH"/> already present Client Attestations and
should not need a second artifact carrying the same facts. Binding
the agent claims to a single carrier would fragment the profile by
deployment style without any interoperability gain.</t>
      </section>
      <section numbered="false" anchor="why-the-profile-is-not-defined-over-attestation-based-client-authentication-alone">
        <name>Why the profile is not defined over Attestation-Based Client Authentication alone</name>
        <t>A natural question is why this profile does not depend solely on
<xref target="ATTEST-CLIENT-AUTH"/>, a working-group document, and omit
<xref target="CIA-CORE"/>. Attestation-based client authentication
authenticates a client instance at the token endpoint and
deliberately stops there: it defines no representation of the
instance in issued access tokens, no instance identifier (the
attestation's <tt>sub</tt> is the <tt>client_id</tt>; the instance is identified
only by its key, the key-as-identity model that <xref target="subject"/>
rejects), no token-exchange or delegation-chain semantics, no
introspection content, and no identity continuity across key
rotation. Everything a resource server sees under this profile is
machinery imported from <xref target="CIA-CORE"/> on both carriers. Removing
the <xref target="CIA-CORE"/> dependency would not remove that machinery; it
would relocate it into this document, coupling a general
instance-representation layer to the AI-agent use case. The
Client Instance Assertion carrier additionally serves deployments
the attestation carrier structurally cannot: platforms that keep
an existing client authentication method and add instance
evidence rather than replacing their credential, clients
requiring in-band control over their Attester set, SPIFFE-based
workload reuse, mTLS sender constraint, and short-lived
per-issuance evidence. <xref target="ATTEST-CLIENT-AUTH"/> answers whether a
genuine instance of the client is authenticating; <xref target="CIA-CORE"/>
defines what the resource server sees afterward. This profile is
a profile of the second question.</t>
      </section>
      <section numbered="false" anchor="why-flat-claims-rather-than-one-structured-agent-claim">
        <name>Why flat claims rather than one structured agent claim</name>
        <t>A single structured <tt>agent</tt> claim object was considered. Flat
claims were chosen because individual JWT claim registrations are
the established practice of the JWT Claims registry, selective
surfacing (<xref target="surfacing"/>) operates naturally per claim, and
consumers can adopt <tt>agent_instance_id</tt> without parsing a
container whose other members they ignore. The two object-valued
claims (<tt>agent_model</tt>, <tt>agent_runtime</tt>) group members that are
only meaningful together.</t>
      </section>
      <section numbered="false" anchor="why-both-sub-and-agentinstanceid-on-the-assertion-carrier">
        <name>Why both <tt>sub</tt> and <tt>agent_instance_id</tt> on the assertion carrier</name>
        <t>On the Client Instance Assertion carrier the assertion's <tt>sub</tt>
must equal <tt>agent_instance_id</tt>, which is deliberately redundant.
Carrying the claim on both carriers gives implementations a single
code path for subject derivation regardless of carrier, and the
equality check on the assertion carrier is a cheap integrity
cross-check. Making the claim optional where <tt>sub</tt> already carries
the value was considered and rejected as an invitation to
carrier-conditional bugs.</t>
      </section>
      <section numbered="false" anchor="why-no-standardized-assurance-tier-claim">
        <name>Why no standardized assurance-tier claim</name>
        <t>This document names three assurance tiers (<xref target="trust"/>) but does not
register a claim conveying them, directing deployments to a
deployment-defined claim instead (<xref target="surfacing"/>). The tiers are
policy vocabulary between an AS and its resource servers, not
attested facts: which tier a given Attester provides is an
operational judgment the AS makes when it configures trust, and a
standardized claim would present that judgment with the same
apparent authority as the attested claims it summarizes.
Registering a tier claim before deployments demonstrate convergent
semantics would freeze the wrong thing; one can be added by a
later document without disturbing anything defined here.</t>
      </section>
      <section numbered="false" anchor="why-generic-agent-claim-names-are-registered-now">
        <name>Why generic <tt>agent_*</tt> claim names are registered now</name>
        <t>Agent identity claims are being invented independently across the
industry. Registering <tt>agent_instance_id</tt>, <tt>agent_platform</tt>,
<tt>agent_model</tt>, and <tt>agent_runtime</tt> early is intended to converge
that activity on one vocabulary before divergence hardens, not to
claim the namespace for this document; the semantics here are
deliberately minimal so that other specifications can profile
them. Coordination with related work in other bodies is invited,
and the names are open to revision during working group review.</t>
      </section>
      <section numbered="false" anchor="why-refresh-tokens-keep-cia-cores-key-binding">
        <name>Why refresh tokens keep <xref target="CIA-CORE"/>'s key binding</name>
        <t>Allowing a refresh token to be re-bound to a rotated key on
presentation of fresh evidence was considered, since the
Attester-minted identity makes "same instance, new key" provable.
It was rejected for this version: it would relax a <xref target="CIA-CORE"/>
          <bcp14>MUST</bcp14> and enlarge the refresh-token replay surface to the Attester
trust boundary. Identity continuity across rotation is preserved
without it, since new grants and exchanges under the unchanged
<tt>agent_instance_id</tt> carry the same subject (<xref target="refresh"/>), at
the cost of one extra grant round-trip after a rotation.</t>
      </section>
    </section>
    <section numbered="false" anchor="appendix-example-mcp">
      <name>Worked Example: Agent Calling an MCP Server</name>
      <t>Alice uses an AI assistant operated by an agent platform to triage
issues in her project tracker. The tracker's API is fronted by a
Model Context Protocol server (<xref target="MCP"/>) that acts as an OAuth
resource server. The example uses the Client Instance Assertion
carrier (<xref target="carrier-cia"/>); the Client Attestation carrier would
convey the same claims with the flow otherwise unchanged.</t>
      <t>Deployment:</t>
      <ul spacing="normal">
        <li>
          <t>User: <tt>alice@example.com</tt></t>
        </li>
        <li>
          <t>OAuth client (agent platform): <tt>https://agents.example.com/assistant</tt></t>
        </li>
        <li>
          <t>Agent Attester (the platform's control plane):
<tt>https://attester.agents.example.com</tt></t>
        </li>
        <li>
          <t>AS: <tt>https://as.example.com</tt></t>
        </li>
        <li>
          <t>MCP resource server: <tt>https://mcp.example.org</tt> (fronting the
project tracker)</t>
        </li>
      </ul>
      <t>The platform's registered client metadata lists its control plane
as a trusted instance issuer per <xref target="CIA-CORE"/>:</t>
      <sourcecode type="json"><![CDATA[
{
  "client_id": "https://agents.example.com/assistant",
  "jwks_uri": "https://agents.example.com/assistant/jwks.json",
  "token_endpoint_auth_method": "private_key_jwt",
  "ai_agent_instance_profile": true,
  "instance_issuers": [
    {
      "issuer": "https://attester.agents.example.com",
      "jwks_uri": "https://attester.agents.example.com/jwks.json",
      "subject_syntax": "uri"
    }
  ]
}
]]></sourcecode>
      <section numbered="false" anchor="delegation-and-instance-spawn">
        <name>Delegation and Instance Spawn</name>
        <t>Alice authorizes the assistant through a standard
<tt>authorization_code</tt> flow with PKCE (<xref target="RFC7636"/>); her consent
covers the client as
a whole, per <xref target="CIA-CORE"/>'s authorization-time consistency rules.
To handle her request, the platform's control plane spawns agent
instance <tt>sess-9f2c</tt>, provisions it a per-instance DPoP key, and,
acting as the Agent Attester, mints a Client Instance Assertion
carrying the claims of <xref target="agent-claims"/>:</t>
        <sourcecode type="json"><![CDATA[
{
  "iss":       "https://attester.agents.example.com",
  "sub":
    "https://attester.agents.example.com/instances/sess-9f2c",
  "aud":       "https://as.example.com",
  "client_id": "https://agents.example.com/assistant",
  "sub_profile": "ai_agent",
  "agent_instance_id":
    "https://attester.agents.example.com/instances/sess-9f2c",
  "agent_platform": "urn:example:orchestrator:v5",
  "agent_model":
    { "id": "urn:example:model:atlas", "version": "7.3" },
  "iat": 1770000000,
  "exp": 1770000300,
  "jti": "ag-1a2b3c",
  "cnf": { "jkt": "0ZcOCORZNYy...iguA4I" }
}
]]></sourcecode>
        <t>Per <xref target="carrier-cia"/>, the assertion's <tt>sub</tt> equals
<tt>agent_instance_id</tt>. The identifier names the session in the
Attester's namespace; it is not derived from the DPoP key.</t>
      </section>
      <section numbered="false" anchor="token-issuance">
        <name>Token Issuance</name>
        <t>The instance redeems the authorization code, presenting the
assertion and a DPoP proof signed with its instance key:</t>
        <sourcecode type="http-message"><![CDATA[
POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded
DPoP: <DPoP proof bound to sess-9f2c's key>

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=...
&client_id=https%3A%2F%2Fagents.example.com%2Fassistant
&client_assertion_type=
  urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJFUzI1NiIs...
&client_instance_assertion=eyJhbGciOiJFUzI1NiIs...
]]></sourcecode>
        <t>The AS validates per <xref target="CIA-CORE"/>, classifies the request as
delegation, and issues a DPoP-bound access token. Local policy
surfaces <tt>agent_model</tt> (but not <tt>agent_platform</tt>) per
<xref target="surfacing"/>:</t>
        <sourcecode type="json"><![CDATA[
{
  "iss":       "https://as.example.com",
  "aud":       "https://mcp.example.org",
  "sub":       "alice@example.com",
  "client_id": "https://agents.example.com/assistant",
  "scope":     "projects.read issues.write",
  "iat":       1770000005,
  "exp":       1770001805,
  "cnf":       { "jkt": "0ZcOCORZNYy...iguA4I" },
  "act": {
    "iss":         "https://attester.agents.example.com",
    "sub":
      "https://attester.agents.example.com/instances/sess-9f2c",
    "sub_profile": "ai_agent client_instance",
    "agent_model":
      { "id": "urn:example:model:atlas", "version": "7.3" },
    "cnf":         { "jkt": "0ZcOCORZNYy...iguA4I" }
  }
}
]]></sourcecode>
      </section>
      <section numbered="false" anchor="resource-server-processing">
        <name>Resource Server Processing</name>
        <t>The MCP server validates the JWT and the accompanying DPoP proof,
then applies agent-aware policy that is impossible when it sees
only <tt>client_id</tt>:</t>
        <ul spacing="normal">
          <li>
            <t><tt>act.sub_profile</tt> containing <tt>ai_agent</tt> routes the request
through the server's agent policy tier (for example, requiring
human-in-the-loop confirmation for destructive tools).</t>
          </li>
          <li>
            <t>Local policy requires <tt>agent_model.version</tt> of at least <tt>7</tt> for
<tt>issues.write</tt>; a token surfacing an older attested model would
be limited to read-only tools. (The attested model characterizes
the instance's primary configuration at evidence issuance, not
each individual operation, and is static for the token lifetime;
see <xref target="agent-claims"/> and <xref target="security-freshness"/> for the limits
of such policy.)</t>
          </li>
          <li>
            <t>Rate limits and anomaly detection are keyed on
<tt>(client_id, act.sub)</tt>: one runaway session is throttled
without affecting the platform's other agents.</t>
          </li>
          <li>
            <t>The audit record attributes the action end to end:
"<tt>alice@example.com</tt> via agent instance <tt>sess-9f2c</tt> (model
<tt>atlas</tt> 7.3) updated issue 4711."</t>
          </li>
        </ul>
        <t>If <tt>sess-9f2c</tt> misbehaves, the MCP server reports <tt>act.sub</tt>; the
platform terminates the session, and the AS applies per-instance
revocation keyed on <tt>(act.iss, act.sub)</tt> per <xref target="CIA-CORE"/>,
containing one agent without revoking the platform's client
registration.</t>
      </section>
      <section numbered="false" anchor="sub-agent-spawn-attested-chain">
        <name>Sub-Agent Spawn (Attested Chain)</name>
        <t>The agent delegates a subtask (summarizing a long issue thread)
to a specialized sub-agent. The platform spawns instance
<tt>sess-a114</tt> running a smaller model, with its own DPoP key and its
own assertion (<tt>agent_instance_id</tt> <tt>.../instances/sess-a114</tt>,
<tt>agent_model</tt> <tt>{"id": "urn:example:model:scout", "version": "2.0"}</tt>).
The sub-agent exchanges the parent's access token per <xref target="CIA-CORE"/>'s
token-exchange presentation, presenting its assertion as
<tt>actor_token</tt>. The resulting token nests the chain:</t>
        <sourcecode type="json"><![CDATA[
{
  "iss":       "https://as.example.com",
  "aud":       "https://mcp.example.org",
  "sub":       "alice@example.com",
  "client_id": "https://agents.example.com/assistant",
  "scope":     "projects.read",
  "cnf":       { "jkt": "QrS...XyZ" },
  "act": {
    "iss":         "https://attester.agents.example.com",
    "sub":
      "https://attester.agents.example.com/instances/sess-a114",
    "sub_profile": "ai_agent client_instance",
    "agent_model":
      { "id": "urn:example:model:scout", "version": "2.0" },
    "cnf":         { "jkt": "QrS...XyZ" },
    "act": {
      "iss":         "https://attester.agents.example.com",
      "sub":
        "https://attester.agents.example.com/instances/sess-9f2c",
      "sub_profile": "ai_agent client_instance"
    }
  }
}
]]></sourcecode>
        <t>The chain reads outward-in: sub-agent <tt>sess-a114</tt> (scout 2.0)
acting for agent <tt>sess-9f2c</tt> (atlas 7.3), acting for Alice. Every
actor entry corresponds to an instance that presented Attester
evidence at its hop (<xref target="chains"/>); scope was attenuated to
<tt>projects.read</tt> at the exchange.</t>
      </section>
      <section numbered="false" anchor="key-rotation">
        <name>Key Rotation</name>
        <t>Mid-session, the platform migrates <tt>sess-9f2c</tt> to another node and
rotates its DPoP key. The Attester mints a fresh assertion with the
same <tt>agent_instance_id</tt> and the new <tt>cnf.jkt</tt>. Access tokens
obtained with the new key carry the same <tt>act.sub</tt>: the MCP
server's per-agent rate-limit state, policy decisions, and audit
trail continue uninterrupted. Had the subject been derived from the
key thumbprint, the rotation would have silently minted a new actor
identity, orphaning the audit trail. (Refresh tokens remain bound
to the key present at their issuance per <xref target="CIA-CORE"/> and
<xref target="refresh"/>; the migrated instance obtains new tokens through a
fresh grant or exchange under its unchanged identity.)</t>
      </section>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t><em>RFC EDITOR: please remove this section before publication.</em></t>
      <section numbered="false" anchor="history-00">
        <name>-00</name>
        <ul spacing="normal">
          <li>
            <t>Initial version.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author thanks participants in the OAuth Working Group for
discussions on client instance identity and agent identity that
informed this document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA919/3LbRpbu//0UuErtjeQiaTvxJBNpZ+9qbGeinTj2WEpl
M1tbFkhCEmIS4AKgZI7L+yz3We6T3fO7TwOg7Gy29m7dqakZmSSARvfp8/M7
X0+n09CV3ao4zg5enm67m+yL2aPs9Cw7vS6qLjur2i6vFkX2qqmvylVxEPL5
vClu4dd1Dr+e5uU0x19OS/nlQVjkXXFdN7vjrO2WISzrRZWv4f7LJr/qpuvF
9basqqJtp3vuMH30KLTb+bps27Kuut0Grj17fvFtwK+Xb/JVXcEnu6INS3jS
cfbFoy++mj76evroSSg3zXHWNdu2++LRo28efRHypshhrOfFYtuU3e4g3NXN
2+um3m7g05+KeYavXDfl3/IOnoVv2dWLenUQ3hY7+OnyOGTTjOYF/4BpoaHi
3/RHVi7hf+HG+MliVdJH8hr0o64r4F947xBui2pbwA2zT3l+lvGLH/wEAy6r
6+xPeBF+vs7LlU7/P5ZFdzWrm2v8Im8WN/DFTddt2uOHD/F3+FF5W8z0Zw/x
g4fzpr5ri4d0h4d45XXZ3WzncG1cnId7VotfMq5V3rZFg2PH+6xyfF0/Brt8
xs+YlfWvvvO+CwaCM7vp1jB1Iac5xaWDMWXZ1Xa1Ygn8c96ssheLP8l96FuY
lbyS+Qc5q5bFpqiWtMjwn4Jne7Odr8rFP76F690rLep1CFXdrOHiW1rZ198+
/errJ9/In1//7nH885vH8ufvnzx+on9+9c2X8uc3T+yyb75+TL89vbh4fn4x
ffr92fMfLqanP158B+ObPqPF1CmI8jWd522x1FnMSWKzp2en06cvXz/nCz99
yuFSeObZxc/TV69ffnv2/fNzuUPd5HIty/10w3qhDaGsrnpT8fVXX36l7/Tl
N/Tn07MXzwZvocNYTtdFl8OmzqegNLZrXoSLf/5hevHyz89/OB9c2DV51eYL
ev2ufltUuKRnz6ZPvzs9++Hshz8NLtDtOl3c5GUF2wp+/+Lpq2Naa1WDL+pl
scqeguop3nW2JbPzTbEor8pFrtIOV+TNdQHybuKOVy74wo1chxLf+ksf0qUm
o5kI4XF2WnU3Tb0pF/Sh6bbfhTCdgiqZt/C6iy6Ei5uyzZJbZroKWXdTZFGN
P2WNZEr81NYXlsq0WQYiv6p3ON3tJLu7KZoiy7MWZmelN1PVRtN3VRZNaIpN
U7R4SZZXcp8N7H+UgazZVji5oKqqXQbzAcq3wR+w8lRxa2fZGT78qgSRhEfk
5RpfIO/wkttiRzcmAS+Wqm5Vt8aRwK/0W5gF0LH0poc6lklGizLBMXXlughF
dVs2dYVve5RdNfU6jl8e1mRdTROZJ7oZpu62aCah2eJE4wS22+YqX+CL0qhV
uGCUGdiuLY56Aa8JL0WyOcGhBhhMcc07loQQ7gvT1JULvieNRKah3eR38P12
znoO5uvipggyUWDZskXeNDAFsIFNax3jyHcw87tsXshEwkDgObmIQxiKA8if
/0V2GtWKrM8ym++iYAX3g+kfUe/YlfALnAWWyxmL7rpcLldFCJ+BJHZNvdwu
2CCaAOpi8Vt5kYN3PnVyVVyXuECtyWe45N+9KZeXJAn4eFzrdlz4TILabAvz
Ba/dHQfwJ7IN/L2F6YDlILdjApu7fTvBmZEVg5dE5+FqVd/NstdFW28bmEOW
ihb2w6Iob1EWkjVnCYNBtYV7y7Yosrpa7fCLoB9/3mbuZU7gO9jmZbVYbZcw
2nGlFOTx2eH796DHPnw4wg1cLm7wXWQiSaq8JM+y53DNTnajvC/M1GqVb+Bf
8EyQf5wTFegJCkEB18LbwTyxNIbkniDb22VJW6gp51v+CAZPt4B1azd11RYT
3qxzGFxANQnij/twhjrtk/RWT+29f68G7sOHoIoEdy4MsGjyVbYuYI9VZbvm
2RQ1mc235WrZZmjwcxE000qsRWAWYBfajr5HIWSHp+dH8N4Bf0CLnsFO3NQw
ixOVyOw2X5VLEiF7jN2btQjNO91jRHVkOcgG6P4Z6ILL7PAOZZzGw2pr0eG7
ZHlAAQYxwgWvavhBAy+Di7DJV/DxvLjJV1dH+HVXb6ar4hYk6jK9ZXC3zGkS
CrhkAu+Ku2UKi4ZWiBQCzEmegZtMIzHFfFPDzM7ESOl850uY7TtUaQODk1UF
KpdiV6NkZHNQAKE3R6jlj0N4kD14cAohRT5foSCJrp6uYaIH9sFd+eABmFPY
HuwqsvKEfUK6NP4eZuGXYgE3IHPmrAvOSda3D/hMVtdxFXQfNTlNPCjwiucH
Xfmb7XqOSwEi0dYwq7jotyWKGU4gbGaWKBQX9FRBQ9TgCt2QOkFnjDcX6BgI
SUDrV7hAGepXmpTURkYr+ODByIsfZ/UGHwa7gz+D27OZYENW9HTyhD4jIxot
pc0batoJDhBGXtzivMGH+bzedrSBxOhmzujSDDR99ZnxW202oBTjC0zzOzQI
mxqc7528LOjtkowBjwTeAeZdNcKDB8fOKrOlJlO6zpu3cR0XXQ068w4iEnq5
y7x8Q99cZrInVXDV4JD9g+vfv++5xR8+jL4Pvc0SLoVhbMv2RsNGfTRZBd6h
aFNWdb5MRmXuV1tew0qxBNuLofimKx+dioycipaXnv+mRacNrusH9yPfguyo
uheTrMjBcNzUm8xcO1zDGnwQW29dY1zzDZlyllFST5f8cHQl2AgVbGfwxbI7
UCfmzfEmoZ0B165hgmHdOfoolmIOxM9R/4Pd0nGnh96VP6a9HX6SSZ223Q5m
0esb8S3h+evE51FjE6KxQZ/Am5iT5EZbXKJf7xPBHYeBHZiv3rhQLofeGGst
nhnemKK4wPo15a2aYrE6bEI4MnLbAieRNdwClAA8aw6SGBYw5IHiXtawgcCU
yCronss3+bxc4UYhW1KvpjBVkq8J5s+m01W8Q6miOcNbTa/FjIi2setbmIn1
pgb3JTHZtC1eo1ClGZPXxb9tYXbIA5I4EyQgkNumD5+q15C1i3qD4oDbaoYO
6VOc9Qrv1NK0PcP3LOnfLIWonzER1EJc+OP5xcGE/z/74SX9/fr5X348e/38
Gf59/t3p99/bH0F+cf7dyx+/fxb/ilc+ffnixfMfnvHF8GmWfBQOXpz+fMCL
efDy1cXZyx9Ovz9g0YB50QCZVhNM8RyNGWgqmGQyBS1IRLsAX4yd/z8+ffV/
/vfjJyB8/wNm6YvHj7/58EH+8fvHXz+Bf6CC4KeRZ8r/xFgigFYucg4QVitc
/LLLVxjNgJm6Qe2AWxNm88G/4Mz863H29/PF5vGTf5AP8IWTD3XOkg9pzoaf
DC7mSRz5aOQxNpvJ572ZTsd7+nPyb5139+Hf/68V7oTp49//r38Isl1sMbat
OKCwEqC7DvY6srjkPccTP4r+CzqBjS2/i4gOcN5VKYLL6BWU/HyoN/Deyad6
73Dw7FX9CpTiek43RDvfe8IehQULTini44CZC3SN66pe11tyP0EHlFP3UVtf
dWTKyRZMMLeJygfkbAlqq0AXB+LLHMz04gaVwwoEjjMIHLyTDQcdweETRmYt
XoC3wF+dvjojL0Q9G7gvqAb2d7P6Cm5Mod2YX6yvkb0SfwffJ0YjkvjgWJGN
Wj+OBB+H1bJ6TDAQ8oJJEOQG7Eg00c0DPdRgtpR/VGNcvMI7VAW9rFlocC+2
8NPbEiRLNDuqyoqu7Q3F3kXljdamn5dGTRlF5khyFzGNgzGRKkxzmZKoGHR5
sZAYD+ZUnDx7ukqYzqRETRhGUQgQzeHwFegN2b32nreNvecUkHSmDu4MdDi6
BSgXlMikCWbnoOcnsAVNB00zkQaWWdbblixIe/ZF1ttnlOQqW07oi9APvezP
21QIJhCjdhmoI1TsOVzMziR4/Zu8gZk8xBTC+/dU6iCPp7fyEOKzo6aLoDMA
V5dXGD2M+fz9aa6vyOdNJ1iD4dPz46woaTcNnKio6GhbNuOpJbLp6GKCka9p
o4LdF0kj6/y6WNEv25tyg499SU9LErFt9v6zxv2s/dB3YUga0IuR5DQrB7/C
HMmhlzTV0D3A5Qt2V4bBb5eBslzSV4mLZTlR9sNCU1zBv2/UAVO/iLexhgxT
SSPEB6LEBMsK3B+g6EbgO/pgZTRU4ctw0UvyYAvODiUBpM/P/qSZhpHVU4kC
2YYbLScY1upk73Vz3fO4KiaZEc0Xrba0cYdGSf27J0++YXl/1s+j8vJwbhEe
s1rVdzp7GJrENCtINd0Lqy8wotxkhZKcXjDgMa9ZuU1dBBsD3bKNGVYOB/B5
z7ki6OfqgiRAXuHrx49R796WuQwPZ/2NaNFL3nthGLifpA7xwDWvbFyBCzG4
oSSAQ78+1kp4OOQyx+IKDilfLtFHx2dscoknYbbK9XpLaZdMahsg9g3sVItd
OWqlaIo0EgxujUuSX4E4BnKoIdJIsme9t5EnDwxCsDQZGim5Ee8n1MVU9SP9
1t3VHB1C8LAqcJlyrEDnIYYBlBSnOAl+7mbDZ2rT5C2n4gJbfz/eCUn/Pu3p
CgGsK4N/nMwhLMmZvRvmvpKwRutTuEauoIWLVFS4FGgpw2g+EuYdk7eyBDAA
egt9JdAOBewEXExwHsUdYkO4wX3ZVOzsrOjlCg4pwPnIaMWnmKERzRtkrnyQ
Z5E/SmO81iYEUzvwjybMGxhO01pCRmYdJ7lZTtnGqYakugcsP0ob6ILbonVS
wYLILwsRJ+qg8ZiVtpHJigWZ4EhtGzTKx+QAjU0oZaV4qaMEBHKaWAJFFbb3
ygKuccxsBRUNXmlKp7LIgXHhuQEB2aNDex7UwMGDoZHQJclocig0R17VPWPF
uiJWrvji9oSGyPFyxt5rjrt1Qx7WO8lIYm53l86OZNgpB5g+aJXv0IPqWWCf
NYU5ava+OoI/zNuJG43d10VHextrqPgq6+2qKzektkCDofJgWQKLFe3nCkJk
9MTBLViV67LTpDdJ4x1JZHXdHkd/KeypSe5bavWXOKCgeQ1phcBm6JNLibNw
tkfQwdmYyqZK005aj0b3g8w8eJQLnOrdZCShk3H2YGNOPieAr/ECeqtJwJFj
7EvCwfUA3VRoDSbJmuI3RSffhDb14OiVlzX4PRW5t+Viu8pBKSV5IpdhcmPT
R7ZkTu/JD4UkP8TzfpM3S4xKp+B+UlZSs9Vq3/3NA5v1bGjW2dq2qXkn/7Xn
kz9lr/r9Z4ll5zwTOywoAL6+68q3MVQZ+PhhvhuJZGb8PCko4O2cgyg3/Kfz
lz9kPxXzwG8iA5RgdYdvVOZV3q+auBFaYcvGcE4OFawiqhT1EaOX1wvBTsDa
vK3AQwnrYj0vGvMkakprTuFCFH55IqWTMNN1Dd48+lzVCvdEbtsZHplmx1xR
sEx87BDE79LtSxXkQ81NHXHofN418OOXzY+vz2R5EdODVlhKRNEupMoAwx6p
TO1ZnAsuC4Jl1rcCDQWymuXrGpO0q5ULPF3qfC6a1gLWQ7GBnGz3aQsJfu2X
ZM9aKljQlhtULQocUC5qCKNvVwijOh1qm3/bwmJe7chS7XzJ+og2lbwNJjDY
Z9QyGVxU0PaiReobSjchiMmRvCFOC3tsS/HPOFacwn9jrIhJ2mP8H5JJzCVx
eAYOH7w2eIwTGrgpVaqlkHyZSNsc4ZPhDvjspsDS0nXlTAuV0pdlN4WQEyYL
xs9LSLXQZXl1VTQ87/paJxkH6q0AEKc4C4vdYlVgpkKf2maSw0SRgatB3Kbt
Tb6Bt6b7O/+advMmR7OCOA9NGhziLBfvcnR+UfYuFZKkNcuZfImgtYcmVg9x
BqffXH2xuDTkwDp/W7QiOjgeKhlYCod1Y8favmphlzWtrmiUlri9NMEBe0uT
qSN7K91N/eQITnvdLG4KzaDB6FRX+8ycL0RLjgqmLpkaLqd6sc7X+tD4iLqR
4lZHIo1OwTr/pcaCFe4TGMGR38B2O5folPxeuv3h+ldWVkWRjH5BgrBCyAW/
Eq5vWaEEUI7farV8Y7f54oyTpR5ON6l61qrocyKUDPbG3/TlwVFfQ8Qkdh4e
clVeb1HHXtWNCENPw3GWmLOR+9RcRplMFy/7kE0Hw0AQ8uAuUQmzJYi6mOrL
ibjwIOMqiuY5/VlvBr+/lJW6RE0sd8xBJ+FdvB3LtE7SJvLzudTFaRokP4Er
RjVSVC/wTqAIZZ0JOzqojhNYF8v7IIej19CqckKaXqkd7GO8lhJNV2AQ5vmC
EUn59h14a7Zc7RHpByq6V2pqTYfTWyKMCqEw1+aO6oK7pZZk+019h7ZkAtOW
E6ISvNPbst62q506o7aiEEiAR35dNHumkYsMPTtE2p2jUkqQxdvNC3j/IkWU
ZCAoLCBX24Y9Sg6VhmG51MlV19LNEe5Kav40+jWgr/oihMF+BjOIj7viOuFJ
5nfUDEWTSmy0fOIua968KQqBq86L7q6QrFncBlKRHVhchTuiIgU9E3expYPu
3ceWw+1hL+hZQ+wFJ3TH9nK7xaC9ZWmgSclXU3R/Sfwy1gGY2imWU8v++0Qe
vhqEWxJfDR0wCNtsIx5nl0Xe+Veb6MYVNME+X5sXOHrZE/EwseDJDu1PF+S1
Y4a7JduvgYAhnLLs+SmKH/rA+HO1MIif/urJtllNYSJhxZd8CfzqqfwqZg+y
LMIVHcyD/B1QhJyHhD2FtRQ3JHSKkkGZ7gORKuslfAueM9ofAuJSYgxFajAy
HJGGfyDZy2XJoblNcau1Awff9IkaeF8aU+XRwydwubjj8Tapyz0bpCs5B4ry
KxgZiQJQkTFwJ5NIEdWnpLUpWhxsBrocBpyDIA0BL+G0wvuK54poS3j/PRER
p5nVDXZxDzujLvEIj1HQObr19LpNQbvL0qn0yJpyA6NBw/v3RdPUDD2JQ7i7
gdAxjMYxKDbrfIUyBB+mDkpixYPq9dQ2Htmy8FAL1i4t+IbZXb6j2NPG8VSi
LYg7LfBKEDYjRTQHtKFYEUa36Khwou57iAGrlpRIijMthVDYPcCrlE2S8afE
52oFsnyHyfsiX7sYrQdUgVWEeB0DvhAjS3zVz+7Bi8rLx3efLspcXr/vqgjm
Ma3+DWp/aM8MldvduFrZcBZTHM8QYQRbF14+TYTBxJVNwbuUpNjehfMMk5AU
mWgKXXjNELptxcZ+6YsquGqXh/Aak+yXrjy6xLzTCvwT8HoXb+k+w0IX7EtL
1AguywaEgGVCj5IwFhgX+oJGskdI/k+C6Aa/y9B82ity80En+XwOqBj13n/q
G9nAlxo6yZoo3Hbrq2YnIQoPLhRBUfGHMdPDGdyJg0lJCSkkekgBUprYaLeo
Fe5SuFkf1M76gwOC7LDGikhXXNO/cH8fEeQ0FTNe17KC+cAHeBEBzxRB2BIw
SL3FimHH7Ny5sjL/TpUchOGYDRsrfKOKsTWjUbSXkwz8CQ6mJbGvkWBA15Yd
AMZKOxRC3JLegg/3Il/+ke34qYX237Az3SgDmGvVWmUvjVq0AgkcHQ4VAMOw
csk5dPocwWRl6iBbrgK/w1grXeqRLek0RIT6SdY+AY2rjcBHT2kZ2fcHYYSH
wTL9sVjk27bYMxO2vTmB2A9VpSo2PhmT9B0VXV0LeE3WH4swBSIDYc1arsxr
u8SoEuFIBhyBpCCjW5E1Hg+UkiealuDxft6OTRLXuCVPzdlLrHAR/l+ciGsE
KFl83oaC8lrg7ZHVhQDt+iZ9jHM3dNeFnpuB7uYOww1MZM25g0lCiBOUeNWR
mIYijR7KjpNMuu1xFW9ydqroWnGpyC+KwVOv+ILlhC4WEVJdhrHMLTaNohdb
8wYBLcWg2duIK0jkMwFApGDs7PAyqae9Qd/1cmItOwusRVKkgXrmUtASb+hW
8AH6zfMCfABWhkEAGu94nY9OdGwwi225LCSUSkfAWe8rxCeEPpp3lkX5d7Ng
2GeqkZEXE9ApX2OqY0LTR8lAecWNSI6tfgod5zj/CPuZIUroKCGFYtWbRXvA
lB+P6b2mvL7GWAl0UvrquIq+TIJtNyK0BYoqhS1VHS4JbCfzmZHPS68mdjxx
O5wHAaK70ZoMwTmot0Qvxv1j5vqQB4adyphrReze9cRKR/Caq7p+u91MGMaO
AVHwDsVEMjDeI/T9XBFlw0UycFYCOSuYwqG1beGq9gqd1J5q0XQUwwFw1Hu0
tnvxrr5mTWCNAQzFSFyyEWOC3WDkSGGJreAiP0cY6F3IpvnIw3t+GpsLSnUH
y2JIPwONwKAwJ31R8h5eUA8vX9w4xAj7iHORfpDz/X2iUWow9rsgZ8NiKKc4
WHli8dHMMXkmgUY79vLDgQ+cj2BOi0SPFGiuuEXg29iZx2iklrIMycgmmXc4
26LjLiq4/yWsduy2anxGWKxGbNkacWXISYARBKwUT1EfYOEuJ4xmkvjR2/P4
TRtzwiJnRgNwTAdqtFyfJGNvCkprwlZn4aRkCI6GQ92muK0XJkhdU2OF1fXl
iTtJg+GmmjDAn1GsftJXLhvqtNBuH3sM8iPorivsxhV4wGLqNznW23oq1+HD
AiW70FEUIXqFtoud8eggbuxDcBJP09hSQMHWhXxPFEiplAB2pk6q4rBmWDXe
68+JM7G/bVaSTvugl2QsYsivcJ2OYIi0bh/DDsCWqzMw1VuOigKjnDTc1pRr
DP5jQs8LD+lcRt+SzCex1KK6ukycUHUpzWMlzU5wB0xV8S3G3UW6l9Zy4qjk
JpT5omxHwF/OfnnbXeJAtTeOQ0iYBLDt5RXXtzgETF4nSODI+VQWBdoUl5L8
fkOOweUsO7ui1hY3Y4TaGqv8TmLcGHNeNJ7+PqRum489m5P6d2VbcJeJhBIw
syk64Zz33gvVc+8/My+x31rgEqmDmM7ch+wwOp/i8Aj5BDUHMHgL3Tv0Jatd
CkvnlHi73Wzqphs6e0fSHLKnDXY4mOAGk9lgkP4CO9Iw0y3xeVwJC+oPe69I
yW9NF4PnVterIq8mli28vILdXVwKYvUSbE8haxod9yy7JxEoZWBbZjL5vZ2N
qWNNGNSVFNxTnWTxizw2caOpoqSOdN/83eNITzBEKjaYPu55yfrcVuuFnLSA
e8vv0M7m+lSaAR6nAxyB/bc0yCCtmOQ24fqfJB9JU9eLRB18vN6ulpQxdYUJ
qgNxKcfAblU/ea6EDHUD+ojKU+JXYzGshXWqMA0Jei/fWK04tpynqV1xwIQ2
IesHaCL1SIRxrplqTJoX74r1phNcEzkAtHrCyNNyXtcmntxQtO3rfEm5/35D
wyEXUGN+dyT6QVtjFdRhSwCW4LApAPQiDw6xSv75kjNlr8KmTmiL3E/JjeYI
EVbdmXUfJCY7QS7HvTAWkUsaxWZ2/34Z4pkjWoT9UTIXae8uF+OSBNyJFXLu
x6TTlE6oHFH2VpxyKRKLJaO3GFzf2bp+ewkrbjKxYool6TWxoI+NepkESxMH
0TIm46JnjeYEZvcpyzemsS+Ri+AjKhNBdktJZnWaBoWr5CZtsoWQnsbVk0eb
RCYM0NHd2M/5oOyS6jfEDfuicaX165hjzajSgzgNxXL30bdSQraUr5/rCTn6
tAhqBxAQANbufrsFyopontobzGFmIl4GzREnClFPXKReujYja6t2ry/vg8Ev
6z+cZhUVmW7CB8juleKkQ1+rNJt8jQGRP2fDluxgplqRkZyLR/7MOoTBzdDV
4FTAIFFH+ojSX+MtxBzxjULoyIeacAV9ab1CaW6XPFGBx5Vdanox5aUg/bGh
sYUIe2Bgzp2MiLBxPFiIWBsUyISIwUaimIlByfzzCEKfYRexIKEQJSeOtBBs
LOpG+5OIFUASrkkW0nxnKr9Tn1JdKTwF9BDW3nr5WkdYodNqVBj8NgkrENJn
RIgWAxcEnyfwQXL3MS/JczX18wESpgC0ys2AQfqOe30TbOWxgk5kBoRj6ciU
4l3JCR/GLPpKCaGCRKeoRdhCc8zLDRPIiYFJ8RXRaMRwVOdGSDb08YI+Nc+I
3aJWAgnfqkUwD27XODqBmfP0Gy3lw4csIX0Zx7XGt1jRAGAfRKId6v9I8dHo
8mxyhH9SHaBESA1JMSw7ubSW+aX6TYS2p09NSQGmyOlTEmR6mMNyUTnplWPv
tnJFL8addv/PR90AAiRirCJZGnjqsnDwRq6gi2+Kj3EAR4UY4uyuYXxLazsa
FG042yf4V8VYYO+G6lgCZ3H3KMtr8IDJslOHqmV0NsssQ5/PTbehclRbFMLp
/gY/azLzk3mcgpdUFLmHvk2JfMpqmMEiyW4jQU+41J+OpJrS6k9KGQQBzwhp
zyAJPmTqKa2HWmD6RUvq48L8M7hPWoI9jHxCowNFUyxvHS8aefuj1K5T8M5W
sV/RzQ4dsGWk1fHIUy8RpNgSy7I0lz5W7sdjR5NME/u43zD22MGqv9PkoDPS
CipLWLV8OZf0X69F58Sle+ktJfOwKqhhZkCOw00h6g2luxf7ehhL6tZRcaPs
B0k4KY3HRMdCZonsinTVuuSAyyFklhMBBzYRDiKcoHVazkQ60ITDz0RIsgEC
GJckBanq9qBRrmqEeTjMkMAUb/MFwRSxyqO4SelMNqif/Aydx3OVUdeCo0k4
ZrIQ3ZBJoRG7QwVQN7YjDzkR5XNtNIVHQnuEPnS9yfaLP90hkQiWaXn5I/F3
o9OhEzh8AZKDu4JDTkZmtixXLl+9Jx2Jq9QHb/U6WRXFNY7h6uHy74Vywf/M
YRLXSaCkgly8oy6hXCGKyDsKipx8AOI7GrslXCyeuE4P5jVAp1I+Uy7vpMlf
++Ipv0vt85EMRhUHu1feCDf5nc2IVBjEKIOqIGj/ojjqczqaH2PzIbRakTYl
ycgbGV47GWhjdCp7v41mm22WtoHE9ufsKbE8Ydac6Z7UYxiQdQ05nxRNR08x
uqfENzWPQq5QMC5YU+pg5iZDKU1KlxV3Vh9JT3Qv0dUrZqYt8y4vpdxT+yB+
h0I+IFESY7oDw1Dxes9IVVH+g14E58CCWcq7oTqEv0F3b4oB/oKvB9/+2iqR
TCKEqYBqK2VmxoUHe6noGdhssCPHqlYwBV4lUHtb1/F2EqYTQeW66UVv/7wX
x8oGVTiGa2yHsSb0VSFtII+9oAI7ldlxZE6RQHFm0UcyI7x82FY0Prs0r9jw
J5+DV4y2CrudWn5XwlFoWEJ8jPUahggDcGyJIfKhto4QFSSX+n5BEtuSW5ol
K4vqGn3JquPxSs17Q+DtLm1WFRrf9jjhK2OJYEXIu3K5XSg7Zp4p50DD23nZ
cko9rqmvToEh3SfFkoFB1jUGv2GJL28ze+JS0yGme+0raUyywV4xL0lv13Ml
v1wGnHg1GCRZputgXBVDruReiCXQlV2aMg/SgnUplkuT0GSQYldsfKNDFEEz
J0e8ivHN8HOpc+rV07yb0ipMmYeOlwvrLQ1nXUAGqtbwqPKg1mVAh10BsPai
IhkiQuFuH6PXJ0k1S3aYh6j8lNiYEBHW7+W4EvnpvhfMY6YmRHACkkp0Bv4O
yCEaec8IVBS44976+L2eZccDpoMbcqPRZjggGuurQr0l1RDiu0qvPLaKYHC6
7PNKsFoAaXH+XpaMhXKzQtDCDRxCKIFULBxch/A6iahh1MuVQ1VmKW2VIS6k
2S8MkwLDEFvgw9Uuml7XYL/QXlYM2jUzXl4jcxJZF3sAJhRm2bf0HtylNdyl
sWxPRplf2qDxHH3NY06jR4RE4+xlPcbC6DjWLshYV9YzNVaHRBdKBhMNZzCn
TrarkzIdEEg7g9vid6Zqx2upp+5JutU0L5k28YAJnibsNc6NdW+YjbxhWxRh
vH/HukhhkKui4nQp9nCsGfjESSxl3BESzJlJYWS/IAF2YMgUgKnqkXVY2QQd
29BX20fHgsm+d5zhlDuTAk/VMafD2OHyz0/bv4g+JVuXCBWmSFFaiyoInlok
7lKlKFYVrTNmRvvdWo2fhLjXquIOH0qkGerVwWdC/aBqCISEryZJyJQpyVTR
xNcS6ZdRAFnfCjkGMQ4pLn1M/tmBc+nFNEFLZoE5cQfhBs4doq66CbpI2yoH
qV647kuf/3Otv6jCGNP0Qvhtl4jukGDiQromOJhgBwKbFKprmEBkldtDTWYU
SHc3LvsdHCYo44zwrTXjpdboOARtE5VoMpa4lM/L3214h8/ZdU4oxWIZVBTj
1UphFO4ySn3irpzX9du3RYFl1pMYYVGtoWW+aX9yBlwgTiRVslwPXMptF7sB
zaBiBDjhbqTGsAmRFnfIHZOJt+CDBGMigjX9rkfrcO/sVaCQNjVT8fUV57Dh
jUq5e3rkfJ/doXXpInNE1o+7QaBXTJpBmzHhjVASBmvkc83OBGfllyoro69I
YljrmTaQDxINOarcj8hSLgRzxjdniIbYjU2dDKAI+qXtlPQnLlK/JF52zNBP
nOVUKjXOH31InAeVU6WW8mRvVHCLryYOjt4DkeKjLp2nX7MPpXuYPR5zmZiS
HdMKaclXUhGGzpEGdKkFlI3NaVAUQix3M7eAmprNvp2OHK59hhKCjI2uJemy
7ymDhg96RQfWTLVEngQfqNMo1yZR1Aej07EfSCa/KtDS500JtgRWDBfMSC7L
6qrJXaMjZu8RALhiMjLkpG7fYmJMQjXpx8cphdFPiZBT6D5bTwiK7CE0eD0B
Qjo+8VwdyykEztwN0eVipWhbvfrz0+fK2vHVl19pUli8lqAVFa3TGR5DWlgt
JS7YaoxVIWoKy17ln2QudsMJi5alzDmr2bMV13Q+gXoAHmPJvNqjpU260yqy
hRXWleKtCINFRkkls8Ob+k76nF2Xc8JLiRVoPkXABHNVg5+mLfMpSaWkOT0O
Em4QHXSuxeyLfRlJExGImhjVQwV46tzBDIadxWXki4duBNwgdqzwLYxT8kHK
+m/gUfxp0QvJe/RZm0J5EPbjTIc0o9Ru+IFSxdgnT40KZSdslCuR9KlVB6zs
OEM8rHpVuaERxh7qPE8G6qT2SZlgUjqoE2Z57iW7dGKSg6B6PFJ4LkG9pKey
X9bbraI6uE5N9A98hU3+aK1qzwETtoQrxMbcFCuuIPd9cVcJGxaTDYgh+fr+
qTvKGeT3u+ugRCvilDKxCSdSRdm7fUo8+GS0UPtXIBr1HUFPcswmcMnQjPBt
vUUeEqn5dEEmjIIfeSKnmrwOWDrDv1hAeMNoUwp0AgdhunlgApnKQkMq7kYk
8i82oKafYYuxC5Kc94AHTwwOwHHglJLXkS0p4lDZlorJxC7fznSZuFYuICck
JGHYrle7k9A/KoSxYVw2iAMXn/aKWk680mjDgtjHiFu/b01Tf49zSS2ltYcs
DEP4mhyUpR1T3HSNWEmcG87wg6EV9GQI9JXycIHJjNVYM27ZuaT9fzf7YqLN
n9q5SzfKuvwdcmrvhjX8ajlR/MNIV6M1ROztx+hbvaWo42jZ+hhnKW7Z2+Rt
/Alrg8vANPLD/Zoo3DKhyk71TYh2+YhsqpYcFMlKqTiF1UqMGt3hHl42lswo
773HMLE6qaS+4CGChiGWQKdK0KMMzpQTiGgkiBhlzgrX/XciWJx9ZnE/04Bo
OVdPTroNP0JuQEiWPrOaY8fEuxkrQRg7NAfvUI/2tA+NIK/xoFkca3FqsLhl
fA+lQmpA8cmcW3V9etIaMumncVqO0/ai04ywqtdOUQuQt1vc8OuPtKHYJIhg
TZxm9QIdk4JJAq7nIREPh+RH/O/Gho7yTPJ3TwotwTcd6QkXRBwgjTXxXx+U
UUM+U/5Vd0zWTnGK5IWA1i5y2nFx74ahy8O0fuyMJNQ0pGWduIrHIH0KUVBP
spTDaE+ihYt1qYSe3A9G7UNRT8I9MNR+S54Dn2AWY4gnEdkqFYQ2BpU5MTsZ
HOzMd/ZF4H4wkzqU+b3SyfBoOtElSjZjxEVMTziAWN7ixqQCrYJR2fB9Es44
USxaoXLC8ml+spO8kOZWGS07fsMRwHfwMryPOjamfGMD75RVt8fH8TIMEN+8
W3oYP30q7JR1UdhAI6YtQd0NEW2HSbedQIuQBRIz3BNCaBLP1CRUMFYlJIyt
/ynMc0Et7yO64yiQe7CJ6pN1Zg2e+7UhavYxn4T/yKkHbrosl3noa2FHyeyp
WuASEZuxMG7G6MUlT25FQNU9mFvaEuRsVcYMYW/ZeKsnBka9OQNBMb8tQSB1
VZM0maQeOEzZQ4Nx2s8yJa/siG7iCZPMwmIAIs3FD4Eig/MDSIVM2L0mdU3H
iQUJk3vIOyHJ8CptcBSHdN3r/UZqbKqJI4pLbT4ni6edbM0UuRXPrRCIgkNx
6a1pw32W6bndhLB2N3n/mV4z6JMzzhQOmOT6sUG4Iz5oe/yqxpJ7lIzrzuYW
V3+jb62bm/KBVHZ41pRXnXsnV/jae67HHr49KnNeRfOcMi6ym7fGIIcxWCS9
S3p82abYPOTOt5iS6Sbqbtre5Rsqlm834OEq0Yp0DuIxNSh5GqcGYyNkOMEe
EsHZkJ5FEUmhxw/IFbFcWSqlADXfWhuLVMKQlxJzxgEeuVLqC2qqORlmfs3M
0l2nwhspTn2g87VQXPtqQAhFaNaRS7vcYOoTVvzlJ3vIfa4XUCmdo1dQeH2r
BUsskNNiQTy2xGNok0eFEYFlPc8/xyWmG8W62PBCh+rXnkI8izIqP3A/2x38
RcfYEnLzBqaTZGKZ7xDUttq2jr8gM2F2RDjMbBCZVKhOT9nwmPIUH51f3ZIW
/LtYTAPDB2qOu6SSDH10QPUAYAcOkFwEJqlo0qcrohj2zYqar9CsWq/I7XAA
SfmFYVxs/PlrcnvbjgirHQLBQRwIgRDCGHAVTU0CycZVWoxxKgdmJh1m144t
ZI7OborCFRQVM7PJHksqPslmdwXahDR2EjBZsvK503cb3MQzg4lE6MC+SeH2
jiSKgdt0BSeHy1ZFWZpWnA/NQJOgMzKSoboWQwYGtWQ258jDCsrKzbosvWbS
7KBX3wtwcfG9uPplY7oCZn9NvPSSGz09R05g0YuEuRpoH3kWllpD8oC4+0lE
BzXjmBmDlaAVCLJOsPkVw/qZawQ7i/0q3ysLtbc6kZqaa92MuR/3KMnr4ROf
MaUaz3LW+neoexSoN3VVN+qQqYPsHNCRE284rvBNY8bJPTimt8ajXgZgFrSS
XVNjG1j/eGoB5eA25harkFBdSErnMMaAkfziSEsEvcUMvOQjw+Y6SDxTm8aM
YkWHlMdkZY+rGkZRpzzH1gIdj+uOJ3L7ZUCu4FgXum7IvyQvoE39fiSmsI2Q
r47VkjJRT9GrjRiRD08f+38woUEMr3ZJsrHNYodpNJq69hsqdZCOCy0q+Vm/
5RJdeK5TRKJ09mf1WhrdLtzktwWvMDIerktMlY4gj4WmhOvI11twTGyTvIqb
PwJA3N5wnumQ2rxH2jnxjQ6WQSZS8IoKnIFGcAeb+mZntTOTl1KFZuNhkh7V
Pgs/Uipsb9VhEl0kTeylMA/Ws3x+qB7WDPcYcY6sYs15e9xDCFK3GjS8kEgK
rN8r3jQ0+mvy+j5B2aYyD9JRrrdrGb6yrVvxIH8r3ZMp5J9BuayuJ1J9HtYN
eKAY3QVFVIgEO3+gXyTwFfmxykD0+AnAMVVkh2skAPk6h9vChww2eg133p+r
dzyJJn4tXU5D+tB3MPd6fWN8TFyT61WPXe4dKXIoz7phvKzvW3EUNX797usD
wdZYRXMrcaxTBahNFPoW0WwM3mrH6wGT/unwCg/zIyqxPTKvCgo3wEsWwIqu
c5BzLtyuo75UmJ96yfX1eCR7LEZllhHAgtiCz0HQbg5tJu0dCKgmg+GWK/SO
mqJImY9YKE7b3XpdIIzbrbtlofRLMc2YuLaUB2zrRazM4zBSjYJuOpYenX2k
nBN6Zp8eq+DSPeAleWB9lD1SUDQX+2hBJ8hvoEmZTk65pkLHgPcr9uSP1AHE
POE8b8imJubByTKyI0p0sNQXDfftmd5OoV6LaaTHD4fDrODRSf+JxKvBxs96
J+jsBqrE8nSlwyVWAJAMfiOmhRIllgfYOKjz4CWngkZT6m5tkXBHLbggmE8S
yf0pWbg4Co53pBeecC+yTe+CgGOUEmHpI61sXjB5FgbXdmA74ZqtUc12c0O9
/PJkY/XFu/A88xEGIaFTUHZnylr4ituUcXCjRB3D5Ukrix4OQ5AOVsEhHwrD
scEZxDKk3B28VGRIkl3mTj7io26NwCMJTe2UPHy6HRCsPVgsPULcZqcu2tYm
AkpX2dVuOGfCPmlH+9SUKSEKy/jSKV8BU+vYqUwxLRfNB8QVJnY2sjfbhNtO
1iCvaK3arq8u5635MFoAmLdFx1w3ruQqMeSEIWBD3UFOo8JB7qGYCler/Fql
U88Wyrk3iHaR7GaIcYlgz51Ei9tkxmlHFbBcjlLdVikqY7nDA2YWySuEQ8fK
xelsqoSuuINHJc/cfqki6oo+C7YgzzTpSUc6v3hGjctxFWzyY3K0FRI6STUj
3iFmg9TgItjyx9ff+4b5Ey4p1QtYf06UyiFz8TzIWIoWoEvvOMUgiWo9d45L
mAgr5Hj9tBrMns4aqDI5pyd3kZUbXnbN6PWa8eHCVMdAgGA4wsQq8h4SAyLc
scoTrDbriHKLanKIxLHCFj4+dYyUACc8BZqKfh3pbWlyJIqDEKMto7faViLa
7C7Z4QbxnqJ+c92EtpbxtHsOqcPIHiikhYuzLNREKE/SI9MoWYRbxVrTfHUj
9hLrTBrIYZI5dx1PUwIbSai2HGEiHLFdUZEaXLu/eVyS46jAI+AROzy2OzB2
kRMF7TClGK0kWyfodPoTxmmpaD3AvTkf3MHK/MU7bOyXYq1uHzZGJ2y+BMFg
76VAUEeunwu6Sjrfk1RdBBOLuagWRqvsnNX6Kri959IDrBY1CUvQbNyU8cdg
MtcMl5uv7CQwOeL0Pm49UnxlFRJKeGGCGxEmarGJkcJ9uWYOzv9jfpTlh/Ah
NMSOS3Li6OXB7SmXwRD+A+pmidtwhs/UM7iCrSGz/xer1ZRPOemdMxYds1xU
aPFuQ40k/hhhPSeXiVdlXyVpcc73iXQTeNHBHoT9GcVt6nS8AnFIV7FxZji3
mfA/E50RqBerAb2QVIpP4hGwG0EwH7iD/T6kHaxEAgRH8+FjvuB7k2AdCYBJ
qbOsj+FOT3DdixPHRrLId0VcAF1DGAV8rtKPSsY+NhItuNNVkyUWAlrGeSfJ
5hlPWjzDXPWlIq7F7MF7JIAhOjLMxowfYW4a18ryAZhREwYj/jIaWoINGtAf
bARXjwfH+/GZV6MVh642oOvISomH7UJnvXCq6TQCD5MnWHovNIbJgUIQOhUb
9mlxKxxF3uLSadGxGSwey8VTFXKN1E3dEFlTWrTJBwByR3UI7urVFSfuaopR
Bs0hmqIt4mkFktiZhcGE4sDiMHUqNO3pfYlg2Flpaxs5MhD7rh27/8TqAOiJ
B707cqx76D8T+ZXXdFZL72zyiaskBRS/KZ0xHHOg1HUtb8d5SKY7SVKPTG2i
peBh/b2BISEIzE4+Z1w4UkbDjB/6cw0nycFnwjcsWTY9c0QZx8hHd70EverC
Ec4zd8z3YQ6UZLIzmjDYnzmCpdKHh2DjCj5bs3fg07EaVuslJU+Njm5JmGI0
cmJrfB/DSUVCb/kq4ygZPwuWm6F8TcAZ51VZvXXsaUHnQZmpnVTReZoS1sfi
6sxgMa1WI5lXwq6L9R+R5y5v36JGipJc7OIBDyd0EJ+olQRMvV1vMUyn723g
AaIXkAcCHnZ7lxF3O8LRiVe3KVylIufjPObFTQ6xG2x73PRChxLnCaQGgbAI
bkJhc77rHMI/9BYq9k8F7I6k9HQmSK7sdJu22C7rare2KhxZHZl24VJr4xd3
RD2rcA9jtpAsLM0wDPZVZOr3WVb8msLafsrT2DFdAWkSKy/mG6MEuipMeh69
9TawEKdMFzV1iq03HYibcO/yrelyYd8jdcNSwiwRhDJmioh4LDk3OMSj2cl9
NHzIgiCAflwooEFhcdgml1+hHUWsJykfcBqv9SxsdmgPeRBMkYtYGDtZu0ei
IDqIpyqSF3jqFLS9mLph7hqIh5XTo5N2I61oWTqt13nN59Xi3ioQXLWQsoYx
BMZV6hXqp65R8BzUMggpUskleYPL/okirBVouadyOGcQ0iL2fuXgPMwTlB8/
IPUkRbo5ThbKoKLM3+kRkcpZqxQf1vVilj07hOnH/oB6q3Au1O3wDz6RQ/+F
b9RKLbleHWFagGBTXM/Js1+2y2uFQpJgWCsnZUiGtfXQp+404NX1NicZdXmf
3pQGDXTwPNlB16lJ9R6G/GAeAp5muOMzND/Lzk5/OB2CxvAw8w+kCfTg8yw5
+Py1TzTxz+Mp7XRLYb3mIVHBQ1IeFLX0z3CXLXuATwv9px0YdZx3OpiJzg4a
J731WTYwTyHw4e4/gPOBbbxjfXDyk2dyHIs0/PbZQtOTLzC/ctY/xhbpU3Df
PmWfb1U0eKOz5xffwsZhjkDZHZqQOmyJfXiA6+qfz+7fzrzv8Vezauue9zpL
3qMz2PjeQ6Stq5peG0H5/49enLEb428tx0COv/KL3hm23pkbXUnq/eQ6LKgt
JnX9L3pJmew9r6nu2p4XfS0NX77FPrYVMC75v3r15DC0Z5LCkuxsokFc4lxU
CeX03BEPv0anRDJxVivh4NNHMK5rQtQ1mE9DniShf9WBx2Xan0cfXNRbPCEe
p8BioU0dUqy6p42pMP76L2aPcHV7QNhXcuTzb1jlCCq/b4U/dmIHLW3e/mcv
672P3Ws7gjtjA9bzVyyka+9w1318LUdJ1bWj5L/ZUj5nD0KeZ/Z+18eQ24kJ
VZ0Wn9Sg+9sFvV1clOO+E1kYhQkTziXjswC3FwH3tsU40S3CcZKao46B6hgl
Jl2YcZqzitPplKBh6CM9I/c9ey3IL8Q7sUc/VTAYBEPvj6stOrTF8g8HdMbK
gSLukd8SxOCdRRp8MYQftSCzEPhWU6eN9C9T1zv6nQGjNo7JfrrZ3eOTtInT
ju0uwhCmTQft+Aif3dsGpuW+caKF4I4kws70LdIxlouSyRc6ylfCEJR0unTF
26oOMR/n854MUr8irvI8MhthOjRlrdd2wEC0jNyjrgvIpY5IRZ5FelZNkGJn
P76C4VcMMMgQxJzy5NQbgmWYzU3OdI2eSx2D2PHTwZR9vUt6b9Y1F1YOhakK
QTr4Uje7a9DuxVEE06BAU8xUnFj70pAlH4uUq6bIEYpj51FarkloahtmHzVU
bkqkH4ZE+pSpzN1MKwG5UXRjxzMsYMkdkszCkPREx6yVLbirR4rw0rt77v2+
gwY3mJfLdlyYB/xUvEGs1W+1vb6m9M2efcnd/ESbSNOm6IA+yYEBI+xkbqMq
X9o5EZFWoYcfnwjhNHZG5FWLqp7jMG60T07f1RMgzmfZT/cek2yLriclO6+V
SlE8e2XXh3VGsgqZphPH64iMoLE0w1UcdH739e/IGJSdZ4gX4v3R3lCeiUly
MFeDEW9NpIzcdMl8f6qBKEdMvZiz7I+STI8hSpwpLH1W1yvrZ5N0FmgSjsel
dijdub4oxVPqADxeEKiHkGrkUaT8reR4QmVGJpyJe+XpH3NMUelcpHwgyGuy
RxxPM8IKgwUicyoa4O6mR79qiSg5brQFH4POmt+zSBOhB8NTKq5Bn2zMlLLA
Yv980k46S15mTi8zTjaQAiPtzIWYPRulhkGBgEisnJPcUpdGvZEk9zGl2mJa
p3eEgGAio6hXYy0c7SQ5r8kplMMegMkObZYN7tBdJz04p0eYBMqtz3eUoqZe
GynHoWNrmRcuHdBGd2pKzuNDsASmrVJ25+SQzmmPemXC6tYTXoulEwaGOmZ9
hNCeEkDc++HNnJDvC/pjkMhuC4d9S7RgkPIlGJZyLefekXeQdMLW3FFtkEtM
gK3rW93FI0dcQmS6k83LXUvwc+FDtCdiFjbwb8D21VSAKzvGMiceIrLjbTcr
fjcuZMYK57QnUat8x/0QpHXPJPVJxM0g+EwC+PHO7LTpiAmeHdQrxNRc2h/p
T+WQZrxjp43l8HFsdakYgRGxLnuIhrhZ3VFBW+CfULfjQbcLUbdl40qOE+MZ
iB1hitDsY2Ydbxvi+SbZ+auzb799ziojGCVhU8B0TrL1xffnwlsUc/siuq7G
y30l2inomx73dJC2d9zoIGThARZwixV227rJuebajawzh3SNSW+rKp+7m/Gu
Fd4d1PV1lzfLns+Dzpj9Qx4spk6VerQpV6vcrFmKByhMMlLOkX2GQ8ygu+gy
5uPLtZ7XgDUQrfVgGeRbGIAy/xIrtdSY9KxjNL2wAEg7gseLyxEALsLjfhhC
fri42lpVZALwWqMn5HBrEiuZjlSiH9GJa9OqYVwxl5U4qFI9kqOkyKVf1ptx
NhC19BD7tcwRJrUSdBqoEMEsOFKO4FoehGd1I73ACMVNqGB03g57zSy9FN1R
xjY33hjz79hEhCZEKK2utis7TjuKB+lQNk+uQyZ5LcFH5X2FNC4nn4peT+9p
VDRrRAvtJaFxyKvEuMMQtsQsPwtPvY8ngtkzFUT13/Zq8605egFZCxFRdEO5
kqEPjgIGu5JAeyB9BrXS0o+emZvRweh754/rVvCbfBP5voRhnK6cZS/yt71X
2bAFEKCLLJw4yBqmdtYomO5FIdnUUib361W3pdiLrg4G7FecHJLObq/bKC8Y
And8QDZBCVNigfsUSJrOUTrApuifFdImh4VgiK7OqCG2yAvE6eDYRrsXJnIw
G9M3RAw0NyLuO20E5Qumr68XZEeWgjxTxjRsHplj7XxnjLrMi0I4jZGTgvhc
OyuZUcBx7LlJ9eSJSIWhoCWUj8o3AsYioOAwGMdA2F9G3jKer2XUnTYsJAvG
L80ujkZUpC/s3gmKBglv8kZdAQZ0CuIrFrelsoZHGKzXOVJwgMS8dvQheRal
w53VaCtkqMmu4DVtqHkyEgJqzFUUf2N4111T86GLaFvp/OUcTQq6JQLODgiw
aBwdrGhnrGduIdwn5LK4pyoRuKmirJNbVy5UET1QQ8eyy6xxlgqs6rs9htM3
fBgtHh2BWLDjg+AlAoj4Dr7YTY2tfVs+zsrP6ah6HLRBhp7lGGuDLLDITsEH
OvpLTo3rMmgxF6wo0RGy55BsA17Okldtwe16EiARGQHPGiUb7eA340XT9TkR
N0ZXnIGmsPESRU+tiMjzKDA0NqitT0SzlRb3KDDQ6WnNJ/CSniP5pswWkj2D
A4kRHt9oXi9L3nikFzFzpOmWuOiwISsuHtzSQX7ZkvloJP4VW4zfFndRmJqU
9R4d7n7SBBN0CusbFyUtUOTp7aiZCaVxaiz6eXK8I3V3piFuj8UjtRSaR+1c
b2CaCMbQk5TPQe+Qe2GwPyA1xiSMZ+wUmuWxtZe6KMXjFnTl73qkRwxk4Ea/
FR4LIx6zP8uCYg07dMJCLSV8ZhCyQjJmUpgeDWF9YtSOWwmqPLALjKcG35OP
EOehSXTt+7kMlD6KZesdPqFuRsKzMMFjJxh0wyB+4nlDeK6QGTb4StOuKTfG
w2LxN9YTML0HM/6cewOOpcrzFLxc6dx48fSVFrLef6blg6n0EkzXi82ecsPp
Cn3vbSv51jPBrxDVo0C8SQsP8Ny4NE2ZXwuFFWUDb9jqMWFRg5heaTOTf+Ap
1q/OcEWumrrSWweutT9lvBnhx+pFvdIQCiYSXg59CNVgrfg8XPnqGWp+oDZR
0Ivd68eOsOxpP6S/cIywiEQ9CAGqCYCGSEZfjQdzklq6w05dT34bG9eIfvPH
FrvjLnNckn+UN5gt6vUlfOfpvbLDdC2O4KKbrtu0xw8fMtp85q5+aCuK9+k1
pFDfzj5O6yM8ozreWenHho+gG5/7UQy+RvnsrZT7PcinXVA315fZIQmI8rNm
fak6kiOn4sAH3IdZ0oLBZODJ2wUUIj2HoJ8QH7CCwQL9+7//e/ZLi6lTGNCB
Jf8OjrODT5n9AyRJPvjl7m37BuzMp171EC+Y4WP5elKTbzQ9+gaduTeczcE7
Ep65K96A4n7zy508cm9ZGq7AQ7zpR/3eFPjuX+DzLHtP/4u/oC+Sce+XCHoy
XTb6wvsv7L0v3UKPxOJzQvFGeD/69gP877+GD7g2ZKHd0X2ozW27n+PxZvdp
QCOdazXIEy0Yj2pR9zuMkuPTNt/DjX9CmhHNckFUIre9duocE0F3N/Vq5Cyc
z9sUBsBdumTiYQoxFSpHRl3UfBJUQQ+TMjsnm/eS1uupheSl2xa4xILt9Jur
LxaXE45iWvLHkKAiRW0T4RTltLGtNoxQ1g8I6/OPqOI05hc6uRQzNNiLIJog
FSItnyqdKFYHx+FTr3lo+OyHNj2yv7bLkaePPPA/qDIcvyBeqNtZHt53SP5z
XimJPnjHVcdy6bFveji+/Z2/hMITGcJ7WJhl/1r6wXHerfL2YJIdiOeIv/p6
9uVB9oGVUd7BJ4+//voR/4c+LN5t4odfyoe/dKRY8uvp4/yL+Zcy/EV1BZ/C
8395izc6ePTXxUvYTX/94efdbDaD0Pr0yRk8S/XGqyFn5R6GZc5otWN+IPsd
rnwUD0owMvsqccQ/b2McRahxKxVy4dpwurrLOAhhnOuZJL3vK1bL/sJ0fbEW
vZYgilBzJWdMdUz/Ivktbrd1dHOtO1jHE1Dg4GRTothN13iyCXiGr16Cw/+Q
PfvvLi5ePXw8exy+Axf4OEv3R3jKtanpxW6DJ97HzueH76Z3d3dTFMPptlmB
woMxLwMO6jj7ezc2i5hMlDkS+4cQyMV+g3zhfxhq7vA/8X//cL5ZvVu9/GPx
17/85ef5z+df/fTufH52yl++ERae5g8gPfCRbuM/0B77uy9P/+6Lb+G/ww2G
H+petutsfnlEeChIU8FNyqK7gv8jzBretMaxwv8n3cpkAOAy+Bzs+3QOIT+E
RYNb/6HY/dPN/E+L8mX5T9/++Lezxz+UZ20yeJXcj19CW+SC81SOcnJAO6/I
80Kp47hfJ0f6CTXK0gbFAQOLloS6viQrjYbK/GYYrpRZ71AP5+7nSo6Evtpl
AT/RYozo7FHl3nNXnTnRXw58+N9mAbAlRG5+IK5wO8Nksczl7K4pu+LAKU/+
j6nQ3zkV6r96/Hv5ilUm/+ejipNnZoE/Yfcwmc9fYYMTK/wbjdZ+S5n1hF5/
PjRZv8Fo9ebwE2YxZNEEffZZ7PuQMP6VcRjv1/EYVUmYHLemVtE042UNHKjh
o8Yklo/KOu/Zxcqpo3/juMb4IEg+WrWwFDXWNbkq5VAQFMTi0dCzhBJZimec
6zTYJoLVUlVBRwCxs81WE9/rcztOVsZEoXpCa2a1ZzzGZrvOK/BPp3CH6aqu
N1mCVrsizARXPrVFpz3C43O+H2t7TDTOTJb9kpoalLD/8uvLjI9qu/RbEcno
B8ygWK1dLY0fA5knKPPBeYQMU3/UwqqY5nw5ZQaNmrgHDi98st5oerF+WlDk
ImcojZCIakVBIqPOt25qNy2fes9Mp7GUa1ULVd19mtSUUPMEbgGyMYT599io
x44fpXfHl0BPAxsXeTVmR7A8r6nJkn4gJ9PW63y1EzJieqmG3BA6RhZX49Dk
ko7SQpE8ujymxFuzrUDOd/6QIRS8rlvR2RwG9CKuNA1H/PGPDB5g1SRHLyXY
UeuzFqeLR1iwfwL/h8rmYCTPQ7jLXluJC8ayQ25nweM3UBddZqB+jrLthvlE
uAP+ydePH88OQji7Si5dly32k94W0kfqNEdTcP+l7lxGMzmCauqyM9UisxYB
jFg0EyWSnLbmGNp0YWBZ8CElEvDbogx9ieBUBi4YT4muC9737ciyCHOHhxxI
a+p2PuVglNIA2eGpbiI6u/pov36VNlGhkKfS8nZOvcKHWiLjND71//ICYC00
Xx4FhhxiRQMW+m8MRGXEEIcKkWGSg3CbN162/PHjJ5d2KDbcCeR9haAD4gOO
PjhSbWiAoMXLQPwb5scfjqWtL8EU9W0pPbNXasou3++1iOCXbLueRfxi9ujg
w+XRjGnL7HTvmFenVaNS5Odt4vaNpD5CD/Lmix9J4EJ6IQYuGKEhDluOJlKu
s3a7EhIDfFxFbQiUakAx+P/WRzy4x8H7S3MOcvDPu7/+N/PqUBL/a7y6fTL8
Ua+uP3W9yfst09ebwN/sGP+KSbSsqrmmF7pByCOhAy4RywZ6/tjtb6+0DmlO
sSHpSFOC1Ejofij2jMwYWTE77xJ/SSlZwZ0G2shEu7XjVgYkBV22clCf2Umh
9dXzoqxk6I+eRC1xAz7hoeuJP5Guf6xsavM8OWDhMtlFlwpQVmXEtuXPoHVf
S6Vu3I68KJdTs5neZMnp4+hmujmh12IPA88i544Rd6S5JYPS44U1ucrl4KgK
tQwVqDZ1z8FnVAjFBo8ZyDceSu8x0oFpazT3oz8nZte0/GlOxLG6GcEc+YQt
QOlaqO1lop73EswlJZsnkWUgUO+MlnjpFB+E3zfbDdEzfJfLAY5SeJ0jlqef
QwtpJxAvhJWIuWZNTNdJTw81H1hTT4ikuLG7pzPfj0YJXvrrFCDAlAt6WmSt
4G/D7LBUlU088KJvBkkE/OFV3BnEwuMqV+6ceX24FS9C75x5s6hc5U7Pj7cO
qiNqZVPgzXfEarIbl/IHr799mj1/dnbx8jWCkgskbTRkNp1Byk6woEz4YFP2
0R7QRpo+epS9/4yZU3bwjz316gfZmXTeib6m8vjpAjnHwH2/Zgj1foeO8n+E
nH3byvFQ5SYX5tBO2ymp3o7L+yfCgBCfXtkuti0XQqjvKe1eSCgUEm5YjqOl
9Yma9RxaZhb+L233NwQl5AAA

-->

</rfc>
