<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-mcguinness-oauth-domain-authorized-issuer-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Domain-Authorized Issuer Trust Method">OAuth Domain-Authorized Issuer Trust Method</title>
    <seriesInfo name="Internet-Draft" value="draft-mcguinness-oauth-domain-authorized-issuer-00"/>
    <author initials="K." surname="McGuinness" fullname="Karl McGuinness">
      <organization>Independent</organization>
      <address>
        <email>public@karlmcguinness.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>OAuth</keyword>
    <keyword>JWT authorization grants</keyword>
    <keyword>identity assertion</keyword>
    <keyword>issuer discovery</keyword>
    <keyword>DNS authority</keyword>
    <abstract>
      <?line 68?>

<t>This document defines the Domain-Authorized Issuer (DAI) Trust
Method: a <tt>subject_namespace_authorization</tt> Trust Method for the
OAuth Identity Assertion Trust Framework in which the owner of a
subject namespace (typically a DNS domain) publishes a policy
listing the OAuth authorization servers it authorizes to assert
identities in that namespace. The mechanism uses the DNS-based
authority-publication pattern operators already deploy for CAA,
MTA-STS, SPF, and DKIM. A Resource Authorization Server uses the
published policy to verify that an identity assertion's issuer is
authorized for the asserted subject namespace.</t>
      <t>The lookup defined by this document is verifier-side: given an
identity assertion in hand, the Resource Authorization Server
locates the Subject Authority's issuer authorization policy.
Client-side discovery of which Assertion Issuer to use before an
assertion exists is a separate use case and is deferred to future
work.</t>
      <t>This document also defines the Issuer Authorization Policy wire
format that the Trust Method consumes. The parent trust framework
specification owns the generic Trust Policy document, Trust Method
category structure, cross-category combination rule, and Subject
Authority Determination concept.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Web Authorization Protocol Working Group mailing list (oauth@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/mcguinness/draft-mcguinness-oauth-id-assertion-framework"/>.</t>
    </note>
  </front>
  <middle>
    <?line 94?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>OAuth deployments using identity-assertion grants (e.g., ID-JAG, or
generic JWT-bearer assertions carrying an identity claim; see
<xref target="TRUST-FRAMEWORK"/>) need to answer "is this Assertion Issuer
authorized to assert about subjects in this namespace?". An issuer authenticated by federation
membership is not, by that membership alone, entitled to assert
about subjects in any particular namespace; the namespace owner is
the only authoritative source of that delegation.</t>
      <t>The Domain-Authorized Issuer (DAI) Trust Method lets the owner of a
DNS-namable subject namespace publish, in DNS, the set of Assertion
Issuers it authorizes for its namespace. The DNS record can carry
the authorized issuers inline (for simple deployments) or point at
an HTTPS-hosted JSON document containing richer policy (validity
windows, format restrictions, tenant binding, multiple issuers).
Authority is established by control of the publication channel:
whoever can publish at <tt>_oauth-issuer-policy.{domain}</tt> is itself
the Subject Authority for <tt>{domain}</tt>. The pattern follows CAA
<xref target="RFC8659"/>, MTA-STS <xref target="RFC8461"/>, SPF, and DKIM
(<xref target="dns-authority-patterns"/>).</t>
      <t>DAI is consumed by Resource Authorization Servers at assertion
verification time: given an identity assertion, the RAS uses the
Subject Authority's published policy to decide whether the
asserting issuer is authorized for the subject's namespace.</t>
      <t>DAI is non-transitive by design. The Issuer Authorization Policy is
a flat list of Assertion Issuer identifiers; a Subject Authority
that wants to authorize an Assertion Issuer publishes its identifier
directly. The depth-1 bound and its security implications are
covered in <xref target="TRUST-FRAMEWORK"/> §Open-World Delegation and Bounded
Transitivity and §Transitive Authorization is Bounded.</t>
      <t>DAI is also independent of OpenID Federation: a Subject Authority
can publish DAI records and a Resource Authorization Server can
evaluate them without any federation infrastructure.</t>
      <section anchor="relationships">
        <name>Relationships</name>
        <t>DAI is a concrete profile of <xref target="TRUST-FRAMEWORK"/> for OAuth
identity assertions: the Subject Authority is the Authority
Holder; the Issuer Authorization Policy is the Delegation
Artifact; the DNS record (or DNS pointer plus HTTPS document) is
one publication channel; the Assertion Issuer is the Delegate.
Lookup state classification and fail-closed requirements follow
<xref target="TRUST-FRAMEWORK"/> §Lookup States and Fail-Closed.</t>
        <t>DAI extends <xref target="TRUST-FRAMEWORK"/>, which owns the Trust Policy
document format, Trust Method machinery, Subject Authority
Determination, and OAuth grant-profile bindings. This document
defines the Issuer Authorization Policy document
(<xref target="dii-document"/>), the DNS and HTTPS publication channels
(<xref target="publication-profiles"/>), the lookup procedure (<xref target="dii-lookup"/>),
the verification rules (<xref target="dii-verification"/>), the
<tt>domain_authorized_issuer</tt> Trust Method, and an HTTPS-only
deployment variant (<xref target="trust-method-https-authorized-issuer"/>).
A bridge to the Email Verification Protocol's DNS records and a
client-side discovery use case are sketched as future extensions
in <xref target="future-extensions"/>.</t>
      </section>
      <section anchor="conventions">
        <name>Conventions</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

</section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>This document uses terminology from <xref target="TRUST-FRAMEWORK"/>: Resource
Authorization Server, Assertion Issuer, Subject Authority, Trust
Policy, Issuer Authorization Policy, Authority Holder, Delegate,
Delegation Artifact, and Validator. Subject Identifier formats
follow <xref target="RFC9493"/>.</t>
      <t>One term is specific to this document:</t>
      <dl>
        <dt>Domain-Authorized Issuer (DAI):</dt>
        <dd>
          <t>The Trust Method defined by this document, in which a Subject
Authority publishes, over DNS and HTTPS, the set of Assertion
Issuers it authorizes for its namespace.</t>
        </dd>
      </dl>
    </section>
    <section anchor="dii-document">
      <name>Issuer Authorization Policy Document</name>
      <t>The Issuer Authorization Policy is a Delegation Artifact: a Subject
Authority (Authority Holder for a subject namespace) uses it to
delegate the right to assert identities in its namespace to one or
more named Assertion Issuers. Each <tt>authorized_issuers</tt> entry is a
delegation; <tt>valid_from</tt> and <tt>valid_until</tt> bound the delegation in
time; <tt>tenant</tt> constrains the delegation to a specific tenant of a
shared issuer; <tt>subject_identifier_formats</tt> constrains the
delegation to specific Subject Identifier formats. The verification
procedure (<xref target="dii-verification"/>) validates whether a given identity
assertion is covered by a current delegation; absent a matching
delegation, the Assertion Issuer is not authorized for the asserted
namespace regardless of any other property of the assertion.</t>
      <t>The Issuer Authorization Policy is a JSON object served over HTTPS.
Publishers <bcp14>MUST</bcp14> serve it with media type <tt>application/json</tt>;
consumers additionally accept any media type using the structured
<tt>+json</tt> suffix (<xref target="dii-failures"/>). It has the following members:</t>
      <dl>
        <dt><tt>subject_authority</tt></dt>
        <dd>
          <t><bcp14>REQUIRED</bcp14>. String. The Subject Authority identifier this policy
applies to. For DNS-domain Subject Authorities the publisher <bcp14>MUST</bcp14>
write this value in A-label (ASCII) form per <xref target="RFC5891"/>, mirroring
the <tt>authority=</tt> directive (<xref target="dii-dns-record"/>). Consumers <bcp14>MUST</bcp14>
verify this value matches the Subject Authority computed in
<xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination after applying
the comparison rules for that Subject Authority form.</t>
        </dd>
        <dt><tt>authorized_issuers</tt></dt>
        <dd>
          <t><bcp14>REQUIRED</bcp14>. JSON array of authorized issuer objects, which <bcp14>MAY</bcp14> be
empty. An empty array is an explicit denial: the Subject Authority
authoritatively authorizes no issuer. The retrieval of such a policy
is Affirmative (<xref target="dii-failures"/>); the denial takes effect at
verification, where no entry can match (<xref target="dii-verification"/>),
subject to <tt>mode</tt>. Consumers <bcp14>MUST NOT</bcp14> fall through to any other
channel on encountering a denial. Each object has:
</t>
          <dl>
            <dt><tt>issuer</tt></dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>. String. The Assertion Issuer identifier. For OAuth
authorization server issuer identifiers, this value <bcp14>MUST</bcp14> be an
absolute HTTPS URL with no fragment component. The URL <bcp14>MAY</bcp14> contain a
path component. No normalization is applied before comparison: the
value and the JWT <tt>iss</tt> claim are compared by exact case-sensitive
string equality (octet-for-octet), consistent with <xref target="RFC8414"/>
issuer-identifier comparison. Consequently <tt>https://a</tt> and
<tt>https://a/</tt> are distinct issuers, and no trailing-slash or
percent-encoding normalization is performed. Query components are
<bcp14>NOT RECOMMENDED</bcp14> because many issuer metadata profiles do not use
them. Issuer identifiers whose string form contains a <tt>;</tt> cannot be
expressed in the inline DNS form (<xref target="dii-dns-record"/>) and <bcp14>MUST</bcp14> be
published via the HTTPS document instead.</t>
            </dd>
            <dt><tt>tenant</tt></dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>. Non-empty string. The issuer-side tenant identifier
authorized for this Subject Authority, corresponding to a top-level
<tt>tenant</tt> claim carried by the assertion (in ID-JAG, <xref target="ID-JAG"/> §6.1).
When present, the assertion's top-level <tt>tenant</tt> claim <bcp14>MUST</bcp14> be
present and <bcp14>MUST</bcp14> exactly match this value using case-sensitive
string comparison; an assertion that lacks the <tt>tenant</tt> claim or
carries a different value does not match this entry. When absent,
no tenant constraint applies. Grant profiles that do not carry a
<tt>tenant</tt> claim (e.g., the generic JWT-bearer grant of <xref target="RFC7523"/>)
match only entries that omit <tt>tenant</tt>. Tenant values are
issuer-specific and <bcp14>MUST NOT</bcp14> be compared across issuers. To
authorize multiple tenants of the same shared issuer, publish one
entry per (issuer, tenant) pair. Guidance for shared-issuer
multi-tenant Identity Providers is in <xref target="dii-multi-tenant"/>.</t>
            </dd>
            <dt><tt>subject_identifier_formats</tt></dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>. JSON array of Subject Identifier format names
(<xref target="RFC9493"/>) this Assertion Issuer is authorized for. If omitted,
the Assertion Issuer is authorized for any format that resolves to
this Subject Authority.</t>
            </dd>
            <dt><tt>valid_from</tt></dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>. <xref target="RFC3339"/> date-time. The delegation <bcp14>MUST NOT</bcp14> be treated
as valid before this time. A consumer <bcp14>MAY</bcp14> apply a small clock-skew
tolerance (≤5 minutes), consistent with JWT <tt>nbf</tt> conventions
(<xref target="RFC7519"/> Section 4.1.5). This tolerance applies only to
<tt>valid_from</tt>; it <bcp14>MUST NOT</bcp14> be applied to <tt>valid_until</tt> to extend a
delegation past its stated end.</t>
            </dd>
            <dt><tt>valid_until</tt></dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>. <xref target="RFC3339"/> date-time. The delegation <bcp14>MUST NOT</bcp14> be treated
as valid at or after this time. No clock-skew tolerance is permitted
on this bound.</t>
            </dd>
          </dl>
        </dd>
        <dt><tt>mode</tt></dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. String, either <tt>enforce</tt> or <tt>monitor</tt>; default <tt>enforce</tt>
when absent. In monitor mode the policy is provisional: consumers
evaluate it and log the outcome but do not reject assertions on the
basis of a mismatch (<xref target="monitor-mode"/>). A policy whose <tt>mode</tt> value
is any other string is malformed; an unrecognized future mode <bcp14>MUST
NOT</bcp14> be silently treated as either defined value.</t>
        </dd>
        <dt><tt>last_updated</tt></dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. <xref target="RFC3339"/> date-time at which the policy was last published.</t>
        </dd>
        <dt><tt>signed_policy</tt></dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. Signed JWT containing policy members as claims, using the
representation defined in <xref target="TRUST-FRAMEWORK"/> §Signed Policy Metadata. This member
follows the signed metadata pattern used by <xref target="RFC8414"/> and
<xref target="RFC9728"/>.
Its presence does not by itself require all consumers to support
signed policy processing; consumers apply the requirements in
<xref target="TRUST-FRAMEWORK"/> §Signed Policy Metadata and any local policy
that requires object-level integrity. A Subject Authority that needs
to force signature processing lists <tt>signed_policy</tt> in <tt>crit</tt>.
Per the key-resolution requirement of <xref target="TRUST-FRAMEWORK"/> §Signed
Policy Metadata, the verification key for this profile <bcp14>MUST</bcp14> be
resolved through one of: a key published under DNSSEC-signed
records for the Subject Authority, or a key configured out of
band at the consumer. Both channels are independent of the
DNS/HTTPS path that carries the policy document; the trust
assumption is, respectively, DNSSEC validation to the Subject
Authority's zone, or the consumer's own key-provisioning process.
This document does not define a DNS record format for key
publication; deployments using the DNSSEC-published-key option do
so via a mechanism agreed with their consumers until one is
standardized.</t>
        </dd>
        <dt><tt>crit</tt></dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. Array of member names a consumer <bcp14>MUST</bcp14> understand to process
the policy safely, as defined in <xref target="TRUST-FRAMEWORK"/> §Critical
Members. A consumer that fails to recognize, or does not implement
processing for, one or more listed members <bcp14>MUST</bcp14> treat the policy as
malformed.</t>
        </dd>
      </dl>
      <t>Consumers <bcp14>MUST</bcp14> ignore unrecognized members, except those named in
<tt>crit</tt>. A document containing duplicate member names (at the top level
or within an <tt>authorized_issuers</tt> entry object) is malformed and <bcp14>MUST</bcp14>
be rejected. The following validation rules apply; a policy failing
any of them is malformed:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Member</th>
            <th align="left">Required type / structure</th>
            <th align="left">Additional rule</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">
              <tt>subject_authority</tt></td>
            <td align="left">string, required</td>
            <td align="left">matches the computed Subject Authority</td>
          </tr>
          <tr>
            <td align="left">
              <tt>authorized_issuers</tt></td>
            <td align="left">array of objects, required (<bcp14>MAY</bcp14> be empty for explicit denial)</td>
            <td align="left">each element has <tt>issuer</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>issuer</tt></td>
            <td align="left">string, required</td>
            <td align="left">syntactically valid issuer identifier for the applicable grant profile</td>
          </tr>
          <tr>
            <td align="left">
              <tt>tenant</tt></td>
            <td align="left">string, optional</td>
            <td align="left">non-empty (see member definition)</td>
          </tr>
          <tr>
            <td align="left">
              <tt>subject_identifier_formats</tt></td>
            <td align="left">array of strings, optional</td>
            <td align="left"> </td>
          </tr>
          <tr>
            <td align="left">
              <tt>valid_from</tt>, <tt>valid_until</tt>, <tt>last_updated</tt></td>
            <td align="left">
              <xref target="RFC3339"/> date-time, optional</td>
            <td align="left"> </td>
          </tr>
          <tr>
            <td align="left">
              <tt>mode</tt></td>
            <td align="left">string, optional</td>
            <td align="left">exactly <tt>enforce</tt> or <tt>monitor</tt>; any other value is malformed</td>
          </tr>
          <tr>
            <td align="left">
              <tt>signed_policy</tt></td>
            <td align="left">string, optional</td>
            <td align="left">signed JWT as defined in <xref target="TRUST-FRAMEWORK"/> §Signed Policy Metadata</td>
          </tr>
          <tr>
            <td align="left">
              <tt>crit</tt></td>
            <td align="left">array of strings, optional</td>
            <td align="left">non-empty; every listed member recognized and implemented, else malformed (<xref target="TRUST-FRAMEWORK"/> §Critical Members)</td>
          </tr>
        </tbody>
      </table>
      <t>For OAuth authorization server issuer identifiers, a non-HTTPS URL,
a relative URL, or a URL with a fragment component is a malformed
<tt>issuer</tt> value.</t>
      <t>Example:</t>
      <sourcecode type="json"><![CDATA[
{
  "subject_authority": "example.com",
  "authorized_issuers": [
    {
      "issuer": "https://idp.example.com",
      "subject_identifier_formats": ["email"],
      "valid_until": "2027-01-01T00:00:00Z"
    },
    {
      "issuer": "https://accounts.shared.example",
      "tenant": "example.com",
      "subject_identifier_formats": ["email"]
    }
  ],
  "last_updated": "2026-05-01T00:00:00Z"
}
]]></sourcecode>
    </section>
    <section anchor="publication">
      <name>Publication</name>
      <t>A Subject Authority publishes the Issuer Authorization Policy
through one of the publication channels defined in
<xref target="publication-profiles"/>. Throughout this document, <tt>{A}</tt> denotes
the Subject Authority rendered as a DNS name (A-label form,
<xref target="dii-dns-record"/>). DNS publication uses the TXT record at
<tt>_oauth-issuer-policy.{A}</tt>, following the pattern of CAA, MTA-STS,
SPF, and DKIM (<xref target="dns-authority-patterns"/>). HTTPS publication uses
the default well-known URL on the Subject Authority's own host.</t>
      <section anchor="publication-profiles">
        <name>Publication Channels</name>
        <t>This document defines three publication channels. A Subject
Authority chooses based on operational constraints; all produce
semantically equivalent policy validated by the same lookup procedure
(<xref target="dii-lookup"/>). The canonical lookup procedure consults DNS first
and uses the HTTPS well-known channel only when DNS authoritatively
indicates absence.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Channel</th>
              <th align="left">DNS form</th>
              <th align="left">Document</th>
              <th align="left">Authority binding</th>
              <th align="left">When to use</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">1: DNS-Inline</td>
              <td align="left">TXT with <tt>issuer=</tt> (<xref target="dii-dns-record"/>)</td>
              <td align="left">None (carried in TXT)</td>
              <td align="left">DNS control of <tt>{A}</tt></td>
              <td align="left">Common case: authorize an issuer for a namespace with no rich policy</td>
            </tr>
            <tr>
              <td align="left">2: Authority-Hosted HTTPS</td>
              <td align="left">TXT with <tt>uri=</tt></td>
              <td align="left">HTTPS-hosted JSON under Subject Authority's operational control</td>
              <td align="left">DNS control of <tt>{A}</tt> AND TLS on the authority-operated host</td>
              <td align="left">Rich policy (validity windows, format restrictions, tenant binding) at a controlled origin</td>
            </tr>
            <tr>
              <td align="left">3: Default HTTPS Well-Known</td>
              <td align="left">No DNS record</td>
              <td align="left">HTTPS-hosted JSON at <tt>https://{A}/.well-known/oauth-issuer-policy</tt></td>
              <td align="left">TLS on <tt>{A}</tt></td>
              <td align="left">Subject Authority has well-known HTTPS infrastructure but no DAI DNS record</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="default-https-well-known-url">
        <name>Default HTTPS Well-Known URL</name>
        <t>A Subject Authority <bcp14>MAY</bcp14> publish a JSON document at the default
HTTPS well-known URL on its own host (<xref target="dii-https-url"/>), either
as the sole publication (Channel 3) or alongside a DNS record. A
Subject Authority with no DAI DNS record relies on the natural
<tt>negative-authoritative</tt> DNS response to bring consumers to the
well-known URL (<xref target="dii-lookup"/>).</t>
        <t>Operators are encouraged to publish the DNS record where
practical because it matches the operational model of the
prior-art mechanisms in <xref target="dns-authority-patterns"/> and because
consumer lookup behavior is DNS-first.</t>
      </section>
      <section anchor="dii-dns-record">
        <name>DNS Record</name>
        <t>The Subject Authority publishes one or more DNS TXT records at
<tt>_oauth-issuer-policy.{A}</tt>, where <tt>{A}</tt> is the Subject
Authority rendered as a DNS name. Internationalized names are converted
to A-labels per <xref target="RFC5891"/> before the prefix is prepended. DNS lookup
names are formed without a trailing dot for comparison purposes; the
wire-format root label is not part of the Subject Authority value.</t>
        <t>The string segments of a TXT record (<xref target="RFC1035"/>) are concatenated
without separator and interpreted as ASCII text (a record containing
a non-ASCII octet is malformed, since all defined directive values
are ASCII by construction).</t>
        <t>A record is <em>recognized</em> if the version token <tt>v=oauth-issuer-policy1</tt>
(case-sensitive) appears at the start, terminated by end of record, by
optional whitespace, or by a <tt>;</tt> separator; leading whitespace before
the token is permitted. The version token matches only that exact
string: a different token (for example, a future
<tt>v=oauth-issuer-policy2</tt>) is not recognized, so the record is treated
as unrecognized (not malformed) and is ignored by the recognition
rule. Records that do not begin with a supported version token <bcp14>MUST</bcp14> be
ignored. A <tt>v=</tt> directive appearing anywhere other than the start of
a recognized record makes the record malformed (<xref target="dii-failures"/>).</t>
        <t>The remainder of a recognized record is a sequence of <tt>name=value</tt>
directives separated by <tt>;</tt>. Parsing rules:</t>
        <ul spacing="normal">
          <li>
            <t>Whitespace (space and horizontal tab) immediately before and after
each directive is ignored. A value <bcp14>MUST NOT</bcp14> contain whitespace or
non-ASCII characters; the directive values defined here (domain
names in A-label form and absolute HTTPS URLs) are ASCII by
construction.</t>
          </li>
          <li>
            <t>Directive names are case-insensitive ASCII. Values are
case-sensitive and preserved as written.</t>
          </li>
          <li>
            <t>A directive splits into name and value at the first <tt>=</tt>. Subsequent
<tt>=</tt> characters are part of the value.</t>
          </li>
          <li>
            <t>The value runs to the next <tt>;</tt> or end of record. The character <tt>;</tt>
              <bcp14>MUST NOT</bcp14> appear in a value (see the issuer-identifier constraint in
<xref target="dii-document"/>).</t>
          </li>
          <li>
            <t>CR, LF, and NUL <bcp14>MUST NOT</bcp14> appear in a value.</t>
          </li>
          <li>
            <t>An empty directive (two consecutive <tt>;</tt> separators with no
intervening <tt>name=value</tt>) makes the record malformed
(<xref target="dii-failures"/>).</t>
          </li>
          <li>
            <t>Unrecognized directives <bcp14>MUST</bcp14> be ignored.</t>
          </li>
        </ul>
        <t>The parsing rules above are summarized in the following ABNF
(<xref target="RFC5234"/> with the case-sensitive string extension of <xref target="RFC7405"/>)
for implementer convenience; the prose above is normative if any
disagreement exists.</t>
        <sourcecode type="abnf"><![CDATA[
record        = OWS version OWS *( ";" directive ) [ ";" OWS ]
version       = %s"v=oauth-issuer-policy1"
directive     = OWS name "=" value OWS
name          = 1*( ALPHA / DIGIT / "_" / "-" )
value         = *vchar-no-semi
vchar-no-semi = %x21-3A / %x3C-7E   ; VCHAR (%x21-7E) minus ";"
OWS           = *( SP / HTAB )
]]></sourcecode>
        <t>The following directives are defined:</t>
        <dl>
          <dt><tt>authority=A</tt></dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14>. The Subject Authority identifier this record claims to
bind. The publisher <bcp14>MUST</bcp14> write this value in A-label (ASCII) form
per <xref target="RFC5891"/>; consumers compare it against the Subject Authority
computed from the query name (also in A-label form) using the
case-insensitive ASCII comparison rules in <xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination.
Records whose <tt>authority=</tt> value does not match are discarded (see
the lookup procedure in <xref target="dii-lookup"/>). A recognized record
containing more than one <tt>authority=</tt> directive is malformed
(<xref target="dii-failures"/>).</t>
          </dd>
          <dt><tt>uri=URL</tt></dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. An HTTPS URL identifying an Issuer Authorization Policy
document. The URL <bcp14>MAY</bcp14> be on a different host than <tt>A</tt>. <bcp14>MUST</bcp14> use the
<tt>https://</tt> scheme and <bcp14>MUST NOT</bcp14> contain a fragment component.</t>
          </dd>
          <dt><tt>issuer=ISSUER_URL</tt></dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. An Assertion Issuer identifier authorized by the Subject
Authority for <tt>A</tt>. For OAuth authorization server issuer identifiers,
the value <bcp14>MUST</bcp14> be an absolute HTTPS URL and <bcp14>MUST NOT</bcp14> contain a
fragment component. <bcp14>MAY</bcp14> appear multiple times within a record and
across records.</t>
          </dd>
          <dt><tt>mode=MODE</tt></dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. Either <tt>enforce</tt> or <tt>monitor</tt>; default <tt>enforce</tt> when
absent (<xref target="monitor-mode"/>). At most one <tt>mode=</tt> directive per record;
a second is malformed. If any remaining record after <tt>authority=</tt>
filtering carries <tt>mode=</tt>, all remaining records <bcp14>MUST</bcp14> carry <tt>mode=</tt>
with the same value; a mix of differing or partially present <tt>mode=</tt>
directives across records is malformed. A <tt>mode=</tt> value other than
the two defined values is malformed.</t>
          </dd>
        </dl>
        <t>A recognized record <bcp14>MUST</bcp14> contain at least one <tt>uri=</tt> directive or at
least one <tt>issuer=</tt> directive. Recognized records containing neither
<bcp14>MUST</bcp14> be treated as malformed (see <xref target="dii-failures"/>).</t>
        <t>A Subject Authority <bcp14>MUST</bcp14> publish records for at most one version of
this mechanism at a time. This document defines only
<tt>oauth-issuer-policy1</tt>. Future versions that are not
understood by a consumer are ignored by the recognition rule above.</t>
      </section>
      <section anchor="dii-https-url">
        <name>HTTPS Document URL</name>
        <t>The default Issuer Authorization Policy URL is:</t>
        <artwork><![CDATA[
https://{A}/.well-known/oauth-issuer-policy
]]></artwork>
        <t>where <tt>{A}</tt> is the Subject Authority value rendered as a host (A-label
form for internationalized names). The URL uses the <tt>https</tt> scheme,
the host <tt>{A}</tt>, the default HTTPS port (443), and the well-known path
<xref target="RFC8615"/>; it has no userinfo, port, query, or fragment component. A
Subject Authority whose form has no host representation (none is
defined in this document beyond the <tt>email</tt>-derived DNS domain) cannot
use the default well-known channel. Consumers fetch this URL with an
HTTP GET over HTTPS with TLS server authentication and interpret the
response body as the JSON document defined in <xref target="dii-document"/>.</t>
        <t>A URL obtained from a DNS <tt>uri=</tt> directive is fetched the same way;
the host serving the URL is responsible for TLS server authentication
of itself, not of <tt>A</tt>.</t>
        <t>For every policy fetch defined here (the default well-known URL, a
<tt>uri=</tt> target, and the HTTPS-only mode of
<xref target="trust-method-https-authorized-issuer"/>), and for any redirect
followed from one, the consumer <bcp14>MUST NOT</bcp14> connect to a host that
resolves to a non-globally-routable address; see <xref target="dos-ssrf"/>.</t>
        <t>HTTP redirect handling is fixed so that two consumers reach the same
outcome and so that a redirect cannot silently move the authority
anchor to a host the Subject Authority does not control:</t>
        <ul spacing="normal">
          <li>
            <t>Consumers <bcp14>MUST</bcp14> follow HTTPS redirects up to a limit of 5 hops; a
request that would exceed 5 hops, or that loops, is classified as
Indeterminate (<xref target="dii-failures"/>).</t>
          </li>
          <li>
            <t>Every redirect target <bcp14>MUST</bcp14> use the <tt>https</tt> scheme and <bcp14>MUST NOT</bcp14>
contain a fragment component.</t>
          </li>
          <li>
            <t>Every redirect target <bcp14>MUST</bcp14> remain within the same registrable
domain as the initial fetch host (the Subject Authority <tt>{A}</tt> for
the default well-known channel; the <tt>uri=</tt> pointer's host for the
pointer channel), where the registrable domain is computed with
the Public Suffix List algorithm of <xref target="TRUST-FRAMEWORK"/> §Subject
Authority Determination (ICANN and PRIVATE divisions) applied to
the A-label host. A redirect to a different registrable domain
<bcp14>MUST NOT</bcp14> be followed and is classified as Indeterminate;
cross-registrable-domain policy hosting is expressed only through
the <tt>uri=</tt> pointer, where the delegation is published in DNS and
visible to the Subject Authority.</t>
          </li>
          <li>
            <t>The final response <bcp14>MUST</bcp14> have HTTP status 200 and a media type of
<tt>application/json</tt> or any media type using the structured <tt>+json</tt>
suffix (media type parameters ignored); any other final status is
classified per <xref target="dii-failures"/>.</t>
          </li>
        </ul>
      </section>
      <section anchor="https-policy-document-contract">
        <name>HTTPS Policy Document Contract</name>
        <t>The document retrieved from either the default well-known URL or a
DNS <tt>uri=</tt> pointer is the Issuer Authorization Policy defined in
<xref target="dii-document"/>; consumers <bcp14>MUST NOT</bcp14> interpret any other JSON shape
as an Issuer Authorization Policy. Consumers <bcp14>MUST</bcp14> validate the
complete policy as a unit; a malformed entry makes the whole policy
malformed, not just the offending entry.</t>
        <t>Bounds (a response exceeding any bound is classified per
<xref target="dii-failures"/>): consumers <bcp14>MUST</bcp14> accept a policy document of at least
64 KiB and <bcp14>MAY</bcp14> reject one larger; publishers <bcp14>MUST</bcp14> keep the document
within 64 KiB. Consumers <bcp14>MUST</bcp14> accept at least 100 <tt>authorized_issuers</tt>
entries and <bcp14>MAY</bcp14> reject more. Consumers <bcp14>SHOULD</bcp14> apply an overall fetch
timeout and <bcp14>SHOULD</bcp14> limit JSON nesting depth (the defined document has a
fixed shallow structure). Consumers <bcp14>SHOULD</bcp14> send a conditional request
(for example, <tt>If-None-Match</tt>) when they hold a cached policy, treating
a 304 response per <xref target="dii-failures"/>.</t>
        <t>The document's shape and members are defined, with an example, in
<xref target="dii-document"/>.</t>
      </section>
    </section>
    <section anchor="dii-lookup">
      <name>Lookup Procedure</name>
      <t>To retrieve the Issuer Authorization Policy for a Subject Authority <tt>A</tt>,
a Resource Authorization Server performs the following steps. The
procedure consults DNS first and falls back to the HTTPS well-known
URL only on <tt>negative-authoritative</tt> outcomes.</t>
      <t>DNS at <tt>_oauth-issuer-policy.{A}</tt> and HTTPS at the default well-known
URL are two publication channels of the same Subject Authority.
Consulting HTTPS after DNS returns <tt>negative-authoritative</tt> is NOT an
Authority Source fallback in the sense forbidden by
<xref target="TRUST-FRAMEWORK"/> §Lookup States and Fail-Closed; the
abstract Negative state is reached only when both channels return
absence (<xref target="dii-failures"/>). The abstract no-fallback rule continues
to forbid falling through to a DIFFERENT Subject Authority's policy.</t>
      <t>This is the canonical procedure used by the
<tt>domain_authorized_issuer</tt> Trust Method. The HTTPS-only lookup mode
defined in <xref target="trust-method-https-authorized-issuer"/> skips DNS
entirely and retrieves only from the HTTPS well-known URL.</t>
      <ol spacing="normal" type="1"><li>
          <t>Query the DNS TXT resource record set at
<tt>_oauth-issuer-policy.{A}</tt>. Classify the response as:  </t>
          <dl>
            <dt><tt>negative-authoritative</tt></dt>
            <dd>
              <t>NXDOMAIN, or NOERROR with an empty answer section or with no
recognized records after parsing.</t>
            </dd>
            <dt><tt>indeterminate</tt></dt>
            <dd>
              <t>SERVFAIL, REFUSED, timeout, truncation with no successful retry,
or any other failure that prevents a definitive negative result.</t>
            </dd>
            <dt><tt>affirmative</tt></dt>
            <dd>
              <t>NOERROR with at least one recognized record after parsing.</t>
            </dd>
          </dl>
        </li>
        <li>
          <t>If the DNS response is <tt>affirmative</tt>:  </t>
          <t>
a. Discard recognized records whose <tt>authority=</tt> directive does
   not match <tt>A</tt> under the Subject Authority comparison rules in
   <xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination. If any recognized record is missing an
   <tt>authority=</tt> directive, treat the response as <tt>malformed</tt>. If
   all recognized records are discarded because of <tt>authority=</tt>
   mismatch, treat the response as <tt>malformed</tt>. (A <tt>malformed</tt>
   outcome is classified as Indeterminate, <xref target="dii-failures"/>.)  </t>
          <t>
Before continuing, validate the remaining recognized records
   against the directive rules in <xref target="dii-dns-record"/>. This includes
   rejecting malformed <tt>uri=</tt> or <tt>issuer=</tt> values, and records with
   neither <tt>uri=</tt> nor <tt>issuer=</tt>. Any such condition is a <tt>malformed</tt>
   outcome.  </t>
          <t>
b. If any remaining record contains a <tt>uri=</tt> directive:  </t>
          <ul spacing="normal">
            <li>
              <t>If more than one distinct <tt>uri=</tt> value is present across the
remaining records, treat as <tt>malformed</tt>.</t>
            </li>
            <li>
              <t>Otherwise fetch the JSON policy from that URL per
<xref target="dii-https-url"/>. The fetched document is the Issuer
Authorization Policy, including its <tt>mode</tt>. All <tt>issuer=</tt>
and <tt>mode=</tt> directives across all records are ignored:
their values do not contribute to the policy, but the
directive-validity rules of <xref target="dii-dns-record"/> (including
<tt>mode=</tt> consistency) were already applied in step 2a, so a
record set malformed under those rules never reaches this
step.</t>
            </li>
          </ul>
          <t>
c. Otherwise (no <tt>uri=</tt> present), construct a virtual Issuer
   Authorization Policy with <tt>subject_authority</tt> set to <tt>A</tt> and
   one entry in <tt>authorized_issuers</tt> for each distinct <tt>issuer=</tt>
   value across the remaining records. Entry order carries no
   semantics (<xref target="dii-verification"/>); the deduplicated values form
   a set. The virtual policy's <tt>mode</tt> is the common <tt>mode=</tt> value
   of the remaining records, or <tt>enforce</tt> when none carries
   <tt>mode=</tt> (<xref target="dii-dns-record"/>). Entries have no <tt>tenant</tt>,
   <tt>subject_identifier_formats</tt>, <tt>valid_from</tt>, or <tt>valid_until</tt>.
   The virtual policy is processed identically to one fetched over
   HTTPS, except that its cache lifetime is derived from DNS TTLs
   as described in <xref target="dii-caching"/>.</t>
        </li>
        <li>
          <t>If the DNS response is <tt>negative-authoritative</tt>, fetch the policy
from the default HTTPS well-known URL per <xref target="dii-https-url"/>.</t>
        </li>
        <li>
          <t>If the DNS response is <tt>indeterminate</tt>, lookup has failed.
Consumers <bcp14>MUST NOT</bcp14> fall back to HTTPS, since an attacker who
suppresses DNS responses could otherwise force the consumer onto a
path the attacker has compromised separately.</t>
        </li>
      </ol>
      <t>Two distinct situations remove DNS from the picture, with different
outcomes. A deployment whose Trust Policy selects the HTTPS-only
lookup mode (<xref target="trust-method-https-authorized-issuer"/>) never consults
DNS by design; note that a Subject Authority publishing only inline
DNS records (a common pattern) is unfindable under that mode. By
contrast, under the canonical DNS-first mode specified here, a
Resource Authorization Server that cannot resolve DNS (resolver
failure, untrusted resolution path) treats the lookup as
<tt>indeterminate</tt> and rejects the assertion, fail-closed; it <bcp14>MUST NOT</bcp14>
improvise a fallback to the HTTPS channel.</t>
      <section anchor="dii-failures">
        <name>Failure Handling</name>
        <t>DAI lookup outcomes map onto the Affirmative / Negative /
Indeterminate lookup states of the Authority Delegation Model
(<xref target="TRUST-FRAMEWORK"/> §Lookup States and Fail-Closed). The normative
requirements (fail closed on Negative and Indeterminate; no
fallback to a different Authority Source; bounded cache reuse on
transient Indeterminate) apply unchanged; this section maps the
concrete DAI outcomes onto those states.</t>
        <table>
          <thead>
            <tr>
              <th align="left">State</th>
              <th align="left">DAI outcomes</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Affirmative</td>
              <td align="left">A well-formed Issuer Authorization Policy was retrieved (inline DNS, DNS pointer + HTTPS fetch, or HTTPS well-known URL), its <tt>subject_authority</tt> matches <tt>A</tt>, and its structural validation succeeds; this includes a policy whose <tt>authorized_issuers</tt> array is empty (explicit denial, evaluated in <xref target="dii-verification"/>). HTTPS responses, when applicable, are 200 OK with a media type of <tt>application/json</tt> or a <tt>+json</tt>-suffixed type. A 304 (Not Modified) response to a conditional request validating a held cached policy within the absolute ceiling of <xref target="dii-caching"/> renews its freshness and is classified as the held policy's state; it does not reset the absolute cache-entry age.</td>
            </tr>
            <tr>
              <td align="left">Negative</td>
              <td align="left">DNS <tt>negative-authoritative</tt> followed by HTTPS 404 or 410 at the well-known URL; HTTPS 404 or 410 reached from a DNS <tt>uri=</tt> pointer; or, under the HTTPS-only lookup mode (<xref target="trust-method-https-authorized-issuer"/>), HTTPS 404 or 410 at the well-known URL. No policy is published at the location(s) the lookup consults.</td>
            </tr>
            <tr>
              <td align="left">Indeterminate</td>
              <td align="left">Any other outcome, fail-closed by default. See enumeration below.</td>
            </tr>
          </tbody>
        </table>
        <t>The Indeterminate state covers:</t>
        <ul spacing="normal">
          <li>
            <t><strong>DNS-side</strong>: SERVFAIL, REFUSED, timeout, truncation with no
successful retry.</t>
          </li>
          <li>
            <t><strong>HTTPS transport</strong>: TLS error, connection failure, redirect loop,
non-HTTPS redirect target.</t>
          </li>
          <li>
            <t><strong>HTTPS response</strong>: 5xx; 4xx other than 404 and 410 (for example
401, 403, 405, 429, 451); 2xx other than 200; a 3xx that is not a
followed redirect (<xref target="dii-https-url"/>) and not a 304 validating a
held cached policy; unsupported media type; a body larger than the
size limit, or containing more <tt>authorized_issuers</tt> entries than
the consumer's entry limit (<xref target="https-policy-document-contract"/>).</t>
          </li>
          <li>
            <t><strong>DNS record validation</strong>: <tt>authority=</tt> missing from any recognized
record; all recognized records discarded for <tt>authority=</tt> mismatch;
more than one <tt>authority=</tt> or <tt>mode=</tt> in a record; differing or
partially present <tt>mode=</tt> values across remaining records; a
<tt>mode=</tt> value other than <tt>enforce</tt> or <tt>monitor</tt>; a recognized
record with neither <tt>uri=</tt> nor <tt>issuer=</tt>; multiple distinct <tt>uri=</tt>
values; an empty or otherwise malformed directive.</t>
          </li>
          <li>
            <t><strong>HTTPS document validation</strong>: body that is not a syntactically
valid Issuer Authorization Policy; a <tt>mode</tt> value other than
<tt>enforce</tt> or <tt>monitor</tt>; <tt>subject_authority</tt> that does
not match <tt>A</tt>.</t>
          </li>
        </ul>
        <t>Any outcome not explicitly mapped to Affirmative or Negative above
<bcp14>MUST</bcp14> be treated as Indeterminate.</t>
        <t>The following deterministic conflict rules apply:</t>
        <ul spacing="normal">
          <li>
            <t>Multiple recognized TXT records containing no <tt>uri=</tt> directive
are merged into a single virtual policy. <tt>issuer=</tt> values across
records are deduplicated into a set; order carries no semantics
(<xref target="dii-lookup"/>, step 2c).</t>
          </li>
          <li>
            <t>If any recognized record contains a <tt>uri=</tt> directive after
<tt>authority=</tt> filtering, the HTTPS document at the single <tt>uri=</tt>
target is authoritative and all <tt>issuer=</tt> directives across all
records are ignored (<xref target="dii-lookup"/>, step 2b). More than one distinct
<tt>uri=</tt> value is <tt>malformed</tt>.</t>
          </li>
          <li>
            <t>If both DNS and the HTTPS well-known URL are populated with differing
content, DNS is authoritative when it returns an Affirmative response.
Consumers do not consult or reconcile the HTTPS well-known URL in
that case.</t>
          </li>
          <li>
            <t>Multiple <tt>authorized_issuers</tt> entries for the same <tt>issuer</tt> value but
different <tt>tenant</tt> values are independent authorizations. Entries with
<tt>tenant</tt> do not shadow entries without <tt>tenant</tt> for the same <tt>issuer</tt>.</t>
          </li>
          <li>
            <t>Only the Subject Authority computed by the extraction procedure for
the assertion's Subject Identifier applies. Another Subject Authority's
policy cannot grant authority over that subject.</t>
          </li>
          <li>
            <t>If the assertion's claims conflict with the matched policy entry, the
assertion fails the Trust Method.</t>
          </li>
        </ul>
        <t>Consumers <bcp14>MUST</bcp14> treat both Negative and Indeterminate as
assertion rejection. A fresh cached Affirmative policy <bcp14>MAY</bcp14> be
used during transient Indeterminate on the live channel, subject
to <xref target="dii-caching"/>; the cache lifetime <bcp14>MUST NOT</bcp14> be extended by
repeated Indeterminate retrievals.</t>
      </section>
    </section>
    <section anchor="dii-verification">
      <name>Verification</name>
      <t>When the <tt>domain_authorized_issuer</tt> Trust Method is evaluated, the
Resource Authorization Server <bcp14>MUST</bcp14>:</t>
      <ol spacing="normal" type="1"><li>
          <t>Determine the Subject Authority from the assertion's Subject
Identifier per <xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination. If the format is not registered
in <xref target="TRUST-FRAMEWORK"/> §Subject Authority Extraction Procedures Registry, reject the assertion.</t>
        </li>
        <li>
          <t>Retrieve the Issuer Authorization Policy by applying the
procedure in <xref target="dii-lookup"/>. Negative and Indeterminate
outcomes (<xref target="dii-failures"/>) <bcp14>MUST</bcp14> result in rejection, except
that a fresh cached policy <bcp14>MAY</bcp14> be used when the live retrieval
is Indeterminate.</t>
        </li>
        <li>
          <t>Verify the policy's <tt>subject_authority</tt> matches the computed
Subject Authority. (Virtual policies satisfy this by
construction.)</t>
        </li>
        <li>
          <t>Determine whether any entry in <tt>authorized_issuers</tt> matches. An
entry matches when ALL of the following hold:  </t>
          <t>
a. <tt>issuer</tt> equals the JWT <tt>iss</tt> claim under case-sensitive URL
   string comparison (the comparison rule fixed in
   <xref target="dii-document"/>).  </t>
          <t>
b. If the entry contains a <tt>tenant</tt> member, its value exactly
   matches the assertion's top-level <tt>tenant</tt> claim (in ID-JAG,
   <xref target="ID-JAG"/> §6.1) under case-sensitive string comparison. An
   entry with <tt>tenant</tt> does not match an assertion that lacks the
   <tt>tenant</tt> claim; an entry without <tt>tenant</tt> matches regardless of
   any <tt>tenant</tt> claim in the assertion. Under a grant profile that
   carries no <tt>tenant</tt> claim, any <tt>tenant</tt> claim physically present
   in the assertion <bcp14>MUST</bcp14> be ignored for entry matching.  </t>
          <t>
c. If the entry contains <tt>subject_identifier_formats</tt>, the Subject
   Identifier format of the assertion's subject is listed.  </t>
          <t>
d. If <tt>valid_from</tt> or <tt>valid_until</tt> are present, the current time
   is within the validity window (with the skew rules of
   <xref target="dii-document"/>).  </t>
          <t>
Under a policy whose <tt>mode</tt> is <tt>enforce</tt> (the default), the Trust
Method is satisfied when step 3 succeeds and at least one entry
matches under (a)-(d); under <tt>monitor</tt>, see <xref target="monitor-mode"/>.
Entry order in <tt>authorized_issuers</tt> carries no semantics: the
outcome is the boolean "does any entry match," so two consumers
evaluating the same policy against the same assertion reach the
same result regardless of array order or of which matching entry
they examine first.</t>
        </li>
      </ol>
      <t>Steps 1 and 2 are prerequisites; their failure causes assertion
rejection per <xref target="dii-failures"/> unconditionally and is not classified
as a Trust Method satisfaction outcome. When the Trust Method is not
satisfied and, as a result, the cross-category combination rule
(<xref target="TRUST-FRAMEWORK"/> §Cross-Category Combination Rule) is not met,
the Resource Authorization Server <bcp14>MUST</bcp14> reject the assertion with an
OAuth <tt>invalid_grant</tt> error.</t>
      <section anchor="monitor-mode">
        <name>Monitor Mode</name>
        <t>A Subject Authority deploying its first policy cannot easily know
whether its issuer list is complete; an omission breaks sign-in for
its users. Monitor mode, following the deployment pattern of the
DMARC <xref target="RFC7489"/> <tt>p=none</tt> policy, lets the Subject Authority
publish, observe, and then enforce.</t>
        <t>When the retrieved policy's <tt>mode</tt> is <tt>monitor</tt> (<xref target="dii-document"/>):</t>
        <ul spacing="normal">
          <li>
            <t>The consumer <bcp14>MUST</bcp14> evaluate steps 3 and 4 normally, and <bcp14>SHOULD</bcp14> log
every evaluation under the monitored policy (Subject Authority,
assertion issuer, matched or mismatched, timestamp) so the Subject
Authority can be informed out of band.</t>
          </li>
          <li>
            <t>If no entry matches (including the empty-array explicit-denial
case), the Trust Method is nevertheless satisfied: the consumer
<bcp14>MUST NOT</bcp14> reject the assertion on the basis of the mismatch.</t>
          </li>
          <li>
            <t>If an entry matches, the outcome is identical to enforce mode.</t>
          </li>
        </ul>
        <t>Monitor mode affects only the evaluation of a successfully retrieved
policy. It does not alter lookup-state classification: Indeterminate
outcomes still fail closed (the consumer cannot know the mode of a
policy it could not retrieve), and Negative outcomes are unchanged.</t>
        <t>Monitor mode provides no protection: while it is in effect, any
authenticated issuer is accepted for the namespace exactly as if no
policy were enforced, with logging as the only difference. It is a
transitional state; Subject Authorities <bcp14>SHOULD</bcp14> move to enforce mode
promptly once the observed mismatches are resolved (see
<xref target="operational"/> for the rollout sequence and <xref target="monitor-security"/>
for the downgrade risk).</t>
        <t>An aggregate reporting mechanism by which consumers deliver
monitored-mismatch reports to the Subject Authority (analogous to
DMARC's <tt>rua</tt>) is deferred; see <xref target="future-extensions"/>.</t>
      </section>
    </section>
    <section anchor="dii-caching">
      <name>Caching</name>
      <t>Cache lifetimes for the Issuer Authorization Policy:</t>
      <ul spacing="normal">
        <li>
          <t>Consumers <bcp14>SHOULD</bcp14> respect HTTP <tt>Cache-Control</tt> on HTTPS documents
and DNS TTL on records. The DNS inline form's virtual-policy
lifetime is the minimum TTL of the constructing records. For
the DNS pointer form, the effective lifetime is the lesser of
the pointer's DNS TTL and the fetched document's HTTP cache
lifetime.</t>
        </li>
        <li>
          <t>Subject Authorities <bcp14>SHOULD</bcp14> publish records and HTTPS policies
with a steady-state TTL of at most 1 hour, reducing further
during an active revocation.</t>
        </li>
        <li>
          <t>Consumers <bcp14>MUST</bcp14> enforce an absolute local cache ceiling on the age
of any cached policy entry (recommended: 24 hours) regardless of TTL
or <tt>Cache-Control</tt>. A cached entry older than the ceiling <bcp14>MUST NOT</bcp14> be
used and <bcp14>MUST</bcp14> be re-fetched.</t>
        </li>
        <li>
          <t>Serving stale cache during outages is separately bounded. Consumers
<bcp14>MAY</bcp14> serve a fresh cached Affirmative policy (one within its normal
TTL/<tt>Cache-Control</tt> lifetime) when a live retrieval is
Indeterminate. Independently of the absolute ceiling above,
consumers <bcp14>MUST NOT</bcp14> serve a cached policy across a continuous run of
Indeterminate live results lasting longer than 1 hour: once the
most recent successful (Affirmative or Negative) live retrieval is
more than 1 hour old, the consumer <bcp14>MUST</bcp14> stop serving the cached
policy and treat the lookup as Indeterminate (reject). Any successful
live retrieval resets this 1-hour outage window. This bound prevents
an attacker who can sustain denial of service against the policy
endpoint from extending revocation latency up to the 24-hour ceiling.</t>
        </li>
        <li>
          <t>Negative results <bcp14>SHOULD</bcp14> be cached, subject to the same ceiling,
to bound lookup work under load (<xref target="dos-ssrf"/>). Consumers whose
threat model includes brief publication-channel takeover <bcp14>SHOULD</bcp14>
cap negative-cache lifetime at a shorter value (recommended: 5
minutes) so that a Negative cached during a takeover does not
hide the legitimate Authority Holder's later publication; the
same shorter cap <bcp14>SHOULD</bcp14> apply to a cached explicit-denial policy
(<xref target="dii-document"/>).</t>
        </li>
        <li>
          <t>Indeterminate outcomes <bcp14>MAY</bcp14> be cached for a short period
(recommended: no more than 5 minutes) to absorb retry storms;
an Indeterminate cache entry <bcp14>MUST NOT</bcp14> be treated as a policy and
never satisfies the Trust Method.</t>
        </li>
      </ul>
    </section>
    <section anchor="trust-methods">
      <name>Trust Methods</name>
      <t>This document defines <tt>domain_authorized_issuer</tt> as a
<tt>subject_namespace_authorization</tt> Trust Method of <xref target="TRUST-FRAMEWORK"/>.
DNS at <tt>_oauth-issuer-policy.{authority}</tt> is the primary publication
channel, with the HTTPS well-known URL as fallback. The Trust Method
registers in the Identity Assertion Issuer Trust Methods registry
(<xref target="TRUST-FRAMEWORK"/> §Identity Assertion Issuer Trust Methods Registry).</t>
      <section anchor="trust-method-domain-authorized-issuer">
        <name>domain_authorized_issuer</name>
        <t>The <tt>domain_authorized_issuer</tt> method indicates that the Assertion
Issuer is acceptable if the Subject Authority identified by the
assertion's Subject Identifier authorizes the Assertion Issuer to
assert identities in that namespace, using the publication channels
(<xref target="publication-profiles"/>), lookup procedure (<xref target="dii-lookup"/>), and
verification rules (<xref target="dii-verification"/>) of this document.</t>
        <t>This Trust Method natively expresses authorization for either form of
multi-tenant Assertion Issuer:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Per-tenant issuer identifiers</strong> (for example,
<tt>https://login.microsoftonline.com/{tenant-id}/v2.0</tt>): the
<tt>authorized_issuers[].issuer</tt> field accepts any absolute HTTPS URL
issuer identifier, and case-sensitive comparison against the JWT
<tt>iss</tt> claim distinguishes tenants under the same host. Each
authorized tenant is one <tt>authorized_issuers</tt> entry.</t>
          </li>
          <li>
            <t><strong>Shared issuer with a tenant claim</strong> (for example,
<tt>https://accounts.google.com</tt> serving every Google Workspace tenant
via the top-level <tt>tenant</tt> claim of <xref target="ID-JAG"/> §6.1): the
<tt>authorized_issuers[].tenant</tt> field binds the authorization to a
specific tenant of the shared issuer, with the security properties
described in <xref target="dii-multi-tenant"/>.</t>
          </li>
        </ul>
        <sourcecode type="json"><![CDATA[
{
  "method": "domain_authorized_issuer"
}
]]></sourcecode>
        <t>With no additional members, the Resource Authorization Server
retrieves the Issuer Authorization Policy by applying the canonical
lookup procedure in <xref target="dii-lookup"/>: a DNS query at
<tt>_oauth-issuer-policy.{A}</tt> with HTTPS well-known URL fallback when the
DNS response is <tt>negative-authoritative</tt>. The optional <tt>lookup</tt>
member is used only for the HTTPS-only deployment variant in
<xref target="trust-method-https-authorized-issuer"/>.</t>
      </section>
      <section anchor="trust-method-https-authorized-issuer">
        <name>HTTPS-Only Deployment Variant</name>
        <t>Some deployments cannot or will not depend on DNS-published
authority. Those deployments can use the same Issuer Authorization
Policy document format with direct HTTPS retrieval from the Subject
Authority's well-known URL. This is a deployment variant of the DAI
mechanism, not a second Trust Method registered by this document.</t>
        <t>Under this variant, the Assertion Issuer is acceptable if the Subject
Authority identified by the assertion's Subject Identifier publishes
an HTTPS well-known Issuer Authorization Policy authorizing the
Assertion Issuer.</t>
        <sourcecode type="json"><![CDATA[
{
  "method": "domain_authorized_issuer",
  "lookup": "https_only"
}
]]></sourcecode>
        <t>The <tt>lookup</tt> member is <bcp14>OPTIONAL</bcp14>. If present, its value <bcp14>MUST</bcp14> be
<tt>https_only</tt>. This variant reuses the Issuer Authorization Policy
document format (<xref target="dii-document"/>), Subject Authority determination
rules (<xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination), HTTPS
document URL (<xref target="dii-https-url"/>), verification rules
(<xref target="dii-verification"/>), and caching rules (<xref target="dii-caching"/>), but it
does not perform the DNS lookup defined in <xref target="dii-lookup"/>.</t>
        <t>When evaluated, the Resource Authorization Server <bcp14>MUST</bcp14>:</t>
        <ol spacing="normal" type="1"><li>
            <t>Determine the Subject Authority <tt>A</tt> from the assertion's Subject
Identifier per <xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination. If the format is not registered in
<xref target="TRUST-FRAMEWORK"/> §Subject Authority Extraction Procedures Registry, reject the assertion.</t>
          </li>
          <li>
            <t>Fetch the Issuer Authorization Policy directly from the default
HTTPS well-known URL <tt>https://{A}/.well-known/oauth-issuer-policy</tt>
per <xref target="dii-https-url"/>. The Resource Authorization Server <bcp14>MUST NOT</bcp14>
query <tt>_oauth-issuer-policy.{A}</tt> as part of this Trust Method and
<bcp14>MUST NOT</bcp14> use a DNS <tt>uri=</tt> pointer.</t>
          </li>
          <li>
            <t>Classify HTTPS retrieval and document validation outcomes per
<xref target="dii-failures"/>. Negative and Indeterminate states <bcp14>MUST</bcp14> result
in rejection, except that a fresh cached policy <bcp14>MAY</bcp14> be used
when the live retrieval is Indeterminate.</t>
          </li>
          <li>
            <t>Verify the fetched policy and match the Assertion Issuer against
<tt>authorized_issuers</tt> using steps 3 and 4 of <xref target="dii-verification"/>,
including <xref target="monitor-mode"/> when the policy's <tt>mode</tt> is <tt>monitor</tt>.</t>
          </li>
        </ol>
        <t>A Resource Authorization Server uses this variant when it requires
authority publication via HTTPS only and explicitly does not accept
DNS-published authority (inline or DNS pointer). Compared to
canonical DNS-first lookup, this mode:</t>
        <ul spacing="normal">
          <li>
            <t>Eliminates dependence on DNS resolution integrity for the
authority lookup. The Subject Authority is determined per
<xref target="TRUST-FRAMEWORK"/> §Subject Authority Determination, but the authorization itself is retrieved
only over TLS-authenticated HTTPS.</t>
          </li>
          <li>
            <t>Rejects the inline DNS form (where the policy is carried in the
TXT record itself) and the DNS pointer form (where DNS points
at a different HTTPS host). Both require trusting DNS for the
authoritative selection of either issuers or policy host.</t>
          </li>
          <li>
            <t>Forces the Subject Authority to control the apex web origin
identified by the well-known URL.</t>
          </li>
        </ul>
      </section>
      <section anchor="combining-dai-methods">
        <name>Choosing the Lookup Mode</name>
        <t>Within <tt>domain_authorized_issuer</tt>, a Resource Authorization Server
selects one lookup mode:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Canonical DNS-first lookup</strong> is the default. The Resource
Authorization Server queries <tt>_oauth-issuer-policy.{A}</tt> first and
falls back to the HTTPS well-known URL on <tt>negative-authoritative</tt>
DNS responses (<xref target="dii-lookup"/>). The "no DNS record, only HTTPS
document" Subject Authority case is therefore already covered
without the HTTPS-only variant.</t>
          </li>
          <li>
            <t><strong>HTTPS-only lookup</strong> is an explicit deployment variant. Use it
when local policy distrusts DNS-published authority entirely and
requires authority retrieval over TLS-authenticated HTTPS only.
Inline DNS records and DNS pointer forms are rejected.</t>
          </li>
        </ul>
        <t>Resource Authorization Servers <bcp14>MUST NOT</bcp14> evaluate both lookup modes
as alternatives for the same assertion. Doing so creates an
availability-driven fallback: an attacker who can drive the DNS
lookup to <tt>indeterminate</tt> (resolver denial-of-service, BGP
disruption) could force fallthrough to HTTPS-only evaluation,
defeating the fail-closed property of the DNS-first lookup.</t>
      </section>
    </section>
    <section anchor="dii-security">
      <name>Security Considerations</name>
      <t>The Issuer Authorization Policy is a security-critical document. Its
integrity determines which Assertion Issuers can assert identities in
the Subject Authority's namespace.</t>
      <section anchor="namespace-authority-bootstrap">
        <name>Namespace Authority Bootstrap</name>
        <t>DAI's authority binding is DNS control of the registrable domain
(or corresponding HTTPS well-known URL), the bootstrap model used
by CAA <xref target="RFC8659"/> and MTA-STS <xref target="RFC8461"/>. Pre-existing DNS
realities (typosquatting, expired-domain takeover, registrar
account compromise) apply unchanged and are not introduced by
this document. The registrable-domain default contains
subdomain-takeover impact (<xref target="TRUST-FRAMEWORK"/> §Subject Authority
Determination); identity binding beyond DNS control (legal-entity
verification) requires out-of-band mechanisms.</t>
      </section>
      <section anchor="transport-integrity">
        <name>Transport Integrity</name>
        <t>HTTPS retrieval integrity rests on TLS server authentication of
the policy host; the inline DNS form rests on DNS resolution
alone; the pointer form rests on both. Subject Authorities
concerned about TLS misissuance are encouraged to publish CAA
records <xref target="RFC8659"/> for the policy-hosting domain and to monitor
Certificate Transparency logs.</t>
      </section>
      <section anchor="https-only-trust-model">
        <name>HTTPS-Only Authority Trust Model</name>
        <t>The HTTPS-only lookup mode
(<xref target="trust-method-https-authorized-issuer"/>) substitutes TLS-server
authentication for DNS-published authority. The threat surfaces
differ from the canonical DNS-first lookup of
<tt>domain_authorized_issuer</tt>:</t>
        <ul spacing="normal">
          <li>
            <t>DNS-record attacks (<xref target="dns-integrity-and-compromise"/>) do NOT
affect authority retrieval; the TXT record is not fetched.</t>
          </li>
          <li>
            <t>Apex-hostname resolution still uses DNS. A DNS-redirect of the
apex combined with TLS misissuance substitutes the policy;
CAA records and Certificate Transparency monitoring are the
primary defenses (<xref target="transport-integrity"/>).</t>
          </li>
          <li>
            <t>The DNS pointer form's policy-host risk
(<xref target="third-party-policy-hosts"/>) does not apply; the policy is
served from the Subject Authority's own apex origin.</t>
          </li>
          <li>
            <t>Subject Authorities that cannot control the apex web origin
(apex hosted on a marketing CDN with no path control) cannot
participate via this mode.</t>
          </li>
        </ul>
        <t>The trade-off between the two lookup modes is discussed in
<xref target="rationale-https-only"/>.</t>
      </section>
      <section anchor="dns-integrity-and-compromise">
        <name>DNS Integrity and Compromise</name>
        <t>An adversary who can substitute a forged DNS response (off-path
resolver spoofing, authoritative nameserver hijack, registrar
account compromise, BGP hijack, recursive cache poisoning) can
substitute the Subject Authority's policy: add an attacker-
controlled Assertion Issuer to the inline form, redirect a <tt>uri=</tt>
pointer, or force <tt>indeterminate</tt> outcomes to benefit a cached
attacker-friendly policy. The pointer form additionally depends on
TLS authentication of the pointed-at host: TLS does not mitigate
the DNS compromise that selected that host.</t>
        <t>Absent DNSSEC or an authenticated resolver path, the inline DNS form's
integrity is no stronger than the recursive resolver path between
consumer and authoritative server. Deployments needing a stronger
guarantee <bcp14>SHOULD</bcp14> sign the zone with DNSSEC or use the HTTPS document
form with the controls of <xref target="TRUST-FRAMEWORK"/> §Shared Infrastructure
and Hosted Well-Known Paths; the inline form's "common case"
simplicity (<xref target="publication-profiles"/>) is an operability tradeoff, not
an integrity guarantee.</t>
        <t>Required framework defenses:</t>
        <ul spacing="normal">
          <li>
            <t>Consumers <bcp14>MUST</bcp14> discard records whose <tt>authority=</tt> does not match
the queried Subject Authority. This is the wildcard mitigation:
a permissive parent-zone wildcard cannot authorize subdomains
because consumers reject records lacking the matching
<tt>authority=</tt> directive.</t>
          </li>
          <li>
            <t>Consumers <bcp14>MUST</bcp14> verify TLS for any host named by <tt>uri=</tt>.</t>
          </li>
          <li>
            <t>Consumers <bcp14>MUST</bcp14> bound cache lifetimes (<xref target="dii-caching"/>;
recommended absolute ceiling 24 hours).</t>
          </li>
          <li>
            <t>Consumers performing DNSSEC validation <bcp14>MUST</bcp14> treat validation
failure as <tt>indeterminate</tt>, not <tt>negative-authoritative</tt>, to
prevent signature-strip downgrade to HTTPS fallback.</t>
          </li>
          <li>
            <t>Subject Authorities <bcp14>SHOULD</bcp14> sign <tt>_oauth-issuer-policy.{A}</tt> with
DNSSEC, and consumers that do not validate DNSSEC <bcp14>SHOULD</bcp14> use a
trustworthy resolver path (DoH/DoT to a vetted resolver).</t>
          </li>
        </ul>
        <t>Forged-Negative downgrade: a <tt>negative-authoritative</tt> DNS result
(NXDOMAIN/NODATA) triggers the HTTPS well-known fallback
(<xref target="dii-lookup"/>). A consumer that does not validate DNSSEC cannot
distinguish a forged negative answer from a genuine one, so an
attacker able to both spoof a negative DNS response and serve (or
redirect to) the victim's apex HTTPS origin can suppress a
legitimately published inline record and substitute an
attacker-controlled HTTPS policy. Consumers that do not validate
DNSSEC and expect a Subject Authority to publish inline records
<bcp14>SHOULD NOT</bcp14> honor a Negative-to-HTTPS transition for that authority
without an authenticated resolver path; where the Subject Authority's
publication channel is configured or discoverable, treat an
unexpected Negative with the same suspicion as Indeterminate.</t>
        <t>Operational defenses Subject Authorities are encouraged to apply:
registrar account lock; monitoring of the record set and policy
document for unexpected changes; cross-region/cross-resolver
checks to detect localized substitution; avoiding wildcard TXT
records in zones participating in this mechanism.</t>
      </section>
      <section anchor="third-party-policy-hosts">
        <name>Policy Hosts</name>
        <t>The DNS pointer form lets the Subject Authority move rich policy
from DNS into an HTTPS document. In this version, the pointed-to
host is expected to be under the Subject Authority's operational
control. General shared-infrastructure risks (multi-tenant CDNs,
cache rules, dangling origins) are covered in <xref target="TRUST-FRAMEWORK"/>
§Shared Infrastructure and Hosted Well-Known Paths. Three
DAI-specific points:</t>
        <ul spacing="normal">
          <li>
            <t>The pointer target is trusted fully for the policy contents and
is appropriate only when the host is operated for, or otherwise
controlled by, the Subject Authority.</t>
          </li>
          <li>
            <t>Both the DNS-side <tt>authority=</tt> directive and the JSON-side
<tt>subject_authority</tt> member <bcp14>MUST</bcp14> match the queried Subject
Authority. Each binding is published through a different control
path; one missing check would let a compromise of either party
claim arbitrary namespaces.</t>
          </li>
          <li>
            <t>The <tt>uri=</tt> pointer is a long-lived trust delegation. Subject
Authorities <bcp14>SHOULD</bcp14> reduce DNS TTLs in advance of any planned
change of policy host.</t>
          </li>
        </ul>
      </section>
      <section anchor="monitor-security">
        <name>Monitor-Mode Downgrade</name>
        <t>An attacker who can modify the published policy has a stealthier
option than adding their own issuer: flipping <tt>mode</tt> from <tt>enforce</tt>
to <tt>monitor</tt>. The policy remains present and superficially intact,
but enforcement is silently off (<xref target="monitor-mode"/>). A variant
targets signed policies: because unsigned members absent from the
signed JWT are not conflict-checked (<xref target="TRUST-FRAMEWORK"/> §Signed
Policy Metadata), an attacker who can edit the outer document but
not the JWT can inject an unsigned <tt>mode: monitor</tt> beside an intact
signature. Subject Authorities publishing <tt>signed_policy</tt> <bcp14>SHOULD</bcp14>
therefore include <tt>mode</tt> among the signed claims, so that an
injected outer value is rejected as a conflict. Consumers <bcp14>SHOULD</bcp14>
surface mode transitions for a given Subject Authority in their
logs, and Subject Authorities <bcp14>SHOULD</bcp14> monitor their published records
for unexpected <tt>mode</tt> changes with the same rigor as for issuer-list
changes (<xref target="operational"/>). Because monitor mode accepts any
authenticated issuer for the namespace, a policy observed in monitor
mode for an extended period <bcp14>SHOULD</bcp14> be treated by operators on both
sides as a misconfiguration signal.</t>
      </section>
      <section anchor="policy-conflicts">
        <name>Policy Conflicts and Determinism</name>
        <t>The lookup procedure (<xref target="dii-lookup"/>) is deterministic across the
common conflict scenarios that arise when multiple records or
sources coexist. Determinism is a security property: two verifiers
receiving the same DNS and HTTPS responses <bcp14>MUST</bcp14> reach the same
conclusion about what (if any) policy applies. An attacker with
partial control of one publication channel cannot exploit
interpretive ambiguity at the consumer.</t>
        <t>Common conflict scenarios and their deterministic dispositions are
specified in <xref target="dii-failures"/>.</t>
      </section>
      <section anchor="mechanism-limits">
        <name>Mechanism Limits</name>
        <ul spacing="normal">
          <li>
            <t><strong>Authentication.</strong> The inline DNS form has no signing mechanism;
its authority binding is DNS control. The HTTPS document form
relies on DNS selection plus TLS to the selected policy host.</t>
          </li>
          <li>
            <t><strong>Scope.</strong> A Resource Authorization Server <bcp14>MUST NOT</bcp14> use a
matched Issuer Authorization Policy to establish trust for
subjects outside that Subject Authority's namespace.</t>
          </li>
          <li>
            <t><strong>Inline-form features.</strong> The inline DNS form expresses only
"issuer X is authorized for Subject Authority A." Deployments
needing <tt>tenant</tt>, <tt>subject_identifier_formats</tt>, <tt>valid_from</tt>,
<tt>valid_until</tt>, or explicit denial (an empty <tt>authorized_issuers</tt>
array, <xref target="dii-document"/>) <bcp14>MUST</bcp14> use the HTTPS or DNS pointer form;
a recognized inline record with no <tt>issuer=</tt> is malformed, so the
inline form cannot publish an empty delegation set.</t>
          </li>
        </ul>
      </section>
      <section anchor="email-local-part">
        <name>Email Local-Part Is Not Authenticated</name>
        <t><tt>domain_authorized_issuer</tt> evaluates only the email's registrable
domain. The local-part is unauthenticated by this Trust Method: it
attests that the Assertion Issuer may assert about emails in the
namespace, not that any specific local-part is correct. Resource
Authorization Servers that normalize local-parts (case folding,
plus-address stripping, alias collapsing) inherit those assumptions
from the Assertion Issuer; an attacker controlling an
issuer-accepted alias can land on a different normalized user.
Either disable local-part normalization or verify the local-part
through a mechanism outside this document. See also
<xref target="TRUST-FRAMEWORK"/> §Scope of Namespace Authorization.</t>
      </section>
      <section anchor="dii-multi-tenant">
        <name>Single-Issuer Multi-Tenant Identity Providers</name>
        <t>The shared-issuer case and its <tt>tenant</tt> binding are demonstrated
in the Shared Issuer Variant of the End-to-End Example. Two
security points apply:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Unconstrained-listing risk.</strong> A Subject Authority that lists
a shared issuer with no <tt>tenant</tt> value authorizes every tenant
of that Identity Provider, almost never the intent. Subject
Authorities listing a shared issuer <bcp14>SHOULD</bcp14> include <tt>tenant</tt>.
Resource Authorization Servers <bcp14>SHOULD</bcp14> log a warning when
accepting under an unconstrained entry and <bcp14>SHOULD</bcp14> consider
rejecting as a matter of local policy.</t>
          </li>
          <li>
            <t><strong>Tenant-isolation dependency.</strong> The <tt>tenant</tt> binding is a
wire-format expression of trust, not a cryptographic guarantee.
The Resource Authorization Server verifies match against the
Subject Authority's chosen tenant value, but cannot verify the
Identity Provider's tenant-isolation implementation. A
tenant-isolation defect (cross-tenant minting bug,
misconfigured admin operation) defeats the wire-format check.
Subject Authorities <bcp14>SHOULD</bcp14> prefer per-tenant issuer identifiers
where offered and treat shared-issuer listings as long-lived
delegations requiring due diligence on the Identity Provider's
tenant-isolation guarantees.</t>
          </li>
          <li>
            <t><strong>Grant profiles without a <tt>tenant</tt> claim.</strong> Under a grant
profile that carries no <tt>tenant</tt> claim (e.g., the generic
JWT-bearer grant, <xref target="TRUST-FRAMEWORK"/> §Generic JWT-Bearer
Assertion Grant), only entries that omit <tt>tenant</tt> can match, so
tenant-scoped authorization is not expressible. A Subject
Authority relying on a shared multi-tenant Assertion Issuer
<bcp14>SHOULD NOT</bcp14> authorize that issuer for such a grant unless
per-tenant issuer identifiers are used.</t>
          </li>
        </ul>
      </section>
      <section anchor="dos-ssrf">
        <name>Denial of Service, Amplification, and SSRF</name>
        <t>The <tt>domain_authorized_issuer</tt> lookup can be triggered before the
Assertion Issuer is known to be trustworthy: the assertion signature
validates against the issuer's own key, which an attacker operating
their own authorization server controls. An attacker can therefore
drive lookups at will, creating three risks:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Reflection/amplification and cache exhaustion.</strong> A flood of
assertions carrying distinct Subject Authorities
(<tt>email: x@{random}.example</tt>) makes the Resource Authorization
Server issue a live DNS query, and on a Negative result an HTTPS
fetch, per distinct authority, turning it into a request amplifier
aimed at third-party DNS/HTTPS infrastructure and filling its own
cache with distinct-authority entries. Consumers <bcp14>MUST</bcp14> bound lookup
work: enforce per-Subject-Authority and global rate limits and
bound concurrent outstanding lookups. Consumers <bcp14>SHOULD</bcp14> cache
Negative and Indeterminate outcomes per <xref target="dii-caching"/>, and <bcp14>MAY</bcp14>
impose a maximum number of distinct-authority lookups per unit
time, shedding load by treating excess as Indeterminate
(fail-closed).</t>
          </li>
          <li>
            <t><strong>Server-Side Request Forgery.</strong> Every HTTPS policy fetch resolves
a host the attacker may control: the Subject Authority <tt>{A}</tt> for
the default well-known fetch (the attacker presents an assertion
whose namespace is a domain it owns, then points that domain's apex
A/AAAA records at an internal address), the <tt>uri=</tt> pointer's host,
the well-known host under the HTTPS-only mode, and any redirect
target. The fetch occurs regardless of whether the body validates,
enabling blind internal probing through timing and error
differentials. For every such fetch, consumers <bcp14>MUST NOT</bcp14> connect to
a host that resolves to a private-use, loopback, link-local,
unique-local, or otherwise non-globally-routable IPv4 or IPv6
address, <bcp14>MUST</bcp14> cap redirects and response size (<xref target="dii-https-url"/>,
<xref target="https-policy-document-contract"/>), and <bcp14>SHOULD</bcp14> apply a fetch
timeout. The same-registrable-domain constraint on redirects
(<xref target="dii-https-url"/>) further limits redirect-based SSRF.</t>
          </li>
          <li>
            <t><strong>Cost asymmetry.</strong> A single small assertion can cause a full
DNS+HTTPS round trip. Consumers <bcp14>SHOULD</bcp14> prefer cached results and
<bcp14>SHOULD NOT</bcp14> perform a live lookup until the assertion has passed the
cheaper grant-profile validation checks (signature, audience,
expiry; <xref target="TRUST-FRAMEWORK"/> §Resource Authorization Server
Processing step 2).</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="privacy">
      <name>Privacy Considerations</name>
      <t>The lookup is verifier-side and per-verification, so it leaks metadata
in two directions:</t>
      <ul spacing="normal">
        <li>
          <t><strong>To the resolver path.</strong> A DNS query for
<tt>_oauth-issuer-policy.{A}</tt> exposes the Subject Authority <tt>{A}</tt> being
evaluated (and its timing) to every resolver and on-path observer.
It does not carry the full subject identifier for formats such as
<tt>email</tt>, but the authority plus timing can reveal organizational
relationships and login activity. Resource Authorization Servers
<bcp14>SHOULD</bcp14> use a privacy-preserving resolver path (DoH/DoT to a vetted
resolver) and <bcp14>SHOULD NOT</bcp14> perform the lookup until it is needed for a
concrete verification decision.</t>
        </li>
        <li>
          <t><strong>To the Subject Authority.</strong> For the HTTPS well-known and <tt>uri=</tt>
channels, the Subject Authority's own server (or its chosen policy
host) observes the Resource Authorization Server's egress IP address
and the timing of each fetch, learning which Resource Authorization
Servers its namespace's users are authenticating to; the
authoritative DNS operator for <tt>{A}</tt> observes per-lookup timing over
DNS. An employer acting as its own Subject Authority can thereby
obtain a near-real-time signal of where employees sign in. Caching
(<xref target="dii-caching"/>) is the primary mitigation: it coarsens timing and
collapses repeated lookups, so consumers <bcp14>SHOULD</bcp14> cache to the bounds
permitted rather than re-fetching per verification.</t>
        </li>
      </ul>
    </section>
    <section anchor="operational">
      <name>Operational Considerations</name>
      <t>Publishing a DAI record makes DNS/HTTPS control a real-time input to
sign-in authorization: a lapse in the record or its host can stop
legitimate assertions from being accepted, and an unauthorized change
can authorize an attacker. Subject Authorities <bcp14>SHOULD</bcp14> operate the
record and any policy host with the same rigor as other sign-in-path
infrastructure. Specific guidance:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Rollout.</strong> Deploy in three phases: publish with <tt>mode=monitor</tt>
(<xref target="monitor-mode"/>); observe logged mismatches until the issuer
list is known complete (forgotten regional tenants and departing
Identity Providers surface here rather than as sign-in outages);
then switch to <tt>enforce</tt>. Before enforcing, Subject Authorities
<bcp14>SHOULD</bcp14> sign the zone with DNSSEC or publish via the HTTPS document
form, since enforce-mode decisions carry the full weight of the
publication channel's integrity (<xref target="dns-integrity-and-compromise"/>).</t>
        </li>
        <li>
          <t><strong>Change management and TTLs.</strong> Reduce DNS TTLs in advance of any
planned change to the record or <tt>uri=</tt> pointer (<xref target="third-party-policy-hosts"/>),
and choose steady-state TTLs balancing propagation speed against
resolver load and the consumer cache bounds of <xref target="dii-caching"/>.</t>
        </li>
        <li>
          <t><strong>Rotation.</strong> To rotate an authorized issuer, publish the new
<tt>authorized_issuers</tt> entry alongside the old one and remove the old
entry only after the old issuer is decommissioned and caches have
expired; overlapping validity windows (<tt>valid_from</tt>/<tt>valid_until</tt>)
make the transition observable and bounded.</t>
        </li>
        <li>
          <t><strong>Monitoring.</strong> Monitor the record set and any HTTPS policy document
for unexpected changes, and perform cross-region/cross-resolver
checks to detect localized substitution (<xref target="dns-integrity-and-compromise"/>).</t>
        </li>
        <li>
          <t><strong>Availability.</strong> Because Negative and Indeterminate outcomes fail
closed (<xref target="dii-failures"/>), loss of the record or policy host blocks
sign-in for the namespace; provision the authoritative DNS and any
policy host for availability accordingly.</t>
        </li>
        <li>
          <t><strong>Zone hygiene.</strong> Avoid wildcard TXT records in zones participating
in this mechanism (<xref target="dns-integrity-and-compromise"/>); a wildcard
with a non-matching <tt>authority=</tt> causes recognized-but-discarded
records and can push a lookup to Indeterminate.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="well-known-uri-for-issuer-authorization-policy">
        <name>Well-Known URI for Issuer Authorization Policy</name>
        <t>Registers the following well-known URI in the IANA "Well-Known URIs"
registry <xref target="RFC8615"/>, for use by this document:</t>
        <dl>
          <dt>URI Suffix:</dt>
          <dd>
            <t><tt>oauth-issuer-policy</tt></t>
          </dd>
          <dt>Change Controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Specification Document:</dt>
          <dd>
            <t>This document</t>
          </dd>
          <dt>Status:</dt>
          <dd>
            <t>permanent</t>
          </dd>
          <dt>Related Information:</dt>
          <dd>
            <t>None</t>
          </dd>
        </dl>
        <t>The suffix names the document rather than the consuming framework;
see <xref target="rationale-generic-name"/>.</t>
      </section>
      <section anchor="underscored-dns-node-name">
        <name>Underscored DNS Node Name</name>
        <t>Registers the following entry in the IANA "Underscored and Globally
Scoped DNS Node Names" registry per <xref target="RFC8552"/> and <xref target="RFC8553"/>, for
use by this document:</t>
        <dl>
          <dt>RR Type:</dt>
          <dd>
            <t>TXT</t>
          </dd>
          <dt>_NODE NAME:</dt>
          <dd>
            <t><tt>_oauth-issuer-policy</tt></t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>This document, <xref target="dii-dns-record"/></t>
          </dd>
        </dl>
      </section>
      <section anchor="trust-method-registrations">
        <name>Trust Method Registrations</name>
        <t>This document registers the following entry in the Identity
Assertion Issuer Trust Methods registry
(<xref target="TRUST-FRAMEWORK"/> §Identity Assertion Issuer Trust Methods Registry):</t>
        <table>
          <thead>
            <tr>
              <th align="left">Identifier</th>
              <th align="left">Categories</th>
              <th align="left">Parameters</th>
              <th align="left">Change Controller</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>domain_authorized_issuer</tt></td>
              <td align="left">
                <tt>subject_namespace_authorization</tt></td>
              <td align="left">
                <tt>lookup</tt> (string, <bcp14>OPTIONAL</bcp14>; value <tt>https_only</tt> selects the HTTPS-only lookup variant)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-dii-directives">
        <name>Issuer Authorization Policy Directives Registry</name>
        <t>IANA is requested to establish a new registry titled "OAuth Issuer
Authorization Policy DNS Directives" under the "OAuth Parameters"
registry group, for the <tt>name=value</tt> directives carried in the DNS
TXT record (<xref target="dii-dns-record"/>).</t>
        <t>Registration policy: Specification Required <xref target="RFC8126"/>.</t>
        <t>Each entry contains a Directive Name (character set <tt>[a-z0-9_-]</tt>), a
Description, a Change Controller, and a Reference. Designated Expert
instructions: the expert verifies the directive name is unique, its
value syntax is specified within the ABNF value production of
<xref target="dii-dns-record"/> (ASCII, no <tt>;</tt>, no whitespace), and its
multiplicity and duplicate-handling rules are stated.</t>
        <t>Initial entries:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Directive Name</th>
              <th align="left">Description</th>
              <th align="left">Change Controller</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>v</tt></td>
              <td align="left">Version token; <bcp14>MUST</bcp14> appear first</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>authority</tt></td>
              <td align="left">Subject Authority this record binds (A-label)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>uri</tt></td>
              <td align="left">HTTPS URL of an Issuer Authorization Policy document</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>issuer</tt></td>
              <td align="left">An authorized Assertion Issuer identifier</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>mode</tt></td>
              <td align="left">Enforcement mode: <tt>enforce</tt> (default) or <tt>monitor</tt></td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-dii-members">
        <name>Issuer Authorization Policy Members Registry</name>
        <t>IANA is requested to establish a new registry titled "OAuth Issuer
Authorization Policy Members" under the "OAuth Parameters" registry
group, for the JSON members of the Issuer Authorization Policy
document (<xref target="dii-document"/>).</t>
        <t>Registration policy: Specification Required <xref target="RFC8126"/>.</t>
        <t>Each entry contains a Member Name, a Description, a Change Controller,
and a Reference. Designated Expert instructions: the expert verifies
the member name does not collide with an existing member, its JSON
type and semantics are specified, and any decision-affecting member
states how a consumer that does not recognize it behaves (the default
is to ignore unrecognized members; a member requiring fail-closed
handling uses the <tt>crit</tt> mechanism of <xref target="TRUST-FRAMEWORK"/> §Critical
Members).</t>
        <t>Initial entries:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Member Name</th>
              <th align="left">Description</th>
              <th align="left">Change Controller</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>subject_authority</tt></td>
              <td align="left">Subject Authority this policy applies to</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>authorized_issuers</tt></td>
              <td align="left">Array of authorized issuer objects</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>issuer</tt></td>
              <td align="left">Authorized Assertion Issuer identifier (within an entry)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>tenant</tt></td>
              <td align="left">Issuer-side tenant identifier (within an entry)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>subject_identifier_formats</tt></td>
              <td align="left">Permitted Subject Identifier formats (within an entry)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>valid_from</tt></td>
              <td align="left">Delegation start time (within an entry)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>valid_until</tt></td>
              <td align="left">Delegation end time (within an entry)</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>mode</tt></td>
              <td align="left">Enforcement mode: <tt>enforce</tt> (default) or <tt>monitor</tt></td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>last_updated</tt></td>
              <td align="left">Policy publication time</td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>signed_policy</tt></td>
              <td align="left">Signed JWT of the policy members</td>
              <td align="left">IETF</td>
              <td align="left">This document; <xref target="TRUST-FRAMEWORK"/> §Signed Policy Metadata</td>
            </tr>
            <tr>
              <td align="left">
                <tt>crit</tt></td>
              <td align="left">Names decision-affecting members a consumer <bcp14>MUST</bcp14> understand or reject the document</td>
              <td align="left">IETF</td>
              <td align="left">This document; <xref target="TRUST-FRAMEWORK"/> §Critical Members</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC1035">
          <front>
            <title>Domain names - implementation and specification</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1035"/>
          <seriesInfo name="DOI" value="10.17487/RFC1035"/>
        </reference>
        <reference anchor="RFC3339">
          <front>
            <title>Date and Time on the Internet: Timestamps</title>
            <author fullname="G. Klyne" initials="G." surname="Klyne"/>
            <author fullname="C. Newman" initials="C." surname="Newman"/>
            <date month="July" year="2002"/>
            <abstract>
              <t>This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3339"/>
          <seriesInfo name="DOI" value="10.17487/RFC3339"/>
        </reference>
        <reference anchor="RFC5234">
          <front>
            <title>Augmented BNF for Syntax Specifications: ABNF</title>
            <author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/>
            <author fullname="P. Overell" initials="P." surname="Overell"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="68"/>
          <seriesInfo name="RFC" value="5234"/>
          <seriesInfo name="DOI" value="10.17487/RFC5234"/>
        </reference>
        <reference anchor="RFC5891">
          <front>
            <title>Internationalized Domain Names in Applications (IDNA): Protocol</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This document is the revised protocol definition for Internationalized Domain Names (IDNs). The rationale for changes, the relationship to the older specification, and important terminology are provided in other documents. This document specifies the protocol mechanism, called Internationalized Domain Names in Applications (IDNA), for registering and looking up IDNs in a way that does not require changes to the DNS itself. IDNA is only meant for processing domain names, not free text. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5891"/>
          <seriesInfo name="DOI" value="10.17487/RFC5891"/>
        </reference>
        <reference anchor="RFC7405">
          <front>
            <title>Case-Sensitive String Support in ABNF</title>
            <author fullname="P. Kyzivat" initials="P." surname="Kyzivat"/>
            <date month="December" year="2014"/>
            <abstract>
              <t>This document extends the base definition of ABNF (Augmented Backus-Naur Form) to include a way to specify US-ASCII string literals that are matched in a case-sensitive manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7405"/>
          <seriesInfo name="DOI" value="10.17487/RFC7405"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8552">
          <front>
            <title>Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves</title>
            <author fullname="D. Crocker" initials="D." surname="Crocker"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>Formally, any DNS Resource Record (RR) may occur under any domain name. However, some services use an operational convention for defining specific interpretations of an RRset by locating the records in a DNS branch under the parent domain to which the RRset actually applies. The top of this subordinate branch is defined by a naming convention that uses a reserved node name, which begins with the underscore character (e.g., "_name"). The underscored naming construct defines a semantic scope for DNS record types that are associated with the parent domain above the underscored branch. This specification explores the nature of this DNS usage and defines the "Underscored and Globally Scoped DNS Node Names" registry with IANA. The purpose of this registry is to avoid collisions resulting from the use of the same underscored name for different services.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="222"/>
          <seriesInfo name="RFC" value="8552"/>
          <seriesInfo name="DOI" value="10.17487/RFC8552"/>
        </reference>
        <reference anchor="RFC8553">
          <front>
            <title>DNS Attrleaf Changes: Fixing Specifications That Use Underscored Node Names</title>
            <author fullname="D. Crocker" initials="D." surname="Crocker"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>Using an underscore for a prefix creates a space for constrained interoperation of resource records. Original uses of an underscore character as a domain node name prefix were specified without the benefit of an IANA registry. This produced an entirely uncoordinated set of name-creation activities, all drawing from the same namespace. A registry for these names has now been defined by RFC 8552. However, the existing specifications that use underscored naming need to be modified in order to be in line with the new registry. This document specifies those changes. The changes preserve existing software and operational practice, while adapting the specifications for those practices to the newer underscore registry model.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="222"/>
          <seriesInfo name="RFC" value="8553"/>
          <seriesInfo name="DOI" value="10.17487/RFC8553"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC9493">
          <front>
            <title>Subject Identifiers for Security Event Tokens</title>
            <author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
            <author fullname="M. Scurtescu" initials="M." surname="Scurtescu"/>
            <author fullname="P. Jain" initials="P." surname="Jain"/>
            <date month="December" year="2023"/>
            <abstract>
              <t>Security events communicated within Security Event Tokens may support a variety of identifiers to identify subjects related to the event. This specification formalizes the notion of Subject Identifiers as structured information that describes a subject and named formats that define the syntax and semantics for encoding Subject Identifiers as JSON objects. It also establishes a registry for defining and allocating names for such formats as well as the JSON Web Token (JWT) "sub_id" Claim.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9493"/>
          <seriesInfo name="DOI" value="10.17487/RFC9493"/>
        </reference>
        <reference anchor="ID-JAG" target="https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/">
          <front>
            <title>Identity Assertion JWT Authorization Grant</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="TRUST-FRAMEWORK" target="https://datatracker.ietf.org/doc/draft-mcguinness-oauth-id-assertion-framework/">
          <front>
            <title>OAuth Identity Assertion Trust Framework</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7033">
          <front>
            <title>WebFinger</title>
            <author fullname="P. Jones" initials="P." surname="Jones"/>
            <author fullname="G. Salgueiro" initials="G." surname="Salgueiro"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Smarr" initials="J." surname="Smarr"/>
            <date month="September" year="2013"/>
            <abstract>
              <t>This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7033"/>
          <seriesInfo name="DOI" value="10.17487/RFC7033"/>
        </reference>
        <reference anchor="RFC7489">
          <front>
            <title>Domain-based Message Authentication, Reporting, and Conformance (DMARC)</title>
            <author fullname="M. Kucherawy" initials="M." role="editor" surname="Kucherawy"/>
            <author fullname="E. Zwicky" initials="E." role="editor" surname="Zwicky"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.</t>
              <t>Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.</t>
              <t>DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7489"/>
          <seriesInfo name="DOI" value="10.17487/RFC7489"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC8461">
          <front>
            <title>SMTP MTA Strict Transport Security (MTA-STS)</title>
            <author fullname="D. Margolis" initials="D." surname="Margolis"/>
            <author fullname="M. Risher" initials="M." surname="Risher"/>
            <author fullname="B. Ramakrishnan" initials="B." surname="Ramakrishnan"/>
            <author fullname="A. Brotman" initials="A." surname="Brotman"/>
            <author fullname="J. Jones" initials="J." surname="Jones"/>
            <date month="September" year="2018"/>
            <abstract>
              <t>SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8461"/>
          <seriesInfo name="DOI" value="10.17487/RFC8461"/>
        </reference>
        <reference anchor="RFC8659">
          <front>
            <title>DNS Certification Authority Authorization (CAA) Resource Record</title>
            <author fullname="P. Hallam-Baker" initials="P." surname="Hallam-Baker"/>
            <author fullname="R. Stradling" initials="R." surname="Stradling"/>
            <author fullname="J. Hoffman-Andrews" initials="J." surname="Hoffman-Andrews"/>
            <date month="November" year="2019"/>
            <abstract>
              <t>The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue. This document defines the syntax of the CAA record and rules for processing CAA records by CAs.</t>
              <t>This document obsoletes RFC 6844.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8659"/>
          <seriesInfo name="DOI" value="10.17487/RFC8659"/>
        </reference>
        <reference anchor="RFC9728">
          <front>
            <title>OAuth 2.0 Protected Resource Metadata</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <author fullname="A. Parecki" initials="A." surname="Parecki"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9728"/>
          <seriesInfo name="DOI" value="10.17487/RFC9728"/>
        </reference>
        <reference anchor="OIDC-DISCOVERY" target="https://openid.net/specs/openid-connect-discovery-1_0.html">
          <front>
            <title>OpenID Connect Discovery 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.hardt-email-verification" target="https://datatracker.ietf.org/doc/draft-hardt-email-verification/">
          <front>
            <title>Email Verification Protocol</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
      </references>
    </references>
    <?line 1486?>

<section anchor="design-rationale">
      <name>Design Rationale</name>
      <t>This appendix is non-normative.</t>
      <section anchor="dns-authority-patterns">
        <name>Following Existing DNS Authority Patterns</name>
        <t>The Domain-Authorized Issuer Trust Method applies the same
authority-publication pattern that domain owners already use for
CAA <xref target="RFC8659"/>, MTA-STS <xref target="RFC8461"/>, SPF, DKIM, DMARC, and the Email
Verification Protocol <xref target="I-D.hardt-email-verification"/>. <xref target="TRUST-FRAMEWORK"/>
§Authority Delegation Model covers the abstract pattern; this
document chooses DNS at <tt>_oauth-issuer-policy.{domain}</tt> as the
authoritative publication channel. The <tt>name=value</tt> record syntax is
closest to DMARC's, and DMARC's operational experience with the Public
Suffix List and the organizational-domain boundary informs the Subject
Authority Determination approach in <xref target="TRUST-FRAMEWORK"/> §Subject
Authority Determination (see also the DBOUND discussion there).</t>
        <t>Unlike CAA (deployment-time), SPF/DKIM (spam-score signal), and
MTA-STS (inbound mail), the <tt>_oauth-issuer-policy</tt> record is
consumed during user sign-in; the operational consequences of that
are covered normatively in <xref target="operational"/>.</t>
        <t>Relationship to issuer discovery. WebFinger <xref target="RFC7033"/> and OpenID
Connect Discovery answer a different question: given a user
identifier, where does a client go to authenticate the user? This
Trust Method is verifier-side and authorization-oriented: given an
assertion already in hand, is its issuer authorized for the subject's
namespace? DAI is published per namespace (not per user), over a DNS
channel whose control establishes the authority binding, and it
carries authorization semantics (validity windows, tenant binding,
format restrictions) that a discovery record does not. A deployment
could layer client-side discovery on top (see
<xref target="assertion-issuer-discovery-client-side"/>), but that is out of scope
here.</t>
        <t>Relationship to the Email Verification Protocol. EVP
<xref target="I-D.hardt-email-verification"/> also publishes, in DNS, issuers
associated with an email domain, but for a different purpose: it names
issuers that can <em>verify control</em> of an email address (an issuance-time
question), whereas DAI names issuers <em>authorized to assert</em> identities
in a namespace (a verification-time authorization question). The
records differ accordingly: DAI uses full issuer identifiers
(including path components) and PSL-normalized Subject Authorities, and
carries authorization constraints. Convergence with EVP on a shared
record or node name is possible future work; <xref target="email-verification-protocol-bridge"/>
sketches a bridge.</t>
      </section>
      <section anchor="rationale-generic-name">
        <name>Why a Generic Record Name</name>
        <t>The DNS node name, well-known URI suffix, and version token name the
document they locate (the Issuer Authorization Policy), not the
identity framework consuming it. The wire format is
subject-class-agnostic: no member or directive is specific to email
or identity assertions; the subject class is expressed through
<tt>subject_identifier_formats</tt> (<xref target="RFC9493"/>), and the identity-specific
machinery lives in <xref target="TRUST-FRAMEWORK"/>, whose own well-known URI is
identity-scoped for that reason. A future Subject Identifier format
with a DNS-publishable Subject Authority reuses
<tt>domain_authorized_issuer</tt> and this same record
(<xref target="TRUST-FRAMEWORK"/> §Future Extensions); an identity-scoped name
would force a second record at a second DNS name. One per-domain
policy surface, extended through registered members rather than new
names, follows the <tt>oauth-authorization-server</tt> metadata precedent.</t>
      </section>
      <section anchor="why-first-class-tenant-binding">
        <name>Why First-Class Tenant Binding</name>
        <t>Shared-issuer multi-tenant Identity Providers (Google Workspace,
Auth0 in some configurations, Microsoft Entra B2B in some flows)
serve many customer tenants under a single issuer URL. The
deployment reality is that these Identity Providers are common;
authorizing them without tenant binding effectively authorizes
every tenant of the Identity Provider for the namespace, which is
almost never the intent.</t>
        <t>The <tt>tenant</tt> member on <tt>authorized_issuers[]</tt> entries binds
authorization to the specific tenant identifier the Identity
Provider populates in the top-level <tt>tenant</tt> claim defined in
<xref target="ID-JAG"/> §6.1. The binding makes the Subject Authority's choice
of authorized tenant observable on the wire and verifiable per
assertion. It does not eliminate the trust assumption on the
Identity Provider's tenant-isolation enforcement; it makes the
assumption explicit and auditable. See <xref target="dii-multi-tenant"/>.</t>
        <t>A generic claim-matching mechanism (matching arbitrary JWT claims
against publisher-specified values) was considered as an
alternative. First-class <tt>tenant</tt> was preferred because the claim
name is standardized in <xref target="ID-JAG"/>, the deployment intent is
unambiguous, and the wire-format expression is simpler than a
generic claim-matching object.</t>
      </section>
      <section anchor="rationale-https-only">
        <name>Choosing Between DNS-Published and HTTPS-Only Authority</name>
        <t>Canonical DNS-first lookup and HTTPS-only lookup are not strictly
ordered by security strength; they trade different risks.
HTTPS-only lookup is resilient to TXT-record attacks but depends on
apex-hostname resolution plus the public CA trust system; a DNS
redirect combined with TLS misissuance defeats it.
<tt>domain_authorized_issuer</tt> in the inline form is resilient to TLS
misissuance against the apex because the authority artifact is the
TXT record itself; an attacker needs DNS-write or DNSSEC-bypass
capability. The DNS pointer form and HTTPS fallback inherit
TLS-misissuance risk on the pointed-at host while also depending
on DNS for selection.</t>
        <t>A Subject Authority with strong DNSSEC and weak TLS-issuance
controls favors the inline DNS form. A Subject Authority with
strong CAA/CT monitoring and limited DNS control favors HTTPS-only.</t>
      </section>
      <section anchor="why-https-fallback">
        <name>Why HTTPS Fallback</name>
        <t>The framework supports an HTTPS-hosted Issuer Authorization Policy
at a well-known URL on the Subject Authority's host. This serves
two purposes:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Backward-compatibility runway.</strong> Subject Authorities that
cannot or do not yet operate the DNS record can participate via
HTTPS publication only. The lookup procedure consults the HTTPS
well-known URL when the DNS query returns
<tt>negative-authoritative</tt> (<xref target="dii-lookup"/>).</t>
          </li>
          <li>
            <t><strong>Richer policy expression.</strong> The HTTPS form supports the full
Issuer Authorization Policy JSON schema (validity windows, tenant
binding, format restrictions) that the inline DNS form cannot
express.</t>
          </li>
        </ul>
        <t>DNS remains the entry point; HTTPS is consulted only as fallback
when the DNS query returns <tt>negative-authoritative</tt>. This preserves
the DNS-authority pattern as the primary channel while
accommodating deployment variations.</t>
      </section>
    </section>
    <section anchor="future-extensions">
      <name>Future Extensions</name>
      <t>This appendix is non-normative. It sketches features intentionally
deferred from this document; future specifications may register them.</t>
      <section anchor="monitoring-reports">
        <name>Monitoring Reports</name>
        <t>Monitor mode (<xref target="monitor-mode"/>) relies on consumer-side logging with
out-of-band delivery to the Subject Authority. A future extension can
define an aggregate reporting mechanism, analogous to DMARC's <tt>rua</tt>:
a policy member naming a reporting endpoint, a report format
(observed issuers, match/mismatch counts, time window), and delivery
requirements. It is deferred because report formats and transport
carry privacy and abuse considerations (a reporting endpoint learns
which Resource Authorization Servers a namespace's users sign in to,
concentrating the metadata discussed in <xref target="privacy"/>) that deserve
their own document.</t>
      </section>
      <section anchor="audience-scoped-delegations">
        <name>Audience-Scoped Delegations</name>
        <t>An <tt>authorized_issuers</tt> entry authorizes an issuer for a namespace
without constraining which Resource Authorization Servers may accept
the resulting assertions; a compromised-but-listed issuer can assert
the namespace's users to any consumer (<xref target="TRUST-FRAMEWORK"/> §Scope of
Namespace Authorization). A future <tt>permitted_audiences</tt> member on
entries would let a Subject Authority bound that blast radius by
enumerating or pattern-matching acceptable audiences. It is deferred
because audience identifiers are grant-profile-specific and an
enumerable audience set does not exist for the open-world deployments
this mechanism targets; a workable design likely needs audience
patterns and an interaction rule with the assertion's <tt>aud</tt> claim.</t>
      </section>
      <section anchor="email-verification-protocol-bridge">
        <name>Email Verification Protocol Bridge</name>
        <t>The Email Verification Protocol <xref target="I-D.hardt-email-verification"/>
defines a DNS TXT record at <tt>_email-verification.{domain}</tt> whose
<tt>iss=</tt> value names an authorized issuer for the namespace, using
a bare hostname rather than a full HTTPS issuer identifier. A
future Trust Method (provisionally <tt>email_verification_dns</tt>)
could let a Resource Authorization Server honor those records
without requiring the Subject Authority to also publish an
<tt>_oauth-issuer-policy</tt> record.</t>
        <t>The bridge is deferred because it forces the reader to learn a
second record format, a different issuer-identifier shape
(bare-origin only, no path component), and a different
email-domain semantics (the Email Verification Protocol parses
the email's raw domain part, whereas this document normalizes to
the registrable domain via the Public Suffix List). It is also
deferred because <xref target="I-D.hardt-email-verification"/> is progressing
on its own timeline independent of this document. Deployments wanting the bridge can either publish
both records (an <tt>_oauth-issuer-policy</tt> record satisfying
<tt>domain_authorized_issuer</tt> plus their existing
<tt>_email-verification</tt> record for other consumers) or wait for the
future Trust Method specification.</t>
      </section>
      <section anchor="assertion-issuer-discovery-client-side">
        <name>Assertion Issuer Discovery (Client-Side)</name>
        <t>The same DAI records that let a Resource Authorization Server
verify an assertion can also let a client discover which Assertion
Issuer is authoritative for a subject identifier's namespace
before any assertion exists: given <tt>alice@acme.example</tt>, a client
can query <tt>_oauth-issuer-policy.acme.example</tt>, retrieve the Issuer
Authorization Policy, and resolve an authorized issuer's
authorization server metadata to find its token endpoint (entry
order carries no semantics, so issuer selection would need to be
specified by the profiling document).</t>
        <t>This client-side use case is deferred from the first version of
DAI because it adds a second mental model (back-channel discovery
vs. verification at token exchange), introduces privacy concerns
distinct from verification (the discovery query reveals the
queried Subject Authority to DNS resolvers and to the policy
host before any user interaction), and is not on the Resource
Authorization Server implementer's critical path. A future
specification can profile the discovery flow with appropriate
privacy guidance and integration with OAuth Authorization Server
Metadata <xref target="RFC8414"/> and OpenID Connect Discovery
<xref target="OIDC-DISCOVERY"/>.</t>
      </section>
    </section>
    <section anchor="dns-based-domain-authorized-issuer-end-to-end-example">
      <name>DNS-Based Domain-Authorized Issuer End-to-End Example</name>
      <t>This appendix is non-normative.</t>
      <t>This example walks through an end-to-end verification flow: the
Subject Authority publishes a DAI record, an Assertion Issuer issues
an identity assertion, and the Resource Authorization Server uses
the record to verify that the issuer is authorized for the asserted
namespace.</t>
      <section anchor="cast">
        <name>Cast</name>
        <ul spacing="normal">
          <li>
            <t><strong>Subject Authority</strong>, <tt>acme.example</tt>. A small organization that owns
its DNS but does not operate an authorization server capable of
issuing identity assertions.</t>
          </li>
          <li>
            <t><strong>Assertion Issuer</strong>, <tt>https://idp.example.net</tt>. A managed
authorization server service <tt>acme.example</tt> has contracted with.</t>
          </li>
          <li>
            <t><strong>Resource Authorization Server</strong>, <tt>https://api.resource.example</tt>.</t>
          </li>
          <li>
            <t><strong>Client</strong>, a backend SaaS integration.</t>
          </li>
          <li>
            <t><strong>End user</strong>, Alice (<tt>alice@acme.example</tt>).</t>
          </li>
        </ul>
      </section>
      <section anchor="publication-1">
        <name>Publication</name>
        <t>The Subject Authority publishes a single DNS TXT record:</t>
        <artwork><![CDATA[
_oauth-issuer-policy.acme.example. IN TXT ( "v=oauth-issuer-policy1;"
    "authority=acme.example;"
    "issuer=https://idp.example.net" )
]]></artwork>
        <t>The quoted segments are concatenated without a separator, yielding
<tt>v=oauth-issuer-policy1;authority=acme.example;issuer=https://idp.example.net</tt>.
No HTTPS endpoint is operated on <tt>acme.example</tt>.</t>
        <t>The Resource Authorization Server publishes a trust policy that accepts
domain-authorized issuer delegations with DNS-based discovery:</t>
        <sourcecode type="json"><![CDATA[
{
  "resource_authorization_server": "https://api.resource.example",
  "authorization_grant_profiles_supported": [
    "urn:ietf:params:oauth:grant-profile:id-jag"
  ],
  "subject_identifier_formats_supported": ["email"],
  "issuer_trust_methods": [
    {
      "method": "domain_authorized_issuer"
    }
  ]
}
]]></sourcecode>
      </section>
      <section anchor="issuance-and-token-request">
        <name>Issuance and Token Request</name>
        <ol spacing="normal" type="1"><li>
            <t>The Client is configured, by a deployment-specific mechanism
outside DAI, to use <tt>https://idp.example.net</tt> for Acme users. It
authenticates Alice at that issuer
and requests an ID-JAG with audience
<tt>https://api.resource.example</tt> carrying Alice's email:  </t>
            <sourcecode type="json"><![CDATA[
{
  "iss": "https://idp.example.net",
  "aud": "https://api.resource.example",
  "exp": 1780166400,
  "iat": 1780166100,
  "jti": "5a17...",
  "sub": "user-9241ab",
  "email": "alice@acme.example",
  "email_verified": true
}
]]></sourcecode>
          </li>
          <li>
            <t>The Client posts to the Resource Authorization Server's token
endpoint with <tt>private_key_jwt</tt> client authentication:  </t>
            <sourcecode type="http"><![CDATA[
POST /token HTTP/1.1
Host: api.resource.example
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=eyJhbGciOiJSUzI1NiIs...
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJhbGciOiJFUzI1NiIs...
]]></sourcecode>
          </li>
        </ol>
      </section>
      <section anchor="verification-resource-authorization-server-side">
        <name>Verification (Resource Authorization Server Side)</name>
        <ol spacing="normal" type="1"><li>
            <t>The Resource Authorization Server validates the ID-JAG:
signature (via
<tt>https://idp.example.net/.well-known/openid-configuration</tt>
JWKS), <tt>aud</tt>, <tt>exp</tt>, <tt>iat</tt>, replay protection.</t>
          </li>
          <li>
            <t>The Resource Authorization Server evaluates the
<tt>domain_authorized_issuer</tt> Trust Method.  </t>
            <t>
a. It extracts the Subject Authority from the top-level <tt>email</tt>
   claim (with <tt>email_verified=true</tt>): <tt>acme.example</tt>.  </t>
            <t>
b. Applying the canonical lookup procedure (<xref target="dii-lookup"/>), the
   Resource Authorization Server queries DNS TXT at
   <tt>_oauth-issuer-policy.acme.example</tt> and parses the record
   published earlier in this example.  </t>
            <t>
c. The <tt>authority=acme.example</tt> directive matches. No <tt>uri=</tt> is
   present. The Resource Authorization Server constructs a
   virtual policy for <tt>acme.example</tt> with one
   <tt>authorized_issuers</tt> entry for <tt>https://idp.example.net</tt>.  </t>
            <t>
d. The ID-JAG <tt>iss</tt> value <tt>https://idp.example.net</tt> matches
   the single entry's <tt>issuer</tt> value. Verification succeeds.</t>
          </li>
          <li>
            <t>The Resource Authorization Server validates <tt>private_key_jwt</tt>,
then issues an access token in the response body.</t>
          </li>
        </ol>
      </section>
      <section anchor="migration-variant-pointer-form">
        <name>Migration Variant: Pointer Form</name>
        <t>If <tt>acme.example</tt> later wants to express validity windows, format
restrictions, or tenant binding, it can switch to the pointer form
without changing any consumer behavior:</t>
        <artwork><![CDATA[
_oauth-issuer-policy.acme.example. IN TXT ( "v=oauth-issuer-policy1;"
    "authority=acme.example;"
    "uri=https://acme.example/.well-known/oauth-issuer-policy" )
]]></artwork>
        <t>and publish the richer JSON document at the pointed-at URL:</t>
        <sourcecode type="json"><![CDATA[
{
  "subject_authority": "acme.example",
  "authorized_issuers": [
    {
      "issuer": "https://idp.example.net",
      "subject_identifier_formats": ["email"],
      "valid_until": "2027-05-30T00:00:00Z"
    },
    {
      "issuer": "https://idp-backup.example.net",
      "subject_identifier_formats": ["email"]
    }
  ],
  "last_updated": "2026-05-29T00:00:00Z"
}
]]></sourcecode>
        <t>Resource Authorization Servers transparently follow the <tt>uri=</tt>
directive and consume the JSON document. No verifier software
changes are required.</t>
      </section>
      <section anchor="shared-issuer-variant-multi-tenant-identity-provider">
        <name>Shared Issuer Variant: Multi-Tenant Identity Provider</name>
        <t>The simple example above uses a per-tenant issuer identifier
(<tt>https://idp.example.net</tt> is dedicated to Acme). Some Identity
Providers serve every tenant under a single shared issuer (for
example, <tt>https://accounts.google.com</tt>) and distinguish tenants via
the ID-JAG top-level <tt>tenant</tt> claim (<xref target="ID-JAG"/> §6.1). For these,
the <tt>authorized_issuers[].tenant</tt> member binds the authorization to
a specific tenant of the shared issuer.</t>
        <t>Suppose Acme uses a multi-tenant Identity Provider with shared
issuer <tt>https://accounts.shared.example</tt> and Acme's tenant
identifier in that Identity Provider is <tt>acme-corp</tt>. Acme publishes
the pointer form pointing at the richer JSON:</t>
        <sourcecode type="json"><![CDATA[
{
  "subject_authority": "acme.example",
  "authorized_issuers": [
    {
      "issuer": "https://accounts.shared.example",
      "tenant": "acme-corp",
      "subject_identifier_formats": ["email"]
    }
  ],
  "last_updated": "2026-05-29T00:00:00Z"
}
]]></sourcecode>
        <t>Verification adds one check to the simple flow: in addition to
matching <tt>iss</tt>, the Resource Authorization Server requires the
ID-JAG's top-level <tt>tenant</tt> claim to equal <tt>"acme-corp"</tt>. An
assertion from <tt>https://accounts.shared.example</tt> with a different
<tt>tenant</tt> value (or no <tt>tenant</tt>) does not match this entry. The
security properties and operational guidance for this case are in
<xref target="dii-multi-tenant"/>.</t>
      </section>
      <section anchor="failure-variants">
        <name>Failure Variants</name>
        <ul spacing="normal">
          <li>
            <t>A DNS SERVFAIL at <tt>_oauth-issuer-policy.acme.example</tt> is
classified as <tt>indeterminate</tt> (<xref target="dii-failures"/>). The Resource
Authorization Server does not fall back to
<tt>https://acme.example/.well-known/oauth-issuer-policy</tt>; it
returns <tt>invalid_grant</tt>.</t>
          </li>
          <li>
            <t>A wildcard record at <tt>*.example</tt> covering <tt>acme.example</tt> would
have to carry <tt>authority=acme.example</tt> to be accepted. A wildcard
with a different <tt>authority=</tt> is discarded; if no other recognized
record remains, the response is <tt>malformed</tt> (Indeterminate) and
the assertion is rejected with no fallback to the well-known URL.</t>
          </li>
          <li>
            <t>If <tt>acme.example</tt> rotates its authorized Assertion Issuer and the
Resource Authorization Server has a cached virtual policy, the
Resource Authorization Server may continue accepting assertions
from the old issuer until its cache expires. Subject Authorities
are encouraged to use short DNS TTLs during rotation; consumers
enforce a local cache ceiling per <xref target="dii-caching"/>.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="document-history">
      <name>Document History</name>
      <t>This appendix is non-normative and will be removed before publication.</t>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>initial draft</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8296XIcR5Yu+N+fwgeyO8pkZyQJLlqAq1sNAqCEKnG5ACRV
dVkZMzIzAISYiMiKiCSIIln/71vMjzG779GPMk8yZ/UllgSknm6bXigSyPTw
cD9+/Czf+U6SJKbJm1W2Z3deH2yaK3tUXqd5keDfyyr/R7a0J3W9ySp7Xm3q
xr7M4OfLHZPO51X2Hr51z88vy0WRXsNjllV60STXi8tNXhRZXSdlCl9NljxM
6oZJchomefTILNMGvvj40eOvkkdfJ4+emgX84LKsbvds3SxNvZlfw4fzsmhu
1/DBk+PzFwam9sSYfF3t2QYn8vjRo28fPTZplaUw6bNssany5nbH3JTVu8uq
3Kzhp79kc6vvkTYwnn1TlU25KFc75l12Cx9d7hlrE0srRX/74y/nNo2+clml
RVPTL/NlVsDi3tq0rrMKf8s/5vVZ5vWifJ9Vt/TDo1dnOlBza0zdpMXybboq
i4xeIDPrfM/+FSYzsXVZNVV2UcPfbq/xL38zhr9Ks4P/t5bX+k9ptbIvF9/L
UtNvyuoyLWSysFbFMltnBU6UfpvBLqz27HozX+WLf30H3/c7NV2U18YUZXUN
X36f4cNOXxzuPnryTP765MmTb+Wvzx4/eap//ebbXfnr108f6We/frarn/3m
6a5+9pvdx1/pX589e+z/+kT/+tWujvDt02/ppydHyR8Pvt+j6ason+jKH+jK
007Fm/s97tQOfy+tLrNmz141zbree/gQJC5tqnTxLqumedZcTGHVHoIIP2Tp
xR+J3OoeJ26PSYb/kZAcPKTRWX4v0lWdwb/PT386O09enB68PP7l9emf4onz
GeyZPp+mFxXsK4rs75p259Dly2DaFzp2d9ImLy5a2/71oydP3K5+863b1cdu
p55+tes27Zl+4NuvH3+Df319cnSYHJ2cHb7++fj0L601AIE8ObKHJUx10dgj
PSd2d/qo/71L+Ea+nBZZ87BeZ4tafpAseIjEHbVk9+2j6VVzvUK5SY6mV2m1
bBIS+gR+n1/kCz4Y0YSO8ff25+D3gWL4Hfsw9NSehU9AP+MfNp3XOGJjzPlV
XlsYbHMNQmKX2UUOO2qbq2xYdY+ODk7GLEKGFfKeTe0MFOevsDxvUVnU63SR
vY1U2SxS4RYkAJ9i7iuiNi/szVW+uKK5lTcFTKS8sKmRx1r3WDsCxQ1rsFqB
qiRNyLfBmPVQfQXvl9p1CSrp1sC/m7y4pEF5KrH+hdnAmtY2b9wvcHlKUcJG
DmwOP4QJNldpMJGpPYdRr7PFFajI+tpual3ZV2fJPK2zpXE6OmEdyQ9dp02T
VYUFuavSpoTHpyu4aZa3sD/rVXlLi3d4cDAxL88PkrPzs4k9e/NiYkHJ26M/
nbyc2gN7mtXlpoLViLXUGb2Pm4rRJVnKguCrkRDd8sukRc+982Wtt05eG3/H
6p7KB+EHnb2ZosBldlWW7zZrkbalnePDQjGEv7Mkw41dw/P37CXoigJmY7qz
wYWHFV5O6Nlb39usSrzseRfOZHIHugf+tWIZ4JWZmsNVDs+mCfnrFoWQ5dKL
rpwTWEpYZzvPYF0ynLufcvYB5A4fB5JYZ+sUtjmjDy9ALGgfcTmyi6yqYH1g
oItNs6kysi+m7UMLZ7uMTq48v2V88P7e5DAMq1/eYfxCdDJBzdUwcM3iC3PD
Z5DVY51SN6gYvf6C48hPvszgXOYLGVAeqROdRM9xZhdYXdVmga83sYuqhOvE
/QZMhHle8DOqzSpjEZeNM27j7FEG5+VaPwkvsMjWzZRV3XW+XK5A930B1klT
lUt4FJpOonj4QOHsalh/1ATdK1iMMDvKppfTiVgIEzB9jL4uWAPJPIOVqrxY
1rCXVXWLQ4aHaLFK8+t92PTMfPzYurw/fx7bIuMNT4v6BobbyWs+G23pCs+d
U0eg18tNo8dOVBJ82Z2/P+yAbihCMcdp4XrTKbzIlqhxcH2us+s5KL6rfI2i
WJSwe3PRCcGvyKScWHq3VTgT051JWtyiNMHjNqu08nPaJ8nx6pt1O2gWUvQF
anHZaLIYrJxvOHc0m2W2yi5pzqJc7nNvqayvsqZuXyionWE26XyVdRWY3iET
fCP4JCudOmvwu26PDD+xfW2gfsybun1D4BVVZQvwB0BkChYbevlgi3MdsFjB
MbcjHKrOr9cwx0CExyCUoK5yVAqwBYX94fz8zVlyVda4wX88e/3Kaw04JQ2s
E8oniPBVVukNMHqfrvIl+g03ebEsb8AzEH1RZXBUczo/8MMmK+BYWDigSxhk
Yq83qybHCclcx9PghIIMwZdTvWzmt/T8qlzxPsq6ijrBC7PIVnvm5qrM8LrC
ZZGFhxezs7dicLJPJ/r5I1/zn2f4MFjmbHVhevU87cPMfVz1HN+5F+VqBe+M
1yscUDE3P3+eWLlqLf8QzFH8YXTtmtHHj8uiToJLnQet4WCDcIL44dREv9Ii
bL2tanxX7+yFth0Yk9fBrdhzR8tteHDm7/q+C6/v/l+Caocr7uYKzkjGVpoM
i+pRL37bc/HLcfmyjm58ee8CvAIwOos6p2M8R2umzi8LXv9tdxZaGfZiBauB
5lp00vR7vABoMNT7cKd2XtWQrrghPY5KSueOi9cZzNuJeFr90GYJl+eiWd3y
lOHggRDuWtB0IAF0acPHawkGWDydsl2wWHDrksGAZ7mwParf/vv/Rlcl+aWs
ViBPTqvRwM/xEWAvnuv60V7DL/79f5/7JY0XD5Zcvub3gEyF3HvpuJbiIL1w
un+vdwHDM4ijscaqaRbpHeYmfNdkoFY2aOaAoFyDGQIf2zR0KfhbB6YGJoaz
B2DeX3wBQ694EeHCqe3HL6rw35/9q9G9X4ElYNdVeZGv6IroW2iUVo65dI9N
vddvG9qc7wm/Hj+UK5j2/p0Gl3zRb6g5gCddgPO1r86Aav8RTAz/SRoc5XC1
qVmFO7U9xsMAd26fvuTxukcjmgAs6o9sfYM6hrUCe6SuvV7B3bxAT3KxKsFB
gZn9fQNCzwYS68Y+uwXkUEY9a8jAxnFe4DiHNI5IYPYBLg2QmZ4RJmJFO1My
NCGNu7X4JootSXudLq7gVqxuJz1yG9mGrKzZ9COrLlFZkWuMrN7AuDb3tavd
F/ASyPNE/w2qf+L2GR/O+9mzfTV+Nfi5Tq12Q4jbBD9fZEs4H1aexT/Hj9GF
F10UaDbX+sHwNzqqmfFF+Nbr87es5GOPnZfO2RRomBlvetj3aZWjOQBPIl8h
uaZvJRTE6AZi6UY8sPMqX15mqJFx4lsiI3Cl+IMiSscseh0y70bBCtXvsmaB
11taiw/FQojx3dqQJuYfJ/7Hnz+z4jksi/eoH/CTZFm+y8B/oufvvATx3Znw
f+2r1/T30+P/+dPJ6fER/v3sh4Mff3R/MfKJsx9e//Tjkf+b/+bh65cvj18d
8Zfhpzb6kdl5efCXHd6Bnddvzk9evzr4cceZ994TrGgt52CDoQJZozbEV4eN
qhdVPufL5/nhm3//v3afwqv/H2DKPN7dBftG/vHN7tdP4R9w9ctRIfub/wk7
dGvS9Rr8HDLnVytY5jVY5SswBmF56ys4uxYsBtTbD/6KK/O3Pfvf54v17tP/
IT/AF45+qGsW/ZDWrPuTzpd5EXt+1PMYt5rRz1srHc/34C/Rv3Xdgx/+9z+Q
NZ7sfvOH/2HQxTwnVVOuysvbtpfOZpj/PTjT5XWfJtxzl6npu0wnHQ3fo/VE
QRpWTpNtmmsSXHJ8p03cXTExgR2i1xYLxs/oJGBwauqefuIMJVHTteEbg21m
jLDT0XoNS4YLgTeTxhFYBQTrtQc3xlZHbs/skRUW3QRDEaWJDx+mPfEDZ/CB
V4/2SqSr/4MuHkUetlwcRyogH7+I7g1WOXdYFqnt2aC93ncctbeZ5pp2Xdwx
iyq8V1Ma8a7JagM/8fKqCaINcfAzem38FJopZWWuMfqFv1h2JBdu22O4u+2s
c/fUMwwqVPySxvv4+3ZG7ulbPD0z2iT5wQamspqJMd6Qee5WJi8MOkzwZXZa
Z+SEgTOSi7ERfBZfLxBLdnI50nyVVs4V3/cBb+8gvBW5b49v4vHd6MMnhz2M
8L42nWu/dZvb93wkYTfUdUvFQ1Q7N4hAkiPK/sgc4+TgtFScAfBLnc5rulXA
wGrQwroM3mMyaGwWZdPnG2pQ2HgZqWCsagn2SU0LDK5ASdOGN13DZ281NuBm
Pb3noaBIR8lrSxH8JZ9rOs9T80aOO5xeupToIyjw6JVYENQ8tZj8BblcOx/u
4a91Wcz2jbjv6J0vlzn+hjMNC4w50ksEA3BIkfSHOjVLM/sXGgpO3sVF/kF3
E61u+DXFCuxJY69SFk1WoTiMxN1AMzrRc6GGGWhDvUtBIzcVfIFlqMeV8dJG
SlJSIdbS21J6Y2pfsC8imfTOKLmYxKo5K1pJGOMGfpnxuOjwoSViD5JVOs9W
oILODk9OxiTjFnaY7wXM6KL9f51XVYnzhlFw6Jl7ue9mlj1vdHLVvi7qhK1B
WrBDtysyD5fEcBMhIR6K/WOoeb1pyECCb/e7ON1vxYHn9AK9NlzFW/8aODDY
xrWzxflApE1/YOoaZLxPHUb7S/KdVlVKR6QTJhTRr9WnAksGbEKTXa+bW4r/
0t9kADwwmJBAQc/x/Bd5uhrwgl2+iiKxPjKLN19RytNZ7MD0rHL0+XGG9YYu
XhE0jGaD5EsGuEf+90Un40xsk76D0bOLC5xJ2kRhMHzBDG+XUm4LDFLQPg95
PC5dCGp4dl0us1lbdtB2xHwpPPmqKjeXVxyNF91kxFmzmMQpFnDZwJZTjF/m
KzeaKB84xHBcrZ2JRwV/HTqnW0JafBoVJtKXoHRhOR8Gm4SyTy82pySURbVe
rkDWxRX96fRHVnywihdVeinR4es13N9Fw5PDz6AUSdAYLkOLEdOr8HOvSkto
jlUQgGKNstQcmD8LJGB4TGl6qVzZiKrApZpxmoT8Gf4OX1PZBzBvyLlL6kyi
XjBITctos79v4OFo6pSLJmsSeGRCfwNHF7V2Xjf4avSuEsXdBW8HBpBAcqAY
/UxZPmBs+B1I/Eyz8ilZH7i37icPZzTjJeWUF40GwtlghtVFgwAchsukXqX1
FdpGFtXgAp1YFCYMQHTXED6BeiFbTu3/3GScFeM157CitS0vBlZ7kaIXfI1i
K5IB7niKQAINjqFtTFf1hmAkGJSb9gRT4YCVdaYrTIpbZADv2dn+DI8cDjPH
UUCLwAmu2c3EDZV0BdrT9N0+5U2rIwKKC+Ii0u/xFr3KWhEwGBP2McWQknX2
HJ0rddBQFIuEdVwdnDDZZQoXiF0XxHZt12iBxe/xrGDa8JKwA7RdZC425TpZ
ZaARgymJCGM2J1ePJDBl7AiWSFOJHz/y3+iW+Wq6O57CQL+A121xPcl/ib78
Ze0f2X5gsJL8Xb++dHxAhllDBuqBzZShc+XPwj5eFf4V6BZbpYt3fKm2JkLi
za+PsrLMQYVXHCrCZy7LjG3FYDakxKf85mx8TmAMPDm8Xc6qbtRWmTLuyks1
5wRZtCmTRrqqNTXJ5IYZ6yCFS4FBDh4LCAmkFAbhiVJEBCea69PKa7g39Qkg
ajxXeks9oSp6avi7LcGjOw+UXEoZcNUcMFgZCqbPsfHTarWQa7CpbeSfTFyw
HlQFHk26H9HoGukHeIwxKPIcrpjvN+A8FIuMZJ+Hklgdvjo+N5FdcGCdN1X5
Hk5QRUAGiqXh4Q4/S/6+3eoqtY5ubNoMOkjsacJ3R0FsYdyfKu8mq0DTXdC2
gcE3ETvt7m9xsiKATsD5KlfvyWCmQfr0Bb9/4LO23pemj1BHOPvovCXoqGp+
yTmNoaw0VYb5epSLmn0+vV5pBvz9A00zVnRvk02Kfu01he1W5eJdUr/LbnDa
5SqraONH/8//+r+fgRlegG1Q99yZdDsX8wvybl1kVLcAIZjwDmcZ5Yft0+nu
9NlYoun+Gepi0CmiZQvXZh+dsPBd1X5Aay1y8+EHnEyg4x2s1DqtG87DNYRq
gI+EW8Bf/8/YA1QElbgAwUaAVeSXO1gIvthZBGGYUkK5FL5AF4BsUxPOko3F
ic1ycpJnGaIoF9kMHwsfL/KmrGAFl9lFCifQ/97ceHUKgg8GMn/W4iPYiXOu
8xpPdE0+7Z6ToNrn7nK+TVYlO7XlpgHNldn5xuncKiP5D2Aw9GqZmacgTOSu
gIjVzkiXySQ4GfLkDnQ6bHnwQrA2NeSraJRAbif4GQg1W0h0P20KNC0uCz62
HPOnVyXPUDawhsuC7DnZSdxHWViNIdIjcSvAWGvebtYoGct4S3oFByXBIxX1
ZWB8HMebNzgypr/Bx+PPtHabfkVnLkBqyGgSCcBJ04UGJqaLNIAwVZlc/Sy4
+kKDeWd5lkRQXoqlKGeXnwWjKjKC7hv+hjcqBT2xqdnUCcxrsZJZTX/9+Bu8
Eqw9aWqxTxaBKQDfZOCG5h05y+D8M4ydbdbrskJ4ucxBloSiYzUuwn7wBdZ7
FLsME5nbfPzetZDc161FAOHKR0zkGqCha3H6xCzDDMwl3QAg0l1Xn6GiWbas
SQdbOqv0TilJrH8fAj3UtiUsuJuzBQw1w+V8wzgNzFAldCttOPnnX3ooGa5v
jIPE78z2UZRMxASYM401c+oNTrkPl85zpgjwBcaj8ZveskdUAoWXzo4Pk1qf
r8k9jRj22N4UscaxYIsv8ksMp6ESgofA9+e0SY1EXVgEpvZ5iW6qpFjJP2vh
H/jMwGQeSmoW/VraHjVeg3OsXgiHKCjTSZcAPGwtDtsE12HN0aoVzJlfU6Oz
EgIO3g++HyJy/kGIOlkCfQ34OSbXcHudiiZ9wFKCItACcuuR4sMvQGjBGYgN
g+sMI6rPtZCobxcSKelr3Cy3hwnuQsnvvMR7vC7JYUsDwHN6WSGakYwHGCOv
gpNJFzEJSF6TqwGbl1ZLVNqoGUmyI4V4oDYhKyQ2ABn1IXYOyiFJFg2GqyzL
IxaebGGdXtC+pPXdmvEQQ51w4mGEl6xzI9OKpAQDV6Sa3LVD2+d2gFB611wS
E5xqWP2JpEgspUjwmJNOZd1Or0O3Uzj5tCZHRO47WKlW8ArOEo4V3YEyIlgO
HyhG3dDFyhkZ0ISiReC9+rCByw1HwLN43UcyLXBDLXu+8Bq40QT03JbQYSU5
ju5t5w+ZeSYWBIY7zqPwd3CAOJBKyn3fxRVpIzDuSibCBeOMwqfsGfNJttF+
sqesG5ccqH/oA/TwuwMX2adH2U/mU0L/CwP0xN7hG7UYZ5WO+imKN7vocvci
oDH7luuTd4NcPNcNP+KYrkRy8SS3Irhj+H6GkciMhY/yCRqG5Ie6f/TNvr4F
EVg0UkfBJm4nyOiTO5wnQcjsZeiP84PU+fYPYsUBy/uJYIH8FqM6c1JGJ5P2
YGyjVe9LtgUrxQ+ooyfQ9wMvYxI7A/DPyMKDb/Tadd0x2TTtfSsNtQxZ6d6M
lSxJeBr4hePrvvcptTcS76PNBmwbehwpgbtW0u3Vvs0IaxPpLBvoHEJDquID
JxvEkAKS+oqj7fpWtS1uvnHB7/uHvlOaqotvT0xqGTb4nmLZYki4yHfaE/jm
TKKbsXHHRf2C4w8pviBolX/+858WU3rmIyjnnY5+2NmzOxl/GIsedzDisNM9
8fCxv1LJ1kf60yL2H3+BX9cQc75cT9tD0UeHjwcOu0PVYTt/cx8P5B+Hf/zo
8dfJo134v/NHj/bo//6Na9E+T+6aUrqgLEg95ZiRTs9PjU9/3yL8hpnzZOBP
eoed8MDKC3yVPHrWeoHPuDOIv3jj7Rtj+qxxj/i9A+dnYtN2CLoeHkYzhOrD
C44GQwu2BVeZfTz4PENVXjZZPQBjr9CGrdh3ZfsO72Y70nQrLuPE9KZLCWUa
TNuVpp3/+VytxLQxA0B7mNokuJibAD4PS4KFaYqWn5gIIW+3IuR7oJE4L8PJ
QI5q3GSrVfKuQGMYTy/HFnpLuQiMVtYNY/kCCbCHukcfv+jdmOGiSDBne3c7
cPECxM3iqixxXanUD6fK9XysTH0oGwHr4OWuqTYpMzVIfKH3Lt7HcFZxFmLk
KMjDZRQo9NtGhpo2MpSNqUUKapH0awdKSjbtqmGY5UUONrTBXXOCwXsTLL9P
hApCMCo6lwSxQVQtl9xRAIrwUJ90B+BGcZmhTx4I9SmQcYHlws8oKSAldc4e
E5tsd4+wCiecbfpEUkyKXZT2d7P+zNMnzBTBidEkDdyc8NWxzCuoUOHjCBMv
r69x32FH9+IiArmFGFPlIS6aWMUSG91CnPHjPf+SyQ9cn8NLHM5+U+Xf4WO7
ZTzsQffKfSxk9AYD73Pw6sie/3imp8ifSh4DnoWPRFs5mL0rD7K/pTxoTLUs
OgUsFYMnXcJ642I8ge2T881r8AuK2Z9IzHCLQt+1bzGwJEivI3ixh1Mvpg97
FBiuqLy27mtXuaK5HEg7zysuT6CwJ+wtItvDGZLCGXwhUFv9dxBa9K7IqVWs
Jd6WaEHTOYyiCzHurXpPJZ4B2JtqRYBvjnEawRbV5SpWaCM9mU+olAzL+y4p
XxrGD0DbdWuJnKS3VgPMLo73S5UfLBy407OCourvsyRSGDP5JmZXa4YySwYy
iABivKb16h1tZ8xrXzuNmG+EaoCJx6kEXeVW+QVhScy6ErfHpdHzJvLlwgOG
HoCWsME387JK0qrxIRBNiw3ceXQxymMcsEx18zy7St/nJSWiULuRUubbDCd9
ypMW1KhXawyR22bihEEHHMnf+fVdlz7DbfjU5BGUytxll2DqAV9blo68BInh
8PXznuGBsD9iwNRtjJjPc2F8NEPwHMUhOZq3ZLOGV8/4ocXjcBVHDoYBx4uD
YAFEa72p1nhp77OYgTOcqHYrS0x2o2ElIEcsZlUbsLve6iacXzn4RJ1dcliN
siCBqcUZNOQ+ITwErwdemwVlmXTqUilOmchlC+JvCVsHWvcDnPzU1ZO6QI5h
l4g/RaiYyOecgC9J+TmwRNR09Zg7zmUj3Y08hus3WROijz5FlSbPhGEfeE/w
gc0vNJBcc/DzHVzks/ff9UjZ7syMYhTC2HLFQa0qsG5g1SdWYXeCC8JKhQuZ
ABYqG+e03lzlDd/F5PQR1hVhK24t9+0qS8nG8B8VQTMc4cL5huk6h80N3kcV
BOc1MSxIEQDDO78X4R/4GyMO2pBHhA6rVPj3L8zj2Vilzi8tcvdIbkMXXvOS
aR2HAEcMtJDNHivDAEcLnSkpXyA3CeNeU1EyMapinuG9LX6zpGMwXRathyYF
5AloIMObhThO3lcuj79lvVJKvWla+K3G0H4aRhbkZa8JFhi8fRRbaANq+RhW
6EyS4UQHsDuo8DEg1osrzGeoRr4j8Z8ZN/facTbQ0oE4Te0bkFGqpcbQ5J4x
CRisTpxG/B9cdbIY8VQisnEOu3pNcOEG0ZSOKWLJeWSEbWAIzy+a3zNc0QDb
h2lNBecFckwYHH/u4VbC242KZMmeaJ1wd/RpO0aM/TVW9HSA5CWTnebZwRLW
rMBUTyAGKNAUU1iYI/fUQP/jqc8Ld+75+1MsM/Eomlg10PMph0gAb7TXKjyf
9IyD4N3q9YrqeAu4WshDxi8K8JCVCl2tdvbdjIpZBOyHoAGQWL9mNNFQ6YuK
T1gf0IDVplAjxRaoi1HX4EEPNZQ4YzowfgYTDLqPQY2VjEqR0cZD2CKgooNE
SVazVX2I8zs8ndgfxQ9/9dOPWx5Fa6cA4QB03dyU9KhssaEfRCq0VuMPkU54
K73PKHcQnp7xlhPLGJLOmU3sT6EOC46fwln1LPDxXodHEKkw3ksN4Ob6OhV8
dNHC1B88f/XC8PWLJGNY+ybZqra0KchUywQ9QOzpI7y2DZX+uJBnJSCZHFXJ
vpgsmHfheZEyVwR0TsUPoF9qypiRxc8MMVMOLqbz4sLIqsn/fGdf/3LmlC7+
/cHI7uzvBJs2tn+ln+Av/2b0o/r1/1bv9N/BO17RBU+ig7Pz3Y5IJPyITCxr
/YR2YQYHP7754cA+tEcn35+cw3933u7gn8mOHRv+pv/8g/d4BJKihFW+zk30
L5zgh8e7yRMc7L99eHKYfH0MX9q3Px/+cHBqR/TLr4/HBFeq8TUNzjKcDszm
7A18+4fzg+fwdAoFxhmlQKIIt8vKb88D8Jvb7w5i5P39KirU+iJsBsOc0A8W
pomoZOLeBROMFQ7N4RDoIABCAuhcIjq3GUDwW5+LogJE/NTfCVbMwUNhCIg0
/ThCl/Sr6m6dw3AaYnsZBSaz1e4QDFBYCdKLHhXY9SKtlmgAILuO7S+ZdjDF
IDR20DUF+NrSJOg1ex1gl6DvNFCYEprTAxrNUEQHLslWarsIoPgiS0octC0W
bV2AIEbpz5E3JzI5KSBALzA7gEuOU+V1Jjvqgieg08GKlRuyY1f0ZUnwnSTG
dnJ29tPx6du+t9tS2xBiLMUM7XqURNiCE//tqSDjLuqgCKKvBKL/lU1fRYQg
KvHm9IDcHE0ZzYC7GHoBtjhDesXDVmzfdy9fHx3HC3X8G4F9FHU1UqTXC6WD
44EbT0JLDw3ldS0Zu2q5b9DqhXdeRkJMKFlMVLLdTFervBahHMNzYC7ylVTC
KGpGnjghn7I9hNzhjNCWTxp39VJMmzZtn+CCH/CyZWnGIZDkCImkKESuKHcd
JFTq0cq33u3ALQlLh3c+2O27KWMkYOv76vDGDgS/lApPg66lrj/Hcv3yoxff
mOADLlTtPsP+V/SEOlRLhUTzVLADLGPgDaHt2KeLemOQOJKGx0I8VhqIkloS
JfIrEULQAX4ovCLg2b4UCrFGzHo9fzjcjNWU4cXpTKm8qzEC7ClLrVfVaBnd
eoN+LOM3yObi0BkfeJdrwJPPITQfJ2UzQY/btmJT0tc1Z4DNb4hAszEyHExr
h5FaITUO78oNTWR+XHfeH18b+8vBZXNY46u6ZyVJo844zhem3CQrB16+HT19
+mQ8ceVaQRQWQXPKl7X7DG2TnCEnBWVsKqR8ndAgEzY3KBrTp1x7Y8tkBtCL
ypg02RbOdVQInCwAQsT8GPPstpS5zyixPEtgWXN0H0OeUC5pMnJB9uUeJfkV
1g5eZK6MxeMKCgrV2++Pz4MCZP4dZiDk2gp4+JSDxwX36Ip2EfF5uUQMGBfL
RRmCCPwRu4B01ilDMEfNoZYfh2Y7eimXV8mWXhXfpLf7XkZw1pr35ROgIfsc
AUAoioMvZ0CRM8R3QuYbxljgYmeQB2NKFM1F6xkHJIYzwSCURl6F6XO9lHq+
GoaBg9q6N0cNj6K1H3AAaZmE1kIXkgCbIVozsiMKqTZNnRHWmKBwRKAql6ty
jtdZUpWbhnBU6XKJtXREFYlbWtZJXVcXtJ0kVDobIj9dCRT+Iv+AvKslK0/1
2llCKwom6aYaBe/jG+oXUj+q1PU5oPw1uq1RmtCkxeKqrKKX61NhzlaX7B9F
x1q4RSEK4fOhc6gtmO40+irHGisQlmfwoDVmzAkvDJpEltTelJvVkhCO8P78
KUHR4jVc0j/z2tFdMS2OJcZyF0seiEIck1i6hWH5imzolj6NbEnvSQwY0Fsf
wHaT2pXuQFbZZY5hHxAU8gLoQ6IXCDeXruQA8V3RvzF89VxQkHC7ouMAhhww
oSf7subBlcnZOt4y+dJY80V8J7sZ63zz2vui+IIyC4ZqwHSJHeFHZPxLV5c4
46vrLSj2Lpi6VZ0/Ojk8ePWK9ubN6cnPB+fHoPUYSl2Pg0ojrQcTB5gwJOQi
6vaUkWvVfbEwljfXeINi4loiGAvgPgoLUeAGoyoFg+hFnI8cdl9uK2kHQhMp
fUK0WeFWhMQoIQNkXijxDRZm56zNY6x6WNfGYU9Qz4iS1QuKXvwqfc9ql4qw
NrV9/OiR8AQG3BiE2e8ybFhRtnewaFhh0UDsuPBoBN/AwOR1RkFbsQ3HIeaS
Jy2TI/x5sCkcZYn1QGg7tnl7DlGrYV36xy/4IuGNchdwspAPqGGpXxSKBL1G
pPxoG9qpYnra1t6q8biVni6Eo8XmQRhGcnLr7Q+/amRw1FfpGvlA74hNdFgV
FLdEqgKP/YqYGhXVDqKxAb21H0IuBTDu48ZgBq70OyZIXeLd8utG7p8SDiZj
hria2Bhiwaw5KypiyveEJJ+EMyg+miAFpnMb7LWXSllf2uUhlGAS98989dT+
KX/Ol8LBX7RCDm3VFWr6at+HBGXYd1m2ZkFQVkG5AHiozuLqNNTh3IXz1ksi
onXLrblgfCscVFjUpGq0INsVvXi6UohKibk7l/pJvp9JQMDNI/1E7KjOZOOE
sq4OGvGpEVvlKqWr3x3tcc9Maqr0xNX3wHy+/U2cR52dXCSI6UpeYlxwNmZk
GkwCFeeKxkgXnu52wj4z58efPHrqJWRAC4QH+MuaTwMthCvJ84HkiToBfno9
x48IwoQ8840LU7JPKjFKeGzptMWdR50haD23/cEMcdDbmVqFbKJNPVQ32Zo5
qcw2yKDQh65WCHpcvNPLow1XMgxXAtlCCNYQFEjsU4yY0bU0yPuMRoxn1oyh
Uu2nEkPiTdmP2Q2L6XsuvEN+X1wPeRSFwRhBBJJb1MMvA8qF8m1FENU8433A
9aLVUgMvK9jZnefLJQjv/Pb3MK4ygEX7fNhXMi9hfc3FG8gChkdQg2GlHL+S
EdhmL0sVHgb3hKJM3JtQ0AWvvbxA3AiXN8Lr0LvyXe6pdezRyYsXx6fHr857
8YzafYFBuXLVeSCrF0etPW3uz2nKrxA4iJIuQD/RRB71/fxFW79DjmKQCNS0
YC6umKVZz67gQ1zipQ/HB2+6q0wvClBjqJCcWwk1IiFhSm2Who8FaFK+0TQu
JspNWIkGxRV/t2df/fno9cuDk1fkR716fXx6+vrUqzSmkOIuBbUU/UsNGGeC
u+HRWk6MJGqnPIc8tIDl0WfHpz+/ODgBt/70+MVPZ8dHEyu3DmrsTSEnVzGH
9WaBZXUXmxUt9S0VF4gdKRYfyy27g2DXvGf6HFdnhGAEPSKwTHDMZXapZ6rS
ZYlWIozxduPB7fd9TDF1jzuU/QCpjh7Eu5NOqVtRWi37lrInNeaDOOhyS4GF
T5LBBSC44X53sCeDJ2P8vjyeTx/04GyoxxrZX/KM/jeZBCWQgfjamTP/Zvgc
GYMzDV2pi7KDCuvE0FOYweAhlJvgXg8eHYT/lhE0rrLd1Zt0rYuxkRGeK1sW
KVAq+grN51YyJX5ZXYkgCezFIkjMtsHwErHPi8Vqs3TCw/YhpUCdVS7OByan
XMqCMyQTUXYioOzSkwwqZwV/tQi/iwnCW2aIc+YdA7EGl5aP5nw4PxVSVLXi
m3u6yAl+O07sOuIu+ZIrzXNMSpxQ4miHrlArsaWC05IV/9jXuBQ3Od7xEjKW
WK4GPvl2SDk5sSYYmB7DFqBbSmQlXBu2T/JGovt2P/kvbzgFFJraUeIdwEFy
O+RGILbVdh7Rpdn08OmJE8d7z329oRJwRZqVPiSYzzEVK8aiGubzTRMttHtg
4goQWJwpJNQWZ6TXkhdzI+jUHa/N4hb8g4xYJri9lgaB4ISgxWsfp4SxTIPd
dnevPxCqU1Ef85QK6lrCFhb373Ej4LgsDItpIAojuMXUq2dhEwIe8ooQnZVX
zQbsnWhTe+1/Lh3pqVLGWSORzoEy19GRKjJl2h0o2yb/imGIejxakiFYOnc4
uodiao+5+LtaUjsIzhCzmYCLIjVPQ0T1SgjpitFdTlaQMSSd+IKCzZXFYln6
UuXaWY9cxRPlf3U5LvpfgGygOPNuKd0k76KXmAzZT1J6LN43xcdww6UwWmsh
txU5T1olzDidsIp5KmN0X194fRZCzLfMXHWZcDSr/kAvX0YR4mtHGJAypxL5
zuDswzdyvuE0fUZKi0zV8x/dHYS/DnjneU0W1KzhkhzfJ8Pm0IBlOgmUpmNh
8QZ1nLNshc+8Sx+qUGOeDs8itk0n6h9g/AIvbsQBwOOHCETVB5bVFIQ9AgMa
6uaINhx+H0HUFMitoxlgeByTGqW/MIgkJko1lYhqJQUlvCWZHx6niUYdrE6O
e6+o5RW5Uwhw0BNd5yAwTNcEoo+ZHvLpdVnXufRnI93iYt/GueiIt/W9INg0
jXrA1dmKEjpxQs4E/tZv6Bwh+lXjDxQecO2E9vFeyTSdNVgHQzgSdMaYotKE
3SVGqaoIKdUh8P2mAFdhSXF+1fiEilhmU/v81nCUtwYHxdvY3k11BTz8rkIE
KIlNTF5uD8sIHU3BBQCUPKQdGsk/KiN2JD6dVpEsQkcEhLIxZsOkDnFxaW1a
Mi4m3K9ut4KOUkFjmIipzeTXzEqDdWIuCBAFfzRhTnH0F+KM/aCJS452OVOY
m8XIFFXG4MJds7RTdiYgEH7ooxsPTZzQWwWtblx8J/RXPLsbVnKZAVqCrZEW
CYQ4OK+JqKZG+FZWuunAc9xUcZQ4+YP3Ybh6YZapHTXa56B1thSdXGXk0hSG
O2zhV6LBxxLMBdcZduKS40N57Tx3WNxaQvPSRAm3wK29rDtTweIiUBkvrQcW
l4Yfldpc+HW4R/AvVsdiM21tUZnWQW5k5DlkJ1F3pH8R0aILgS7EPq0PZhQZ
tj32kNbsYGDUt++SMDSc2YBwhgIM2bKWVVMvyQf+Y288sp8czbawnLSIWuCW
FXa94JJs2T9TlxiXm2HCFoinXZmQyY15ttd/0tqcKNc2lGnTPFrCWTThw0GF
juHw0StQOHA0SFeNo8rM3mi8WzNixL7KVss43h4msh0Gc5FxOZ4z5J2JgLin
7IbbsF3Aw6+w23R/HpXQKfg8Z/ORoJKecgAEtKyb1sNxeglbwOklvDhKrjuk
XDg9GNV1qV24fXiHnsKiwbI+3X2kgehYHPe7n9NAbBeUI5K+b5Eqyt8q/fHK
33B/Tu45WWKvDIxIlymWT1M3Xdj/UT0OLxW9l3ktY4X8ibx9jsmJyojuFb7H
yYibwuWHvgmaOXwK5xmsNo7KXSCigaWbGdqwXH714AHeuVi8/ODBbw0oUlI5
DilOaUheN9KxiGXDkRHqlGHngomifXAgdx072ABiUCZSjRXDXATwET5BDxo+
4NmHD/v26YcPYXkc7hweA9y6MAEG4z99tDuBP57gH8/gj8ffwh/PdsGHehyP
AcoC061P4Kds4EvrDkf1SCaETLGnmFxYzdHKQlURnnwYonv290GEfbmgV044
CcK1cTbUav0fUTz+I+PcIun3NiJ/kGVMqJkLYyNj+UthmJZ0JbzTHQl7xv+Q
JKnr7y8F3JsoaKkhTT7IUeDTsRvuD8UofXySwO6tcemqQnTIlkoERouT+xlA
0Pcj3DSCdIaQ046xWlHTLReYQVdDoOlhpqu+ZZCDtiUsuO+h9a2wnJGAQ73v
8xDwTe8l+ciMR1IHZ8uFyeKtJBGMDkLMgcaPzbeaLvsUtfSEtSGo3A6uUJ9t
IgW3FFiIIvgI5kQNKkFm/J0aFMTsvl4zx0FofGH6xpmdCIXuQ4xH6nTaKZWS
3+FWLIh9Ex7ZhER8pHRf6p4FEh7SC4Tg9bITm0UmTSTrzapLMoa4FRN8eNWO
aUw7sWcRW+NpRDkTH4SMdMCs2e8EonwIypfuaIXQRIKBC0TNJ8NZjS1RZ1fP
G51YVzMxCTylNueHvL+TfUEHenbyxvsTaRi27Q/RthZIkfMDrzwH0/Nlb4wc
36UVJY/D3bRQlFLWbmpDGU+uqy3Xm1WqUECvtAQ+SaRYOFDnvckQzhuXgseG
voHs602KgRofp/HRZ7RU8IDgohQLpCwcnGbO90nKHUimkbxvvYpce2QEFsQ8
chjmRgSnc/QcWaLvHxAR1kZ1T7WPKUq2xX1d3rC+SpfljZuJMkm4j/VOjV7t
dbGKyrH6eiVJvUX2ga5LCjS4dLyHlYZtK3oI/V0nh4OC1WUPCoDApWSHShCE
WSbdYWJ0Pe2NKFOVwPYEpCbTaTBXc8TeoHNUyFCYiB3iW14I2etV3Hewy8PK
OSAS/2GPH8MvfmjJtWHi9IC9HbWfQnmW6UlLJ8I8wHITpqLf81fqnRV+W8Iw
E10lhGa0fK59iVxFkd4Qz8q8+7T7BqlX6NDGj3TNn2pCN0UdXTnWEzm4xvwi
KC17T+AGudPqNvMubQ+g4QvsEbJCc9TZgHC7oGeP2GKYNZBcDij/3tQ4I6yI
W8ZReyDoF+t88EG/oX722B9AByGr7SljiG8nCvOL3orRCKf3RZXNb11jM03L
bSmqnW6ReuMTuXUPrEhx76SY8+BYaDrCWKvR3eiURCeD0UAK/mPhd1JJq9u1
eJ5MWVJvg+zCl9tDR5JNIm2Io3ZRY3b0c2i5oBKuYWFq7U1HDBkxRcaYUhJe
Tl03x+L2jlSdTAtVKY6q+FmeKy0GttEtVfbUuENkpIOcuPuJ2mlJqVGrLxfH
IloECUhspjnOVt8ghoG28CVSqxKATDrMFT7NT9cMt3gLrCy9xRh8yZE+vlaF
f1dBHcF23auJUtCcyc2u1aKpfxE6r6574baD07P+mo7r2IfbK2mOMJoou0Bu
3Ohq15eOumxqag5EqfXKGpVz+sH+RC+YthidqYCJRwnM53iwSd8D1le3tSQe
xfOUYdpPbtN7cAbay7KDji2GRGN7IjXQ+zKDbnuhdudRjCfK2YZDy7THPAku
k4660rZzs2zghp28tNsqXq66CnUYHG2RLNqRr43GPjKKfNh+dHQD+xqqoL3u
/NGwsE56zZ9La4PgwmW9lateJQ/hiQuNW+m+4OFwtCkmOH58YkbpOBlhPQb/
0znCE6l0i8vYKcEaggeGdF+fL6ddBkNMFr7cvCxhmoXdoePn9Sojv3aoHC4s
nSNlyuaGq0RBg1nLFwKwFf08NOqk5o7yvFy6RTdbq/cts27TC5ZET8UdZFTe
/VoSlB2jfXgzKCXgGcKz7S5twWOVNkpD1UgFtS/QGwVBEv6t9rM07o7thb1j
0siH+gXSKiaLD8JTTUhspLHAiGGi2C3rbL22QYc1t17G4CETLgzhFZODQ9VR
6M9fltwKca71XXgmhhJ4h/S1Q/3aYfC1U/iaI1e7zhouhr7bmuw1qlzZL5NU
zPKC9QCp0BnHiTkH+lKaMGHeEWziSOj7a/M5wa5ILU4mx04RnLwctgc9VqNG
AzFfsV2HWkuL7rD6hi6PkqKWGFwHUYWbBlPoCZwxdN9y6gBCTS9eBj2j2tzP
QeY/oIFGmT96eXB6qCxJ3yCb/mz9HcJmZg7mBRMZKH03km+Y2HJOtcSupBev
PNJc08Bz8BnDHtSPUzIOmeN1JQWuzq/a5buu5xXVPoCio3i7tOek/iFB+UuJ
cQouX1Y9gezVLmUjj/dW6qjb3CbyM7VHn3qluPQSBiaHB9lGmvR6PVYOwL76
R+yGi9doIeFQ7pRDfXKm7B27xrmqoj1sju9VjK4mrJ00zJhw3tIwE1B4XYRn
GRcDfkEKzh3qvSgcH9ZJ9h4m8Vxd5zBaSVmFqUbi4hfg2QTq3uGdqGUciw2D
NowJhdqm1GHYMThm4UYSXaDPCK1uvbQZDUieBHnGFON6kg5LJDMlipJd3r2W
S+T8oRrshZUNMQOjCO4jJx2PuAgWVbTb1GierhHUEDuUPEupY3c+mXtcSr1i
BBLQXpE1t3ekKxX+3vAVsYdX04qYprjrI7dmJpPPBMX+me8XUkuBWua7wXuG
bO2UAao+R4HUFyFgpmyYllLBObukBJMw8eJWaehskdEe4MMEBCGpackD93Uw
l+PLpe2xeGCdEwg/1SgJ5krU0NKfRF5A1/aKeKc+fgwIgkHj6Rsj7TWTuAq9
JO6It3aQWQ8P7efPRr8Bdl8BFwfsBHgS74iyBdyDy0s0HSjIgqk0bgyvBCzz
WzEcfJ3iMkPntzJOBSWu/R6PUA/W+IKpBu9QXpYbIjEjbY5qtdqkzEcKJiNc
aQgmYdONOUwTx5EnlbP2kINLEvvRUJMxh1GUyQdKtwQiWuQBsoPScYuLjmc0
bHLIbAMzVCNxaB3tOWpJwHhFS3aa4FTPBQYoqBPUnPDKkn1IHOQwxECyWiry
6801D3fh1Bz79CEO9oULi4ZYFmrVwFqHThMe0vYjUJUSdanRdlZahq/voUH2
NiAcPkILQ4GSYPKoQ7ccizYPkK+x01AGjKU8sNiS+VZ0nSyCcgbtWnBMK0qF
bxaUIN3g1YDrIKFLdHulQiF7L6CCaZckQs9nSODFDfk4XOmAJOJQXuLLlpyu
iYNEfGeM8M2urymauWcfP6V51uOWbQ5vY6iaqCVX1AmMR5XOVqtlSF+rswli
pzAOxaWCjtcWGaZ5v2g7hFsFFnKlUVhZJCQGuWQaKg/kVBhYUDOL1+rBX5h+
pR0j64kkj9BVE88TDT42cGAQeO+H7aOkkiN1tWkrsMa19HFcjf4p2YvVrXOs
2+AfyktOONvTBtPqq8R7qDktrZNBLVVtCj4gLRigL+viNpzUVrEsHNyARXTP
6XrKtBPDEDZnD8Ego4HE6rh3KXy6np+AMtLHFVNjH7WQV4df1ac96Gi7giSH
3mzzl7AZNXY1NTJrOvPR7AgJxaUJdjfhqZF8ScBByoG4Ml7r5UhtRuhlMjFr
MP2QoILtQuodhW+CBzVwjJ3qBFEg1SWsB5RNYBWpR99iIrCAt2b6F/z246c8
SREXPCqv4no9p7bmunouy6GDkP8tI1Db51JeUNbzpqzeidG+KlNOijranags
nUIppIdpT7gNgEMFzmGRL8IS40SbpTTpu4xSVTxXsqHXrvIwaWVdKMZdXyFg
RvuExSrrGYqY9GsOOHzcysiBUS3rH6+WKgJ1cukCvMouQf1foxx5C+AHUmpf
1rQlVdwoUjA63HqcJ4lvE5EHMFBQtGTsQHiJ6PpkZN3HWSw1WSW+L2NysTs9
HmMXeUnUm9EigfXqj6Hvb01TAy1UzRnghWewuq73Wcjjh/O+sJbvaQPNYQp/
UhGzQQh1dXx6M4ZfRD/AbkQhfG+4DdGWFBnRKrjgp7Ox3Udp41qZtH5Gnekd
NfcuF+K569YVCE91G8qIcflGF77sBwDUDjbOFlg4Q6NpsVojxa4BfYdXNF5R
IdG5HYoK3XccTaSNOXQztP6tHRTenh4EJoNrtuzjtfjRrnkSs3ldBV3qzUnL
uaLChHyoG4ULhLsS+buy8jqrOn6urhD4AzyCDE2GYy5JCyd5QV/qXsoF3Jn+
5mjjSZe7t93mhbxaE3Uo5sB4fxUZ2x7BkVJSgeg8FNK6yrEr1S2uWcpGMHCN
GAnB3iCoWiIdj9pLJWjUN3B65BNdmtoHD+J+ECYg5QUHLC+m1zmaO+VFU5Jj
gj30Hn7k8ZJ8+fnh+8fTR7OxBrx7IuR//dtUxQseiVQoJDYc/u7y4RrbnSZH
EVoZryCrF173f/wFmc/CpCEjhy430mePpl4HMTK6SJht6xj0LephTw3sVi7C
PXbby055sc+oF6G+gfgoMgbNZtuCu46Gl2V5ye0KZ8444yDf9/Qb+wsYDBzF
4LERI4io1qtsOLVI+raVS9y+bQ6rQ9uGROKSyYzEUsrApLJooW+rnCbhggTq
WMMOeMrWKLbk1PWU7YUiTl593PSSNRa2YhzSaq4d4y9C2pD6JruuQ/GdoXfj
qTR+I2LBF2OZu0nB9wSIz8zoW5si8Vr2XmuumEdxCOa+ZY58C7omNjOe18xI
o9W8Zj+S2UTKTllAEJF/D2cz5eYQ960PCMjOEkKBHfnhfpbhWlfd0FjGnGEc
NmwpLhFMogpZraRH+Zr6YxD/nG8xbpyRgcuBucvWOI5+kVRHnywYpT9TI0rS
u4IxrDRmdBa4Rg4A1OEh/7LuFEgoKU3at+Zy9o4OTowL0U0UW8x829HV4/E/
fEnHV9VPoimpUQA9YNJ/NW8zCcwWk+AuoJ7rIGbSoivw246iCoaCh9pT/j3q
hPvA0rlw7WjfovQ7RUNGlpwc60+OJ1w/ufBZeQ8d0dZFMz/kTDZaN5aq7e7u
FduWuq6fM+nN8wVIMeMMmt8BM9NCHz+RoFle3Bewa0SZfiNKbQAO6EbmloMQ
jpm9IW+My4gIr5gLfIoK7rAWOwCZZPZikN890rL3A/khB8L/L4B+An/6zwf6
vXBl81tpIkklhhRV2nJSSQHad9xvarxJqMHeKny67+6RdGdCXbmXt/HB1UGn
praJL+wXzpPf1NrgMi68Y0ygo9BqXxR4EHqKSXyoQrhbOkQ/2yDBUqocgCAF
C9rBQd4TBIlfH8BB9oEgn0YgSM0kBFFITh31Xjxi/+MTey109gXjfLor+oz1
zITfWnPRbVSQf6NtyX4iPt8uVKLHA93u6wmoirv2VkjkwaKdzwJBFhe+TFCH
4zPBdBGbyK4JYOta3FxWYTqIQo3Uz4f4iPtYBFhPTnjq+ObkZR5jYVtBAqQx
90UmdlVIB4BPuXSdVdj38JPisQd7HdXuhhKa1N/JD+YoflqODNPDM0WhJtmt
0EXilp3/eJbEeWbaB/L8TgPiAl83zn76yDMg+5rWoPMzL0PQlZMnMnZptXbC
Tkd0P6cAeRPV7bOIoFcLm/ocywFErizZzyjbMsHWNghbI9FmCARBgg5ynKgL
iqeEptd/gemxoU4STek6QNOir7MPoMzn0ogZ/f2OQdhhJgS/4BC7mqtPJcQI
AmJiNBb8LlmmeRDH/IWzS8MBL+x/ud3tU/4QYs31Rc8SWzkcPCHg50t40lUV
hzeNaXMoiVrA+4V62AzfMI7wFMa4m/JUOzRvYVyMqV/6G7jvFGEz7AmfCrbx
fDOonb6SnbTWRHIlXSaF84pKpumIKYK45UyKYpTISqf4nFeYSG4dr0HbE5ra
n6iPspGriJO2ypmMtguchdoOacmQS9NYp5mDT/grbZuKoOWaUnbQqYYwud0+
4ArvwLUkeMxWGQ0Slg47RgVAgbzWhJJcSZ+W9+3asAB8fVTSXQlnlnIMOEGT
vgcbIp3nK+wivUTipcLFGPZ6U3P0IVVeGvdADrAW6YvjkZEkXlJeJJLEm9jn
37/B3oTVhsIRY8EXcSoeHx+QuQbS4eFTE6RSzTx0Niz3l7CTywu3zy/lSc40
SIUJONBSlVAVMZzEIWeEFmCLeSv9XfnzyQLhDiiIvovaCehwfzm6e64WVE3b
4uEoRF8c3PTqYDBTXGictekrh4PyZ/V5WTZIqrsmHpwvQznH4J+Q/6Owqj53
rGWdVgQjKpuvWK8sPXVxhySlYVg0P1gSmmQ+wlVweHBgpbfPs2+la/nL84Pk
7PxMfv70q120a98Q+Cd395oB2V3xkoya23VZ/x0koqGCV9AWOYKRpLmBZiYn
7iUqI3HYgMKqw2LDoHNuEYVWTVUuNwsuTYvDJ6Q9e5oqKGGYlg6YejOXvI1L
luZgijEFwr2sHBP74PsqGH73pA1RuIMjJCJaJfzBKKUx9voOlDMezDnzjWuL
eRakc+WkoDbrLL8YpJOfJk6qP3P7mNCR8RIPT6FLdkt3Iur6lYWmx36vueWG
im1Pk67gDt8PEUytz6POnPbhkoibCDQnbvscLyqcJIgFXs4pIeoIMQhCU6WX
XAWvECaQYKOaPpRk1b7CAKG9NbShSkGDiDthDvHs07ZkstxpRTCFVXlZd4Km
/jyL70lHSntEoIpMJISKvxDlNUBF/Ruo0UB+4R0aTHHTNcibaFqbeMEOR99t
y0dFgA31proA5VQbtmh9WGDYJ0EBGbb0yGDDryhBMt1YbO4UtZfSBNY+8Qcf
32xZivfPSN2+25/FKjTh2QsLAFYHYPbSPhdSjKE+ESNvN0LCh+AunqZEiQXR
btluZktXi9XbchjugZcuRBagJg0tjkGREpkj2EalkCTNsON1qkZi3wln/MR5
j8vi+NQTbqCW1+8YfwHaslomGDK5TYJP1Lzw6syi8t2PPShMOTEqth03j649
vGho5djbGEIehjx3252VEf0I58i8atg3pHqX0fE9PHrlqMGJFVGGcp3dhAVl
ka9x4TllJ360MF80iLsFZXsByrq5ySTYgEVBoTVHznBeLzZMrYkpFkX+Zok/
6JpSwd3w2pn230k4GjPbDgCDf5doZ6IIeOyVihpGgkoizoiSTCN4h4S68zkT
D35TXtAlHDubZJqwzr/Kf4Vjuf0yJsMw+CRYVbUDHaHU1SX6grToJpjnkIiw
SO1hXjC0ZRMju7dC/GIXhhBePgyjdWdWeTiMa4JUVmK3tg1gF7NDTFhWZBfY
SFlReG4qF6BmiuVKe9RJP+fwFvNJTU7DZZishVsPVUTnIg0uwWWScpdeJpTy
ZaEwGqK9jQYg/PrzYWHHGG+7KxkBo17cExY+f3Z8yET4NvaHnDCgaEz6LvAv
Q0s457o62IYipGgKdj0aUA+N8V06i2UntIGSNg2Si1g1Ik153KPM5SbF2qks
c61g8kt+9j8UuBq8pyYEY7w3t8j0jd1ZnuotzcQ4W35SXCCjp/SlMYR/ZoXz
C5rPfyLz+Q28b73flkKQ5x3hEEXXe8fU2Boe3eNbO4x5EU+aCgjYzWNFBGeY
8oaYePOb4paGPFOyEVELwykmIKPeEn3t9pZBX4GhZgJRZbJgzjkusuyrcw/b
c9zkqyWNL+KLZSN4dWK4kOrN3lOLLuTakl2Uz4vqd3aDdeY4XjTK3B+2NKRp
6GtgsbR6mVo6aYZaC/QAzN9z5BtPoPZ8pHsSNSMFxVif9HyTcaSLVj1DOzG2
b5h9R7CJXRS0w6DHj5DsmXhVKOtBuiHgG/E/paAUV3umPTzGuMjDFMvUA09A
v3TeUirrwNr2dVCVov6+x+5tryegk3sHkILjYPCGkmd0SyCEWDRz1wxBFkPG
pzQOCiqaynAEmqvblloaHZU/PDwqzxmW+j5rQlU45i6kcIMmLj/jXhYBIYM0
kHLhYq5mpE1THr56fXRwfoCku/nlJb9BT1hQl850430HHiPu2MB6X1+MmgBf
5W2BwmeaqFOLkExeZthXIuPWpchwX7hLzqbS9o9iV2QrYI9SHScyLqh1KIHz
RyVCc1yHROaDfJ/DQUNVSLaahODIgBPbhWmvYdM89nh1G3UkJIXqm6lH9o6f
cxKYCEGFStSFrk+AjKygZG/YZuiNnKsjGc2oNiJ5GPO7KgvCIqvsJE2ZBHSR
ufO7OG3nogUadd1+Re8H/Rv7+JF6wJVc6ltc5JfULxGejFqfWrkRYay0qSjM
puB3z4IKwbgVe72p13B3lUUfUdxrX+7mPZM+NdB1z4U4zlmZVq3MVbl4tx86
QS7C5XsfFZqWjHAWNngbDhLB5ex7apbFQ/2HEGeDxiaGjZLCfUTUuZD22U7Y
CO6evi9zsk7cbQWOposqgEzjVVYHngUF6qQFtQvXsCcg8Ui0Jgj4PeR9sTPS
STwNF01zLWOFwUpZHMfMz/R37Vo4rM+RBCj3XZ9EVilcBXQDcrdRsTRLyi0P
dxJCf88LhdrvU/s9GNZIrMxgRPB1QvOKnFG4MiMsLXhy9cQIxTViTSZ2CXvK
VV6kSbB1a5VpFmOANMkMmHR2i0mHFk2VZRiCTRyoktN8rmJcN8Vz8in3OlcJ
x+ElJbKrJY+RE3NiVYJbzzxd2ogNv6KrzgvJlQ6TiOeSa6VU7c1vJ/2bgZcy
JR41vI4R9KG+UZrqxH409EFj+/mPGE1FpocHBLSsw7AWnTG9Yfzaa3nNH4R5
U3kzY0X7oZWo/Kp0YqXh8yojP807RT5PSsfJWIHdptU8RxVz6yPwtUZJuu1U
U6oOS1bU24L2NOiaO+15wcDMoTLHzDXDIDLW5XsKDEkt4nqFChpFgDUU/jxO
5XqCiIRyq0fO6PJUEUHe46An9XONrN23HnlfBzgO6r9JNZsrOPqgBBlpyn4d
urBsQ+cVxW3YVNuzF6t8vcZfCdSCNIsjkUEqOY+8kONBT2Mm2aCLEt3jaNOC
niRHOSee1YlBQICMp42MXP9xjMWM2jgQMpMkyWj4FDKFhb4r7Mue8xs2hfzK
NetkP1kjV0Z+jXRXmlRQosCEpI6ZMntdRvqq4k1fZk0KBkZKcLnu3oChJM1q
Nw1VY8n9hWSQ+FAB0NNn84LOM6Jddfq0/nvWcVrMMzrT7BzCQhpns/fG0cMW
GDMe8q0AtLQuzaeJpahN9zyFhwoBDs+F+RQnvvqsMDxj5ptwhWu5OmtaLqUL
2+32aiTqzCwE3nqqpdrrkhKfPciUgoXWYDxe+Dm2Ff0z1QHLuT8iatq1bAl5
fzEpWvYR3EQ4M56geDbItmL046MWKwCCQUQoryMSCl+T0c+l0OFPmPjKM8dP
kBcuZ0Gjsi/riRu5UC6ol9Q6NvBweZpl5VIxpiYOCNqzazQg2aKUvggoaKvI
pjmUfZWUuuMNvgbVJbaNbr3aN3cW+oSgI2YgDjqxaZhFGT3rBdgO8IJi8mNt
irDEXofsxGi0wQJxQh8tZUpcTqMZR/lil6veozgw5+iw3hqLhHNXuUsCoZS3
rbYNCusTTij6LGW1Vhvi4OG01g1Oe5TTXTF20DvPkhroE/SYhdA7TAbjbdnn
EShP0If1qswb45p809V/PYd9pcB0o2EyOpZEbjq0xGIw5FVrf8DVWJd6bEGX
Gt/xxmF92+3VXzoaix+Rnx0NY2c2J0TZjgKDIJSDKJI6ffCArpt2BhJvOYxa
goxGLBkYhcHh70qrB91h4wICiuLgbmh608O01rCTFD/SkmMNz0b3O5UoLUCa
cOp3QRRjmKqxjhNoG9IB2UxqLABAp5UNGCbkFWOOksk1l/7Cft+BVMD5MmaG
+rdYRHPgzg2tvC+doy5P1u6I+vpzwN/8Dynf7Sryg+lOGBamcloODLuOab+l
VxrasCEdH5nRrS4sSHUiXPK9jdMtU7RNulR7vD9x4DmGc9KaUF1xSBoexzY0
XeXZu9Fp9C3umeUJBdfHmPU4a2zCvYE3VaklHh2u42vkFPoRfdvkDSKjT2qL
zV0Oolvm4xdoq60S8oHJIYUTt6VQVYFOIW0SDvClK77FWIPhAfg8+aG5qVZ8
zWndS4jX3kPkGBKL1U1fJayeg+v0VqE4rEdpJlo0bIIbk00sMlZufcFcPDEC
zaB14qCC/ZgvrnclzgxqVuEGgUufQHcX5WpJfAOoGhIwrinkRbHUNSfhVjn1
aVut0nVNCbO8APOLLMSSms6CGib7vDYux9p++/3IzlS/UBrsikXiSJjkiSkS
LRSSPfWul3uZJZG/Tc0x+1Og0ik0GKyTflQSWpUG0Jton4138DxTkVc/EUwH
W76kq7ocaHlOShNvuA5u6h9CGoOyfkaU+YnIBXG0J+ccUHAl32+Y3KpSFFlU
38hmiYYpeBjaTO0S5Wo69ebgZgPXRPmDgmykVF3DDjzGz3Fh2HGBAZYE/mOP
uQ4VjshNabzFQeGGoL/Cgwc/FcwrlCL8gIxMqsPJ63d8l/REL4lGFj5I8OS4
EtTrnYh2Pqz+5oJXV99KU097FhIFmThTmPqA82ENb2qvu6xzb09JzFLneMjM
ELd5B/7Ss/HBoDdpRdc+Wn744iT8+AMOXJE/FSylsDsEpH4LARuasA0ym8HE
cohLEQJZBSB7LjXZdbni2Tkk/q1elx3pIdIyBOBWfMGmjV6hmihGdailg4vq
dt2Ul1W6vgK1FWQB7T2qaMRsrZVw2Jdsmx76aiTMRyVUaDkxiQcj9+X28Ufe
2K5UfKmV3sGCYCaU/HuJphxgzqa7agTyGXG0Vp4O5iXtwnxD/C2BO4JabQm/
9oHHsWXUqWYk/dKSJz/ted2Q+6pCajP0lIaL9hnNXKE+uqDgoyfpiVWHSDo5
UT6uRHXWelHXgvIj9NkG22ys8kut3sAX6FnZvmVz0lCLOH4fkjf7BhBpqywd
RTPie6YMoGd8HuZ6tqNsejnl4OMlBnjzBXz3j7+cJ/MMFqHi4SYDmfbv+Rv0
+ef0edQS7nKj2Y8F5x50dmqQtzTguqaAF7dtr0u/LjVeF8t2fUmtXXPogM1X
1O2ujz8TMefCJ+aU1FaqB5QpnxHyWWxpK+Q8eOp2rsTamwKZxozdLmxM1VgT
DB2hRI5r6Uxh2gcIMFDUqIQ/zk5f4P2mJEZ3Eo9oBzcmDpXUJZplHAxqemp3
cT05l8l5gSD7ynSfns/ThaWMJuDqiDOCZyFosXfZ7URg16FpI+e7uDQ+QBnv
r0CYFOURe8wLBq5wcMswPJ5furZUF75aTRhyz/58lUliQq7f0+xCXL2Habje
rioWCS2vUiztYcf0wF7A+EtmJXNLwYVHJFyuu1Uf4tXa0YzM2D374V8/grjA
1n2eCmnFbAwy/04whv1aHwWSl4PWVgnbHLUBiwnJd4tOy2WKEEnAHTbXbATy
bJ3zDCd/wzdt3miLJe0GKUtEBwNURSadA12yCyfykF2mvJuYAeWzUrpj2GYi
y1pcZVq8zxNJvBcv+mHaj83gXUadXVbv9hyXIB46WfnEn3x8/OWqnCNTGhPI
UUCC8zaC9SgLZXFHW7ZJ+SoXYepGNR374pbiz7BytN2Xhbfq5cFf0Am8XpNn
APv/gWgniw3lY0Ad9KyLyjcOuimoCgfhKaAqr7KlTDpl10sFHytM67qT7UV5
DKo3pDseS1hyhub8qew8ASkqsniOyYAM0/LSw1tSsGyWUr6L1IUeVfTn5BDv
DSQ7Z1yJ5Sg1Fc0fAizoUaNoZElE1FG7BbrNcVU9NS3zOjAWHIQbhmOKkkIN
c8EU4AcE5YD3x8ODgxDm20hgHmt+VlYcQKm4iDNPMAYuw0TeJngLWp3eDqBM
yE3wOmpKxrk8o33C2OfmRSgXCNZrsVsqTzjXfyxvHTainhBXH4aQ0OKCP5f+
LcA0mIuC5NKf/Jp9zSVznJugpVWObYBQIMSVoMtPVEoP2aM00WQQkpOL1PW9
rhm8swbVDbNMNghExd6ac4KhwjTfcfQCpw/SDuIo/46bBGIbTj7hq9ukQu5D
9G1P3rynlqjw36/w8bxZE54dktvpAtfSJ1uAMNSoskusMKHa2DubTEZc4lzh
kvIKyVGF6fFGYsA46SljcY5Mw2S2MknPrRc17hT+VdVq+vFkniKMGY0GPtiH
uPZpfXt9TR1Q6TaTdnQ1kqAHVzveq5zPSCn3zTiuf5H4NylMjHj0qEWxtKV+
XbkcWdMGxpQSSMgNJoYKBfRaVsYV1f4TIpudEhg4XashqnDLEEEnEJCRs08Q
Gb3M0fymQ4ClSrf7Axbs9rpVyzwNtat8t4+JRQ5+DPK76ClpW/Mv4tQIwzPo
Kk0k10dpnKhqnqKEOXXgeIeIE05BUiTiptQkPzxETJnzUiA1AcyI99gzH7Fq
3YLZg7UplQplSD/PM4Zh+j7XI42jsN4gLkZWDm42bJcQcl0TWxWVbgZAOLKh
uKQQRM43aIm6uQj1Ri1GN54JNqlmnQJ0jLhg/F60Gco0giDRzq4u00K2NuUe
iuxw1Vf5mnUB0bQxjTHhHbbHKrxw85mRXU/oamKmsbuhizQPAS+GKiQ8L81V
67AwbzsG1JU+k4Ek3PU94oFZZou8zpmK2clLF2ACMvMi5KAKLy6clWtdqax/
A0gVMfzFfsfKRRQRiT84slCqpVeR2Gb7ylJj099LirmevFGFbqxDusheI2wk
9fcSHCGNHqEDcodxzQ3Knd3wpXTNIJctBP3jhVkqb2qMhscjp6lX7gBMR8e9
Jp51Ld+VGbN64Volivyvyls8OC5QJXZzbzW4eEHUfaycE30vgjzTKsGSzYTo
Zzm5K0ZClekjMkZYWAzoC7G7v2c8B1CbFjSAgnOTgrRCEsHAdCA5pCg4da2S
zoJivZJyW/Ta1JprI7tcHGl4GmEo08Y1KFaibXza2kXClGwcVHIIZOyo5TB9
b8wbj6BIkd9L0zjsj3mvRnOy6BLpsubFekPmjbZaidxXBBrTEijZqYwsp4HM
IQLPNuU6gM2GriUlCUjpur4LaiFKvkWyb4xOMIu0CGIVgbPdjx6RpRdgGklz
ANAlfJPPdQ4BJbjTp6wA1yfFHiA8WxMzlxu4qOEuVhecGymg2uEkIa8Ueupr
uPsR8KMZMe61Rh2rFSzDotpCEe3rQaMOE3GHB29i5Brj0UY6rOK0nQ4RSl6W
IHeFZagpNh0RmkviCsooVU/HpScPoagXOmuh4Ka+K49wwI/32UUAMYBXXFDp
vQNiIbSEojX8A8ox9ccW7lNRo0upvJatyhorNVdg3yxcuw5aVnd71O17+ibL
L6+CisoepMKXdVDncndtqJirDKa7TgtYo2tFmiEGD2Xl9C5YHs6EgXkKy2vK
1glsAQW3101O5JZZIGFK1umQgHwh8DhqiIDIklQztusM4ySOSsmZAeSk67UV
NIRZONXnyZScGp7KkWk8UqIEe5wmER57Tw2qG04oo+zGDHA5SboEw9m1MoiX
qyVBT9g14q4q/GOj3Q+ZLOmiEY8Tv+G7xCypNIb7UUk4nV4P1F5K3cGFNGCf
Lj/QkoRGbLXKAzs+zP4/jFL/Y4JPvON5Bbh8Pv7kAuJTtakCLd5Lh0LH5Xvp
YWNtNDqqvijMEZ+SHmT6RO14TudvQalbe0+c+r1Py0FAJoIvpni0+4SnMAZE
yFruUNTp4YoeeV23QPsxX5GdI8afyod9x7EY2rbPHYjqXPt5dCwmWXVjo5HJ
qA3ejqoKKgx0rW753f8NpfTq9hJcPIbgILQ/wvXb7bh+Y7vI/nus/D7mJeUp
xvVOwVCEa/QXAbOlUZ9HjSTgsSRSvCf2vy8mx3t8vaHqH8/00q7W+MKeHLw6
aNk3lFIIAPA/nZ7QKm4jtzSnjpadNLtrCRdRi5w4znZ86k78jHpHSz9ulZVh
9xlGOi+klLPNggoWAA55trm4yD/smT0762UZNHITHCo8vsLPnhyfvzBGrQp+
lyM38J6N2Paxp2LabGr8BZqTaUE/PM1W0u6avUoqbNyzr0BCBDNAU2MZ5pCk
AsfCG91rcGqHoyWb+4bbKPkackmoJTiewuQoTVcvqJscHoJXeNkiHmJ4S1zX
YL8T4SgoPN9LLMyccc4sGrnecVz6EprGzXr27LGQwei/n8jmmYHNOz2157fr
jFb7z+fGvH31+ujYvjp4eUyb2RdmmOFbSYOvzi45OFZRC6HEZzDOmQ4l4HsU
fkyV9bitQnWvNRNzrZv9+k/uOACL9ilkIv1kpYklWuKf7JsUZYdmD79pSz38
zK2d/WQ+Je5/YdAtWcBP9u4eEp88te6Imx5PHLPuvqBIQgZdqwxurfi1aCrB
8I9hXDyn8J94lz7Rrm5DPB5pEYtfPXDbYNA0IRFxvwYJoSOQ15qn4pomj5dE
T/jGSzxsGFbY7HBPT8n09s8BDo2fx04QsZcv+/0KVN9lVSKVo95/M1zz72gF
g9KcNlUh0SsFTCej7kkYT1UjCFpbGRZiHehKx/kU7z7+ijQN1eu0+iqn/u1I
L9gR3H0YxEZfDqyg2V/T5B+Pkm/fJn+bYVTbHBGR/Foy0l0JFb/UiynirzkM
myEoCvHWJve90bmjL5WiVY3HspCidTMjZhfCFmL0n6idDQtkfQsv8oHKShwc
OWi6fPD81QsR3TUxSSnhUXdt7ejg7PDkZEJ4iH2qqMZYUcOHRSL6+GDBnHPl
P3mBmzV5O1kCi7FceRZljBaRd4Ap/hOwMjHBLzlNUgOttf9kg9X9LccfD/97
PME/c8UfCP+7rNjnJAcY1VlaCbvh4GH8FNgpOFIf6iyvVTa5ZcHoIAGLLFtt
OeOfyMPCAV0fCnbOtpMWuwG2jOt120Hk9nThDKGyHR6Py0E+2eOgXInLcoK2
2tpSm3xHV67zu1XcSylb6tNvUtL0n6jc5OnbtZq/AVtaDSsKXd2VOAb34k7v
aw71/7la43ejc4V66k61Ze5WW/ZOtUWcLlJJSTrLJzYQu7vMtJu0dZx6/Glm
q8cVNQ2YU1KGLz3PWY+oevOpYQ3HJEyf5UczQjl9Vd5wWVYf54BzQTB2O8/Q
H6+jtvEmJ98U1qCknrIB0l12fZ/wv/S2HusWoAmM04eOXH+GFI2zEDU8xNhy
KFyORqR0PKBDg43+jynQnqLYQTUYl/DgMt1DsUbRFtBa3CH+ohuysaVUdNxT
/d1P943kXtQGy9u1tuLwPslInKRUMNvvHXVLiQfavi7K39OrQpN+v+2BQdyI
pMOXUTQId6fw/e8ZkYNP8ZDY8eR3DPifce+gLZ/WzdvNGoEfS1pcFtkwNEuT
3bpdcSkpHAdfTuvIrmhYvQf6RxvKtMtwrRJbfjYrik/srQ7rujrUcFy4Q35w
Q+nmKuyfcIdVMTRJVUTusoZrPUkSIofG6AvfE/ZUXXxxR9HsKpb5B0anFklR
So9R9vlfOLf0OKBXDfTMG4KkMyduUXvwF6ZW6BdKJcHcpoES6PE/vabSGsVg
vEAiZOwQBoUJR1pmYZfeUAVMZVoUspM+/tiJPXvzYmKP/nTyEv7EZtMTF++m
8iXzc5idflOVTQk3JbbTSo6m4Igsm4TLl+JeAtMBSgi/esGxZJpOopOQLlvz
mnA6+rb7pNO9fcLhfS4cHO6XyKvDjSkw6xHHMnsyIIz3iXxBDTerE2Po3qyp
van05uYF00bdQc6SbQ+CtPiUHGUxF4bDafbHnPnMOTAfAR4UZkRx8ZTCIsyP
HeTxTbicAQEuc1yg1dXPzeEpdAdHwL7qVBXEju/z1z+9OlLeRQkOV9mYWiSt
8ncZsWyOPAs5pV3HJF0PUbhgvHV6nVDwS5Lc0kpQhXKUFwzyRGlSqF5vdMoT
jSrXnWu3ihgADW4zP1y4H/hp6QRfa1GNCZlMnAYgfgTbKiCfSixSIChkevFB
VpKf26n9JZu/yImwj07Z14+ePJGA3WvQNidH5lCwdkf6HaWJCuvByIugzDQX
3qf0ZiZsC8j4ADIWQb+C6oCvXZYEVQmq+2gN8Lt/IFVqIpXTi3CKYk4JBr2Q
lMZNpPBNLJ3CyREAVoDdmzMAQlalVXNKio2l7svalwb+gXL5ETnJWoxzRoSO
pJcRvQbWJRBUiWIxWmPNIFJN/Du/K4t69vmaY40UGC2waIPZ1awftfNcE7Wv
dCQj9S3IpFzl7HiMpdDRi4VKrJr2WPzgz4phcvdVilAS3kneDv99Chis6VCa
jx/dDujBcB9Mgq+7nlBSCYGpJGoUjcFmg9LTI9BO79tevT+1xz+/MXcpf9Yb
rnXZBAUEtmuibTRQhMpFTo6bc7fooazzeNpMPOHPxHpTIe6NkCwkHUa7ciiD
rX0ghVEiCQ8kkMFjaxkoVh0rbTCpKaOnbSynCu4LlElOKOhDHgTijIeM9uBB
wEBvGM/j5TaN4C4MRIklzT2Ybh7HayXEz0EKbY8mRD4apfN7CqNGvnOP8O9e
r0vMoNSMU3tz9mMSlJn2oBNYH/efCQ92ZZg9vNmlv9hAKMKCHeOzjwWmMzQ4
CNtHtT/wDlRwQPkX0JNdGULEKAlcMq/y5SXIsqnfZQwOSS3/jK20X64QuKsl
Taf8YHI1P34xkNPxBF9udpN2Bo1zSqwo3ochO34ZNCecNQL/uKXMMOJR7oix
jLUSOjOOot7Th/r8VC7gY6yh843MjOhPOOYgf0kKjj8yP3C/bfayiXJOY5Y+
6LqggBQZdGXl2fE9gmk/1M+WxhcCMmIVcIxRZquHOKJL79un3z5xEGtC8cjz
HKmXuSawBKq2FQXa++2UiWh23JV2irM2flROnzmiPzzBVOSogjborBpJBwe8
7ARI6AYVuP3gtrp8fllccmY5R0kcykm94HkdIzsM4XXGVEzefiOUNXMTtP5w
PSwdlbv/EQk0fGFqXxdcYyP9KMQBFKzTxHPSaCVB0BpPXbYwc4qIFFJrE0nV
SaCIbbPYXmAg6cwhoRFqvsjwtfxxfYFx7oRavFkpEX/O16kxZ1ERZ1T41wPf
GrV7Ak/Inn2E4lRjE9SIOQdrCrSjM/jyoM7s88fP3Wcv8M3GhjFp1xi+A1u3
KSkuFzVOThWQL7OUpqSgEXwTHm7CccuATGZPqHsKSmsh0kOql311ULRl57Xv
DhQZHTZjD5vMVF81bsKqcRfubT+xj82IAbdwooaqyaWGUSNOqmqK/ubJM1c1
SkkIE98kStLS6pkcBKyi5K+b97pcb1YUNJXM0WC3Z9/g0rS7PrNS1XX0lXwD
Rdj5IjNx+E9X12OXBChDilpuC3gN+hU2agvaC4Uw+ky7xgkqakNVH0o6IYOa
e5V2B+Rt+2gbubcywYCOeoVNfLBpUyrCPSPwQ2+z6QMtLeZl9XCZAH3jfuap
/ohDjQjKjNaZqiVYJT4FSP41mCY3xMPBwBihKcN+Ja5b01TUBd9Ibqfxa1zF
wqWyjKMijAc+26jJQVEmMFSF/iVoAz6R6jV3ZFnW8RhsCiZmKje1v8MGiAKI
Lg/BqAocNQOrxhHjVj+359LoAO+fN74viLJYtbuahCZN0OrAmOFmbMFgYe5f
qfbYa1ndglWw1CbIjgoDfpkVl0gFSSYO0aIHBjnV6E5Nd3BKhNU5+6Rw3s//
fN7uPYIGfkDVnw51COHakCsN19jDAzks9S3cWNf74gg6GuTtTUKUnQCsq203
uSiYkPan80o/npmoDU5QUk3My6FIegcU8WwXGNhioL7pdD6MOWWwYoRbtN3A
17Vl5dnxYTK/xXIrMNbXCifs7T0SEKK5xujCdIPtEZLwFXA7VZu1GiTgDbGS
cBDvGl7WQsRFxfVKxkV6o2s90W5wfwHFOePMbrL0HXXM0Ukoby3CHd+XVW9T
yWkv4wrRsskTDg8OHh6eR/1csFgIK++yuAWUPMWLsLdSeNVeKFc43YDeUkce
7bLiclb+trRF2ZZfJWut259w6AIi3jKOgHNFisGaMnGDtaLsOUzuBhQcgR7h
aQK/rDbFTUoY06GWL1TarW3hhaP7NmvCGoOgWR8DHeMGLkbbE4ehVFpEG5TR
eYZB8m5WIRwJ8ZjxcjguXl8PV2VY7E41ZENk8B0id6laALMmcwhYr7SVE0YO
Bp4Tt5+KmMd6gS2wAEqt1zD8dTocJcK6dY04DceJekTc98yRScML8V4wqysl
timfTgd1X96Eycdxjak/D1qHtWe7H17awYUV6ZMCOcmeozoKivckH5HGlUc+
MgeKgxrZgIm75Hqsdq9KWowpYghtxy+CK499uCRzP/t8Z/4GTS0XL1DiPLng
c24UQ/0RK+7eQfxeUZ5J/MY6RDfUVB2vvhIZ6BFrML7aaUZSZMzLkGG0W/wS
cBlqaoxDflgLw3znoM7C3nPLDB3l6lbt555uIM7ddUtFbYDYHKZ75fISC9Eb
vGFxnpExh5ZOCo8vN3WQ3LCzapPO9kwapxHRe+BCLD8S7AVJ48T9VJ3skWdJ
ZR9hwsQxD7XkxxIDPZ4bjJHxKZLwgb63kY58xE5IG0zFCy0DMHquMGVqsy7D
JTFS9cmG8FxbmwR1Z6O+l+LqxNpsq010lYlpT12ilO/B0k64p17RVKlrz+nc
5bCzFRirWpj8WXTFkg9iwMPiaNxIFA+khDpRRLEnOyLG6m1lJZ5+LFX+aYnB
urdxjRNcOPCuek23JsQUyI25uT4B1RQXTfoQVMgqzrh7LPvyqAvf+dNELqxb
ZWLbv/Xp5iHiaKG0MwOUduPgMM1cZeNbLVCvAxfYqK8bcqN3zRNObdEezjHv
b8GWzuGkzW9hAJwqy0JZqUL1jgOvGtfJ6ATaB8DoAdBPdGiMokJ8T67PSCWd
Q/gMApd6fxVT4C52AKtXJGAHrZaBMq9NqzZDuMGpAANsJm6Ryql4TBnC9cT2
rT7RaN5cCyfJjk0ZEYp4TZ9FdUKDGgq+r4xaAe1mf976OYWOHefm1pgz23zb
RrsrESK6t2YvJWySSFnr7leCpDVFPg2CiL5ThkBOSPSVkPVFdTboYYLinuP2
e98qLHLkZIIaD62UApLEyRmIsoYjVyFEPPJc2P82fIu3y6KejTWtRSdiO0Ee
93Fh6k3lAldV43FrvdceHfkg3YTSvDVtLMEs3uPeSyRvONpaSyVVStDLkq8A
cPDjECzfNZMoVSUPDmJa9RV4hWaEe5FwEw0y0CZBu0RJ14wVn+2GMywnggcI
spN3JOvQXq/FaHMMsemNokbQmvcJr8gA8nykqFJFYbf7HLvyVIY02ADSMFb9
RLSinQW+M39INmdJDALiaGpdPRoIZCpjdy3meJRYZ0RpGja4u0kLd8/KrlM/
AOlYwWJjqPOSJuAwRbgde1DDVOsLJBPbFkjQ6EVeOTip6Tv2s0CYpEzbld0T
oOwmzZ327T2UkaUqtkAbaegRB6NDThMjfdQYlOE9E8pSbkVk667+XgLc9zjm
RrKzIQMUX+l4fqWrCEdY9PntHuDG89/FaB42VLpsJCGnthFGPbQQ/ARoY2rF
N8xA6hfZv6aL68xRvk3cvKhsn12nfsxR63vSJDcLkNe9OO+JMhth4Wmvgv+y
HUYXxg5nOIJ+usiV4YUSlc50HZGBxxG+kFPSaRImseGV9bTqbNDgFc0sgwGd
/Fx6nJA1QS6dnLzxVHyzEMZANjYy+YbK1rEqc7BSc6xgk6FoBao4XS5rn+Qi
CtOV9EofoV+bqKvpZNa8B/soIlVBL5vX5ANXAY8nvnN57VwC6XVdG8e4R7OM
hmL8tTtJ6kcjYw2H9AbbNZJXpX252U/gXtcepMl9nwIxJTxTYAZpkQsbZRI7
2sqW7Zlf6TAsFCpJzEPOyjWR/uBgj2MiDd8Xk2SC2fBtlIwuoLJG8CSpJpcH
pG9w4UKvZnDAUoEm7j6NQFO2A5oyHz++Pjk6TI5Ozg5f/3x8+hdKWRjq95s8
J06tQdhllwL6HoBQ+oCcbFDHKywLV4ptOms4ZObyP9rzG5aL6hBMVxwcPiai
M6HmNT18n/Cf2gQpYq/BfIpiu5G1UVtA7pqm9DzCaUgG2tMvwNvc4GsETQoo
mQHuDMfbOu/44MEENGqoE1HkmMcsRDvyDJDrT9pE4DmhFIH6HxqVTIsOWIuZ
RzEQvsqY8hNfg0AUXZiD1OG31pfmSQmVvYcP8+VapzstsoamzPwWS08hFD+9
Zj7Y1rsSK5pSzklKQrghtm1UNJl0nU8r+bRfRKbeIBWLn04J6YzCd5amZ+HB
40+ipKMmwc8e4P1mR3333Fh6yvhoLl/420VXcuGxf7NnzD//+U9z5x0JduIr
+trI7rz/rufTu/s7sOjW7vgS/fD7+lvp4DCwhTt2TNOht/n7psTNqLNLNg85
AV8geqdwiDSma66RPAbZoSb2Ns+opYCZDUxzYH7bJwY7+UoburrrOmxARyn2
6PzwS2w/6eH2cLZMgneMS+R+R9IgIun6kiFDtjLTCE+huwh4g+2vNQjJR2w2
okIa1yy/5QOys2d3tkn0DvK27MTfpIDFWyXRfisB+mwJY/2VN31TFXt51lzs
4S5d13u0L3tRoGMvXya/ppcoJX+jZwyDl+In7JCRvsNf4nV5S0v59prLxd00
PtKf8Cn+Bb7qkEPAwvoZJ2M+s0RK9aG7NM/JTBFGV2MEsMBHPW4uOkErLA3i
Lz6o40Iw+Dxt+gBXDHYZJmtsUNeRsj8AgeN4GrpxOEaIKK5FhaQOWCoMTWLD
0swpSsGZdrEWNMYDn9uu3DxLMz0HqeSIjNngV53M+YXH3Qnlq332J/IxmMG9
xBA/m31Yw2d3v/7m0e5XXz199Eh/DsaO//mu//mvTY5jP0t3v55Op24YEDb8
MS5l8u3jp7vp3D+BxAt+2dXD8WcksEJSCQJIC/hZlsKYx5F8rKm1qViUdxH0
kUGMAznFw8xdQvL69l12+/bXGwLV0OAhqR4ycOh24ILi39+8Pju3D9nMRo32
cHe6iz/HVp97tm+58beH3J4zIYoKroHhBzz8kNzc3BDgAilUsYctsq/gd1gz
YBXmd9tUAH5gD95AOPHxm/+nMwS+y27/eDX/fpG/zv949tM/TnZf5Sc17B19
it/4rfvwtmeJo+M96L7HtgcMn/6i9XRVC1FIZ7Rd4ZMfb8yT6X2aUTgaeHJK
6Yxio3jPFG9HnNwdVBMPpz5r+xBjwfkyiZB2yPhm//jLn87GEw7Pwn/gTOF/
4AiRY7xepdTdrXG4gaf3mb1vftRcsTIZjr6EAZIpSU5KcansA1lkQwSqzjMN
AGZMXiqaXlow8HGJD+l3eERn473urQ3fm4MliUTDGoxaONDOnc34Jvq69o6G
LNIPtnb2GCX68X/uEbBgZiwKGlrvKMj3fXkGyPUqJ7+Uw24qGfSSCymi6reH
wr63QvY3tWACCclbXuvDmC38PhLBqagN0UPLt9/nVbNxPWKY2jOeBe0dEgjJ
2gynxejLw+YbDrDkacp1hxH7WUTG0nfPysvL8wkQyXY0PRWzGirFNNI0Vgf1
Bmy4bIlJ82e/7cx31DtdNqjZxcckD2tBTPSsyx0lptBuI2G55L1zde+lx9Ke
fSPYoxfYsc+cXLTXHQGcFUVk6Z4SdEOHTk7hEiaESxCZeKv8hlhN05CS0aOX
GAHlU5YY+GEsUJAgpLL6vKz+qx0WlHdnigS/j1Vrd3jnytBRDWgDK8a6EC7F
hfHFrQ/QXD+d/tgx3Ttl9WSXtC2Sne4Z6drAYufebY5ts8Tb9jd9PCjqxuEf
P3r8dfLoWfLk0fmjR3v0f/8m5vXkHlNK0GHe/Idm5m15Wp2wmFsm+BVO8PG3
4QTF6r8jV86QhRRzP9TQHDH3DLlnVue4d7jIMn0g2n7SrFrgZxH1foNdQbU/
Ljq+AqqQBje9jdP27mjmJkkBCjO6AFk6RyJKqldKt/bYMaNhHUnh4qU0KYSj
jX7JeGrPEKzfwYcLRi5qndbG68c9z5A61sgDw4jLgsEo00uqLZguyusZV1Bx
VPhyQ0dOKgLQUvJ21DAmfdRGoo+nSuBdZxMaohdLP21h7pnWJwCVOlS9STuY
eqkBiF4bdvoMHV3Q5OrnUXu1rZUWgt/k4i5Zvu6C8e9jawKf4UDrQf0qXyt9
Pe1w2+nWAJOyWmP0DafpQhqmreD5H6TYm7Ym/K9VdQML4RULr4I+kt7vv1Lr
RCYEpVWQkpM4Tl1VBh9jDlvn3Jde5cvTZaKFM7lHxFm0C9vqLP7keA6cETQI
/o522yxYHxSAsOaYrPO7ZU/qunwOvdVscUS1iW4GYx9pZkAaG7Zoi3FpT7sh
NVVIIn9FUF7ush8cMcdoDfWvpI7uZqDKAokmmMRVFW6NwXRuCHF2fPrzi4OT
H4dJDmLziuxnqpTgPF2KdmRIRjrrIY6NDUhj+/fSrQ/iSSnezN1iZr/Hiplh
oQoxqQr+NC/4fifPfTblFXDcsAFm5kEQJ8JAJNO3xrY95i2xaUH6nuikGfY3
6JBwBzUlbZ8Gz/VssR7ZEVHF4gWlvLDwRhcoUZy990xMji9WwbuT2JxGbed6
DsP2RNyxY6HojyBPXIvwa+ZyCvhYh+6XgxzDqmlBu9Y4c1LXYWPuXooiyS+Z
u3zPK+rUKV1lYidscq8BtP1UXmyyoHuoT98gq7O65wGPtXbZqF07OOSsrnu5
9DGHQ0TtoDkqTOpoULS+Quio4yoXRolKaLz3PSKDiLW1HpO7kfJjFxlnw3s6
iRELsDLf2h/Akiir27vSjlwjkeN5y4Tc27UFDDD3uLuPHqEr+gAUDfNvLav0
ojH/L3rRJDQcXgEA

-->

</rfc>
