<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-mcguinness-oauth-id-assertion-framework-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Identity Assertion Trust Framework">OAuth Identity Assertion Trust Framework</title>
    <seriesInfo name="Internet-Draft" value="draft-mcguinness-oauth-id-assertion-framework-00"/>
    <author initials="K." surname="McGuinness" fullname="Karl McGuinness">
      <organization>Independent</organization>
      <address>
        <email>public@karlmcguinness.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>OAuth</keyword>
    <keyword>JWT authorization grants</keyword>
    <keyword>identity assertion</keyword>
    <keyword>issuer discovery</keyword>
    <keyword>trust policy</keyword>
    <keyword>authority delegation</keyword>
    <abstract>
      <?line 78?>

<t>Issuer authentication alone does not prove an OAuth authorization
server's authority over the subject namespace its identity assertions
claim. A federated authorization server can mint an identity assertion
naming any email domain; federation membership establishes that the
server is a recognized member of an ecosystem, not that the server is
entitled to assert about subjects in any particular namespace. Nothing
in OAuth today lets a namespace owner declare which authorization
servers are authorized to assert identities in its namespace.</t>
      <t>This document defines an Identity Assertion Trust Framework with two
parts. First, an Authority Delegation Model: an abstract pattern
(Authority Holder, Delegate, Delegation Artifact, Validator) with
independent trust-evaluation categories, a cross-category combination
rule, and a lookup-state taxonomy that profiles instantiate. Second,
the Identity Assertion Issuer Trust Policy: a JSON policy document
that a Resource Authorization Server publishes to declare which trust
methods it requires of an Assertion Issuer, including
issuer-authentication methods (such as OpenID Federation) and
subject-namespace authorization methods defined by separate
profiles.</t>
      <t>The Domain-Authorized Issuer Trust Method is defined separately as one
subject-namespace authorization profile usable by this framework.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Web Authorization Protocol Working Group mailing list (oauth@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/mcguinness/draft-mcguinness-oauth-id-assertion-framework"/>.</t>
    </note>
  </front>
  <middle>
    <?line 104?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>OAuth assertion-based authorization grants <xref target="RFC7521"/> <xref target="RFC7523"/> allow
identity-bearing assertions issued by one authorization server to be
presented to another. The Identity Assertion JWT Authorization Grant
(ID-JAG) <xref target="ID-JAG"/> is one such profile, and the cross-domain delivery
of such assertions is specified in <xref target="I-D.ietf-oauth-identity-chaining"/>.
Those documents define how an assertion is constructed, presented, and
consumed; they do not define whether the Resource Authorization Server
should accept the issuer in the first place. The Resource Authorization
Server needs to decide whether the issuer of an identity assertion is
acceptable for subject resolution, account linking, or delegated access,
and base specs leave that decision to local policy.</t>
      <t>In many deployments the set of acceptable Assertion Issuers cannot be
enumerated in advance. It may be large, dynamic, or governed by external
trust frameworks. A static issuer allowlist also cannot express the
conditions under which an Assertion Issuer is acceptable: for example,
whether the Assertion Issuer is a member of a recognized federation, or
whether the Assertion Issuer has authority for the subject namespace
being asserted.</t>
      <t>This is an open-world issuer-trust problem: the Resource Authorization
Server may receive identity assertions from issuers that were not
individually configured in advance, but whose acceptability can be
evaluated from published evidence at request time. The purpose of this
framework is not to remove policy from the Resource Authorization
Server, but to give it a standard way to express which evidence it
requires and how that evidence is evaluated.</t>
      <t>This document defines an Identity Assertion Issuer Trust Policy
that a Resource Authorization Server publishes to describe its trust
criteria. The Resource Authorization Server does not say "these are
all the Assertion Issuers I trust"; it says "these are the conditions
an Assertion Issuer must satisfy." Conditions are evaluated by
validating concrete evidence (a federation trust chain or a
domain-authorized issuer record) when an assertion is presented.</t>
      <t>This document defines the Authority Delegation Model
(<xref target="delegation-model"/>) and uses it to profile OAuth identity
assertions. It is consumed by <xref target="DAI"/>, which defines one
Subject-Authority publication mechanism. The two documents together
are described in <xref target="family"/>. The assertion-bearer grant and chaining
mechanics of <xref target="ID-JAG"/> and <xref target="I-D.ietf-oauth-identity-chaining"/>
remain unchanged; this document adds only the issuer-trust
evaluation layer.</t>
      <section anchor="minimal-deployment">
        <name>Minimal Deployment</name>
        <t>The smallest deployment has three moving parts:</t>
        <ol spacing="normal" type="1"><li>
            <t>A Resource Authorization Server publishes a Trust Policy
(<xref target="trust-policy-document"/>) saying which issuer-trust evidence it
requires.</t>
          </li>
          <li>
            <t>A Subject Authority publishes a DAI policy (<xref target="DAI"/>) saying which
Assertion Issuers it authorizes for its namespace.</t>
          </li>
          <li>
            <t>At the token endpoint, the Resource Authorization Server validates
the assertion and requires one successful Trust Method in each
applicable trust-evaluation category.</t>
          </li>
        </ol>
        <t>For the common case, the Resource Authorization Server lists
<tt>domain_authorized_issuer</tt>; the Subject Authority publishes a DNS TXT
record at <tt>_oauth-issuer-policy.{domain}</tt>; and the Resource
Authorization Server checks that the assertion's <tt>iss</tt> appears in
that policy for the asserted subject namespace.</t>
      </section>
      <section anchor="two-trust-questions">
        <name>Trust Evaluation Categories</name>
        <t>This document defines two independent trust-evaluation categories
for OAuth identity assertions (<xref target="categories"/>):</t>
        <ul spacing="normal">
          <li>
            <t><strong><tt>issuer_authentication</tt></strong> is the Authenticity category. It
asks: is the JWT <tt>iss</tt> claim a recognized signer?</t>
          </li>
          <li>
            <t><strong><tt>subject_namespace_authorization</tt></strong> is the Delegation Authority
category. It asks: has the namespace owner authorized this
issuer to assert about subjects in its namespace?</t>
          </li>
        </ul>
        <t>Each Trust Method belongs to one or more of these categories, and
evidence is required from each applicable category
(<xref target="combination-rule"/>).</t>
      </section>
      <section anchor="motivation">
        <name>Motivating Use Cases</name>
        <t>Deployments where the gap between issuer authentication and
namespace authorization has practical consequences include:</t>
        <ul spacing="normal">
          <li>
            <t>Workforce SSO into multi-vendor SaaS: per-customer bilateral
issuer configuration, with no wire-format check that the
configured Assertion Issuer is the one the customer authorizes.</t>
          </li>
          <li>
            <t>AI agent platforms acting across tool boundaries: the tool needs
to know the platform is entitled to assert about users in the
customer's namespace (<xref target="example-agent-platform"/>).</t>
          </li>
          <li>
            <t>B2B integrations carrying end-user identity: today these either
accept any authenticated Assertion Issuer or maintain manual
allowlists.</t>
          </li>
          <li>
            <t>Shared-issuer multi-tenant Identity Providers: the customer's
choice of authorized tenant becomes observable on the wire
(<xref target="DAI"/> §Single-Issuer Multi-Tenant Identity Providers) rather
than implicit.</t>
          </li>
        </ul>
        <t>Today's alternatives are bilateral OAuth configuration, federation
membership treated incorrectly as a proxy for namespace authority,
or implicit trust in tenant-domain bindings; this document provides
a wire-format alternative.</t>
      </section>
      <section anchor="relationship-to-existing-mechanisms">
        <name>Relationship to Existing Mechanisms</name>
        <t>This policy is complementary to OpenID Federation: OpenID Federation
can authenticate that an issuer belongs to a trusted ecosystem, while
the Domain-Authorized Issuer Trust Method lets the namespace owner say
which issuers may assert about subjects in that namespace. This document also
follows existing DNS authority-publication patterns such as CAA,
MTA-STS, SPF, DKIM, and the Email Verification Protocol. Background and
positioning details are in <xref target="relationship-to-oidf"/> and
<xref target="DAI"/> §Following Existing DNS Authority Patterns.</t>
        <t>This framework is distinct from issuer <em>discovery</em> mechanisms such as
WebFinger <xref target="RFC7033"/> and OpenID Connect Discovery <xref target="OIDC-DISCOVERY"/>,
which answer "given a user identifier, which issuer should a client
use?" before authentication. This framework answers the verifier-side
question "may this issuer, having already produced an assertion, be
trusted for this subject's namespace?" Its answer is published per
namespace, expresses authorization rather than routing, and is
consumed at verification time. See <xref target="DAI"/> §Following Existing DNS
Authority Patterns.</t>
      </section>
      <section anchor="family">
        <name>Documents in the Family</name>
        <t>This document and <xref target="DAI"/> form a two-document set:</t>
        <ul spacing="normal">
          <li>
            <t><strong>This document</strong>: the Authority Delegation Model
(<xref target="delegation-model"/>) and the Identity Assertion Issuer Trust
Policy (<xref target="trust-policy-document"/>) published by a Resource
Authorization Server, plus the Trust Method machinery, OAuth
grant profile bindings, and the Subject Authority Determination
concept.</t>
          </li>
          <li>
            <t><strong><xref target="DAI"/></strong>: the OAuth Domain-Authorized Issuer Trust Method, defining
the <tt>domain_authorized_issuer</tt> Trust Method and the Issuer Authorization
Policy wire format it consumes.</t>
          </li>
        </ul>
        <t>This document does not define the Issuer Authorization Policy
wire format; that lives in <xref target="DAI"/>. This document defines what an
Assertion Issuer must satisfy to be accepted; DAI defines one
class of evidence supplying that satisfaction.</t>
      </section>
      <section anchor="scope">
        <name>Scope</name>
        <t>The scope of this document is:</t>
        <ul spacing="normal">
          <li>
            <t>The Authority Delegation Model (<xref target="delegation-model"/>): vocabulary,
trust-evaluation categories, combination rule, lookup states,
and the bounded-transitivity property profiles inherit.</t>
          </li>
          <li>
            <t>The Trust Policy document (<xref target="trust-policy-document"/>).</t>
          </li>
          <li>
            <t>The Trust Method machinery (categories, registry).</t>
          </li>
          <li>
            <t>The Subject Authority Determination concept and registry.</t>
          </li>
          <li>
            <t>The OAuth grant-profile bindings.</t>
          </li>
        </ul>
        <t>Concrete publication mechanisms for specific Trust Methods are
out of scope and live in dedicated specifications such as <xref target="DAI"/>.</t>
        <t>The Authority Delegation Model accommodates attribute
authorities whose authority is not a namespace owner
(government-issued credentials, professional certifications,
employment attestations, decentralized credentials). This document
does not register Trust Methods for attribute attestation;
implementers needing such evaluation should look to W3C Verifiable
Credentials, OpenID for Verifiable Credentials, and domain-specific
frameworks. Where their attestations are conveyed as OAuth identity
assertions whose subject is namespace-bound, this document's
issuer-trust evaluation applies regardless of the
attribute-attestation layer beneath it.</t>
        <t>The <tt>email</tt> Subject Identifier extraction registered in this
document is user-identity-oriented. The Authority Delegation Model
(<xref target="delegation-model"/>) supports any Subject Identifier format with
a registered extraction procedure; identity chaining for workload
identities, agent identities, or other non-user subjects can be
supported by registering additional extractions with no changes to
the trust evaluation model (<xref target="future-extensions"/>).</t>
      </section>
      <section anchor="conventions">
        <name>Conventions</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

</section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>This document uses OAuth 2.0 <xref target="RFC6749"/> terminology. Subject
Identifier formats follow <xref target="RFC9493"/>; Trust Method identifiers are
registered in <xref target="iana-trust-methods-registry"/>.</t>
      <t>The following terms define the Authority Delegation Model used
throughout this document.</t>
      <dl>
        <dt>Authority:</dt>
        <dd>
          <t>The right to attest claims that a Validator will rely on, within
a specified namespace, claim type, scope, or registration. This is
distinct from "authority" in the access-management sense (the right
to perform actions or access resources). The IAM access-rights
sense of "authority" is out of scope.</t>
        </dd>
        <dt>Authority Holder:</dt>
        <dd>
          <t>An entity holding authority over a namespace, claim type, scope,
or registration. An Authority Holder may delegate that attestation
authority to one or more Delegates. Examples: a DNS domain owner
for an email namespace; a federation operator for federation
membership.</t>
        </dd>
        <dt>Delegate:</dt>
        <dd>
          <t>An entity that has received attestation authority from an
Authority Holder and may issue Assertions within the delegated
scope. In this document the Delegate is the Assertion Issuer.</t>
        </dd>
        <dt>Delegation Artifact:</dt>
        <dd>
          <t>A profile-defined representation of a delegation: a signed
document, a DNS record, a JSON document at a well-known HTTPS URL,
an entry in published metadata, or any other profile-defined
publication form. The Delegation Artifact <bcp14>MUST</bcp14> carry sufficient
information to identify the Authority Holder, the Delegate, the
delegated claim type or scope, and (when applicable) the validity
bounds.</t>
        </dd>
        <dt>Assertion:</dt>
        <dd>
          <t>A signed statement made by a Delegate about a Subject within the
delegated scope. In OAuth contexts this is typically a JWT
<xref target="RFC7519"/>.</t>
        </dd>
        <dt>Validator:</dt>
        <dd>
          <t>The component that performs the trust evaluation: retrieves the
Delegation Artifact, validates the Assertion, applies the
combination rules, and produces an accept-or-reject result. In
this document the Validator is the Resource Authorization Server.
The Validator and Relying Party are conceptually distinct,
paralleling the analogous distinction in the RATS Architecture
(<xref target="RFC9334"/>).</t>
        </dd>
        <dt>Authority Source:</dt>
        <dd>
          <t>A trust root, registry, publication channel, or configured source
from which a Validator accepts Delegation Artifacts. In many cases
the Authority Source and the Authority Holder are the same entity
(for example, a domain publishing its own DNS record). In others
they differ (for example, a federation trust anchor as the
Authority Source for Subordinate Statements issued by
intermediates).</t>
        </dd>
      </dl>
      <t>The following terms are specific to OAuth identity assertions.</t>
      <dl>
        <dt>Resource Authorization Server (RAS):</dt>
        <dd>
          <t>The OAuth authorization server that receives an identity
assertion as a grant, evaluates the Trust Policy, and issues
access tokens for a protected resource. Not a new OAuth protocol
role; OAuth readers may read it as "the authorization server
receiving the assertion grant." The RAS is the Validator.</t>
        </dd>
        <dt>Assertion Issuer:</dt>
        <dd>
          <t>The service issuing an identity-bearing assertion, identified by
the JWT <tt>iss</tt> claim. The same string is the <tt>issuer</tt> value in
OAuth Authorization Server Metadata <xref target="RFC8414"/>, OpenID Connect
Discovery <xref target="OIDC-DISCOVERY"/>, and the federation entity identifier
in <xref target="OIDF-FEDERATION"/>. The Assertion Issuer is the Delegate.</t>
        </dd>
        <dt>Subject Authority:</dt>
        <dd>
          <t>The Authority Holder for a Subject Identifier namespace. For
<tt>email</tt>, the registrable domain.</t>
        </dd>
        <dt>Trust Policy:</dt>
        <dd>
          <t>The JSON document defined in <xref target="trust-policy-document"/>, published
by a Resource Authorization Server to declare its trust criteria.</t>
        </dd>
        <dt>Trust Method:</dt>
        <dd>
          <t>A registered, named evaluation procedure by which a Validator
tests one category of trust evidence about an Assertion Issuer
(<xref target="trust-methods"/>). A Trust Policy names the Trust Methods it
requires.</t>
        </dd>
        <dt>Issuer Authorization Policy:</dt>
        <dd>
          <t>The Delegation Artifact by which a Subject Authority declares the
Assertion Issuers it authorizes for its namespace. Concrete
representations (wire format, publication channel) are supplied by
individual <tt>subject_namespace_authorization</tt> Trust Method specifications.</t>
        </dd>
        <dt>Consumer:</dt>
        <dd>
          <t>Any party that retrieves and processes a policy document (Trust
Policy or Issuer Authorization Policy): a Resource Authorization
Server evaluating an assertion, or a client reading a Trust Policy
for capability discovery. Requirements addressed to consumers apply
to both roles unless a narrower role is named.</t>
        </dd>
      </dl>
    </section>
    <section anchor="delegation-model">
      <name>Authority Delegation Model</name>
      <t>This section is the explanatory model that the Trust Policy
machinery (<xref target="trust-policy-document"/>, <xref target="trust-methods"/>) and
profiles such as <xref target="DAI"/> instantiate. The vocabulary
(Authority Holder, Delegate, Delegation Artifact, Assertion,
Validator, Authority Source) is defined in <xref target="terminology"/>.</t>
      <section anchor="pattern-overview">
        <name>Pattern Overview</name>
        <t>Four roles cooperate around one delegation:</t>
        <artwork><![CDATA[
Authority Holder
   |  delegates authority via
Delegation Artifact
   |  identifies
Delegate
   |  signs
Assertion
   |  presented to
Validator
]]></artwork>
        <t>The Authority Holder publishes the Delegation Artifact through a
profile-defined channel: a DNS record under its domain, an HTTPS
document at a well-known URL on its host, a signed subordinate
statement in a federation, or another profile-defined form.
Control of that publication channel is itself the authority binding:
whoever can publish at the channel is the Authority Holder for
the namespace, claim type, or scope. The Validator validates the
Delegation Artifact (which says "Authority Holder authorized
Delegate") and the Assertion (which says "Delegate asserts
something about Subject"). Both validations are required.</t>
        <t>A delegation has a lifecycle: the Authority Holder establishes
the artifact, publishes it, the Delegate uses it to mint
Assertions, and revocation occurs by removing or expiring the
artifact. The framework provides no remote cache-invalidation
mechanism; revocation latency is bounded by the profile's cache
lifetime. Subject Authorities that need fast revocation operate
with short steady-state cache lifetimes. Planned transfers
(provider migrations, acquisitions) and unplanned revocations
(security incidents) follow the same publication path: update the
artifact, accept latency bounded by the cache window.</t>
      </section>
      <section anchor="categories">
        <name>Independent Trust Evaluation Categories</name>
        <t>A Validator combines two independent trust evaluations to accept
an Assertion. Each category answers a distinct question:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Authenticity</strong>: is the entity that signed the Assertion
cryptographically authentic and recognized as a member of some
ecosystem? Satisfied by evidence that signers and their keys
belong to a recognized population (federation membership,
trust-mark issuance, signed attester key).</t>
          </li>
          <li>
            <t><strong>Delegation authority</strong>: has the Authority Holder for the
asserted scope delegated to this signer? Satisfied by a
Delegation Artifact from the appropriate Authority Holder.</t>
          </li>
        </ul>
        <t>The OAuth Trust Method categories defined in this document
(<xref target="trust-method-categories"/>) instantiate these:
<tt>issuer_authentication</tt> realizes Authenticity, and
<tt>subject_namespace_authorization</tt> realizes Delegation authority
for namespace-bound Subject Identifiers.</t>
        <t>Local policy (risk scoring, scope grants, account linking, business
rules) applies on top of these two categories and remains the final
decision layer (<xref target="rasp"/> step 6).</t>
        <section anchor="combination-rule">
          <name>Cross-Category Combination Rule</name>
          <t>When more than one category is applicable to a request, the
Validator <bcp14>MUST</bcp14> require at least one satisfying evidence item from
each applicable category. Within a single category, or-semantics
apply: satisfying any one applicable evidence item is sufficient.
The rule is: <em>and</em> across independent categories, <em>or</em> within a
category.</t>
          <t>Satisfying one category <bcp14>MUST NOT</bcp14> be treated as satisfying
another. A signer authenticated by federation membership has not
been delegated namespace authority by that fact; an Authority
Holder's delegation to a signer does not authenticate the
signer's identity beyond what the Delegation Artifact attests.</t>
          <section anchor="category-applicability">
            <name>Category Applicability</name>
            <t>Category applicability is a property of the Validator's published
Trust Policy, not of the incoming Assertion. If the Trust Policy
declares one or more Trust Methods in a given category, that
category is applicable to every Assertion the Validator evaluates
within the profile's scope. The Assertion itself <bcp14>MUST NOT</bcp14> be able
to waive the category: an Assertion lacking satisfying evidence
for an applicable category <bcp14>MUST</bcp14> be rejected. Profiles <bcp14>MUST NOT</bcp14>
define applicability conditions that depend on properties of the
Assertion under evaluation. This prohibition is directional:
assertion properties may never <em>relax</em> what the policy requires;
rejection rules keyed on assertion properties (such as the
federation-only rule in <xref target="rasp"/> step 5e) only tighten it and are
permitted.</t>
            <t>A <tt>subject_namespace_authorization</tt> method therefore does not
become inapplicable merely because an Assertion omits a Subject
Identifier. A profile that admits such a method <bcp14>MUST</bcp14> require, in
its grant-profile binding, that every Assertion in scope carry a
Subject Identifier from which a Subject Authority is determinable,
and <bcp14>MUST</bcp14> require rejection otherwise (see the processing rule in
<xref target="rasp"/> and <xref target="applicability-bypass"/> for the attack this
prevents).</t>
          </section>
        </section>
        <section anchor="multiple-sources">
          <name>Multiple Authority Sources Within a Category</name>
          <t>A Validator <bcp14>MAY</bcp14> accept Delegation Artifacts from multiple
Authority Sources within the same category (multiple Subject
Authorities for different namespaces, multiple federation trust
anchors). Selection of which Authority Source applies to a given
Assertion happens before the Assertion is authenticated against
any delegation, so a profile <bcp14>MUST</bcp14> define deterministic source
selection: a binding function from Assertion + request context to
exactly one Authority Source (or deterministic failure), invariant
under attacker-controlled inputs outside the binding function. The
attack against ad-hoc or fallback selection logic and the
deterministic-selection requirement are detailed in
<xref target="unverified-claim"/>.</t>
          <t>A Validator <bcp14>MUST NOT</bcp14> fall through to a different Authority Source
if the originally-applicable Authority Source's evaluation fails
or is indeterminate (<xref target="exception-handling"/>).</t>
        </section>
      </section>
      <section anchor="open-world">
        <name>Open-World Delegation and Bounded Transitivity</name>
        <t>This document targets <strong>open-world delegation</strong>: the Authority
Holder is an entity independent of the Validator (a customer's
domain, a federation operator) and the Validator retrieves
Delegation Artifacts through the profile's publication channel at
evaluation time. Open-world does not mean open acceptance; the
Validator publishes (or locally configures) which Authority
Sources it accepts. Closed-world delegation (Validator and
Authority Holder are the same party, evidence is local
configuration) is the degenerate case and remains compatible with
the model.</t>
        <t>The Trust Methods defined in this document and in <xref target="DAI"/> are
bounded at depth one: the Authority Holder directly lists every
authorized Delegate; no further delegation is permitted. Depth-1
keeps revocation latency bounded by one cache and prevents
compromise of any non-Authority-Holder party from expanding the
authorized set. OpenID Federation <xref target="OIDF-FEDERATION"/> is the
notable chained-delegation profile in the OAuth ecosystem; the
cross-category combination rule still applies independently of
transitivity (a federation chain establishes Authenticity, not
Delegation authority).</t>
      </section>
      <section anchor="exception-handling">
        <name>Lookup States and Fail-Closed</name>
        <t>A Validator's lookup of a Delegation Artifact produces exactly
one of three abstract states. Profiles <bcp14>MUST</bcp14> map every concrete
outcome of the lookup operation onto exactly one of these states.</t>
        <section anchor="lookup-states">
          <name>Lookup States</name>
          <ul spacing="normal">
            <li>
              <t><strong>Affirmative</strong>: a well-formed Delegation Artifact was
retrieved through the authoritative publication channel, its
signature (where applicable) verified, and its validity bounds
hold at evaluation time. The Validator proceeds to evaluate the
Assertion against the artifact's contents.</t>
            </li>
            <li>
              <t><strong>Negative</strong>: the publication channel authoritatively reports
the absence of a Delegation Artifact. Examples include DNS
NXDOMAIN or NODATA with a valid (possibly DNSSEC-signed)
authoritative answer where DNS is the profile's sole or final
publication channel, and HTTPS 404 from the authority-bound
origin. A profile with multiple publication channels for the
same Authority Source reaches Negative only when the channels
its lookup procedure consults authoritatively report no
delegation (see, for example, <xref target="DAI"/>). A profile <bcp14>MAY</bcp14> additionally
define an explicitly published denial; whether it maps to
Negative or to an Affirmative retrieval whose evaluation yields
no matching delegation is the profile's choice under its state
mapping. A
Negative state is itself a decision by the Authority Holder
(the namespace exists but no delegation is in effect) and
carries the same normative weight as any other published
decision.</t>
            </li>
            <li>
              <t><strong>Indeterminate</strong>: the lookup did not produce an authoritative
Affirmative or Negative result. Examples include DNS SERVFAIL,
resolver timeout, network partition, HTTPS 5xx, TLS handshake
failure, malformed publication-channel response, and structural
validation failure on a retrieved artifact (invalid signature,
unparseable payload, validity bounds outside the acceptable
window). An Indeterminate state carries no information about
the Authority Holder's intent.</t>
            </li>
          </ul>
          <t>The Affirmative / Negative / Indeterminate taxonomy is
structural: Negative is the Authority Holder's affirmative
non-delegation; Indeterminate is information the Validator could
not obtain.</t>
        </section>
        <section anchor="fail-closed-requirements">
          <name>Fail-Closed Requirements</name>
          <t>A Validator <bcp14>MUST</bcp14> classify every lookup outcome into exactly one
of the three states above before producing an accept-or-reject
decision. Profiles <bcp14>MUST</bcp14> enumerate the concrete signals on their
publication channel that map to each state.</t>
          <t>A Validator <bcp14>MUST</bcp14> fail closed on both Negative and Indeterminate
states: the access decision <bcp14>MUST</bcp14> be reject. Profiles <bcp14>MUST NOT</bcp14>
permit any condition under which an Indeterminate state is
treated as Affirmative; doing so converts the fail-closed
property into an availability-driven downgrade attack surface.</t>
          <t>A Validator <bcp14>MAY</bcp14> rely on a fresh cached Affirmative Delegation
Artifact during a transient Indeterminate state on the live
publication channel, but only if the cached artifact is within
the cache lifetime bound the profile specifies. Repeated
Indeterminate states across consecutive lookups <bcp14>MUST NOT</bcp14> extend
the effective cache lifetime beyond the profile's stated maximum;
if the cache expires while the live channel remains
Indeterminate, the Validator <bcp14>MUST</bcp14> transition to a reject
decision.</t>
          <t>A Validator <bcp14>MUST NOT</bcp14> fall through to a different Authority Source
on Negative or Indeterminate states from the
originally-applicable Authority Source (<xref target="multiple-sources"/>).
Fallthrough on non-Affirmative states is the same downgrade as
extended-cache-on-Indeterminate: both convert a hard denial into
a soft one driven by adversary-controllable availability of the
authoritative publication channel.</t>
          <t>Profiles <bcp14>MAY</bcp14> define additional lookup states (for example, a
"stale-but-signed" state for transparency-log-bound artifacts)
but <bcp14>MUST</bcp14> place any such state on the Affirmative-or-reject side
of the decision boundary. Profiles <bcp14>MUST NOT</bcp14> introduce a state
that relaxes the Indeterminate-rejects-hard requirement.</t>
        </section>
      </section>
    </section>
    <section anchor="trust-policy">
      <name>Trust Policy</name>
      <section anchor="metadata-publication">
        <name>Metadata Publication</name>
        <t>A Resource Authorization Server publishes the location of its Identity
Assertion Issuer Trust Policy in its authorization server metadata
<xref target="RFC8414"/> using the following member:</t>
        <dl>
          <dt><tt>identity_assertion_trust_policy_uri</tt></dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. HTTPS URI identifying the Identity Assertion Issuer Trust
Policy document.</t>
          </dd>
        </dl>
        <t>A Protected Resource that publishes OAuth 2.0 Protected Resource
Metadata <xref target="RFC9728"/> <bcp14>MAY</bcp14> include the same member to advertise the
policy applied by its Resource Authorization Server. Clients that
obtain the URI from Protected Resource Metadata <bcp14>MUST</bcp14> verify that the
policy document's <tt>resource_authorization_server</tt> value identifies an
authorization server listed in the Protected Resource's
<tt>authorization_servers</tt> array. If the same member appears in both
metadata documents, the authorization server metadata value is
authoritative.</t>
        <t>A Resource Authorization Server may additionally publish the trust
policy at the well-known URI registered in
<xref target="iana-trust-policy-well-known"/>. The well-known URI is derived from
the Resource Authorization Server's issuer identifier by the
transformation of <xref target="RFC8414"/> Section 3: the well-known path component
<tt>identity-assertion-trust-policy</tt> is inserted between the host (and
port, if any) and any path component of the issuer identifier. For an
issuer with no path component this yields
<tt>https://{host}/.well-known/identity-assertion-trust-policy</tt>. If both
the metadata member and the well-known URI are available and identify
different documents, the metadata member is authoritative.</t>
        <t>A consumer retrieving a Trust Policy document (from either source)
fetches it with an HTTP GET over HTTPS with TLS server
authentication, subject to the following rules. The consumer <bcp14>MUST NOT</bcp14>
act on a policy it could not retrieve and validate; such a retrieval
failure is distinct from a successfully retrieved policy that rejects
an assertion.</t>
        <ul spacing="normal">
          <li>
            <t>The response <bcp14>MUST</bcp14> have status 200 and a media type of
<tt>application/json</tt> or a <tt>+json</tt>-suffixed type.</t>
          </li>
          <li>
            <t>Consumers <bcp14>MUST</bcp14> follow HTTPS redirects up to a limit of 5 hops;
every redirect target <bcp14>MUST</bcp14> use the <tt>https</tt> scheme and <bcp14>MUST</bcp14> remain
within the issuer's origin. A redirect to a different origin, or
exceeding the hop limit, is a retrieval failure.</t>
          </li>
          <li>
            <t>Any other status, a TLS failure, an unparseable body, or a body
exceeding a consumer-chosen limit (which <bcp14>MUST</bcp14> allow at least
64 KiB) is a retrieval failure.</t>
          </li>
        </ul>
        <t>Example authorization server metadata:</t>
        <sourcecode type="json"><![CDATA[
{
  "issuer": "https://api.resource.example",
  "token_endpoint": "https://api.resource.example/token",
  "grant_types_supported": [
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "authorization_grant_profiles_supported": [
    "urn:ietf:params:oauth:grant-profile:id-jag"
  ],
  "identity_assertion_trust_policy_uri":
    "https://api.resource.example/.well-known/identity-assertion-trust-policy"
}
]]></sourcecode>
      </section>
      <section anchor="trust-policy-document">
        <name>Trust Policy Document</name>
        <t>The Identity Assertion Issuer Trust Policy is a JSON object served
over HTTPS with media type <tt>application/json</tt> (or a media type using
the structured <tt>+json</tt> suffix). Consumers <bcp14>MUST</bcp14> reject a policy whose
required members are absent or wrong-typed, <bcp14>MUST</bcp14> reject a document
containing duplicate member names at any object level, and <bcp14>MUST</bcp14> ignore
unrecognized members except those named in <tt>crit</tt> (<xref target="critical-members"/>).
The policy <bcp14>MAY</bcp14> include a <tt>crit</tt> member and a <tt>signed_policy</tt> member as
defined in <xref target="signed-policy-metadata"/> and <xref target="critical-members"/>. Members
are registered in <xref target="iana-trust-policy-members-registry"/>.</t>
        <t>Example:</t>
        <sourcecode type="json"><![CDATA[
{
  "resource_authorization_server": "https://api.resource.example",
  "authorization_grant_profiles_supported": [
    "urn:ietf:params:oauth:grant-profile:id-jag"
  ],
  "subject_identifier_formats_supported": ["email"],
  "issuer_trust_methods": [
    {
      "method": "openid_federation",
      "trust_anchors": ["https://federation.example.org"]
    },
    {
      "method": "domain_authorized_issuer"
    }
  ]
}
]]></sourcecode>
        <section anchor="members">
          <name>Members</name>
          <dl>
            <dt><tt>resource_authorization_server</tt></dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>. The issuer identifier of the Resource Authorization Server.
<bcp14>MUST</bcp14> exactly match the authorization server metadata <tt>issuer</tt> value
<xref target="RFC8414"/>.</t>
            </dd>
            <dt><tt>authorization_grant_profiles_supported</tt></dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>. JSON array of identity assertion grant profile identifiers
supported by this policy. This member uses the same name and identifier
space as the OAuth Authorization Server Metadata parameter defined in
<xref target="ID-JAG"/> §7.2; each value <bcp14>MUST</bcp14> match a profile identifier listed in
the authorization server metadata's
<tt>authorization_grant_profiles_supported</tt> parameter, where present.</t>
            </dd>
            <dt><tt>subject_identifier_formats_supported</tt></dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>. JSON array of Subject Identifier format names that the
Resource Authorization Server accepts. Values are defined by
<xref target="RFC9493"/>, by grant profile specifications, or by other
specifications. This member applies to all Trust Methods; an
individual Trust Method <bcp14>MAY</bcp14> constrain the formats it evaluates (for
example, <tt>domain_authorized_issuer</tt> evaluates only formats registered
in <xref target="iana-authority-registry"/>).</t>
            </dd>
            <dt><tt>issuer_trust_methods</tt></dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>. Non-empty JSON array of Trust Method objects (see
<xref target="trust-methods"/>). This member states the trust REQUIREMENTS the
Resource Authorization Server enforces against incoming identity
assertions, not a list of capabilities. An assertion is rejected
unless an Assertion Issuer satisfies the Trust Method combination
rule in <xref target="rasp"/> against the methods listed here; an issuer that
happens to satisfy a method not listed here is not acceptable. The
member is deliberately named without the <tt>_supported</tt> suffix used
by capability-style OAuth metadata parameters
(<xref target="RFC8414"/>) to signal that distinction. Local policy may add
requirements per client, subject, or scope; see <xref target="downgrade"/>.</t>
            </dd>
            <dt><tt>signed_policy</tt></dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>. Signed JWT containing policy members as claims, using the
representation defined in <xref target="signed-policy-metadata"/>. This member
follows the signed metadata pattern used by <xref target="RFC8414"/> and
<xref target="RFC9728"/>.</t>
            </dd>
          </dl>
        </section>
      </section>
      <section anchor="trust-methods">
        <name>Trust Methods</name>
        <section anchor="trust-method-structure">
          <name>Trust Method Object Structure</name>
          <t>A Trust Method object is a JSON object with a string-valued <tt>method</tt>
member naming a Trust Method identifier registered in
<xref target="iana-trust-methods-registry"/> plus any members required by that
identifier. An object whose required members are absent, wrong-typed,
or out-of-constraint is malformed. How an unrecognized or malformed
object is handled depends on the consumer's role: a client reading the
policy for capability discovery <bcp14>MAY</bcp14> skip objects it does not recognize
(it cannot satisfy them), but a Resource Authorization Server
evaluating an assertion <bcp14>MUST</bcp14> apply <xref target="rasp"/> step 5a and reject the
assertion, because ignoring the object would silently evaluate a
strict subset of the operator's declared requirements.</t>
        </section>
        <section anchor="trust-method-categories">
          <name>Trust Method Categories</name>
          <t>Each Trust Method belongs to one or more of the categories below
(registered in <xref target="iana-trust-method-categories-registry"/>) and is
itself registered in <xref target="iana-trust-methods-registry"/>. Evidence is
combined across categories per <xref target="combination-rule"/>; a single
evidence item is never counted toward more than one category, even
if its method is registered in several (<xref target="rasp"/> step 5a).</t>
          <dl>
            <dt><tt>issuer_authentication</tt></dt>
            <dd>
              <t>Is the entity identified by the JWT <tt>iss</tt> claim authentically a
member of a recognized ecosystem?</t>
            </dd>
            <dt><tt>subject_namespace_authorization</tt></dt>
            <dd>
              <t>Is this Assertion Issuer entitled to assert about subjects in the
named namespace? When a policy lists a method in this category, every
in-scope assertion must carry a resolvable Subject Identifier and
fails closed if it does not (<xref target="rasp"/> step 5c).</t>
            </dd>
          </dl>
          <t>Deployments accepting assertions about namespace-bound subjects
<bcp14>SHOULD</bcp14> list at least one <tt>subject_namespace_authorization</tt>
method; federation membership alone does not establish namespace
authority. Future specifications <bcp14>MAY</bcp14> register additional categories
(<xref target="iana-trust-method-categories-registry"/>).</t>
        </section>
        <section anchor="trust-method-spec-requirements">
          <name>Requirements on Trust Method Specifications</name>
          <t>A specification defining a new Trust Method (whether in this document
or a companion such as <xref target="DAI"/>) <bcp14>MUST</bcp14> provide all of the following, so
that the deferral from this framework to the method is testable:</t>
          <ul spacing="normal">
            <li>
              <t>The Trust Method identifier and the category or categories it
belongs to (<xref target="iana-trust-methods-registry"/>).</t>
            </li>
            <li>
              <t>The evidence the method consumes and the exact procedure by which a
Validator decides the method is satisfied for a given (issuer,
subject) pair, precise enough for interoperable implementation.</t>
            </li>
            <li>
              <t>The mapping of the method's retrieval and evaluation outcomes onto
the Affirmative / Negative / Indeterminate lookup states
(<xref target="exception-handling"/>), including which conditions fail closed.</t>
            </li>
            <li>
              <t>For methods in <tt>subject_namespace_authorization</tt>, the deterministic
binding from the assertion's Subject Identifier to the Subject
Authority whose evidence is consulted, consistent with the
single-source-selection rule (<xref target="multiple-sources"/>).</t>
            </li>
            <li>
              <t>Cache-lifetime bounds for any retrieved evidence, or an explicit
statement that the method caches nothing.</t>
            </li>
            <li>
              <t>Any method-specific parameters, their JSON types, and whether each
is <bcp14>REQUIRED</bcp14> or <bcp14>OPTIONAL</bcp14>.</t>
            </li>
          </ul>
          <t>A Trust Method specification <bcp14>MAY</bcp14> define provisional (monitoring)
enforcement semantics under which the Authority Holder's own
published policy directs Validators to log rather than reject a
mismatch (see, for example, <xref target="DAI"/> §Monitor Mode). Because the waiver is
published by the Authority Holder, not carried by the Assertion,
this does not conflict with <xref target="category-applicability"/>.</t>
        </section>
        <section anchor="issuer-authentication-methods">
          <name>Issuer Authentication Methods</name>
          <t><tt>issuer_authentication</tt>-category methods are satisfied by evidence
that the Assertion Issuer belongs to a recognized ecosystem.
Membership alone does not establish authority over any particular
subject namespace.</t>
          <section anchor="trust-method-openid-federation">
            <name>openid_federation</name>
            <t>The <tt>openid_federation</tt> method indicates that the Assertion Issuer is
acceptable if its OpenID Federation <xref target="OIDF-FEDERATION"/> trust chain
validates to a listed trust anchor and (when required by the policy)
the leaf holds the required Trust Marks.</t>
            <sourcecode type="json"><![CDATA[
{
  "method": "openid_federation",
  "trust_anchors": ["https://federation.example.org"],
  "trust_marks": [
    {
      "id": "https://federation.example.org/marks/loa3",
      "issuer": "https://federation.example.org"
    }
  ]
}
]]></sourcecode>
            <dl>
              <dt><tt>trust_anchors</tt></dt>
              <dd>
                <t><bcp14>REQUIRED</bcp14>. Non-empty JSON array of OpenID Federation trust anchor
entity identifiers.</t>
              </dd>
              <dt><tt>trust_marks</tt></dt>
              <dd>
                <t><bcp14>OPTIONAL</bcp14>. JSON array of Trust Mark requirement objects. When
present, the leaf's Entity Configuration <bcp14>MUST</bcp14> include at least one
Trust Mark satisfying every requirement object listed. Each
requirement object has:
</t>
                <dl>
                  <dt><tt>id</tt></dt>
                  <dd>
                    <t><bcp14>REQUIRED</bcp14>. String. The Trust Mark identifier.</t>
                  </dd>
                  <dt><tt>issuer</tt></dt>
                  <dd>
                    <t><bcp14>REQUIRED</bcp14>. String. The Entity Identifier of the Trust Mark
Issuer expected to have signed the Trust Mark.</t>
                  </dd>
                </dl>
              </dd>
            </dl>
            <t>The Resource Authorization Server <bcp14>MUST</bcp14> validate the federation
trust chain, metadata policy, and Trust Marks per
<xref target="OIDF-FEDERATION"/>; failure of any is failure of this Trust
Method.</t>
            <t>Lookup states (<xref target="exception-handling"/>): a fully validated chain
terminating at a listed trust anchor is Affirmative. A chain that
validates but establishes non-membership (no path to any listed
trust anchor, or an Entity Statement that authoritatively excludes
the leaf) is Negative. Any retrieval or validation failure that
prevents a definitive answer (an Entity Statement fetch failing or
timing out, a signature that cannot be verified because key material
is unavailable, an expired statement that cannot be refreshed) is
Indeterminate; both Negative and Indeterminate fail closed. Entity
Statement caching follows the statements' own <tt>exp</tt> values per
<xref target="OIDF-FEDERATION"/>, bounded by the consumer's local cache ceiling;
a cached chain <bcp14>MUST NOT</bcp14> be used past the earliest <tt>exp</tt> in the
chain.</t>
            <t>In addition to the procedures in <xref target="OIDF-FEDERATION"/>, the Resource
Authorization Server <bcp14>MUST</bcp14> apply the following framework-specific
requirements:</t>
            <ol spacing="normal" type="1"><li>
                <t><strong>Trust anchor match.</strong> The terminal trust anchor of the
validated chain <bcp14>MUST</bcp14> exactly match one of the listed
<tt>trust_anchors</tt> values.</t>
              </li>
              <li>
                <t><strong>Entity type constraint.</strong> The leaf's policy-applied federation
metadata <bcp14>MUST</bcp14> declare one of the entity types <tt>openid_provider</tt>
or <tt>oauth_authorization_server</tt> (<xref target="OIDF-FEDERATION"/> §5). The
presence of other entity types alone does not satisfy this
requirement.</t>
              </li>
              <li>
                <t><strong>Federation-bound JWKS resolution.</strong> The signing key for the
identity assertion JWT <bcp14>MUST</bcp14> be resolved from the leaf's
policy-applied federation metadata (the <tt>jwks</tt> or <tt>jwks_uri</tt>
value in <tt>metadata.openid_provider</tt> or
<tt>metadata.oauth_authorization_server</tt>). The Resource
Authorization Server <bcp14>MUST NOT</bcp14> use a JWKS retrieved outside the
federation (for example, fetched from the assertion <tt>iss</tt> URL
via <xref target="RFC8414"/> Authorization Server Metadata) unless that
JWKS exactly matches the federation-resolved JWKS. This
prevents a downgrade attack in which an attacker compromises
the AS metadata endpoint without compromising the federation
infrastructure.</t>
              </li>
              <li>
                <t><strong>Trust Mark satisfaction.</strong> If the Trust Method object
contains <tt>trust_marks</tt>, the leaf's Entity Configuration <bcp14>MUST</bcp14>
include Trust Marks satisfying every requirement object: each
requirement is satisfied when at least one Trust Mark in the
leaf's <tt>trust_marks</tt> array matches both <tt>id</tt> and <tt>issuer</tt> and
validates per <xref target="OIDF-FEDERATION"/> §7.</t>
              </li>
            </ol>
            <t>For OpenID Federation deployments, this Trust Method is the primary
integration point between the federation and this framework; see
<xref target="relationship-to-oidf"/> for positioning.</t>
          </section>
        </section>
        <section anchor="subject-namespace-authorization-methods">
          <name>Subject Namespace Authorization Methods</name>
          <t><tt>subject_namespace_authorization</tt>-category methods are satisfied
by evidence originating from the Subject Authority itself (typically
a DNS or HTTPS record published under the Subject Authority's
domain). The namespace-authorization trust graph is bounded to depth
one (<xref target="transitive-authz-bounded"/>). Concrete methods in this category
are defined by companion specifications and registered in the
Trust Methods registry (<xref target="iana-trust-methods-registry"/>).</t>
        </section>
        <section anchor="example-federation-dai">
          <name>Worked Example: OpenID Federation + DAI</name>
          <t>This non-normative example shows the two trust-evaluation
categories used together. A SaaS Resource Authorization Server
(<tt>api.saas.example</tt>) accepts identity assertions from federation
member Assertion Issuers about users in any customer namespace;
the customer authorizes which specific Assertion Issuer serves
its users.</t>
          <t>The Resource Authorization Server publishes:</t>
          <sourcecode type="json"><![CDATA[
{
  "resource_authorization_server": "https://api.saas.example",
  "authorization_grant_profiles_supported": [
    "urn:ietf:params:oauth:grant-profile:id-jag"
  ],
  "subject_identifier_formats_supported": ["email"],
  "issuer_trust_methods": [
    {
      "method": "openid_federation",
      "trust_anchors": ["https://federation.example.org"]
    },
    {
      "method": "domain_authorized_issuer"
    }
  ]
}
]]></sourcecode>
          <t>Customer <tt>acme.example</tt> publishes a DAI record naming
<tt>https://idp.example.net</tt> as its authorized Assertion Issuer.
That Assertion Issuer is also a federation member of
<tt>https://federation.example.org</tt>.</t>
          <t>A token-request flow with an ID-JAG carrying
<tt>email: alice@acme.example</tt>, <tt>email_verified: true</tt>,
<tt>iss: https://idp.example.net</tt>:</t>
          <ol spacing="normal" type="1"><li>
              <t>The Resource Authorization Server determines that both Trust
Methods are applicable (the Trust Policy lists one in each
category).</t>
            </li>
            <li>
              <t><strong>Authenticity</strong> (<tt>issuer_authentication</tt> category): the
Resource Authorization Server validates the OpenID Federation
trust chain from <tt>https://idp.example.net</tt> to
<tt>https://federation.example.org</tt>. This proves the Assertion
Issuer is an authentic federation member but says nothing
about its authority over <tt>acme.example</tt>.</t>
            </li>
            <li>
              <t><strong>Delegation authority</strong> (<tt>subject_namespace_authorization</tt>
category): the Resource Authorization Server extracts
<tt>acme.example</tt> from the <tt>email</tt> claim, looks up the DAI record
at <tt>_oauth-issuer-policy.acme.example</tt>, and confirms
<tt>https://idp.example.net</tt> appears in <tt>authorized_issuers</tt>. This
proves Acme delegated naming authority over its namespace to
this specific Assertion Issuer.</t>
            </li>
            <li>
              <t>The cross-category combination rule (<xref target="combination-rule"/>) is
satisfied: one Trust Method succeeded in each applicable
category. The Resource Authorization Server proceeds with
<tt>private_key_jwt</tt> client authentication and access-token
issuance.</t>
            </li>
          </ol>
          <t>If the Assertion Issuer were federation-authenticated but Acme
had not listed it in its DAI record, step 2 would succeed and
step 3 would fail; the Resource Authorization Server rejects with
<tt>invalid_grant</tt>.
Federation membership alone does not establish namespace
authority; the combination rule is what enforces this. A deeper
walkthrough including federation trust-chain validation and Trust
Mark satisfaction is in <xref target="example-federation-walkthrough"/>.</t>
        </section>
      </section>
      <section anchor="subject-authority-determination">
        <name>Subject Authority Determination</name>
        <t>Determining the Subject Authority has two steps: first identify which
registered Subject Identifier format the assertion carries, then apply
that format's extraction procedure. The grant-profile binding
(<xref target="bindings"/>) designates which claim conveys the Subject Identifier
and thus which format applies; for the bindings in this document, a
top-level <tt>email</tt> claim (with <tt>email_verified</tt>) is the <tt>email</tt> format.
A format is "used by the assertion" when the designated claim for that
format is present. If the designated claim maps to no registered
format, the <tt>subject_namespace_authorization</tt> category cannot be
evaluated and processing follows <xref target="rasp"/> step 5c.</t>
        <t>The Subject Authority associated with a Subject Identifier is then
determined as registered in <xref target="iana-authority-registry"/>. This
document registers the <tt>email</tt> extraction as the initial entry. The
extraction-procedure pattern (Subject Identifier format to Subject
Authority) is open: future specifications register additional
formats for service identities, decentralized identifiers,
federated handles, and other namespaces by adding entries to the
same registry without changes to the rest of the framework. See
<xref target="future-extensions"/>.</t>
        <t>Initial extractions:</t>
        <dl>
          <dt><tt>email</tt></dt>
          <dd>
            <t>The Subject Authority is derived from the assertion's top-level
<tt>email</tt> claim, which <bcp14>MUST</bcp14> be accompanied by a top-level
<tt>email_verified</tt> claim with the boolean value <tt>true</tt>. If the
<tt>email_verified</tt> claim is absent or has any value other than
<tt>true</tt>, consumers <bcp14>MUST</bcp14> treat the <tt>email</tt> Subject Identifier as
invalid for Subject Authority determination and <bcp14>MUST</bcp14> reject the
assertion when <tt>email</tt> is the Subject Identifier being evaluated.
Consumers <bcp14>MUST NOT</bcp14> treat an unverified <tt>email</tt> claim as though the
assertion carried no Subject Identifier.
</t>
            <t>The domain is the substring after the single <tt>@</tt>. Consumers <bcp14>MUST</bcp14>
reject an <tt>email</tt> claim value that does not contain exactly one <tt>@</tt>
character or whose domain part is empty; this document uses the
simple single-<tt>@</tt> rule rather than the full <xref target="RFC5321"/> addr-spec
grammar, and quoted local-parts or address forms that do not reduce
to a single unquoted <tt>@</tt> are out of scope for the <tt>email</tt> extraction.
The local-part is not used. A trailing dot on the domain, if present,
is removed. The domain is converted to A-label form per <xref target="RFC5891"/>
(applying IDNA processing, including Unicode normalization) before
any Public Suffix List matching, so that comparison operates on a
single canonical form.</t>
            <t>The A-label domain is then normalized to its registrable domain
("eTLD+1") by applying the Public Suffix List matching algorithm
<xref target="PSL"/>, including its wildcard <tt>*</tt> and exception <tt>!</tt> rules: the
Subject Authority is the shortest suffix of the domain that is one
label longer than the longest matching public suffix. Consumers
<bcp14>MUST</bcp14> use both the ICANN and PRIVATE divisions of the list (a
delegated namespace listed in the PRIVATE division, such as
<tt>team.example-pages.example</tt>, resolves to that namespace; using
only the ICANN division would compute a coarser Subject Authority
and query a different name). The result is compared using
case-insensitive ASCII comparison of A-labels. Consumers <bcp14>MUST</bcp14>
reject an email whose domain is itself a public suffix (no
registrable domain exists) and <bcp14>MUST</bcp14> reject a domain that is not a
valid A-label or U-label sequence. Registrable-domain
normalization prevents an attacker who controls a subdomain (for
example, via subdomain takeover) from overriding the legitimate
record at the registrable domain.</t>
          </dd>
        </dl>
        <t>A Subject Identifier whose format is not registered in
<xref target="iana-authority-registry"/> yields no Subject Authority; processing
follows <xref target="rasp"/> step 5c.</t>
        <t>Subject Authority extraction <bcp14>MUST</bcp14> be exact-match: wildcard, suffix,
regular-expression, and substring matching against Subject Authority
values are forbidden unless explicitly specified by the relevant
Subject Identifier format's extraction procedure.</t>
        <section anchor="psl-versioning">
          <name>Public Suffix List Versioning</name>
          <t>Deriving a registrable domain from a DNS name has no protocol
solution: the IETF DBOUND working group examined the problem of
determining administrative (organizational) boundaries in the DNS and
concluded without a standard, and the Public Suffix List remains the
de facto mechanism (it is used the same way by DMARC <xref target="RFC7489"/> organizational-
domain discovery and by cookie same-site rules). This framework
inherits the PSL's limitations knowingly.</t>
          <t>The PSL <xref target="PSL"/> is updated continuously, and snapshots taken at
different times can yield different registrable domains for the same
email. Because the Subject Authority is the DNS name queried, two
Resource Authorization Servers using different PSL snapshots can
compute different Subject Authorities for the same assertion and thus
query different names and reach different decisions; this is a
deterministic-source-selection hazard (<xref target="multiple-sources"/>) and a
security consideration, not merely an operational one, during the
window in which a label's public-suffix status is changing. Consumers
<bcp14>SHOULD</bcp14> use a snapshot of the <xref target="PSL"/> no older than 30 days.
The determinism property this framework claims holds for a given
computed Subject Authority; parties that require identical Subject
Authority computation across verifiers (for example, a Subject
Authority and the Resource Authorization Servers that consume its
policy) <bcp14>SHOULD</bcp14> agree on, or pin, a PSL snapshot. Subject Authorities
<bcp14>SHOULD</bcp14> monitor PSL changes affecting their namespace.</t>
        </section>
        <section anchor="subdomain-authority">
          <name>Subdomain Authority</name>
          <t>The registrable-domain default prevents subdomain-takeover from
capturing parent-domain authority. A subdomain-exact variant is
sketched in <xref target="future-extensions"/> and would require the parent
registrable-domain authority to explicitly delegate to the
subdomain.</t>
        </section>
      </section>
      <section anchor="signed-policy-metadata">
        <name>Signed Policy Metadata</name>
        <t>The Trust Policy and Issuer Authorization Policy documents <bcp14>MAY</bcp14> include
a <tt>signed_policy</tt> member that provides cryptographic integrity for
signed policy claims. When the signed JWT contains all recognized
decision-affecting policy members, <tt>signed_policy</tt> can provide
object-level integrity for the policy document. This member follows
the signed metadata pattern defined for authorization server metadata
in <xref target="RFC8414"/> and protected resource metadata in <xref target="RFC9728"/>.</t>
        <t>The <tt>signed_policy</tt> value is a JWT <xref target="RFC7519"/> in JWS Compact
Serialization <xref target="RFC7515"/> containing policy members as claims. The
JWT <bcp14>MUST</bcp14> be digitally signed using an asymmetric algorithm, <bcp14>MUST</bcp14>
contain an <tt>iss</tt> claim identifying the party attesting to the signed
policy claims, and <bcp14>MUST</bcp14> contain <tt>iat</tt>. It <bcp14>MUST</bcp14> contain <tt>exp</tt>, so that
a superseded signed policy cannot be replayed indefinitely (relevant
in the shared-infrastructure scenario for which signing is
recommended, <xref target="shared-infrastructure"/>); consumers <bcp14>MUST</bcp14> reject an expired
<tt>signed_policy</tt>. The JOSE header <bcp14>SHOULD</bcp14> contain a <tt>kid</tt> identifying
the signing key. The JWT payload <bcp14>SHOULD NOT</bcp14> contain a <tt>signed_policy</tt>
claim.</t>
        <t>Algorithms: <xref target="RFC8725"/> (JWT Best Current Practices) applies
unchanged. In addition, the JWT <bcp14>MUST NOT</bcp14> use a MAC algorithm
(HS256/384/512); verification keys are widely distributed and a
MAC scheme would require sharing the signing key with every
Validator, defeating the authority binding. Implementations <bcp14>MUST</bcp14>
support ES256 and <bcp14>SHOULD</bcp14> support EdDSA and ES384; RS256 with
&gt;=2048-bit keys <bcp14>MAY</bcp14> be supported for compatibility.</t>
        <t>Per <xref target="RFC8725"/> §3.11 (cross-context confusion), the JWT <tt>typ</tt>
header <bcp14>MUST</bcp14> be <tt>trust-policy+jwt</tt> for Trust Policy documents or
<tt>issuer-authorization-policy+jwt</tt> for Issuer Authorization Policy
documents. These are the registered media subtypes with the
<tt>application/</tt> prefix omitted, per the <xref target="RFC8725"/> §3.11 convention;
the corresponding media types are registered in
<xref target="iana-media-types"/>.</t>
        <t>The acceptable signer depends on which policy document is signed:</t>
        <ul spacing="normal">
          <li>
            <t>For the Trust Policy document, the JWT <tt>iss</tt> claim <bcp14>MUST</bcp14> equal the
<tt>resource_authorization_server</tt> claim. The verification key <bcp14>MUST</bcp14> be
controlled by that Resource Authorization Server. Consumers <bcp14>MAY</bcp14>
resolve the key from the Resource Authorization Server's
authorization server metadata <tt>jwks_uri</tt>, federation entity
configuration, or local configuration, except in the
shared-infrastructure trust model of <xref target="shared-infrastructure"/>,
where the <tt>jwks_uri</tt> typically traverses the same shared edge as
the policy document and the key <bcp14>MUST</bcp14> instead be resolved through
a channel independent of that edge (federation or local
configuration).</t>
          </li>
          <li>
            <t>For an Issuer Authorization Policy document, the JWT payload <bcp14>MUST</bcp14>
contain the member that identifies the Subject Authority in the
profile's wire format (<tt>subject_authority</tt> in <xref target="DAI"/>). The JWT
<tt>iss</tt> claim <bcp14>MUST</bcp14> either equal that Subject Authority identifier or
identify a signing authority that local policy or an applicable
Trust Method establishes as controlled by the Subject Authority.
Consumers <bcp14>MUST NOT</bcp14> treat a signature by an Assertion Issuer the
policy authorizes as proof of Subject Authority authorization
unless such a relationship is explicitly established.  </t>
            <t>
The verification key for an Issuer Authorization Policy signer <bcp14>MUST</bcp14>
be resolved through a channel independent of the one that carried
the policy document. A profile that admits <tt>signed_policy</tt> on the
Issuer Authorization Policy <bcp14>MUST</bcp14> specify at least one of the
following key-resolution mechanisms and state its trust assumptions:  </t>
            <ul spacing="normal">
              <li>
                <t>a key published under DNSSEC-signed records for the Subject
Authority;</t>
              </li>
              <li>
                <t>a key resolved through a federation or trust-anchor relationship
established by an <tt>issuer_authentication</tt> Trust Method; or</t>
              </li>
              <li>
                <t>a key configured out of band at the consumer.</t>
              </li>
            </ul>
            <t>
Rationale: an attacker who controls the publication channel can
substitute both the policy and, if the key is fetched over that same
channel, the key. Absent an independent channel, the signature
provides integrity no stronger than channel control (which already
establishes authority), and consumers <bcp14>MUST NOT</bcp14> rely on it to defend
against compromise of that channel.</t>
          </li>
        </ul>
        <t>If both unsigned policy members and <tt>signed_policy</tt> are present, the
signed policy claims <bcp14>MUST</bcp14> be used as the policy values for all claims
present in the JWT. Unsigned members that are not represented as claims
in the JWT <bcp14>MAY</bcp14> be used subject to the normal processing rules for
unrecognized members. A conflict exists when a member name appears in
both the unsigned outer document and the signed JWT payload AND the
two values are not equal when compared as parsed JSON values (member
order and insignificant whitespace ignored; equivalently, their JCS
<xref target="RFC8785"/> serializations differ). Consumers <bcp14>MUST</bcp14> reject a policy
that contains any such conflict; an attacker who can modify the outer
document but not the signed JWT otherwise has a lever to inject
visible-but-ignored members that may mislead operators or downstream
tooling.</t>
        <t>A publisher that needs to require <tt>signed_policy</tt> processing by all
conforming consumers lists <tt>signed_policy</tt> in the document's <tt>crit</tt>
member (<xref target="critical-members"/>); a consumer that does not implement
<tt>signed_policy</tt> processing then rejects the document rather than
silently ignoring the signature. Absent a <tt>crit</tt> entry, the presence
of <tt>signed_policy</tt> provides integrity only for consumers that support
and verify it, or for deployments where local policy requires signed
policy processing.</t>
        <t>If a consumer requires object-level integrity by local policy, the
consumer <bcp14>MUST</bcp14> verify the signed JWT before acting on the policy, and
the JWT payload <bcp14>MUST</bcp14> contain every recognized decision-affecting
member used by that consumer. The consumer <bcp14>MUST NOT</bcp14> use unsigned
recognized decision-affecting members that are absent from the JWT
payload. If signature verification fails, if the verification key is
unacceptable, if the JWT is malformed, if the required issuer binding
above is not satisfied, or if the JWT omits a recognized
decision-affecting member required for evaluation, the consumer <bcp14>MUST</bcp14>
reject the policy as malformed.</t>
      </section>
      <section anchor="critical-members">
        <name>Critical Members</name>
        <t>The Trust Policy and Issuer Authorization Policy documents <bcp14>MAY</bcp14> include
a <tt>crit</tt> member: a JSON array of strings naming other members of the
same document whose correct processing is <bcp14>REQUIRED</bcp14> for safe
interpretation. A consumer that does not recognize, or does not
implement processing for, any member named in <tt>crit</tt> <bcp14>MUST</bcp14> reject the
document as malformed rather than ignoring the unrecognized member.
Members not named in <tt>crit</tt> retain the default handling: unrecognized
members are ignored.</t>
        <t><tt>crit</tt>, when present, <bcp14>MUST</bcp14> be a non-empty array of strings; each string
<bcp14>SHOULD</bcp14> name a member that is actually present in the document. A
consumer <bcp14>MUST</bcp14> reject the document if <tt>crit</tt> is present but not a
non-empty array of strings, and <bcp14>MUST</bcp14> reject if <tt>crit</tt> names <tt>crit</tt>
itself. This is the same fail-closed pattern JWS (<xref target="RFC7515"/>
Section 4.1.11) uses for critical header parameters.</t>
        <t>Publishers <bcp14>MUST</bcp14> place <tt>crit</tt> in the outer (unsigned) document: a
<tt>crit</tt> present only in a <tt>signed_policy</tt> JWT payload is invisible to
consumers that do not process signatures and therefore has no effect
on them. It <bcp14>MAY</bcp14> additionally be duplicated as a claim in the signed
JWT so that its value is integrity-protected.</t>
        <t>This mechanism is defined in the base specification, with no member
named critical by default, so that a future extension can mark a new
decision-affecting member critical and have already-deployed
consumers honor it; an extension that omitted it from the base could
not retrofit fail-closed behavior onto the deployed base. The DNS
record form does not carry <tt>crit</tt>; see <xref target="crit-dns-form"/>.</t>
      </section>
    </section>
    <section anchor="trust-policy-processing">
      <name>Trust Policy Processing</name>
      <t>The trust policy governs whether an Assertion Issuer's identity
assertion is acceptable to the Resource Authorization Server. It does
not, by itself, authorize any particular access, scope, role, or
attribute. The Resource Authorization Server's local policy continues
to determine, for an accepted assertion, which scopes are granted,
which subject claims are honored for account linking, and which local
authorization decisions follow. The trust policy is necessary but not
sufficient: passing trust policy evaluation only means the Resource
Authorization Server is willing to consider the assertion as input to
its access-control logic.</t>
      <section anchor="client-processing">
        <name>Client Processing</name>
        <t>A client that wants to obtain an identity assertion JWT for a Resource
Authorization Server:</t>
        <ol spacing="normal" type="1"><li>
            <t>Discovers the Resource Authorization Server metadata <xref target="RFC8414"/>.</t>
          </li>
          <li>
            <t>Confirms that the desired grant profile is supported by checking
the <tt>authorization_grant_profiles_supported</tt> parameter
(<xref target="ID-JAG"/> §7.2) in the authorization server's metadata.</t>
          </li>
          <li>
            <t>Fetches the <tt>identity_assertion_trust_policy_uri</tt> document.</t>
          </li>
          <li>
            <t>Determines whether an available Assertion Issuer can satisfy the
Trust Method combination rule in <xref target="rasp"/>. For namespace-bound
Subject Identifiers, this usually means satisfying both an
<tt>issuer_authentication</tt> method (such as federation membership) and
a <tt>subject_namespace_authorization</tt> method (such as authorization
by the Subject Authority).</t>
          </li>
          <li>
            <t>Determines whether the Assertion Issuer can produce a Subject
Identifier in a format listed in
<tt>subject_identifier_formats_supported</tt>, if that member is present,
and required by the applicable grant profile.</t>
          </li>
          <li>
            <t>Requests an identity assertion JWT from the selected Assertion
Issuer.</t>
          </li>
        </ol>
        <t>The client <bcp14>MUST NOT</bcp14> treat the Trust Policy as a guarantee that a
particular assertion will be accepted. The Resource Authorization
Server always applies local policy at token request time.</t>
      </section>
      <section anchor="rasp">
        <name>Resource Authorization Server Processing</name>
        <t>This section specifies the normative processing procedure. It is the
OAuth-identity-assertion instantiation of the Authority Delegation
Model (<xref target="delegation-model"/>): each Trust Method category in the
applicable Trust Policy is evaluated under the cross-category
combination rule (<xref target="combination-rule"/>); lookup outcomes are
classified per <xref target="exception-handling"/>; source selection is
deterministic per <xref target="multiple-sources"/>.</t>
        <t>When evaluating an identity assertion JWT presented in a token
request, the Resource Authorization Server <bcp14>MUST</bcp14>:</t>
        <ol spacing="normal" type="1"><li>
            <t>Select and parse the Trust Policy that applies to the token request.
If the policy document is malformed, reject the assertion.
(Recognition of individual Trust Method objects is handled in
step 5a.)</t>
          </li>
          <li>
            <t>Validate the assertion per the applicable grant profile
(<xref target="RFC7521"/>, <xref target="RFC7523"/>, <xref target="ID-JAG"/>). This validation is
provisional with respect to signing-key resolution: a Trust
Method evaluated in step 5 <bcp14>MAY</bcp14> constrain the source of the key
used to verify the assertion signature (for example,
<tt>openid_federation</tt> requires a federation-resolved JWKS,
<xref target="trust-method-openid-federation"/>). The Resource Authorization
Server <bcp14>MUST NOT</bcp14> accept the assertion until the signature has been
verified with a key permitted by each key-source-constraining
Trust Method that it relies on to satisfy the combination rule in
step 5 (not every listed method: under the or-semantics of
<xref target="combination-rule"/>, a category may be satisfied by one of
several alternative methods, and only the constraints of the
method actually relied on apply). A signature validated only
against an unconstrained source, such as the <tt>iss</tt> URL's
authorization server metadata, does not satisfy this step when the
relied-on Trust Method constrains the key source.</t>
          </li>
          <li>
            <t>Verify that the applicable grant profile is listed in
<tt>authorization_grant_profiles_supported</tt>.</t>
          </li>
          <li>
            <t>If <tt>subject_identifier_formats_supported</tt> is present, verify that
the Subject Identifier format used by the assertion is listed,
unless the applicable grant profile defines a different format
selection rule.</t>
          </li>
          <li>
            <t>Verify that the Assertion Issuer identified by <tt>iss</tt> satisfies the
Trust Method combination rule:  </t>
            <t>
a. Partition the Trust Method objects in <tt>issuer_trust_methods</tt> by
   category (see <xref target="trust-method-categories"/>). A Trust Method
   registered with multiple categories belongs to each. If any
   object in <tt>issuer_trust_methods</tt> is not recognized, is
   malformed, or cannot be assigned to a category known to the
   Resource Authorization Server, the Resource Authorization
   Server <bcp14>MUST</bcp14> reject the assertion: it cannot determine whether
   it is evaluating the full set of requirements the operator
   declared, and silently ignoring the object would evaluate a
   strict subset (a fail-open category downgrade). A single
   evidence item <bcp14>MUST NOT</bcp14> be counted toward more than one category
   even when its Trust Method is registered in several.  </t>
            <t>
b. Each category present in the partitioned policy is applicable to
   every assertion evaluated under this policy; applicability is a
   property of the policy, not the assertion (<xref target="category-applicability"/>).
   For each present category, the Assertion Issuer <bcp14>MUST</bcp14> satisfy at
   least one Trust Method from that category.  </t>
            <t>
c. When the policy contains a <tt>subject_namespace_authorization</tt>
   Trust Method, the assertion <bcp14>MUST</bcp14> carry a Subject Identifier from
   which a Subject Authority can be determined per
   <xref target="subject-authority-determination"/> or an equivalent registry.
   If the assertion carries no such Subject Identifier, or no
   Subject Authority can be determined, the Resource Authorization
   Server <bcp14>MUST</bcp14> reject the assertion. The Resource Authorization
   Server <bcp14>MUST NOT</bcp14> treat the <tt>subject_namespace_authorization</tt>
   category as inapplicable because the assertion omits a Subject
   Identifier, and <bcp14>MUST NOT</bcp14> consume any subject or identity claim
   from the assertion for account linking, authorization, or
   subject resolution when the namespace category is present but
   cannot be evaluated.  </t>
            <t>
d. Local policy <bcp14>MAY</bcp14> require satisfaction of additional Trust
   Methods for specific clients, subjects, or scopes.  </t>
            <t>
e. When the policy lists only <tt>issuer_authentication</tt> methods and
   the assertion carries a namespace-bound Subject Identifier (one
   whose format has a registered Subject Authority extraction
   procedure, <xref target="iana-authority-registry"/>, so that the Resource
   Authorization Server can determine this without running a
   namespace method), the Resource Authorization Server <bcp14>MUST</bcp14>
   reject the assertion unless local policy independently
   establishes authority over the subject namespace: federation
   membership alone does not establish authority over a particular
   subject namespace.</t>
          </li>
          <li>
            <t>Apply local policy (account-linking, consent, authorization,
risk) and the applicable grant profile's client authentication
and sender-constraining; this document does not specify either.</t>
          </li>
        </ol>
        <t>Failure to satisfy issuer trust, subject identifier, or assertion
claim requirements in the Trust Policy <bcp14>MUST</bcp14> result in an OAuth
<tt>invalid_grant</tt> error unless another error is defined by the
applicable grant profile. Detailed trust-evaluation failure state
<bcp14>MUST NOT</bcp14> be returned to public clients in the OAuth error response;
it is a reconnaissance target.</t>
      </section>
    </section>
    <section anchor="bindings">
      <name>Grant Profile and Token Bindings</name>
      <t>This section defines bindings for ID-JAG (<xref target="id-jag-profile"/>) and
the generic JWT-bearer assertion grant (<xref target="jwt-bearer-profile"/>).
Other assertion-bearing grant profiles would supply analogous
bindings, naming their grant profile identifier, their Subject
Identifier-bearing claim, and any profile-specific JWT claims that
participate in Trust Method evaluation.</t>
      <t>Both bindings arrive at the token endpoint with
<tt>grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer</tt>. The
Resource Authorization Server determines which binding governs a
given assertion from the assertion's JWT <tt>typ</tt> header: an assertion
typed per <xref target="ID-JAG"/> is evaluated under <xref target="id-jag-profile"/>; other
JWT-bearer assertions are evaluated under <xref target="jwt-bearer-profile"/>.</t>
      <section anchor="id-jag-profile">
        <name>ID-JAG</name>
        <t>For ID-JAG <xref target="ID-JAG"/>, <tt>authorization_grant_profiles_supported</tt> contains the value
<tt>urn:ietf:params:oauth:grant-profile:id-jag</tt>. The Subject Identifier
for ID-JAG is the top-level <tt>email</tt> claim, accompanied by
<tt>email_verified=true</tt>, extracted per <xref target="subject-authority-determination"/>.
When the Trust Policy contains a <tt>subject_namespace_authorization</tt>
method, <xref target="rasp"/> step 5c requires the ID-JAG to carry that Subject
Identifier and requires rejection if it is absent or unresolvable.</t>
        <t>In addition to the processing in <xref target="rasp"/>, the Resource Authorization
Server <bcp14>MUST</bcp14>:</t>
        <ol spacing="normal" type="1"><li>
            <t>Validate the ID-JAG per <xref target="ID-JAG"/>.</t>
          </li>
          <li>
            <t>Verify that the <tt>email</tt> Subject Identifier, when the assertion
carries one, uses a format listed in
<tt>subject_identifier_formats_supported</tt>, if that trust policy member
is present. (Whether the assertion is required to carry the Subject
Identifier at all is governed by <xref target="rasp"/> step 5c.)</t>
          </li>
          <li>
            <t>Use the email attribution only for subject resolution and Subject
Authority evaluation. The Resource Authorization Server <bcp14>MUST NOT</bcp14>
treat the mere presence or value of the email claim as proof
that the ID-JAG issuer is authoritative for the subject; issuer
acceptability is established only by evaluating the Trust Methods.</t>
          </li>
        </ol>
      </section>
      <section anchor="jwt-bearer-profile">
        <name>Generic JWT-Bearer Assertion Grant</name>
        <t>This section provides the binding for the JWT-bearer authorization
grant of <xref target="RFC7523"/> Section 2.1 when the assertion carries an
identity claim to which Subject Authority Determination applies.
Other identity-carrying grant profiles (e.g., ID-JAG,
<xref target="id-jag-profile"/>) supply their own bindings.</t>
        <t>A Resource Authorization Server that accepts generic RFC 7523
JWT-bearer assertion grants advertises
<tt>urn:ietf:params:oauth:grant-type:jwt-bearer</tt> in
<tt>grant_types_supported</tt>. RFC 7523 defines no distinct grant-profile
identifier, so this framework reuses that grant-type URN as the
grant-profile identifier; a deployment accepting this grant <bcp14>MUST</bcp14> list
it in <tt>authorization_grant_profiles_supported</tt> so <xref target="rasp"/> step 3
applies uniformly.</t>
        <t>As with ID-JAG, the Subject Identifier for this binding is the
top-level <tt>email</tt> claim, accompanied by <tt>email_verified=true</tt>,
extracted per <xref target="subject-authority-determination"/>. The <tt>sub</tt> claim is
not a Subject Identifier source under this binding, even when its
value is in email form: <tt>sub</tt> is an issuer-scoped identifier
(<xref target="RFC7519"/>) that may merely resemble an email, and no verification
signal attests it (<tt>email_verified</tt> attests the <tt>email</tt> claim).
Fixing a single source preserves the deterministic
single-source-selection requirement of <xref target="multiple-sources"/>; an
Assertion Issuer whose subject identifiers are email-form <tt>sub</tt>
values participates by also emitting the <tt>email</tt> and <tt>email_verified</tt>
claims. A future extension <bcp14>MAY</bcp14> register an additional extraction
procedure (<xref target="iana-authority-registry"/>) for other claim sources.</t>
        <t>In addition to the processing in <xref target="rasp"/>, the Resource
Authorization Server <bcp14>MUST</bcp14>:</t>
        <ol spacing="normal" type="1"><li>
            <t>Validate the JWT per <xref target="RFC7523"/>.</t>
          </li>
          <li>
            <t>Verify that the <tt>email</tt> Subject Identifier, when the assertion
carries one, uses a format listed in
<tt>subject_identifier_formats_supported</tt>, if that trust policy
member is present.</t>
          </li>
          <li>
            <t>Treat the identity claim only as input to Subject Authority
evaluation. Issuer acceptability is established only by
evaluating the Trust Methods.</t>
          </li>
        </ol>
        <t>Because the generic JWT-bearer grant carries no <tt>tenant</tt> claim,
tenant-scoped authorization is not expressible for assertions
delivered under this grant; the resulting constraint on Subject
Authorities that rely on shared multi-tenant Assertion Issuers is
specified in <xref target="DAI"/> §Single-Issuer Multi-Tenant Identity Providers.</t>
        <t>This binding does not apply to JWT client authentication
(<xref target="RFC7523"/> Section 2.2), where the Subject Identifier is the
<tt>client_id</tt> registered with the authorization server and no
external namespace-owner delegation exists.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="rfc9700-alignment">
        <name>Alignment with OAuth Security BCP</name>
        <t>This document complements the OAuth 2.0 Security Best Current
Practice (<xref target="RFC9700"/>); it does not duplicate or override it. The
<tt>subject_namespace_authorization</tt> category is the wire-format
analog of <xref target="RFC9700"/> §4.4 (AS mix-up mitigations): to the extent the
Subject Authority's publication channel provides integrity, a Resource
Authorization Server will not accept an assertion from an AS that the
Subject Authority has not listed. This guarantee is only as strong as
the integrity of that channel: a Trust Method whose evidence is
published over unauthenticated DNS or a compromisable HTTPS origin can
be defeated by an attacker who controls that channel (see the
per-Trust-Method security analysis, e.g. <xref target="DAI"/>, and <xref target="multiple-sources"/>).
It is not an unconditional guarantee. Other
<xref target="RFC9700"/> topics (redirect URI validation, bearer-token replay,
client authentication) apply at the grant-profile and
client-authentication layers and are not addressed here.
Implementations <bcp14>SHOULD</bcp14> follow <xref target="RFC9700"/> at those layers.</t>
      </section>
      <section anchor="unverified-claim">
        <name>Unverified Claim Exploitation</name>
        <t>Source selection (<xref target="multiple-sources"/>) chooses which Authority
Source's delegation applies to the incoming Assertion. At the
point of selection, the Assertion's signature has not yet been
validated against any Delegation Artifact; the Assertion is an
untrusted payload. A profile whose source-selection algorithm
considers multiple claims, applies preference ordering, or falls
back from one input to another gives an attacker a selection lever.</t>
        <t>The attack: the attacker constructs an Assertion whose claims
satisfy multiple potential bindings. The Validator's selection
algorithm picks the weakest (or most attacker-favorable) Authority
Source's policy. The Assertion is evaluated against a Delegation
Artifact that the legitimate Authority Holder for the target
namespace never authorized.</t>
        <t>Worked example: an Assertion carries <tt>sub: alice@victim.example</tt> AND
<tt>tenant_context: attacker-tenant.example</tt>. A loosely written
profile selects the Authority Source by tenant context when
present, falling back to subject domain. The Validator selects
attacker-tenant.example, fetches that Authority Holder's
Delegation Artifact (which the attacker controls), validates the
Assertion against it, and accepts a claim about a victim.example
subject.</t>
        <t>The mitigation is <strong>deterministic source selection</strong>
(<xref target="multiple-sources"/>): a binding function from Assertion +
request context to exactly one Authority Source. Profiles <bcp14>MUST</bcp14>
define that function explicitly and the function <bcp14>MUST</bcp14>:</t>
        <ul spacing="normal">
          <li>
            <t>Use explicitly defined inputs (a single named claim, header,
request parameter, or fixed tuple).</t>
          </li>
          <li>
            <t>Produce exactly one Authority Source for any valid input, or
fail deterministically (no preference ordering, no fallback
across candidates).</t>
          </li>
          <li>
            <t>Be invariant under attacker-controlled inputs outside the
binding function: the presence, absence, or value of any other
claim <bcp14>MUST NOT</bcp14> alter the selected Authority Source.</t>
          </li>
        </ul>
        <t>The <tt>email</tt> extraction registered by this document derives the
Subject Authority deterministically from a single claim and does
not fall back; profiles registering additional extractions <bcp14>MUST</bcp14>
preserve this property.</t>
      </section>
      <section anchor="applicability-bypass">
        <name>Applicability Bypass</name>
        <t>The cross-category combination rule (<xref target="combination-rule"/>)
requires the Validator to evaluate every applicable category. A
profile that lets category applicability depend on the incoming
Assertion gives the attacker a way to waive the category by
constructing a matching Assertion.</t>
        <t>The attack: the profile (or local configuration) declares "the
delegation-authority category is not applicable when the
Assertion is from a legacy issuer" (or carries a legacy-flag
claim, or fails some heuristic that signals "legacy"). The
attacker constructs an Assertion matching the legacy condition.
The Validator silently skips the entire delegation-authority
evaluation; the open-world defense layer is bypassed and the
Validator falls back to authenticity alone, which the
cross-category combination rule was explicitly designed to forbid
as sufficient.</t>
        <t>The mitigation: category applicability <bcp14>MUST</bcp14> be a property of the
Validator's published Trust Policy, not of the incoming
Assertion. Migration scenarios where some traffic legitimately
predates a category's availability are handled at the policy
layer, not by silently waiving the category. Per-deployment-phase
policy is a configuration boundary; Assertion-driven waiver is an
attacker-controlled boundary.</t>
      </section>
      <section anchor="authority-source-compromise">
        <name>Authority Source Compromise</name>
        <t>The authority binding (publication channel) is the highest-value
target. A compromise of the publication channel (DNS hijack, TLS
misissuance plus DNS redirect, registrar account takeover,
compromise of the federation operator's signing key) substitutes
the Authority Holder's voice with the attacker's. Delegation
Artifacts published through the compromised channel are
indistinguishable from legitimate ones.</t>
        <t>This framework does not provide cryptographic recovery from
publication-channel compromise. Recovery is operational. Profiles
<bcp14>SHOULD</bcp14> recommend operational defenses appropriate to their
publication channel (DNSSEC, registry-lock, CAA records,
Certificate Transparency monitoring, federation key rotation).
See <xref target="DAI"/> §Security Considerations for the DNS+HTTPS
publication-channel compromise model.</t>
      </section>
      <section anchor="transitive-authz-bounded">
        <name>Transitive Authorization is Bounded</name>
        <t>The two trust categories make different transitivity choices, both
permitted within the taxonomy of <xref target="open-world"/>:</t>
        <ul spacing="normal">
          <li>
            <t><tt>issuer_authentication</tt> permits chained transitivity. The
<tt>openid_federation</tt> Trust Method accepts a chain from a leaf entity
to a trust anchor; the trust anchor's signature on intermediate
Subordinate Statements transitively authenticates the leaf.</t>
          </li>
          <li>
            <t><tt>subject_namespace_authorization</tt> requires depth-1 (no chaining).
A Subject Authority lists specific Assertion Issuers directly; it
cannot delegate further to whoever Issuer X federates. Revocation
latency is bounded by the Subject Authority's own cache lifetime
and does not compound across delegations.</t>
          </li>
        </ul>
        <t>The two categories are independent: federation membership does not
establish namespace authority, and namespace authorization does not
establish authenticity. The cross-category combination rule
(<xref target="rasp"/>) enforces this independence at evaluation time. See
<xref target="relationship-to-oidf"/> for positioning against OpenID Federation.</t>
      </section>
      <section anchor="scope-of-namespace-authorization">
        <name>Scope of Namespace Authorization</name>
        <t>Trust-policy evaluation establishes that the Assertion Issuer is
authorized to assert this class of Subject Identifiers under the
namespace. Resource Authorization Servers <bcp14>MUST</bcp14> still validate the
assertion (signature, audience, expiration, replay protection,
client binding) per the applicable grant profile, and <bcp14>MUST NOT</bcp14>
infer any of the following
from a successful trust-policy evaluation:</t>
        <ul spacing="normal">
          <li>
            <t>The named subject exists at the Assertion Issuer or controls
the email local-part (<xref target="DAI"/> §Email Local-Part Is Not Authenticated).</t>
          </li>
          <li>
            <t>The subject's current employment, enrollment, or organizational
status.</t>
          </li>
          <li>
            <t>The strength, freshness, or method of the Assertion Issuer's
authentication.</t>
          </li>
          <li>
            <t>Account-linking semantics (case sensitivity, plus-address or
alias handling) compatible with this Resource Authorization
Server's.</t>
          </li>
          <li>
            <t>Suitability for any specific risk class, scope sensitivity, or
compliance regime.</t>
          </li>
        </ul>
        <t>These properties are out of scope and obtained, if needed, through
mechanisms outside this framework (authentication-method/AAL
claims, fresh-authentication signals, account-status attestations,
out-of-band verification). In particular, <tt>email_verified=true</tt> is
a prerequisite for deriving namespace authority from the email's
domain; it is not evidence of current mailbox control.</t>
        <t>The authorization is also not audience-scoped: the
<tt>subject_namespace_authorization</tt> category constrains which
Assertion Issuers may assert about a namespace, not which Resource
Authorization Servers an authorized issuer may target, so a
compromised-but-authorized issuer can mint assertions about the
namespace's subjects for any consumer. Audience binding is enforced
by the assertion's <tt>aud</tt> claim and the applicable grant profile,
not by the Subject Authority; a future extension may let Authority
Holders constrain acceptable audiences (see <xref target="DAI"/> §Future
Extensions).</t>
      </section>
      <section anchor="per-assertion-revocation">
        <name>Per-Assertion Revocation Is Out of Scope</name>
        <t>This framework decides whether an Assertion Issuer is authorized;
it does not revoke individual assertions. JWT bearer tokens are
stateless and remain valid until <tt>exp</tt> regardless of session
termination, credential revocation at the Assertion Issuer, or
Subject Authority withdrawal of the issuer's authorization via
DAI (which prevents NEW assertions but does not invalidate
already-issued ones). Deployments requiring synchronous revocation <bcp14>MUST</bcp14> use OAuth
2.0 Token Revocation <xref target="RFC7009"/>, Token Introspection <xref target="RFC7662"/>,
or short assertion lifetimes at the grant-profile layer.</t>
      </section>
      <section anchor="integrity">
        <name>Policy Document Integrity</name>
        <t>The trust policy <bcp14>MUST</bcp14> be served over HTTPS with TLS server
authentication. Deployments needing integrity beyond TLS use the
<tt>signed_policy</tt> member (<xref target="signed-policy-metadata"/>), with the
signer binding rules defined there. Mirrored or cached copies
<bcp14>MUST NOT</bcp14> be relied on beyond their HTTP cache lifetime
(<xref target="caching"/>).</t>
      </section>
      <section anchor="shared-infrastructure">
        <name>Shared Infrastructure and Hosted Well-Known Paths</name>
        <t>Many deployments host <tt>/.well-known/</tt> resources behind third-party
Content Delivery Networks (CDNs), shared edge platforms, or
multi-tenant cloud hosting systems. TLS server authentication proves
that the client reached an endpoint serving the requested host name;
it does not prove that every routing rule, origin-pull rule, cache
rule, or tenant boundary inside the shared platform is controlled by
the namespace owner.</t>
        <t>This matters for both the Resource Authorization Server trust policy
and the Subject Authority's Issuer Authorization Policy. If an
attacker can exploit shared infrastructure to serve a forged
<tt>/.well-known/oauth-issuer-policy</tt> response for a victim domain, the
attacker can attempt to authorize an Assertion Issuer for that
victim's namespace even though the HTTPS connection itself succeeds.
Similar risks arise from misconfigured path routing, dangling origins,
tenant takeover, cache poisoning, or origin authentication failures.</t>
        <t>Administrators <bcp14>SHOULD</bcp14> avoid delegating security-critical well-known
paths to multi-tenant infrastructure unless they can ensure exclusive
control over routing for those paths, authenticated origin access,
cache invalidation, and tenant isolation. Deployments that host policy
documents on shared infrastructure and treat the shared edge as
outside their trust boundary <bcp14>MUST</bcp14> use object-level cryptographic
integrity for the policy document itself, such as the <tt>signed_policy</tt>
member (<xref target="signed-policy-metadata"/>), rather than relying on the TLS
channel to the shared edge. The signing key <bcp14>MUST</bcp14> be controlled by the
Subject Authority or Resource Authorization Server independently of CDN
tenant configuration, and <bcp14>MUST</bcp14> be resolvable through a channel
independent of the shared edge (see the key-resolution requirement in
<xref target="signed-policy-metadata"/>).</t>
        <t>Because the <tt>crit</tt> member (<xref target="critical-members"/>) is itself carried in
the unsigned document, an attacker who can strip <tt>signed_policy</tt> can
strip <tt>crit</tt> with it; publisher-side criticality therefore does not
defend against stripping by an on-path or edge attacker. A
<tt>signed_policy</tt> member is only effective against such an attacker if
consumers are configured to require it: the attacker can otherwise
serve an unsigned document, which a consumer not configured to require
signatures would accept (a signature-stripping downgrade). A consumer
operating in a shared-infrastructure trust model therefore <bcp14>MUST</bcp14> require
and verify <tt>signed_policy</tt> before acting on the policy, <bcp14>MUST</bcp14> reject a
policy that omits it, and <bcp14>MUST</bcp14> treat a valid TLS connection to a shared
edge as insufficient by itself.</t>
      </section>
      <section anchor="downgrade">
        <name>Downgrade Attacks</name>
        <t>A Resource Authorization Server that supports multiple Trust Methods
<bcp14>SHOULD</bcp14> define local precedence rules. Because or-semantics apply
within a single Trust Method category and the client cannot observe
per-subject local requirements, Resource Authorization Servers <bcp14>MUST</bcp14>
enforce differentiated requirements at token request time rather than
relying on the policy document alone; a client's choice of a weaker
listed Trust Method is not a protocol violation the client can be
held to but a condition the Resource Authorization Server rejects. The
cross-category combination rule in <xref target="rasp"/> prevents downgrade across
categories (for example, satisfying only an <tt>issuer_authentication</tt>
method when a <tt>subject_namespace_authorization</tt> method is also
applicable).</t>
      </section>
      <section anchor="caching">
        <name>Trust Policy Caching</name>
        <t>Consumers cache the Trust Policy using ordinary HTTP caching (see
<xref target="RFC9111"/> for the mechanism), bounded by a local maximum cache
lifetime. Independent of any policy-document cache expiration,
revocation status of validated trust evidence <bcp14>MUST</bcp14> be checked at the
cadence required by the applicable Trust Method specification. Transport integrity is addressed in <xref target="integrity"/>.</t>
      </section>
      <section anchor="observability">
        <name>Observability</name>
        <t>Trust-policy evaluation is a security-critical decision; deployments
are encouraged to log, for each processed assertion, at minimum the
Assertion Issuer identifier, the Trust Policy URI with its retrieval
time and cache validator (for example, its ETag), the Trust Methods
that succeeded, the matched trust
anchor or Issuer Authorization Policy origin, the Subject Identifier
format, and the accept/reject outcome, and to support correlation
across the issuance and verification halves of an identity-chain
transaction.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Trust policies are typically published as unauthenticated HTTPS
resources. Adversaries can scrape them across many Resource
Authorization Servers to map federation deployment landscapes:
which RASes participate in which federations, which trust anchors
are accepted, which Subject Identifier formats are honored. This
information aids targeted attacks (for example, prioritizing
compromise of a heavily-relied-upon trust anchor). Operators
should publish only what clients need to determine whether they
can attempt issuance, and prefer trust-anchor or federation
expression over enumerating individual issuers.</t>
      <t>Subject Authority lookup at the RAS reveals the queried Subject
Authority to DNS resolvers and, for HTTPS retrieval, to the policy
host. RASes verifying with <tt>domain_authorized_issuer</tt> should treat
the Subject Authority and Assertion Issuer relationship as
sensitive operational data and avoid sending full subject
identifiers in policy URLs, query parameters, logs, or telemetry.</t>
    </section>
    <section anchor="internationalization-considerations">
      <name>Internationalization Considerations</name>
      <t>The <tt>email</tt> Subject Identifier format carries an internationalized
domain. Consumers convert the domain to A-label form per <xref target="RFC5891"/>
(applying IDNA2008 processing, including Unicode normalization) before
Public Suffix List matching and before comparison, and compare A-labels
using case-insensitive ASCII comparison
(<xref target="subject-authority-determination"/>). Performing all comparison on the
A-label form means two visually distinct Unicode domains that map to
different A-labels are correctly treated as different Subject
Authorities; conversely, this mechanism does not by itself defend
against homograph confusion presented to a human at account-linking or
display time, which is out of scope and left to the consuming
application. Comparison operates on the mechanism level, not the visual
level.</t>
      <t>The <tt>email</tt> extraction uses the simple single-<tt>@</tt> rule and does not
implement the full <xref target="RFC5321"/> addr-spec grammar; internationalized
email addresses (SMTPUTF8, <xref target="RFC6530"/>) whose local-part requires
UTF-8 are outside the scope of the <tt>email</tt> extraction defined here,
though the domain of such an address is handled normally once isolated.
A future Subject Identifier format may define richer address handling
by registering its own extraction procedure (<xref target="iana-authority-registry"/>).</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="trust-policy-registrations">
        <name>Trust Policy Registrations</name>
        <section anchor="oauth-authorization-server-metadata-registry">
          <name>OAuth Authorization Server Metadata Registry</name>
          <t>Registers <tt>identity_assertion_trust_policy_uri</tt> in the IANA "OAuth
Authorization Server Metadata" registry:</t>
          <dl>
            <dt>Metadata Name:</dt>
            <dd>
              <t><tt>identity_assertion_trust_policy_uri</tt></t>
            </dd>
            <dt>Metadata Description:</dt>
            <dd>
              <t>HTTPS URI identifying the Resource Authorization Server's Identity
Assertion Issuer Trust Policy document.</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document:</dt>
            <dd>
              <t>This document</t>
            </dd>
          </dl>
        </section>
        <section anchor="oauth-protected-resource-metadata-registry">
          <name>OAuth Protected Resource Metadata Registry</name>
          <t>Registers the same parameter in the IANA "OAuth Protected Resource
Metadata" registry <xref target="RFC9728"/>:</t>
          <dl>
            <dt>Metadata Name:</dt>
            <dd>
              <t><tt>identity_assertion_trust_policy_uri</tt></t>
            </dd>
            <dt>Metadata Description:</dt>
            <dd>
              <t>HTTPS URI identifying the Identity Assertion Issuer Trust Policy
document applied by the Resource Authorization Server associated
with this Protected Resource.</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document:</dt>
            <dd>
              <t>This document</t>
            </dd>
          </dl>
        </section>
        <section anchor="iana-trust-policy-well-known">
          <name>Well-Known URI for Trust Policy</name>
          <t>Registers the following well-known URI in the IANA "Well-Known URIs"
registry <xref target="RFC8615"/>:</t>
          <dl>
            <dt>URI Suffix:</dt>
            <dd>
              <t><tt>identity-assertion-trust-policy</tt></t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Specification Document:</dt>
            <dd>
              <t>This document</t>
            </dd>
            <dt>Status:</dt>
            <dd>
              <t>permanent</t>
            </dd>
            <dt>Related Information:</dt>
            <dd>
              <t>None</t>
            </dd>
          </dl>
        </section>
        <section anchor="iana-trust-method-categories-registry">
          <name>Identity Assertion Issuer Trust Method Categories Registry</name>
          <t>IANA is requested to establish a new registry titled "Identity
Assertion Issuer Trust Method Categories" under the "OAuth Parameters"
registry group. This registry backs the category values used by the
Trust Methods registry and referenced by the combination rule
(<xref target="combination-rule"/>).</t>
          <t>Registration policy: Specification Required <xref target="RFC8126"/>.</t>
          <t>Each registry entry contains a Category Name (character set <tt>[a-z0-9_]</tt>),
a Description of the trust question the category answers, a Change
Controller, and a Specification Document.</t>
          <t>Designated Expert instructions: the expert verifies that the proposed
category answers a trust question genuinely distinct from existing
categories (so that the cross-category AND semantics of
<xref target="combination-rule"/> remain meaningful) and that the description makes
clear what evidence satisfies it. Categories that merely rename or
subdivide an existing category <bcp14>SHOULD</bcp14> be rejected.</t>
          <t>Initial entries:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Category Name</th>
                <th align="left">Description</th>
                <th align="left">Change Controller</th>
                <th align="left">Specification Document</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>issuer_authentication</tt></td>
                <td align="left">Establishes that the Assertion Issuer is an authentic, recognized entity</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>subject_namespace_authorization</tt></td>
                <td align="left">Establishes that the Assertion Issuer is authorized by the subject's namespace owner</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="iana-trust-methods-registry">
          <name>Identity Assertion Issuer Trust Methods Registry</name>
          <t>IANA is requested to establish a new registry titled "Identity
Assertion Issuer Trust Methods" under the "OAuth Parameters"
registry group.</t>
          <t>Registration policy: Specification Required <xref target="RFC8126"/>.</t>
          <t>Each registry entry contains:</t>
          <dl>
            <dt>Identifier:</dt>
            <dd>
              <t>Short string used as the <tt>method</tt> value in a Trust Method object.
Identifiers <bcp14>MUST</bcp14> use the character set <tt>[a-z0-9_]</tt> and <bcp14>SHOULD</bcp14>
describe the trust evaluation procedure.</t>
            </dd>
            <dt>Categories:</dt>
            <dd>
              <t>One or more values registered in the Trust Method Categories
registry (<xref target="iana-trust-method-categories-registry"/>).</t>
            </dd>
            <dt>Parameters:</dt>
            <dd>
              <t>Additional JSON members defined for this Trust Method, with their
JSON types and whether each is <bcp14>REQUIRED</bcp14> or <bcp14>OPTIONAL</bcp14>.</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>The party responsible for change control.</t>
            </dd>
            <dt>Reference:</dt>
            <dd>
              <t>A reference to the specification defining the Trust Method.</t>
            </dd>
          </dl>
          <t>Designated Expert instructions: the expert verifies that the
identifier is unique and descriptive; that each listed category is
registered; that the Trust Method's evidence and evaluation procedure
are specified precisely enough for interoperable implementation
(including its mapping onto the Affirmative/Negative/Indeterminate
lookup states and any cache-lifetime bounds, per
<xref target="trust-method-spec-requirements"/>); and that parameter names do not
collide in meaning with parameters of other methods in a way that
would be ambiguous when methods are combined.</t>
          <t>Initial entries:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Identifier</th>
                <th align="left">Categories</th>
                <th align="left">Parameters</th>
                <th align="left">Change Controller</th>
                <th align="left">Reference</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>openid_federation</tt></td>
                <td align="left">
                  <tt>issuer_authentication</tt></td>
                <td align="left">
                  <tt>trust_anchors</tt> (array of string, <bcp14>REQUIRED</bcp14>); <tt>trust_marks</tt> (array of object, <bcp14>OPTIONAL</bcp14>)</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="iana-trust-policy-members-registry">
          <name>Trust Policy Members Registry</name>
          <t>IANA is requested to establish a new registry titled "Identity
Assertion Issuer Trust Policy Members" under the "OAuth Parameters"
registry group.</t>
          <t>Registration policy: Specification Required <xref target="RFC8126"/>.</t>
          <t>Each registry entry contains:</t>
          <dl>
            <dt>Member Name:</dt>
            <dd>
              <t>JSON member name used in the Trust Policy document.</t>
            </dd>
            <dt>Member Description:</dt>
            <dd>
              <t>A short description of the member's semantics.</t>
            </dd>
            <dt>Change Controller:</dt>
            <dd>
              <t>The party responsible for change control.</t>
            </dd>
            <dt>Specification Document:</dt>
            <dd>
              <t>A reference to the specification defining the member.</t>
            </dd>
          </dl>
          <t>Designated Expert instructions: the expert verifies that the member
name does not collide with an existing member, that its semantics and
JSON type are specified, and that any decision-affecting member states
how a consumer that does not recognize it behaves (the default is that
unrecognized members are ignored; a member requiring fail-closed
handling needs the criticality mechanism of <xref target="critical-members"/>).</t>
          <t>Initial entries:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Member Name</th>
                <th align="left">Member Description</th>
                <th align="left">Change Controller</th>
                <th align="left">Specification Document</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>resource_authorization_server</tt></td>
                <td align="left">Resource Authorization Server issuer identifier</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>authorization_grant_profiles_supported</tt></td>
                <td align="left">Supported identity assertion grant profile identifiers</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>subject_identifier_formats_supported</tt></td>
                <td align="left">Supported Subject Identifier formats</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>issuer_trust_methods</tt></td>
                <td align="left">Trust Method requirements enforced for incoming identity assertions</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>signed_policy</tt></td>
                <td align="left">Signed JWT containing policy members as claims</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>crit</tt></td>
                <td align="left">Names decision-affecting members a consumer <bcp14>MUST</bcp14> understand or reject the document</td>
                <td align="left">IETF</td>
                <td align="left">This document</td>
              </tr>
            </tbody>
          </table>
        </section>
      </section>
      <section anchor="iana-authority-registry">
        <name>Subject Authority Extraction Procedures Registry</name>
        <t>IANA is requested to establish a new registry titled "Subject
Authority Extraction Procedures" under the "OAuth Parameters"
registry group.</t>
        <t>Registration policy: Specification Required <xref target="RFC8126"/>.</t>
        <t>Each registry entry contains:</t>
        <dl>
          <dt>Subject Identifier Format:</dt>
          <dd>
            <t>The Subject Identifier format identifier (typically registered in
the "Security Event Subject Identifier Formats" registry per
<xref target="RFC9493"/>).</t>
          </dd>
          <dt>Subject Authority Form:</dt>
          <dd>
            <t>A short description of the form taken by the Subject Authority for
this format (for example, "DNS domain", "URL host").</t>
          </dd>
          <dt>Extraction Procedure:</dt>
          <dd>
            <t>A reference to the specification text that defines how the Subject
Authority is computed from a Subject Identifier of this format.</t>
          </dd>
        </dl>
        <t>Designated Expert instructions: the expert verifies that the format
has a well-defined namespace authority, that the extraction procedure
is deterministic (two consumers compute the same Subject Authority
from the same Subject Identifier), and that it specifies exact-match
comparison semantics per <xref target="subject-authority-determination"/>.</t>
        <t>Future specifications that define new Subject Identifier formats are
expected to register additional entries here when those identifiers
have a well-defined namespace authority.</t>
        <t>Initial entries:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Subject Identifier Format</th>
              <th align="left">Subject Authority Form</th>
              <th align="left">Extraction Procedure</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>email</tt></td>
              <td align="left">DNS domain</td>
              <td align="left">
                <xref target="subject-authority-determination"/> of this document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-media-types">
        <name>Media Type Registrations</name>
        <t>IANA is requested to register the following media types in the "Media
Types" registry for the signed document forms
(<xref target="signed-policy-metadata"/>). Following <xref target="RFC8725"/> §3.11, the JWT
<tt>typ</tt> header value is the media subtype with the <tt>application/</tt>
prefix omitted (<tt>trust-policy+jwt</tt> and
<tt>issuer-authorization-policy+jwt</tt>, respectively), as required in
<xref target="signed-policy-metadata"/>.</t>
        <t>For <tt>application/trust-policy+jwt</tt>: Type name <tt>application</tt>; Subtype
name <tt>trust-policy+jwt</tt>; Required parameters none; Optional parameters
none; Encoding considerations 8bit (the value is a JWT in JWS Compact
Serialization, a sequence of base64url-encoded values separated by
periods, per <xref target="RFC7519"/> Section 10.3.1);
Security considerations <xref target="signed-policy-metadata"/> and the Security
Considerations of this document; Interoperability considerations none;
Published specification this document; Applications OAuth Resource
Authorization Servers; Fragment identifier considerations none; Change
controller IETF.</t>
        <t>For <tt>application/issuer-authorization-policy+jwt</tt>: as above, with
Subtype name <tt>issuer-authorization-policy+jwt</tt> and Applications OAuth
Subject Authorities and Resource Authorization Servers.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7521">
          <front>
            <title>Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="Y. Goland" initials="Y." surname="Goland"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. Mechanisms are specified for transporting assertions during interactions with a token endpoint; general processing rules are also specified.</t>
              <t>The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms.</t>
              <t>Note that this specification only defines abstract message flows and processing rules. In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7521"/>
          <seriesInfo name="DOI" value="10.17487/RFC7521"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC8725">
          <front>
            <title>JSON Web Token Best Current Practices</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="225"/>
          <seriesInfo name="RFC" value="8725"/>
          <seriesInfo name="DOI" value="10.17487/RFC8725"/>
        </reference>
        <reference anchor="RFC8785">
          <front>
            <title>JSON Canonicalization Scheme (JCS)</title>
            <author fullname="A. Rundgren" initials="A." surname="Rundgren"/>
            <author fullname="B. Jordan" initials="B." surname="Jordan"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>Cryptographic operations like hashing and signing need the data to be expressed in an invariant format so that the operations are reliably repeatable. One way to address this is to create a canonical representation of the data. Canonicalization also permits data to be exchanged in its original form on the "wire" while cryptographic operations performed on the canonicalized counterpart of the data in the producer and consumer endpoints generate consistent results.</t>
              <t>This document describes the JSON Canonicalization Scheme (JCS). This specification defines how to create a canonical representation of JSON data by building on the strict serialization methods for JSON primitives defined by ECMAScript, constraining JSON data to the Internet JSON (I-JSON) subset, and by using deterministic property sorting.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8785"/>
          <seriesInfo name="DOI" value="10.17487/RFC8785"/>
        </reference>
        <reference anchor="RFC9493">
          <front>
            <title>Subject Identifiers for Security Event Tokens</title>
            <author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
            <author fullname="M. Scurtescu" initials="M." surname="Scurtescu"/>
            <author fullname="P. Jain" initials="P." surname="Jain"/>
            <date month="December" year="2023"/>
            <abstract>
              <t>Security events communicated within Security Event Tokens may support a variety of identifiers to identify subjects related to the event. This specification formalizes the notion of Subject Identifiers as structured information that describes a subject and named formats that define the syntax and semantics for encoding Subject Identifiers as JSON objects. It also establishes a registry for defining and allocating names for such formats as well as the JSON Web Token (JWT) "sub_id" Claim.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9493"/>
          <seriesInfo name="DOI" value="10.17487/RFC9493"/>
        </reference>
        <reference anchor="RFC9728">
          <front>
            <title>OAuth 2.0 Protected Resource Metadata</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <author fullname="A. Parecki" initials="A." surname="Parecki"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9728"/>
          <seriesInfo name="DOI" value="10.17487/RFC9728"/>
        </reference>
        <reference anchor="RFC5891">
          <front>
            <title>Internationalized Domain Names in Applications (IDNA): Protocol</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This document is the revised protocol definition for Internationalized Domain Names (IDNs). The rationale for changes, the relationship to the older specification, and important terminology are provided in other documents. This document specifies the protocol mechanism, called Internationalized Domain Names in Applications (IDNA), for registering and looking up IDNs in a way that does not require changes to the DNS itself. IDNA is only meant for processing domain names, not free text. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5891"/>
          <seriesInfo name="DOI" value="10.17487/RFC5891"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="OIDF-FEDERATION" target="https://openid.net/specs/openid-federation-1_0.html">
          <front>
            <title>OpenID Federation 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ID-JAG" target="https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/">
          <front>
            <title>Identity Assertion JWT Authorization Grant</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="PSL" target="https://publicsuffix.org/">
          <front>
            <title>Public Suffix List</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC5321">
          <front>
            <title>Simple Mail Transfer Protocol</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <date month="October" year="2008"/>
            <abstract>
              <t>This document is a specification of the basic protocol for Internet electronic mail transport. It consolidates, updates, and clarifies several previous documents, making all or parts of most of them obsolete. It covers the SMTP extension mechanisms and best practices for the contemporary Internet, but does not provide details about particular extensions. Although SMTP was designed as a mail transport and delivery protocol, this specification also contains information that is important to its use as a "mail submission" protocol for "split-UA" (User Agent) mail reading systems and mobile environments. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5321"/>
          <seriesInfo name="DOI" value="10.17487/RFC5321"/>
        </reference>
        <reference anchor="RFC6530">
          <front>
            <title>Overview and Framework for Internationalized Email</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="Y. Ko" initials="Y." surname="Ko"/>
            <date month="February" year="2012"/>
            <abstract>
              <t>Full use of electronic mail throughout the world requires that (subject to other constraints) people be able to use close variations on their own names (written correctly in their own languages and scripts) as mailbox names in email addresses. This document introduces a series of specifications that define mechanisms and protocol extensions needed to fully support internationalized email addresses. These changes include an SMTP extension and extension of email header syntax to accommodate UTF-8 data. The document set also includes discussion of key assumptions and issues in deploying fully internationalized email. This document is a replacement for RFC 4952; it reflects additional issues identified since that document was published. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6530"/>
          <seriesInfo name="DOI" value="10.17487/RFC6530"/>
        </reference>
        <reference anchor="RFC7009">
          <front>
            <title>OAuth 2.0 Token Revocation</title>
            <author fullname="T. Lodderstedt" initials="T." role="editor" surname="Lodderstedt"/>
            <author fullname="S. Dronia" initials="S." surname="Dronia"/>
            <author fullname="M. Scurtescu" initials="M." surname="Scurtescu"/>
            <date month="August" year="2013"/>
            <abstract>
              <t>This document proposes an additional endpoint for OAuth authorization servers, which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7009"/>
          <seriesInfo name="DOI" value="10.17487/RFC7009"/>
        </reference>
        <reference anchor="RFC7033">
          <front>
            <title>WebFinger</title>
            <author fullname="P. Jones" initials="P." surname="Jones"/>
            <author fullname="G. Salgueiro" initials="G." surname="Salgueiro"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Smarr" initials="J." surname="Smarr"/>
            <date month="September" year="2013"/>
            <abstract>
              <t>This specification defines the WebFinger protocol, which can be used to discover information about people or other entities on the Internet using standard HTTP methods. WebFinger discovers information for a URI that might not be usable as a locator otherwise, such as account or email URIs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7033"/>
          <seriesInfo name="DOI" value="10.17487/RFC7033"/>
        </reference>
        <reference anchor="RFC7489">
          <front>
            <title>Domain-based Message Authentication, Reporting, and Conformance (DMARC)</title>
            <author fullname="M. Kucherawy" initials="M." role="editor" surname="Kucherawy"/>
            <author fullname="E. Zwicky" initials="E." role="editor" surname="Zwicky"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.</t>
              <t>Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.</t>
              <t>DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7489"/>
          <seriesInfo name="DOI" value="10.17487/RFC7489"/>
        </reference>
        <reference anchor="RFC7662">
          <front>
            <title>OAuth 2.0 Token Introspection</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7662"/>
          <seriesInfo name="DOI" value="10.17487/RFC7662"/>
        </reference>
        <reference anchor="RFC9700">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="OIDC-DISCOVERY" target="https://openid.net/specs/openid-connect-discovery-1_0.html">
          <front>
            <title>OpenID Connect Discovery 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DAI" target="https://datatracker.ietf.org/doc/draft-mcguinness-oauth-domain-authorized-issuer/">
          <front>
            <title>OAuth Domain-Authorized Issuer Trust Method</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-chaining" target="https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC9111">
          <front>
            <title>HTTP Caching</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.</t>
              <t>This document obsoletes RFC 7234.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="98"/>
          <seriesInfo name="RFC" value="9111"/>
          <seriesInfo name="DOI" value="10.17487/RFC9111"/>
        </reference>
      </references>
    </references>
    <?line 2113?>

<section anchor="design-rationale">
      <name>Design Rationale</name>
      <t>This appendix is non-normative. It records the design choices that
shaped the framework, for reviewers and implementers who want to
understand why specific decisions were made.</t>
      <section anchor="relationship-to-oidf">
        <name>Relationship to OpenID Federation</name>
        <t>OpenID Federation <xref target="OIDF-FEDERATION"/> and this framework address
distinct questions: federation answers "is this issuer an
authentic ecosystem member?" via trust chains; this framework
adds "is this issuer authorized for <em>this</em> namespace?" via Subject
Authority publication. Federation membership feeds the
<tt>issuer_authentication</tt> category through the <tt>openid_federation</tt>
Trust Method (<xref target="trust-method-openid-federation"/>); namespace
authority comes from the orthogonal
<tt>subject_namespace_authorization</tt> category. This document does
not duplicate or replace federation mechanisms; it composes with
them.</t>
      </section>
      <section anchor="why-bounded-depth-1-namespace-authorization">
        <name>Why Bounded-Depth-1 Namespace Authorization</name>
        <t>The <tt>subject_namespace_authorization</tt> category is bounded at
depth one: the Subject Authority lists each authorized Assertion
Issuer directly, with no provision for "and whoever issuer X
federates further." This is deliberate:</t>
        <ul spacing="normal">
          <li>
            <t>A Validator never has to compute a multi-hop authorization
chain to evaluate a namespace claim; a single customer-published
policy names the Assertion Issuer.</t>
          </li>
          <li>
            <t>Revocation latency is bounded by the Subject Authority's own
cache lifetime, not by the depth of a delegation chain.</t>
          </li>
          <li>
            <t>Compromise at any intermediate party (a federation operator, a
delegated issuer) cannot expand the namespace authorization of
any issuer the Subject Authority did not list directly.</t>
          </li>
        </ul>
        <t>Federation chains for issuer authentication remain in scope under
the <tt>issuer_authentication</tt> category; only the
namespace-authorization graph is bounded.</t>
      </section>
    </section>
    <section anchor="future-extensions">
      <name>Future Extensions</name>
      <t>This appendix is non-normative. It sketches directions intentionally
deferred from this document; future specifications may register them.</t>
      <section anchor="additional-subject-identifier-formats">
        <name>Additional Subject Identifier Formats</name>
        <t>This document registers one Subject Authority extraction procedure
(<tt>email</tt>, <xref target="subject-authority-determination"/>). The policy model
accommodates additional Subject Identifier formats. A future
specification adding a new format would register a Subject Authority
Extraction Procedure in <xref target="iana-authority-registry"/> defining how a
Subject Authority is computed from values of the new format, and
either reuse <tt>domain_authorized_issuer</tt> (when the computed Subject
Authority is a DNS-publishable domain) or register a new
<tt>subject_namespace_authorization</tt> Trust Method. The Trust Policy
document format, Issuer Authorization Policy document format, Trust
Method category structure, combination rule, and bounded-transitivity
property remain unchanged across such extensions.</t>
        <t>Candidate formats considered as future work include URL-host
Subject Identifiers (<tt>url_host</tt>), Decentralized Identifiers (<tt>did</tt>),
and a subdomain-exact email variant that requires an explicit
delegation from the registrable-domain authority to prevent
subdomain takeover.</t>
      </section>
      <section anchor="presented-delegation-credentials">
        <name>Presented Delegation Credentials</name>
        <t>The <tt>subject_namespace_authorization</tt> methods defined so far are
declarative and fetched: the Validator retrieves the Authority
Holder's published policy at verification time. The complementary
shape is a presented credential: the Authority Holder signs a
delegation ("issuer X may assert for namespace A until time T",
optionally audience-scoped), gives it to the Assertion Issuer, and
the issuer presents it with the assertion, in the manner of an
<tt>x5c</tt> chain or an OpenID Federation Subordinate Statement.
Verification becomes offline once the Authority Holder's key is
known, removing the per-verification lookup from the token path and
enabling constraints a flat record cannot express, such as audiences
and scopes (and delegation chains, should a future revision relax
the depth-1 bound of <xref target="transitive-authz-bounded"/>). The costs are
the mirror image: the Authority
Holder needs key management and signing automation, key discovery
recurses to a DNS- or HTTPS-anchored channel, and revocation
requires status checking or short-lived credentials. Nothing in
this framework precludes such a method: it would register as a
<tt>subject_namespace_authorization</tt> Trust Method whose evidence is
carried in-band, satisfy the checklist in
<xref target="trust-method-spec-requirements"/>, and compose with existing
methods under the combination rule. It is deferred as an
assurance-tier extension for deployments whose requirements justify
the operational cost.</t>
      </section>
      <section anchor="crit-dns-form">
        <name>Critical Directives for the DNS Record Form</name>
        <t>The JSON document forms carry a <tt>crit</tt> member defined in the base
specification (<xref target="critical-members"/>), so an extension that adds a
decision-affecting member to the Trust Policy or Issuer Authorization
Policy can mark it critical and have already-deployed consumers honor
it. The DNS record form has no analogous per-directive criticality
mechanism today; its version token (<xref target="DAI"/>) prevents
misinterpretation of incompatible future syntax by making
unrecognized versions ignored (which steers the lookup to the HTTPS
channel or a Negative outcome, not to a hard rejection). A future
extension that needs true per-directive fail-closed semantics in the
DNS form would define a <tt>crit=</tt> directive and its recognition rules
at that time.</t>
      </section>
      <section anchor="actor-identity-trust-evaluation">
        <name>Actor Identity Trust Evaluation</name>
        <t>OAuth assertions can carry an <tt>act</tt> object expressing actor
delegation (a service acting on behalf of a user). A future
extension can apply the trust-evaluation categories of
<xref target="delegation-model"/> to actor identities: a Resource Authorization
Server would evaluate, in addition to the assertion's <tt>iss</tt> and
<tt>sub</tt>, whether the asserting issuer is entitled to attest the
<tt>(act.iss, act.sub)</tt> pair. This requires registering a Subject
Authority extraction procedure applicable to actor-carried
Subject Identifiers and is therefore tied to the OAuth Actor
Profile being progressed separately. Until that extension lands,
trust evaluation of actor identities is governed by local policy
at the Resource Authorization Server.</t>
      </section>
      <section anchor="trust-policy-discovery">
        <name>Trust Policy Discovery</name>
        <t>This document specifies how a Resource Authorization Server
publishes its Trust Policy (via authorization server metadata or
protected resource metadata) but assumes a client or peer that
already knows the Resource Authorization Server's identity. In
open-world deployments (agent runtimes, AI tools, cross-organization
integrations), a peer may need to discover a Resource Owner's
Trust Policy before any prior bilateral relationship exists.</t>
        <t>A future Trust Policy Discovery extension can let a Resource
Owner publish a DNS-named pointer at
<tt>_oauth-trust-policy.{resource-domain}</tt> to its Trust Policy
document, mirroring the DNS-authority pattern of <xref target="DAI"/> for the
resource-side. The Resource Owner's domain becomes the
publication channel for "where do I trust assertions from?", the
dual of DAI's "who do I authorize to assert about me?".</t>
        <t>The extension is deferred because the open-world first-contact
case is not yet a deployed need for the namespace and federation
profiles defined here; bilateral configuration plus the metadata
endpoints suffice for the current target deployments.</t>
      </section>
    </section>
    <section anchor="frequently-asked-questions">
      <name>Frequently Asked Questions</name>
      <t>This appendix is non-normative.</t>
      <t><strong>Q: I have OpenID Federation. Why do I need DAI?</strong></t>
      <t>Federation answers "is this issuer authentically a member of an
ecosystem?". It does not answer "is this issuer authorized to
assert about subjects in <em>my</em> namespace?". A federation member can
mint an identity assertion naming any email domain; federation
membership doesn't constrain which namespace. DAI lets the
namespace owner publish that constraint. <xref target="example-federation-dai"/>
shows the two together.</t>
      <t><strong>Q: What's the difference between Trust Policy and DAI?</strong></t>
      <t>Trust Policy is what a <strong>Resource Authorization Server</strong> publishes
to declare what evidence it requires of an Assertion Issuer
(metadata at <tt>/.well-known/identity-assertion-trust-policy</tt>). DAI
is what a <strong>Subject Authority</strong> publishes to declare which
Assertion Issuers it authorizes for its namespace (records at
<tt>_oauth-issuer-policy.{domain}</tt> and the corresponding HTTPS
well-known URL). RAS-published vs Subject-Authority-published.</t>
      <t><strong>Q: Why two independent trust categories?</strong></t>
      <t>To stop "federation member" from being silently treated as
"authoritative for any namespace." Each category answers a
different question and the cross-category combination rule
(<xref target="combination-rule"/>) requires evidence from both when both are
configured. Conflating them is the bug
(<xref target="applicability-bypass"/>, <xref target="unverified-claim"/>).</t>
      <t><strong>Q: What if my Subject Authority cannot publish DNS TXT records?</strong></t>
      <t>Publish only the HTTPS well-known document at
<tt>https://{authority}/.well-known/oauth-issuer-policy</tt>: the canonical
lookup finds it when DNS authoritatively reports no record (<xref target="DAI"/>
§Lookup Procedure). Deployments that must avoid DNS on the verifier
side instead select the HTTPS-only lookup mode in the Trust Policy
(<xref target="DAI"/> §HTTPS-Only Deployment Variant). A Subject Authority with
no DNS-named authority at all cannot participate in DAI.</t>
      <t><strong>Q: Does this work for path-bearing issuer identifiers
(<tt>https://login.example.com/{tenant}/v2.0</tt>)?</strong></t>
      <t>Yes. <tt>domain_authorized_issuer</tt> uses case-sensitive URL string
comparison and accepts any absolute HTTPS issuer identifier
including paths.</t>
      <t><strong>Q: How do I revoke a delegation?</strong></t>
      <t>Remove the entry from the Issuer Authorization Policy or set
<tt>valid_until</tt> to the past. Revocation latency is bounded by cache
lifetime; see <xref target="DAI"/> §Caching.</t>
    </section>
    <section anchor="example-agent-platform">
      <name>Agent Platform IdP Walkthrough</name>
      <t>This appendix is non-normative. It walks through how the framework
prevents an unauthorized provider from impersonating users in a
customer's email namespace. Protection rests on a single deliberate
choice by the customer: publishing an Issuer Authorization Policy
that lists the specific agent platforms permitted to assert
identities about its users.</t>
      <t><strong>Cast:</strong> customer <tt>example.com</tt> (owns the email domain); agent
platform <tt>https://agentprovider.example</tt> (mints ID-JAGs after
federated SSO from the customer's primary IdP); tool provider
<tt>https://toolprovider.example</tt> (the Resource Authorization Server);
end user <tt>alice@example.com</tt>.</t>
      <t><strong>Publication.</strong> The customer publishes:</t>
      <artwork><![CDATA[
_oauth-issuer-policy.example.com. IN TXT ( "v=oauth-issuer-policy1;"
    "authority=example.com;"
    "issuer=https://agentprovider.example" )
]]></artwork>
      <t>The tool provider publishes a Trust Policy listing
<tt>domain_authorized_issuer</tt>. After Alice signs in to the agent
platform (the user-side SSO is out of scope), the agent platform
mints an ID-JAG:</t>
      <sourcecode type="json"><![CDATA[
{
  "iss": "https://agentprovider.example",
  "aud": "https://toolprovider.example",
  "exp": 1780166400, "iat": 1780166100, "jti": "b9c1...",
  "sub": "user-3f81a2",
  "email": "alice@example.com", "email_verified": true
}
]]></sourcecode>
      <t><strong>Verification.</strong> The tool provider validates the ID-JAG per
<xref target="ID-JAG"/>, extracts the Subject Authority <tt>example.com</tt> from the
email claim, queries <tt>_oauth-issuer-policy.example.com</tt>, confirms
the <tt>iss</tt> value matches an authorized issuer in the policy, and proceeds
with <tt>private_key_jwt</tt> client authentication and token issuance.</t>
      <t><strong>What this protects against.</strong> Suppose <tt>attacker.example</tt> mints
its own assertion claiming <tt>email: alice@example.com,
email_verified: true</tt>. The signature validates against the
attacker's own JWKS; the audience is correct; the email claim is
self-asserted. The tool provider extracts Subject Authority
<tt>example.com</tt>, looks up the customer's policy, and finds that
<tt>https://attacker.example</tt> is not in <tt>authorized_issuers</tt>. The
Trust Method fails; the tool provider rejects with <tt>invalid_grant</tt>.
The attacker's <tt>email_verified: true</tt> self-claim has no force;
trust derives from the <tt>iss</tt>-vs-policy check, not from the
assertion's own statements. <tt>attacker.example</tt> has no path to
impersonate users in <tt>example.com</tt> unless the customer publishes
them in DAI (the policy shown being in enforce mode, the default).</t>
    </section>
    <section anchor="example-federation-walkthrough">
      <name>OpenID Federation Walkthrough</name>
      <t>This appendix is non-normative. It expands the high-level
<xref target="example-federation-dai"/> into a concrete walkthrough including
trust-chain validation, Trust Mark satisfaction, and
federation-bound JWKS resolution.</t>
      <t><strong>Cast:</strong> Resource Authorization Server
<tt>https://api.resource.example</tt>; Federation Trust Anchor
<tt>https://federation.example.org</tt>; Federation Intermediate
<tt>https://sector.example.org</tt> (chained under the Trust Anchor);
Assertion Issuer <tt>https://idp.partner.example</tt> (federation leaf
holding a Level-of-Assurance-3 Trust Mark); end user
<tt>alice@partner.example</tt>; Subject Authority <tt>partner.example</tt>.</t>
      <t><strong>Publication.</strong> The Resource Authorization Server's Trust Policy:</t>
      <sourcecode type="json"><![CDATA[
{
  "resource_authorization_server": "https://api.resource.example",
  "authorization_grant_profiles_supported": [
    "urn:ietf:params:oauth:grant-profile:id-jag"
  ],
  "subject_identifier_formats_supported": ["email"],
  "issuer_trust_methods": [
    {
      "method": "openid_federation",
      "trust_anchors": ["https://federation.example.org"],
      "trust_marks": [
        {
          "id": "https://federation.example.org/marks/loa3",
          "issuer": "https://federation.example.org"
        }
      ]
    },
    { "method": "domain_authorized_issuer" }
  ]
}
]]></sourcecode>
      <t>The Assertion Issuer's federation Entity Configuration (decoded,
illustrative) declares its authority hint and its Trust Mark:</t>
      <sourcecode type="json"><![CDATA[
{
  "iss": "https://idp.partner.example",
  "sub": "https://idp.partner.example",
  "authority_hints": ["https://sector.example.org"],
  "metadata": {
    "openid_provider": {
      "issuer": "https://idp.partner.example",
      "jwks_uri": "https://idp.partner.example/jwks"
    }
  },
  "trust_marks": [
    {
      "id": "https://federation.example.org/marks/loa3",
      "trust_mark": "eyJ...(JWT signed by federation.example.org)"
    }
  ]
}
]]></sourcecode>
      <t>The Federation Intermediate's Subordinate Statement about the leaf
constrains <tt>issuer</tt> and required auth methods via <tt>metadata_policy</tt>
(<xref target="OIDF-FEDERATION"/> §6):</t>
      <sourcecode type="json"><![CDATA[
{
  "iss": "https://sector.example.org",
  "sub": "https://idp.partner.example",
  "metadata_policy": {
    "openid_provider": {
      "issuer": { "value": "https://idp.partner.example" },
      "jwks_uri": { "essential": true }
    }
  }
}
]]></sourcecode>
      <t>The Subject Authority publishes a DAI record:</t>
      <artwork><![CDATA[
_oauth-issuer-policy.partner.example. IN TXT ( "v=oauth-issuer-policy1;"
    "authority=partner.example;"
    "issuer=https://idp.partner.example" )
]]></artwork>
      <t><strong>Verification.</strong> When an ID-JAG arrives with
<tt>iss: https://idp.partner.example</tt>, <tt>email: alice@partner.example</tt>,
the Resource Authorization Server:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong><tt>issuer_authentication</tt> (openid_federation).</strong> Walks the
federation chain per <xref target="OIDF-FEDERATION"/>: fetches the leaf
Entity Configuration, the Intermediate's Subordinate Statement
about the leaf, and the Trust Anchor's Subordinate Statement
about the Intermediate. Validates all signatures, applies
<tt>metadata_policy</tt>, and verifies the Trust Mark signature.</t>
        </li>
        <li>
          <t><strong>Framework-specific checks (<xref target="trust-method-openid-federation"/>).</strong>
The terminal trust anchor matches <tt>trust_anchors</tt>; the
policy-applied metadata declares entity type <tt>openid_provider</tt>;
the <tt>loa3</tt> Trust Mark satisfies the requirement; the ID-JAG
signing key is taken ONLY from the federation-resolved JWKS,
not from the assertion <tt>iss</tt> URL's <tt>.well-known/oauth-authorization-server</tt>.</t>
        </li>
        <li>
          <t><strong><tt>subject_namespace_authorization</tt> (domain_authorized_issuer).</strong>
Extracts <tt>partner.example</tt> from the email claim, queries
<tt>_oauth-issuer-policy.partner.example</tt>, confirms
<tt>https://idp.partner.example</tt> is an authorized issuer.</t>
        </li>
        <li>
          <t><strong>Cross-category combination rule.</strong> Both categories succeed;
the Resource Authorization Server issues an access token.</t>
        </li>
      </ol>
      <t><strong>Selected failure variants.</strong> A chain not terminating at the
listed trust anchor → <tt>invalid_grant</tt>. A leaf without the required
Trust Mark → <tt>invalid_grant</tt>. A federation-resolved JWKS that
doesn't match the ID-JAG signing key → <tt>invalid_grant</tt> (a separate
JWKS at <tt>.well-known/oauth-authorization-server</tt> is not consulted,
preventing AS-metadata downgrade). <tt>partner.example</tt> not listing
the Assertion Issuer in DAI → <tt>invalid_grant</tt> even though
federation membership is valid.</t>
    </section>
    <section anchor="document-history">
      <name>Document History</name>
      <t>This appendix is non-normative and will be removed before publication.</t>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>initial draft</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y963IbSXYu+j+fokz9EKkBoFtfyW2P2ZQ0w3HrskX2tB0O
h1gEimSNABRcVSDFUcvPcv7Ne8yTnXXPlVUFkD2e7dgn4oTD0xSAysrLynVf
3xqPx6Et23mxn+28PVy3V9nxrFjCJ7fZYdMUdVtWy+y0Xjdt9qrOF8VNVX/c
Cfn5eV1cwyP3+fGsmi7hH/vZrM4v2vFierkul8uiacZVDi8cl7Nxrk+PL/S5
8ZMnYZa38NizJ8++GT/5dvzkqzCFDy6r+nY/a9pZaNbni7Jp4LH2dgU/PH55
+irArJ6HUK7q/azFmTx78uT7J89CXhc5zPekmK5rmO9OwHdc1tV6BZ/+XJxn
uPaqLv+c0yLe1VVbTav5TvhY3MJPZ/shy8YZ7RD99YefT7M8eeSyzpdtQ1+W
uiu2Lv64adZFnc3KZlpdF/UtfUiTzFbVvJzyBzIqPD0r5sUlDR5C0+bL2Yd8
Xi0LWlgRVuV+9u8wyVHWVHVbFxcN/HW7wD/+IwQehWYN/59lfAL/ktfz7PX0
d3IA9E1VX+ZLWQTs4XJWrIolLoC+LRZ5Od/PVutzmOA/f4Tn4/lNptUihGVV
L+Dh6wJf9v7V0TfffvW9/Pnt10+/jn/GT589jX8+lz+/++rpV/rnN/bYd98+
i39+p39+/9X3+tj33z77Tv78+rvvddzvnj77Bv98e/zi1fjVyxcv3x+eHr99
s09LMnKHdR6/yF4Vs6LmI3w6ebLDP8nry6Ldz67adtXsP35cwU/L2WRZtI+b
VTFt5IPxhT07fvrhyeSqXczh+eMX4z8c/i592cBFQRJKqe53SELDM4CrkLd1
Pv1Y1JOyaC8mcGyP4WY95kuFH9l14je5S4Wf/3lMBPqYRueLdZHPmwL+/e7k
x3Sy7+i0s5P1xUX5KfuxbDZMiqmioZ/RhODiLS869PD1czvub75+/kRPHq6l
/flcT/Pbr76zT7/55pmd8ZMncppH4xfHJ0dv//jy/b8NHuZRBZQ5bbMXesd+
/ZlOeYixXVN/tC8OjzvvJZ75ooJrshzraRaz7JjvOjPD1wV8PvubDrbHLWf8
qtxeNWa2MnSwx+MXkyHKmF7BEOXycmgpRqjAbzrkeSSPZYfTumoaWXXzdyNY
ndbQUpAMnj8HDhHGILHwf7L8vMEXtCHIZuNoONSUp0vMMptVRZMtK2CxNZwm
rIqZeMq8A9wUOOqHjeO+ePYZDJiBmPkT0hSy0GaVT4usbJsBHt+E6TwvF5Ps
MBO+AHSQygh+TTaFWSzKZYuzGZAV8CLc5Xx5y+w34zM/yCK7yRbF4ryom6ty
lRUgG+AeNlew0PYqb3HSsiAQOVme1cW0ulwSWfJjWXWBr4aPm9umLRYj2iB9
NrNnA01tDs+1lcwPdr1at7onsA1Lmucqh6lP1/O8jts0yd5U7RWsBJiCbHpb
zfLbbF60OK24n9XNEuViAftXF9nNVTkdPh94Cr6PpO+mJdtYFjQlPKA4jxBO
r2AjgPjWC/gVvOiihBuFW3C3/pLdlDjxmyrgGptJ9qqsm3aEDx8arbwwSZ29
rkBs7+PXSp+wOW1b1MuwGx/4fTWHoxzpg8XID3EIE7mAB0fZH/N5Cfegqvdo
GrCRJp1ZcRgX1/l8zY+JcgRbALPL6IqOVWHKQFSfl0vezHo9L0Z0v/NsXlUf
16sxkFBbwB3+VC2rxS2TAlyYi3JOG4raR1vCTyYZaFDVcjYKSCgDu5fwvXek
1cBmZH84eftGlBw7h0BvybP3RVOtayCDlNucMBWSjGHarjokQjsQFsRcYZYt
EPp/rssafsr03Z3VCFYyna9nRJL0ybjDMnSs3WaNJNhkPR1hD/ctCPmPIwmn
91zHYUqbZee3cKmAfmAHg24rkWVxP9GB91jH0oHmyDIyYHF3zkbemK0b4BMF
TqbF+2Cq9oT56aKczeZFCA9ACWzraraesuop/NK0ifO86TE2Vn6zz59Fv/vy
xf5+Dn/n83l1E4zRnxd5TRzOWCfrxrRRyLQHuSac/zluX9HAMHL5gW9dgYDJ
ToepcYOKFXZZRduDSfJfMMeSNjOjk5cd40uClM63ifkw6uUl6e9AZkIobh0Z
ahPlRQkzhN/CC+4Qwl++TIAQqqawi6FnnV1VN8RIbD0wOtw+YCtwNsVslNlm
0EwDfgcjzA5wznjRiK/LYDdXBe4VLWfrlQvNVbWewwlPp8WKJYJYLrAe/NcF
csBsNScef7pxuCA3eFkUM729sPpkIjIw39e+KEQZxNMgygXV0qQxrLyar/FH
I5xptQaWOC+XH2FHR2DTqPFU8DqaZhTwLJF26YAakEI56APEg3BiaEbiJOfV
NJ8Lq4KLcQyXGQUc8N15dcunwzKypVnHyXW5TYNiHvcfiLZYwrGwQoACc3ad
L3HvjlsY/BZ+kM1Rexpls1uU/VNawCUqIMI8ik8oQPJ5YGvRbm6DygbybtDW
ZSvpqgHHBM46byqdQ/EJSYWmjlQyK5la1yBKahW4fYZJ6oOtcJ/2v/iUL1Zw
NYI/xsEHvbLhdZCoxeA6t49zlXuVDN8/qJGF8yLyk2KmEr8kGY96/Rh2az6T
PRqLzV1XsKrF/pYboSSMpwQrKODaDyl+cCDVQgYXHeymADEFO48iu7wuZ2s4
F5TCy4vycl0ndDDKzkGjuiEWoLtdzvENqCci9bCMx63D96hEnGXFNU4G+T3L
PtAEQZtfyK1cresVjgn7j/w+GNXgvpDCV8FTC9SKRTLT8HfuBs8XHr6k7UAR
Tt6JvJ5lN7BR8I2SG1OWTbNsg4lovI3I32i34i+azFb7K/W2Ac3jb9Iwmmld
nrOOzwoG/BtuX5lv43U6llkbDWzEDmwlnmldBDj9QQJvsmN+y84B7iQ81bjH
WPTYdQ1DV3SBy21gEs3F7WQHDWC93DhAJJ3z23DN2iTeFBh0WhdtEXd+N/fm
Bd8QElHIi/LQMzuV3+DFrmd7yNWXPWFl8mnjWdKmbNSjw+7nz9ELNl7gZ1++
kA4G2kxBSh8cmio4rKnoBQ3xghKrFeGJAhJ56ufPYMx/+TISItUJoUJ1IgpV
nBh7OlS5g31Zls2CCQJMAye52+qS2Bk6HI2YRBO4AN4+vwV5T885hQrUIdhJ
0qFoaaoaBHnVlDRap6vgj+6jWcB1I41lvcRxLlkz8MeQz2a45Pmtk8bMHoOz
LOb5LShZoBk+yF7DyAsQkC9MHrIa28CHc+Q/UVAS826v6qLIgMkg1ZEFBSb8
UxRb972UeXqlsywDomDjh9nWWFeDlAE3CN/EZ5qwe8+FYBBlRLCsZzgdOfOs
c+YyBSAVZZK7Qjjpu3DI/uVG5qg3piHx1bVMn8O7Wcdqq49wg8C4W1XlEmy/
O/W0TO5zQX7c1pMUEUi0hlitRS3oYj3vGBbwypynn69WSOOoy2yyLVEjeiVC
GCzKBX3TFPeZLKokTThjPvIh8pEPfEhnpLPedQpvTrLTfz0NzHNQ6p19ENrn
kxa17TO/5QsMqgq8Ti4MTm56VUw/Ru9J3MiHTXYGY5/h5sAtRVuYhYpKTNkM
1Tz6qglfG97zl3FDj8xYzz4/ABbCRDomGY4c68tGhgns5p5ugICzS3miV1qA
kONvgZ7Rt5Y9enTGe/khNY3PHj1CBqrsmr5gFUUIAzgsEFHefGz29YdoffHu
kWMs1QKb8nJZ1L+Vd8q2fbBt+5CYgO7t3k+iRAIv9vOQWTD7KXp+Ju8/Qr0o
U1G2zcmV3FuY9Uu4NOlNOi/m1fKSlAi8cLD1i6oW7QvleeKeAWPN6zxyVUXB
wwvpb6OuDaWh8+OM0Y8D5yaMuWrLaxbuP8HbjvKGSGshH1dLoKgXzogBeS0K
xmW+gsm3N0WxNCOi40mF6W5yLuAur9DNVaLdhAIWFVFYVyPeloLo6mfQO4Ec
4fGTk7fwDezSYj1vy/E10DHs1Umen+xnK7jDU9jTCqylDJRgWHidz+MJqf4s
1gO55pYV/Lcuxhx34Ksc/aCZ17mHzBTcATwvYmn66si0JzB34P35Jd41MHlb
fA1aRbTTOTvC26qaZ0AyqAPD+e4LP4cPyfaFScByPy5J2y1sFFJ2NzlYQbsh
bqOLkJk9dFSIF1issTHNb6wjE1GMsx+e/YA7XVzyfqFBWtcksmDPx/gG4wv7
4pplUi1KUmEydQGgAexIYmgnkdyB5baobYDBvKZTM1uUtvHkCtQcDVfI6bfF
EpUeU+ff1RVei1r2MC4b9+CqKqd0ofwN5gHOgbEsUNSdo7OIbk3FzgqkjZCZ
1M7++pcT2AHYMpn4a5rH6aZ57GWwebwZQFNwQRZ4LcsWFVrcMQwZzMk4x5AX
K91GuMJ8O1Qb1ezgvPhtXYh/AGQb8MmW/Xs5KrefWND0rmB7OwqoU8icRGtH
oqHlqL/qHG1QYE1d5W/FiwS7IrlBbj3MWt4XcyYgmmeVvfwER4pk9Fo14Uak
lUhF0rSRLvE1eU0mYc+Tut//KKDB6wmN73FufMnx2JxXi1ZwDGOAKjYvyDV9
P7cqRSKGZASodsHrkA25ADZKB5qmC3ykohsdMSCL8TLAjdfNQ2XGznHsDQyJ
FzTqXMyODg9H4fXp4fjk9GSUnbx7Ncpe/Mvx6+iefElhoj+ClXqhg2gGwyT7
IZ9SpgP6+4GRr6qGDEScw6yACztnqiUTpXZHPW6rcVXOLtjeCPECvaKl4PMv
/WKizvZOFqBWX+J5mNEj09Y7TbJHFm19FO0r24Dwc3H+Cl4DP2Sv8pPnz8UK
2hj3/fw5DReDpRfU0dXcwEg76L4AcsscI7wo0b3hDz5TZyjoMCVaO/Dr3+4A
IV5UEoqKclLOPa6W38QUdk2HA/KtgVcF1fOynUUu7vhSYhRXOdlK+RwYwuwW
L+lsPUU3prOtR+gWUvpnHRQdz0yRXkbAVI8x2MZLxhtqziOQtVGoj9RlUzQd
+c7sj5kfEFFL/lXcedCczJwG6r/2xMdOqBOw/O6imjBINcB0XphJLV7nV2Q9
g0ojZnRXQWabmN9G4jVHXdmMQ/TYioabPPfo0f5dTgiSHpvcEPeIg2GKhdmO
Gy3XeDLnt85nBQ8PmSwjUCPWTFkJR1uA7gh2Qn07smQl9iuoj0SFQWQefZvr
RQEHsdBwIalQqAdMaPdkj3XffkUCxIiNGHRssL262RpMF2X7zGOmTknbXJRh
mcgwEIZCnE3f9aQ+OgmMbBpZPQ5u3APm9HMS9cQwaS+6DF9ttRuWXmGr047j
WqJqoYcGfQ3eGwXGU0MOILMYmjUYB6TI0XR4oJzCdXx5TqbVCu7egwb/+0U8
NPSZOIPjXMuGbsXp1iuw4QLsZ9cVmCgY9gdNJNseknaWS8YRaI49U/wCfoD6
opwzqdKgKrZAuSisrskRUMP8a/5D49LAmUoiy1O7B+/SIPO2K5c+2L1A2a6f
fV1cAtOqb+2hO26N3hnxxPDD+izfGbqX4+69hAM8UufsoNeR/UgSZJwmkydB
HlA5wcgknTe+fk5+eoxbzkR916fFLlA9Q8mZCWYLOWDAbQFUgAcHzL+ty/N1
WwRVZ0qifYpn2BgSc+ilfYRdDnThmYwlCgyrJ44KitOIjrugLE+0L/Ee2cRH
oViYtxGlB4XC8AsM6cGHoIMTM3ID7nUuazB2wKfU4Vm827ZE/5aDUKqOi0Ie
TT28krSZ7g6IAoHEjlf95+dHoqihlRKO/FJFmcE3xp9kyU/wPMUXr4cYfDjw
ZzXryzrZEVLxgCavi1uU181mX7mcnDqySqdNjOlijlIOArZZx89qSycfRoHu
jcu8ns0LZmNo0dqGjt0k2c8MzHAJphDMrRVCPKMsqDO7csemq2FgtGbGZ8fH
3nby7DgmR1pedJHjraa4xB2Mb1MAAjlwVZNmdTs0LxFDlLST+6m5CQNhg163
rouD6J5T1z3RAB7pvMpnmjjBriPyRPhP4JeUBQFEvGSr3kwTCSDKbFm10MmQ
kjnjYBHcrDixxvwqHDRAc4tsqt75LlQ2XKxbWMcYw9TLhtyX6pY6QpJbcviK
DvNjcYsLg4u18/qnk9OdEf83e/OW/n7/8n//dPz+5Qv8++T3hz/+aH8E+cXJ
79/+9OOL+Fd88ujt69cv37zgh+HTLPko7Lw+/LcdvkE7b99hPvDhjztKK06P
xPtDIhl9J/UKOTHemJBEc344evfX/+fpV8Ay/wEMkmdPn35PKS//QMnH334F
/8CAGL+N4iv8T8zLCOxLpgjwHFhavipbvtsNMoubZYZ3GLbv0b/jzvzHfva/
zqerp1/9k3yAC04+1D1LPqQ963/Se5g3ceCjgdfYbiafd3Y6ne/hvyX/1n13
H/6v385RCxs//e63/xQw++iUpGg1ry5R22/jv3oqP4UAmZE9mzxh2xDTz2H3
3WMTvaChd0GRu6NVwo9iWvmXLwedAIk9w9I1ZTOfP5f5MhfnvWR9jVXcmyS9
MNMHp9V4xXOLkIXVzeDegdF1eYUyPSFTGNke3Q/7xMbq8vKK4qHMU9nrLlGN
POYSwvUGsqsxgUydqOUSuFTMW3JmIXvusb5ixBoF8RtZobd6kd0mlv2Oyf4d
NeE4E2e8gC27LMQoW4Ks2W119gGjuUXN9ptwI5S/9CDl/KBNxEIctPbD1zom
Pd0EHg+ETPJ2GMPpRH7rJBETd/BwmQkTvoLPiDumucD59n0JvX059Cmi/CJy
I2lqkpxMFIAhvrETRdA8UZDwL9nl2+xLQEycfKxMkbKylLRhm+5BlgT3UY8m
QsBfD3ojJxgr4DemW0MzRpe/ZMPM/PR9pg5SAFo+3fUjP8Q9IJUh2suNkCGR
iaVuBT6v7LjLo10gqLCwVMfIimsoXU4tLUdNiLHmVNaFZCrIBmHGUhT7uNMU
rpqZRjGSzedI5EgzXKMQwRt3U8znY3T7L7Pfn56+O8l+ev8jpqHhZoJ9AauN
Nj/wjhxT5ul6oVLBIr0z0eAtArwkfA8G1pmRpCCHf0YFGlPyXll5Bie7CXO7
7bAizU7220z/CjGrLl4AnLGwBjzdXc4EsfDVHru/kPugokkqJFo5dl58JLzB
bAzSFi7yWcGuEDtpdrzmpnBFmnETizRj3vcWFJNGvWw4Z4xVoX8dQ5RBElVR
gsO0jE0qV0VPNlzFpSTIC3dimutqRPtAEKDYFtec2TJEgKMYtk/JdmTqMifp
pdayqP7iDaQcKPYYgCoLAkdTItfzFpce+tclsn+5L1vD9ROSW/EZfPf7gn0O
73K0wsWewClwbpty/xEmymMyyJwdFGiD5iCHq3X0/VJ6EF/294enJ7A5YHS3
sAbQIlHllmoP1iIjXZ7QhJleeOvrqmqjcT5KLGbUXpfFnG6UCwKKW404lDiE
/UJpU5uhK9UQUVE2KCY9NCG9NDw582H0OZ+EWxvgysJOw67PqESew7xc2ALu
H8adkYFEZrNH0yD2QFPAnb+4gBd0B+ulc+XL6RUukSmsN3N8HG4WvAIJr8hO
9Cq67OxAOvECLF0k4L0N+g0u1RwUGPvZlIMAz2/PGtl9f3iypzdxoHDHcsOv
KAWSZFLjc4mDy4nBaBo5XUaWF+c9qOw5Uuc2LJhzjym++7FYiicAryBSKkkN
njoVuqB6UNzIHFcSfAl1NQfpyx+iP18jSfg3ZQdxut/gogKvx26RLYTWMNnh
dMTDE73QRsSeuYow1C3EkcspZ3pxjZHtVD8rfxSVXzr7gZwOlj9E0nABiWB5
MmfqyMWNRlNKyggGT/m1CD9Ww7ESFPPy0tBO2BrasWvniF6oLSrwgRT2Tk2o
puNtyg1Q4QOb2nP56a727jpTyoBfwMUIX1V1EM8GS1pVHtHnw4wAr5cvpJHX
paqG6jC0uA2uzlHUNEISXRg+D1dpY2mwmaXB6qTYQGJuHK2iEa1x5t0E5uhA
cd5juQH1R05Ss2ol9BKlSXsi+vsJsMEcvGJ+odCAGSXeYNr2XrCk8QnJEysj
HAoC6NYPaVpuUX2nsOyjsNxfnSCYqS84pCpqA2pWDEsMyr09ZsNrUiqEd2sq
enZnwlVqBKf+YnZRY3BFDCeu/7tVLqwakCgsUwkrduu/sl2OjskZwdq3HMDe
/kaq1SR9pThma46L0WXk8C0xXvpFmlWKOz/NV5p4b9HoCbyT6IPlYD6bUZCU
8nUkwIR+AQzHoOl6XiGfrzA4sV6SvxONxrquMPqKn6s7FROiH2wz/j8/6Lkd
xfvRFKI/MUEXn1ZzULBavDbsj7MsxmSFLq6xhU307xLnDGjIpRMpSEsD8YLE
gNDfUO4YdeGoho96Ktaer4Zjrud8RF/Y7yjB5OztNUq84gbzVte1nM20YhMY
k+wpL4IKhaO9F8J//dd/9WxXzJH9JTPr1BemXJf5kK4vT5gEasyqlm/Q6Gki
W5BPfYlb3AiaUxgUN66CYQOPEjdSloeu6SvcYj8xaKUwCHkRSyKqdyUjNmy0
ccG6xaQrfOiqohJZM+qiVhmigYf+z04xkBb09Qx0snWR67RwghxEQFusz/WQ
NmAGxfwic3oVbJXE1/bDzVVVaBG2bFwmF8aNMajCX6C08tlCqR9I7WC+CdGm
SAy+ITpBmxkFCJd/9C0HC48b/ezE5IMoVJJRotFM3zehqfBSE+8jWSqyagek
5Q/ItrQ6RINFmpOK2qS7HFySlc3Li2J6O8WqsMGtckXptGW5XfJIrGWbuhh8
SQeWx8eLIdZvXSB7YRfNdLoGzkvxDKkuIOtnVdaiMAd9JR9HzMrRtDeMcODD
LSoe06tiXC7jHgSLtx7412Ji35Iz3CRIzeW0hVLsw4YHC7hBkgbTUQpKrdPH
iGF2kaMZ6xbGnClQDKaBB1rQrDETSGq0afRMRweb9N0ciRZoAYPlF2gU7soK
a9hFzf3EIkk4T079aqSCZrmSZ+P74elGMHIwFZFYF/xc3ORmv3bS1a72s/Vq
xi7NuPEjzR/VXetsGS8F7MZZdcNc26HP3JEy7zLXkT7jZWPHyaZEeaeWchYh
TTAprJpklNttuqgmceUxc02ztySfyCfEY1qMSmbnMhVGmNxXTKypb1dtBWe0
ulKXlI4lBG/58nlaUYm3GQaw3MffZieUBVJKwajqzfHtdaMso6wxCocptZxP
yemU7l2rarXmPMBsdxBzIiZ7LHLK6mvWXMko62SncEHvQScB7pLje8aVcbc0
TX/QiOLs51hdQTkN0dcHE+fMNy4mSPcgR7yWAWZrVY6gttXVqkblpfd28Wyw
0ZrowpHyvBKSONy6NsnYUStoVE5p4oTr/bCh6ALV1TmZBp7GuH7gbhXeHh7a
+pBkFHNkf8BiRWX/R1cSne3WZfMRD6KmTEA+ES7/HyjEPl83JSFNkQ9zz1yc
5H5exeIIvKxuY5n2CV2GrfoSi5+tTJvzBGCT67xZgRYKpLbKvuGI84PsiGr1
j/T+HjlP6nuYBTKPbhFFCD+j05pCLZTpmFijZZPURvFlIR7ATvHIfMjpLoIT
lYp5gdyd6q842YuS72MhWrEgagybKj4m2c/s4kZVCrPW7RvUNsYNbBHSRBPI
Atn3b6EYwrLwo6YvpoRRDQywvxf3AhPCskdwAI+0usEzUZ8S9aiqH6kLPjdo
NvSTxFkk+6jBa4yta7o7xrzt58HwHCQeUHfKDuBWD2PgIBPBautzLGKJ/GEg
Y56FD5wN8oKDBMYl8NV/2Hh1h45bJmOpQp0cddBq6QcPHSzQeXFbARXfqDE2
xImYTXLCKxKubtShnBkboybsbse5/wKo1p5IvuDqe8uX40sWReRDlwUcUtcn
rk1+jnUIBEPkBOPxRd+uNAeHD1d2vCxIv5xtHckXzyBsvmIFefqibpuGMMx9
G1zYMGpgTguPI4hV4ImQMrDgZTd5eS0VQAYwmLia5vn0I+V29W+xhlwHbi+/
6xxV6T+Rx3iCWflsSOs0guQCpAfoIBoEoAIvYMa+NDzVsrBUqjhLNtqihiOR
eXjkqjwv1WkwK2v2IOTzfecddwOjg3pJNtIjrAf49ChSsQgBdZodBF6aRalQ
4Bc00cGRDVcHJ+7A8yhDhrkPVSE4tv412PtcoIwRfixR45xKzMVYod3ftmKj
3C0QWRrjy2vO39cLHbh+CN7ujnFRUI4EfJWvmyIlCLgahGHVzyyZxPCyxPdn
9FteuU7BCwqEJQr4k8GEUL4pvfsA+8Sil0O8eRhKQvMhrr5rkrwokrJ6joge
uK2JBIuHS2z5psRcjaYo9LqhZw/vgpxcsJPjXPyEpsfntyugCU7OZ/WrbXMq
1SsbRPW5JktDZDhVZa3m/fhaEyWiMb/PDxby87Hkh3RsgteH/6amyFBcjzdK
x+gFxpLcBLJ+7ILv6kNGCN7Iw4VybA5Fp1EliE57rBujCxyjwwSXE5jpVNMR
+BT7wUaNGFfKYR07uMI8M+AgUquS+grKpiNa80vUtnACHngUwUVZlhBNEnUI
x1LaQaNoqlHVRieN/iSh4OxiLSFf2uc4h98YaInE6NHfVXzKqfYNxUlvvbsE
7OPfe5GX83Vd7OElus5Bl8cSHeKDTF5YUMpeozkp6qt1S9lAWIXDueadSZLY
CEKbsilwh8dX1RTF2wVYaef4la00m1eXYq5xIoKb3jj+qo5+5IyxIbD0iuYE
92a9lPogsBXQo0RuzISEVWxdMJQIu/Po3COJdfcrlCyw4bNL1KDnUYMYuFoP
Gx+0wY1tAqcLoAaoue1SdoqXCTk3KMuzOWFNSMInRu3GPxPajjc7YHd+EOv/
1Gf1f34Q4Xl6+X2MKdmA8egwfCJx9kp3RIET3B+N/zn1tasKIeqJqzE1X+dQ
tlT0uMXHLdYx5NVr4jEl2smQ1zJP8DbYb/TWrVkVz0UhgEaKFLTE7K7UCIkO
NrwuhGfloYeavS43CcrnULRy/sMkO5pXDVBjd8+z3SQpZCDBy6c5UFholMD7
0HxCUhK7px6TWXFZLNkxjxkWiRmIaTjwayRcyqrG31O8Qyz1VOXcZJlzcN8K
d0iLUK8U61lg7jPG8pBLgnUn2E0qamahHKJ71jyZB+hbvFjX5Mt2m4famOks
iKHSXo2fho9FsWqGvIzOX8aG1PSqkKgai0tMEwLCWpSc9Ii8G5PAbd5jDRBQ
eI7BBT6tcuZ45KqLc2+KdtIvyR0KmMtxBSBI1ncxaR1oxS1UBYZITXajmLOK
KXYzQiUrFMBAgdWpiHPXGKXDRUiKg1L0IsYt8rioqfsENb4hn4iwsB+5Lony
X9gX8QqY4ZhvBHCsAe6XMOuHjZY2USLhkOVneVwi7gJZT8idEC7HkEO5NKpr
NizyleiDCuOENT+kwAqD09evjIktCZUrilbzvMgrWO1KVi7OzYuLUgCdkd9K
xAfjMcVscGk3OXoWlTPOEiaoO03DDSdrlYShjvZ0jtlglE5YF0k+oYpKSdWB
i6jZhXxjcADM4c3ypFohIqM5XolKrMATqlEpTseop6gW4OMYDxtWWpZkvuNG
vaGd4F0ihj/E5v360eQpqIpEyiHh2IlLbqKamPur0BpUQZtlb/71xdvXh8dv
UEF58/bF4ekhl3DkvDHZ7gpuGrDOW/z9ycujMbtp99C1mpyI1AnzlmM4UBiz
M60xiI16EHnksuEzxGPhjNevnnzl/K3GluiYQiaKiTeZaN6mHg+M3ji/MMmY
npJYozcN9kgPJNZf+CAf4b60dlNjjgqF9edts+GwgHmELBGIYBCNEmhElS57
fmFkg1i5zfyWBmHTf0lBfORN81uXEgysrsznB4aXWWJO7IqqcTK3OMatASqJ
F1VvXz6XYi53C27LYk43BCQU/Hp6xTgAXkR1wlkMuxEjwsQxYACYzAoehkX6
+XCUKkZh84iueT6cZ4z11UlUlTESGoIZXFadySFjB3132nJmQkYGsGTNMkFY
QwJgVVQRkTc+o9pcX5nNTG7wsVdz9RoLfczgGgmKODLuLF+m9IEMwx0AXkTd
EU3LHbq82cnL9398dXj844h4Jtwuyr8CTgUcHQRV0XLIEtkO22N8r77+9GmU
nf54kqEEaq7yjzgBsYXAvMznwqDdBRorE4LXrBCmh+8pg8muGWYnxj91MHLl
OG6u/C/blWhpZNW4hPUSptoUpBas8lusXht1uXNifkV4UXiaQ4F7VDmRHEam
sU8+6iVG9mIiO8WzhYd2iQtdssSmtajVHdLjeEaPO+8zJOyyCXGH9uMDG1IE
EA4mviGgMhbJ96DzEqJml4+fSKYpVo0Gcsiet5wLiBLaayJJahLiIsBXU1bb
nbXZc4ZQYQDWlGPiP+sRqi+IFlF2tIUgagVrJ43oReeIHCrOBb4WmnrVSUy3
wE1XkTFYXGbMWvZMFDVvBMGnrMOQKCWvGGpCOFUMn9C0hqxm3JeM9wWHpBwt
O0e8AsmpcIKK4A9J/q9xsNShO+TOZfWe+I05cbswu0OkDXTmQiKOSg/AdiHX
c8Xlu7Ug1rjTDubqp4PDE7iGb9XxNqvJ9Q43a3lZY1GFODeadX3BAHVdX5nU
hqEdDMziig2PWXJ3onoSTPMD8cmpdayao7k1tFQhdaxKHzpZhpclmS3uC3m9
sZ5SPXIhZhFoQgTzGC/CrK6twWS+Fe1xGJhXo/EuwjCbrmmZfDHi+RIS83JG
L2YxhL/qToFDPx3FqaXDXeSfysV6cRD82jhvhYrm2W3Mu5NFjk02cDrrUYdh
0BTVKNLAVfcC/j2cSjC21z4Gt1J1vnA/1xP6lHo+XPQovYIndV7wXjJuHRXK
20on/R2ZN4FPC51qlOADTyez3WdmIPcKVn2FGMasd9FdwqrI6oIjuHKNMLFg
hr0o8vrWXIu0KH/prM79LoMHTiQyEbh6qhPGwuwEJaNb5BF24HPYM7gyotTv
yC0jLRmpAQQyOhPG8+pSovx6kZq9gFeNqIDQ3IltUaAiualux121EeEYiWCI
Kh6D4N0OsEbcUFWeRIeUfOF5/kn0t+R05EXNmE7FSTTKnU2CkASAqEUE7+Iu
I7nfG/yZlD3NwrogVVeBffoILkl6ueBDDlamaGFfcLUN2brRqo5YOsPR7P0Q
zjSG/MFiaB8oOPCBo28fgM2ehf1Ma6knVl14bAV9Ovy9kYl8XTFhh3GJi21e
zLekzYpF1/3fhrScAzt0wZKRuFXxtcsq+UzIcfBOtejHwmsjYcbcctdpf7dX
rGVHlOHNEdPAShO9CfeF+NHAsmyqRKXkWLi1BOrQSVhHMFit+UlDix/4sK3a
xRJ+sQZ2kCzQgaj+yWJgZg+bcDb0CoSirev81oLxfh8jSC0xtqC0F/GpR94Q
HyZUXUOTMq/J3XeJIPKciWvptaQ7Er3pwbIzJUkePk4RPEJSWi+p6vEBLdvp
DEExzZoKkymxBt+yddIPFXjN1QmJocoexqifEwR3vMMnEth5vt9dCyZExrLR
eJ9dRza/qjM2BCTFTZFYcUxMo852GbSvBnOwJBcvByK465J/kWVudNdDtUZI
ifKNwnt0HidHubgHzrSN12ecw5fHk7i8x3cth0iT6I989EpWSqOiGXUOjho7
sQCds1aurCxEVaRDxt2hy47PhkhWqzTUhu0Xf7iCFPaQE/qpRDT3Aih1U85W
FqcaJ8Jnv3t5yrgAzH3pO7TIpXgvzeQbGZ4OpSx6vk95ExMpNZa5mjmB6i4p
4oqs2bJhKIBFbJXTdmmS+YFmGpgPKKgp3wNfzB0sODm41MqXt4l8JikcfE3N
RCHD1JfAM77KRSdbN9mzJ0+kxRRVi0ql+AVInDNRBHGgx39qMDGDKnTOfkP/
GHM/QfQc3yJYwzg7skIbtuc4F5m3HZgFxWSabL1izXVeogEGd+FruD+r5gCz
ZMnI1Z9KWJEHW7PEyZjgz7IGznrBOyqpEKh6k2/CcgD4Gj1snPsyjp0qz/wL
6nMC0/g0FYwovtwrnutIu7Spz07Oi6CHzW/F24qxSSQyc/Xky8Tncl7NbqXg
Cf9MXpobfY2n6BVcylZJ2QAtlxB7LXMRHv/mq+xfyh/2Nk4xiFdru0zhipoM
zzd8hlF3eAt39rMdZTT5qpxYQa0ouDvoUtqh6tsPCox/1zOP6ef8JCXUfEAy
aj4YBhIM8O/UYHBnXS/3sX/CPhasL5p9gpLf5ywc6ij7p5tWmjNgj8P/oDFT
ocxv0PKoX/sSeW6/nI3/lF/Gd9xDAdzh3o3bt+JXcO2d8IULjB6kqrXhcCIU
z2DVGPvV7teQhcmI6lcrZodEKLPQZaSOZwywi10icPcb0qdJ3KizDtiH8BPO
cv20N+nyEbFjjLeSqzwYFLtkl7JkwsgM3ubspq6Wl0Qds1FnGMv+RqtQYLxm
a567qWhciZqzh0j2YA78SaImNCLYcVVdhPWy17ixyTj2CAwE3fpcaQtc6QyL
c88I0R9zj6b5fCwPkBV9GjP3vBqe63NONMNnbEd+UOVEv2xCUnPHv1Jq0Itu
uV/9eUxA2aY/A1cXbYRRsiHp1ymaknCbHj/Zqpbfj838T1xszVCMutkHAaJK
37BDdeE7wg24NIA5gBRm2jQ+0//Cr/gLXCr3sf0Q4+G0PvoRjyE5ZvQi3Zf4
a90VbNi68x/05JfRpndtAnDlnrBfcOGRsTwwCgh32FFg3SqoGWtGfR1dlN07
UEzYzSyebAp33cMASrELvOEOFHh2PzpJl0Acj+w28iz0+9ylGL0OcyzF7msj
yLok98rtpMq5GAHLF4kOjdgHkgbfuHyM7VgMRNbojXHJNMH1IPrrX76dPDtg
3zubjJKc0JL62V9LtHnDnWfQN383bnSc6EgC11I/i4d1nwuX+lLSo9oM7aiQ
AuIq2G4ZW1bVH3GjGkkA1N6gwaHPjfCYU2pIi+9JuzsXrTB0CvMTmvDJofO0
7U9zQOZgxANIKpxQRnCbSXWhKFpe2TrkFHRFBnNFbsFyjo+QV18HiyIgRBEQ
cwQi38e0nLMhLphesjeg0hSLFdyr9AyTtVWCjIlR+zCEHOF3UHyu5r7Ql71+
+eb05B7HXiyp5UljGSRWVDGAuzoSfFzq3QjTNjgCilwcdjqraUlBUJyBgdZw
jVTDDcCEd9sBJ3n3Pt9FO9nK3cX7deAaMpCvTRONgdAU09oS3XFN7lmDAbaw
L+fbRgsem6ueF9LglhUc1AgZABG0QX/zWbNjoMTzWwfgMG7aW+sHt+hxtEYw
ppip79HEKeYo1RYRpWqSJcVv4uEKPryKGX2CLmFWfqwFB3OcUPAtLMFCJNWx
EgZ0wiWUCLTjFEmdgCqljaA7jqIvmTIIEhy7eylsCcljFoE0qiBpwnNxO8io
Crjj3EMv+sM4G8O5fH3nK83LVCNCbxyrBQlpvmWOe6KKfOeZsWn4FNceuNx9
I0OSoRihaEzCCswDHu8sRM3c+4Z68J/b3JN95E+G50clX4/MDAspQAveQQfX
W+dKmv0WK2SU2CCYoQ13Y1xdjI1l0w5YDsgk+z23EU7sCerXI78Icd8ooZFy
jzDXUkPw5jh42BCCxn4fT8W5yzdhqZBcaT6WK2PCpQPjt7mFXXRycdtag8i/
KhZ7HBi+A7sobECBEfcGlkl2C4xyyTNm9xwG7XybDS7+IZNMPTd6UuSIa0BE
U0qqpQ/mmDFSTqlDjLQJpqckj5zKC6lmLglqaQpmQn1pl7gNFcW/uhmZr7TF
H96E3TtRbd0LvWTWTiCS7PXrwHGzlzEvXAAPMcwvUfg4xxX1fel3PjuwstjQ
K23l+jWqRqY68RuMIQ7X92J+erHEgDwGmRbWcD1dTIMD5vNu1fHXuddOOuXb
wNePEyyABE+Nvuj1yLMRCA0gbOihHOv+w92F4DoNWFNPRyg2NSBL2xsVgUVx
bCyTUcW0OU84Id7EvubdJ3tcIwTVWPoS2ESoF4ZUsUkKHLkyB1RvFDFUl6Lp
PHRmkYd0z2a6N0mb3rHa0Wk9z+vtlsLr+oOgYXNLbV/Sffe+82YcbKhZzueU
VqCTt3R119batOFJ9oog1rudGzhbR/oWuKQB1wRy9/63WVhQklcGc044y0k6
ga5whm/7yWfJpK0JjCAmJqPvWrJrF1KBQbywCGRJ9mIKRLUnWQwMfEL2jvA6
C7RgKVswbCyYRFHjfZZMlaRvk8RoIito+XAKa5WySUfQ6FZEsqs9J6PWs443
D51N50T4fQ7Pw+alDW7speTnGETbg7fGrB9M1piJURCXqMbCTMALuV57V7pS
YbI1U/seKIElth+qMecDORsl5xB0HWKDkpjD+2vNMdirJAuRpGE9HX4/qhUW
WsDVuHxlyUlsqIRBkzzvl8SZZM5wF6fBwrWReERj42BXf+2yB3ENGElVmwgd
r3fxgJFQmysKRBLQokNLjXcNZwcYnxCkFplmLoFKE7xjhZUksKODGv9E3rAU
HVjS5rkBImtRvkQRDcFNmVhjUEYwhypNtBNQ1KUPHupcBNDLktvxzQb+ZRdR
iZlz9hH/AXPKJfTluAphyUYLbsSpoazmU4SHHejKP6SpMWyHOghwNmZl9UyH
lEW5TCxiKdJ9ZndRLcuWFMG9IMa9wNgLEEeS6rkhQRgsweDasEkMWqKYdk2J
P8yry7QBm8QawqJs2NG2ufog++tfXvN0CVIQYb5EmaXwO0IeoMEdkr5jQ1Nm
xwTnXscfRag+4dMixrCyb16q0WUthrvYFV9E1jjIx6g4OXNRWsukipUzHzdo
XrGsTC8rgWHmAxBJUSb0lKOk3eSQ9jUJr+8hzyP2CPcRELzMcoo4iWG4YzRs
Tc+P3xW2/INx/IHE4s56T55FvYxbQLle1wPAtyG6ZzJRi+9XGChIsVh+Fxzq
XSVuLUIp80jUBhefGscardojRzFoXBdUz8Uiy34q9zfHvkfdeNBd0ZC/IRLi
HkPQq4EQTDnzkabhcR7Ts4/nVf48hmX60fANk+hHVc6ShdzPIdo/S38qoYeb
jNt75la+zWEeDyWpeBeLn/pTLYM4qVg24vECV3zJbz3yhcESDtVwpVO+g3tP
AsrCiR7dFwv1MbRbGPj+Ksc2eBmYYrMz+I/fxRPyGk282keYZ9F7ww+ys3vL
w7LC414MK44KT6td9mnFCYFweTitJiLIxd9LUct2LzSnNsptZJ049vxwN3bk
/HwOCt1dM+oZOnDvD2K1EBchl43/hAQE55syYydMsSSreYNmho4mzk3S+c+E
u1irPbQj2g38pUwqKTBPhyuDyf0W+RO6lXyx8JIkjPH1XU2Vo9qKW3lT8G9S
VUeO+CRVc7qFhLBUJOjGuBul16gaOyHNJ+rDEUDUl2XRErQMnIrs0KjyRZy7
Q/OhZDYahBEzA6hy9Nfa8Fq57JYmLl64c+teOzOHGLbxgm1FQPB5wPZqS8ve
G4nSR0y6o/HFEeuCakuKGS4+rWw4uKtGJ1HKZZEhLnKac1Vj4sm2ZgYPqZ/C
GUxQArwbyXrUA6yMblCCMZDqjWlB23kQci1VYTLzUFPkMV/lElUp8hpDc61M
Q1ws9BTikC/NlFfN34w6aTs6MFcfDQ+bGQG7QNMURLN8Y09Bb8MDZ3w6wb65
/m6R+jl59IhYm5zMPL1+UgORZd3bmw2E5WNRul4weK4j3eS8YIue4XyEuikD
KDq/dU4iVyTeoankjvXB+Isk/Vsx791UiviKxvQqhVdFZo/X84xSPzZkhO8O
6Ul//cvX3MIKR2BpyHXfnOuXvLWjVkaXeIk2bacu4jnuSxTs4sv6w8//csKu
tTWpFLJDeNvx+PEux6LqofQE9FLG2jeqUp1F45V3mpayabPjTlOp79mfbkCN
oL3Dv7iigemEmkVQcIZ+P+nuOadS+h9s3nxpE+ZaKW+RkHhRCedLt0vtWVeu
iiO4RaXFOJwoPBsw6sXD+9P7H2mRZdLoYnsaxp4CyRPDh6dpcsnVEVeOg1Oz
I8Ifc3xPCM3ERbcYEPbc6hMVOSmL6CL0PFkLJ/EoNSXTArT2e6tuSW5buQRG
Y+E7oNavIldxmpw0MgYiTfAGkxgfDifR0SZLdNP7KZU8HdYrvYJzD11yX30L
yXeJB407YHlfsVccl0pJMslk+qJJ68GSIESllISgJSZxrNUBi3OIZIjRfDtB
6Pt6QOmfRcf4yOlo5tVUIIBykdfc+EfApDM+dV+p4C4FeyO9P5Vi4AgOVzCo
MGpV47YaV+XsQvDgVhVXLZLvhxwD6gV7Y6gA6T2JLgIxoMfRg58wA+8suMtb
d4fbIHhkZalsbBM/3gDKHkfGdq3rWGCg/aq2DHZC3I9uGHYhDY5mGFXC2TYs
WcQw4Up7qHLq67JqrwhthjCKBUKHn//zWH5IiTDWhdq5O5OYTkizmLxzPo0R
xBbYsTtvkTSR0WAbd6e4yyVO9PEzEBYMpgmhA/T9G+qkjnA99BPnJxnP8lLB
xlDZj4gR8lvqwyqJPzdVr695cC79NXcDuSS3I5oYJ3l+ckeMevcM01CbPG/U
uj/bs85jA22ymL56nRp7rhuNZWETYIZdxTJ0wTdz7SC5blo/dw1opIGAulv7
GUU4f4r28jvuZX9a1eB/L2vXb9f/n7H7P5Gxe6QUcpZPF5YtfebKQHO6YsLB
OIEmlo6Vs5XNbFm0Zxiu82WyiCjQ69l5ilbiUC+ufE5IlL1QKtYUnW3fkzNy
91NdyFgRJy+wzkXruTinlYPQtAQ6zH14Zzkt/jlZ/Ei6kX9Qi3gfuQN8Tp7o
/WzT4tmGuvuyqJWrHlpSALRW17hlniBisU6d1FlwOB7ZPOLliL6ijHtPDai0
cUG2uwmF3h7cV9Vl+yLSDpc9zky6ZPQ7MXfbTDYU9svuPGMDO77udtbExx0h
LV2ThT45oTOIOqhIKAofZq7qaFdd+enFUPtruNMBbO+dCQP+kPbvzm/Xpu2k
nXcuqakk0mOO80tGFBTlYjn4Lt5eWmabnX0gpjiWsIukmnduAMpzAnCsF01y
NP0bHwuSz3ocpznzpgkd2+F04ds7aEpeuulJhzShDu4CsUlusalBFZZ3YA7u
DuUZkYcqy6IeuO91eokfYiFlMWP1pgPn74/1PjzAQOkI6BI3GJTwaxjgA1jq
H/50055p9l16UbmAh/thE7cjK0d6c6Bf6WI44HODiblOO+pg7gPp47mEqzxJ
5y1bxT2IVDTixJtnmhvHm0LmCn3xXL5A/93BPehbak95I84EcYolPdy2V//t
tJoDcet1qAABZgh0W/O3kbxQt5sVBfoKb/L5R0UliakDXSznMXM357w1d3ro
mbsCbYZ+8J626l5HcdPgzKNoaLww/yiHCtUsihn1M/+LL5gZJVkJYq33x6Te
LKAA4+GBcIMbj0ns2jSatMXgNPvN1RKpO0RwvMhUX2r3POrJQL9GIGJmbGXl
ukfy1RkEScckJ/mTOqzMCvZkm0rLyXUE9HLbJIuNcw1sua71GZm6lFEcGG65
vqiXo4R4LG21GlM9X8p3sV0jWvKp7nBmyLf6Y37nBNQVeTt8v6PZ1skm7kRE
Q1utduXmmeZtiINoTYz6VHrPCLQgN8WywgztL0lzvBNfP/JVdfNrOi4zAY8Z
r875bsqemBR9WoSVV9OShpJ87gFy4+1cGgo3w2kNpqUOVZqIQDJAAH0wPSRH
nFJPRaGXfM6N3dmxG380jhlZmj+/u+WmVD0s+VsiEzQS4AoOpgEOpAAGLbNB
YrC2v2xb0t2bFVOcLrUI8jlszUg7M2DNBuWDS24NO6cjjj1jIRHvw5Gk1gg1
RKpCM5Pe3IMw2qX9CB3JlhxtviLEvUdfEa9zTABOmH3TEOc71n22zUWjUs5F
WrRuaHQQQUF6CVd2ZzGOm2pLrjT+nODg2MchDaYGnox3W+6V5l2BJl/NEb2b
fdxnZDXoddz8OCqsVnx8JUiWPERleUEhk/FGrimp4IEVwn11YUNptYSFKnCO
0gW818bWCxeHjmBJ85nj78SZ9IXlJn4LO8p+VuEQExijU6KNPnleAtUvWBQy
5a10CRVjOJmIJi0tq4H3U9weKUa6riuK2PpcWlnnF6044qT50tk/n3WryKno
hpOylp1p8SlxRZHLjiJcIg/FDKPCKHA5kKTRoK0lqU+7wec1sXBK5ThIRY4V
flJaH7uuOLsPRmVlxueP0VVbz+ccf/j6+bOnWLgzm9UU+IMxQLouFnnN9/0/
1xXyAAp1jnEWDYW5uQcu8SttT1NJCQeie2GOZhUbVq2XMgxOiKJra7r1nAau
MrXPWidyOPHtWju2pqjvIaKbcRh7VrVaqKII/uWFSrwRZwFSl0h8Lj1wgX5j
3+jheJ6fg+TGlYlHHXfpu+9hlzB9lBQVfOHxizeHTpb5/NGfluW0mgkI7Vwk
457AZCJtwvVlgDKgSKpe+xETyxWJl/ptcKQcOU1dNpW1hKRc7NzyN1HIVkv0
KUt3VNkwXUVC1UubEC+1tPpL328cF7lTnP744jdPd/aIw+mKcW+3TBuUbnSH
tlcLKgF7d/IjRqTjrpSkw89nU6zCOHvE0QzL+MjO/oFptVH/wiAPp4t4hR63
ptXSP8Wf47XSxpXk94BBeBswg8+TP/3bT51B+WRAd71hBEOIIS8MPn18dPjm
Dc3+3fvjPx6evsywhJYElI9eA62ELBvqQ9bB/eoMMtK8duLoRb5QcxouAMza
2eAS4hNhmrv0wQNBw8ikbZLNWl8iNhgS2BrLleAvxI8ZYPtEr8gHCirOSHvZ
SAiC0Y35LiHFYgBD3o89HMYIbCVBhuzw5Oj4OKHsCyXXZitjJe6QckWPMJ0c
Iebr0MNd6hZY6b2e+Mq79EMVqkHia3ahgFX9JH826EVEoxrsV3vN2C5Rcvld
2NWFVmEtmaBHNoTDdC5zoKrqLEaVMVocv23zjwU6QfZYk8E/69IghYDcYKMX
DM8tXlkR//3tIKfogFTmXY6WA3P2gdLHIQVa8MO8wD2MxnZkmWGL+t+//E7h
VlWMBOiYLvG+sZaRkMAIjVJMrgX9EcUAX62cq3pEuEfWJdXOfeq/jsX6sB3n
5Qw2ScPxDrFd8WXNRqvh3l9jI6KNWv4mC5dDWwOM9o9wLTg8Cpb9qpmPr+0D
MuRBu+WKmgGyF6gvDDoSMAT3SsS3ttW0mgdNC2GH4/HL01fZix/e/vTmRYYK
OQ57WVfrFZFkqTmI8DS8YoHe95lzI2CzsyVNgC78blVfgrrMFyGf7yk+KDf0
YBckTAv9Q4j+jOH4WO5NKKH4a2n0sEEGuT6hMBVq61hl1r05w2rSUsN0VwKQ
cZNTH8gXrw/fH7GU//ar774HKkznO5Zoq6thxYlQrLP6WPJgY2Bu3DqzUfgA
s2ZCuQTdqxTIZhCLmDmGoFtityE0EwrzW7F64RcqPmnSK0maAkZRLtfVuplL
UmazBHP9qsKBgSMgX3EwedQYmvqb0210fLtPHdZOgdYSiNGmlQIbZbERFMoH
asfR3lTbEREaqVaPM8IVx8XAnIPKpfiboQbaftZO4VcXTmCZ1em+JpFo9M46
UEHBrm1EtUaLq9vFq1spc5X/GTWZ4VoZdsMGa6NNRTixyz23cSKI7XwZW7Rg
pucS+L2AaCM1Mxy+S81hlcZaSAlSniLuoQhGC5sSjqMaI/WLnNqkW63KihIb
8APuFER60vMn2Sy/bRg4Km7FIvYU7RTMMRaBJOm7+jE9zNmgNMjr2AtdWw6y
HwKV2p4XRDQWMUG5SlgswroHjDzwuPKQOyhUtG/aPupGI7UImWxkfokg+BWB
+mUrbhfmqXiw4bueghQQ0QPqDskZR5wPvay7hSA4nLChuBZy7/KnUQ5L+Ufd
U0kwSyNHLc1Ukfi0ahSMlzrNVy0TIMFGtzqAK0Q9dA9zxaH03aNeCR8lCY78
bANOHC7SIgVUj5zECb0tDEw9Bn+oJ4FJXVWuzeWkk2LYCUHRkHBoRCR+sAEG
wzcRk4co7TiWJ0VK6cCGNh5ULWwEUGMEZU5jbNLO7xknV+EiUfuTVH+pDOO7
xZUT4ozoAoQ0VPAaC5QM730caSsFEBn1ZoniQmYneBDix07mxofVgYxOMHNE
sQtupj34EE0aIk6xFTSbyCjBGCG9hUsjNH0kvkB/bgAkp+S3Tleq+MaU6Xkq
4v/rpyj+S0x1PcGW4XD/QH+j9Hadm/7wa/jhPZBZ2A3sM2dnJajnVNcvG8PC
kGAqbhcLTDidRkua4QUVTJDcSw4noAv0zR3euKE0fVY5WgkJKTmkQR38rMxb
dEa2nY8xO91cEgiGvwb231CYs0OkLq9/he3ZqdSMaxJQ0u2aTqx9VK/QVByn
KaFZMy2WwEwqogxJRpIkZWAuSOCwTZihhlWOg0OA/D3oOkGdHclVCV38HbZk
//D25GV2VeQoBoVd2+ZnZx8xCdPtuhG4ZFDLGHDc0vdGx0Afphung/xDR4Km
mB57sy8U/+0zJLRdHPEHdFgcrWvWmMhsmGIfRwlNhfWSZckMjjDWDnDUxggw
5je/PjxyDpvd3588+/qbx8+/++rx10+fwe6xTJWQ8keMl6EFdANrnxOaC5Dp
+VojOnnA0QQ1N+XreD5Knj7VnDziDAdh1a4jKsjPVQr6du0cbYOVJfXk4iSQ
HKzsJa6BJiS7bl/MXpwc0hcvT2CJB9l7+iUFlP/pH589+eq78TlYCLRMZOPn
RRYR9wjJRvpOUtkqdmtQv6Ac0F//8nzy9Gm2K5kF0sgW0yPWyIH34imctber
syAEpjzhzGNe/oZi+/jWQXxqdL9qwWsnx7X7/Ba5ZdEt5lBIESKEnZXP2Kog
U7kGwYrHEzDWM9QnyAvHHS1H5DRltbK3QeRpXeJzkn5Y1QwePePmB4rlytQ2
6HCgHxHuUWPM3VWq0s2qPXQRc5COuKJUbbqEhObwSoTa4I67w3O8l6tX/nNN
eGEUu7mjKwBfcmIQ3culhBAydQfNI0TUnR0PIp87/LdgDcRo0lTUodGuOyDw
Q3YXIqZVaYx8moNg2GXWXFZMHG072/1cwGstA35YCHBqGPV2Zcz9DYwePfsM
+NhqSQlNMbNUawwRoE7vsTF5sKyYXRbsZx3QaMxUsANCDxFc3KT+RVIycPOs
U0+v2TBmkeCrdn1HYdme7sbtTZQg8+W9NM9InipzxHOq8ga/9uqna0yxwbTX
o4mNi27K2tyBMYXNGPSZa6e7Z0JQKmLTG8O4+npx8gGXWwLwim5QyzXJTYQ4
gwDHmHt8Pt66JPMqydLyVZ5507txAzuyPSjpCibPbwcxGGU3xaKImdY5pSpi
xdfFUK6DP/WQqdPRkP1jHQUFBqNVFBc4s4BQj+Vc3E1hwkuFnAaofhvNcwWd
1HtSAHb4mvn2mFwoO1ugr6yrsFdKlNtmTEfDrtjbtPbGyhBjwSPswjjWw0Vv
YSMtEakjGzrXuJwRXrtYabZBlo1h8biP3ZKNpLmq+N+jpyqCtzj4lgM33MAW
p0yDVQUprvREQGO6oxdi3JTO66/EAd8znYN1CZ9pnPactLxWEuX4IhBpvRe3
FaIBbgps0KEPNO+bUs4COePLFp19FmBbme090vZvOC/0NolngZwVRC7kscxi
3zj5MZAVZ0wgTKmjzeR3dnGZ17FRHk3dJea81S50aDPnpWnThHyOAIjUZ8Gz
FkvcsWTZLgPRFntly1U5FwWVdGkwIu3rzVfJGoZJexWgutQIMxMUS8U6dyiP
uMgj9pcMOBlMKyVvueQ2yS8kGEK8Yz6XBxTJQZ35wPkn2U9Ls/t5Pny360JC
SfIMv0HGic+rFk5T6DRN4biazyIjtzs5TYbQ8qniX/FopKks1+Z5OH6XpRyM
Dm1v4RqgUtnVDJwTRmXv4ZsXtLOYMOlCR5SESjKPXm1RUpQAGHedMYKGPLEr
OKzAOgROrKSZEAfHUssrMKg5lMxtAuAGo70FjxMMpeEiHZ0IcPm336EW3nhX
RiPu7zt7IgR1hoqXSdvD6aYe9K8+fACqG7fRKnj3Yj4dd/RtuztImUw3SOyU
4UQNEQj0qlwSy8S49bl0uZNVp8SFuLxwWeaooinOJiWrYJ1rg8J6EdqqmnN5
4aFxbmEkS20BrqZr9/Y4ikPWOp+jWwZ1Ivwk3m6uuug+XGpqSuwiRm0XtIpr
uGvDgevX0kkiMmS1rh/Dz7NlWB3On/bv9wlBwdBLE4BTY46RlWqrCMpwHEkI
kOvWsQngwES6LFWxv91+MRdnc5uyb6UBW8kAyhcEVhfRG1nZTxQ+ObCm4+iK
+8Ds0m2lPbHByXl+m7yBmWXamMnaxCVELJ1wc3a3Sj6SA1IJQ7p6TAiTamNj
YX0XbohY/9FCNJE83ECKPD7Ky8LW4fvsWhIPzYpEvV4mT4mLUflNVExC6DTp
3dM+S/RXRbPdfohb43GL7QsDfBLMcc355gbEpYdFoCgkAr/EIStSKfM7vOOy
tfYqCiZZveco0X5YK46pj6azeNBlCkIcybXWvhfZ5we9m/73DDz4bi77ioFt
0Eyc+NBoVQ2nj+qhi5IsLVSFU3AqCHlqFFiSmYuH1aP84vyioArxGpiCAD5m
h5v4lx3FiFk0fxyMraVp4pSMeOsFtm95001DjYLanUaSA5lwugGtwTDdaK7d
9+HylKFLUE3xivaT0YJH7hahhThaNMyIdQFTyCzBmMqRGbOre24H2uYa/6Xx
RNZfUhsfYW7bNTdgTNUzZ3h1WJqj5ugnu9BFx/oBk+B52DxTF2CQceNQHIcX
AcgJXBI/8k18XXNrCxphYGbXxWCCNmD8avJ08vTpHqfCkoDRaye+1ogaif5b
Ff2Nb3yrC11GrSXbVb65Z3sCl0pO0DaEG1UPuPYTXk/VPaLGYMlaRwZKAq3Q
fWSshu1as3CR1B3uPB1Yxiw4bgOcIOm9ifEmbT5FymaukSMfRaT4lKacIqO0
4JhJxLEF3CZSMh+Tayiz3noM4LDnedOpThhZv0lRbflK2SGd3+pNismvudY5
WOiYFUusmiLU4C083AbGrSPoNDHSxqxLFDO3+1fVEsUFK7LxZTQJ8WqjiWYi
kJZHHRiDdmCsLvAHjmDPC3hrifhHS7Fb9MX0OEvqF29OgmToUbpxzBAnJGwm
Mm0egf8Yz5bNGH/K0JmpxHgXE+tInLDfQuTSJVrMy8agUQfcVA+bgY4kzEnM
vS5rucMlfcx8HndnJH174YqPouurA38p9YojzgcfUXsBapcIt57jTPeomDQ8
LrVmOV8KEdaqWFE9UscXL4puhQH9S7ARJ8Esm+rMsMGCfCOWqBjK+AuiHY1i
TwlqHiyA5UdK42YsWnySXb2pf91yjsQnxWtMTo0w7HFrciAH4bqBEn6mJXGi
VS6Kvn/KAycjY1oUOafG3QENVlJ+9lwix5qxxKG4mFyFXGGFjVgqgoCQUlN1
icyry3Iqig+Xp3qyPNSaVbpbNzl1aq4y6dOMcnkYdoqzibbOnmvrX0iOXnM3
mcbARtrb69mEoYKssIEvb0MqYadFV5MlnbmmV8X0o5SLUzjiV3evwid3u/21
9pSvDsVnHja2EC49f1VEOKh7dRH3bb+/mlgJaZEwi9iWt+fdRqbsenTgEja1
Gcq6bYa4K3EHdh9H6GfNKj7RumG1hqnaYTWR24Z8ihudngKAu6vA8YOY/HuK
rJTfo9qxO2LXab8xpoBxnq8Hdxt/PrjJQDlYW+Py2hDTwNU9ogIiQZrYZg23
414d0MTWQk+KNWJy9TOSN5lC9Dr8ieRqwOK+mVAPgaLhpPdNN1uFKudVejiQ
iNggYV7hHZ34Sy9uS2rO5Ton3q1BheClTaxRA3YnNX0kDLaJmaBt3OY3iAyh
jdUSmUOlmx8FyhjzNTALl7nhdl4UmSSYh3Q1RM1qRL/V/PIm+kApudpZSa5G
+rgVTTpQ96txv+8rBTMRrlzkhKACuEJyha8IrykIC1xpZp+NKTBL2KxFr+2M
FQBLHNHRSLcNbCwMjnhXKTpDuCc6w4EC/VurAJDOmFgDe0Np+VzKNQQweyBd
vrOY2ovlvz75V57u5/nC2VJKXtpwaAOtR5833VRGZxBKGd1DYCHhs5g7oZly
Jhy6j/uXgKk+Nv/DHySkOaHrdTEY+U49MM4sdL2/UVC9Z0NXKWhTK0Hr9BRb
SzFfkuY5kz2Sun/06MRx5zSdZBOrEZFJJiGWMo40R+/Zc/6HClNNzHdYDBF3
RNH9yUzBnBSJOEjAeWyxOamSyLt4PI6WsVEQrWygiaKcb2VRLRxB4MO8TzGu
PzrYkuxm4usDGO/m2sw3gkHSs2nbwwEY+S97W7khyugOcCZz0c70QSEu56lD
mSzY84KhSaycV+r5KaaKN68VpYoYDMZqJQHf9lMUrYTUxITFyFrJtZKuHyH7
73rKSKRErBprxQsrApS3Z9/xp6oex04P1Mt+sC8VZoRHIMGcbPGk9QBHpenl
0lUqn6OPg/m6AIZJzb3W8EWA28YB64oOYg4fWvyMCkWxdHOP0rWjm9ZgeHFY
EuwSb6TyansFRt5ox60eUVRKQTFlsNetKUOjYcRa3m1FrggEookzHlfLruYo
c2ksBixNm0nT/aNeF8UW2cAhkPGk+tA99XJWiI8v7qlAeYUp3mVGbPU6YB/v
YRDcI06bLqxBwG5ZKPthmqRMk1/BdOabvLD+2d3DPupa0q2MTz/pKXqnvk/p
Elk+yd6hCtaWEhUZFhExYSFt8oodchnGzi7VLvtFNnXE+0J0798iA7i0Qm4z
L1K92xFPmn4g/yEiyJc6BW2VuHGyZcfHjXGMRh52kpX6QmnONGoqjO5fedaB
1WGKAC4jbNUStikS8rzn20PCfT+LzRfNcaLmiYzBBXVO7cERCFVAuh0m3VGJ
b0pIVgbQ9odSyjYYgkx6LLrWijxC2mBxN2f/GwqyuHsGcSxMkPoE8uNpt0AP
036vhoE2SiFQF+gM6WLnDnYPpMSZ7Jz7UMSpdtz0K70sMT+jbPzNZ8wznkLt
Vc2+Um39wg+ypAEPl7nxKFbVVXmdcGSR+jj+7uZ+PnsTGQ2tehLcuqrYA3CQ
y3DilsgI5lZZ1odO5o0VmzGPo/KWTl19jHMCctbCPTr18Uv9q0adpXO0VtoU
DrFzLJ/iYbRar5/Xh6b8eSypY9tEnvr8+S7Eri/aUMvyPQxjRzdftPoe1BYl
NKEo78+ceNFSKeoec/47sJm71MsBDdMh2dzzNO16kd/SXZ9zV90ad0oDxT5P
L0v2yaJaUtJBFYKcE8ObVtXR/iNHsQwygAg/7DT2yxhlxjB1fJeyaOBfEVoi
Gt9JuM52Q6WNA9zB72adHtfcUlJKODxCHfZ2iR0mzQbKIiwphYIVhJFdNo31
xG5iU+yG31z0L63ils5v73DkNeqpEwWrT/F5r6XnwK3dZagQvrUO94DzkAag
7YZACSIbZSfMaBvEWAxyJV55HmLQ9scLGGUxsXQtka/XS86JlucjMfAu7d3X
t2D6Uf+uqvaZeLtcXuXc5OFQBqSmaxZGxDbH/U57gCy7F4xjZ+jc91JLr4sv
pP0GlADqfJIsY1eu4NiuIF5rhvJL7iJZKmXzcc8SADcp4g+bYXBOdaM2uGt1
Ysp2MZ2i5STpzJw5j0D+2v0nWraSFENaqN01l0fPrYnMscox4ERDK71S7rOp
FdqFwjPkTexicGZFXcPwQiH5UtqX0IcuNszmTdjoMUZXOKysmPWQ1q3fEeVk
B6+q1QXYtKI0CwCMsBxdEU1ZZsO1Rk1xEEppEI8a+nKZw/7l1Fg1ry+LlkKr
v6PJvRPDikA7yX32gwI/fn5gYJMdX61aYYYRScVYDC+NyPaELq7olYIVQIlh
l8WywPLPP/x8Oj4vQDv2vmreLXj+TzetfOvGmIS3HKrR39NPGLfD7XJjoKx0
D4A/zavLat0EnetIM4NayiDt2NGOoPh7lZORm9p7BTyPMseXtzpGbONJpcsc
SOU+VnSDyxWl3XccAZEW4Gx+wDiP7S0y+utCk9PZxZn0JAlnbN9jydg/bkN/
xx/sx83lgtDtUBYeqZsVPm3qqvH2PHAPXSf0h9AHrTRQ0lX2k771AaemLmyL
DQ74z/vEdcApXmGIpDiC3R9jiMA4iCFE/PlB5zXcXUS/tSmO7h8BNUWd0gUx
/ySc3R+qX4p3B+Bc3dWT3KIN4KyjDrBj6GAx/qNgK4rEt+O4U1+fBNNvEu76
q0yThZgjXaSk6O7F8WWhGLwnG8XXV7kr6iN5jYh78jddiFkfwSYxmU2bsW9p
SiYJgTGuu9U86IUzEs+/LCIldo7Ld51Vm+EsR1E3zn08UfVCQlmhXLG/T8Q0
yb+QFKcsSzB3d3928d3EyWdBVXdwxYYYL0Z15nN8ijkMC9YegNYeOUh/EvuG
kdM0mcbyQkhT71sVedSSQ+a7TDsufA8AcxXT5P00uw1Bb1yzs1phTC/cRA3Q
k4rj2Hsqj9tVNiB/mR17zQ0QiKd/ID8ktUuSmMzx4UulaDvOb7v+rKQ7DXPA
3zkR/QPz0+jMYJ3h84MBBtpRESw1nvLJtBG4zN7z6uTisDSmcliLcGWaAfls
8nSA6KMltAypWYrUxjLrLhhxCSOqimHBZG2V0VUxdovJ5WQkZzUKQxqP6B+s
RKCDU+U5VWZsJywObUqjHFWZYD8y3JBBQccThD2YIc4ndTLbKly6mgAyBadF
JCECe7OpfcuKABLK5bRNgcqD15/IAEzwk+pCcFxzfY6aGv70/o3EXkIKex5H
O6Den1ojIXvDRIyMgk6HriPyuMCY/feWzDDRlL08DxpXXi9LZIqEXHYoAAFy
6lsCHjwrJXrJU7inVO4iJItUDr9eKhMHQzYfQZYpm3PQryfk6PypMv1R6gAO
LnNWmBlu0L68iBuPCHYDOUE85nbYdSg0e1msaWKcMOSZi3OyRXho1q2XVVJd
QSV9+VxAYBAeM9vtoUrrl16G0iaAGfGq/MQgggIwK0snll1rV5UkOSII2HAP
IC1pm3cxmD+BKbeh34uCvDB9M1YUVpwwZcHytipEozMgGJUcmwUVGEhWfq5r
pdrIzqYEBew57KcdszdM0dWX3gPmHEAR4X13i+tnj64A28hMeLIZf7t6tbnR
64B6RYkoCl/CIuT/S8pVMAeRV65I2zk1JaMj6Ei6u7zVQYzbRLsROryPzuAf
3aA2eCDFAROf+bPz0Z8B3ZFjhVlg4H8qw0gj7hJpVIhT5A8X3teDiUxzUI3q
NBxE7+TGJ+zg0RpGzi7A3IEudp5D6eOqZQHRoEs95jkONKNDPDjDRo0oEdlf
/3LCbEMjQDTMKQ9zrAf4Tjq+Nlp2oGLD3GPSyrgSf8KQ0213WF16tjdy0CEb
+0iEMx71A2I/dWPH7YasXGHNKJcwpWPu3NCg7ZDjwNpDcU0yOZ1OFC7yyMNF
NqR5Hs6Bs3NFFr6Z/Vr2wA9H7zBz8GL6/bdPnoxz/a3qneZWRGE6d1FZHubZ
5IkbygFNBQWakhQrHJ2y7UrnobQSE9TnBY0Yw6rsQPkVHUPEQkewkbGkLbCH
ynRefj8Qz1eTr7Jd7ENbfhqvV/CftuTtbLBnFvNOYuBcETbQRHMQk6Bfsjq6
K/Gck0iJFDn/Ke95e7DY4sQ46wC2MZf0KJuUPLWYwlo2xsMYkABBa4jRxcLa
FCDAEtTUg8YiNca8mxCBK8iFvl6mHZ+kPWkeUQjIZ8vtSitqe0oIDhQVRNQu
Q5zYhAIRZ8epG7gVIInGNM+xttBSKsSDv23KBjQssCaUbbDOM4i4OgnHEbdb
MplMTNteTjIyYoKnJtA9MZdrF251SUWOP70/dlmCo0xsOc2fRGy7URjkNXvC
j0QQpQo7IRzTU+P0qQzB8gSzQdECpMMC7CqyKFhcB/lMav+4dCS5HPRuPG0e
le3Wn2LfjCMSii8/gb0gGMTAOWJfjTFJHWAcJ92s2A1It9OrqmrMARplKj//
sPG8rpORCjZSRd7mwxgUPuRLwg5crCfU93dSBx42nYxC3LXbouXMwpjlFrPb
fFZzdgiDYFDzoJOQQDp6WC9J6aDKQ6l1jjA1op521d2IpqelM43LLVLURdkA
BE3D/CxygmBjGrQlsNw9n8+bcI7duBncnbo3it6isRV0KadI8rk7JgJOUGQ0
+gGDeruO3ktG0GrSMjCp9GUwDg0t2QpWFXJTbLxjtjrZUAbfhweikwi2GRnc
rY/C14v8I8qWXVjnosIjkRmNL/LrigBf94boRxoQcmMLf1Cur5Qesk9c1yOO
Om3ExnfM9/cMeqzeF44BhRhFXRIQhdWuYcRc+g4X2nc42UbV5FDwafvQ6xK2
ZREbMx6+eRFEzfsgcIH7cTv4i9hSEmhvjncMGMtNjYmxZGwQLfKOS69LW5Jc
XQy5sUKlkISouAfLUURio8oZJDcMJ4pgEgzd9Hj1VWHDNEcCziOsvru/D5sw
cPsUQqdLnyQzQD9Lmog6Q1HPG0EitOHhqo31rdysM8/SfQ+yQLkcUWlAYnr0
KE357xYFPHoUhhkgylpz4YHYiXI/zvc3mudvJ0FAxrH/T/fsJhp6FIxLdi7x
1tpLHOaXRqTtOzH/xuQETiCTtVQXmEqDaXNi6EtFLntdOAo1CplVsliJGrOp
8hP6q0HxK0DwjnGyVJq0bUlSeXkrHTVoApLfggHe1KlAicy71KFggFHC50i7
SLeIl8Qw4KCNzJhYaEo/FNTOilGp2fQxynWYb7IPQC7IsiXLsnuc+2KLs9t6
xAGSKUMXmAMbl1ZJiqRDvKPM+Lk1kbIyp+6BC05xv72csznOb7tZAtTSrNmg
VvZ3VNpAaPMgvitAOlquS9tK/OAg+nN1AtzbYcD1ITSqPiLJOJSEQtY/DpO8
wx9usXAV1I4kf3B8Th8LGsbf1qU1JAGxyLzwumkCqSRMxkSE2Jf10Bgr4woW
beNSyJI1cO6LYryoJuN41KWejBfT2HQCHe95KRCdNvr5bTDBzB44604StaO+
VNf57g7jbe5pom2T7bTUHMNquGIOjTfA1KaWrbEs/UTwChnhUFPNPtmhKcTE
K/5yfDHPL4NwFdJvSjAGmgpbkBSg6ROrZQggclzCNPnBHS4/CXdqLbZLIuBz
jq0ymXL3AifDNM+4+Viu+HBQqamLbGhjQvQJsZqIycXjm6rGfhqI1qZKNu4J
E68gIuOOxbeSUmdS1nR/MnPm5C0zKRjuIvubvEnZecwa5/40Aa1EKxHvibr9
TfQc4Uc6qcDBa3jRavTBbE4TliBe/ypMstflpdTZKrq3IjkRKQAjwQk7/Wx+
i+yERX/MhocJSCEyz5kq8KWkLPc4PIGOhad1fhuPHe+d0kq89e9AJMT4yXgF
1kQRXNJ1eqW0f83tQaTC8aymNA+619JhPAyJG31WuGJXRB5FyD9gjuY+ttIn
/VZ4ZA8hO9sd8GpYg9mr8hL0s3bM+RWS7EQQPSnQ4DBe4y66BK7KP8GaRtnp
jycBHtDG0tlqvm7IZ6BG9MhaUMQcV20zMQr9N3qUS6kUEAtPsDr3HFQkez/6
KmZ2XaGvKrrm5AQeNpMhw8CTs+JttlwkJrOb2eqxnBT3mJD11/AMsUdihM6q
gMtsrsoY2TNPmbiXOo0fMAmNRBKlj7utH0fASZ0QFlXLr7kdrDaOiQqjwgIZ
Un7SX0b4FpUSwD2vy9g+o6zDpnM/eXlkB3o7BjkDJHB0eKj4pqNwhPfggr2A
p3W+bKiZByZDcLMTUtvcGVM9ZcXuB1DXTqiUxzzDw25QM9FgQr8hR9Qdm8X4
0XzVaFLSga7rQf8BLyWc9ecHrf2KpMCfOWm4mMl9Q1RHjka4WqEFULWrt7Ih
SLJeIUGC3Y/gBCHWNSKFSoJim3+qltXiln2cUcJ8+ULq+6YMaB6Luv1wPy73
Wpacw/WhiVfQmU1XrkvYvMgvIq431SMJCC7BzrIs9J8kvhgqLkfFE5HaW+nk
CFSCYqzITjCHU/zPttnzW+9HE60JZ0Fg2Hd7kE3pAy7eXo2fkuVASwK6o6KU
w4EsB84zt4TEfuyCOdn8Ft3dwbLnrenMxbrmhB5MpKjISyDBjH9VUgduABf2
urL03zl8tmSxIqS1ESECNhUzI6b5FDejBOu6XHD30JnvJbtYUV67GEFRjWkm
kWYdtRISWUzc3h/GwIiAbDHnOnpETOxICLr7hQLc9Mfwuo+gFW7Xd9Dm5pjn
HlAkMIApUQdF2HURU0r/dPnChLogPaQ9RPK4rcZVObsAJoOsZFU1pCT6BoBv
YcjjF9kr2xTpJESNauGGvrG1plzk8wMKz42ri3EM9STbgSzEtXnw8/VJ81sq
MZsQnVB0K+kXvBuEdOBxxB1wSixejl6tyV0dsLgiq8XYxrWLHztkqF278pgo
PyvZIqbuKuI3Z1e5NuvBj9RrLurK3p3V/WnBDUjgi4KdCKo2KJx3UNN2TYBE
F+t51g5vN7HV0yv1eKjTS6CBN+1+Ff1SAmTO+R2uNfFulGAv6TsqqRlj2SuM
kr2p+HJbjIXcFKcxXQ2rBqS/S7FQbRR2dIm6I/+NAbakOyEiaFPnNxurhQEu
2yuQtsAQr5aEq1XVWiSuQB897K+QdUIZOOBhWhmRxcL33SlhvBUmc0akAo61
MTS5dYBu8sagEfesjcrcVDTEkNxUAKawXjiRk3VpcXh1IxnjxpoMvgCCIJbO
i6ZCcc+SVFVUYxbib2kKtXaUNyadqan4nsCpBIoUQYK5+I3bPjjQ+OhBSnS/
3XRXpVD58eHhj0FjAnRQ3ZCQmMMjVZ7H0uCPc3eYpY0CvBRZzrnh5mocipoA
xaKY0XDiFPEU9GuRAKUeloy3K61EB1h+zF+nAYFw2Ft8ILnDjKAgYUbYSKVo
/PF59Ukv0SQxYKIqRkk75IMQjiJpD9wU+lfEkh12ABnXvSyjhpKrhIeqv9jG
ZdORzfKt4V+Ow0S+LKmpODYbWJTqlzuLZ0YQ1v1HCNywJNTSmKBP80o498PG
iunsKkQA4EPZNp9fJ3JzFroIA4hCDft85hyBW3lxEHN6UF05GAJsxG2YFz7T
hk21xsGiOHhBPfRGi/uVn76igcNLayK4x3IZLfd4sFHTQn77lm8yi+7PDzDU
HKtjavvpl765BnxlVmzFSnSpx3CCVE/kkG2vq4+FR8OJBzoRlGhK/KF4MgMV
UWWT1E/NpJut+MkZQIW6sCHryusZ/Y4io9TUOLjExhHoU8VM4nRxjZukGjHH
vmKMzHlW5zf53Hw6ihCZXtjrMg9wRBrFsc6Sb17+7KkYkQsjcPlS9YmgmJw0
+oyM5z001CPaNyv2JHpuwdKowVJaN35h1p2dS9MwkYXrtBwtcPrPkyffY/4A
f3uMTIhAfuIPvvnmGfYTQi/hFXYNi5qOKt/NcFyffE1Cj6xsvFD//LElaHx+
YMkaXwbwOdX7Rg50ScngXAuSlKc/nkhmUehI6WS7UDxxqqAhmRe3FdauwfOS
gtbDi48I9BvaYn7ZG8XmX9IURtkL917QoFJLuQrZ6xLL7XAZNZsvCAqywiZ1
ae2ewtTIJMkFQavuGj0EOUBeXkr0II2cs8+O07ZReHt+X1Hg/udiPh//C6Fn
vMvbK4w2DPeQCuE18lAPMn+F0emzx5MbHIMQOB6fWadJRAeBqeB8y3pGqt9t
OMKwHhz4C862u83eFC0yE+BkRy/eYCjT95wCtbjFBCdSzUKSQTedV+sZTYCp
HtZCbSSNADpqGvmUyCGm/VlYw6YOx+SNjuVwOIB6PyWuV/C7SPClbIzGZXNE
cOlBFOmRjyQFaLxCyA/+hM4s6LcaeVaHJ7Ww4ACbboXuAjUt9l2YyLsXdQ/K
mDPcYUKCZtFnjTruKBjw+aMq5IbM7S1464IA48IR3EkSc2h0Pd0WZhWfGGfB
XmLHyYSiqOJgLNngehm1RFUgTzl+LQF5bkOQzAA3Y7FqNayg4Lp9ecWusxzb
aOCIDxu3v5TCjrXk4v5kvoOFsVoYRvi9bFoVmNJ6Ui5KRFJEzRsFGPraSC9c
IP6qdQ8CZf9KyWaUzfLlJaUbMOk0mtga3cJy7YFYG7LKxd6hXLMO1UtJMNWL
xHbz2PBDOzRfg6Vv7hCyXdipODZs6HgWYUUcAnvG+7vYOdCIwMSAGCC8WduZ
guUDtz4oCC5xb70uvPOYWUMvGSWerpktjxGQA++AyUgS6USyMqOmmg/wfbql
dI9XnfaOLlG37LPKWJfV6YjnwuGlXiC7ySZzk+4ZiU873Nkw2EChE3CxTmPU
e4kmj+uPucmu8wZGKdQtrM1w40LZAeW7kqoU7vWEG1CSYFnb2U4Cj4CKFAiC
EPNxfE9E83FYkzWG+Om2WQsDbdb8yWleZbe3ma/EoFaaG7ezk66edJPY0KSG
yl2YQ0inN3wHPm39k2KvwqFWQQjktBrqRR3kG54EqSCI0m6Ne8YNB1N4StwN
UFHyzfnIbbXMwUdDrrSJD1ZCjolNIWAREb/MDnMBNmhKmo7LCPxUfa6DEy27
JZYXDmce3QuOO7pWQ2XbTdHDmbXSECmIGFkObajiDFkrB/YKD7wluI4CjAIg
Ccu7roXhOO5Pip2l4wcJJnFBSn6P9p3xTARQgmfjWv1093lrF52kRZVGaQ2r
v7GUMPqdtmhkUwqVKCfWKLDB8w/C+FBLsdh5hK5nlfOFbkh2SOeEKqVt0pd7
Fi5KgYtLDU3KRTR4J/leAlRSF9OCPSqkb08yvaMJGCWlHgcJLVmSzzA2r6pB
oi1KaKM6J1KjtGz1i/IUPFjI6D6+4yBehxgZK3Pu1+5QRwbxkpPeVB2G3uvR
iukT1CWL1oEeVIq4UT4WJ5zWQYqPuuBsXO2HzulqCkL7uhTR2tkX7Mt7Vczp
Jp2Tk8iyS+6he0rzLY7I3ZXb4Sq8oi1tFCYhnuCCOQkirMdC53KBjd0fBU9A
++DdG+ZcHHQOxGVPo6sO2eCITTVsdCRGWwixxRxrOO1VBw5h3bBqiGFC2Buz
AimpoaFQzm8xx/3p06cSvmmpnFz8r3sjH0/LhWoX+adysV6IaaLmJPpGEzFK
+CQsCmOhDE3TRTOC8zqILxYejXnmzPLM9WmqBPYEsPQUODy5x5uB1BM6Tbqo
TCS0jt6JqGDhoVixAJFQ9DQIbsdbutfiQN8ch6Jcl76erI0qDryNHKgUczkF
2s8vWc7Mq0turyHIf1S5mHbYwJJWUNbxTNKksi7aqOBYJiSCZRmiBDTUdaXE
uQfiGdRhk47s2tKu0tuBD708zS/3/MjKdYU1k32j4HaUWKYHG6Tj6va26qLN
b6p+DlzUNIqeVhLAj0WaCXS5fF1Z+3rqvcW8KUiYV31yFNDoOv+zq3yOqYdE
2a5cH+PhgYLunLZJJWfv6vIaU+a6FWen0WjW0EhsqR3TZvKmVznEmRnmLQHl
Acvum5w4Ful7UzASiAUsNGy9wCt4h58drbN85ePVruZ9DpvQTGHYZl+atbw/
PEmLgvFu8FdxiMZS71w2A9O29gQYdVASeui9SSMYrt3COCVD9KPvtcS+khQL
ID7AqkNKnKu6pBrLP2MkM02OyjEZ+7qco0JPKMnrFUoeN1/Qz95qv8vQXJFq
JyfEguCGaq8EFwt9hJlvieMbT9wG71VQCmOK5EzstAExJjdG/DatQsUcLhR+
xRJZviqL5g5nmYSm+0BOBqP4KzLeISaUXRe5tBEGJYHsi25tKuXUcvYZ4Zxz
LRUzI/ZmGLsYWWU1W8poNU+EWFgdxdkSmzljt8uH6Oj/wFM/y2SXSb0Mg+4k
2rIef0u6doOdrYHKIs3Rwq40VNZATgxEi+NsdITXlaX7qngg7JWyyB+BpHGb
bl3HsxGy5ka8clhF1nICIrmn66W8Vu9bjxNsLQbXCu+IM8LZP3FUbLYoBSVO
C6iw4EybzVG4A87lcDzPzwsGTYhV6l9/9z3I/LBL+i1uxPGLN4fPnjz5zlXH
j6QFIn7907KcguUhnYJlWXtiVXDvtymsBNT8T9mPJdopmkKMey7GB7foRUeU
tm+mlr06xSawwoJhcDB+4jkenhwdH7un0Xd9JxrFHuWgai9Zaq1sA2jn82Rv
pKUTNhkupR+OYY7o8nlbrTnuChGDY5qarkOs0poznZiima/H3w6Ugh/ICWJR
kjTmiR3hzIdsBpQ2t1ZD+apasKuITNV1w45sbY9BhtnVekGsKOvAM6LHHNZK
mSUo+pU/l00/dj8vLqxvNBuw1DOUdS3WqI7cRq84ZUuNjbgg8nBFLGTe80Cf
bq7bEDQX9DAhkxd7bHz2z2es7fs8Ltf3krJa8KYz7T/Hnhak4BF0HoaeFou8
Phi4ZQLzJLogiJiT16fvfjp99Z20xPjm6+dYvC11fi5xRdPnAvx4/J2mQUR3
vSY/tcML1egP2vmj4BzJcrGri+gYkfQQ1wqEbynVDFFhMlphWGRnOBybeQ5G
l8VQroEEMDYi42vOCYa8ffkKKoEYEXKzvydsB/PLwzeHQ7X5iZr6XvKe7esH
UmU/DNOhXcjkMVDP38uEm3v275JEUprcDsdBt75qxzJ590Ow92Nm237Yv987
3XMvCtDnyhVnVu2LuEVVXSTUrUac7urep6APfasg2V7XrewIjvkSk+bFW1vj
BI5fnr4CzcLbTRaPxe8TPAR/PO+0xWWc6dbDoauBjUpN0A6cxMCooX8OWr/9
7DvK+v2fOxMD2ti6566hLpUvm9W63fcBc62m5PUJMd2rvx9/x4N0MV9cLap/
Ce18fkAX3CcGjmMU6Ev3dC250IWKeBv9OacvbXZCeqrffYONauFU8UHWOpIj
dUkpfl5nf59dOSFPBX6BCeP5kj58XxCPxeC5Win4izeIg037eBdZiHPiKHqi
3tua/Rb3unJEjhoC7Z7AH3IkGov0YqowtniNNwSmg9Ji5y4u0Zvajuvdo3fS
NGN3WJd1tV4J9IZ9eJ5r8bp57QRtyrVsCYkvIT7MqTxSvWp3ZijDeaCQcaLE
KLYuU8V+lp78e3UjMak9ffYNuXyos4TNAzasTvBGj3QtyF+yXdByCDytpt4d
Z/+ej//8ZPz9h/842xuFhJeoDsDGJ52a+UujY7m5IZMDXkP0GyL9Sq12Nky9
MO8XBQciYEEvP2FWJrWpo4pIkKUcIyn4C0lkdAnTmMiJvXdDdy5WvmAzvgTL
FLQGrzVT+JpygMkEdz5WD9Xe8eAevnmRJc2gho5S07lQZ4exQbdTAPHYXNR2
GItJmjCdF3nNZrs5FGPTHUTWcVdPWjYKSBw1AwcVGWwOMrgZL07WFY9JwgwU
b/yTNnY+xl5uWNm7RGMZuEb4pUMrvyTk8EvWY1Hw2fDpZr+EX8byfzDsprKW
X7KX90yG17xLenrkeu1I5QoMhbwS/pMiINHb73R4/5p5xExOueIxn7uTxLJ5
Tr+C7W5ntv9jLPZXMtb/U+wMiDQaBijFTih5j7vQM5fW5ALeoDNtb77sYiRV
Ag7hSycs14Fu/yZGyZi5dKUC3+bzwnFK52KPTTpBvtsdxnm/XRJ+FnUbEhmT
tg/qeq0dD4ibrTbMnfKXJEw8L5zBYazt/8PJ2zdaDmT2nWF3pi1yNDWwrAM9
RhCp0vuaHYsUD8BU/5f/+6fj9y9f4Drfvjs9fvvm8MdN2h8a1ZRapylRhm03
5Z/HRPL3KmNpEVHkWspHQmO0miGovv+m/HEeOVzrelnCnWMjX1nmdXEgCXW4
IRKWdMX3IR74QeQ5fo4PmygQcOghyiLvdcTcw+BxSdgxxZIsc9xDch6QvwN3
tUywpcJudKWhvbzIOR/AOtkfXmB37BzX8/gNpVfBHxhSU59WEcSNS2nNjfUA
oADNWMNwHLADTWFFeFwJxeL0xz5UTKBzJjWjxUUMFhgpOVGmQD0EPWfClokz
ekJRg2EMJe0gQ2yAUBkwO47zIrAKHqT45RqTjSlGav1malXgNgpM56b4xYvp
Xxx33CA5jZC9sGRxOVDJuU2InrF1KPGMs2w3r+uckpCYMY7sLsK2yo8Xef0x
+Snzw5Fd1b07xFfaPESYx7CsssQj+tH/eZGVTur/GsnF8zEz33FdImwWX0Ot
WZwTRMbomPyHksQ+62vv/AJC6xLN9e/AgzcbpL+OIfPk/rumgCDw0x66Ulnm
Dtxo1inF/OtRJs1j3cYQZJ8JtSxhrKPIjjh9nIPk45yzwmxcYYLhqrrxaVr0
oKsZEe0Vq6jOi6sc47e7bBxc5NSAR9qkYEcG03RVQlNR7yUFIDEZRl4ciyeo
M+J0TtaRukYpECi2rcugi05vqkcfyPfbwPccLWf2r7+XtaDR5FRN/8AZ8WfE
OremYnazC7YaB/dFRofJ6z+GWn5v6p3T3Msy2d5p1r96S2B624uGO5f+kqqY
SbaW1pGJBiHQjf2V37HANNcPVsIpjYTfy6yRutn7XhoN6vDSLGjb2Jwo+gtX
aW++ko2/iKzhozyAi7qkmhXXAS2Ov0X0DUR/X8YAwztVzPrCcCDS8LdKwH5I
fHAK/9eIvgGqfUVUq4Jnc9jHXePdmJOSGEsUk98xHJGX1y6M2X9l4zzxKwOH
/er758zt+qeLj90hZSlMi5UNy40Vk/ibwOXCvLA0J2QHExo4hLYD//rp/Y+U
4r+DUxo623sJW8YeJNkj7SpQLrnpOQKispzFao0kKNX1A1tI67U1/Hclt8A+
c+tF8rqr9TkIP2HPDQX0AnWf85iOuwSG4ZIQaHUxktMHhrdq5+T7uPw9pwaU
rWkHDSMhjimzILhgflQt7t0+KnDxa3qQjT9E4gjb85MwN4fDLpQQrr0MHJof
i3IK4irqG4aJndwKqJbc41g2KAgbr1/2y8DdwK/QCzdA6FE5QJ4v8ehfsnhd
4B/3aqQrlNth5q8RtyY7RYUvCeUq0yZcG+rN0mzi1rbBaRSJnhT/iGj1O/S2
gG/zXMgaGaXp/nSiTdhWDzOBndP3MUP+9tnXVEP9fPL0KWcmgqgNvtucesQa
UZ5xlrB9pPMaltaZS5t4fIbobJg/Uwmg0e6ZN+x+86eblpxiQdSMFArF/2pE
tgXXUcxv8Tq5hlhba1Um3HUumVdvEvt8kGQJ+F+eHSDN4QrZSuhP/yAKNuc/
WFK++duV3Jr4TeBvXoJaNNNmCg666rtz7MTSXhVxr3NSeYAO/vDzCaehAPcF
hbW0nKURpeMCXQmWwnneFN98ta7nY0y8xVxncRQ2BU6EIdgxeb+sxK+SuZYy
1vrg6ZMJ0MLeQTD52Jns5j23zFV9NHQgurp36oBzzNjVxPgdnZfRvnFWFmWU
duRVOthhPMFGwvbbs0YPsld1fsmFT5HvDE1Bw1XTaJ2gxjdEZXfR9D4ScX5e
XRfsHQ1CakKGdz3OqYO9lfb0kFJca9urMRBCazymSCamsLB0zt5L4lAhZbWw
PMwy/MSFEcvxshIP3yQ7bhXmTaNVOIAgm7FR2lzlq0IAiBVGgbMv6+K6LG4U
3N4cjfgBln/dUP1nFZz+fXPloF1UhYdfo1xaALfijPb3PpESOG4Ptwm7YQxB
P4Uw8NPPb49fvBq/evni5ftD9HUZoSe4EJJcFCxmqPHEJkHR0qjjTqlIVdJN
Zhlr9zPYUK7tFpPktzsIpqDgcpip3Rx03h/g/QOjxugT7vcj/O5RlMoybl+5
c8h5E78XDgPsQh0EYZOj0XzXHj1xwFeZRMgxRpE4e/n34/h7cvbaEoJJcFTY
iiYi0IDqfVVdEgzS/ZFhJh0LzqCPkzYmBF01LVJ0NMX6IawbQl6jvgd4wzGZ
nSnzZ6BfARQcvxA4ug2oYZI6+KsapGiVS46VjSssXFwW+xvsCwa4o2CDIxNz
kQZxkSrMnYRyCHS7uqZ7RzS1w9eSEe6E7P41GMKd4uBNdnhnSeuel+f0LYFt
HToEXkbTR/0eu12KAp5L3fVVteq0PMwEmdDjN+e+3z06BQ4cpDXQFRBJPbYS
BRhCfAkcKxgK4yLElAMM+dUgfQQO6BErDHmWOSad0wV16TMIfFoXvthhvoov
0cMnigN2Nx9CSB1R03cFJFQkoT0t5wOdX+X1Jow+6q9J75QW4oOENCtn1p/G
yAUlY5wS8yx2DUXO5Cr2JQuiXEo+KbF8stPv4i4HXMXQehSkVHpmnEscz4uy
NcVuiqBBIBM4p3RsCEXWvHu7APx/O7u6JDduI/yOU0zRDyJZJKW1HMfhlkrZ
SE4sR2XJlmzFlXKJoyV3NRLJ2eJQP1tbq8ccIJfwPXyUnCTor7uBxgxIrp2H
RFkOMBigAfTv9zVvhduAPx6dVUD8wC26vESZ8WajlnJLbTnLWnCUvmotBTlA
TBh2t8eizeuk/YB9LbOCWftYmAFno5uYS4zHHfxyVNrrQM7o/8lRvr3jFls0
8uu5VNGj1kA9J1tW/CEcjYvWasY+z9qHXAS3K5U3Bhzgks+4dzqOD1GzxbUT
Rwjj3y0qRBTB37mvaKQfaPNC71mnS0mmrB5gCNBynwO+mMJs+HHc4N5LQtxY
wnxqp37RvvK2zsPoyrWLi0Md+KiT7cbuEtmlYwta6wLsuJwU79YcZQrYpkgi
jzsXGRRC+RBcHarZc9qH7DtobxzUJj7Vx2Pyo2U8kI03Y7119ZJ+nnlT9OHi
lBwYnF7fes6/F/lxSGijZCss0RhuH4GGVPIJYc0TiNoy8nYYNP6o1Chstl/3
sbgzogK0rbUw2IV3BvwUgaAKZRSGb+VBQAVrbqp0aMhbHT0NcW5s4EtiSoGS
oQ/8BDDxC2P0mateaq70zm1BwCVg8nKqlNu0kJGrdZ/LjpEchc0l2xu8VWLV
SEQ+m6YvVIYfslt8Ezvr/Z7qMxYNkC6xeGGeCAQbchae90auvtBTv41S6GWG
WR+qUHbShVyjI0PrN/2b5QPQJgKXx5JZcRStCABkwzWdbvbxT6cz0YwAAZix
f7KgyxP3k53fVwvWqOuzsyX5EVGCkZs7v1iEj1I1DknQ5LRZ1QFLiuACknWT
9I8g01zkD5wNHJhrimUkjJPgCl2WamoaDWYDBFNFiQkIgdh5mHUisVnPO6oV
NeIqvYBLSMZow7rIsvzogm7mNXScSBzy3IkBrlegN93EqYqFAdiZN23L88U0
K+kSaaUJ9KvoH+NUehq/YM/499QrcfnQY3OCUSLQLbchP0vDjGl8LxRa0yg1
mBGjfiQZxwFuOpw5Uq+OWnQuoeLAxZjAyuzO8ffzd/X2NRdsupb9S5lEdITK
SVzKETGF5Lauatpnv+9uylAURjgZIJwGhANJxvMfA4UUXsJD6UOxio/ego0W
sn31qIuhsfa1BSUQho1oeSUzPPgtvKEK2fGWdJyIe8koqhGgib8tiaa+8eOt
zhjrzBZ/knTxSf5AC/AfstJJB4uBwAcTgN8q8JRffUaxz/F83YA5UyAGkbqQ
Oo9RqEkICSm0T6SFQvfkaWwpaHnwH0Y3XZtP54wIclXQSbsrKUJOxySpZUdt
vZOfgY9a0k2+DRkLWFQOSwiWJM86EAc1zIPSbCd8pFImjJlDjI6pAwsmGqWE
LzrN5jrjNjciov364c9LwMKjaJi/G2ecYkAPAoAHaDLIoPN/2KrRxeFzBUNW
8+DS324fyWpclbRN01wPeU+jiR4Kuun3m9aryLErc8t1+Ap/BTg5zdaLUAMo
aUS5ZbmZS+C7An5w0NNbSytpI5t3i9ZMmSQTE+ZigXI065huPigkbiVSeG9W
xG7gJwTAAz49bEEinpN4H8M3k6l0SnpGSJtmafo65EQ6xy5ik5lAQiQ7YF3M
vK42kzS3QKFMxzF1m6gJJWMnnlpQIkrTWZ6xXe81/01+zlBPzxzFmg88Nlmb
ptAA5QOGhggmFuhJeUCaaUHxNENK29osSkqLaVaXCbSINrV4AgPslREJ2BCl
+shiAuiDABPWpHeMZCm1uoCkZkdh3w91UjXArd5OfF+Dmb/3q00orJEbKeEU
y5hB2QJNA5KikzKWOyKrzUOUsDUEgGpb8Yjpq6QmE0st1Cl+SZF6sqnPBU5F
AyvLy0nxI2uByN8NywvciZHr5HmTVLQWjYZyTrf6mv1Jgu0ksJQCeLDPlZ+B
2nkYFIWWPyAGojnvbG/HgQsYQG7pG/rkPk6dLYJDqlEhqja5CFV9mqkVfh4w
alJDh3ETkJroPLpYSB6cAgEXpFw2hyfCC6xmHRGWj0toueKl2/eqFrlGSH1f
EQnLySO/+DWBqnMdj4XSF8RCds1QGJKHR1ZBQMyQybbT+YTKOm41LpkzxS8j
WCEC9iheVeRS3ABHy8QtAvN3qHXOL26RHicEqG1IqTGEAPjBSiJTGwD1lca7
dbOXDDdqw5yTK10sMTSvZ/SZbREILoKR6Lqq9tOLoml6AWDWNevQjNstykrA
ggFeH9/C7QnUyL1aJNQsR0YEfzQzh83r4pHioMQDnmyO+z2GSgXaiB+PH41/
Q48CTmgUoVIjiwYjra8W93tS0R/n3Op9rww4ohG7s2rjpxXpTf4YAzdCFRmJ
yyJoJZAlVeKMUxZWdABSCdSLtrT+2IhRSkgG8i0O3fOecwr5q1Rwi/BOxeNn
QBq7X9hnijwGIFaeNIRb9b3GuA76SZ0bDr+f+umFPtYlUkFkBPOPSfCLcn84
THzIOyNnwTEMm1t1SLaFQyTNrxxp6SGnlnvbFzDb1i5Z/YCr7wVxuLpMwmi4
3NthMoBUMmb/OpcC6tszrMiluISUK8GsdYt0Z31ra7DxWcUzrC2Etg5WysQb
LtVlegYw13qwrYk9XbLKTJBtPC+r62vCC5IjF+RW9TnufV3MF76nWxL3FTgQ
4hZYbD8svLKbnFYkwrqmyQ9Vw5WMZTEc7j3Wh8PgEWocEIrAXNmqg6yML40R
rtouFtcPV1PZhvE+VHU9wBQ7O+aOf9iOs0jGmeeZqLZR6CRCsrWlgX0Nr5tz
OoGFnlyF8zngNhJiC+Xkw2vOqn5SpP54AFSjGAcr3jeqZ43Dp8Sf44pfQhIs
0myb8ozXuPamR31R9Dq7oseOH1amAvViRJZxPb012BhRFoso5r0C2aPdQl4D
YBOKecOUHGaSytRZR2EKEsajJ2xxOOzxL/L2RFRVIBmRu0quwpXmTr16d07v
ydLaXlOY5d1aGVjGCF1yhmnYa8Qxs7rMxG/EH6Y7nMyp5/96rokZWJCnFvIr
GIAWuiDCOHhBe73dXjTT27evwhV+fRCenP1bfiz1mg5jLfPyd9Sc/Zc0XzS2
ZIGRnMugp+tabW81lN1vvz7mXkL8ZpABt17hmgccFvUvVecylxvXcNmXvwbK
uXAsxykYY0ZkrGRV5UpqnGFv4lZPqFUcSPETu/Nh5uU5M9y6NtpXVI3oICFM
J1nDFJLOv1Ql4GGt5Gbwt4GjrPSLQHwh1vwyKZn9sI7L+rxaK9P5xEv67SsG
m76+/f7zyZ3ZAELyMwHy7YlRAbQIoFYR0ooyj7lszGayJrTrfveWrwA3rWLX
GauLVYUAQteP/sbbJ9AKhDfFBskx5B/I1cwaF2eRB7fyfiRGKtJ1M8BBvoQH
fxag30pgvh0K+KeoocdFSkkjKKfQmk5gaDxVPoNH86fFi3L5VrNirj7T6xcW
yViJD24We/7ge2pCho2ma8e0oIAUC4Boo94I2+iGJ6xaXXiBqdd8aJHDgosf
naZMUG0plBSjbjwN1G1k2DGcfMi1iFkeTlB3FeJCepzqecVK0L71YgROTlix
WesF23CBMKOIHJpBd3fGxmZFju5XfCGE7IFf7qm/tHVYRKYTdsms6PvTTqig
jY5G5ab0ahdYKsJOw991cnXH+X5WULgfPRx/e/IPP5KzLSF+SpbMvHj27EmU
XDPn3kJcEeKtFxr/TrJPw8LFQ5r+nHnjQUt5cEymAOaimPmdcLr4q/12TM9T
kwnmZ+m5GV7Uc6bOffr0yWW1E9OjF9jvcDH1i977e5mHj457rvD/CSrA5T3T
XH/kJvf2TnivGGBIzKVjp81oZ2Wqoy7F4b/7APSHO61bcUJzJRHDKrrMUonA
/NPcMhA9rXALhU7AZlMhdiwotCEgKzy3xRtCC7xy/Pm9adHb//kjh1mc2ydz
YsIPLj5e+AeP/vzVnaMvv/zizp2Rf0u5jX86wp/ebCvq7tVfTo8mkwm39EYR
/Q2feffsq6Pyc+mRNgv90hErqlZJ2eb8Y+Qwdte8YsOhjUKq0KVrqMDKvDN5
oqQ4h/8P6VPiJWx2pC2l+1w3n+DkCSc9Q4o2RV7xth2M2OqmBHzNWlIsCYYK
3kEFV6X49QylWoNJhXGxZheEwbtdvHy7uHyJBGDxkbUyqBgWmKIMCsyK/fuC
a2CqRok2G+UjoJlFnSDlpQRig3B8QAydQuJFqxUzQ0c2pwdNi84Kj1y6vry8
s0iowUzAcQ0V93FrCGyE3/bbF/98xozCGtvl/BsgUh6bc5lJ6ioCTV2eif22
kJSWVHaCWHTzhWbpipJS6K+Ki86hbBaLtVv4KeMV0JnMStnNYv1oOFUanpk0
C5bCJY1QKSejF8h4waAVKhguQ/UHNn2tmcFZdiEKTBFPmMS3ULp5LI5qEDza
TFoI8/h9o6DgCK5ydChsGxsvoIVrApPzJCdd8l4E/be1i+rHIiof6QaN/DqZ
C8ixmQV9mQ9eGSo5MNZibFZrLVKFnj+S9EtUUDOCYzdPIq+oGT/Jh/jAzRQ2
TrvkD3ldnb9mghy32wlDqYQ116SebhZ+gswrI64trx3DeBeWH0jEikKjHCDn
wAlnmph3cY4D7bcicsMkGtL+KEGU/otqoj7dsODHdlJ5SCdIUIjt4ljCwVpv
ztOWjyx1eGjZLCiYkrQCbhmcozFsb1/rVZ8OGETor5pfTMgOWyfqlPFkEPm4
e10vJSnxMa0gMa2ehIj/XTPvXnFTNcuJmtXu/Th3P7Uf2qWPHYqGWCWno03s
rZ1P9IzMsqqacZOKeN/Xv1l/e7dZT6vF9myK+qhmiqt1mrAmTqv5+E15Tgrf
L6pnHCx8pzeI4sGNckXsYRhX+G//FP9An9opTcD34aEEMQUv2i+2PALTFPgp
4eV2AKzTJppavs/b6MOb8uXdMDCjEB/uoBcaXcu/fsH/XnNvV3YudunAPbT9
RZW155kkNi9yZq98zW7vB0lMoj9foERt5Krl8h0XUb5fDNRZypHG6CJ5XUlK
VIw+0cY6pBpn9nGitR58LozgJY0gXffuoSNSp+5l/zQvscqV3uHhh+zS7RoM
Hn/z4W1DcK4HGtym53i1abWwvlk5jOP4g/JneqUOFpffetOgT6WLUpzqjf58
b4M4vkSadpz2t5p8zmIkQeZT2TA7z9RtxYlvUq5JaxrSVyl8PdMFC8Ry/VzJ
12+/fjk4JHAZmfhd8tYaye+TIL99YW8cepNu91ScfGtKakCenxhkckpAguwK
da8qa1KTBsZe3H1egdag/ohnoNXFDu9AdgYGuyzNF6A8UtO7oOyR91rEReI0
LfbpCKOWTdT53R10yfg5O5oUw+Guqpd+544aYNziBVzQHJy16m6k1Lcj0lNJ
zW7i7vGtc+c1q8o32Y7UQ7ojI5+N1b9u1t6+caK54yRlRHUR+OpGAjzdUOPO
bh4ZBhz5VKsSay9eufqcJv7v6jkdBycjzJ3mRoWJfi1oEDA6uTxmmZCxBF9A
C4LtWNdOaqoVSTuEKsPFKFFkFAzPWsfC7Ji6gMVGh/Ssq/vrDJhc02PjQqHm
lvGS4lYAKXny3eOfoz1orAahVGHDAeeKtQqN24AdIj/+8JjM0m4kKS13FuQm
vyZ3sRkOpgr3d6kruiJfq9Hf0arjYHOeH4jUTU4w6wCiNnttiSrvDPLf+wV9
74P9sUra8H+jsKNJDxR2qiAAN0C84jGAWZYdR7AvniE8tpgrh67WqTT01hM5
UJAXquVfZAKx70YwKxOB/99//ttxU/h+6GTAsapbXe9nZ2R2R9td4sdeGE2T
wE6z7kEr2JmeOY2TE/ocuqP0gBtKqjp4kFa8JF4oDbzQG0+ejeNGNryZXVnU
MkoY9BnVWl0cufEbombXibojg8QPEi3g6whgat/499UhR3Cn84IxW726zrDQ
FHULdDi2XNy58Z07zsvh0A+WcV7mm/Js6/4P8GpUa0i4AQA=

-->

</rfc>
