<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.1.7) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

<!ENTITY RFC2119 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3339 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3339.xml">
<!ENTITY RFC8174 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC9421 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9421.xml">
<!ENTITY RFC7942 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7942.xml">
<!ENTITY RFC8126 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml">
]>


<rfc ipr="trust200902" docName="draft-morrison-ot-command-authority-00" category="info" submissionType="independent">
  <front>
    <title abbrev="OT Command Authority">Consented and Attributable Agent Authority for Operational-Technology Control Actions</title>

    <author fullname="Blake Morrison">
      <organization>Alter Meridian Pty Ltd</organization>
      <address>
        <email>blake@truealter.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="03"/>

    <area>Security</area>
    <workgroup>Independent Submission</workgroup>
    <keyword>operational technology</keyword> <keyword>industrial control systems</keyword> <keyword>agent identity</keyword> <keyword>authorization</keyword> <keyword>audit</keyword>

    <abstract>


<?line 95?>

<t>This memo specifies a binding profile by which a control action issued
to an operational-technology (OT) or industrial control system on the
authority of a software agent is refused unless it carries a verifiable
statement of who the agent is, which human principal it acts for,
whether that principal consented to this specific action on this
specific asset, whether a human authorised the action where the action's
risk class requires it, and an append-only record sufficient to attribute
the action afterward.  The profile does not invent new cryptography or a
new identity mechanism.  It composes primitives defined elsewhere,
DNSSEC-rooted agent discovery, scoped and revocable consent, a
human-in-the-loop binding moment, and a provenance-labelled audit record,
into a single structure, the Command Authority Envelope, that an OT
conduit evaluates and, on any missing or invalid binding, refuses.  The
profile is availability-first and fails closed on authority, never on
safety: it MUST NOT be placed in the trip path of a safety function.  The
memo maps the profile onto the identification, use-control, and audit
requirements that <xref target="IEC62443"></xref> and <xref target="NERCCIP"></xref> state but do not give a wire
mechanism for.  The methods by which a principal's identity is inferred
are out of scope by construction.</t>



    </abstract>



  </front>

  <middle>


<?line 117?>

<section anchor="introduction"><name>Introduction</name>

<t>Two bodies of standards work are moving quickly in parallel, and they
do not meet.</t>

<t>One is agent identity for the enterprise cloud.  A software agent that
acts for a person or an organisation is being given a verifiable
identity and a way to authenticate itself, composing existing web and
workload-identity primitives.  The <xref target="WEBBOTAUTH"></xref> effort standardises how
an automated agent authenticates itself over HTTP, and its charter
deliberately declines to bind that key to a human principal.  This work
is real and useful, and it is scoped to general information systems.  It
does not address operational technology.</t>

<t>The other is operational-technology security.  Frameworks such as
<xref target="IEC62443"></xref>, <xref target="SP80082"></xref>, and the <xref target="NERCCIP"></xref> reliability standards govern
the industrial control systems that run the electric grid, water,
pipelines, and manufacturing.  They require that actors be identified
(the identification and authentication control family), that use be
controlled (the use-control family), and that consequential actions be
auditable.  They state these as requirements.  They do not specify a
wire mechanism by which an agent-originated command carries the proof
that satisfies them, and the installed base of control protocols
(Modbus, DNP3, and their peers) authenticates a command largely by its
position on the network rather than by anything the sender proved.</t>

<t>The gap between the two is specific and, at present, unserved: there is
no interoperable way for a command issued to a control system on the
authority of an agent to carry a revocable, auditable, principal-bound
statement of the authority under which it is issued, such that a conduit
can refuse the command when that statement is absent or invalid.  An
agent that can write a setpoint to a turbine, open a breaker, or change
a treatment dose is a workload whose authority to do so must be
provable, scoped, revocable, and attributable after the fact, at stakes
where a wrong action is a physical event rather than a corrupted record.</t>

<t>This memo specifies that binding.  It introduces no new identity
mechanism.  It composes primitives specified in separate memos into one
envelope, the Command Authority Envelope (CAE), that accompanies an
agent-originated OT control action, and it specifies the fail-closed
behaviour of a conduit that evaluates it.</t>

</section>
<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>

<t>This document uses the following terms.</t>

<dl>
  <dt>Agent:</dt>
  <dd>
    <t>A software actor that issues a control action to an OT system.  An
agent is a workload with a discoverable identity, not a human.</t>
  </dd>
  <dt>Principal:</dt>
  <dd>
    <t>The human, or the organisation acting through a human, on whose
authority the agent issues an action.</t>
  </dd>
  <dt>Control action:</dt>
  <dd>
    <t>A request that changes, or commands the change of, the state of a
physical process or of a device that governs one: a setpoint write,
a breaker operation, a mode change, a dose change.  A read-only
observation is not a control action for the purposes of this memo,
though a deployment MAY apply the profile to reads.</t>
  </dd>
  <dt>Conduit:</dt>
  <dd>
    <t>In the sense of <xref target="IEC62443"></xref>, the communication path between zones
across which a control action travels, and the point at which this
profile is enforced.</t>
  </dd>
  <dt>Command Authority Envelope (CAE):</dt>
  <dd>
    <t>The structure defined in this memo that a control action MUST carry to
be accepted by a conduit that implements this profile.</t>
  </dd>
  <dt>Risk class:</dt>
  <dd>
    <t>The category assigned to a control action by its potential physical
consequence, which determines which bindings the CAE MUST carry.</t>
  </dd>
  <dt>Safety function:</dt>
  <dd>
    <t>A function whose purpose is to bring or hold the process in a safe
state, including a safety-instrumented system (SIS).  Safety functions
are explicitly outside the authority path of this profile
(Section 6).</t>
  </dd>
</dl>

</section>
<section anchor="the-command-authority-envelope"><name>The Command Authority Envelope</name>

<t>A control action issued on the authority of an agent to a conduit that
implements this profile MUST carry a Command Authority Envelope.  The
CAE is a signed structure carried alongside the control action.  Its
encoding and transport binding are specified in Section 7.  The CAE
binds five things.</t>

<section anchor="agent-identity"><name>Agent identity</name>

<t>The CAE MUST identify the issuing agent by a discoverable identifier
whose key material is resolvable and verifiable independently of the
conduit.  A deployment reachable from public DNS SHOULD resolve the
agent identifier per <xref target="MCPDNS"></xref>, for which verification is DNSSEC-rooted
and fails closed when DNSSEC is absent.  The agent's request signature
MUST be verifiable per <xref target="RFC9421"></xref>, consistent with <xref target="WEBBOTAUTH"></xref>.  This
binding answers "which machine issued this", and nothing more; on its
own it is insufficient, which is the gap <xref target="WEBBOTAUTH"></xref> leaves open by
design.</t>

</section>
<section anchor="principal-reference"><name>Principal reference</name>

<t>The CAE MUST carry a reference to the principal on whose authority the
agent acts.  The reference is a resolvable identity handle, not a bare
string.  This binding is the one the agent-authentication layer
deliberately omits: it names the human behind the machine.  A control
action whose CAE names no principal MUST be treated as principal-less
and refused at any risk class above the lowest (Section 5).</t>

</section>
<section anchor="consent-grant"><name>Consent grant</name>

<t>The CAE MUST carry a reference to a scoped, revocable consent grant,
per <xref target="CONSENT"></xref>, issued by the principal, that covers this action.  The
grant MUST name the specific asset (the zone, conduit, device, or point)
and the specific control verb it authorises, and it MUST carry an
expiry.  A grant that names a broader scope than the action does not
satisfy this requirement more strongly; it satisfies it exactly to the
overlap, and a conduit MUST evaluate coverage against the specific
action, not against the grant's breadth.  Consent is captured against
the action, not inferred from an operator's one-time enrolment.</t>

</section>
<section anchor="binding-moment"><name>Binding moment</name>

<t>For a control action whose risk class requires it (Section 5), the CAE
MUST carry a binding-moment envelope, per <xref target="BINDINGMOMENT"></xref>, recording
that a human authorised this action, with the two-way veto that memo
specifies: neither the agent nor the human can railroad the other.  The
binding moment records a human decision at the moment of consequence; it
is distinct from the consent grant, which records a prior, standing
authorisation of a scope.</t>

</section>
<section anchor="audit-record"><name>Audit record</name>

<t>The CAE MUST carry, or commit to, an append-only audit record of the
action, labelled with a provenance term from the closed vocabulary of
<xref target="PROVENANCE"></xref>.  The record MUST be sufficient to attribute the action
afterward: which agent, on which principal's authority, under which
consent grant, with which binding moment if any, against which asset, at
which time per <xref target="RFC3339"></xref>.  The audit record is the artefact that the
evidence requirements of <xref target="IEC62443"></xref> and <xref target="NERCCIP"></xref> ask for and that no
agent-authentication layer today produces.</t>

</section>
</section>
<section anchor="conduit-evaluation-and-fail-closed-behaviour"><name>Conduit Evaluation and Fail-Closed Behaviour</name>

<t>A conduit that implements this profile MUST evaluate the CAE of every
agent-originated control action before the action reaches the process,
and MUST refuse the action if any binding required for the action's risk
class is absent, malformed, expired, revoked, or unverifiable.</t>

<t>Refusal is the default and the safe state for authority.  A conduit MUST
NOT accept a control action on the ground that the CAE could not be
evaluated (for example because a revocation status could not be
reached); an unevaluable authority is a refused authority.  This is the
same posture as the <xref target="COMPUTELOC"></xref> gate: the conduit refuses the request
rather than attempting to prove, cryptographically, that the agent
lacked authority.  That is an honest and contestable trust boundary, and
Section 8 states it as such.</t>

<t>Refusal of a control action on authority grounds MUST NOT itself be able
to prevent, delay, or gate a safety function (Section 6).  The authority
path and the safety path are separate, and the profile lives only in the
former.</t>

</section>
<section anchor="risk-classes"><name>Risk Classes</name>

<t>A conduit assigns each control action a risk class by its potential
physical consequence.  The mapping from action to class is a property of
the deployment and its process hazard analysis, not of this memo; this
memo specifies only which bindings each class requires.  A deployment
SHOULD align its classes with the Security Levels of <xref target="IEC62443"></xref>.</t>

<t>Three classes are defined; a deployment MAY define finer gradations
between them.</t>

<dl>
  <dt>Observe (lowest):</dt>
  <dd>
    <t>A read of process state.  The CAE, if required at all, MUST carry
agent identity and an audit record.  Principal reference, consent, and
a binding moment are OPTIONAL.</t>
  </dd>
  <dt>Adjust (middle):</dt>
  <dd>
    <t>A change within a bounded, pre-authorised safe envelope, for example a
setpoint move within an interlocked range.  The CAE MUST carry agent
identity, principal reference, a consent grant covering the asset and
verb, and an audit record.  A binding moment is RECOMMENDED and MAY be
required by the deployment.</t>
  </dd>
  <dt>State-change (highest):</dt>
  <dd>
    <t>A change of process or device state with safety or reliability
consequence, for example a breaker operation, a mode change, or a
change that leaves an interlocked envelope.  The CAE MUST carry all
five bindings, and the binding moment MUST be present and valid.</t>
  </dd>
</dl>

<t>A conduit MUST refuse a State-change action whose CAE lacks a valid
binding moment, without exception, and MUST NOT downgrade an action's
class to avoid a binding requirement.</t>

</section>
<section anchor="safety-carve-out"><name>Safety Carve-Out</name>

<t>This is the requirement the profile refuses to compromise, and it is
stated first among the security considerations because it is the one an
OT engineer will test first.</t>

<t>A safety function MUST NOT be gated on any binding in this profile.  A
safety-instrumented system, an emergency shutdown, a hardware interlock,
a protective relay operating on its own criteria: none of these is an
agent-originated control action in the sense of this memo, and none of
them MAY be made to depend on the resolution, verification, or
revocation status of a CAE.  A safety action that a plant would take
autonomously MUST remain takeable when every network, every DNS
resolver, and every consent endpoint is unreachable.</t>

<t>The profile constrains who may command a process to move.  It has no
authority over the process's own right to protect itself.  A design that
allowed an identity check to block a trip would be a safety regression
introduced in the name of security, and this memo forbids it.</t>

</section>
<section anchor="encoding-and-transport-binding"><name>Encoding and Transport Binding</name>

<t>[This section is deliberately thin in this -00 and is the first place a
co-author with OT protocol depth is invited to shape the work.]</t>

<t>The CAE is a signed structure.  This memo does not mandate a single
encoding; it states the requirements an encoding MUST meet and lists the
bindings a deployment is expected to specify.</t>

<t>An encoding MUST be verifiable offline against a cached trust anchor,
because many OT environments are segmented from public networks for
long, declared intervals (Section 8).  An encoding MUST carry a
freshness element (a nonce and an <xref target="RFC3339"></xref> timestamp with a declared
maximum age) to bound replay.  An encoding SHOULD ride above, and MUST
NOT weaken, the transport security of the underlying session; where the
session is <xref target="OPCUA"></xref>, the CAE rides above the OPC-UA secure channel, which
proves the channel while the CAE proves the authority.</t>

<t>Transport bindings for specific control protocols are out of scope for
this revision and are the natural content of a companion document or a
future revision.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This section is written to be attacked.  Several of the boundaries below
are honest and contestable rather than closed, and they are marked as
such.  Independent review from an operational-technology and critical-
infrastructure background is the review this document most needs.</t>

<t>Availability over authentication.  In OT the priority order is
availability, then integrity, then confidentiality, the inverse of the
usual information-systems order.  This profile is built to that order:
it fails closed on authority and never on safety (Section 6), and it
refuses rather than blocks.  The reviewer should test whether any path
in a deployment could let an authority check stall a time-critical
control loop; if one exists, the deployment has mis-placed the gate.</t>

<t>Refuse, do not prove.  A conduit refuses an action whose authority it
cannot verify.  It does not prove the agent lacked authority.  This is a
deliberate, contestable boundary inherited from <xref target="COMPUTELOC"></xref>.  An
adversary who can make a valid CAE unevaluable can cause refusal, which
in an availability-first setting is itself a denial-of-control concern;
the mitigation is the offline-verifiable trust anchor and cached
revocation state below, and the reviewer is invited to find the residue.</t>

<t>Revocation latency versus plant time.  A consent grant revoked mid-
session MUST stop future actions it covered within a bounded, declared
latency.  In a plant, that latency competes with real-time control
constraints and with intervals of network segmentation.  The trade
between revocation freshness and offline operability is real and is not
fully closed here; a deployment MUST declare its revocation latency
budget and its maximum trust-anchor staleness, and MUST NOT let either
gate a safety function.</t>

<t>Key distribution in segmented plants.  DNSSEC-rooted discovery per
<xref target="MCPDNS"></xref> assumes the resolver is reachable.  A segmented or air-gapped
plant is not.  This profile therefore requires offline verification
against a cached trust anchor with a declared staleness bound.  The
management of that anchor, its rotation, and its revocation across a
fleet of long-lived devices is the same lifecycle problem that current
OT security guidance identifies as largely unsolved, and this memo does
not claim to solve it; it requires only that a deployment state its
bound and fail closed on authority when the bound is exceeded.</t>

<t>Confused deputy and compromised agent.  A valid CAE proves authority,
not intent.  A compromised agent holding a valid grant can issue any
action the grant covers.  The mitigations are scope minimality (a grant
naming the exact asset and verb, Section 3.3), the binding moment for
consequential classes (Section 3.4), and the audit record (Section 3.5)
that makes the action attributable after the fact.  None of these
prevents a first malicious action within scope; they bound its blast
radius and guarantee its attribution.</t>

<t>Operator as adversary.  Consistent with the wider architecture this
profile belongs to, the operator of the identity and consent
infrastructure is treated as a potential adversary.  The consent grant,
the audit record, and the standardised, independently verifiable
bindings exist so that no single operator is structurally required and
every action is visible and attributable, rather than trusting the
operator to behave.</t>

<t>Scope and the deliberate omission.  This memo specifies only the binding
and refusal semantics over already-specified discovery, consent, binding-
moment, and provenance primitives.  The methods by which a principal's
identity or trustworthiness is inferred are out of scope by
construction, and no such method is described, referenced in detail, or
required here.  A reviewer does not need those methods to judge the trust
model, the fail-closed behaviour, or the safety carve-out, which are the
parts that matter for this document.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions in this revision.  A future revision
that specifies a concrete CAE encoding is expected to register a media
type and MAY request registries for binding types and risk-class
identifiers, per <xref target="RFC8126"></xref>.</t>

</section>
<section anchor="implementation-status"><name>Implementation Status</name>

<t>This section records the status of known implementations per <xref target="RFC7942"></xref>.
There are no interoperable implementations at the time of this revision.
An independent implementation of CAE evaluation at a conduit, against
one concrete control-protocol binding, is the strongest near-term signal
this document could receive and is explicitly solicited.</t>

</section>
<section anchor="contributors"><name>Contributors</name>

<t>A named co-author with chartered-engineer standing in operational
technology and critical-infrastructure cybersecurity is being invited to
shape the transport binding (Section 7), the risk-class mapping
(Section 5), and the security considerations (Section 8).  That
invitation is open and pending the invitee's consent; no such person is
listed as an author of this revision.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">

&RFC2119;
&RFC3339;
&RFC8174;
&RFC9421;


    </references>

    <references title='Informative References' anchor="sec-informative-references">

&RFC7942;
&RFC8126;
<reference anchor="MCPDNS" target="https://datatracker.ietf.org/doc/draft-morrison-mcp-dns-discovery/">
  <front>
    <title>Discovery of Model Context Protocol Servers via DNS TXT Records</title>
    <author fullname="Blake Morrison">
      <organization>Alter Meridian Pty Ltd</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="CONSENT" target="https://datatracker.ietf.org/doc/draft-morrison-consent-settlement/">
  <front>
    <title>Consent-Bound Identity Disclosure with Subject Settlement for HTTP-Native Agent Payments</title>
    <author fullname="Blake Morrison">
      <organization>Alter Meridian Pty Ltd</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="BINDINGMOMENT" target="https://datatracker.ietf.org/doc/draft-morrison-binding-moment-envelope/">
  <front>
    <title>The Binding-Moment Envelope: A Machine-Checkable Shape for Returning a Consequential Decision to a Human Principal</title>
    <author fullname="Blake Morrison">
      <organization>Alter Meridian Pty Ltd</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="PROVENANCE" target="https://datatracker.ietf.org/doc/draft-morrison-substrate-provenance-grammar/">
  <front>
    <title>A Closed Vocabulary for the Provenance of Machine-Generated Statements</title>
    <author fullname="Blake Morrison">
      <organization>Alter Meridian Pty Ltd</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="COMPUTELOC" target="https://datatracker.ietf.org/doc/draft-morrison-compute-location-gate/">
  <front>
    <title>The Compute-Location Gate: Constraining Where an Identity Inference May Run by the Provenance of Its Input</title>
    <author fullname="Blake Morrison">
      <organization>Alter Meridian Pty Ltd</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="WEBBOTAUTH" target="https://datatracker.ietf.org/wg/webbotauth/">
  <front>
    <title>Web Bot Authentication</title>
    <author >
      <organization>IETF web-bot-auth Working Group</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="IEC62443" >
  <front>
    <title>IEC 62443, Security for Industrial Automation and Control Systems</title>
    <author >
      <organization>International Electrotechnical Commission</organization>
    </author>
    <date year="2018"/>
  </front>
</reference>
<reference anchor="NERCCIP" >
  <front>
    <title>NERC Critical Infrastructure Protection (CIP) Reliability Standards</title>
    <author >
      <organization>North American Electric Reliability Corporation</organization>
    </author>
    <date year="2026"/>
  </front>
</reference>
<reference anchor="SP80082" >
  <front>
    <title>NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security</title>
    <author >
      <organization>National Institute of Standards and Technology</organization>
    </author>
    <date year="2023"/>
  </front>
</reference>
<reference anchor="OPCUA" >
  <front>
    <title>OPC Unified Architecture, Part 2: Security Model</title>
    <author >
      <organization>OPC Foundation</organization>
    </author>
    <date year="2022"/>
  </front>
</reference>


    </references>

</references>



  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA81cXXPcNrJ9x69AOQ+2qoaOY2cTr/xyZVlJVGt9XEve3Fsu
P2BIzAzXHHKWH5Jnt/a/3z7dDRDkSEnuW6r2YzRDgkCjcfr06aazLDN92Vf+
2D45berO170vrKsLe9L3bbkceresvD1Z0w/2ZOg3TVv2e7tqWnu1863ry6Z2
VXbr803dVM16b2mUvm0qe5Ljt+6Jcctl6+9o/Ktb+nG75cHDSE9M0eS129Lz
i9at+mzbtG3ZNXXW9FkuV2cuXJ29eGEK19PFL1+8/CF78WP24pXJ6Yt10+6P
bVmvGtMNy23ZdfTs2/3O48vC7zz9T92bctce274duv7lixd/ffHSuNY7mtmN
zweZzX3Tflm3zbCjb8/HO+1NHPWJ+eL3dFlxbKzNbDNawfbRCvwTPZme1Jb0
S65G6fZd77cd/+zYpiWGp0fLV7LQf/GA+k1R9sbID/xE+q+1q6GqxGpvK/fF
2wu1Gv/YtGtX6yDH9qTqfWsvfFsWpavtNe3e+77gC/3WldWxXWKI/yKzeIdr
n5PZjambdksj3Hk89MNPpy+/++6v+vHVq1fh4+vvfvxeP/71+5ffHRuDPZje
+SP9Ei9/+QM+Xpxev7u8OeZJBO97V3Z5c+fbvW1WtJ7CV+xK/mtvr9umb3Iy
341v6YrO3pXO0gD29n9u7Qef02aQn2Gw0U6/a6X/h5161659f2w3fb/rjr/9
llzQ9a3Lv5CxSt+vntNI35Iffztz4W2+y4q6y4qwtG95uNGD6c/Tq8ubs8vb
qS30JGZvm4EOy7m6iIWJqqYbWm/vy34Dp/yHz8k5fU/3beFOOJi/3N5eZ5e8
BXpwr90ev/4pjZTrWru4iAes9Pb88t355c8XVxcHtrrdePuWjlpZr7OLho1w
Vt/5qsHhP7EXLt+Utc9ONz7/wlh2s3E7z4b64PuhrelG6yyb/J8DLE3n9Z3P
Sxx22zf02y/DFottyzovd676M1pxqRbYsgUyrxZ4wJTXH67+fnZ5cnl6NrXj
iT0l3yLw/3uTu+VQuVZgvif70gG887Wrc8+HU036s6+BfXTLDU3S/2k9jCIC
wTDNMNvFdWTr1lFwaR88kRfXH2/P3l+dHjoaxa/dQAO9JxthvvZnvhPOQ08o
2Zd+3Xg6oDT3eG7P6xV9BetduL39MNR2uX/Arud9R5fS+H9GI+a68kpXnq1p
5Q9Y79ezt2+vbk8+3v4ytd6vfmnfNsIhYBYZ5aGVTpdyfnb7k733y2xJhAAX
2l8pRMPOPyNM//E13dN//JJGwSAPTPz87PSHl99//2o6bfrW8tcLG0gCn4rz
MbbTipqteAOoTeA/NxLq/8AKKci1deAQZxUhOsU7UAkyUsWUSZjHZM7fvaY/
L88+nJ6eX0+njC/tKc2Ubyffax3NdMh7xI1rHpon+4zuPCIMrEq3LCssjI5x
XbhHgul00pdNS1txsiUXy8nDZNZlPhnutGl3TRu4zMzcN9evX7x4/XI29fOb
W/rF0k/Z65c02N1zS5b/eSCWBChOKKdNKOezq9sjO3K43517GOKcTm3Zk1fj
9MXF8y7eplQumfor+vPq+vTjyXTi9JX9WJerksDwpCV4hJHJ3gsKvW1vXx6P
3sPU5vcniRF/Qvh/wH4vjcky4oYMaznRw9tN2dmt3za221HkomnQKqzGBEuo
tyop8BHo3G/KfEM/BT7qxBXIvwZfGAS7OmW0WT8zMnn+o6zWIlxuvIlsHVZ1
tmtW/b0DIgrf7WzrVwMCzVBXvuts2dvcEcrwnIkl0fQRp00XggrGud80jJhh
kIUuZcOheRdCMwajNXU4owtzv/F0D0KY65Nr8pjn9BiUZqRWy4M9eCVlZ8bv
O6IneKYM6PS5ulQshicnd99zABi/eNoZuuaLzSsahlb/z6FsPda9YFfDODvk
GVlTV3v6HXzWdsOKHlxitdgWTca8SZ5D+OxbMm3x3FoEp7DPRUOj14S1JbEA
ur/29zZv97u+oaC32+yxi87g25B8kO/kG3K+bktDndN+ENgTF+hgtG0JItnZ
wq8o6BfWV53nFS4MUfCbs9OsbRpOGnlrItddWPqw02SSEkCwCpqcGp+WbtiG
WVlntCaKK80ueqywGDWPTaJ25Za+qjAo8iK11YKSDuZpHd1Lj4hot+BNOMg5
Iz9ciGfQBlzdGppYMdCY/s5VA3ke48DCMqqTgQDBNDM+AHRFWYTJLtSfO9kF
E3aB3MrdUX6laJityrbreUUr+razubCtJnpRTyarPZmOvjOdW/keKW1vLz4S
KF5S8rykLa5cTjeVfNIoky13ducIiOWk8T3EFGr2D50Pw8LW7Tq+JcyuqXs5
UOICK43HC0sryfRcq/05A1WvZY4nVvsUAuZnvuyTxqLPls+tJWclR2Q3XCMR
cZSytJiNOhpOqPrtlg5VQ7ib4FM8rE+70UnJoiWYVEtQBUBpBoYGdjPcnDML
G2TxApHbsigISsw3iLJtU8iPBJj3jV02BTAHI0ToR/pvMfa2ucN206LzL3Qo
yeA71zpyPbUKmW5vdH1b73t63lUtmz5J6yOFBuC0O2AFdn7AmT2ZYyPsagJ8
wQqU6wKNWoZlDg+dU8Amb8AEYdt6ipvx0XJ67oly4nSMvIum2Xe+Wi30nGMc
/7WkWEgfiCPhRhZCqsYVWRxuxALdt08j1/ts/Yrm3EdTlkCPTXNvBCVBkCJE
pFPpdC4WmMGZq9iXvrXkKS0ZzVC8LJecadBOFD6vCIc6rAknUJzxi5dFzuMB
z7SUfTUcegj/MT65OTHq8CzYU9GKRllzXlPZKGWQwVW4YXg0EWBdUbQIYQ+L
QM8RmMlNOWSU3WOBtVNmQGP/REmJx1xpOgMOQmfGY7awn5Q0fY4+mBy7NmFe
o0OvYdeao8bjcpTYsB0EVXzgcmtKHyjmkd0plu7KnWfDy7PJysPKAWXJacQf
9iG0KarmfdPCTSPE0LF9dgg5CjJpVhDnt3LbstofKU7TntFwRn9EFODhEsQa
b3DBM/JJXi+RE7MyjGs4MGH2gls0Ij3GxTjNiBcu0QMvtIAOmAGmjcEzQbBa
fD0jXF+XNTu/qpmR7CgcNyvDE8XJ7lb6w3bc4ZJAzfFql65jphoWu1NZrDPP
iFQuB9qad5fXr+KtZUsIQhByNDtxLk6lQuJEh4rmTQfOAAtG/uMpGvUMiOS1
SqM4c6V4SOyIsALXdBBIW4nRhXr82lEop3u91zhFaDthWQisTMm8cIGB9qil
+49xeQsYNTXdAsjkQwPiABwTWAyzF9Yq5/6PUNE6wGzDe0ALGXnJwkZ/WIzw
QUknMfApE2UCFscdePWy6YIjMquFHGA5CVa5hUGqJGyBhwkLITpVy6XjkxBJ
lh0/M1IOxIzajLHCYrx7mgfCKxHUXVMqXbR0MAkdaS1kP8SHJSEfpcMLjAZv
XZNxiD941/PTCuIi/EgbcB+Mu0tXSsOS+3fEJQhFcICw5WIvgc7FxJo41GkF
gckqrxqwwdtPi/3iOyN0mZ7cNlDiQkaC+LfZd5zEeuaxqRvCpm077HCwhAU+
fzgNYjspVRNyWyoTYAy3KQ02f4AGh5GZhHUerKD3/FCwEzJSU3vjE4L5WwSU
cvCTswBvLsfz6PFMPc0BfhADnKZtMXqlq/VMLzNhl2bpN+6ubIZWGGLguPy8
keiWoC/fQLmAnRkgJQdut6UmwXyuEWVR+ejsE5DSJwv5f5BTfP5w9t8fzz+c
vcPnm19O3r+PH+QKQ39cfXyvv+PTeOfp1cXF2eU7uRlkd/bVxcn/PuH1Gsq1
b8+vLk/ePxEaTFteNPnAbgwqBV7gBTsIX5h1IHnpcvJF3jXz9vTafve9/fe/
tazxn//IZxQz6DNOo5iW8zH5E3yP0zSH02gJkOkw7wgwKgREcgviOrWFJwc/
jJNCbiAbQ0GruWfgJMt2dCGr88fmeEIFETdlhxhKusN0XfJ0MpKgncCCHRPs
9BSjTuBiVsZHMbj7QjiMcCaaTRS4MSPsN//AkIHpTwgoZsIRoG2G9SYMwukS
A4exKXQkibusqNal0FNPJ2sTYyD2+i6AHMNVJ9AlR0nsKT+QZ8sxk/gNP6eH
R+gglMqZoukRKPxdmStFEXLU4cgepwjKkLrAEgJujtyNdpuSgyI8HX8yeMqf
zOrpFsnlaYRmicgWSbsYfLadIUXYDa3ADUcZhTJMg+woRi78rmq4lGPpQMAf
q/0krSPPwNM7sSvOOgx6XodQLQQi5ZQhDg11IF+cUIbw/S+yDcqVLm8bsuIj
+lHfOgK0biQtYkcysdzAYoq1SWrswa1zZgy/B4/BG0cRM0gR4fwz5I+hNp0Z
45NE+76hKSxxwHLPcQNUZgqJ5XZXxRy37MKEaZIfooATphPKztCGynU9JyL6
fGFWZI9eGWhwTJpLpKa5D3JW4XsGXR9MrZFLHJ6skSyIZnUzzfjl8IS/NIKr
V8HogMZWVYxNUxXBdfiAANVYQqCZ8VFa0Fd5NRRSHxNxISs5xd6KfKZk69nN
+c0Ref5sNuw2tFv+664q87InV6WMvWMpd8KhgoKRmpzufXajQvUPRxyebn8z
lBKYPqxqBjL7KBec+oB5xAdST3K/MQ9VXbBVjMTqG6PzCv2nqFQR3YnWmE6d
6UdHNCJvxPw4Vq2rux1y7KCSwbgTOhIM9qMm6DQJg4s7u4IEw6Qd0PDNN1oX
jsTH3KbupQmaQAusyE/jO/jMPBBNaAqtEYcDS0C6z5km59xdU90JCaR1jEpF
2ppR7ZVbBx2OkTTBO4I1gljctWqbLXn1kpyKmwCUSshjvPD+ZHWYGZQU+0m6
DgjzALhyvGQyecTniaJpDsQ6JupyzUjQ1dj8zKddjF3YeIcdN2xTAp5k5Twf
bZr4vGAkKDtAhATsVFlRCcPEXa+7e/RAPJEVbKUYG5MhulSIEmLNRsTU1r/B
KUCKB5aieUo9SswBfkrBGeRvE3Gn8g7cl3OJ5d4Qm6LFiSNF0oDERqqcM28a
c61QBVXpcVTkI1hNOINuIwQxtfE4BJ+txLOiSkVhuEACIpF2SWfEQPRQkQK6
mdpR10rxbeQn2UyHqNx+rj81lAh0rMuiGitjiOhEXLvU8Kebwj6sJ9u4FJRh
HLmfUpDRDsFTODET5jrmoiiWGBHTpX7C0vXeJrUFt2zkBFgimnDCiKF/OZLt
0s4SuyY06f/IRrnD7C5o+DLIwrAzax8LObN64nI/3eRF0GO4g4eh1aU6NQ8m
E4FlhLFM6i8i94CRLAJkL5TPMTlk0nFkAgeJNwdspQcvuUAUqjZdzKDS9deG
IlbZ7nn3ZFY8c9kvUEIi1rRk0Z05G02KMkEbNKLn7GWliZjE5xHxgOC/2r/h
/C1KP6g/fKWRqr0eEgNzVW4XaiEhVPGEQwYnRiUPJi92iNCT9ZuQLfKRSC7g
tRFigeMW/YbWG7yDZkzZDcCrCHckhaeFFpdEihc8jnXDpn3KhDrryy1UbzI8
Vi3e93ZS3zHmJ9VzJmFbTsjDFbPUoReBE5mJ9047YeyYirObThqJPi9UO6Dr
jfLHBwp70VMXgs4qaWVQpO58r9QTJNTETPzY1r5UuSIkP7XyfHkEa0EUXOBN
gkS4XA/DtBCms+zi9IrQnuRkJ/Uy0QYDp4RrQfMuWNnPe9koJRvJ+VXsH59B
R7ZpFyIiwzLBGIKJUmqC7yuTSCpxDwFKzNtAsJrFvNyZFvICBQjWjtU+zWLH
QiBn0MmCJDzfjZ1Lzcp8GjudPsf4wY8JMPtIjTU5zibWWI9D7rPmeMl+ir/T
SlVSyEt0QTM3NxYzYfdh/0oQU7o5HFJ9otSeiZpqMoWDFQgEejHD6iam1PCG
CgoEN/FRGJfwsmBwn5T0JlnhrKDn6CSy8ho09boxj4dLMmXhUC0SjS0oS4xa
ZwJYQfX/CUqVdp29DUqVEvnfTcpmEBjyI1oIaqj7Q/1snpn5VTMp0wvFHIV5
ZEULjib8pES3DfkFb1fcRLVnEfP5UP1nLDOCZZE1LogkVKgvIbRywAkx9gs+
0BBDPRJGZKB4vjBqDE45sBuqPmbcyM9UAuG9Cq4YOEiMGgbqmuTAh9iruRI6
oMNmB8PmzVAxqYT2G8xe2Gd4GsUsbBL9kjsYKQjrUjqjSQ3d9H4xdXH0BnAw
1DIcZwiRACrDU6qTLIdZnFiBgizOQtNxZuXEMp/GBr7Pds09Mwp6bAOt1vN3
ytXNRFnuKafdibrVCOQs0vYJJO/VfjEahx3NVGg3m0/UiRxXU7Zde63+w+L0
mVfLreiWiwwOSAl9MwS417KbHPWc1AMTLwhy7mzzRvPJFnZj94DWWSGAoErM
a2NdHRyKTi77HMx12EkwScUD1uiDDGfvqReGjJ7TUxXIE2VIT2/FajqHAOlm
MHwYWsYLVltOcWB8l+KBSC2dhffMV+9SyjCXXUzUA5MAGdoPKBxht4XHRIV1
PK+YM+EtKwdGzl5MS0OtOqgoG/cvChb0tavogZ1QpVTPeyNi2KxKoUrzRPGR
RU4Y0CwpNpr6uoqsIiVzsdnIU2Lb2XsPhW6K8yxVt97H29worr05lBvlF4v/
aRHMpDWNMtOx1LdFHwRLnt4+kxzkKEi6juN7MBQ796hTLICmEUHBxCrKGEYW
Mcrbk+6GehL0aLgH0tFF0nNUF6LqTuMulh2qClDli3/gWD6T5hGdv4rNMCwr
ZXxogdR0irKELjIOj6QzRUfo0lFj3iJTC6PVUq+oGsaQVpXkh5IzxhqbSPi7
hxbsphRP8oNQsZVcSkyBlGjxiClPDuhJl1Zl+C64xRJiXdw6TftG14FMib3O
1ILPNuV6M/pFFPFTpV5Fegln7MsKLPRb0ucw11Anxv4D0j33wdkwBQZ0VTpm
O+In4t7BplRQc1liC4d3xLuZDQP11NK3KGJc201xLiUczk7MdyAjIPBw5yRG
MfMOOhgPfVL+KwJ+LBrGqFA09zWOsh9rMk875SrgxHdNWSQHJuGMDNQq+Z46
OvDZ1RBaUcsxvIasN8X+GIIbLrES7tLRSXpxpOBOREpa5rZN7DVQMGO9rNBt
7SLtEGErqDqUyNMCfU38z4OLlxWac2hAHpbtPY9zaavdmqeg7X9RNKqnhQE6
JeZxZZyTHVp+S6c239tuM/SwN/xwQ1GCy33RzYhqckcHIu0dbEQxOfguJHsB
eOh3OcpTbekox8Q6JWnS+v0DdeO5Kj4rBo2VJlUNeUjEua0eb4qQ0n4tam0g
iay+DeJTqY6Kc2UO+R8zFnJYaXwTw4doK6n3rgJW3TNPRGsAEs+mbrbN0FF0
1DOxdVgA/SpNIRBkme+HZpWF/vnu8saoJNzKyuT7AIy0EAFiWv1QR3VZO1iC
p+bhxY6OO5C3bh+bNlwELLIM0Fx6Bjau4/xorDbcqQiglz+VTaT92fTKMLHn
ys80woPmSDnCoWbMXbRj6MvxLhNXc+A46PZAI6gYbpnwt9av0Z6GPDY2PcTm
URbZ0PyohypAVqinEZguyyI2B5yltYjbWItQRceYT3zwOx/bNyaqKYe5cHiy
Fy/krGtZnE85d7YSHOeNRlPBfTqLoc0J7tdvRLq+K7V9u+OXuTAMNv/551GB
eLD6EtIHXmFs48N+KvHlDuJYeBF1Tmj4DNA4RsQCDTsn+kB5YVXZ9ZKfRDI3
IVOof34l7hfWIO1kQKT5kNOqQbNaoQUv6gMU5jmN0jzC1fkGbe8BDrdALobA
u7Jtap01s/K14lRaS9EDxM2nBsWpBTdbupZ9pkcZmwhkTAVeH3HfwWzCGhHN
ihxvU+N0eH0z8ZkDtuQ+sI2oXrCgQUbe7mK3gj7WbN3XcjtsQXuO2N85LW3J
km4/e3qoAqGgxjL4GOg4470HGZBGjqSUFiOKNnaxbFPtMWAnJ+fN2M5v9Cvs
3yd+CeRz1CD5wakAT79nH0/kAcI4avQOiyLEWeXYxEC/4IdqVDGSC8aMknx7
XgOUTuEDpTt2BtqDPmlsrkrSd6ohYj9UCeGKlTaIqqLI/XZoS2JxW3tamDmt
Bk67w0BCCIJBTychWnlBAg/oseh9re06lHRz/owqMnBaMlzmT5IcI0laEge7
587vR9LpNI0XSXBs1paubtdykk4MA+m0tekr3liHv5/J2QfduvxMfbkqw9vO
6dtVS1qEaieRAvGg0zalbdPhrQzPfRonyUsCEiymqhrPEsdYqykaVdqCm4pN
+o4Be6Mw13U7/k0mWknscPEqfjekDQzAm6Ebph3PWegN5icF3Ew6OJZDWfU2
qN981bEhuHz07QahF/qCQwhRibIQCKAJ9HDSdopIN5YBYVSUYDZCFjyLpfpu
Ti36g+E0LUFdEaAqxuhkVhJMuccWkZSwKAv7G1qNLV5OeYMMFeSIW+W7xSzN
4cBPPDbTVzSkjtpH5Y7wSLuH+WxPZLmw4EjBD6qh0juKuzkc7IVrxADGQyaV
hgfFKOHlLilnLianJ8hQ5AVkxzKGh1RP0w7UAr6DS0GKUMjY4pVUzUEYwFJN
L+dqByJSK+pVgEFJfR94SwbvgmuNVmUr7GRN/ps1q9jsnSOctPUb1mTQn7mO
dXzOASRaZkkATeOknGSOn3O26gVqxiQuOtyUfKzK+Dth3SB7HUeqaCDQftiK
+K+wW/hX2PskQVfdF++rZDHMcEDt+mZnFWlD93qpGb1WRqZ6RAye+nzBD2XX
KluGqQHZfR/0IrwcIWW7ULOO9LeXjlC+bOQChB2hRVwpRUCsW4myhY/iUGLi
kRtwk6WSGmn0FhhM39SQrjmD95/3AVYQkecCFYyla+dMqT3YCbMcirUfNbvA
LtgrMvUKAIHH5GaJMnBDKnrmYZGUNv9veEWg7KSMpLnWyLV4AwBh09fm4gtz
qOmY0KQClWbYRtopeYzaRTMVzqPi6HDoss3WqK0VRpxNTDfHbqxBah+xsBr2
IE3jzG+yzDlVG+0mnhhePnM1IdLYOu8iS5U9ano3ihKzXdOWQ+IZFYg13Q9S
mkE4LlQhikoD1wGqcuXzfV5xqkUW2mrHwdC2UM3QLxvYyXooC64jxh6hDiJ7
eB9iqNngxTwnAuAaAC4tutwyd+eeo7LnTGG0Z805D2e1iY8KtqANR4hs6C96
MFrqSwGKy5Iz5MQZtGeylsIIjT5oaB2lFH3Rij1khGTllGOR0kgZvw+XHgzA
TYLS/ifDqJrotLcOsdbEHN6nYmMI1SMsa+rBJHRb1uWWyQjSAulFoXw0KJTc
AjHqlKpSBqbw6vkrrf3PtDVQ2+nrPkHXfjbe+/3RCOuTgmlyzV+OpBsAUa1L
K36/8UYDrfcyVWOMVleQ+klQw4Lzshm6GOQFu9kkb4Sk6l7TXUuaOgpTRTkI
Tq4HBzt5QbcwEwGeK229gA/H4Kz9HGlfGefJYOW0F+NL6lKRiG+Je25M5Fo9
h9EwthLyiQCvUWzOg3EqxxYml7S/prO7PWhFMPNdGfcqebGwWMw6B5OXH8fq
CVgaXlfRinV4OTguB+mIThgFvaT4UBdGtKLxXRRkOKGBMXWCxYSkMkCqE5v4
IM5wNu4O9OCG3T+saWRiaCvjoD8RKGb1ocTlxz4wsmnnCWaJsHaaPlSoteyz
sTU0eSc7lkJCm4xJ37VOGiwO3vb87bd0x7dOsWLY4R7/QkTJESF5cfcwIV3u
TfriblAh5f0peajISfoGx2IsdLCWVfieIFRFR91Cfg9DWvGVuEWqjLSLLAl6
HVZEG/QPMAPVBmjuBmWCaqGHO75OY+PrNPGlCCUBOQvgtK7QTaMJtdm5Nrww
vUVludXugCQd5Lz5/OTy5OGcOWaNoizKlZEJqqQWc3DLDeCTvFxfL0z+YQgQ
Z7waw2EhKigzVar1a0AHGrS2viid6ffqulCFQ5erXMXpORYWEBnXCmyhKJsx
DpuxH7dbxAYW/JNgn8UEoc9Dwv8Ny8Yz4SA0KSkiqK78pea21sn9XXwC/v0x
esKtvGZG/z14tXB+pxb2mQoHhXxUOU7qFH5mN+N6tmrS6ZK8ARh7ewxiRdwH
5dtZlDrjvy0Q+A23C3qWDVybcfcTNxhXZiotSJJLZvL80n0gDrEDn/gKPjGJ
+Eb+rRpgWdNynR2aMEB9IsHqa9i+yGItJbSGwf8SncQ8ppPMwkO+X0J7UC4W
32UfMyszyrqHbe8xUP+oNGB0sVDLN5M2wRhCHikfTSXNW34JAFOJ2aS8Qwl8
9OreIqDQbP3TLmDqm4ha+t4+BVUowRoEA7d7wKP+D1/YndmFUQAA

-->

</rfc>

