<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ritz-seat-proxies-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SEAT Proxies">Bridging Remote Attestation with Secure Channel Protocol Proxies</title>
    <seriesInfo name="Internet-Draft" value="draft-ritz-seat-proxies-00"/>
    <author fullname="Nathanael Ritz">
      <organization>Independent</organization>
      <address>
        <email>ietf@nritz.com</email>
      </address>
    </author>
    <author fullname="Ionuț Mihalcea">
      <organization>ARM</organization>
      <address>
        <email>ionut.mihalcea@arm.com</email>
      </address>
    </author>
    <author fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <area>Security</area>
    <workgroup>Secure Evidence and Attestation Transport</workgroup>
    <keyword>remote attestation</keyword>
    <keyword>TLS-terminating proxy</keyword>
    <keyword>HPKE</keyword>
    <keyword>extended key update</keyword>
    <keyword>CMW</keyword>
    <keyword>RATS Privacy Framework</keyword>
    <abstract>
      <?line 58?>

<t>This document specifies a transport-layer mechanism to establish an
end-to-end cryptographic channel across a cooperative secure channel
protocol intermediary, such as a TLS-terminating proxy.</t>
      <t>The mechanism enables Remote Attestation Evidence to remain bound to the
true end-to-end endpoints even when the initial secure channel handshake
is mediated by an intermediary.  It uses an ephemeral HPKE challenge
exchange, intra-handshake Evidence delivery, and an attestation-bound key
update to evict the intermediary from Layer 7 visibility before
application data is exchanged.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Secure Evidence and Attestation Transport Working Group mailing list (seat@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/seat"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/telephonicrobotics/seat-proxies"/>.</t>
    </note>
  </front>
  <middle>
    <?line 71?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document operates within the Remote ATtestation procedureS
(RATS) architecture <xref target="RFC9334"/> and addresses a specific deployment
constraint: the presence of a TLS-terminating intermediary in the
path between a RATS Attester and its Relying Party.</t>
      <t>A prominent class of deployments where this condition fails is the
enterprise environment.  Organizations deploying MDM-enrolled,
enterprise-controlled devices routinely route device-to-service
traffic through TLS-terminating infrastructure -- corporate reverse
proxies, API gateways, mobile device management policy enforcement
points, and enterprise web application firewalls.  In these
environments, the device holds a TLS connection to enterprise-managed
infrastructure, not to the remote attested origin with which it
ultimately communicates.</t>
      <t>Major platform vendors, including cloud productivity and device
management providers, regularly publish lists of endpoints for which
TLS inspection must be disabled, sometimes referred to as compliance
modes.  These exclusions are necessary to prevent the intermediary
from interfering with the trust mechanisms those endpoints depend on.
These existing modes provide an opportunity to integrate Remote
Attestation, replacing "administrative trust" with cryptographic proof
that an intermediary is not party to sensitive application data.</t>
      <t>When a TLS-terminating intermediary is present, the client
establishes a TLS connection to the intermediary, and the
intermediary establishes a separate connection to the origin.  The
two connections have independent handshake transcripts.  Intra-
handshake attestation protocols that cryptographically bind Evidence
to the connection transcript are therefore binding to the client-to-
intermediary connection, not to the connection to the origin.  Any
attestation produced by the origin references a different
cryptographic context than the one the client holds.  The end-to-end
binding on which transport-layer attestation depends is severed at
the proxy boundary.</t>
      <t>This document defines a cryptographic transport and proxy eviction
mechanism. It does not define attestation Evidence profiles, claim
formats, or identity document structures.</t>
      <t>The mechanism establishes binding for both intra-handshake attestation
(for example, Early Attestation
<xref target="I-D.fossati-seat-early-attestation"/>) and post-handshake attestation
(for example, EXPAT <xref target="I-D.fossati-seat-expat"/>).</t>
      <t>These are named as examples; the mechanism is agnostic to the specific
attestation protocol. For intra-handshake Evidence delivery, this
document uses the <tt>attestation</tt> extension defined in
<xref target="I-D.fossati-seat-early-attestation"/>.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses the following terms.</t>
      <dl>
        <dt>Cooperative intermediary:</dt>
        <dd>
          <t>A TLS-terminating proxy that forwards the signalling defined in this
document during connection establishment and that honours the
transition to Layer 4 forwarding upon key rotation.  A cooperative
intermediary is not part of the origin's Trusted Computing Base.</t>
        </dd>
        <dt>Client (Relying Party, RP):</dt>
        <dd>
          <t>The endpoint that verifies the origin's attested properties.</t>
        </dd>
        <dt>Origin (Attesting Server):</dt>
        <dd>
          <t>The endpoint whose attested properties the client wishes to verify,
reachable only through one or more intermediaries.</t>
        </dd>
        <dt>Ephemeral KEM key pair (skE / pkE):</dt>
        <dd>
          <t>A Key Encapsulation Mechanism key pair generated fresh by the client
for a single session and never reused, used as the recipient key for
HPKE Base Mode (Mode 0) <xref target="RFC9180"/> operations.</t>
        </dd>
        <dt>Origin KEM key (pkR):</dt>
        <dd>
          <t>The origin's KEM public key, distributed in an Identity Document and
authenticated by the client prior to the handshake as described in the
Origin Key Provisioning section.</t>
        </dd>
        <dt>Identity Document:</dt>
        <dd>
          <t>A signed document such as an EAT Attestation Result (EAR)
<xref target="I-D.ietf-rats-ear"/>.  The Identity Document carries pkR.  The signature
provides a self-contained integrity guarantee, allowing the document
to be fetched over untrusted channels.</t>
        </dd>
        <dt>Challenge nonces (cnC, cnR):</dt>
        <dd>
          <t>Ephemeral random values exchanged between client and origin under
HPKE. cnC is generated by the client and sealed to pkR; cnR is
generated by the origin and sealed to pkE.</t>
        </dd>
        <dt>psk_attest:</dt>
        <dd>
          <t>A symmetric secret derived from cnC and cnR.  It is injected into
the Extended Key Update key schedule to rotate traffic keys, evicting
the intermediary from the session.</t>
        </dd>
        <dt>Attestation Binder:</dt>
        <dd>
          <t>The cryptographic value bound into the attestation Evidence,
ensuring per-session freshness and end-to-end connection binding. In
this document, it is derived from the ephemeral KEM public keys
exchanged during the HPKE challenge, replacing the severed TLS
transcript hash as the session anchor.</t>
        </dd>
      </dl>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>A TLS-terminating intermediary severs the RA+TLS channel binding on
which attestation depends, regardless of when attestation occurs.  Major
platform vendors already define endpoint sets for which TLS inspection
must be disabled in order to preserve endpoint-specific trust
properties.  This document reuses that operational pattern and replaces
administrative exclusion with a cryptographic mechanism: the proxy
cooperates during handshake-time signalling, forwards encrypted
Evidence without decrypting it, and is then mechanically evicted from
Layer 7 visibility by an attestation-bound key update.</t>
      <t>The mechanism is designed against the trust-boundary requirements
identified for proxy-fronted attested channels. An implementation
conforming to this document:</t>
      <ol spacing="normal" type="1"><li>
          <t><bcp14>MUST</bcp14> establish a channel identity that is cryptographically bound
to the attested origin endpoint even though connection
establishment traverses a TLS-terminating intermediary.</t>
        </li>
        <li>
          <t><bcp14>MUST</bcp14> use object-layer encryption for Evidence payloads to maintain
confidentiality from the Layer 7 intermediary.</t>
        </li>
      </ol>
      <section anchor="architectural-advantages">
        <name>Architectural Advantages</name>
        <t><strong>No nested encryption.</strong>  Post-eviction, application data flows over
standard TLS traffic keys on the origin-bound channel.  No outer tunnel
wraps an inner tunnel; the attested connection carries application data
without additional encapsulation overhead.</t>
        <t><strong>Broad deployment without per-application modification.</strong>  Attestation
is handled at the proxy and TLS library layer.  Every application
communicating through a cooperative intermediary receives attestation
coverage without modification, extending equally to legacy and modern
software in the same estate.</t>
        <t><strong>Evidence privacy.</strong>  Evidence is encrypted independently of the TLS
session using object-level encryption.  The privacy motivation for
object-level protection in RATS deployments is discussed in
<xref target="I-D.ounsworth-rats-privacy-framework"/>.  The cooperative intermediary
can read plaintext CMW routing headers but cannot access the Evidence
payload, maintaining confidentiality of an Attester's measurements from
infrastructure outside the broader network of trust.</t>
      </section>
      <section anchor="state-machine">
        <name>State Machine</name>
        <t>A session proceeds through the following states:</t>
        <figure>
          <name>Session state transitions</name>
          <artwork><![CDATA[
L7 Proxy Negotiation   Client and origin exchange HPKE-sealed
       |               challenge nonces via nonce_challenge_ext;
       |               the intermediary forwards the signalling
       |               at Layer 7 and retains termination.
       v
Intra-HS Attestation   End-to-end Evidence delivery via the
       |               early-attestation TLS extension. Evidence
       |               is wrapped in a CMW and COSE_Encrypt0.
       |               The Proxy reads CMW headers and routes.
       v
Handshake Complete     Standard TLS 1.3 handshake completes.
       |
       v
EKU Key Rotation       Immediately upon Finished, the client
       |               initiates the Extended Key Update. This
       |               step is unconditional and blind.
       v
Proxy Eviction / L4    The intermediary cannot derive the
       |               rotated keys and steps down to Layer 4
       |               transparent forwarding.
       v
Application Data       Application data flows over the E2E
                       encrypted channel.
]]></artwork>
        </figure>
      </section>
      <section anchor="proxy-handshake-behavior">
        <name>Proxy Handshake Behavior</name>
        <t>The following diagram and algorithm define the complete behavior of a
cooperative intermediary executing a proxy-traversal session under the
Background Check Model.  The diagram borrows the message notation of
<xref target="I-D.fossati-seat-early-attestation"/> Figure 5; content fully specified
by that document is shown as <tt>...</tt>.  In the diagram, <tt>[EA §6
extensions]</tt> denotes the attestation negotiation extensions defined in
Section 6 of
<xref target="I-D.fossati-seat-early-attestation"/>.</t>
        <figure>
          <name>Proxy handshake message flow (Background Check Model)</name>
          <artwork><![CDATA[
Relying Party            TLS Proxy              Attesting Server
     |                       |                         |
     | ClientHello           |                         |
     | + nonce_challenge_ext |                         |
     |     (pkE, ctC)        |                         |
     |---------------------->| [DETECT]                |
     |                       | ClientHello             |
     |                       | + nonce_challenge_ext   |
     |                       |     (pkE, ctC) [fwd]    |
     |                       |------------------------>|
     |                       |                         |
     |<======= ServerHello, both legs ================>|
     |                       |                         |
     |                       | {EncryptedExtensions}   |
     |                       | + nonce_challenge_ext   |
     |                       |       (ctR)             |
     |                       |<------------------------|
     | {EncryptedExtensions} |                         |
     | + nonce_challenge_ext |                         |
     |       (ctR) [relayed] |                         |
     |<----------------------|                         |
     |                       | {Certificate*}          |
     |                       | + attestation*          |
     |                       |<------------------------|
     | {Certificate*}        |                         |
     | + attestation*        |                         |
     |   [cmw routed]        |                         |
     |<----------------------|                         |
     |                       |                         |
     |<===== {CertVerify*} + {Finished}, both legs ===>|
     |                       | [ARMED]                 |
     | {Certificate*}        |                         |
     | + attestation*        |                         |
     |---------------------->|                         |
     |                       | {Certificate*}          |
     |                       | + attestation*          |
     |                       |   [cmw routed]          |
     |                       |------------------------>|
     |<===== {CertVerify*} + {Finished}, both legs ===>|
     |                       |                         |
     | ExtendedKeyUpdate     |                         |
     | [psk_attest]          |                         |
     |---------------------->| [TRIGGERED]             |
     |                       | ExtendedKeyUpdate       |
     |                       |   [fwd, Buffer Drain]   |
     |                       |------------------------>|
     |                       |                         |
     |   [Application Data -- end-to-end encrypted]    |
     |<===============================================>|
     |         (proxy: opaque L4 forwarder)            |

]]></artwork>
        </figure>
        <t>The proxy <bcp14>MUST</bcp14> execute the following steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Receive ClientHello from the RP.  If the ClientHello contains an
<tt>nonce_challenge_ext</tt> extension alongside one or more of the
attestation negotiation extensions defined in Section 6 of
<xref target="I-D.fossati-seat-early-attestation"/>, enter DETECT state.
Otherwise, process as a standard TLS connection.</t>
          </li>
          <li>
            <t>Initiate the Leg B connection to the Attesting Server.
Construct a ClientHello carrying all negotiation extensions from the
RP's ClientHello. The <tt>nonce_challenge_ext</tt> extension <bcp14>MUST</bcp14> be
forwarded with <tt>pkE</tt> and <tt>ctC</tt> unchanged.</t>
          </li>
          <li>
            <t>Relay the ServerHello received from the Attesting Server to the
RP without modification.</t>
          </li>
          <li>
            <t>Relay the <tt>EncryptedExtensions</tt> received from the Attesting
Server to the RP.  The <tt>nonce_challenge_ext</tt> extension carrying
<tt>ctR</tt> <bcp14>MUST</bcp14> be forwarded unchanged.</t>
          </li>
          <li>
            <t>Receive the <tt>Certificate</tt> message from the Attesting Server.
Inspect the plaintext CMW <tt>ind</tt> header of the <tt>cmw_payload</tt> carried
in the <tt>attestation</tt> extension to determine routing.  Forward the
<tt>cmw_payload</tt> to the RP without decrypting the Evidence payload.</t>
          </li>
          <li>
            <t>Relay <tt>CertificateVerify</tt> and <tt>Finished</tt> from the Attesting
Server to the RP.  Enter ARMED state.</t>
          </li>
          <li>
            <t>Receive the <tt>Certificate</tt> message from the RP.  Inspect the
plaintext CMW <tt>ind</tt> header and route the <tt>cmw_payload</tt> to the
Attesting Server.  The Evidence payload <bcp14>MUST NOT</bcp14> be decrypted.</t>
          </li>
          <li>
            <t>Relay <tt>CertificateVerify</tt> and <tt>Finished</tt> from the RP to the
Attesting Server.</t>
          </li>
          <li>
            <t>Receive <tt>ExtendedKeyUpdate</tt> from the RP.  Enter TRIGGERED state.
Forward the <tt>ExtendedKeyUpdate</tt> to the Attesting Server.  Execute
the Buffer Drain procedure defined below.  Activate Layer 4
transparent forwarding for all subsequent records on both
connections.</t>
          </li>
        </ol>
      </section>
      <section anchor="mechanical-eviction">
        <name>Mechanical Eviction</name>
        <t>Before the key update, the intermediary holds the application traffic
keys of the terminated connection and can read and rewrite application
records at Layer 7.  After the key update, the live traffic keys are
derived from <tt>main_secret_N+1</tt>, which is a function of <tt>combined_ikm</tt>
and therefore of <tt>psk_attest</tt>.  An entity that cannot derive <tt>cnR</tt>
cannot derive <tt>psk_attest</tt>, cannot compute <tt>main_secret_N+1</tt>, and cannot
derive any traffic key from it.</t>
        <t>The DETECT, ARMED, and TRIGGERED state transitions governing eviction
are defined in the Proxy Handshake Behavior section.</t>
        <dl>
          <dt>Buffer Drain:</dt>
          <dd>
            <t>Before activating Layer 4 forwarding, the intermediary <bcp14>MUST</bcp14> complete
the following steps in the order given:
</t>
            <ol spacing="normal" type="1"><li>
                <t>The intermediary <bcp14>MUST</bcp14> cease reading from both the client-facing
and origin-facing transport connections.</t>
              </li>
              <li>
                <t>Any bytes received from the client-facing connection that have
been buffered beyond the final Extended Key Update record boundary
<bcp14>MUST</bcp14> be written to the origin-facing connection in order, without
modification or decryption.</t>
              </li>
              <li>
                <t>Any bytes received from the origin-facing connection that have
been buffered beyond the final Extended Key Update record boundary
<bcp14>MUST</bcp14> be written to the client-facing connection in order, without
modification or decryption.</t>
              </li>
              <li>
                <t>Only upon confirming that both transport directions have been
fully drained <bcp14>MUST</bcp14> the intermediary activate Layer 4 transparent
forwarding for all subsequent records on both flows of that
session.</t>
              </li>
            </ol>
            <t>The intermediary <bcp14>MUST NOT</bcp14> activate Layer 4 forwarding before
completing steps 1 through 4.  Bytes forwarded in steps 2 and 3 are
post-rotation ciphertext that the intermediary cannot decrypt; they
<bcp14>MUST</bcp14> be treated as opaque octets.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="the-ephemeral-hpke-challenge-exchange">
      <name>The Ephemeral HPKE Challenge Exchange</name>
      <t>The challenge exchange is carried in a single TLS extension,
<tt>nonce_challenge_ext</tt>, which appears with distinct contents in the
ClientHello and in the EncryptedExtensions.  Its presence is the
capability signal for this mechanism; an intermediary that does not
recognise it forwards it unmodified, and an origin that does not support
it omits the EncryptedExtensions variant.</t>
      <section anchor="origin-key-provisioning">
        <name>Origin Key Provisioning</name>
        <t>Before initiating the handshake, the client <bcp14>MUST</bcp14> obtain and
authenticate the origin's KEM public key <tt>pkR</tt>.  Clients <bcp14>MUST</bcp14>
maintain a trust anchor store from which the Identity Document can be
authenticated; trust anchors <bcp14>MAY</bcp14> be self-signed certificates, raw
public keys, or JWK keys <xref target="RFC7517"/>.  The details of trust anchor
maintenance and path validation are outside the scope of this document.</t>
        <t><tt>pkR</tt> is distributed in an Identity Document, such as an EAR
<xref target="I-D.ietf-rats-ear"/> whose <tt>ear_managed_keysets</tt> claim carries <tt>pkR</tt>
as a JWK <xref target="RFC7517"/> with <tt>key_ops</tt> set to <tt>["encrypt"]</tt>, under the
keyset name <tt>"hpke-kem-key"</tt>.  Because the EAR's Verifier signature
provides a self-contained integrity guarantee, the fetch <bcp14>MAY</bcp14> occur
over untrusted channels.</t>
        <t>The client <bcp14>MUST</bcp14> verify the EAR signature against its trust anchor
store and extract <tt>pkR</tt> from the <tt>"hpke-kem-key"</tt> entry of
<tt>ear_managed_keysets</tt> before proceeding with ClientHello processing.</t>
      </section>
      <section anchor="clienthello-processing">
        <name>ClientHello Processing</name>
        <t>Prior to the handshake the client obtains <tt>pkR</tt> as described in the
Origin Key Provisioning section above.  The client generates a fresh,
single-use ephemeral KEM key pair (<tt>skE</tt>, <tt>pkE</tt>), generates a random
challenge nonce <tt>cnC</tt>, and seals it to the origin using HPKE Base Mode
(Mode 0) as defined in Section 5.1 of <xref target="RFC9180"/>.</t>
        <artwork><![CDATA[
aad_ct = Hash(pkR || ClientHello.random || NegotiationOffer)

/* HPKE Base Mode (RFC 9180, Section 5.1) */
ctC = HPKE-Base-Seal(pkR, aad_ct, cnC)
]]></artwork>
        <t>The client places <tt>pkE</tt> and <tt>ctC</tt> in the <tt>nonce_challenge_ext</tt>
extension of the ClientHello.  <tt>aad_ct</tt> binds the ciphertext to the
target origin's KEM key, the client's fresh random, and the negotiated
key-exchange parameters, so the ciphertext cannot be replayed to a
different origin or across sessions.</t>
        <t>The intermediary forwards the ClientHello to the origin.  Because the
intermediary does not hold <tt>skR</tt>, it cannot recover <tt>cnC</tt>.</t>
      </section>
      <section anchor="encryptedextensions-processing">
        <name>EncryptedExtensions Processing</name>
        <t>The origin recovers the nonce by decapsulation using HPKE Base Mode:</t>
        <artwork><![CDATA[
aad_ct = Hash(pkR || ClientHello.random || NegotiationOffer)

/* HPKE Base Mode (RFC 9180, Section 5.1) */
cnC = HPKE-Base-Open(skR, aad_ct, ctC)
]]></artwork>
        <t>Successful opening proves the origin's possession of <tt>skR</tt>.  The
origin generates its counter-challenge <tt>cnR</tt> and seals it to the
client's ephemeral key, again using HPKE Base Mode:</t>
        <artwork><![CDATA[
aad_ee = Hash(cnC)

/* HPKE Base Mode (RFC 9180, Section 5.1) */
ctR = HPKE-Base-Seal(pkE, aad_ee, cnR)
]]></artwork>
        <t>The origin returns <tt>ctR</tt> in the <tt>nonce_challenge_ext</tt> extension of the
EncryptedExtensions. The client recovers <tt>cnR</tt>:</t>
        <artwork><![CDATA[
aad_ee = Hash(cnC)

/* HPKE Base Mode (RFC 9180, Section 5.1) */
cnR = HPKE-Base-Open(skE, aad_ee, ctR)
]]></artwork>
        <t>Only the holder of <tt>skE</tt> -- the client -- can recover <tt>cnR</tt>.</t>
      </section>
      <section anchor="derivation-of-pskattest-and-attestation-binder">
        <name>Derivation of psk_attest and Attestation Binder</name>
        <t>Both endpoints now hold both nonces.  The end-to-end Attestation Binder
is derived from the ephemeral KEM public keys exchanged during the HPKE
challenge:</t>
        <artwork><![CDATA[
c_attest_binder = HKDF-Expand-Label(0, "attestation",
                    Hash(TLS_Client_Public_Key || pkR), Hash.length)
s_attest_binder = HKDF-Expand-Label(0, "attestation",
                    Hash(TLS_Server_Public_Key || pkE), Hash.length)
]]></artwork>
        <t><tt>Hash</tt> is the hash of the negotiated TLS 1.3 cipher suite.</t>
        <t>By incorporating the respective ephemeral KEM public key into the
context hash, the Attestation Binder locks the resulting Evidence to the
specific HPKE parameters used to traverse the proxy, binding the
Evidence to the true end-to-end participants and replacing the severed
proxy transcript.</t>
      </section>
    </section>
    <section anchor="intra-handshake-evidence-delivery">
      <name>Intra-Handshake Evidence Delivery</name>
      <t>Evidence is delivered during the TLS handshake via the <tt>attestation</tt>
extension in the <tt>Certificate</tt> message, as defined in
<xref target="I-D.fossati-seat-early-attestation"/>. However, to ensure the
cooperative intermediary can route the evidence without violating the
confidentiality of the workload, the payload <bcp14>MUST</bcp14> be structured as
follows:</t>
      <ol spacing="normal" type="1"><li>
          <t>Evidence Generation: The Attester generates its Evidence (e.g.,
an EAT) and binds it to the session by placing <tt>rdata</tt> in the
<tt>eat_nonce</tt> claim, where <tt>rdata</tt> is computed as:  </t>
          <artwork><![CDATA[
rdata = Hash(s_attest_binder || psk_attest)
]]></artwork>
          <t>
This commits the signed Evidence to both the KEM public keys (via
<tt>s_attest_binder</tt>) and the dual-nonce session secret (via
<tt>psk_attest</tt>), ensuring the quote is bound to the full end-to-end
exchange.  To cryptographically commit to the proxy-traversing HPKE
exchange and prevent the TEE from acting as a blind signing oracle,
the Evidence <bcp14>MUST</bcp14> explicitly include the public parameters of the
origin KEM key (<tt>pkR</tt>) within the standardized <tt>cnf</tt> claim.</t>
        </li>
        <li>
          <t>Object-Level Encryption: To preserve confidentiality from the
terminating intermediary, the Evidence <bcp14>MUST</bcp14> be encrypted to the
public key of the receiving endpoint, for example using
<tt>COSE_Encrypt0</tt>.  This follows the object-level confidentiality
architecture discussed in <xref target="I-D.ounsworth-rats-privacy-framework"/>.</t>
        </li>
        <li>
          <t>CMW Encapsulation: The encrypted envelope is placed inside a
Conceptual Message Wrapper (CMW) Record <xref target="I-D.ietf-rats-msg-wrap"/>.
The outer CMW headers (such as the <tt>ind</tt> field indicating Evidence)
remain in plaintext.</t>
        </li>
      </ol>
      <t>Because the cooperative intermediary terminates TLS, it generates its
own <tt>Certificate</tt> message for the backend connection to the origin and
<bcp14>MUST</bcp14> actively move the <tt>attestation</tt> extension between the two
connections.  Adapting the routing role of the Lead Verifier
<xref target="I-D.ietf-rats-multi-verifier"/> to a zero-trust posture, the
intermediary acts only as a router and never as a Verifier: it <bcp14>MUST
NOT</bcp14> decrypt, decode, or appraise the inner Evidence.  The complete
routing procedure is defined in the Proxy Handshake Behavior section,
steps 5 and 7.</t>
    </section>
    <section anchor="key-schedule-integration-and-proxy-eviction">
      <name>Key Schedule Integration and Proxy Eviction</name>
      <t>Immediately upon completion of the TLS handshake, the client initiates
an Extended Key Update <xref target="I-D.ietf-tls-extended-key-update"/> that injects
<tt>psk_attest</tt> into the key schedule.  This rotates the application
traffic keys to values that incorporate attestation-derived keying
material inaccessible to the intermediary.</t>
      <section anchor="psk-injected-key-derivation">
        <name>PSK-Injected Key Derivation</name>
        <t>The Extended Key Update performs a fresh (EC)DHE (or KEM) exchange
yielding the shared secret <tt>eku_dh_shared</tt>.  In the standard EKU key
schedule, <tt>Derive-Secret(main_secret_N, "derived", "")</tt> serves as the
<tt>HKDF-Extract</tt> salt, chaining the new secret to the prior session
state.  Because the proxy terminated the original TLS connection, the
client and origin do not share a common <tt>main_secret_N</tt>; applying that
derivation would produce mismatched keys at the two endpoints.</t>
        <t>This document therefore mandates a key schedule reset: the
<tt>HKDF-Extract</tt> salt <bcp14>MUST</bcp14> be set to 0, severing the chain to the
proxy-terminated session, and the input keying material <bcp14>MUST</bcp14> be the
concatenation of <tt>eku_dh_shared</tt> and <tt>psk_attest</tt>.  A zero salt
instructs the key schedule to treat this rotation as a fresh derivation
anchored entirely in <tt>combined_ikm</tt>, analogous to how TLS 1.3 derives
its Early Secret from a PSK with no prior session state.</t>
        <figure>
          <name>Key Derivation Hierarchy with Key Schedule Reset</name>
          <artwork><![CDATA[
combined_ikm = eku_dh_shared || psk_attest

                0 (zero-length salt)
                |
                v
combined_ikm -> HKDF-Extract = main_secret_N+1
                |
                +-----> Derive-Secret(., "c ap traffic",
                |                     transcript_hash_N+1)
                |             = client_application_traffic_secret_N+1
                |
                +-----> Derive-Secret(., "s ap traffic",
                |                     transcript_hash_N+1)
                |             = server_application_traffic_secret_N+1
                |
                +-----> Derive-Secret(., "exp master",
                |                     transcript_hash_N+1)
                              = exporter_secret_N+1
]]></artwork>
        </figure>
      </section>
      <section anchor="post-handshake-re-attestation">
        <name>Post-Handshake Re-Attestation</name>
        <t>After eviction the client and origin share a common <tt>main_secret_N+1</tt>
and the connection is an ordinary end-to-end TLS session.  Any
subsequent Extended Key Update is therefore a normal end-to-end
exchange: the proxy is already a Layer 4 forwarder and plays no
cryptographic role, so the key schedule reset used at eviction does not
apply and standard EKU chaining <xref target="I-D.ietf-tls-extended-key-update"/> is
used.</t>
        <t>Each such rotation produces a fresh <tt>transcript_hash_N+1</tt> and a
fresh <tt>exporter_secret_N+1</tt>, suitable for anchoring a new round of
attestation: an intra-handshake-style mechanism re-anchors to the
transcript, and a post-handshake-style mechanism re-anchors to the
exporter.</t>
        <t>For example, EXPAT <xref target="I-D.fossati-seat-expat"/> performs its initial
attestation immediately after the handshake completes and re-attests by
initiating a fresh Exported Authenticator exchange.  This mechanism
aligns its Extended Key Update to that same post-handshake instant; the
resulting <tt>exporter_secret_N+1</tt> is the end-to-end exporter the EXPAT
binder consumes, which the evicted intermediary cannot reproduce.  No
element of the post-handshake protocol is otherwise modified.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The adversary of concern is a TLS-terminating intermediary that attempts
to retain unauthorised Layer 7 visibility after the point at which it is
expected to step down to Layer 4 forwarding, or attempts to read
sensitive Evidence payloads.</t>
      <section anchor="key-separation">
        <name>Key Separation</name>
        <t>The mechanism relies on the separation between the key-encapsulation
role (the KEM key pair) and the TLS identity/authentication role.  The
ephemeral <tt>skE</tt> is generated by the client, never transmitted, and
never reused.  An intermediary that terminates TLS observes every
plaintext handshake message, including the EncryptedExtensions carrying
<tt>ctR</tt>, yet cannot open <tt>ctR</tt> without <tt>skE</tt>.</t>
      </section>
      <section anchor="transcript-and-replay-binding">
        <name>Transcript and Replay Binding</name>
        <t>Because the TLS-terminating intermediary breaks the native TLS
transcript hash by terminating the connection, the end-to-end
Attestation Binder is derived from the out-of-band HPKE exchange
instead.  <tt>aad_ct</tt> binds <tt>ctC</tt> to <tt>pkR</tt>, the ClientHello random, and the
negotiated parameters, preventing replay to a different origin or
session.  <tt>aad_ee</tt> is <tt>Hash(cnC)</tt>: because <tt>cnC</tt> was HPKE-sealed to
<tt>pkR</tt> and is never transmitted in the clear, the intermediary cannot
observe it, making <tt>aad_ee</tt> opaque to the proxy despite the severed
transcript.  An adversary cannot transfer either ciphertext to a
different origin or a different handshake.</t>
      </section>
      <section anchor="object-level-confidentiality">
        <name>Object-Level Confidentiality</name>
        <t>Because the proxy terminates TLS, the <tt>Certificate</tt> message is visible
to the proxy in plaintext.  The confidentiality of the Attester's
Evidence relies entirely on the object-level encryption (e.g.,
<tt>COSE_Encrypt0</tt>) applied to the Evidence payload.  The proxy can only
view the unencrypted outer CMW routing headers.  This confidentiality
guarantee is independent of transport security: the Evidence payload
remains confidential from the intermediary regardless of whether it is
cooperative or hostile, because confidentiality is a property of the
object, not the channel.  The privacy architecture motivating this
object-level protection is discussed in
<xref target="I-D.ounsworth-rats-privacy-framework"/>.</t>
      </section>
      <section anchor="non-cooperative-and-malicious-intermediaries">
        <name>Non-cooperative and Malicious Intermediaries</name>
        <t>A non-cooperative intermediary that suppresses the <tt>nonce_challenge_ext</tt>
extension or refuses the Extended Key Update eviction trigger cannot
derive post-rotation traffic keys.  The session terminates rather than
continuing on a compromised channel, providing fail-secure behaviour
against both misconfigured and malicious intermediaries without
requiring explicit detection of adversarial intent.</t>
      </section>
      <section anchor="interaction-with-post-handshake-attestation">
        <name>Interaction with Post-Handshake Attestation</name>
        <t>Intra-handshake Evidence delivery and the Extended Key Update complete
before any post-handshake protocol window opens.  For mechanisms such as
EXPAT <xref target="I-D.fossati-seat-expat"/> that depend on an end-to-end channel,
this ordering structurally closes the race condition that arises when
Exported Authenticators operate over a proxy-terminated session.</t>
        <t>Section 5.2.2 of <xref target="RFC9261"/> explicitly states that if the party
generating an Exported Authenticator does so on a different connection
than the party validating it -- including situations in which
application data is sent via a TLS-terminating proxy -- the Handshake
Context will not match and the CertificateVerify will not validate.</t>
        <t>The <tt>tls-exporter</tt> binding defined in <xref target="RFC9266"/> is unique to each
TLS connection; a terminating proxy creates two independent sessions
with independent EKM values, producing exactly this condition.  EXPAT
<xref target="I-D.fossati-seat-expat"/>, which builds on Exported Authenticators,
therefore cannot function across a TLS-terminating proxy without the
end-to-end channel this document restores.  The mechanism defined here
is a prerequisite for EXPAT to function in proxy-fronted deployments.</t>
      </section>
      <section anchor="key-substitution-and-oracle-protection">
        <name>Key Substitution and Oracle Protection</name>
        <t>Key binding to an attested execution environment is a complementary
concern addressed by <xref target="I-D.reddy-rats-key-binding"/>.</t>
        <t>In proxy-fronted topologies, the TLS handshake is terminated by the
intermediary, removing the standard transport-layer proofs of
possession. If the origin TEE signs an Attestation Binder provided by
the untrusted host OS without cryptographically committing to the key
exchange material, an active attacker could execute the HPKE challenge
exchange themselves and use the TEE as a blind signing oracle, producing
valid-looking Evidence bound to attacker-controlled KEM parameters.</t>
        <t>To mitigate this, the Evidence <bcp14>MUST</bcp14> explicitly carry the public
parameters of the key that executed the HPKE decapsulation (pkR)
using the EAT cnf claim. By enforcing this parameter-by-parameter
match, the protocol guarantees that the private component of the
key executing the HPKE exchange is physically confined within the exact
execution context being attested, wholly mitigating key substitution.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to register the following entry in the "TLS
ExtensionType Values" registry <xref target="RFC8446"/>:</t>
      <table>
        <name>Requested TLS ExtensionType registration</name>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Extension Name</th>
            <th align="left">TLS 1.3</th>
            <th align="left">DTLS-Only</th>
            <th align="left">Recommended</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">TBD1</td>
            <td align="left">nonce_challenge_ext</td>
            <td align="left">CH, EE</td>
            <td align="left">N</td>
            <td align="left">Y</td>
          </tr>
        </tbody>
      </table>
      <t>The <tt>nonce_challenge_ext</tt> extension is permitted in the ClientHello (CH)
and in the EncryptedExtensions (EE); its contents differ per message as
defined in this document.  Its presence in EncryptedExtensions is
conditional on its presence in the corresponding ClientHello.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC7517">
          <front>
            <title>JSON Web Key (JWK)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7517"/>
          <seriesInfo name="DOI" value="10.17487/RFC7517"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9180">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="I-D.ietf-tls-extended-key-update">
          <front>
            <title>Extended Key Update for Transport Layer Security (TLS) 1.3</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>Siemens</organization>
            </author>
            <author fullname="Michael Tüxen" initials="M." surname="Tüxen">
              <organization>Münster Univ. of Applied Sciences</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Steffen Fries" initials="S." surname="Fries">
              <organization>Siemens</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   TLS 1.3 ensures forward secrecy by performing an ephemeral Diffie-
   Hellman key exchange during the initial handshake, protecting past
   communications even if a party's long-term keys (typically a private
   key with a corresponding certificate) are later compromised.

   While the built-in KeyUpdate mechanism allows application traffic
   keys to be refreshed during a session, it does not incorporate fresh
   entropy from a new key exchange and therefore does not provide post-
   compromise security.  This limitation can pose a security risk in
   long-lived sessions, such as those found in industrial IoT or
   telecommunications environments.

   To address this, this specification defines an extended key update
   mechanism that performs a fresh execution of the key exchange
   negotiated during the initial handshake within an active session,
   thereby ensuring post-compromise security.

   By forcing attackers to exfiltrate new key material repeatedly, this
   approach mitigates the risks associated with static key compromise.
   Regular renewal of session keys helps contain the impact of such
   compromises.  The extension is applicable to both TLS 1.3 and DTLS
   1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-extended-key-update-13"/>
        </reference>
        <reference anchor="I-D.fossati-seat-early-attestation">
          <front>
            <title>Using Attestation in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <date day="3" month="July" year="2026"/>
            <abstract>
              <t>   The TLS handshake protocol allows authentication of one or both peers
   using static, long-term credentials.  In some cases, it is also
   desirable to ensure that the peer runtime environment is in a secure
   state.  Such an assurance can be achieved using remote attestation
   which is a process by which an entity produces Evidence about itself
   that another party can use to appraise whether that entity is found
   in a secure state.  This document describes a series of TLS
   extensions that enable the binding of the TLS authentication key to a
   remote attestation session.  This enables an entity capable of
   producing attestation Evidence, such as a confidential workload
   running in a Trusted Execution Environment (TEE), or an IoT device
   that is trying to authenticate itself to a network access point, to
   present a more comprehensive set of security metrics to its peer.
   These extensions have been designed to allow the peers to use any
   attestation technology, in any remote attestation topology, and to
   use them mutually.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-seat-early-attestation-05"/>
        </reference>
        <reference anchor="I-D.ietf-rats-msg-wrap">
          <front>
            <title>RATS Conceptual Messages Wrapper (CMW)</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <author fullname="Dionna Glaze" initials="D." surname="Glaze">
              <organization>Google LLC</organization>
            </author>
            <date day="11" month="December" year="2025"/>
            <abstract>
              <t>   The Conceptual Messages introduced by the RATS architecture (RFC
   9334) are protocol-agnostic data units that are conveyed between RATS
   roles during remote attestation procedures.  Conceptual Messages
   describe the meaning and function of such data units within RATS data
   flows without specifying a wire format, encoding, transport
   mechanism, or processing details.  The initial set of Conceptual
   Messages is defined in Section 8 of RFC 9334 and includes Evidence,
   Attestation Results, Endorsements, Reference Values, and Appraisal
   Policies.

   This document introduces the Conceptual Message Wrapper (CMW) that
   provides a common structure to encapsulate these messages.  It
   defines a dedicated CBOR tag, corresponding JSON Web Token (JWT) and
   CBOR Web Token (CWT) claims, and an X.509 extension.

   This allows CMWs to be used in CBOR-based protocols, web APIs using
   JWTs and CWTs, and PKIX artifacts like X.509 certificates.
   Additionally, the draft defines a media type and a CoAP content
   format to transport CMWs over protocols like HTTP, MIME, and CoAP.

   The goal is to improve the interoperability and flexibility of remote
   attestation protocols.  Introducing a shared message format such as
   CMW enables consistent support for different attestation message
   types, evolving message serialization formats without breaking
   compatibility, and avoiding the need to redefine how messages are
   handled within each protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-msg-wrap-23"/>
        </reference>
        <reference anchor="I-D.ietf-rats-ear">
          <front>
            <title>EAT Attestation Results</title>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Eric Voit" initials="E." surname="Voit">
              <organization>Cisco</organization>
            </author>
            <author fullname="Sergei Trofimov" initials="S." surname="Trofimov">
              <organization>Arm Limited</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="26" month="May" year="2026"/>
            <abstract>
              <t>   This document defines the EAT Attestation Result (EAR) message
   format.

   EAR is used by a verifier to encode the result of the appraisal over
   an attester's evidence.  It embeds an AR4SI's "trustworthiness
   vector" to present a normalized view of the evaluation results, thus
   easing the task of defining and computing authorization policies by
   relying parties.  Alongside the trustworthiness vector, EAR provides
   contextual information bound to the appraisal process.  This allows a
   relying party (or an auditor) to reconstruct the frame of reference
   in which the trustworthiness vector was originally computed.  EAR
   supports simple devices with one attester as well as composite
   devices that are made of multiple attesters, allowing the state of
   each attester to be separately examined.  EAR can also accommodate
   registered and unregistered extensions.  It can be serialized and
   protected using either CWT or JWT.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-ear-04"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="RFC9266">
          <front>
            <title>Channel Bindings for TLS 1.3</title>
            <author fullname="S. Whited" initials="S." surname="Whited"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document defines a channel binding type, tls-exporter, that is compatible with TLS 1.3 in accordance with RFC 5056, "On the Use of Channel Bindings to Secure Channels". Furthermore, it updates the default channel binding to the new binding for versions of TLS greater than 1.2. This document updates RFCs 5801, 5802, 5929, and 7677.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9266"/>
          <seriesInfo name="DOI" value="10.17487/RFC9266"/>
        </reference>
        <reference anchor="I-D.ietf-rats-multi-verifier">
          <front>
            <title>Remote Attestation with Multiple Verifiers</title>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Ltd</organization>
            </author>
            <author fullname="zhang jun" initials="Z." surname="jun">
              <organization>Huawei Technologies France S.A.S.U.</organization>
            </author>
            <author fullname="Houda Labiod" initials="H." surname="Labiod">
              <organization>Huawei Technologies France S.A.S.U.</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   IETF RATS Architecture, defines the key role of a Verifier.  In a
   complex system, this role needs to be performed by multiple Verfiers
   coordinating together to assess the full trustworthiness of an
   Attester.  This document focuses on various topological patterns for
   a multiple Verifier system.  It only covers the architectural aspects
   introduced by the Multi Verifier concept, which is neutral with
   regard to specific wire formats, encoding, transport mechanisms, or
   processing details.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-multi-verifier-00"/>
        </reference>
        <reference anchor="I-D.ounsworth-rats-privacy-framework">
          <front>
            <title>Privacy Framework for Remote ATtestation procedureS</title>
            <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
              <organization>Cryptic Forest Software</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Guiliano Lehmann" initials="G." surname="Lehmann">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="18" month="June" year="2026"/>
            <abstract>
              <t>   This document extends the RATS Architecture to consider "coercive
   uses of RATS" where a malicious Verifier or Relying Party uses RATS
   protocols to extract sensitive information from an Attester or a
   victim Verifier that it would not otherwise be inclined to disclose.
   This over-disclosure can include revealing sensitive measurements,
   stable identifiers, device fingerprints, vendor information, or
   conclusions derived from Evidence.  This document defines a privacy
   framework for Remote Attestation that identifies this threat
   surfaces; classifies claims produced by Attesters and Presenters;
   restricts sensitive Evidence disclosure to authorized Trusted
   Verifiers using confidentiality protection; and describes privacy-
   preserving Attestation Results based on data minimization, Selective
   Disclosure, and Zero-Knowledge Proofs.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ounsworth-rats-privacy-framework-00"/>
        </reference>
        <reference anchor="I-D.fossati-seat-expat">
          <front>
            <title>Remote Attestation with Exported Authenticators</title>
            <author fullname="Muhammad Usama Sardar" initials="M. U." surname="Sardar">
              <organization>TU Dresden</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   This specification defines a method for two parties in a
   communication interaction to exchange Evidence and Attestation
   Results using exported authenticators, as defined in [RFC9261].
   Additionally, it introduces the cmw_attestation extension, which
   allows attestation credentials to be included directly in the
   Certificate message sent during the Exported Authenticator-based
   post-handshake authentication.  The approach supports both the
   passport and background check models from the RATS architecture while
   ensuring that attestation remains bound to the underlying
   communication channel.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-seat-expat-03"/>
        </reference>
        <reference anchor="I-D.reddy-wimse-workload-attestation">
          <front>
            <title>WIMSE Workload Attestation</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Nathanael Ritz" initials="N." surname="Ritz">
              <organization>Independent</organization>
            </author>
            <date day="7" month="June" year="2026"/>
            <abstract>
              <t>   This document extends the WIMSE workload-to-workload authentication
   architecture with a mechanism for conveying attestation across TLS-
   terminating proxies, a deployment topology where TLS-layer
   attestation mechanisms lose their end-to-end security properties.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-reddy-wimse-workload-attestation-00"/>
        </reference>
        <reference anchor="I-D.friel-tls-atls">
          <front>
            <title>Application-Layer TLS</title>
            <author fullname="Owen Friel" initials="O." surname="Friel">
              <organization>Cisco</organization>
            </author>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Max Pritikin" initials="M." surname="Pritikin">
              <organization>Cisco</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>Arm Ltd.</organization>
            </author>
            <author fullname="Mark Baugher" initials="M." surname="Baugher">
              <organization>Consultant</organization>
            </author>
            <date day="22" month="August" year="2021"/>
            <abstract>
              <t>   This document specifies how TLS and DTLS can be used at the
   application layer for the purpose of establishing secure end-to-end
   encrypted communication security.

   Encodings for carrying TLS and DTLS payloads are specified for HTTP
   and CoAP to improve interoperability.  While the use of TLS and DTLS
   is straight forward we present multiple deployment scenarios to
   illustrate the need for end-to-end application layer encryption and
   the benefits of reusing a widely deployed and readily available
   protocol.  Application software architectures for building, and
   network architectures for deploying application layer TLS are
   outlined.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-friel-tls-atls-05"/>
        </reference>
        <reference anchor="I-D.ietf-lake-ra">
          <front>
            <title>Remote attestation over EDHOC</title>
            <author fullname="SONG Yuxuan" initials="Y." surname="Song">
              <organization>Inria</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <date day="26" month="April" year="2026"/>
            <abstract>
              <t>   This document specifies how to perform remote attestation as part of
   the lightweight authenticated Diffie-Hellman key exchange protocol
   EDHOC (Ephemeral Diffie-Hellman Over COSE), based on the Remote
   ATtestation procedureS (RATS) architecture.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-ra-05"/>
        </reference>
        <reference anchor="I-D.reddy-rats-key-binding">
          <front>
            <title>Key Attestation for Entity Attestation Tokens (EAT)</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <date day="7" month="June" year="2026"/>
            <abstract>
              <t>   This document defines an Entity Attestation Token (EAT) profile and a
   new EAT claim that convey the subject public key and its protection
   properties within attestation evidence.  Combined with protocol-level
   proof of possession from the surrounding protocol, this establishes a
   cryptographic binding between a private key and an attested execution
   environment.

   The subject public key is conveyed using the EAT cnf claim defined in
   [RFC8747] and [RFC7800], and freshness uses the EAT eat_nonce claim
   defined in [RFC9711].  The proof of possession of the subject key is
   obtained from the surrounding protocol, such as TLS certificate-based
   authentication or CSR signature verification.  Because the EAT is
   signed by a hardware-backed Attestation Key (AK), successful
   verification of the EAT signature together with protocol-level proof
   of possession establishes a cryptographic binding between the private
   key and the attested platform state.  This mechanism addresses key
   substitution attacks that arise when attestation evidence and the
   certificate private keys are validated independently.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-reddy-rats-key-binding-01"/>
        </reference>
      </references>
    </references>
    <?line 752?>

<section anchor="related-work">
      <name>Related Work</name>
      <t>This appendix positions the transport-layer proxy eviction mechanism
defined in this document relative to adjacent work on application-layer
attestation, gateway-mediated attestation, and multi-verifier
appraisal.</t>
      <section anchor="relationship-to-wimse-workload-attestation">
        <name>Relationship to WIMSE Workload Attestation</name>
        <t><xref target="I-D.reddy-wimse-workload-attestation"/> addresses the same deployment
topology at the HTTP application layer, requiring no changes to TLS or
proxy infrastructure.  This document operates at the transport layer and
is applicable independently of application protocol.  WIMSE Workload
Attestation addresses deployments where application-layer carry of
attestation information is readily available or where cooperative TLS
intermediaries are not available.</t>
      </section>
      <section anchor="relationship-to-application-layer-tls">
        <name>Relationship to Application-Layer TLS</name>
        <t>Application-Layer TLS (ATLS) <xref target="I-D.friel-tls-atls"/> addresses
end-to-end confidentiality across gateways and TLS-terminating
middleboxes by running TLS or DTLS at the application layer and carrying
the resulting TLS records over transports such as HTTP or CoAP.  In
that model, the middlebox remains part of the transport path but cannot
inspect the application-layer protected content.</t>
        <t>This document addresses a related middlebox problem at a different
layer and focuses on remote attestation. Rather than nesting an
end-to-end TLS session inside an application-layer transport, it
preserves the transport-layer interface used by RA+TLS mechanisms,
establishes an attestation-bound key update, and then causes the
cooperative intermediary to step down to transparent Layer 4
forwarding.  ATLS is therefore most applicable when the
application can explicitly carry an inner TLS record stream, whereas
this document targets deployments that want attestation-bound
end-to-end protection without requiring per-application encapsulation.</t>
      </section>
      <section anchor="relationship-to-remote-attestation-over-edhoc">
        <name>Relationship to Remote Attestation over EDHOC</name>
        <t>The structural problem this document addresses is not specific to TLS.
Remote Attestation over EDHOC <xref target="I-D.ietf-lake-ra"/> defines an
Attestation Binder derived from the EDHOC transcript, serving the same
relay-attack mitigation function as the transcript-based binder in TLS.
When a gateway terminates EDHOC between an Attester and its ultimate
Relying Party, that binding is severed at the gateway boundary, creating
conditions for a relay attack regardless of whether the Evidence payload
is sensitive.  The cooperative blind-routing pattern defined in this
document is architecturally applicable to this scenario; however, that
treatment is out of scope for the current revision of this document
(-00).</t>
      </section>
      <section anchor="applicability-to-multi-verifier-deployments">
        <name>Applicability to Multi-Verifier Deployments</name>
        <t>In the hierarchical multi-verifier topology defined in
<xref target="I-D.ietf-rats-multi-verifier"/>, a Lead Verifier coordinates appraisal
of a Composite Attester by receiving all Composite Evidence, decomposing
it, and routing Partial Evidence to the appropriate Component Verifiers.</t>
        <t>This structural position gives the Lead Verifier visibility into
Evidence it may not be authorised to appraise -- a concern explicitly
identified in the Privacy Considerations of
<xref target="I-D.ietf-rats-multi-verifier"/>, which notes that Evidence containing
sensitive information should be encrypted so that it can only be
accessed by the intended Verifier.</t>
        <t>The cooperative blind-routing pattern defined in this document is
applicable at the appraisal layer: object-level encryption of Partial
Evidence to the target Component Verifier's key, with CMW plaintext
headers carrying the routing directive, allows the Lead Verifier to
route Evidence it cannot read -- converting an operational recommendation
into a cryptographic guarantee.</t>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8V923bbRpboe31FHfVDJIdkLOcuJz0tS0zbE8vykZTO6eWV
JYJgkUQLBNgAKJkdu3/kvJy3+Y95ms86+1Y3ALTk7kyP1oojkUBddu37rYbD
oWqyJjdHeu9Zlc0WWbHQF2ZVNkYfN42pm6TJykLfZc1SX5p0Uxl9skyKwuT6
dVU2ZVrSL28zU++pZDqtzC0MdTk+vvIfz8q0SFYwxaxK5s2wypq/DWuTNMM1
PzF8/FilSWMWZbU90nUzU9m6OtJNtambJ48ff/v4iUoqk+C4uIKs2e6pu7K6
WVTlZm0/NXp8m81MkRqdFLNo8VdVUtTrsmr2VL2ZrrK6hk+b7RpW9GJ89YO6
MVsYbnak31S888S/PNBXLy+HjalWWQEfAHRw0duBfv76x/FAm7eNKWZmpmEM
vVnPYBcDfXL280BfHF9dAgiy2yTd6h8q2D8u+RelYOBidp3kZQHzb02t1hnM
DJAc6BrWWJl5Db9tV/gLPJ5smmVZHamhnm/ynOH4KmngDBI4gwuApdK6rBZJ
kf2NVgybghWtcVlFA9+ZVZLlRzozzfwPBcJ+lJaraLgXZbH5r/+rz7Jlkqcm
6Yx3fHEWjAMPN6OVPPuHpFp1xnuO+FHrqzpdlnNTZIvOiD8V2a2pajhJXc51
szT62QbWW9+ZZaXPNkWWLuEdi07w9LM7fTaCj1J4BfZvNtNsaiocuDILGvJZ
cptUGS4+LTdFg5j0Rzi1pNjSRzNY1zdffvn1134nhMb1qHHL/MNi9XZUmCba
zFVWbVZJDmtLKqCM2Wzb2c2r8oYmlnFvymLWZBWMBn8ScFRRwkoa2PMRPHbx
w8m3n3/+hfz65TdffSu/fv3l4dfy6zdffPGVffbwm8f464vh6QgPcdjk9dDi
3RDwbsh4Z5+Zl3UNczGFmaTKt8MAn6ORqqSph6t6MbyrknX3G3j5SKmsmLdX
/+SrQ//rVz1DbnJYAJxwNs9MZb+HY6mBBpolP7Rm2hjOLW30b+DtOmnsNxWC
f3iXrWozxDfyMpn1bW5eZSYnOCXwT7S+PLkxMH88Iq0HITnNihnQOOx6NBop
NRwOAQnrpkrSRqmrZVZr4GWbFRCWrtcmxe3VOgFOJQwGht+aSq9MCsiV1Svd
lBoXN82zegl8ScGhDZtyCP/TabVdN+UCIL/MUp0KU03SCrYPY6ZluTYVgV3X
zODkGbW2jDcrkDGZWZZUwJHqTQpz4Lu9LGuEOzDB2kwB64L197B7x0ph/RWi
daGncHwz/BuoVQFrNjrYC/y3LmE1tTa3BqTFEv5Bqs6KrMmSvLUBpLxZvYST
UABRWn8DLHS6BQhFexrBITV6UyOQC23WS7MCkOTEe3GwPDfFwijzFgdeAOeF
l6tk6Ib3+5iZHDkOQAmFAwwWYM2Qtwbnr5iS6NRus7SRPfgF6XlVrvRLOuSv
9W1WZ9MsRy42NUAkRiXrdZ6lDEMYKdGwP7u6mSDUKpvNcqPU74BPN1U526T4
eBu9+PBh4yh5M4amPagrf1BwsqmZAWwv1T5KnAOdVOkya0zaIMB//VWYzfv3
vPHZrDI1wdMicAqwWeflFmdVaVkgtsOWj2jGNTxN8AMu3UWrCDK8RgXUugRo
NHcGUCBhKciYBSDDJWQNYly+xQFeJ1WDeHmM+4BhceNpngD+w3x+WTUiFOym
QQjBEmcZ7X0O7LVGCOO8BtcCLKVGvLzNqrLANwGBzgNWXcugOPfZ6RmgblUC
Ds0GwetDmKDhj+FpwAIAFugZsGFYNP1m5HNE/tpU+CsQRDJHWDZLeGKx7AEV
sDkA7YbPBdAgLSvgGIhtIONAFhol2tBAH79+oRfwzV2yhb9WJeCYnVODQEsW
hlBkXQKubWG7gHopfaSYCBnJA4jcmakOUXOeVTB4ntdIYHRuNULQgQ1GwNOX
KZdlPhOugtAvDCEsEYmHGq9rpuKNDnRRNsI0dKRcAXTLKgN1k1XLO+CBS8AN
hZIDhA3CGiTnClUBJANAkrPkL2Wl13nSoDzSwGdmZVUjzaf5Brk2oE65mSEq
EU3dIl0iIHgbKoRcVSJjwLdBfdjkKCT1esNcGv5pCAE9U4MJeYUKYZAVSDoE
gxVoqIDtepbVyEtnqMKtDOwAkcbMTQXyBbefIN6u4ACSAlcC2giC/grhjvwh
39SEnaDlagAvUChSFLy3RtwounxIER+iT2AS3DtBER8jrdlzeaSOkojCboZ1
Q10WI2UXADvGMWhdFjjIJMs1CjU4g4ZWg/MtCGWZE6njUE+ugLSSFMfZS2aA
+BlyEhJftKQ9XmIs9WCucq5AmW3arB/pGnFnjSwCJwc+BPoiDtdmsoAbPy+J
23yYQdXCzhrG7jTPkGSceDb9ON4GPRMXspxo9HiY2sC6EVDdsRjr+fRVc1cG
j9QgGG9xNqe+e0nJOkZaZeuGqRYFnfJfB/JMW/0Azx4gG4EcqB6kFUzhZKOS
hYVLdXMRSjbIfVG+adGP7F4YhMgHY2D4oSIG8AFgHIOa3toCEDErBf5Bpilc
NAJ5ls3pLxBbsSoFDBz0Y9w8y02wtILlMj/jAwh0GGX3htYucaO2Vheuj0+I
pE+N7BtWmjSKRSboWqwtoQbTluszM88KWn68aDcZoRcPQjoI6gaOmkeoD81K
w7TBY0XrcgoPjDAHsQEcDgRqtlKsw8OfwMrwkQZp2iuzlmHXXS0xQGwLIuSH
0xKoua1vBUtR+/iUeZsA2wM5MCYeGzAM9euv91sr798fMDzKunnYNP/n9fGV
7hsa7QgYjvcHXI94LVgeM2TO8n79lPDEbx5OLlkUMDmeEKOsVZva6EoUN9I/
IHzv10JRlVEO/KTh4uCTYNAJOxdqRjc8aVCeHgq2EeqXV8QKy7xcbPlU0UmB
no5a7539dHm1N+D/61fn9PvF+H//9OJifIq/Xz4/fvnS/aLkicvn5z+9PPW/
+TdPzs/Oxq9O+WX4VEcfqb2z4z/vMevcO3999eL81fHLPdYZQ+ogblOiRM1Y
tTANHZACwQT8aEog0M9OXv/n/zv8Ao75f4F6++Tw8FtQb/mPbw6/Rl0XDRCe
rSwA7fhPAPAWNXQAF44CnFCnyTprkhw1JiDkZXlXaOR1AL1HbxAyvxzp76bp
+vCL38sHuOHoQwuz6EOCWfeTzssMxJ6PeqZx0Iw+b0E6Xu/xn6O/LdyDD7/7
txw5yPDwm3/7vWqzKoeVc9CGyzvi+4BRyCJOAuM05PxH6kgf95ufLIuAWO8S
REAipWxRwCngIx7BmTR0wDE3pOAEwsOxJMYZEscJ8vWi3FRsDmhmqJkVNmyy
fWHnxwE3a/gKKQJol6gGxVBodsMguzQS67VisfRJra9QxYH1n4CWt6FNP0tq
xKMTljn7kckz0BevDxBWIoJIM+NNiNOkjod3OjOAEpbXZMSoz1ko7jNXxdEv
wRwxVXfoO9IBe0YJ5eIdM3mAFi1iOyDvWgK8EFRbJiRr3qBEBUa3Qp0ggBEv
a+zs9B/HZwThdZJVer++GevP9PpmfMBo8iN8My6ABGvQwOmgzhzjdW8tTEGG
8AxMbwPauegDorxpEkWgb8Hmc/STkGuXUKJAsQzrBywGtRz/RRpnOyTN1rRj
nAUGgGHIo4BHps9ACdb79O/jAzGgD795DExFEAP0NA97u8P99c2FA7s7NvyW
zIoUHxqgmdAAF9s0jOmgnrywovjUsUBQRbRGry9+k1rPSHBOYHDBpkUcBUIR
VfuASzIZ2HXCGl+jYo/wQUypmZZgJ50l8OkgcaIJ7FQE610CJQNEbOgtujBw
goDj4+OLA5iSJVTkRgSBxPpWd79pUiHeAF5cyDPEFlAZgbHEGGGdOp+TcZ4I
p0BjBIdabEDXhr9A/CeOUaH5KlMgMyCZMjdNukTDEzEDfcRMs+KVIr5mfUpA
6aRl7qfFCahQBR+ux2yYcAYW2G2Sb0zg4nGeDzkqkkB8Aujftpg2ghFPkJ94
7I6PGN8D0Z6z9QigeYpr0MQYO+/IBO13xrCfdX1zzVQvh7pdgXlaAT7C+YNw
BYypgNPN2K+Fi8JRYCr2vMEKs+IvgCkM7xIhCROObdADseondpkhEdQI3U3O
XkNkqmS1kF8EvgYhywptsZBxup41kgpMxOgWCnDsGVpFlaWwWHemUxAHJS6T
hunTipGjgUbFAgWoeWgZBvEWUMtr8Zx4J62XOqL8ggpe0PoDUTnQGQErgiYu
wkSs0LMCPEePNCLh8IXYsxka1QwaNjVAwFoJx1baMqmXlr15Jpguy4oUwfNb
dFOZO/S0fdBGpgl4mIvjT8kYFpett44UW0c91hB5U0C65oY9eOQGDp8r0xQE
NOAW+XJU25cD5AvyZra1ho0TX7UJnTA6dsKothMGmR8ouaYSDwr66PxgQ+f3
JPpXgURF9hMqQCQ8xIh2zB/Oco17qpji+IBMrVo+D+fVYbdH29xzJob1s4KG
pKzuAXMKSjjuPkSfUqAwDbwmBYiNQ5uZcnYGTllukLrpKzrmhvVhdpcWdgHs
DyC6FLxVfd7t7U6XuQQ9O2YjUYPIkGQBLLtuvHtqaM1jAN9fN1lFXrlasV0K
2s+MDpuAMoQ1FWQEWOXFsWt9XOgMzTZ8m41BIFdEKOeiCE7zSKlDxDxU4oOQ
jENwZxTTcaOjues2wVUD4Wkd8RjvynQIS1EQPAPQlTwLoVdj5RXQhZy/fVGb
KBKi1BO7ekBKXU6RLYtjQjCAGBnAzfsAki1GyEilwxgOSk5aA4KJ95vQ+Tp+
Zc++NfXvfqePfVgBKOB4dgsSN1kA3qtHj16VoG0RHPxKRo8eaf0azXbrxRh0
HHd6DtK6JnHMUXHAZyLuUGqgP8ZLOUE8OTSACMyNLnmg9Q3FxjCSWbMzsXCf
Po1PK2DqVvtoL01ZEkpmHG2ATZtIV8VVL4Fboa346FkFcA4iFo4CUciEY6/K
GfKexIEo9IhkNRF8Ttju+QLRLYIlz6YVEg2dOux9jL6EcOnKu8xZZLC2HgcT
I4YPurCBD+vIpZLi3uBw3S7CVducB5wAiJcIA/ArB86f8lLRjVwVqi7nzV1C
BgLLpQQ4GM1B9vWjwFVFgWACh/swCxhb6BHNXcYACkEr6zY1ySYhCqC+PERF
VitlGlgegCGx1KKil9CPI5gBq6bgVRiGQnaS1emmrkNfzH1xbaf87joFlSbo
2gQMAlmSsfPy5OxnCTuBFICvUCyD4QAIW6ARmqQYJWBtzPpxhdwHjtbFbI5I
HQN5hYvIfYLh1wQUIubALABasSpYRI3xAJxringOZFWAmgs7o6NAhs484pJU
vjOwGEF6o65hj4eilIasfsbI2KtAOFEDg/773/+uXn5NiUNb/cos4KT4oLQ+
6SjUVn8inWnImi9xN/h5p+OftK3X32YJ/3rtvroGsD/dNUBXXe13ZOx6H+jZ
8lbWGvB8au3YPeq78uitYuf+88vIyALa8Gppx6NIG2KLr3f+jouQGIpzMI48
Fu0YAFAfWetaLFfCT9zJyfnl+HrMtPZ4tOttxH4+VUTzmt62WE3wQB5eByB4
7sxa9KjkBvAKfy5DKXE4+jwwf1N5zo/yzg83/vEnMlYuSgdN/HmxkuSDfMvu
oB9QhVuiwyByMvRDhHIbGvGh9NhEI1Ind70O5LdGqG4KF9EGGYPAAO2gmAWw
YMCNRYzqz/TLLyxM46gLswY2Qj6EDGybzVi8ktkIa0FN6S70le0kBYpUJBh4
CdxpwXqPA3l3imKef453S3+G4JOx0v0/XhJYwU+s4ldQnjF38fu9S2E0tTU6
xfVX770nzsQg9Ej1zCyT2wy4P2mtnhMBIEHhW3GuRL4ATtMsV9Yc4RCWYONU
RiCGqnbKV/PWpMzEE9FnReOjpBgRXsWMQaCeJSklNSJdLU16Q86oXKSHXdu0
rCoEHEcq6johrmYtrPkDAwSA6gvk7l8+5XgZHuYGZbnNa5qpqejCzh7KrI8c
LM3JaDSauPQBu7iBnrwZH+v//I+vlOMt9S8TgCCsUCglZEJFwOP9C2G441LE
8VcP39qIBUnkcQ2xCXkHI0T00/aiql7stz+7Pnds552IrOcGkOvjXvy0TzQ9
5EX82V/fjAc6bU4OHj7jsPfn9+/0m9Px1fjk6pcPztgz7o69P+DF/r0/4EX8
Cfb+Zn43++UhM/bvHXf/zyLAd9/zj+ATAWPAcVPQlmv9fevnn59x54u/ji0H
HTsqe/+QF/+p44ADSZuLg/ibe178btd5uBf79/LfTVZ2L28qg+YX4NYDEGDH
Th46Y+dr/esJuqrIFDOP3n/Ei5+GbPfRw198wHH0LulBx9G3pAcB5026umOd
ceZY0//Ecdw7I9M/gehPFFMDCH2qf7Vq5vsWO7ifA7w5vjgbn3b4sf6fO46d
suPeGXd8/a9Hct2PUb+B7PjtEWDXj3vRGiJgh0ho5oEvvvHBohAE9764EwHe
XF28+OMfxxdtfL13j/1beNg5gtgf6GcbzAzTp5jJ/MsDXrz3HD8w445vAmbV
sYeGwzh3XsRZpK5819YO7vnpLnWf7I0jXa6Tv24MGo1irZnqIF5qy5hi3dhb
1tbIQHtN7/fbKAdoaF05jyV72cn2MR1nD9ia4oy/YO9jpC06X/TFazQv2NcX
PiAhYLRcacuTHqke5k5hpdWCPFhh1gI7EWmAjzJIdGSQ4OsPM0oGnCytWaHW
4gbF988xvfIuq82A/WQYhKR4d+jr8C5riQS8EO8Du+3NQj/rSa9smzQ84Qkl
+W/SBt04IWCTqiKLCTOjdgDCng4NdPH6kzocYUR26n3nQbgx5REsRs44SjYB
/X1CxvcElPgJ+kZc6cTnhC+ge9HOApXa+rCDsGt737ZshRfd69aGGb6IZpj0
qJmTD81Fo0fzMQo/BCYW9IzQoGhOLJgCEIXQ+DKgHlptIDMnnmJ3AYQR4QXH
UDnSEHmeJ1kxm4iHzvrbJyAir8XHPJHACTtcxcG/K3kRgDEz7Ok01qcNy/+B
N+YOJh7fQbAvmBm6vW2UC4DylTvAEBwsdwWtrOCdfMQBjolwSfGydKu+/jj4
My/z4KapPgBy5xPtgXyAy51jZWxrg0bbzEWKkhtBa9jFN/8QwOBMPrQGpb4N
gDPpCPNJCywMXqcrhKwxQJHegXaxORiUZQ8Ha6m81GsEvmjK8fWpAemE+X8p
xYZM5APtd3hy5hlwynozrQ1IWEoYSCm7FrNFQK2zsVab3s9RkjMXeXc+XaWe
cX59I0m6tpK4E3bgWhxyowVahcRLFcdLmVxtaCGOd1J6j402cSTirsqaaDhl
t+GDFgiaeSOO2vYCc67xCEK2ACsV5cJMMCR1zTlH168+PZwMbMUPSro5cDbx
XgKul6spnsl1drOaKKm1kPID/N5rqROqG9Bh2D52gU/S4mKiWp8F7w/s8yll
bZq+ZQrA4CnZEXyyDXfLG8wayYBg+T5gdsGvt1A7dE/rBbq/KVDnkv2TAC+F
s+5yXwdZfCGCY5aUIFTCCI0TdFNge/CLOIV1ckuaVkt3s4viFJsFgAQmhEcP
Rz0xCR7PYGIlohzRDcKLrB4fYxnOKclJ/P8+yCefB9URMTlp/YSLR/R021DN
VVs8R+NHKhKlDCe3NkoyxbS9KUGRGMK2ZNTTcBJIqj05b0wnrtZDBrKCG+mq
Ma1Sl56F2GylgZV0Mk6onaDaauUfHbfWn9+z8Z3z/as3vvME/sGNo5p2XtiI
HcW3JeMHN8aI5dBlllVRbRVuVqbhcMes4nRSWnyHHJKWPAhlgR3mYySCjXnN
abEygk943EVAKLo7SwkmlupjbSnX0+qhC7kj2J4RrniNMivksSdEc58T49Zc
bWOz4nWarYEB24qqnppox2DpmJ5ynYVHhwYIn6s4rClapo1pai5RQXUlruv2
ObhjifAzZ/UxfBf5xywt1kM5KC1p4FFoe6B6lW8rgLgehMusKT87A1lkQ2KW
16nQTKIsOmaBPSYCJc7WvnBaypPTZJ1IMh0nCxCyUIKay5l72qmBlPAbl3uR
WF4UWM+bBYUU8PumYJLBuLWUt0uORDQA4CXVcyp4pVxhHfaOPWjqpFFIVseO
DHKns0gc3Orlzm8QxtAZGcopGu6U4R7mt8elDnGiLJqEFyjo+QRqGkjZBBdq
vYDZn5zrCsiMCyIWKCV8O1LOCzRAoxz7p9FIMM/xnxF5Kelc0hhTryJjqmty
p4KEXiqs+/eff2QFiMoGsJ2Hy/2ZYcZHXruMGZmIt2KKxPatofr52yTPZkx9
SSsDp07LtXgvguRGOCkClGQo3VdkMIiz+S9Ub8q+VI1M4I9rKe++xt0B7U64
qtClz9HkitwWCINg+2LYw3vX5Rreg7dRMEze7Infa+8XoEUfAucJqDJPT/aW
6xszvDErbM6xh2jwzKQJ5j8S5h5fAL78SbqMBGUDH1k0QLIOSwPo0ClHWe0u
EbhqITXXytgF+VW4rFcitPDIGUsp0fwttRZh8HnR3d43qrgVpm6p/rNg9m+z
rFw1eMi0xLNEiRpI1OF3r913Sr3ury0JKJmJWI68t+jknpITnUwBujYljge1
NQ1kDWAu/kAxLx/iYZsdBUWT+mYMyENeo4NBNAjXZ6hW3hdaBCei1GPCGHHP
SD+TTMK4HEi5cqCk1xX45egQKTKoFZIUhCSZXcPxfg+qe73EEiH9LgqNj6SM
BD4Nst3OURU7UOqzR52yJJhA4wyDcO4D/egzlTYnOA+mwuHzw0vYHs4Im6VF
YBHLyQGtKkRhTl7vON6sR6dPcvrMDmtqRi5APeEJJ1QyIAVmgQohDWSSagFk
HnF9KpHymPZJLSVfDCRXd+9ck2aG3GLotAEsuV+hown7Z5XtiUVLmRpO2d9K
YwblqsgtBqASx014RDGzVL87/y+kpnZle8Cx4iJ5J5bRpteAyxcTqiORhaK0
RyZEKMtE2yeqQ+K9WgaF8vQ2L49xf4p1FWEGcx+qH/3rEbeIEfd8bYr9OkLc
xiLu5YbSXkFzx3qMQmpLb9vVkqC/2twq9BjUrEEAdJRAx3MKZM7UL8xUQ88s
yHHQxyWUQ03PkwhtidnfB1FjLESJFj+WwC/6CHzMcEI5hlVqnsAdIoAwQnZN
TuUP0bVu07XqVW8D5uGQjOD1m220uOhDiHCjjd3oORelco8adlWTUMAQWyCz
sN1OUoQkdSEkdYo+HZs6p71vqNNDkOvPQOlFK843UynKO6Zfsu44ubjTWqJv
oI+qFttdK+YlnIA/lQ1cT2kehOSPpz8Mx2/XsKPhy2Rq8n0A+l7gq98b9OZd
0vmBKXXNdH/9mtZzjWIdyB7rXQf0zAinb5YHqv7tp2Z/bmfqcXtqQoYJfjQR
i4tL4kRAeYnhEodZMoAenJE//xk2sLItmSyAQfpQjdnt7qNx9YbKdh3BeQeB
Wzo8dZ2X6Y0tQsaaWZwp7LWGA7n6NCIZL9S4hhkfkpohjttwN0rXmAXJNh5Q
t5u1YQF7BvtPEIF9DVuryFBJ1b4rMhzZlmXJ0Hsi3VynkoiuVFjCIenpMd7i
EXjVUhLX4+hRoGNYltUXYBnECtlD80P18/IONzngHlZY/iBHuCOLl5iHC8eY
dpndbVbmDmtUT8UFvmX7FTJuRJEZtDNtuQV1u2CPq42SO4D+kcVWhj0nrxyC
maolz9zz+2a0GDGFcdU2N1NhvcxrvlZWgoJg8WBSYYa2lRccngNoXhODE+Nv
IF3Z3LO19aPjHsglrDUSJv6fnrFCoc0okKYd5z1w79EvV9zzbeX8FWKMh0ju
nMlttrl/S305YfGtKScHTpucbZJ8yBqSBYTURvu3g5jBwcBXEOPrf91gTzNY
Y9gfkXyLYW8hHMXycBQPZU91IW/SjhAli1utIhpHGgX5BmFX4zHLkiTljHM0
hKiYgIBGFVJgbuZm4MJiDoqSsIExoAxrrLipmrAYhmjAiYLkibLVB4HMwoOw
a6HNY8j+ZtC8KOaCP5LIcM71Vy+p/mrsiraOEEiueHdXwSJvZEfN5KBni1MT
FBMEUcyAowu9skedIjMi7anm1rYKYl2P0SOqgZnYMmIhYlZNwyKz1maYPsOu
jWGNmX5wjRmnSGAoOWqqYTuB2E2bAtaAPiTsh4bWH85C7qXEZoekZt0AVegz
CWP/TIU/YHDD4AcY2UXnf9tlZNvI4kqYcI1UZobFPvvW8UQ8nULe88zkVOJn
yxbtiTEnkPajGLa18XKU14EfaCfbdiHQGmUOGVcRp1RYy7Ajcl9yrHOapDet
PgCxvwCdmYRZ5J/HQqJVaXMCduRD2B4RJJvvShWGtLQ+niU+ycFWAFZlblOW
9EsM3VqvV8dzF7feff+ejFz9N1OVQ3ZCoXOfOjN2DFLYQc1tXohzVHx6vpcK
fWonPkJokjMWgxPi+x/gL6DekzMUcKZKMjkjrsa1J+vqISXOaLfpA/NZ/bEx
0IHiUMaXtOKvSVtBhfHSNqV4Id0LbRg8LqtSqlMMZoMp3tERaS6Rf9sVgymU
tD0hs+CcdvRvxrOi0nPquFGrUOr4thZhnw3Labieq5MWoKKYPLb14W4lMotv
QBoW9lujBN5B/oatOCvs4At0RLZ3Ns2dYtmtEn99+ePwhe0Ygrv39hVbpX2g
AeLFon3n+9P745OD0+djvQ+nC4LlwIk8tUVe4RTVZYL6kkjribnZXM+W1/xp
UJrk8uiwCBCb/FrwDfSEloe2NA6xH0X/wVARWGBHs70DdF1XVCnNEZ2JGDfk
wYUvkxxdFUspu2Wr484uzgl1RlhSMxQnusQ+bVG6fe6GZzVwCHEm4CDwSISF
sbOSoz0ICKr9Xq0AhePchslTwpStjZtycgMTx125yW0bVaNXWQ1IQH1zOLej
sYzLm8GdLoeNS9lYIfDZJxu1iEHJzk2G+yDp9WIGHpiNZJZY0BKcrfwWVcnD
TADsPYZZAWqpoLR2KO0ClKy0owAonCughU7sG23lnhBbpfWqTFIq6w6RssVm
CGyWVokFeXz3sFccIiAx3WSVIU2slROD20ryclFuiKiX5Z0zahlha0VWADVc
ZMwWtRDJk0MDRRnjostrIxdCMBuo7BEgYl1ddaz3x3qfZA0b5gSbg85D7zqf
3MaTDn+vQ5yARbQScx4w5Kecwa1jEh8BLaeA+jaDp8cB0Z/U7e3ga7TwcRE9
G4v++l6Ew3XAk69l3t9qL/W/bC81u2L+G/cC5gecMxq0v+1O4p/v0cwBTRr2
Eqw7zoCPJZd+DvoOKuhbJp5Iq7hAPmarjDFvwmsoF2YYdvdQnEFn87xC7SFg
3h/k2p8euoy4KJGm5pA/SEaqOfauHmQMNr2Em+wGuSl9spidZ8K7sUVCtUoi
S9aK4qBvEc0vnZuSdnqKaJAYcUFvaatVL+q1LljTlQ/Stq/xQHPJECS9pHg9
kO9OAD9I38pqhTNgz8IEzBKyTRyDFgHo2fSkB9tYMCRKnuhBrcmAnIzUQ5ES
hIjDc0U4aghcSlHOw36yR5IJEnaRHdbNNg87LFVmaJMV3K0Mdn2SB9Lqm/uA
IewGACQ/fExfXa/EZZQ1Q9c+RC1ys0C9TlwuaU//BnFJis+u1tOtClJM7GGM
eaEzfeyzOGjB3skSJdcosLUXhTjIehCf9g+YRl1qWu2GUbgnBWc2Ke+47T1t
634OC3zkMXZHICCVOL7wugVQmOpBkK5ie3H1pVhVRpCSGh8pw62vrHXSWrW/
JQSsukZqTLTNFCL7yF6nRCUh2BCf21uyqp7MqE8BJR7gSlNseZbd16iKoYhn
t1qDEUP3h1Cqzqbgm4wyJOmeHmMeJ7iFVtK4SwGQTgGIbFVgK3hsndHqVhGl
tZaVWwHfYJLMlO8f3+mPxbYLsXXu2+7MlZBUckx0Eb5du+cia57C0aHzRZHh
vm99kzZ1wXsfqZWdpOd8FiQk4cj4rsQtffiBw1u7W0cOxFgnXrDCRExOClNh
P1ROnO4eW+ww0eVUTB5Dnn1fr9CpDQtvYWh2JJW5GhcKRQ701rhYNwZzJUJp
feq0Tz6Yq6AbPYDtgsL3FFGRNDRvPn0QM6eABxJ9KdhbhC2k2l0Up9vIoRiL
2kGLtntaVPb2gYQdDcv5cIrrp7COs2iRt2AXsU7eBCdiYKrUmjID2nkGrawI
FcS4wkQIcRCTE4kBRw6hnqwH5RWFCUdaCc8mLo47OQJkZ1hTUoK+AxsmaL4E
I0sWmjQa7GCi9eWkuUmqnuxzSbQXvKOehavkhnitXZGkkIZecsxAWmcSnLHR
qyBuRcjuuZngHD2AKfMmQ+bYylHZkRcSwM3RgGRJhm7sk5aHV33AxBff5M4Y
FwKS2GTubmoQrSv0iFqHWm/oyXf78sE54WfOzLRd9vpbqNlQUsvVfcDuJudK
7xZl2dZruGCMoqF7UWErUnp8U3i/tPcVt9qejVwQKAaqy+DjNrX+zgxKsbQJ
4LWIuKPe9Sn2LseDe7Jttcpr9TYltGHpFLqgAU+WeGMAqk2WXtoHQ2JUOo/a
Y5JOdHJjxtIETQ4Zhty+LooU2F52xKhgHTub2f2jjesIt1+VxTDcIZL3WYKh
IvRBvIj6f2Pbt6L1fFfQYCayXETVPCTPDAXX3PWj79PfvFkF1LpAeo6KduKU
9tAxaptOiyMkoEtY/ZJUkoQaiwKUN3I/CJlndGVV7ZNDB9KsmioBkiwfyqVn
0ilqUymbEUrxSniXsGLBQV/sm+hAGrdUd+UR3CyVQlISqaPCSlc7ZXkc+2sb
YzO46YQSfows2JahGlmpL+67vMLpLn3H4Fz6kpOKxVK79NI7INryjoR/zfWg
4bVFEihS91oenONuLzWii+KC/s1yNoqcb1RuwsURHG7nwGteWswCKJnghjHW
ZVFlpSvICtVvddT2tjZuZuY6fXU8knAcPtvpyeiJzxp98tUhbCUIwNbWpY++
etHvsZGVEr2PbKFilxlEZjKY1YSrXmYFrWjd5Th8wZLNOKdOwZgv5fU50Jo3
bBegyOFrsPruucOblSibY8f9gzYny+GdOpGUmbsMC86B65Gj2eFXpyTVPyjL
tW2HJ2zis5k1cckwQQTJQvkrsvpB8GSiReD9Bir2qz/FsoLO6lMqY6nJ8R1K
G5skSh1jo2/GP55JyGUgzgQmXaBEyloLL7PDNA+yDHcjujUSp5ss54qiHdiI
yG5dOKLsuApLd71k/xFZ7ZtcAR0q0k2rPTZlslsO6m0lC3dchRJRZ4h51aim
UY9iomqAv1sZ1+UGDZ+DxquBgbaZgmhtNi6Kd04ZDXQXsWC2wueCi6pc52r0
qnM7Puxp4G+7Y2nMnItaSWNHVrF37YWJZGXx2fRfGUqy8kV7D025xut36Fa/
TgCRXAWeR7AZp+IMBrwz79YFvKynq30zFV2jhmqJ8qmvI9s7Q9RXzA6pyQXi
+r9GZosUTeA6FOtmtvgBtRl9fumQY1fqSuPabpMl7FyFLuIyoLPghDo4Egyt
ow8Eo01hr5Adt3vid6va5LfiInI2H2xsd6qLpzxFTGOYl+VNlHbnEnfsksIb
ICmjyJlTyG5KkNxNtuC6pazuSzIJ2DgZvUEWjepk0ZBTgNi8wGDmgRDna9Md
I4pzjGlSoKC0mEs2jX5mr4K02qBf+HC6Hbo/FHHZgbUkWBY7ZVpETmM1TpHp
ZeEdTZh1HzS2dKsNy/LWy23tkKNgdhDkBBETVJ4abfLk1JBcE3JFjlfiEAJx
/I6cxAET4KzE41fHHR8WfYgRN3R31+I6wtuia+to8oXNXGAji9tDt4BzXFxt
10b/idj4nrxebVme4CXN798fKfWOH7Cti0iRfIWORAld2PjcO32KfJeylt9R
Is1qxSrUO2WbEPU3I3rX81v7WRhDXz07PcQZ+zvdnTwfaKAW+O1VEFj5cxSv
8VGQCwc4XH8MEAEEJ/FK65/7ssoRLZDdhZ6A0KOxf/L8QH24ulLvj8cHTyVr
X0o0Wb3BoZ3JTBeGRRdK+Uq5dn1m0TsP2XS+LS+uvvUWO4YqzBEuWdaE9RF8
1S9mDyF+Yo8N3PTPYFRJqBwzquC1t6gdSy8ACqt3OXtwEWDgzt61PzTs2epC
jjb7Cyi02I6emnUXYXYITxC66Af20tmhu5I5+pZslCi9SEmOT5KzhKZ94l6W
2Rrn//nF2eWYdk3JrpGdEQrT3Td6473F7s5ikoFIVsGNxSJhtzYv4fnV1euo
NwZtc6C97VSUmvkU+YbJz1kp61IJO5937gNxt3PYHAjnZZALIouZytxdAhjw
6TSuD1fmLw1sASryKvrtdy9E7hynyJs4mqTdDe5MhNSIAaMwt2Cl8t1elQwY
Wu3IBVuGKN2ZiN3n7Zv9xx40PBuyex7HUr0f6/1j+PfAGnjRxe3h4UfqaMub
IkqtvTLZ3pcQ6reKb92elm/xGsutrjYFaQl8/MSW7al2kEd6gIj3msxEFwPC
91yNv/N2Ik44C5ZREiY5KY+5DRBfeIvXJOQsht3itPVHhZfMeTTjy7XdLQAq
Cxo4dXFB/D/cAEa8ATFCh9eBV8Kj/FrgfTjiFcIlvGzVw2QO49QcFInuduaG
WvrC+0/ofhA2WVV/eNolofYwKQ8BzOFUNiu4n2Pypchox29EbZebjLxvYRBf
+vvhm22chx27dFkX1O5SgXZ4KmweZJsKBV3TtT6mEFAYdl+hvh0wEbpGCScN
MROdqR0901174tESXR0mscn6IBhjacF1mDFvIey8S4qmC5fw8AL3orUMPJNt
33sSRcX6uYa93T68Lwopanz6/PyENQzvtnHI2exAaLms0V/2RKx+pD44S5g1
kGPAvEqAB7kre4u+cE8n1sMjhbF4uiTe2nAgvxT1EB6yveGUW7yPxJnpAW7T
IMNpQtgsIaaCNyPXXgvjC32XvAgbmwxu/ODYDJyyvWhdtW6m5C4qYj5H1xvT
kuxctvfLgB0jyBmdwlTLrYy0TTGrdrjPe53y7EziaG3P1Slk5w1dzrBcxtW+
QTTsWp+Elxfl25C47DVRNehJIOTKp5hQJ8VBmBdJqXt2HMRxWDz3YLAp4umm
qljx4lL3TnMGtT98/PhArlGSmTnmDZOfkULlmhicejokdwLlSEj6EbUMixUw
7dSfThXU7pTwAWbphEnkCF1KHmr4JiRW6RSqK3T9RkluG4dBU3ttkO0V6Z9x
F+1RIjh9Cohh7x6zR4aYlnH7s6hQDacuwepEo/PEGZ12lS7LNOQCojxTGyqm
mXhnQYIBXWDoi9PQ27jVUhIepCag2mwz10GFT1zqg+e24UVlLjudozOxEerv
LPjQabBbz16QAHTmFimNKxCGPn0h1ObqJXlPoqqWWjJZuJScE/qx2wmlb/t0
AQoQoOlpYWV7W3wspYX3Q6iAsrw6xfjEytTRzhAjoJsgRreCkbsFdHHik5rL
r7nfxdnPPiKqbMWJ62raBPUU0hbq1l4Z2oc6gC1c8xfijEvEgSexqrgsbtFL
zc748I7Ayhr3bO5Q/n77EkDndCEnxnF6U5R3uZktmPx/PSo2qyny3u/35kle
G7Kzz0/P1f8H40fzTrWNAAA=

-->

</rfc>
