<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-westerlund-moq-overview-00" category="info" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MoQ Overview">Media over QUIC Overview</title>
    <seriesInfo name="Internet-Draft" value="draft-westerlund-moq-overview-00"/>
    <author initials="M." surname="Westerlund" fullname="Magnus Westerlund">
      <organization>Ericsson</organization>
      <address>
        <email>magnus.westerlund@ericsson.com</email>
      </address>
    </author>
    <author initials="Z." surname="Sarker" fullname="Zaheduzzaman Sarker">
      <organization>Nokia</organization>
      <address>
        <email>zaheduzzaman.sarker@nokia.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <area>WIT</area>
    <workgroup>moq</workgroup>
    <abstract>
      <?line 48?>

<t>This document provides a high-level overview of the Media over QUIC
(MoQ) protocol suite. It describes the architecture, data model,
transport protocol, streaming formats, and security mechanisms that
together enable scalable low-latency media delivery over the Internet.
The document explains how these components relate to each other and
how they are composed to create interoperable media applications.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-westerlund-moq-overview/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Media over QUIC (MOQ) Working Group mailing list (<eref target="mailto:moq@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/moq/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/moq/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/https://github.com/gloinul/draft-westerlund-moq-overview"/>.</t>
    </note>
  </front>
  <middle>
    <?line 57?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Media over QUIC (MoQ) is an IETF working group that produces a
suite of protocol specifications for scalable, low-latency delivery
over the Internet. The central specification is the MoQ Transport
protocol (MOQT), a publish/subscribe protocol built on QUIC
<xref target="RFC9000"/> that uses intermediate relays to achieve distribution
at scale. Additional specifications build on MOQT to define
streaming formats, media containers, and end-to-end security
mechanisms.</t>
      <t>This document provides a high-level overview of these component protocols, how
they relate to each other, and how they are composed to create
interoperable applications. It is intended as an entry point for
implementers, reviewers, and protocol designers who want to understand
the overall system before reading the individual normative
specifications.</t>
      <t>Although the primary motivation of MoQ is media delivery,
MOQT itself is content-agnostic — it transports opaque objects
without knowledge of their payload. Media-specific logic (codecs,
containers, adaptive bitrate switching) is defined in separate
streaming format specifications that layer on top of the transport.
This separation means the protocol can serve other applications that
benefit from the same publish/subscribe, relay-based delivery model.</t>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>Today's media delivery landscape uses separate protocols for different
stages of the pipeline. Content is typically ingested using protocols
like RTMP, then repackaged at origin servers for distribution via
HTTP-based protocols such as HLS or DASH. This separation introduces
repackaging overhead, limits end-to-end latency, and creates
complexity at the boundaries between protocol domains.</t>
        <t>MoQ addresses this by providing a single protocol that can carry media
from original publisher to end subscriber, including through
intermediate relay nodes. The design is driven by four goals:</t>
        <dl>
          <dt>Latency:</dt>
          <dd>
            <t>TCP-based protocols suffer from head-of-line blocking and are slow
to respond to congestion. MoQ leverages QUIC's multiplexed streams
and partial reliability to minimise queuing latency and react
quickly to changing network conditions.</t>
          </dd>
          <dt>Leveraging QUIC:</dt>
          <dd>
            <t>QUIC provides parallel streams with independent loss recovery,
unreliable datagrams, stream priorities, and flow control. MoQ
maps its data model onto these features to achieve flexible
trade-offs between latency and reliability.</t>
          </dd>
          <dt>Convergence:</dt>
          <dd>
            <t>A single protocol from contribution through distribution eliminates
the need for intermediate repackaging. The same MoQ objects
produced by an encoder can be delivered to end subscribers without
transformation at relay nodes.</t>
          </dd>
          <dt>Relays:</dt>
          <dd>
            <t>Scalable media delivery requires intermediaries that can cache and
fan out content. MoQ treats relays as first-class protocol
participants: object metadata is structured so that relays can
route, prioritise, and cache content without accessing the media
payload itself.</t>
          </dd>
        </dl>
        <t>The resulting protocol is a general-purpose pub/sub delivery layer.
The media-specific aspects — how audio and video samples are
packaged, how tracks are described in a catalog, how adaptive
bitrate switching works — are defined by separate streaming format
specifications that build on MOQT. Applications outside media
delivery can use MOQT directly with their own object formats,
without adopting any of the media-specific layers.</t>
      </section>
      <section anchor="scope">
        <name>Document Scope</name>
        <t>This document is informational. It does not define protocol behaviour
or create new requirements. Its purpose is to:</t>
        <ul spacing="normal">
          <li>
            <t>Orient readers to the MoQ architecture and its components.</t>
          </li>
          <li>
            <t>Explain how the components relate to each other.</t>
          </li>
          <li>
            <t>Point readers to the relevant normative specification for each
topic.</t>
          </li>
        </ul>
        <t>The covered specifications are:</t>
        <ul spacing="normal">
          <li>
            <t>MOQT (Media over QUIC Transport) <xref target="I-D.ietf-moq-transport"/> —
the publish/subscribe transport protocol.</t>
          </li>
          <li>
            <t>MSF (MOQT Streaming Format) <xref target="I-D.ietf-moq-msf"/> — a streaming
format defining media packaging, catalog, and timeline.</t>
          </li>
          <li>
            <t>CMSF (CMAF-compliant MSF) <xref target="I-D.ietf-moq-cmsf"/> — an extension
of MSF for CMAF/ISO-BMFF packaged media.</t>
          </li>
          <li>
            <t>MoQ Secure Objects <xref target="I-D.ietf-moq-secure-objects"/> — end-to-end
authenticated encryption for content objects.</t>
          </li>
          <li>
            <t>Privacy Pass Authentication <xref target="I-D.ietf-moq-privacy-pass-auth"/> —
privacy-preserving token-based authorization.</t>
          </li>
          <li>
            <t>Common Access Tokens for MoQ (C4M) <xref target="I-D.ietf-moq-c4m"/> —
bearer token authorization scheme.</t>
          </li>
          <li>
            <t>LOC (Low Overhead Container) <xref target="I-D.ietf-moq-loc"/> — a minimal
media container format.</t>
          </li>
        </ul>
      </section>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>This document uses the following terms. Definitions attempt to be
consistent with <xref target="I-D.ietf-moq-transport"/> but in case of discrepancy
rely on the MOQT specification.</t>
        <dl>
          <dt>Client:</dt>
          <dd>
            <t>The party initiating a Transport Session.</t>
          </dd>
          <dt>Server:</dt>
          <dd>
            <t>The party accepting an incoming Transport Session.</t>
          </dd>
          <dt>Publisher:</dt>
          <dd>
            <t>An endpoint that handles subscriptions by sending objects from a
track.</t>
          </dd>
          <dt>Subscriber:</dt>
          <dd>
            <t>An endpoint that subscribes to and receives tracks.</t>
          </dd>
          <dt>Original Publisher:</dt>
          <dd>
            <t>The initial publisher of a given track — the entity that creates
the media content.</t>
          </dd>
          <dt>End Subscriber:</dt>
          <dd>
            <t>A subscriber that consumes the content and does not forward it to
other subscribers.</t>
          </dd>
          <dt>Relay:</dt>
          <dd>
            <t>An entity that is both a publisher and a subscriber, forwarding
content between other endpoints. Relays are neither the original
publisher nor the end subscriber.</t>
          </dd>
          <dt>Track:</dt>
          <dd>
            <t>A time-ordered sequence of groups, identified by a Full Track
Name. A track is the unit of subscription.</t>
          </dd>
          <dt>Group:</dt>
          <dd>
            <t>A collection of objects within a track that forms a join point.
Groups are independently useful — objects within a group should
not depend on objects in other groups.</t>
          </dd>
          <dt>Object:</dt>
          <dd>
            <t>The smallest addressable data unit in MoQ. An object is an
immutable sequence of bytes identified by its track, group ID,
and object ID.</t>
          </dd>
          <dt>Subgroup:</dt>
          <dd>
            <t>A sequence of objects within a group that share a QUIC stream.
Objects in a subgroup have consistent priority and dependency
relationships.</t>
          </dd>
          <dt>Transport Session:</dt>
          <dd>
            <t>A QUIC connection or WebTransport session over which MOQT
operates.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="use-cases">
      <name>Use Cases</name>
      <t>As noted in <xref target="introduction"/>, MOQT is a content-agnostic
publish/subscribe protocol. It can carry any data that fits the
track/group/object model — media is simply the use case that
motivated its design. Other potential applications include IoT
telemetry distribution, collaborative document state
synchronisation, real-time game state replication, and financial
market data feeds.</t>
      <t>This section describes the primary media use cases that have driven
the protocol design. They illustrate the requirements that shaped
the architecture, but do not represent an exhaustive list of what
MOQT can be used for.</t>
      <section anchor="uc-live">
        <name>Live Streaming Media Delivery</name>
        <t>In live streaming, an original publisher encodes and publishes media
content that is delivered through one or more relays to a potentially
large number of end subscribers.</t>
        <artwork><![CDATA[
 Original                                            End
 Publisher --> Relay --> Relay --> ... --> Relay --> Subscribers
                                                     (many)
]]></artwork>
        <t>Key characteristics:</t>
        <ul spacing="normal">
          <li>
            <t>One-to-many distribution, typically through a tree of relays.</t>
          </li>
          <li>
            <t>Target end-to-end latency ranges from under one second to several
seconds, depending on the application.</t>
          </li>
          <li>
            <t>Subscribers may join at any time and must be able to start playback
from a recent group boundary.</t>
          </li>
          <li>
            <t>Adaptive bitrate (ABR) switching between alternate encodings of the
same content allows subscribers to adapt to varying network
conditions.</t>
          </li>
          <li>
            <t>The original publisher produces a catalog describing available
tracks (resolutions, bitrates, codecs) so subscribers can make
informed selections.</t>
          </li>
        </ul>
      </section>
      <section anchor="uc-conferencing">
        <name>Real-Time Conferencing</name>
        <t>In conferencing, multiple participants each act as both original
publisher and end subscriber. Each participant publishes their own
audio and video tracks and subscribes to tracks from other
participants.</t>
        <artwork><![CDATA[
 Participant A ---+            +--- Participant C
                  |            |
                  v            v
              +-------+    +-------+
              | Relay |<-->| Relay |
              +-------+    +-------+
                  ^            ^
                  |            |
 Participant B ---+            +--- Participant D
]]></artwork>
        <t>Key characteristics:</t>
        <ul spacing="normal">
          <li>
            <t>Many-to-many communication with low participant counts (tens to
hundreds).</t>
          </li>
          <li>
            <t>Target latency is interactive: below 500 milliseconds end-to-end.</t>
          </li>
          <li>
            <t>Each participant subscribes to a subset of available tracks (e.g.,
active speakers only).</t>
          </li>
          <li>
            <t>Scalable video coding (SVC) or simulcast may be used, with the
relay or subscriber selecting appropriate layers.</t>
          </li>
          <li>
            <t>End-to-end encryption is particularly important since relays
should not have access to media content.</t>
          </li>
        </ul>
      </section>
      <section anchor="uc-ingest">
        <name>Content Contribution and Primary Distribution</name>
        <t>In content contribution (ingest), a professional encoder at a
production site publishes high-quality media to a relay operated by a
distribution service (e.g., a CDN).</t>
        <artwork><![CDATA[
 Encoder/       CDN Ingress      CDN Edge
 Producer  -->  Relay       -->  Relay(s)  -->  Subscribers
]]></artwork>
        <t>Key characteristics:</t>
        <ul spacing="normal">
          <li>
            <t>The ingress relay receives the contributed content and may
transcode it into multiple representations (resolutions, bitrates).</t>
          </li>
          <li>
            <t>After transcoding, the distribution service becomes the original
publisher of the new representations — the transcoded tracks are
distinct from the contributed track.</t>
          </li>
          <li>
            <t>Reliability is prioritised over latency for the contribution link.</t>
          </li>
          <li>
            <t>The same MOQT protocol is used for both the contribution link
(encoder to ingress) and the distribution links (edge relays to
subscribers), achieving the convergence goal.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="architecture">
      <name>Architecture and Nodes</name>
      <section anchor="roles">
        <name>Roles</name>
        <t>A MOQT deployment involves endpoints in the following roles:</t>
        <dl>
          <dt>Publisher:</dt>
          <dd>
            <t>Sends objects belonging to one or more tracks. A publisher
responds to subscriptions and delivers matching objects to
subscribers.</t>
          </dd>
          <dt>Subscriber:</dt>
          <dd>
            <t>Requests tracks and receives objects. A subscriber issues
SUBSCRIBE or FETCH requests to obtain content.</t>
          </dd>
          <dt>Original Publisher:</dt>
          <dd>
            <t>The endpoint that creates and first publishes a track's content.
The original publisher is responsible for the media encoding,
object payload, and track properties.</t>
          </dd>
          <dt>End Subscriber:</dt>
          <dd>
            <t>The final consumer of a track's content. An end subscriber
decodes and renders the media.</t>
          </dd>
        </dl>
        <t>A single endpoint may act in multiple roles simultaneously. In
conferencing, each participant is both an original publisher (for
their own media) and an end subscriber (for other participants'
media).</t>
      </section>
      <section anchor="relays">
        <name>Relays</name>
        <t>Relays are intermediary nodes that are both publishers (to downstream
subscribers) and subscribers (to upstream publishers). They terminate
MOQT sessions on each side independently — a relay is not a
transparent proxy.</t>
        <t>Relays provide:</t>
        <ul spacing="normal">
          <li>
            <t>Fan-out: A single upstream subscription serves multiple downstream
subscribers requesting the same track.</t>
          </li>
          <li>
            <t>Caching: Objects can be stored and served to subscribers that join
later, without fetching from the original publisher again.</t>
          </li>
          <li>
            <t>Geographic distribution: Relays can be deployed close to
subscribers to reduce latency.</t>
          </li>
        </ul>
        <t>Relays are content-agnostic: they forward object payloads without
interpreting or modifying them. This enables end-to-end encryption
where relays cannot access media content, while still performing
their routing and caching functions based on object metadata
(track names, group IDs, priorities, properties).</t>
        <t>Relays are enforcement points for access and authorization. In many
deployments that have any restriction on access of the content the
relay is expected to be the node that receives proof of authorization
and will be responsible to verify and periodically re-verify this
proof before delivering content.</t>
        <t>Relays are also not necessarily application-agnostic when it
comes to deployment and operation. The configuration of relay
topologies, authorization policies, caching strategies, and resource
limits are application-specific concerns. A relay serving a live
streaming platform operates differently from one supporting a
conferencing service, even though the protocol mechanics are
identical. Moreover, even though relays need not parse media payload
formats in order to forward content, they may still apply
application-aware policy based on visible metadata, naming
conventions, and authorization state.</t>
        <t>For further discussion of relay operational considerations,
including denial-of-service resilience, see
<xref target="I-D.englishm-moq-relay-dos"/>.</t>
      </section>
      <section anchor="topologies">
        <name>Deployment Topologies</name>
        <t>MOQT supports several deployment topologies:</t>
        <dl>
          <dt>Point-to-point:</dt>
          <dd>
            <t>A publisher connects directly to a subscriber with no
intermediate relay. Suitable for contribution ingest,
AI produced dissemination,  or testing.</t>
          </dd>
        </dl>
        <artwork><![CDATA[
 Publisher <--> Subscriber
]]></artwork>
        <dl>
          <dt>Single relay:</dt>
          <dd>
            <t>A publisher connects to a relay, which serves one or more
subscribers. The relay provides fan-out and caching.</t>
          </dd>
        </dl>
        <artwork><![CDATA[
 Publisher <--> Relay <--> Subscriber(s)
]]></artwork>
        <dl>
          <dt>Relay tree:</dt>
          <dd>
            <t>A publisher connects to an origin relay, which fans out to edge
relays closer to subscribers. This is the typical CDN deployment
model.</t>
          </dd>
        </dl>
        <artwork><![CDATA[
 Publisher <--> Origin Relay <--> Edge Relay(s) <--> Subscriber(s)
]]></artwork>
        <dl>
          <dt>Relay mesh:</dt>
          <dd>
            <t>Relays interconnect with multiple peers, subscribing and
publishing bidirectionally between each other. Each relay both
receives content from and forwards content to its neighbouring
relays. This topology suits conferencing and multi-publisher
scenarios where content flows in multiple directions
simultaneously and there is no single origin.</t>
          </dd>
        </dl>
        <artwork><![CDATA[
 Publisher A <--> Relay 1 <----> Relay 2 <--> Subscriber C
                   ^    ^       ^    ^
                   |     \     /     |
                   |      v   v      |
                   |     Relay 3     |
                   |       ^         |
                   v       |         v
         Subscriber B  Publisher D  Subscriber E
]]></artwork>
        <t>In all topologies, each hop is an independent MOQT session. Relays
manage subscriptions on each session independently and can
aggregate multiple downstream subscriptions into a single upstream
subscription.</t>
        <t>MOQT supports graceful session migration: a relay that needs to shut
down sends a GOAWAY message directing its peers to reconnect to a
different server. The peers then establish new sessions and re-issue
their subscriptions, allowing relay maintenance or replacement, but
continuity depends on object availability, timing, and
application/session policy.</t>
      </section>
    </section>
    <section anchor="data-model">
      <name>Data Model</name>
      <t>MOQT defines a hierarchical data model for organising media content.
Understanding this model is essential to working with any part of
the MoQ protocol suite. The data model is defined in Section 2 of
<xref target="I-D.ietf-moq-transport"/> and summarised below for convenience.</t>
      <section anchor="hierarchy">
        <name>Hierarchy</name>
        <t>The data model has four levels:</t>
        <artwork><![CDATA[
 Track
   └── Group (join point)
         └── Subgroup (stream-mapped unit)
               └── Object (smallest addressable payload)
]]></artwork>
        <dl>
          <dt>Track:</dt>
          <dd>
            <t>A named, time-ordered sequence of groups. Tracks are the unit of
subscription — a subscriber requests a track by its Full Track
Name and receives objects from that track.</t>
          </dd>
          <dt>Group:</dt>
          <dd>
            <t>A temporal collection of objects within a track. A group
represents a join point: a subscriber can begin receiving content
at any group boundary without needing prior groups. For video,
a group typically corresponds to a Group of Pictures (GOP)
starting with a random access point.</t>
          </dd>
          <dt>Subgroup:</dt>
          <dd>
            <t>A sequence of objects within a group that are sent on a single
QUIC stream. Objects in a subgroup share priority and have
dependency relationships consistent with in-order delivery.
Subgroups enable the priority mechanism to favour certain objects
(e.g., base-layer frames) over others within the same group.</t>
          </dd>
          <dt>Object:</dt>
          <dd>
            <t>The basic data element — an addressable, immutable sequence of
bytes. Each object is uniquely identified by its Full Track Name,
group ID, and object ID. Objects within a group are ordered by
object ID.</t>
          </dd>
        </dl>
      </section>
      <section anchor="naming">
        <name>Track Naming</name>
        <t>Every track is identified by a Full Track Name consisting of two
parts:</t>
        <dl>
          <dt>Track Namespace:</dt>
          <dd>
            <t>An ordered tuple of one or more fields ( up to 32) (e.g.,
"example.com", "meeting123", "alice"). The namespace provides
hierarchical structure that relays use for prefix-based routing
and subscription matching.</t>
          </dd>
          <dt>Track Name:</dt>
          <dd>
            <t>A byte sequence identifying a specific track within the
namespace (e.g., "video-hd", "audio", "catalog").</t>
          </dd>
        </dl>
        <t>The combination of namespace and track name is unique within a
given scope. A scope is defined by the server or set of servers
that a client connects to — specifically, those sharing the same
host and path in the connection URI. Within a scope, no two
distinct tracks can have the same Full Track Name, which means it
can serve as a cache key at relays.</t>
      </section>
      <section anchor="properties">
        <name>Properties</name>
        <t>Tracks and objects can carry additional metadata called Properties.
Properties are visible to relays and can influence how content is
distributed. There are two scopes of properties — track-wide and
per-object — and within either scope, individual properties can
optionally be marked as immutable to support end-to-end
authentication.</t>
        <dl>
          <dt>Track Properties:</dt>
          <dd>
            <t>Metadata associated with an entire track. Examples include
default publisher priority, group order preference, maximum
cache duration, and delivery timeouts. Track Properties are
communicated in control messages (PUBLISH, SUBSCRIBE_OK,
FETCH_OK).</t>
          </dd>
          <dt>Object Properties:</dt>
          <dd>
            <t>Per-object metadata carried in object headers. MOQT defines
the framework for object properties, including gap indicators
(Prior Group ID Gap, Prior Object ID Gap). Media-specific
properties such as timestamps and frame markings are defined by
LOC and MSF for use with encoded audio/video samples.</t>
          </dd>
          <dt>Immutable Properties:</dt>
          <dd>
            <t>Either track or object properties may be placed inside an
Immutable Properties container. Once set by the original
publisher, these cannot be modified or removed by relays. This
enables end-to-end authentication: subscribers can verify that
immutable values have not been altered in transit.</t>
          </dd>
        </dl>
        <t>Properties are registered in IANA registries and use a Key-Value-Pair
encoding. Relays that do not understand a property must forward it
unchanged.</t>
      </section>
      <section anchor="immutability">
        <name>Object Immutability and Cacheability</name>
        <t>A fundamental property of MOQT objects is immutability: once an object
is published, its payload must never change. Two received objects with
the same Full Track Name, group ID, and object ID must contain
identical bytes.</t>
        <t>This guarantee enables:</t>
        <ul spacing="normal">
          <li>
            <t>Caching at relays without cache-invalidation complexity.</t>
          </li>
          <li>
            <t>Deduplication when the same object arrives from multiple upstream
sources.</t>
          </li>
          <li>
            <t>End-to-end integrity verification — a subscriber can detect if an
object has been tampered with.</t>
          </li>
        </ul>
        <t>An object can transition from "exists" to "does not exist" (e.g.,
cache expiry), but its contents cannot be modified. The protocol
signals object status (normal, end-of-group, end-of-track) to
communicate lifecycle information.</t>
      </section>
    </section>
    <section anchor="transport">
      <name>MOQT: The Transport Protocol</name>
      <t>Media over QUIC Transport (MOQT) <xref target="I-D.ietf-moq-transport"/> is the
publish/subscribe protocol that carries objects between publishers and
subscribers. MOQT treats all object payloads as opaque byte sequences
— it provides delivery, prioritisation, and caching without any
knowledge of the content being carried. This section provides an
overview of its key mechanisms.</t>
      <section anchor="session-establishment">
        <name>Session Establishment</name>
        <t>MOQT runs over either native QUIC or WebTransport:</t>
        <ul spacing="normal">
          <li>
            <t>Native QUIC: The client connects using the TLS
Application-Layer Protocol Negotiation (ALPN) identifier "moqt"
and identifies the server using a "moqt://" URI. The authority
and path are communicated via Setup Options.</t>
          </li>
          <li>
            <t>WebTransport: The client establishes a WebTransport session over
HTTP/3, using an HTTPS URI derived from the moqt:// URI.</t>
          </li>
        </ul>
        <t>Both provide stream multiplexing and secure transport, though the
deployment model differs — particularly in browser-based environments
where only WebTransport is available. Applications should treat them
as functionally similar substrates with some environment-specific
constraints.</t>
        <t>After the transport connection is established, each endpoint opens a
unidirectional control stream and sends a SETUP message. The SETUP
exchange negotiates the protocol version and extensions (Setup
Options) before any other messages are exchanged.</t>
      </section>
      <section anchor="pub-sub">
        <name>Publishing and Subscribing</name>
        <t>MOQT provides several mechanisms for publishers and subscribers to
exchange content:</t>
        <dl>
          <dt>SUBSCRIBE:</dt>
          <dd>
            <t>A subscriber requests newly published objects for a track. The
publisher responds with SUBSCRIBE_OK and begins forwarding
matching objects as they are produced. Subscription filters
(Largest Object, Next Group, AbsoluteStart, AbsoluteRange)
control which objects are delivered.</t>
          </dd>
          <dt>PUBLISH:</dt>
          <dd>
            <t>A publisher initiates a subscription by pushing content to a
subscriber. This inverts the usual direction — the publisher
offers a track rather than waiting for a subscription request.</t>
          </dd>
          <dt>FETCH:</dt>
          <dd>
            <t>A subscriber requests a specific range of previously published
objects. Unlike SUBSCRIBE, which delivers objects as they are
produced going forward, FETCH retrieves objects that already
exist. A subscriber that joins a track mid-stream typically
needs both: a SUBSCRIBE to receive new objects, and a FETCH
(called a Joining Fetch) to retrieve the recent objects needed
to start decoding — for example, the beginning of the current
video group of pictures.</t>
          </dd>
          <dt>Namespace Discovery:</dt>
          <dd>
            <t>Publishers advertise available namespaces via PUBLISH_NAMESPACE.
Subscribers discover content by sending SUBSCRIBE_NAMESPACE
(to learn about matching namespaces) or SUBSCRIBE_TRACKS (to
receive PUBLISH messages for tracks within matching namespaces).
Relays use namespace prefix matching to route subscriptions to
the appropriate upstream publishers.</t>
          </dd>
        </dl>
        <t>All subscription interactions follow a state machine: Idle →
Pending → Established → Terminated. Either endpoint can terminate
a subscription — the subscriber via cancellation, the publisher
via PUBLISH_DONE.</t>
      </section>
      <section anchor="priorities">
        <name>Priorities and Delivery</name>
        <t>When network capacity is insufficient to deliver all subscribed
content, MOQT's priority system determines what gets delivered
first:</t>
        <ul spacing="normal">
          <li>
            <t>Subscriber Priority: Set per-subscription by the subscriber to
express relative importance among its own subscriptions.</t>
          </li>
          <li>
            <t>Publisher Priority: Set per-object by the publisher to express
relative importance within a track (e.g., base layer vs.
enhancement layer).</t>
          </li>
          <li>
            <t>Group Order: Ascending (oldest first) or descending (newest
first) delivery of groups within a subscription.</t>
          </li>
        </ul>
        <t>Under congestion, lower-priority content may be delayed or dropped
entirely. Two timeout mechanisms support controlled data loss:</t>
        <ul spacing="normal">
          <li>
            <t>Object Delivery Timeout: If an object cannot be sent within this
duration after its first byte was produced, it is discarded.</t>
          </li>
          <li>
            <t>Subgroup Delivery Timeout: If a completed subgroup's data is not
fully acknowledged within this duration, the stream is reset —
meaning any undelivered data on that stream is abandoned and will
not be retransmitted.</t>
          </li>
        </ul>
        <t>Objects can be sent on QUIC streams (reliable, in-order within the
stream) or as QUIC datagrams (unreliable, low-latency). The choice
is the Object Forwarding Preference, set per-object by the original
publisher.</t>
        <t>Client side Adaptive Bitrate (ABR) is possible by either ending a
subscription and replace it with another track that is another
represenation at another bit-rate than the previous one. Steering
these changes to be done at the next group boundary.</t>
        <t>The WG is working on sender side ABR where the publisher uses
its understanding of the congestion situation to select the
set of tracks to be published to the subscriber.</t>
      </section>
      <section anchor="extensibility">
        <name>Extensibility and Session Management</name>
        <t>MOQT is designed for evolution without breaking existing
implementations:</t>
        <dl>
          <dt>Setup Options:</dt>
          <dd>
            <t>Negotiated per-session in the SETUP exchange. Unknown options are
ignored, allowing new features to be introduced without breaking
older endpoints.</t>
          </dd>
          <dt>Message Parameters:</dt>
          <dd>
            <t>Per-message metadata included in control messages. Parameters are
peer-to-peer and are not forwarded by relays.</t>
          </dd>
          <dt>Properties:</dt>
          <dd>
            <t>Per-track and per-object metadata that is forwarded and cached by
relays, unlike Message Parameters. Properties use IANA-registered
type codes. Unknown properties must be forwarded unchanged.</t>
          </dd>
          <dt>GREASE (Generate Random Extensions And Sustain Extensibility):</dt>
          <dd>
            <t>Reserved code points that implementations may send to exercise
their peers' handling of unknown values. This ensures that
deployed software does not break when new extensions are
introduced.</t>
          </dd>
        </dl>
        <t>GOAWAY supports graceful session migration and can reduce disruption
during relay maintenance or replacement, but continuity depends on
object availability, timing, and application/session policy.</t>
      </section>
    </section>
    <section anchor="streaming-formats">
      <name>Streaming Formats</name>
      <t>MOQT is content-agnostic — it transports opaque object payloads
without interpreting them. A streaming format defines how media
content is packaged into MOQT objects and how subscribers discover
and select tracks. Streaming formats bridge the gap between raw
media encodings and the MOQT data model.</t>
      <section anchor="sf-role">
        <name>Role of a Streaming Format</name>
        <t>A streaming format specifies:</t>
        <ul spacing="normal">
          <li>
            <t>How encoded media samples are mapped to MOQT objects and groups.</t>
          </li>
          <li>
            <t>A catalog format describing available tracks and their properties.</t>
          </li>
          <li>
            <t>Rules for time-alignment and ABR switching between tracks.</t>
          </li>
          <li>
            <t>Timeline information mapping MOQT group/object IDs to media
presentation time.</t>
          </li>
          <li>
            <t>Any additional metadata tracks (events, logs, metrics).</t>
          </li>
        </ul>
        <t>Without a streaming format, a subscriber receiving objects would have
no way to discover what content is available, how to decode it, or
how to synchronise multiple tracks.</t>
      </section>
      <section anchor="msf">
        <name>MSF: MOQT Streaming Format</name>
        <t>The MOQT Streaming Format (MSF) <xref target="I-D.ietf-moq-msf"/> is the primary
streaming format defined for MoQ. It uses LOC (Low
Overhead Container) <xref target="I-D.ietf-moq-loc"/> packaging, where each
encoded media sample (audio frame or video frame) is placed in a
separate MOQT object. This one-sample-per-object mapping allows
the transport to make independent delivery decisions for each
frame — for example, prioritising base-layer video frames over
enhancement layers, or dropping an expired frame without affecting
the delivery of subsequent frames.</t>
        <t>MSF defines:</t>
        <dl>
          <dt>Catalog:</dt>
          <dd>
            <t>A JSON track named "catalog" that describes all available tracks
in a namespace. The catalog includes codec information, bitrates,
resolutions, language, and relationships between tracks (render
groups for synchronised playback, alternate groups for ABR
switching). Delta updates allow efficient signalling of track
additions and removals.</t>
          </dd>
          <dt>Media Timeline:</dt>
          <dd>
            <t>An optional track that maps MOQT group/object IDs to media
presentation timestamps and wallclock times. This enables seeking
and synchronisation. A template mechanism supports regular
patterns without requiring an explicit timeline track.</t>
          </dd>
          <dt>Event Timelines:</dt>
          <dd>
            <t>Optional metadata tracks carrying time-synchronised application
data (e.g., sports scores, ad insertion markers, GPS coordinates).</t>
          </dd>
          <dt>Publish Tracks:</dt>
          <dd>
            <t>Tracks defined in the catalog to which the subscriber can publish
data back (e.g., QoE metrics, logs).</t>
          </dd>
        </dl>
        <t>MSF supports content with target latencies ranging from real-time
(under 500ms) to standard live (several seconds) to video-on-demand.</t>
      </section>
      <section anchor="cmsf">
        <name>CMSF: CMAF-Compliant Streaming Format</name>
        <t>CMSF <xref target="I-D.ietf-moq-cmsf"/> extends MSF to support CMAF (Common
Media Application Format) packaged media. It is designed for
workflows that use ISO-BMFF containers and existing DRM systems.</t>
        <t>Key differences from base MSF:</t>
        <ul spacing="normal">
          <li>
            <t>Objects contain CMAF Chunks rather than raw codec samples. A
CMAF Chunk is the elementary media segment structure used by
ISO-BMFF-based streaming (the container format behind DASH and
HLS fMP4), consisting of metadata and media data boxes.</t>
          </li>
          <li>
            <t>Initialization segments (CMAF Headers) are carried in the catalog
as base64-encoded inline data.</t>
          </li>
          <li>
            <t>Content protection uses Common Encryption (CENC) with commercial
DRM systems (Widevine, PlayReady, FairPlay) rather than the
application-layer encryption defined by MoQ Secure Objects.</t>
          </li>
          <li>
            <t>SAP-type event timelines signal stream access points for seeking.</t>
          </li>
        </ul>
        <t>CMSF targets deployments that need interoperability with existing
DASH/HLS ecosystems and hardware-based content decryption modules.</t>
      </section>
      <section anchor="layering">
        <name>Layering</name>
        <t>The relationship between the components is:</t>
        <artwork><![CDATA[
 +------------------+
 | Application      |
 +------------------+
 | Streaming Format |  <-- MSF or CMSF
 | (catalog, rules) |
 +------------------+
 | Media Container  |  <-- LOC or CMAF
 +------------------+
 | MOQT             |  <-- transport protocol
 +------------------+
 | QUIC / WebTrans  |
 +------------------+
 | UDP / IP         |
 +------------------+
]]></artwork>
        <t>The streaming format layer defines the media semantics. The
container layer defines how individual samples are serialised.
MOQT provides the delivery machinery. Applications select the
appropriate combination for their needs.</t>
      </section>
    </section>
    <section anchor="security">
      <name>Security Architecture</name>
      <t>MoQ employs a layered security model. Each layer addresses different
threats and operates at a different scope.</t>
      <section anchor="hbh-security">
        <name>Hop-by-Hop Security</name>
        <t>MOQT runs over QUIC or WebTransport, both of which use TLS 1.3 for
the underlying connection. This provides:</t>
        <ul spacing="normal">
          <li>
            <t>Confidentiality and integrity of all data on each hop.</t>
          </li>
          <li>
            <t>Server authentication (and optionally mutual authentication).</t>
          </li>
          <li>
            <t>Protection against on-path attackers between adjacent nodes.</t>
          </li>
        </ul>
        <t>However, hop-by-hop security does not protect content from relays.
A relay terminates the TLS session and has access to all MOQT
message contents, including object payloads, unless additional
end-to-end protection is applied.</t>
      </section>
      <section anchor="e2e-security">
        <name>End-to-End Object Encryption</name>
        <t>MoQ Secure Objects <xref target="I-D.ietf-moq-secure-objects"/> provides
end-to-end authenticated encryption of media object payloads. It is
based on the SFrame mechanism (<xref target="RFC9605"/>).</t>
        <t>The scheme:</t>
        <ul spacing="normal">
          <li>
            <t>Encrypts the object payload and optional encrypted properties.</t>
          </li>
          <li>
            <t>Authenticates the group ID, object ID, Full Track Name, and
immutable properties.</t>
          </li>
          <li>
            <t>Derives per-track keys from a shared base key using HKDF (a
standard key derivation function that deterministically produces
cryptographic keys from input material).</t>
          </li>
          <li>
            <t>Forms a unique nonce (a value used exactly once) for each object
from the group ID and object ID, ensuring that no two objects
are encrypted with the same parameters.</t>
          </li>
        </ul>
        <t>Relays can still route and cache objects based on unencrypted
metadata (track names, group IDs, priorities, object properties)
but cannot access the media content. The architecture separates
metadata required for routing/caching from metadata that can be
authenticated or encrypted end-to-end. The exact protected
elements depend on the object security scheme and application
profile.</t>
        <t>Key distribution is out of scope for the MoQ specifications —
applications use external key management systems (e.g., MLS-based key
distribution for conferencing <xref target="RFC9750"/>,<xref target="RFC9420"/>, or out-of-band provisioning
for streaming).</t>
      </section>
      <section anchor="authorization">
        <name>Authorization</name>
        <t>In general, MOQT defines where authorization material can be
carried in protocol exchanges, while the semantic interpretation
and verification procedure depend on the selected authorization
scheme and the relay or publisher’s local policy.</t>
        <t>MOQT provides a generic AUTHORIZATION TOKEN parameter that can be
included in control messages (SUBSCRIBE, FETCH, PUBLISH,
PUBLISH_NAMESPACE, and others). Both publishers and subscribers use
this single mechanism to present credentials; relays verify the
token before forwarding content or establishing upstream
subscriptions. Tokens can be registered with session-scoped aliases
to avoid retransmitting large values on every message.</t>
        <t>The working group has defined two authorization schemes that
operate over this mechanism:</t>
        <ul spacing="normal">
          <li>
            <t>Privacy Pass Authentication <xref target="I-D.ietf-moq-privacy-pass-auth"/> —
provides privacy-preserving, unlinkable authorization using
Privacy Pass tokens. It supports fine-grained access control
through namespace and track name matching rules, and defines
mechanisms for continuous re-authorization over long-lived
sessions — either by obtaining multiple tokens in advance
(batched issuance) or by exchanging a validated token for fresh
ones directly with the relay (reverse issuance flow).</t>
          </li>
          <li>
            <t>Common Access Tokens (C4M) <xref target="I-D.ietf-moq-c4m"/> — provides a
bearer token scheme using structured tokens with claims that
express authorization scope. C4M follows a model familiar from
HTTP-based systems.</t>
          </li>
        </ul>
        <t>The choice between schemes depends on application requirements:
Privacy Pass prioritises subscriber anonymity, while C4M offers
simpler integration for deployments with existing identity
infrastructure.</t>
        <t>The streaming format catalog can signal authorization requirements
per-track (via the authInfo field in MSF), allowing subscribers to
discover what credentials they need before attempting to subscribe.</t>
      </section>
      <section anchor="privacy">
        <name>Privacy Considerations</name>
        <t>MoQ's relay-based architecture means that intermediaries necessarily
observe certain metadata in the course of routing and caching
content. Key privacy considerations include:</t>
        <ul spacing="normal">
          <li>
            <t>Relay visibility of metadata: Track namespaces, track names,
group IDs, and object properties are visible to every relay in
the delivery path. This metadata can reveal information about
content and participants even when payloads are end-to-end
encrypted.</t>
          </li>
          <li>
            <t>Traffic analysis: Object sizes, timing patterns, and
subscription behaviour can allow relays or on-path observers to
infer what content is being consumed or who is communicating.</t>
          </li>
          <li>
            <t>Subscriber unlinkability: Without privacy-preserving
authorization (such as Privacy Pass), relays can correlate a
subscriber's identity across multiple sessions or subscriptions.</t>
          </li>
        </ul>
        <t>MOQT provides mechanisms that applications can use to mitigate
these risks, including padding (to obscure traffic patterns) and
token schemes that support unlinkable authentication. However,
achieving strong privacy requires deliberate application design —
for example, using generic namespace structures and consistent
object sizes.</t>
      </section>
    </section>
    <section anchor="application">
      <name>Defining a MoQ Application</name>
      <t>MOQT, streaming formats, container formats, and security mechanisms
are composable building blocks. A complete MoQ application is defined
by specifying which components to use and how they are configured.
This set of choices is also what creates an interoperability point:
two implementations that make the same choices can exchange content
without additional negotiation.</t>
      <section anchor="design-choices">
        <name>Application Design Choices</name>
        <t>Defining a MoQ application requires decisions in each of the
following areas:</t>
        <dl>
          <dt>Transport version:</dt>
          <dd>
            <t>Which MOQT version the application requires, as identified by
the protocol's ALPN string (the identifier used during TLS
connection setup to select the application protocol). This
determines the available protocol features.</t>
          </dd>
          <dt>Streaming format and catalog:</dt>
          <dd>
            <t>How media or data is packaged into MOQT objects, and how
available tracks are described to subscribers. An application may
adopt an existing format (MSF, CMSF) or define a new one.</t>
          </dd>
          <dt>Container and codecs:</dt>
          <dd>
            <t>What container format wraps the encoded samples (e.g., LOC, CMAF)
and which codecs are supported.</t>
          </dd>
          <dt>Security:</dt>
          <dd>
            <t>Whether end-to-end encryption is required (and which scheme), and
which authorization scheme(s) are used to control access.</t>
          </dd>
          <dt>Relay deployment model:</dt>
          <dd>
            <t>How relays are deployed and operated — tree, mesh, or hybrid —
and what trust and authorization policies apply between nodes.</t>
          </dd>
          <dt>Extensions:</dt>
          <dd>
            <t>Any mandatory MOQT extensions (Properties, Setup Options) that
endpoints must support. Applications that need relay-visible
metadata beyond what MOQT defines can register new Properties or
use the application-reserved type ranges.</t>
          </dd>
        </dl>
        <t>If existing components do not cover an application's needs, the MoQ
framework supports extension without modifying the base protocol:
new streaming formats can define their own catalog structures and
packaging rules, new Properties can be registered via IANA, and new
event timeline types can be defined for synchronised metadata.</t>
      </section>
      <section anchor="existing-apps">
        <name>Existing Application Definitions</name>
        <t>The MoQ working group has defined two complete application
specifications that illustrate the design choices above:</t>
        <dl>
          <dt>MSF (MOQT Streaming Format):</dt>
          <dd>
            <t>Uses MOQT + LOC packaging + a JSON catalog. Targets real-time and
live streaming with LOC's minimal per-sample overhead. Supports
ABR switching via time-aligned alternate groups, media timelines,
event timelines, and publish tracks for subscriber-to-platform
communication. Defined in <xref target="I-D.ietf-moq-msf"/>.</t>
          </dd>
          <dt>CMSF (CMAF-compliant Streaming Format):</dt>
          <dd>
            <t>Extends MSF with CMAF/ISO-BMFF packaging and Common Encryption
(CENC) for DRM integration. Targets deployments that interoperate
with existing DASH/HLS ecosystems and hardware content decryption.
Defined in <xref target="I-D.ietf-moq-cmsf"/>.</t>
          </dd>
        </dl>
        <t>Both specifications make concrete choices for every area listed in
<xref target="design-choices"/>, producing fully interoperable application
definitions.</t>
      </section>
      <section anchor="reading-guide">
        <name>Reading Guide</name>
        <t>The following table maps common goals to the relevant specifications:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Goal</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Understand the wire protocol and session mechanics</td>
              <td align="left">
                <xref target="I-D.ietf-moq-transport"/></td>
            </tr>
            <tr>
              <td align="left">Build a live streaming or conferencing application using LOC</td>
              <td align="left">
                <xref target="I-D.ietf-moq-msf"/></td>
            </tr>
            <tr>
              <td align="left">Use CMAF packaging with DRM</td>
              <td align="left">
                <xref target="I-D.ietf-moq-cmsf"/></td>
            </tr>
            <tr>
              <td align="left">Add end-to-end encryption</td>
              <td align="left">
                <xref target="I-D.ietf-moq-secure-objects"/></td>
            </tr>
            <tr>
              <td align="left">Implement privacy-preserving authorization</td>
              <td align="left">
                <xref target="I-D.ietf-moq-privacy-pass-auth"/></td>
            </tr>
            <tr>
              <td align="left">Implement bearer-token authorization</td>
              <td align="left">
                <xref target="I-D.ietf-moq-c4m"/></td>
            </tr>
            <tr>
              <td align="left">Understand the LOC container format</td>
              <td align="left">
                <xref target="I-D.ietf-moq-loc"/></td>
            </tr>
            <tr>
              <td align="left">Operate relays and understand DoS resilience</td>
              <td align="left">
                <xref target="I-D.englishm-moq-relay-dos"/></td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The MoQ security model is described in <xref target="security"/>. The key
residual risks are:</t>
      <dl>
        <dt>Relay Trust:</dt>
        <dd>
          <t>Relays see all MOQT metadata and, without E2E encryption, all
object payloads. Deployments must carefully consider which
entities operate relays and what authorization they require.</t>
        </dd>
        <dt>Cache Poisoning:</dt>
        <dd>
          <t>If a relay accepts objects from an unauthorized publisher, it may
serve corrupted content to subscribers. Relay implementations
must verify publisher identity and authorization before caching.</t>
        </dd>
        <dt>Traffic Analysis:</dt>
        <dd>
          <t>Even with E2E encryption, object sizes, timing patterns, and
track names can reveal content characteristics. Padding and
generic naming mitigate but do not eliminate this risk.</t>
        </dd>
        <dt>Authorization Token Replay:</dt>
        <dd>
          <t>Token replay protection is delegated to the specific token
scheme. Implementations must select schemes with appropriate
replay resistance for their threat model.</t>
        </dd>
        <dt>Amplification:</dt>
        <dd>
          <t>A single SUBSCRIBE can trigger unbounded data flow from a
publisher or relay. Rate limiting, per-session resource caps,
and the EXCESSIVE_LOAD error code provide defences. See
<xref target="I-D.englishm-moq-relay-dos"/> for detailed analysis.</t>
        </dd>
      </dl>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
    <section anchor="contributors">
      <name>Contributors</name>
      <t>The following persons have contributed to this document:</t>
      <ul spacing="normal">
        <li>
          <t>Gwendal Simon</t>
        </li>
      </ul>
    </section>
    <section anchor="acknowledgments">
      <name>Acknowledgments</name>
    </section>
  </middle>
  <back>
    <references anchor="sec-informative-references">
      <name>Informative References</name>
      <reference anchor="RFC9000" target="https://www.rfc-editor.org/info/rfc9000" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml">
        <front>
          <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
          <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
          <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
          <date month="May" year="2021"/>
          <abstract>
            <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9000"/>
        <seriesInfo name="DOI" value="10.17487/RFC9000"/>
      </reference>
      <reference anchor="RFC9605" target="https://www.rfc-editor.org/info/rfc9605" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9605.xml">
        <front>
          <title>Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media</title>
          <author fullname="E. Omara" initials="E." surname="Omara"/>
          <author fullname="J. Uberti" initials="J." surname="Uberti"/>
          <author fullname="S. G. Murillo" initials="S. G." surname="Murillo"/>
          <author fullname="R. Barnes" initials="R." role="editor" surname="Barnes"/>
          <author fullname="Y. Fablet" initials="Y." surname="Fablet"/>
          <date month="August" year="2024"/>
          <abstract>
            <t>This document describes the Secure Frame (SFrame) end-to-end encryption and authentication mechanism for media frames in a multiparty conference call, in which central media servers (Selective Forwarding Units or SFUs) can access the media metadata needed to make forwarding decisions without having access to the actual media.</t>
            <t>This mechanism differs from the Secure Real-Time Protocol (SRTP) in that it is independent of RTP (thus compatible with non-RTP media transport) and can be applied to whole media frames in order to be more bandwidth efficient.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9605"/>
        <seriesInfo name="DOI" value="10.17487/RFC9605"/>
      </reference>
      <reference anchor="RFC9420" target="https://www.rfc-editor.org/info/rfc9420" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9420.xml">
        <front>
          <title>The Messaging Layer Security (MLS) Protocol</title>
          <author fullname="R. Barnes" initials="R." surname="Barnes"/>
          <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
          <author fullname="R. Robert" initials="R." surname="Robert"/>
          <author fullname="J. Millican" initials="J." surname="Millican"/>
          <author fullname="E. Omara" initials="E." surname="Omara"/>
          <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
          <date month="July" year="2023"/>
          <abstract>
            <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9420"/>
        <seriesInfo name="DOI" value="10.17487/RFC9420"/>
      </reference>
      <reference anchor="RFC9750" target="https://www.rfc-editor.org/info/rfc9750" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9750.xml">
        <front>
          <title>The Messaging Layer Security (MLS) Architecture</title>
          <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
          <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
          <author fullname="E. Omara" initials="E." surname="Omara"/>
          <author fullname="S. Inguva" initials="S." surname="Inguva"/>
          <author fullname="A. Duric" initials="A." surname="Duric"/>
          <date month="April" year="2025"/>
          <abstract>
            <t>The Messaging Layer Security (MLS) protocol (RFC 9420) provides a group key agreement protocol for messaging applications. MLS is designed to protect against eavesdropping, tampering, and message forgery, and to provide forward secrecy (FS) and post-compromise security (PCS).</t>
            <t>This document describes the architecture for using MLS in a general secure group messaging infrastructure and defines the security goals for MLS. It provides guidance on building a group messaging system and discusses security and privacy trade-offs offered by multiple security mechanisms that are part of the MLS protocol (e.g., frequency of public encryption key rotation). The document also provides guidance for parts of the infrastructure that are not standardized by MLS and are instead left to the application.</t>
            <t>While the recommendations of this document are not mandatory to follow in order to interoperate at the protocol level, they affect the overall security guarantees that are achieved by a messaging application. This is especially true in the case of active adversaries that are able to compromise clients, the Delivery Service (DS), or the Authentication Service (AS).</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9750"/>
        <seriesInfo name="DOI" value="10.17487/RFC9750"/>
      </reference>
      <reference anchor="I-D.ietf-moq-transport" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-transport-18" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-transport.xml">
        <front>
          <title>Media over QUIC Transport</title>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
            <organization>Google</organization>
          </author>
          <author fullname="Ian Swett" initials="I." surname="Swett">
            <organization>Google</organization>
          </author>
          <author fullname="Alan Frindell" initials="A." surname="Frindell">
            <organization>Meta</organization>
          </author>
          <date day="12" month="May" year="2026"/>
          <abstract>
            <t>This document defines Media over QUIC Transport (MOQT), a publish/ subscribe protocol that runs over QUIC and WebTransport. MOQT leverages the features of these transports, such as streams, datagrams, priorities, and partial reliability. MOQT operates both point-to-point and through intermediate relays, enabling scalable low-latency delivery. Despite its name, MOQT is media agnostic and can be used for a wide range of use cases.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-transport-18"/>
      </reference>
      <reference anchor="I-D.ietf-moq-msf" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-msf-01" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-msf.xml">
        <front>
          <title>MOQT Streaming Format</title>
          <author fullname="Will Law" initials="W." surname="Law">
            <organization>Akamai</organization>
          </author>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <date day="2" month="June" year="2026"/>
          <abstract>
            <t>This document specifies the MOQT Streaming Format, designed to operate on Media Over QUIC Transport.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-msf-01"/>
      </reference>
      <reference anchor="I-D.ietf-moq-cmsf" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-cmsf-01" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-cmsf.xml">
        <front>
          <title>CMSF- a CMAF compliant implementation of MOQT Streaming Format</title>
          <author fullname="Will Law" initials="W." surname="Law">
            <organization>Akamai</organization>
          </author>
          <date day="3" month="June" year="2026"/>
          <abstract>
            <t>This document updates MOQT Streaming Format by defining optional syntax and semantics for carrying CMAF-packaged media.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-cmsf-01"/>
      </reference>
      <reference anchor="I-D.ietf-moq-secure-objects" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-secure-objects-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-secure-objects.xml">
        <front>
          <title>End-to-End Secure Objects for Media over QUIC Transport</title>
          <author fullname="Cullen Fluffy Jennings" initials="C. F." surname="Jennings">
            <organization>Cisco</organization>
          </author>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <author fullname="Richard Barnes" initials="R." surname="Barnes">
            <organization>Cisco</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>This document specifies an end-to-end authenticated encryption scheme for application objects transmitted via Media over QUIC (MoQ) Transport. The scheme enables original publishers that share a symmetric key with end subscribers, to ensuring that MoQ relays are unable to decrypt object contents. Additionally, subscribers can verify the integrity and authenticity of received objects, confirming that the content has not been modified in transit. Additionally it allows MoQ parameters to be protected so the publisher can select if they are readable and/or modifiable by relays.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-secure-objects-00"/>
      </reference>
      <reference anchor="I-D.ietf-moq-privacy-pass-auth" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-privacy-pass-auth-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-privacy-pass-auth.xml">
        <front>
          <title>Privacy Pass Authentication for Media over QUIC (MoQ)</title>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <author fullname="Cullen Fluffy Jennings" initials="C. F." surname="Jennings">
            <organization>Cisco</organization>
          </author>
          <author fullname="Thibault Meunier" initials="T." surname="Meunier">
            <organization>Cloudflare Inc.</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>This document specifies the use of Privacy Pass architecture and issuance protocols for authorization in Media over QUIC (MoQ) transport protocol. It defines how Privacy Pass tokens can be integrated with MoQ's authorization framework to provide privacy- preserving authentication for subscriptions, fetches, publications, and relay operations while supporting fine-grained access control through prefix-based track namespace and track name matching rules.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-privacy-pass-auth-02"/>
      </reference>
      <reference anchor="I-D.ietf-moq-c4m" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-c4m-01" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-c4m.xml">
        <front>
          <title>Authorization scheme for MOQT using Common Access Tokens</title>
          <author fullname="Will Law" initials="W." surname="Law">
            <organization>Akamai</organization>
          </author>
          <author fullname="Chris Lemmons" initials="C." surname="Lemmons">
            <organization>Comcast</organization>
          </author>
          <author fullname="Gwendal Simon" initials="G." surname="Simon">
            <organization>Synamedia</organization>
          </author>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <date day="18" month="June" year="2026"/>
          <abstract>
            <t>A token-based authorization scheme for use with Media Over QUIC Transport.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-c4m-01"/>
      </reference>
      <reference anchor="I-D.ietf-moq-loc" target="https://datatracker.ietf.org/doc/html/draft-ietf-moq-loc-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-moq-loc.xml">
        <front>
          <title>Low Overhead Media Container</title>
          <author fullname="Mo Zanaty" initials="M." surname="Zanaty">
            <organization>Cisco</organization>
          </author>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <author fullname="Peter Thatcher" initials="P." surname="Thatcher">
            <organization>Microsoft</organization>
          </author>
          <date day="15" month="March" year="2026"/>
          <abstract>
            <t>This specification describes a Low Overhead Media Container (LOC) format for encoded and encrypted audio and video media data to be used primarily for interactive Media over QUIC Transport (MOQT). It may be used in the MOQT Streaming Format (MSF) specification, which defines a catalog format for publishers to declare and describe their LOC tracks and for subscribers to consume them. Examples are also provided for building media applications using LOC and MOQT.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-loc-02"/>
      </reference>
      <reference anchor="I-D.ietf-webtrans-overview" target="https://datatracker.ietf.org/doc/html/draft-ietf-webtrans-overview-12" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-webtrans-overview.xml">
        <front>
          <title>The WebTransport Protocol Framework</title>
          <author fullname="Eric Kinnear" initials="E." surname="Kinnear">
            <organization>Apple Inc.</organization>
          </author>
          <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
            <organization>Google</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>The WebTransport Protocol Framework enables clients constrained by the Web security model to communicate with a remote server using a secure multiplexed transport. It consists of a set of individual protocols that are safe to expose to untrusted applications, combined with an abstract model that allows them to be used interchangeably. This document defines the overall requirements on the protocols used in WebTransport, as well as the common features of the protocols, support for some of which may be optional.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-webtrans-overview-12"/>
      </reference>
      <reference anchor="I-D.englishm-moq-relay-dos" target="https://datatracker.ietf.org/doc/html/draft-englishm-moq-relay-dos-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.englishm-moq-relay-dos.xml">
        <front>
          <title>Denial-of-Service Considerations for Media over QUIC Relay Deployments</title>
          <author fullname="Mike English" initials="M." surname="English">
            <organization>Cloudflare</organization>
          </author>
          <author fullname="Lucas Pardue" initials="L." surname="Pardue">
            <organization>Cloudflare</organization>
          </author>
          <author fullname="Aman Sharma" initials="A." surname="Sharma">
            <organization>Meta</organization>
          </author>
          <author fullname="Ian Swett" initials="I." surname="Swett">
            <organization>Google</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>The Media over QUIC Transport (MoQT) protocol presents denial-of- service risks that differ in character from those facing typical request-response protocols. MoQT relays forward, fan out, and optionally cache media content on behalf of publishers and subscribers. This document complements the MoQT Security Considerations, focusing on the unique considerations for relays.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-englishm-moq-relay-dos-00"/>
      </reference>
    </references>
    <?line 1066?>



  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA619W28b2bXme/2Kgv3QEkLSTqeTg6M5GESWZFunbUux1OmZ
YHCCImuTqrhYxVQVJTNuB3maHzDIy/y9/JJZ37rsS5GyO8EYQVok67Iv676+
tfZ0Os3KdtEUa3eSl12xHKYPrh9cV2+bcrpu/zxt7113X7mH6fPn2VANNV33
5K0rqyLHL/nvfrg8y6/0midZMZ937v4kf9v+zn+btfO+rd3g+pNsUQwnedUs
26zadCf50G374dvnz//9+bfZw+okpxdmReeKk/zHy9us387XVd9XbTPsNvTe
y4vbl1l275qtO8nyfNW12w29ajSYo7dXvzumn9dFVfMTf1u5YTlruxXuqYa7
7fwkvxuGTX/y7Jl8ni3a9bNV3VbNtn72xVXIsmI73LXdSTalp9FM+pM8fzvL
f/SX42tZzrfFqtn2o59oGCf5RVct+r5t8IXTcfLFs/Da3zq9CIOL3vaHWX5T
dB9cF170h+LOldu//KVYF030I7/qXfuhKqL3/CW6dtbztb9tcA2/JsPWdOti
qO5piXHb+5dn//78+fMT+/s3z3/t//7u2/D9v/1a/r6cns+w3rxqQ1c0/abt
hv2f1v1y/8vFwW97t9h2btrO/+QWQ7//+6ar7ovFbrop+n6K7Tnw4O/W+1/W
7SL98sHNecR+t/3PrlnVVX+35vs6Vxe7adnSULImWq1sOp3mxbynZyyGLLu9
q/qceGu7ds2Qb7r2vipdnxf5XbW6m9bu3tW5vShvl/lw58a0nB0RHx3j3qFd
tHXeb6vBzfLLIacnLbpqTs/DbUW3uKNfFgOt0yQvi6Egui9dPcn8DviHTHIa
oCvWVbPKZa/7SV40Zc7LXA27fO0Wd0VT9Ws8vBiyoV05ekuXu6aY1y7vF0XN
f9Ttw7QuBtcscBNGTu+kteh2MgUM7bIhem7cMKP1cGE53MdNXRA953ftA67r
XU70t2kb+rHPscKDy4c2d8XiLm/57TTGTK/e0Yz1ht6VuG5BU6I7Kryt3biO
xydjKjabuiK5Q2Kkn8kmrauyrF2WPcXwurbcLvBr/ulpFX38nGX7ogXbQdtK
fAZhlD+03QcsJIsiXi2sMz0AG53xdmFrwwZu3KJa2miw/n41J8ly2kJm+wuZ
YyEXtE5dMXogRsZURML31jY+8y+HYLw9ps3ON9s5yPkZCVghozDC+baqh5ye
xfT36ZPy/+fPMrttTzPjVebFpekxN/TYA9qqiqg6LyuisGq+xZAyugczJKo9
LcsKX41H3fM7S7wTA8STSresGpcdIFTZ0gVpBKIe1ynpOpLSQzt1ERVngYpn
/xIvxhTpl4feRySYMQkeIlIZzleoNEupNKFP8HYlK9yUdFPBtIbN3uUb0k8D
liKr1pvaYSq8AqRwadh+MfxW0gyrFRYpf7hr84eCbqYxkGqhrwZwE2gFsy5q
2pIdKZ51Pnf0fGxqUWLdcUXVlBUt15b2zUu7LN1BWuHTmtTidnXHt5BEXhc0
4nVLFwtp0qKCLGluqaSYZLzp1dC7eomfsbc0synpw7YfqkX+j7/9nX7OvSTr
83ZT/HlLQxeFkD1UePWQf2jah9qVK6c7WHX5ptjVbVHORLBObdTEaiv6/6MF
CclFP8kSeiqLDaaYzyt6JW1wT88nym5WzPlCmiWtCpHapsAVe3Q6pm/mHOIS
4mRaiaHdmLj3c5oJheoTsV5rVzS9Lqbu56LAOzsamgrEiHBEUs9dQ8MjGuna
Nd/bk32wz+0TYdrpvABdepnNKoO28ulT2iq/cZ+ehl0kkXjblsXum/Eu0uya
kvh840RC2NIExmFZV1bLpetod2nJihVdp+uwqTb0oIaExJnsPkuy3YZmV9c7
WusVzKKSno1F9s/M6uqDy9/fvr2e4DENTWtTLD7Qk4lxSIh11arSJetsAEE0
5fdkGL2+vb3WdQhD7bfEz8R5r9/c0EPy89Ob15C66QaZqnB9Zq/F4MBPd8Q9
JM6rNVF1LJtUuAubiizoM8iH2n2E4qUxYzXmLfFo0VW0PnM3PDiaWODpdg21
SbsEbirKsnN9z1YAjW6+U9GGgRQ5FquO6IfJEES0KLpONXbGpCIrRQyupAKV
0+YsTo1mSLRVzaLeqljowOvZviIgEUFiR3SUyB9mGrLQaBY0vmW77fJVW9Qw
nt7IepxkJ/nt2aFtALUIMWNJp+1yCirJ52S5sdrFOkLG9qQ6yVSjMdNykMgW
Ydsy2dBezVj0QMp3THVQbSDhbT1UWHt6q7BwTw9hEVp0Q0XLQVOqinlVY3Po
icTitKekGEj6bPF+09a4h+4nqy+n36rFh5qvhwJioiC1DUsBQxIdiA18I+PB
7xgQVoGNDK+dQGp1TZpJB5dD0EEcuw2UA3FJ3fYwlhatSNKchLsMmbYdVuCq
o9vM4INUpo0eiK6EApe0aixuu7bmJWKnadNDGEdGJMksmotoxCXRLNmYibpf
gnrpjdiArijJUF8uA+WmS+SXk+ZPrE7DXtGvDnM/3aNX3ngen3Gs0l3Kxg6M
1jAv5cw/jaMNBbePyNMzqZAny0YQhumR3Gy3EpTKahcKomOemTsTdqLKU+aQ
vSElJIvQ9OpF0fCI52LOyLL3bDBhyjdmSI+EaeeIiLrE0GJpEDHwAlY/e5RL
+gztp3pTaB0brnY02WYkypYV6fzpoiYXyS8wJgxCX1Qbsg3ItZSFoNEMBW8/
BB556OxW0GxbGYA+lMZBD6D9GEifGGn1ToUbD1CHZGtDFEPSsje7QuRPbjpa
TQA21rBbPbgzkvZsdudELrBXppttB6sKAgt6LVZEpGbF2VinOr/AX7QosCdg
oRUky1oeLditBT2QMOghUDJTIxOx5cih+8A/eL+LDQAyRGmZyJaQy8xyyPYs
B/YT5M3yELEhiMq8ohzbENkhGyIxlMmijg0AWuCe5qHL6tcD5EIqWUzrkqhq
MZBwYkkiJlL70NjGm5XtLaqibDeDCNqd6erRqvJ692I1nJuBfbMg65Yshx7/
/Tw2v9m+9QxS1OLQtrT0TTvo4kQOibsr7itSGxlxtLp5DVnpyiR4IpvNRNdK
E7AdWlIv0/yK2KYZ2JoFj4oYYwaJPWamAci84IHO6OYLcVHNmv+af4pbrtlC
H72OLnb3ML699Tzy2iCq8BzWYGTzKAuwVAffpYRABMRz4w09Gnuo3u07zj99
OhyLIVeOCFFl5b4nuB8xwMze3rwU/zG/8YT6kuez96J1v5RXwASxiyGoxDbm
/cXtIvS8UJ4EZsJ+DNVaTEJ6+Rm//ezt6cspW0sVVpO+23v1Ino3ie+PJH0Q
PaSXw/2gh2Cp8ZxnlzdX0xdvX77MvcHIw+GpEnnccMgpvxLNMH5NGpDSFwY7
D0bEFvbogE1zcE8X3W7j99rEot7PhCMhrPwa8vk03MwG+KcvR7v8fvpfSHjC
lYWcbT+4Rg0rCVxWf+Gn8rK26zU9/5Slcn6LS8VKxgocnX33dn99v1v7t80d
UWInb0ifTQ7/HfElXvHm6iw/ekMMdKVmMRv47GrtPZyMOk83bGkV0FAjh1+p
SOTNLSnHqmmJZnYkbIbwaU/kbHuNlC3bmqweXhq6nATHOZOjstZALvCGveS5
g1PYk51hCuxL/ESWCPTBgtYZlEbmyQLmBtk95BuQuGXTRWVwws4wg2rIKLaB
wY+kkOHw0IgKkbyBpYkqORhON92wT5PeBO1q0hq2estMeujua7Py2e6CnVNK
bIGVDBmtJfSgioSNxmigqxq2/pVuxT4rxOJZfMCovD108MFexoj5yAbhwpE8
7FXD0iOuzBNJxnjLYYiKbfLgotBKk0HAngXfz7SDdQbzwGJnc0ndrDwoL28q
ZdkFDWI06siq0yfQ9ImKelUCwrsYvVdZRJMPRVdylKKFsGH3PLIOzerzyxLG
B7eNrg9BOYl0QnZGrpe+QQSpjcFM7FaDs7LWRNPv1ezroCkr/pVDPbq2EBX+
XaSUdM1iexYqCEsqKwJZPG27UtQR6V3Y7Fh+DnuSN1HBGyGiVss5f7mt65wf
QO96R3b2DE/hPdIQ5ZZ2E0+IiYxe+opTOvxSUjy1W1jsyGgOnMiWlzyNlxAi
Abbhn2j6EiSb0Wv5UbIIkctEzEiyYLmtmVj2nipx3J6MnxpiXOwR3AoWtqsr
W3KZPqiWfzFK7ddw2/rB3HPvjsms6XYSsDMQgtpdHFCm11Xr9XaQEHu0yPPd
AFcgWWJYK7wCEx3y5flEfVd95uW5MOQqrGj80EdmLnx6h0UrxKAQDY4FvQrT
Z+KUO8g4Y64wUamegDh8tuwkB3MxmiBL7ipetD3JJKPkt9IDG9v8Lv/RzcPF
vVwsNs/DXUX2F+Qq2A4R1YF9rOxp/gPJ4rMCcv/TU9ryKYRzT4rhlHlWDPhP
n5KA/+eJiGj2NMZxyOzxoDkbsCGwAmOZt1uok/fqzmW8X8941Z6Zp8X+NShR
BBMcLsR2d8IjCEFDpXBsT6NwTkxVia3M8ismxE2LoUI6JjFBCdi4/LK9zQaH
iDHCyLHzPGE2K+ZtJ4apV5j9wIHNXbMgl7up+kKuJlqopxAH+QreM18Fz9re
qYEFkjLNgoaTrZFgHGQ1luSW+1h8r7ub5rF83JhXw+bfm17CADmSlCVxUVuL
W4Tcq7re9uJ+ifEdvARP3Rsnse80bQYlXrbM8zQj2FAs58mMvCvokVge2n+W
Wg/YECYVDQ1sewk5iF3yBtcGO1ls9HPzyIgcF1P8TcR42eQ1OwR2MRbwUDhO
QhG9RKf0Ww3CZqYPTJ9EcQqNl5DbAj5aS2jf52sC3dS7rC66FemL7XouqnUU
4KCZ/fWvf81yr6D/iX8XsIm9Qs+n0/8uKmr012w2G30TVDMU+L/w72hNzHjM
I8++J+pYkGgrFmT6VWDpXpzExsFwXzPbJrwRItC2kNA7jgWoLCNs3Fss3HAg
zpuTzEK4ke0kTrvwRhDpa4Sy5wgg9LF8R5pUJCZbWWIzRgyNl0Urkq9plVjn
FQPLHOZLEMiayBVUyaoE7xkKuHM04LmoZLHc2PwiuhFBrlHnHd5yOs6BHJ2+
eH8cxTPM9ChqJCVxBRMo/WQxfUwKIsIbTLC7+yRkBhLEi/DHPb05ipSKleNj
pVPWqwfYIiRbzXs0icJ28H1RcYDNbNQ+PyK+bmveX1ptnV4PMYhM0DGCXPEQ
wd7r4gMeICELNoDULtGox3vIxFusPfk2nN5Y4OXM5ovoG2H3+JuJD0EngTgJ
KhCZInDHxqG33FIbcWSz5Re4L3pSJCl8rCcbh70suBU/S2IX8oMkCKBmsniQ
Jg+uo9edEtNOfxHz3y+QbY8vOTvAxz8lHw5ccJ98GF2AV0ztvf7D6KKfVKj8
9B8kVvyHf+VJ+PdfyYefMaN4BV58fZHOvyyw3hKze4lFbt6azEqNFbCjirB+
TAUL4myiqiNEQ8RBuSNWJ/3QH0fyy4SWZp/xVsBaiNXxvF8/f05OeU3UJJIq
EnccKxtT3sjX48+OdadnSs+SbraasfW6sOAYcRwxX9vUOx6hj5MLxYqgyY9u
fn92DLVGJtO2JkNhYImo2njiY5xqeu740uDbKRtDTGxIjJDpATFm4cwplJbJ
8yh+U/U6zS3pS6Qm1zBKecYVTGtRCxB+7EOwNcGGi8S+OYs08kFJhFjW8yxO
doAjr9UgOo8THixZJCfqZQrfnuRKjuQKwXt07VLMZpKeltWA1sg2Af3SA6wS
JAYjI/68LWqBBGHMvJO6lmJri7+XJfkYjj3RUsi+0h1n5++OTVxcyMufKenT
T/lls4KXFL64KFe0adci2rucLQFlWfkXvjgikS0fY1Phi9wjsQR5pcwlRCHU
weep0NxiZ59Iy3I7mEHOjhx20yS4txnV+D6saZieT5cDXHJ9FisCvPrgKs6J
3yz4cNCB17C8hMTTIVg8xI+6jFIZ9BC8kKg2wgvEs9eozhQr7bOgoH+f6ynF
CTPJsdRQQkKGddV8MAUuGTeYzXFSx2xnUXUHH0BjPTKypTXX7TuWQPF45XAD
pAqAIN7YBUcGCgFTcPbSclGLkIvk7LS4kKfjJME7tsE/PY0dh89iBLQ1/9Lh
v/AyNeFCrlG7k6xHc9/WoDIfqIEHmsYk+e6TUYDuxkHemsMOcSxJZVqI2K7X
EBopYU8bLPk4H86CJw3oiX/OngJMSTXs7DXjFduL7r1HMKG3MESfhvMssp1G
06q+33Ik7uaHFzdn7y9fXGDwLy9uz16znyaPo1nNEeuNJOTjQcE0wKixPvVB
uz42gDRi9E0fnps/ZlVWva5bj7y2p2sRgmboQmOpG68ZTE1ccGBqw/gu5NoP
Rhnx4iW/VaOLGs0cj1GDqNEqgm1d8AU710iuycYHKJZl0v3qQC/CnqRVDfKK
KZZ1J+kv1277ejcjYZylFqoba3YfsDzopx4BnhYSizwk4dNiPBO+ViNpsWX5
TSZ3mXXNHEycxX98tvy5BvZ8flzz60II+I0H6QcG86cl9/6hEVc7i6VBavzq
tduNwSb8M441xiCZBgRIJKIvqhUGiywX52HToKOkNUTfVBI1LhScW3SKMPy4
8+gAA4GwxnpZNNN2O0QQCT+2mKUF6BRgLfFsE142ZjPhx2LZS/uzgiXBiY/3
aYijH1qEFAQpTC8qI5Ei7hxWHv4ovQ0qoZv4xP/SqXjxiuYA6RQr4nqM4JVr
V12xuasWiWA/MVrwcAzIVqjpGlnfscQSNBBMCFNQs4R2xvG9E4FsWiw/Ze2A
72CSIzXLq8eyt6yWO13KtcLEBCidYL+CDZk90GxdBKNgYhDzMLENJwhvIhg8
kOGdkziBA4oUgPAXoBcGgloUur7bZqH5Gs75+ai1B3VkRyKgUDnQh+hxP0ng
QUF8Haer5uAFL5zAaEWLgYt1+MznSZqRBEoOPyULmjAO58GDIVFLe6zB3sYe
pWZNiG25zHOP+wgkh1DgXOJ8YH6Dp6gSojkg0L1MR5RhjA9Y0LlLpDyCEGQo
LiVyTbOvaGcl+tO5qf4EmF0mD1akrKpQLH5QWNGCFXUvMcXGYV5FV9EDo6BO
wLk+AMFYDZnae21sPHBgn01uXlSBBzTLarXtPLyWlycb2g1SoALySrKy9D2J
WA52KLVInHTlAWGwWLe0u5lCF3n80VA96IPeTZZ5wwpedsUSzgXHMyNE7IaY
D3Tro/MBBEoLIcEFBMW2GzhS/IhEA5khTJqIE30xyFhtSEV6L8SslUTJomBI
W+dgoab3KuMxSgwbQwK4dx6NwOyeKRKGUz2dWp0mGTx3sryAahUGxUrtsmRr
H7CCvO67wJD3lRCcceQEvAi2ZiO0UYdhj5Uk2E7E9ZL4bbntWG8i07zVfMgy
cc3E1+PETKmf+0kWIJy0SlVRA1JpngbtfoVcNNa6dy6TfPfhypfPnxXxE0j0
1hMecvH+A6ooWEnKBvcW9IypO1wN2xdSBVKTxYvkhIKS0MRQH6BMPrygVgW7
/U3LEbsxOnVGZlglGTYDYni3QdxlWHWnlwEISAvcO1b2HBGGxB9EdfoAmB/b
f6Qha3FDb0Rjdz79e2gywbGeaEpLdXlk4I/s8VxQcthwDxhdiqEQa4RHRine
9GjA5EzLmOVXRLq/OGIzANORLwsBozE6ij15r+qgp7uR2aAaU9PCGnHnMEAg
EMBAFJt+aDLiHsRzQgQhBAi+PE0Stnfi0PAgmWh0mkJLIUbruEDABq+6Nzjj
HBivhDCZ/eqdD5RHODEJlsnWwUjlBVKdZepOAvRNaUIn/AL3d4D0qlZ3c5LW
AgnQbISspbLTjsvF+iTirOkBmtA09hL7BVkspPBQKeKCbcQI4T7xGvzsOMaV
OA/mjXdOLFwzVoVI9vfuNCbFX+JD+PjteNMOBo4lEPtfyYdDl0k49n/x/z+z
mOyjUdv73Eecv3CZjPNXX31aFCw+eJnFtkPIOApwR/N/kUdLd578dCHkfIl0
TJ3HBgBT3V270ZK1GDoeey6GGMnIUitWbhQo8F6NJt5Tx0ZkDZlVq1XnVpC0
B/yP0RM5cFaMnZksvmg2VhvkESwYt2HDWFcrUWsn3rFi+w96XcIdd2SuYwwM
XEIE4NXV6Y+n/xMc32OaSsvEFWAT5m5xGoz9McrMmytaSCKSV6+GyUbqoOCN
4RicdwbFoJpy0EMt9mQVJpIS47CPCKKCq74KRmh0nFUvxNLm3DSneatmiyic
bEAfmfcaVecg3QSZQM0ll7FB8szWTkwSCXKdIzf/loEIn57CHpmyrDW9LXBc
KZUjvY3AFwR0VB7AXny3Qq1dgHV6W/gHX24mPhIKwPg22PF9r7AFWmkrpWSZ
C78AMQGyajKD7I6rYLnEJAwjrc26UXzBt3jCF5B74vmv1yT9YJ5JskNtAzLG
2BwSU+e1Th8JfFsKARomw7gD2B5FLlxUCIOGxZ6BofJ//P3v//j73+h/AlDK
jwJq6TgwfrjKIDz5kXDJdE0bilKopopvGN8mzjvddAiLpFauqsEI6AWnsJx8
De81k9mIfxCBuYKFIvEIhQAHQeWDfAbfUiTTHlzsYDTRggfF4AGHEVwMyM22
Y5P367gx+C08F1adGjRPIWQn6dAl5iDGDoYV+XvIXEkCPk2k++gHJJJUMpCD
7dcQZjznszj1ZfgrjzhYtF0cuy2UXGhK19VCanCOXl1dgwQ4vR9YB7CDEuaD
ONIKiPsXsWBcXcVg5cZLbHplDA17BBgmKLIEDgaXn+OXhgpLMWExjExLnYQK
fXUHYrY2D4uyGHCoTWvX2WMr7sGJ5KpyQDnU+WhqCi7ZVOoylx3iIceS0GA7
za+HD5Hxa/fQfvQQBKogAZwU5Rr+PGK5yWFsH2DUQPepTRjggMRRdBHyi3uw
v8AszCoTa4QBCOAIAOh3ZrSz2Bhj7/kuxLEZMwhctT1dcAzinpKou2D8ksdx
Po76FCbW7eRA2TIfHloGEEAkhov6TaHlX40f0rCF9QDCjNIb9JqaWOEoB2W2
+a++PQ6J4yfuI9fuoIXFk0n+ZO04PPfLb3+FTwXpOvdEYrcS9sI7vdeEdHis
2XzFU1LtBCwa1ALJimX1URH1GoFT4GUi+yyhMosnK6yHHQ9EoIu405JNi7DI
IgcKzPJo6Eq+T1h8TO9KniVgHfhDcTBPjn0ZyXqu/ivWNDwlJCvwXaA6Ty2Z
YKu5iIdTOVzVE+nZueAUxS7i9Lqk+LXiNhMJQn5fpdlp7zuCQzwQnsQdgikI
4kJoxGHpjL4dtCSTBYIFBQ0d+sP7y1n+o5E3j3AC3wPU5tObmqKCDOeoo+fo
MS+pCyu11wjF+YrrQiBGqGr74Ha+qE8hQNc+XErsEmKnn3Xz+4gv+xgoGjoi
+Jo7LIcroyfOsujp4FyLH7GpKnFGscEBUaqFqu60slPKrUJ+3pXMBojrgcAf
WlmyXptU2Gs4cYyRTx+QyoAZST9pwYuKt9LoRBHmuvZRt4DogfAQ2k3kFeeM
DOX+BkEycmSA7f24mqZIymE8Q4VVAVu9tfUr+r5dVAxNUEuS4faWICVJ+1Hr
/BQdywppWZDTkuDKRJ9YgFzUEJifPWma57r4SN4vMitCFaVGYidxYlUweajM
U5spT/eSYW6G3xHDVetxzUkhiXf9w4s3lzevJyFt+ser7yH2OHNKfx97nTRa
lOuwZxF9dV0lr9Kf7qRcbZbH9r7WS7Ba5NJltvI1J+JfEteEr4oNbz7NpGW4
5tE12zuvVDnlr4rNJJfvrkzf4MvjcXcGKcS1ZbJifKwkWTrrjeZ3MTKmIgYd
pmWV9ARUHuE6q/qCAGeCEBxBKeWfz5LST1rHS0+M6VJeaBkFb+KhpTDsETtt
WN5eOIeGcuiZoaKJtDQ4FqJT5ekhmMfEWpJIuggMhMQTdpJ9xXV7LwI5jgTR
Aw5kolJ+OtnDO/pURzEkNQn3BQmXXiSojMEAoEJO7FZVMDVHAqsju7n3l12e
vjvVr7ioGZuEzSny791u+nu8ZHpdVF1miXZfz8LqRBHaoYuJwJvwvp0AX0M1
TrZtuASfpB6LaSM7mZIAWvAEpDydffHpaRX9zlCOJQx6WHZBqHE5LDOMrwrx
koxvPMmRI+EgKV+QATmju0kuFkcctPCZR90gLC4dA+DbPrTm/5SJfZ49rrse
sQLl8UpuITuihqfC8VfbgnZvcM4IhhPPmgoO2s67NCzzplVDNFGVYluEPhbI
4Z67cuvjDpLa8iO3kEXXsXvHbp0PGvloEPk1nIwag/EQJFmxrc+Eaq/YczZB
yqUb2KBeCiOawAOsFsQLacJkiWkBOOFlIm5WeuaqTQyRrEyi2f4J1NQTX/vF
Xz4xW1R0gfu4qbrdsZQUaAh2YA9zn301nGQl+ahkKGrzeTnnsyUdwKXD9YTZ
uF1Oeav9JxZKx0iAR8okr6ulW+wWtYuLrSXkA7oV5yWU1VxbdOXT0xAf2e+A
FW6QblJfqoqUmP4X6masoUHHgiAgnLTnScBuwABJcgbSKEqaHCDoOc7WF75J
UGJt95k2E/IpE9+GKMDaIjVuiVJfD9/ssnGXoagcj4MCol99vxgxU0PHqSaL
+0yBOGBPJs2qSFJpRVR+YbFF9is/PdUA3tTF31uortsiWoutUpOskaIe3rhR
GRXz97vwu5DD2FLf+mYNt29ukBmLkptv2G/2ZPPOrVquWQX09PTN9bvj4B92
5JK1fx6eqKPkv+9j90HeVcilJ8+ePRHbHsPSPOiw8+1ZYNhJb61gPN0Tod44
ch7zq42vG0jmHM/RryDHNh+tMKM3okXQs19NbIANf3GD0RH1dCyhPaxFx85D
z7IXDEGSrbcmLL7pjGVjpJg8lN1Pohx3hJrQ8KJEo8VCT4HITT7v2gdaTHVO
XXNfdW3DiAuFnABQnU4VeQHDY4/6SSiAmZmMsS0ZIpuKL2Ervq/WdKeEtQXd
KhZW365d/Ppg2CEiQFdWUj+gMNi4D1bs2nGA2Dap1GSGh7SRFkaQnVR8nHHz
5rOutiywRP9vLm5/uDa7WgiLv8rcR1G7pIOFhn01mtI2nFlDZPumAiSVmdoy
pbZjQ4RwrwzmP2/DM3LmY2KLXIecYRHBAyXiQqJvSqtqjO2lh+XOow6NHJRI
JOUIBBWmp4KKWN97EnsVzz5E27gH2mJvsYQgLNA+5kvdcmAiuE0+Ysl0EPsr
PDAOoPZpMfMe8rToQ+88S8PPbH20iUIFq5N9jDcoXiD7Rky7CYmhj4O4HJP8
dM4AbHeD+Gj4+B6Lcax11KAVcfr9+7uo0w+MWXG/xplwLdFn6ZFEftCEaysb
G+VsiyR9b0lvgI4HLYju4TJ7UvbY7ThN2wrvW/ScWE5Ku0kmPRTVoM1jxgPS
LQVyBA7j41sehZ+4ck2CAg7NV/qYFrwlRYr4h4Z7sPmtthCKRxYf2Na40dKq
1VGDIiYeDAzXIA79SySpRmcVKAE2umYHavURvw8LtK7KqQoCH1hHII0zhEi9
I8gfwMiDt7k5k6fvViiODA0kpxGaIv/PVhqZvAS68Vhul4Fr6eki6vLBb+W1
8wV5jOPFA7DX3ARGQhNSDcDM0ljwFIpr23WSbhCndWUJgY0mBGiHfUgVFSPS
FowDAZGAKEFzaGIWCnF8TLBnJaoU/8d3p28vbq5Pzy407O6FSqnPDqZPaA4R
mN7fjkWjSdeu6EiGzmFIea4Pr+ZSnnD37fvTs+9vcGPAR9jIgmBlaLaE2DQa
dejJGP/7EMeNY8CI5oZ7sIVoaDXKV/MYtBjTVwodwAdzG8w65T5fSyX9XpHy
5b44nCln8xKNrUvahX/87/+TXesq0t/B9iNiw+dbQx2TONRwhNeG7K94VHKx
n4djQyswC7Z5gUxzXau5m8qamAzOr95dWJjTEKLME1FFc8COks76Ed6eb3lX
0Epr5Qjx5na5BAhRhKIKCbbg/eBKq2eWYvxv+pDc0R6l8OowVdgbYPqVG6Ki
54yR/2zfRhgJHfoO5RQD0J3TsdAerRDvOTlyvk6ITWUr94Jnv24VOcAQg5hg
uKOP1xT7r1ZvRV+a9lyUN/p2Cek7R90vojSWthe972cc9LnD5Ww28vdcdSSB
uCtEMkkDAPIjZXRtXUKD8rIxE6KC1n4kQUg/omRYfg4Nni0bHAY1wm9w5j/q
wsgNjmn2fjtNemjkrASHSjyrJC5Dkb5EblGXgICIxlJj68fCxarKIZc5yonG
iFLcLUvtSfVWnkEstwyxmcgt7y35yKkGDqFZZDcv2F7FjktxCbuWD0XvtdmE
q8JEPpI6c6VWbIukPjwGjZvAgbHU6TfafVHqBLD2W5jbtOPmepbxEKPQM9Ow
SCWpYXGDdmtCSsMauSF2Zh0C+EVcao7WCP7WYo4ccqN4f8CltRsKg6bZXF9X
w8AG0rhOQLPFUYqYi+GkLeUkJHWj5JZcxsRXSHvO0L4yPwpNLZMe2ZrRW9y1
1cJlCiDU/X7pTUxivxC07w8y4H51tW/LJKUcvhz+RVIOj4ge0RknY+hRzstk
QTEnAkYADRwcBpFoaqKNgsrWvUG/zQyX4LtI2uXzaphqf4uiUUdFjDQkTMlU
Hhzj0TONGN9JFwLBymNTrc9sA1t5XPzPOcMfX2EkhshpBUGFHA+vxov3ChNM
pRd6bGXgjm0C+QlREpUDKDTdyqy4B0LNUCtQgWQPVZ/LeIMDot30kh5FpJMu
xB+LorkWO3nLYDYNnLj4MvOrKuujogWI7l4LNn3AZ050yWvAFicW1bfeFjcZ
zlQcc4C1ZaEQV4qi8bg5noC4oeaUwYIGW5Mosro8NpBpUCi3iUBiMEnj9qtz
F1oQl3sDho1el0lbKATzBPh2XSB5AhfKskQGiQutPyU5djAlNYseYPY8kRxj
tp21r+pc3BoryU3ECQIbgPCAVl7sJa2MN8LTfJNRTffIoydEe+yP7M90Fidf
YAUiDzENqQlYeLuN40YQfdiVOMGjXTXCIOL0wqv3F6c3F/nRK25QStz5XlA4
FyFecMp+fs9YlIRsjwV/rGVVXF6stTUy8ZTkpOTASQsR99F1C7LmxUBFx3MA
E7+RJm7KfludiyRwfIlSL5QkaR5fTNW3y4HLFnyEm0lKQvigwSgAoqTqqRDL
IBDLnwHb9FlrLdIipdltpUCqZFjzz4NF5gdhkdnXYJH512CR4zaXyOz7qpap
1odEguSfbVvvY9W+2WpSWSbFZKd7bWE9HhMZ/rT9D7cm0GaWjLBN0lN2LkF/
wI/LJEwmgljLiG9GLyaHuasQ9YYMQ67XwvRd8ZCllbG9r8uWjLIHR858qbRU
u47XGEu8nKIwldNuj7XV1+zUa5qNJXNlAFEH31xhkoeWwdq2TdFlTrvG+NXd
bx4TVzgrj0XgjGn+flubJwrcZFGT7PZFW1CW+21zrN3hlG1B7mkeJWl47Nw4
CiNPGoZdnocWEhxGCeX+/HaeVHMYWeLbbaDIqIcpteIDNVB8x2V+P1qWY2/l
J2Mcp0EgfWqSY8WM72tw1ASX5fgwwYO2UTQy9Uur7ZVbLWkmfpkQj2f6Zeg+
FoHKfadInFJw8/IkP9iUFqcW9EtF5x6+4uhQA1npH1sl3cj2j3cwoIH2SuX2
b9xh1NqdZj+73WnU/lZsKm4EfIis8yPp3CPABwOPykexRQ15ANvT2kpHxK+C
nwzAqTxxGqtaJTlp05SlQXlQXPEhKWkOjiBtXdVXdpoND1+GuBfV8hk2ZoWA
vYwmIvmrbM+B7SfeLdQkDOdYneFAfIJuuRRIP88gdla5AQ2ygIO+CfbQzUuT
pyRRzkQUSHz0P2+u3kXouDLg6hSG4PvWIXgxlhWsFYlnfKRJXRUVNmpc9dJ1
Kmb9qCWVNG8IHURqsjS2JNytVDMGzqZyBd4WTHBDhuo5Q4GbSt8LbBJ18Iqu
JamFeLU/+ARtcmv0r9yUEvLmMJbzsRzJWpu9MSiS24SQ1UKsW7JAxA4FWZvo
M/SnwsNid4hPI/jnpWAEE3qgYS1wXIT8MKrP7p37EAE4026HM0WVc6vvgCv2
pg3Zjsi9YQBoHNw1AR4hXQcDpaLwdvAtrT18/eKeCyf1a7aFrzaPiG1GDLJl
ACWTbGZkysCSw00aGVLDg8RwxzW+jEuC5mIlg7Pf6NtX1zdEiC28Ze1QY/1H
FOfPSGcZRVRhMUQEjfINDvuPgmgw79SDs5HNo8DV79oL0z+ijo6VKf0axycI
5EPcqAoWeafHa3D61bemzI6k196vnz9f98cabod3W0qvxSPLomkrK75EoLRt
My3dumg0R3fGCob7jp/5vuMHVM1CdA23KT/ckZyNZrJMcUWEcsSj8yPpw61c
EeVgfYP1UY9yPSMqdl0z+OpSrWfHdOW+xXk43UgzmArKPn//VkOqYEr0S7Ja
p4XBcji0iFUIsTQPXZPRn91t0W4nzkWRRaiSzXB1+Sltf7jcFKzi5UPHz96t
tPuoYbC5ORB7eDYdTW8HpXxkIIy4QTiODagQoz69ea1VmjjNZ/n2+rvjyQiZ
7lmNiyPlKA4m1fajWHiX0nraF2LLKHtpSZ+/FvzksSASArwyYhAIGGnJ8Jvv
pqbcq4aFAV4l3dgbbaDbDpoDZJtCu7RfhB5kR2cX786OhSeAgIAHyGjBaEPz
ox+JoslGI31xTcL+PTJnk/xlUXX4eJxsmODL48p1UcxR37MI8r3fH5/DnKfX
U3ag2bz0sq5X3eAT8lFRiuolkcEz5R9h8j7f6xfB9frRyWkS8BFIpwVnsNvP
sM/E2bYQUnjSlXBqlXZMqhCJ2vzIP9kKAhT9WzF7ycTX+udnO5YkqN2gddPD
ISpf9GU9BKN/v8jynxIet8rQx67dEzc/5aiNZUnChxncvMRlR/7whA7zOP7S
I0XQeMs0t0fCetXzEb5wM7TxqM4VN+8fG/H4MzjA+8wjUb44/x/Or+nSy+u4
ivbgtVLLduf23UYhZnOcQyenHqIefeEEyBBESHoDvJEI1R47maRLIRd6hD5S
pEZifmqer9uNITYh9hlnFuOKDe09RU5no+2TEZuwkzqTBmVAh8n3n+V0MNgu
LcoDZEIuPuKT3XGpOpLZhqPEwiFtw50i7Hz3EcwbDmJUFMvVIVIh2W6m892U
/hNG+Onp3fxuGg8sRaodwqZNtOnpUo0KKLNbYupfzn6Va3spiTHXO0VZKGRI
rTvbBMGwok1KKWWmFiEOEFKEIeraZ0GsXpoFmsDSUrQ0OWG8Fh4Dtd4OIIr0
qmM50sPLce5shM7RzVSga8NAGh362PfRLf9UMFrADol63T447lxyJ4uKIm6/
ez40p7oibRtgUVZrzeLzwr0h+XwwTmRjHzWnxGpwO3WLCBt0NYb6jyJYHHXl
9j8+6pBFePNIocH3BwMYCEphveiPpombSM19euq+ddMRTf+TB7P4Iq/D+Pf0
bBY2BRjums5PDa7Md3DhMP5LKUDwfsGRnJX6m+e//vzZaq/kIBSmQ52YNnJM
XpDHNGUDkpPwojBTdCqM7mQAfHu/aLIPCxfjJ8D406eeOwFhb3wM/oPb2dEe
UsNZihUImKpAIF9/f05WayGVp2JY40cGQ6rUUpig+cpCgtyEk7nG2jYDhIXJ
+n5f4eVVsxGcCItY5qiXes6Dlqk1DLA/KiSuLZai+1hwUxj8dOwDEgbBzwNQ
09YuxcpPJCwuAVjYHFxIFhWOSgss2yDrMKvHbIZcg+8AxQVk3B1IcCXhbDSP
djai2jb+wZm3SH9Ws669WpTjjAPjSWexoPZ8b8HbUQt8fxhZHwag/fMl1qX1
js98tzFG7idJGkkCZymPtV20aFHjYGnhiC0zIYGcf63d+sPBGxHLeBkorDUO
5aM317Kqnfdnor6glbSlQSyICxmtrSPEyuiMLeTMk5MUoILgw3XgUAZsh+Si
t7jFqX375kbNTLou7YyrfQWiHuGf9Oj0z58n8vd33+JvrjDaDgD3z/VI33sO
ssHIZaPZbBztkniadIr69DTpHCVNgvXkvElS5qVBx7TRlDGdbWbk03hIrOUv
e2tSJ0huMahCKiO0XEuKNegxC1duGWkZb7IYROOzqrJorwff9SjGvf7jb/+3
z+sWZS0+h5PaY3pyII3t9Ifb11fvL/9went59S6/vfr+4l1g3YSIv5QDzY8i
yCNDAycGmJpkewA6LckZtInki1FryjFol6gtY2SHdkhJitrtZIoFcaWYNf1/
s/IcX7pF9/O5XApJDojbcPhYF9DV+P5gFxZYxnIsmII7olIugXprPQJzFG1b
XeG8jgyGxH1blTFWpOLzUnHGhBaSwd4S81gh2aIz0yPVYZ2Y7wlRfOigMU1i
qoVqR8/zSdO6bqyB/z+dsWaHs+4dtibJ5+aDHOqdjJP1Jt2dDIF3SIwLH+/C
RKcrIOSxmiK5lfQ4wyunUDxaw+2BjOwEWimqFXSOUOOaOAVuhGymdMDS17lt
VnxQCQwI39eGz7oTqMt8p716ue+Lz9AIxSAAXt4jjA/85xwjAyv1/bZg5dzy
/SpHpPRDq8k4bQfqxSiXtL4IHraN6/fPr1RZcNSBkvjoR3k8d66CbHzklLsv
n24XiY1sdNCdiiIxhKLDUXXSEpOpi2rtM+uGIRxTLhfV0zAUFAoRpf10SLAT
H8nBx1p/YkEvH60LyCfvQxgzRM2BIh2WnIRzkiWUGDp6xwd0AHDU7NacORcZ
j9EKBj3jY4pcp65U8FXjsE0Sm9Gqn2FHYnXZFX7pZo847RZaZgtKQkjpCsbz
yYL5egTo6qBFQ5fNspXOEXzq1s3L4whQMyqTGGUrg3QV3DqHn6zCQ84JVMSw
f44HyfLKniWtFwUjix/EkfmmT85gT8wwO/q9GMYHAEc9RLN2Lp0JrLtJBN3R
iNS2k+MIDzSKzbwRCDNJRzbqFmlpKhae0u6MWw9I4C2Km2p2IEJcT/LYbo06
lPRJcerm0cYGTs9B5oavjaKvfTwFTrT6+lFdO0ji3hGdxKl0hptn4cw8f7q3
P2sFLS4Y3BKKB9nIj07z9MYrCxSa7JLPEyaa3PVVb52SiUz/wlOvpPGpJoXM
A0vxxnaoLY9b0mmqw2H6aZxAt7hTBHoFy3Evma5lh9JGnG3th7tWECn+ZBAO
ryZ4aFNVWqtsqf99rZblI747soL8WIQcT6J+xtK7iNNmadnLN72XAqTcOhxe
7rVGaKLdjcHUI1MuUmNSFhIb6nbcMZ/WPlRoSKc4yK7qPyRRjA3CFZw/gIfX
WxUe761tHrcGz2LRb6eIaQZnpPKjPhW5hXCycNQASblWGkHxyvlzvkHZc7Fe
YpEtGR62PJJEumgfM2iDNeCFqrYE8e2UDA7FFKpt3+wY3oIdoDgkTe5D+KQh
u8mehOZDk9Kki3J3iDL6ncq0WnPTSgcyPsiaYQDIzXIfYcNBy/HM0XBCw5kM
dSbsqXHgT6KDUeQdXdt756FOvozMWiWDgbUsl/1AUaBcus9tmk3y6yEC+9kG
bUkLQ3QMytN89Yeou4w9fsFJ4LQILzpi2yN1mlBCq15dtArnQgtn+sxPT4U4
pvoS2qbRjh7Q/X0E1qisJ6mc1hXOoKAFK7RHkwb0tfwRaeAf/XmLvihySA8p
8++acG+XuEWUinHzIUkaoE4YhOXTeFHJMMdzFAko1cdRbWjPmNsEPpwMwt5x
7BthREUjfLFHbHiX1sC16JU2tkZEdXp8yGsD3zEqRbH6j4PvJkaSEKZ7sLLk
VPlxc9zT1IiTU2j4WHaBFqhxtQyYpgnnhLSQg49SL6ScDWdpZyHrIxICp57J
xhbDfhL1oQMAg1O1mrS07IcGO95cnU04YXSsGArjSTxXUiQiKFl3WlZAXugM
Ln/4mCUfeToKzxURfGwqVb485BIeaTqWiWhovfsuLpXF5/JxebXtrfVV6qJT
BqIkSKkNkhz6AJF7wvGaux0AkuomypC5U+FWG1gdbsYuXcO9DW/h/4AaFnQM
B5xKdNbZCWXFZcjXUT+eBIx+7H0Qf+QMg5h1T0bZqJBlFctUzTF2HNXImrtd
azNLwkhifUlsgKktAlu3gMiwTk6ZdNoZ4pnzxnJYIlrwLANdR8JdG7+IjV4k
bPGNVFf2E4vnZaFvkXet/Yp5lE5ydIMEuU0YnGTcy3UPAytNRZirBn/Iibkq
qfrNPLTPvPHRuuyHVOC6AJYu8oIuz9JkOi9UdP5FQCEmeCDbLiuQ0LVMtUk4
9RzFEXLJlNa0N9AkqZAvh2K8wo7jr6NAqjgx6ZGsatWYdiQL/R4+BhLaRweh
mgyP/wHOKf/8C05Uh9X9BUpxAdfTfZjpiXZ9dFqtyIv0qFXxT+lZRD563rzU
awjcslUIJ2rPhYTQACOB87Kr6TG/HP9KwXQTOzjN0BDwhUYACdlsjQb6QxeT
s+q4skLPUUhahrGdeR4wWYfQrAasYLDKdPEojolX+SLCKfHy4KZnHkkUFp3b
Jo2RKQj0CDYF4wcaJQoPhG3Zg3YEO2uAuEnjBl/DdBxAc6AG8vFVWdiycBh2
RLBsweF4iw6UbTQqxUFwPWEd8THA/Ojs06eRGfZ5osktlhpctxdZkXXKLGXg
Qn+UKFvFr7YotMKZR/x5usJnZcxgqUk+jzGSC9kKHF3WW6UUSXF3zycTJlMk
Vvspf0UXAlwS/5L/lP0kYIqfRuAK+iEPfZz54Q9VF5lOYvVrgYc/jeOnLzUH
wjNfwAvQI0MivhxnSWIDSFwfCIC9pwvSjseKo78BzQr0yjQFity7bRHuOy3L
R+yRvbv2Ms24/9J8ggN+9Ej/7z3wUMg5fabEIafijH7laRLKPLBvWLk9M2/v
dsGm4/YrDapHnSaj1mvn7U10bIh/zmNnhtATE/jKXojMPMdpGomKVFKKYFEY
pNrOzOoeL/BZ0otIwmGIjN3hGAB4+MQswFvYZ9HxD71zHgORAAPDYVYX315E
pMEBxWx8FFw/i45GUatrQe8ViWCzEwOW7bNByurb/eVmYyvdbnZs1T6GeOeE
8nVb9ZwgxGy4sljCZzB5gTtIumgjStLYQ10Z9xmsBvUyNLzYdijLilBzYxdF
FnLkD8NqxKQ1IxX1TfEBoD2bWKOr4eQSi7SdWqQNGorjdeDm8T60PycKF8Ul
45ChP0E1PTAUlY4SJJK7o5ALpzw0whQfHe9wdlIjtg68GKI4tIVIJspJCFq3
jZ4JI5+5sm03gssQkfOpCqH+1XcIxk3YJnZ4ZkFQmCZjS1/cYwtdSdlxgJpx
jcFGzkBFqEhSJx5yJvgvX7t1CtPBtIW2kZEEZeihIo3zqtWKY4xcVmxV5ktu
rc/UlzQN4qI+PpznvfStW3Mrm0lSPGtHU6GfBFtRJtAu/sfZxc3N5e8v/vjm
6vQ8d13H6qP0DZ5hszKimQw5hxl/RUZJFoMEJDd5UcqTmBm3rtwTWmRNFZ+1
j2LZLrYsrGEsN63cUfjTwrOn4YhfNEkdKXSacI9ncovN5CjWViv99fEckn/1
QEqKaPemAnocx5X6BgGSFKGLplMG3GfZ/wMci6Cj6J8AAA==

-->

</rfc>
