rfc9802.original.xml   rfc9802.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 3.3. -ietf-lamps-x509-shbs-13" number="9802" category="std" consensus="true" submissi
6) --> onType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3" xml:l
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft ang="en" updates="" obsoletes="">
-ietf-lamps-x509-shbs-13" category="std" consensus="true" submissionType="IETF"
tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.25.0 -->
<front> <front>
<title abbrev="HSS and XMSS for X.509">Use of the HSS and XMSS Hash-Based Si <title abbrev="HSS and XMSS for X.509">Use of the HSS and XMSS Hash-Based
gnature Algorithms in Internet X.509 Public Key Infrastructure</title> Signature Algorithms in Internet X.509 Public Key Infrastructure</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-x509-shbs-13"/> <seriesInfo name="RFC" value="9802"/>
<author initials="D." surname="Van Geest" fullname="Daniel Van Geest"> <author initials="D." surname="Van Geest" fullname="Daniel Van Geest">
<organization>CryptoNext Security</organization> <organization>CryptoNext Security</organization>
<address> <address>
<email>daniel.vangeest@cryptonext-security.com</email> <email>daniel.vangeest@cryptonext-security.com</email>
</address> </address>
</author> </author>
<author initials="K." surname="Bashiri" fullname="Kaveh Bashiri"> <author initials="K." surname="Bashiri" fullname="Kaveh Bashiri">
<organization>BSI</organization> <organization>BSI</organization>
<address> <address>
<email>kaveh.bashiri.ietf@gmail.com</email> <email>kaveh.bashiri.ietf@gmail.com</email>
skipping to change at line 45 skipping to change at line 45
<address> <address>
<email>ietf@gazdag.de</email> <email>ietf@gazdag.de</email>
</address> </address>
</author> </author>
<author initials="S." surname="Kousidis" fullname="Stavros Kousidis"> <author initials="S." surname="Kousidis" fullname="Stavros Kousidis">
<organization>BSI</organization> <organization>BSI</organization>
<address> <address>
<email>kousidis.ietf@gmail.com</email> <email>kousidis.ietf@gmail.com</email>
</address> </address>
</author> </author>
<date year="2024" month="December" day="12"/> <date year="2025" month="June"/>
<area>sec</area> <area>SEC</area>
<workgroup>LAMPS - Limited Additional Mechanisms for PKIX and SMIME</workgro <workgroup>lamps</workgroup>
up>
<keyword>Internet-Draft</keyword>
<abstract>
<?line 164?>
<t>This document specifies algorithm identifiers and ASN.1 encoding formats for <!-- [rfced] Please insert any keywords (beyond those that appear in
the stateful hash-based signature (HBS) schemes Hierarchical Signature System the title) for use on https://www.rfc-editor.org/search. -->
(HSS), eXtended Merkle Signature Scheme (XMSS), and XMSS^MT, a multi-tree
variant of XMSS. This specification applies to the Internet X.509 Public Key <keyword>example</keyword>
infrastructure (PKI) when those digital signatures are used in Internet X.509
certificates and certificate revocation lists.</t> <!-- [rfced] We have updated the abstract for clarity. Please review and let us
know if any updates are needed.
Original:
This document specifies algorithm identifiers and ASN.1 encoding
formats for the stateful hash-based signature (HBS) schemes
Hierarchical Signature System (HSS), eXtended Merkle Signature Scheme
(XMSS), and XMSS^MT, a multi-tree variant of XMSS. This
specification applies to the Internet X.509 Public Key infrastructure
(PKI) when those digital signatures are used in Internet X.509
certificates and certificate revocation lists.
Perhaps:
This document specifies algorithm identifiers and ASN.1 encoding
formats for the following stateful Hash-Based Signature (HBS)
schemes: Hierarchical Signature System (HSS), eXtended Merkle
Signature Scheme (XMSS), and XMSS^MT (a multi-tree variant of XMSS).
When those digital signatures are used in Internet X.509 certificates
and certificate revocation lists, this specification applies to the
Internet X.509 Public Key Infrastructure (PKI).
-->
<!-- [rfced] Please note that we updated instances of MT in XMSS^MT to appear as
superscript to match how it appears in [SP800208]. Please review and let us kn
ow if you prefer otherwise.
Note that the text file will continue to display XMSS^MT, but the HTML and PDF w
ill display MT in superscript.
-->
<abstract>
<t>This document specifies algorithm identifiers and ASN.1 encoding
formats for the following stateful Hash-Based Signature (HBS) schemes:
Hierarchical Signature System (HSS), eXtended Merkle Signature Scheme
(XMSS), and XMSS<sup>MT</sup> (a multi-tree variant of XMSS). This specif
ication
applies to the Internet X.509 Public Key infrastructure (PKI) when those
digital signatures are used in Internet X.509 certificates and
certificate revocation lists.</t>
</abstract> </abstract>
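Review bot: the new "<keyword>example</keyword>" element is a placeholder sitting under the unanswered [rfced] request for keywords; replace it with real keywords or drop the element before publication. The three [rfced] comments in this region (keywords, abstract rewording, XMSS^MT superscript) are still present in the XML and each needs an author answer and removal. The "Perhaps:" abstract in the comment moves the "When those digital signatures are used ..." clause to the front of the last sentence, but the inserted <abstract> keeps the original order and still spells "Public Key infrastructure" with a lowercase "i", unlike the title and the "Perhaps:" text; confirm which wording is intended.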
<note removeInRFC="true">
<name>About This Document</name>
<t>
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-ietf-lamps-x509-shbs/"/>.
</t>
<t>
Discussion of this document takes place on the
LAMPS Working Group mailing list (<eref target="mailto:spasm@ietf.org"/>
),
which is archived at <eref target="https://mailarchive.ietf.org/arch/bro
wse/spasm/"/>.
Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/spasm/"
/>.
</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/x509-hbs/draft-x509-shbs"/>.</t>
</note>
</front> </front>
<middle> <middle>
<?line 173?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>Stateful HBS schemes such as HSS, XMSS and XMSS^MT
combine Merkle trees with One Time Signatures (OTS) in order to provide digital <t>Stateful Hash-Based Signature (HBS) schemes such as the Hierarchical
signature schemes that remain secure even when quantum computers become Signature System (HSS), eXtended Merkle Signature Scheme (XMSS), and
available. Their theoretic security is well understood and depends only on the XMSS<sup>MT</sup> combine Merkle trees with One-Time Signatures (OTS). Thi
security of the underlying hash function. As such they can serve as an s is
important building block for quantum computer resistant information and done in order to provide digital signature schemes that remain secure
communication technology.</t> even when quantum computers become available. Their theoretic security
<t>A stateful HBS private key consists of a finite collection of OTS keys, is well understood and depends only on the security of the underlying
along hash function. As such, they can serve as an important building block for
with state information that tracks the usage of these keys to ensure the quantum computer resistant information and communication technology.</t>
security of the scheme. Only a
limited number of messages can be signed and the private key's state must be <t>A stateful HBS private key consists of a finite collection of OTS
updated and persisted after signing to prevent reuse of OTS keys. While the keys, along with state information that tracks the usage of these keys
right selection of algorithm parameters would allow a private key to sign a to ensure the security of the scheme. Only a limited number of messages
virtually unbounded number of messages (e.g. 2^60), this is at the cost of a can be signed, and the private key's state must be updated and persisted
larger signature size and longer signing time. Because the private key in after signing to prevent reuse of OTS keys. While the right selection
stateful HBS schemes is stateful and the number of signatures that can be of algorithm parameters would allow a private key to sign a virtually
generated is limited, these schemes may be unsuitable for use in interactive unbounded number of messages (e.g., 2<sup>60</sup>), this is at the cost
protocols. However, in some use of a larger signature size and longer signing time. Because the private
cases the deployment of stateful HBS schemes may be appropriate. Such use cases key in stateful HBS schemes is stateful and the number of signatures
are described that can be generated is limited, these schemes may be unsuitable for
and discussed in <xref target="use-cases-shbs-x509"/>.</t> use in interactive protocols. However, in some use cases, the deployment
of stateful HBS schemes may be appropriate. Such use cases are described
and discussed in <xref target="use-cases-shbs-x509"/>.</t>
</section> </section>
<section anchor="conventions-and-definitions"> <section anchor="conventions-and-definitions">
<name>Conventions and Definitions</name> <name>Conventions and Definitions</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14 <t>
>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", ",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
nterpreted as "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
only when, they be
appear in all capitals, as shown here.</t> interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
<?line -18?> target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t>
</section>
</section>
<section anchor="use-cases-shbs-x509"> <section anchor="use-cases-shbs-x509">
<name>Use Cases of Stateful HBS Schemes in X.509</name> <name>Use Cases of Stateful HBS Schemes in X.509</name>
<t>As described in the Security Considerations of <xref target="sec-securi <t>As described in the Security Considerations in <xref
ty"/>, it is target="sec-security"/>, it is imperative that stateful HBS
imperative that stateful HBS implementations do not reuse OTS signatures. This m implementations do not reuse OTS signatures. This makes stateful HBS
akes algorithms inappropriate for general use cases. The exact conditions
stateful HBS algorithms inappropriate for general use cases. The exact condition under which stateful HBS certificates may be used is left to certificate
s policies <xref target="RFC3647"/>. However, the intended use of stateful
under which stateful HBS certificates may be used is left to certificate policie HBS schemes as described by <xref target="SP800208"/> can be used as a
s <xref target="RFC3647"/>. guideline:</t>
However the intended use of stateful HBS schemes as described by <xref target="S
P800208"/> can be used as a
guideline:</t>
<blockquote> <blockquote>
<t>1) it is necessary to implement a digital signature scheme in the nea 1) it is necessary to implement a digital signature scheme in the near
r future; 2) the implementation will have a long lifetime; and 3) it
future; <br/> would not be practical to transition to a different digital signature
2) the implementation will have a long lifetime; and <br/> scheme once the implementation has been deployed.
3) it would not be practical to transition to a different digital signature
scheme once the implementation has been deployed.</t>
</blockquote> </blockquote>
<t>In addition, since a stateful HBS private key can only generate a finit
e number of <t>In addition, since a stateful HBS private key can only generate a
signatures, use cases for stateful HBS public keys in certificates should have a finite number of signatures, use cases for stateful HBS public keys in
predictable range of the number of signatures that will be generated, falling certificates should have a predictable range of the number of signatures
safely below the maximum number of signatures that a private key can generate.</ that will be generated, falling safely below the maximum number of
t> signatures that a private key can generate.</t>
<t>Use cases where stateful HBS public keys in certificates may be appropr
iate due to <t>Use cases where stateful HBS public keys in certificates may be
the relatively small number of signatures generated and the signer's ability appropriate due to the relatively small number of signatures generated
to enforce security restrictions on the signing environment include:</t> and the signer's ability to enforce security restrictions on the signing
environment include:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Firmware signing (Section 1.1 of <xref target="SP800208"/>, Table I <t>Firmware signing (see Section 1.1 of <xref target="SP800208"/>, Tab
V of <xref target="CNSA2.0"/>, Section le
6.7 of <xref target="BSI"/>)</t> IV of <xref target="CNSA2.0"/>, and Section 6.7 of <xref target="BSI"/
>)</t>
</li> </li>
<li> <li>
<t>Software signing (Table IV of <xref target="CNSA2.0"/>, <xref targe <t>Software signing (see Table IV of <xref target="CNSA2.0"/> and <xre
t="ANSSI"/>)</t> f
target="ANSSI"/>)</t>
</li> </li>
<li> <li>
<t>Certification Authority (CA) certificates.</t> <t>Certification Authority (CA) certificates</t>
</li> </li>
</ul> </ul>
<t>In each of these cases the operator tightly controls their secured sign
ing environment <t>In each of these cases, the operator tightly controls their secured
and can mitigate OTS key reuse by employing state management strategies signing environment and can mitigate OTS key reuse by employing state
such as those in <xref target="sec-security"/>. Also for secure private key back management strategies such as those in <xref
up and restoration, target="sec-security"/>. Also, for secure private key backup and
adequate mechanisms have to be implemented (<xref target="backup-restore"/>).</t restoration, adequate mechanisms have to be implemented (see <xref
> target="backup-restore"/>).</t>
<t>Generally speaking, stateful HBS public keys are not appropriate for us
e <t>Generally speaking, stateful HBS public keys are not appropriate for
in end-entity certificates, however in the firmware and software signing cases use in end-entity certificates, however, in the firmware and software
signature generation will often be more tightly controlled. Some signing cases, signature generation will often be more tightly
manufactures use common and well-established key formats like X.509 for their controlled. Some manufactures use common and well-established key
code signing and update mechanisms. Also there are multi-party IoT ecosystems formats like X.509 for their code signing and update mechanisms. Also,
where publicly trusted code signing certificates are useful.</t> there are multi-party Internet of Things (IoT) ecosystems where publicly
<t>In general, root CAs <xref target="RFC4949"/> generate signatures in a trusted code signing certificates are useful.</t>
more secure environment and issue
fewer certificates than subordinate CAs <xref target="RFC4949"/>. This makes the <t>In general, root CAs <xref target="RFC4949"/> generate signatures in
use of stateful HBS public a more secure environment and issue fewer certificates than subordinate
keys more appropriate in root CA certificates than in subordinate CA CAs <xref target="RFC4949"/>. This makes the use of stateful HBS public
certificates. However, if a subordinate CA can match the security and keys more appropriate in root CA certificates than in subordinate CA
signature count restrictions of a root CA, for example if the subordinate CA certificates. However, if a subordinate CA can match the security and
only issues code-signing certificates, then using a stateful HBS public key in t signature count restrictions of a root CA, for example, if the
he subordinate CA only issues code-signing certificates, then using a
subordinate CA certificate may be practical.</t> stateful HBS public key in the subordinate CA certificate may be
practical.</t>
</section> </section>
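Review bot: in the new <blockquote> the three conditions quoted from SP800208 lose their enclosing <t> and the two <br/> separators, so "1) ... 2) ... 3) ..." will render as one run-on paragraph; restore the breaks or use a list element so each condition stays on its own line. Later in the same section, "Some manufactures use common and well-established key formats" is carried over unchanged and should read "manufacturers". The sentence "... not appropriate for use in end-entity certificates, however, in the firmware and software signing cases, ..." is still a comma splice after the added commas and would read better split into two sentences.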
<section anchor="algorithm-identifiers-and-parameters"> <section anchor="algorithm-identifiers-and-parameters">
<name>Algorithm Identifiers and Parameters</name> <name>Algorithm Identifiers and Parameters</name>
<t>In this document, we define new object identifiers (OIDs) for identifyi
ng the different stateful <t>In this document, we define new Object Identifiers (OIDs) for
hash-based signature algorithms. An additional OID is defined in <xref target="I identifying the different stateful hash-based signature algorithms. An
-D.ietf-lamps-rfc8708bis"/> and additional OID is defined in <xref target="RFC9708"/> and repeated here
repeated here for convenience.</t> for convenience.</t>
<!-- Sourcecode matches that from [RFC5912].
SG: blockquote not used because it causes margin issues.
-->
<t>The AlgorithmIdentifier type is defined in <xref target="RFC5912"/> as follows:</t> <t>The AlgorithmIdentifier type is defined in <xref target="RFC5912"/> as follows:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE { SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE. parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL &Params({AlgorithmSet}{@algorithm}) OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
<aside> <aside>
<t>NOTE: The above syntax is from <xref target="RFC5912"/> and is compat <t>NOTE: The above syntax is from <xref target="RFC5912"/> and is
ible with the 2021 ASN.1 syntax <xref target="X680"/>. compatible with the 2021 ASN.1 syntax <xref target="X680"/>. See
See <xref target="RFC5280"/> for the 1988 ASN.1 syntax.</t> <xref target="RFC5280"/> for the 1988 ASN.1 syntax.</t>
</aside> </aside>
<t>The fields in AlgorithmIdentifier have the following meanings:</t> <t>The fields in AlgorithmIdentifier have the following meanings:</t>
<ul spacing="normal">
<li> <dl spacing="normal">
<t>algorithm identifies the cryptographic algorithm with an object <dt>algorithm:</dt><dd>this identifies the cryptographic algorithm wit
identifier.</t> h an object
</li> identifier.</dd>
<li> <dt>parameters:</dt><dd>these are optional and are the associated para
<t>parameters, which are optional, are the associated parameters for meters for
the algorithm identifier in the algorithm field.</t> the algorithm identifier in the algorithm field.</dd>
</li> </dl>
</ul>
<t>The parameters field of the AlgorithmIdentifier for HSS, XMSS, and XMSS <t>The parameters field of the AlgorithmIdentifier for HSS, XMSS, and
^MT XMSS<sup>MT</sup> public keys <bcp14>MUST</bcp14> be absent.</t>
public keys <bcp14>MUST</bcp14> be absent.</t>
<section anchor="hss-algorithm-identifier"> <section anchor="hss-algorithm-identifier">
<name>HSS Algorithm Identifier</name> <name>HSS Algorithm Identifier</name>
<t>The object identifier and public key algorithm identifier for HSS is
defined in <t>The object identifier and public key algorithm identifier for HSS
<xref target="I-D.ietf-lamps-rfc8708bis"/>. The definitions are repeated here fo is defined in <xref target="RFC9708"/>. The definitions are repeated
r reference.</t> here for reference.</t>
<t>The AlgorithmIdentifier for an HSS public key <bcp14>MUST</bcp14> use <t>The AlgorithmIdentifier for an HSS public key <bcp14>MUST</bcp14>
the id-alg-hss-lms-hashsig object identifier.</t> use the id-alg-hss-lms-hashsig object identifier.</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) alg(3) 17 } smime(16) alg(3) 17 }
]]></artwork> ]]></sourcecode>
<t>Note that the id-alg-hss-lms-hashsig algorithm identifier is also ref
erred to <t>Note that the id-alg-hss-lms-hashsig algorithm identifier is also
as id-alg-mts-hashsig. This synonym is based on the terminology used in an referred to as id-alg-mts-hashsig. This synonym is based on the
early draft of the document that became <xref target="RFC8554"/>.</t> terminology used in an early draft of the document that became <xref
<t>The public key and signature values identify the hash function and th target="RFC8554"/>.</t>
e height used in the <t>The public key and signature values identify the hash function and
HSS tree. <xref target="RFC8554"/> and <xref target="SP800208"/> define these va the height used in the HSS tree. <xref target="RFC8554"/> and <xref
lues, but an IANA registry target="SP800208"/> define these values, and additional identifiers can
<xref target="IANA-LMS"/> permits the registration of additional identifiers in be registered in the “Leighton-Micali Signatures (LMS)” registry <xref
the future.</t> target="IANA-LMS"/>.</t>
</section> </section>
<section anchor="xmss-algorithm-identifier"> <section anchor="xmss-algorithm-identifier">
<name>XMSS Algorithm Identifier</name> <name>XMSS Algorithm Identifier</name>
<t>The AlgorithmIdentifier for an XMSS public key <bcp14>MUST</bcp14> us
e the id-alg-xmss-hashsig object identifier.</t> <t>The AlgorithmIdentifier for an XMSS public key <bcp14>MUST</bcp14>
<artwork><![CDATA[ use the id-alg-xmss-hashsig object identifier.</t>
<sourcecode type="asn.1"><![CDATA[
id-alg-xmss-hashsig OBJECT IDENTIFIER ::= { id-alg-xmss-hashsig OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) algorithms(6) 34 } security(5) mechanisms(5) pkix(7) algorithms(6) 34 }
]]></artwork> ]]></sourcecode>
<t>The public key and signature values identify the hash function and th
e height used in the <t>The public key and signature values identify the hash function and
XMSS tree. <xref target="RFC8391"/> and <xref target="SP800208"/> define these v the height used in the XMSS tree. <xref target="RFC8391"/> and <xref
alues, but an IANA registry target="SP800208"/> define these values, and additional identifiers can
<xref target="IANA-XMSS"/> permits the registration of additional identifiers in be registered in the “Leighton-Micali Signatures (LMS)” registry <xref
the future.</t> target="IANA-XMSS"/>.</t>
</section> </section>
<section anchor="xmssmt-algorithm-identifier"> <section anchor="xmssmt-algorithm-identifier">
<name>XMSS^MT Algorithm Identifier</name> <name>XMSS<sup>MT</sup> Algorithm Identifier</name>
<t>The AlgorithmIdentifier for an XMSS^MT public key <bcp14>MUST</bcp14>
use the id-alg-xmssmt-hashsig object identifier.</t> <t>The AlgorithmIdentifier for an XMSS<sup>MT</sup> public key
<artwork><![CDATA[ <bcp14>MUST</bcp14> use the id-alg-xmssmt-hashsig object
identifier.</t>
<sourcecode type="asn.1"><![CDATA[
id-alg-xmssmt-hashsig OBJECT IDENTIFIER ::= { id-alg-xmssmt-hashsig OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) algorithms(6) 35 } security(5) mechanisms(5) pkix(7) algorithms(6) 35 }
]]></artwork> ]]></sourcecode>
<t>The public key and signature values identify the hash function and th
e height used in the <t>The public key and signature values identify the hash function and
XMSS^MT tree. <xref target="RFC8391"/> and <xref target="SP800208"/> define thes the height used in the XMSS<sup>MT</sup> tree. <xref target="RFC8391"/>
e values, but an IANA registry and
<xref target="IANA-XMSS"/> permits the registration of additional identifiers in <xref target="SP800208"/> define these values, and additional identifier
the future.</t> s can be registered in the “Leighton-Micali Signatures (LMS)” registry
<xref target="IANA-XMSS"/>.</t>
</section> </section>
</section> </section>
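Review bot: the rewritten registry sentences in the XMSS and XMSS^MT subsections name the "Leighton-Micali Signatures (LMS)" registry while citing <xref target="IANA-XMSS"/>, which is the same registry name the HSS subsection uses with <xref target="IANA-LMS"/>. This looks like the HSS sentence copied without adjusting the name; check the registry title against what the IANA-XMSS reference points to and correct it in both subsections. The curly quotes around the registry name are also raw non-ASCII characters in the XML source, so confirm they are intended rather than straight quotes.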
<section anchor="public-key-identifiers"> <section anchor="public-key-identifiers">
<name>Public Key Identifiers</name> <name>Public Key Identifiers</name>
<t>Certificates conforming to <xref target="RFC5280"/> can convey a public
key for any public key <t>Certificates conforming to <xref target="RFC5280"/> can convey a
algorithm. The certificate indicates the algorithm through an algorithm public key for any public key algorithm. The certificate indicates the
identifier. An algorithm identifier consists of an OID and optional parameters.< algorithm through an algorithm identifier. An algorithm identifier
/t> consists of an OID and optional parameters.</t>
<t><xref target="RFC8554"/> defines the encoding of HSS public keys and <x
ref target="RFC8391"/> defines the encodings of XMSS <t><xref target="RFC8554"/> defines the encoding of HSS public keys, and
and XMSS^MT public keys. <xref target="RFC8391"/> defines the encodings of XMSS and XMSS<sup>MT</su
When used in a SubjectPublicKeyInfo type, the subjectPublicKey BIT STRING contai p>
ns public keys. When used in a SubjectPublicKeyInfo type, the
these encodings of the public key.</t> subjectPublicKey BIT STRING contains these encodings of the public
<t>This document defines ASN.1 <xref target="X680"/> OCTET STRING types fo key.</t>
r encoding the public keys
when not used in a SubjectPublicKeyInfo. The OCTET STRING is mapped to a <t>This document defines ASN.1 <xref target="X680"/> OCTET STRING types
subjectPublicKey (a value of type BIT STRING) as follows: the most significant for encoding the public keys when not used in a
bit of the OCTET STRING value becomes the most significant bit of the BIT SubjectPublicKeyInfo. The OCTET STRING is mapped to a subjectPublicKey
STRING value, and so on; the least significant bit of the OCTET STRING (a value of type BIT STRING) as follows: the most significant bit of the
becomes the least significant bit of the BIT STRING.</t> OCTET STRING value becomes the most significant bit of the BIT STRING
value, and so on; the least significant bit of the OCTET STRING becomes
the least significant bit of the BIT STRING.</t>
<section anchor="hss-public-keys"> <section anchor="hss-public-keys">
<name>HSS Public Keys</name> <name>HSS Public Keys</name>
<t>The HSS public key identifier is as follows:</t> <t>The HSS public key identifier is as follows:</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
pk-HSS-LMS-HashSig PUBLIC-KEY ::= { pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
IDENTIFIER id-alg-hss-lms-hashsig IDENTIFIER id-alg-hss-lms-hashsig
-- KEY no ASN.1 wrapping -- -- KEY no ASN.1 wrapping --
PARAMS ARE absent PARAMS ARE absent
CERT-KEY-USAGE CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign } } { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
]]></artwork> ]]></sourcecode>
<t>The HSS public key is defined as follows:</t> <t>The HSS public key is defined as follows:</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
HSS-LMS-HashSig-PublicKey ::= OCTET STRING HSS-LMS-HashSig-PublicKey ::= OCTET STRING
]]></artwork> ]]></sourcecode>
<t><xref target="RFC8554"/> defines the encoding of an HSS public key us
ing the <t>
<tt>hss_public_key</tt> structure. See <xref target="SP800208"/> and <xref targe <xref target="RFC8554"/> defines the encoding of an HSS public key
t="RFC8554"/> for more information on using the <tt>hss_public_key</tt> structure. See <xref
the contents and format of an HSS public key. Note that the Leighton-Micali Sign target="SP800208"/> and <xref target="RFC8554"/> for more
ature (LMS) single-tree signature information on the contents and format of an HSS public key. Note
scheme is instantiated as HSS with number of levels being equal to 1.</t> that the Leighton-Micali Signature (LMS) single-tree signature
scheme is instantiated as HSS with the number of levels being equal
to 1.</t>
</section> </section>
<section anchor="xmss-public-keys"> <section anchor="xmss-public-keys">
<name>XMSS Public Keys</name> <name>XMSS Public Keys</name>
<t>The XMSS public key identifier is as follows:</t> <t>The XMSS public key identifier is as follows:</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
pk-XMSS-HashSig PUBLIC-KEY ::= { pk-XMSS-HashSig PUBLIC-KEY ::= {
IDENTIFIER id-alg-xmss-hashsig IDENTIFIER id-alg-xmss-hashsig
-- KEY no ASN.1 wrapping -- -- KEY no ASN.1 wrapping --
PARAMS ARE absent PARAMS ARE absent
CERT-KEY-USAGE CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign } } { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
]]></artwork> ]]></sourcecode>
<t>The XMSS public key is defined as follows:</t> <t>The XMSS public key is defined as follows:</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
XMSS-HashSig-PublicKey ::= OCTET STRING XMSS-HashSig-PublicKey ::= OCTET STRING
]]></artwork> ]]></sourcecode>
<t><xref target="RFC8391"/> defines the encoding of an XMSS public key u sing the <t><xref target="RFC8391"/> defines the encoding of an XMSS public key u sing the
<tt>xmss_public_key</tt> structure. See <xref target="SP800208"/> and <xref targ et="RFC8391"/> for more information <tt>xmss_public_key</tt> structure. See <xref target="SP800208"/> and <xref targ et="RFC8391"/> for more information
on the contents and format of an XMSS public key.</t> on the contents and format of an XMSS public key.</t>
</section> </section>
<section anchor="xmssmt-public-keys"> <section anchor="xmssmt-public-keys">
<name>XMSS^MT Public Keys</name> <name>XMSS<sup>MT</sup> Public Keys</name>
<t>The XMSS^MT public key identifier is as follows:</t> <t>The XMSS<sup>MT</sup> public key identifier is as follows:</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
pk-XMSSMT-HashSig PUBLIC-KEY ::= { pk-XMSSMT-HashSig PUBLIC-KEY ::= {
IDENTIFIER id-alg-xmssmt-hashsig IDENTIFIER id-alg-xmssmt-hashsig
-- KEY no ASN.1 wrapping -- -- KEY no ASN.1 wrapping --
PARAMS ARE absent PARAMS ARE absent
CERT-KEY-USAGE CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign } } { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
]]></artwork> ]]></sourcecode>
<t>The XMSS^MT public key is defined as follows:</t>
<artwork><![CDATA[ <t>The XMSS<sup>MT</sup> public key is defined as follows:</t>
<sourcecode type="asn.1"><![CDATA[
XMSSMT-HashSig-PublicKey ::= OCTET STRING XMSSMT-HashSig-PublicKey ::= OCTET STRING
]]></artwork> ]]></sourcecode>
<t><xref target="RFC8391"/> defines the encoding of an XMSS^MT public ke
y using the <t><xref target="RFC8391"/> defines the encoding of an XMSS<sup>MT</sup>
public key using the
<tt>xmssmt_public_key</tt> structure. See <xref target="SP800208"/> and <xref ta rget="RFC8391"/> for more information <tt>xmssmt_public_key</tt> structure. See <xref target="SP800208"/> and <xref ta rget="RFC8391"/> for more information
on the contents and format of an XMSS^MT public key.</t> on the contents and format of an XMSS<sup>MT</sup> public key.</t>
</section> </section>
</section> </section>
<section anchor="key-usage-bits"> <section anchor="key-usage-bits">
<name>Key Usage Bits</name> <name>Key Usage Bits</name>
<t>The intended application for the key is indicated in the keyUsage certi
ficate <t>The intended application for the key is indicated in the keyUsage
extension <xref target="RFC5280"/>. certificate extension <xref target="RFC5280"/>. When
When id-alg-hss-lms-hashsig, id-alg-xmss-hashsig or id-alg-xmssmt-hashsig appear id-alg-hss-lms-hashsig, id-alg-xmss-hashsig, or id-alg-xmssmt-hashsig
s in the SubjectPublicKeyInfo appears in the SubjectPublicKeyInfo field of a CA X.509 certificate
field of a CA X.509 certificate <xref target="RFC5280"/>, the <xref target="RFC5280"/>, the certificate key usage extension
certificate key usage extension <bcp14>MUST</bcp14> contain at least one of the <bcp14>MUST</bcp14> contain at least one of the following values:
following values: digitalSignature, nonRepudiation, keyCertSign, or digitalSignature, nonRepudiation, keyCertSign, or cRLSign. However, it
cRLSign. However, it <bcp14>MUST NOT</bcp14> contain other values.</t> <bcp14>MUST NOT</bcp14> contain other values.</t>
<t>When id-alg-hss-lms-hashsig, id-alg-xmss-hashsig or id-alg-xmssmt-hashs
ig appears in the SubjectPublicKeyInfo <t>When id-alg-hss-lms-hashsig, id-alg-xmss-hashsig, or
field of an end entity X.509 certificate <xref target="RFC5280"/>, the certifica id-alg-xmssmt-hashsig appears in the SubjectPublicKeyInfo field of an
te key usage end entity X.509 certificate <xref target="RFC5280"/>, the certificate
extension <bcp14>MUST</bcp14> contain at least one of the following values: digi key usage extension <bcp14>MUST</bcp14> contain at least one of the
talSignature, following values: digitalSignature, nonRepudiation or cRLSign. However,
nonRepudiation or cRLSign. However, it <bcp14>MUST NOT</bcp14> contain other val it <bcp14>MUST NOT</bcp14> contain other values.</t>
ues.</t>
</section> </section>
<section anchor="signature-algorithms"> <section anchor="signature-algorithms">
<name>Signature Algorithms</name> <name>Signature Algorithms</name>
<t>The same OIDs used to identify HSS, XMSS, and XMSS^MT public keys are a
lso used to identify their respective signatures. <t>The same OIDs used to identify HSS, XMSS, and XMSS<sup>MT</sup> public
When these algorithm identifiers appear in the algorithm field of an keys are
AlgorithmIdentifier, the encoding <bcp14>MUST</bcp14> omit the parameters field. also used to identify their respective signatures. When these algorithm
That is, the identifiers appear in the algorithm field of an AlgorithmIdentifier, the
AlgorithmIdentifier <bcp14>SHALL</bcp14> be a SEQUENCE of one component, one of encoding <bcp14>MUST</bcp14> omit the parameters field. That is, the
the OIDs AlgorithmIdentifier <bcp14>SHALL</bcp14> be a SEQUENCE of one component,
defined in the following subsections.</t> one of the OIDs defined in the following subsections.</t>
<t>When the signature algorithm identifiers described in this document are
used to <t>When the signature algorithm identifiers described in this document
create a signature on a message, no digest algorithm is applied to the message are used to create a signature on a message, no digest algorithm is
before signing. That is, the full data to be signed is signed rather than applied to the message before signing. That is, the full data to be
a digest of the data.</t> signed is signed rather than a digest of the data.</t>
<t>The format of an HSS signature is described in <xref section="6.2" sect
ionFormat="of" target="RFC8554"/>. The format <t>The format of an HSS signature is described in <xref section="6.2"
of an XMSS signature is described in <xref section="B.2" sectionFormat="of" targ sectionFormat="of" target="RFC8554"/>. The format of an XMSS signature
et="RFC8391"/> and the format of is described in <xref section="B.2" sectionFormat="of"
an XMSS^MT signature is described in <xref section="C.2" sectionFormat="of" targ target="RFC8391"/>, and the format of an XMSS<sup>MT</sup> signature is de
et="RFC8391"/>. scribed
The octet string representing the signature is encoded in <xref section="C.2" sectionFormat="of" target="RFC8391"/>. The octet
directly in a BIT STRING without adding any additional ASN.1 wrapping. For string representing the signature is encoded directly in a BIT STRING
the Certificate and CertificateList structures, the octet string is encoded without adding any additional ASN.1 wrapping. For the Certificate and
in the "signatureValue" BIT STRING field.</t> CertificateList structures, the octet string is encoded in the
"signatureValue" BIT STRING field.</t>
<section anchor="hss-signature-algorithm"> <section anchor="hss-signature-algorithm">
<name>HSS Signature Algorithm</name> <name>HSS Signature Algorithm</name>
<t>The id-alg-hss-lms-hashsig OID is used to specify that an HSS signatu
re was <t>The id-alg-hss-lms-hashsig OID is used to specify that an HSS
generated on the full message, i.e. the message was not hashed before being signature was generated on the full message, i.e., the message was not
processed by the HSS signature algorithm.</t> hashed before being processed by the HSS signature algorithm.</t>
<t>See <xref target="SP800208"/> and <xref target="RFC8554"/> for more i
nformation on the contents and <t>See <xref target="SP800208"/> and <xref target="RFC8554"/> for more
format of an HSS signature.</t> information on the contents and format of an HSS signature.</t>
</section> </section>
<section anchor="xmss-signature-algorithm"> <section anchor="xmss-signature-algorithm">
<name>XMSS Signature Algorithm</name> <name>XMSS Signature Algorithm</name>
<t>The id-alg-xmss-hashsig OID is used to specify that an XMSS signature
was <t>The id-alg-xmss-hashsig OID is used to specify that an XMSS
generated on the full message, i.e. the message was not hashed before being signature was generated on the full message, i.e., the message was not
processed by the XMSS signature algorithm.</t> hashed before being processed by the XMSS signature algorithm.</t>
<t>See <xref target="SP800208"/> and <xref target="RFC8391"/> for more i
nformation on the contents and <t>See <xref target="SP800208"/> and <xref target="RFC8391"/> for more
format of an XMSS signature.</t> information on the contents and format of an XMSS signature.</t>
<t>The signature generation <bcp14>MUST</bcp14> be performed according t
o 7.2 of <t>The signature generation <bcp14>MUST</bcp14> be performed according
<xref target="SP800208"/>.</t> to Section 7.2 of <xref target="SP800208"/>.</t>
</section> </section>
<section anchor="xmssmt-signature-algorithm"> <section anchor="xmssmt-signature-algorithm">
<name>XMSS^MT Signature Algorithm</name> <name>XMSS<sup>MT</sup> Signature Algorithm</name>
<t>The id-alg-xmssmt-hashsig OID is used to specify that an XMSS^MT sign
ature <t>The id-alg-xmssmt-hashsig OID is used to specify that an XMSS<sup>MT<
was generated on the full message, i.e. the message was not hashed before being /sup>
processed by the XMSS^MT signature algorithm.</t> signature was generated on the full message, i.e., the message was not
<t>See <xref target="SP800208"/> and <xref target="RFC8391"/> for more i hashed before being processed by the XMSS<sup>MT</sup> signature algorit
nformation on the contents and hm.</t>
format of an XMSS^MT signature.</t>
<t>The signature generation <bcp14>MUST</bcp14> be performed according t <t>See <xref target="SP800208"/> and <xref target="RFC8391"/> for more
o 7.2 of information on the contents and format of an XMSS<sup>MT</sup> signature
<xref target="SP800208"/>.</t> .</t>
<t>The signature generation <bcp14>MUST</bcp14> be performed according
to Section 7.2 of <xref target="SP800208"/>.</t>
</section> </section>
</section> </section>
<section anchor="key-generation"> <section anchor="key-generation">
<name>Key Generation</name> <name>Key Generation</name>
<t>The key generation for XMSS and XMSS^MT <bcp14>MUST</bcp14> be performe
d according to 7.2 of <t>The key generation for XMSS and XMSS<sup>MT</sup> <bcp14>MUST</bcp14> b
<xref target="SP800208"/></t> e
performed according to Section 7.2 of <xref target="SP800208"/>.</t>
</section> </section>
<section anchor="sec-asn1"> <section anchor="sec-asn1">
<name>ASN.1 Module</name> <name>ASN.1 Module</name>
<t>For reference purposes, the ASN.1 syntax is presented as an ASN.1 modul
e here <xref target="X680"/>. <t>For reference purposes, the ASN.1 syntax is presented as an ASN.1
Note that as per <xref target="RFC5280"/>, certificates use the Distinguished En module here <xref target="X680"/>. Note that as per <xref
coding Rules; see target="RFC5280"/>, certificates use the Distinguished Encoding Rules;
<xref target="X690"/>. see <xref target="X690"/>. This ASN.1 module builds upon the
This ASN.1 Module builds upon the conventions established in <xref target="RFC59 conventions established in <xref target="RFC5912"/>. This module imports
12"/>. This objects from <xref target="RFC5912"/> and <xref
module imports objects from <xref target="RFC5912"/> and <xref target="I-D.ietf- target="RFC9708"/>.</t>
lamps-rfc8708bis"/>.</t>
<t>RFC EDITOR: Please replace <xref target="I-D.ietf-lamps-rfc8708bis"/> i <sourcecode type="asn1"><![CDATA[
n the module with a reference to the published RFC.</t>
<artwork><![CDATA[
X509-SHBS-2024 X509-SHBS-2024
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-shbs-2024(TBD) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-shbs-2024(114) }
DEFINITIONS IMPLICIT TAGS ::= BEGIN DEFINITIONS IMPLICIT TAGS ::= BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
PUBLIC-KEY, SIGNATURE-ALGORITHM PUBLIC-KEY, SIGNATURE-ALGORITHM
FROM AlgorithmInformation-2009 -- [RFC5912] FROM AlgorithmInformation-2009 -- [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) } id-mod-algorithmInformation-02(58) }
sa-HSS-LMS-HashSig, pk-HSS-LMS-HashSig sa-HSS-LMS-HashSig, pk-HSS-LMS-HashSig
FROM MTS-HashSig-2013 -- [I-D.ietf-lamps-rfc8708bis] FROM MTS-HashSig-2013 -- [RFC9708]
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
id-smime(16) id-mod(0) id-mod-mts-hashsig-2013(64) }; id-smime(16) id-mod(0) id-mod-mts-hashsig-2013(64) };
-- --
-- Object Identifiers -- Object Identifiers
-- --
-- id-alg-hss-lms-hashsig is defined in [RFC9708]
id-alg-xmss-hashsig OBJECT IDENTIFIER ::= { id-alg-xmss-hashsig OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5) iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) algorithms(6) 34 } mechanisms(5) pkix(7) algorithms(6) 34 }
id-alg-xmssmt-hashsig OBJECT IDENTIFIER ::= { id-alg-xmssmt-hashsig OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5) iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) algorithms(6) 35 } mechanisms(5) pkix(7) algorithms(6) 35 }
-- --
-- Signature Algorithms and Public Keys -- Signature Algorithms and Public Keys
-- --
-- sa-HSS-LMS-HashSig is defined in [RFC9708]
sa-XMSS-HashSig SIGNATURE-ALGORITHM ::= { sa-XMSS-HashSig SIGNATURE-ALGORITHM ::= {
IDENTIFIER id-alg-xmss-hashsig IDENTIFIER id-alg-xmss-hashsig
PARAMS ARE absent PARAMS ARE absent
PUBLIC-KEYS { pk-XMSS-HashSig } PUBLIC-KEYS { pk-XMSS-HashSig }
SMIME-CAPS { IDENTIFIED BY id-alg-xmss-hashsig } } SMIME-CAPS { IDENTIFIED BY id-alg-xmss-hashsig } }
sa-XMSSMT-HashSig SIGNATURE-ALGORITHM ::= { sa-XMSSMT-HashSig SIGNATURE-ALGORITHM ::= {
IDENTIFIER id-alg-xmssmt-hashsig IDENTIFIER id-alg-xmssmt-hashsig
PARAMS ARE absent PARAMS ARE absent
PUBLIC-KEYS { pk-XMSSMT-HashSig } PUBLIC-KEYS { pk-XMSSMT-HashSig }
SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt-hashsig } } SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt-hashsig } }
-- pk-HSS-LMS-HashSig is defined in [RFC9708]
pk-XMSS-HashSig PUBLIC-KEY ::= { pk-XMSS-HashSig PUBLIC-KEY ::= {
IDENTIFIER id-alg-xmss-hashsig IDENTIFIER id-alg-xmss-hashsig
-- KEY no ASN.1 wrapping -- -- KEY no ASN.1 wrapping --
PARAMS ARE absent PARAMS ARE absent
CERT-KEY-USAGE CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign } } { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
XMSS-HashSig-PublicKey ::= OCTET STRING XMSS-HashSig-PublicKey ::= OCTET STRING
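Review bot: The new sourcecode element that opens the ASN.1 module is tagged type="asn1", while the two XMSS^MT public key blocks converted earlier in this hunk are tagged type="asn.1". Use one spelling for all three (the "asn.1" already used for the key blocks) so that tooling which selects source code by type handles the key definitions and the module alike. A smaller style point in the end entity key usage paragraph: the new text adds a serial comma to the OID list ("id-alg-xmss-hashsig, or id-alg-xmssmt-hashsig") but leaves "digitalSignature, nonRepudiation or cRLSign" without one, unlike the CA paragraph just above it.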
skipping to change at line 479 skipping to change at line 601
-- --
SignatureAlgs SIGNATURE-ALGORITHM ::= { SignatureAlgs SIGNATURE-ALGORITHM ::= {
-- This expands SignatureAlgorithms from RFC 5912 -- This expands SignatureAlgorithms from RFC 5912
sa-HSS-LMS-HashSig | sa-HSS-LMS-HashSig |
sa-XMSS-HashSig | sa-XMSS-HashSig |
sa-XMSSMT-HashSig, sa-XMSSMT-HashSig,
... ...
} }
END END
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="sec-security"> <section anchor="sec-security">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>The security requirements of <xref target="SP800208"/> <bcp14>MUST</bcp 14> be taken into account.</t> <t>The security requirements of <xref target="SP800208"/> <bcp14>MUST</bcp 14> be taken into account.</t>
<t>As stateful HBS private keys can only generate a limited number of sign <t>As stateful HBS private keys can only generate a limited number of
atures, a signatures, a user needs to be aware of the total number of signatures
user needs to be aware of the total number of signatures they intend to they intend to generate in their use case; otherwise, they risk
generate in their use case, otherwise they risk exhausting the number of OTS exhausting the number of OTS keys in their private key.</t>
keys in their private key.</t> <t>For stateful HBS schemes, it is crucial to stress the importance of
<t>For stateful HBS schemes, it is crucial to stress the importance of cor
rect state management. correct state management. If an attacker were able to obtain signatures
If an attacker were able to obtain signatures for two different messages for two different messages created using the same OTS key, then it would
created using the same OTS key, then it would become computationally feasible become computationally feasible for that attacker to create forgeries
for that attacker to create forgeries <xref target="BH16"/>. As noted in <xref t <xref target="BH16"/>. As noted in <xref target="MCGREW"/> and <xref
arget="MCGREW"/> and target="ETSI-TR-103-692"/>, extreme care needs to be taken in order to
<xref target="ETSI-TR-103-692"/>, extreme care needs to be taken in order to avo avoid the risk that an OTS key will be reused accidentally. This is a
id the risk new requirement that most developers will not be familiar with and
that an OTS key will be reused accidentally. This is a new requirement that requires careful handling.</t>
most developers will not be familiar with and requires careful handling.</t>
<t>Various strategies for a correct state management can be applied:</t> <t>Various strategies for a correct state management can be applied:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Implement a record of all signatures generated by a key pair associ <t>Implement a record of all signatures generated by a key pair
ated associated with a stateful HBS instance, for example, by logging the
with a stateful HBS instance, for example by logging the OTS key indexes OTS key indexes as signatures are generated. This record may be
as signatures are generated. This record may be stored outside the stored outside the device that is used to generate the
device which is used to generate the signature. Check the record to signature. Check the record to prevent OTS key reuse before a new
prevent OTS key reuse before a new signature is released. If OTS key reuse signature is released. If OTS key reuse is detected, freeze all new
is detected, freeze all new signature generation by the private key, signature generation by the private key, re-audit previously
re-audit previously released signatures (possibly revoking the private key released signatures (possibly revoking the private key if previously
if previously released signatures showed OTS key reuse), and perform a post-fail released signatures showed OTS key reuse), and perform a
ure audit.</t> post-failure audit.</t>
</li> </li>
<li> <li>
<t>Use a stateful HBS instance only for a moderate number of signature <t>Use a stateful HBS instance only for a moderate number of
s such signatures such that it is always practical to keep a consistent
that it is always practical to keep a consistent record and be able to record and be able to unambiguously trace back all generated
unambiguously trace back all generated signatures.</t> signatures.</t>
</li> </li>
<li> <li>
<t>Apply the state reservation strategy described in Section 5 of <xre <t>Apply the state reservation strategy described in Section 5 of
f target="MCGREW"/>, where <xref target="MCGREW"/>, where upcoming states are reserved in
upcoming states are reserved in advance by the signer. In this way the number of advance by the signer. In this way, the number of state
state synchronisations between nonvolatile and volatile memory is reduced.</t> synchronizations between nonvolatile and volatile memory is
reduced.</t>
</li> </li>
</ul> </ul>
</section> </section>
<section anchor="backup-restore"> <section anchor="backup-restore">
<name>Backup and Restore Management</name> <name>Backup and Restore Management</name>
<t>Certificate Authorities have high demands in order to ensure the availa
bility <t>Certificate Authorities have high demands in order to ensure the
of signature generation throughout the validity period of signing key pairs.</t> availability of signature generation throughout the validity period of
<t>Usual backup and restore strategies when using a stateless signature sc signing key pairs.</t>
heme
(e.g. SLH-DSA) are to duplicate private keying material and to operate <!-- [rfced] Please review some questions regarding the following text:
redundant signing devices or to store and safeguard a copy of the private
keying material such that it can be used to set up a new signing device in case a) For ease of the reader, may we reformat this text as follows?
of technical difficulties.</t>
<t>For stateful HBS schemes, such straightforward backup and restore strat Original:
egies will lead to OTS Usual backup and restore strategies when using a stateless signature
reuse with high probability as a correct state management is not guaranteed. scheme (e.g. SLH-DSA) are to duplicate private keying material and
Strategies for maintaining availability and keeping a correct state are to operate redundant signing devices or to store and safeguard a copy
described in Section 7 of <xref target="SP800208"/> and <xref target="I-D.draft- of the private keying material such that it can be used to set up a
wiggers-hbs-state"/>.</t> new signing device in case of technical difficulties.
Perhaps:
Usual backup and restore strategies when using a stateless signature
scheme (e.g., SLH-DSA) are to:
* duplicate private keying material and operate redundant signing
devices, or
* store and safeguard a copy of the private keying material such that it
can be used to set up a new signing device in case of technical
difficulties.
-->
<t>Usual backup and restore strategies when using a stateless signature
scheme (e.g., SLH-DSA) are to duplicate private keying material and to
operate redundant signing devices or to store and safeguard a copy of
the private keying material such that it can be used to set up a new
signing device in case of technical difficulties.</t>
<t>For stateful HBS schemes, such straightforward backup and restore
strategies will lead to OTS reuse with high probability as a correct
state management is not guaranteed. Strategies for maintaining
availability and keeping a correct state are described in Section 7 of
<xref target="SP800208"/> and <xref target="I-D.wiggers-hbs-state"/>.</t>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>One object identifier for the ASN.1 module in <xref target="sec-asn1"/>
is requested <t>IANA has registered the following object identifier for the ASN.1 modul
for the SMI Security for PKIX Module Identifiers (1.3.6.1.5.5.7.0) e (see <xref
registry:</t> target="sec-asn1"/>) in the "SMI Security for PKIX Module
Identifier" (1.3.6.1.5.5.7.0) registry:</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">Decimal</th> <th align="left">Decimal</th>
<th align="left">Description</th> <th align="left">Description</th>
<th align="left">References</th> <th align="left">References</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">TBD</td> <td align="left">114</td>
<td align="left">id-mod-pkix1-shbs-2024</td> <td align="left">id-mod-pkix1-shbs-2024</td>
<td align="left">[EDNOTE: THIS RFC]</td> <td align="left">RFC 9802</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>IANA has updated the "SMI Security for PKIX Algorithms" (1.3.6.1.5.5.7.
6) <t>IANA has registered the following entries in the "SMI Security for PKIX
registry <xref target="SMI-PKIX"/> with two additional entries:</t> Algorithms"
(1.3.6.1.5.5.7.6) registry <xref target="SMI-PKIX"/>:</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">Decimal</th> <th align="left">Decimal</th>
<th align="left">Description</th> <th align="left">Description</th>
<th align="left">References</th> <th align="left">References</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">34</td> <td align="left">34</td>
<td align="left">id-alg-xmss-hashsig</td> <td align="left">id-alg-xmss-hashsig</td>
<td align="left">[EDNOTE: THIS RFC]</td> <td align="left">RFC 9802</td>
</tr> </tr>
<tr> <tr>
<td align="left">35</td> <td align="left">35</td>
<td align="left">id-alg-xmssmt-hashsig</td> <td align="left">id-alg-xmssmt-hashsig</td>
<td align="left">[EDNOTE: THIS RFC]</td> <td align="left">RFC 9802</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.wiggers-hbs-state" to="S-HBS"/>
<references anchor="sec-combined-references"> <references anchor="sec-combined-references">
<name>References</name> <name>References</name>
<references anchor="sec-normative-references"> <references anchor="sec-normative-references">
<name>Normative References</name> <name>Normative References</name>
<reference anchor="I-D.ietf-lamps-rfc8708bis">
<front>
<title>Use of the HSS/LMS Hash-Based Signature Algorithm in the Cryp
tographic Message Syntax (CMS)</title>
<author fullname="Russ Housley" initials="R." surname="Housley">
<organization>Vigil Security, LLC</organization>
</author>
<date day="19" month="September" year="2024"/>
<abstract>
<t> This document specifies the conventions for using the Hierar
chical
Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based
signature algorithm with the Cryptographic Message Syntax (CMS). In
addition, the algorithm identifier and public key syntax are
provided. The HSS/LMS algorithm is one form of hash-based digital
signature; it is described in RFC 8554. This document obsoletes RFC
8708.
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
</abstract> 708.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-rfc8708bis-0 912.xml"/>
3"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
</reference> 280.xml"/>
<reference anchor="RFC5912"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<front> 391.xml"/>
<title>New ASN.1 Modules for the Public Key Infrastructure Using X.5 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
09 (PKIX)</title> 554.xml"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="June" year="2010"/>
<abstract>
<t>The Public Key Infrastructure using X.509 (PKIX) certificate fo
rmat, and many associated formats, are expressed using ASN.1. The current ASN.1
modules conform to the 1988 version of ASN.1. This document updates those ASN.1
modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire c
hanges to any of the formats; this is simply a change to the syntax. This docume
nt is not an Internet Standards Track specification; it is published for informa
tional purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5912"/>
<seriesInfo name="DOI" value="10.17487/RFC5912"/>
</reference>
<reference anchor="RFC5280">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Cert
ificate Revocation List (CRL) Profile</title>
<author fullname="D. Cooper" initials="D." surname="Cooper"/>
<author fullname="S. Santesson" initials="S." surname="Santesson"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"/>
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="W. Polk" initials="W." surname="Polk"/>
<date month="May" year="2008"/>
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif
icate revocation list (CRL) for use in the Internet. An overview of this approac
h and model is provided as an introduction. The X.509 v3 certificate format is d
escribed in detail, with additional information regarding the format and semanti
cs of Internet name forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required certificate extensi
ons is specified. The X.509 v2 CRL format is described in detail along with stan
dard and Internet-specific extensions. An algorithm for X.509 certification path
validation is described. An ASN.1 module and examples are provided in the appen
dices. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC8391">
<front>
<title>XMSS: eXtended Merkle Signature Scheme</title>
<author fullname="A. Huelsing" initials="A." surname="Huelsing"/>
<author fullname="D. Butin" initials="D." surname="Butin"/>
<author fullname="S. Gazdag" initials="S." surname="Gazdag"/>
<author fullname="J. Rijneveld" initials="J." surname="Rijneveld"/>
<author fullname="A. Mohaisen" initials="A." surname="Mohaisen"/>
<date month="May" year="2018"/>
<abstract>
<t>This note describes the eXtended Merkle Signature Scheme (XMSS)
, a hash-based digital signature system that is based on existing descriptions i
n scientific literature. This note specifies Winternitz One-Time Signature Plus
(WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a
multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building
block. XMSS provides cryptographic digital signatures without relying on the con
jectured hardness of mathematical problems. Instead, it is proven that it only r
elies on the properties of cryptographic hash functions. XMSS provides strong se
curity guarantees and is even secure when the collision resistance of the underl
ying hash function is broken. It is suitable for compact implementations, is rel
atively simple to implement, and naturally resists side-channel attacks. Unlike
most other signature systems, hash-based signatures can so far withstand known a
ttacks using quantum computers.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8391"/>
<seriesInfo name="DOI" value="10.17487/RFC8391"/>
</reference>
<reference anchor="RFC8554">
<front>
<title>Leighton-Micali Hash-Based Signatures</title>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<author fullname="M. Curcio" initials="M." surname="Curcio"/>
<author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
<date month="April" year="2019"/>
<abstract>
<t>This note describes a digital-signature system based on cryptog
raphic hash functions, following the seminal work in this area of Lamport, Diffi
e, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifi
es a one-time signature scheme and a general signature scheme. These systems pro
vide asymmetric authentication without using large integer mathematics and can a
chieve a high security level. They are suitable for compact implementations, are
relatively simple to implement, and are naturally resistant to side-channel att
acks. Unlike many other signature systems, hash-based signatures would still be
secure even if it proves feasible for an attacker to build a quantum computer.</
t>
<t>This document is a product of the Crypto Forum Research Group (
CFRG) in the IRTF. This has been reviewed by many researchers, both in the resea
rch group and outside of it. The Acknowledgements section lists many of them.</t
>
</abstract>
</front>
<seriesInfo name="RFC" value="8554"/>
<seriesInfo name="DOI" value="10.17487/RFC8554"/>
</reference>
<reference anchor="SP800208" target="https://doi.org/10.6028/NIST.SP.800 -208"> <reference anchor="SP800208" target="https://doi.org/10.6028/NIST.SP.800 -208">
<front> <front>
<title>Recommendation for Stateful Hash-Based Signature Schemes</tit le> <title>Recommendation for Stateful Hash-Based Signature Schemes</tit le>
<author initials="" surname="National Institute of Standards and Tec <author fullname="David A. Cooper" surname="Cooper" initials="D"/>
hnology (NIST)"> <author fullname="Daniel C. Apon" surname="Apon" initials="D"/>
<organization/> <author fullname="Quynh H. Dang" surname="Dang" initials="Q"/>
</author> <author fullname="Michael S. Davidson" surname="Davidson" initials="
M"/>
<author fullname="Morris J. Dworkin" surname="Dworkin" initials="M"/
>
<author fullname="Carl A. Miller" surname="Miller" initials="C"/>
<date year="2020" month="October" day="29"/> <date year="2020" month="October" day="29"/>
</front> </front>
<seriesInfo name="NIST SP" value="800-208"/>
<seriesInfo name="DOI" value="10.6028/nist.sp.800-208"/>
</reference> </reference>
<reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680">
<front> <front>
<title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title> <title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2021" month="February"/> <date year="2021" month="February"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ITU-T Recommendation" value="X.680"/>
<seriesInfo name="ISO/IEC" value="8824-1:2021"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/>
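Review bot: The new side of the Backup and Restore Management section still carries the "[rfced] Please review some questions" comment, with its Original/Perhaps proposal to turn the stateless backup strategies into a two-item list. The paragraph that follows keeps the original sentence with only "e.g.," changed, so the query looks unanswered. Decide on the list form, then remove the comment. In the SP800208 reference, the added DOI seriesInfo value is lower case ("10.6028/nist.sp.800-208") while the target URL on the same entry uses "10.6028/NIST.SP.800-208"; pick one casing so the two render consistently.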
skipping to change at line 686 skipping to change at line 787
<front> <front>
<title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title> <title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2021" month="February"/> <date year="2021" month="February"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ITU-T Recommendation" value="X.680"/>
<seriesInfo name="ISO/IEC" value="8824-1:2021"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/>
</reference> </reference>
<reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690"> <reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690">
<front> <front>
<title>Information technology - Abstract Syntax Notation One (ASN.1) <title>Information technology: ASN.1 encoding rules: Specification
: ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical E of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and
ncoding Rules (CER) and Distinguished Encoding Rules (DER)</title> Distinguished Encoding Rules (DER)</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2021" month="February"/> <date year="2021" month="February"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="X.690"/> <seriesInfo name="ITU-T Recommendation" value="X.690"/>
<seriesInfo name="ISO/IEC" value="8825-1:2021"/> <seriesInfo name="ISO/IEC" value="8825-1:2021"/>
</reference> </reference>
<reference anchor="RFC2119">
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
<title>Key words for use in RFCs to Indicate Requirement Levels</tit 119.xml"/>
le> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<author fullname="S. Bradner" initials="S." surname="Bradner"/> 174.xml"/>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized. T
his document defines these words as they should be interpreted in IETF documents
. This document specifies an Internet Best Current Practices for the Internet Co
mmunity, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
</references> </references>
<references anchor="sec-informative-references"> <references anchor="sec-informative-references">
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC3279"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
<front> 279.xml"/>
<title>Algorithms and Identifiers for the Internet X.509 Public Key <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> 647.xml"/>
<author fullname="L. Bassham" initials="L." surname="Bassham"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
<author fullname="W. Polk" initials="W." surname="Polk"/> 949.xml"/>
<author fullname="R. Housley" initials="R." surname="Housley"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<date month="April" year="2002"/> 410.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<t>This document specifies algorithm identifiers and ASN.1 encodin 411.xml"/>
g formats for digital signatures and subject public keys used in the Internet X.
509 Public Key Infrastructure (PKI). Digital signatures are used to sign certifi
cates and certificate revocation list (CRLs). Certificates include the public ke
y of the named subject. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3279"/>
<seriesInfo name="DOI" value="10.17487/RFC3279"/>
</reference>
<reference anchor="RFC3647">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate Policy a
nd Certification Practices Framework</title>
<author fullname="S. Chokhani" initials="S." surname="Chokhani"/>
<author fullname="W. Ford" initials="W." surname="Ford"/>
<author fullname="R. Sabett" initials="R." surname="Sabett"/>
<author fullname="C. Merrill" initials="C." surname="Merrill"/>
<author fullname="S. Wu" initials="S." surname="Wu"/>
<date month="November" year="2003"/>
<abstract>
<t>This document presents a framework to assist the writers of cer
tificate policies or certification practice statements for participants within p
ublic key infrastructures, such as certification authorities, policy authorities
, and communities of interest that wish to rely on certificates. In particular,
the framework provides a comprehensive list of topics that potentially (at the w
riter's discretion) need to be covered in a certificate policy or a certificatio
n practice statement. This document supersedes RFC 2527.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3647"/>
<seriesInfo name="DOI" value="10.17487/RFC3647"/>
</reference>
<reference anchor="RFC4949">
<front>
<title>Internet Security Glossary, Version 2</title>
<author fullname="R. Shirey" initials="R." surname="Shirey"/>
<date month="August" year="2007"/>
<abstract>
<t>This Glossary provides definitions, abbreviations, and explanat
ions of terminology for information system security. The 334 pages of entries of
fer recommendations to improve the comprehensibility of written material that is
generated in the Internet Standards Process (RFC 2026). The recommendations fol
low the principles that such writing should (a) use the same term or definition
whenever the same concept is mentioned; (b) use terms in their plainest, diction
ary sense; (c) use terms that are already well-established in open publications;
and (d) avoid terms that either favor a particular vendor or favor a particular
technology or mechanism over other, competing techniques that already exist or
could be developed. This memo provides information for the Internet community.</
t>
</abstract>
</front>
<seriesInfo name="FYI" value="36"/>
<seriesInfo name="RFC" value="4949"/>
<seriesInfo name="DOI" value="10.17487/RFC4949"/>
</reference>
<reference anchor="RFC8410">
<front>
<title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 fo
r Use in the Internet X.509 Public Key Infrastructure</title>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies algorithm identifiers and ASN.1 encodin
g formats for elliptic curve constructs using the curve25519 and curve448 curves
. The signature algorithms covered are Ed25519 and Ed448. The key agreement algo
rithms covered are X25519 and X448. The encoding for public key, private key, an
d Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8410"/>
<seriesInfo name="DOI" value="10.17487/RFC8410"/>
</reference>
<reference anchor="RFC8411">
<front>
<title>IANA Registration for the Cryptographic Algorithm Object Iden
tifier Range</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<author fullname="R. Andrews" initials="R." surname="Andrews"/>
<date month="August" year="2018"/>
<abstract>
<t>When the Curdle Security Working Group was chartered, a range o
f object identifiers was donated by DigiCert, Inc. for the purpose of registerin
g the Edwards Elliptic Curve key agreement and signature algorithms. This donate
d set of OIDs allowed for shorter values than would be possible using the existi
ng S/MIME or PKIX arcs. This document describes the donated range and the identi
fiers that were assigned from that range, transfers control of that range to IAN
A, and establishes IANA allocation policies for any future assignments within th
at range.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8411"/>
<seriesInfo name="DOI" value="10.17487/RFC8411"/>
</reference>
<reference anchor="MCGREW" target="https://eprint.iacr.org/2016/357"> <reference anchor="MCGREW" target="https://eprint.iacr.org/2016/357">
<front> <front>
<title>State Management for Hash-Based Signatures</title> <title>State Management for Hash-Based Signatures</title>
<author initials="D." surname="McGrew"> <author initials="D." surname="McGrew">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Kampanakis"> <author initials="P." surname="Kampanakis">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Fluhrer"> <author initials="S." surname="Fluhrer">
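Review bot: the two ITU-T titles in this hunk now use different separators. The X690 entry is rewritten to "Information technology: ASN.1 encoding rules: ...", while the X680 entry just above it still reads "Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation", with a hyphen and a stray space before the colon. Align X680 with whatever convention X690 now follows, or revert X690 to the hyphen form, so the sibling references render consistently.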
skipping to change at line 818 skipping to change at line 837
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Butin"> <author initials="D." surname="Butin">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Buchmann"> <author initials="J." surname="Buchmann">
<organization/> <organization/>
</author> </author>
<date year="2016" month="November" day="02"/> <date year="2016" month="November" day="02"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2016/357</refcontent>
</reference> </reference>
<reference anchor="BH16" target="https://eprint.iacr.org/2016/1042.pdf">
<reference anchor="BH16" target="https://eprint.iacr.org/2016/1042">
<front> <front>
<title>Oops, I did it again – Security of One-Time Signatures under Two-Message Attacks.</title> <title>Oops, I did it again – Security of One-Time Signatures under Two-Message Attacks.</title>
<author initials="L." surname="Bruinderink"> <author initials="L." surname="Bruinderink">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Hülsing"> <author initials="S." surname="Hülsing">
<organization/> <organization/>
</author> </author>
<date year="2016"/> <date year="2016"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2016/1042</refcontent>
</reference> </reference>
<!-- [rfced] References: The original URL for the reference [CNSA2.0] returns
a 404 error. We found the following archived URL for this page from the
Internet Archive's Wayback Machine:
https://web.archive.org/web/20220908002358/https://media.defense.gov/2022/Sep/07
/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF
Is there a better URL, or may we replace the current URL with this archived link
? This URL has an archive date of 8 September 2022 (the original date for this r
eference was 7
September 2025). -->
<reference anchor="CNSA2.0" target="https://media.defense.gov/2022/Sep/0 7/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF"> <reference anchor="CNSA2.0" target="https://media.defense.gov/2022/Sep/0 7/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF">
<front> <front>
<title>Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) C ybersecurity Advisory (CSA)</title> <title>Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) C ybersecurity Advisory (CSA)</title>
<author initials="" surname="National Security Agency (NSA)"> <author>
<organization/> <organization>National Security Agency (NSA)</organization>
</author> </author>
<date year="2022" month="September" day="07"/> <date year="2022" month="September" day="07"/>
</front> </front>
</reference> </reference>
<reference anchor="ETSI-TR-103-692" target="https://www.etsi.org/deliver /etsi_tr/103600_103699/103692/01.01.01_60/tr_103692v010101p.pdf"> <reference anchor="ETSI-TR-103-692" target="https://www.etsi.org/deliver /etsi_tr/103600_103699/103692/01.01.01_60/tr_103692v010101p.pdf">
<front> <front>
<title>State management for stateful authentication mechanisms</titl e> <title>CYBER; State management for stateful authentication mechanism s</title>
<author initials="" surname="European Telecommunications Standards I nstitute (ETSI)"> <author initials="" surname="European Telecommunications Standards I nstitute (ETSI)">
<organization/> <organization/>
</author> </author>
<date year="2021" month="November"/> <date year="2021" month="November"/>
</front> </front>
<seriesInfo name="ETSI TR" value="103 692 v1.1.1"/>
</reference> </reference>
<reference anchor="IANA-LMS" target="https://www.iana.org/assignments/le ighton-micali-signatures/"> <reference anchor="IANA-LMS" target="https://www.iana.org/assignments/le ighton-micali-signatures/">
<front> <front>
<title>Leighton-Micali Signatures (LMS)</title> <title>Leighton-Micali Signatures (LMS)</title>
<author initials="" surname="IANA"> <author>
<organization/> <organization>IANA</organization>
</author> </author>
<date>n.d.</date>
</front> </front>
</reference> </reference>
<reference anchor="IANA-XMSS" target="https://iana.org/assignments/xmss- extended-hash-based-signatures/"> <reference anchor="IANA-XMSS" target="https://iana.org/assignments/xmss- extended-hash-based-signatures/">
<front> <front>
<title>XMSS: Extended Hash-Based Signatures</title> <title>XMSS: Extended Hash-Based Signatures</title>
<author initials="" surname="IANA"> <author>
<organization/> <organization>IANA</organization>
</author> </author>
<date>n.d.</date>
</front> </front>
</reference> </reference>
<reference anchor="SMI-PKIX" target="https://www.iana.org/assignments/sm
i-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.6"> <reference anchor="SMI-PKIX" target="https://www.iana.org/assignments/sm
i-numbers">
<front> <front>
<title>SMI Security for PKIX Algorithms</title> <title>SMI Security for PKIX Algorithms</title>
<author initials="" surname="IANA"> <author>
<organization/> <organization>IANA</organization>
</author> </author>
<date>n.d.</date>
</front> </front>
</reference> </reference>
<reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/fi les/document/follow_up_position_paper_on_post_quantum_cryptography.pdf"> <reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/fi les/document/follow_up_position_paper_on_post_quantum_cryptography.pdf">
<front> <front>
<title>ANSSI views on the Post-Quantum Cryptography transition (2023 follow up)</title> <title>ANSSI views on the Post-Quantum Cryptography transition (2023 follow up)</title>
<author initials="" surname="Agence nationale de la sécurité des sys tèmes d'information (ANSSI)"> <author initials="" surname="Agence nationale de la sécurité des sys tèmes d'information (ANSSI)">
<organization/> <organization/>
</author> </author>
<date year="2023" month="December" day="21"/> <date year="2023" month="December" day="21"/>
</front> </front>
</reference> </reference>
<reference anchor="BSI" target="https://www.bsi.bund.de/SharedDocs/Downl oads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf"> <reference anchor="BSI" target="https://www.bsi.bund.de/SharedDocs/Downl oads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf">
<front> <front>
<title>Quantum-safe cryptography – fundamentals, current development s and recommendations</title> <title>Quantum-safe cryptography – fundamentals, current development s and recommendations</title>
<author initials="" surname="Bundesamt für Sicherheit in der Informa tionstechnik (BSI)"> <author initials="" surname="Bundesamt für Sicherheit in der Informa tionstechnik (BSI)">
<organization/> <organization/>
</author> </author>
<date year="2022" month="May" day="18"/> <date year="2022" month="May" day="18"/>
</front> </front>
</reference> </reference>
<reference anchor="I-D.draft-wiggers-hbs-state">
<front>
<title>Hash-based Signatures: State and Backup Management</title>
<author fullname="Thom Wiggers" initials="T." surname="Wiggers">
<organization>PQShield</organization>
</author>
<author fullname="Kaveh Bashiri" initials="K." surname="Bashiri">
<organization>BSI</organization>
</author>
<author fullname="Stefan Kölbl" initials="S." surname="Kölbl">
<organization>Google</organization>
</author>
<author fullname="Jim Goodman" initials="J." surname="Goodman">
<organization>Crypto4A Technologies</organization>
</author>
<author fullname="Stavros Kousidis" initials="S." surname="Kousidis"
>
<organization>BSI</organization>
</author>
<date day="24" month="September" year="2024"/>
<abstract>
<t> Stateful Hash-Based Signature Schemes (S-HBS) such as LMS, H
SS, XMSS
and XMSS^MT combine Merkle trees with One-Time Signatures (OTS) to
provide signatures that are resistant against attacks using large-
scale quantum computers. Unlike conventional stateless digital
signature schemes, S-HBS have a state to keep track of which OTS keys
have been used, as double-signing with the same OTS key allows
forgeries.
This document provides guidance and documents security considerations <!-- [draft-wiggers-hbs-state-01] IESG State: I-D Exists as of 27 Jan 2025. -->
for the operational and technical aspects of deploying systems that <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.w
rely on S-HBS. Management of the state of the S-HBS, including any iggers-hbs-state.xml"/>
handling of redundant key material, is a sensitive topic, and we
discuss some approaches to handle the associated challenges. We also
describe the challenges that need to be resolved before certain
approaches should be considered.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-wiggers-hbs-state-01"/>
</reference>
</references> </references>
</references> </references>
<?line 694?>
<section anchor="hss-x509-v3-certificate-example"> <section anchor="hss-x509-v3-certificate-example">
<name>HSS X.509 v3 Certificate Example</name> <name>HSS X.509 v3 Certificate Example</name>
<t>This section shows a self-signed X.509 v3 certificate using HSS.</t> <t>This section shows a self-signed X.509 v3 certificate using HSS.</t>
<artwork><![CDATA[
<sourcecode type="x509"><![CDATA[
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
e8:91:d6:06:91:4f:ce:f3 e8:91:d6:06:91:4f:ce:f3
Signature Algorithm: hss Signature Algorithm: hss
Issuer: C = US, ST = VA, L = Herndon, O = Bogus CA Issuer: C = US, ST = VA, L = Herndon, O = Bogus CA
Validity Validity
Not Before: May 14 08:58:11 2024 GMT Not Before: May 14 08:58:11 2024 GMT
Not After : May 14 08:58:11 2034 GMT Not After : May 14 08:58:11 2034 GMT
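Review bot: the CNSA2.0 reference keeps the same media.defense.gov target on both sides, although the [rfced] comment directly above it reports that this URL returns a 404 and offers the Wayback Machine copy. That question needs an answer (the archived URL or a working replacement) before the comment is removed. The author clean-up is also only partly applied: CNSA2.0, IANA-LMS, IANA-XMSS and SMI-PKIX move the name into <organization>, but ETSI-TR-103-692, ANSSI and BSI still use initials="" surname="..." with an empty <organization/>. Two further changes are worth confirming as intended: the SMI-PKIX target drops its #smi-numbers-1.3.6.1.5.5.7.6 fragment, and the xi:include that replaces the inline I-D.draft-wiggers-hbs-state entry names no version, where the inline seriesInfo pinned draft-wiggers-hbs-state-01.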
skipping to change at line 1047 skipping to change at line 1047
b2:4e:40:61:71:cb:c7:c3:de:16:6f:49:7f:5e:d5:17:00:00: b2:4e:40:61:71:cb:c7:c3:de:16:6f:49:7f:5e:d5:17:00:00:
00:05:79:47:12:9f:ce:eb:1d:a8:fd:0d:b0:18:44:6a:ef:54: 00:05:79:47:12:9f:ce:eb:1d:a8:fd:0d:b0:18:44:6a:ef:54:
28:46:e4:19:f6:2d:3e:74:bb:9d:36:0a:ae:67:4a:28:7a:1b: 28:46:e4:19:f6:2d:3e:74:bb:9d:36:0a:ae:67:4a:28:7a:1b:
80:39:a0:08:2a:28:a0:ec:55:ee:55:aa:a1:cc:94:d4:36:1a: 80:39:a0:08:2a:28:a0:ec:55:ee:55:aa:a1:cc:94:d4:36:1a:
b3:57:25:30:ad:2c:5e:63:ba:22:fc:aa:7a:59:64:f6:d8:03: b3:57:25:30:ad:2c:5e:63:ba:22:fc:aa:7a:59:64:f6:d8:03:
20:28:71:f9:dc:09:fa:4c:81:b9:64:1b:ad:ea:cb:db:18:17: 20:28:71:f9:dc:09:fa:4c:81:b9:64:1b:ad:ea:cb:db:18:17:
5d:d8:98:bd:d2:8d:c5:04:7c:5b:92:9a:89:f6:bc:d6:55:c7: 5d:d8:98:bd:d2:8d:c5:04:7c:5b:92:9a:89:f6:bc:d6:55:c7:
08:5d:3c:58:8e:18:ac:6f:88:a8:d7:9e:d4:ee:5d:f5:21:4e: 08:5d:3c:58:8e:18:ac:6f:88:a8:d7:9e:d4:ee:5d:f5:21:4e:
a5:8b:19:5f:e3:f4:66:f9:25:4d:f9:c6:60:62:31:72:5c:34: a5:8b:19:5f:e3:f4:66:f9:25:4d:f9:c6:60:62:31:72:5c:34:
34:67:1a:a7:6a:7d:54:a3:d8:9b:1f:5b:f8:08:41:79:5b:43 34:67:1a:a7:6a:7d:54:a3:d8:9b:1f:5b:f8:08:41:79:5b:43
]]></artwork> ]]></sourcecode>
<artwork><![CDATA[
<sourcecode type="x509"><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIGnjCCAXagAwIBAgIJAOiR1gaRT87zMA0GCyqGSIb3DQEJEAMRMD8xCzAJBgNV MIIGnjCCAXagAwIBAgIJAOiR1gaRT87zMA0GCyqGSIb3DQEJEAMRMD8xCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwI BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwI
Qm9ndXMgQ0EwHhcNMjQwNTE0MDg1ODExWhcNMzQwNTE0MDg1ODExWjA/MQswCQYD Qm9ndXMgQ0EwHhcNMjQwNTE0MDg1ODExWhcNMzQwNTE0MDg1ODExWjA/MQswCQYD
VQQGEwJVUzELMAkGA1UECAwCVkExEDAOBgNVBAcMB0hlcm5kb24xETAPBgNVBAoM VQQGEwJVUzELMAkGA1UECAwCVkExEDAOBgNVBAcMB0hlcm5kb24xETAPBgNVBAoM
CEJvZ3VzIENBME4wDQYLKoZIhvcNAQkQAxEDPQAAAAABAAAABQAAAATAlhKL6jgw CEJvZ3VzIENBME4wDQYLKoZIhvcNAQkQAxEDPQAAAAABAAAABQAAAATAlhKL6jgw
eOv2+0PXf5+egTnifLk0Tm5TGfDuaHWFg9Mr6XsURp5OxeNaGAsw5ROjYzBhMB0G eOv2+0PXf5+egTnifLk0Tm5TGfDuaHWFg9Mr6XsURp5OxeNaGAsw5ROjYzBhMB0G
A1UdDgQWBBRYFav0zwNpAmB6V03F1bNyihkhaDAfBgNVHSMEGDAWgBRYFav0zwNp A1UdDgQWBBRYFav0zwNpAmB6V03F1bNyihkhaDAfBgNVHSMEGDAWgBRYFav0zwNp
AmB6V03F1bNyihkhaDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAN AmB6V03F1bNyihkhaDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAN
BgsqhkiG9w0BCRADEQOCBREAAAAAAAAAAAAAAAAEnDdS/7nX3/VbAbpQwlDMb/Ox BgsqhkiG9w0BCRADEQOCBREAAAAAAAAAAAAAAAAEnDdS/7nX3/VbAbpQwlDMb/Ox
skipping to change at line 1087 skipping to change at line 1088
v0GlFGlUOrQ52URd8bL0XGufyV+7/MjHo4vh7OLQaVpAHJydij13O8FdwHJhSzfF v0GlFGlUOrQ52URd8bL0XGufyV+7/MjHo4vh7OLQaVpAHJydij13O8FdwHJhSzfF
loxti/hW2qw+PHIJzvbD/l3PN9lozafd95Zj2owd37gyz+uXEYP+a6q54kuy6mJz loxti/hW2qw+PHIJzvbD/l3PN9lozafd95Zj2owd37gyz+uXEYP+a6q54kuy6mJz
wxzpQJBWTxLDuvQr2RxQzOBR2Ou/ZygMLRONs28Tah2nVCC6glu45R+J8Wcmwdwb wxzpQJBWTxLDuvQr2RxQzOBR2Ou/ZygMLRONs28Tah2nVCC6glu45R+J8Wcmwdwb
YFftpizyFwF/pedcZMk8CPLPSOyIhO8DwvXrBTF9/n88cUEoF2RfuexUedCzmPuE YFftpizyFwF/pedcZMk8CPLPSOyIhO8DwvXrBTF9/n88cUEoF2RfuexUedCzmPuE
nDaLQwvUyewJSnATYvI2yLR1zCp3CKCd7xnWiNzisk5AYXHLx8PeFm9Jf17VFwAA nDaLQwvUyewJSnATYvI2yLR1zCp3CKCd7xnWiNzisk5AYXHLx8PeFm9Jf17VFwAA
AAV5RxKfzusdqP0NsBhEau9UKEbkGfYtPnS7nTYKrmdKKHobgDmgCCoooOxV7lWq AAV5RxKfzusdqP0NsBhEau9UKEbkGfYtPnS7nTYKrmdKKHobgDmgCCoooOxV7lWq
ocyU1DYas1clMK0sXmO6Ivyqellk9tgDIChx+dwJ+kyBuWQbrerL2xgXXdiYvdKN ocyU1DYas1clMK0sXmO6Ivyqellk9tgDIChx+dwJ+kyBuWQbrerL2xgXXdiYvdKN
xQR8W5Kaifa81lXHCF08WI4YrG+IqNee1O5d9SFOpYsZX+P0ZvklTfnGYGIxclw0 xQR8W5Kaifa81lXHCF08WI4YrG+IqNee1O5d9SFOpYsZX+P0ZvklTfnGYGIxclw0
NGcap2p9VKPYmx9b+AhBeVtD NGcap2p9VKPYmx9b+AhBeVtD
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="xmss-x509-v3-certificate-example"> <section anchor="xmss-x509-v3-certificate-example">
<name>XMSS X.509 v3 Certificate Example</name> <name>XMSS X.509 v3 Certificate Example</name>
<t>This section shows a self-signed X.509 v3 certificate using XMSS.</t> <t>This section shows a self-signed X.509 v3 certificate using XMSS.</t>
<artwork><![CDATA[
<sourcecode type="x509"><![CDATA[
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
54:7e:64:70:29:9e:03:c5:7a:a5:5c:78:d1:27:87:8c: 54:7e:64:70:29:9e:03:c5:7a:a5:5c:78:d1:27:87:8c:
54:35:17:5d 54:35:17:5d
Signature Algorithm: xmss Signature Algorithm: xmss
Issuer: C = FR, L = Paris, O = Bogus XMSS CA Issuer: C = FR, L = Paris, O = Bogus XMSS CA
Validity Validity
Not Before: Jul 10 08:27:24 2024 GMT Not Before: Jul 10 08:27:24 2024 GMT
skipping to change at line 1266 skipping to change at line 1270
5c:c5:20:1e:3d:b5:dc:92:b2:9c:d8:1b:1b:e0:bc:44:7b:9c: 5c:c5:20:1e:3d:b5:dc:92:b2:9c:d8:1b:1b:e0:bc:44:7b:9c:
95:c5:53:48:91:b2:a5:46:16:bf:50:af:a5:44:cc:54:78:3f: 95:c5:53:48:91:b2:a5:46:16:bf:50:af:a5:44:cc:54:78:3f:
ed:20:d8:2e:0b:41:3d:f1:04:9d:df:3c:4a:d7:81:04:ff:8c: ed:20:d8:2e:0b:41:3d:f1:04:9d:df:3c:4a:d7:81:04:ff:8c:
b7:79:f8:51:8d:b7:2e:ac:2c:54:e6:fc:43:76:8e:f9:be:8c: b7:79:f8:51:8d:b7:2e:ac:2c:54:e6:fc:43:76:8e:f9:be:8c:
b8:5c:ad:c4:13:af:b0:6e:3b:d1:82:57:1e:f5:52:84:ca:cc: b8:5c:ad:c4:13:af:b0:6e:3b:d1:82:57:1e:f5:52:84:ca:cc:
d2:68:f3:2d:04:ff:27:0a:e6:a2:fa:c0:a9:97:d6:64:45:18: d2:68:f3:2d:04:ff:27:0a:e6:a2:fa:c0:a9:97:d6:64:45:18:
5c:6f:9e:c1:64:22:66:db:56:02:c3:a8:57:fc:87:1b:5c:43: 5c:6f:9e:c1:64:22:66:db:56:02:c3:a8:57:fc:87:1b:5c:43:
15:8e:58:fc:f2:00:0b:4f:6a:4b:a0:5c:da:f2:e5:1b:82:4a: 15:8e:58:fc:f2:00:0b:4f:6a:4b:a0:5c:da:f2:e5:1b:82:4a:
6b:ef:db:63:d7:7d:93:1d:2f:20:78:37:17:22:82:cd:6b:c1: 6b:ef:db:63:d7:7d:93:1d:2f:20:78:37:17:22:82:cd:6b:c1:
83:61:05:81:99:0c:25:29:d6:5f:22:bc:06:67:7d:67 83:61:05:81:99:0c:25:29:d6:5f:22:bc:06:67:7d:67
]]></artwork> ]]></sourcecode>
<artwork><![CDATA[
<sourcecode type="x509"><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIILSDCCAW+gAwIBAgIUVH5kcCmeA8V6pVx40SeHjFQ1F10wCgYIKwYBBQUHBiIw MIILSDCCAW+gAwIBAgIUVH5kcCmeA8V6pVx40SeHjFQ1F10wCgYIKwYBBQUHBiIw
NTELMAkGA1UEBhMCRlIxDjAMBgNVBAcMBVBhcmlzMRYwFAYDVQQKDA1Cb2d1cyBY NTELMAkGA1UEBhMCRlIxDjAMBgNVBAcMBVBhcmlzMRYwFAYDVQQKDA1Cb2d1cyBY
TVNTIENBMB4XDTI0MDcxMDA4MjcyNFoXDTM0MDcwODA4MjcyNFowNTELMAkGA1UE TVNTIENBMB4XDTI0MDcxMDA4MjcyNFoXDTM0MDcwODA4MjcyNFowNTELMAkGA1UE
BhMCRlIxDjAMBgNVBAcMBVBhcmlzMRYwFAYDVQQKDA1Cb2d1cyBYTVNTIENBMFMw BhMCRlIxDjAMBgNVBAcMBVBhcmlzMRYwFAYDVQQKDA1Cb2d1cyBYTVNTIENBMFMw
CgYIKwYBBQUHBiIDRQAAAAABK+u/ZhTeb5ZbTSpQAHutXCKwE3lyAhSpX/yW4Jt4 CgYIKwYBBQUHBiIDRQAAAAABK+u/ZhTeb5ZbTSpQAHutXCKwE3lyAhSpX/yW4Jt4
jta+jBxwPNjdeLIaFEe+Hw10cj82dsLLGa0pkAuC3pt/36NjMGEwHQYDVR0OBBYE jta+jBxwPNjdeLIaFEe+Hw10cj82dsLLGa0pkAuC3pt/36NjMGEwHQYDVR0OBBYE
FGLONaVHd/8hhy68LSfnjvQ1a8/YMB8GA1UdIwQYMBaAFGLONaVHd/8hhy68LSfn FGLONaVHd/8hhy68LSfnjvQ1a8/YMB8GA1UdIwQYMBaAFGLONaVHd/8hhy68LSfn
jvQ1a8/YMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCsGAQUF jvQ1a8/YMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCsGAQUF
BwYiA4IJxQAAAAAA5YiouHOtTZL4XIHFimNXaqc7VKq2BorZ8cILyCceS6LP4tpE BwYiA4IJxQAAAAAA5YiouHOtTZL4XIHFimNXaqc7VKq2BorZ8cILyCceS6LP4tpE
skipping to change at line 1331 skipping to change at line 1336
S7Cs3ZAu0OHrcTKDXSqpubUk/OnsGMrJoQVZPvqv7U6Gsf5AR5tCd6+cK6DiPv1R S7Cs3ZAu0OHrcTKDXSqpubUk/OnsGMrJoQVZPvqv7U6Gsf5AR5tCd6+cK6DiPv1R
qwJ36PE5RapUthTUFCD8NoHmBJiKoMCKz672tdy36yaG088cOGVUBLG1CUj1LQe6 qwJ36PE5RapUthTUFCD8NoHmBJiKoMCKz672tdy36yaG088cOGVUBLG1CUj1LQe6
+OtJvdmxVOqswg0gEHnBy+ncLf9VUE/2BQJ4MTNvFX4kWmYjcLOyDBc5zhU4xf9g +OtJvdmxVOqswg0gEHnBy+ncLf9VUE/2BQJ4MTNvFX4kWmYjcLOyDBc5zhU4xf9g
FjhgdHLJcNhZt4B/2vZnP9C6vhuhh9qSLaNsmSlXqsvRjWbxLclWYCRWSxmf9WWE FjhgdHLJcNhZt4B/2vZnP9C6vhuhh9qSLaNsmSlXqsvRjWbxLclWYCRWSxmf9WWE
iYZ9TYv4W2Ddry1mdmxm2cb1OSVs5XtDl2RcxSAePbXckrKc2Bsb4LxEe5yVxVNI iYZ9TYv4W2Ddry1mdmxm2cb1OSVs5XtDl2RcxSAePbXckrKc2Bsb4LxEe5yVxVNI
kbKlRha/UK+lRMxUeD/tINguC0E98QSd3zxK14EE/4y3efhRjbcurCxU5vxDdo75 kbKlRha/UK+lRMxUeD/tINguC0E98QSd3zxK14EE/4y3efhRjbcurCxU5vxDdo75
voy4XK3EE6+wbjvRglce9VKEyszSaPMtBP8nCuai+sCpl9ZkRRhcb57BZCJm21YC voy4XK3EE6+wbjvRglce9VKEyszSaPMtBP8nCuai+sCpl9ZkRRhcb57BZCJm21YC
w6hX/IcbXEMVjlj88gALT2pLoFza8uUbgkpr79tj132THS8geDcXIoLNa8GDYQWB w6hX/IcbXEMVjlj88gALT2pLoFza8uUbgkpr79tj132THS8geDcXIoLNa8GDYQWB
mQwlKdZfIrwGZ31n mQwlKdZfIrwGZ31n
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="xmssmt-x509-v3-certificate-example"> <section anchor="xmssmt-x509-v3-certificate-example">
<name>XMSS^MT X.509 v3 Certificate Example</name> <name>XMSS<sup>MT</sup> X.509 v3 Certificate Example</name>
<t>This section shows a self-signed X.509 v3 certificate using XMSS^MT.</t
> <t>This section shows a self-signed X.509 v3 certificate using XMSS<sup>MT
<artwork><![CDATA[ </sup>.</t>
<sourcecode type="x509"><![CDATA[
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
5c:22:ad:8a:06:51:9e:67:02:6a:2d:43:3e:8b:c7:23: 5c:22:ad:8a:06:51:9e:67:02:6a:2d:43:3e:8b:c7:23:
43:77:80:c8 43:77:80:c8
Signature Algorithm: xmssmt Signature Algorithm: xmssmt
Issuer: C = FR, L = Paris, O = Bogus XMSSMT CA Issuer: C = FR, L = Paris, O = Bogus XMSSMT CA
Validity Validity
Not Before: Jul 10 08:28:04 2024 GMT Not Before: Jul 10 08:28:04 2024 GMT
skipping to change at line 1647 skipping to change at line 1655
21:78:6e:f4:7a:e2:04:e5:0e:21:52:bf:04:cd:0c:69:5d:d7: 21:78:6e:f4:7a:e2:04:e5:0e:21:52:bf:04:cd:0c:69:5d:d7:
f2:57:71:9f:d8:01:e0:f3:10:cc:15:2d:fd:99:78:ff:dc:1f: f2:57:71:9f:d8:01:e0:f3:10:cc:15:2d:fd:99:78:ff:dc:1f:
8f:a9:31:0d:0f:9f:f4:2c:a1:3d:4f:b2:51:92:68:f0:ec:d8: 8f:a9:31:0d:0f:9f:f4:2c:a1:3d:4f:b2:51:92:68:f0:ec:d8:
5f:c4:55:a1:4c:c8:12:e9:05:7e:05:93:5f:f9:76:99:85:18: 5f:c4:55:a1:4c:c8:12:e9:05:7e:05:93:5f:f9:76:99:85:18:
29:24:60:14:5d:b3:79:f9:4b:7c:e4:22:71:8a:c2:66:45:d2: 29:24:60:14:5d:b3:79:f9:4b:7c:e4:22:71:8a:c2:66:45:d2:
41:14:5d:59:4c:0a:b5:2b:ab:bd:c6:50:f8:87:37:42:e6:d4: 41:14:5d:59:4c:0a:b5:2b:ab:bd:c6:50:f8:87:37:42:e6:d4:
96:72:cf:45:f0:d4:bf:0d:c5:17:9f:f1:b9:12:5c:a8:74:89: 96:72:cf:45:f0:d4:bf:0d:c5:17:9f:f1:b9:12:5c:a8:74:89:
9e:56:07:cf:8f:98:9a:da:d7:db:7f:c7:d0:3a:0a:14:cd:5a: 9e:56:07:cf:8f:98:9a:da:d7:db:7f:c7:d0:3a:0a:14:cd:5a:
66:0c:eb:02:76:a0:d4:56:e6:e8:be:a1:f0:c7:23:b3:4f:86: 66:0c:eb:02:76:a0:d4:56:e6:e8:be:a1:f0:c7:23:b3:4f:86:
90:1a:5a:16:8e:07:0d:24:d1:ee:03:98:9f 90:1a:5a:16:8e:07:0d:24:d1:ee:03:98:9f
]]></artwork> ]]></sourcecode>
<artwork><![CDATA[
<sourcecode type="x509"><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIU6zCCAXOgAwIBAgIUXCKtigZRnmcCai1DPovHI0N3gMgwCgYIKwYBBQUHBiMw MIIU6zCCAXOgAwIBAgIUXCKtigZRnmcCai1DPovHI0N3gMgwCgYIKwYBBQUHBiMw
NzELMAkGA1UEBhMCRlIxDjAMBgNVBAcMBVBhcmlzMRgwFgYDVQQKDA9Cb2d1cyBY NzELMAkGA1UEBhMCRlIxDjAMBgNVBAcMBVBhcmlzMRgwFgYDVQQKDA9Cb2d1cyBY
TVNTTVQgQ0EwHhcNMjQwNzEwMDgyODA0WhcNMzQwNzA4MDgyODA0WjA3MQswCQYD TVNTTVQgQ0EwHhcNMjQwNzEwMDgyODA0WhcNMzQwNzA4MDgyODA0WjA3MQswCQYD
VQQGEwJGUjEOMAwGA1UEBwwFUGFyaXMxGDAWBgNVBAoMD0JvZ3VzIFhNU1NNVCBD VQQGEwJGUjEOMAwGA1UEBwwFUGFyaXMxGDAWBgNVBAoMD0JvZ3VzIFhNU1NNVCBD
QTBTMAoGCCsGAQUFBwYjA0UAAAAAAUuniRFv/B370+dxc7iiSO9TuZ0fxop8vk+K QTBTMAoGCCsGAQUFBwYjA0UAAAAAAUuniRFv/B370+dxc7iiSO9TuZ0fxop8vk+K
KfpB/b3aIH/2O7DFuKfC8lryJhTrNvAmL4d0+w7Vfheg0U22z1GjYzBhMB0GA1Ud KfpB/b3aIH/2O7DFuKfC8lryJhTrNvAmL4d0+w7Vfheg0U22z1GjYzBhMB0GA1Ud
DgQWBBR8fVm4lWHVA2oePfEkqx3tBM3bXzAfBgNVHSMEGDAWgBR8fVm4lWHVA2oe DgQWBBR8fVm4lWHVA2oePfEkqx3tBM3bXzAfBgNVHSMEGDAWgBR8fVm4lWHVA2oe
PfEkqx3tBM3bXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggr PfEkqx3tBM3bXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggr
BgEFBQcGIwOCE2QAAAAAV8SYif/ZCo5ubxaVjOw1QiHCylbt+IHxsk8rbXP0N1X8 BgEFBQcGIwOCE2QAAAAAV8SYif/ZCo5ubxaVjOw1QiHCylbt+IHxsk8rbXP0N1X8
skipping to change at line 1763 skipping to change at line 1772
ViUm9TZI6wwg+Ttz/929IIEM9VWJfUYbBbYl35aZ6gl5YHLYN5Ko8XWjXG1Ut/My ViUm9TZI6wwg+Ttz/929IIEM9VWJfUYbBbYl35aZ6gl5YHLYN5Ko8XWjXG1Ut/My
FzUaLZblXvzNVDBJr28aQtmYUnJzdHK3cpWAHTFa5IO3ttQUAAtZzny8HXIkq3TW FzUaLZblXvzNVDBJr28aQtmYUnJzdHK3cpWAHTFa5IO3ttQUAAtZzny8HXIkq3TW
LJwgsQp4b6l2jWw3AjW9b5nu0UU28TRgehJXJ2gFJhR1PJ8NPrdduCpsHaewQcT0 LJwgsQp4b6l2jWw3AjW9b5nu0UU28TRgehJXJ2gFJhR1PJ8NPrdduCpsHaewQcT0
Pa6OUVQ3Za0KySigPwTtVFnEnx09cJdf+URT/xWfAxN7QWvA94+jJysDOTePvZFl Pa6OUVQ3Za0KySigPwTtVFnEnx09cJdf+URT/xWfAxN7QWvA94+jJysDOTePvZFl
TXSpn0VqpCXcTPl+WfxOk3yJj3GOpplmXmolpMCm+iX3aFyKAvV7Sc2J4Xd4lRup TXSpn0VqpCXcTPl+WfxOk3yJj3GOpplmXmolpMCm+iX3aFyKAvV7Sc2J4Xd4lRup
IXhu9HriBOUOIVK/BM0MaV3X8ldxn9gB4PMQzBUt/Zl4/9wfj6kxDQ+f9CyhPU+y IXhu9HriBOUOIVK/BM0MaV3X8ldxn9gB4PMQzBUt/Zl4/9wfj6kxDQ+f9CyhPU+y
UZJo8OzYX8RVoUzIEukFfgWTX/l2mYUYKSRgFF2zeflLfOQicYrCZkXSQRRdWUwK UZJo8OzYX8RVoUzIEukFfgWTX/l2mYUYKSRgFF2zeflLfOQicYrCZkXSQRRdWUwK
tSurvcZQ+Ic3QubUlnLPRfDUvw3FF5/xuRJcqHSJnlYHz4+YmtrX23/H0DoKFM1a tSurvcZQ+Ic3QubUlnLPRfDUvw3FF5/xuRJcqHSJnlYHz4+YmtrX23/H0DoKFM1a
ZgzrAnag1Fbm6L6h8Mcjs0+GkBpaFo4HDSTR7gOYnw== ZgzrAnag1Fbm6L6h8Mcjs0+GkBpaFo4HDSTR7gOYnw==
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork> ]]></sourcecode>
</section> </section>
<!-- [rfced] Acknowledgements: How may we adjust to make more clear the
relationship between these various documents (as in, which documents are meant
to be similar to each other)?
Original:
This document uses a lot of text from similar documents [SP800208],
([RFC3279] and [RFC8410]) as well as [I-D.ietf-lamps-rfc8708bis].
Thanks go to the authors of those documents. "Copying always makes
things easier and less error prone" - [RFC8411].
Perhaps:
This document uses a lot of text from similar documents, including:
[SP800208], [RFC3279] and [RFC8410], as well as [RFC9708]. Thanks goes to th
e
authors of those documents. "Copying always makes things easier and less
error prone" [RFC8411].
-->
<section numbered="false" anchor="acknowledgments"> <section numbered="false" anchor="acknowledgments">
<name>Acknowledgments</name> <name>Acknowledgments</name>
<t>Thanks for Russ Housley, Panos Kampanakis, Michael StJohns and Corey Bo
nnell for helpful suggestions and reviews.</t> <t>Thanks to <contact fullname="Russ Housley"/>, <contact
<t>This document uses a lot of text from similar documents <xref target="S fullname="Panos Kampanakis"/>, <contact fullname="Michael StJohns"/>, and
P800208"/>, <contact fullname="Corey Bonnell"/> for their helpful suggestions and
(<xref target="RFC3279"/> and <xref target="RFC8410"/>) as well as <xref target= reviews.</t>
"I-D.ietf-lamps-rfc8708bis"/>. Thanks go to the authors of
those documents. "Copying always makes things easier and less error prone" - <t>This document uses a lot of text from similar documents <xref
<xref target="RFC8411"/>.</t> target="SP800208"/>, (<xref target="RFC3279"/> and <xref
target="RFC8410"/>) as well as <xref
target="RFC9708"/>. Thanks goes to the authors of those
documents. "Copying always makes things easier and less error prone" <xref
target="RFC8411"/>.</t>
</section> </section>
</back> </back>
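Review bot: in the edited (right-hand) Acknowledgments paragraph, "Thanks goes to the authors of those documents" breaks subject-verb agreement. The original (left-hand) text had "Thanks go", and the edit should keep that verb. The same edit replaces the reference target "I-D.ietf-lamps-rfc8708bis" with "RFC9708" and drops the " - " before the RFC8411 citation, so confirm that the references section defines an "RFC9708" anchor and that the quoted sentence still reads as an attribution once the dash is gone.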
<!-- ##markdown-source:
<!-- [rfced] Terminology and Abbreviations:

a) We note that "object identifier" appears a few times after the abbreviation
"OID" is introduced. For consistency throughout the document, may we abbreviate
all instances of "object identifier" to "OID" after first expansion?

b) We note different uses of the following term. For clarity, may we
lowercase "certificate authorities" so that it does not
appear to reference the abbreviation "CA"?

Certification Authority (CA) certificates
Certificate Authorities

c) FYI - We have added expansions for abbreviations upon first use
per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review
carefully to ensure correctness:

Internet of Things (IoT)
ZOzi3+8eVuZgIfKXDA6eAp3HBK0MCWPYBAY45SKhcnu1LUO1k1CBMAuOEMYX
1DuOVWWg1yoQeqMmWvju9dFrgL4Q86NL4HPFJiMy+uRRUAmhUtdB1GZx8GWs
oTJ9ByZIhMonYSwgsRoE0L4K5KsiiKgq0RczimlCqZhoSOgdaSCA0YY5ZINU
NIHL8ChDoIqGytqtE9A6EP0/J5cE7C8kTQn7hXlcENaox8wlUb7+XILGpapW
insq5FEEPCOqLoS0riLvq6x8rd06AYxNGpowCKOsdUy5E746b9KzJMRBym2l
gCJb79tQaQaMbOgGQfkqoxXso0hQlUpjLlSrPBVDceN31eEgRgU+UJlL8BKR
0Gqg0z2seRltWw5bONa+glUIJ0+q7oGil4fQgIC7R9MWlLwCkFQJaMBMx+r3
uWO3RjA2YQ5UGsRB6JgAmgtU4RGKMD6pmGnqX/xYWCUG/owfVfY11OgPsowx
NBYj9D0CuLqJtQ1L1wlqngSjMV6seDVUngleiwHO1DFzQYz/qkwaYagUcZU8
lsoMf8Kq667hCC+Bg6dGFSuy3nRSgI1hzRMfwcHHBEFEaqD7F3JaGhqqTCer
/uACZH8BmYWAwqTCEZRav6KTQLu7CO8BdBjpsq/9eQjrKjoMQuMlALcwQaYO
0TuKoYQoQvigjPY++Py/GRZcfaq1pEBXBSpjilKNhzSQzSS0rVTQsCn5uT4R
g7tgBEFGgrQeQAtGTapWP5WqgZtruaJCCOGpdSZkAAItoEiaWPWsYvAJ2VlA
wyCMeUn5YLDX2/tMCzXBvEMA6V2ANx2PckuCRiEP5pWPcB0lX+c4duYlqCrp
RAZhSoA6W4SNLKLVI0B2hMoKoDlQX3UJxjEE9yrGUEADR1eCVAr1VkJnuNxK
VNcm+OpZ0TaFBHo/qRyWZLmSR1FQAKvMAhfZlid/lVVlxsVMP1HCFSpQp6VU
f+ihxJAx0oCy0WAoVB8uxIhFIR4oLfsFukqZi6+ACXLCV96ktIIiOBB9yzBp
aGhTZU+YoEZg7FPhYDDeE9geUoFghS5dRfgSieBhbUQLM/QMy/xCDwg+pjky
rXL9oJL5o30kEALrd56DsmeAQV65MiXwzOn8ET0rOquC5hSHgUW5qCjIqO54
JtLHQS221D+aCEolxSUiOaowgtOwbWOM2OotrwRaJwFERQmEcekDgqawDPIh
B72ABNam5UFVhY7J78Uz5QiGFQmrRhmPOQiHKRtHKvlI+gSR68P6IBXSXZSF
i7kDnUfj0MqjNRcg/SnYRJT76uPd6rZdPsoYzGJihCkJkrJUkxRJrdxrHBR2
fORB6q/7bdOnAmdCcD5N0Nam7S+0TEWstDIyi5gQ8XCQq9P1aTOWR2MN0AgO
4jgJppkSWig+qikRz52DtlE9w/rYpwqgDjKa5HTiHFcGvEStjhW0O53QH33x
S+xPQhOJQBONefxSSSxoFkhBtcLpGAuadFRSR/rCnNBDKPJyAhVpDUNzjsl1
EXpEktn0Gd5cGlZs/fivBFU0UGGHG+LhJkz4DE1XKvUbVPbjBIOS+gG8fHGI
aBOASx/gCRKI7FBaLMuP+HbsWOcj/3412EFmlqAjkJDK4bNMExIwCSIqZBlL
mkMM+RLAAiE/hPBQBO1yJrgQYb+Uv+RAgiUQ9BGxqusNtxjhSGNOhiG6HIBA
yChLOIgsUFUUQrd8guZGVD/+c0hMXLVCaDEPNJSMxheVThMwJmM/cnS31k2/
Q2Qxqi4XwMmNqaOqwMagOuJRGaoYlBDE/3qbl46nmfcy5tcBdLtUdHc5RCcB
KUbAp2gsdHwHK9Z24MSq30vdjJkgKc7a9Gaiza5BrDD+9kung1E0CihMAm1Y
EVxlOgdUsMwi+vQVpQKE+NHXWUYFbzlC5iVAesgQCKOeClBg5OSKxx5hJCpB
oeb3NIEJo4ihswiBS2oHx3pEWtX2pIEXFpEKhn1a/c9lFGZMZp1HWYIhe4BO
UYgsE8Ock8pboN9en4Qm6AHSVIV+ZozuhMryMjVUoMGW9ahFWPmx3lr9GEib
FTijScBUlBcZYDQpo3VMZSMALUgwpqeHpjpsQ6g0xWIUwApE0FQ447ERic+0
NfnKc7v8Ruq39TSHFBajoIogeKFC4F7EMcoPqgTKxE3i5Eutz8cxWcMVMhth
Apk2AbNUAdgAhbkHQx6lvJl1iQofQroxenS0RwSoDNWkAPYgwsqPYM6pArRW
3sC67BqHUEZxcYiKTA67jBgBcpkCVfQYGjoBfGW58Nua0q9QCiIEcRJEVJoo
E4iOMWFQHCEjgCRFAHh+6zow8ENgkxOYk5fHNxXKrRHTvscq5aEKFOANhVqc
D9EnkaHZR9iAHsGHQLxVBSyNThuZAiMgfPUEnaBcVKGLFyPBhdh3ErQD6PEZ
eUHAFarCX8FCEloEVCERYDMZx3xqL59A6IRAnwWQAAZMToQvJeIIvy93qApd
9fKJ0x47vKZ9VMsBCnvCV1dIDQ/qCRqy4BqaUQm0+FmtRZFOkGQVUOkFOArx
qFiiOjCSiR2jAyDCNFtgSFS4sxK0MghSJEFXJJK+ilIe+1QG9oDDWYkJ/vKQ
ieehlaOgIhVQz9M5l/+VJsqbE2CUw2HapUFHSUNrl1ZKEWpjpvufQH6lLs+B
msGHJEQMP9KIYVSAnZCBwQghdh+jBR1+i38liOEhNCnKGx5DoV6APlGEvgHH
1hXyiwYghPo9wubRIeEgvimhm0dfr0LGOkHFC1kWAoRe/I05Kb91CIwNgUBz
ebUyZJU4pmyC9MFBRD5AJ4G2Devzd57ec1oBApjvI63TPY4eKY8zSPldYijF
REzhvY674Cv5EpJUBtoBvHNlFOQMDBAguiaI9tRKuu5UTzA5FSvkajXX4PEy
gO6YHSitzRSI+UZfc1hFrsIFwcw9hgw3g8bxgJrQQg53g0e3XI2+6nkqRQTL
VsKMN/hqIlzGrgRnsRDWUiLKBhXfsR4uJJXebZqMUGCITMAUkDkezQcV/goi
6nmFycuGX6tOBWabqVhqkOahE2S07KhcNdqJIoQCFUj21Kf/MkI6cysptyTV
zUEzlkqMAQGi+ZXRgoJDMb113/A8NaysxX3W74WbS4BeCmuZSnD6FdB05aSv
plMZpgQ05DXYt/qQG1bRPGGHERnhokLjKJCSrPfnAYMUtarw4HGICOGlTN8T
uucBtJaYbBlRvup5WuahMlGAkY4gv6VhnqViME3JJajuaJNEQJ1c+3MZUrys
4GTHvfKCafcPQlrlnyuQwuGBnGTohbpfuiRUGsoJtCwDRCqCgCPiKCHjzgQY
9hG4Un0ZFQDrq8WVyzSDggcMPADxbglNNuYbH6A2qI/vVcwCNIhUyiC18JBr
1zDYKr8awRpQGAAeHfi6EJKgVp/igxSgwLydHo6SSuaVR+9OhHBYjNbZXxBu
CabeBNNShodPxAo6S+8hQanG/Ab+NAR+lw2SGus1yTj7CDjC0zEBFNYo9B3k
BRFnE5n/0v4OQTzhEKglKIoSYPUpVEYG3B228wp6xRqrPeSvW+fD1EQNK5k/
nknAI1zQSiyGUblaPY4Au/j3uYMwpEK8UgaSuVx49OCPNEFQ30rIraJU8aXq
RSkTsKZgQnQMqBsEqZZ3BJ8zkRVXaNxRcPt3o5UHUkVEk8QHwI9pNtGZJuZK
IaNj8PQrq2wv1GfQcBQLGKwRm1pGFmNIBg7qwyHiTLk3QxBD6kqFHErfCBVL
uW0pP0KoRv+UBwicj8piIECzvv8l/qWi+qLQJgG7DNWdijaUAqgh4Sp5qQiA
Ii34EnHmMPSModirYYYrA/LEsfk76+dDTTjEeZDnvqBKAnoRErDEtOULRBYP
oTQKFkoqE6myspLQRo74r0AdAQhEAJbmEM9jSNKXecrHvaINPWCVy/pcwgnr
L+VBhJE9D/wDB38CHvrjFOmEY2CMpoEGAW4t+RppsVlDhEMH9f2CzwdFsKO5
GmNkIOPkGCGIKd9pQgAFiYAfIWvV5IVePJCZAdgiHPNHAUw01L64AwR+DBFK
3xjgQx5deoIKgeo8KpWklwbQbLkwhHqrk69eQK2YoA9Im8ZMLC+AYjVQ3xVg
Ermj3jWi7lxoZNHnjtaoCK03VmYLMIGMSAVEJ/iUeqBm9k4BWhARKkMK6YFs
H7XYAc4tBGiKw3/8xa1dRZMnQg9fxLSRWrDghCKDPCJhCEjLFVC3CMAn9Ulo
xEiKXGWwxKDIIuJDgmKpOqkpcESQ6LL/XTYAWoiAdhDc2BhWWxxGihEAM2pc
uRPJEBL1v8tC5qMjst4RhLOr6RUuQ2NCbAiJCUbG9UZrACivgmhZhlxK40Wz
S8aIkHoqoIkhAFhL3xMgyfpQiUB4sQyVHGAVAraMgvYRF1agOBF4JwVj9ORb
ldUHqj/AYE6CNm7CiiVcrYjSLkA/JEa5Uhc6DACJFOCzKCI5ylB3pbANnMqp
eNwfpzdNrM7XvzsOd9jHMCiCbZuKAkMFY0JDh4r2ASA0SduY3zlO4ioHggDA
sAgDAmoM6VdcD+Y8JAHNXsYEQr7UOZlTUYXbVCswD40hfoVxouUlGua0nseA
8quiFqvBMQeEtgq4Aoc6NkC2Ys+xPBL6TFZP+nruIVpzHMMEIk0kWAACcAsa
+Ag8c1WBHi4Bl+d3zWMIq6FfVBkvoZcrA6OoxpXVB2V2AHDCGsj1LjEr2yIE
agpnlWCsolbNkFiovCUoshQz3Lo9hopJmYzmbQRdPA5d9ETDvVLRxcW6UgCP
F/At6rWNijOsitFbiDjDGiCaUJmpJMjCdIoK+N+XwCU6Hjw0YWkPXEMiCHC0
RFEkQrI8geeHiuAj1+88KiKaUEAmlSE+HqDhoKDmCUDSiaDXHwPiKNexB+jz
hDAuYtKECapuFZKFKqJQuSsl+GcEIAZydT1cQFUlOCjQ3h2zSFRprCijtwjn
Hgo6wgUQNPzrnFAqgYq5vABaB0EbVgP7Q4RBQowlF8CYR0Kj2K8PE9Hs8iEP
Svu0hL4VRTigKygk1WwuxgmO8ysW4e+OIyh9QUnTME6ScfiiKwGdah6ANw5y
/L5SNSJ+/xxNvBBOhIRUgZSwnSVWiP0EOVTFkC6QvjycqtkorNRi8FMSGGDE
OKHEOL9TIxzk/RggBzH6ivNMzZPiJ9VKLV1BPUytAYGIE/8ob0ooA6RaqGSY
TwoWQgdbhKZwuW5jyKkLDN8OFeYQ3k4C/5VhI1h3cNBJD5iyKihFAZuwsMoQ
0pYydDCpyW6dkco0tRO4M+LMpcCGjZcqPy1mHpaAPkDR8hjr/346KLQanEjY
J9KKXUApK6BY1SpUhow2I+9/yWuG6CgyQhx1VQSv00d+iQEaZCVTwmTNRajJ
1zMs5FxFjBXKRBOj1R9BiZighUVbYSh+QqA06ZDr2woogIZydevQMUuwDmlF
hFlYmXeoZCdTiVW+ICusmqUKwgR9XRGfhXKl/CVFxYcQRQUzVwVWv37xHLI5
a4QykkiMmZ2K4KbiuE0HKwLiPMKFX9f+DisqZaBWcBQevVweqDnCGj7oFYd4
GSUb1jKsj1qRB6Y3wjScogqxQZjIb4BTAG3jA8orfq+6GKGS9oSVSkmZKavK
2H0UqAydCRUoMh+t5jryQcCcmjbwGaMTfgz0aAmbQyocjzwrYnrLTmH1HBch
j4sIxSJMRlU2VFIrOgAnV6IRqlzxQeqhUgTGVYbdmgAJdR6kgwBAdNrylVCf
xCDKgeBcx5wosHDgQGISEJZFHL1j3GcZTWOCiCcybw/1CwDP7PdkrBYebQc6
HhIrjzoFdiwJO0TAUpdy6uvwPMA4ae0H+IGC/qQKexsCU5+qQsZkR8IsoH6K
lAHilTAwUlFmlG9FW4hxFVfLDSUzRxa5cgyqx/kEv2c5VEZJz6HwU4E4CpHQ
Y0yKVdb+Db7cMQVYG1I2pVTJxHMgOnGQuZeFqsMZYgqpwNIvqo918IgZl5OW
+jwNUMwDNURNxeZ3BOC9BIw5vl7T/sEgcYiKjCUkwPFRZFwA9CsIEyyGQ+RX
ywttYSYcL6Gjy8MUhwMfjUPalaFKr+JOat9CxgzGSWW1EVqZjxddDBhbx+jP
s14uG+pRbm99uMBXf0iZUPCbCdDBY0m5TBB00KBVh2tGPah7thE0FUOskAQD
oACbIkRznuHlAtb3A61blb7wdZRxrNACLMTpm6CzEfl/6pk/U+wy1HMolcPo
G44Li6yYibPDDyZiwHWlIhb5gNgx+aEA3ATt25uTB+WEh0Q1h8qHjcMokhPs
b5L8r9WTl8qn2227s3+rJ7vd0X2Xbhb5Mez6O743Pz2NITcV00n6F/XkSdGY
fv636slpoad/dIzJt3qys7JSi+sXxjacTvZWUb5pMeml71mvza3p7z70d23p
37/bt8WJdSu6ltdrlO846BfmYLnvzybtgl1JUejLgf723clr0Guv2dWcJj3O
fG7E1Weob6dLfjpddTu9huV0nLqUcKfw9m1uyWSEl498t9CfrY6ocs3oFaq7
nT0jzmPDJa/TWXsemqPGKDl3WoHoD42WMFN7+mOUdLXs+ja3znX6bB/HUsQ1
C3WVbOOUWwrChx/svU95tzoctI4bvdRadzoLLVkdpWxtrNrCKZ4n/cPlJd47
EzFwP+2EfgXDnvTp10n/8trGX148x4sXUE7ud5x2j6omT9oSPq3HlJX79HF3
9u1RJ02vjU7a1ztWOBgWs25fYBLKK832dklr0z3Jj+Dlr/azgrd2RvedBffm
0HjdDto1cOfclHe1BulLK0V4WOLeafLnTZENxY7Mnd6201as0SLnnk+/Od1t
40O6M2Yz7zntnLZ2bspJFK7uu7CRjuWTujCuM6v1fBfH96jXPY6KtSZu+7vn
zQm75onc+wfR4Bex+xYc79pdvVbc/vCcriwj3TTauh+fnv2Zrcg8fx6aNze/
vRfbfGAdB6m4iLqpfxWe3Wf7HE15cTLYKaP+qzg+Re+2msVW0ci1Q9v0048T
qScz8PguP2jFeztXhs6puc+Cyz56ZN7xZh7Os/dVOnf7N200inX/wvvceX5t
9B8Df/t6tWeatgr609muqy+XuTQNFuF5v1g9Vc70L7ZrZVL57O3RIX8v3aXP
jU/hw7nP18fGrTsMglXnMDrsSGfhD9uzqbq6t3s38XT30+dHvIwmwWnQHg9b
Z8HY39dybvbJQFDEfc/qPraN+GSNHtuR4W45yeyO5sVomhmdz2zsqdn41Wwe
+E/TmAin3JWbn9d+l09WS3FgbqPudLUZeNtGdnjn49Nled4vrXO8jYPz4HaZ
PO9L+35cWHN+2+Sn+758Xw2724l06ef25HWYeHrfj6Pnqj9qhFysdfuHxU3e
t9qLxZnXumlPdw/uY6xsR0V+k5a3o6vbeW8u5d7H7quvx8A4rM7F+KHHt7wh
jLTDrD0K3/veR9p3OmNhtBuP1p2BqN9vG5u89kLsZrouZk+Ob3q8TLYav9nf
klSV8nCQN2J1mt18fTyOP5v+YXU1ilvof26jTe7JZPIOpCB0CT/XCsXzyFvW
l9e+d3TdhR/cxXfn0m+4hc/vtFv3Nh7On6/Q2zhCHmb3Vy6bzdm92f8MVuFL
vxetsJDyrfloJlrSfn5GZL0btCbnV0NzeHVydZaFMkz1vWZ3xMFqRuyX8XxP
jI89eY8ek4e4dorF1d46ii+n9mA3lfLF7fohrdmssersL5eLtGxf9ZH/aB8i
rn3aO2GeD6NLauV2e8mlCVH6l2F3sj/Ous9jkGw/nfBh9EfKRj81wrXiZq12
7jwvD/+0vqUTTrL7eWcki8Fq4hbP1mmgmJ5SmG6xGwuz1EiJOOKjbhZEL6mb
NFqDheesuZzcQ38/Hobd+Ewc0d70lqfJY9x7llvoGZBPljaNffHYerpabtOd
eBN5RzCEeNe4actNU82NwedzedqfrSW4i/U2CQ+yqG+t12ramZr6Zrxbbp1F
6p937e1FeQcdZ+vJKreUuEZ0ecm8Oh0ermSV7Pjw44yCYjnIT5ogZvp7beyl
3Imfhbd8HKTPW/W9pahs3h4ZbBXPjSeNZ3Ao+KdBfDdtZedM9Z2jdRPfwm4m
TgfRubuZLd/OaFgQzTmZ8rRQk3P8PskKt5g99UDfNN6bx8KzbgM+LB7p+G4e
iNBcSrvmVeocEl1pxtIzdz/H50WIun7hX1SyOV+VQ9tQ2qt+22o2BHn2npLn
dbvKeqeTMO+cPuPTVjjNzRZ3Nj7DT9IqLsZhLpNdebMKd946PzrtaP6UvH4w
fw0aW3VpbX3LUEbNs6pzJ7d83pPwY9ykvtvl7sQwZa69VZ9iygVF2O47y4CI
7cfhtZ8ft9Y5bcyW3Li5zPqTZnt1XBxbL+k6yFLbmQr3SBnLH37YlVKr6R+W
zjxMx8472adJNApGrdbVOkpSI7l/pme5p4+7j3T4ieVNp3s0ha3xSozTviwB
7Djl7Yk67Pbfd+3CR8p6fH07r+12sR9MjTlpmBenWA5nwUa3L6v1xzvtBp2W
XOSzRat3StVsqRpuc9t6jrxn92DuL+M7rz+16e0kT42jNfEaZrzL1J0sKmKL
s5fZ5jgxtMtLuQ/HomTOue2AnP0O7w6X7eVrac7ezYEahByfTEfXz3Q4sxpa
X7+/+9M15y4NsvDSm3x8vz5W9mrL3Drrz+PPveVfso6urgxvx88f64HrzY6P
94V7BYfbqLGQX87mMp0V8kZr+93Z9TTVrYdv90+KGzR36V0UjlHXvgzHPSU/
70/J2PEns+Oya/riYzWdN6KVNnG88f4jKFpzN5039xM3MXeCcYjN+f24vRyG
G9NX4jk/7V/NwVrQ3Z7VEZWr50nelcsb47fHlcvMby8X3bduZ7PHoXxC207g
pLG054az82JuHHvWLRzNsp5T1k5qcbDdx7Fnc/vNatb4NLnI83JzveictGvx
cMdiu/cSwrH4aZvv5fJIlH00sE569727ndvKeXC2FE8dxbO1EOlB2jgcM3Lv
qqks+LZ+HqUFuc850nGd5emkXpNJZ6a5QlJ0Hi/lvS6GxOAveqgMOtk1/Lhu
njV87XAOP1bHj8+u1h40nec01IpLPi1294H5MRw9t9zg1tFWU+GtiZutrmjD
rS60o3x/fYW9RjvWJGckdhI/H3j2Q8mHg9X20lRDuRcKdmsxl1eXx9KbN6XF
ITGEwcY/WeHK27hCx05eudLgV9f0MLNlL1u9RkdDnr5J3BH13qcIRv59Zb97
8+01GDbPg36nPX6tXOv6kQ8a37nZpzn3HjeOWtaxW05n1ZS0or84LbPT/eEn
byu69veuGFjjQFsIU9/3DWM/KVpXfrCcyisvzXNbP1xajX5635z95SKMvdD7
PC9aV7MkMy4vdOFwxpibG6EazxT+cnzyD/5zni7JeeOFZ3P2MmJx6zfOmpFp
7pQ4bl4WEzK/JY/59Mlb89wJdeL05lyza+r9oL/1jl70cPTFQV4lS308UHQx
GE8ajtY2u/lmIMycd38z2ko9/2SGkT5Yvz1FvipF/G4PJuqiObH2x+dRMopV
vj+4Y/khjZv3e94whOHNdnfqapPGE87ca/fnI2xFaTrgk+NjN9k5WXA7ObtC
zkSN1zbqOL1+jp3NeOANmqHeazwSYTndSKe83EgtSxwMrrf0oHb2/mny7N6f
3ZukvMRkfR1YmRPf7+/5S8o6zZuf2Ia/646PDW18+ejr5koTx/Zb4IeP8Vm9
HDqtNFEUPTTF3Nt4T0Mwx/lNKUNdojlny9ZPmVN+azVShcb4IGZRmb+jp7V3
ZaPoidkmfk7eZsfo73rtrbl/vmKrrJsvQjeIz55zOc+6OVHd0foq5v65cQmT
jdR8rrfDdvdCzpM1d7RGoTtev4qBF+/8j+Jccqe/9nd9RbCH2aN3jJzZbBCV
BaQwdoLGbp6VK2ASbUnzPHGmyo1vN7WbcD+ZgucKn502TfNHOBQTSeCaQ8tx
3+b9KA2IMVvx1+t61eDCp/V6TCV1+HoF3iuyjIyse3zoiclkfCmjqNsvxvzh
og5HLznI18/WbSufEy0sL+rV3NuN1J29SPAS3le7mX+O/DgZNl/OeH/df0g0
6gvr7DUld9Xm15ttNEwftpBpI7uVju6Bd5CzTuNp3FutMhdtZ9y6aG+lJh9t
89NU4eKjeN1cdGMyU05Ny7unPWFqJzvzxVli34r61nonEG3UWG92oaadlNvb
u3OhpbW6xmfey8rzhk0OrvNsn+a+vTPbnkkuufSYa7EVH6Olu1oPQ6+tk8aL
M4LBRjq3g0vqcsbHi4WoZ36ek9Oj2J2OL7kdmGOO747SQX/kf16W392+A7sn
eKG/fJFWgx8u7XGef8bDdBAKZfV5/Ri7Zmhm11P3vvKvgdabR8fFrrdVeHmQ
dZ2YX2f3Q7S3onZ8W5MGJ5Nep2lH9513nQhnWfCuNzXTP9pmUChmpyu89NXq
dev058WiJcZc19LLc9NnHm6DpLsYmo3nMn9O1FzfO6s0krpz9Zx6z+tN8eIs
8NNj0d1KUjrLXos83g7ca6+jx1nU3PhtN7EP557QOK66xvzTHU0/nGgcb9HZ
6Gv+a2m0E49Ysr8nn9682y3eJ+2cB1nuL21l/TSjji2+kkyZzxuLXTfemN6Q
FEXPVu1eN7rfHrK1d55Ebb6b/U16WTdj3WsVnLYdjEJf6CbJPp9PWpPeWEus
xk5ofY7H8WSi2WVGeEupKTbz27jgTMkoK0fZUKKDs57LviY1F+1Tq7PaWT2r
SJMy7y/vvaxxFwzHz4bDqdxfzSeko86aw9W9WI625updLDtDKW+3btfYmo6t
7DJJOtzZy56Xtyru1poxyRrvsoKZkbT7aSajW/fgm662ynYiWV5v56L1bt3c
j9cTvW3HTh+76Njt3Z7T9qvVCwNrHq3G5RWYs8l1Jq4m+kWeSA6ZT6+hfFrc
i6PfPCh8npCn1TVXh/WucJLmsAwcH6s8ejwO2lDd9x6vhlsWd8pktlZX+c7L
ygzsCbwUGu+p/mitb5+X+ihIMBhstNv+0Fm1LrxbLneiBcNyeU4m7bzRHC0e
IbfuSNfDanmLU1nbk1hSRS799BXbPDt5Z/eSLrvzUde6/JnbW622vA7CgXHn
ZuLo2hhks48dE+uS+235pTuH0e3A2aq2ORjzm/Z+XOf51djm4lO32vr9UvDd
O/f6uGp3TnJ9OPUb5cldvA8mJ+nqS3y7cPzTW51MDDXol5FBc4rnzk1Gn8Oi
TAM9uXXo20Yy53SJBNusddOsZ+M1ey1cWSyL8l0ydI/TUyds6uKMI775Cmf+
5jXnJ9pxehi+x70w122LG2WH2XQT8b3WyTo8Gq/Wpqm3Rjs+l25RMrrm+410
4ePma6O/wu5bacuDdtay43KXKunc2o2uK15fJZubOYpvjhs0zPNGHJlv8xg9
glVknfUVWe5S3ruYSydbRDdfbV9OrZOvdhWul+4v++Zgsg4J8dq9z1NNDuWx
b3dsP1ozXn5PAz5w3457lsMyHNn7kbwPnq/uxuaXXF/VO58teRXG6xp0VDJR
4pd7NJpa490bxMnDU+6ThXj4ZOuVEOrbIddr34+tzuDZDL1L8366PBbjXiS8
yMV8rCw+0XpplAb5p3lsPDt3+748OrduQtbRgvhxtp9aj0C8GMuwXQyt5V3g
b+Jw473V41E9aPGw6MvCvizk1j1RII3r9H3JO2HnvAuXzcO1Y340I5a154IP
JprpScpqqxnC69PvFQu/e9Jc0WlOFWWsxM9BZ995Nrz9Kwy6orF+L+4fY9ni
iXMMj/boak3zayiOx+67a/v5Uxkfm9rx7VkH6bhIF97Zfpo783FoHFxt112Y
9uiuz6a7sbdUC+lQHqkGoZu/vUn7PvaLq+m93/f20I8de+RtuKh/bNrXUUvb
tbqN5ZNbzYec0d9fvBeX5elCeLnxnrPyY0o4W8o2re2U04N3MDAPxv2YPR4z
sfN0Q3V8LZZmp6F0udMjdy6JERtRdhP6PcHo6qOlfOyuisXTNDW9e9mbOzU8
Pzt9aTHbc0Sapkoxb8rHs/1qxGU1q/cum6l+nAll4ri4MT9e5dvRxgv6Unfc
N61mkRlBYVuD9iFeHxU5Mh37aQvuZ/e4Z41ktIqT0XhtLPtpv7jHyjF+Kyq5
LeZ3YbLaxtx+eg/kQrHcNtdfNzf7/ijid7dlHHRv/FRSGrfp3s6kna8LaTP2
d4V9j/P5YK6PQj2L8kWzuCuSHUpHl5i7sUXCz+DlFKMF31mNF8v97tEIt5HW
PkbXaL/Pw8tJCnXleTrv24V7SYP4bS09cXX0bnJnfb32hqG45m7tg/0iu6PY
Gb46/YaZnQ0iNufb7ad7lpuxPd90P1FfK0/2KzFta+r0sT1pnRZ5hap9/9gk
ssui8zAPFhMpTL1tQ5HtYVkVbMVn4J6Gu4vExaofp8XaG9uzo2iY57V91lND
IY+MC+6Ldnf/DLT9rAz2m33c/TT06cMSk8PxqnaH9kjahbb/5OPO1O0bx27L
DI/q/Zymmb8ezOTe8LSbKpfyNZdM8CM1Jy7X0CWBOHdp6F+s9HPx9VfrpL9I
2ouKT2T1hgvrfZmUR7Rx82IstM2iDIVr6TTlOuFaKsoj2rERnXrHwrLH2mQi
6ebuobQ4/TgdrJOr3VqGyuU+2LwmJlEWQXDn1sr8NnhnZNl6PGfnzN0teo2Q
u1v72/bUe0+HaiS2tmYcTCxBHU/vZ78ouPCjPPxozD8vu80zv7fTZ7kbkyU5
qQNOKguYxr24na9Om6zOgmbO8uN5LU7S11blN7u9S/hXuCtrA490ljdlcFyV
JU67iG+bxJ9tF6NzYQ4bQl/e98+5P5rlcW8RW7On6x9TXdMXo1a7vyWe9Da7
aiZmVj+/7acfW3mctLfzKKLJ5CRLx0ZrZ+1n0ogbZPJbNJXFLH/omzZXjI/3
1VJUdo4aWrIRb9vLy5sXtTAb+XmZmXav5lIsK8VbI7zqzods8l5ZzD6LMD2a
Waq+5XdhjOK43PSnZ6yl97tDhP1eXWrSZjgJRH8lidPb8OJYfIM8B2F0WsWf
1XH/HmbWWhXSTdvneFJuAnfl9uXerLN8pGRnFl1xl277vnEfhdPdZNN5bebj
RvRJFtdPNHwsk+DoXrzpaTw2hYsvntqH2S6/XlShsNrCcTlbH8LLZPNuTe39
Tov6M0K629WtYVtbZ+XZumtMnc9e8mTLts9lPeW4T+OyyWeXc6fcQuct2Zgf
4Wody/pZjmazbtMZp91ZmRfGMrlL0amseleD+zZePQY3J0lm24kniAulo192
HYd/trUyEOfl8WHyuiXj3lv3Rc4bvILhvXF2HmI74earxT1etztFNpq27KE8
2ijW0o27yv15DGQib4VB3LuOw44ijPXhdTucnTer5us8arwGk0ITU/18uU3k
zyzdzZOdxJ2C1trT9LH6GE777yx6uC2Sd5/GdSiPT4fykx/6c+tc1YXbWO2W
R+JshkpRpE3n/mkRgQyH/QlZrc1k6QWdwMtE2d8oaSZ7xtibyqMyu6z37oBf
3luTd0P/LP3xJsjc52e66nXMq6D51v3oLXPzExkjMTyv24aj+/JwJt7v1rLd
vm8++Vsz3OHhIjrrxtgs0pt1lgIlE/brQmzv1ySQ8we3XAqas0jjremaQqqb
2wU/N7Xp/BpFj+75ZvhxYYUO15j7ymy5ssSNz43e9i6dF859pef9/MWR0IyS
5nLhtF7rpP2aqtb62SZSc2++b72ZE8+fGz1rOK59zrnV5dx1Q2eeNdfJa3YQ
3+ZeHMzO5+zoHk/ZedI9Nneu6OvvUfu5Uu1QMCU3krLF49wYutsHMa67zmw5
G65Grc6Em/gr0dXK42hO0o40n1ifTnm/NpnUIkWyVw6vntVMSPe9nS+b78Zy
Y5602cdztcXqtPwM+4+DnqRrx21lQnkrvZG9SHVd+MRJNk5m1i70rt3NwbWt
xSJaL4tR424/rs9wYzXLBVvWFcssH88XSW/5LERdl1uvx8IML4Zt5plnfKSm
d7xfXUFsGVzvNNInvN/YpJ9rO/dTXg+OZdmw1Sbh/sY1B4fO2ddPktGznYWa
zry8+Oc///9mMu3wkJ+KLI7SY5zfb43/+n85/Fri6J9/S/zsFv/tv6mXjJ8f
bj/J6fqzeNxuP8bpccvi93/8zP38dPsZ+cezn/sHak8y2YXbsmb6se/maZvf
fvw8+umervH7p3PK8zjL8C7bODsnj+zn9kjT+EYtatgrr/FzFxe3f1T2NdEp
fNDL+nncYmpfk53uP6fk5x6/7j/J9XT8ue2Ou8y//vuFt5//tOcaxwmc9q//
aPyf/1zoXVFQyb/w5vQnTeK5f/3fH//2U9BrKf/3v/5r+PfeP3bxPfl7Vn6P
29+vSaipnBbsbv/93//4qb56evq5l/9s4x8fnhe38joa5X/c4t/P/sfP37qn
85sa6PhZ4b9vP0f/UF73fVv+6vYT+7ddfMWVZHF5E+PrtbwT5+spj//28/dG
dXX8v/7R+B8v6jwOKiQBAA==
--> -->
<!-- [rfced] We have changed all <artwork> elements in this document to
<sourcecode>. Please review to confirm this is correct.
In addition, please consider whether the "type" attribute of any <sourcecode>
element should be set and/or has been set correctly. Currently, some are set to
asn.1 and some are set to x509.
The current list of preferred values for "type" is available at
<https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>.
If the current list does not contain an applicable type, feel free to
suggest additions for consideration. Note that it is also acceptable
to leave the "type" attribute not set. -->
<!-- [rfced] Please review whether any of the notes in this document should be
in the <aside> element. It is defined as "a container for content that is
semantically less important or tangential to the content that surrounds
it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). -->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
Note that our script did not flag any words in particular, but this should
still be reviewed as a best practice. -->
</rfc> </rfc>
 End of changes. 132 change blocks. 
1510 lines changed or deleted 667 lines changed or added

This html diff was produced by rfcdiff 1.48.