rfc9810.original.xml   rfc9810.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.22 (Ruby 3.2. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
3) --> -ietf-lamps-rfc4210bis-18" number="9810" category="std" consensus="true" submiss
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft ionType="IETF" xml:lang="en" obsoletes="4210, 9480" updates="5912" tocDepth="4"
-ietf-lamps-rfc4210bis-18" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="false" symRefs="true" version="3">
xml:lang="en" obsoletes="4210 9480" updates="5912" tocDepth="4" tocInclude="tru
e" sortRefs="false" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.26.0 -->
<front> <front>
<title abbrev="CMP">Internet X.509 Public Key Infrastructure -- Certificate <title abbrev="CMP">Internet X.509 Public Key Infrastructure --
Management Protocol (CMP)</title> Certificate Management Protocol (CMP)</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-rfc4210bis-18"/> <seriesInfo name="RFC" value="9810"/>
<author initials="H." surname="Brockhaus" fullname="Hendrik Brockhaus"> <author initials="H." surname="Brockhaus" fullname="Hendrik Brockhaus">
<organization abbrev="Siemens">Siemens</organization> <organization abbrev="Siemens">Siemens</organization>
<address> <address>
<postal> <postal>
<street>Werner-von-Siemens-Strasse 1</street> <street>Werner-von-Siemens-Strasse 1</street>
<city>Munich</city> <city>Munich</city>
<code>80333</code> <code>80333</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<email>hendrik.brockhaus@siemens.com</email> <email>hendrik.brockhaus@siemens.com</email>
skipping to change at line 69 skipping to change at line 70
<street>1187 Park Place</street> <street>1187 Park Place</street>
<city>Minneapolis</city> <city>Minneapolis</city>
<region>MN</region> <region>MN</region>
<code>55379</code> <code>55379</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>john.gray@entrust.com</email> <email>john.gray@entrust.com</email>
<uri>https://www.entrust.com</uri> <uri>https://www.entrust.com</uri>
</address> </address>
</author> </author>
<date year="2025"/> <date year="2025" month="June"/>
<area>sec</area>
<workgroup>LAMPS Working Group</workgroup> <area>SEC</area>
<workgroup>lamps</workgroup>
<keyword>CMP</keyword> <keyword>CMP</keyword>
<keyword>Certificate Management</keyword> <keyword>Certificate Management</keyword>
<keyword>PKI</keyword> <keyword>PKI</keyword>
<abstract>
<?line 203?>
<!-- [rfced] To keep the abstract succinct, we suggest
moving some of its content to the Introduction. Perhaps the third paragraph cou
ld be worked into the Introduction?
As noted in
Section 4.3 of RFC 7322:
Every RFC must have an Abstract that provides a concise and
comprehensive overview of the purpose and contents of the entire
document, to give a technically knowledgeable reader a general
overview of the function of the document....
A satisfactory Abstract can often be
constructed in part from material within the Introduction section,
but an effective Abstract may be shorter, less detailed, and perhaps
broader in scope than the Introduction.
Please review and let us know how/if the text may be updated.
-->
<abstract>
<t>This document describes the Internet X.509 Public Key Infrastructure (PKI) <t>This document describes the Internet X.509 Public Key Infrastructure (PKI)
Certificate Management Protocol (CMP). Protocol messages are defined for Certificate Management Protocol (CMP). Protocol messages are defined for
X.509v3 certificate creation and management. CMP provides interactions between X.509v3 certificate creation and management. CMP provides interactions between
client systems and PKI components such as a Registration Authority (RA) and client systems and PKI components such as a Registration Authority (RA) and
a Certification Authority (CA).</t> a Certification Authority (CA).</t>
<t>This document adds support for management of certificates containing a Key Encapsulation Mechanism (KEM) public key and use <t>This document adds support for management of certificates containing a Key Encapsulation Mechanism (KEM) public key and uses
EnvelopedData instead of EncryptedValue. This document also includes the EnvelopedData instead of EncryptedValue. This document also includes the
updates specified in Section 2 and Appendix A.2 of RFC 9480.</t> updates specified in Section 2 and Appendix A.2 of RFC 9480.</t>
<t>The updates maintain backward compatibility with CMP version 2 wherever <t>The updates maintain backward compatibility with CMP version 2 wherever
possible. Updates to CMP version 2 are improving crypto agility, extending the possible. Updates to CMP version 2 are improving crypto agility, extending the
polling mechanism, adding new general message types, and adding extended polling mechanism, adding new general message types, and adding extended
key usages to identify special CMP server authorizations. CMP version 3 is key usages (EKUs) to identify special CMP server authorizations. CMP version 3 i
introduced for changes to the ASN.1 syntax, which are support of s
introduced for changes to the ASN.1 syntax, which support
EnvelopedData, certConf with hashAlg, POPOPrivKey with agreeMAC, and EnvelopedData, certConf with hashAlg, POPOPrivKey with agreeMAC, and
RootCaKeyUpdateContent in ckuann messages.</t> RootCaKeyUpdateContent in ckuann messages.</t>
<t>This document obsoletes RFC 4210 and together with I-D.ietf-lamps-rfc67 <t>This document obsoletes RFC 4210, and together with RFC 9811, it also o
12bis bsoletes RFC 9480. Appendix F of this document updates
and it also obsoletes RFC 9480. Appendix F of this document updates the
Section 9 of RFC 5912.</t> Section 9 of RFC 5912.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?line 228?> <?line 228?>
<section anchor="sect-1"> <section anchor="sect-1">
<name>Introduction</name> <name>Introduction</name>
<t>[RFC Editor: please delete:</t>
<t>During IESG telechat the CMP Updates document was approved on condition
that
LAMPS provides a RFC4210bis document. Version -00 of this document shall
be identical to RFC 4210 and version -01 incorporates the changes specified
in CMP Updates Section 2 and Appendix A.2.</t>
<t>A history of changes is available in <xref target="sect-g"/> of this do
cument.</t>
<t>The authors of this document wish to thank Carlisle Adams, Stephen Farr
ell,
Tomi Kause, and Tero Mononen, the original authors of RFC4210, for their
work and invite them, next to further volunteers, to join the -bis activity
as co-authors.</t>
<t>]</t>
<t>[RFC Editor:</t>
<t>Please perform the following substitution.</t>
<ul spacing="normal">
<li>
<t>RFCXXXX --&gt; the assigned numerical RFC value for this draft
]</t>
</li>
</ul>
<t>This document describes the Internet X.509 Public Key Infrastructure <t>This document describes the Internet X.509 Public Key Infrastructure
(PKI) Certificate Management Protocol (CMP). Protocol messages are (PKI) Certificate Management Protocol (CMP). Protocol messages are
defined for certificate creation and management. The term defined for certificate creation and management. The term
"certificate" in this document refers to an X.509v3 Certificate as "certificate" in this document refers to an X.509v3 Certificate as
defined in <xref target="RFC5280"/>.</t> defined in <xref target="RFC5280"/>.</t>
<section anchor="sect-1.1"> <section anchor="sect-1.1">
<name>Changes Made by RFC 4210</name> <name>Changes Made by RFC 4210</name>
<t><xref target="RFC4210"/> differs from <xref target="RFC2510"/> in the following areas:</t> <t><xref target="RFC4210"/> differs from <xref target="RFC2510"/> in the following areas:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
skipping to change at line 146 skipping to change at line 145
</li> </li>
<li> <li>
<t>The message confirmation mechanism has changed substantially.</t> <t>The message confirmation mechanism has changed substantially.</t>
</li> </li>
<li> <li>
<t>A new polling mechanism is introduced, deprecating the old pollin g <t>A new polling mechanism is introduced, deprecating the old pollin g
method at the CMP transport level.</t> method at the CMP transport level.</t>
</li> </li>
<li> <li>
<t>The CMP transport protocol issues are handled in a separate <t>The CMP transport protocol issues are handled in a separate
document <xref target="RFC6712"/>, thus the Transports section is removed.</t> document <xref target="RFC6712"/>, thus the "Transports" section is removed.</t>
</li> </li>
<li> <li>
<t>A new implicit confirmation method is introduced to reduce the <t>A new implicit confirmation method is introduced to reduce the
number of protocol messages exchanged in a transaction.</t> number of protocol messages exchanged in a transaction.</t>
</li> </li>
<li> <li>
<t>The new specification contains some less prominent protocol <t>The new specification contains some less prominent protocol
enhancements and improved explanatory text on several issues.</t> enhancements and improved explanatory text on several issues.</t>
</li> </li>
</ul> </ul>
skipping to change at line 173 skipping to change at line 172
<li> <li>
<t>Added new extended key usages for various CMP server types, e.g., registration <t>Added new extended key usages for various CMP server types, e.g., registration
authority and certification authority, to express the authorization of the authority and certification authority, to express the authorization of the
certificate holder that acts as the indicated type of PKI management entity.</t> certificate holder that acts as the indicated type of PKI management entity.</t>
</li> </li>
<li> <li>
<t>Extended the description of multiple protection to cover addition al use cases, <t>Extended the description of multiple protection to cover addition al use cases,
e.g., batch processing of messages.</t> e.g., batch processing of messages.</t>
</li> </li>
<li> <li>
<t>Use the Cryptographic Message Syntax (CMS) <xref target="RFC5652" /> type EnvelopedData as the preferred choice instead of <t>Used the Cryptographic Message Syntax (CMS) <xref target="RFC5652 "/> type EnvelopedData as the preferred choice instead of
EncryptedValue to better support crypto agility in CMP. </t> EncryptedValue to better support crypto agility in CMP. </t>
<t> <t>
For reasons of completeness and consistency, the type EncryptedValue has been For reasons of completeness and consistency, the type EncryptedValue has been
exchanged in all occurrences. This includes the protection of centrally exchanged in all occurrences. This includes the protection of centrally
generated private keys, encryption of certificates, proof-of-possession methods, and protection of revocation generated private keys, encryption of certificates, proof-of-possession methods, and protection of revocation
passphrases. To properly differentiate the support of EnvelopedData instead passphrases. To properly differentiate the support of EnvelopedData instead
of EncryptedValue, CMP version 3 is introduced in case a transaction of EncryptedValue, CMP version 3 is introduced in case a transaction
is supposed to use EnvelopedData. </t> is supposed to use EnvelopedData. </t>
<t> <t>
Note: According to <xref target="RFC4211"/>, Section 2.1, point 9, the use of th e EncryptedValue structure has been deprecated Note: According to point 9 in <xref section="2.1" target="RFC4211"/>, the use of the EncryptedValue structure has been deprecated
in favor of the EnvelopedData structure. <xref target="RFC4211"/> offers the Enc ryptedKey structure a choice of EncryptedValue and EnvelopedData in favor of the EnvelopedData structure. <xref target="RFC4211"/> offers the Enc ryptedKey structure a choice of EncryptedValue and EnvelopedData
for migration to EnvelopedData.</t> for migration to EnvelopedData.</t>
</li> </li>
<!--[rfced] It is unclear to us how "that has a signature algorithm..." fits
into the sentence below. Please review and let us know it may be updated for
clarity.
Original:
* Offer an optional hashAlg field in CertStatus supporting cases
that a certificate needs to be confirmed that has a signature
algorithm that does not indicate a specific hash algorithm to use
for computing the certHash.
Perhaps:
* Offer an optional hashAlg field in CertStatus supporting cases
where a certificate that has a signature algorithm but doesn't
specify a hash algorithm to compute the certHash needs to be
confirmed.
-->
<li> <li>
<t>Offer an optional hashAlg field in CertStatus supporting cases th at a certificate <t>Offered an optional hashAlg field in CertStatus supporting cases that a certificate
needs to be confirmed that has a signature algorithm that does not indicate needs to be confirmed that has a signature algorithm that does not indicate
a specific hash algorithm to use for computing the certHash. This is also in a specific hash algorithm to use for computing the certHash. This is also in
preparation for upcoming post-quantum algorithms.</t> preparation for upcoming post-quantum algorithms.</t>
</li> </li>
<li> <li>
<t>Added new general message types to request CA certificates, a roo t CA update, <t>Added new general message types to request CA certificates, a roo t CA update,
a certificate request template, or Certificate Revocation List (CRL) updates.</t > a certificate request template, or Certificate Revocation List (CRL) updates.</t >
</li> </li>
<li> <li>
<t>Extended the use of polling to p10cr, certConf, rr, genm, and err or messages.</t> <t>Extended the use of polling to p10cr, certConf, rr, genm, and err or messages.</t>
</li> </li>
<li> <li>
<t>Deleted the mandatory algorithm profile in <xref target="sect-c.2 "/> and refer instead to Section 7 of <xref target="RFC9481"/>.</t> <t>Deleted the mandatory algorithm profile in <xref target="sect-c.2 "/> and instead referred to <xref section="7" target="RFC9481"/>.</t>
</li> </li>
<li> <li>
<t>Added security considerations Sections <xref format="counter" tar get="sect-8.6"/>, <xref format="counter" target="sect-8.7"/>, <xref format="coun ter" target="sect-8.9"/>, and <xref format="counter" target="sect-8.10"/>.</t> <t>Added Sections <xref format="counter" target="sect-8.6"/>, <xref format="counter" target="sect-8.7"/>, <xref format="counter" target="sect-8.9"/> , and <xref format="counter" target="sect-8.10"/> to the security considerations .</t>
</li> </li>
</ul> </ul>
</section> </section>
<section anchor="sect-1.3"> <section anchor="sect-1.3">
<name>Changes Made by This Document</name> <name>Changes Made by This Document</name>
<t>This document obsoletes <xref target="RFC4210"/> and <xref target="RF
C9480"/>. It includes the changes specified by Section 2 and Appendix C.2 of <xr <!-- [rfced] FYI, we have updated the citations in the sentence below
ef target="RFC9480"/> as described in <xref target="sect-1.2"/>. Additionally th as follows. [RFC9480] does not have an Appendix C.2, but it does have
is document updates the content of <xref target="RFC4210"/> in the following are an Appendix A.2. Please review and confirm that these updates retain
as:</t> the intended meaning.
Original:
This document obsoletes [RFC4210] and [RFC9480]. It includes the
changes specified by Section 2 and Appendix C.2 of [RFC9480] as
described in Section 1.2.
Current:
This document obsoletes [RFC4210] and [RFC9480]. It includes the
changes specified by Section 2 and Appendix A.2 of [RFC9480] as
described in Section 1.2.
-->
<t>This document obsoletes <xref target="RFC4210"/> and <xref target="RF
C9480"/>. It includes the changes specified by Section <xref section="2" target=
"RFC9480" sectionFormat="bare"/> and <xref section="A.2" target="RFC9480"/> as d
escribed in <xref target="sect-1.2"/>. Additionally, this document updates the c
ontent of <xref target="RFC4210"/> in the following areas:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Added <xref target="sect-3.1.1.4"/> introducing the Key Generatio n Authority.</t> <t>Added <xref target="sect-3.1.1.4"/> introducing the Key Generatio n Authority.</t>
</li> </li>
<li> <li>
<t>Extended <xref target="sect-3.1.2"/> regarding use of Certificate Transparency logs.</t> <t>Extended <xref target="sect-3.1.2"/> regarding use of Certificate Transparency logs.</t>
</li> </li>
<li> <li>
<t>Updated <xref target="sect-4.4"/> introducing RootCaKeyUpdateCont ent as alternative to using a repository to acquire new root CA certificates.</t > <t>Updated <xref target="sect-4.4"/> introducing RootCaKeyUpdateCont ent as an alternative to using a repository to acquire new root CA certificates. </t>
</li> </li>
<li> <li>
<t>Added <xref target="sect-5.1.1.3"/> containing description of ori gPKIMessage content moved here from <xref target="sect-5.1.3.4"/>.</t> <t>Added <xref target="sect-5.1.1.3"/> containing a description of o rigPKIMessage content, moved here from <xref target="sect-5.1.3.4"/>.</t>
</li> </li>
<li> <li>
<t>Added support for KEM keys for proof-of-possession to <xref targe t="sect-4.3"/> and <xref target="sect-5.2.8"/>, for message protection to <xref target="sect-5.1.1"/>, <xref target="sect-5.1.3.4"/>, and <xref target="sect-e"/ >, and for usage with CMS EnvelopedData to <xref target="sect-5.2.2"/>.</t> <t>Added support for KEM keys for proof-of-possession to Sections <x ref target="sect-4.3" format="counter"/> and <xref target="sect-5.2.8" format="c ounter"/>, for message protection to Sections <xref target="sect-5.1.1" format=" counter"/> and <xref target="sect-5.1.3.4" format="counter"/> and <xref target=" sect-e"/>, and for usage with CMS EnvelopedData to <xref target="sect-5.2.2"/>.< /t>
</li> </li>
<li> <li>
<t>Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent. </t> <t>Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent. </t>
</li> </li>
<li> <li>
<t>Incorporated the request message behavioral clarifications from A <t>Incorporated the request message behavioral clarifications from <
ppendix xref section="C" target="RFC4210"/> to <xref target="sect-5"/>. The definition o
C of <xref target="RFC4210"/> to <xref target="sect-5"/>. The definition of altC f altCertTemplate was incorporated into <xref target="sect-5.2.1"/>, and the cla
ertTemplate was incorporated into <xref target="sect-5.2.1"/> and the clarificat rification on POPOSigningKey and on POPOPrivKey was incorporated into <xref targ
ion on POPOSigningKey and on POPOPrivKey was incorporated into <xref target="sec et="sect-5.2.8"/>.</t>
t-5.2.8"/>.</t>
</li> </li>
<li> <li>
<t>Added support for CMS EnvelopedData to different proof-of-possess ion methods for transferring encrypted private keys, certificates, and challenge s to <xref target="sect-5.2.8"/>.</t> <t>Added support for CMS EnvelopedData to different proof-of-possess ion methods for transferring encrypted private keys, certificates, and challenge s to <xref target="sect-5.2.8"/>.</t>
</li> </li>
<li> <li>
<t>Added security considerations Sections <xref format="counter" tar get="sect-8.1"/>, <xref format="counter" target="sect-8.5"/>, <xref format="coun ter" target="sect-8.8"/>, and <xref format="counter" target="sect-8.11"/>.</t> <t>Added Sections <xref format="counter" target="sect-8.1"/>, <xref format="counter" target="sect-8.5"/>, <xref format="counter" target="sect-8.8"/> , and <xref format="counter" target="sect-8.11"/> to the security considerations .</t>
</li> </li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="sect-2"> <section anchor="sect-2">
<name>Terminology and Abbreviations</name> <name>Terminology and Abbreviations</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14 <t>
>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
nterpreted as "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and be interpreted as
only when, they described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
appear in all capitals, as shown here.</t> when, and only when, they appear in all capitals, as shown here.
<?line -18?> </t>
<t>This document relies on the terminology defined in <xref
<t>This document relies on the terminology defined in <xref target="RFC5280"/>. target="RFC5280"/>. The most important abbreviations are listed
The most important abbreviations are listed below:</t> below:</t>
<ul empty="true"> <dl spacing="normal" newline="false">
<li> <dt>CA:</dt><dd>Certification Authority</dd>
<t>CA: Certification Authority</t> <dt>CMP:</dt><dd>Certificate Management Protocol</dd>
</li> <dt>CMS:</dt><dd>Cryptographic Message Syntax</dd>
</ul> <dt>CRL:</dt><dd>Certificate Revocation List</dd>
<ul empty="true"> <dt>CRMF:</dt><dd>Certificate Request Message Format</dd>
<li> <dt>EE:</dt><dd>End Entity</dd>
<t>CMP: Certificate Management Protocol</t> <dt>KEM:</dt><dd>Key Encapsulation Mechanism</dd>
</li> <dt>KGA:</dt><dd>Key Generation Authority</dd>
</ul> <dt>LRA:</dt><dd>Local Registration Authority</dd>
<ul empty="true"> <dt>MAC:</dt><dd>Message Authentication Code</dd>
<li> <dt>PKI:</dt><dd>Public Key Infrastructure</dd>
<t>CMS: Cryptographic Message Syntax</t> <dt>POP:</dt><dd>Proof-of-Possession</dd>
</li> <dt>RA:</dt><dd>Registration Authority</dd>
</ul> <dt>TEE:</dt><dd>Trusted Execution Environment</dd>
<ul empty="true"> </dl>
<li>
<t>CRL: Certificate Revocation List</t>
</li>
</ul>
<ul empty="true">
<li>
<t>CRMF: Certificate Request Message Format</t>
</li>
</ul>
<ul empty="true">
<li>
<t>EE: End Entity</t>
</li>
</ul>
<ul empty="true">
<li>
<t>KEM: Key Encapsulation Mechanism</t>
</li>
</ul>
<ul empty="true">
<li>
<t>KGA: Key Generation Authority</t>
</li>
</ul>
<ul empty="true">
<li>
<t>LRA: Local Registration Authority</t>
</li>
</ul>
<ul empty="true">
<li>
<t>MAC: Message Authentication Code</t>
</li>
</ul>
<ul empty="true">
<li>
<t>PKI: Public Key Infrastructure</t>
</li>
</ul>
<ul empty="true">
<li>
<t>POP: Proof Of Possession</t>
</li>
</ul>
<ul empty="true">
<li>
<t>RA: Registration Authority</t>
</li>
</ul>
<ul empty="true">
<li>
<t>TEE: Trusted Execution Environment</t>
</li>
</ul>
</section> </section>
<section anchor="sect-3"> <section anchor="sect-3">
<name>PKI Management Overview</name> <name>PKI Management Overview</name>
<t>The PKI must be structured to be consistent with the types of <t>The PKI must be structured to be consistent with the types of
individuals who must administer it. Providing such administrators individuals who must administer it. Providing such administrators
with unbounded choices not only complicates the software required, with unbounded choices not only complicates the software required
but also increases the chances that a subtle mistake by an but also increases the chances that a subtle mistake by an
administrator or software developer will result in broader administrator or software developer will result in broader
compromise. Similarly, restricting administrators with cumbersome compromise. Similarly, restricting administrators with cumbersome
mechanisms will cause them not to use the PKI.</t> mechanisms will cause them not to use the PKI.</t>
<t>Management protocols are <bcp14>REQUIRED</bcp14> to support on-line int eractions <t>Management protocols are <bcp14>REQUIRED</bcp14> to support on-line int eractions
between Public Key Infrastructure (PKI) components. For example, a between Public Key Infrastructure (PKI) components. For example, a
management protocol might be used between a Certification Authority management protocol might be used between a Certification Authority
(CA) and a client system with which a key pair is associated, or (CA) and a client system with which a key pair is associated or
between two CAs that issue cross-certificates for each other.</t> between two CAs that issue cross-certificates for each other.</t>
<section anchor="sect-3.1"> <section anchor="sect-3.1">
<name>PKI Management Model</name> <name>PKI Management Model</name>
<t>Before specifying particular message formats and procedures, we first <t>Before specifying particular message formats and procedures, we first
define the entities involved in PKI management and their interactions define the entities involved in PKI management and their interactions
(in terms of the PKI management functions required). We then group (in terms of the PKI management functions required). We then group
these functions in order to accommodate different identifiable types these functions in order to accommodate different identifiable types
of end entities.</t> of end entities.</t>
<section anchor="sect-3.1.1"> <section anchor="sect-3.1.1">
<name>Definitions of PKI Entities</name> <name>Definitions of PKI Entities</name>
skipping to change at line 362 skipping to change at line 342
<section anchor="sect-3.1.1.1"> <section anchor="sect-3.1.1.1">
<name>Subjects and End Entities</name> <name>Subjects and End Entities</name>
<t>The term "subject" is used here to refer to the entity to whom th e <t>The term "subject" is used here to refer to the entity to whom th e
certificate is issued, typically named in the subject or certificate is issued, typically named in the subject or
subjectAltName field of a certificate. When we wish to distinguish subjectAltName field of a certificate. When we wish to distinguish
the tools and/or software used by the subject (e.g., a local the tools and/or software used by the subject (e.g., a local
certificate management module), we will use the term "subject equipment". certificate management module), we will use the term "subject equipment".
In general, the term "end entity" (EE), rather than In general, the term "end entity" (EE), rather than
"subject", is preferred in order to avoid confusion with the field "subject", is preferred in order to avoid confusion with the field
name. It is important to note that the end entities here will name. It is important to note that the end entities here will
include not only human users of applications, but also applications include not only human users of applications but also applications
themselves (e.g., for IKE/IPsec) or devices (e.g., routers or industrial themselves (e.g., for Internet Key Exchange Protocol (IKE) / IPsec) or
devices (e.g., routers or industrial
control systems). This factor influences the control systems). This factor influences the
protocols that the PKI management operations use; for example, protocols that the PKI management operations use; for example,
application software is far more likely to know exactly which application software is far more likely to know exactly which
certificate extensions are required than are human users. PKI certificate extensions are required than are human users. PKI
management entities are also end entities in the sense that they are management entities are also end entities in the sense that they are
sometimes named in the subject or subjectAltName field of a sometimes named in the subject or subjectAltName field of a
certificate or cross-certificate. Where appropriate, the term "end entity" certificate or cross-certificate. Where appropriate, the term "end entity"
will be used to refer to end entities who are not PKI will be used to refer to end entities who are not PKI
management entities.</t> management entities.</t>
<t>All end entities require secure local access to some information -- <t>All end entities require secure local access to some information --
at a minimum, their own name and private key, the name of a CA that at a minimum, their own name and private key, the name of a CA that
is directly trusted by this entity, and that CA's public key (or a is directly trusted by this entity, and that CA's public key (or a
fingerprint of the public key where a self-certified version is fingerprint of the public key where a self-certified version is
available elsewhere). Implementations <bcp14>MAY</bcp14> use secure local stora ge available elsewhere). Implementations <bcp14>MAY</bcp14> use secure local stora ge
for more than this minimum (e.g., the end entity's own certificates or for more than this minimum (e.g., the end entity's own certificates or
application-specific information). The form of storage will also application-specific information). The form of storage will also
vary -- from files to tamper-resistant cryptographic tokens. The vary -- from files to tamper-resistant cryptographic tokens. The
information stored in such local, trusted storage is referred to here information stored in such local, trusted storage is referred to here
as the end entity's Trusted Execution Environment (TEE) also known as as the end entity's Trusted Execution Environment (TEE), also known as
Personal Security Environment (PSE).</t> Personal Security Environment (PSE).</t>
<t>Though TEE formats are beyond the scope of this document (they ar e <t>Though TEE formats are beyond the scope of this document (they ar e
very dependent on equipment, et cetera), a generic interchange format very dependent on equipment, et cetera), a generic interchange format
for TEEs is defined here: a certification response message, see <xref target="se ct-5.3.4"/>, <bcp14>MAY</bcp14> be for TEEs is defined here: a certification response message (see <xref target="se ct-5.3.4"/>) <bcp14>MAY</bcp14> be
used.</t> used.</t>
</section> </section>
<section anchor="sect-3.1.1.2"> <section anchor="sect-3.1.1.2">
<name>Certification Authority</name> <name>Certification Authority</name>
<t>The certification authority (CA) may or may not actually be a rea l <t>The certification authority (CA) may or may not actually be a rea l
"third party" from the end entity's point of view. Quite often, the "third party" from the end entity's point of view. Quite often, the
CA will actually belong to the same organization as the end entities CA will actually belong to the same organization as the end entities
it supports.</t> it supports.</t>
<t>Again, we use the term "CA" to refer to the entity named in the <t>Again, we use the term "CA" to refer to the entity named in the
issuer field of a certificate. When it is necessary to distinguish issuer field of a certificate. When it is necessary to distinguish
skipping to change at line 408 skipping to change at line 388
<t>The CA equipment will often include both an "off-line" component and <t>The CA equipment will often include both an "off-line" component and
an "on-line" component, with the CA private key only available to the an "on-line" component, with the CA private key only available to the
"off-line" component. This is, however, a matter for implementers "off-line" component. This is, however, a matter for implementers
(though it is also relevant as a policy issue).</t> (though it is also relevant as a policy issue).</t>
<t>We use the term "root CA" to indicate a CA that is directly trust ed <t>We use the term "root CA" to indicate a CA that is directly trust ed
by an end entity; that is, securely acquiring the value of a root CA by an end entity; that is, securely acquiring the value of a root CA
public key requires some out-of-band step(s). This term is not meant public key requires some out-of-band step(s). This term is not meant
to imply that a root CA is necessarily at the top of any hierarchy, to imply that a root CA is necessarily at the top of any hierarchy,
simply that the CA in question is trusted directly. The "root CA" simply that the CA in question is trusted directly. The "root CA"
may provide its trust anchor information with or without using a may provide its trust anchor information with or without using a
certificate. In some circumstances such a certificate may be certificate. In some circumstances, such a certificate may be
self-signed, but in other circumstances it may be cross signed, self-signed, but in other circumstances, it may be cross-signed,
signed by a peer, signed by a superior CA, or unsigned.</t> signed by a peer, signed by a superior CA, or unsigned.</t>
<t>Note that other documents like <xref target="X509.2019"/> and <xr ef target="RFC5280"/> use the <t>Note that other documents like <xref target="X509.2019"/> and <xr ef target="RFC5280"/> use the
term "trusted CA" or "trust anchor" instead of "root CA". This term "trusted CA" or "trust anchor" instead of "root CA". This
document continues using "root CA" based on the above definition document continues using "root CA" based on the above definition
because it is also present in the ASN.1 syntax that cannot be changed because it is also present in the ASN.1 syntax that cannot be changed
easily.</t> easily.</t>
<t>A "subordinate CA" is one that is not a root CA for the end entit y in <t>A "subordinate CA" is one that is not a root CA for the end entit y in
question. Often, a subordinate CA will not be a root CA for any question. Often, a subordinate CA will not be a root CA for any
entity, but this is not mandatory.</t> entity, but this is not mandatory.</t>
</section> </section>
<section anchor="sect-3.1.1.3"> <section anchor="sect-3.1.1.3">
<name>Registration Authority</name> <name>Registration Authority</name>
<t>In addition to end-entities and CAs, many environments call for t he <t>In addition to end entities and CAs, many environments call for t he
existence of a Registration Authority (RA) separate from the existence of a Registration Authority (RA) separate from the
Certification Authority. The functions that the registration Certification Authority. The functions that the registration
authority may carry out will vary from case to case but <bcp14>MAY</bcp14> inclu de authority may carry out will vary from case to case but <bcp14>MAY</bcp14> inclu de
identity checking, token distribution, checking certificate requests identity checking, token distribution, checking certificate requests
and authentication of their origin, revocation reporting, and authentication of their origin, revocation reporting,
name assignment, archival of key pairs, et cetera.</t> name assignment, archival of key pairs, et cetera.</t>
<t>This document views the RA as an <bcp14>OPTIONAL</bcp14> componen t: when it is not <t>This document views the RA as an <bcp14>OPTIONAL</bcp14> componen t: When it is not
present, the CA is assumed to be able to carry out the RA's functions present, the CA is assumed to be able to carry out the RA's functions
so that the PKI management protocols are the same from the end-entity's so that the PKI management protocols are the same from the
point of view.</t> end entity's point of view.</t>
<t>Again, we distinguish, where necessary, between the RA and the to ols <t>Again, we distinguish, where necessary, between the RA and the to ols
used (the "RA equipment").</t> used (the "RA equipment").</t>
<t>Note that an RA is itself an end entity. We further assume that all <t>Note that an RA is itself an end entity. We further assume that all
RAs are in fact certified end entities and that RAs have private keys RAs are in fact certified end entities and that RAs have private keys
that are usable for signing. How a particular CA equipment that are usable for signing. How a particular CA equipment
identifies some end entities as RAs is an implementation issue (i.e., identifies some end entities as RAs is an implementation issue (i.e.,
this document specifies no special RA certification operation). We this document specifies no special RA certification operation). We
do not mandate that the RA is certified by the CA with which it is do not mandate that the RA is certified by the CA with which it is
interacting at the moment (so one RA may work with more than one CA interacting at the moment (so one RA may work with more than one CA
whilst only being certified once).</t> whilst only being certified once).</t>
<t>In some circumstances, end entities will communicate directly wit h a <t>In some circumstances, end entities will communicate directly wit h a
CA even where an RA is present. For example, for initial CA even where an RA is present. For example, for initial
registration and/or certification, the end entity may use its RA, but registration and/or certification, the end entity may use its RA but
communicate directly with the CA in order to refresh its certificate.</t> communicate directly with the CA in order to refresh its certificate.</t>
</section> </section>
<section anchor="sect-3.1.1.4"> <section anchor="sect-3.1.1.4">
<name>Key Generation Authority</name> <name>Key Generation Authority</name>
<t>A Key Generation Authority (KGA) is a PKI management entity gener ating key <t>A Key Generation Authority (KGA) is a PKI management entity gener ating key
pairs on behalf of an end entity. As the KGA generates the key pair it pairs on behalf of an end entity. As the KGA generates the key pair, it
knows the public and the private part.</t> knows the public and the private part.</t>
<t>This document views the KGA as an <bcp14>OPTIONAL</bcp14> compone nt. When it is not present <t>This document views the KGA as an <bcp14>OPTIONAL</bcp14> compone nt. When it is not present
and central key generation is needed, the CA is assumed to be able to carry and central key generation is needed, the CA is assumed to be able to carry
out the KGA's functions so that the PKI management protocol messages are the out the KGA's functions so that the PKI management protocol messages are the
same from the end-entity's point of view. If certain tasks of a CA are same from the end entity's point of view. If certain tasks of a CA are
delegated to other components, this delegation needs authorization, which can delegated to other components, this delegation needs authorization, which can
be indicated by extended key usages (see <xref target="sect-4.5"/>).</t> be indicated by extended key usages (see <xref target="sect-4.5"/>).</t>
<t>Note: When doing central generation of key pairs, implementers sh ould consider <t>Note: When doing central generation of key pairs, implementers sh ould consider
the implications of server-side retention on the overall security of the the implications of server-side retention on the overall security of the
system; in some case retention is good, for example for escrow reasons, but system; in some cases, retention is good, for example, for escrow reasons, but
in other cases the server should clear its copy after delivery to the end in other cases, the server should clear its copy after delivery to the end
entity.</t> entity.</t>
<t>Note: If the CA delegates key generation to a KGA, the KGA can be collocated <t>Note: If the CA delegates key generation to a KGA, the KGA can be collocated
with the RA.</t> with the RA.</t>
</section> </section>
</section> </section>
<section anchor="sect-3.1.2"> <section anchor="sect-3.1.2">
<name>PKI Management Requirements</name> <name>PKI Management Requirements</name>
<t>The protocols given here meet the following requirements on PKI <t>The protocols given here meet the following requirements on PKI
management</t> management</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<!-- [rfced] For clarity, we recommend adding citations for ISO/IEC 9594-8/ITU-T
X.509". May we add a citation to the existing reference to [X509.2019]?
Original:
1. PKI management must conform to the ISO/IEC 9594-8/ITU-T X.509
standards.
-->
<t>PKI management must conform to the ISO/IEC 9594-8/ITU-T X.509 <t>PKI management must conform to the ISO/IEC 9594-8/ITU-T X.509
standards.</t> standards.</t>
</li> </li>
<li> <li>
<t>It must be possible to regularly update any key pair without <t>It must be possible to regularly update any key pair without
affecting any other key pair.</t> affecting any other key pair.</t>
</li> </li>
<li> <li>
<t>The use of confidentiality in PKI management protocols must be <t>The use of confidentiality in PKI management protocols must be
kept to a minimum in order to ease acceptance in environments kept to a minimum in order to ease acceptance in environments
where strong confidentiality might cause regulatory problems.</t> where strong confidentiality might cause regulatory problems.</t>
</li> </li>
<li> <li>
<t>PKI management protocols must allow the use of different <t>PKI management protocols must allow the use of different
industry-standard cryptographic algorithms, see CMP Algorithms <xref target="R FC9481"/>. industry-standard cryptographic algorithms (see CMP Algorithms <xref target="R FC9481"/>).
This means that any given This means that any given
CA, RA, or end entity may, in principle, use whichever CA, RA, or end entity may, in principle, use whichever
algorithms suit it for its own key pair(s).</t> algorithms suit it for its own key pair(s).</t>
</li> </li>
<li> <li>
<t>PKI management protocols must not preclude the generation of ke y <t>PKI management protocols must not preclude the generation of ke y
pairs by the end entity concerned, by a KGA or by a CA. Key pairs by the end entity concerned, by a KGA, or by a CA. Key
generation may also occur elsewhere, but for the purposes of PKI generation may also occur elsewhere, but for the purposes of PKI
management we can regard key generation as occurring wherever management, we can regard key generation as occurring wherever
the key is first present at an end entity, KGA, or CA.</t> the key is first present at an end entity, KGA, or CA.</t>
</li> </li>
<li> <li>
<t>PKI management protocols must support the publication of <t>PKI management protocols must support the publication of
certificates by the end entity concerned, by an RA, or by a CA. certificates by the end entity concerned, by an RA, or by a CA.
Different implementations and different environments may choose Different implementations and different environments may choose
any of the above approaches.</t> any of the above approaches.</t>
</li> </li>
<li> <li>
<t>PKI management protocols must support the production of <t>PKI management protocols must support the production of
Certificate Revocation Lists (CRLs) by allowing certified end Certificate Revocation Lists (CRLs) by allowing certified end
entities to make requests for the revocation of certificates. entities to make requests for the revocation of certificates.
This must be done in such a way that the denial-of-service This must be done in such a way that the denial-of-service
attacks, which are possible, are not made simpler.</t> attacks, which are possible, are not made simpler.</t>
</li> </li>
<!--[rfced] It is unclear what "off-line file-based" refers to in the
sentence below. Does it refer to "transport mechanisms"?
Original:
PKI management protocols must be usable over a variety of
"transport" mechanisms, specifically including mail, Hypertext
Transfer Protocol (HTTP), Message Queuing Telemetry Transport
(MQTT), Constrained Application Protocol (CoAP), and off-line
file-based.
Perhaps:
PKI management protocols must be usable over a variety of
"transport" mechanisms, specifically including mail, Hypertext
Transfer Protocol (HTTP), Message Queuing Telemetry Transport
(MQTT), Constrained Application Protocol (CoAP), and off-line
file-based transport mechanisms.
-->
<li> <li>
<t>PKI management protocols must be usable over a variety of <t>PKI management protocols must be usable over a variety of
"transport" mechanisms, specifically including mail, Hypertext "transport" mechanisms, specifically including mail, Hypertext
Transfer Protocol (HTTP), Message Queuing Telemetry Transport (MQTT), Transfer Protocol (HTTP), Message Queuing Telemetry Transport (MQTT),
Constrained Application Protocol (CoAP), and off-line file-based.</t> Constrained Application Protocol (CoAP), and off-line file-based.</t>
</li> </li>
<li> <li>
<t>Final authority for certification creation rests with the CA. <t>Final authority for certification creation rests with the CA.
No RA or end entity equipment can assume that any certificate No RA or end entity equipment can assume that any certificate
issued by a CA will contain what was requested; a CA may alter issued by a CA will contain what was requested; a CA may alter
certificate field values or may add, delete, or alter extensions certificate field values or may add, delete, or alter extensions
according to its operating policy. In other words, all PKI according to its operating policy. In other words, all PKI
entities (end-entities, RAs, KGAs, and CAs) must be capable of entities (end entities, RAs, KGAs, and CAs) must be capable of
handling responses to requests for certificates in which the handling responses to requests for certificates in which the
actual certificate issued is different from that requested (for actual certificate issued is different from that requested (for
example, a CA may shorten the validity period requested). Note example, a CA may shorten the validity period requested). Note
that policy may dictate that the CA must not publish or that policy may dictate that the CA must not publish or
otherwise distribute the certificate until the requesting entity otherwise distribute the certificate until the requesting entity
has reviewed and accepted the newly-created certificate or the has reviewed and accepted the newly created certificate or the
POP is completed. In case of publication of the certificate POP is completed. In case of publication of the certificate
(when using indirect POP, see <xref target="sect-8.11"/>) or a precertificate (when using indirect POP, see <xref target="sect-8.11"/>) or a precertificate
in a Certificate Transparency log <xref target="RFC9162"/>, the certificate in a Certificate Transparency log <xref target="RFC9162"/>, the certificate
must be revoked if it was not accepted by the EE or the POP could must be revoked if it was not accepted by the EE or the POP could
not be completed.</t> not be completed.</t>
</li> </li>
<li> <li>
<t>A graceful, scheduled change-over from one non-compromised CA <t>A graceful, scheduled changeover from one non-compromised CA
key pair to the next (CA key update) must be supported (note key pair to the next (CA key update) must be supported (note
that if the CA key is compromised, re-initialization must be that if the CA key is compromised, re-initialization must be
performed for all entities in the domain of that CA). An end performed for all entities in the domain of that CA). An end
entity whose TEE contains the new CA public key (following a CA entity whose TEE contains the new CA public key (following a CA
key update) may also need to be able to verify certificates verifiable key update) may also need to be able to verify certificates verifiable
using the old public key. End entities who directly trust the using the old public key. End entities who directly trust the
old CA key pair may also need to be able to verify certificates signed old CA key pair may also need to be able to verify certificates signed
using the new CA private key (required for situations where the using the new CA private key (required for situations where the
old CA public key is "hardwired" into the end entity's old CA public key is "hardwired" into the end entity's
cryptographic equipment).</t> cryptographic equipment).</t>
skipping to change at line 748 skipping to change at line 754
| | update | | update
| | | |
V | V |
+------+ +------+
| CA-2 | | CA-2 |
+------+ +------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>At a high level, the set of operations for which management <t>At a high level, the set of operations for which management
messages are defined can be grouped as follows.</t> messages are defined can be grouped as follows.</t>
<ol spacing="normal" type="1"><li>
<t>CA establishment: When establishing a new CA, certain steps are <!--[rfced] For the nested lists in Section 3.1.3, we have updated the numbering
required (e.g., production of initial CRLs, export of CA public to letters and converted "Notes" to a hanging list to help with readability.
key).</t> Please review and let us know of any objections.
</li>
<li> Original:
<t>End entity initialization: This includes importing a root CA 1. CA establishment: When establishing a new CA, certain steps are
public key and requesting information about the options supported required (e.g., production of initial CRLs, export of CA public
by a PKI management entity.</t> key).
</li> ...
<li> 1. initial registration/certification: This is the process
<t>Certification: Various operations result in the creation of new whereby an end entity first makes itself known to a CA or RA,
certificates: </t> prior to the CA issuing a certificate or certificates for
<ol spacing="normal" type="1"><li> that end entity.
<t>initial registration/certification: This is the process ...
whereby an end entity first makes itself known to a CA or RA, 1. Note 1. The above definition of "cross-certificate"
prior to the CA issuing a certificate or certificates for aligns with the defined term "CA-certificate" in X.509.
that end entity. The end result of this process (when it is
successful) is that a CA issues a certificate for an end Current:
entity's public key, and returns that certificate to the end 1. CA establishment: When establishing a new CA, certain steps are
entity and/or posts that certificate in a repository. required (e.g., production of initial CRLs, export of CA public
This process may, and typically will, involve multiple key).
"steps", possibly including an initialization of the end ...
entity's equipment. For example, the end entity's equipment a. initial registration/certification: This is the process
must be securely initialized with the public key of a CA, e.g., whereby an end entity first makes itself known to a CA or RA,
using zero-touch methods like Bootstrapping Remote Secure Key prior to the CA issuing a certificate or certificates for
Infrastructure (BRSKI) <xref target="RFC8995"/> or Secure Zero Touch that end entity.
Provisioning (SZTP) <xref target="RFC8572"/>, to ...
be used in validating certificate paths. Furthermore, an end Note 1. The above definition of "cross-certificate"
entity typically needs to be initialized with its own key aligns with the defined term "CA-certificate" in X.509.
pair(s).</t> -->
</li>
<li> <ol spacing="normal" type="1">
<t>key pair update: Every key pair needs to be updated regular <li>CA establishment: When establishing a new CA, certain steps
ly are required (e.g., production of initial CRLs and export of CA
(i.e., replaced with a new key pair), and a new certificate public key).</li>
needs to be issued.</t> <li>End entity initialization: This includes importing a root
</li> CA public key and requesting information about the options
<li> supported by a PKI management entity.</li>
<t>certificate update: As certificates expire, they may be <li><t>Certification: Various operations result in the creation
"refreshed" if nothing relevant in the environment has of new certificates: </t>
changed.</t> <ol spacing="normal" type="a">
</li> <li>initial registration/certification: This is the process
<li> whereby an end entity first makes itself known to a CA or RA,
<t>CA key pair update: As with end entities, CA key pairs need prior to the CA issuing a certificate or certificates for that
to be updated regularly; however, different mechanisms are end entity. The end result of this process (when it is
required.</t> successful) is that a CA issues a certificate for an end
</li> entity's public key and returns that certificate to the end
<li> entity and/or posts that certificate in a repository. This
<t>cross-certification request: One CA requests issuance of a process may, and typically will, involve multiple "steps",
cross-certificate from another CA. For the purposes of this possibly including an initialization of the end entity's
standard, the following terms are defined. A "cross-certificate" is a certif equipment. For example, the end entity's equipment must be
icate securely initialized with the public key of a CA, e.g., using
in which the subject CA and the zero-touch methods like Bootstrapping Remote Secure Key
issuer CA are distinct and SubjectPublicKeyInfo contains a Infrastructure (BRSKI) <xref target="RFC8995"/> or Secure Zero
verification key (i.e., the certificate has been issued for Touch Provisioning (SZTP) <xref target="RFC8572"/>, to be used
the subject CA's signing key pair). When it is necessary to in validating certificate paths. Furthermore, an end entity
distinguish more finely, the following terms may be used: a typically needs to be initialized with its own key
cross-certificate is called an "inter-domain cross-certificate" if the subjec pair(s).</li>
t <li>key pair update: Every key pair needs to be updated
and issuer CAs belong to regularly (i.e., replaced with a new key pair), and a new
different administrative domains; it is called an "intra-domain cross-certifi certificate needs to be issued.</li>
cate" <li>certificate update: As certificates expire, they may be
otherwise.</t> "refreshed" if nothing relevant in the environment has
</li> changed.</li>
</ol> <li>CA key pair update: As with end entities, CA key pairs need
<ul empty="true"> to be updated regularly; however, different mechanisms are
<li> required.</li>
<t>Note 1: The above definition of "cross-certificate" <li><t>cross-certification request: One CA requests issuance of
aligns with the defined term "CA-certificate" in X.509. a
Note that this term is not to be confused with the X.500 cross-certificate from another CA. For the purposes of this
"cACertificate" attribute type, which is unrelated.</t> standard, the following terms are defined. A
</li> "cross-certificate" is a certificate in which the subject CA
</ul> and the issuer CA are distinct and SubjectPublicKeyInfo
<ul empty="true"> contains a verification key (i.e., the certificate has been
<li> issued for the subject CA's signing key pair). When it is
<t>Note 2: In many environments, the term "cross-certificate" necessary to distinguish more finely, the following terms may
, unless further be used: A cross-certificate is called an "inter-domain
qualified, will be cross-certificate" if the subject and issuer CAs belong to
understood to be synonymous with "inter-domain cross-certificate" as defined different administrative domains; it is called an
above.</t> "intra-domain cross-certificate" otherwise.</t>
</li> <ol type="Note %d:">
</ul> <li>The above definition of "cross-certificate"
<ul empty="true"> aligns with the defined term "CA-certificate" in X.509.
<li> Note that this term is not to be confused with the X.500
<t>Note 3: Issuance of cross-certificates may be, but is "cACertificate" attribute type, which is unrelated.</li>
not necessarily, mutual; that is, two CAs may issue <li>In many environments, the term
cross-certificates for each other.</t> "cross-certificate", unless further qualified, will be
</li> understood to be synonymous with "inter-domain
</ul> cross-certificate" as defined above.</li>
<ol spacing="normal" type="1"><li> <li>Issuance of cross-certificates may be, but is
<t>[RFC-Editor: Please fix the enumeration and continue with ' not necessarily, mutual; that is, two CAs may issue
6'.] cross-certificate update: Similar to a normal certificate cross-certificates for each other.</li>
update, but involving a cross-certificate.</t> </ol>
</li> </li>
<li>cross-certificate update: Similar to a normal certificate
update but involving a cross-certificate.</li>
</ol> </ol>
</li> </li>
<li> <li><t>Certificate/CRL discovery operations: Some PKI management
<t>Certificate/CRL discovery operations: Some PKI management operations result in the publication of certificates or CRLs: </t>
operations result in the publication of certificates or CRLs: </t> <ol spacing="normal" type="a">
<ol spacing="normal" type="1"><li> <li>certificate publication: Having gone to the trouble of
<t>certificate publication: Having gone to the trouble of producing a certificate, some means for publishing may be
producing a certificate, some means for publishing may be needed. The "means" defined in PKIX <bcp14>MAY</bcp14>
needed. The "means" defined in PKIX <bcp14>MAY</bcp14> involve the messages involve the messages specified in Sections <xref
specified in Sections <xref format="counter" target="sect-5.3.13"/> to <xref format="counter" target="sect-5.3.13"/> to <xref
format="counter" target="sect-5.3.16"/>, or <bcp14>MAY</bcp14> involve other format="counter" target="sect-5.3.16"/> or <bcp14>MAY</bcp14>
methods (LDAP, for example) as described in <xref target="RFC4511"/> or <xref involve other methods (for example, Lightweight Directory Access
target="RFC2585"/> Protocol (LDAP)) as described in
(the "Operational Protocols" documents of the PKIX <xref target="RFC4511"/> or <xref target="RFC2585"/> (the
series of specifications).</t> "Operational Protocols" documents of the PKIX series of
</li> specifications).</li>
<li> <li>CRL publication: As for certificate publication.</li>
<t>CRL publication: As for certificate publication.</t>
</li>
</ol> </ol>
</li> </li>
<li> <li><t>Recovery operations: Some PKI management operations are
<t>Recovery operations: Some PKI management operations are used wh used when an end entity has "lost" its TEE:</t>
en <ol spacing="normal" type="a">
an end entity has "lost" its TEE: </t> <li>key pair recovery: As an option, user client key
<ol spacing="normal" type="1"><li> materials (e.g., a user's private key used for decryption
<t>key pair recovery: As an option, user client key materials purposes) <bcp14>MAY</bcp14> be backed up by a CA, an RA, or a
(e.g., a user's private key used for decryption purposes) <bcp14>MAY</bcp14> key backup system associated with a CA or RA. If an entity
be backed up by a CA, an RA, or a key backup system needs to recover these backed up key materials (e.g., as a
associated with a CA or RA. If an entity needs to recover result of a forgotten password or a lost key chain file), a
these backed up key materials (e.g., as a result of a protocol exchange may be needed to support such recovery.</li>
forgotten password or a lost key chain file), a protocol
exchange may be needed to support such recovery.</t>
</li>
</ol> </ol>
</li> </li>
<li> <li><t>Revocation operations: Some PKI management operations
<t>Revocation operations: Some PKI management operations result in result in the creation of new CRL entries and/or new CRLs:</t>
the creation <ol spacing="normal" type="a">
of new CRL entries and/or new CRLs: </t> <li>revocation request: An authorized person advises a CA
<ol spacing="normal" type="1"><li> of an abnormal situation requiring certificate revocation.</li>
<t>revocation request: An authorized person advises a CA of an
abnormal situation requiring certificate revocation.</t>
</li>
</ol> </ol>
</li> </li>
<li> <li>TEE operations: Whilst the definition of TEE operations
<t>TEE operations: Whilst the definition of TEE operations (e.g., (e.g., moving a TEE, changing a PIN, etc.) are beyond the scope of
moving a TEE, changing a PIN, etc.) are beyond the scope of this this specification, we do define a PKIMessage (CertRepMessage)
specification, we do define a PKIMessage (CertRepMessage) that that can form the basis of such operations.</li>
can form the basis of such operations.</t>
</li>
</ol> </ol>
<t>Note that on-line protocols are not the only way of implementing th e <t>Note that on-line protocols are not the only way of implementing th e
above operations. For all operations, there are off-line methods of above operations. For all operations, there are off-line methods of
achieving the same result, and this specification does not mandate achieving the same result, and this specification does not mandate
use of on-line protocols. For example, when hardware tokens are use of on-line protocols. For example, when hardware tokens are
used, many of the operations <bcp14>MAY</bcp14> be achieved as part of the physi cal used, many of the operations <bcp14>MAY</bcp14> be achieved as part of the physi cal
token delivery.</t> token delivery.</t>
<t>Later sections define a set of standard messages supporting the abo ve <t>Later sections define a set of standard messages supporting the abo ve
operations. Transfer protocols for conveying these exchanges in operations. Transfer protocols for conveying these exchanges in
various environments (e.g., off-line: file-based, on-line: mail, various environments (e.g., off-line: file-based; on-line: mail,
HTTP <xref target="I-D.ietf-lamps-rfc6712bis"/>, MQTT, and CoAP <xref target="RF HTTP <xref target="RFC9811"/>, MQTT, and CoAP <xref target="RFC9482"/>) are
C9482"/>) are
beyond the scope of this document and must be specified separately. beyond the scope of this document and must be specified separately.
Appropriate transfer protocols <bcp14>MUST</bcp14> be capable of delivering the CMP Appropriate transfer protocols <bcp14>MUST</bcp14> be capable of delivering the CMP
messages reliably.</t> messages reliably.</t>
<t>CMP provides inbuilt integrity protection and authentication. The i nformation <t>CMP provides inbuilt integrity protection and authentication. The i nformation
communicated unencrypted in CMP messages does not contain sensitive communicated unencrypted in CMP messages does not contain sensitive
information endangering the security of the PKI when intercepted. However, information endangering the security of the PKI when intercepted. However,
it might be possible for an eavesdropper to utilize the available information to it might be possible for an eavesdropper to utilize the available information to
gather confidential technical or business critical information. Therefore, users gather confidential technical or business-critical information. Therefore, users
should consider protection of confidentiality on lower levels of the protocol should consider protection of confidentiality on lower levels of the protocol
stack, e.g., by using TLS <xref target="RFC8446"/>, DTLS <xref target="RFC9147"/ >, or IPsec <xref target="RFC7296"/><xref target="RFC4303"/>.</t> stack, e.g., by using TLS <xref target="RFC8446"/>, DTLS <xref target="RFC9147"/ >, or IPsec <xref target="RFC7296"/><xref target="RFC4303"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="sect-4"> <section anchor="sect-4">
<name>Assumptions and Restrictions</name> <name>Assumptions and Restrictions</name>
<section anchor="sect-4.1"> <section anchor="sect-4.1">
<name>End Entity Initialization</name> <name>End Entity Initialization</name>
<t>The first step for an end entity in dealing with PKI management <t>The first step for an end entity in dealing with PKI management
entities is to request information about the PKI functions supported entities is to request information about the PKI functions supported
and to securely acquire a copy of the relevant root CA public key(s).</t> and to securely acquire a copy of the relevant root CA public key(s).</t>
</section> </section>
<section anchor="sect-4.2"> <section anchor="sect-4.2">
<name>Initial Registration/Certification</name> <name>Initial Registration/Certification</name>
<t>There are many schemes that can be used to achieve initial <t>There are many schemes that can be used to achieve initial
registration and certification of end entities. No one method is registration and certification of end entities. No one method is
suitable for all situations due to the range of policies that a CA suitable for all situations due to the range of policies that a CA
may implement and the variation in the types of end entity which can may implement and the variation in the types of end entity that can
occur.</t> occur.</t>
<t>However, we can classify the initial registration/certification <t>However, we can classify the initial registration/certification
schemes that are supported by this specification. Note that the word schemes that are supported by this specification. Note that the word
"initial", above, is crucial: we are dealing with the situation where "initial", above, is crucial: We are dealing with the situation where
the end entity in question has had no previous contact with the PKI, the end entity in question has had no previous contact with the PKI,
except having received the root CA certificate of that PKI by some except having received the root CA certificate of that PKI by some
zero-touch method like BRSKI <xref target="RFC8995"/> and zero-touch method like BRSKI <xref target="RFC8995"/>
<xref target="I-D.ietf-anima-brski-ae"/> or SZTP <xref target="RFC8572"/>. In c <xref target="RFC9733"/> or SZTP <xref target="RFC8572"/>. In case the end
ase the end
entity already possesses certified keys, then some entity already possesses certified keys, then some
simplifications/alternatives are possible.</t> simplifications/alternatives are possible.</t>
<t>Having classified the schemes that are supported by this <t>Having classified the schemes that are supported by this
specification we can then specify some as mandatory and some as specification, we can then specify some as mandatory and some as
optional. The goal is that the mandatory schemes cover a sufficient optional. The goal is that the mandatory schemes cover a sufficient
number of the cases that will arise in real use, whilst the optional number of the cases that will arise in real use, whilst the optional
schemes are available for special cases that arise less frequently. schemes are available for special cases that arise less frequently.
In this way, we achieve a balance between flexibility and ease of In this way, we achieve a balance between flexibility and ease of
implementation.</t> implementation.</t>
<t>Further classification of mandatory and optional schemes addressing <t>Further classification of mandatory and optional schemes addressing
different environments is available, e.g., in <xref target="sect-c"/> and different environments is available, e.g., in Appendices <xref target="sect-c" f
<xref target="sect-d"/> of this specification on managing human user certificate ormat="counter"/> and
s <xref target="sect-d" format="counter"/> of this specification on managing human
user certificates
as well as in the Lightweight CMP Profile <xref target="RFC9483"/> on fully as well as in the Lightweight CMP Profile <xref target="RFC9483"/> on fully
automating certificate management in a machine-to-machine and IoT automating certificate management in a machine-to-machine and Internet of Things
environment. Also industry standards like <xref target="ETSI-3GPP.33.310"/> for (IoT)
environment.
<!--[rfced] May we update the phrasing of "Rail Automation adopted CMP"
to improve readability?
Original:
Also industry standards like [ETSI-3GPP.33.310] for
mobile networks and [UNISIG.Subset-137] for Rail Automation adopted
CMP and have specified a set of mandatory schemes for their use case.
Perhaps:
Also industry standards, like [ETSI-3GPP.33.310] for
mobile networks and [UNISIG.Subset-137] for CMP that has adopted rail
automation, have specified a set of mandatory schemes for their use cases.
-->
Also, industry standards like <xref target="ETSI-3GPP.33.310"/> for
mobile networks and <xref target="UNISIG.Subset-137"/> for Rail Automation adopt ed mobile networks and <xref target="UNISIG.Subset-137"/> for Rail Automation adopt ed
CMP and have specified a set of mandatory schemes for their use case.</t> CMP and have specified a set of mandatory schemes for their use case.</t>
<t>We will now describe the classification of initial <t>We will now describe the classification of initial
registration/certification schemes.</t> registration/certification schemes.</t>
<section anchor="sect-4.2.1"> <section anchor="sect-4.2.1">
<name>Criteria Used</name> <name>Criteria Used</name>
<section anchor="sect-4.2.1.1"> <section anchor="sect-4.2.1.1">
<name>Initiation of Registration/Certification</name> <name>Initiation of Registration/Certification</name>
<t>In terms of the PKI messages that are produced, we can regard the <t>In terms of the PKI messages that are produced, we can regard the
initiation of the initial registration/certification exchanges as initiation of the initial registration/certification exchanges as
occurring wherever the first PKI message relating to the end entity occurring wherever the first PKI message relating to the end entity
is produced. Note that the real-world initiation of the is produced. Note that the real-world initiation of the
registration/certification procedure may occur elsewhere (e.g., a registration/certification procedure may occur elsewhere (e.g., a
personnel department may telephone an RA operator or using zero touch personnel department may telephone an RA operator or use zero touch
methods like BRSKI <xref target="RFC8995"/> or SZTP <xref target="RFC8572"/>).</ t> methods like BRSKI <xref target="RFC8995"/> or SZTP <xref target="RFC8572"/>).</ t>
<t>The possible locations are at the end entity, an RA, or a CA.</t> <t>The possible locations are at the end entity, an RA, or a CA.</t>
</section> </section>
<section anchor="sect-4.2.1.2"> <section anchor="sect-4.2.1.2">
<name>End Entity Message Origin Authentication</name> <name>End Entity Message Origin Authentication</name>
<t>The on-line messages produced by the end entity that requires a <t>The on-line messages produced by the end entity that requires a
certificate may be authenticated or not. The requirement here is to certificate may be authenticated or not. The requirement here is to
authenticate the origin of any messages from the end entity to the authenticate the origin of any messages from the end entity to the
PKI (CA/RA).</t> PKI (CA/RA).</t>
<t>In this specification, such authentication is achieved by two dif ferent means:</t> <t>In this specification, such authentication is achieved by two dif ferent means:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>symmetric: The PKI (CA/RA) issuing the end entity with a secr et value (initial <t>symmetric: The PKI (CA/RA) issuing the end entity with a secr et value (initial
authentication key) and reference value (used to identify the secret value) authentication key) and reference value (used to identify the secret value)
via some out-of-band means. The initial authentication key can then be used via some out-of-band means. The initial authentication key can then be used
to protect relevant PKI messages.</t> to protect relevant PKI messages.</t>
</li> </li>
<li> <li>
<t>asymmetric: Using a private key and certificate issued by ano ther PKI trusted <t>asymmetric: Using a private key and certificate issued by ano ther PKI trusted
for initial authentication, e.g., an IDevID <xref target="IEEE.802.1AR-2018">IEE E 802.1AR</xref>. for initial authentication, e.g., an Initial Device Identifier (IDevID) <xref ta rget="IEEE.802.1AR-2018">IEEE 802.1AR</xref>.
The trust establishment in this external PKI is out of scope of this document.</ t> The trust establishment in this external PKI is out of scope of this document.</ t>
</li> </li>
</ul> </ul>
<t>Thus, we can classify the initial registration/certification sche me <t>Thus, we can classify the initial registration/certification sche me
according to whether or not the on-line 'end entity -&gt; PKI management according to whether or not the on-line 'end entity -&gt; PKI management
entity' messages are authenticated or not.</t> entity' messages are authenticated or not.</t>
<t>Note 1: We do not discuss the authentication of the 'PKI manageme <ol type="Note %d:">
nt <li>We do not discuss the authentication of the 'PKI management
entity -&gt; end entity' messages here, as this is always <bcp14>REQUIRED</bcp14 >. In any case, it can be entity -&gt; end entity' messages here, as this is always <bcp14>REQUIRED</bcp14 >. In any case, it can be
achieved simply once the root-CA public key has been installed at the achieved simply once the root-CA public key has been installed at the
end entity's equipment or it can be based on the initial end entity's equipment or it can be based on the initial
authentication key.</t> authentication key.</li>
<t>Note 2: An initial registration/certification procedure can be se <li>An initial registration/certification procedure can be secure
cure
where the messages from the end entity are authenticated via some where the messages from the end entity are authenticated via some
out-of-band means (e.g., a subsequent visit).</t> out-of-band means (e.g., a subsequent visit).</li>
</ol>
</section> </section>
<section anchor="sect-4.2.1.3"> <section anchor="sect-4.2.1.3">
<name>Location of Key Generation</name> <name>Location of Key Generation</name>
<t>In this specification, "key generation" is regarded as occurring <t>In this specification, "key generation" is regarded as occurring
wherever either the public or private component of a key pair first wherever either the public or private component of a key pair first
occurs in a PKIMessage. Note that this does not preclude a occurs in a PKIMessage. Note that this does not preclude a
centralized key generation service by a KGA; the actual key pair <bcp14>MAY</bcp 14> have centralized key generation service by a KGA; the actual key pair <bcp14>MAY</bcp 14> have
been been
generated elsewhere and transported to the end entity, RA, or CA generated elsewhere and transported to the end entity, RA, or CA
using a (proprietary or standardized) key generation request/response using a (proprietary or standardized) key generation request/response
skipping to change at line 1026 skipping to change at line 1051
symmetric or asymmetric authentication key or other means).</t> symmetric or asymmetric authentication key or other means).</t>
<t>This gives two further possibilities: confirmed or not.</t> <t>This gives two further possibilities: confirmed or not.</t>
</section> </section>
</section> </section>
<section anchor="sect-4.2.2"> <section anchor="sect-4.2.2">
<name>Initial Registration/Certification Schemes</name> <name>Initial Registration/Certification Schemes</name>
<t>The criteria above allow for a large number of initial <t>The criteria above allow for a large number of initial
registration/certification schemes. Examples of possible initial registration/certification schemes. Examples of possible initial
registration/certification schemes can be found in the following registration/certification schemes can be found in the following
subsections. An entity may support other schemes specified in subsections. An entity may support other schemes specified in
profiles of PKIX-CMP, such as <xref target="sect-c"/> and <xref target="sect-d"/ > or <xref target="RFC9483"/>.</t> profiles of PKIX-CMP, such as Appendices <xref target="sect-c" format="counter"/ > and <xref target="sect-d" format="counter"/> or <xref target="RFC9483"/>.</t>
<section anchor="sect-4.2.2.1"> <section anchor="sect-4.2.2.1">
<name>Centralized Scheme</name> <name>Centralized Scheme</name>
<t>In terms of the classification above, this scheme is, in some way s, <t>In terms of the classification above, this scheme is, in some way s,
the simplest possible, where:</t> the simplest possible, where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>initiation occurs at the certifying CA;</t> <t>initiation occurs at the certifying CA;</t>
</li> </li>
<li> <li>
<t>no on-line message authentication is required;</t> <t>no on-line message authentication is required;</t>
</li> </li>
<li> <li>
<t>"key generation" occurs at the certifying CA (see <xref targe t="sect-4.2.1.3"/>);</t> <t>"key generation" occurs at the certifying CA (see <xref targe t="sect-4.2.1.3"/>); and</t>
</li> </li>
<li> <li>
<t>no confirmation message is required.</t> <t>no confirmation message is required.</t>
</li> </li>
</ul> </ul>
<t>In terms of message flow, this scheme means that the only message <t>In terms of message flow, this scheme means that the only message
required is sent from the CA to the end entity. The message must required is sent from the CA to the end entity. The message must
contain the entire TEE for the end entity. Some out-of-band means contain the entire TEE for the end entity. Some out-of-band means
must be provided to allow the end entity to authenticate the message must be provided to allow the end entity to authenticate the message
received and to decrypt any encrypted values.</t> received and to decrypt any encrypted values.</t>
skipping to change at line 1062 skipping to change at line 1087
<name>Basic Authenticated Scheme</name> <name>Basic Authenticated Scheme</name>
<t>In terms of the classification above, this scheme is where:</t> <t>In terms of the classification above, this scheme is where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>initiation occurs at the end entity;</t> <t>initiation occurs at the end entity;</t>
</li> </li>
<li> <li>
<t>message authentication is required;</t> <t>message authentication is required;</t>
</li> </li>
<li> <li>
<t>"key generation" occurs at the end entity (see <xref target=" sect-4.2.1.3"/>);</t> <t>"key generation" occurs at the end entity (see <xref target=" sect-4.2.1.3"/>); and</t>
</li> </li>
<li> <li>
<t>a confirmation message is recommended.</t> <t>a confirmation message is recommended.</t>
</li> </li>
</ul> </ul>
<t>Note: An Initial Authentication Key (IAK) can be either a symmetr ic key or <t>Note: An Initial Authentication Key (IAK) can be either a symmetr ic key or
an asymmetric private key with a certificate issued by another PKI trusted an asymmetric private key with a certificate issued by another PKI trusted
for this purpose. The establishment of such trust is out of scope of this for this purpose. The establishment of such trust is out of scope of this
document.</t> document.</t>
<!--[rfced] We have removed the following from the figure in Section 4.2.2.2 bec
ause it is repetitive with the text introducing the figure. However, please rev
iew, as it seems like some of the blank space can also be removed from the SVG.
Original:
In terms of message flow, the basic authenticated scheme is as
follows:
-->
<t>In terms of message flow, the basic authenticated scheme is as
follows:</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" versio n="1.1" height="384" width="552" viewBox="0 0 552 384" class="diagram" text-anch or="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" versio n="1.1" height="384" width="552" viewBox="0 0 552 384" class="diagram" text-anch or="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 24,94 L 96,94" fill="none" stroke="black"/> <path d="M 24,94 L 96,94" fill="none" stroke="black"/>
<path d="M 24,98 L 96,98" fill="none" stroke="black"/> <path d="M 24,98 L 96,98" fill="none" stroke="black"/>
<path d="M 408,94 L 504,94" fill="none" stroke="black"/> <path d="M 408,94 L 504,94" fill="none" stroke="black"/>
<path d="M 408,98 L 504,98" fill="none" stroke="black"/> <path d="M 408,98 L 504,98" fill="none" stroke="black"/>
<path d="M 136,192 L 176,192" fill="none" stroke="black"/> <path d="M 136,192 L 176,192" fill="none" stroke="black"/>
<path d="M 368,192 L 408,192" fill="none" stroke="black"/> <path d="M 368,192 L 408,192" fill="none" stroke="black"/>
<path d="M 136,256 L 176,256" fill="none" stroke="black"/> <path d="M 136,256 L 176,256" fill="none" stroke="black"/>
<path d="M 376,256 L 416,256" fill="none" stroke="black"/> <path d="M 376,256 L 416,256" fill="none" stroke="black"/>
skipping to change at line 1095 skipping to change at line 1131
<path d="M 376,352 L 416,352" fill="none" stroke="black"/> <path d="M 376,352 L 416,352" fill="none" stroke="black"/>
<polygon class="arrowhead" points="424,304 412,298.4 412,309.6 " fill="black" transform="rotate(0,416,304)"/> <polygon class="arrowhead" points="424,304 412,298.4 412,309.6 " fill="black" transform="rotate(0,416,304)"/>
<polygon class="arrowhead" points="416,192 404,186.4 404,197.6 " fill="black" transform="rotate(0,408,192)"/> <polygon class="arrowhead" points="416,192 404,186.4 404,197.6 " fill="black" transform="rotate(0,408,192)"/>
<polygon class="arrowhead" points="384,352 372,346.4 372,357.6 " fill="black" transform="rotate(180,376,352)"/> <polygon class="arrowhead" points="384,352 372,346.4 372,357.6 " fill="black" transform="rotate(180,376,352)"/>
<polygon class="arrowhead" points="384,256 372,250.4 372,261.6 " fill="black" transform="rotate(180,376,256)"/> <polygon class="arrowhead" points="384,256 372,250.4 372,261.6 " fill="black" transform="rotate(180,376,256)"/>
<polygon class="arrowhead" points="184,304 172,298.4 172,309.6 " fill="black" transform="rotate(0,176,304)"/> <polygon class="arrowhead" points="184,304 172,298.4 172,309.6 " fill="black" transform="rotate(0,176,304)"/>
<polygon class="arrowhead" points="184,192 172,186.4 172,197.6 " fill="black" transform="rotate(0,176,192)"/> <polygon class="arrowhead" points="184,192 172,186.4 172,197.6 " fill="black" transform="rotate(0,176,192)"/>
<polygon class="arrowhead" points="144,352 132,346.4 132,357.6 " fill="black" transform="rotate(180,136,352)"/> <polygon class="arrowhead" points="144,352 132,346.4 132,357.6 " fill="black" transform="rotate(180,136,352)"/>
<polygon class="arrowhead" points="144,256 132,250.4 132,261.6 " fill="black" transform="rotate(180,136,256)"/> <polygon class="arrowhead" points="144,256 132,250.4 132,261.6 " fill="black" transform="rotate(180,136,256)"/>
<g class="text"> <g class="text">
<text x="12" y="36">In</text>
<text x="48" y="36">terms</text>
<text x="84" y="36">of</text>
<text x="128" y="36">message</text>
<text x="184" y="36">flow,</text>
<text x="224" y="36">the</text>
<text x="264" y="36">basic</text>
<text x="344" y="36">authenticated</text>
<text x="428" y="36">scheme</text>
<text x="468" y="36">is</text>
<text x="492" y="36">as</text>
<text x="36" y="52">follows:</text>
<text x="32" y="84">End</text> <text x="32" y="84">End</text>
<text x="76" y="84">entity</text> <text x="76" y="84">entity</text>
<text x="456" y="84">RA/CA</text> <text x="456" y="84">RA/CA</text>
<text x="104" y="116">out-of-band</text> <text x="104" y="116">out-of-band</text>
<text x="204" y="116">distribution</text> <text x="204" y="116">distribution</text>
<text x="268" y="116">of</text> <text x="268" y="116">of</text>
<text x="312" y="116">Initial</text> <text x="312" y="116">Initial</text>
<text x="404" y="116">Authentication</text> <text x="404" y="116">Authentication</text>
<text x="72" y="132">Key</text> <text x="72" y="132">Key</text>
<text x="112" y="132">(IAK)</text> <text x="112" y="132">(IAK)</text>
skipping to change at line 1163 skipping to change at line 1187
<text x="484" y="340">response</text> <text x="484" y="340">response</text>
<text x="204" y="356">conf</text> <text x="204" y="356">conf</text>
<text x="240" y="356">ack</text> <text x="240" y="356">ack</text>
<text x="300" y="356">(optional)</text> <text x="300" y="356">(optional)</text>
<text x="44" y="372">handle</text> <text x="44" y="372">handle</text>
<text x="108" y="372">response</text> <text x="108" y="372">response</text>
</g> </g>
</svg> </svg>
</artwork> </artwork>
<artwork type="ascii-art"><![CDATA[ <artwork type="ascii-art"><![CDATA[
In terms of message flow, the basic authenticated scheme is as
follows:
End entity RA/CA End entity RA/CA
========== ============= ========== =============
out-of-band distribution of Initial Authentication out-of-band distribution of Initial Authentication
Key (IAK) and reference value (RA/CA -> EE) Key (IAK) and reference value (RA/CA -> EE)
Key generation Key generation
Creation of certification request Creation of certification request
Protect request with IAK Protect request with IAK
-----> certification request -----> -----> certification request ----->
verify request verify request
process request process request
skipping to change at line 1215 skipping to change at line 1236
enforce POP (e.g., out-of-band procedural means versus PKIX-CMP enforce POP (e.g., out-of-band procedural means versus PKIX-CMP
in-band messages) in its certification exchanges (i.e., this may be a in-band messages) in its certification exchanges (i.e., this may be a
policy issue). However, it is <bcp14>REQUIRED</bcp14> that CAs/RAs <bcp14>MUST< /bcp14> enforce POP policy issue). However, it is <bcp14>REQUIRED</bcp14> that CAs/RAs <bcp14>MUST< /bcp14> enforce POP
by some means because there are currently many non-PKIX operational by some means because there are currently many non-PKIX operational
protocols in use (various electronic mail protocols are one example) protocols in use (various electronic mail protocols are one example)
that do not explicitly check the binding between the end entity and that do not explicitly check the binding between the end entity and
the private key. Until operational protocols that do verify the the private key. Until operational protocols that do verify the
binding (for signature, encryption, key agreement, and KEM key pairs) binding (for signature, encryption, key agreement, and KEM key pairs)
exist, and are ubiquitous, this binding can only be assumed to have exist, and are ubiquitous, this binding can only be assumed to have
been verified by the CA/RA. Therefore, if the binding is not been verified by the CA/RA. Therefore, if the binding is not
verified by the CA/RA, certificates in the Internet Public-Key verified by the CA/RA, certificates in the Internet Public Key
Infrastructure end up being somewhat less meaningful.</t> Infrastructure end up being somewhat less meaningful.</t>
<t>POP is accomplished in different ways depending upon the type of key <t>POP is accomplished in different ways depending upon the type of key
for which a certificate is requested. If a key can be used for for which a certificate is requested. If a key can be used for
multiple purposes (e.g., an RSA key) then any appropriate method <bcp14>MAY</bcp 14> multiple purposes (e.g., an RSA key), then any appropriate method <bcp14>MAY</bc p14>
be used (e.g., a key that may be used for signing, as well as other be used (e.g., a key that may be used for signing, as well as other
purposes, <bcp14>MUST NOT</bcp14> be sent to the CA/RA in order to prove purposes, <bcp14>MUST NOT</bcp14> be sent to the CA/RA in order to prove
possession unless archival of the private key is explicitly desired).</t> possession unless archival of the private key is explicitly desired).</t>
<t>This specification explicitly allows for cases where an end entity <t>This specification explicitly allows for cases where an end entity
supplies the relevant proof to an RA and the RA subsequently attests supplies the relevant proof to an RA and the RA subsequently attests
to the CA that the required proof has been received (and validated!). to the CA that the required proof has been received (and validated!).
For example, an end entity wishing to have a signing key certified For example, an end entity wishing to have a signing key certified
could send the appropriate signature to the RA, which then simply could send the appropriate signature to the RA, which then simply
notifies the relevant CA that the end entity has supplied the notifies the relevant CA that the end entity has supplied the
required proof. Of course, such a situation may be disallowed by required proof. Of course, such a situation may be disallowed by
some policies (e.g., CAs may be the only entities permitted to verify some policies (e.g., CAs may be the only entities permitted to verify
POP during certification).</t> POP during certification).</t>
<section anchor="sect-4.3.1"> <section anchor="sect-4.3.1">
<name>Signature Keys</name> <name>Signature Keys</name>
<t>For signature keys, the end entity can sign a value to prove <t>For signature keys, the end entity can sign a value to prove
possession of the private key, see <xref target="sect-5.2.8.2"/>.</t> possession of the private key; see <xref target="sect-5.2.8.2"/>.</t>
</section> </section>
<section anchor="sect-4.3.2"> <section anchor="sect-4.3.2">
<name>Encryption Keys</name> <name>Encryption Keys</name>
<t>For encryption keys, the end entity can provide the private key to <t>For encryption keys, the end entity can provide the private key to
the CA/RA (e.g., for archiving), see <xref target="sect-5.2.8.3.1"/>, or can be required to decrypt a value in order to prove the CA/RA (e.g., for archiving), see <xref target="sect-5.2.8.3.1"/>, or can be required to decrypt a value in order to prove
possession of the private key. Decrypting a possession of the private key. Decrypting a
value can be achieved either directly (see <xref target="sect-5.2.8.3.3"/>) or i ndirectly (see <xref target="sect-5.2.8.3.2"/>).</t> value can be achieved either directly (see <xref target="sect-5.2.8.3.3"/>) or i ndirectly (see <xref target="sect-5.2.8.3.2"/>).</t>
<t>The direct method is for the RA/CA to issue a random challenge to <t>The direct method is for the RA/CA to issue a random challenge to
which an immediate response by the EE is required.</t> which an immediate response by the EE is required.</t>
<t>The indirect method is to issue a certificate that is encrypted for <t>The indirect method is to issue a certificate that is encrypted for
skipping to change at line 1261 skipping to change at line 1282
requires no extra messages to be sent (i.e., the proof can be requires no extra messages to be sent (i.e., the proof can be
demonstrated using the {request, response, confirmation} triple of demonstrated using the {request, response, confirmation} triple of
messages).</t> messages).</t>
</section> </section>
<section anchor="sect-4.3.3"> <section anchor="sect-4.3.3">
<name>Key Agreement Keys</name> <name>Key Agreement Keys</name>
<t>For key agreement keys, the end entity and the PKI management entit y <t>For key agreement keys, the end entity and the PKI management entit y
(i.e., CA or RA) must establish a shared secret key in order to prove (i.e., CA or RA) must establish a shared secret key in order to prove
that the end entity has possession of the private key.</t> that the end entity has possession of the private key.</t>
<t>Note that this need not impose any restrictions on the keys that ca n <t>Note that this need not impose any restrictions on the keys that ca n
be certified by a given CA. In particular, for Diffie-Hellman keys be certified by a given CA. In particular, for Diffie-Hellman keys,
the end entity may freely choose its algorithm parameters provided the end entity may freely choose its algorithm parameters provided
that the CA can generate a short-term (or one-time) key pair with the that the CA can generate a short-term (or one-time) key pair with the
appropriate parameters when necessary.</t> appropriate parameters when necessary.</t>
</section> </section>
<section anchor="sect-4.3.4"> <section anchor="sect-4.3.4">
<name>Key Encapsulation Mechanism Keys</name> <name>Key Encapsulation Mechanism Keys</name>
<t>For key encapsulation mechanism (KEM) keys, the end entity can prov ide the private key to <t>For key encapsulation mechanism (KEM) keys, the end entity can prov ide the private key to
the CA/RA (e.g., for archiving), see <xref target="sect-5.2.8.3.1"/>, or can be required to decrypt the CA/RA (e.g., for archiving), see <xref target="sect-5.2.8.3.1"/>, or can be required to decrypt
a value in order to prove possession of the private key. a value in order to prove possession of the private key.
Decrypting a value can be achieved either directly (see <xref target="sect-5.2.8 .3.3"/>) or indirectly (see <xref target="sect-5.2.8.3.2"/>).</t> Decrypting a value can be achieved either directly (see <xref target="sect-5.2.8 .3.3"/>) or indirectly (see <xref target="sect-5.2.8.3.2"/>).</t>
<t>Note: A definition of key encapsulation mechanisms can be found in <xref section="1" sectionFormat="comma" target="RFC9629"/>.</t> <t>Note: A definition of key encapsulation mechanisms can be found in <xref section="1" sectionFormat="of" target="RFC9629"/>.</t>
<t>The direct method is for the RA/CA to issue a random challenge to w hich an <t>The direct method is for the RA/CA to issue a random challenge to w hich an
immediate response by the EE is required.</t> immediate response by the EE is required.</t>
<t>The indirect method is to issue a certificate that is encrypted for the end entity using a shared secret key derived from a key encapsulated using the public key (and have the end entity demonstrate its ability to use its priva te key for decapsulation of the KEM ciphertext, derive the shared secret key, de crypt this certificate, and provide a hash of the certificate in the confirmatio n message). This allows a CA to issue a certificate in a form that can only be used by the intended end entity.</t> <t>The indirect method is to issue a certificate that is encrypted for the end entity using a shared secret key derived from a key encapsulated using the public key (and have the end entity demonstrate its ability to use its priva te key for decapsulation of the KEM ciphertext, derive the shared secret key, de crypt this certificate, and provide a hash of the certificate in the confirmatio n message). This allows a CA to issue a certificate in a form that can only be used by the intended end entity.</t>
<t>This specification encourages use of the indirect method because it requires <t>This specification encourages use of the indirect method because it requires
no extra messages to be sent (i.e., the proof can be demonstrated using the no extra messages to be sent (i.e., the proof can be demonstrated using the
{request, response, confirmation} triple of messages).</t> {request, response, confirmation} triple of messages).</t>
<t>A certification request message for a KEM certificate <bcp14>SHALL< /bcp14> use POPOPrivKey by using the keyEncipherment choice of ProofOfPossession , see <xref target="sect-5.2.8"/>, in the popo field of CertReqMsg as long as no KEM-specific choice is available.</t> <t>A certification request message for a KEM certificate <bcp14>SHALL< /bcp14> use POPOPrivKey by using the keyEncipherment choice of ProofOfPossession (see <xref target="sect-5.2.8"/>) in the popo field of CertReqMsg as long as no KEM-specific choice is available.</t>
</section> </section>
</section> </section>
<section anchor="sect-4.4"> <section anchor="sect-4.4">
<name>Root CA Key Update</name> <name>Root CA Key Update</name>
<t>This discussion only applies to CAs that are directly trusted by some <t>This discussion only applies to CAs that are directly trusted by some
end entities. Recognizing whether a self-signed or non-self-signed end entities. Recognizing whether a self-signed or non-self-signed
CA is supposed to be directly trusted for some end entities is a CA is supposed to be directly trusted for some end entities is a
matter of CA policy and end entity configuration. This is thus beyond matter of CA policy and end entity configuration. Thus, this is beyond
the scope of this document.</t> the scope of this document.</t>
<t>The basis of the procedure described here is that the CA protects its <t>The basis of the procedure described here is that the CA protects its
new public key using its previous private key and vice versa. Thus, new public key using its previous private key and vice versa. Thus,
when a CA updates its key pair it may generate two link certificates when a CA updates its key pair, it may generate two link certificates:
"old with new" and "new with old".</t> "old with new" and "new with old".</t>
<t>Note: The usage of link certificates has been shown to be very use <t>Note: The usage of link certificates has been shown to be very
case specific and no assumptions are done on this aspect. specific for each use case, and no assumptions are done on this aspect.
RootCaKeyUpdateContent is updated to specify these link certificates RootCaKeyUpdateContent is updated to specify these link certificates
as optional.</t> as optional.</t>
<t>Note: When an LDAP directory is used to publish root CA updates, the <t>Note: When an LDAP directory is used to publish root CA updates, the
old and new root CA certificates together with the two link old and new root CA certificates together with the two link
certificates are stored as cACertificate attribute values.</t> certificates are stored as cACertificate attribute values.</t>
<t>When a CA changes its key pair, those entities who have acquired the <t>When a CA changes its key pair, those entities who have acquired the
old CA public key via "out-of-band" means are most affected. These old CA public key via "out-of-band" means are most affected. These
end entities need to acquire the new CA public key in a trusted way. end entities need to acquire the new CA public key in a trusted way.
This may be achieved "out-of-band", by using a repository, or by This may be achieved "out-of-band" by using a repository or by
using online messages also containing the link certificates using online messages also containing the link certificates
"new with old". Once the end entity acquired and properly verified "new with old". Once the end entity acquired and properly verified
the new CA public key, it must load the new trust anchor information the new CA public key, it must load the new trust anchor information
into its trusted store.</t> into its trusted store.</t>
<t>The data structure used to protect the new and old CA public keys is <t>The data structure used to protect the new and old CA public keys is
typically a standard X.509 v3 certificate (which may also typically a standard X.509 v3 certificate (which may also
contain extensions). There are no new data structures required.</t> contain extensions). There are no new data structures required.</t>
<t>Note: Sometimes self-signed root CA certificates do not make use of <t>Note: Sometimes self-signed root CA certificates do not make use of
X.509 v3 extensions and may be X.509 v1 certificates. Therefore, a X.509 v3 extensions and may be X.509 v1 certificates. Therefore, a
root CA key update must be able to work for version 1 certificates. root CA key update must be able to work for version 1 certificates.
skipping to change at line 1330 skipping to change at line 1351
the validity periods of certificates issued with the old CA key pair the validity periods of certificates issued with the old CA key pair
cannot exceed the end of the "old with new" certificate validity cannot exceed the end of the "old with new" certificate validity
period.</t> period.</t>
<t>Note: This scheme offers a mechanism to ensures that end entities <t>Note: This scheme offers a mechanism to ensures that end entities
will acquire the new CA public key, at the latest by the expiry of will acquire the new CA public key, at the latest by the expiry of
the last certificate they owned that was signed with the old CA the last certificate they owned that was signed with the old CA
private key. Certificate and/or key update operations occurring at private key. Certificate and/or key update operations occurring at
other times do not necessarily require this (depending on the end other times do not necessarily require this (depending on the end
entity's equipment).</t> entity's equipment).</t>
<t>Note: In practice, a new root CA may have a slightly different subje ct <t>Note: In practice, a new root CA may have a slightly different subje ct
DN, e.g., indicating a generation identifier like the year of issuance or Distinguished Name (DN), e.g., indicating a generation identifier like the year
a version number, for instance in an OU element. How to bridge trust to of issuance or
a version number, for instance, in an Organizational Unit (OU) element. How to
bridge trust to
the new root CA certificate in a CA DN change or a cross-certificate scenario the new root CA certificate in a CA DN change or a cross-certificate scenario
is out of scope for this document.</t> is out of scope for this document.</t>
<section anchor="sect-4.4.1"> <section anchor="sect-4.4.1">
<name>CA Operator Actions</name> <name>CA Operator Actions</name>
<t>To change the key of the CA, the CA operator does the following:</t > <t>To change the key of the CA, the CA operator does the following:</t >
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>Generate a new key pair.</t> <t>Generate a new key pair.</t>
</li> </li>
<li> <li>
<t>Create a certificate containing the new CA public key signed wi th <t>Create a certificate containing the new CA public key signed wi th
skipping to change at line 1378 skipping to change at line 1399
time that is before the notAfter time of the "old with old" certificate and time that is before the notAfter time of the "old with old" certificate and
a notAfter time that is after the notBefore time of the next update of this a notAfter time that is after the notBefore time of the next update of this
certificate.</t> certificate.</t>
<t>The "new with old" certificate must have a validity period with the same <t>The "new with old" certificate must have a validity period with the same
notBefore time as the "new with new" certificate and a notAfter time by which notBefore time as the "new with new" certificate and a notAfter time by which
all end entities of this CA will securely possess the new CA public key (at all end entities of this CA will securely possess the new CA public key (at
the latest, at the notAfter time of the "old with old" certificate).</t> the latest, at the notAfter time of the "old with old" certificate).</t>
<t>The "old with new" certificate must have a validity period with the same <t>The "old with new" certificate must have a validity period with the same
notBefore and notAfter time as the "old with old" certificate.</t> notBefore and notAfter time as the "old with old" certificate.</t>
<t>Note: Further operational considerations on transition from one ro ot CA <t>Note: Further operational considerations on transition from one ro ot CA
self-signed certificate to the next is available in <xref target="RFC8649">RFC 8 649 Section 5</xref>.</t> self-signed certificate to the next is available in <xref section="5" target="RF C8649"/>.</t>
</section> </section>
<section anchor="sect-4.4.2"> <section anchor="sect-4.4.2">
<name>Verifying Certificates</name> <name>Verifying Certificates</name>
<t>Normally when verifying a signature, the verifier verifies (among <t>Normally when verifying a signature, the verifier verifies (among
other things) the certificate containing the public key of the other things) the certificate containing the public key of the
signer. However, once a CA is allowed to update its key there are a signer. However, once a CA is allowed to update its key, there are a
range of new possibilities. These are shown in the table below.</t> range of new possibilities. These are shown in the table below.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left"> </th> <th align="left"/>
<th align="left">Verifier's TEE contains NEW public key</th> <th align="left">Verifier's TEE contains NEW public key</th>
<th align="left">Verifier's TEE contains OLD public key</th> <th align="left">Verifier's TEE contains OLD public key</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">Signer's certificate is protected using NEW key pair</td> <th align="left">Signer's certificate is protected using NEW key pair</th>
<td align="left">Case 1: The verifier can directly verify the ce rtificate.</td> <td align="left">Case 1: The verifier can directly verify the ce rtificate.</td>
<td align="left">Case 2: The verifier is missing the NEW public key.</td> <td align="left">Case 2: The verifier is missing the NEW public key.</td>
</tr> </tr>
<tr> <tr>
<td align="left">Signer's certificate is protected using OLD key pair</td> <th align="left">Signer's certificate is protected using OLD key pair</th>
<td align="left">Case 3: The verifier is missing the OLD public key.</td> <td align="left">Case 3: The verifier is missing the OLD public key.</td>
<td align="left">Case 4: The verifier can directly verify the ce rtificate.</td> <td align="left">Case 4: The verifier can directly verify the ce rtificate.</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<section anchor="sect-4.4.2.1"> <section anchor="sect-4.4.2.1">
<name>Verification in Cases 1 and 4</name> <name>Verification in Cases 1 and 4</name>
<t>In these cases, the verifier has a local copy of the CA public ke y <t>In these cases, the verifier has a local copy of the CA public ke y
that can be used to verify the certificate directly. This is the that can be used to verify the certificate directly. This is the
same as the situation where no key change has occurred.</t> same as the situation where no key change has occurred.</t>
</section> </section>
<section anchor="sect-4.4.2.2"> <section anchor="sect-4.4.2.2">
<name>Verification in Case 2</name> <name>Verification in Case 2</name>
<t>In case 2, the verifier must get access to the new public key of the <t>In case 2, the verifier must get access to the new public key of the
CA. Case 2 will arise when the CA operator has issued the verifier's CA. Case 2 will arise when the CA operator has issued the verifier's
certificate, then changed the CA's key, and then issued the signer's certificate, then changed the CA's key, and then issued the signer's
certificate; so it is quite a typical case.</t> certificate; so it is quite a typical case.</t>
<t>The verifier does the following:</t> <t>The verifier does the following:</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>Get the "new with new" and "new with old" certificates. The <t>Get the "new with new" and "new with old" certificates. The
location to retrieve theses certificates from, may be available in location of where to retrieve these certificates may be available in
the authority information access extension of the "old with old" the authority information access extension of the "old with old"
certificate, see caIssuers access method in Section 4.2.2.1 of certificate (see the access method for caIssuers in <xref section="4.2.2.1" ta
<xref target="RFC5280"/>, or it may be locally configured. </t> rget="RFC5280"/>), or it may be locally configured. </t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="a"><li>
<t>If a repository is available, look up the certificates in the <t>If a repository is available, look up the certificates in the
caCertificate attribute.</t> caCertificate attribute.</t>
</li> </li>
<li> <li>
<t>If a HTTP or FTP server is available, pick the certificat es <t>If an HTTP or FTP server is available, pick the certifica tes
from the "certs-only" CMS message.</t> from the "certs-only" CMS message.</t>
</li> </li>
<li> <li>
<t>If a CMP server is available, request the certificates us ing <t>If a CMP server is available, request the certificates us ing
the root CA update general message, see <xref target="sect-5.3.19.15"/>.</t> the root CA update the general message (see <xref target="sect-5.3.19.15"/>). </t>
</li> </li>
<li> <li>
<t>Otherwise, get the certificates "out-of-band" using any <t>Otherwise, get the certificates "out-of-band" using any
trustworthy mechanism.</t> trustworthy mechanism.</t>
</li> </li>
</ol> </ol>
</li> </li>
<li> <li>
<t>If received the certificates, check that the validity periods <t>If the certificates are received, check that the validity per iods
and the subject and issuer fields match. Verify the signatures and the subject and issuer fields match. Verify the signatures
using the old root CA key (which the verifier has locally).</t> using the old root CA key (which the verifier has locally).</t>
</li> </li>
<li> <li>
<t>If all checks were successful, securely store the new trust a nchor <t>If all checks are successful, securely store the new trust an chor
information and validate the signer's certificate.</t> information and validate the signer's certificate.</t>
</li> </li>
</ol> </ol>
</section> </section>
<section anchor="sect-4.4.2.3"> <section anchor="sect-4.4.2.3">
<name>Verification in Case 3</name> <name>Verification in Case 3</name>
<t>In case 3, the verifier must get access to the old public key of the <t>In case 3, the verifier must get access to the old public key of the
CA. Case 3 will arise when the CA operator has issued the signer's CA. Case 3 will arise when the CA operator has issued the signer's
certificate, then changed the key, and then issued the verifier's certificate, then changed the key, and then issued the verifier's
certificate.</t> certificate.</t>
<t>The verifier does the following:</t> <t>The verifier does the following:</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>Get the "old with new" certificate. The location to retrieve <t>Get the "old with new" certificate. The location of where to
theses certificates from, may be available in the authority retrieve
information access extension of the "new with new" certificate, see these certificates may be available in the authority
caIssuers access method in Section 4.2.2.1 of <xref target="RFC5280"/>, or it information access extension of the "new with new" certificate (see
caIssuers access method in <xref section="4.2.2.1" target="RFC5280"/>), or it
may be locally configured. </t> may be locally configured. </t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="a"><li>
<t>If a repository is available, look up the certificate in the <t>If a repository is available, look up the certificate in the
caCertificate attribute.</t> caCertificate attribute.</t>
</li> </li>
<li> <li>
<t>If a HTTP or FTP server is available, pick the certificat e <t>If an HTTP or FTP server is available, pick the certifica te
from the "certs-only" CMS message.</t> from the "certs-only" CMS message.</t>
</li> </li>
<li> <li>
<t>If a CMP server and an untrusted copy of the old root CA <t>If a CMP server and an untrusted copy of the old root CA
certificate is available (e.g., the signer provided it in-band certificate are available (e.g., the signer provided it in-band
in the CMP extraCerts filed), request the certificate using the in the CMP extraCerts filed), request the certificate using the
root CA update general message, see <xref target="sect-5.3.19.15"/>.</t> root CA update the general message (see <xref target="sect-5.3.19.15"/>).</t>
</li> </li>
<li> <li>
<t>Otherwise, get the certificate "out-of-band" using any <t>Otherwise, get the certificate "out-of-band" using any
trustworthy mechanism.</t> trustworthy mechanism.</t>
</li> </li>
</ol> </ol>
</li> </li>
<li> <li>
<t>If received the certificate, check that the validity periods <t>If the certificate is received, check that the validity perio ds
and the subject and issuer fields match. Verify the signatures and the subject and issuer fields match. Verify the signatures
using the new root CA key (which the verifier has locally).</t> using the new root CA key (which the verifier has locally).</t>
</li> </li>
<li> <li>
<t>If all checks were successful, securely store the old trust a nchor <t>If all checks were successful, securely store the old trust a nchor
information and validate the signer's certificate.</t> information and validate the signer's certificate.</t>
</li> </li>
</ol> </ol>
</section> </section>
</section> </section>
<section anchor="sect-4.4.3"> <section anchor="sect-4.4.3">
<name>Revocation - Change of CA Key</name> <name>Revocation - Change of the CA Key</name>
<t>As we saw above, the verification of a certificate becomes more <t>As we saw above, the verification of a certificate becomes more
complex once the CA is allowed to change its key. This is also true complex once the CA is allowed to change its key. This is also true
for revocation checks as the CA may have signed the CRL using a newer for revocation checks, as the CA may have signed the CRL using a newer
private key than the one within the user's TEE.</t> private key than the one within the user's TEE.</t>
<t>The analysis of the alternatives is the same as for certificate <t>The analysis of the alternatives is the same as for certificate
verification.</t> verification.</t>
</section> </section>
</section> </section>
<section anchor="sect-4.5"> <section anchor="sect-4.5">
<name>Extended Key Usage for PKI Entities</name> <name>Extended Key Usage for PKI Entities</name>
<t>The extended key usage (EKU) extension indicates the purposes for whi ch the <t>The extended key usage (EKU) extension indicates the purposes for whi ch the
certified key pair may be used. Therefore, it restricts the use of a certificate certified key pair may be used. Therefore, it restricts the use of a certificate
to specific applications.</t> to specific applications.</t>
skipping to change at line 1537 skipping to change at line 1557
security(5) mechanisms(5) pkix(7) kp(3) 27 } security(5) mechanisms(5) pkix(7) kp(3) 27 }
id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp-cmcRA OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) 28 } security(5) mechanisms(5) pkix(7) kp(3) 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp-cmKGA OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) 32 } security(5) mechanisms(5) pkix(7) kp(3) 32 }
]]></sourcecode> ]]></sourcecode>
<t>Note: Section 2.10 of <xref target="RFC6402"/> specifies OIDs for a <t>Note: <xref section="2.10" target="RFC6402"/> specifies OIDs for a
Certificate Management over CMS (CMC) CA and a CMC RA. Certificate Management over CMS (CMC) CA and a CMC RA.
<!--[rfced] As "CMP" is expanded as "Certificate Management Protocol", may we
update this text to avoid repetition?
Original:
As the functionality of a
CA and RA is not specific to any certificate management protocol
(such as CMC or CMP), these EKUs are reused by CMP.
Perhaps:
As the functionality of a
CA and RA is not specific to any CMP (such as CMC), these EKUs are reused by
CMP.
-->
As the functionality of a CA and As the functionality of a CA and
RA is not specific to any certificate management protocol (such as CMC or CMP), RA is not specific to any certificate management protocol (such as CMC or CMP),
these EKUs are reused by CMP.</t> these EKUs are reused by CMP.</t>
<t>The meaning of the id-kp-cmKGA EKU is as follows:</t> <t>The meaning of the id-kp-cmKGA EKU is as follows:</t>
<dl indent="9"> <dl spacing="normal" newline="false">
<dt>CMP KGA:</dt> <dt>CMP KGA:</dt>
<dd> <dd>
<t>CMP key generation authorities are CAs or are identified by the i d-kp-cmKGA <t>CMP key generation authorities are CAs or are identified by the i d-kp-cmKGA
extended key usage. The CMP KGA knows the private key it generated on behalf extended key usage. The CMP KGA knows the private key it generated on behalf
of the end entity. This is a very sensitive service and needs specific authoriz ation, of the end entity. This is a very sensitive service and needs specific authoriz ation,
which by default is with the CA certificate itself. The CA may delegate which by default is with the CA certificate itself. The CA may delegate
its authorization by placing the id-kp-cmKGA extended key usage in the certifica te its authorization by placing the id-kp-cmKGA extended key usage in the certifica te
used to authenticate the origin of the generated private key. The authorization used to authenticate the origin of the generated private key. The authorization
may also be determined through local configuration of the end entity.</t> may also be determined through local configuration of the end entity.</t>
</dd> </dd>
skipping to change at line 1586 skipping to change at line 1620
PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
]]></sourcecode> ]]></sourcecode>
<t>The PKIHeader contains information that is common to many PKI <t>The PKIHeader contains information that is common to many PKI
messages.</t> messages.</t>
<t>The PKIBody contains message-specific information.</t> <t>The PKIBody contains message-specific information.</t>
<t>The PKIProtection, when used, contains bits that protect the PKI <t>The PKIProtection, when used, contains bits that protect the PKI
message.</t> message.</t>
<t>The extraCerts field can contain certificates that may be useful to <t>The extraCerts field can contain certificates that may be useful to
the recipient. For example, this can be used by a CA or RA to the recipient. For example, this can be used by a CA or RA to
present an end entity with certificates that it needs to verify its present an end entity with certificates that it needs to verify its
own new certificate (if, for example, the CA that issued the end own new certificate (for example, if the CA that issued the end
entity's certificate is not a root CA for the end entity). Note that entity's certificate is not a root CA for the end entity). Note that
this field does not necessarily contain a certification path; the this field does not necessarily contain a certification path; the
recipient may have to sort, select from, or otherwise process the recipient may have to sort, select from, or otherwise process the
extra certificates in order to use them.</t> extra certificates in order to use them.</t>
<section anchor="sect-5.1.1"> <section anchor="sect-5.1.1">
<name>PKI Message Header</name> <name>PKI Message Header</name>
<t>All PKI messages require some header information for addressing and <t>All PKI messages require some header information for addressing and
transaction identification. Some of this information will also be transaction identification. Some of this information will also be
present in a transport-specific envelope. However, if the PKI present in a transport-specific envelope. However, if the PKI
message is protected, then this information is also protected (i.e., message is protected, then this information is also protected (i.e.,
skipping to change at line 1626 skipping to change at line 1660
} }
PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
]]></sourcecode> ]]></sourcecode>
<t>The usage of the protocol version number (pvno) is described in <xr ef target="sect-7"/>.</t> <t>The usage of the protocol version number (pvno) is described in <xr ef target="sect-7"/>.</t>
<t>The sender field contains the name of the sender of the PKIMessage. <t>The sender field contains the name of the sender of the PKIMessage.
This name (in conjunction with senderKID, if supplied) should be This name (in conjunction with senderKID, if supplied) should be
sufficient to indicate the key to use to verify the protection on the sufficient to indicate the key to use to verify the protection on the
message. If nothing about the sender is known to the sending entity message. If nothing about the sender is known to the sending entity
(e.g., in the initial request message, where the end entity may not know (e.g., in the initial request message, where the end entity may not know
its own Distinguished Name (DN), e-mail name, IP address, etc.), then its own Distinguished Name (DN), email name, IP address, etc.), then
the "sender" field <bcp14>MUST</bcp14> contain a "NULL-DN" value in the director yName choice. the "sender" field <bcp14>MUST</bcp14> contain a "NULL-DN" value in the director yName choice.
A "NULL-DN" is a SEQUENCE OF relative distinguished names of zero length and is encoded as 0x3000. A "NULL-DN" is a SEQUENCE OF relative distinguished names of zero length and is encoded as 0x3000.
In such a case, the senderKID field <bcp14>MUST</bcp14> hold an identifier (i.e. , a reference In such a case, the senderKID field <bcp14>MUST</bcp14> hold an identifier (i.e. , a reference
number) that indicates to the receiver the appropriate shared secret number) that indicates to the receiver the appropriate shared secret
information to use to verify the message.</t> information to use to verify the message.</t>
<t>The recipient field contains the name of the recipient of the <t>The recipient field contains the name of the recipient of the
PKIMessage. This name (in conjunction with recipKID, if supplied) PKIMessage. This name (in conjunction with recipKID, if supplied)
should be usable to verify the protection on the message.</t> should be usable to verify the protection on the message.</t>
<t>The protectionAlg field specifies the algorithm used to protect the <t>The protectionAlg field specifies the algorithm used to protect the
message. If no protection bits are supplied (note that PKIProtection message. If no protection bits are supplied (note that PKIProtection
is <bcp14>OPTIONAL</bcp14>) then this field <bcp14>MUST</bcp14> be omitted; if p rotection bits are is <bcp14>OPTIONAL</bcp14>), then this field <bcp14>MUST</bcp14> be omitted; if protection bits are
supplied, then this field <bcp14>MUST</bcp14> be supplied.</t> supplied, then this field <bcp14>MUST</bcp14> be supplied.</t>
<t>senderKID and recipKID are usable to indicate which keys have been <t>senderKID and recipKID are usable to indicate which keys have been
used to protect the message (recipKID will normally only be required used to protect the message (recipKID will normally only be required
where protection of the message uses Diffie-Hellman (DH) or elliptic curve Diffi e-Hellman (ECDH) keys). where protection of the message uses Diffie-Hellman (DH) or Elliptic Curve Diffi e-Hellman (ECDH) keys).
These fields <bcp14>MUST</bcp14> be used if required to uniquely identify a key These fields <bcp14>MUST</bcp14> be used if required to uniquely identify a key
(e.g., if more than one key is associated with a given sender name). (e.g., if more than one key is associated with a given sender name).
The senderKID <bcp14>SHOULD</bcp14> be used in any case.</t> The senderKID <bcp14>SHOULD</bcp14> be used in any case.</t>
<t>Note: The recommendation of using senderKID is changed since <xref target="RFC4210"/>, <t>Note: The recommendation of using senderKID has changed since <xref target="RFC4210"/>,
where it was recommended to be omitted if not needed to identify the protection where it was recommended to be omitted if not needed to identify the protection
key.</t> key.</t>
<t>The transactionID field within the message header is to be used to <t>The transactionID field within the message header is to be used to
allow the recipient of a message to correlate this with an ongoing allow the recipient of a message to correlate this with an ongoing
transaction. This is needed for all transactions that consist of transaction. This is needed for all transactions that consist of
more than just a single request/response pair. For transactions that more than just a single request/response pair. For transactions that
consist of a single request/response pair, the rules are as follows. consist of a single request/response pair, the rules are as follows.
A client <bcp14>MUST</bcp14> populate the transactionID field if the message A client <bcp14>MUST</bcp14> populate the transactionID field if the message
contains an infoValue of type KemCiphertextInfo, see <xref target="sect-5.1.3.4" />. In all other cases contains an infoValue of type KemCiphertextInfo (see <xref target="sect-5.1.3.4" />). In all other cases,
the client <bcp14>MAY</bcp14> populate the transactionID field of the request. If a the client <bcp14>MAY</bcp14> populate the transactionID field of the request. If a
server receives such a request that has the transactionID field set, server receives such a request that has the transactionID field set,
then it <bcp14>MUST</bcp14> set the transactionID field of the response to the s ame then it <bcp14>MUST</bcp14> set the transactionID field of the response to the s ame
value. If a server receives such request with a missing value. If a server receives such request with a missing
transactionID field, then it <bcp14>MUST</bcp14> populate the transactionID fiel d if transactionID field, then it <bcp14>MUST</bcp14> populate the transactionID fiel d if
the message contains a KemCiphertextInfo field. In all other cases the message contains a KemCiphertextInfo field. In all other cases,
the server <bcp14>MAY</bcp14> set transactionID field of the response.</t> the server <bcp14>MAY</bcp14> set the transactionID field of the response.</t>
<t>For transactions that consist of more than just a single <t>For transactions that consist of more than just a single
request/response pair, the rules are as follows. If the message request/response pair, the rules are as follows. If the message
contains an infoValue of type KemCiphertextInfo, the client contains an infoValue of type KemCiphertextInfo, the client
<bcp14>MUST</bcp14> generate a transactionID, otherwise the client <bcp14>SHOULD </bcp14> <bcp14>MUST</bcp14> generate a transactionID; otherwise, the client <bcp14>SHOUL D</bcp14>
generate a transactionID for the first request. If a server receives generate a transactionID for the first request. If a server receives
such a request that has the transactionID field set, then it <bcp14>MUST</bcp14> set such a request that has the transactionID field set, then it <bcp14>MUST</bcp14> set
the transactionID field of the response to the same value. If a the transactionID field of the response to the same value. If a
server receives such request with a missing transactionID field, then server receives such request with a missing transactionID field, then
it <bcp14>MUST</bcp14> populate the transactionID field of the response with a it <bcp14>MUST</bcp14> populate the transactionID field of the response with a
server-generated ID. Subsequent requests and responses <bcp14>MUST</bcp14> all set server-generated ID. Subsequent requests and responses <bcp14>MUST</bcp14> all set
the transactionID field to the thus established value. In all cases the transactionID field to the thus established value. In all cases
where a transactionID is being used, a given client <bcp14>MUST NOT</bcp14> have where a transactionID is being used, a given client <bcp14>MUST NOT</bcp14> have
more than one transaction with the same transactionID in progress at more than one transaction with the same transactionID in progress at
any time (to a given server). Servers are free to require uniqueness any time (to a given server). Servers are free to require uniqueness
skipping to change at line 1687 skipping to change at line 1721
associate messages with the corresponding transaction. Typically, associate messages with the corresponding transaction. Typically,
this means that a server will require the {client, transactionID} this means that a server will require the {client, transactionID}
tuple to be unique, or even the transactionID alone to be unique, if tuple to be unique, or even the transactionID alone to be unique, if
it cannot distinguish clients based on any transport-level information. it cannot distinguish clients based on any transport-level information.
A server receiving the first message of a transaction (which requires A server receiving the first message of a transaction (which requires
more than a single request/response pair) that contains a more than a single request/response pair) that contains a
transactionID that does not allow it to meet the above constraints transactionID that does not allow it to meet the above constraints
(typically because the transactionID is already in use) <bcp14>MUST</bcp14> send (typically because the transactionID is already in use) <bcp14>MUST</bcp14> send
back an ErrorMsgContent with a PKIFailureInfo of transactionIdInUse. back an ErrorMsgContent with a PKIFailureInfo of transactionIdInUse.
It is <bcp14>RECOMMENDED</bcp14> that the clients fill the transactionID field w ith It is <bcp14>RECOMMENDED</bcp14> that the clients fill the transactionID field w ith
128 bits of (pseudo-) random data for the start of a transaction to 128 bits of (pseudo-)random data for the start of a transaction to
reduce the probability of having the transactionID in use at the reduce the probability of having the transactionID in use at the
server.</t> server.</t>
<t>The senderNonce and recipNonce fields protect the PKIMessage agains t <t>The senderNonce and recipNonce fields protect the PKIMessage agains t
replay attacks. The senderNonce will typically be 128 bits of replay attacks. The senderNonce will typically be 128 bits of
(pseudo-) random data generated by the sender, whereas the recipNonce (pseudo-)random data generated by the sender, whereas the recipNonce
is copied from the senderNonce field of the previous message in the is copied from the senderNonce field of the previous message in the
transaction.</t> transaction.</t>
<t>The messageTime field contains the time at which the sender created <t>The messageTime field contains the time at which the sender created
the message. This may be useful to allow end entities to the message. This may be useful to allow end entities to
correct/check their local time for consistency with the time on a correct/check their local time for consistency with the time on a
central system.</t> central system.</t>
<t>The freeText field may be used to send a human-readable message to <t>The freeText field may be used to send a human-readable message to
the recipient (in any number of languages). Each UTF8String <bcp14>MAY</bcp14> the recipient (in any number of languages). Each UTF8String <bcp14>MAY</bcp14>
include an <xref target="RFC5646"/> language tag to indicate the language of the include a language tag <xref target="RFC5646"/> to indicate the language of the
contained text. The first language used in this sequence indicates contained text. The first language used in this sequence indicates
the desired language for replies.</t> the desired language for replies.</t>
<t>The generalInfo field may be used to send machine-processable <t>The generalInfo field may be used to send machine-processable
additional data to the recipient. The following generalInfo additional data to the recipient. The following generalInfo
extensions are defined and <bcp14>MAY</bcp14> be supported.</t> extensions are defined and <bcp14>MAY</bcp14> be supported.</t>
<section anchor="sect-5.1.1.1"> <section anchor="sect-5.1.1.1">
<name>ImplicitConfirm</name> <name>ImplicitConfirm</name>
<t>This is used by the EE to inform the CA or RA that it does not wi sh to send <t>This is used by the EE to inform the CA or RA that it does not wi sh to send
a certificate confirmation for issued certificates.</t> a certificate confirmation for issued certificates.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
skipping to change at line 1741 skipping to change at line 1775
<name>OrigPKIMessage</name> <name>OrigPKIMessage</name>
<t>An RA <bcp14>MAY</bcp14> include the original PKIMessage from the EE in the generalInfo <t>An RA <bcp14>MAY</bcp14> include the original PKIMessage from the EE in the generalInfo
field of the PKIHeader of a PKIMessage. This is used by the RA to inform field of the PKIHeader of a PKIMessage. This is used by the RA to inform
the CA of the original PKIMessage that it received from the EE and modified the CA of the original PKIMessage that it received from the EE and modified
in some way (e.g., added or modified particular field values or added new in some way (e.g., added or modified particular field values or added new
extensions) before forwarding the new PKIMessage. This extensions) before forwarding the new PKIMessage. This
accommodates, for example, cases in which the CA wishes to check the message ori gin, the POP, or other accommodates, for example, cases in which the CA wishes to check the message ori gin, the POP, or other
information on the original EE message.</t> information on the original EE message.</t>
<t>Note: If the changes made by <t>Note: If the changes made by
the RA to the original PKIMessage break the POP of a certificate request, the RA to the original PKIMessage break the POP of a certificate request,
the RA can set the popo field of the new PKIMessage to raVerified, see <xref tar get="sect-5.2.8.4"/>.</t> the RA can set the popo field of the new PKIMessage to raVerified (see <xref tar get="sect-5.2.8.4"/>).</t>
<t>Unless the OrigPKIMessage infoValue is in the header of a nested message, it <bcp14>MUST</bcp14> contain exactly one PKIMessage. The contents of OrigPKIMessage infoValue in the header of a nested message <bcp14>MAY</bcp14> co ntain multiple PKIMessage structures, which <bcp14>MUST</bcp14> be in the same o rder as the PKIMessage structures in PKIBody.</t> <t>Unless the OrigPKIMessage infoValue is in the header of a nested message, it <bcp14>MUST</bcp14> contain exactly one PKIMessage. The contents of OrigPKIMessage infoValue in the header of a nested message <bcp14>MAY</bcp14> co ntain multiple PKIMessage structures, which <bcp14>MUST</bcp14> be in the same o rder as the PKIMessage structures in PKIBody.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
OrigPKIMessageValue ::= PKIMessages OrigPKIMessageValue ::= PKIMessages
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.1.1.4"> <section anchor="sect-5.1.1.4">
<name>CertProfile</name> <name>CertProfile</name>
<t>This is used by the EE to indicate specific certificate profiles, e.g., when <t>This is used by the EE to indicate specific certificate profiles, e.g., when
requesting a new certificate or a certificate request template; see <xref target ="sect-5.3.19.16"/>.</t> requesting a new certificate or a certificate request template (see <xref target ="sect-5.3.19.16"/>).</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21}
CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String
]]></sourcecode> ]]></sourcecode>
<t>When used in a p10cr message, the CertProfileValue sequence <bcp1 4>MUST NOT</bcp14> contain multiple certificate profile names. When used in an i r/cr/kur/genm message, the CertProfileValue sequence <bcp14>MUST NOT</bcp14> con tain more certificate profile names than the number of CertReqMsg or GenMsgConte nt InfoTypeAndValue elements contained in the message body.</t> <t>When used in a p10cr message, the CertProfileValue sequence <bcp1 4>MUST NOT</bcp14> contain multiple certificate profile names. When used in an i r/cr/kur/genm message, the CertProfileValue sequence <bcp14>MUST NOT</bcp14> con tain more certificate profile names than the number of CertReqMsg or GenMsgConte nt InfoTypeAndValue elements contained in the message body.</t>
<t>The certificate profile names in the CertProfileValue sequence re late to the CertReqMsg or GenMsgContent InfoTypeAndValue elements in the given o rder. An empty string means no certificate profile name is associated with the r espective CertReqMsg or GenMsgContent InfoTypeAndValue element. If the CertProfi leValue sequence contains less certificate profile entries than CertReqMsg or Ge nMsgContent InfoTypeAndValue elements, the remaining CertReqMsg or GenMsgContent InfoTypeAndValue elements have no profile name associated with them.</t> <t>The certificate profile names in the CertProfileValue sequence re late to the CertReqMsg or GenMsgContent InfoTypeAndValue elements in the given o rder. An empty string means no certificate profile name is associated with the r espective CertReqMsg or GenMsgContent InfoTypeAndValue element. If the CertProfi leValue sequence contains less certificate profile entries than CertReqMsg or Ge nMsgContent InfoTypeAndValue elements, the remaining CertReqMsg or GenMsgContent InfoTypeAndValue elements have no profile name associated with them.</t>
</section> </section>
<section anchor="sect-5.1.1.5"> <section anchor="sect-5.1.1.5">
<name>KemCiphertextInfo</name> <name>KemCiphertextInfo</name>
<t>A PKI entity <bcp14>MAY</bcp14> provide the KEM ciphertext for MA C-based message protection using KEM (see Section 5.1.3.4) in the generalInfo fi eld of a request message to a PKI management entity if it knows that the PKI man agement entity uses a KEM key pair and has its public key.</t> <t>A PKI entity <bcp14>MAY</bcp14> provide the KEM ciphertext for MA C-based message protection using KEM (see <xref target="sect-5.1.3.4"/>) in the generalInfo field of a request message to a PKI management entity if it knows th at the PKI management entity uses a KEM key pair and has its public key.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-it-KemCiphertextInfo OBJECT IDENTIFIER ::= { id-it TBD1 } id-it-KemCiphertextInfo OBJECT IDENTIFIER ::= { id-it 24 }
KemCiphertextInfoValue ::= KemCiphertextInfo KemCiphertextInfoValue ::= KemCiphertextInfo
]]></sourcecode> ]]></sourcecode>
<t>For more details of KEM-based message protection see <xref target ="sect-5.1.3.4"/>. See <xref target="sect-5.3.19.18"/> for the definition of {id -it TBD1}.</t> <t>For more details of KEM-based message protection, see <xref targe t="sect-5.1.3.4"/>. See <xref target="sect-5.3.19.18"/> for the definition of {i d-it 24}.</t>
</section> </section>
</section> </section>
<section anchor="sect-5.1.2"> <section anchor="sect-5.1.2">
<name>PKI Message Body</name> <name>PKI Message Body</name>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
PKIBody ::= CHOICE { PKIBody ::= CHOICE {
ir [0] CertReqMessages, --Initialization Req ir [0] CertReqMessages, --Initialization Req
ip [1] CertRepMessage, --Initialization Resp ip [1] CertRepMessage, --Initialization Resp
cr [2] CertReqMessages, --Certification Req cr [2] CertReqMessages, --Certification Req
cp [3] CertRepMessage, --Certification Resp cp [3] CertRepMessage, --Certification Resp
skipping to change at line 1811 skipping to change at line 1845
]]></sourcecode> ]]></sourcecode>
<t>The specific types are described in <xref target="sect-5.3"/> below .</t> <t>The specific types are described in <xref target="sect-5.3"/> below .</t>
</section> </section>
<section anchor="sect-5.1.3"> <section anchor="sect-5.1.3">
<name>PKI Message Protection</name> <name>PKI Message Protection</name>
<t>Some PKI messages will be protected for integrity.</t> <t>Some PKI messages will be protected for integrity.</t>
<t>Note: If an asymmetric algorithm is used to protect a message and t he relevant <t>Note: If an asymmetric algorithm is used to protect a message and t he relevant
public component has been certified already, then the origin of the public component has been certified already, then the origin of the
message can also be authenticated. On the other hand, if the public message can also be authenticated. On the other hand, if the public
component is uncertified, then the message origin cannot be component is uncertified, then the message origin cannot be
automatically authenticated, but may be authenticated via out-of-band automatically authenticated but may be authenticated via out-of-band
means.</t> means.</t>
<t>When protection is applied, the following structure is used:</t> <t>When protection is applied, the following structure is used:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
PKIProtection ::= BIT STRING PKIProtection ::= BIT STRING
]]></sourcecode> ]]></sourcecode>
<t>The input to the calculation of PKIProtection is the DER encoding o f <t>The input to the calculation of PKIProtection is the DER encoding o f
the following data structure:</t> the following data structure:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
ProtectedPart ::= SEQUENCE { ProtectedPart ::= SEQUENCE {
header PKIHeader, header PKIHeader,
skipping to change at line 1834 skipping to change at line 1868
]]></sourcecode> ]]></sourcecode>
<t>There <bcp14>MAY</bcp14> be cases in which the PKIProtection BIT ST RING is <t>There <bcp14>MAY</bcp14> be cases in which the PKIProtection BIT ST RING is
deliberately not used to protect a message (i.e., this <bcp14>OPTIONAL</bcp14> f ield deliberately not used to protect a message (i.e., this <bcp14>OPTIONAL</bcp14> f ield
is omitted) because other protection, external to PKIX, will be is omitted) because other protection, external to PKIX, will be
applied instead. Such a choice is explicitly allowed in this applied instead. Such a choice is explicitly allowed in this
specification. Examples of such external protection include CMS <xref target="R FC5652"/> and Security Multiparts <xref target="RFC1847"/> encapsulation of the specification. Examples of such external protection include CMS <xref target="R FC5652"/> and Security Multiparts <xref target="RFC1847"/> encapsulation of the
PKIMessage (or simply the PKIBody (omitting the CHOICE tag), if the PKIMessage (or simply the PKIBody (omitting the CHOICE tag), if the
relevant PKIHeader information is securely carried in the external relevant PKIHeader information is securely carried in the external
mechanism). It is noted, however, that many such external mechanisms mechanism). It is noted, however, that many such external mechanisms
require that the end entity already possesses a public-key require that the end entity already possesses a public-key
certificate, and/or a unique Distinguished Name, and/or other such certificate, a unique Distinguished Name, and/or other such
infrastructure-related information. Thus, they may not be infrastructure-related information. Thus, they may not be
appropriate for initial registration, key-recovery, or any other appropriate for initial registration, key-recovery, or any other
process with "boot-strapping" characteristics. For those cases it process with "boot-strapping" characteristics. For those cases, it
may be necessary that the PKIProtection parameter be used. In the may be necessary that the PKIProtection parameter be used. In the
future, if/when external mechanisms are modified to accommodate future, if/when external mechanisms are modified to accommodate
boot-strapping scenarios, the use of PKIProtection may become rare or boot-strapping scenarios, the use of PKIProtection may become rare or
non-existent.</t> non-existent.</t>
<t>Depending on the circumstances, the PKIProtection bits may contain a <t>Depending on the circumstances, the PKIProtection bits may contain a
Message Authentication Code (MAC) or signature. Only the following Message Authentication Code (MAC) or signature. Only the following
cases can occur:</t> cases can occur:</t>
<section anchor="sect-5.1.3.1"> <section anchor="sect-5.1.3.1">
<name>Shared Secret Information</name> <name>Shared Secret Information</name>
<t>In this case, the sender and recipient share secret information w ith sufficient <t>In this case, the sender and recipient share secret information w ith sufficient
entropy (established via out-of-band means). PKIProtection will contain a entropy (established via out-of-band means). PKIProtection will contain a
MAC value and the protectionAlg <bcp14>MAY</bcp14> be one of the options describ MAC value, and the protectionAlg <bcp14>MAY</bcp14> be one of the options descri
ed in CMP bed in <xref section="6.1" target="RFC9481">CMP Algorithms</xref>.</t>
Algorithms Section 6.1 <xref target="RFC9481"/>.</t> <t>The algorithm identifier id-PasswordBasedMac is defined in <xref
<t>The algorithm identifier id-PasswordBasedMac is defined in Sectio section="4.4" target="RFC4211"/> and updated by <xref target="RFC9045"/>. It is
n 4.4 of <xref target="RFC4211"/> and updated by <xref target="RFC9045"/>. It is mentioned in <xref section="6.1.1" target="RFC9481"/> for backward compatibility
mentioned in Section 6.1.1 of <xref target="RFC9481"/> for backward compatibili . More modern alternatives are listed in <xref section="6.1" target="RFC9481"/>.
ty. More modern alternatives are listed in Section 6.1 of <xref target="RFC9481" </t>
/>.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
PBMParameter ::= SEQUENCE { PBMParameter ::= SEQUENCE {
salt OCTET STRING, salt OCTET STRING,
owf AlgorithmIdentifier, owf AlgorithmIdentifier,
iterationCount INTEGER, iterationCount INTEGER,
mac AlgorithmIdentifier mac AlgorithmIdentifier
} }
]]></sourcecode> ]]></sourcecode>
<t>The following text gives a method of key expansion to be used whe <t>The following text gives a method of key expansion to be used whe
n the MAC-algorithm requires an input length that is larger than the size of the n the MAC algorithm requires an input length that is larger than the size of the
one-way-function.</t> one-way function.</t>
<t>Note: Section 4.4 of <xref target="RFC4211"/> and <xref target="R <t>Note: <xref section="4.4" target="RFC4211"/> and <xref target="RF
FC9045"/> do not mention this key expansion method and gives an example using HM C9045"/> do not mention this key expansion method or give an example using HMAC
AC algorithms where key expansion is not needed. It is recognized that this omis algorithms where key expansion is not needed. It is recognized that this omissio
sion in <xref target="RFC4211"/> can lead to confusion and possible incompatibil n in <xref target="RFC4211"/> can lead to confusion and possible incompatibility
ity if <xref target="RFC4210"/> key expansion is not used when needed. Therefore if key expansion <xref target="RFC4210"/> is not used when needed. Therefore, w
, when key expansion is required (when K &gt; H) the key expansion defined in th hen key expansion is required (when K &gt; H), the key expansion defined in the
e following text <bcp14>MUST</bcp14> be used.</t> following text <bcp14>MUST</bcp14> be used.</t>
<t>In the above protectionAlg, the salt value is appended to the sha red <t>In the above protectionAlg, the salt value is appended to the sha red
secret input. The OWF is then applied iterationCount times, where the secret input. The one-way function (OWF) is then applied iterationCount times, w here the
salted secret is the input to the first iteration and, for each salted secret is the input to the first iteration and, for each
successive iteration, the input is set to be the output of the successive iteration, the input is set to be the output of the
previous iteration. The output of the final iteration (called previous iteration. The output of the final iteration (called
"BASEKEY" for ease of reference, with a size of "H") is what is used "BASEKEY" for ease of reference, with a size of "H") is what is used
to form the symmetric key. If the MAC algorithm requires a K-bit key to form the symmetric key. If the MAC algorithm requires a K-bit key
and K &lt;= H, then the most significant K bits of BASEKEY are used. If and K &lt;= H, then the most significant K bits of BASEKEY are used. If
K &gt; H, then all of BASEKEY is used for the most significant H bits of K &gt; H, then all of BASEKEY is used for the most significant H bits of
the key, OWF("1" || BASEKEY) is used for the next most significant H the key, OWF("1" || BASEKEY) is used for the next most significant H
bits of the key, OWF("2" || BASEKEY) is used for the next most bits of the key, OWF("2" || BASEKEY) is used for the next most
significant H bits of the key, and so on, until all K bits have been significant H bits of the key, and so on, until all K bits have been
skipping to change at line 1886 skipping to change at line 1919
represents concatenation.]</t> represents concatenation.]</t>
<t>Note: It is <bcp14>RECOMMENDED</bcp14> that the fields of PBMPara meter remain <t>Note: It is <bcp14>RECOMMENDED</bcp14> that the fields of PBMPara meter remain
constant throughout the messages of a single transaction (e.g., constant throughout the messages of a single transaction (e.g.,
ir/ip/certConf/pkiConf) to reduce the overhead associated with ir/ip/certConf/pkiConf) to reduce the overhead associated with
PasswordBasedMac computation.</t> PasswordBasedMac computation.</t>
</section> </section>
<section anchor="sect-5.1.3.2"> <section anchor="sect-5.1.3.2">
<name>DH Key Pairs</name> <name>DH Key Pairs</name>
<t>Where the sender and receiver possess finite-field or elliptic-cu rve-based <t>Where the sender and receiver possess finite-field or elliptic-cu rve-based
Diffie-Hellman certificates Diffie-Hellman certificates
with compatible DH parameters, in order to protect the message the with compatible DH parameters in order to protect the message, the
end entity must generate a symmetric key based on its private DH key end entity must generate a symmetric key based on its private DH key
value and the DH public key of the recipient of the PKI message. value and the DH public key of the recipient of the PKI message.
PKIProtection will contain a MAC value keyed with this derived PKIProtection will contain a MAC value keyed with this derived
symmetric key and the protectionAlg will be the following:</t> symmetric key, and the protectionAlg will be the following:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
DHBMParameter ::= SEQUENCE { DHBMParameter ::= SEQUENCE {
owf AlgorithmIdentifier, owf AlgorithmIdentifier,
-- AlgId for a One-Way Function -- AlgId for a One-Way Function
mac AlgorithmIdentifier mac AlgorithmIdentifier
-- the MAC AlgId -- the MAC AlgId
} }
]]></sourcecode> ]]></sourcecode>
<t>In the above protectionAlg, OWF is applied to the result of the <t>In the above protectionAlg, OWF is applied to the result of the
Diffie-Hellman computation. The OWF output (called "BASEKEY" for Diffie-Hellman computation. The OWF output (called "BASEKEY" for
ease of reference, with a size of "H") is what is used to form the ease of reference, with a size of "H") is what is used to form the
symmetric key. If the MAC algorithm requires a K-bit key and K &lt;= H, then symmetric key. If the MAC algorithm requires a K-bit key and K &lt;= H, then
the most significant K bits of BASEKEY are used. If K &gt; H, then the most significant K bits of BASEKEY are used. If K &gt; H, then
all of BASEKEY is used for the most significant H bits of the key, all of BASEKEY is used for the most significant H bits of the key,
OWF("1" || BASEKEY) is used for the next most significant H bits of OWF("1" || BASEKEY) is used for the next most significant H bits of
the key, OWF("2" || BASEKEY) is used for the next most significant H the key, OWF("2" || BASEKEY) is used for the next most significant H
bits of the key, and so on, until all K bits have been derived. bits of the key, and so on, until all K bits have been derived.
[Here "N" is the ASCII byte encoding the number N and "||" represents concatenat ion.]</t> [Here "N" is the ASCII byte encoding the number N and "||" represents concatenat ion.]</t>
<t>Note: Hash algorithms that can be used as one-way functions are l <t>Note: Hash algorithms that can be used as one-way functions are l
isted in isted in <xref section="2" target="RFC9481">CMP Algorithms</xref>.</t>
CMP Algorithms <xref target="RFC9481"/> Section 2.</t>
</section> </section>
<section anchor="sect-5.1.3.3"> <section anchor="sect-5.1.3.3">
<name>Signature</name> <name>Signature</name>
<t>In this case, the sender possesses a signature key pair and simpl y <t>In this case, the sender possesses a signature key pair and simpl y
signs the PKI message. PKIProtection will contain the signature signs the PKI message. PKIProtection will contain the signature
value and the protectionAlg will be an AlgorithmIdentifier for a value and the protectionAlg will be an AlgorithmIdentifier for a
digital signature <bcp14>MAY</bcp14> be one of the options described in CMP Algo digital signature, which <bcp14>MAY</bcp14> be one of the options described in <
rithms Section xref section="3" target="RFC9481">CMP
3 <xref target="RFC9481"/>.</t> Algorithms</xref>.</t>
</section> </section>
<section anchor="sect-5.1.3.4"> <section anchor="sect-5.1.3.4">
<name>Key Encapsulation</name> <name>Key Encapsulation</name>
<t>In case the sender of a message has a Key Encapsulation Mechanism (KEM) key pair, it can be used to establish a shared secret key for MAC-based m essage protection. This can be used for message authentication.</t> <t>In case the sender of a message has a Key Encapsulation Mechanism (KEM) key pair, it can be used to establish a shared secret key for MAC-based m essage protection. This can be used for message authentication.</t>
<t>This approach uses the definition of Key Encapsulation Mechanism (KEM) algorithm functions in Section 1 of <xref target="RFC9629"/> as follows:</ t> <t>This approach uses the definition of Key Encapsulation Mechanism (KEM) algorithm functions in <xref section="1" target="RFC9629"/> as follows:</t >
<t>A KEM algorithm provides three functions:</t> <t>A KEM algorithm provides three functions:</t>
<ul spacing="normal">
<li> <ol spacing="normal">
<t>KeyGen() -&gt; (pk, sk):</t> <li>KeyGen() -&gt; (pk, sk): Generate a public key (pk) and a
</li> private (secret) key (sk).</li>
</ul> <li>Encapsulate(pk) -&gt; (ct, ss): Given the public key
<ul empty="true"> (pk), produce a ciphertext (ct) and a shared secret (ss).</li>
<li> <li>Decapsulate(sk, ct) -&gt; (ss): Given the private key
<t>Generate a public key (pk) and a private (secret) key (sk).</ (sk) and the ciphertext (ct), produce the shared secret
t> (ss).</li>
</li> </ol>
</ul>
<ul spacing="normal">
<li>
<t>Encapsulate(pk) -&gt; (ct, ss):</t>
</li>
</ul>
<ul empty="true">
<li>
<t>Given the public key (pk), produce a ciphertext (ct) and a
shared secret (ss).</t>
</li>
</ul>
<ul spacing="normal">
<li>
<t>Decapsulate(sk, ct) -&gt; (ss):</t>
</li>
</ul>
<ul empty="true">
<li>
<t>Given the private key (sk) and the ciphertext (ct), produce t
he
shared secret (ss).</t>
</li>
</ul>
<t>To support a particular KEM algorithm, the PKI entity that posses ses a KEM key pair and wishes to use it for MAC-based message protection <bcp14> MUST</bcp14> support the KEM Decapsulate() function. The PKI entity that wishes to verify the MAC-based message protection <bcp14>MUST</bcp14> support the KEM E ncapsulate() function. The respective public KEM key is usually carried in a cer tificate <xref target="I-D.ietf-lamps-kyber-certificates"/>.</t> <t>To support a particular KEM algorithm, the PKI entity that posses ses a KEM key pair and wishes to use it for MAC-based message protection <bcp14> MUST</bcp14> support the KEM Decapsulate() function. The PKI entity that wishes to verify the MAC-based message protection <bcp14>MUST</bcp14> support the KEM E ncapsulate() function. The respective public KEM key is usually carried in a cer tificate <xref target="I-D.ietf-lamps-kyber-certificates"/>.</t>
<t>Note: Both PKI entities send and receive messages in a PKI manage <t>Note: Both PKI entities send and receive messages in a PKI manage
ment operation. Both PKI entities may independently wish to protect messages usi ment operation. Both PKI entities may independently wish to protect messages usi
ng their KEM key pairs. For ease of explanation we use the term "Alice" to denot ng their KEM key pairs. For ease of explanation, we use the terms "Alice" to den
e the PKI entity possessing the KEM key pair and who wishes to provide MAC-based ote the PKI entity possessing the KEM key pair and who wishes to provide MAC-bas
message protection, and "Bob" to denote the PKI entity having Alice’s authentic ed message protection and "Bob" to denote the PKI entity having Alice's authenti
public KEM key and who needs to verify the MAC-based protection provided by Ali c public KEM key and who needs to verify the MAC-based protection provided by Al
ce.</t> ice.</t>
<t>Assuming Bob has Alice's KEM public key, he generates the ciphert <t>Assuming Bob has Alice's KEM public key, he generates the ciphert
ext using KEM encapsulation and transfers it to Alice in an InfoTypeAndValue str ext using KEM encapsulation and transfers it to Alice in an InfoTypeAndValue str
ucture. Alice then retrieves the KEM shared secret from the ciphertext using KEM ucture. Alice then retrieves the KEM shared secret from the ciphertext using KEM
decapsulation and the associated KEM private key. Using a key derivation functi decapsulation and the associated KEM private key. Using a key derivation functi
on (KDF), she derives a shared secret key from the KEM shared secret and other d on (KDF), Alice derives a shared secret key from the KEM shared secret and other
ata sent by Bob. PKIProtection will contain a MAC value calculated using that sh data sent by Bob. PKIProtection will contain a MAC value calculated using that
ared secret key, and the protectionAlg will be the following:</t> shared secret key, and the protectionAlg will be the following:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-KemBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 16} id-KemBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 16}
KemBMParameter ::= SEQUENCE { KemBMParameter ::= SEQUENCE {
kdf AlgorithmIdentifier{KEY-DERIVATION, {...}}, kdf AlgorithmIdentifier{KEY-DERIVATION, {...}},
kemContext [0] OCTET STRING OPTIONAL, kemContext [0] OCTET STRING OPTIONAL,
len INTEGER (1..MAX), len INTEGER (1..MAX),
mac AlgorithmIdentifier{MAC-ALGORITHM, {...}} mac AlgorithmIdentifier{MAC-ALGORITHM, {...}}
} }
]]></sourcecode> ]]></sourcecode>
<t>Note: The OID for id-KemBasedMac was assigned on the private-use arc { iso(1) member-body(2) us(840) nortelnetworks(113533) entrust(7) }, and not assigned on an IANA-owned arc because the authors wished to placed it on the sa me branch as the existing OIDs for id-PasswordBasedMac and id-DHBasedMac.</t> <t>Note: The OID for id-KemBasedMac was assigned on the private-use arc { iso(1) member-body(2) us(840) nortelnetworks(113533) entrust(7) } and not assigned on an IANA-owned arc because the authors wished to place it on the same branch as the existing OIDs for id-PasswordBasedMac and id-DHBasedMac.</t>
<t>kdf is the algorithm identifier of the chosen KDF, and any associ ated parameters, used to derive the shared secret key.</t> <t>kdf is the algorithm identifier of the chosen KDF, and any associ ated parameters, used to derive the shared secret key.</t>
<t>kemContext <bcp14>MAY</bcp14> be used to transfer additional algo rithm specific context information, see also the definition of ukm in <xref targ et="RFC9629"/>, Section 3.</t> <t>kemContext <bcp14>MAY</bcp14> be used to transfer additional algo rithm-specific context information (see also the definition of ukm in <xref sect ion="3" target="RFC9629"/>).</t>
<t>len is the output length of the KDF and <bcp14>MUST</bcp14> be th e desired size of the key to be used for MAC-based message protection.</t> <t>len is the output length of the KDF and <bcp14>MUST</bcp14> be th e desired size of the key to be used for MAC-based message protection.</t>
<t>mac is the algorithm identifier of the chosen MAC algorithm, and any associated parameters, used to calculate the MAC value.</t> <t>mac is the algorithm identifier of the chosen MAC algorithm, and any associated parameters, used to calculate the MAC value.</t>
<t>The KDF and MAC algorithms <bcp14>MAY</bcp14> be chosen from the options in CMP Algorithms <xref target="RFC9481"/>.</t> <t>The KDF and MAC algorithms <bcp14>MAY</bcp14> be chosen from the options in CMP Algorithms <xref target="RFC9481"/>.</t>
<t>The InfoTypeAndValue transferring the KEM ciphertext uses OID id- <t>The InfoTypeAndValue transferring the KEM ciphertext uses OID id-
it-KemCiphertextInfo. It contains a KemCiphertextInfo structure as defined in <x it-KemCiphertextInfo. It contains a KemCiphertextInfo structure, as defined in <
ref target="sect-5.3.19.18"/>.</t> xref target="sect-5.3.19.18"/>.</t>
<t>Note: This InfoTypeAndValue can be carried in a genm/genp message <t>Note: This InfoTypeAndValue can be carried in a genm/genp message
body as specified in <xref target="sect-5.3.19.18"/> or in the generalInfo fiel body, as specified in <xref target="sect-5.3.19.18"/>, or in the generalInfo fi
d of PKIHeader in messages of other types, see <xref target="sect-5.1.1.5"/>.</t eld of PKIHeader in messages of other types (see <xref target="sect-5.1.1.5"/>).
> </t>
<t>In the following, a generic message flow for MAC-based protection <t>In the following, a generic message flow for MAC-based protection
using KEM is specified in more detail. It is assumed that Bob possesses the pub using KEM is specified in more detail. It is assumed that Bob possesses Alice's
lic KEM key of Alice. Alice can be the initiator of a PKI management operation o public KEM key. Alice can be the initiator of a PKI management operation or the
r the responder. For more detailed figures see <xref target="sect-e"/>.</t> responder. For more detailed figures, see <xref target="sect-e"/>.</t>
<t>Generic Message Flow:</t> <t>Generic Message Flow:</t>
<figure anchor="KEM"> <figure anchor="KEM">
<name>Generic Message Flow when Alice has a KEM key pair</name> <name>Generic Message Flow When Alice Has a KEM Key Pair</name>
<artset> <artset>
<artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="240" width="560" viewBox="0 0 560 240" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> <artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="240" width="560" viewBox="0 0 560 240" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round">
<path d="M 8,48 L 552,48" fill="none" stroke="black"/> <path d="M 8,48 L 552,48" fill="none" stroke="black"/>
<path d="M 184,80 L 200,80" fill="none" stroke="black"/> <path d="M 184,80 L 200,80" fill="none" stroke="black"/>
<path d="M 336,80 L 352,80" fill="none" stroke="black"/> <path d="M 336,80 L 352,80" fill="none" stroke="black"/>
<path d="M 184,160 L 200,160" fill="none" stroke="black"/> <path d="M 184,160 L 200,160" fill="none" stroke="black"/>
<path d="M 336,160 L 352,160" fill="none" stroke="black"/> <path d="M 336,160 L 352,160" fill="none" stroke="black"/>
<path d="M 8,224 L 152,224" fill="none" stroke="black"/> <path d="M 8,224 L 152,224" fill="none" stroke="black"/>
<path d="M 400,224 L 552,224" fill="none" stroke="black"/> <path d="M 400,224 L 552,224" fill="none" stroke="black"/>
<polygon class="arrowhead" points="360,160 348,154.4 348,165 .6" fill="black" transform="rotate(0,352,160)"/> <polygon class="arrowhead" points="360,160 348,154.4 348,165 .6" fill="black" transform="rotate(0,352,160)"/>
skipping to change at line 2052 skipping to change at line 2063
MAC-based protection MAC-based protection
--> message --> --> message -->
3 perform key derivation, 3 perform key derivation,
verify MAC-based verify MAC-based
protection protection
------------------- Alice authenticated by Bob -------------------- ------------------- Alice authenticated by Bob --------------------
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>Bob needs to possess the authentic public KEM key pk of Alice , for instance contained in a KEM certificate that was received and successfully validated by Bob beforehand. </t> <t>Bob needs to possess Alice's authentic public KEM key (pk), for instance, contained in a KEM certificate that was received and successfully val idated by Bob beforehand. </t>
<t> <t>
Bob generates a shared secret ss and the associated ciphertext ct using the KEM Encapsulate function with Alice's public KEM key pk. Bob <bcp14>MUST NOT</bcp14> reuse the ss and ct for other PKI management operations. From this data, Bob pr oduces a KemCiphertextInfo structure including the KEM algorithm identifier and the ciphertext ct and sends it to Alice in an InfoTypeAndValue structure as defi ned in <xref target="sect-5.3.19.18"/>. </t> Bob generates a shared secret (ss) and the associated ciphertext (ct) using the KEM Encapsulate function with Alice's public KEM key (pk). Bob <bcp14>MUST NOT</ bcp14> reuse the ss and ct for other PKI management operations. From this data, Bob produces a KemCiphertextInfo structure, including the KEM algorithm identifi er and the ciphertext (ct) and sends it to Alice in an InfoTypeAndValue structur e, as defined in <xref target="sect-5.3.19.18"/>. </t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
Encapsulate(pk) -> (ct, ss) Encapsulate(pk) -> (ct, ss)
]]></sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>Alice decapsulates the shared secret ss from the ciphertext c t using the KEM Decapsulate function and its private KEM key sk. </t> <t>Alice decapsulates the shared secret (ss) from the ciphertext (ct) using the KEM Decapsulate function and its private KEM key (sk). </t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
Decapsulate(ct, sk) -> (ss) Decapsulate(ct, sk) -> (ss)
]]></sourcecode> ]]></sourcecode>
<t> <t>
If the decapsulation operation outputs an error, any failInfo field in an error response message <bcp14>SHALL</bcp14> contain the value badMessageCheck and the PKI management operation <bcp14>SHALL</bcp14> be terminated. </t> If the decapsulation operation outputs an error, any failInfo field in an error response message <bcp14>SHALL</bcp14> contain the value badMessageCheck and the PKI management operation <bcp14>SHALL</bcp14> be terminated. </t>
<t> <t>
Alice derives the shared secret key ssk using a KDF. The shared secret ss is use d as input key material for the KDF, the value len is the desired output length of the KDF as required by the MAC algorithm to be used for message protection. K DF, len, and MAC will be transferred to Bob in the protectionAlg KemBMParameter. The DER-encoded KemOtherInfo structure, as defined below, is used as context fo r the KDF. </t> Alice derives the shared secret key (ssk) using a KDF. The shared secret (ss) is used as input key material for the KDF, and the value len is the desired output length of the KDF as required by the MAC algorithm to be used for message prote ction. KDF, len, and MAC will be transferred to Bob in the protectionAlg KemBMPa rameter. The DER-encoded KemOtherInfo structure, as defined below, is used as co ntext for the KDF. </t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
KDF(ss, len, context)->(ssk) KDF(ss, len, context)->(ssk)
]]></sourcecode> ]]></sourcecode>
<t> <t>
The shared secret key ssk is used for MAC-based protection by Alice.</t> The shared secret key (ssk) is used for MAC-based protection by Alice.</t>
</li> </li>
<li> <li>
<t>Bob derives the same shared secret key ssk using the KDF. Als o here the shared secret ss is used as input key material for the KDF, the value len is the desired output length for the KDF, and the DER-encoded KemOtherInfo structure constructed in the same way as on Alice's side is used as context for the KDF. </t> <t>Bob derives the same shared secret key (ssk) using the KDF. A lso here, the shared secret (ss) is used as input key material for the KDF, the value len is the desired output length for the KDF, and the DER-encoded KemOther Info structure constructed in the same way as on Alice's side is used as context for the KDF. </t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
KDF(ss, len, context)->(ssk) KDF(ss, len, context)->(ssk)
]]></sourcecode> ]]></sourcecode>
<t> <t>
Bob uses the shared secret key ssk for verifying the MAC-based protection of the message received and in this way authenticates Alice.</t> Bob uses the shared secret key (ssk) for verifying the MAC-based protection of t he message received and in this way authenticates Alice.</t>
</li> </li>
</ol> </ol>
<t>This shared secret key ssk can be reused by Alice for MAC-based p <t>This shared secret key (ssk) can be reused by Alice for MAC-based
rotection of further messages sent to Bob within the current PKI management oper protection of further messages sent to Bob within the current PKI management op
ation.</t> eration.</t>
<t>This approach employs the notation of KDF(IKM, L, info) as descri <t>This approach employs the notation of KDF(IKM, L, info) as descri
bed in <xref section="5" sectionFormat="comma" target="RFC9629"/> with the follo bed in <xref section="5" sectionFormat="of" target="RFC9629"/> with the followin
wing changes:</t> g changes:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>IKM is the input key material. It is the symmetric secret cal led ss resulting from the key encapsulation mechanism.</t> <t>IKM is the input key material. It is the symmetric secret cal led "ss" resulting from the key encapsulation mechanism.</t>
</li> </li>
<li> <li>
<t>L is dependent of the MAC algorithm that is used with the sha red secret key for CMP message protection and is called len in this document.</t > <t>L is dependent of the MAC algorithm that is used with the sha red secret key for CMP message protection and is called "len" in this document.< /t>
</li> </li>
<li> <li>
<t>info is an additional input to the KDF, is called context in this document, and contains the DER-encoded KemOtherInfo structure defined as: </t> <t>info is an additional input to the KDF, is called "context" i n this document, and contains the DER-encoded KemOtherInfo structure defined as: </t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
KemOtherInfo ::= SEQUENCE { KemOtherInfo ::= SEQUENCE {
staticString PKIFreeText, staticString PKIFreeText,
transactionID OCTET STRING, transactionID OCTET STRING,
kemContext [0] OCTET STRING OPTIONAL kemContext [0] OCTET STRING OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
<t> <t>
staticString <bcp14>MUST</bcp14> be "CMP-KEM". </t> staticString <bcp14>MUST</bcp14> be "CMP-KEM". </t>
<t> <t>
transactionID <bcp14>MUST</bcp14> be the value from the message containing the c iphertext ct in KemCiphertextInfo. </t> transactionID <bcp14>MUST</bcp14> be the value from the message containing the c iphertext (ct) in KemCiphertextInfo. </t>
<t> <t>
Note: The transactionID is used to ensure domain separation of the derived share d secret key between different PKI management operations. For all PKI management operations with more than one exchange the transactionID <bcp14>MUST</bcp14> be set anyway, see <xref target="sect-5.1.1"/>. In case Bob provided a infoValue o f type KemCiphertextInfo to Alice in the initial request message, see <xref targ et="KEM-Flow2"/> of <xref target="sect-e"/>, the transactionID <bcp14>MUST</bcp1 4> be set by Bob. </t> Note: The transactionID is used to ensure domain separation of the derived share d secret key between different PKI management operations. For all PKI management operations with more than one exchange, the transactionID <bcp14>MUST</bcp14> b e set anyway (see <xref target="sect-5.1.1"/>). In case Bob provided an infoValu e of type KemCiphertextInfo to Alice in the initial request message (see <xref t arget="KEM-Flow2"/> of <xref target="sect-e"/>), the transactionID <bcp14>MUST</ bcp14> be set by Bob. </t>
<t> <t>
kemContext <bcp14>MAY</bcp14> contain additional algorithm specific context info rmation.</t> kemContext <bcp14>MAY</bcp14> contain additional algorithm-specific context info rmation.</t>
</li> </li>
<li> <li>
<t>OKM is the output keying material of the KDF used for MAC-bas ed message protection of length len and is called ssk in this document.</t> <t>OKM is the output keying material of the KDF used for MAC-bas ed message protection of length len and is called "ssk" in this document.</t>
</li> </li>
</ul> </ul>
<t>There are various ways how Alice can request, and Bob can provide the KEM ciphertext, see <xref target="sect-e"/> for details. The KemCiphertextI nfo can be requested using PKI general messages as described in <xref target="se ct-5.3.19.18"/>. Alternatively, the generalInfo field of the PKIHeader can be us ed to convey the same request and response InfoTypeAndValue structures as descri bed in <xref target="sect-5.1.1.5"/>. The procedure works also without Alice exp licitly requesting the KEM ciphertext in case Bob knows a KEM key of Alice befor ehand and can expect that she is ready to use it.</t> <t>There are various ways that Alice can request and Bob can provide the KEM ciphertext (see <xref target="sect-e"/> for details). The KemCiphertext Info can be requested using PKI general messages, as described in <xref target=" sect-5.3.19.18"/>. Alternatively, the generalInfo field of the PKIHeader can be used to convey the same request and response InfoTypeAndValue structures, as des cribed in <xref target="sect-5.1.1.5"/>. The procedure also works without Alice explicitly requesting the KEM ciphertext in case Bob knows one of Alice's KEM ke ys beforehand and can expect that she is ready to use it.</t>
<t>If both the initiator and responder in a PKI management operation have KEM key pairs, this procedure can be applied by both entities independentl y, establishing and using different shared secret keys for either direction.</t> <t>If both the initiator and responder in a PKI management operation have KEM key pairs, this procedure can be applied by both entities independentl y, establishing and using different shared secret keys for either direction.</t>
</section> </section>
<section anchor="sect-5.1.3.5"> <section anchor="sect-5.1.3.5">
<name>Multiple Protection</name> <name>Multiple Protection</name>
<t>When receiving a protected PKI message, a PKI management entity, such as an <t>When receiving a protected PKI message, a PKI management entity, such as an
RA, <bcp14>MAY</bcp14> forward that message adding its own protection. Addition ally, multiple RA, <bcp14>MAY</bcp14> forward that message adding its own protection. Addition ally, multiple
PKI messages <bcp14>MAY</bcp14> be aggregated. There are several use cases for such messages.</t> PKI messages <bcp14>MAY</bcp14> be aggregated. There are several use cases for such messages.</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>The RA confirms having validated and authorized a message and forwards the <t>The RA confirms having validated and authorized a message and forwards the
original message unchanged.</t> original message unchanged.</t>
</li> </li>
<li> <li>
<t>A PKI management entity collects several messages that are to be forwarded <t>A PKI management entity collects several messages that are to be forwarded
in the same direction and forwards them in a batch. Request messages can in the same direction and forwards them in a batch. Request messages can
be transferred as batch upstream (towards the CA); response or announce messages be transferred as a batch upstream (towards the CA); response or announce messag
can be transferred as batch downstream (towards an RA but not to the EE). es
can be transferred as a batch downstream (towards an RA but not to the EE).
For instance, this can be used when bridging an off-line connection between For instance, this can be used when bridging an off-line connection between
two PKI management entities.</t> two PKI management entities.</t>
</li> </li>
</ul> </ul>
<t>These use cases are accomplished by nesting the messages within a new PKI <t>These use cases are accomplished by nesting the messages within a new PKI
message. The structure used is as follows:</t> message. The structure used is as follows:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
NestedMessageContent ::= PKIMessages NestedMessageContent ::= PKIMessages
]]></sourcecode> ]]></sourcecode>
<t>In case an RA needs to modify a request message, it <bcp14>MAY</b cp14> include the original <t>In case an RA needs to modify a request message, it <bcp14>MAY</b cp14> include the original
PKIMessage in the generalInfo field of the modified message as described in PKIMessage in the generalInfo field of the modified message, as described in
<xref target="sect-5.1.1.3"/>.</t> <xref target="sect-5.1.1.3"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="sect-5.2"> <section anchor="sect-5.2">
<name>Common Data Structures</name> <name>Common Data Structures</name>
<t>Before specifying the specific types that may be placed in a PKIBody, <t>Before specifying the specific types that may be placed in a PKIBody,
we define some data structures that are used in more than one case.</t> we define some data structures that are used in more than one case.</t>
<section anchor="sect-5.2.1"> <section anchor="sect-5.2.1">
<name>Requested Certificate Contents</name> <name>Requested Certificate Contents</name>
<t>Various PKI management messages require that the originator of the <t>Various PKI management messages require that the originator of the
message indicate some of the fields that are required to be present message indicate some of the fields that are required to be present
in a certificate. The CertTemplate structure allows an end entity or in a certificate. The CertTemplate structure allows an end entity or
RA to specify as much as it wishes about the certificate it requires. RA to specify as much as it wishes about the certificate it requires.
CertTemplate is identical to a Certificate, but with all fields CertTemplate is identical to a Certificate but with all fields
optional.</t> optional.</t>
<t>Note: Even if the originator completely specifies the contents of <t>Note: Even if the originator completely specifies the contents of
a certificate it requires, a CA is free to modify fields within the a certificate it requires, a CA is free to modify fields within the
certificate actually issued. If the modified certificate is certificate actually issued. If the modified certificate is
unacceptable to the requester, the requester <bcp14>MUST</bcp14> send back a unacceptable to the requester, the requester <bcp14>MUST</bcp14> send back a
certConf message that either does not include this certificate (via a certConf message that either does not include this certificate (via a
CertHash), or does include this certificate (via a CertHash) along CertHash) or does include this certificate (via a CertHash) along
with a status of "rejected". See <xref target="sect-5.3.18"/> for the definitio n with a status of "rejected". See <xref target="sect-5.3.18"/> for the definitio n
and use of CertHash and the certConf message.</t> and use of CertHash and the certConf message.</t>
<t>Note: Before requesting a new certificate, an end entity can reques t a certTemplate <t>Note: Before requesting a new certificate, an end entity can reques t a certTemplate
structure as a kind of certificate request blueprint, in order to learn which structure as a kind of certificate request blueprint in order to learn which
data the CA expects to be present in the certificate request, see <xref target=" data the CA expects to be present in the certificate request (see <xref target="
sect-5.3.19.16"/>.</t> sect-5.3.19.16"/>).</t>
<t>See <xref target="RFC4211">CRMF</xref> for CertTemplate syntax.</t> <t>See CRMF <xref target="RFC4211"/> for CertTemplate syntax.</t>
<t>If certTemplate is an empty SEQUENCE (i.e., all fields omitted), th en the <t>If certTemplate is an empty SEQUENCE (i.e., all fields omitted), th en the
controls field in the CertRequest structure <bcp14>MAY</bcp14> contain the id-re gCtrl-altCertTemplate controls field in the CertRequest structure <bcp14>MAY</bcp14> contain the id-re gCtrl-altCertTemplate
control, specifying a template for a certificate other than an X.509v3 public-ke y control, specifying a template for a certificate other than an X.509v3 public-ke y
certificate. Conversely, if certTemplate is not empty (i.e., at least one certificate. Conversely, if certTemplate is not empty (i.e., at least one
field is present), then controls <bcp14>MUST NOT</bcp14> contain id-regCtrl-altC ertTemplate. field is present), then controls <bcp14>MUST NOT</bcp14> contain id-regCtrl-altC ertTemplate.
The new control is defined as follows:</t> The new control is defined as follows:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-regCtrl-altCertTemplate OBJECT IDENTIFIER ::= { iso(1) id-regCtrl-altCertTemplate OBJECT IDENTIFIER ::= { iso(1)
identified-organization(3) dod(6) internet(1) security(5) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) pkip(5) regCtrl(1) 7} mechanisms(5) pkix(7) pkip(5) regCtrl(1) 7}
AltCertTemplate ::= AttributeTypeAndValue AltCertTemplate ::= AttributeTypeAndValue
]]></sourcecode> ]]></sourcecode>
<t>See also <xref target="RFC4212"/> for more details on how to manage certificates in alternative formats using CRMF <xref target="RFC4211"/> syntax. </t> <t>Also see <xref target="RFC4212"/> for more details on how to manage certificates in alternative formats using CRMF <xref target="RFC4211"/> syntax. </t>
</section> </section>
<section anchor="sect-5.2.2"> <section anchor="sect-5.2.2">
<name>Encrypted Values</name> <name>Encrypted Values</name>
<t>When encrypted data like a private key, certificate, POP challenge, or revocation passphrase is sent in PKI messages it is <bcp14>RECOMMENDED</bcp1 4> to use the EnvelopedData structure. In some cases this is accomplished by us ing the EncryptedKey data structure instead of EncryptedValue.</t> <t>When encrypted data like a private key, certificate, POP challenge, or revocation passphrase is sent in PKI messages, it is <bcp14>RECOMMENDED</bcp 14> to use the EnvelopedData structure. In some cases, this is accomplished by using the EncryptedKey data structure instead of EncryptedValue.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
EncryptedKey ::= CHOICE { EncryptedKey ::= CHOICE {
encryptedValue EncryptedValue, -- deprecated encryptedValue EncryptedValue, -- deprecated
envelopedData [0] EnvelopedData } envelopedData [0] EnvelopedData }
]]></sourcecode> ]]></sourcecode>
<t>See Certificate Request Message Format (CRMF) <xref target="RFC4211 "/> for EncryptedKey and EncryptedValue syntax and Cryptographic Message <t>See Certificate Request Message Format (CRMF) <xref target="RFC4211 "/> for EncryptedKey and EncryptedValue syntax and Cryptographic Message
Syntax (CMS) <xref target="RFC5652"/> for EnvelopedData syntax. Using the Enc ryptedKey data structure offers the Syntax (CMS) <xref target="RFC5652"/> for EnvelopedData syntax. Using the Enc ryptedKey data structure offers the
choice to either use EncryptedValue (for backward compatibility only) or choice to either use EncryptedValue (for backward compatibility only) or
EnvelopedData. The use of the EncryptedValue structure has been deprecated EnvelopedData. The use of the EncryptedValue structure has been deprecated
in favor of the EnvelopedData structure. Therefore, it is <bcp14>RECOMMENDED</b cp14> to in favor of the EnvelopedData structure. Therefore, it is <bcp14>RECOMMENDED</b cp14> to
use EnvelopedData.</t> use EnvelopedData.</t>
<t>Note: The EncryptedKey structure defined in <xref target="RFC4211"> CRMF</xref> is used here, which makes the update backward compatible. Using the new syntax <t>Note: The EncryptedKey structure defined in CRMF <xref target="RFC4 211"/> is used here, which makes the update backward compatible. Using the new s yntax
with the untagged default choice EncryptedValue is bits-on-the-wire compatible with the untagged default choice EncryptedValue is bits-on-the-wire compatible
with the old syntax.</t> with the old syntax.</t>
<t>To indicate support for EnvelopedData, the pvno cmp2021 has been in troduced. <t>To indicate support for EnvelopedData, the pvno cmp2021 has been in troduced.
Details on the usage of the protocol version number (pvno) are described in <xre f target="sect-7"/>.</t> Details on the usage of the protocol version number (pvno) are described in <xre f target="sect-7"/>.</t>
<t>The EnvelopedData structure is <bcp14>RECOMMENDED</bcp14> to use in CMP to transport a private key, <t>The EnvelopedData structure is <bcp14>RECOMMENDED</bcp14> to be use d in CMP to transport a private key,
certificate, POP challenge, or revocation passphrase in encrypted form as follow s:</t> certificate, POP challenge, or revocation passphrase in encrypted form as follow s:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>It contains only one RecipientInfo structure because the conten t is encrypted <t>It contains only one RecipientInfo structure because the conten t is encrypted
only for one recipient.</t> only for one recipient.</t>
</li> </li>
<li> <li>
<t>It may contain a private key in the AsymmetricKeyPackage struct ure (which is placed in the encryptedContentInfo field), as defined <t>It may contain a private key in the AsymmetricKeyPackage struct ure (which is placed in the encryptedContentInfo field), as defined
in <xref target="RFC5958"/>, that is wrapped in a SignedData structure, as speci fied in in <xref target="RFC5958"/>, that is wrapped in a SignedData structure, as speci fied in
Section 5 of <xref target="RFC5652"/> and <xref target="RFC8933"/>, signed by th e Key Generation Authority or CA.</t> <xref section="5" target="RFC5652"/> and <xref target="RFC8933"/>, signed by the Key Generation Authority or CA.</t>
</li> </li>
<li> <li>
<t>It may contain a certificate, POP challenge, or revocation pass phrase directly in the encryptedContent <t>It may contain a certificate, POP challenge, or revocation pass phrase directly in the encryptedContent
field.</t> field.</t>
</li> </li>
</ul> </ul>
<t>The content of the EnvelopedData structure, as specified in Section 6 of <xref target="RFC5652"/>, <t>The content of the EnvelopedData structure, as specified in <xref s ection="6" target="RFC5652"/>,
<bcp14>MUST</bcp14> be encrypted using a newly generated symmetric content-encry ption <bcp14>MUST</bcp14> be encrypted using a newly generated symmetric content-encry ption
key. This content-encryption key <bcp14>MUST</bcp14> be securely provided to the recipient key. This content-encryption key <bcp14>MUST</bcp14> be securely provided to the recipient
using one of four key management techniques.</t> using one of four key management techniques.</t>
<t>The choice of the key management technique to be used by the sender depends <t>The choice of the key management technique to be used by the sender depends
on the credential available at the recipient:</t> on the credential available at the recipient:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>recipient's certificate with an algorithm identifier and a publ ic key that supports key transport and where any given key usage extension allow s keyEncipherment: <t>recipient's certificate with an algorithm identifier and a publ ic key that supports key transport and where any given key usage extension allow s keyEncipherment:
The content-encryption key will be protected using the key transport key managem ent technique, as specified in Section 6.2.1 of <xref target="RFC5652"/>.</t> The content-encryption key will be protected using the key transport key managem ent technique, as specified in <xref section="6.2.1" target="RFC5652"/>.</t>
</li> </li>
<li> <li>
<t>recipient's certificate with an algorithm identifier and a publ ic key that supports key agreement and where any given key usage extension allow s keyAgreement: <t>recipient's certificate with an algorithm identifier and a publ ic key that supports key agreement and where any given key usage extension allow s keyAgreement:
The content-encryption key will be protected using the key agreement key managem ent technique, as specified in Section 6.2.2 of <xref target="RFC5652"/>.</t> The content-encryption key will be protected using the key agreement key managem ent technique, as specified in <xref section="6.2.2" target="RFC5652"/>.</t>
</li> </li>
<li> <li>
<t>a password or shared secret: The content-encryption key will be protected <t>a password or shared secret: The content-encryption key will be protected
using the password-based key management technique, as specified in using the password-based key management technique, as specified in
Section 6.2.4 of <xref target="RFC5652"/>.</t> <xref section="6.2.4" target="RFC5652"/>.</t>
</li> </li>
<li> <li>
<t>recipient's certificate with an algorithm identifier and a publ ic key that supports key encapsulation mechanism and where any given key usage e xtension allows keyEncipherment: The content-encryption key will be protected us ing the key management technique for KEM keys, as specified in <xref target="RFC 9629"/>.</t> <t>recipient's certificate with an algorithm identifier and a publ ic key that supports key encapsulation mechanism and where any given key usage e xtension allows keyEncipherment: The content-encryption key will be protected us ing the key management technique for KEM keys, as specified in <xref target="RFC 9629"/>.</t>
</li> </li>
</ul> </ul>
<t>Note: There are cases where the algorithm identifier, the type of t he public key, <t>Note: There are cases where the algorithm identifier, the type of t he public key,
and the key usage extension will not be sufficient to decide on the key manageme nt and the key usage extension will not be sufficient to decide on the key manageme nt
technique to use, e.g., when rsaEncryption is the algorithm identifier. In technique to use, e.g., when rsaEncryption is the algorithm identifier. In
such cases it is a matter of local policy to decide.</t> such cases, it is a matter of local policy to decide.</t>
</section> </section>
<section anchor="sect-5.2.3"> <section anchor="sect-5.2.3">
<name>Status Codes and Failure Information for PKI Messages</name> <name>Status Codes and Failure Information for PKI Messages</name>
<t>All response messages will include some status information. The <t>All response messages will include some status information. The
following values are defined.</t> following values are defined.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
PKIStatus ::= INTEGER { PKIStatus ::= INTEGER {
accepted (0), accepted (0),
grantedWithMods (1), grantedWithMods (1),
rejection (2), rejection (2),
skipping to change at line 2313 skipping to change at line 2324
} }
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.2.4"> <section anchor="sect-5.2.4">
<name>Certificate Identification</name> <name>Certificate Identification</name>
<t>In order to identify particular certificates, the CertId data <t>In order to identify particular certificates, the CertId data
structure is used.</t> structure is used.</t>
<t>See <xref target="RFC4211"/> for CertId syntax.</t> <t>See <xref target="RFC4211"/> for CertId syntax.</t>
</section> </section>
<section anchor="sect-5.2.5"> <section anchor="sect-5.2.5">
<name>Out-of-band root CA Public Key</name> <name>Out-of-Band Root CA Public Key</name>
<t>Each root CA that provides a self-signed certificate must be able t o publish its current public key via some <t>Each root CA that provides a self-signed certificate must be able t o publish its current public key via some
"out-of-band" means or together with the respective link certificate using an on line mechanism. While such mechanisms are beyond the scope of "out-of-band" means or together with the respective link certificate using an on line mechanism. While such mechanisms are beyond the scope of
this document, we define data structures that can support such this document, we define data structures that can support such
mechanisms.</t> mechanisms.</t>
<t>There are generally two methods available: Either the CA directly <t>There are generally two methods available: Either the CA directly
publishes its self-signed certificate, or this information is publishes its self-signed certificate, or this information is
available via the directory (or equivalent) and the CA publishes a available via the directory (or equivalent) and the CA publishes a
hash of this value to allow verification of its integrity before use.</t> hash of this value to allow verification of its integrity before use.</t>
<t>Note: As an alternative to out-of-band distribution of root CA publ ic keys, the CA can provide the self-signed certificate together with link certi ficates, e.g., using RootCaKeyUpdateContent (<xref target="sect-5.3.19.15"/>).</ t> <t>Note: As an alternative to out-of-band distribution of root CA publ ic keys, the CA can provide the self-signed certificate together with link certi ficates, e.g., using RootCaKeyUpdateContent (<xref target="sect-5.3.19.15"/>).</ t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
skipping to change at line 2338 skipping to change at line 2349
<li> <li>
<t>The certificate <bcp14>MUST</bcp14> be self-signed (i.e., the s ignature must be <t>The certificate <bcp14>MUST</bcp14> be self-signed (i.e., the s ignature must be
verifiable using the SubjectPublicKeyInfo field);</t> verifiable using the SubjectPublicKeyInfo field);</t>
</li> </li>
<li> <li>
<t>The subject and issuer fields <bcp14>MUST</bcp14> be identical; </t> <t>The subject and issuer fields <bcp14>MUST</bcp14> be identical; </t>
</li> </li>
<li> <li>
<t>If the subject field contains a "NULL-DN", then both subjectAlt Names and <t>If the subject field contains a "NULL-DN", then both subjectAlt Names and
issuerAltNames extensions <bcp14>MUST</bcp14> be present and have exactly the issuerAltNames extensions <bcp14>MUST</bcp14> be present and have exactly the
same value;</t> same value; and</t>
</li> </li>
<li> <li>
<t>The values of all other extensions must be suitable for a self- signed <t>The values of all other extensions must be suitable for a self- signed
certificate (e.g., key identifiers for subject and issuer must be the certificate (e.g., key identifiers for the subject and issuer must be the
same).</t> same).</t>
</li> </li>
</ul> </ul>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
OOBCertHash ::= SEQUENCE { OOBCertHash ::= SEQUENCE {
hashAlg [0] AlgorithmIdentifier OPTIONAL, hashAlg [0] AlgorithmIdentifier OPTIONAL,
certId [1] CertId OPTIONAL, certId [1] CertId OPTIONAL,
hashVal BIT STRING hashVal BIT STRING
} }
]]></sourcecode> ]]></sourcecode>
skipping to change at line 2372 skipping to change at line 2383
</section> </section>
<section anchor="sect-5.2.7"> <section anchor="sect-5.2.7">
<name>Publication Information</name> <name>Publication Information</name>
<t>Requesters may indicate that they wish the PKI to publish a <t>Requesters may indicate that they wish the PKI to publish a
certificate using the PKIPublicationInfo structure.</t> certificate using the PKIPublicationInfo structure.</t>
<t>See <xref target="RFC4211"/> for PKIPublicationInfo syntax.</t> <t>See <xref target="RFC4211"/> for PKIPublicationInfo syntax.</t>
</section> </section>
<section anchor="sect-5.2.8"> <section anchor="sect-5.2.8">
<name>Proof-of-Possession Structures</name> <name>Proof-of-Possession Structures</name>
<t>The proof-of-possession structure used is indicated in the popo fie ld <t>The proof-of-possession structure used is indicated in the popo fie ld
of type ProofOfPossession in the CertReqMsg sequence, see Section 4 of <xref tar get="RFC4211"/>.</t> of type ProofOfPossession in the CertReqMsg sequence (see <xref section="4" targ et="RFC4211"/>).</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
ProofOfPossession ::= CHOICE { ProofOfPossession ::= CHOICE {
raVerified [0] NULL, raVerified [0] NULL,
signature [1] POPOSigningKey, signature [1] POPOSigningKey,
keyEncipherment [2] POPOPrivKey, keyEncipherment [2] POPOPrivKey,
keyAgreement [3] POPOPrivKey keyAgreement [3] POPOPrivKey
} }
]]></sourcecode> ]]></sourcecode>
<section anchor="sect-5.2.8.1"> <section anchor="sect-5.2.8.1">
<name>raVerified</name> <name>raVerified</name>
<t>An EE <bcp14>MUST NOT</bcp14> use raVerified. If an RA performs c hanges to a certification request breaking the provided proof-of-possession (POP ), or if the RA requests a certificate on behalf of an EE and cannot provide the POP itself, the RA <bcp14>MUST</bcp14> use raVerified. Otherwise, it <bcp14>SHO ULD NOT</bcp14> use raVerified.</t> <t>An EE <bcp14>MUST NOT</bcp14> use raVerified. If an RA performs c hanges to a certification request breaking the provided proof-of-possession (POP ), or if the RA requests a certificate on behalf of an EE and cannot provide the POP itself, the RA <bcp14>MUST</bcp14> use raVerified. Otherwise, it <bcp14>SHO ULD NOT</bcp14> use raVerified.</t>
<t>When introducing raVerified, the RA <bcp14>MUST</bcp14> check the existing POP, or it <bcp14>MUST</bcp14> ensure by other means that the EE is th e holder of the private key. The RA <bcp14>MAY</bcp14> provide the original mess age containing the POP in the generalInfo field using the id-it-origPKIMessage, see <xref target="sect-5.1.1.3"/>, enabling the CA to verify it.</t> <t>When introducing raVerified, the RA <bcp14>MUST</bcp14> check the existing POP, or it <bcp14>MUST</bcp14> ensure by other means that the EE is th e holder of the private key. The RA <bcp14>MAY</bcp14> provide the original mess age containing the POP in the generalInfo field using the id-it-origPKIMessage ( see <xref target="sect-5.1.1.3"/>) enabling the CA to verify it.</t>
</section> </section>
<section anchor="sect-5.2.8.2"> <section anchor="sect-5.2.8.2">
<name>POPOSigningKey Structure</name> <name>POPOSigningKey Structure</name>
<t>If the certification request is for a key pair that supports sign ing (i.e., a request for a verification certificate), then the proof-of-possessi on of the private key is demonstrated through use of the POPOSigningKey structur e, for details see Section 4.1 of <xref target="RFC4211"/>.</t> <t>If the certification request is for a key pair that supports sign ing (i.e., a request for a verification certificate), then the proof-of-possessi on of the private key is demonstrated through use of the POPOSigningKey structur e; for details, see <xref section="4.1" target="RFC4211"/>.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
POPOSigningKey ::= SEQUENCE { POPOSigningKey ::= SEQUENCE {
poposkInput [0] POPOSigningKeyInput OPTIONAL, poposkInput [0] POPOSigningKeyInput OPTIONAL,
algorithmIdentifier AlgorithmIdentifier, algorithmIdentifier AlgorithmIdentifier,
signature BIT STRING signature BIT STRING
} }
POPOSigningKeyInput ::= SEQUENCE { POPOSigningKeyInput ::= SEQUENCE {
authInfo CHOICE { authInfo CHOICE {
sender [0] GeneralName, sender [0] GeneralName,
publicKeyMAC PKMACValue publicKeyMAC PKMACValue
}, },
publicKey SubjectPublicKeyInfo publicKey SubjectPublicKeyInfo
} }
PKMACValue ::= SEQUENCE { PKMACValue ::= SEQUENCE {
algId AlgorithmIdentifier, algId AlgorithmIdentifier,
value BIT STRING value BIT STRING
} }
]]></sourcecode> ]]></sourcecode>
<t>Note: For the purposes of this specification, the ASN.1 comment g <t>Note: For the purposes of this specification, the ASN.1 comment g
iven in Appendix C of <xref target="RFC4211"/> pertains not only to certTemplate iven in <xref section="C" target="RFC4211"/> pertains not only to certTemplate b
, but also to the altCertTemplate control as defined in <xref target="sect-5.2.1 ut also to the altCertTemplate control, as defined in <xref target="sect-5.2.1"/
"/>.</t> >.</t>
<t>If certTemplate (or the altCertTemplate control) contains the sub <t>If certTemplate (or the altCertTemplate control) contains the sub
ject and publicKey values, then poposkInput <bcp14>MUST</bcp14> be omitted and t ject and publicKey values, then poposkInput <bcp14>MUST</bcp14> be omitted and t
he signature <bcp14>MUST</bcp14> be computed on the DER-encoded value of certReq he signature <bcp14>MUST</bcp14> be computed on the DER-encoded value of the cer
field of the CertReqMsg (or the DER-encoded value of AltCertTemplate). If certT tReq field of the CertReqMsg (or the DER-encoded value of AltCertTemplate). If c
emplate/altCertTemplate does not contain both the subject and public key values ertTemplate/altCertTemplate does not contain both the subject and public key val
(i.e., if it contains only one of these, or neither), then poposkInput <bcp14>MU ues (i.e., if it contains only one of these or neither), then poposkInput <bcp14
ST</bcp14> be present and the signature <bcp14>MUST</bcp14> be computed on the D >MUST</bcp14> be present and the signature <bcp14>MUST</bcp14> be computed on th
ER-encoded value of poposkInput (i.e., the "value" OCTETs of the POPOSigningKeyI e DER-encoded value of poposkInput (i.e., the "value" OCTETs of the POPOSigningK
nput DER).</t> eyInput DER).</t>
<t>In the special case that the CA/RA has a DH certificate that is k nown to the EE and the certification request is for a key agreement key pair, th e EE can also use the POPOSigningKey structure (where the algorithmIdentifier fi eld is DHBasedMAC and the signature field is the MAC) for demonstrating POP.</t> <t>In the special case that the CA/RA has a DH certificate that is k nown to the EE and the certification request is for a key agreement key pair, th e EE can also use the POPOSigningKey structure (where the algorithmIdentifier fi eld is DHBasedMAC and the signature field is the MAC) for demonstrating POP.</t>
</section> </section>
<section anchor="sect-5.2.8.3"> <section anchor="sect-5.2.8.3">
<name>POPOPrivKey Structure</name> <name>POPOPrivKey Structure</name>
<t>If the certification request is for a key pair that does not supp ort signing (i.e., a request for an encryption or key agreement certificate), th en the proof-of-possession of the private key is demonstrated through use of the POPOPrivKey structure in one of the following three ways, for details see Secti on 4.2 and 4.3 of <xref target="RFC4211"/>.</t> <t>If the certification request is for a key pair that does not supp ort signing (i.e., a request for an encryption or key agreement certificate), th en the proof-of-possession of the private key is demonstrated through use of the POPOPrivKey structure in one of the following three ways; for details see Secti ons <xref target="RFC4211" section="4.2" sectionFormat="bare"/> and <xref target ="RFC4211" section="4.3" sectionFormat="bare"/> in <xref target="RFC4211"/>.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
POPOPrivKey ::= CHOICE { POPOPrivKey ::= CHOICE {
thisMessage [0] BIT STRING, -- deprecated thisMessage [0] BIT STRING, -- deprecated
subsequentMessage [1] SubsequentMessage, subsequentMessage [1] SubsequentMessage,
dhMAC [2] BIT STRING, -- deprecated dhMAC [2] BIT STRING, -- deprecated
agreeMAC [3] PKMACValue, agreeMAC [3] PKMACValue,
encryptedKey [4] EnvelopedData encryptedKey [4] EnvelopedData
} }
SubsequentMessage ::= INTEGER { SubsequentMessage ::= INTEGER {
encrCert (0), encrCert (0),
challengeResp (1) challengeResp (1)
} }
]]></sourcecode> ]]></sourcecode>
<t>When using agreeMAC or encryptedKey choices, the pvno cmp2021(3) <bcp14>MUST</bcp14> be used. Details on the usage of the protocol version number (pvno) are described in <xref target="sect-7"/>.</t> <t>When using agreeMAC or encryptedKey choices, the pvno cmp2021(3) <bcp14>MUST</bcp14> be used. Details on the usage of the protocol version number (pvno) are described in <xref target="sect-7"/>.</t>
<section anchor="sect-5.2.8.3.1"> <section anchor="sect-5.2.8.3.1">
<name>Inclusion of the Private Key</name> <name>Inclusion of the Private Key</name>
<t>This method mentioned previously in <xref target="sect-4.3"/> d emonstrates proof-of-possession of the private key by including the encrypted pr ivate key in the CertRequest in the POPOPrivKey structure or in the PKIArchiveOp tions control structure. This method <bcp14>SHALL</bcp14> only be used if archiv al of the private key is desired.</t> <t>This method mentioned previously in <xref target="sect-4.3"/> d emonstrates proof-of-possession of the private key by including the encrypted pr ivate key in the CertRequest in the POPOPrivKey structure or in the PKIArchiveOp tions control structure. This method <bcp14>SHALL</bcp14> only be used if archiv al of the private key is desired.</t>
<t>For a certification request message indicating cmp2021(3) in th e pvno field of the PKIHeader, the encrypted private key <bcp14>MUST</bcp14> be transferred in the encryptedKey choice of POPOPrivKey (or within the PKIArchiveO ptions control) in a CMS EnvelopedData structure as defined in <xref target="sec t-5.2.2"/>.</t> <t>For a certification request message indicating cmp2021(3) in th e pvno field of the PKIHeader, the encrypted private key <bcp14>MUST</bcp14> be transferred in the encryptedKey choice of POPOPrivKey (or within the PKIArchiveO ptions control) in a CMS EnvelopedData structure, as defined in <xref target="se ct-5.2.2"/>.</t>
<t>Note: The thisMessage choice has been deprecated in favor of en cryptedKey. When using cmp2000(2) in the certification request message header f or backward compatibility, the thisMessage choice of POPOPrivKey is used contain ing the encrypted private key in an EncryptedValue structure wrapped in a BIT ST RING. This allows the necessary conveyance and protection of the private key wh ile maintaining bits-on-the-wire compatibility with <xref target="RFC4211"/>.</t > <t>Note: The thisMessage choice has been deprecated in favor of en cryptedKey. When using cmp2000(2) in the certification request message header f or backward compatibility, the thisMessage choice of POPOPrivKey is used contain ing the encrypted private key in an EncryptedValue structure wrapped in a BIT ST RING. This allows the necessary conveyance and protection of the private key wh ile maintaining bits-on-the-wire compatibility with <xref target="RFC4211"/>.</t >
</section> </section>
<section anchor="sect-5.2.8.3.2"> <section anchor="sect-5.2.8.3.2">
<name>Indirect Method - Encrypted Certificate</name> <name>Indirect Method - Encrypted Certificate</name>
<t>The indirect method mentioned previously in <xref target="sect- 4.3"/> demonstrates proof-of-possession of the private key by having the CA retu rn the requested certificate in encrypted form, see <xref target="sect-5.2.2"/>. This method is indicated in the CertRequest by requesting the encrCert option in the subsequentMessage choice of POPOPrivKey.</t> <t>The indirect method mentioned previously in <xref target="sect- 4.3"/> demonstrates proof-of-possession of the private key by having the CA retu rn the requested certificate in encrypted form (see <xref target="sect-5.2.2"/>) . This method is indicated in the CertRequest by requesting the encrCert option in the subsequentMessage choice of POPOPrivKey.</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" vers ion="1.1" height="128" width="264" viewBox="0 0 264 128" class="diagram" text-an chor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" vers ion="1.1" height="128" width="264" viewBox="0 0 264 128" class="diagram" text-an chor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 16,48 L 40,48" fill="none" stroke="black"/> <path d="M 16,48 L 40,48" fill="none" stroke="black"/>
<path d="M 192,48 L 224,48" fill="none" stroke="black"/> <path d="M 192,48 L 224,48" fill="none" stroke="black"/>
<path d="M 16,64 L 40,64" fill="none" stroke="black"/> <path d="M 16,64 L 40,64" fill="none" stroke="black"/>
<path d="M 192,64 L 224,64" fill="none" stroke="black"/> <path d="M 192,64 L 224,64" fill="none" stroke="black"/>
<path d="M 16,80 L 40,80" fill="none" stroke="black"/> <path d="M 16,80 L 40,80" fill="none" stroke="black"/>
<path d="M 192,80 L 224,80" fill="none" stroke="black"/> <path d="M 192,80 L 224,80" fill="none" stroke="black"/>
<path d="M 16,96 L 40,96" fill="none" stroke="black"/> <path d="M 16,96 L 40,96" fill="none" stroke="black"/>
<path d="M 192,96 L 224,96" fill="none" stroke="black"/> <path d="M 192,96 L 224,96" fill="none" stroke="black"/>
skipping to change at line 2476 skipping to change at line 2487
</svg> </svg>
</artwork> </artwork>
<artwork type="ascii-art"><![CDATA[ <artwork type="ascii-art"><![CDATA[
EE RA/CA EE RA/CA
---- req ----> ---- req ---->
<--- rep (enc cert) ----- <--- rep (enc cert) -----
---- conf (cert hash) ----> ---- conf (cert hash) ---->
<--- ack ----- <--- ack -----
]]></artwork> ]]></artwork>
</artset> </artset>
<t>The end entity proves knowledge of the private key to the CA by <t>The end entity proves knowledge of the private key to the CA by
providing the correct CertHash for this certificate in the certConf message. Th providing the correct CertHash for this certificate in the certConf message. Th
is demonstrates POP because the EE can only compute the correct CertHash if it i is demonstrates POP because the EE can only compute the correct CertHash if it i
s able to recover the encrypted certificate, and it can only recover the certifi s able to recover the encrypted certificate, and it can only recover the certifi
cate if it is able to obtain the symmetric key using the required private key. C cate if it is able to obtain the symmetric key using the required private key. C
learly, for this to work, the CA <bcp14>MUST NOT</bcp14> publish the certificate learly, for this to work, the CA <bcp14>MUST NOT</bcp14> publish the certificate
until the certConf message arrives (when certHash is to be used to demonstrate until the certConf message arrives (when certHash is to be used to demonstrate
POP). See <xref target="sect-5.3.18"/> for further details and see <xref target= POP). See <xref target="sect-5.3.18"/> for further details, and see <xref target
"sect-8.11"/> for security considerations regarding use of Certificate Transpare ="sect-8.11"/> for security considerations regarding use of Certificate Transpar
ncy logs.</t> ency logs.</t>
<t>The recipient <bcp14>SHOULD</bcp14> maintain a context of the P <t>The recipient <bcp14>SHOULD</bcp14> maintain a context of the P
KI management operation, e.g., using transactionID and certReqId, to identify th KI management operation, e.g., using transactionID and certReqId, to identify th
e private key to use when decrypting the EnvelopedData containing the newly issu e private key to use when decrypting the EnvelopedData containing the newly issu
ed certificate. The recipient may be unable to use the RecipientInfo structure a ed certificate. The recipient may be unable to use the RecipientInfo structure a
s it refers to the certificate that is still encrypted. The sender <bcp14>MUST</ s it refers to the certificate that is still encrypted. The sender <bcp14>MUST</
bcp14> populate the rid field as specified by CMS and the client <bcp14>MAY</bcp bcp14> populate the rid field as specified by CMS, and the client <bcp14>MAY</bc
14> ignore it.</t> p14> ignore it.</t>
</section> </section>
<section anchor="sect-5.2.8.3.3"> <section anchor="sect-5.2.8.3.3">
<name>Direct Method - Challenge-Response Protocol</name> <name>Direct Method - Challenge-Response Protocol</name>
<t>The direct method mentioned previously in <xref target="sect-4. 3"/> demonstrates proof-of-possession of the private key by having the end entit y engage in a challenge-response protocol (using the messages popdecc of type PO PODecKeyChall and popdecr of type POPODecKeyResp; see below) between CertReqMess ages and CertRepMessage. This method is indicated in the CertRequest by requesti ng the challengeResp option in the subsequentMessage choice of POPOPrivKey.</t> <t>The direct method mentioned previously in <xref target="sect-4. 3"/> demonstrates proof-of-possession of the private key by having the end entit y engage in a challenge-response protocol (using the messages popdecc of type PO PODecKeyChall and popdecr of type POPODecKeyResp; see below) between CertReqMess ages and CertRepMessage. This method is indicated in the CertRequest by requesti ng the challengeResp option in the subsequentMessage choice of POPOPrivKey.</t>
<t>Note: This method would typically be used in an environment in which an RA verifies POP and then makes a certification request to the CA on beh alf of the end entity. In such a scenario, the CA trusts the RA to have done POP correctly before the RA requests a certificate for the end entity.</t> <t>Note: This method would typically be used in an environment in which an RA verifies POP and then makes a certification request to the CA on beh alf of the end entity. In such a scenario, the CA trusts the RA to have done POP correctly before the RA requests a certificate for the end entity.</t>
<t>The complete protocol then looks as follows (note that req' doe s not necessarily encapsulate req as a nested message):</t> <t>The complete protocol then looks as follows (note that req' doe s not necessarily encapsulate req as a nested message):</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" vers ion="1.1" height="224" width="248" viewBox="0 0 248 224" class="diagram" text-an chor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" vers ion="1.1" height="224" width="248" viewBox="0 0 248 224" class="diagram" text-an chor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 16,48 L 40,48" fill="none" stroke="black"/> <path d="M 16,48 L 40,48" fill="none" stroke="black"/>
<path d="M 88,48 L 120,48" fill="none" stroke="black"/> <path d="M 88,48 L 120,48" fill="none" stroke="black"/>
skipping to change at line 2547 skipping to change at line 2558
---- resp ---> ---- resp --->
---- req' ---> ---- req' --->
<--- rep ----- <--- rep -----
---- conf ---> ---- conf --->
<--- ack ----- <--- ack -----
<--- rep ----- <--- rep -----
---- conf ---> ---- conf --->
<--- ack ----- <--- ack -----
]]></artwork> ]]></artwork>
</artset> </artset>
<t>This protocol is obviously much longer than the exchange given in <xref target="sect-5.2.8.3.2"/> above, but allows a local Registration Author ity to be involved and has the property that the certificate itself is not actua lly created until the proof-of-possession is complete. In some environments, a d ifferent order of the above messages may be required, such as the following (thi s may be determined by policy):</t> <t>This protocol is obviously much longer than the exchange given in <xref target="sect-5.2.8.3.2"/> above but allows a local Registration Authori ty to be involved and has the property that the certificate itself is not actual ly created until the proof-of-possession is complete. In some environments, a di fferent order of the above messages may be required, such as the following (this may be determined by policy):</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" vers ion="1.1" height="224" width="248" viewBox="0 0 248 224" class="diagram" text-an chor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" vers ion="1.1" height="224" width="248" viewBox="0 0 248 224" class="diagram" text-an chor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 16,48 L 40,48" fill="none" stroke="black"/> <path d="M 16,48 L 40,48" fill="none" stroke="black"/>
<path d="M 88,48 L 120,48" fill="none" stroke="black"/> <path d="M 88,48 L 120,48" fill="none" stroke="black"/>
<path d="M 16,64 L 40,64" fill="none" stroke="black"/> <path d="M 16,64 L 40,64" fill="none" stroke="black"/>
<path d="M 104,64 L 120,64" fill="none" stroke="black"/> <path d="M 104,64 L 120,64" fill="none" stroke="black"/>
<path d="M 16,80 L 40,80" fill="none" stroke="black"/> <path d="M 16,80 L 40,80" fill="none" stroke="black"/>
<path d="M 96,80 L 120,80" fill="none" stroke="black"/> <path d="M 96,80 L 120,80" fill="none" stroke="black"/>
<path d="M 128,96 L 152,96" fill="none" stroke="black"/> <path d="M 128,96 L 152,96" fill="none" stroke="black"/>
<path d="M 208,96 L 232,96" fill="none" stroke="black"/> <path d="M 208,96 L 232,96" fill="none" stroke="black"/>
skipping to change at line 2611 skipping to change at line 2622
---- resp ---> ---- resp --->
---- req' ---> ---- req' --->
<--- rep ----- <--- rep -----
<--- rep ----- <--- rep -----
---- conf ---> ---- conf --->
---- conf ---> ---- conf --->
<--- ack ----- <--- ack -----
<--- ack ----- <--- ack -----
]]></artwork> ]]></artwork>
</artset> </artset>
<t>The challenge-response messages for proof-of-possession of a pr ivate key are specified as follows (for decryption keys see <xref target="MvOV97 "/>, p.404 for details). This challenge-response exchange is associated with th e preceding certification request message (and subsequent certification response and confirmation messages) by the transactionID used in the PKIHeader and by th e protection applied to the PKIMessage.</t> <t>The challenge-response messages for proof-of-possession of a pr ivate key are specified as follows (for decryption keys, see <xref target="MvOV9 7"/>, p.404 for details). This challenge-response exchange is associated with t he preceding certification request message (and subsequent certification respons e and confirmation messages) by the transactionID used in the PKIHeader and by t he protection applied to the PKIMessage.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
POPODecKeyChallContent ::= SEQUENCE OF Challenge POPODecKeyChallContent ::= SEQUENCE OF Challenge
Challenge ::= SEQUENCE { Challenge ::= SEQUENCE {
owf AlgorithmIdentifier OPTIONAL, owf AlgorithmIdentifier OPTIONAL,
witness OCTET STRING, witness OCTET STRING,
challenge OCTET STRING, -- deprecated challenge OCTET STRING, -- deprecated
encryptedRand [0] EnvelopedData OPTIONAL encryptedRand [0] EnvelopedData OPTIONAL
} }
Rand ::= SEQUENCE { Rand ::= SEQUENCE {
int INTEGER, int INTEGER,
sender GeneralName sender GeneralName
} }
]]></sourcecode> ]]></sourcecode>
<t>More details on the fields in this syntax is available in <xref target="sect-f"/>.</t> <t>More details on the fields in this syntax are available in <xre f target="sect-f"/>.</t>
<t>For a popdecc message indicating cmp2021(3) in the pvno field o f the PKIHeader, the encryption of Rand <bcp14>MUST</bcp14> be transferred in th e encryptedRand field in a CMS EnvelopedData structure as defined in <xref targe t="sect-5.2.2"/>. The challenge field <bcp14>MUST</bcp14> contain an empty OCTE T STRING.</t> <t>For a popdecc message indicating cmp2021(3) in the pvno field o f the PKIHeader, the encryption of Rand <bcp14>MUST</bcp14> be transferred in th e encryptedRand field in a CMS EnvelopedData structure as defined in <xref targe t="sect-5.2.2"/>. The challenge field <bcp14>MUST</bcp14> contain an empty OCTE T STRING.</t>
<t>The recipient <bcp14>SHOULD</bcp14> maintain a context of the P KI management operation, e.g., using transactionID and certReqId, to identify th e private key to use when decrypting encryptedRand. The sender <bcp14>MUST</bcp1 4> populate the rid field in the EnvelopedData sequence using the issuerAndSeria lNumber choice containing a NULL-DN as issuer and the certReqId as serialNumber. The client <bcp14>MAY</bcp14> ignore the rid field.</t> <t>The recipient <bcp14>SHOULD</bcp14> maintain a context of the P KI management operation, e.g., using transactionID and certReqId, to identify th e private key to use when decrypting encryptedRand. The sender <bcp14>MUST</bcp1 4> populate the rid field in the EnvelopedData sequence using the issuerAndSeria lNumber choice containing a NULL-DN as issuer and the certReqId as serialNumber. The client <bcp14>MAY</bcp14> ignore the rid field.</t>
<t>Note: The challenge field has been deprecated in favor of encry ptedRand. When using cmp2000(2) in the popdecc message header for backward comp atibility, the challenge field <bcp14>MUST</bcp14> contain the encryption (invol ving the public key for which the certification request is being made) of Rand a nd encryptedRand <bcp14>MUST</bcp14> be omitted. Using challenge (omitting the optional encryptedRand field) is bit-compatible with <xref target="RFC4210"/>. N ote that the size of Rand, when used with challenge, needs to be appropriate for encryption, involving the public key of the requester. If, in some environment, names are so long that they cannot fit (e.g., very long DNs), then whatever por tion will fit should be used (as long as it includes at least the common name, a nd as long as the receiver is able to deal meaningfully with the abbreviation).< /t> <t>Note: The challenge field has been deprecated in favor of encry ptedRand. When using cmp2000(2) in the popdecc message header for backward comp atibility, the challenge field <bcp14>MUST</bcp14> contain the encryption (invol ving the public key for which the certification request is being made) of Rand a nd encryptedRand <bcp14>MUST</bcp14> be omitted. Using challenge (omitting the optional encryptedRand field) is bit-compatible with <xref target="RFC4210"/>. N ote that the size of Rand, when used with challenge, needs to be appropriate for encryption, involving the public key of the requester. If, in some environment, names are so long that they cannot fit (e.g., very long DNs), then whatever por tion will fit should be used (as long as it includes at least the common name, a nd as long as the receiver is able to deal meaningfully with the abbreviation).< /t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
POPODecKeyRespContent ::= SEQUENCE OF INTEGER POPODecKeyRespContent ::= SEQUENCE OF INTEGER
]]></sourcecode> ]]></sourcecode>
<t>On receiving the popdecc message, the end entity decrypts all i ncluded challenges <t>On receiving the popdecc message, the end entity decrypts all i ncluded challenges
and responds with a popdecr message containing the decrypted integer values in t he same order.</t> and responds with a popdecr message containing the decrypted integer values in t he same order.</t>
</section> </section>
</section> </section>
<section anchor="sect-5.2.8.4"> <section anchor="sect-5.2.8.4">
<name>Summary of PoP Options</name> <name>Summary of POP Options</name>
<t>The text in this section provides several options with respect to POP techniques. Using "SK" for "signing key", "EK" for "encryption key", "KAK" for "key agreement key", and "KEMK" for "key encapsulation mechanism key", the t echniques may be summarized as follows:</t> <t>The text in this section provides several options with respect to POP techniques. Using "SK" for "signing key", "EK" for "encryption key", "KAK" for "key agreement key", and "KEMK" for "key encapsulation mechanism key", the t echniques may be summarized as follows:</t>
<artwork><![CDATA[
RAVerified; <ul empty="true" spacing="compact">
SKPOP; <li> RAVerified;</li>
EKPOPThisMessage; -- deprecated <li> SKPOP;</li>
KAKPOPThisMessage; -- deprecated <li> EKPOPThisMessage; -- deprecated</li>
EKPOPEncryptedKey; <li> KAKPOPThisMessage; -- deprecated</li>
KAKPOPEncryptedKey; <li> EKPOPEncryptedKey;</li>
KEMKPOPEncryptedKey; <li> KAKPOPEncryptedKey;</li>
KAKPOPThisMessageDHMAC; <li> KEMKPOPEncryptedKey;</li>
EKPOPEncryptedCert; <li> KAKPOPThisMessageDHMAC;</li>
KAKPOPEncryptedCert; <li> EKPOPEncryptedCert;</li>
KEMKPOPEncryptedCert; <li> KAKPOPEncryptedCert;</li>
EKPOPChallengeResp; <li> KEMKPOPEncryptedCert;</li>
KAKPOPChallengeResp; and <li> EKPOPChallengeResp;</li>
KEMKPOPChallengeResp. <li> KAKPOPChallengeResp; and</li>
]]></artwork> <li> KEMKPOPChallengeResp.</li>
</ul>
<t>Given this array of options, it is natural to ask how an end enti ty can know what is supported by the CA/RA (i.e., which options it may use when requesting certificates). The following guidelines should clarify this situation for EE implementers.</t> <t>Given this array of options, it is natural to ask how an end enti ty can know what is supported by the CA/RA (i.e., which options it may use when requesting certificates). The following guidelines should clarify this situation for EE implementers.</t>
<t>RAVerified: This is not an EE decision; the RA uses this if and o
nly if it has verified POP before forwarding the request on to the CA, so it is <ul spacing="normal">
not possible for the EE to choose this technique.</t> <li>RAVerified: This is not an EE decision; the RA uses this if
<t>SKPOP: If the EE has a signing key pair, this is the only POP met and only if it has verified POP before forwarding the request on
hod specified for use in the request for a corresponding certificate.</t> to the CA, so it is not possible for the EE to choose this
<t>EKPOPThisMessage (deprecated), KAKPOPThisMessage (deprecated), EK technique.</li>
POPEncryptedKey, KAKPOPEncryptedKey, KEMKPOPEncryptedKey: Whether or not to give <li>SKPOP: If the EE has a signing key pair, this is the only POP
up its private key to the CA/RA is an EE decision. If the EE decides to reveal method specified for use in the request for a corresponding
its key, then these are the only POP methods available in this specification to certificate.</li>
achieve this (and the key pair type and protocol version used will determine whi <li>EKPOPThisMessage (deprecated), KAKPOPThisMessage
ch of these methods to use). The reason for deprecating EKPOPThisMessage and KA (deprecated), EKPOPEncryptedKey, KAKPOPEncryptedKey,
KPOPThisMessage options has been given in <xref target="sect-5.2.8.3.1"/>.</t> KEMKPOPEncryptedKey: Whether or not to give up its private key
<t>KAKPOPThisMessageDHMAC: The EE can only use this method if (1) th to the CA/RA is an EE decision. If the EE decides to reveal its
e CA/RA has a DH certificate available for this purpose, and (2) the EE already key, then these are the only POP methods available in this
has a copy of this certificate. If both these conditions hold, then this techniq specification to achieve this (and the key pair type and
ue is clearly supported and may be used by the EE, if desired.</t> protocol version used will determine which of these methods to
<t>EKPOPEncryptedCert, KAKPOPEncryptedCert, KEMKPOPEncryptedCert, EK use). The reason for deprecating EKPOPThisMessage and
POPChallengeResp, KAKPOPChallengeResp, and KEMKPOPChallengeResp: The EE picks on KAKPOPThisMessage options has been given in <xref
e of these (in the subsequentMessage field) in the request message, depending up target="sect-5.2.8.3.1"/>.</li>
on preference and key pair type. The EE is not doing POP at this point; it is si <li>KAKPOPThisMessageDHMAC: The EE can only use this method if
mply indicating which method it wants to use. Therefore, if the CA/RA replies wi (1) the CA/RA has a DH certificate available for this purpose
th a "badPOP" error, the EE can re-request using the other POP method chosen in and (2) the EE already has a copy of this certificate. If both
subsequentMessage. Note, however, that this specification encourages the use of these conditions hold, then this technique is clearly supported
the EncryptedCert choice and, furthermore, says that the challenge-response woul and may be used by the EE, if desired.</li>
d typically be used when an RA is involved and doing POP verification. Thus, the <li>EKPOPEncryptedCert, KAKPOPEncryptedCert,
EE should be able to make an intelligent decision regarding which of these POP KEMKPOPEncryptedCert, EKPOPChallengeResp, KAKPOPChallengeResp,
methods to choose in the request message.</t> and KEMKPOPChallengeResp: The EE picks one of these (in the
subsequentMessage field) in the request message, depending upon
preference and key pair type. The EE is not doing POP at this
point; it is simply indicating which method it wants to
use. Therefore, if the CA/RA replies with a "badPOP" error, the
EE can re-request using the other POP method chosen in
subsequentMessage. Note, however, that this specification
encourages the use of the EncryptedCert choice and, furthermore,
says that the challenge-response would typically be used when an
RA is involved and doing POP verification. Thus, the EE should
be able to make an intelligent decision regarding which of these
POP methods to choose in the request message.</li>
</ul>
</section> </section>
</section> </section>
<section anchor="sect-5.2.9"> <section anchor="sect-5.2.9">
<name>GeneralizedTime</name> <name>GeneralizedTime</name>
<t>GeneralizedTime is a standard ASN.1 type and <bcp14>SHALL</bcp14> b e used as specified in Section 4.1.2.5.2 of <xref target="RFC5280"/>.</t> <t>GeneralizedTime is a standard ASN.1 type and <bcp14>SHALL</bcp14> b e used as specified in <xref section="4.1.2.5.2" target="RFC5280"/>.</t>
</section> </section>
</section> </section>
<section anchor="sect-5.3"> <section anchor="sect-5.3">
<name>Operation-Specific Data Structures</name> <name>Operation-Specific Data Structures</name>
<section anchor="sect-5.3.1"> <section anchor="sect-5.3.1">
<name>Initialization Request</name> <name>Initialization Request</name>
<t>An Initialization request message contains as the PKIBody a <t>An Initialization request message contains as the PKIBody a
CertReqMessages data structure, which specifies the requested CertReqMessages data structure, which specifies the requested
certificate(s). Typically, SubjectPublicKeyInfo, KeyId, and Validity certificate(s). Typically, SubjectPublicKeyInfo, KeyId, and Validity
are the template fields which may be supplied for each certificate are the template fields that may be supplied for each certificate
requested (see the profiles defined in <xref target="RFC9483"/> Section 4.1.1, < requested (see the profiles defined in <xref section="4.1.1" target="RFC9483"/>
xref target="sect-c.4"/> and Appendices <xref target="sect-c.4" format="counter"/>
and <xref target="sect-d.7"/> for further information). This and <xref target="sect-d.7" format="counter"/> for further information). This
message is intended to be used for entities when first initializing message is intended to be used for entities when first initializing
into the PKI.</t> into the PKI.</t>
<t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t> <t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t>
</section> </section>
<section anchor="sect-5.3.2"> <section anchor="sect-5.3.2">
<name>Initialization Response</name> <name>Initialization Response</name>
<t>An Initialization response message contains as the PKIBody a <t>An Initialization response message contains as the PKIBody a
CertRepMessage data structure, which has for each certificate CertRepMessage data structure, which has for each certificate
requested a PKIStatusInfo field, a subject certificate, and possibly requested a PKIStatusInfo field, a subject certificate, and possibly
a private key (normally encrypted using EnvelopedData, see <xref target="RFC9483 a private key (normally encrypted using EnvelopedData; see <xref section="4.1.6"
"/> Section target="RFC9483"/> for further information).</t>
4.1.6 for further information).</t>
<t>See <xref target="sect-5.3.4"/> for CertRepMessage syntax. Note th at if the PKI <t>See <xref target="sect-5.3.4"/> for CertRepMessage syntax. Note th at if the PKI
Message Protection is "shared secret information" (see <xref target="sect-5.1.3. 1"/>), message protection is "shared secret information" (see <xref target="sect-5.1.3. 1"/>),
then any certificate transported in the caPubs field may be then any certificate transported in the caPubs field may be
directly trusted as a root CA certificate by the initiator.</t> directly trusted as a root CA certificate by the initiator.</t>
</section> </section>
<section anchor="sect-5.3.3"> <section anchor="sect-5.3.3">
<name>Certification Request</name> <name>Certification Request</name>
<t>A Certification request message contains as the PKIBody a <t>A Certification request message contains as the PKIBody a
CertReqMessages data structure, which specifies the requested CertReqMessages data structure, which specifies the requested
certificates (see the profiles defined in <xref target="RFC9483"/> Section 4.1.2 and <xref target="sect-c.2"/> certificates (see the profiles defined in <xref section="4.1.2" target="RFC9483" /> and <xref target="sect-c.2"/>
for further information). This message is intended to be used for existing PKI for further information). This message is intended to be used for existing PKI
entities who wish to obtain additional certificates.</t> entities who wish to obtain additional certificates.</t>
<t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t> <t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t>
<t>Alternatively, the PKIBody <bcp14>MAY</bcp14> be a CertificationReq uest (this <t>Alternatively, the PKIBody <bcp14>MAY</bcp14> be a CertificationReq uest (this
structure is fully specified by the ASN.1 structure structure is fully specified by the ASN.1 structure
CertificationRequest given in <xref target="RFC2986"/>, see the profiles defined CertificationRequest given in <xref target="RFC2986"/>; see the profiles defined
in in
<xref target="RFC9483"/> Section 4.1.4 for further information). <xref section="4.1.4" target="RFC9483"/> for further information).
This structure may be This structure may be
required for certificate requests for signing key pairs when required for certificate requests for signing key pairs when
interoperation with legacy systems is desired, but its use is interoperation with legacy systems is desired, but its use is
strongly discouraged whenever not absolutely necessary.</t> strongly discouraged whenever not absolutely necessary.</t>
</section> </section>
<section anchor="sect-5.3.4"> <section anchor="sect-5.3.4">
<name>Certification Response</name> <name>Certification Response</name>
<t>A Certification response message contains as the PKIBody a <t>A Certification response message contains as the PKIBody a
CertRepMessage data structure, which has a status value for each CertRepMessage data structure, which has a status value for each
certificate requested, and optionally has a CA public key, failure certificate requested and optionally has a CA public key, failure
information, a subject certificate, and an encrypted private key.</t> information, a subject certificate, and an encrypted private key.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
CertRepMessage ::= SEQUENCE { CertRepMessage ::= SEQUENCE {
caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
OPTIONAL, OPTIONAL,
response SEQUENCE OF CertResponse response SEQUENCE OF CertResponse
} }
CertResponse ::= SEQUENCE { CertResponse ::= SEQUENCE {
certReqId INTEGER, certReqId INTEGER,
skipping to change at line 2748 skipping to change at line 2793
-- See [RFC4211] for comments on encoding. -- See [RFC4211] for comments on encoding.
publicationInfo [1] PKIPublicationInfo OPTIONAL publicationInfo [1] PKIPublicationInfo OPTIONAL
} }
CertOrEncCert ::= CHOICE { CertOrEncCert ::= CHOICE {
certificate [0] CMPCertificate, certificate [0] CMPCertificate,
encryptedCert [1] EncryptedKey encryptedCert [1] EncryptedKey
} }
]]></sourcecode> ]]></sourcecode>
<t>A p10cr message contains exactly one CertificationRequestInfo data structure, <t>A p10cr message contains exactly one CertificationRequestInfo data structure,
as specified in PKCS#10 <xref target="RFC2986"/>, but no certReqId. as specified in PKCS #10 <xref target="RFC2986"/>, but no certReqId.
Therefore, the certReqId in the corresponding Certification Therefore, the certReqId in the corresponding Certification
Response (cp) message <bcp14>MUST</bcp14> be set to -1.</t> Response (cp) message <bcp14>MUST</bcp14> be set to -1.</t>
<t>Only one of the failInfo (in PKIStatusInfo) and certificate (in <t>Only one of the failInfo (in PKIStatusInfo) and certificate (in
CertifiedKeyPair) fields can be present in each CertResponse CertifiedKeyPair) fields can be present in each CertResponse
(depending on the status). For some status values (e.g., waiting), (depending on the status). For some status values (e.g., waiting),
neither of the optional fields will be present.</t> neither of the optional fields will be present.</t>
<t>Given an EncryptedCert and the relevant decryption key, the <t>Given an EncryptedCert and the relevant decryption key, the
certificate may be obtained. The purpose of this is to allow a CA to certificate may be obtained. The purpose of this is to allow a CA to
return the value of a certificate, but with the constraint that only return the value of a certificate but with the constraint that only
the intended recipient can obtain the actual certificate. The the intended recipient can obtain the actual certificate. The
benefit of this approach is that a CA may reply with a certificate benefit of this approach is that a CA may reply with a certificate
even in the absence of a proof that the requester is the end entity even in the absence of proof that the requester is the end entity
that can use the relevant private key (note that the proof is not that can use the relevant private key (note that the proof is not
obtained until the certConf message is received by the CA). Thus, obtained until the certConf message is received by the CA). Thus,
the CA will not have to revoke that certificate in the event that the CA will not have to revoke that certificate in the event that
something goes wrong with the proof-of-possession (but <bcp14>MAY</bcp14> do so something goes wrong with the proof-of-possession (but <bcp14>MAY</bcp14> do so
anyway, depending upon policy).</t> anyway, depending upon policy).</t>
<t>The use of EncryptedKey is described in <xref target="sect-5.2.2"/> .</t> <t>The use of EncryptedKey is described in <xref target="sect-5.2.2"/> .</t>
<t>Note: To indicate support for EnvelopedData, the pvno cmp2021 has b een <t>Note: To indicate support for EnvelopedData, the pvno cmp2021 has b een
introduced. Details on the usage of different protocol version introduced. Details on the usage of different protocol version
numbers (pvno) are described in <xref target="sect-7"/>.</t> numbers (pvnos) are described in <xref target="sect-7"/>.</t>
</section> </section>
<section anchor="sect-5.3.5"> <section anchor="sect-5.3.5">
<name>Key Update Request Content</name> <name>Key Update Request Content</name>
<t>For key update requests the CertReqMessages syntax is used. <t>For key update requests, the CertReqMessages syntax is used.
Typically, SubjectPublicKeyInfo, KeyId, and Validity are the template Typically, SubjectPublicKeyInfo, KeyId, and Validity are the template
fields that may be supplied for each key to be updated (see the profiles fields that may be supplied for each key to be updated (see the profiles
defined in <xref target="RFC9483"/> Section 4.1.3 and <xref target="sect-c.6"/> for further information). defined in <xref section="4.1.3" target="RFC9483"/> and <xref target="sect-c.6"/ > for further information).
This message This message
is intended to be used to request updates to existing (non-revoked is intended to be used to request updates to existing (non-revoked
and non-expired) certificates (therefore, it is sometimes referred to and non-expired) certificates (therefore, it is sometimes referred to
as a "Certificate Update" operation). An update is a replacement as a "Certificate Update" operation). An update is a replacement
certificate containing either a new subject public key or the current certificate containing either a new subject public key or the current
subject public key (although the latter practice may not be subject public key (although the latter practice may not be
appropriate for some environments).</t> appropriate for some environments).</t>
<t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t> <t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t>
</section> </section>
<section anchor="sect-5.3.6"> <section anchor="sect-5.3.6">
<name>Key Update Response Content</name> <name>Key Update Response Content</name>
<t>For key update responses, the CertRepMessage syntax is used. The <t>For key update responses, the CertRepMessage syntax is used. The
response is identical to the initialization response.</t> response is identical to the initialization response.</t>
<t>See <xref target="sect-5.3.4"/> for CertRepMessage syntax.</t> <t>See <xref target="sect-5.3.4"/> for CertRepMessage syntax.</t>
</section> </section>
<section anchor="sect-5.3.7"> <section anchor="sect-5.3.7">
<name>Key Recovery Request Content</name> <name>Key Recovery Request Content</name>
<t>For key recovery requests the syntax used is identical to the <t>For key recovery requests, the syntax used is identical to the
initialization request CertReqMessages. Typically, initialization request CertReqMessages. Typically,
SubjectPublicKeyInfo and KeyId are the template fields that may be SubjectPublicKeyInfo and KeyId are the template fields that may be
used to supply a signature public key for which a certificate is used to supply a signature public key for which a certificate is
required.</t> required.</t>
<t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax. Note that if a <t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax. Note that if a
key history is required, the requester must supply a Protocol key history is required, the requester must supply a Protocol
Encryption Key control in the request message.</t> Encryption Key control in the request message.</t>
</section> </section>
<section anchor="sect-5.3.8"> <section anchor="sect-5.3.8">
<name>Key Recovery Response Content</name> <name>Key Recovery Response Content</name>
<t>For key recovery responses, the following syntax is used. For some <t>For key recovery responses, the following syntax is used. For some
status values (e.g., waiting) none of the optional fields will be status values (e.g., waiting), none of the optional fields will be
present.</t> present.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
KeyRecRepContent ::= SEQUENCE { KeyRecRepContent ::= SEQUENCE {
status PKIStatusInfo, status PKIStatusInfo,
newSigCert [0] Certificate OPTIONAL, newSigCert [0] Certificate OPTIONAL,
caCerts [1] SEQUENCE SIZE (1..MAX) OF caCerts [1] SEQUENCE SIZE (1..MAX) OF
Certificate OPTIONAL, Certificate OPTIONAL,
keyPairHist [2] SEQUENCE SIZE (1..MAX) OF keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
CertifiedKeyPair OPTIONAL CertifiedKeyPair OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.9"> <section anchor="sect-5.3.9">
<name>Revocation Request Content</name> <name>Revocation Request Content</name>
<t>When requesting revocation of a certificate (or several <t>When requesting revocation of a certificate (or several
certificates), the following data structure is used (see the profiles defined certificates), the following data structure is used (see the profiles defined
in <xref target="RFC9483"/> Section 4.2 for further information). The name of t he in <xref section="4.2" target="RFC9483"/> for further information). The name of the
requester is present in the PKIHeader structure.</t> requester is present in the PKIHeader structure.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
RevReqContent ::= SEQUENCE OF RevDetails RevReqContent ::= SEQUENCE OF RevDetails
RevDetails ::= SEQUENCE { RevDetails ::= SEQUENCE {
certDetails CertTemplate, certDetails CertTemplate,
crlEntryDetails Extensions OPTIONAL crlEntryDetails Extensions OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
</section> </section>
skipping to change at line 2850 skipping to change at line 2895
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
RevRepContent ::= SEQUENCE { RevRepContent ::= SEQUENCE {
status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL, revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList
OPTIONAL OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.11"> <section anchor="sect-5.3.11">
<name>Cross Certification Request Content</name> <name>Cross-Certification Request Content</name>
<t>Cross certification requests use the same syntax (CertReqMessages) <t>Cross-certification requests use the same syntax (CertReqMessages)
as as
normal certification requests, with the restriction that the key pair normal certification requests, with the restriction that the key pair
<bcp14>MUST</bcp14> have been generated by the requesting CA and the private key <bcp14>MUST</bcp14> have been generated by the requesting CA and the private key
<bcp14>MUST NOT</bcp14> be sent to the responding CA (see the profiles defined i n <xref target="sect-d.6"/> <bcp14>MUST NOT</bcp14> be sent to the responding CA (see the profiles defined i n <xref target="sect-d.6"/>
for further information). This request <bcp14>MAY</bcp14> also be used for further information). This request <bcp14>MAY</bcp14> also be used
by subordinate CAs to get their certificates signed by the parent CA.</t> by subordinate CAs to get their certificates signed by the parent CA.</t>
<t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t> <t>See <xref target="sect-5.2.1"/> and <xref target="RFC4211"/> for Ce rtReqMessages syntax.</t>
</section> </section>
<section anchor="sect-5.3.12"> <section anchor="sect-5.3.12">
<name>Cross Certification Response Content</name> <name>Cross-Certification Response Content</name>
<t>Cross certification responses use the same syntax (CertRepMessage) <t>Cross-certification responses use the same syntax (CertRepMessage)
as as
normal certification responses, with the restriction that no normal certification responses, with the restriction that no
encrypted private key can be sent.</t> encrypted private key can be sent.</t>
<t>See <xref target="sect-5.3.4"/> for CertRepMessage syntax.</t> <t>See <xref target="sect-5.3.4"/> for CertRepMessage syntax.</t>
</section> </section>
<section anchor="sect-5.3.13"> <section anchor="sect-5.3.13">
<name>CA Key Update Announcement Content</name> <name>CA Key Update Announcement Content</name>
<t>When a CA updates its own key pair, the following data structure <b cp14>MAY</bcp14> <t>When a CA updates its own key pair, the following data structure <b cp14>MAY</bcp14>
be used to announce this event.</t> be used to announce this event.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
RootCaKeyUpdateContent ::= SEQUENCE { RootCaKeyUpdateContent ::= SEQUENCE {
newWithNew CMPCertificate, newWithNew CMPCertificate,
newWithOld [0] CMPCertificate OPTIONAL, newWithOld [0] CMPCertificate OPTIONAL,
oldWithNew [1] CMPCertificate OPTIONAL oldWithNew [1] CMPCertificate OPTIONAL
} }
CAKeyUpdContent ::= CHOICE { CAKeyUpdContent ::= CHOICE {
cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated
cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent
} }
]]></sourcecode> ]]></sourcecode>
<t>When using RootCaKeyUpdateContent in the ckuann message, the pvno c mp2021 <bcp14>MUST</bcp14> be used. Details on the usage of the protocol version number (pvno) are described in Section 7.</t> <t>When using RootCaKeyUpdateContent in the ckuann message, the pvno c mp2021 <bcp14>MUST</bcp14> be used. Details on the usage of the protocol version number (pvno) are described in <xref target="sect-7"/>.</t>
<t>In contrast to CAKeyUpdAnnContent as supported with cmp2000, RootCa KeyUpdateContent offers omitting newWithOld and oldWithNew, depending on the nee ds of the EE.</t> <t>In contrast to CAKeyUpdAnnContent as supported with cmp2000, RootCa KeyUpdateContent offers omitting newWithOld and oldWithNew, depending on the nee ds of the EE.</t>
</section> </section>
<section anchor="sect-5.3.14"> <section anchor="sect-5.3.14">
<name>Certificate Announcement</name> <name>Certificate Announcement</name>
<t>This structure <bcp14>MAY</bcp14> be used to announce the existence of certificates.</t> <t>This structure <bcp14>MAY</bcp14> be used to announce the existence of certificates.</t>
<t>Note that this message is intended to be used for those cases (if <t>Note that this message is intended to be used for those cases (if
any) where there is no pre-existing method for publication of any) where there is no pre-existing method for publication of
certificates; it is not intended to be used where, for example, X.500 certificates; it is not intended to be used where, for example, X.500
is the method for publication of certificates.</t> is the method for publication of certificates.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
skipping to change at line 2919 skipping to change at line 2964
]]></sourcecode> ]]></sourcecode>
<t>A CA <bcp14>MAY</bcp14> use such an announcement to warn (or notify ) a subject that <t>A CA <bcp14>MAY</bcp14> use such an announcement to warn (or notify ) a subject that
its certificate is about to be (or has been) revoked. This would its certificate is about to be (or has been) revoked. This would
typically be used where the request for revocation did not come from typically be used where the request for revocation did not come from
the subject concerned.</t> the subject concerned.</t>
<t>The willBeRevokedAt field contains the time at which a new entry wi ll <t>The willBeRevokedAt field contains the time at which a new entry wi ll
be added to the relevant CRLs.</t> be added to the relevant CRLs.</t>
</section> </section>
<section anchor="sect-5.3.16"> <section anchor="sect-5.3.16">
<name>CRL Announcement</name> <name>CRL Announcement</name>
<t>When a CA issues a new CRL (or set of CRLs) the following data <t>When a CA issues a new CRL (or set of CRLs), the following data
structure <bcp14>MAY</bcp14> be used to announce this event.</t> structure <bcp14>MAY</bcp14> be used to announce this event.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
CRLAnnContent ::= SEQUENCE OF CertificateList CRLAnnContent ::= SEQUENCE OF CertificateList
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.17"> <section anchor="sect-5.3.17">
<name>PKI Confirmation Content</name> <name>PKI Confirmation Content</name>
<t>This data structure is used in the protocol exchange as the final <t>This data structure is used in the protocol exchange as the final
PKIMessage. Its content is the same in all cases -- actually there PKIMessage. Its content is the same in all cases -- actually, there
is no content since the PKIHeader carries all the required is no content since the PKIHeader carries all the required
information.</t> information.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
PKIConfirmContent ::= NULL PKIConfirmContent ::= NULL
]]></sourcecode> ]]></sourcecode>
<t>Use of this message for certificate confirmation is <bcp14>NOT RECO MMENDED</bcp14>; <t>Use of this message for certificate confirmation is <bcp14>NOT RECO MMENDED</bcp14>;
certConf <bcp14>SHOULD</bcp14> be used instead. Upon receiving a PKIConfirm for a certConf <bcp14>SHOULD</bcp14> be used instead. Upon receiving a PKIConfirm for a
certificate response, the recipient <bcp14>MAY</bcp14> treat it as a certConf wi th certificate response, the recipient <bcp14>MAY</bcp14> treat it as a certConf wi th
all certificates being accepted.</t> all certificates being accepted.</t>
</section> </section>
skipping to change at line 2956 skipping to change at line 3001
CertStatus ::= SEQUENCE { CertStatus ::= SEQUENCE {
certHash OCTET STRING, certHash OCTET STRING,
certReqId INTEGER, certReqId INTEGER,
statusInfo PKIStatusInfo OPTIONAL, statusInfo PKIStatusInfo OPTIONAL,
hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
OPTIONAL OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
<t>The hashAlg field <bcp14>SHOULD</bcp14> be used only in exceptional cases where the signatureAlgorithm <t>The hashAlg field <bcp14>SHOULD</bcp14> be used only in exceptional cases where the signatureAlgorithm
of the certificate to be confirmed does not specify a hash algorithm in the of the certificate to be confirmed does not specify a hash algorithm in the
OID or in the parameters or no hash algorithm is specified for hashing certifica tes signed using the signatureAlgorithm. Note that for EdDSA a hash algorithm is specified in Section 3.3 of <xref target="RFC9481"/>, such that the hashAlg fie ld is not needed for EdDSA. Otherwise, the certHash value OID or in the parameters or no hash algorithm is specified for hashing certifica tes signed using the signatureAlgorithm. Note that for EdDSA, a hash algorithm i s specified in <xref section="3.3" target="RFC9481"/>, such that the hashAlg fie ld is not needed for EdDSA. Otherwise, the certHash value
<bcp14>SHALL</bcp14> be computed using the same hash algorithm as used to create and verify <bcp14>SHALL</bcp14> be computed using the same hash algorithm as used to create and verify
the certificate signature or as specified for hashing certificates signed using the signatureAlgorithm. If hashAlg is used, the CMP version indicated the certificate signature or as specified for hashing certificates signed using the signatureAlgorithm. If hashAlg is used, the CMP version indicated
by the certConf message header must be cmp2021(3).</t> by the certConf message header must be cmp2021(3).</t>
<t>For any particular CertStatus, omission of the statusInfo field <t>For any particular CertStatus, omission of the statusInfo field
indicates acceptance of the specified certificate. Alternatively, indicates acceptance of the specified certificate. Alternatively,
explicit status details (with respect to acceptance or rejection) <bcp14>MAY</bc p14> explicit status details (with respect to acceptance or rejection) <bcp14>MAY</bc p14>
be provided in the statusInfo field, perhaps for auditing purposes at be provided in the statusInfo field, perhaps for auditing purposes at
the CA/RA.</t> the CA/RA.</t>
<t>Within CertConfirmContent, omission of a CertStatus structure <t>Within CertConfirmContent, omission of a CertStatus structure
corresponding to a certificate supplied in the previous response corresponding to a certificate supplied in the previous response
message indicates rejection of the certificate. Thus, an empty message indicates rejection of the certificate. Thus, an empty
CertConfirmContent (a zero-length SEQUENCE) <bcp14>MAY</bcp14> be used to indica te CertConfirmContent (a zero-length SEQUENCE) <bcp14>MAY</bcp14> be used to indica te
rejection of all supplied certificates. See <xref target="sect-5.2.8.3.2"/>, rejection of all supplied certificates. See <xref target="sect-5.2.8.3.2"/>
for a discussion of the certHash field with respect to for a discussion of the certHash field with respect to
proof-of-possession.</t> proof-of-possession.</t>
</section> </section>
<section anchor="sect-5.3.19"> <section anchor="sect-5.3.19">
<name>PKI General Message Content</name> <name>PKI General Message Content</name>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
InfoTypeAndValue ::= SEQUENCE { InfoTypeAndValue ::= SEQUENCE {
infoType OBJECT IDENTIFIER, infoType OBJECT IDENTIFIER,
infoValue ANY DEFINED BY infoType OPTIONAL infoValue ANY DEFINED BY infoType OPTIONAL
} }
-- where {id-it} = {id-pkix 4} = {1 3 6 1 5 5 7 4} -- where {id-it} = {id-pkix 4} = {1 3 6 1 5 5 7 4}
GenMsgContent ::= SEQUENCE OF InfoTypeAndValue GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
]]></sourcecode> ]]></sourcecode>
<section anchor="sect-5.3.19.1"> <section anchor="sect-5.3.19.1">
<name>CA Protocol Encryption Certificate</name> <name>CA Protocol Encryption Certificate</name>
<t>This <bcp14>MAY</bcp14> be used by the EE to get a certificate fr om the CA to use to <t>This <bcp14>MAY</bcp14> be used by the EE to get a certificate fr om the CA to use to
protect sensitive information during the protocol.</t> protect sensitive information during the protocol.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 1}, < absent > GenMsg: {id-it 1}, < absent >
GenRep: {id-it 1}, Certificate | < absent > GenRep: {id-it 1}, Certificate | < absent >
]]></artwork> ]]></sourcecode>
<t>EEs <bcp14>MUST</bcp14> ensure that the correct certificate is us ed for this <t>EEs <bcp14>MUST</bcp14> ensure that the correct certificate is us ed for this
purpose.</t> purpose.</t>
</section> </section>
<section anchor="sect-5.3.19.2"> <section anchor="sect-5.3.19.2">
<name>Signing Key Pair Types</name> <name>Signing Key Pair Types</name>
<t>This <bcp14>MAY</bcp14> be used by the EE to get the list of sign ature algorithm whose subject <t>This <bcp14>MAY</bcp14> be used by the EE to get the list of sign ature algorithms whose subject
public key values the CA is willing to public key values the CA is willing to
certify.</t> certify.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 2}, < absent > GenMsg: {id-it 2}, < absent >
GenRep: {id-it 2}, SEQUENCE SIZE (1..MAX) OF GenRep: {id-it 2}, SEQUENCE SIZE (1..MAX) OF
AlgorithmIdentifier AlgorithmIdentifier
]]></artwork> ]]></sourcecode>
<t>Note: For the purposes of this exchange, rsaEncryption and sha256 WithRSAEncryption, for <t>Note: For the purposes of this exchange, rsaEncryption and sha256 WithRSAEncryption, for
example, are considered to be equivalent; the question being asked is, "Is example, are considered to be equivalent; the question being asked is, "Is
the CA willing to certify an RSA public key?"</t> the CA willing to certify an RSA public key?"</t>
<t>Note: In case several elliptic curves are supported, several id-e cPublicKey elements <t>Note: In case several elliptic curves are supported, several id-e cPublicKey elements
as defined in <xref target="RFC5480"/> need to be given, one per named curve.</t > as defined in <xref target="RFC5480"/> need to be given, one per named curve.</t >
</section> </section>
<section anchor="sect-5.3.19.3"> <section anchor="sect-5.3.19.3">
<name>Encryption/Key Agreement Key Pair Types</name> <name>Encryption / Key Agreement Key Pair Types</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get the list of <t>This <bcp14>MAY</bcp14> be used by the client to get the list of
encryption/key encryption / key
agreement algorithms whose subject public key values the CA is agreement algorithms whose subject public key values the CA is
willing to certify.</t> willing to certify.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 3}, < absent > GenMsg: {id-it 3}, < absent >
GenRep: {id-it 3}, SEQUENCE SIZE (1..MAX) OF GenRep: {id-it 3}, SEQUENCE SIZE (1..MAX) OF
AlgorithmIdentifier AlgorithmIdentifier
]]></artwork> ]]></sourcecode>
<t>Note: In case several elliptic curves are supported, several id-e cPublicKey elements <t>Note: In case several elliptic curves are supported, several id-e cPublicKey elements
as defined in <xref target="RFC5480"/> need to be given, one per named curve.</t > as defined in <xref target="RFC5480"/> need to be given, one per named curve.</t >
</section> </section>
<section anchor="sect-5.3.19.4"> <section anchor="sect-5.3.19.4">
<name>Preferred Symmetric Algorithm</name> <name>Preferred Symmetric Algorithm</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get the CA-prefe rred symmetric <t>This <bcp14>MAY</bcp14> be used by the client to get the CA-prefe rred symmetric
encryption algorithm for any confidential information that needs to encryption algorithm for any confidential information that needs to
be exchanged between the EE and the CA (for example, if the EE wants be exchanged between the EE and the CA (for example, if the EE wants
to send its private decryption key to the CA for archival purposes).</t> to send its private decryption key to the CA for archival purposes).</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 4}, < absent > GenMsg: {id-it 4}, < absent >
GenRep: {id-it 4}, AlgorithmIdentifier GenRep: {id-it 4}, AlgorithmIdentifier
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.19.5"> <section anchor="sect-5.3.19.5">
<name>Updated CA Key Pair</name> <name>Updated CA Key Pair</name>
<t>This <bcp14>MAY</bcp14> be used by the CA to announce a CA key up date event.</t> <t>This <bcp14>MAY</bcp14> be used by the CA to announce a CA key up date event.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 18}, RootCaKeyUpdateValue GenMsg: {id-it 18}, RootCaKeyUpdateValue
]]></artwork> ]]></sourcecode>
<t>See <xref target="sect-5.3.13"/> for details of CA key update ann ouncements.</t> <t>See <xref target="sect-5.3.13"/> for details of CA key update ann ouncements.</t>
</section> </section>
<section anchor="sect-5.3.19.6"> <section anchor="sect-5.3.19.6">
<name>CRL</name> <name>CRL</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get a copy of th e latest CRL.</t> <t>This <bcp14>MAY</bcp14> be used by the client to get a copy of th e latest CRL.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 6}, < absent > GenMsg: {id-it 6}, < absent >
GenRep: {id-it 6}, CertificateList GenRep: {id-it 6}, CertificateList
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.19.7"> <section anchor="sect-5.3.19.7">
<name>Unsupported Object Identifiers</name> <name>Unsupported Object Identifiers</name>
<t>This is used by the server to return a list of object identifiers <t>This is used by the server to return a list of object identifiers
that it does not recognize or support from the list submitted by the that it does not recognize or support from the list submitted by the
client.</t> client.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenRep: {id-it 7}, SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER GenRep: {id-it 7}, SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.19.8"> <section anchor="sect-5.3.19.8">
<name>Key Pair Parameters</name> <name>Key Pair Parameters</name>
<t>This <bcp14>MAY</bcp14> be used by the EE to request the domain p arameters to use <t>This <bcp14>MAY</bcp14> be used by the EE to request the domain p arameters to use
for generating the key pair for certain public-key algorithms. It for generating the key pair for certain public-key algorithms. It
can be used, for example, to request the appropriate P, Q, and G to can be used, for example, to request the appropriate P, Q, and G to
generate the DH/DSA key, or to request a set of well-known elliptic generate the DH/DSA key or to request a set of well-known elliptic
curves.</t> curves.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 10}, OBJECT IDENTIFIER -- (Algorithm object-id) GenMsg: {id-it 10}, OBJECT IDENTIFIER -- (Algorithm object-id)
GenRep: {id-it 11}, AlgorithmIdentifier | < absent > GenRep: {id-it 11}, AlgorithmIdentifier | < absent >
]]></artwork> ]]></sourcecode>
<t>An absent infoValue in the GenRep indicates that the algorithm <t>An absent infoValue in the GenRep indicates that the algorithm
specified in GenMsg is not supported.</t> specified in GenMsg is not supported.</t>
<t>EEs <bcp14>MUST</bcp14> ensure that the parameters are acceptable to it and that the <t>EEs <bcp14>MUST</bcp14> ensure that the parameters are acceptable to it and that the
GenRep message is authenticated (to avoid substitution attacks).</t> GenRep message is authenticated (to avoid substitution attacks).</t>
</section> </section>
<section anchor="sect-5.3.19.9"> <section anchor="sect-5.3.19.9">
<name>Revocation Passphrase</name> <name>Revocation Passphrase</name>
<t>This <bcp14>MAY</bcp14> be used by the EE to send a passphrase to a CA/RA for the purpose <t>This <bcp14>MAY</bcp14> be used by the EE to send a passphrase to a CA/RA for the purpose
of authenticating a later revocation request (in the case that the appropriate of authenticating a later revocation request (in the case that the appropriate
signing private key is no longer available to authenticate the request). signing private key is no longer available to authenticate the request).
See <xref target="sect-b"/> for further details on the use of this mechanism.</t > See <xref target="sect-b"/> for further details on the use of this mechanism.</t >
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
GenMsg: {id-it 12}, EncryptedKey GenMsg: {id-it 12}, EncryptedKey
GenRep: {id-it 12}, < absent > GenRep: {id-it 12}, < absent >
]]></artwork> ]]></sourcecode>
<t>The use of EncryptedKey is described in <xref target="sect-5.2.2" />.</t> <t>The use of EncryptedKey is described in <xref target="sect-5.2.2" />.</t>
</section> </section>
<section anchor="sect-5.3.19.10"> <section anchor="sect-5.3.19.10">
<name>ImplicitConfirm</name> <name>ImplicitConfirm</name>
<t>See <xref target="sect-5.1.1.1"/> for the definition and use of { id-it 13}.</t> <t>See <xref target="sect-5.1.1.1"/> for the definition and use of { id-it 13}.</t>
</section> </section>
<section anchor="sect-5.3.19.11"> <section anchor="sect-5.3.19.11">
<name>ConfirmWaitTime</name> <name>ConfirmWaitTime</name>
<t>See <xref target="sect-5.1.1.2"/> for the definition and use of { id-it 14}.</t> <t>See <xref target="sect-5.1.1.2"/> for the definition and use of { id-it 14}.</t>
</section> </section>
<section anchor="sect-5.3.19.12"> <section anchor="sect-5.3.19.12">
<name>Original PKIMessage</name> <name>Original PKIMessage</name>
<t>See <xref target="sect-5.1.1.3"/> for the definition and use of { id-it 15}.</t> <t>See <xref target="sect-5.1.1.3"/> for the definition and use of { id-it 15}.</t>
</section> </section>
<section anchor="sect-5.3.19.13"> <section anchor="sect-5.3.19.13">
<name>Supported Language Tags</name> <name>Supported Language Tags</name>
<t>This <bcp14>MAY</bcp14> be used to determine the appropriate <xre f target="RFC5646"/> language tag to use in <t>This <bcp14>MAY</bcp14> be used to determine the appropriate lang uage tag <xref target="RFC5646"/> to use in
subsequent messages. The sender sends its list of supported subsequent messages. The sender sends its list of supported
languages (in order, most preferred to least); the receiver returns languages (in order of most to least preferred); the receiver returns
the one it wishes to use. (Note: each UTF8String <bcp14>MUST</bcp14> include a the one it wishes to use. (Note: Each UTF8String <bcp14>MUST</bcp14> include a
language tag.) If none of the offered tags are supported, an error language tag.) If none of the offered tags are supported, an error
<bcp14>MUST</bcp14> be returned.</t> <bcp14>MUST</bcp14> be returned.</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
GenMsg: {id-it 16}, SEQUENCE SIZE (1..MAX) OF UTF8String GenMsg: {id-it 16}, SEQUENCE SIZE (1..MAX) OF UTF8String
GenRep: {id-it 16}, SEQUENCE SIZE (1) OF UTF8String GenRep: {id-it 16}, SEQUENCE SIZE (1) OF UTF8String
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.19.14"> <section anchor="sect-5.3.19.14">
<name>CA Certificates</name> <name>CA Certificates</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get CA certifica tes.</t> <t>This <bcp14>MAY</bcp14> be used by the client to get CA certifica tes.</t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 17}, < absent > GenMsg: {id-it 17}, < absent >
GenRep: {id-it 17}, SEQUENCE SIZE (1..MAX) OF GenRep: {id-it 17}, SEQUENCE SIZE (1..MAX) OF
CMPCertificate | < absent > CMPCertificate | < absent >
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.19.15"> <section anchor="sect-5.3.19.15">
<name>Root CA Update</name> <name>Root CA Update</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get an update of a root CA certificate, <t>This <bcp14>MAY</bcp14> be used by the client to get an update of a root CA certificate,
which is provided in the body of the request message. In contrast to the which is provided in the body of the request message. In contrast to the
ckuann message, this approach follows the request/response model.</t> ckuann message, this approach follows the request/response model.</t>
<t>The EE <bcp14>SHOULD</bcp14> reference its current trust anchor i n RootCaCertValue <t>The EE <bcp14>SHOULD</bcp14> reference its current trust anchor i n RootCaCertValue
in the request body, giving the root CA certificate if available.</t> in the request body, giving the root CA certificate if available.</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
GenMsg: {id-it 20}, RootCaCertValue | < absent > GenMsg: {id-it 20}, RootCaCertValue | < absent >
GenRep: {id-it 18}, RootCaKeyUpdateValue | < absent > GenRep: {id-it 18}, RootCaKeyUpdateValue | < absent >
]]></artwork> ]]></sourcecode>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
RootCaCertValue ::= CMPCertificate RootCaCertValue ::= CMPCertificate
RootCaKeyUpdateValue ::= RootCaKeyUpdateContent RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
RootCaKeyUpdateContent ::= SEQUENCE { RootCaKeyUpdateContent ::= SEQUENCE {
newWithNew CMPCertificate, newWithNew CMPCertificate,
newWithOld [0] CMPCertificate OPTIONAL, newWithOld [0] CMPCertificate OPTIONAL,
oldWithNew [1] CMPCertificate OPTIONAL oldWithNew [1] CMPCertificate OPTIONAL
} }
skipping to change at line 3155 skipping to change at line 3218
RootCaKeyUpdateContent offers omitting newWithOld and oldWithNew, RootCaKeyUpdateContent offers omitting newWithOld and oldWithNew,
depending on the needs of the EE.</t> depending on the needs of the EE.</t>
</section> </section>
<section anchor="sect-5.3.19.16"> <section anchor="sect-5.3.19.16">
<name>Certificate Request Template</name> <name>Certificate Request Template</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get a template c ontaining requirements <t>This <bcp14>MAY</bcp14> be used by the client to get a template c ontaining requirements
for certificate request attributes and extensions. The controls id-regCtrl-algId for certificate request attributes and extensions. The controls id-regCtrl-algId
and id-regCtrl-rsaKeyLen <bcp14>MAY</bcp14> contain details on the types of subj ect public and id-regCtrl-rsaKeyLen <bcp14>MAY</bcp14> contain details on the types of subj ect public
keys the CA is willing to certify.</t> keys the CA is willing to certify.</t>
<t>The id-regCtrl-algId control <bcp14>MAY</bcp14> be used to identi fy a cryptographic algorithm <t>The id-regCtrl-algId control <bcp14>MAY</bcp14> be used to identi fy a cryptographic algorithm
(see Section 4.1.2.7 of <xref target="RFC5280"/>) other than rsaEncryption. The algorithm (see <xref section="4.1.2.7" target="RFC5280"/>) other than rsaEncryption. The a lgorithm
field <bcp14>SHALL</bcp14> identify a cryptographic field <bcp14>SHALL</bcp14> identify a cryptographic
algorithm. The contents of the optional parameters field will vary according algorithm. The contents of the optional parameters field will vary according
to the algorithm identified. For example, when the algorithm is set to id-ecPubl icKey, to the algorithm identified. For example, when the algorithm is set to id-ecPubl icKey,
the parameters identify the elliptic curve to be used; see <xref target="RFC5480 "/>.</t> the parameters identify the elliptic curve to be used; see <xref target="RFC5480 "/>.</t>
<t>Note: The client may specify a profile name in the certProfile fi eld, see <xref target="sect-5.1.1.4"/>.</t> <t>Note: The client may specify a profile name in the certProfile fi eld (see <xref target="sect-5.1.1.4"/>).</t>
<t>The id-regCtrl-rsaKeyLen control <bcp14>SHALL</bcp14> be used for algorithm rsaEncryption <t>The id-regCtrl-rsaKeyLen control <bcp14>SHALL</bcp14> be used for algorithm rsaEncryption
and <bcp14>SHALL</bcp14> contain the intended modulus bit length of the RSA key. </t> and <bcp14>SHALL</bcp14> contain the intended modulus bit length of the RSA key. </t>
<artwork><![CDATA[
<sourcecode type=""><![CDATA[
GenMsg: {id-it 19}, < absent > GenMsg: {id-it 19}, < absent >
GenRep: {id-it 19}, CertReqTemplateContent | < absent > GenRep: {id-it 19}, CertReqTemplateContent | < absent >
]]></artwork> ]]></sourcecode>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
CertReqTemplateValue ::= CertReqTemplateContent CertReqTemplateValue ::= CertReqTemplateContent
CertReqTemplateContent ::= SEQUENCE { CertReqTemplateContent ::= SEQUENCE {
certTemplate CertTemplate, certTemplate CertTemplate,
keySpec Controls OPTIONAL } keySpec Controls OPTIONAL }
Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue
id-regCtrl-algId OBJECT IDENTIFIER ::= { iso(1) id-regCtrl-algId OBJECT IDENTIFIER ::= { iso(1)
skipping to change at line 3193 skipping to change at line 3258
identified-organization(3) dod(6) internet(1) security(5) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) pkip(5) regCtrl(1) 12 } mechanisms(5) pkix(7) pkip(5) regCtrl(1) 12 }
RsaKeyLenCtrl ::= INTEGER (1..MAX) RsaKeyLenCtrl ::= INTEGER (1..MAX)
]]></sourcecode> ]]></sourcecode>
<t>The CertReqTemplateValue contains the prefilled certTemplate to b e used for <t>The CertReqTemplateValue contains the prefilled certTemplate to b e used for
a future certificate request. The publicKey field in the certTemplate <bcp14>MU ST a future certificate request. The publicKey field in the certTemplate <bcp14>MU ST
NOT</bcp14> be used. In case the PKI management entity wishes to specify suppor ted NOT</bcp14> be used. In case the PKI management entity wishes to specify suppor ted
public-key algorithms, the keySpec field <bcp14>MUST</bcp14> be used. One Attri buteTypeAndValue public-key algorithms, the keySpec field <bcp14>MUST</bcp14> be used. One Attri buteTypeAndValue
per supported algorithm or RSA key length <bcp14>MUST</bcp14> be used.</t> per supported algorithm or RSA key length <bcp14>MUST</bcp14> be used.</t>
<t>Note: The controls ASN.1 type is defined in Section 6 of CRMF <xr ef target="RFC4211"/></t> <t>Note: The controls for an ASN.1 type are defined in <xref section ="6" target="RFC4211">CRMF</xref>.</t>
</section> </section>
<section anchor="sect-5.3.19.17"> <section anchor="sect-5.3.19.17">
<name>CRL Update Retrieval</name> <name>CRL Update Retrieval</name>
<t>This <bcp14>MAY</bcp14> be used by the client to get new CRLs, sp ecifying the source of <t>This <bcp14>MAY</bcp14> be used by the client to get new CRLs, sp ecifying the source of
the CRLs and the thisUpdate value of the latest CRL it already has, if available . the CRLs and the thisUpdate value of the latest CRL it already has, if available .
A CRL source is given either by a DistributionPointName or the GeneralNames A CRL source is given either by a DistributionPointName or the GeneralNames
of the issuing CA. The DistributionPointName should be treated as an internal of the issuing CA. The DistributionPointName should be treated as an internal
pointer to identify a CRL that the server already has and not as a way to pointer to identify a CRL that the server already has and not as a way to
ask the server to fetch CRLs from external locations. The server <bcp14>SHALL</b cp14> only provide ask the server to fetch CRLs from external locations. The server <bcp14>SHALL</b cp14> only provide
those CRLs that are more recent than the ones indicated by the client.</t> those CRLs that are more recent than the ones indicated by the client.</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
GenMsg: {id-it 22}, SEQUENCE SIZE (1..MAX) OF CRLStatus GenMsg: {id-it 22}, SEQUENCE SIZE (1..MAX) OF CRLStatus
GenRep: {id-it 23}, SEQUENCE SIZE (1..MAX) OF GenRep: {id-it 23}, SEQUENCE SIZE (1..MAX) OF
CertificateList | < absent > CertificateList | < absent >
]]></artwork> ]]></sourcecode>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
CRLSource ::= CHOICE { CRLSource ::= CHOICE {
dpn [0] DistributionPointName, dpn [0] DistributionPointName,
issuer [1] GeneralNames } issuer [1] GeneralNames }
CRLStatus ::= SEQUENCE { CRLStatus ::= SEQUENCE {
source CRLSource, source CRLSource,
thisUpdate Time OPTIONAL } thisUpdate Time OPTIONAL }
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-5.3.19.18"> <section anchor="sect-5.3.19.18">
<name>KEM Ciphertext</name> <name>KEM Ciphertext</name>
<t>This <bcp14>MAY</bcp14> be used by a PKI entity to get the KEM ci phertext for MAC-based message protection using KEM (see <xref target="sect-5.1. 3.4"/>).</t> <t>This <bcp14>MAY</bcp14> be used by a PKI entity to get the KEM ci phertext for MAC-based message protection using KEM (see <xref target="sect-5.1. 3.4"/>).</t>
<t>The PKI entity which possesses a KEM key pair can request the cip <t>The PKI entity that possesses a KEM key pair can request the ciph
hertext by sending an InfoTypeAndValue structure of type KemCiphertextInfo where ertext by sending an InfoTypeAndValue structure of type KemCiphertextInfo where
the infoValue is absent. The ciphertext can be provided in the following genp m the infoValue is absent. The ciphertext can be provided in the following genp me
essage with an InfoTypeAndValue structure of the same type.</t> ssage with an InfoTypeAndValue structure of the same type.</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
GenMsg: {id-it TBD1}, < absent > GenMsg: {id-it 24}, < absent >
GenRep: {id-it TBD1}, KemCiphertextInfo GenRep: {id-it 24}, KemCiphertextInfo
]]></artwork> ]]></sourcecode>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
KemCiphertextInfo ::= SEQUENCE { KemCiphertextInfo ::= SEQUENCE {
kem AlgorithmIdentifier{KEM-ALGORITHM, {...}}, kem AlgorithmIdentifier{KEM-ALGORITHM, {...}},
ct OCTET STRING ct OCTET STRING
} }
]]></sourcecode> ]]></sourcecode>
<t>kem is the algorithm identifier of the KEM algorithm, and any ass ociated parameters, used to generate the ciphertext ct.</t> <t>kem is the algorithm identifier of the KEM algorithm, and any ass ociated parameters, used to generate the ciphertext (ct).</t>
<t>ct is the ciphertext output from the KEM Encapsulate function.</t > <t>ct is the ciphertext output from the KEM Encapsulate function.</t >
<t>NOTE: These InfoTypeAndValue structures can also be transferred i n the generalInfo field of the PKIHeader in messages of other types (see <xref t arget="sect-5.1.1.5"/>).</t> <t>Note: These InfoTypeAndValue structures can also be transferred i n the generalInfo field of the PKIHeader in messages of other types (see <xref t arget="sect-5.1.1.5"/>).</t>
</section> </section>
</section> </section>
<section anchor="sect-5.3.20"> <section anchor="sect-5.3.20">
<name>PKI General Response Content</name> <name>PKI General Response Content</name>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
GenRepContent ::= SEQUENCE OF InfoTypeAndValue GenRepContent ::= SEQUENCE OF InfoTypeAndValue
]]></sourcecode> ]]></sourcecode>
<t>Examples of GenReps that <bcp14>MAY</bcp14> be supported include th ose listed in the <t>Examples of GenReps that <bcp14>MAY</bcp14> be supported include th ose listed in the
subsections of <xref target="sect-5.3.19"/>.</t> subsections of <xref target="sect-5.3.19"/>.</t>
</section> </section>
<section anchor="sect-5.3.21"> <section anchor="sect-5.3.21">
<name>Error Message Content</name> <name>Error Message Content</name>
<t>This data structure <bcp14>MAY</bcp14> be used by EE, CA, or RA to convey error information and <t>This data structure <bcp14>MAY</bcp14> be used by an EE, CA, or RA to convey error information and
by a PKI management entity to initiate delayed delivery of responses.</t> by a PKI management entity to initiate delayed delivery of responses.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
ErrorMsgContent ::= SEQUENCE { ErrorMsgContent ::= SEQUENCE {
pKIStatusInfo PKIStatusInfo, pKIStatusInfo PKIStatusInfo,
errorCode INTEGER OPTIONAL, errorCode INTEGER OPTIONAL,
errorDetails PKIFreeText OPTIONAL errorDetails PKIFreeText OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
<t>This message <bcp14>MAY</bcp14> be generated at any time during a P KI transaction. If the <t>This message <bcp14>MAY</bcp14> be generated at any time during a P KI transaction. If the
client sends this request, the server <bcp14>MUST</bcp14> respond with a PKIConf irm response, client sends this request, the server <bcp14>MUST</bcp14> respond with a PKIConf irm response
or another ErrorMsg if any part of the header is not valid.</t> or another ErrorMsg if any part of the header is not valid.</t>
<t>In case a PKI management entity sends an error message to the EE wi th the <t>In case a PKI management entity sends an error message to the EE wi th the
pKIStatusInfo field containing the status "waiting", the EE <bcp14>SHOULD</bcp14 > initiate pKIStatusInfo field containing the status "waiting", the EE <bcp14>SHOULD</bcp14 > initiate
polling as described in <xref target="sect-5.3.22"/>. polling as described in <xref target="sect-5.3.22"/>.
If the EE does not initiate polling, both sides <bcp14>MUST</bcp14> treat this m essage If the EE does not initiate polling, both sides <bcp14>MUST</bcp14> treat this m essage
as the end of the transaction (if a transaction is in progress).</t> as the end of the transaction (if a transaction is in progress).</t>
<t>If protection is desired on the message, the client <bcp14>MUST</bc p14> protect it <t>If protection is desired on the message, the client <bcp14>MUST</bc p14> protect it
using the same technique (i.e., signature or MAC) as the starting using the same technique (i.e., signature or MAC) as the starting
message of the transaction. The CA <bcp14>MUST</bcp14> always sign it with a message of the transaction. The CA <bcp14>MUST</bcp14> always sign it with a
signature key.</t> signature key.</t>
skipping to change at line 3287 skipping to change at line 3352
certReqId INTEGER } certReqId INTEGER }
PollRepContent ::= SEQUENCE OF SEQUENCE { PollRepContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER, certReqId INTEGER,
checkAfter INTEGER, -- time in seconds checkAfter INTEGER, -- time in seconds
reason PKIFreeText OPTIONAL } reason PKIFreeText OPTIONAL }
]]></sourcecode> ]]></sourcecode>
<t>Unless implicit confirmation has been requested and granted, in res ponse to an ir, cr, p10cr, kur, krr, or ccr request message, polling is initiate d <t>Unless implicit confirmation has been requested and granted, in res ponse to an ir, cr, p10cr, kur, krr, or ccr request message, polling is initiate d
with an ip, cp, kup, krp, or ccp response message containing status "waiting". F or with an ip, cp, kup, krp, or ccp response message containing status "waiting". F or
any type of request message, polling can be initiated with an error response any type of request message, polling can be initiated with an error response
messages with status "waiting". The following clauses describe how polling message with status "waiting". The following clauses describe how polling
messages are used. It is assumed that multiple certConf messages can be messages are used. It is assumed that multiple certConf messages can be
sent during transactions. There will be one sent in response to each ip, sent during transactions. There will be one sent in response to each ip,
cp, kup, krp, or ccp that contains a CertStatus for an issued certificate.</t> cp, kup, krp, or ccp that contains a CertStatus for an issued certifica
<ol spacing="normal" type="%d"><li> te.</t>
<t>In response to an ip, cp, kup, krp, or ccp message, an EE will
send a certConf for <!--[rfced] Should "PKIconf" be updated to "pkiconf", "pkiConf", or
all issued certificates and expect a PKIconf for each certConf. An EE will "PKIConf" to reflect usage elsewhere in the document?
send a pollReq message in response to each CertResponse element of an ip,
cp, or kup message with status "waiting" and in response to an error message Original:
with status "waiting". Its certReqId <bcp14>MUST</bcp14> be either the index In response to an ip, cp, kup, krp, or ccp message, an EE will
of a CertResponse send a certConf for all issued certificates and expect a PKIconf
data structure with status "waiting" or -1 referring to the complete response. for each certConf.
</t> -->
</li>
<li> <ol spacing="normal" type="1">
<t>In response to a pollReq, a CA/RA will return an ip, cp, kup, k <li>In response to an ip, cp, kup, krp, or ccp message, an EE will
rp, or ccp if one or send a certConf for all issued certificates and expect a PKIconf
more of still pending requested certificates are ready or the final response for each certConf. An EE will send a pollReq message in response
to some other type of request is available; otherwise, it will return a pollRe to each CertResponse element of an ip, cp, or kup message with
p.</t> status "waiting" and in response to an error message with status
</li> "waiting". Its certReqId <bcp14>MUST</bcp14> be either the index
<li> of a CertResponse data structure with status "waiting" or -1
<t>If the EE receives a pollRep, it will wait for at least the num referring to the complete response.</li>
ber of seconds <li>In response to a pollReq, a CA/RA will return an ip, cp, kup,
given in the checkAfter field before sending another pollReq.</t> krp, or ccp if one or more of the still pending requested certificat
</li> es
</ol> are ready or the final response to some other type of request is
<ul empty="true"> available; otherwise, it will return a pollRep.</li>
<li> <li>
<t>[RFC-Editor: Please fix the indentation. This note belongs to 3 <t>If the EE receives a pollRep, it will wait for at least the
.] Note that the checkAfter value heavily depends on the certificate management number of seconds given in the checkAfter field before sending
environment. There are different reasons for a delayed delivery of response another pollReq.</t>
messages possible, e.g., high load on the server's backend, offline transfer of <t>Note that the checkAfter value heavily depends on the
messages between two PKI management entities, or required RA operator certificate management environment. There are different possible r
approval. Therefore, the checkAfter time can vary greatly. This should also be easons
considered by the transfer protocol.</t> for a delayed delivery of response messages, e.g., high
</li> load on the server's backend, offline transfer of messages
</ul> between two PKI management entities, or required RA operator
<ol spacing="normal" type="1"><li> approval. Therefore, the checkAfter time can vary greatly. This
<t>[RFC-Editor: Please fix the enumeration and continue with '4'.] should also be considered by the transfer protocol.</t>
If the EE receives an ip, cp, kup, krp, or ccp, then it will be treated in the
same
way as the initial response; if it receives any other response, then this
will be treated as the final response to the original request.</t>
</li> </li>
<li>If the EE receives an ip, cp, kup, krp, or ccp, then it will
be treated in the same way as the initial response; if it receives
any other response, then this will be treated as the final
response to the original request.</li>
</ol> </ol>
<t>The following client-side state machine describes polling for indiv idual <t>The following client-side state machine describes polling for indiv idual
CertResponse elements at the example of an ir request message.</t> CertResponse elements at the example of an ir request message.</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="464" width="504" viewBox="0 0 504 464" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="464" width="504" viewBox="0 0 504 464" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 32,192 L 32,224" fill="none" stroke="black"/> <path d="M 32,192 L 32,224" fill="none" stroke="black"/>
<path d="M 176,384 L 176,416" fill="none" stroke="black"/> <path d="M 176,384 L 176,416" fill="none" stroke="black"/>
<path d="M 240,48 L 240,64" fill="none" stroke="black"/> <path d="M 240,48 L 240,64" fill="none" stroke="black"/>
<path d="M 240,96 L 240,112" fill="none" stroke="black"/> <path d="M 240,96 L 240,112" fill="none" stroke="black"/>
<path d="M 240,176 L 240,224" fill="none" stroke="black"/> <path d="M 240,176 L 240,224" fill="none" stroke="black"/>
<path d="M 320,384 L 320,416" fill="none" stroke="black"/> <path d="M 320,384 L 320,416" fill="none" stroke="black"/>
skipping to change at line 3889 skipping to change at line 3961
<name>Mandatory PKI Management Functions</name> <name>Mandatory PKI Management Functions</name>
<t>Some of the PKI management functions outlined in <xref target="sect-3.1 "/> are <t>Some of the PKI management functions outlined in <xref target="sect-3.1 "/> are
described in this section.</t> described in this section.</t>
<t>This section deals with functions that are "mandatory" in the sense <t>This section deals with functions that are "mandatory" in the sense
that all end entity and CA/RA implementations <bcp14>MUST</bcp14> be able to pro vide that all end entity and CA/RA implementations <bcp14>MUST</bcp14> be able to pro vide
the functionality described. This part is effectively the profile of the functionality described. This part is effectively the profile of
the PKI management functionality that <bcp14>MUST</bcp14> be supported. Note, the PKI management functionality that <bcp14>MUST</bcp14> be supported. Note,
however, that the management functions described in this section do however, that the management functions described in this section do
not need to be accomplished using the PKI messages defined in <xref target="sect -5"/> not need to be accomplished using the PKI messages defined in <xref target="sect -5"/>
if alternate means are suitable for a given environment. See if alternate means are suitable for a given environment. See
<xref target="RFC9483"/> Section 7 and <xref target="sect-c"/> for profiles of t he PKIMessage structures <xref section="7" target="RFC9483"/> and <xref target="sect-c"/> for profiles of the PKIMessage structures
that <bcp14>MUST</bcp14> be supported for specific use cases.</t> that <bcp14>MUST</bcp14> be supported for specific use cases.</t>
<section anchor="sect-6.1"> <section anchor="sect-6.1">
<name>Root CA Initialization</name> <name>Root CA Initialization</name>
<t>[See <xref target="sect-3.1.1.2"/> for this document's definition of "root CA".]</t> <t>[See <xref target="sect-3.1.1.2"/> for this document's definition of "root CA".]</t>
<t>If a newly created root CA is at the top of a PKI hierarchy, it usual ly <t>If a newly created root CA is at the top of a PKI hierarchy, it usual ly
produces a "self-certificate", which is a produces a "self-certificate", which is a
certificate structure with the profile defined for the "newWithNew" certificate structure with the profile defined for the "newWithNew"
certificate issued following a root CA key update.</t> certificate issued following a root CA key update.</t>
<t>In order to make the CA's self-certificate useful to end entities <t>In order to make the CA's self-certificate useful to end entities
that do not acquire the self-certificate via "out-of-band" means, the that do not acquire the self-certificate via "out-of-band" means, the
CA must also produce a fingerprint for its certificate. End entities CA must also produce a fingerprint for its certificate. End entities
that acquire this fingerprint securely via some "out-of-band" means that acquire this fingerprint securely via some "out-of-band" means
can then verify the CA's self-certificate and, hence, the other can then verify the CA's self-certificate and, hence, the other
attributes contained therein.</t> attributes contained therein.</t>
<t>The data structure used to carry the fingerprint may be the OOBCertHa sh, see <xref target="sect-5.2.5"/>.</t> <t>The data structure used to carry the fingerprint may be the OOBCertHa sh (see <xref target="sect-5.2.5"/>).</t>
</section> </section>
<section anchor="sect-6.2"> <section anchor="sect-6.2">
<name>Root CA Key Update</name> <name>Root CA Key Update</name>
<t>CA keys (as all other keys) have a finite lifetime and will have to <t>CA keys (as all other keys) have a finite lifetime and will have to
be updated on a periodic basis. The certificates NewWithNew, be updated on a periodic basis. The certificates NewWithNew,
NewWithOld, and OldWithNew (see <xref target="sect-4.4.1"/>) <bcp14>MAY</bcp14> be issued by the NewWithOld, and OldWithNew (see <xref target="sect-4.4.1"/>) <bcp14>MAY</bcp14> be issued by the
CA to aid existing end entities who hold the current root CA CA to aid existing end entities who hold the current root CA
certificate (OldWithOld) to transition securely to the new root certificate (OldWithOld) to transition securely to the new root
CA certificate (NewWithNew), and to aid new end entities who CA certificate (NewWithNew) and to aid new end entities who
will hold NewWithNew to acquire OldWithOld securely for verification will hold NewWithNew to acquire OldWithOld securely for verification
of existing data.</t> of existing data.</t>
</section> </section>
<section anchor="sect-6.3"> <section anchor="sect-6.3">
<name>Subordinate CA Initialization</name> <name>Subordinate CA Initialization</name>
<t>[See <xref target="sect-3.1.1.2"/> for this document's definition of "subordinate CA".]</t> <t>[See <xref target="sect-3.1.1.2"/> for this document's definition of "subordinate CA".]</t>
<t>From the perspective of PKI management protocols, the initialization of a <t>From the perspective of PKI management protocols, the initialization of a
subordinate CA is the same as the initialization of an end entity. The only subordinate CA is the same as the initialization of an end entity. The only
difference is that the subordinate CA must also produce an initial revocation difference is that the subordinate CA must also produce an initial revocation
list.</t> list.</t>
</section> </section>
<section anchor="sect-6.4"> <section anchor="sect-6.4">
<name>CRL production</name> <name>CRL Production</name>
<t>Before issuing any certificates, a newly established CA (which issues <t>Before issuing any certificates, a newly established CA (which issues
CRLs) must produce "empty" versions of each CRL which are to be CRLs) must produce "empty" versions of each CRL, which are to be
periodically produced.</t> periodically produced.</t>
</section> </section>
<section anchor="sect-6.5"> <section anchor="sect-6.5">
<name>PKI Information Request</name> <name>PKI Information Request</name>
<t>When a PKI entity (CA, RA, or EE) wishes to acquire information about <t>When a PKI entity (CA, RA, or EE) wishes to acquire information about
the current status of a CA, it <bcp14>MAY</bcp14> send that CA a request for suc h the current status of a CA, it <bcp14>MAY</bcp14> send that CA a request for suc h
information.</t> information.</t>
<t>The CA <bcp14>MUST</bcp14> respond to the request by providing (at le ast) all of the <t>The CA <bcp14>MUST</bcp14> respond to the request by providing (at le ast) all of the
information requested by the requester. If some of the information information requested by the requester. If some of the information
cannot be provided, then an error must be conveyed to the requester.</t> cannot be provided, then an error must be conveyed to the requester.</t>
<t>If PKIMessages are used to request and supply this PKI information, <t>If PKIMessages are used to request and supply this PKI information,
then the request <bcp14>MUST</bcp14> be the GenMsg message, the response <bcp14> MUST</bcp14> be the then the request <bcp14>MUST</bcp14> be the GenMsg message, the response <bcp14> MUST</bcp14> be the
GenRep message, and the error <bcp14>MUST</bcp14> be the Error message. These GenRep message, and the error <bcp14>MUST</bcp14> be the Error message. These
messages are protected using a MAC based on shared secret information messages are protected using a MAC based on shared secret information
(e.g., password-based MAC, see CMP Algorithms <xref target="RFC9481"/> Section 6 .1) or using any asymmetric authentication means such as a (e.g., password-based MAC; see <xref section="6.1" target="RFC9481">"CMP Algorit hms"</xref>) or using any asymmetric authentication means such as a
signature (if the end entity has an existing certificate).</t> signature (if the end entity has an existing certificate).</t>
</section> </section>
<section anchor="sect-6.6"> <section anchor="sect-6.6">
<name>Cross Certification</name> <name>Cross Certification</name>
<t>The requester CA is the CA that will become the subject of the <t>The requester CA is the CA that will become the subject of the
cross-certificate; the responder CA will become the issuer of the cross-certificate; the responder CA will become the issuer of the
cross-certificate.</t> cross-certificate.</t>
<t>The requester CA must be "up and running" before initiating the <t>The requester CA must be "up and running" before initiating the
cross-certification operation.</t> cross-certification operation.</t>
<section anchor="sect-6.6.1"> <section anchor="sect-6.6.1">
<name>One-Way Request-Response Scheme:</name> <name>One-Way Request-Response Scheme</name>
<t>The cross-certification scheme is essentially a one way operation; <t>The cross-certification scheme is essentially a one-way operation;
that is, when successful, this operation results in the creation of that is, when successful, this operation results in the creation of
one new cross-certificate. If the requirement is that cross-certificates one new cross-certificate. If the requirement is that cross-certificates
be created in "both directions", then each CA, in turn, be created in "both directions", then each CA, in turn,
must initiate a cross-certification operation (or use another must initiate a cross-certification operation (or use another
scheme).</t> scheme).</t>
<t>This scheme is suitable where the two CAs in question can already <t>This scheme is suitable where the two CAs in question can already
verify each other's signatures (they have some common points of verify each other's signatures (they have some common points of
trust) or where there is an out-of-band verification of the origin of trust) or where there is an out-of-band verification of the origin of
the certification request.</t> the certification request.</t>
<t>Detailed Description:</t> <t>Detailed Description:</t>
<t>Cross certification is initiated at one CA known as the responder. <t indent="3">Cross certification is initiated at one CA known as the responder.
The CA administrator for the responder identifies the CA it wants to The CA administrator for the responder identifies the CA it wants to
cross certify and the responder CA equipment generates an cross certify and the responder CA equipment generates an
authorization code. The responder CA administrator passes this authorization code. The responder CA administrator passes this
authorization code by out-of-band means to the requester CA authorization code by out-of-band means to the requester CA
administrator. The requester CA administrator enters the administrator. The requester CA administrator enters the
authorization code at the requester CA in order to initiate the authorization code at the requester CA in order to initiate the
on-line exchange.</t> on-line exchange.</t>
<t>The authorization code is used for authentication and integrity <t indent="3">The authorization code is used for authentication and in tegrity
purposes. This is done by generating a symmetric key based on the purposes. This is done by generating a symmetric key based on the
authorization code and using the symmetric key for generating Message authorization code and using the symmetric key for generating Message
Authentication Codes (MACs) on all messages exchanged. Authentication Codes (MACs) on all messages exchanged.
(Authentication may alternatively be done using signatures instead of (Authentication may alternatively be done using signatures instead of
MACs, if the CAs are able to retrieve and validate the required MACs, if the CAs are able to retrieve and validate the required
public keys by some means, such as an out-of-band hash comparison.)</t> public keys by some means, such as an out-of-band hash comparison.)</t>
<t>The requester CA initiates the exchange by generating a cross-certi fication <t indent="3">The requester CA initiates the exchange by generating a cross-certification
request (ccr) with a fresh random number (requester random number). request (ccr) with a fresh random number (requester random number).
The requester CA then sends the ccr message to the responder CA. The requester CA then sends the ccr message to the responder CA.
The fields in this message are protected from modification with a The fields in this message are protected from modification with a
MAC based on the authorization code.</t> MAC based on the authorization code.</t>
<t>Upon receipt of the ccr message, the responder CA validates the <t indent="3">Upon receipt of the ccr message, the responder CA valida tes the
message and the MAC, saves the requester random number, and generates message and the MAC, saves the requester random number, and generates
its own random number (responder random number). It then generates its own random number (responder random number). It then generates
(and archives, if desired) a new requester certificate that contains (and archives, if desired) a new requester certificate that contains
the requester CA public key and is signed with the responder CA the requester CA public key and is signed with the responder CA
signature private key. The responder CA responds with the cross signature private key. The responder CA responds with the cross-certification r
certification response (ccp) message. The fields in this message are esponse (ccp) message. The fields in this message are
protected from modification with a MAC based on the authorization protected from modification with a MAC based on the authorization
code.</t> code.</t>
<t>Upon receipt of the ccp message, the requester CA validates the <t indent="3">Upon receipt of the ccp message, the requester CA valida tes the
message (including the received random numbers) and the MAC. The message (including the received random numbers) and the MAC. The
requester CA responds with the certConf message. The fields in this requester CA responds with the certConf message. The fields in this
message are protected from modification with a MAC based on the message are protected from modification with a MAC based on the
authorization code. The requester CA <bcp14>MAY</bcp14> write the requester authorization code. The requester CA <bcp14>MAY</bcp14> write the requester
certificate to the Repository as an aid to later certificate path certificate to the Repository as an aid to later certificate path
construction.</t> construction.</t>
<t>Upon receipt of the certConf message, the responder CA validates th <t indent="3">Upon receipt of the certConf message, the responder CA v
e alidates the
message and the MAC, and sends back an acknowledgement using the message and the MAC and sends back an acknowledgement using the
PKIConfirm message. It <bcp14>MAY</bcp14> also publish the requester certificat e as PKIConfirm message. It <bcp14>MAY</bcp14> also publish the requester certificat e as
an aid to later path construction.</t> an aid to later path construction.</t>
<t>Notes:</t> <t>Notes:</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>The ccr message must contain a "complete" certification request ; <t>The ccr message must contain a "complete" certification request ;
that is, all fields except the serial number (including, e.g., a that is, all fields except the serial number (including, e.g., a
BasicConstraints extension) must be specified by the requester BasicConstraints extension) must be specified by the requester
CA.</t> CA.</t>
</li> </li>
<li> <li>
skipping to change at line 4041 skipping to change at line 4112
<t>As with CAs, end entities must be initialized. Initialization of end <t>As with CAs, end entities must be initialized. Initialization of end
entities requires at least two steps:</t> entities requires at least two steps:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>acquisition of PKI information</t> <t>acquisition of PKI information</t>
</li> </li>
<li> <li>
<t>out-of-band verification of one root-CA public key</t> <t>out-of-band verification of one root-CA public key</t>
</li> </li>
</ul> </ul>
<t>(other possible steps include the retrieval of trust condition <t>(Other possible steps include the retrieval of trust condition
information and/or out-of-band verification of other CA public keys).</t> information and/or out-of-band verification of other CA public keys.)</t>
<section anchor="sect-6.7.1"> <section anchor="sect-6.7.1">
<name>Acquisition of PKI Information</name> <name>Acquisition of PKI Information</name>
<t>The information <bcp14>REQUIRED</bcp14> is:</t> <t>The information <bcp14>REQUIRED</bcp14> is:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>the current root-CA public key</t> <t>the current root-CA public key</t>
</li> </li>
<li> <li>
<t>(if the certifying CA is not a root-CA) the certification path <t>(if the certifying CA is not a root-CA) the certification path
from the root CA to the certifying CA together with appropriate from the root CA to the certifying CA together with appropriate
revocation lists</t> revocation lists</t>
</li> </li>
<li> <li>
<t>the algorithms and algorithm parameters that the certifying CA <t>the algorithms and algorithm parameters that the certifying CA
supports for each relevant usage</t> supports for each relevant usage</t>
</li> </li>
</ul> </ul>
<t>Additional information could be required (e.g., supported extension s <t>Additional information could be required (e.g., supported extension s
or CA policy information) in order to produce a certification request or CA policy information) in order to produce a certification request
that will be successful. However, for simplicity we do not mandate that will be successful. However, for simplicity, we do not mandate
that the end entity acquires this information via the PKI messages. that the end entity acquires this information via the PKI messages.
The end result is simply that some certification requests may fail The end result is simply that some certification requests may fail
(e.g., if the end entity wants to generate its own encryption key, (e.g., if the end entity wants to generate its own encryption key,
but the CA doesn't allow that).</t> but the CA doesn't allow that).</t>
<t>The required information <bcp14>MAY</bcp14> be acquired as describe d in <xref target="sect-6.5"/>.</t> <t>The required information <bcp14>MAY</bcp14> be acquired as describe d in <xref target="sect-6.5"/>.</t>
</section> </section>
<section anchor="sect-6.7.2"> <section anchor="sect-6.7.2">
<name>Out-of-Band Verification of Root CA Key</name> <name>Out-of-Band Verification of the Root CA Key</name>
<t>An end entity must securely possess the public key of its root CA. <t>An end entity must securely possess the public key of its root CA.
One method to achieve this is to provide the end entity with the CA's One method to achieve this is to provide the end entity with the CA's
self-certificate fingerprint via some secure "out-of-band" means. self-certificate fingerprint via some secure "out-of-band" means.
The end entity can then securely use the CA's self-certificate.</t> The end entity can then securely use the CA's self-certificate.</t>
<t>See <xref target="sect-6.1"/> for further details.</t> <t>See <xref target="sect-6.1"/> for further details.</t>
</section> </section>
</section> </section>
<section anchor="sect-6.8"> <section anchor="sect-6.8">
<name>Certificate Request</name> <name>Certificate Request</name>
<t>An initialized end entity <bcp14>MAY</bcp14> request an additional ce rtificate at <t>An initialized end entity <bcp14>MAY</bcp14> request an additional ce rtificate at
skipping to change at line 4106 skipping to change at line 4177
a signing key pair (with a corresponding verification certificate), a signing key pair (with a corresponding verification certificate),
then this message will typically be protected by the entity's digital then this message will typically be protected by the entity's digital
signature. The CA returns the new certificate (if the request is signature. The CA returns the new certificate (if the request is
successful) in a key update response (kup) message, which is successful) in a key update response (kup) message, which is
syntactically identical to a CertRepMessage.</t> syntactically identical to a CertRepMessage.</t>
</section> </section>
</section> </section>
<section anchor="sect-7"> <section anchor="sect-7">
<name>Version Negotiation</name> <name>Version Negotiation</name>
<t>This section defines the version negotiation used to support older <t>This section defines the version negotiation used to support older
protocols between client and servers.</t> protocols between clients and servers.</t>
<t>If a client knows the protocol version(s) supported by the server (e.g. , <t>If a client knows the protocol version(s) supported by the server (e.g. ,
from a previous PKIMessage exchange or via some out-of-band means), then from a previous PKIMessage exchange or via some out-of-band means), then
it <bcp14>MUST</bcp14> send a PKIMessage with the highest version supported by b oth it and it <bcp14>MUST</bcp14> send a PKIMessage with the highest version supported by b oth it and
the server. If a client does not know what version(s) the server supports, the server. If a client does not know what version(s) the server supports,
then it <bcp14>MUST</bcp14> send a PKIMessage using the highest version it suppo rts with then it <bcp14>MUST</bcp14> send a PKIMessage using the highest version it suppo rts with
the following exception: version cmp2021 <bcp14>SHOULD</bcp14> only be used if c mp2021 syntax the following exception: Version cmp2021 <bcp14>SHOULD</bcp14> only be used if c mp2021 syntax
is needed for the request being sent or for the expected response.</t> is needed for the request being sent or for the expected response.</t>
<t>Note: Using cmp2000 as the default pvno is done to avoid extra message exchanges <t>Note: Using cmp2000 as the default pvno is done to avoid extra message exchanges
for version negotiation and to foster compatibility with cmp2000 implementations . for version negotiation and to foster compatibility with cmp2000 implementations .
Version cmp2021 syntax is only needed if a message exchange uses EnvelopedData, Version cmp2021 syntax is only needed if a message exchange uses EnvelopedData,
hashAlg (in CertStatus), POPOPrivKey with agreeMAC, or ckuann with RootCaKeyUpda teContent.</t> hashAlg (in CertStatus), POPOPrivKey with agreeMAC, or ckuann with RootCaKeyUpda teContent.</t>
<t>If a server receives a message with a version that it supports, then <t>If a server receives a message with a version that it supports, then
the version of the response message <bcp14>MUST</bcp14> be the same as the recei ved the version of the response message <bcp14>MUST</bcp14> be the same as the recei ved
version. If a server receives a message with a version higher or version. If a server receives a message with a version higher or
lower than it supports, then it <bcp14>MUST</bcp14> send back an ErrorMsg with t he lower than it supports, then it <bcp14>MUST</bcp14> send back an ErrorMsg with t he
unsupportedVersion bit set (in the failureInfo field of the unsupportedVersion bit set (in the failureInfo field of the
pKIStatusInfo). If the received version is higher than the highest pKIStatusInfo). If the received version is higher than the highest
supported version, then the version in the error message <bcp14>MUST</bcp14> be the supported version, then the version in the error message <bcp14>MUST</bcp14> be the
highest version the server supports; if the received version is lower highest version the server supports; if the received version is lower
than the lowest supported version then the version in the error than the lowest supported version, then the version in the error
message <bcp14>MUST</bcp14> be the lowest version the server supports.</t> message <bcp14>MUST</bcp14> be the lowest version the server supports.</t>
<t>If a client gets back an ErrorMsgContent with the unsupportedVersion <t>If a client gets back an ErrorMsgContent with the unsupportedVersion
bit set and a version it supports, then it <bcp14>MAY</bcp14> retry the request with bit set and a version it supports, then it <bcp14>MAY</bcp14> retry the request with
that version.</t> that version.</t>
<section anchor="sect-7.1"> <section anchor="sect-7.1">
<name>Supporting RFC 2510 Implementations</name> <name>Supporting RFC 2510 Implementations</name>
<t>RFC 2510 did not specify the behavior of implementations receiving <t><xref target="RFC2510"/> did not specify the behavior of implementati ons receiving
versions they did not understand since there was only one version in versions they did not understand since there was only one version in
existence. With the introduction of the revision in <xref target="RFC4210"/>, t he following versioning behaviour is recommended.</t> existence. With the introduction of the revision in <xref target="RFC4210"/>, t he following versioning behavior is recommended.</t>
<section anchor="sect-7.1.1"> <section anchor="sect-7.1.1">
<name>Clients Talking to RFC 2510 Servers</name> <name>Clients Talking to RFC 2510 Servers</name>
<t>If, after sending a message with a protocol version number higher t han cmp1999, <t>If, after sending a message with a protocol version number higher t han cmp1999,
a client receives an ErrorMsgContent with a version of cmp1999, then it <bcp14>M UST</bcp14> a client receives an ErrorMsgContent with a version of cmp1999, then it <bcp14>M UST</bcp14>
abort the current transaction.</t> abort the current transaction.</t>
<t>If a client receives a non-error PKIMessage with a version of <t>If a client receives a non-error PKIMessage with a version of
cmp1999, then it <bcp14>MAY</bcp14> decide to continue the transaction (if the cmp1999, then it <bcp14>MAY</bcp14> decide to continue the transaction (if the
transaction hasn't finished) using RFC 2510 semantics. If it does transaction hasn't finished) using the semantics described in <xref target="RFC2 510"/>. If it does
not choose to do so and the transaction is not finished, then it <bcp14>MUST</bc p14> not choose to do so and the transaction is not finished, then it <bcp14>MUST</bc p14>
abort the transaction and send an ErrorMsgContent with a version of abort the transaction and send an ErrorMsgContent with a version of
cmp1999.</t> cmp1999.</t>
</section> </section>
<section anchor="sect-7.1.2"> <section anchor="sect-7.1.2">
<name>Servers Receiving Version cmp1999 PKIMessages</name> <name>Servers Receiving Version cmp1999 PKIMessages</name>
<t>If a server receives a version cmp1999 message it <bcp14>MAY</bcp14 <t>If a server receives a version cmp1999 message, it <bcp14>MAY</bcp1
> revert to RFC 4> revert to the behavior described in <xref target="RFC2510"/> and respond with
2510 behaviour and respond with version cmp1999 messages. If it does version cmp1999 messages. If it does
not choose to do so, then it <bcp14>MUST</bcp14> send back an ErrorMsgContent as not choose to do so, then it <bcp14>MUST</bcp14> send back an ErrorMsgContent as
described above in <xref target="sect-7"/>.</t> described above in <xref target="sect-7"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="sect-8"> <section anchor="sect-8">
<name>Security Considerations</name> <name>Security Considerations</name>
<section anchor="sect-8.1"> <section anchor="sect-8.1">
<name>On the Necessity of Proof-Of-Possession</name> <name>On the Necessity of Proof-of-Possession</name>
<t>It is well established that the role of a Certification Authority is to <t>It is well established that the role of a Certification Authority is to
verify that the name and public key belong to the end entity prior to verify that the name and public key belong to the end entity prior to
issuing a certificate. If an entity holding a private key obtains a certificate containing the corresponding public key issued for a different entity, it can au thenticate as the entity named in the certificate. This facilitates masquerading . It is not entirely clear what security guarantees are lost if an end entity is able to obtain a certificate containing a public key that they do not possess t he corresponding private key for. There are some scenarios, issuing a certificate. If an entity holding a private key obtains a certificate containing the corresponding public key issued for a different entity, it can au thenticate as the entity named in the certificate. This facilitates masquerading . It is not entirely clear what security guarantees are lost if an end entity is able to obtain a certificate containing a public key that they do not possess t he corresponding private key for. There are some scenarios,
described as "forwarding attacks" in Appendix A of <xref target="Gueneysu"/>, in described as "forwarding attacks" in Appendix A of <xref target="Gueneysu"/>, in
which this can lead to protocol attacks against a naively-implemented which this can lead to protocol attacks against a naively implemented
sign-then-encrypt protocol, but in general it merely results in the sign-then-encrypt protocol, but in general, it merely results in the
end entity obtaining a certificate that they can not use.</t> end entity obtaining a certificate that they cannot use.</t>
</section> </section>
<section anchor="sect-8.2"> <section anchor="sect-8.2">
<name>Proof-Of-Possession with a Decryption Key</name> <name>Proof-of-Possession with a Decryption Key</name>
<t>Some cryptographic considerations are worth explicitly spelling out. <t>Some cryptographic considerations are worth explicitly spelling out.
In the protocols specified above, when an end entity is required to In the protocols specified above, when an end entity is required to
prove possession of a decryption key, it is effectively challenged to prove possession of a decryption key, it is effectively challenged to
decrypt something (its own certificate). This scheme (and many decrypt something (its own certificate). This scheme (and many
others!) could be vulnerable to an attack if the possessor of the others!) could be vulnerable to an attack if the possessor of the
decryption key in question could be fooled into decrypting an decryption key in question could be fooled into decrypting an
arbitrary challenge and returning the cleartext to an attacker. arbitrary challenge and returning the cleartext to an attacker.
Although in this specification a number of other failures in security Although in this specification a number of other failures in security
are required in order for this attack to succeed, it is conceivable are required in order for this attack to succeed, it is conceivable
that some future services (e.g., notary, trusted time) could that some future services (e.g., notary, trusted time) could
potentially be vulnerable to such attacks. For this reason, we potentially be vulnerable to such attacks. For this reason, we
reiterate the general rule that implementations should be very careful reiterate the general rule that implementations should be very careful
about decrypting arbitrary "ciphertext" and revealing recovered about decrypting arbitrary "ciphertext" and revealing recovered
"plaintext" since such a practice can lead to serious security "plaintext" since such a practice can lead to serious security
vulnerabilities.</t> vulnerabilities.</t>
<t>The client <bcp14>MUST</bcp14> return the decrypted values only if th ey match the expected content type. In an Indirect Method, the decrypted value < bcp14>MUST</bcp14> be a valid certificate, and in the Direct Method, the decrypt ed value <bcp14>MUST</bcp14> be a Rand as defined in <xref target="sect-5.2.8.3. 3"/>.</t> <t>The client <bcp14>MUST</bcp14> return the decrypted values only if th ey match the expected content type. In an indirect method, the decrypted value < bcp14>MUST</bcp14> be a valid certificate, and in a direct method, the decrypted value <bcp14>MUST</bcp14> be a Rand as defined in <xref target="sect-5.2.8.3.3" />.</t>
</section> </section>
<section anchor="sect-8.3"> <section anchor="sect-8.3">
<name>Proof-Of-Possession by Exposing the Private Key</name> <name>Proof-of-Possession by Exposing the Private Key</name>
<t>Note also that exposing a private key to the CA/RA as a <t>Note also that exposing a private key to the CA/RA as a
proof-of-possession technique can carry some security risks (depending proof-of-possession technique can carry some security risks (depending
upon whether or not the CA/RA can be trusted to handle such material upon whether or not the CA/RA can be trusted to handle such material
appropriately). Implementers are advised to:</t> appropriately). Implementers are advised to:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Exercise caution in selecting and using this particular POP <t>Exercise caution in selecting and using this particular POP
mechanism.</t> mechanism.</t>
</li> </li>
<li> <li>
skipping to change at line 4213 skipping to change at line 4283
<t>When appropriate, have the user of the application explicitly <t>When appropriate, have the user of the application explicitly
state that they are willing to trust the CA/RA to have a copy of state that they are willing to trust the CA/RA to have a copy of
their private key before proceeding to reveal the private key.</t> their private key before proceeding to reveal the private key.</t>
</li> </li>
</ul> </ul>
</section> </section>
<section anchor="sect-8.4"> <section anchor="sect-8.4">
<name>Attack Against Diffie-Hellman Key Exchange</name> <name>Attack Against Diffie-Hellman Key Exchange</name>
<t>A small subgroup attack during a Diffie-Hellman key exchange may be <t>A small subgroup attack during a Diffie-Hellman key exchange may be
carried out as follows. A malicious end entity may deliberately carried out as follows. A malicious end entity may deliberately
choose D-H parameters that enable it to derive (a significant choose DH parameters that enable it to derive (a significant
number of bits of) the D-H private key of the CA during a key number of bits of) the DH private key of the CA during a key
archival or key recovery operation. Armed with this knowledge, the archival or key recovery operation. Armed with this knowledge, the
EE would then be able to retrieve the decryption private key of EE would then be able to retrieve the decryption private key of
another unsuspecting end entity, EE2, during EE2's legitimate key another unsuspecting end entity, EE2, during EE2's legitimate key
archival or key recovery operation with that CA. In order to avoid archival or key recovery operation with that CA. In order to avoid
the possibility of such an attack, two courses of action are the possibility of such an attack, two courses of action are
available. (1) The CA may generate a fresh D-H key pair to be used available. (1) The CA may generate a fresh DH key pair to be used
as a protocol encryption key pair for each EE with which it as a protocol encryption key pair for each EE with which it
interacts. (2) The CA may enter into a key validation protocol (not interacts. (2) The CA may enter into a key validation protocol (not
specified in this document) with each requesting end entity to ensure specified in this document) with each requesting end entity to ensure
that the EE's protocol encryption key pair will not facilitate this that the EE's protocol encryption key pair will not facilitate this
attack. Option (1) is clearly simpler (requiring no extra protocol attack. Option (1) is clearly simpler (requiring no extra protocol
exchanges from either party) and is therefore <bcp14>RECOMMENDED</bcp14>.</t> exchanges from either party) and is therefore <bcp14>RECOMMENDED</bcp14>.</t>
</section> </section>
<section anchor="sect-8.5"> <section anchor="sect-8.5">
<name>Perfect Forward Secrecy</name> <name>Perfect Forward Secrecy</name>
<t>Long-term security typically requires perfect forward secrecy (pfs). <t>Long-term security typically requires perfect forward secrecy (pfs).
When transferring encrypted long-term confidential values such as centrally gene When transferring encrypted long-term confidential values such as centrally gene
rated private keys or revocation passphrases, pfs likely is important. rated private keys or revocation passphrases, pfs is likely important.
Yet it is not needed for CMP message protection providing integrity and authenti Yet, it is not needed for CMP message protection providing integrity and authent
city because transfer of PKI messages is usually completed in very limited time. icity because transfer of PKI messages is usually completed in very limited time
For the same reason it typically is not required for the indirect method of prov .
iding a POP <xref target="sect-5.2.8.3.2"/> delivering the newly issued certific For the same reason, it is not typically required for the indirect method to pro
ate in encrypted form.</t> vide a POP (<xref target="sect-5.2.8.3.2"/>) delivering the newly issued certifi
<t>Encrypted values <xref target="sect-5.2.2"/> are transferred using CM cate in encrypted form.</t>
S EnvelopedData <xref target="RFC5652"/>, which does not offer pfs. In cases whe <t>Encrypted values (<xref target="sect-5.2.2"/>) are transferred using
re long-term security is needed, CMP messages <bcp14>SHOULD</bcp14> be transferr CMS EnvelopedData <xref target="RFC5652"/>, which does not offer pfs. In cases w
ed over a mechanism that provides pfs, such as TLS with appropriate cipher suite here long-term security is needed, CMP messages <bcp14>SHOULD</bcp14> be transfe
s selected.</t> rred over a mechanism that provides pfs, such as TLS with appropriate cipher sui
tes selected.</t>
</section> </section>
<section anchor="sect-8.6"> <section anchor="sect-8.6">
<name>Private Keys for Certificate Signing and CMP Message Protection</n ame> <name>Private Keys for Certificate Signing and CMP Message Protection</n ame>
<t>A CA should not reuse its certificate signing key for other purposes, such <t>A CA should not reuse its certificate signing key for other purposes, such
as protecting CMP responses and TLS connections. This way, exposure to other as protecting CMP responses and TLS connections. This way, exposure to other
parts of the system and the number of uses of this particularly critical parts of the system and the number of uses of this particularly critical
key are reduced to a minimum.</t> key are reduced to a minimum.</t>
</section> </section>
<section anchor="sect-8.7"> <section anchor="sect-8.7">
<name>Entropy of Random Numbers, Key Pairs, and Shared Secret Informatio n</name> <name>Entropy of Random Numbers, Key Pairs, and Shared Secret Informatio n</name>
<t>Implementations must generate nonces and private keys from random inp ut. <t>Implementations must generate nonces and private keys from random inp ut.
The use of inadequate pseudorandom number generators (PRNGs) to generate The use of inadequate pseudorandom number generators (PRNGs) to generate
cryptographic keys can result in little or no security. An attacker may find cryptographic keys can result in little or no security. An attacker may find
it much easier to reproduce the PRNG environment that produced the keys and it much easier to reproduce the PRNG environment that produced the keys and
to search the resulting small set of possibilities than brute-force searching to search the resulting small set of possibilities than brute-force searching th
the whole key space. As an example of predictable random numbers, see <xref targ e whole key space. As an example of predictable random numbers, see <xref target
et="CVE-2008-0166"/>; consequences of low-entropy random numbers are discussed i ="CVE-2008-0166"/>; consequences of low-entropy random numbers are discussed in
n <xref target="MiningPsQs">Mining Your Ps and Qs</xref>. The generation of qual <xref target="MiningPsQs">Mining Your Ps and Qs</xref>. The generation of qualit
ity random numbers is difficult. <xref target="ISO.20543-2019">ISO/IEC 20543:201 y random numbers is difficult. <xref target="ISO.20543-2019">ISO/IEC 20543:2019<
9</xref>, <xref target="NIST.SP.800_90Ar1">NIST SP 800-90A Rev.1</xref>, <xref t /xref>, <xref target="NIST.SP.800_90Ar1">NIST SP 800-90A Rev.1</xref>, <xref tar
arget="AIS31">BSI AIS 31 V2.0</xref>, and other specifications offer valuable gu get="AIS31">BSI AIS 31 V2.0</xref>, and other specifications offer valuable guid
idance in this area.</t> ance in this area.</t>
<t>If shared secret information is generated by a cryptographically secu re random number <t>If shared secret information is generated by a cryptographically secu re random number
generator (CSRNG), it is safe to assume that the entropy of the shared secret generator (CSRNG), it is safe to assume that the entropy of the shared secret
information equals its bit length. If no CSRNG is used, the entropy of information equals its bit length. If no CSRNG is used, the entropy of
shared secret information depends on the details of the generation process shared secret information depends on the details of the generation process
and cannot be measured securely after it has been generated. If user-generated and cannot be measured securely after it has been generated.
<!--[rfced] In the sentence below, does "are typically insufficient..."
refer to "passwords" or "entropy"?
Original:
If user-generated passwords are used as
shared secret information, their entropy cannot be measured and are
typically insufficient for protected delivery of centrally generated
keys or trust anchors.
Perhaps A (refers to "passwords"):
If user-generated passwords are used as
shared secret information, their entropy cannot be measured and the passwords
are typically insufficient for protected delivery of centrally generated
keys or trust anchors.
Perhaps B (refers to "entropy"):
If user-generated passwords are used as
shared secret information, their entropy cannot be measured and is
typically insufficient for protected delivery of centrally generated
keys or trust anchors.
-->
If user-generated
passwords are used as shared secret information, their entropy cannot be passwords are used as shared secret information, their entropy cannot be
measured and are typically insufficient for protected delivery of centrally measured and are typically insufficient for protected delivery of centrally
generated keys or trust anchors.</t> generated keys or trust anchors.</t>
<t>If the entropy of shared secret information protecting the delivery o f <t>If the entropy of shared secret information protecting the delivery o f
a centrally generated key pair is known, it should not be less than the security a centrally generated key pair is known, it should not be less than the security
strength of that key pair; if the shared secret information is reused for strength of that key pair; if the shared secret information is reused for
different key pairs, the security of the shared secret information should different key pairs, the security of the shared secret information should
exceed the security strength of each individual key pair.</t> exceed the security strength of each individual key pair.</t>
<t>For the case of a PKI management operation that delivers a new trust anchor <t>For the case of a PKI management operation that delivers a new trust anchor
(e.g., a root CA certificate) using caPubs or genp that is (a) not concluded (e.g., a root CA certificate), using caPubs or genp that is (a) not concluded
in a timely manner or (b) where the shared secret information is reused in a timely manner or (b) where the shared secret information is reused
for several key management operations, the entropy of the shared secret informat ion, for several key management operations, the entropy of the shared secret informat ion,
if known, should not be less than the security strength of the trust anchor if known, should not be less than the security strength of the trust anchor
being managed by the operation. The shared secret information should have being managed by the operation. The shared secret information should have
an entropy that at least matches the security strength of the key material an entropy that at least matches the security strength of the key material
being managed by the operation. Certain use cases may require shared secret being managed by the operation. Certain use cases may require shared secret
information that may be of a low security strength, e.g., a human-generated information that may be of a low security strength, e.g., a human-generated
password. It is <bcp14>RECOMMENDED</bcp14> that such secret information be limit ed to a password. It is <bcp14>RECOMMENDED</bcp14> that such secret information be limit ed to a
single PKI management operation.</t> single PKI management operation.</t>
<t>Importantly for this section further information about algorithm use <t>Importantly for this section, further information about algorithm use
profiles profiles
and their security strength is available in CMP Algorithms <xref target="RFC9481 and their security strength is available in <xref section="7" target="RFC9481">C
"/> Section MP Algorithms</xref>.</t>
7.</t>
</section> </section>
<section anchor="sect-8.8"> <section anchor="sect-8.8">
<name>Recurring Usage of KEM Keys for Message Protection</name> <name>Recurring Usage of KEM Keys for Message Protection</name>
<t>For each PKI management operation using MAC-based message protection involving KEM, see <xref target="sect-5.1.3.4"/>, the KEM Encapsulate() function , providing a fresh KEM ciphertext (ct) and shared secret (ss), <bcp14>MUST</bcp 14> be invoked.</t> <t>For each PKI management operation using MAC-based message protection involving KEM (see <xref target="sect-5.1.3.4"/>), the KEM Encapsulate() functio n, providing a fresh KEM ciphertext (ct) and shared secret (ss), <bcp14>MUST</bc p14> be invoked.</t>
<t>It is assumed that the overall data size of the CMP messages <t>It is assumed that the overall data size of the CMP messages
in a PKI management operation protected by a single shared secret key in a PKI management operation protected by a single shared secret key
is small enough not to introduce extra security risks.</t> is small enough not to introduce extra security risks.</t>
<t>To be appropriate for use with this specification, the KEM algorithm <t>To be appropriate for use with this specification, the KEM algorithm
<bcp14>MUST</bcp14> explicitly be designed to be secure when the public key is u sed <bcp14>MUST</bcp14> explicitly be designed to be secure when the public key is u sed
many times. For example, a KEM algorithm with a single-use public many times. For example, a KEM algorithm with a single-use public
key is not appropriate because the public key is expected to be key is not appropriate because the public key is expected to be
carried in a long-lived certificate <xref target="RFC5280"/> and used over and o ver. carried in a long-lived certificate <xref target="RFC5280"/> and used over and o ver.
Thus, KEM algorithms that offer indistinguishability under adaptive Thus, KEM algorithms that offer indistinguishability under adaptive
chosen ciphertext attack (IND-CCA2) security are appropriate. A chosen ciphertext attack (IND-CCA2) security are appropriate. A
common design pattern for obtaining IND-CCA2 security with public key common design pattern for obtaining IND-CCA2 security with public key
reuse is to apply the Fujisaki-Okamoto (FO) transform <xref target="Fujisaki"/> or a reuse is to apply the Fujisaki-Okamoto (FO) transform <xref target="Fujisaki"/> or a
variant of the FO transform <xref target="Hofheinz"/>.</t> variant of the FO transform <xref target="Hofheinz"/>.</t>
<t>Therefore, given a long-term public key using an IND-CCA2 secure KEM <t>Therefore, given a long-term public key using an IND-CCA2-secure KEM
algorithm, there is no limit to the number of CMP messages that can algorithm, there is no limit to the number of CMP messages that can
be authenticated using KEM keys for MAC-based message protection.</t> be authenticated using KEM keys for MAC-based message protection.</t>
</section> </section>
<section anchor="sect-8.9"> <section anchor="sect-8.9">
<name>Trust Anchor Provisioning Using CMP Messages</name> <name>Trust Anchor Provisioning Using CMP Messages</name>
<t>A provider of trust anchors, which may be an RA involved in configura tion <t>A provider of trust anchors, which may be an RA involved in configura tion
management of its clients, <bcp14>MUST NOT</bcp14> include to-be-trusted CA cert ificates management of its clients, <bcp14>MUST NOT</bcp14> include to-be-trusted CA cert ificates
in a CMP message unless the specific deployment scenario can ensure that in a CMP message unless the specific deployment scenario can ensure that
it is adequate that the receiving EE trusts these certificates, e.g., by it is adequate that the receiving EE trusts these certificates, e.g., by
loading them into its trust store.</t> loading them into its trust store.</t>
<t>Whenever an EE receives in a CMP message a CA certificate to be used <t>Whenever an EE receives in a CMP message a CA certificate to be used
as a trust anchor (for example in the caPubs field of a certificate response as a trust anchor (for example, in the caPubs field of a certificate response
or in a general response), it <bcp14>MUST</bcp14> properly authenticate the mess age sender with or in a general response), it <bcp14>MUST</bcp14> properly authenticate the mess age sender with
existing trust anchors without requiring new trust anchor information included i n the existing trust anchors without requiring new trust anchor information included i n the
message.</t> message.</t>
<t>Additionally, the EE <bcp14>MUST</bcp14> verify that the sender is an authorized source <t>Additionally, the EE <bcp14>MUST</bcp14> verify that the sender is an authorized source
of trust anchors. This authorization is governed by local policy and typically of trust anchors. This authorization is governed by local policy and typically
indicated using shared secret information or with a signature-based message indicated using shared secret information or with a signature-based message
protection using a certificate issued by a PKI that is explicitly authorized protection using a certificate issued by a PKI that is explicitly authorized
for this purpose.</t> for this purpose.</t>
</section> </section>
<section anchor="sect-8.10"> <section anchor="sect-8.10">
<name>Authorizing Requests for Certificates with Specific EKUs</name> <name>Authorizing Requests for Certificates with Specific EKUs</name>
<t>When a CA issues a certificate containing extended key usage extensio ns as <t>When a CA issues a certificate containing extended key usage extensio ns as
defined in <xref target="sect-4.5"/>, this expresses delegation of an authorizat ion that defined in <xref target="sect-4.5"/>, this expresses delegation of an authorizat ion that
originally is only with the CA certificate itself. originally is only with the CA certificate itself.
Such delegation is a very sensitive action in a PKI and therefore Such delegation is a very sensitive action in a PKI, and therefore,
special care must be taken when approving such certificate requests to special care must be taken when approving such certificate requests to
ensure that only legitimate entities receive a certificate containing ensure that only legitimate entities receive a certificate containing
such an EKU.</t> such an EKU.</t>
</section> </section>
<section anchor="sect-8.11"> <section anchor="sect-8.11">
<name>Usage of Certificate Transparency Logs</name> <name>Usage of Certificate Transparency Logs</name>
<t>CAs that support indirect POP <bcp14>MUST NOT</bcp14> also publish fi <t>CAs that support indirect POP <bcp14>MUST NOT</bcp14> also publish fi
nal certificates to Certificate Transparency logs <xref target="RFC9162"/> befor nal certificates to Certificate Transparency (CT) logs <xref target="RFC9162"/>
e having received the certConf message containing the certHash of that certifica before having received the certConf message containing the certHash of that cert
te to complete the POP. The risk is that a malicious actor could fetch the final ificate to complete the POP. The risk is that a malicious actor could fetch the
certificate from the CT log and use that to spoof a response to the implicit PO final certificate from the CT log and use that to spoof a response to the implic
P challenge via a certConf response. This risk does not apply to CT precertifica it POP challenge via a certConf response. This risk does not apply to CT precert
tes, so those are ok to publish.</t> ificates, so those are OK to publish.</t>
<t>If a certificate or its precertificate was published in a CT log it m <t>If a certificate or its precertificate was published in a CT log, it
ust be revoked, if a required certConf message could not be verified, especially must be revoked if a required certConf message could not be verified, especially
when the implicit POP was used.</t> when the implicit POP was used.</t>
</section> </section>
</section> </section>
<section anchor="sect-9"> <section anchor="sect-9">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document updates the ASN.1 modules of CMP Updates Appendix A.2 <xr <t>This document updates the ASN.1 modules in <xref section="A.2" target="
ef target="RFC9480"/>. The OID TBD2 (id-mod-cmp2023-02) was registered in the "S RFC9480">CMP Updates</xref>. The OID 116 (id-mod-cmp2023-02) was registered in t
MI Security for PKIX Module Identifier" registry to identify the updated ASN.1 m he "SMI Security for PKIX Module Identifier" registry to identify the updated AS
odule.</t> N.1 module.</t>
<t>In the SMI-numbers registry "SMI Security for PKIX CMP Information Type <t>IANA has added the following entry in the "SMI Security for PKIX CMP In
s (1.3.6.1.5.5.7.4)" (see https://www.iana.org/assignments/smi-numbers/smi-numbe formation Types" registry within the SMI Numbers registry group (see <eref brack
rs.xhtml#smi-numbers-1.3.6.1.5.5.7.4) as defined in <xref target="RFC7299"/> one ets="angle" target="https://www.iana.org/assignments/smi-numbers"/>) <xref targe
addition has been performed.</t> t="RFC7299"/>: </t>
<t>One new entry has been added:</t>
<t>Decimal: TBD1</t> <dl spacing="compact" newline="false">
<t>Description: id-it-KemCiphertextInfo</t> <dt>Decimal:</dt><dd>24</dd>
<t>Reference: [RFCXXXX]</t> <dt>Description:</dt><dd>id-it-KemCiphertextInfo</dd>
<t>The new OID 1.2.840.113533.7.66.16 was registered by Entrust for id-Kem <dt>Reference:</dt><dd>RFC 9810</dd>
BasedMac in the arch 1.2.840.113533.7.66. Entrust registered also the OIDs for i </dl>
d-PasswordBasedMac and id-DHBasedMac there.</t>
<t>All existing references to <xref target="RFC2510"/>, <xref target="RFC4 <!-- [rfced] We are unable to verify these registrations with Entrust. Please e
210"/>, and <xref target="RFC9480"/> at https://www.iana.org/assignments/smi-num nsure the descriptions and values are correct. In addition, please consider whe
bers/smi-numbers.xhtml except those in the "SMI Security for PKIX Module Identif ther it is appropriate for this text to appear in the IANA Considerations sectio
ier" registry should be replaced with references to this document.</t> n, as it seemingly does not provide any information for IANA and does not requir
</section> e any IANA actions.
<section anchor="Acknowledgements">
<name>Acknowledgements</name> Original:
<t>The authors of this document wish to thank Carlisle Adams, Stephen Farr The new OID 1.2.840.113533.7.66.16 was registered by Entrust for id-
ell, KemBasedMac in the arch 1.2.840.113533.7.66. Entrust registered also
Tomi Kause, and Tero Mononen, the original authors of <xref target="RFC4210"/>, the OIDs for id-PasswordBasedMac and id-DHBasedMac there.
for their work.</t> -->
<t>We also thank all reviewers of this document for their valuable feedbac
k.</t> <t>The new OID 1.2.840.113533.7.66.16 was registered by Entrust for id-Kem
<t>Adding KEM support to this document was partly funded by the German Fed BasedMac in the arc 1.2.840.113533.7.66. Entrust also registered the OIDs for id
eral Ministry of Education and Research in the project Quoryptan through grant n -PasswordBasedMac and id-DHBasedMac there.</t>
umber 16KIS2033.</t> <t>All existing references to <xref target="RFC2510"/>, <xref target="RFC4
210"/>, and <xref target="RFC9480"/> at <eref brackets="angle" target="https://w
ww.iana.org/assignments/smi-numbers"/> except those in the "SMI Security for PKI
X Module Identifier" registry have been replaced with references to this documen
t.</t>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-lamps-kyber-certificates" to="ML-KEM"/>
<references anchor="sec-combined-references"> <references anchor="sec-combined-references">
<name>References</name> <name>References</name>
<!-- [rfced] Would you like the references to be alphabetized or left
in their current order?
-->
<references anchor="sec-normative-references"> <references anchor="sec-normative-references">
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC2985"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
<front> 985.xml"/>
<title>PKCS #9: Selected Object Classes and Attribute Types Version <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
2.0</title> 986.xml"/>
<author fullname="M. Nystrom" initials="M." surname="Nystrom"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
<author fullname="B. Kaliski" initials="B." surname="Kaliski"/> 629.xml"/>
<date month="November" year="2000"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
<abstract> 211.xml"/>
<t>This memo represents a republication of PKCS #9 v2.0 from RSA L <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
aboratories' Public-Key Cryptography Standards (PKCS) series, and change control 280.xml"/>
is retained within the PKCS process. The body of this document, except for the <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
security considerations section, is taken directly from that specification. This 480.xml"/>
memo provides information for the Internet community.</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
</abstract> 646.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<seriesInfo name="RFC" value="2985"/> 652.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC2985"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
</reference> 958.xml"/>
<reference anchor="RFC2986"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
<front> 402.xml"/>
<title>PKCS #10: Certification Request Syntax Specification Version <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
1.7</title> 933.xml"/>
<author fullname="M. Nystrom" initials="M." surname="Nystrom"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<author fullname="B. Kaliski" initials="B." surname="Kaliski"/> 045.xml"/>
<date month="November" year="2000"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<abstract> 481.xml"/>
<t>This memo represents a republication of PKCS #10 v1.7 from RSA <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
Laboratories' Public-Key Cryptography Standards (PKCS) series, and change contro 629.xml"/>
l is retained within the PKCS process. The body of this document, except for the
security considerations section, is taken directly from the PKCS #9 v2.0 or the <!-- [rfced] Please review. We found the following URL:
PKCS #10 v1.7 document. This memo provides information for the Internet communi https://cacr.uwaterloo.ca/hac/index.html which is provided by authors
ty.</t> of this handbook and includes open-access PDF files of this
</abstract> reference. Would you like to add this URL to the reference?
</front>
<seriesInfo name="RFC" value="2986"/> [MvOV97] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook
<seriesInfo name="DOI" value="10.17487/RFC2986"/> of Applied Cryptography", CRC Press ISBN 0-8493-8523-7,
</reference> 1996.
<reference anchor="RFC3629"> -->
<front>
<title>UTF-8, a transformation format of ISO 10646</title>
<author fullname="F. Yergeau" initials="F." surname="Yergeau"/>
<date month="November" year="2003"/>
<abstract>
<t>ISO/IEC 10646-1 defines a large character set called the Univer
sal Character Set (UCS) which encompasses most of the world's writing systems. T
he originally proposed encodings of the UCS, however, were not compatible with m
any current applications and protocols, and this has led to the development of U
TF-8, the object of this memo. UTF-8 has the characteristic of preserving the fu
ll US-ASCII range, providing compatibility with file systems, parsers and other
software that rely on US-ASCII values but are transparent to other values. This
memo obsoletes and replaces RFC 2279.</t>
</abstract>
</front>
<seriesInfo name="STD" value="63"/>
<seriesInfo name="RFC" value="3629"/>
<seriesInfo name="DOI" value="10.17487/RFC3629"/>
</reference>
<reference anchor="RFC4211">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate Request
Message Format (CRMF)</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="September" year="2005"/>
<abstract>
<t>This document describes the Certificate Request Message Format
(CRMF) syntax and semantics. This syntax is used to convey a request for a certi
ficate to a Certification Authority (CA), possibly via a Registration Authority
(RA), for the purposes of X.509 certificate production. The request will typical
ly include a public key and the associated registration information. This docume
nt does not define a certificate request protocol. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4211"/>
<seriesInfo name="DOI" value="10.17487/RFC4211"/>
</reference>
<reference anchor="RFC5280">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Cert
ificate Revocation List (CRL) Profile</title>
<author fullname="D. Cooper" initials="D." surname="Cooper"/>
<author fullname="S. Santesson" initials="S." surname="Santesson"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"/>
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="W. Polk" initials="W." surname="Polk"/>
<date month="May" year="2008"/>
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif
icate revocation list (CRL) for use in the Internet. An overview of this approac
h and model is provided as an introduction. The X.509 v3 certificate format is d
escribed in detail, with additional information regarding the format and semanti
cs of Internet name forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required certificate extensi
ons is specified. The X.509 v2 CRL format is described in detail along with stan
dard and Internet-specific extensions. An algorithm for X.509 certification path
validation is described. An ASN.1 module and examples are provided in the appen
dices. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC5480">
<front>
<title>Elliptic Curve Cryptography Subject Public Key Information</t
itle>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<author fullname="D. Brown" initials="D." surname="Brown"/>
<author fullname="K. Yiu" initials="K." surname="Yiu"/>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="T. Polk" initials="T." surname="Polk"/>
<date month="March" year="2009"/>
<abstract>
<t>This document specifies the syntax and semantics for the Subjec
t Public Key Information field in certificates that support Elliptic Curve Crypt
ography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Al
gorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certif
icate and Certificate Revocation List (CRL) Profile", RFC 3279. [STANDARDS-TRACK
]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5480"/>
<seriesInfo name="DOI" value="10.17487/RFC5480"/>
</reference>
<reference anchor="RFC5646">
<front>
<title>Tags for Identifying Languages</title>
<author fullname="A. Phillips" initials="A." role="editor" surname="
Phillips"/>
<author fullname="M. Davis" initials="M." role="editor" surname="Dav
is"/>
<date month="September" year="2009"/>
<abstract>
<t>This document describes the structure, content, construction, a
nd semantics of language tags for use in cases where it is desirable to indicate
the language used in an information object. It also describes how to register v
alues for use in language tags and the creation of user-defined extensions for p
rivate interchange. This document specifies an Internet Best Current Practices f
or the Internet Community, and requests discussion and suggestions for improveme
nts.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="47"/>
<seriesInfo name="RFC" value="5646"/>
<seriesInfo name="DOI" value="10.17487/RFC5646"/>
</reference>
<reference anchor="RFC5652">
<front>
<title>Cryptographic Message Syntax (CMS)</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="September" year="2009"/>
<abstract>
<t>This document describes the Cryptographic Message Syntax (CMS).
This syntax is used to digitally sign, digest, authenticate, or encrypt arbitra
ry message content. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="70"/>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference>
<reference anchor="RFC5958">
<front>
<title>Asymmetric Key Packages</title>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="August" year="2010"/>
<abstract>
<t>This document defines the syntax for private-key information an
d a content type for it. Private-key information includes a private key for a sp
ecified public-key algorithm and a set of attributes. The Cryptographic Message
Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, aut
henticate, or encrypt the asymmetric key format content type. This document obso
letes RFC 5208. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5958"/>
<seriesInfo name="DOI" value="10.17487/RFC5958"/>
</reference>
<reference anchor="RFC6402">
<front>
<title>Certificate Management over CMS (CMC) Updates</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="November" year="2011"/>
<abstract>
<t>This document contains a set of updates to the base syntax for
CMC, a Certificate Management protocol using the Cryptographic Message Syntax (C
MS). This document updates RFC 5272, RFC 5273, and RFC 5274.</t>
<t>The new items in this document are: new controls for future wor
k in doing server side key generation, definition of a Subject Information Acces
s value to identify CMC servers, and the registration of a port number for TCP/I
P for the CMC service to run on. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6402"/>
<seriesInfo name="DOI" value="10.17487/RFC6402"/>
</reference>
<reference anchor="RFC8933">
<front>
<title>Update to the Cryptographic Message Syntax (CMS) for Algorith
m Identifier Protection</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="October" year="2020"/>
<abstract>
<t>This document updates the Cryptographic Message Syntax (CMS) sp
ecified in RFC 5652 to ensure that algorithm identifiers in signed-data and auth
enticated-data content types are adequately protected.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8933"/>
<seriesInfo name="DOI" value="10.17487/RFC8933"/>
</reference>
<reference anchor="RFC9045">
<front>
<title>Algorithm Requirements Update to the Internet X.509 Public Ke
y Infrastructure Certificate Request Message Format (CRMF)</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="June" year="2021"/>
<abstract>
<t>This document updates the cryptographic algorithm requirements
for the Password-Based Message Authentication Code in the Internet X.509 Public
Key Infrastructure Certificate Request Message Format (CRMF) specified in RFC 42
11.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9045"/>
<seriesInfo name="DOI" value="10.17487/RFC9045"/>
</reference>
<reference anchor="RFC9481">
<front>
<title>Certificate Management Protocol (CMP) Algorithms</title>
<author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/>
<author fullname="H. Aschauer" initials="H." surname="Aschauer"/>
<author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
<author fullname="J. Gray" initials="J." surname="Gray"/>
<date month="November" year="2023"/>
<abstract>
<t>This document describes the conventions for using several
cryptographic algorithms with the Certificate Management Protocol
(CMP). CMP is used to enroll and further manage the lifecycle of
X.509 certificates. This document also updates the algorithm use
profile from Appendix D.2 of RFC 4210.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9481"/>
<seriesInfo name="DOI" value="10.17487/RFC9481"/>
</reference>
<reference anchor="RFC9629">
<front>
<title>Using Key Encapsulation Mechanism (KEM) Algorithms in the Cry
ptographic Message Syntax (CMS)</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="J. Gray" initials="J." surname="Gray"/>
<author fullname="T. Okubo" initials="T." surname="Okubo"/>
<date month="August" year="2024"/>
<abstract>
<t>The Cryptographic Message Syntax (CMS) supports key transport a
nd key agreement algorithms. In recent years, cryptographers have been specifyin
g Key Encapsulation Mechanism (KEM) algorithms, including quantum-secure KEM alg
orithms. This document defines conventions for the use of KEM algorithms by the
originator and recipients to encrypt and decrypt CMS content. This document upda
tes RFC 5652.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9629"/>
<seriesInfo name="DOI" value="10.17487/RFC9629"/>
</reference>
<reference anchor="MvOV97"> <reference anchor="MvOV97">
<front> <front>
<title>Handbook of Applied Cryptography</title> <title>Handbook of Applied Cryptography</title>
<author initials="A." surname="Menezes" fullname="A. Menezes"> <author initials="A." surname="Menezes" fullname="A. Menezes">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="van Oorschot" fullname="P. van Oorsch ot"> <author initials="P." surname="van Oorschot" fullname="P. van Oorsch ot">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Vanstone" fullname="S. Vanstone"> <author initials="S." surname="Vanstone" fullname="S. Vanstone">
<organization/> <organization/>
</author> </author>
<date year="1996"/> <date year="1996"/>
</front> </front>
<seriesInfo name="CRC" value="Press ISBN 0-8493-8523-7"/> <seriesInfo name="CRC" value="Press ISBN 0-8493-8523-7"/>
</reference> </reference>
<reference anchor="RFC2119"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
<front> 119.xml"/>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
le> 174.xml"/>
<author fullname="S. Bradner" initials="S." surname="Bradner"/>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized. T
his document defines these words as they should be interpreted in IETF documents
. This document specifies an Internet Best Current Practices for the Internet Co
mmunity, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
</references> </references>
<references anchor="sec-informative-references"> <references anchor="sec-informative-references">
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC9480"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<front> 480.xml"/>
<title>Certificate Management Protocol (CMP) Updates</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/> 482.xml"/>
<author fullname="D. von Oheimb" initials="D." surname="von Oheimb"/ <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
> 483.xml"/>
<author fullname="J. Gray" initials="J." surname="Gray"/>
<date month="November" year="2023"/>
<abstract>
<t>This document contains a set of updates to the syntax of Certif
icate Management Protocol (CMP) version 2 and its HTTP transfer mechanism. This
document updates RFCs 4210, 5912, and 6712.</t>
<t>The aspects of CMP updated in this document are using Enveloped
Data instead of EncryptedValue, clarifying the handling of p10cr messages, impro
ving the crypto agility, as well as adding new general message types, extended k
ey usages to identify certificates for use with CMP, and well-known URI path seg
ments.</t>
<t>CMP version 3 is introduced to enable signaling support of Enve
lopedData instead of EncryptedValue and signal the use of an explicit hash Algor
ithmIdentifier in certConf messages, as far as needed.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9480"/>
<seriesInfo name="DOI" value="10.17487/RFC9480"/>
</reference>
<reference anchor="RFC9482">
<front>
<title>Constrained Application Protocol (CoAP) Transfer for the Cert
ificate Management Protocol</title>
<author fullname="M. Sahni" initials="M." role="editor" surname="Sah
ni"/>
<author fullname="S. Tripathi" initials="S." role="editor" surname="
Tripathi"/>
<date month="November" year="2023"/>
<abstract>
<t>This document specifies the use of the Constrained Application
Protocol (CoAP) as a transfer mechanism for the Certificate Management Protocol
(CMP). CMP defines the interaction between various PKI entities for the purpose
of certificate creation and management. CoAP is an HTTP-like client-server proto
col used by various constrained devices in the Internet of Things space.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9482"/>
<seriesInfo name="DOI" value="10.17487/RFC9482"/>
</reference>
<reference anchor="RFC9483">
<front>
<title>Lightweight Certificate Management Protocol (CMP) Profile</ti
tle>
<author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/>
<author fullname="D. von Oheimb" initials="D." surname="von Oheimb"/
>
<author fullname="S. Fries" initials="S." surname="Fries"/>
<date month="November" year="2023"/>
<abstract>
<t>This document aims at simple, interoperable, and automated PKI
management operations covering typical use cases of industrial and Internet of T
hings (IoT) scenarios. This is achieved by profiling the Certificate Management
Protocol (CMP), the related Certificate Request Message Format (CRMF), and trans
fer based on HTTP or Constrained Application Protocol (CoAP) in a succinct but s
ufficiently detailed and self-contained way. To make secure certificate manageme
nt for simple scenarios and constrained devices as lightweight as possible, only
the most crucial types of operations and options are specified as mandatory. Mo
re specialized or complex use cases are supported with optional features.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9483"/>
<seriesInfo name="DOI" value="10.17487/RFC9483"/>
</reference>
<reference anchor="I-D.ietf-lamps-rfc6712bis">
<front>
<title>Internet X.509 Public Key Infrastructure -- HTTP Transfer for
the Certificate Management Protocol (CMP)</title>
<author fullname="Hendrik Brockhaus" initials="H." surname="Brockhau
s">
<organization>Siemens</organization>
</author>
<author fullname="David von Oheimb" initials="D." surname="von Oheim
b">
<organization>Siemens</organization>
</author>
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
<organization>Entrust</organization>
</author>
<author fullname="John Gray" initials="J." surname="Gray">
<organization>Entrust</organization>
</author>
<date day="9" month="January" year="2025"/>
<abstract>
<t> This document describes how to layer the Certificate Managem
ent
Protocol (CMP) over HTTP.
It includes the updates to RFC 6712 specified in RFC 9480 Section 3.
These updates introduce CMP URIs using a Well-known prefix. It
obsoletes RFC 6712 and together with I-D.ietf-lamps-rfc4210bis and it
also obsoletes RFC 9480.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-rfc6712bis-1
0"/>
</reference>
<reference anchor="RFC1847">
<front>
<title>Security Multiparts for MIME: Multipart/Signed and Multipart/
Encrypted</title>
<author fullname="J. Galvin" initials="J." surname="Galvin"/>
<author fullname="S. Murphy" initials="S." surname="Murphy"/>
<author fullname="S. Crocker" initials="S." surname="Crocker"/>
<author fullname="N. Freed" initials="N." surname="Freed"/>
<date month="October" year="1995"/>
<abstract>
<t>This document defines a framework within which security service
s may be applied to MIME body parts. [STANDARDS-TRACK] This memo defines a new S
imple Mail Transfer Protocol (SMTP) [1] reply code, 521, which one may use to in
dicate that an Internet host does not accept incoming mail. This memo defines an
Experimental Protocol for the Internet community. This memo defines an extensio
n to the SMTP service whereby an interrupted SMTP transaction can be restarted a
t a later time without having to repeat all of the commands and message content
sent prior to the interruption. This memo defines an Experimental Protocol for t
he Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="1847"/>
<seriesInfo name="DOI" value="10.17487/RFC1847"/>
</reference>
<reference anchor="RFC2510">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate Manageme
nt Protocols</title>
<author fullname="C. Adams" initials="C." surname="Adams"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"/>
<date month="March" year="1999"/>
<abstract>
<t>This document describes the Internet X.509 Public Key Infrastru
cture (PKI) Certificate Management Protocols. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2510"/>
<seriesInfo name="DOI" value="10.17487/RFC2510"/>
</reference>
<reference anchor="RFC2585">
<front>
<title>Internet X.509 Public Key Infrastructure Operational Protocol
s: FTP and HTTP</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<date month="May" year="1999"/>
<abstract>
<t>The protocol conventions described in this document satisfy som
e of the operational requirements of the Internet Public Key Infrastructure (PKI
). This document specifies the conventions for using the File Transfer Protocol
(FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and cert
ificate revocation lists (CRLs) from PKI repositories. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2585"/>
<seriesInfo name="DOI" value="10.17487/RFC2585"/>
</reference>
<reference anchor="RFC4210">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate Manageme
nt Protocol (CMP)</title>
<author fullname="C. Adams" initials="C." surname="Adams"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"/>
<author fullname="T. Kause" initials="T." surname="Kause"/>
<author fullname="T. Mononen" initials="T." surname="Mononen"/>
<date month="September" year="2005"/>
<abstract>
<t>This document describes the Internet X.509 Public Key Infrastru
cture (PKI) Certificate Management Protocol (CMP). Protocol messages are defined
for X.509v3 certificate creation and management. CMP provides on-line interacti
ons between PKI components, including an exchange between a Certification Author
ity (CA) and a client system. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4210"/>
<seriesInfo name="DOI" value="10.17487/RFC4210"/>
</reference>
<reference anchor="RFC4212">
<front>
<title>Alternative Certificate Formats for the Public-Key Infrastruc
ture Using X.509 (PKIX) Certificate Management Protocols</title>
<author fullname="M. Blinov" initials="M." surname="Blinov"/>
<author fullname="C. Adams" initials="C." surname="Adams"/>
<date month="October" year="2005"/>
<abstract>
<t>The Public-Key Infrastructure using X.509 (PKIX) Working Group
of the Internet Engineering Task Force (IETF) has defined a number of certificat
e management protocols. These protocols are primarily focused on X.509v3 public-
key certificates. However, it is sometimes desirable to manage certificates in a
lternative formats as well. This document specifies how such certificates may be
requested using the Certificate Request Message Format (CRMF) syntax that is us
ed by several different protocols. It also explains how alternative certificate
formats may be incorporated into such popular protocols as PKIX Certificate Mana
gement Protocol (PKIX-CMP) and Certificate Management Messages over CMS (CMC). T
his memo provides information for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4212"/>
<seriesInfo name="DOI" value="10.17487/RFC4212"/>
</reference>
<reference anchor="RFC4303">
<front>
<title>IP Encapsulating Security Payload (ESP)</title>
<author fullname="S. Kent" initials="S." surname="Kent"/>
<date month="December" year="2005"/>
<abstract>
<t>This document describes an updated version of the Encapsulating
Security Payload (ESP) protocol, which is designed to provide a mix of security
services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin
authentication, connectionless integrity, an anti-replay service (a form of part
ial sequence integrity), and limited traffic flow confidentiality. This document
obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4303"/>
<seriesInfo name="DOI" value="10.17487/RFC4303"/>
</reference>
<reference anchor="RFC4511">
<front>
<title>Lightweight Directory Access Protocol (LDAP): The Protocol</t
itle>
<author fullname="J. Sermersheim" initials="J." role="editor" surnam
e="Sermersheim"/>
<date month="June" year="2006"/>
<abstract>
<t>This document describes the protocol elements, along with their
semantics and encodings, of the Lightweight Directory Access Protocol (LDAP). L
DAP provides access to distributed directory services that act in accordance wit
h X.500 data and service models. These protocol elements are based on those desc
ribed in the X.500 Directory Access Protocol (DAP). [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4511"/>
<seriesInfo name="DOI" value="10.17487/RFC4511"/>
</reference>
<reference anchor="RFC5912">
<front>
<title>New ASN.1 Modules for the Public Key Infrastructure Using X.5
09 (PKIX)</title>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="June" year="2010"/>
<abstract>
<t>The Public Key Infrastructure using X.509 (PKIX) certificate fo
rmat, and many associated formats, are expressed using ASN.1. The current ASN.1
modules conform to the 1988 version of ASN.1. This document updates those ASN.1
modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire c
hanges to any of the formats; this is simply a change to the syntax. This docume
nt is not an Internet Standards Track specification; it is published for informa
tional purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5912"/>
<seriesInfo name="DOI" value="10.17487/RFC5912"/>
</reference>
<reference anchor="RFC6268">
<front>
<title>Additional New ASN.1 Modules for the Cryptographic Message Sy
ntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="July" year="2011"/>
<abstract>
<t>The Cryptographic Message Syntax (CMS) format, and many associa
ted formats, are expressed using ASN.1. The current ASN.1 modules conform to the
1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to co
nform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative
version. There are no bits- on-the-wire changes to any of the formats; this is s
imply a change to the syntax. This document is not an Internet Standards Track s
pecification; it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6268"/>
<seriesInfo name="DOI" value="10.17487/RFC6268"/>
</reference>
<reference anchor="RFC6712">
<front>
<title>Internet X.509 Public Key Infrastructure -- HTTP Transfer for
the Certificate Management Protocol (CMP)</title>
<author fullname="T. Kause" initials="T." surname="Kause"/>
<author fullname="M. Peylo" initials="M." surname="Peylo"/>
<date month="September" year="2012"/>
<abstract>
<t>This document describes how to layer the Certificate Management
Protocol (CMP) over HTTP. It is the "CMPtrans" document referenced in RFC 4210;
therefore, this document updates the reference given therein. [STANDARDS-TRACK]
</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6712"/>
<seriesInfo name="DOI" value="10.17487/RFC6712"/>
</reference>
<reference anchor="RFC7296">
<front>
<title>Internet Key Exchange Protocol Version 2 (IKEv2)</title>
<author fullname="C. Kaufman" initials="C." surname="Kaufman"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<author fullname="Y. Nir" initials="Y." surname="Nir"/>
<author fullname="P. Eronen" initials="P." surname="Eronen"/>
<author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
<date month="October" year="2014"/>
<abstract>
<t>This document describes version 2 of the Internet Key Exchange
(IKE) protocol. IKE is a component of IPsec used for performing mutual authentic
ation and establishing and maintaining Security Associations (SAs). This documen
t obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 t
o be an Internet Standard.</t>
</abstract>
</front>
<seriesInfo name="STD" value="79"/>
<seriesInfo name="RFC" value="7296"/>
<seriesInfo name="DOI" value="10.17487/RFC7296"/>
</reference>
<reference anchor="RFC7299">
<front>
<title>Object Identifier Registry for the PKIX Working Group</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="July" year="2014"/>
<abstract>
<t>When the Public-Key Infrastructure using X.509 (PKIX) Working G
roup was chartered, an object identifier arc was allocated by IANA for use by th
at working group. This document describes the object identifiers that were assig
ned in that arc, returns control of that arc to IANA, and establishes IANA alloc
ation policies for any future assignments within that arc.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7299"/>
<seriesInfo name="DOI" value="10.17487/RFC7299"/>
</reference>
<reference anchor="RFC8446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over t
he Internet in a way that is designed to prevent eavesdropping, tampering, and m
essage forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im
plementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC8572">
<front>
<title>Secure Zero Touch Provisioning (SZTP)</title>
<author fullname="K. Watsen" initials="K." surname="Watsen"/>
<author fullname="I. Farrer" initials="I." surname="Farrer"/>
<author fullname="M. Abrahamsson" initials="M." surname="Abrahamsson
"/>
<date month="April" year="2019"/>
<abstract>
<t>This document presents a technique to securely provision a netw
orking device when it is booting in a factory-default state. Variations in the s
olution enable it to be used on both public and private networks. The provisioni
ng steps are able to update the boot image, commit an initial configuration, and
execute arbitrary scripts to address auxiliary needs. The updated device is sub
sequently able to establish secure connections with other systems. For instance,
a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connection
s with deployment-specific network management systems.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8572"/>
<seriesInfo name="DOI" value="10.17487/RFC8572"/>
</reference>
<reference anchor="RFC8649">
<front>
<title>Hash Of Root Key Certificate Extension</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="August" year="2019"/>
<abstract>
<t>This document specifies the Hash Of Root Key certificate extens
ion. This certificate extension is carried in the self-signed certificate for a
trust anchor, which is often called a Root Certification Authority (CA) certific
ate. This certificate extension unambiguously identifies the next public key tha
t will be used at some point in the future as the next Root CA certificate, even
tually replacing the current one.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8649"/>
<seriesInfo name="DOI" value="10.17487/RFC8649"/>
</reference>
<reference anchor="RFC8995">
<front>
<title>Bootstrapping Remote Secure Key Infrastructure (BRSKI)</title
>
<author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
<author fullname="M. Richardson" initials="M." surname="Richardson"/
>
<author fullname="T. Eckert" initials="T." surname="Eckert"/>
<author fullname="M. Behringer" initials="M." surname="Behringer"/>
<author fullname="K. Watsen" initials="K." surname="Watsen"/>
<date month="May" year="2021"/>
<abstract>
<t>This document specifies automated bootstrapping of an Autonomic
Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is
done using manufacturer-installed X.509 certificates, in combination with a man
ufacturer's authorizing service, both online and offline. We call this process t
he Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrappin
g a new device can occur when using a routable address and a cloud service, only
link-local connectivity, or limited/disconnected networks. Support for deployme
nt models with less stringent security requirements is included. Bootstrapping i
s complete when the cryptographic identity of the new key infrastructure is succ
essfully deployed to the device. The established secure connection can be used t
o deploy a locally issued certificate to the device as well.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8995"/>
<seriesInfo name="DOI" value="10.17487/RFC8995"/>
</reference>
<reference anchor="RFC9147">
<front>
<title>The Datagram Transport Layer Security (DTLS) Protocol Version
1.3</title>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/
>
<author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
<date month="April" year="2022"/>
<abstract>
<t>This document specifies version 1.3 of the Datagram Transport L
ayer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to com
municate over the Internet in a way that is designed to prevent eavesdropping, t
ampering, and message forgery.</t>
<t>The DTLS 1.3 protocol is based on the Transport Layer Security
(TLS) 1.3 protocol and provides equivalent security guarantees with the exceptio
n of order protection / non-replayability. Datagram semantics of the underlying
transport are preserved by the DTLS protocol.</t>
<t>This document obsoletes RFC 6347.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9147"/>
<seriesInfo name="DOI" value="10.17487/RFC9147"/>
</reference>
<reference anchor="RFC9162">
<front>
<title>Certificate Transparency Version 2.0</title>
<author fullname="B. Laurie" initials="B." surname="Laurie"/>
<author fullname="E. Messeri" initials="E." surname="Messeri"/>
<author fullname="R. Stradling" initials="R." surname="Stradling"/>
<date month="December" year="2021"/>
<abstract>
<t>This document describes version 2.0 of the Certificate Transpar
ency (CT) protocol for publicly logging the existence of Transport Layer Securit
y (TLS) server certificates as they are issued or observed, in a manner that all
ows anyone to audit certification authority (CA) activity and notice the issuanc
e of suspect certificates as well as to audit the certificate logs themselves. T
he intent is that eventually clients would refuse to honor certificates that do
not appear in a log, effectively forcing CAs to add all issued certificates to t
he logs.</t>
<t>This document obsoletes RFC 6962. It also specifies a new TLS e
xtension that is used to send various CT log artifacts.</t>
<t>Logs are network services that implement the protocol operation
s for submissions and queries that are defined in this document.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9162"/>
<seriesInfo name="DOI" value="10.17487/RFC9162"/>
</reference>
<reference anchor="I-D.ietf-anima-brski-ae">
<front>
<title>BRSKI-AE: Alternative Enrollment Protocols in BRSKI</title>
<author fullname="David von Oheimb" initials="D." surname="von Oheim
b">
<organization>Siemens AG</organization>
</author>
<author fullname="Steffen Fries" initials="S." surname="Fries">
<organization>Siemens AG</organization>
</author>
<author fullname="Hendrik Brockhaus" initials="H." surname="Brockhau
s">
<organization>Siemens AG</organization>
</author>
<date day="17" month="September" year="2024"/>
<abstract>
<t> This document defines enhancements to the Bootstrapping Remo
te Secure
Key Infrastructure (BRSKI) protocol, known as BRSKI-AE (Alternative
Enrollment).
BRSKI-AE extends BRSKI to support certificate enrollment mechanisms
instead of the originally specified use of EST. It supports
certificate enrollment protocols, such as CMP, that use authenticated
self-contained signed objects for certification messages, allowing
for flexibility in network device onboarding scenarios.
The enhancements address use cases where the existing enrollment
mechanism may not be feasible or optimal, providing a framework for
integrating suitable alternative enrollment protocols.
This document also updates the BRSKI reference architecture to
accommodate these alternative methods, ensuring secure and scalable
deployment across a range of network environments.
</t> <!-- [I-D.ietf-lamps-rfc6712bis] I-->
</abstract> <reference anchor="RFC9811" target="https://www.rfc-editor.org/info/rfc9811">
</front> <front>
<seriesInfo name="Internet-Draft" value="draft-ietf-anima-brski-ae-13" <title>
/> Internet X.509 Public Key Infrastructure -- HTTP Transfer for the Certificate Ma
</reference> nagement Protocol (CMP)
<reference anchor="I-D.ietf-lamps-kyber-certificates"> </title>
<front> <author fullname="Hendrik Brockhaus" initials="H." surname="Brockhaus">
<title>Internet X.509 Public Key Infrastructure - Algorithm Identifi <organization>Siemens</organization>
ers for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)</title> </author>
<author fullname="Sean Turner" initials="S." surname="Turner"> <author fullname="David von Oheimb" initials="D." surname="von Oheimb">
<organization>sn3rd</organization> <organization>Siemens</organization>
</author> </author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
s"> <organization>Entrust</organization>
<organization>AWS</organization> </author>
</author> <author fullname="John Gray" initials="J." surname="Gray">
<author fullname="Jake Massimo" initials="J." surname="Massimo"> <organization>Entrust</organization>
<organization>AWS</organization> </author>
</author> <date month="June" year="2025"/>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan" </front>
> <seriesInfo name="RFC" value="9811"/>
<organization>Cloudflare</organization> </reference>
</author> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1
<date day="7" month="January" year="2025"/> 847.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
<t> The Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM 510.xml"/>
) is a <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
quantum-resistant key-encapsulation mechanism (KEM). This document 585.xml"/>
describes the conventions for using the ML-KEM in X.509 Public Key <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
Infrastructure. The conventions for the subject public keys and 210.xml"/>
private keys are also described. <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
212.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
303.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
511.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
912.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
268.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
712.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
296.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
299.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
446.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
572.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
649.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
995.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
147.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
162.xml"/>
<!-- [I-D.ietf-anima-brski-ae] Published as RFC 9733 on 03/03/25 -->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
733.xml"/>
<!-- [I-D.ietf-lamps-kyber-certificates] IESG State: I-D Exists as of 02/28/25 -
->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-lamps-kyber-certificates.xml"/>
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-kyber-certif
icates-07"/>
</reference>
<reference anchor="NIST.SP.800_90Ar1" target="https://nvlpubs.nist.gov/n istpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf"> <reference anchor="NIST.SP.800_90Ar1" target="https://nvlpubs.nist.gov/n istpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf">
<front> <front>
<title>Recommendation for Random Number Generation Using Determinist ic Random Bit Generators</title> <title>Recommendation for Random Number Generation Using Determinist ic Random Bit Generators</title>
<author fullname="Elaine B. Barker" surname="Barker"> <author fullname="Elaine B. Barker" surname="Barker">
<organization>Information Technology Laboratory</organization> <organization>Information Technology Laboratory</organization>
</author> </author>
<author fullname="John M. Kelsey" surname="Kelsey"> <author fullname="John M. Kelsey" surname="Kelsey">
<organization>Information Technology Laboratory</organization> <organization>Information Technology Laboratory</organization>
</author> </author>
<author>
<organization abbrev="NIST">National Institute of Standards and Te
chnology</organization>
<address>
<postal>
<country>US</country>
<city>Gaithersburg</city>
</postal>
</address>
</author>
<date month="June" year="2015"/> <date month="June" year="2015"/>
</front> </front>
<seriesInfo name="NIST Special Publications (General)" value="800-90Ar 1"/> <seriesInfo name="NIST SP" value="800-90Ar1"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-90Ar1"/> <seriesInfo name="DOI" value="10.6028/NIST.SP.800-90Ar1"/>
</reference> </reference>
<reference anchor="IEEE.802.1AR-2018"> <reference anchor="IEEE.802.1AR-2018">
<front> <front>
<title>IEEE Standard for Local and Metropolitan Area Networks - Secu re Device Identity</title> <title>IEEE Standard for Local and Metropolitan Area Networks - Secu re Device Identity</title>
<author> <author>
<organization/> <organization>IEEE</organization>
</author> </author>
<date month="July" year="2018"/> <date month="August" year="2018"/>
</front> </front>
<seriesInfo name="IEEE Std" value="802.1AR-2018"/>
<seriesInfo name="DOI" value="10.1109/ieeestd.2018.8423794"/> <seriesInfo name="DOI" value="10.1109/ieeestd.2018.8423794"/>
<seriesInfo name="ISBN" value="[&quot;9781504450195&quot;]"/>
<refcontent>IEEE</refcontent>
</reference> </reference>
<reference anchor="CVE-2008-0166" target="https://nvd.nist.gov/vuln/deta il/CVE-2008-0166"> <reference anchor="CVE-2008-0166" target="https://nvd.nist.gov/vuln/deta il/CVE-2008-0166">
<front> <front>
<title>National Vulnerability Database - CVE-2008-0166</title> <title>National Vulnerability Database - CVE-2008-0166</title>
<author> <author>
<organization>National Institute of Science and Technology (NIST)< /organization> <organization>National Institute of Science and Technology (NIST)< /organization>
</author> </author>
<date year="2008" month="May"/> <date year="2008" month="May"/>
</front> </front>
</reference> </reference>
<reference anchor="MiningPsQs" target="https://www.usenix.org/conference /usenixsecurity12/technical-sessions/presentation/heninger"> <reference anchor="MiningPsQs" target="https://www.usenix.org/conference /usenixsecurity12/technical-sessions/presentation/heninger">
<front> <front>
<title>Mining Your Ps and Qs: Detection of Widespread Weak Keys in N etwork Devices</title> <title>Mining Your Ps and Qs: Detection of Widespread Weak Keys in N etwork Devices</title>
<author>
<organization>Security'12: Proceedings of the 21st USENIX conferen
ce on Security symposium</organization>
</author>
<author initials="N." surname="Heninger" fullname="Nadia Heninger"> <author initials="N." surname="Heninger" fullname="Nadia Heninger">
<organization>UC San Diego</organization> <organization>UC San Diego</organization>
</author> </author>
<author initials="Z." surname="Durumeric" fullname="Zakir Durumeric" > <author initials="Z." surname="Durumeric" fullname="Zakir Durumeric" >
<organization>University of Michigan</organization> <organization>University of Michigan</organization>
</author> </author>
<author initials="E." surname="Wustrow" fullname="Eric Wustrow"> <author initials="E." surname="Wustrow" fullname="Eric Wustrow">
<organization>University of Michigan</organization> <organization>University of Michigan</organization>
</author> </author>
<author initials="J. A." surname="Halderman" fullname="J. Alex Halde rman"> <author initials="J. A." surname="Halderman" fullname="J. Alex Halde rman">
<organization>University of Michigan</organization> <organization>University of Michigan</organization>
</author> </author>
<date year="2012" month="August"/> <date year="2012" month="August"/>
</front> </front>
<refcontent>21st USENIX Security Symposium (USENIX Security 12)</refco ntent>
</reference> </reference>
<reference anchor="X509.2019" target="https://handle.itu.int/11.1002/100 0/14033"> <reference anchor="X509.2019" target="https://handle.itu.int/11.1002/100 0/14033">
<front> <front>
<title>Information technology - Open Systems Interconnection - The D irectory: Public-key and attribute certificate frameworks</title> <title>Information technology - Open Systems Interconnection - The D irectory: Public-key and attribute certificate frameworks</title>
<author> <author>
<organization>International Telecommunications Union (ITU)</organi zation> <organization>ITU-T</organization>
</author> </author>
<date year="2019" month="October" day="14"/> <date year="2019" month="October"/>
</front> </front>
<seriesInfo name="ITU" value="Recommendation X.509 (10/2019)"/> <seriesInfo name="ITU-T Recommendation" value="X.509 (10/2019)"/>
</reference> </reference>
<reference anchor="ISO.20543-2019">
<reference anchor="ISO.20543-2019" target="https://www.iso.org/standard/
68296.html">
<front> <front>
<title>Information technology -- Security techniques -- Test and ana lysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408</ title> <title>Information technology -- Security techniques -- Test and ana lysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408</ title>
<author> <author>
<organization>International Organization for Standardization (ISO) </organization> <organization>ISO/IEC</organization>
</author> </author>
<date year="2019" month="October"/> <date year="2019" month="October"/>
</front> </front>
<seriesInfo name="ISO" value="Draft Standard 20543-2019"/> <seriesInfo name="ISO/IEC" value="20543:2019"/>
</reference> </reference>
<reference anchor="AIS31" target="https://www.bsi.bund.de/SharedDocs/Dow nloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_Functionality_classes_for_r andom_number_generators_e.pdf"> <reference anchor="AIS31" target="https://www.bsi.bund.de/SharedDocs/Dow nloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_Functionality_classes_for_r andom_number_generators_e.pdf">
<front> <front>
<title>A proposal for: Functionality classes for random number gener <title>A proposal for: Functionality classes for random number gener
ators, version 2.0</title> ators - Version 2.0</title>
<author>
<organization>Federal Office for Information Security (BSI)</organ
ization>
</author>
<author initials="W." surname="Killmann" fullname="Wolfgang Killmann "> <author initials="W." surname="Killmann" fullname="Wolfgang Killmann ">
<organization>T-Systems GEI GmbH</organization> <organization>T-Systems GEI GmbH</organization>
</author> </author>
<author initials="W." surname="Schindler" fullname="Werner Schindler "> <author initials="W." surname="Schindler" fullname="Werner Schindler ">
<organization>Federal Office for Information Security (BSI)</organ ization> <organization>Federal Office for Information Security (BSI)</organ ization>
</author> </author>
<date year="2011" month="September"/> <date year="2011" month="September"/>
</front> </front>
<refcontent>Federal Office for Information Security (BSI)</refcontent>
</reference> </reference>
<reference anchor="Gueneysu" target="https://eprint.iacr.org/2022/703"> <reference anchor="Gueneysu" target="https://eprint.iacr.org/2022/703">
<front> <front>
<title>Proof-of-possession for KEM certificates using verifiable gen eration</title> <title>Proof-of-possession for KEM certificates using verifiable gen eration</title>
<author initials="T." surname="Gueneysu" fullname="Tim Gueneysu"> <author initials="T." surname="Gueneysu" fullname="Tim Gueneysu">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Hodges" fullname="Philip Hodges"> <author initials="P." surname="Hodges" fullname="Philip Hodges">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Land" fullname="Georg Land"> <author initials="G." surname="Land" fullname="Georg Land">
skipping to change at line 5101 skipping to change at line 4670
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Stebila" fullname="Douglas Stebila"> <author initials="D." surname="Stebila" fullname="Douglas Stebila">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Zaverucha" fullname="Greg Zaverucha"> <author initials="G." surname="Zaverucha" fullname="Greg Zaverucha">
<organization/> <organization/>
</author> </author>
<date year="2022"/> <date year="2022"/>
</front> </front>
<seriesInfo name="Cryptology ePrint Archive" value=""/> <refcontent>Cryptology ePrint Archive, Paper 2022/703</refcontent>
</reference> </reference>
<reference anchor="Fujisaki"> <reference anchor="Fujisaki">
<front> <front>
<title>Secure Integration of Asymmetric and Symmetric Encryption Sch emes</title> <title>Secure Integration of Asymmetric and Symmetric Encryption Sch emes</title>
<author fullname="Eiichiro Fujisaki" initials="E." surname="Fujisaki "> <author fullname="Eiichiro Fujisaki" initials="E." surname="Fujisaki ">
<organization/> <organization/>
</author> </author>
<author fullname="Tatsuaki Okamoto" initials="T." surname="Okamoto"> <author fullname="Tatsuaki Okamoto" initials="T." surname="Okamoto">
<organization/> <organization/>
</author> </author>
<date month="December" year="2011"/> <date month="December" year="2011"/>
</front> </front>
<seriesInfo name="Journal of Cryptology" value="vol. 26, no. 1, pp. 80 -101"/> <refcontent>Journal of Cryptology, vol. 26, no. 1, pp. 80-101</refcont ent>
<seriesInfo name="DOI" value="10.1007/s00145-011-9114-1"/> <seriesInfo name="DOI" value="10.1007/s00145-011-9114-1"/>
<refcontent>Springer Science and Business Media LLC</refcontent>
</reference> </reference>
<reference anchor="Hofheinz"> <reference anchor="Hofheinz">
<front> <front>
<title>A Modular Analysis of the Fujisaki-Okamoto Transformation</ti tle> <title>A Modular Analysis of the Fujisaki-Okamoto Transformation</ti tle>
<author fullname="Dennis Hofheinz" initials="D." surname="Hofheinz"> <author fullname="Dennis Hofheinz" initials="D." surname="Hofheinz">
<organization/> <organization/>
</author> </author>
<author fullname="Kathrin Hövelmanns" initials="K." surname="Hövelma nns"> <author fullname="Kathrin Hövelmanns" initials="K." surname="Hövelma nns">
<organization/> <organization/>
</author> </author>
<author fullname="Eike Kiltz" initials="E." surname="Kiltz"> <author fullname="Eike Kiltz" initials="E." surname="Kiltz">
<organization/> <organization/>
</author> </author>
<date year="2017"/> <date month="November" year="2017"/>
</front> </front>
<seriesInfo name="Lecture Notes in Computer Science" value="pp. 341-37 1"/> <refcontent>Theory of Cryptography (TCC 2017), Lecture Notes in Comput er Science, vol. 10677, pp. 341-371</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-319-70500-2_12"/> <seriesInfo name="DOI" value="10.1007/978-3-319-70500-2_12"/>
<seriesInfo name="ISBN" value="[&quot;9783319704999&quot;, &quot;97833
19705002&quot;]"/>
<refcontent>Springer International Publishing</refcontent>
</reference> </reference>
<reference anchor="ETSI-3GPP.33.310" target="http://www.3gpp.org/ftp/Spe cs/html-info/33310.htm"> <reference anchor="ETSI-3GPP.33.310" target="http://www.3gpp.org/ftp/Spe cs/html-info/33310.htm">
<front> <front>
<title>Network Domain Security (NDS); Authentication Framework (AF)< /title> <title>Network Domain Security (NDS); Authentication Framework (AF)< /title>
<author> <author>
<organization>3GPP</organization> <organization>3GPP</organization>
</author> </author>
<date year="2020" month="December"/> <date year="2020" month="December"/>
</front> </front>
<seriesInfo name="3GPP TS" value="33.310 16.6.0"/> <seriesInfo name="3GPP TS" value="33.310 16.6.0"/>
</reference> </reference>
skipping to change at line 5147 skipping to change at line 4716
<reference anchor="ETSI-3GPP.33.310" target="http://www.3gpp.org/ftp/Spe cs/html-info/33310.htm"> <reference anchor="ETSI-3GPP.33.310" target="http://www.3gpp.org/ftp/Spe cs/html-info/33310.htm">
<front> <front>
<title>Network Domain Security (NDS); Authentication Framework (AF)< /title> <title>Network Domain Security (NDS); Authentication Framework (AF)< /title>
<author> <author>
<organization>3GPP</organization> <organization>3GPP</organization>
</author> </author>
<date year="2020" month="December"/> <date year="2020" month="December"/>
</front> </front>
<seriesInfo name="3GPP TS" value="33.310 16.6.0"/> <seriesInfo name="3GPP TS" value="33.310 16.6.0"/>
</reference> </reference>
<reference anchor="UNISIG.Subset-137" target="https://www.era.europa.eu/ system/files/2023-01/sos3_index083_-_subset-137_v100.pdf"> <reference anchor="UNISIG.Subset-137" target="https://www.era.europa.eu/ system/files/2023-01/sos3_index083_-_subset-137_v100.pdf">
<front> <front>
<title>ERTMS/ETCS On-line Key Management FFFIS</title> <title>ERTMS/ETCS On-line Key Management FFFIS</title>
<author> <author>
<organization>UNISIG</organization> <organization>UNISIG</organization>
</author> </author>
<date year="2015" month="December"/> <date year="2015" month="December"/>
</front> </front>
<seriesInfo name="Subset-137, V1.0.0" value=""/> <refcontent>Subset-137, V1.0.0</refcontent>
</reference> </reference>
</references> </references>
</references> </references>
<?line 4061?> <?line 4061?>
<section anchor="sect-a"> <section anchor="sect-a">
<name>Reasons for the Presence of RAs</name> <name>Reasons for the Presence of RAs</name>
<t>The reasons that justify the presence of an RA can be split into <t>The reasons that justify the presence of an RA can be split into
those that are due to technical factors and those which are those that are due to technical factors and those that are
organizational in nature. Technical reasons include the following.</t> organizational in nature. Technical reasons include the following.</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>If hardware tokens are in use, then not all end entities will have <t>If hardware tokens are in use, then not all end entities will have
the equipment needed to initialize these; the RA equipment can the equipment needed to initialize these; the RA equipment can
include the necessary functionality (this may also be a matter of include the necessary functionality (this may also be a matter of
policy).</t> policy).</t>
</li> </li>
<li> <li>
<t>Some end entities may not have the capability to publish <t>Some end entities may not have the capability to publish
skipping to change at line 5202 skipping to change at line 4772
<li> <li>
<t>Establishing RAs within an organization can reduce the number of <t>Establishing RAs within an organization can reduce the number of
CAs required, which is sometimes desirable.</t> CAs required, which is sometimes desirable.</t>
</li> </li>
<li> <li>
<t>RAs may be better placed to identify people with their <t>RAs may be better placed to identify people with their
"electronic" names, especially if the CA is physically remote from "electronic" names, especially if the CA is physically remote from
the end entity.</t> the end entity.</t>
</li> </li>
<li> <li>
<t>For many applications, there will already be in place some <t>For many applications, there will already be some
administrative structure so that candidates for the role of RA are administrative structure in place so that candidates for the role of RA are
easy to find (which may not be true of the CA).</t> easy to find (which may not be true of the CA).</t>
</li> </li>
</ul> </ul>
<t>Further reasons relevant for automated machine-to-machine certificate l ifecycle <t>Further reasons relevant for automated machine-to-machine certificate l ifecycle
management are available in the Lightweight CMP Profile <xref target="RFC9483"/> .</t> management are available in the Lightweight CMP Profile <xref target="RFC9483"/> .</t>
</section> </section>
<section anchor="sect-b"> <section anchor="sect-b">
<name>The Use of Revocation Passphrase</name> <name>The Use of Revocation Passphrase</name>
<t>A revocation request must incorporate suitable security mechanisms, <t>A revocation request must incorporate suitable security mechanisms,
including proper authentication, in order to reduce the probability including proper authentication, in order to reduce the probability
of successful denial-of-service attacks. A digital signature or DH/KEM-based me ssage protection on the of successful denial-of-service attacks. A digital signature or DH/KEM-based me ssage protection on the
request -- <bcp14>REQUIRED</bcp14> to support within this specification dependin g on the key type used if request -- <bcp14>REQUIRED</bcp14> to support within this specification dependin g on the key type used if
revocation requests are supported -- can provide the authentication revocation requests are supported -- can provide the authentication
required, but there are circumstances under which an alternative required, but there are circumstances under which an alternative
mechanism may be desirable (e.g., when the private key is no longer mechanism may be desirable (e.g., when the private key is no longer
accessible and the entity wishes to request a revocation prior to accessible and the entity wishes to request a revocation prior to
re-certification of another key pair). In order to accommodate such re-certification of another key pair). In order to accommodate such
circumstances, a password-based MAC, see CMP Algorithms <xref target="RFC9481"/> circumstances, a password-based MAC (see <xref section="6.1" target="RFC9481">CM
Section P Algorithms</xref>) on the request is also <bcp14>REQUIRED</bcp14> to
6.1, on the request is also <bcp14>REQUIRED</bcp14> to
support within this specification (subject to local security policy support within this specification (subject to local security policy
for a given environment) if revocation requests are supported and if for a given environment) if revocation requests are supported and if
shared secret information can be established between the requester shared secret information can be established between the requester
and the responder prior to the need for revocation.</t> and the responder prior to the need for revocation.</t>
<t>A mechanism that has seen use in some environments is "revocation passp hrase", <t>A mechanism that has seen use in some environments is "revocation passp hrase",
in which a value of sufficient entropy (i.e., a in which a value of sufficient entropy (i.e., a
relatively long passphrase rather than a short password) is shared relatively long passphrase rather than a short password) is shared
between (only) the entity and the CA/RA at some point prior to between (only) the entity and the CA/RA at some point prior to
revocation; this value is later used to authenticate the revocation revocation; this value is later used to authenticate the revocation
request.</t> request.</t>
skipping to change at line 5246 skipping to change at line 4815
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>The OID and value specified in <xref target="sect-5.3.19.9"/> <bcp1 4>MAY</bcp14> be sent in a GenMsg message <t>The OID and value specified in <xref target="sect-5.3.19.9"/> <bcp1 4>MAY</bcp14> be sent in a GenMsg message
at any time or <bcp14>MAY</bcp14> be sent in the generalInfo at any time or <bcp14>MAY</bcp14> be sent in the generalInfo
field of the PKIHeader of any PKIMessage at any time. (In particular, the field of the PKIHeader of any PKIMessage at any time. (In particular, the
EncryptedKey structure as described in <xref target="sect-5.2.2"/> may be sent i n the header EncryptedKey structure as described in <xref target="sect-5.2.2"/> may be sent i n the header
of the certConf message that confirms acceptance of the certConf message that confirms acceptance
of certificates requested in an initialization request or certificate request of certificates requested in an initialization request or certificate request
message.) This conveys a revocation passphrase chosen by the entity to the message.) This conveys a revocation passphrase chosen by the entity to the
relevant CA/RA. When EnvelopedData is used, this is in the decrypted bytes relevant CA/RA. When EnvelopedData is used, this is in the decrypted bytes
of encryptedContent field. When EncryptedValue is used, this is in the decrypted of the encryptedContent field. When EncryptedValue is used, this is in the decry pted
bytes of the encValue field. Furthermore, the transfer is accomplished with bytes of the encValue field. Furthermore, the transfer is accomplished with
appropriate confidentiality characteristics.</t> appropriate confidentiality characteristics.</t>
</li> </li>
<li> <li>
<t>If a CA/RA receives the revocation passphrase (OID and value <t>If a CA/RA receives the revocation passphrase (OID and value
specified in <xref target="sect-5.3.19.9"/>) in a GenMsg, it <bcp14>MUST</bcp14> construct and specified in <xref target="sect-5.3.19.9"/>) in a GenMsg, it <bcp14>MUST</bcp14> construct and
send a GenRep message that includes the OID (with absent value) send a GenRep message that includes the OID (with absent value)
specified in <xref target="sect-5.3.19.9"/>. If the CA/RA receives the specified in <xref target="sect-5.3.19.9"/>. If the CA/RA receives the
revocation passphrase in the generalInfo field of a PKIHeader of revocation passphrase in the generalInfo field of a PKIHeader of
any PKIMessage, it <bcp14>MUST</bcp14> include the OID (with absent value) in th e any PKIMessage, it <bcp14>MUST</bcp14> include the OID (with absent value) in th e
skipping to change at line 5272 skipping to change at line 4841
</li> </li>
<li> <li>
<t>Either the localKeyId attribute of EnvelopedData as specified in <t>Either the localKeyId attribute of EnvelopedData as specified in
<xref target="RFC2985"/> or the valueHint field of EncryptedValue <bcp14>MAY</bc p14> <xref target="RFC2985"/> or the valueHint field of EncryptedValue <bcp14>MAY</bc p14>
contain a key identifier (chosen contain a key identifier (chosen
by the entity, along with the passphrase itself) to assist in later retrieval by the entity, along with the passphrase itself) to assist in later retrieval
of the correct passphrase (e.g., when the revocation request is constructed of the correct passphrase (e.g., when the revocation request is constructed
by the end entity and received by the CA/RA).</t> by the end entity and received by the CA/RA).</t>
</li> </li>
<li> <li>
<t>The revocation request message is protected by a password-based MAC <t>The revocation request message is protected by a password-based MAC
, see (see
CMP Algorithms <xref target="RFC9481"/> Section 6.1, <xref section="6.1" target="RFC9481">"CMP Algorithms"</xref>)
with the revocation passphrase as the key. If appropriate, the with the revocation passphrase as the key. If appropriate, the
senderKID field in the PKIHeader <bcp14>MAY</bcp14> contain the value previously senderKID field in the PKIHeader <bcp14>MAY</bcp14> contain the value previously
transmitted in localKeyId or valueHint.</t> transmitted in localKeyId or valueHint.</t>
</li> </li>
</ul> </ul>
<t>Note: For a message transferring a revocation passphrase indicating cmp 2021(3) in the pvno field of the PKIHeader, the encrypted passphrase <bcp14>MUST </bcp14> be transferred in the envelopedData choice of EncryptedKey as defined i n Section 5.2.2. When using cmp2000(2) in the message header for backward compa tibility, the encryptedValue is used. This allows the necessary conveyance and p rotection of the passphrase while maintaining bits-on-the-wire compatibility wit h <xref target="RFC4210"/>. The encryaptedValue choice has been deprecated in fa vor of encryptedData.</t> <t>Note: For a message transferring a revocation passphrase indicating cmp 2021(3) in the pvno field of the PKIHeader, the encrypted passphrase <bcp14>MUST </bcp14> be transferred in the envelopedData choice of EncryptedKey as defined i n <xref target="sect-5.2.2"/>. When using cmp2000(2) in the message header for backward compatibility, the encryptedValue is used. This allows the necessary co nveyance and protection of the passphrase while maintaining bits-on-the-wire com patibility with <xref target="RFC4210"/>. The encryptedValue choice has been dep recated in favor of encryptedData.</t>
<t>Using the technique specified above, the revocation passphrase may be <t>Using the technique specified above, the revocation passphrase may be
initially established and updated at any time without requiring extra initially established and updated at any time without requiring extra
messages or out-of-band exchanges. For example, the revocation messages or out-of-band exchanges. For example, the revocation
request message itself (protected and authenticated through a MAC request message itself (protected and authenticated through a MAC
that uses the revocation passphrase as a key) may contain, in the that uses the revocation passphrase as a key) may contain, in the
PKIHeader, a new revocation passphrase to be used for authenticating PKIHeader, a new revocation passphrase to be used for authenticating
future revocation requests for any of the entity's other future revocation requests for any of the entity's other
certificates. In some environments this may be preferable to certificates. In some environments, this may be preferable to
mechanisms that reveal the passphrase in the revocation request mechanisms that reveal the passphrase in the revocation request
message, since this can allow a denial-of-service attack in which the message, since this can allow a denial-of-service attack in which the
revealed passphrase is used by an unauthorized third party to revealed passphrase is used by an unauthorized third party to
authenticate revocation requests on the entity's other certificates. authenticate revocation requests on the entity's other certificates.
However, because the passphrase is not revealed in the request However, because the passphrase is not revealed in the request
message, there is no requirement that the passphrase must always be message, there is no requirement that the passphrase must always be
updated when a revocation request is made (that is, the same updated when a revocation request is made (that is, the same
passphrase <bcp14>MAY</bcp14> be used by an entity to authenticate revocation passphrase <bcp14>MAY</bcp14> be used by an entity to authenticate revocation
requests for different certificates at different times).</t> requests for different certificates at different times).</t>
<t>Furthermore, the above technique can provide strong cryptographic <t>Furthermore, the above technique can provide strong cryptographic
protection over the entire revocation request message even when a protection over the entire revocation request message even when a
digital signature is not used. Techniques that do authentication of digital signature is not used. Techniques that do authentication of
the revocation request by simply revealing the revocation passphrase the revocation request by simply revealing the revocation passphrase
typically do not provide cryptographic protection over the fields of typically do not provide cryptographic protection over the fields of
the request message (so that a request for revocation of one the request message (so that a request for revocation of one
certificate may be modified by an unauthorized third party to a certificate may be modified by an unauthorized third party to a
request for revocation of another certificate for that entity).</t> request for revocation of another certificate for that entity).</t>
</section> </section>
<section anchor="sect-c"> <section anchor="sect-c">
<name>PKI Management Message Profiles (REQUIRED)</name> <name>PKI Management Message Profiles (<bcp14>REQUIRED</bcp14>)</name>
<t>This appendix contains detailed profiles for those PKIMessages that <t>This appendix contains detailed profiles for those PKIMessages that
<bcp14>MUST</bcp14> be supported by conforming implementations (see <xref target ="sect-6"/>).</t> <bcp14>MUST</bcp14> be supported by conforming implementations (see <xref target ="sect-6"/>).</t>
<t>Note: <xref target="sect-c"/> and <xref format="counter" target="sect-d "/> focus on PKI management operations <t>Note: Appendices <xref target="sect-c" format="counter"/> and <xref for mat="counter" target="sect-d"/> focus on PKI management operations
managing certificates for human end entities. managing certificates for human end entities.
In contrast, the Lightweight CMP Profile <xref target="RFC9483"/> focuses on typ ical use In contrast, the Lightweight CMP Profile <xref target="RFC9483"/> focuses on typ ical use
cases of industrial and IoT scenarios supporting highly automated certificate cases of industrial and IoT scenarios supporting highly automated certificate
lifecycle management scenarios.</t> lifecycle management scenarios.</t>
<t>Profiles for the PKIMessages used in the following PKI management <t>Profiles for the PKIMessages used in the following PKI management
operations are provided:</t> operations are provided:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>initial registration/certification</t> <t>initial registration/certification</t>
</li> </li>
skipping to change at line 5377 skipping to change at line 4946
names these using a "dot" notation (e.g., "certTemplate.subject" names these using a "dot" notation (e.g., "certTemplate.subject"
means the subject field within a field called certTemplate).</t> means the subject field within a field called certTemplate).</t>
</li> </li>
<li> <li>
<t>Where a "SEQUENCE OF types" is part of a message, a zero-based <t>Where a "SEQUENCE OF types" is part of a message, a zero-based
array notation is used to describe fields within the SEQUENCE OF array notation is used to describe fields within the SEQUENCE OF
(e.g., crm[0].certReq.certTemplate.subject refers to a subfield (e.g., crm[0].certReq.certTemplate.subject refers to a subfield
of the first CertReqMsg contained in a request message).</t> of the first CertReqMsg contained in a request message).</t>
</li> </li>
<li> <li>
<t>All PKI message exchanges in <xref target="sect-c.4"/> to <xref f ormat="counter" target="sect-c.6"/> require a <t>All PKI message exchanges in Appendices <xref target="sect-c.4" f ormat="counter"/> to <xref format="counter" target="sect-c.6"/> require a
certConf message to be sent by the initiating entity and a certConf message to be sent by the initiating entity and a
PKIConfirm to be sent by the responding entity. The PKIConfirm PKIConfirm to be sent by the responding entity. The PKIConfirm
is not included in some of the profiles given since its body is is not included in some of the profiles given since its body is
NULL and its header contents are clear from the context. Any NULL and its header contents are clear from the context. Any
authenticated means can be used for the protectionAlg (e.g., authenticated means can be used for the protectionAlg (e.g.,
password-based MAC, if shared secret information is known, or password-based MAC, if shared secret information is known, or
signature).</t> signature).</t>
</li> </li>
</ol> </ol>
</section> </section>
<section anchor="sect-c.2"> <section anchor="sect-c.2">
<name>Algorithm Use Profile</name> <name>Algorithm Use Profile</name>
<t>For specifications of algorithm identifiers and respective convention s for <t>For specifications of algorithm identifiers and respective convention s for
conforming implementations, please refer to Section 7.1 of CMP Algorithms <xref target="RFC9481"/>.</t> conforming implementations, please refer to <xref section="7.1" target="RFC9481" >CMP Algorithms</xref>.</t>
</section> </section>
<section anchor="sect-c.3"> <section anchor="sect-c.3">
<name>Proof-of-Possession Profile</name> <name>Proof-of-Possession Profile</name>
<!--[rfced] The following text in Appendices C.3, D.3, and D.6 are not complete
sentences. Please review and let us know how these may be made into complete
sentences.
Original:
POP fields for use (in signature field of pop field of
ProofOfPossession structure) when proving possession of a private
signing key that corresponds to a public verification key for which a
certificate has been requested.
...
Profile of how a certificate structure may be "self-signed".
...
Creation of a single cross-certificate (i.e., not two at once).
Perhaps:
The table below describes the POP fields for use (in signature field of pop f
ield of
ProofOfPossession structure) when proving possession of a private
signing key that corresponds to a public verification key for which a
certificate has been requested.
...
The table below is a profile of how a certificate structure may be "self-sign
ed".
...
This section describes the creation of a single cross-certificate (i.e., not
two at once).
-->
<t>POP fields for use (in signature field of pop field of <t>POP fields for use (in signature field of pop field of
ProofOfPossession structure) when proving possession of a private ProofOfPossession structure) when proving possession of a private
signing key that corresponds to a public verification key for which a signing key that corresponds to a public verification key for which a
certificate has been requested.</t> certificate has been requested.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">Field</th> <th align="left">Field</th>
<th align="left">Value</th> <th align="left">Value</th>
<th align="left">Comment</th> <th align="left">Comment</th>
skipping to change at line 5420 skipping to change at line 5015
<td align="left">MSG_SIG_ALG</td> <td align="left">MSG_SIG_ALG</td>
<td align="left">only signature protection is allowed for this pro of</td> <td align="left">only signature protection is allowed for this pro of</td>
</tr> </tr>
<tr> <tr>
<td align="left">signature</td> <td align="left">signature</td>
<td align="left">present</td> <td align="left">present</td>
<td align="left">bits calculated using MSG_SIG_ALG</td> <td align="left">bits calculated using MSG_SIG_ALG</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Note: For examples of MSG_SIG_ALG OIDs see CMP Algorithms Section 3 < xref target="RFC9481"/>.</t> <t>Note: For examples of MSG_SIG_ALG OIDs, see <xref section="3" target= "RFC9481">CMP Algorithms</xref>.</t>
<t>Proof-of-possession of a private decryption key that corresponds to a <t>Proof-of-possession of a private decryption key that corresponds to a
public encryption key for which a certificate has been requested does public encryption key for which a certificate has been requested does
not use this profile; the CertHash field of the certConf message is not use this profile; the CertHash field of the certConf message is
used instead.</t> used instead.</t>
<t>Not every CA/RA will do Proof-of-Possession (of signing key, <t>Not every CA/RA will do Proof-of-Possession (of signing key,
decryption key, or key agreement key) in the PKIX-CMP in-band decryption key, or key agreement key) in the PKIX-CMP in-band
certification request protocol (how POP is done <bcp14>MAY</bcp14> ultimately be a certification request protocol (how POP is done <bcp14>MAY</bcp14> ultimately be a
policy issue that is made explicit for any given CA in its publicized policy issue that is made explicit for any given CA in its publicized
Policy OID and Certification Practice Statement). However, this Policy OID and Certification Practice Statement). However, this
specification mandates that CA/RA entities <bcp14>MUST</bcp14> do POP (by some specification mandates that CA/RA entities <bcp14>MUST</bcp14> do POP (by some
skipping to change at line 5443 skipping to change at line 5038
protocol <bcp14>MUST</bcp14> be supported).</t> protocol <bcp14>MUST</bcp14> be supported).</t>
</section> </section>
<section anchor="sect-c.4"> <section anchor="sect-c.4">
<name>Initial Registration/Certification (Basic Authenticated Scheme)</n ame> <name>Initial Registration/Certification (Basic Authenticated Scheme)</n ame>
<t>An (uninitialized) end entity requests a (first) certificate from a <t>An (uninitialized) end entity requests a (first) certificate from a
CA. When the CA responds with a message containing a certificate, CA. When the CA responds with a message containing a certificate,
the end entity replies with a certificate confirmation. The CA sends the end entity replies with a certificate confirmation. The CA sends
a PKIConfirm back, closing the transaction. All messages are a PKIConfirm back, closing the transaction. All messages are
authenticated.</t> authenticated.</t>
<t>This scheme allows the end entity to request certification of a <t>This scheme allows the end entity to request certification of a
locally-generated public key (typically a signature key). The end locally generated public key (typically a signature key). The end
entity <bcp14>MAY</bcp14> also choose to request the centralized generation and entity <bcp14>MAY</bcp14> also choose to request the centralized generation and
certification of another key pair (typically an encryption key pair).</t> certification of another key pair (typically an encryption key pair).</t>
<t>Certification may only be requested for one locally generated public <t>Certification may only be requested for one locally generated public
key (for more, use separate PKIMessages).</t> key (for more, use separate PKIMessages).</t>
<t>The end entity <bcp14>MUST</bcp14> support proof-of-possession of the private key <t>The end entity <bcp14>MUST</bcp14> support proof-of-possession of the private key
associated with the locally-generated public key.</t> associated with the locally generated public key.</t>
<t>Preconditions:</t> <t>Preconditions:</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>The end entity can authenticate the CA's signature based on <t>The end entity can authenticate the CA's signature based on
out-of-band means</t> out-of-band means.</t>
</li> </li>
<li> <li>
<t>The end entity and the CA share a symmetric MACing key</t> <t>The end entity and the CA share a symmetric MACing key.</t>
</li> </li>
</ol> </ol>
<t>Message flow:</t> <t>Message Flow:</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,48 L 552,48" fill="none" stroke="black"/> <path d="M 8,48 L 552,48" fill="none" stroke="black"/>
<path d="M 200,80 L 216,80" fill="none" stroke="black"/> <path d="M 200,80 L 216,80" fill="none" stroke="black"/>
<path d="M 312,80 L 328,80" fill="none" stroke="black"/> <path d="M 312,80 L 328,80" fill="none" stroke="black"/>
<path d="M 200,128 L 216,128" fill="none" stroke="black"/> <path d="M 200,128 L 216,128" fill="none" stroke="black"/>
<path d="M 312,128 L 328,128" fill="none" stroke="black"/> <path d="M 312,128 L 328,128" fill="none" stroke="black"/>
<path d="M 200,176 L 216,176" fill="none" stroke="black"/> <path d="M 200,176 L 216,176" fill="none" stroke="black"/>
<path d="M 312,176 L 328,176" fill="none" stroke="black"/> <path d="M 312,176 L 328,176" fill="none" stroke="black"/>
<path d="M 200,224 L 216,224" fill="none" stroke="black"/> <path d="M 200,224 L 216,224" fill="none" stroke="black"/>
skipping to change at line 5537 skipping to change at line 5132
6 handle ip 6 handle ip
7 format certConf 7 format certConf
8 --> certConf --> 8 --> certConf -->
9 handle certConf 9 handle certConf
10 format PKIConf 10 format PKIConf
11 <-- PKIConf <-- 11 <-- PKIConf <--
12 handle PKIConf 12 handle PKIConf
]]></artwork> ]]></artwork>
</artset> </artset>
<t>For this profile, we mandate that the end entity <bcp14>MUST</bcp14> include all <t>For this profile, we mandate that the end entity <bcp14>MUST</bcp14> include all
(i.e., one or two) CertReqMsg in a single PKIMessage, and that the (i.e., one or two) CertReqMsg in a single PKIMessage and that the
PKI (CA) <bcp14>MUST</bcp14> produce a single response PKIMessage that contains the PKI (CA) <bcp14>MUST</bcp14> produce a single response PKIMessage that contains the
complete response (i.e., including the <bcp14>OPTIONAL</bcp14> second key pair, if complete response (i.e., including the <bcp14>OPTIONAL</bcp14> second key pair, if
it was requested and if centralized key generation is supported). it was requested and if centralized key generation is supported).
For simplicity, we also mandate that this message <bcp14>MUST</bcp14> be the fin al For simplicity, we also mandate that this message <bcp14>MUST</bcp14> be the fin al
one (i.e., no use of "waiting" status value).</t> one (i.e., no use of "waiting" status value).</t>
<!--[rfced] As "OPTIONALLY" is not a key word in BCP14, may we update this
sentence to rephrase to use the key word "OPTIONAL"?
Original:
This transaction established the shared secret, the referenceNumber and
OPTIONALLY the distinguished name used for both sender and subject
name in the certificate template.
Perhaps:
This transaction established the shared secret, the referenceNumber, and
an OPTIONAL distinguished name used for both the sender and subject
name in the certificate template.
-->
<t>The end entity has an out-of-band interaction with the CA/RA. This <t>The end entity has an out-of-band interaction with the CA/RA. This
transaction established the shared secret, the referenceNumber and transaction established the shared secret, the referenceNumber and
OPTIONALLY the distinguished name used for both sender and subject OPTIONALLY the distinguished name used for both the sender and subject
name in the certificate template. See <xref target="sect-8.7"/> for security name in the certificate template. See <xref target="sect-8.7"/> for security
considerations on quality of shared secret information.</t> considerations on quality of shared secret information.</t>
<t>Initialization Request -- ir</t> <t>Initialization Request -- ir</t>
<artwork><![CDATA[ <artwork><![CDATA[
Field Value Field Value
recipient CA name recipient CA name
-- the name of the CA who is being asked to produce a certificate -- the name of the CA who is being asked to produce a certificate
protectionAlg MSG_MAC_ALG protectionAlg MSG_MAC_ALG
-- only MAC protection is allowed for this request, based -- only MAC protection is allowed for this request, based
-- on initial authentication key -- on initial authentication key
senderKID referenceNum senderKID referenceNum
-- the reference number which the CA has previously issued -- the reference number that the CA has previously issued
-- to the end entity (together with the MACing key) -- to the end entity (together with the MACing key)
transactionID present transactionID present
-- implementation-specific value, meaningful to end -- implementation-specific value, meaningful to end
-- entity. -- entity.
-- [If already in use at the CA, then a rejection message MUST -- [If already in use at the CA, then a rejection message MUST
-- be produced by the CA] -- be produced by the CA]
senderNonce present senderNonce present
-- 128 (pseudo-)random bits -- 128 (pseudo-)random bits
freeText any valid value freeText any valid value
body ir (CertReqMessages) body ir (CertReqMessages)
only one or two CertReqMsg only one or two CertReqMsg
are allowed are allowed
-- if more certificates are required, requests MUST be -- if more certificates are required, requests MUST be
-- packaged in separate PKIMessages -- packaged in separate PKIMessages
CertReqMsg one or two present CertReqMsg one or two present
-- see below for details, note: crm[0] means the first -- see below for details, note: crm[0] means the first
-- (which MUST be present), crm[1] means the second (which -- (which MUST be present), crm[1] means the second (which
-- is OPTIONAL, and used to ask for a centrally-generated key) -- is OPTIONAL, and used to ask for a centrally generated key)
crm[0].certReq. fixed value of zero crm[0].certReq. fixed value of zero
certReqId certReqId
-- this is the index of the template within the message -- this is the index of the template within the message
crm[0].certReq present crm[0].certReq present
certTemplate certTemplate
-- MUST include subject public key value, otherwise unconstrained -- MUST include subject public key value, otherwise unconstrained
crm[0].pop... optionally present if public key crm[0].pop... optionally present if public key
POPOSigningKey from crm[0].certReq.certTemplate is POPOSigningKey from crm[0].certReq.certTemplate is
a signing key a signing key
-- proof-of-possession MAY be required in this exchange -- proof-of-possession MAY be required in this exchange
-- (see Appendix D.3 for details) -- (see Appendix D.3 for details)
crm[0].certReq. optionally present crm[0].certReq. optionally present
controls.archiveOptions controls.archiveOptions
-- the end entity MAY request that the locally-generated -- the end entity MAY request that the locally generated
-- private key be archived -- private key be archived
crm[0].certReq. optionally present crm[0].certReq. optionally present
controls.publicationInfo controls.publicationInfo
-- the end entity MAY ask for publication of resulting cert. -- the end entity MAY ask for publication of resulting cert.
crm[1].certReq fixed value of one crm[1].certReq fixed value of one
certReqId certReqId
-- the index of the template within the message -- the index of the template within the message
crm[1].certReq present crm[1].certReq present
skipping to change at line 5720 skipping to change at line 5330
<artwork><![CDATA[ <artwork><![CDATA[
Field Value Field Value
sender present sender present
-- same as in ir -- same as in ir
recipient CA name recipient CA name
-- the name of the CA who was asked to produce a certificate -- the name of the CA who was asked to produce a certificate
transactionID present transactionID present
-- value from corresponding ir and ip messages -- value from corresponding ir and ip messages
senderNonce present senderNonce present
-- 128 (pseudo-) random bits -- 128 (pseudo-)random bits
recipNonce present recipNonce present
-- value from senderNonce in corresponding ip message -- value from senderNonce in corresponding ip message
protectionAlg MSG_MAC_ALG protectionAlg MSG_MAC_ALG
-- only MAC protection is allowed for this message. The -- only MAC protection is allowed for this message. The
-- MAC is based on the initial authentication key shared -- MAC is based on the initial authentication key shared
-- between the EE and the CA. -- between the EE and the CA.
senderKID referenceNum senderKID referenceNum
-- the reference number which the CA has previously issued -- the reference number that the CA has previously issued
-- to the end entity (together with the MACing key) -- to the end entity (together with the MACing key)
body certConf body certConf
-- see Section 5.3.18, "PKI Confirmation Content", for the -- see Section 5.3.18, "PKI Confirmation Content", for the
-- contents of the certConf fields. -- contents of the certConf fields.
-- Note: two CertStatus structures are required if both an -- Note: two CertStatus structures are required if both an
-- encryption and a signing certificate were sent. -- encryption and a signing certificate were sent.
protection present protection present
-- bits calculated using MSG_MAC_ALG -- bits calculated using MSG_MAC_ALG
skipping to change at line 5752 skipping to change at line 5362
<artwork><![CDATA[ <artwork><![CDATA[
Field Value Field Value
sender present sender present
-- same as in ip -- same as in ip
recipient present recipient present
-- sender name from certConf -- sender name from certConf
transactionID present transactionID present
-- value from certConf message -- value from certConf message
senderNonce present senderNonce present
-- 128 (pseudo-) random bits -- 128 (pseudo-)random bits
recipNonce present recipNonce present
-- value from senderNonce from certConf message -- value from senderNonce from certConf message
protectionAlg MSG_MAC_ALG protectionAlg MSG_MAC_ALG
-- only MAC protection is allowed for this message. -- only MAC protection is allowed for this message.
senderKID referenceNum senderKID referenceNum
body PKIConf body PKIConf
protection present protection present
-- bits calculated using MSG_MAC_ALG -- bits calculated using MSG_MAC_ALG
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="sect-c.5"> <section anchor="sect-c.5">
<name>Certificate Request</name> <name>Certificate Request</name>
<t>An (initialized) end entity requests a certificate from a CA (for any <t>An (initialized) end entity requests a certificate from a CA (for any
reason). When the CA responds with a message containing a reason). When the CA responds with a message containing a
certificate, the end entity replies with a certificate confirmation. certificate, the end entity replies with a certificate confirmation.
The CA replies with a PKIConfirm, to close the transaction. All The CA replies with a PKIConfirm to close the transaction. All
messages are authenticated.</t> messages are authenticated.</t>
<t>The profile for this exchange is identical to that given in <xref tar get="sect-c.4"/>, <t>The profile for this exchange is identical to that given in <xref tar get="sect-c.4"/>,
with the following exceptions:</t> with the following exceptions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>sender name <bcp14>SHOULD</bcp14> be present</t> <t>sender name <bcp14>SHOULD</bcp14> be present;</t>
</li> </li>
<li> <li>
<t>protectionAlg of MSG_SIG_ALG <bcp14>MUST</bcp14> be supported (MS G_MAC_ALG <bcp14>MAY</bcp14> <t>protectionAlg of MSG_SIG_ALG <bcp14>MUST</bcp14> be supported (MS G_MAC_ALG <bcp14>MAY</bcp14>
also be supported) in request, response, certConfirm, and also be supported) in request, response, certConfirm, and
PKIConfirm messages;</t> PKIConfirm messages;</t>
</li> </li>
<li> <li>
<t>senderKID and recipKID are only present if required for message <t>senderKID and recipKID are only present if required for message
verification;</t> verification;</t>
</li> </li>
<li> <li>
<t>body is cr or cp;</t> <t>body is cr or cp;</t>
</li> </li>
<li> <li>
<t>body may contain one or two CertReqMsg structures, but either <t>body may contain one or two CertReqMsg structures, but either
CertReqMsg may be used to request certification of a CertReqMsg may be used to request certification of a
locally-generated public key or a centrally-generated public key locally generated public key or a centrally generated public key
(i.e., the position-dependence requirement of <xref target="sect-c.4"/> is (i.e., the position-dependence requirement of <xref target="sect-c.4"/> is
removed);</t> removed); and</t>
</li> </li>
<li> <li>
<t>protection bits are calculated according to the protectionAlg <t>protection bits are calculated according to the protectionAlg
field.</t> field.</t>
</li> </li>
</ul> </ul>
</section> </section>
<section anchor="sect-c.6"> <section anchor="sect-c.6">
<name>Key Update Request</name> <name>Key Update Request</name>
<t>An (initialized) end entity requests a certificate from a CA (to <t>An (initialized) end entity requests a certificate from a CA (to
update the key pair and/or corresponding certificate that it already update the key pair and/or corresponding certificate that it already
possesses). When the CA responds with a message containing a possesses). When the CA responds with a message containing a
certificate, the end entity replies with a certificate confirmation. certificate, the end entity replies with a certificate confirmation.
The CA replies with a PKIConfirm, to close the transaction. All The CA replies with a PKIConfirm to close the transaction. All
messages are authenticated.</t> messages are authenticated.</t>
<t>The profile for this exchange is identical to that given in <xref tar get="sect-c.4"/>, <t>The profile for this exchange is identical to that given in <xref tar get="sect-c.4"/>,
with the following exceptions:</t> with the following exceptions:</t>
<!--[rfced] May we update the numbered listed in Appendix C.6 to be a
bulleted list? This would reflect the bulleted list in Appendix C.5.
Appendix C.5:
* sender name SHOULD be present
* protectionAlg of MSG_SIG_ALG MUST be supported (MSG_MAC_ALG MAY
also be supported) in request, response, certConfirm, and
PKIConfirm messages;
...
Appendix C.6:
1. sender name SHOULD be present
2. protectionAlg of MSG_SIG_ALG MUST be supported (MSG_MAC_ALG MAY
also be supported) in request, response, certConfirm, and
PKIConfirm messages;
...
-->
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>sender name <bcp14>SHOULD</bcp14> be present</t> <t>sender name <bcp14>SHOULD</bcp14> be present;</t>
</li> </li>
<li> <li>
<t>protectionAlg of MSG_SIG_ALG <bcp14>MUST</bcp14> be supported (MS G_MAC_ALG <bcp14>MAY</bcp14> <t>protectionAlg of MSG_SIG_ALG <bcp14>MUST</bcp14> be supported (MS G_MAC_ALG <bcp14>MAY</bcp14>
also be supported) in request, response, certConfirm, and also be supported) in request, response, certConfirm, and
PKIConfirm messages;</t> PKIConfirm messages;</t>
</li> </li>
<li> <li>
<t>senderKID and recipKID are only present if required for message <t>senderKID and recipKID are only present if required for message
verification;</t> verification;</t>
</li> </li>
<li> <li>
<t>body is kur or kup;</t> <t>body is kur or kup;</t>
</li> </li>
<li> <li>
<t>body may contain one or two CertReqMsg structures, but either <t>body may contain one or two CertReqMsg structures, but either
CertReqMsg may be used to request certification of a locally-generated CertReqMsg may be used to request certification of a locally generated
public key or a centrally-generated public key (i.e.,the public key or a centrally generated public key (i.e.,the
position-dependence requirement of <xref target="sect-c.4"/> is removed);</t> position-dependence requirement of <xref target="sect-c.4"/> is removed);</t>
</li> </li>
<li> <li>
<t>protection bits are calculated according to the protectionAlg <t>protection bits are calculated according to the protectionAlg
field;</t> field; and</t>
</li> </li>
<li> <li>
<t>regCtrl OldCertId <bcp14>SHOULD</bcp14> be used (unless it is cle ar to both <t>regCtrl OldCertId <bcp14>SHOULD</bcp14> be used (unless it is cle ar to both the
sender and receiver -- by means not specified in this document -- sender and receiver -- by means not specified in this document --
that it is not needed).</t> that it is not needed).</t>
</li> </li>
</ol> </ol>
</section> </section>
</section> </section>
<section anchor="sect-d"> <section anchor="sect-d">
<name>PKI Management Message Profiles (OPTIONAL)</name> <name>PKI Management Message Profiles (<bcp14>OPTIONAL</bcp14>)</name>
<t>This appendix contains detailed profiles for those PKIMessages that <t>This appendix contains detailed profiles for those PKIMessages that
<bcp14>MAY</bcp14> be supported by implementations.</t> <bcp14>MAY</bcp14> be supported by implementations.</t>
<t>Profiles for the PKIMessages used in the following PKI management <t>Profiles for the PKIMessages used in the following PKI management
operations are provided:</t> operations are provided:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>root CA key update</t> <t>root CA key update</t>
</li> </li>
<li> <li>
<t>information request/response</t> <t>information request/response</t>
</li> </li>
<li> <li>
<t>cross-certification request/response (1-way)</t> <t>cross-certification request/response (1-way)</t>
</li> </li>
<li> <li>
<t>in-band initialization using external identity certificate</t> <t>in-band initialization using external identity certificate</t>
</li> </li>
</ul> </ul>
<t>Later versions of this document may extend the above to include <t>Future versions of this document may extend the above to include
profiles for the operations listed below (along with other profiles for the operations listed below (along with other
operations, if desired).</t> operations, if desired).</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>revocation request</t> <t>revocation request</t>
</li> </li>
<li> <li>
<t>certificate publication</t> <t>certificate publication</t>
</li> </li>
<li> <li>
<t>CRL publication</t> <t>CRL publication</t>
</li> </li>
</ul> </ul>
<section anchor="sect-d.1"> <section anchor="sect-d.1">
<name>General Rules for Interpretation of These Profiles.</name> <name>General Rules for Interpretation of These Profiles</name>
<t>Identical to <xref target="sect-c.1"/>.</t> <t>Identical to <xref target="sect-c.1"/>.</t>
</section> </section>
<section anchor="sect-d.2"> <section anchor="sect-d.2">
<name>Algorithm Use Profile</name> <name>Algorithm Use Profile</name>
<t>Identical to <xref target="sect-c.2"/>.</t> <t>Identical to <xref target="sect-c.2"/>.</t>
</section> </section>
<section anchor="sect-d.3"> <section anchor="sect-d.3">
<name>Self-Signed Certificates</name> <name>Self-Signed Certificates</name>
<t>Profile of how a certificate structure may be "self-signed". These <t>Profile of how a certificate structure may be "self-signed". These
structures are used for distribution of new root CA public keys. This can structures are used for distribution of new root CA public keys. This can
skipping to change at line 5938 skipping to change at line 5569
<tr> <tr>
<th align="left">Field</th> <th align="left">Field</th>
<th align="left">Value</th> <th align="left">Value</th>
<th align="left">Comment</th> <th align="left">Comment</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">sender</td> <td align="left">sender</td>
<td align="left">CA name CA name</td> <td align="left">CA name CA name</td>
<td align="left"> </td> <td align="left"> </td>
</tr> </tr>
<tr> <tr>
<td align="left">body</td> <td align="left">body</td>
<td align="left">ckuann(RootCaKeyUpdateContent)</td> <td align="left">ckuann(RootCaKeyUpdateContent)</td>
<td align="left"> </td> <td align="left"> </td>
</tr> </tr>
<tr> <tr>
<td align="left">newWithNew</td> <td align="left">newWithNew</td>
<td align="left">optionally present</td> <td align="left">optionally present</td>
<td align="left">see <xref target="sect-d.3"/> above</td> <td align="left">see <xref target="sect-d.3"/> above</td>
</tr> </tr>
<tr> <tr>
<td align="left">newWithOld</td> <td align="left">newWithOld</td>
<td align="left">optionally present</td> <td align="left">optionally present</td>
<td align="left">see <xref target="sect-d.3"/> above</td> <td align="left">see <xref target="sect-d.3"/> above</td>
skipping to change at line 5971 skipping to change at line 5602
<td align="left">extraCerts</td> <td align="left">extraCerts</td>
<td align="left">optionally present</td> <td align="left">optionally present</td>
<td align="left">can be used to "publish" certificates (e.g., cert ificates signed using the new private key)</td> <td align="left">can be used to "publish" certificates (e.g., cert ificates signed using the new private key)</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section anchor="sect-d.5"> <section anchor="sect-d.5">
<name>PKI Information Request/Response</name> <name>PKI Information Request/Response</name>
<t>The end entity sends a general message to the PKI requesting details <t>The end entity sends a general message to the PKI requesting details
that will be required for later PKI management operations. RA/CA that will be required for later PKI management operations. The RA/CA
responds with a general response. If an RA generates the response, responds with a general response. If an RA generates the response,
then it will simply forward the equivalent message that it previously then it will simply forward the equivalent message that it previously
received from the CA, with the possible addition of certificates to received from the CA, with the possible addition of certificates to
the extraCerts fields of the PKIMessage. A confirmation message is the extraCerts fields of the PKIMessage. A confirmation message is
not required from the end entity.</t> not required from the end entity.</t>
<t>Message Flows:</t> <t>Message Flows:</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="560" viewBox="0 0 560 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="560" viewBox="0 0 560 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,48 L 552,48" fill="none" stroke="black"/> <path d="M 8,48 L 552,48" fill="none" stroke="black"/>
<path d="M 160,80 L 176,80" fill="none" stroke="black"/> <path d="M 160,80 L 176,80" fill="none" stroke="black"/>
skipping to change at line 6048 skipping to change at line 5679
GenMsgContent empty SEQUENCE GenMsgContent empty SEQUENCE
-- all relevant information requested -- all relevant information requested
protection present protection present
-- bits calculated using MSG_MAC_ALG or MSG_SIG_ALG -- bits calculated using MSG_MAC_ALG or MSG_SIG_ALG
]]></artwork> ]]></artwork>
<t>genP:</t> <t>genP:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Field Value Field Value
sender CA name sender CA name
-- name of the CA which produced the message -- name of the CA that produced the message
protectionAlg MSG_MAC_ALG or MSG_SIG_ALG protectionAlg MSG_MAC_ALG or MSG_SIG_ALG
-- any authenticated protection alg. -- any authenticated protection alg.
senderKID present if required senderKID present if required
-- must be present if required for verification of message -- must be present if required for verification of message
-- protection -- protection
body genp (GenRepContent) body genp (GenRepContent)
CAProtEncCert present (object identifier one CAProtEncCert present (object identifier one
of PROT_ENC_ALG), with relevant of PROT_ENC_ALG), with relevant
value value
-- to be used if end entity needs to encrypt information for -- to be used if end entity needs to encrypt information for
-- the CA (e.g., private key for recovery purposes) -- the CA (e.g., private key for recovery purposes)
SignKeyPairTypes present, with relevant value SignKeyPairTypes present, with relevant value
-- the set of signature algorithm identifiers that this CA will -- the set of signature algorithm identifiers that this CA will
-- certify for subject public keys -- certify for subject public keys
EncKeyPairTypes present, with relevant value EncKeyPairTypes present, with relevant value
-- the set of encryption/key agreement algorithm identifiers that -- the set of encryption / key agreement algorithm identifiers that
-- this CA will certify for subject public keys -- this CA will certify for subject public keys
PreferredSymmAlg present (object identifier one PreferredSymmAlg present (object identifier one
of PROT_SYM_ALG) , with relevant of PROT_SYM_ALG) , with relevant
value value
-- the symmetric algorithm that this CA expects to be used -- the symmetric algorithm that this CA expects to be used
-- in later PKI messages (for encryption) -- in later PKI messages (for encryption)
RootCaKeyUpdate optionally present, with RootCaKeyUpdate optionally present, with
relevant value relevant value
-- Use RootCaKeyUpdate; if backward compatibility with cmp2000 is -- Use RootCaKeyUpdate; if backward compatibility with cmp2000 is
-- required, use CAKeyUpdateInfo. -- required, use CAKeyUpdateInfo.
skipping to change at line 6090 skipping to change at line 5721
-- the CA MAY provide a copy of a complete CRL (i.e., -- the CA MAY provide a copy of a complete CRL (i.e.,
-- fullest possible one) -- fullest possible one)
protection present protection present
-- bits calculated using MSG_MAC_ALG or MSG_SIG_ALG -- bits calculated using MSG_MAC_ALG or MSG_SIG_ALG
extraCerts optionally present extraCerts optionally present
-- can be used to send some certificates to the end -- can be used to send some certificates to the end
-- entity. An RA MAY add its certificate here. -- entity. An RA MAY add its certificate here.
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="sect-d.6"> <section anchor="sect-d.6">
<name>Cross Certification Request/Response (1-way)</name> <name>Cross-Certification Request/Response (1-way)</name>
<t>Creation of a single cross-certificate (i.e., not two at once). The <t>Creation of a single cross-certificate (i.e., not two at once). The
requesting CA <bcp14>MAY</bcp14> choose who is responsible for publication of th e requesting CA <bcp14>MAY</bcp14> choose who is responsible for publication of th e
cross-certificate created by the responding CA through use of the cross-certificate created by the responding CA through use of the
PKIPublicationInfo control.</t> PKIPublicationInfo control.</t>
<t>Preconditions:</t> <t>Preconditions:</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>Responding CA can verify the origin of the request (possibly <t>Responding CA can verify the origin of the request (possibly
requiring out-of-band means) before processing the request.</t> requiring out-of-band means) before processing the request.</t>
</li> </li>
<li> <li>
<t>Requesting CA can authenticate the authenticity of the origin of <t>Requesting CA can authenticate the authenticity of the origin of
the response (possibly requiring out-of-band means) before the response (possibly requiring out-of-band means) before
processing the response</t> processing the response.</t>
</li> </li>
</ol> </ol>
<t>The use of certificate confirmation and the corresponding server <t>The use of certificate confirmation and the corresponding server
confirmation is determined by the generalInfo field in the PKIHeader confirmation is determined by the generalInfo field in the PKIHeader
(see <xref target="sect-5.1.1"/>). The following profile does not mandate suppo rt (see <xref target="sect-5.1.1"/>). The following profile does not mandate suppo rt
for either confirmation.</t> for either confirmation.</t>
<t>Message Flows:</t> <t>Message Flows:</t>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="560" viewBox="0 0 560 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="560" viewBox="0 0 560 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,48 L 552,48" fill="none" stroke="black"/> <path d="M 8,48 L 552,48" fill="none" stroke="black"/>
skipping to change at line 6178 skipping to change at line 5809
protectionAlg MSG_SIG_ALG protectionAlg MSG_SIG_ALG
-- only signature protection is allowed for this request -- only signature protection is allowed for this request
senderKID present if required senderKID present if required
-- must be present if required for verification of message -- must be present if required for verification of message
-- protection -- protection
recipKID present if required recipKID present if required
-- must be present if required for verification of message -- must be present if required for verification of message
-- protection -- protection
transactionID present transactionID present
-- implementation-specific value, meaningful to requesting CA. -- implementation-specific value, meaningful to requesting CA.
-- [If already in use at responding CA then a rejection message -- [If already in use at responding CA, then a rejection message
-- MUST be produced by responding CA] -- MUST be produced by responding CA]
senderNonce present senderNonce present
-- 128 (pseudo-)random bits -- 128 (pseudo-)random bits
freeText any valid value freeText any valid value
body ccr (CertReqMessages) body ccr (CertReqMessages)
only one CertReqMsg only one CertReqMsg
allowed allowed
-- if multiple cross certificates are required, they MUST be -- if multiple cross-certificates are required, they MUST be
-- packaged in separate PKIMessages -- packaged in separate PKIMessages
certTemplate present certTemplate present
-- details follow -- details follow
version v1 or v3 version v1 or v3
-- v3 STRONGLY RECOMMENDED -- v3 STRONGLY RECOMMENDED
signingAlg present signingAlg present
-- the requesting CA must know in advance with which algorithm it -- the requesting CA must know in advance with which algorithm it
-- wishes the certificate to be signed -- wishes the certificate to be signed
subject present subject present
skipping to change at line 6208 skipping to change at line 5839
validity present validity present
-- MUST be completely specified (i.e., both fields present) -- MUST be completely specified (i.e., both fields present)
issuer present issuer present
-- may be NULL-DN only if issuerAltNames extension value proposed -- may be NULL-DN only if issuerAltNames extension value proposed
publicKey present publicKey present
-- the key to be certified (which must be for a signing algorithm) -- the key to be certified (which must be for a signing algorithm)
extensions optionally present extensions optionally present
-- a requesting CA must propose values for all extensions -- a requesting CA must propose values for all extensions
-- that it requires to be in the cross-certificate -- that it requires to be in the cross-certificate
POPOSigningKey present POPOSigningKey present
-- see Section D3: Proof-of-possession profile -- see Appendix C.3: Proof-of-Possession Profile
protection present protection present
-- bits calculated using MSG_SIG_ALG -- bits calculated using MSG_SIG_ALG
extraCerts optionally present extraCerts optionally present
-- MAY contain any additional certificates that requester wishes -- MAY contain any additional certificates that requester wishes
-- to include -- to include
]]></artwork> ]]></artwork>
<t>ccp:</t> <t>ccp:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Field Value Field Value
skipping to change at line 6240 skipping to change at line 5871
recipKID present if required recipKID present if required
transactionID present transactionID present
-- value from corresponding ccr message -- value from corresponding ccr message
senderNonce present senderNonce present
-- 128 (pseudo-)random bits -- 128 (pseudo-)random bits
recipNonce present recipNonce present
-- senderNonce from corresponding ccr message -- senderNonce from corresponding ccr message
freeText any valid value freeText any valid value
body ccp (CertRepMessage) body ccp (CertRepMessage)
only one CertResponse allowed only one CertResponse allowed
-- if multiple cross certificates are required they MUST be -- if multiple cross-certificates are required, they MUST be
-- packaged in separate PKIMessages -- packaged in separate PKIMessages
response present response present
status present status present
PKIStatusInfo.status present PKIStatusInfo.status present
-- if PKIStatusInfo.status is one of: -- if PKIStatusInfo.status is one of:
-- accepted, or -- accepted, or
-- grantedWithMods, -- grantedWithMods,
-- then certifiedKeyPair MUST be present and failInfo MUST -- then certifiedKeyPair MUST be present and failInfo MUST
-- be absent -- be absent
failInfo present depending on failInfo present depending on
PKIStatusInfo.status PKIStatusInfo.status
-- if PKIStatusInfo.status is: -- if PKIStatusInfo.status is:
-- rejection -- rejection,
-- then certifiedKeyPair MUST be absent and failInfo MUST be -- then certifiedKeyPair MUST be absent and failInfo MUST be
-- present and contain appropriate bit settings -- present and contain appropriate bit settings
certifiedKeyPair present depending on certifiedKeyPair present depending on
PKIStatusInfo.status PKIStatusInfo.status
certificate present depending on certificate present depending on
certifiedKeyPair certifiedKeyPair
-- content of actual certificate must be examined by requesting CA -- content of actual certificate must be examined by requesting CA
-- before publication -- before publication
protection present protection present
skipping to change at line 6280 skipping to change at line 5911
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="sect-d.7"> <section anchor="sect-d.7">
<name>In-Band Initialization Using External Identity Certificate</name> <name>In-Band Initialization Using External Identity Certificate</name>
<t>An (uninitialized) end entity wishes to initialize into the PKI with <t>An (uninitialized) end entity wishes to initialize into the PKI with
a CA, CA-1. It uses, for authentication purposes, a pre-existing a CA, CA-1. It uses, for authentication purposes, a pre-existing
identity certificate issued by another (external) CA, CA-X. A trust identity certificate issued by another (external) CA, CA-X. A trust
relationship must already have been established between CA-1 and CA-X relationship must already have been established between CA-1 and CA-X
so that CA-1 can validate the EE identity certificate signed by CA-X. so that CA-1 can validate the EE identity certificate signed by CA-X.
Furthermore, some mechanism must already have been established within Furthermore, some mechanism must already have been established within
the Trusted Execution Environment (TEE) also known as the Trusted Execution Environment (TEE), also known as
Personal Security Environment (PSE) of the EE that would allow it Personal Security Environment (PSE), of the EE that would allow it
to authenticate and verify PKIMessages signed by CA-1 (as one to authenticate and verify PKIMessages signed by CA-1 (as one
example, the TEE may contain a certificate issued for the public key example, the TEE may contain a certificate issued for the public key
of CA-1, signed by another CA that the EE trusts on the basis of of CA-1, signed by another CA that the EE trusts on the basis of
out-of-band authentication techniques).</t> out-of-band authentication techniques).</t>
<t>The EE sends an initialization request to start the transaction. <t>The EE sends an initialization request to start the transaction.
When CA-1 responds with a message containing the new certificate, the When CA-1 responds with a message containing the new certificate, the
end entity replies with a certificate confirmation. CA-1 replies end entity replies with a certificate confirmation. CA-1 replies
with a PKIConfirm to close the transaction. All messages are signed with a PKIConfirm to close the transaction. All messages are signed
(the EE messages are signed using the private key that corresponds to (the EE messages are signed using the private key that corresponds to
the public key in its external identity certificate; the CA-1 the public key in its external identity certificate; the CA-1
skipping to change at line 6310 skipping to change at line 5941
entities);</t> entities);</t>
</li> </li>
<li> <li>
<t>sender name in ir <bcp14>MUST</bcp14> be present (and identical t o the subject <t>sender name in ir <bcp14>MUST</bcp14> be present (and identical t o the subject
name present in the external identity certificate);</t> name present in the external identity certificate);</t>
</li> </li>
<li> <li>
<t>protectionAlg of MSG_SIG_ALG <bcp14>MUST</bcp14> be used in all m essages;</t> <t>protectionAlg of MSG_SIG_ALG <bcp14>MUST</bcp14> be used in all m essages;</t>
</li> </li>
<li> <li>
<t>external identity cert. <bcp14>MUST</bcp14> be carried in ir ext raCerts field</t> <t>external identity certificate <bcp14>MUST</bcp14> be carried in i r extraCerts field</t>
</li> </li>
<li> <li>
<t>senderKID and recipKID are not used;</t> <t>senderKID and recipKID are not used;</t>
</li> </li>
<li> <li>
<t>body is ir or ip;</t> <t>body is ir or ip; and</t>
</li> </li>
<li> <li>
<t>protection bits are calculated according to the protectionAlg <t>protection bits are calculated according to the protectionAlg
field.</t> field.</t>
</li> </li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="sect-e"> <section anchor="sect-e">
<name>Variants of Using KEM Keys for PKI Message Protection</name> <name>Variants of Using KEM Keys for PKI Message Protection</name>
<t>As described in <xref target="sect-5.1.3.4"/>, any party in a PKI manag ement operation may wish to use a KEM key pair for message protection. Below pos sible cases are described.</t> <t>As described in <xref target="sect-5.1.3.4"/>, any party in a PKI manag ement operation may wish to use a KEM key pair for message protection. Possible cases are described below.</t>
<t>For any PKI management operation started by a PKI entity with any type of request message, the following message flows describe the use of a KEM key. T here are two cases to distinguish, namely whether the PKI entity or the PKI mana gement entity owns a KEM key pair. If both sides own KEM key pairs, the flows ne ed to be combined such that for each direction a shared secret key is establishe d.</t> <t>For any PKI management operation started by a PKI entity with any type of request message, the following message flows describe the use of a KEM key. T here are two cases to distinguish, namely whether the PKI entity or the PKI mana gement entity owns a KEM key pair. If both sides own KEM key pairs, the flows ne ed to be combined such that for each direction a shared secret key is establishe d.</t>
<t>In the following message flows Alice indicates the PKI entity that uses <t>In the following message flows, Alice indicates the PKI entity that use
a KEM key pair for message authentication and Bob provides the KEM ciphertext u s a KEM key pair for message authentication and Bob provides the KEM ciphertext
sing Alice's public KEM key, as described in <xref target="sect-5.1.3.4"/>.</t> using Alice's public KEM key, as described in <xref target="sect-5.1.3.4"/>.</t>
<!--[rfced] As the text preceeding these figures and the titles of the figures
are very similar, may we remove the preceeding text to avoid redundancy?
Original:
Message Flow when the PKI entity has a KEM key pair and certificate:
...
Figure 3: Message Flow when PKI entity has a KEM key pair
Message Flow when the PKI entity knows that the PKI management entity
uses a KEM key pair and has the authentic public key:
...
Figure 4: Message Flow when the PKI entity knows that the PKI
management entity uses a KEM key pair and has the authentic
public key
Message Flow when the PKI entity does not know that the PKI
management entity uses a KEM key pair:
...
Figure 5: Message Flow when the PKI entity does not know that the PKI
management entity uses a KEM key pair
-->
<t>Message Flow when the PKI entity has a KEM key pair and certificate:</t > <t>Message Flow when the PKI entity has a KEM key pair and certificate:</t >
<figure anchor="KEM-Flow1"> <figure anchor="KEM-Flow1">
<name>Message Flow when PKI entity has a KEM key pair</name> <name>Message Flow When the PKI Entity Has a KEM Key Pair</name>
<artset> <artset>
<artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2000/sv g" version="1.1" height="688" width="560" viewBox="0 0 560 688" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> <artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2000/sv g" version="1.1" height="688" width="560" viewBox="0 0 560 688" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 8,64 L 552,64" fill="none" stroke="black"/> <path d="M 8,64 L 552,64" fill="none" stroke="black"/>
<path d="M 200,176 L 216,176" fill="none" stroke="black"/> <path d="M 200,176 L 216,176" fill="none" stroke="black"/>
<path d="M 312,176 L 328,176" fill="none" stroke="black"/> <path d="M 312,176 L 328,176" fill="none" stroke="black"/>
<path d="M 200,288 L 216,288" fill="none" stroke="black"/> <path d="M 200,288 L 216,288" fill="none" stroke="black"/>
<path d="M 312,288 L 328,288" fill="none" stroke="black"/> <path d="M 312,288 L 328,288" fill="none" stroke="black"/>
<path d="M 200,384 L 216,384" fill="none" stroke="black"/> <path d="M 200,384 L 216,384" fill="none" stroke="black"/>
<path d="M 312,384 L 328,384" fill="none" stroke="black"/> <path d="M 312,384 L 328,384" fill="none" stroke="black"/>
<path d="M 8,480 L 64,480" fill="none" stroke="black"/> <path d="M 8,480 L 64,480" fill="none" stroke="black"/>
skipping to change at line 6532 skipping to change at line 6186
PKI management entity PKI management entity
16 Further messages of this PKI management operation 16 Further messages of this PKI management operation
can be exchanged with MAC-based protection by the PKI can be exchanged with MAC-based protection by the PKI
entity using the established shared secret key (ssk) entity using the established shared secret key (ssk)
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>Message Flow when the PKI entity knows that the PKI management entity u ses a KEM key pair and has the authentic public key:</t> <t>Message Flow when the PKI entity knows that the PKI management entity u ses a KEM key pair and has the authentic public key:</t>
<figure anchor="KEM-Flow2"> <figure anchor="KEM-Flow2">
<name>Message Flow when the PKI entity knows that the PKI management ent ity uses a KEM key pair and has the authentic public key</name> <name>Message Flow When the PKI Entity Knows That the PKI Management Ent ity Uses a KEM Key Pair and Has the Authentic Public Key</name>
<artset> <artset>
<artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2000/sv g" version="1.1" height="496" width="560" viewBox="0 0 560 496" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> <artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2000/sv g" version="1.1" height="496" width="560" viewBox="0 0 560 496" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 8,64 L 552,64" fill="none" stroke="black"/> <path d="M 8,64 L 552,64" fill="none" stroke="black"/>
<path d="M 200,208 L 216,208" fill="none" stroke="black"/> <path d="M 200,208 L 216,208" fill="none" stroke="black"/>
<path d="M 312,208 L 328,208" fill="none" stroke="black"/> <path d="M 312,208 L 328,208" fill="none" stroke="black"/>
<path d="M 200,304 L 216,304" fill="none" stroke="black"/> <path d="M 200,304 L 216,304" fill="none" stroke="black"/>
<path d="M 312,304 L 328,304" fill="none" stroke="black"/> <path d="M 312,304 L 328,304" fill="none" stroke="black"/>
<path d="M 8,400 L 64,400" fill="none" stroke="black"/> <path d="M 8,400 L 64,400" fill="none" stroke="black"/>
<path d="M 496,400 L 552,400" fill="none" stroke="black"/> <path d="M 496,400 L 552,400" fill="none" stroke="black"/>
<polygon class="arrowhead" points="336,208 324,202.4 324,213.6" fi ll="black" transform="rotate(0,328,208)"/> <polygon class="arrowhead" points="336,208 324,202.4 324,213.6" fi ll="black" transform="rotate(0,328,208)"/>
skipping to change at line 6679 skipping to change at line 6333
-------- PKI management entity authenticated by PKI entity -------- -------- PKI management entity authenticated by PKI entity --------
10 Further messages of this PKI management operation 10 Further messages of this PKI management operation
can be exchanged with MAC-based protection by the can be exchanged with MAC-based protection by the
PKI management entity using the established PKI management entity using the established
shared secret key (ssk) shared secret key (ssk)
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>Note: <xref target="KEM-Flow2"/> describes the situation where KEM-base d message protection may not require more that one message exchange. In this ca se, the transactionID <bcp14>MUST</bcp14> also be used by the PKI entity (Bob) t o ensure domain separation between different PKI management operations.</t> <t>Note: <xref target="KEM-Flow2"/> describes the situation where KEM-base d message protection may not require more than one message exchange. In this ca se, the transactionID <bcp14>MUST</bcp14> also be used by the PKI entity (Bob) t o ensure domain separation between different PKI management operations.</t>
<t>Message Flow when the PKI entity does not know that the PKI management entity uses a KEM key pair:</t> <t>Message Flow when the PKI entity does not know that the PKI management entity uses a KEM key pair:</t>
<figure anchor="KEM-Flow3"> <figure anchor="KEM-Flow3">
<name>Message Flow when the PKI entity does not know that the PKI manage ment entity uses a KEM key pair</name> <name>Message Flow When the PKI Entity Does Not Know That the PKI Manage ment Entity Uses a KEM Key Pair</name>
<artset> <artset>
<artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2000/sv g" version="1.1" height="320" width="560" viewBox="0 0 560 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und"> <artwork type="svg" align="left"><svg xmlns="http://www.w3.org/2000/sv g" version="1.1" height="320" width="560" viewBox="0 0 560 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 8,64 L 552,64" fill="none" stroke="black"/> <path d="M 8,64 L 552,64" fill="none" stroke="black"/>
<path d="M 200,144 L 216,144" fill="none" stroke="black"/> <path d="M 200,144 L 216,144" fill="none" stroke="black"/>
<path d="M 312,144 L 328,144" fill="none" stroke="black"/> <path d="M 312,144 L 328,144" fill="none" stroke="black"/>
<path d="M 200,256 L 216,256" fill="none" stroke="black"/> <path d="M 200,256 L 216,256" fill="none" stroke="black"/>
<path d="M 312,256 L 328,256" fill="none" stroke="black"/> <path d="M 312,256 L 328,256" fill="none" stroke="black"/>
<polygon class="arrowhead" points="336,144 324,138.4 324,149.6" fi ll="black" transform="rotate(0,328,144)"/> <polygon class="arrowhead" points="336,144 324,138.4 324,149.6" fi ll="black" transform="rotate(0,328,144)"/>
<polygon class="arrowhead" points="320,256 308,250.4 308,261.6" fi ll="black" transform="rotate(180,312,256)"/> <polygon class="arrowhead" points="320,256 308,250.4 308,261.6" fi ll="black" transform="rotate(180,312,256)"/>
<polygon class="arrowhead" points="224,144 212,138.4 212,149.6" fi ll="black" transform="rotate(0,216,144)"/> <polygon class="arrowhead" points="224,144 212,138.4 212,149.6" fi ll="black" transform="rotate(0,216,144)"/>
skipping to change at line 6742 skipping to change at line 6396
<text x="24" y="276">5</text> <text x="24" y="276">5</text>
<text x="84" y="276">validate</text> <text x="84" y="276">validate</text>
<text x="136" y="276">KEM</text> <text x="136" y="276">KEM</text>
<text x="200" y="276">certificate</text> <text x="200" y="276">certificate</text>
<text x="24" y="308">6</text> <text x="24" y="308">6</text>
<text x="168" y="308">proceed</text> <text x="168" y="308">proceed</text>
<text x="212" y="308">as</text> <text x="212" y="308">as</text>
<text x="248" y="308">shown</text> <text x="248" y="308">shown</text>
<text x="284" y="308">in</text> <text x="284" y="308">in</text>
<text x="312" y="308">the</text> <text x="312" y="308">the</text>
<text x="356" y="308">Figure</text> <text x="356" y="308">figure</text>
<text x="412" y="308">before</text> <text x="412" y="308">before</text>
</g> </g>
</svg> </svg>
</artwork> </artwork>
<artwork type="ascii-art" align="left"><![CDATA[ <artwork type="ascii-art" align="left"><![CDATA[
Step# PKI entity PKI management entity Step# PKI entity PKI management entity
(Bob) (Alice) (Bob) (Alice)
--------------------------------------------------------------------- ---------------------------------------------------------------------
1 format request with 1 format request with
protection depending protection depending
skipping to change at line 6765 skipping to change at line 6419
2 --> request --> 2 --> request -->
3 format unprotected error 3 format unprotected error
with status "rejection" with status "rejection"
and failInfo and failInfo
"wrongIntegrity" and KEM "wrongIntegrity" and KEM
certificate in certificate in
extraCerts extraCerts
4 <-- error <-- 4 <-- error <--
5 validate KEM certificate 5 validate KEM certificate
6 proceed as shown in the Figure before 6 proceed as shown in the figure before
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
</section> </section>
<section anchor="sect-f"> <section anchor="sect-f">
<name>Compilable ASN.1 Definitions</name> <name>Compilable ASN.1 Definitions</name>
<t>This section contains the updated 2002 ASN.1 module for <xref target="R <t>This section contains the updated 2002 ASN.1 module from <xref target="
FC5912"/> RFC5912"/>, which
as updated in <xref target="RFC9480"/>. was updated in <xref target="RFC9480"/>.
This module replaces the module in Section 9 of <xref target="RFC5912"/>. This module replaces the module in <xref section="9" target="RFC5912"/>.
The module contains those changes to the normative ASN.1 module from The module contains those changes to the normative ASN.1 module from
Appendix F of <xref target="RFC4210"/> that were specified in <xref target="RFC9 <xref section="F" sectionFormat="of" target="RFC4210"/> that were specified in <
480"/>, xref target="RFC9480"/>,
as well as changes made in this document.</t> as well as changes made in this document.</t>
<!--[rfced] We note that the following references have citations only in
the ASN.1 module in Appendix F. In order to have a 1:1 matchup between
the references section and the text, please review the text and let us know
where a citation for each of the following may be included.
Alternatively, a sentence can be added before the module stating that it
refers to the following (and then list the citations).
[RFC3629]
[RFC6268]
-->
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
PKIXCMP-2023 PKIXCMP-2023
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-cmp2023-02(TBD2) } id-mod-cmp2023-02(116) }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AttributeSet{}, SingleAttribute{}, Extensions{}, EXTENSION, ATTRIBUTE AttributeSet{}, SingleAttribute{}, Extensions{}, EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009 FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
skipping to change at line 6847 skipping to change at line 6514
smime(16) modules(0) id-mod-cms-2009(58)} smime(16) modules(0) id-mod-cms-2009(58)}
-- The import of EnvelopedData and SignedData from [RFC6268] is -- The import of EnvelopedData and SignedData from [RFC6268] is
-- added due to the updates made in CMP Updates [RFC9480] -- added due to the updates made in CMP Updates [RFC9480]
KEM-ALGORITHM KEM-ALGORITHM
FROM KEMAlgorithmInformation-2023 -- [RFC9629] FROM KEMAlgorithmInformation-2023 -- [RFC9629]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-kemAlgorithmInformation-2023(109) } id-mod-kemAlgorithmInformation-2023(109) }
-- The import of KEM-ALGORITHM was added due to the updates made -- The import of KEM-ALGORITHM was added due to the updates made
-- in [RFCXXXX] -- in [RFC9810]
; ;
-- History of the PKIXCMP ASN.1 modules -- History of the PKIXCMP ASN.1 modules
-- [RFC2510] -- [RFC2510]
-- 1988 Syntax, PKIXCMP, 1.3.6.1.5.5.7.0.9 (id-mod-cmp) -- 1988 Syntax, PKIXCMP, 1.3.6.1.5.5.7.0.9 (id-mod-cmp)
-- Obsoleted by RFC 4210 PKIXCMP, 1.3.6.1.5.5.7.0.16 -- Obsoleted by RFC 4210 PKIXCMP, 1.3.6.1.5.5.7.0.16
-- (id-mod-cmp2000) -- (id-mod-cmp2000)
-- [RFC4210] -- [RFC4210]
-- 1988 Syntax, PKIXCMP, 1.3.6.1.5.5.7.0.16 (id-mod-cmp2000) -- 1988 Syntax, PKIXCMP, 1.3.6.1.5.5.7.0.16 (id-mod-cmp2000)
-- Replaced by RFC 9480 PKIXCMP, 1.3.6.1.5.5.7.0.99 -- Replaced by RFC 9480 PKIXCMP, 1.3.6.1.5.5.7.0.99
-- (id-mod-cmp2021-88) -- (id-mod-cmp2021-88)
-- [RFC5912] -- [RFC5912]
-- 2002 Syntax, PKIXCMP-2009, 1.3.6.1.5.5.7.0.50 -- 2002 Syntax, PKIXCMP-2009, 1.3.6.1.5.5.7.0.50
-- (id-mod-cmp2000-02) -- (id-mod-cmp2000-02)
-- Replaced by RFC 9480 PKIXCMP-2021, 1.3.6.1.5.5.7.0.100 -- Replaced by RFC 9480 PKIXCMP-2021, 1.3.6.1.5.5.7.0.100
-- (id-mod-cmp2021-02) -- (id-mod-cmp2021-02)
-- [RFC9480] -- [RFC9480]
-- 1988 Syntax, PKIXCMP, 1.3.6.1.5.5.7.0.99 (id-mod-cmp2021-88) -- 1988 Syntax, PKIXCMP, 1.3.6.1.5.5.7.0.99 (id-mod-cmp2021-88)
-- 2002 Syntax, PKIXCMP-2021, 1.3.6.1.5.5.7.0.100 -- 2002 Syntax, PKIXCMP-2021, 1.3.6.1.5.5.7.0.100
-- (id-mod-cmp2021-02) -- (id-mod-cmp2021-02)
-- Obsoleted by [RFC9810] PKIXCMP-2023, 1.3.6.1.5.5.7.0.116
-- (id-mod-cmp2023-02) -- (id-mod-cmp2023-02)
-- [RFC9810]
-- 2002 Syntax, PKIXCMP-2023, 1.3.6.1.5.5.7.0.116
-- (id-mod-cmp2023-02) -- (id-mod-cmp2023-02)
-- The rest of the module contains locally defined OIDs and -- The rest of the module contains locally defined OIDs and
-- constructs: -- constructs:
CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... } CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... }
-- This syntax, while bits-on-the-wire compatible with the -- This syntax, while bits-on-the-wire compatible with the
-- standard X.509 definition of "Certificate", allows the -- standard X.509 definition of "Certificate", allows the
-- possibility of future certificate types (such as X.509 -- possibility of future certificate types (such as X.509
-- attribute certificates, card-verifiable certificates, or other -- attribute certificates, card-verifiable certificates, or other
skipping to change at line 6935 skipping to change at line 6602
-- nonces used to provide replay protection, senderNonce -- nonces used to provide replay protection, senderNonce
-- is inserted by the creator of this message; recipNonce -- is inserted by the creator of this message; recipNonce
-- is a nonce previously inserted in a related message by -- is a nonce previously inserted in a related message by
-- the intended recipient of this message. -- the intended recipient of this message.
freeText [7] PKIFreeText OPTIONAL, freeText [7] PKIFreeText OPTIONAL,
-- this may be used to indicate context-specific instructions -- this may be used to indicate context-specific instructions
-- (this field is intended for human consumption) -- (this field is intended for human consumption)
generalInfo [8] SEQUENCE SIZE (1..MAX) OF generalInfo [8] SEQUENCE SIZE (1..MAX) OF
InfoTypeAndValue OPTIONAL InfoTypeAndValue OPTIONAL
-- this may be used to convey context-specific information -- this may be used to convey context-specific information
-- (this field not primarily intended for human consumption) -- (this field is not primarily intended for human consumption)
} }
PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
-- text encoded as UTF-8 string [RFC3629] -- text encoded as UTF-8 string [RFC3629]
PKIBody ::= CHOICE { -- message-specific body elements PKIBody ::= CHOICE { -- message-specific body elements
ir [0] CertReqMessages, --Initialization Request ir [0] CertReqMessages, --Initialization Request
ip [1] CertRepMessage, --Initialization Response ip [1] CertRepMessage, --Initialization Response
cr [2] CertReqMessages, --Certification Request cr [2] CertReqMessages, --Certification Request
cp [3] CertRepMessage, --Certification Response cp [3] CertRepMessage, --Certification Response
skipping to change at line 7004 skipping to change at line 6671
id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
usa(840) nt(113533) nsn(7) algorithms(66) 30 } usa(840) nt(113533) nsn(7) algorithms(66) 30 }
DHBMParameter ::= SEQUENCE { DHBMParameter ::= SEQUENCE {
owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
-- AlgId for a One-Way Function -- AlgId for a One-Way Function
mac AlgorithmIdentifier{MAC-ALGORITHM, {...}} mac AlgorithmIdentifier{MAC-ALGORITHM, {...}}
-- AlgId of the Message Authentication Code algorithm -- AlgId of the Message Authentication Code algorithm
} }
-- id-KemBasedMac and KemBMParameter were added in [RFC9810]
id-KemBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-KemBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
usa(840) nt(113533) nsn(7) algorithms(66) 16 } usa(840) nt(113533) nsn(7) algorithms(66) 16 }
KemBMParameter ::= SEQUENCE { KemBMParameter ::= SEQUENCE {
kdf AlgorithmIdentifier{KEY-DERIVATION, {...}}, kdf AlgorithmIdentifier{KEY-DERIVATION, {...}},
-- AlgId of the Key Derivation Function algorithm -- AlgId of the Key Derivation Function algorithm
kemContext [0] OCTET STRING OPTIONAL, kemContext [0] OCTET STRING OPTIONAL,
-- MAY contain additional algorithm specific context information -- MAY contain additional algorithm-specific context information
len INTEGER (1..MAX), len INTEGER (1..MAX),
-- Defines the length of the keying material output of the KDF -- Defines the length of the keying material output of the KDF
-- SHOULD be the maximum key length of the MAC function -- SHOULD be the maximum key length of the MAC function
mac AlgorithmIdentifier{MAC-ALGORITHM, {...}} mac AlgorithmIdentifier{MAC-ALGORITHM, {...}}
-- AlgId of the Message Authentication Code algorithm -- AlgId of the Message Authentication Code algorithm
} }
PKIStatus ::= INTEGER { PKIStatus ::= INTEGER {
accepted (0), accepted (0),
-- you got exactly what you asked for -- you got exactly what you asked for
skipping to change at line 7132 skipping to change at line 6799
hashVal BIT STRING hashVal BIT STRING
-- hashVal is calculated over the DER encoding of the -- hashVal is calculated over the DER encoding of the
-- self-signed certificate with the identifier certID. -- self-signed certificate with the identifier certID.
} }
POPODecKeyChallContent ::= SEQUENCE OF Challenge POPODecKeyChallContent ::= SEQUENCE OF Challenge
-- One Challenge per encryption or key agreement key certification -- One Challenge per encryption or key agreement key certification
-- request (in the same order as these requests appear in -- request (in the same order as these requests appear in
-- CertReqMessages). -- CertReqMessages).
-- encryptedRand was added in [RFC9810]
Challenge ::= SEQUENCE { Challenge ::= SEQUENCE {
owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
OPTIONAL, OPTIONAL,
-- MUST be present in the first Challenge; MAY be omitted in -- MUST be present in the first Challenge; MAY be omitted in
-- any subsequent Challenge in POPODecKeyChallContent (if -- any subsequent Challenge in POPODecKeyChallContent (if
-- omitted, then the owf used in the immediately preceding -- omitted, then the owf used in the immediately preceding
-- Challenge is to be used). -- Challenge is to be used).
witness OCTET STRING, witness OCTET STRING,
-- the result of applying the one-way function (owf) to a -- the result of applying the one-way function (owf) to a
-- randomly-generated INTEGER, A. (Note that a different -- randomly generated INTEGER, A. (Note that a different
-- INTEGER MUST be used for each Challenge.) -- INTEGER MUST be used for each Challenge.)
challenge OCTET STRING, challenge OCTET STRING,
-- MUST be used for cmp2000(2) popdecc messages and MUST be -- MUST be used for cmp2000(2) popdecc messages and MUST be
-- the encryption of Rand (using a mechanism depending on the -- the encryption of Rand (using a mechanism depending on the
-- private key type). -- private key type).
-- MUST be an empty OCTET STRING for cmp2021(3) popdecc messages. -- MUST be an empty OCTET STRING for cmp2021(3) popdecc messages.
-- Note: Using challenge omitting the optional encryptedRand is -- Note: Using challenge omitting the optional encryptedRand is
-- bit-compatible to the syntax without adding this optional -- bit-compatible to the syntax without adding this optional
-- field. -- field.
encryptedRand [0] EnvelopedData OPTIONAL encryptedRand [0] EnvelopedData OPTIONAL
skipping to change at line 7251 skipping to change at line 6918
crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
-- the resulting CRLs (there may be more than one) -- the resulting CRLs (there may be more than one)
} }
CAKeyUpdAnnContent ::= SEQUENCE { CAKeyUpdAnnContent ::= SEQUENCE {
oldWithNew CMPCertificate, -- old pub signed with new priv oldWithNew CMPCertificate, -- old pub signed with new priv
newWithOld CMPCertificate, -- new pub signed with old priv newWithOld CMPCertificate, -- new pub signed with old priv
newWithNew CMPCertificate -- new pub signed with new priv newWithNew CMPCertificate -- new pub signed with new priv
} }
-- CAKeyUpdContent was added in [RFC9810]
CAKeyUpdContent ::= CHOICE { CAKeyUpdContent ::= CHOICE {
cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated
cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent
} }
-- With cmp2021, the use of CAKeyUpdAnnContent is deprecated, use
-- RootCaKeyUpdateContent instead. -- RootCaKeyUpdateContent instead.
CertAnnContent ::= CMPCertificate CertAnnContent ::= CMPCertificate
RevAnnContent ::= SEQUENCE { RevAnnContent ::= SEQUENCE {
status PKIStatus, status PKIStatus,
certId CertId, certId CertId,
willBeRevokedAt GeneralizedTime, willBeRevokedAt GeneralizedTime,
badSinceDate GeneralizedTime, badSinceDate GeneralizedTime,
crlDetails Extensions{{...}} OPTIONAL crlDetails Extensions{{...}} OPTIONAL
skipping to change at line 7345 skipping to change at line 7012
} }
CRLSource ::= CHOICE { CRLSource ::= CHOICE {
dpn [0] DistributionPointName, dpn [0] DistributionPointName,
issuer [1] GeneralNames } issuer [1] GeneralNames }
CRLStatus ::= SEQUENCE { CRLStatus ::= SEQUENCE {
source CRLSource, source CRLSource,
thisUpdate Time OPTIONAL } thisUpdate Time OPTIONAL }
-- KemCiphertextInfo and KemOtherInfo were added in [RFC9810]
KemCiphertextInfo ::= SEQUENCE { KemCiphertextInfo ::= SEQUENCE {
kem AlgorithmIdentifier{KEM-ALGORITHM, {...}}, kem AlgorithmIdentifier{KEM-ALGORITHM, {...}},
-- AlgId of the Key Encapsulation Mechanism algorithm -- AlgId of the Key Encapsulation Mechanism algorithm
ct OCTET STRING ct OCTET STRING
-- Ciphertext output from the Encapsulate function -- Ciphertext output from the Encapsulate function
} }
KemOtherInfo ::= SEQUENCE { KemOtherInfo ::= SEQUENCE {
staticString PKIFreeText, staticString PKIFreeText,
-- MUST be "CMP-KEM" -- MUST be "CMP-KEM"
transactionID OCTET STRING, transactionID OCTET STRING,
-- MUST contain the values from the message previously received -- MUST contain the values from the message previously received
-- containing the ciphertext (ct) in KemCiphertextInfo -- containing the ciphertext (ct) in KemCiphertextInfo
kemContext [0] OCTET STRING OPTIONAL kemContext [0] OCTET STRING OPTIONAL
-- MAY contain additional algorithm specific context information -- MAY contain additional algorithm-specific context information
} }
INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER
InfoTypeAndValue ::= SEQUENCE { InfoTypeAndValue ::= SEQUENCE {
infoType INFO-TYPE-AND-VALUE. infoType INFO-TYPE-AND-VALUE.
&id({SupportedInfoSet}), &id({SupportedInfoSet}),
infoValue INFO-TYPE-AND-VALUE. infoValue INFO-TYPE-AND-VALUE.
&Type({SupportedInfoSet}{@infoType}) } &Type({SupportedInfoSet}{@infoType}) }
skipping to change at line 7440 skipping to change at line 7107
-- UTF8String -- UTF8String
-- - id-it-certProfile added in [RFC9480] -- - id-it-certProfile added in [RFC9480]
-- id-it-crlStatusList OBJECT IDENTIFIER ::= {id-it 22} -- id-it-crlStatusList OBJECT IDENTIFIER ::= {id-it 22}
-- CRLStatusListValue ::= SEQUENCE SIZE (1..MAX) OF -- CRLStatusListValue ::= SEQUENCE SIZE (1..MAX) OF
-- CRLStatus -- CRLStatus
-- - id-it-crlStatusList added in [RFC9480] -- - id-it-crlStatusList added in [RFC9480]
-- id-it-crls OBJECT IDENTIFIER ::= {id-it 23} -- id-it-crls OBJECT IDENTIFIER ::= {id-it 23}
-- CRLsValue ::= SEQUENCE SIZE (1..MAX) OF -- CRLsValue ::= SEQUENCE SIZE (1..MAX) OF
-- CertificateList -- CertificateList
-- - id-it-crls added in [RFC9480] -- - id-it-crls added in [RFC9480]
-- id-it-KemCiphertextInfo OBJECT IDENTIFIER ::= {id-it 24}
-- KemCiphertextInfoValue ::= KemCiphertextInfo -- KemCiphertextInfoValue ::= KemCiphertextInfo
-- - id-it-KemCiphertextInfo was added in [RFC9810]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
-- --
-- --
skipping to change at line 7517 skipping to change at line 7184
-- [RFC6402] -- [RFC6402]
-- --
-- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } -- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sect-g"> <section anchor="Acknowledgements" numbered="false">
<name>History of Changes</name> <name>Acknowledgements</name>
<t>Note: This appendix will be deleted in the final version of the documen <t>The authors of this document wish to thank <contact
t.</t> fullname="Carlisle Adams"/>, <contact fullname="Stephen Farrell"/>,
<t>From version 17 -&gt; 18:</t> <contact fullname="Tomi Kause"/>, and <contact fullname="Tero
<ul spacing="normal"> Mononen"/>, the original authors of <xref target="RFC4210"/>, for their
<li> work.</t>
<t>Deleted last paragraph of Appendix D.3 to resolve the DISCUSS from <t>We also thank all reviewers of this document for their valuable
Paul Wouters</t> feedback.</t>
</li> <t>Adding KEM support to this document was partly funded by the German
</ul> Federal Ministry of Education and Research in the project Quoryptan
<t>From version 16 -&gt; 17:</t> through grant number 16KIS2033.</t>
<ul spacing="normal">
<li>
<t>Addressing DISCUSS from Paul Wouters by extending text of Sections
3.1.1.2, 4.4, 5.2.5, 6, and D.3.</t>
</li>
<li>
<t>Updated IPSEC -&gt; IPsec</t>
</li>
</ul>
<t>From version 15 -&gt; 16:</t>
<ul spacing="normal">
<li>
<t>Addressed IESG review comments from Erik Kline, Gunter Van de Velde
, Orie Steele, Zaheduzzaman Sarker, Éric Vyncke, and Paul Wouters, except the DI
SCUSS issue Paul raised</t>
</li>
</ul>
<t>From version 14 -&gt; 15:</t>
<ul spacing="normal">
<li>
<t>Addressed SECDIR, OPSDIR, and TSVART review comments</t>
</li>
</ul>
<t>From version 13 -&gt; 14:</t>
<ul spacing="normal">
<li>
<t>Implemented some editorial changes throughout the document, specifi
cally in Sections 5.1.1, 5.1.1.3, 5.1.3.4, 5.2.2, 5.2.8.3, 5.3.18, 5.3.19.2, 5.2
.22, 7, C.1, and C.4</t>
</li>
<li>
<t>Aligned formatting of message flow diagrams</t>
</li>
<li>
<t>Updated the page header to 'CMP'</t>
</li>
<li>
<t>Removed one instruction to RFC Editors</t>
</li>
<li>
<t>Fixed some nits in Section 5.2.2</t>
</li>
<li>
<t>Fixed one reference to RFC 9629 in the ASN.1 Module</t>
</li>
</ul>
<t>From version 12 -&gt; 13:</t>
<ul spacing="normal">
<li>
<t>Updated the definition of "NULL-DN" in Section 5.1.1 and Appendix D
.1 and added a specification of how the RA/CA shall generate the rid content to
Section 5.2.8.3.3 to clarify direct POP (see thread "CMS RecipientInfo for Envel
opedData in CMC")</t>
</li>
<li>
<t>Added one minor clarification in Section 5.2.2</t>
</li>
<li>
<t>Updated reference from draft-ietf-lamps-cms-kemri to RFC 9629</t>
</li>
</ul>
<t>From version 11 -&gt; 12:</t>
<ul spacing="normal">
<li>
<t>Adding a paragraph to Section 5.2.8.3.2 to clarify Indirect POP (se
e thread "Using cms-kemri this CMP Indirect POP")</t>
</li>
<li>
<t>Updated Appendix F addressing comments from Russ (see thread "WG La
st Call for draft-ietf-lamps-rfc4210bis and draft-ietf-lamps-rfc6712bis")</t>
</li>
<li>
<t>Extended the Acknowledgments section.</t>
</li>
</ul>
<t>From version 10 -&gt; 11:</t>
<ul spacing="normal">
<li>
<t>Updated Section 4.2.2 addressing the comment from Tomas Gustavsson
and as presented during IETF 119 (see thread "draft-ietf-lamps-rfc4210bis-v10 Se
ction 4.2.2 - removing normative language")</t>
</li>
</ul>
<t>From version 09 -&gt; 10:</t>
<ul spacing="normal">
<li>
<t>Implemented some minor editorial changes modernizing the text in Se
ction 3, 4, and 5.2.8 as proposed during IETF 119, without changing normative la
nguage.</t>
</li>
<li>
<t>Added to Section 4.2.2 two ToDos for further discussion, based on t
he comment from Tomas Gustavsson as presented during IETF 119.</t>
</li>
<li>
<t>Addressed erratum 7888</t>
</li>
</ul>
<t>From version 08 -&gt; 09:</t>
<ul spacing="normal">
<li>
<t>Changed reference from ITU-T X.509 to RFC 5280 (see thread " CMP vs
RFC5280").</t>
</li>
<li>
<t>Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent in
CMP V3 as proposed by Tomas.</t>
</li>
<li>
<t>Updated Section 4.4 incorporating RootCaKeyUpdateContent as alterna
tive to using a repository for providing root CA key updates.</t>
</li>
<li>
<t>Deleting an obsolete sentence in Section 8.8.</t>
</li>
<li>
<t>Added IANA considerations addressing IANA early review.</t>
</li>
</ul>
<t>From version 07 -&gt; 08:</t>
<ul spacing="normal">
<li>
<t>Aligned with released RFC 9480 - RFC 9483</t>
</li>
<li>
<t>Updated Section 1.3</t>
</li>
<li>
<t>Added text on usage of transactionID with KEM-bases message protect
ion to Section 5.1.1</t>
</li>
<li>
<t>Reverted a change to Section 5.1.3.1 from -02 and reinserting the d
eleted text and adding some text explaining when a key expansion is required.</t
>
</li>
<li>
<t>Consolidated the definition and transferal of KemCiphertextInfo. Ad
ded a new Section 5.1.1.5 introducing KemCiphertextInfo in the generalInfo filed
and moving text on how to request a KEM ciphertext using genm/genp from Section
5.1.3.4 to Section 5.3.19.18</t>
</li>
<li>
<t>Some editorial changes to Section 5.1.3.4 and Appendix E after disc
ussion with David resolving #30 and discussing at IETF 117. Also introducing opt
ional field kemContext to KemBasedMac and KemOtherInfo as CMP-specific alternati
ve to ukm in cms-kemri.</t>
</li>
<li>
<t>Added ToDo for reviewing the reduced content of KemOtherInfo to Sec
tion 5.1.3.4</t>
</li>
<li>
<t>Added a cross-reference to Section 5.1.1.3 regarding use of OrigPKI
Message to Section 5.1.3.5</t>
</li>
<li>
<t>Added POP for KEM keys to Section 5.2.8. Restructured the section a
nd fixed some references which broke from RFC2510 to RFC4210. Introduced a secti
on on the usage of raVerified.</t>
</li>
<li>
<t>Fixed the issue in Section 5.3.19.15, resulting from a change made
in draft-ietf-lamps-cmp-updates-14, that no plain public-key can be used in the
request message in CMPCertificate.</t>
</li>
<li>
<t>Updated Appendix B regarding KEM-based message protection and usage
of CMS EnvelopedData</t>
</li>
</ul>
<t>From version 06 -&gt; 07:</t>
<ul spacing="normal">
<li>
<t>Updated section 5.1.1.4 addressing a question from Liao Lijun on ho
w to interpret less profile names than certReqMsgs</t>
</li>
<li>
<t>Updated section 5.1.3.4 specifying establishing a shares secret key
for one arbitrary side of the CMP communication only</t>
</li>
<li>
<t>Removed the note and the security consideration regarding combiner
function for HPKE</t>
</li>
<li>
<t>Added security considerations 8.1 and 8.8</t>
</li>
<li>
<t>Updates IANA Considerations in section 9 to add new OID for the upd
ates ASN.1 module and for id-it-KemCiphertextInfo</t>
</li>
<li>
<t>Added new appendix E showing different variants of using KEM keys f
or PKI message protection</t>
</li>
<li>
<t>Updates ASN.1 module in appendix F</t>
</li>
</ul>
<t>From version 05 -&gt; 06:</t>
<ul spacing="normal">
<li>
<t>Updated section 5.1.3.4 exchanging HPKE with plain KEM+KDF as also
used in draft-ietf-lamps-cms-kemri</t>
</li>
</ul>
<t>From version 04 -&gt; 05:</t>
<ul spacing="normal">
<li>
<t>Updated sections 5.1.3.4, 5.2.2, and 8.9 addressing comments from R
uss (see thread "I-D Action: draft-ietf-lamps-rfc4210bis-04.txt")</t>
</li>
</ul>
<t>From version 03 -&gt; 04:</t>
<ul spacing="normal">
<li>
<t>Added Section 4.3.4 regarding POP for KEM keys</t>
</li>
<li>
<t>Added Section 5.1.3.4 on message protection using KEM keys and HPKE
</t>
</li>
<li>
<t>Aligned Section 5.2.2 on guidance which CMS key management techniqu
e to use with encrypted values (see thread "CMS: selection of key management tec
hnique to use for EnvelopedData") also adding support for KEM keys</t>
</li>
<li>
<t>Added Section 8.9 and extended Section 3.1.2 regarding use of Certi
ficate Transparency logs</t>
</li>
<li>
<t>Deleted former Appendix C as announced in the -03</t>
</li>
<li>
<t>Fixed some nits resulting from XML -&gt; MD conversion</t>
</li>
</ul>
<t>From version 02 -&gt; 03:</t>
<ul spacing="normal">
<li>
<t>Updated Section 4.4.1 clarifying the definition of "new with new" c
ertificate
validity period (see thread "RFC4210bis - notAfter time of newWithNew certificat
e")</t>
</li>
<li>
<t>Added ToDo to Section 4.3 and 5.2.8 on required alignment regarding
POP for
KEM keys.</t>
</li>
<li>
<t>Updated Sections 5.2.1, 5.2.8, and 5.2.8.1 incorporating text of fo
rmer Appendix
C (see thread "draft-ietf-lamps-rfc4210bis - ToDo on review of Appendix C")</t>
</li>
<li>
<t>Added a ToDo to Appendix B to indicate additional review need to tr
y pushing
the content to Sections 4 and Section 5</t>
</li>
</ul>
<t>From version 01 -&gt; 02:</t>
<ul spacing="normal">
<li>
<t>Added Section 3.1.1.4 introducing the Key Generation Authority</t>
</li>
<li>
<t>Added Section 5.1.1.3 containing description of origPKIMessage cont
ent moved
here from Section 5.1.3.4</t>
</li>
<li>
<t>Added ToDos on defining POP and message protection using KEM keys</
t>
</li>
<li>
<t>Added a ToDo to Section 4.4.3</t>
</li>
<li>
<t>Added a ToDo to Appendix C to do a more detailed review</t>
</li>
<li>
<t>Removed concrete algorithms and referred to CMP Algorithms instead<
/t>
</li>
<li>
<t>Added references to Appendix D and E as well as the Lightweight CMP
Profile
for further information</t>
</li>
<li>
<t>Broaden the scope from human users also to devices and services</t>
</li>
<li>
<t>Addressed idnits feedback, specifically changing from historic LDAP
V2 to
LDAP V3 (RFC4511)</t>
</li>
<li>
<t>Did some further editorial alignment to the XML</t>
</li>
</ul>
<t>From version 00 -&gt; 01:</t>
<ul spacing="normal">
<li>
<t>Performed all updates specified in CMP Updates Section 2 and Append
ix A.2.</t>
</li>
<li>
<t>Did some editorial alignment to the XML</t>
</li>
</ul>
<t>Version 00:</t>
<t>This version consists of the text of RFC4210 with the following changes
:</t>
<ul spacing="normal">
<li>
<t>Introduced the authors of this document and thanked the authors of
RFC4210
for their work.</t>
</li>
<li>
<t>Added a paragraph to the introduction explaining the background of
this document.</t>
</li>
<li>
<t>Added the change history to this appendix.</t>
</li>
</ul>
</section> </section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA8y9a1vj2JUw+l2/QkN/KJyxDQbqAp3kfd1AdTFVVBGgupP0
9OlHtgUo2JIjyVCk0+c5f+N8m98yP+X8krOue68tyRTVmcw7zKQLbGlf1l57
3S+DwSC6O4h3o2xZHsR1uarqne3t/e2daFZM82SRHsSzMrmqB1laXw3myWJZ
Dcqr6d7OaHuSVYPRq2ia1AdxVc+iYlIV87ROq4P4GX4f7++92n4WrZazhD98
vj/aeRZNi7xK82qFn8B86bOoWk0WWVVlRV4/LGHCk+PL19E8ya8P4jSPltlB
FMd1MXXP01+zdFnf4Ez4d/WwKNOryjxRFWUtH10l8wo+q7N6joPndVrmaR3/
cfh8ez8+W03m2TR+mz7AN1dlUsEA03pVpjEAJo4P07LOrjLYYxqfJnlynS7S
vI7PygKWUMzjzcPTs16UTCZlClCEP6KkTBOARzqN7mH978anZxfx90V5m+XX
8bdlsVpGt+nDfVHODqIBvTBYMwl8cfb2JLrO6pvV5CDeYNjfX29NF8uBAHUD
wAT/wAFs3NT1sjrY2tLHhvziMCvsC1uPHObwpl7MNyJ87iDe2d55HiWr+qYo
caGMCW/SfFZmt/E3ZTG9vUlWFUCoKGGbFxkuGf9UUPhPAKJpCiv8HsFeDu6K
fCBfDi5qAHiVxiN4bFrMYIZnr7Z3d3fxAKdZ/XAQn67ybHpDX6/yuoRPvk3L
RZI/wEfpIsnmB/ENL2o40UX974qHH06LBTy2KjN4SKBzf38/tF/rzo6Su2wW
/z2G1cUfbtJsMfmfsLUZrmoIww4LWtOv2dlpdpvGH1Z5BThX3+iujnO66mZX
/hPd1Wj06mV8lpS38dk8mabwTZlewyWFMd/7XT1/vvty3+wqy/M0WRbzrLJb
+5hndTqLL2pEwri4iseLtASM93tdwDqHha7zf6e8nHU7tV/rTv+tuMnhiiUP
/3M3+RdY4vAalvgl+4uy/KoAzKizuxRJ4fnrQ6Ss/tcd/+su/noyOBqGN/zF
y9EO3HB5bvRq76X8uvN8tO1+ffVcfkWC4H/V4fd2t3f11+ejkfyKRF1+fbHz
4pX++tJ9+nJn/4X/dV9+fbW3p5++ev5Sn331Ys89sL+vy9kfufXuj17sBFtM
8myRDCZldZsNkrRj97cPE7iaU09iCQrvTy4uhxdnw1fb2z/tb49L2s3J8fEx
fLIzHI3PBzvbo1dAFz6cDEfbw9Foe38Lv764PBriN8NXezuAEnvIIr47hoe3
Xw22Ry9oS8CekvIakUtPNL+bDfMMjvO6uNu6W83zrVlaA0JsBe/yq8yl3sNp
F3kyj7+Dp9MymWRzwDwgU3UySYCsDOL2q0qt8fcB3wA3zElewcgrYDCAlhfT
LM2naZzks/gynd7kxby4fog3ESg9ep15wDMe//lgRGQLsB6Y2Fn1h6p7l4i3
K2Dt2achTL4FfP4qLXGiLf4UeCLgef0w2tmqcVY4jfmgSonxV1vLMoWnalrw
FtB0mCotLUie8fzxn4pVGZ9VtHpYSnwEIscU38KtfZ/N0gqGSmZAlJNb5OtV
nOXx+7QGunILD99l07R6tg5gzy5kkc+eAQIjn5+m6Qympftc36Txzqiq448X
x+9P/hj7LcYwvb6K0siyqLLV4pkMzfTpfTLLEuShfmtCqD4exhdJHh9l6XUR
vPLn5DYr46NVuSJKEryTAzkoK5wPVnYKrCS7TvLg7WN4Jf4eyEhZ3H/hq/82
jMfz9FP8JpnPiCs98X0VHkY7g+1X8MkfQcbCC7PfjTI3cIjzdAiYOczyems0
gsu2vbMF/9neGu0BvwwQ4ETpIAC79ng7iD8sUwD/Q1Wni4oFPDiZXLBiEF/C
sR1lJfxdIJlmkW8AYhjhUFLXZTbBq2GIRAyi4CJFlFmPKyxJ6g27TOcpUOsF
cnX6rEI4wfybJ5cfeyFw9gej7cFojz6s4GDTCkn8gcAYnj+Iz2kwEG14uyys
bo62t/B1HO7k4gMA9vne7sCAV0XcbjgNPIryBfzrCvgUfHwJIiTDAnbyUGVV
vEhhu7MqhoHiEr4pFvEkq+PrFIkRgLGK70G8hIsFywDCeBiP9l/ub9MY7pPn
e4QCT4DdhxLwJ/sbrxinBBYKOy9n+tkmDNoBw3UAvPgAZAEFXTdQ7EEFD41P
LnZH64nYpMqGk1U+G87SrYsbEOhnR8W02joq7vN5kczgt+Otby5Otv7M+PK3
LC1X+fUW7QloD9OwNN+CaX7aHf30epVPeaMA+Z+mc5QLq59gmz8xZH/KVwvg
UT954P6UDpezqwD3x/GyLICqALTgzYM4GDSWQe1x8aDmxPoxXVqA5s5wey1S
v07hvuORXMFFSGlAi04OgTYBAD15McuBDH8/jN9m8zmQCqUVTEm+L+ZXcLrX
zW9ptsuB3tpvj0/ibxeTN40hL4C2IIkowzFJ3m59+Ss34JjdaDTYBrR6hcD5
dgWAe6hW3ViSLkugV8MsmZbE60Bb2tl6uR2QK+AdxdUA/h9OTbgcrebt8aml
NFW8qpCtweHAJ8lknuqZwQutU/IU+jJbuEU2vjq7AWlhGb8pZtdp1fju2xTW
G78DHGl80dIT7JdHxeoaUAyuUwqSSNIcE0RmYFWwg9X0JmleyviwfFjWTILS
M4RbPC7h5O7S4ELv7MCfr1d/ySrgeV7w2t5+uVVtb4/2ng/wfPZHo70B6lRv
iitQifK/hU/uv3w12B3sAnF4uf18e3uw89MIhz2+vDgZ7H57djbc3R3usmwb
Hqrc/N3r5ZIO9Kpebl0sU7j1qBQPcCNboL3BPPB3cDGdZFGAiG/x6/3RRe/r
eAyHB2KN8IT4tbKVeHP8urf2FuJaQ+gAv9hZQ+7w4fjyAt6izcWjF8MXQ6SN
H0GgO/l2eLGaVGkNQtzL9SQP8G2YroDC4D9bFV3KratsnlaI27sA+62qqHZ/
gvuWftp+tfvT4KfKDfvTHQC/RbGOzy9PL7aOLw8v4g/5YJ7lKVlZjBXl9evX
JxdrYcCrD4n+8w4oxH5//fi70XAb9h7lDYVpZ98pN/Crah67L3ZU3QA9x2k0
O065eu71rOcvnMLy/MVzVVie7z93Ks/etlNj9ndVU9rf3nNqzN4rnWJfJj69
+/Dd/suAeb+BqzkpilvSH5fLeQYaJd8g0BuXNw8d4CJiOR7Gp0AN/uZuPN/N
1scs5j6zr54N4zsQPz8Ak5jeFHXwfvd3HYNcDOPvEtAygPMFA7Q/ty/zyY72
91+sQe7D80MkpUA/ga1/8z7eHrza298dvHoOSPkyigYgvSQTkHCTaR1F0eUN
yC6zYroi/AJVYAqiHZBYFNyfbPjbPHsLnOFJlr9h7D9YwBrhKVBMYIxZegUI
P0OCH9F8d7uBeDkFFYUIAkpMCzf8EC2CyOnvUI8BwMKSkylLkxMgNGmaR1NA
CVhIJYwTB4AFgy4CSgdIHXUVV0CGY6DWCUiR1xkCh6YaE9IQbTof9/DFKDG2
x8Yjh+PesAnQZDbD0ZdLYBHEy/zKEV0DrgYSOKi4pLElBOXjfJosq9WcZzoF
ARRkvmoRbwJD7MVLPg4VykFjjI7zu3ReLEH6Aq0XkaxGtQ7mgZHwQqSz75L5
Kh3GjUXOqwKens5XMz55tUDHFRB0WB8cCxNqWsgOzQc3DWTt7BPclx2cAu4o
ma8JBGmsIyCJx13Fk2R6e49yJYIddiT6OQrFdIRO1Irvb0BDhD8jFAMyYO/D
+KOMVheNZxFzsgUdP4CNNlnEyTWN3Y/TTzWuEb7BTS2L+Rx/Xygg+3g8+Eme
3osI4ZAyRsM6SIAk4/NTPFo6Q3M0gJswF2YDvANudfXAwIIRcIVwLWGRQnVE
Jq+GweJ346yKADhlMVtNGfFjXJgMixdwfPF+OAK8BQh+6gNcMsRS2LEiVHEV
HnmfEOoQdGyG601S3Yzn1/347AP8X5ndIVbRN8l1maan40PaYHReFPVhAl8y
nGGAGvECTm16uwIB1N3UFn47DwadP/kwEGJAekEdAgDQZGutaxE+mwkChkMR
Knkke83GBDu1YhgeraLmvmIi2tiGTOwW2Qwk3ij6CukZAZse/fmrCl4ajH6J
oh/wjeNZVqOasJynaC6apbiWgyg6AuEEDv/k+OJb0AHniDs1HQ6epeKlW9Q9
EpEl4iOcKMwCdxrGJbUS3ovYueGoVaKmw4nZGFDI7wRFBtvb7X1XN8l8Hk1S
QbwpYBygSwD+O/f+CO91UQK2KKwcjrm7DUgYbGb9PQeIjmNYDFoFiHzJULC8
5C4BMRdlcRjt558Jtte//NJavpAHvhhVe3f3WXXD6J/kt/FhUs6zCgYdz5IF
3EaQppcgHMavk7JM5/N+dFkssvhtAsSvL8a5sohPixzpep+2C9fvOkOV2Uwp
UO/TnYOHsjIiCZPQMb/LgN3Ap0AfcrjzuJqrVUnofFfMV3A3UtQN4eO/FFlO
kwzwAJHtwLsPUYK0fCDzwYZ/DFEsis4Yx5ZpiWoWjXAFxKm4R0xDKZEsj3AG
8HL0G1zuH+EnHgx+T8+C5ppdI6/M2cgFm8Ph75C2y5YQpKjO49z/FSw+Ihb/
NOfeOhYfGRb/NNZOdihY4CLaMM9vxAR1u6kyvYIzwSNJxPID0oNdbFK52Qk/
RWj95ReA8FdfxYeCyKfJLI0nD+42RT8fwDX73QaTiuFoA6gFvYxfAnbPsiua
+KosFjwqugfgC8ELf6ro5KwO6DhxUyh/GFFAmQ5QBlQh0BlKAMnwmgIvoxtx
j5bOhK/jFN3DOEOZ/nWVlbAtfZXIL+L9UkxF8gVA86JYoEQpZllEvbScP+A6
Zgld6avARIJGLaJjwo10RBhCx9Tt6PrRvJup4cDxWeRDQitmjN4JEC6gYg80
wJj4b4s74/yePfYBcZdlilIXs/O4mM/0JVgRm99iQ5tBiMsrYpNzkCbmbq3h
d0vF1KyqViKKso2VMCWBo1gmSDxhDodudNLIw375BYnMiu/SpQ5a2fMrUwKi
2SnIK3DJ4FAb0KINBJtGyMPZwq/E5WI1UcEJLls3LP2kIKZ10xZZEnZbx9mF
7Iv4KjInrBhwAwAFSgOMvMhQLHZzwMRpDmNPCVlZgGahCyZLPy3ngMiEPzWS
Sxi1QvEtUZgiEYM7puzF3jHk8o07toN3zLIjAjY+CNcKZ8bvQKhBoftm4b8e
wdcsEsxic0X7Kiwp2jRuHohOpRifA2EXH32XXd+ABoH/pbiDM7liOuUuDv/Y
TR/PZkilAeoqO8ZGdkQyeJeUWQH4Y2RGETzT4fWwT65VVUci1WLxciIkpoEm
4r4j1gTHQipg7ZitWob5+sNglgTfFOi1ICEF+ViFyhC+miGtIZjisvDdBvxQ
BKn5Hh/rHvFFZjNLnXGxmtcZiFaEU3I5YJXTgqTkGctIgDHAyOMp8Maqj0hH
IJgkNYi9S/QrVWT3w+G8PPqb+GOV8qX3Oj/wsFMhSRckPSNnuugJ4X/xHC4u
byjUmGTTS2InSFRBgUeTqNek0DQW6FK4C9AzgUk5qTzUQmKWrmClcfwajc2A
HYhtKD6BJoRSZo4HRQcKX8Bxp/n0gYUXWWMwIRLTCaq1cePKz+dxMZ2uSnKv
VcQ9iZp4vc5Cn7RPoDRIhmEosaASI8nuECUAUxENeXL3htdX+zhay14rbhCW
xsLpQKkrporJSxBiljclHjWoowXZ6okbMUtFtEpYDDPaTtyp4DJLC6HUb6la
lqyiYoMCWEAlYZhMdPWKSS8iYzAjHeL7Ag0w4ymI1axaFo7ejJAgOPF5OAIQ
FWi93efTxPGE+TbO1JtS9HQdu0txf7Dgq+SuKP3rFg7u7aFdCTzLQpGdDiU7
P1miCN6CHx1fMAusguwX2bUYR2DfTeDgbfyAs6IY5gQQ0UJjIK1zgj0KZhjy
saoscaZrLxTIIhqyvTSdVXzTlGkSmYFHb8hqg/JwwltSzsBfzwoYMy9qR8iQ
iDoeSEuzr/CZk3wKd3PlmAYu5w086y5VpUYTEoZYRFB3xWo5RQ56DYdf1YO/
ggJdrxZ+FiZanjV0Gh6Y86O3EVjPuHHvkhguHn3ODK9Pm7LkXF+tU6Aw+ASo
QYE8fO7uInA5eHDz8PxdT1XqNjUXzFUZDRa3HG1PS29vAE4Ff8FWFnzzgXwi
slgyfUQaNY/nRU4PfBVgvf44He4IzyeC7MgwTK+X7CUuy4gABrYaPMFUdebY
vLyKksNvaZpXwxd4b/2fL8M/9/FPXIX/aMSaQ5fqQPhxJJJiQ7bZRdlmnQHF
6hU8m5N7hvFJHRLylhKPU69R3A/ZQBfIUZXTA2cG4CME+BDhJ/wY6PFaowvJ
jmLHtGtfKxDpwchku0NQqIZ79AZTZr1tSKS+dR49b2IN8dIMg2gCklLCBFmQ
1aI7i+YJcsaHeF5ci+DgxEUaaa+1mDV2MSQ5c/HG36VMNdhqC5SgqDKWhUEC
mJJuRrdcb6y9ycMWTJ4TTECutMbghiiFBg0Qwk69ykWLYlUNTaeqjboRd3Fj
9mYYezT6VpHT0x9dDJ3Ym8Bn16GmjL0zfIWX48rf9YaAZ/fFtypcVd+Ol+rf
REVpNDEPXzQ4nh15h5CWKYyyTIA0n9o4z4010/HQ7oOlQU68vWzmNGykpbrB
SXqT3GUFkuzpPCmdAC5WAL12QJMPm1fDLBvv2eWNuD0yPVtAK0TbSyHbZE7M
7IIAO4Otj+RE6D7a1aAahlbfC+CMgERvxUsgnzpb8OfGf7UWcToPxQlvj8mG
bKLCG4lSNlnWVfZoCJ8NtocSMho/U7WRr1/o02n/KCT2z8M/X3XQ/pHQfjQ2
Ap9nPz1RXIqZzWQuMTDv/MIWT1T8MIi9ijdOP15cbvT53/j9B/r9/PgPH0/O
j4/w94s343fv3C+RPHHx5sPHd0f+N//m4YfT0+P3R/wyfBoHH0Ubp+M/bfAu
Nj6cXZ58eD9+12FDQ8sHi1iZhuUAJMlwZjjFN4dn//kfoz2Ax7+gtWs0Au4o
f7wavUQCen+DpldGNuAf/Cfg50OEtqukVF1lmiyzGqSoPtLT6qa4z4l64Sn+
gJD58SD+7WS6HO39Xj7ADQcfKsyCDwlm7U9aLzMQOz7qmMZBM/i8AelwveM/
BX8r3M2Hv/1f5OEfjF79r9+3HLFlOs8wIpp5aW0QbZ0Zk8xwIHCiZQbuaIIn
GuAjnu8ctUuQFeDW3gNH/j3QyYN1Dk36+vTs4HNGX37u4uBR/ZseOn938JgQ
ys+cvm4+xORXx3tNcQr47PExhqejmlLLcoGZHTzmOaVnvh0frJUw8IF35/DA
u4Ks6p3OYHzodHx44JbUiFg5LGYpPgNM+uARizo+8eFMop5AbYrPHKXE73AV
6+e/xM1fYsA7HOfxJyB39AwQ5KwschI9kUKhscYc2QdQiO8ykEaENu0KbSKb
DoyFl98tcOYVLjZK1MyN1S6BJowI1aq7bLaCeww3veBRkhlgK74Cd71mbwA8
w74N9GDK1xxkF9Ggq3xSrEisY42UlTYiIGQlERc5mQOKq/oekVlN3/1osvJO
bBQ2jZA89TpltZrUoF8sYOrklmT1JI+CxaCW5Iafpczc0IkJ5KpMAZ9IipiU
Bcj6ZYQLQ1tpRbb1bJEB/50/oM0OhsumpDyGe2UATsmIiwbXyBm7K55kip4s
8j3R/kUfFbMlUEZzlmqc5YutpBBfcfYSiSGyMRGRxER8LpjDBEcM2W6VfkrQ
WgXUOlq0V4F2gRvCn1VFBIZnWRstEWG0BDvX4yA8g0Ekrm5imsskK0nhrqpi
ikahGWqzbiP1fQFUTA6ZDM7xtISbFCQwkMiRJjBmgX48dvo0LscpXNt5oLDt
ssPnmxTeTkXVeiDFPoGhp0BevNjL8ZKVmr2m6QxgCbztHr7KSiBuTLfpLMlm
mlG0yl0xv2Ni3rCrilCHW7fHt4lsG7iBC65vvKYenMrdDnTHfU/z5vE1ZdPB
r2jkcE/CkCCXoPUXVRYMoi5QKDbCnIQ4cKwl3f0Ipk9Rz5etEES/AglcpdlK
bcXH8kQTsgzbyyeCQ5RfAZ/M+xBvZsN02I8cUEntAjq0cFYbZSNktAHkmPW8
vGxRM/KmdR40toM63KqaAyN4x5E10xsjPV8KokwkVq3bHpsSAH4Xq8lf0qmg
keNtndDz8EN8iDcqfnUDd0p3kFRBMiNd8dl2QynqhFIfjxk9y0CAMSrN+URk
GryB8ut4Xr+HJ8S8h0qMhQ9iH6Lefepc+zMAFdyiFfxJJ1cXRMXy2ZYlv0xH
HoJJN9kjkIAKD0sLVm6dqaC+z9Nen+eczx0NDQAV4/1Y4gsbw+gkVzNc3zzp
EW0j3jw+hhHhhG/YTZJHDuJ9BJv3GQTX6a7IyKx/tSINyDFQAlaEkAUAoXGn
MnIbvAjUP2W0CzAebwmdK+4r0kvhWOXNCsCA2+Uwh2TJjBOvYz92TNJ+jAew
qFJAy0qhS/Hfb4+3Ts4A2XrIEmecAqQPABGpaQakTTNMlsnwMAo0nMw1yq6n
ptKrBJNI4Mmr+SoVdpxGnnu5Ta53zMGGvmYKLjwoMlvwGEOTAUUuSNC9TeeE
57d5ge43WAUpI5hAavGGHHOVE5CdOx2PmJ3BHqYoyrw9iZrer0zcxgTc4Kj0
zsAM/jQfKBYC2X+dLVDQ6b5e8drrFawfTdVNdsd3DleEkUigUpMFuBOvI7og
yrYttQg2gqIdbhExbQ0IMDYIhgpeE2iyOp7yrUUWQ47Jgn3OmUk1GAwiktRQ
ZlqsFn3hgKgaIpSEuToLAe+JviGyczjmKCtUpCh5CTFAZOSJWDJ5331hAgna
5J5VNpZyEyCaRFeUcUY5C8ppzTP3DF3Y1/xKAZ/6sCsMbHPhUOm8Sul5vBEn
iL4LTdqrQI34E1GnAEAYXgXQjciqhshMuEirF8DoTQy5IewDIRXIPUCmzV0Z
OMeHgXpP4mwoFAn2KtMz6UScju6SknKhyL5FIe7ETuAupuUApJyMAjrE76n6
X13cYmI1jR3ZQ8bxGeFJG6A999056ewUOSEUFSZDAEbing12/KgOFG+CntTj
i4l0IEdzxhnK3uiXcokHwRtnF8ccxlusrm9Qz/KiXYnGv4dCxIdqWizTdgDb
prvigA6orqM5kAha7llOP04BXikKdj3kZ8R86FgwE49s+zItYQGsgnxOqvsj
NA4CPosbh5NYYqUIlUn7gFapt5GJvRVRbpJGeN+d2LFOSG8LHTsqdKyJPaAo
aCDjDzHFOj8QxQDauyJJYpKSjRy4xQYArZyRIA3MlRCrdbTsOwUAo8oKiPSH
VUbZuLUYlCK474ykfvx5we4pOiAiDDZRrolAKFhltSpMRMKukywnySEUGg7H
G+tkKUu/I5Keys/IQhnx+zxFOpiwq6ApEzmmBmC8ScrZPVvnkGFawehw3LnW
QLah47KfMdAIjk6unhQYFJzHG8XVFWmNG14D5Lh3/C5vftX3Es3h2JJmlkc8
FWSQRV3De59qP74p7jF0CK8E4D4aEBD9M6WacHMjuF90MxmIdLXLdJ7eJeKY
QSdlNn1gORZv8vdN+Igrhg5U3cKee8Qd3CMiW4HBzq/10b6QbtwseXvUh8XB
mIQBMl9kGIgwRgm7AnkKLeUT5Ekw3XITpSeCCS04Y2PIIoUtRrhmAMeDGjXU
r2QQKsPFsExVF0taQw6yYQbEBmjLQz+qzAhydIC+ZGaToDWlxgoIYREOdBFe
bQljhpOQF2Ce6Q3Leo7aE34UHAgO+1RPWRRei5OcITHNSiCjyE5QUGRrURyK
+XjLI2K8HATLgi0K3SSahyMAkvAbLCTF8kok8bN4rPEyRYSznwA9AGqMPo4x
Oc5XOX8LyPTeyeU8nZL9iiROILYufdt6cdlGq2gYMRoqjBETYZINC8INm7zh
oC43JXK8BmXuLF+5jEiP2ljyYKbm42RS3FlPUzRJ2dBk7pAUE1A51GYe8H6n
SY5YOFHf8yxKkyqjEM4xKVUUDoNnhPNnaLtO3YUiLuBwVaKurSKf5ZHiH+zy
A9N4MtmZYZlwySrC4bAIjIp2iA+1RGnQxdFgA8fv1thV2+yOHPaAnBqhJoLx
wMv9GJA4BjKAZWjgKydIVDEqz7rVKP3EcV1CEh7LMtKAU8cVozXsWeU2Z8hx
FzqIGjTmCLgK06TE2P2VcAES7WgiCojCkDz8F0GIgoKwh4gNQOhPu0mnWJip
z/Id8S2qBQAz9d23XbEonOyRhKZyFq1RxKco/b6JESNfOkUG9SMW/inqnaWn
hNJhE+RizkZYGaGqlaeCIgQz//MxsYk8VpeM50QH5KxS9lzUkVyKvqOSZIVc
LZxtXHmbhypPAdKLOxZQ9dYquaER1wktVh4aqDwUhfKQlVWM9NAX5cRJF31n
jNXdi/xK0gTJgSSzxhvnVm7oBcQOwHVO2wdaD6Q3ZIZsYNQUCQaQvDafR+dj
3hy536d17NWlQFV0+hg+f5PcpYErOOLhyCxEMMd7VbFre4ipzfdIyL1V1oo7
kVovld2G81Y0Y0YokQXqmViTnY0xSMKRuBvEE5f4dT5uiMXOhsFGWCDchiAZ
+w7D1kPGSXfWGk5oGTlrMHJRfntRsOKBOVQ5DYYXnRJa6HWvQ+LXIIjAePNK
TEaT1NxXYhlTkpo6OXK/YRUgl4Wr4JF6uYlzzFBAB3EuV31ZkUiuVdOxQKIe
cijQD0KDKpsGA9g2lV/aM/M0PFHiAtH6tXmxx9nqQLaHdd3QAFY6Uaax1mfY
Zht7yDbGa9+IN99+C4Qeca47nNrVM4CjAfSPiLwhN8fYE7h+ResGjpm4wbgu
kpc/8R6UOkIVuLK2DCUFetXwBj1COnH0dbRzGKg2Ra2HHHGgOgUa02J8qQaW
WdMZWZufQmAjJbCwEEth4ydQ2DDZGLnqekrb1DxPOPAZs1jrpLqtnLWJk5rm
6TUHCxUqgzrfWV+MA/wM7plDWYOIfM3sBAmL0vpcyD2Qga68gU2j1u9hwIrS
6gM+g1nBV5phbuAdMkurVWH8xWo+c+EypINmC28nJsMQ5ScM8IEYg0NyjTPC
hwvK+Jj7yBtJM2Bz8Ndk7iF6guKFfxuAc10Us7417/LvFUjs9xotz9fZC/nO
xSs5E7r8OcWX4AUuliDJX6EGCcDPyBTj1PZZ5LIWGGwnV4qAeppVE1fRmI94
13c3AY6L3eNzNGGhlugoy/lYqEbTx3jOeh8JiC264WwrXiq4zpB8EvVcpGnd
CKwszWgU2RVYZmEFo2Er0Qx1DPRHUN4hA0TLD+0/398bvNo6ufw4uOQkugir
/nE5IDSOjCgOVQMFNDubaef1irzfEiBKGqcjPaL7YZTy1VUqvAse4MPUx3iC
Sx9tTJHexLsTTaRYKz7JomCK23RZ82mpsdQSecq7RAv0kjgafmeFdnifeRVW
AMNL1FgCO/RYeeI9U6wnrAMAsRAYPb7IBE+P4C7bdG5WivMnf8rDQMHeMKr6
IHI27q3PhRpGYlZBs4GGQADMCaMwNhEw+ZzV25CJUkYTGr6nGXFlXCXRJ0rJ
j80SQDtDcs/hgHjp0MCqp4k2jCdAQziFd+62yBXliiD7E6HIrHaKwkrJNoAH
vp64H/r9cAzixdvUpLZQBGLyIMnmmCjjbfOsNKpeulyVmAOiLmzMLvQbuE/p
5nO4cZNKAHfkFBxEcVfHIHacGF1UGA3g1G2Wrf2e+kxjyPbwFPhprIdn6gq7
MMHrCeDLFR8UfjDCkQ8BaHgukK37AIFA8SU186YACCK65MoKxAxBPqkE0OlJ
tyXYn0/ep+09EkpWUUJD1aO9KLkMNA/KaRQ5FujCAiOCVFN1iGC00Ubyk79e
Qg1nBUXaqM3qPjH2NSAgQD/QxIfsKqOaqUldJ9PbylZ1UILad662BeYUkLUu
LZ8CrYnTjzivjtILU2LGMOWGy3rd8Fm2SEg0IxRN6KzxUyJuks378ZsH0GEw
rxM3LDG7Jt/7zeXlWa/vIuH+sEpX+C6W9lukQMh8Umy8efqHy8se5qocAgLB
WsiVMTaeXJNGXoxxWAoiFYsxOZ4GZNdiULw2Wf2IzldNFcHnlZd0qkbwH1Ie
F6ojIf3zNnK844EqC3gcJiVxoITeFlWGuNjJPb6CwdWCUunsa36KCVBNRCEo
nkgOAzIaV+o6SWaU9YzZIXQv6T3jsEYsslloRIKXqjewGZxtq8xoKfq4T7G3
TNXcBdi0Ni3kCxXRIYm5PhzDRVL8miZLRjDEKEqUZkmEXU82b6lq5vmTP5zR
vaYEVPbbNMJ0CKhkg1fiIjJ6UntoxptYJig2QWkKXJAEy1qMHQDObIbHSubc
mX8d1XGU/Igyw7jiMsD3QfauA90cx3WcCilshfZszDlEoN5nVeqNYGkzOihe
AVDnQkvYwEnh7hSwGlPyGkbopvcYaY3mMZJMJPEgT+/nDwNC4nQWN5z+DMGz
D2dkOZBE0tkQT5tEbMzWCvhBc2nw9iaZu9h0jFoHKsg4ZOA45IB3igNJiFWH
lyCM8Wtn2ohMMnohufLNNSheIam9xZO/QokCrw57DgUewr2Oj2XvtPMpCv2Y
Hih2aQcFog+gCZfJNL1aARWrgN9gUNBMjNcDoo+EWEi38yIf+GhOxHgSJEV8
FTGZaoFsAjqQKkZirr8WwqcQM3ODWJlTLIT7m1nQ2DkQe4c6KL0YK7VBpFpG
QpEVYVTJjMvn0clSHAOFouWWuWGkArBh8mK7TH9BLXLYmbAHk6/l9++2qXIT
qq8N1ZzKMD6EF92XZoSBGMFIScSSDW7OYUwhbkGQSeh5EyzH1wSEdCBfuhr2
3gQrUQAYj+Wmi/1h4yLQJhZ1WCMIlmIAB4e6QR5afHWDE2iarmwk9oEc7/hM
z2s93pzB5h224/Wd5tyUwJgAGsGrz/QZhE+044E8682IbLYVh4ETGsz1m6Xi
AFNTStvQp05UspuY0hAsCVPpCFg4AEtC5NI4KO6LgGKzYC58V9gw5u2i6NG2
6OHadFbgc0Se9FU5AsFTf/AiKJq089ZKGOTfq03SzOg4V+h0DAqzqQJlUOCO
M867lk+ULZmxjz9dsOBD9MHkRblFlsxHiaFb1Lzjqm0icbILlJk/mmiqG44/
0FoSIHtWfQk8oXoJkkTCBRwCwYOFI9o0xrBbuxLm+l1R8B/WXdd4YyL57KnW
bC5b1UcMcH8coGIqcbSHAb3vSCDp2TzhLqvJBxcK2LKZ7KrNxJOvWZbANVtQ
SlElrJcTQaqbbBl4Q1wQiO6BVZTPxFj7yES5UHOq/4C2eSbMsgAXW7DhbtxG
R0hg4iBYpXXUrrDhDJdicGK9kQJdOKKdF8mLADKHwjJB8v+GnzhJqjusj/Ov
g8HgX6k+JJ7+0Iky8oNfux9+Lv4LvPb3mP7320HXD37lE3DgD32MXjykl/3P
tf2ja74NEwexQUOkjSEaP3+P/6/mR1htmgsC/T0uP/e2fK0+B/yofuydhN6Z
0O/WQbHlAfWE6Rpx5/jN1hNfdRwQSCFKMA9fNLF7m7l65yGtezeQaf3r5/g9
4uvGx4vj84uNxuvf6euBW5fIDb3+Dv7XgVf/OvjX4F//S/DjN0/0Yvx+/O3x
6fH7S154AzXgAwsseOzk8uT4gr+0B2s/8Hts/3zX/Bje6ERaxHvdB/49azy/
pOeDG4azjumR3/r39PnCnslQx5J/+Om/2+crtx5/5816pnrI+nz2OErEzecf
vTIGUt8116/ACX9alCEzl7mbDsEPD3k45gXKh7+nNx/sfDefna9NheIQ4A3K
qTDx+Gb0rvD9w/N33W8rMD2RfuxH4N8M+84KLRT/uZ+UhrhqD5E+cQBLzRw1
ePKLT372uyc/q/j8xMeB7o0HO18+OnJUFEG+WoHqtrzNfBwQlaL+3TOb8PQs
TkoqdD4A/e46/93GPL2qyTGMPP8mu77hwnR9EQjI4WiyHlCeYmuJ8el0lkwW
wYCyuyhlW6QhkgJA1EU3fFUnhHgLinMhP6H7jAVbVon6ztWJkYhctzH2aRES
eB6YYpWBIn5jiMAnrdbUkNJF1zm2UV9W+z1oFKzihBgprCExlHGz7LExq9iw
QxDkxFfMZYgqr6HDGGSzW1fIDAFmL9VB/J0I1uZwfDYoSe5qaIRNAxgbpnes
BUeYBiMrqALxYRpOpxWGRJXBOB5BVNJEm7Go4lFAC7aLz+Fgd/KCHZLCdD7u
yxhLimwUJZVc7tWKYdxMK2nkT8r7oXaoQWgpHQXBRCPiZeliZeLoFR6iWlEK
yNVq3uN9khQsa0mb2heH94lZA3+8m96hQl9wAVRJdXbZIYzn1w6hgSVYp6nj
LbJt+YouQ3n30m6ONHQKo3Dpcqgs9zXZzxW+k5c36FZt9NXYbw3uGIAUmoNE
tO/YujMgNINomqYHEwfFQziLlcYtuznhejsTubllEuwgFQllFLak/C0ti0Fd
oMtDtUEKg/0Gbiti93JJVXRA7wVwXnCOC/vk9KeZe/zN+QVmH5PREPuZYRmz
Ul/9Mxb3vcTpzAiUXI5qNE61efHnyzN9/flLtjkW8rRmOZGqPM9mbCe3J75M
6hvKd+ZYNgyc6nfhnk2ONKXJWpA0TlG9fc41KgShIZQfxMcUq+A+tuNreUvn
bZdBRdEGVMWGfDI3E3QdR5wp/GGb4Qe7IBO8X2Fb9D/AcKOAPADNz0rGvgdv
oCCEl7Aqso1doan2hh0GErKfqSbuU3BuEiUUEmns12KtgGYttGFrserbJznK
SMlXNyS/9qkH3vFgsvOZDeKPskIDoLYgpmzpIP5AIXfesoTQTTQOWLfZFMPY
Mp3k7LchV/brDt80klklqRIv0G+EiLAdwwgLaCOON1ozbnA0WhszrMvGZSce
uihSfYrTXjgkSsJRp5zELinNXG8ALj+2FvLGaAUBG4wFeGSN9UnYQZ1SLY8o
jiLLl+z6nlUaHuqvwPr0GxnChNFy0CRCTA2TTZhKXgFSlINHTjLjQHDy78Qb
FL05EMt91yFc2X3IoFRuVwFc+SQnt2rFV1NsAuuS8TTV17LhcBllsn4ZMrBz
cA1VgInj35PfLB4dMNtvZhZQusLaAUkONn5YlV81bakBC6nkrXz3vUmJbqTG
+MqQRODdBPj+thKi6fjQDu+b2KFhVP3wmDyfk73Q3XC36Z0Dcqa2Iv1tam17
730YkIzjEiAtY/51BdDAYIR+LCm4ylnzWQryXFGoZ6N6yIv8YUGWXdzYZ5Eo
cTZZhTueUnM3u7gbQ4w6imYwikuCjWuSA/A2mUZ9ECjQi2syorQiB75OeLvu
cnSU5VCaivXyB9qSQcrlX2WfhFdg2XtfMV6zYBg8z148G/7YcRGVXUihFhaO
qenRvIPsSWFNyS1CUU5k5FauddTQGNItVPOBlLCFzigNB1SAvaF3oE9pnVrR
cOA2EntJ3bK6RSDJ+FexQRKt/poyclgUrkFXdG58/Fm6oocBF+iz74mDyKhE
4MqpjAGf50BezROj5zdsrSr0CkhKCQvGFLku2qwysY5uM75UG2awjna1ip75
jKp3wtLs6IW5aiqabr47Gp8Fkaa9jkKY0quXBU8p6f8K5FCVtShVwnkkAHnO
vHHfZ4N5z8EfdXPUqIniaG0FdisLOvuQHty4FUNhvxfUO0+fhmkWz1yBDdTN
0JUUKJTIZDfmoBRtkASLtaYMmrWM0LROV/CXIgZLLepzS/Ig0CuQi/WYXRUP
fBDVOOPpokWx28nVnVaRp4cn7GV5bCgED6+WGoLTNzFsXDoIH4HvOQZZiaEr
I6RysmrIGCsjgfWc2KtCsWzUCxqVnT3YottcRbqjKsQqH8DOrosa41Ow/jUG
5PBiEdg0EAicmCiTUf2SxLpZ8UfrfavwwZfO1nyi8DM9GIcgPort6SjSbeGI
YrFxELJiiLkk76AeLR8HRKlt+T/AIAUNgMeSj5SPD8ILqHGk/ON54Dk47iVU
2rnkRQZvJ5rpVLJxDHuwO/6e816c6OFElvBBOUP0jhdC9uGBPmsj/PfZyXvM
NpsOe49WBYji8LJzslYhdJFtUBo6t4ks5Dxdyt894qdoSUry2HWJmSTYahZp
CJ6zcUQGmalS9ytMLiM5Ce1hVJQxIb3ehRRoiyyW5wIH52sJP/EfkryDvnNM
T9foPCWywFCAn2fpnUZaULgAI5NW3ciqRhcKV6VbMqMiCY1u7aRp7SDTksmP
x5ITpKutKMBmYaJPzflyCYSY18kGU8x8cYU+bh4q1O4jSXGU/AGA8buE6vwr
Z3LHKMZbF7TtrLSN3hME3ij0H2tMpT8tLj+e36UP8l6VupuP5tFIHf1B1K0Q
Hj2QAxMv2VdAHnBQZ4RRm8Db1vblojoRf7i8lPi/YnzmQst3MBYMIfz5ShgU
JKDWJsfaNb0VM4fHvj6NKwhrAEFFP4OYQz0MBSh25XDAxpqZ8BweVKMn4GSV
ESmr02sKFTUBIu2kVI7GMcZkm0YGFD/31WqlcZZbgcNjjQNFN3+GylhQAQV7
VGN5GXdFwpwZIspsNKVyIBQBN8QkRzJQYMUKV23PJWGolTS5S6sZAHXJ+Q6r
OkN7FGOfadFl2l0X0TVXtbLJDrHrN08R4WjuQx0GBCXuOGZGIHiVVCOPeX8V
NbKJmm0nGkkV8Clo1vAYuUOc7OR4X4WR0toQZfIgtsfLdxdi59vbIwnwyH2y
P9p7KTIhFbHiT1/u7MNzLODtbu9yEV+qkjnGON+lj2s/1wKOpozv3i9UM9CE
O5wEttogMmXPF2dj4zxafY0h2/s/AKETiqAlWaShGviIv6AfQLefA981GXHO
28Ht+JplKqj3A+ZICbCdPU6T6r0BmM2VuHnZcZC9vhX4ShpQ0IwmYRZEjjEU
c6FFOcVzpcWnhCKvzQJtptc2ahBSTHfhmBHqrJii4hKGKT/Nx/XNVk4dKkmq
4g4H2TRLjVOCSl04RulSJpEGS1ybD6+qgiU9mLw+ygoBMOol1jQSakOucWuf
dw5FAfRMK0hT4SpgrcPQbpJSEHi0ITNhVWhkSVTBblquMIv5AJfGBkODmUSm
nPxFfqioEe9mS4igBnGTzDA5eokBzsitiCZOTRFZwNh+BIwNE7ZuWEXF8OLs
Tguvt0vmu2hXxHbYMBVRbXkhxAmBroTAk4B1bAzXS/JskQwmZXWbDZJUPA1/
vjyz7gOOn+faCEHuICATB/ZJHF9q87e5ejkyFV4hpXB4lW/LdA+ogtQPxBCG
hCBGliqL/dy5R6FIJfjFa+DKpazKJ5XtvoEVZ/jTSPu1iA5/XVADL485/i1d
jHRvgrVg53jU9yLfoIy0Bt/ShQs1lRgun+VUAyqmpo33XiZ3/eV0fCqq55gW
ReVKpr3tFUNjsoWNKGSO9Wowf51uwz066O6dsAernSRzsnlpIODVPP2k3Wip
dQmHz0dhvC2cjHiF3NF4KhQC1DW+cfuYzUruXRWtSZmyDTSV05k+KA536c+Z
aasZHjpluAH7QATydQsDwxEWUbtP8SxcIHmjzVnc0eYMR75aYacokJWKRdtz
FpRqpepNAO88hWs5kF8JNCfFZWQ2js4ILtvMaY8+21TL6TT70HNQarQoJrjC
nDvJV1Jpp9W9XUJYzwGymH1fKNOcFShSkZSIb1K5CS+hOnm+jfGuX6hrVMYF
pqQwzb0zJjH6txCli7GFFF6nkoK6hyBwoWUBm5zNmtyVpQwqTsCsWad5OoPW
OrInXSGvKtY6orN0zRjDLMiaSvzZFTyNnRm1BglQK3OSHS8kQZkFSTyvL/Tm
mVDErnlaZIv1IdEZAL5QE6rGYh87EVfOmevahZmjzuATsR0jT+cYeg3qJAfv
Yh4gyFbLmyLXChis/3G1ce9Hj4mDRaEfvcXCOlhUT0q8OVVgXmjSPhHQRgnZ
h9BMdqip6oFsq0aJD1SWp1HgvgOHXOq6auwOd/Q0OvJPXUoXVUJLGuV8uVqg
nzglUxkoV8KfTPI7J8iTkBzZN5ir8BakCppbV0fJQS1Sh6i2eTjeOh9LIZQ2
pe1LnmdYzYh6AItNAbd7XwTOZNBvuS1k9bDA5MhseuB6wcp8LhqnsTKxVALE
SyBNXFtu08ctN9aBsVa+bRZVnZJXVNB2PctF/XSj9mC0OyA3rbp0tHwBvV7s
9rRe5hCpPiKPu+h/Xsuw5IXatiQGJh+lmZK1C4fCv8sTpFgo9pLjkFquL7a1
ZBrLVPYKCz05Su9OjuIfTo6Pj//zP15tAyaPz3/c/Ar/Hsqfg53t0asep/um
kpUUBNO5RiqYmFmSQwBWgla6FRuFOo0jdGdX1a/VA4RLREH+p6be8DURYx9f
x2cGlwa/79QzH56FJVI6r56YGUcHWPFJqhmhq2tlOo0ajBBG8KxzPlyIiVTy
s3NCPtXq1FZ7mNLiehywTE4JuQmKkJnqkZG7fVLhEBPcnSoxCPO2fCRBDsfJ
rnFOOOsOn6Jy105jDerr6UVs3wcF2A4ZvZ9wrp7XuGwP1Nsjl4P2OAVrH5xe
5qh1mb0fBlsys+QcYyhV3XMs4Z1Jfw+rGXUwAS2W10UuN8JCCRtc3xeFB7a/
Ot4fOd6fZrUmksmxUYcypgm+OCmFpzmfFPdaoNEqlkS9iX3YiiFw9jpXggK5
ENXNIddEo7qDZO+7YhNfM85zFrNbAlqXUaKMqEmr76vqRQayIWhefDprizGu
NMfhONLWcptsKk1rDFlBVUhEZVxor7lSMRVtaV62q7cebwIeUAWftuE2OLKe
o1De2F/flKnKGagvZV4idkIHRYA0Dvsgam4vcWUuAgnk0DbEhoEuXKBo/Dkp
lkpuvfYxOo2o3HUhpbqiyPQgxrT/klREDazmUgWTBzVTNIRObIGNDb2pWQ3t
wIS4sk1j6bwLplW6JhVugkYjyWIda+81g6CGjaRJ0P0bncR5Bleoh7kvRm93
ki3Heuk8/F8d7B2FVrqVREF6WivsmgwZKO9oFcAASQ5M01bHSFi/+bxJMb5g
hah15r4UtepIUmCECuxcsV81KQEQ3ijxBfpXHB+zl6liu6AI108fQbHnChsb
tbpiRkR0p+oGGjuvMxUx0A4+BEsdz4ZHRNItVWvUUMalSqVVw3AQW8NBafV6
UwHcUz0GeBve3ZpiQ8kVeyITFBqIYoI0iZlyU7nCNdlXsBSOK3tC1JFFZKug
MTEXPYZBTZ6xw/HX+GheNLWODrlcozbpjRYzemSKRrW1HW7P2dOZOy+emW8Y
Asx1CwIkCIFkyjQ5L608HbnsC3zcVMSgyNIW8xAh3VKBSP1RtSS9lqlWtm+/
fNEp+keGmqBbje31rpZVqEW1lDC/E7HvildCojxiDqlTtxqXQXG4+U1SATUa
B2LNWhzd+bU4+iTsMxXA8bn/Gnyz/YzWI1vyCK6hg5LKBLqKdkBPlLQ2utOh
GLd5Mn7bU/okclbi1VIh9RGVwHEfWnVM9NGna2SMaWid4WAeTRsJNCmNa2At
a40KFRkVymQ4P3bLOG5i2pCM/cknVSQJUwcYt2ISlJ78cz7eouyk37mfp733
O/ujWQ328tkCy7i37lPVN/3hdqr/tErUu46PUdF/G6AlfHBoJKbOePaI8i1E
l2dvJKECTNnKpeMUzO5xYpef+YU/UuXBL+cLfzRv51cPwOV4XMGj1gCcobqu
M8dvNXGZKicFw8jA9pI/BlJ60GG6+fZXw/TRmf/L4IKrTqa3IPOKl6Tnv+2A
C2Vc+uKmwLeCTAFT1qibPF5h7QqmAXxFKaaEiw3Rp1RkSYlXQM+oEJGzEkjc
K0mwkS/9RBXanOuGIwqwgIV2P/Y9PePNsw9nPRLXhJBiJlTIwEiDPuvonMzv
KpNaWzZYrIgRwwgDBxqFgmk/vgETh1k4sh6FFUgoQporkNqiPUi3naPXV3zh
WCGQTKn2WaNsNCyf3GBCiGhkMZNh+YsJlQytqLoO/IPVyTiR8V9sTRLq1SyC
veoZYnzKfCFajk1HtQzF9g5YcjDy0HQ+7Yx/9NI2l1/FAoGZl1ajdjQHGzrv
Us27hKNggU7wKKz4IgkuCAEcjlt99ppHEreOxNhD8HufJZw0O/mZamlBIyBq
ls1Bts46jeW0xPVAZaTk3HkTGblWuQ4z1XXEZCk0tqcYiTLlYlwaf2Z4lxqz
krmIt9gga1U5fSXypWTYptXDwwnrb4deIpcV5OrgoOMlaPgSu0ApyXvxrVG5
TFa1hQXfiQ6Y9UcSTSAr1Q4Z3viB9inyLXMYC5YMo5j2woeCm652Gble400X
qjcH2JdFDqeGIXiN2Ez0DWlIOpe6F9uqtSxgbwUWZjJGhrCSjbcB5rOogUUA
lI9UiM4s1ixBZ/QllCKdY1ML7aPBAV3TuYZl99kufw2IIT0ZYAlvj0992l2P
u15I5iFGnE8ykIrrYqV1sXWWKdWmlwZRvv63s6IJ0beV8bcoXvvSR55J6pQO
KR0cOl8MG8uran6CwXZ5Wktr3AGS50Z6KkIZ482pZj5iC9E6ij1AtIFPr1Zz
oCxSlq9ZoMlfN7Jn+wpNq2VYo4mIsbnZzU6m7mZLyLpzvWgsFfnIJfPYpwxu
Os/H+cWYvUTkq0F8Nq0CNYoGo+11QGcrpmpbuGuT/2a7MZDhXgMMOAtD5+/H
2sXdlTFyaehEZkydZiKkkaGYkkRlG380SSX5YNx9wYpm1P5WbFRhpIR5kJRY
ibqlsBLXrcCY+NAiM89SV0+K3VjEXojc57azBvzqTerUjKmmBig+6d74pEW1
56GcuOEU5U0cVNKV09m/wHbCZswBB7qXzBy5O6jTmSRIF58UUeFEPAFerz17
d9f1bPC6uAzQXDwrEdwtljACeNidNYQOAeBMnO1219TwB4s5lujNkQK6PthM
EA04PZ0U3WVqn+mD9QQ7NelMwi+IorgYSqB8i6wWcztTOrqnwJ/CYBYxflM7
XgeMt9iEpCGssT3stSWQPvIrKLSc5PQIFeQV+aeF4G2EbvTvA7Y93HEmO2xx
rwkynYvb0cV5kr1+ddrKq3mlgMf7+2n6w/I1BLj1Oha5i3IaGfeFJPmmqsbi
I6B49NK3YQK4ciSZQdRGjAeReZz7T0warphkS/6BNe5KUVMtfLrmMRNgIQVS
XXCpM5+xWo1udWoYk2A46QxbKt2gXxEjSwGOQsqxyQywt8wqS6a6aWg6ZGd7
a14zU1DlQppteUMasoGmhckFPDW+MNUJSQRLJCQOlq5nRjy7USGD1K8Ozcv1
/xXySs1g1iyc/HSS4yJBwSoNmGaH1PqGemEYc2U3cc+RmJCTVBJJ6g5A+iZo
kQtCyQt045eJiX0qHLMyKelMrcXrbCA3MyVGfxYu3Xfn3A8g9Utcl8SfiyuX
w6CeVzLNjFW26r7gu3rBAzms+44rZ+pUGyMt1Ch5cFLV1tnmkBrfJCXlblCk
CDHb1r1dR/kfv882cYnwi2q6ouyL5X8q7iRR2oB8EZVwnw5fUE4J2iclToHh
aAHfG4oJGBa2z9LBGxBUMExSeky1Ggqh2jPXavZ8LbT9AQ6ZLFLqnqI2cQ+D
Q+4Pot5fAmFR1gPKEscWwwUGR2aLtBe2ySBEt/zYzEIpIa5sgcUU4AXJslpx
lcv4VMtWdOPNnsWbNHjTFbyIN0GS7/0P4hfRWn7xOfyy7CL+72IXYoRvpBk+
AvC2t5C9dC929vuaCh1TW49/nBWpVpFH/72sqIlIGtnQJi5wviT8chmUBtwC
ImsrWH85Z3MNwywOS/axOSVBK1Rup9nyhvsh9GWVHEjR3EI/Xsc0+9LFnC9Q
giTyxtoxfw1vjf9R3hr/03irC/CMfg1vjbt5a/QFvDW2vLXZoE/dEc5cTMZF
OmgDw4s343fvaLugMHxA8y0SXZeJJtzoOGfk4PYRN0XGdTXInPvhyhuC2xQQ
qZ+WfCiWhe8ezSnBfz2trlGbprIvVBgfV+h7uctcNoeA9Jf4XBJocLUfuUxj
yAz2OISCui0YO+qczAFzaY1yODYR4M3OyC4Jp5GIhUUJQPP8m0Rzq4fRt+3l
QJB8YD6KuAEcBT9UrrB7a0YyNrT6OOLuI+kZLaUH2SxIKR1B05ur7HpVutRF
rbW3qiSNm6MT1kdtmixsQVeJ2POFJFw8shEHJAqHSvRFmClvSJe0YCBCJNlS
zeBXCjxD+2mCi15V/YjEAbr6XKyERrb9/kiCcRIIRufMs/w2zAbZQJM7CR6w
pA2aaQMXx22b57MNx8xw49SADjfeGshbLrDsdi5nR2Up4N5ElEDlEBZnASRO
bNplKS10CokfTPBpADji8GECGMwIfFggoSLeojW86sIlONWUK93eJZqiNLsp
aJUHRAaLggiSYaZHVrlsRC3VqnloAmbuPU+uCtwHAKsjUQ1vzjWjvct30xOI
gucomQum5jjIoEiRqVHkQiK+d6fuEsLNqePaUFJ11wJ7KrApaKoylSw+jIbF
MNGg8q3YwSltE4tTcOc2rfBShRfeNWLQ5FLxrDVbJeDK9RrfJ8BhLq0hX8Wx
YB0m49cWY5RGVRIdCSQrSDqg5hAmwA6X04H7IaLHHzRa2CpOCjZh2ssUm9yp
VTnq3Cc5HkiFwmrkDhbrWqRH1DLCNVFHMQLRQSW9pE5ib4F2uCleeB2c8s6a
p4qULfKlChNfoIAKa8V3uwGb29Rqs9xdwwUN+Y5DPTW5S0UJmjpcYSA08k3D
gCJUdaqA/ndeGtcg91bb40VuqX4ZXFmAsUa+HoXduaxjIIl0Kt/RxMVGatsQ
6paLnAVJLMnajXZfTP6cwONWhRXttL+wac7UiMshSwz2S8fQyAQwDisSoOnf
AYmKk2hULgWmsJF2oi3xODYPXXCUdWlM1aJydbMB2/wX0FusnfhGoztSRPU2
aIM4gL3ezwJYiO/GrUpjo9NFhWPMVhNiYNqzArbnw2Y73uNIfR/+FnWsrWqV
vxKHvaOtjRYxkXSrx+xiyaBNqZcY/dpgevYO6MQRT+yP59IEixXoxkGx2+vL
1Be+IvxvtU+JOPf1MdLY11gw1G8q17mFympS9zb+rmqUtcVqm8BtU2mdjV2T
5HY1ABOFJtSAx3DtHnM3jBPcp+TBwXBUF99kuaimEJzeez7lzVb7EZ86bbMq
vLJMVhrqbD2lfl6WseJdV4fGHPNU0b/jnGlaLfHovU+ddcHUSdBw2N9Uyq/D
dT1gy1hEelcLr0Rjg5ABDh3W3tSVaxqKPZA/xiknCEsHcpR5ymx2rWlCYgxZ
IyFI66xxfPReWDmHw7cr11XTNEc3ctSMiHNBdUY+pWDesbRMge/H0oS+IfhL
gYpCpxYdRm/I4di1ZHbZipQsUdsY5gMus/StN3LZkrNSSpvjgtY21OmWFAwW
R7F7xsrE3KeyaX9C0FD4as2FU6lcG4zgWX3zxktR8g8iHs4fDvySmyLDo+vm
Gued9y/oMkUEKJA8wnLh/8iCAglgzYKagNxsU8TOBZ2JNMwydqOMcNXdN4pE
CaZ7MGZW6/1sy3Nkee4U9UUO0q2F/l5ySYIcgqpxWnrDIelGlpFELdKPkA9g
yQG0PnpEABqFmEm0vEyp9qYEeZDY4AtKdxxw69x8W8AOKbkiuZFCBiQjNRQM
48vmUet7HZDYZB88SQBXonMD2Fczjm/uMai4v5w5OdV8YQqKwmiWj2GBWPSW
zn3Iua2/eSyDCVlvtmrUEtZF/Q2JcRGyHWdWnNBnPG9Rj6nNNz3w+VPG6Jik
8ZYOy/3CZdRvZA4zLHUAVCYp0chhKdDL1tl/2Y5J/EsWadRYQFI10KoFTKnu
HexrIhVooseOlxDaHa8Y09eg5qaIZyylOKHlC89A/amPiGG/BlBsVbArUait
XYkXPrS2hw2Q0vJVifc7YdIem/Nd70jtTGF1m47eA4Q71kSH1AOr3P7nf7x6
sbfvbPzPf9z8ClP74TPnDPyOohUoH8Xqr02WTh7/91QrEUv83Wjc1IOY2X0U
F1FG1mHL2AWLbiYLIB4q5mEgSdXKPWtynLBPANIqAkFpw/BI8ZD+DrHGcKDx
nW+Sqiu1UyxBY9N6TMStbC6Z2h/YbkK2Ji3ARFDF6tj3ADhuT/N3hl1GdUaD
Lpjvj7+3i1//4Id3R8GD0d8PqOHQwbpWRM3ORE9+ENZ8QcB71vCyVyaFj1kn
rt6peH+PD9G8NmIbnTtXtKA746npjhhkEsq7O4130SqTVc66HQJrGH/JUhF+
zaXuPj5dCHK3yL1ftUHNIvrOxo1j4T5SoEdENvbad8knuxG2kbrduDgUS02J
r/OgllpAM6OuOmfdi3WbUfcOCzgRVdAUWtaowYUcX8rG4oW5cZnUZH5Zv/F4
p2PHmjpFxtqdxmaJIl+ndSN6vGHIFhqAXneextZ9ckKZ1SpwyaLM2/meBZxV
amlJOwgZ41nlO7/Q12aYSpDTDvI1yqgcEoxRqEiSxDamhXwC7HpE3am7mHHb
dN42SUWxz5Omgn5YPpddiKaAGAvUyGD6zjZquIYoRL7xeVAPkE/H26E6uXEo
4LNDapqcUI8Blx+gTl5XijuWLFAuGk7+6ec7r7bFd5+5kFC6EXPvamFc1ILA
FK9qBP+w9NW8KG4xxLZxNTRIVyvJJ51W8mE4CVU5hZW9hn8wdZ8JjZkMDv+2
NZNWatYUyw38shqgV2wjPjy9UCtzYzKsJdU5iboYWzsi8miaV4RuBrWT6XQN
r+HucLQ/HD2ngABZxodaklL6dE9b84XmfVHBcu0hQyrGfQFS0IM3a0kdZdhg
UJgvtAZqYLoIg03TXRS76CNtz2EaWpCrExXFenozFEHH3WCSVnCAsIO0Nedu
+uYkAV0WHBTdFU8IyBCtFKOTqX6eJuj3vfRL+kynwR7VV3vNTFBuQHAa0uUj
FHi3gwLvWgq8+zQKHPbUblHg3S+lwF2ks4P+riW93RT8y6nrWuWA9d8uOhrF
X0ZJQzraPOJ1lHStDkZXlCp2fwEl7aCjWHj8n0ZJ/9sI6T9OR0mlxch/NX9Y
IcsQAt1LKIf6g5Y4NI/cPocdxQHOQfLtjuh+wCooWAXBU1Ep7VlvLS03gSk8
yj+XlP9zKPl/MyG3VvF/JiFHPPkvIuS2kcIgPrxRHZUjbFrknIg5NidDS8W9
LzrQTmENjeMTdBui8RTNXpRAlH7ylaxaWrSI/qJFG9WBnOCwdU5VNH0YBHqi
UVj3ipgv6OPzd85MC2eFaTw2zvOG67yRBQSJodwb6egBCrQQ/CRP5g8mWiao
fCs9LlW/abQ6iSyYpGBMfPxJ4tQopsnFbNm+q42DeK5lYlJ9lSNuqOfC8duP
Peu0lY7t0ntT86Z8JhZe8aDMrzhZfS5U4Hqm8DcOXa4UPq0Dj1wAC4bGYNwV
b7mieDU5nvuEs6Vm6Ty9lrhgbjODBz9b1RKs5SsvNMO8M/ZiUwmRqdYa4wL5
DUfmBAbRTFbyLvGcel3SnBJWpRBsqtXE6PQQs1yzA2nxYWIog8GGWN7pxnwQ
aeQBVaX4tMSauRxhZmoOqQtBE7gaAV3k0yL/bKyVaqfOOF/kLgzV7InOoyzm
qfaR4YQutptrwaoO6V1C0UwDgKDOfam3ieIj0P8vlcWatbq0y4EvoGEXyEVo
EO70nJilyAqLoY84G5wT4HE19K1J71ITe9YYyTde4aqFvmjL1HV74dh5hEk/
7JCk1jW8Tx9OjlxjSgUGG0twNWifO9AKHVU+HCHhnQ1ul4PpYooOym/+7fjw
Mj45wk7sr0+Oz+ODg9/FPzMPy6pic9Tz7trZoCivAT8ZlzZ3eyA/zjZf9LhB
Qp7W8DS/qa0UNp/3THA1/rW8zT5tvuzFt0t8f+dl/Etkl3T+f35Jr8Ilvf32
//iSdndgSbYEg8qvILtuO+H1xd72zi+/uIT5ijGDQmkjK16emjx7lO9QCNw8
PD3sKYaj9HeIjZiisSgH0s9A+kRwI1py4XBWOoYgONJJt/YhYKWGBvoCeFoj
C+fi+9ujilQGceFqaXA0fC34Lhm+LuTZHBO8x3VkYl9HBrlQjkfzu419YEFI
JuDRg+iAKEaDBqgSkklAIMbcUtpEao7XxWr7maO4g61JbR2ZkXpBazNp4zyt
Y1+asEDr5E0yv+L2Tvhso56UiBQc0em6mriKiBwJie2yPCez5B+bKTEHnWA8
/lVCraVMK8hmbARVf9CNMAtU1kee5KrBXmBYbH6rvMceTgff19j6QFtxTSjW
VxAm2uigFsTUXDY5nmhxys9mmMOz4HaXN2Wxwu7vYjk2/KsD+tyi5AiZyIUP
spOuJM81flt5unNbMM2W6FoZdV2kXqQilLkvrjqvKiov4IorI6BmDhiVn1Gv
O2JHWSlBql5LoARojoIH7Rwf9f0er0TH4PIIWPGjswwHB7J/uEP9iSvrSjHP
QMp7ztb68dzlhbtQUO343FEtX2UB21K3UalWSkCY5q8OfE3mZlp5IY2+OP7D
x+P3h8dKrG/SBLOW/A88/4Y+k5bak2IW1puCB76Bz+RrI1rE8Q/bP+LXZ/6z
D2eXJx/ej9/J00Z3hadHP/rlXJz8+TjeHA2Hp+M/9uIPr5FMHLa09taPjg/f
E5Pyu63C7bbG908KJ8Gb4jbvETboSSQOeYyfZBMP1dwgLPFVo2UgBJIfRr73
2RG2U5F7x0NOeohxvzA3yiTThvA20NbMP3Q6hbcRYNIG1XKWuNkwHDysmYCF
QSU+DBTybJmlXa3csyrwHKl8Slma+DqKyCk1pWkVC29PntW+o6E4oDAVAT2o
jWieeDO7CvpkumAwORhn7AuC+hoGGGTOidPx2/lfPVuPN6LNMgxdVV4bXahA
taoTKTFJfUN1eCMHR6/PomZVlDUaBrD+ilgCtYgpFXDSgmA4AqcnNd0OLt1Q
iMFCouwMMYoZmZs0yVOloJ2CBkpSpJrQBYv9JDm5liFczwUDD5JpEMQoirEW
bBT9yg7Ell9mQA5XJAhfqg/7e5LmdyDcL9OggM5VE+8DD6+YhVvzqvHBFJ6l
9K7oXuooBckf0sOKbTd+ZRol4klvIxTeZGr48pbhSjpotJCdLhK9vIN1NX5O
3l8efwtiN/78HE8Xy9H+/j7I0X38fWd7e3tzp9d/arU0emVnhJL1L32VxPOQ
LcAPx1PO3yeLVJ7yqP3YU3JElxj6EguX+NbHjrvPLT1vcZfx/FpYxlgznX18
+8/jd99+OD+5fHPaj38eDoeuK+4jHCPY6NuTI/n6h50fG7Hza1+l3fs34x92
n/yquTf0/g97P8YfDi+PL+OLy/OT999+dsHvyfBGsz5/8qu0YP9m/MOLJ7+K
CeeXGCqke31JnP514+OuV8XKfALoz6++eoTtrz83fP/yYZmO89l3lC1tpzLs
3y3pcfb/8fL1K5Bb0dXp2b/LI2OtRDSzMOY63sT7SEXvGh2aiby+dLnQcoWE
/yoHJxtz4sPR5Cnf3kaLwrP8TI9uZsS8/yJaJzNSh7hEDrWMTS+WHodAWX37
K0rCFRuieskc5wjCPqyliB0yKlhQRSe0PhHtd+39ZP2wVNTncvX+VRJkr5Uc
XOso0oJcv4Egy1UKLTfYMXFN5Lo4Ppbfw8yC+Cir0HK04hpW7wlKR++B/KUD
qmOGcOvHJ2fKsKQrLnMGEm82eOUbckDWigWMaOP9x3fvBkfvN3x6P2kqmo9H
M3KC6zAam8dJG3VoB4jGTYHuqFCQWTIukCR76rGDKfAYWEp+C8pllv4D2592
gZhT2zApQMS9JTzokQCZLdxwAqBNKZAc5sTXXZV2aD2Rm7x1WboOsiuGBaOg
CJNNJ4/Cbp0dyBTKpJ5ZfOZK+AfFaRy0SvjMtVCiHN6KyN0KvOOSW/UY2jfW
HvIhXr+3K7EDQetvdKTCNS+RnY9Eeu2cR5WoNnNXeSRQCTDPQglez4g45vRh
fwVXk/oa998xjVYMC4SkcAR9AvbuUYzr9grD4zbtCkdHWdiSQgl+JOZSo4mu
zEAV2jbdiNKoTGJEtRKAMwQwYQjbtdqBVqgmN2qnbB69ocoY8CfaG6b/+R8g
yMGqmo8dH+KDuOoepdNh5Dw7DRUgrKtfBfU/VnkGxAtLtGrLIqoH4SjdVZDh
5hID2l3e2aYtZBTxmldhbvfFmw8f3x35hfgeM0EStEvrcxYb9pP5gVBtk1AJ
+GYqnfT2drB9XV9gnHG6ls0RZFu64BXujHUgbfEe9GzyRxT5WPtQ2mFkM845
PURVOQLrPbbOctXcA8rgCjawpF0SoRXXEMMWIX9dIIs3KzBmQ9mDtmA1D2kF
H4y0rmqqhORO8y/ktEUIXs/TVkcTTjFijbk1YOQH/MwITOHL1Vy7HjkTLrKb
6ZyAQPi5LJarufL1LkhnwVWJHNlFJgEUnIUpvE9Y4/Ftujh0pURQ5GoEBYyw
UA+2Hz3h5Az2gFEUKnFVXdn4T59fmCP3tH8pGRlJkIXwoErZng9xSLhq7bpR
q7QmszkWbGUIVRKq8OgaBPYqvmAIv2aKUvxH57KCWuOJxgpHHRMJtc2efmiR
vRr+0NonxG+sPRFZOJ4IAeLzQBhyGabHrkO85jpEX4rMBN1/CD091nENbVPa
Kthr3xhXDKYycY3WveXsQ9ztMcTVJlJEvwZX4yauRr8CV2OLq91XqBtXuyYS
IfnJuNpcF88gqxh4v8QJdki78D29ZEWVyBb8tnBdaon9CCxk71QexRWES2ce
DnwZ+BpocfJwIMrXoiq3ZGNVTmxpK5aEpTSzkJdbq1eQ9dOcgWIZrksqEFtH
yLUp/2fTVDBnKKHN8YJ+4xuiZa3VJMfSBra614TBcCbuXtS31XhqTMKm2yZi
GrFIDOOPnBDibX9uG4263iHf1JINfTaLmt4w7i5IHqLPKf+ZAdoPV/xLVK+W
vK6Jbo8soOiQ6dhgMifAB08DjeTGd9LtT7UrOcLKN8MjyDvT4hzmmIf293F4
ldVdx5deiTAxbXv2EhvmKkl5LHmcufccORVS1+AYUvdarM0s/mSkxC9S4WXc
Usp4u6JNX1DDFAlv47z2B+ck0Z6SnXwWTbD/ASz+uCyL8rS61po2QjHQtgKq
9apMiesgHpqxZyf5R2QdJ1Lb/PDD6enx+yMtb+4pLkUtztcSE0qtHu28YoUF
69Evq3Q1KwY9LRmncSt86+qkrNsnA1IjyOmrqVYCLCZaXI2KGbsDbt1XBJu0
W2SMCIw5bDtzqhD/KcpCwyGjFvgEm7RVWMpzOU+o5DJAWRuW2lHp4tgzjA0U
om4oeNo60ZapOKAYUhKtgqxLjch1tcy0gl3dWEJAzl3FJ2dhZ3uQJQkagODt
ux2qPac81j5STZUdbs0xs4KOCudNh5RcgiBXtC4iIWlbrgZ9Vor3mial0C+W
WdJ8+mAqHlE+aO67KsbVAzyzUNO+mhB5N7aiOHpuUgoJoT7mA7xLRGC9LhI6
z8hKQYX5XbO3OahgK678FsfH6HX2xkgqbg66GTd9lGqLz1/soZdb34vr5Lpl
0XNfis1EjgCXDDvhOAAmZ+7J0AWtTnFnDaJ9SLVy/xLHbFIRNoGWte+uB5g2
Xhe/Fofq+d6GhM7e/OQcj6GnxUwV2bI7VOTsinZLEWkg64odgxpZDrUZ+YJj
86SdY9stJtUnRD20dQiPjxniUrEwNe5O8WE6en1P1Qh421GrvoQvmkilO1r9
XaphOzgtqwdZuPR1AVj0cDzaRf9HY7csSONTaKsUo/eJywy8hmtdK8EQ8bWQ
rfe93qJWX9SPbHyqkj1xYzU1CifmAxwdoODA+PK3BvLFE71cnLciw4Puks1e
nd8nWY0UqeOQd9YdsnFh26OGNWNfERKsKDAf43bISHEPk0TKitYetFQFoOY+
ro9mI/Ufg4jqDq7UjQ3TcI+fwYY9xIYGWDw2NDxxghgMS2yzbuIk2qDkWHJq
MoCXTgkXboKjk7jttDJDx3WwjKuEdJorHfCfAJka7XK7Ds8em1ae0pyMjqXo
tXVpB3ZtVMermHEtNdMi0rWbmM24UqQ+ZOo4Cw2UmCN2madUj8+QrJ4iBfzn
PpFO2TecfdDaKXXTXsBUnNcWxD9wua0sN9yVaieAMlRxFL52Z3FSLAGD9eaz
D2c+7CCw54sV3EEOgOIt4mxzlBut5f6o49TkIfJnsQ70E2Catzp/O89AS6jq
SNSlQMTesAxpG2KkMyWSMj/rqOm8R+65j9y0A98PUdyYHDLXgOXGoGHOjYuc
x0rpk69Jl1DaN2or9iAvb9iIQwIwjLR+2s/NSRdNp3O9VMxYPpBOG2S4SO7c
a6ocPSIiYufb0pAKw5i6qVAR7uFxIvQciVC4a0+DTNRWQH8wgumMG8p2EJ+9
zzFrEY98QVqDZdqnVuP2MdpKrVcuuyR4g6tgtREVBCy4i5zI3c6fekEI10XD
/d4eB93OiOi3f9zD7Qvc299rNBkH2ixH29PSozHRjeYMTiR0tpAW2nVAlD2b
wzicEFh7uTUtt25X5RaQ/MWvnxqp5tppY5cA5MVtU6wYjhDYnVFtW0EFUjmt
ir383PBSTPg+XN48tgxN11u7L3VWFO65L19ikBRB93lI/ZoXyxozzUidYBMN
NgRes9Yup5SKYJLE8WtWN1T2sB4ETkkkWty1PtTNMj3UXwUjsTxTWSytU/Pl
gCZnJnttPdw6gLZQRaNlpu6gXpT/NaYIPAl0IKeJaWAQ1nUnvn86PhywVasj
tYfdffgWdQBwlXvYadPrkLg8K/VGa+NUW9fOkVtQavx+4mweHY+SYzYJ+q/F
XA+f64EGdbk6qGTb27GGVvLz8eU3R6P4F+oh23jRU8326TCJfF1IWdJZWmN7
ToQLFjRfC/Buz9hFmwloX0PWqG3rhZ/9sl0HJRvAidy3hTykwDQDCCncGLd3
+ObDiQ8ezDQKDaPuHP4Ls+1rcNVgIP17NW8BHpL3l/r+yL2/PFXi/cj71ZIH
mLoF7Dy6AB/sHcw/dfPvPjp/83WdnhldzCF2cfDUudbqx/fP3h5exF+NtukR
KhT/16GMUCxn6XTKkXZUaf8onb5NHw6xdYUQjz6MAM/Fh9rOwr5acqSdeRWX
596UV8+DDrXAJ32g3SNQ8yX043PbOvh2JXDDaLtHwBa8Hyyg1AXsf3YBWFSf
EnDcqd2WOv1om4Ii4RFYgN9z99t6aKXDmRFg3Xl6BwM33qXXTeJzsPvSI+2O
vN+cu/2+3f1UsfaHEaDdI0hLRVE9yvglTKcOAns/Poa34Qju1tyukpxSKkaA
dYdjrj7Z3AO8brsoAPfPBWmn/Da+/4Knh+9aILDXxr5d+rdfEvy6Xg7hZ6Yu
57p0wL3D83drXsZMbviqWIEwQEkt9PnyNqNezPD2PoWYiuEiHAHebnWFFjUJ
CQ3g3Hv6SwBuXh4M+BuXr0PvkkhKG94Z/RjKBcGaxVjSenkpL+/Qy2uwTV8O
US1Fbwu/DajW8L2Yk6ZvwolRZkI4wKuCY13ACg9ZbZ8M7GI+B6zFuQHLzviv
DizBb1C2CDCcX17iyy/0Zd133Pmy2/YvJubW50mC7KW23HZc7XPsdOTyfFt8
0kTJNbkl2agoFyHIdiB/yyQ1yQBcS7lOr0vOb3NmDnToVQ+LBZZzmZpIP9uT
Qbw/PihJs820CWUkog5WTihyhJFrTeEz98U552LzGkl+LtsBbSKawWfzArEN
wgd5keJAsG+5y5eQ+rt+BbiB3M1uZg2NRepjnbjseq3cb6fux5OVSyUKvqEu
DqY2SERaiTaNMAIV6iImOrErvU2B3pFCYdLOUA765kTj2g22ZTmZsFntgk1M
TS+lcAgpAnEEAibF43KKbRQuK0z9aK1JUesMnZSPZ9+tT7sT2S68NmWqXo4O
C2C4EQ8HbLswS+dws9BpOOew6vUYbJtaa9wpawxU8ZvjAXvO28wItzQZbGjv
LNH4B8NjT+q+XrpITplKl8OuKS6Eo5tdz6BmJ1zvq4qCdEn0obE1lAR2inVx
E1vcEts0ZneLV+05pofjPb2QvPP4lAwbVMKCnhm92nsJz4TN0VpRydQ4TxoG
CPxJGt8kGKltV+TyOsFmc3wjI9eh1lu7GwlLrnTMNCnLzJsjdIuRy5NHbyJ7
3zF+GG7Qja8YTTl++UMDOj7FPvIRG+1miRoxIDV4SaFjUjLAiNegVo9U7U8k
SKMjTt89w/iCK0LLs2lnPWDjyCwI0Yi5uxCHtWhKwCTsScgEXHMLrjPqz5VJ
S/BBKXImWbwRGNIFWhLtSInfmBRFPcD3lktY9gZat7H2f1riPqaVBnZSMxu5
eXUkNM+1QAyUYnMTXc9EX5Ql5kqe0dWKK+BmV1uU99lxRtLzRhwOVBjDuQWi
cN2uNL8YQKS8S7gaXjXW9AF5r6T+AliEm3qjc33zo2avhGlWTlcL7jYgQ4dj
UrgCDuwyKSK9I2PPEfDJwwLu4ubp+LCnJUmoGBPxL7lGjsxGDGnqEYdVRA/E
zHLB6QgX3N3uxLSuackApmwqJa+GORQ+pINc9pTmoE3zwsRFTLxxaTWYYlpi
7a/NIAQtZHZsgoPLGUKKKKGB0vhQMk1UbghTDoTYSyMU4u+SQx8IS4enZ5HL
j6ucCejFcCR9G/de+WaNRpDxySLZbHCWVNV9Uc6+QbvHaTLlVKcrNYb6WnF7
rtTG3s5oJLRU219NHmTK7b3nFDBMpAkFfXg5HOkFGsTcWLxGuswYkYTuMRKa
4Ag4hmcYnxZ8FeCKhJWb8NzmWVW3xm+M3mFsau16jaFpFO/Er/a249Fo9/nu
bvwyfvFCHO5n35yeuRvexe0rWGvc+LH5d8L6i/ur5lNdSY/ydFZLTYJD0KRk
eMkO1fxL2MwTxmvI5V7IIevjNcNXawZq19BPy4Q99yZk31VzRGulRzLXzJgi
e1EMk6wnzaqfJ+U1JR2JCb/K/uaxPU8H98nDQCuvDJuVX9Zgo0FB18SJUZAp
QbgJ2Ry+KPvN1dUq1tU3eFETf8M4tDQcJatMhoQifimNB7UnDs1eUBQuxz3Y
lSOlm6eJ5hBfreghavVFNcepSmRwJ1CgMNkc3Svyp6Nru/Q1wejz1mu+XwN9
/zb+ffyGi6+Hjxr6ULeRxybSDLV6tcQwBnROiDLekzv1wgJLc3ko9C1R/ciR
Z8Ak9q9++P61673hBMzwdlCTIJNnGOFULqNNZf5ASeCgKTdOTAqV1guJpMof
ukncI30zCElwtdwOQuRVvVy5zDYXZOdeli4a9ikMlAFJwC9hE7UvAMHGN+OL
47fHf9qQ9TCXd1l+fY3c1Iu08WaD8lbv5cLhcWCVNxfp4pVcqh0jLpwA5c01
jt8OJhl1lY0QNd/Gv/1d/MYqkdifDzk7SYfYLtwFdcrCJZGMbslVRMgl7ydc
MkWfy0xhs86h37hIScHNPqLD5sZoI/73v//733WgXmsk6n/QHi7SlYbD7Tx5
uKhzdX44alNSxIgt3HQFdywA8slz0nB4GP/7D28QZTc4wxRHGV8cnpwAl6UO
MaKfGsfney78javdwOBTrrJAfk2U1HNGtn//0Zk51sftSoArCpCWw7FXjVKa
aqoCyOWDNDHYGVpsrlMQPU2O9ygrt7Lllpqytpa3Gf7b4+h3F8KLkjsqy023
W9Ri20gWV3UYE3b0hqykZwnc5Q7ZkPwp37vc41Am5ExY7T9Cvpt0IH4zn1w4
oNxCdhVFjQzDoIo3F0ER0g0QgaX5Vur9ZhvxVsYkEg2bG821l30zd3uBffy7
bSUNE+KNDYVNXEWzVnMrD9faz4bRY+Js7MVZGM97SEmQJIyOwpV2C71qogs4
SkfxvqM3v0Zo292mkgHw8mfEti+TxwYD/PJE0gpBm0kH34NC9FoEly8VyXhE
JcM0shHUHuOkwg6VE7rg2gprnAn/aWKquTux46nCjITrxAHXiX4d14kN14ka
XOfpbCdmtvPvnu9EX8x3cDbDeKJfzXgcaY/+Icazho89nfF8jo89ifHoNR1G
/xDjiZ/AeN5gn3kjUbf6kmDvEJb+Xd3FhqJHRQyN2mvVSF8ZUo0GamroYAS7
jxoJrP3LGSzCsAY2AhLvr1oks2mkDmgmKzy6tMdMAUoVAUQdJEPqW86y66zG
vAa3zqdbEOK2BSHabWjPGufyEB9b22gHTClKzzUPMOAMUri5Z01rvPjUFQDe
fHt82jMNpbNW9xpnhMHzsZUq6K3Phc9Iz3U7Jr7i3DmB+WoogYdkfcQMDopz
aYd3fH5DnsJ55DamC2O4eLGzj0qtreU5psAaP4SrnAyyWOrLlOKjv8G1fJvm
m7148Pt4c3nbj6vbHnzxe9sn0/ZUW972pPqpig6bDE4+hU14fYjj+v2l9A4O
P8XaZpUMn2lKX2P0Pq6XJLzExjnByzJxFJ7iZlXxjEepn7GCjeALOGvHjLah
ZCUbYktmMJ9fCjGkrmkvC00oQYj4cO/gBJxN1NUvplp9hnC0IqF8rDZaabMn
xHlxQoSsRQPFLEx67uRZm2yux09pSqB8+ZT24JtTmvBBOXXdODGuFbeP8C6N
MLL2h5PB0TBL66vBPFksq8HtA3AW23u2+tEZgL7BquBuhxl1885nVnr3qghN
1AhUczU9hx1DoSkbq+WSBSJHX5Rm96hwbgp6CiPMyuCQqyFXTxQ5Cd1aSS7m
5FRr98VYhDXeGAOg0g2upy5FYILTE0RSjtvGpZvCHK7GEj52siwPbHxTTB6Z
VhImaXX/3//z/1aeGDYPVxfRLOgYIphBLNfxYvLA42NxeSzBhxPCqogx0BfP
KprF9qa+8VVvq+at9sGQofOOCABqodQqm7NqaXwJU25FgTq31FCeI/uEtnap
3EGERMNlk3QuaZa2lnQTRJTSTm0Z34/S8gCBTLKZ5JBp7aPNt0evgYpVxIFK
sdV2MEFdVnvFuAp2ybFTG+8GHAqcweOuC6PrqT89nbnbkNTtVfT/QXXvbbr4
VUb6F6Tv4duPK3y3s6vPamY/gxA+ODo+P/lujI5xLTvIOuBtyhE4VBcP4y6D
Inthebx5moeTaWVHjebnx1oKY9ea8IZ1VUIMa6WTWieVLRrQxMo/gIXcH6AI
WOiAMqPLKUbacn33RYry/gADFTZ3enDimwDxHhZxqtN5nmKrl9tqk0+gR7Hc
q6rGGu6/9LUnajAZXr7x+/GAG8fjVDaPnWtYV0zeOGBhnkzJwqsrpbyWSYn9
VDSxhZyZ1O1RS793eXqo7Jo1IwARQiTImqW9jJ+s0OynokK7+NHrvvQFerD3
2Jp2VEzl+2lM2eZq4MQeeURk1xeVbMUmb9avzWe5yNvGccmJUNx4pSWjrm4X
zv/AQmbfiZ+7sKB56oJhxBIgfhsBAezd94GQ66tpw9aFIzUHrXD9qDweRQv2
PT7xDAJ7wZNPw9EsZ3PgEiIRe8Hc5kK3j8be8MyOqqpG1daj2t7XFqPR4y0t
ew/YB7cwWBcZT56mRwsF+SCqJPDotqPVTWExOIDWUkVJCuQ3DKHcolBImymD
M2mhvDVzUXOxR1ITbGhMYFWWhsAYNtiqUjUacuOqk4Y/qh9L1QS4KLrOKywt
EKJjZ1ZF1tiKyRVQLx9VD1YXH4ovXvQ3CpBKS7AHlnlEshCwsvcIw1iwDZ5m
v3bKrLFYf6RkC2YANbIY8KZRi7bKgigl4HwrgNAQjdcACMdvk+ruOrqo0+VX
srrP/MBuoyd2FH78BxjW6HOT6Q/AgcyIDXVkTRXZ3w4G9KS/FvgRPLzTGMoo
U76Isj4QimD+e6a2DqvIO6HfdWHWmkUOQJONXdFk/Qge3v1SoKxb6JN+RHB3
C/+yt80uO044FowKg0RZ2MTdduAECTA/H8Rf4fGAUjJPf/esC33Zjc3Di03J
KEnPQKwguWSQzEHu+N3GPL2q0T41GtLcTm2x7ebXKjvLW3eD+xJ7xqFRYfIg
LyFovU5KOFdZ5ORzsh26hnHYNlp6vzmwcL44hvNyOz78zCs/TVm/qrq0CsNM
prVXWJu3x2sVZMlX7au1e4aZy9Ck3jQs1vDsU7ZldLb+Mp004tfMPtE5BJpH
n+kmm2M+x8c4qNPuo1NQ6LD6SJfAiko5fIka+BTeCecTKC3484iZTJ8nPORV
eA1RWEfrfLs0zNapGkLmT5XEXeMR1BOtbtcs3dqWaMm3zt7mlx47x02o3Rpe
RdIjB9VgMkOf5LMrYFKG4TP4OSnCFc1yxPDizfjdu8BmzprnJHGpHlTwQA98
Ld/kgSZseMnyhKvExLEDP+vQnUI6QP/W9SAEAZEtXq0DUg8NZjpSLMgtRa5i
LCkI7uq3Ic3Bb8QI2ypDrxe6TXjOxNlYzA1oSNtdNm+aHobuOynXaeEqjrKc
jJcyU43Qau2hPs2wAMV4oEWs4XtqGxre3L69RpTV0bcAUx3GQGkNbsI3m1je
m/Ygr/UGv4fPbkPkbJ+RHqV1pXWKgMY2JYwiwA9UOx9DEt0ADAIKmA8z+O9B
mOA95+//7AFJbbnVtPZRXbRT9MORS84xhgqNjP/cw0OYOxdLN6xxNhZaFOad
Z9koHB1wYK2FRVs0sknljp97WnXOL8K779DGlGQtUsFCrlZlzQ0kRamppFY/
btcUSJ6u4BZykkC35brpjcKCFMWDVFYvape2gPA+eXvaj9/1yTzQC7soWiuA
twFg6KQrC+AD+6TuC7mWYMwwds5irupGdHTO1S/Qk5iCqpLABBzZcTYKMQys
t7Zv8G/idxyZLMZ5PdoGDbRRB75YZ6d7cE3LTKnKL0ulCyeIMiumqwXHyv+G
AEo6YG4NNEEsId1BP5S31ITD8T0Niug94cK6Cmh4Jq3LFrzUFeWCpRQB3aUM
Hf2YbhqqPTQbl3QGMIcG0PUWUHr6l8jf82AJak/agGMZgIyyQUQkXIC1OTE9
dMjTKJ3sCm8F0hJAvm1HwWm8qbRVQNO5m/OKwF5gGBygElqXLImREIoOXJuk
9T0FWWRXFDSz/maL80h7zHU+wlgdVqhNP0n75bq1A1fln2z+D0Dr2sYTKfBN
HnuRxtlLkzylJnMgS3tjRke/D54Xayyg7obZWOTtVhNF/zPLF/cEnlfDauq8
E19qKaWb/MGTM+GlcGpUTUWZsZHCnmTMpLKPzI+RfoQUhWSQNkW55KrFpe9G
CGdVUSk6by7SYlk0JB4Vfri+iEi/YQSihUu5Cxbd2qfpGBvN5Hw7iI+NBvJV
BztpaUeweJewMZcOxp12P5HftR9fGOsBR3eXPnipRFHLlpJ+RIl7ZKVqOyRo
UHLYDK85eTPYhI73DaNc+RRMnqIpH9Vhv83MheLaKUnLEmjUfOYBlICw5ChQ
8qWlHJWP+XguZGBIhRypPXZoO/TQEPPpI5ZEiv0KHNeS+ulhIGegEYVw/WhO
5y0PPOV9H48j3eIEcTzVa1FGacSZsRuSeu3YMN5TV+3skWxvLqzzPTtptZhz
YtK8TUhWf12Jm36s3XiTPDof94moSK0+PgkXFzQj84P2JbK6VTx21AfBoUWz
oiANXTwJyfV1SV1kZxx4KTe/SqnDKJ0zJ8EhgGhtpuEkkCxEVqyVx9n9lbrs
vRmJMMr32A7z1GVn3G0w9kX7XHuVXPqGEHkcr6n1MwXZMMWO8rpqt0kuEV5q
AW+ZjoyKVrVwJ95a1IKRd5LU05uhliHw4wNiwlANpRWz6/H5eLWEe58mC6y7
7kaMD8e9rz2poMvCtSjcsFHsLPJdw87gvJsDJ1QKE/Pg0bvpCqj2sDTGa2Mh
7GiiSYbLSZnNrvm6YLf4wRwkOjzUXDVRlhxQDrovOo/B1eWtUoM1VAce00WX
kqQIdzc3pCqoA0+glrqKpnMRKdBO2uTKbo3e0oHM2VWBY021P5U1GHzOCkvJ
rg/t2lRcdnFNvVGbl/2YW4m2rdm07jKEXCEKuMKuRj7Gh9z/tdH8uEGLKKvg
Gy7zySKH00wbNS9sD1b1agut5k679yrdcyXSZr9kd7203F4oDEqnIKSg546J
N2qCUGHK5gY4afY73wu5qxFz3Eodl5MQ51Vtylb4koyFb/cl6SVuE7bLEtXn
oADiqBkkpk244ZNLKcBojbSEko0GtEUZcWVSOQ487oXQ+cyFxfnedmHnbxeC
PoyCSbH+5IxNBVyq3MKWi2JwRDwI8bzXiP3EoBqrm/UYAxazqyb46MKmVKoh
7DZmSok2Skybdfa5Ky/295J2EnKhBOLewmBz+IFO1Byex8WpTYsWvS1hQ91o
lQNpSZe1NppghyQjmvZ+0T9NNWduNxC5IjY+xQUQQWUArRXtb3oW1grcxHTr
hE4EI8l7lN1Pr33mldi9Qs0lriNNWwAddEX+5Y0y/QuJDBvUnSOs6tZd0i1i
MSfVupMc3G5KV9ud+hBGLRC9vvpov4HKRvaXa6H4GAWeiiS+zXKid12VSycg
FC9B2a7DxKN5mpRSTyTiwuzEL0USrcKLqUS2q4Tv+oKoCM4fDs9PX/+4+ZXk
vfbYBhPc5wdQ4z6xeDtt3LlEK106Q4b2OXT3zNUo8UmJVBe/LOaVdzfUN67E
JQHFw89qkiRYzwYgpB3W5XyQzGu7Uh22byl94irDSi5QUE2WgxeoWUge/3H4
fHv/bndNWY0hle/G5jCkMWVtYOAVYWgoEND+m2CvpjyVutokytORKTwcLFpV
VtfvlJvTEXby27Y6wHphYP2A6ws6UpiZJLmrL282KMrrJJcyg9ixeFbMNl/0
qHBTmac1RqZVUs5l83lPOxBrEQ34CEuMfcI4NPh3iX/LwvDNlxQiOG6sENcz
rmuQClZ1ahVKEV8uNLhKM7B3hDiE1SRz0t25aTxZphoNvU0lg/+fvXfvbuNI
8gX/z09Ryz57DPSAkEjqafXtPTBF2by2RI5Iu7u3xzunCBTJGoEoDAqgzBl7
P/tmPDMyKwukZHum757Le2fGIuuRlRkZGY9f/ILBBIIqho0SFYjrxsBT/Wgx
Xd0t4VTHUXXP8X11iSq9FDf2vP5QGYA/gjMjrQMM3VMhNUTdugqcb8uybZfX
K7Dcag5eE2e0QVx3y0q1YbkfN7X2nr2ODBpiRUETgazXNXM8pxZsSK/oDEDB
RdqPmziGQAfqZT8wxiuS0eghXSbNKrq50Kyu+SXQQEJA2rsx2NmE77NfyfHQ
+NN/MYJkDTNRSYpwIIjJAORhGAkESFs0fjh04sGx0OBfDuH3zdWqXF4HAAUM
94yuGRy+PRtGNEn0gmi9SAYZmnzfKjSXCLhGFUwcTxBCpVMe5CEZ66Cf/gO7
gwJrjIvGw/YgH77RcNIMvhKvmaXygntZ3qrJukU2zwNnQk66HX2NHZlF3kZz
1A3e+2F0jkWJOcN7hdId2tWTKUh8K925mld2aUBh04I5TYJs/D+voBmof3kJ
RaG8MMm8QZ+0et3uNotdf9fuxxqTg/KS8DhoPKx66dzyr3PdSEeEyDbE9vbc
gj4sTQ2HC0BAZmP3OmhQHPcndOnuoxMMbbp7FrpHbTGyU9C4Ug5k9Kf7PP1p
VTOit6KzFHJsBtyJ/XHBtXsvJdpJLsgip9lX4MbS9AoI8sAzEJ+zsC13+FUR
h1NURsW20ERTeV6QT73wRc0DpDUa2Bzq0MJtOgL2OYNPPrSQAAoMkf55+fQF
pQIokfcROK7EQz5D9Hi8cqMUc+qKkMvUcjrD/ob/fvHy4ABew3h0xlPAJuXy
OLh9QgE0dCW9QZyfrM9afwp9ze/65sl/A7X5ZOZ5XtPtyqozE4ERKZmHkZO8
SpBCQbh41eHHFVqNhRwuj2KX76m56S8XUnb+iOIT8jfMa6e5pbT7k6MBcMHq
ZbNZcVpZQxBrb9YhzZy0omIFZgDnuastLibqm8a5ZO+fs0uzqtDuhOzRrddA
6OBykEOHSbtT//lF7GtKI+JeWFpUc0kxflKXxE1ktAyWVmFgeHHHpP9wBWnD
0EKJIx/+T16PY/bhBkdpxCZdky4VarCs4kH0TekWSYMwUiJt499zxsqrVUWj
+/QZm8i9v2q6wgg+b7r2c9NVoraAshXky7OZky+LTxms1yRhuPJMTlw+eLxG
pcKIn/xXLnAPIuTXbpBPmsRkxbNaBs5Wzqe13QU35TbWPuS8D/k9SlOVnSvO
jkMKXmyhUBvpJOiUmwH8HOLPNGyGVJs0hcQx67/401ykQDdAjhBa5xSrtjwK
k7alageQBdQoWfgz0bWD3Pqa+yNiB8dl47/lLgyKI9hnFJ4D+khCGXNPUkv/
iFNv2KG7DjH1LcNOtTHElHmhJXaITihHBFM20soFMBR3+zKNCFPn0g+Hhw6e
pRT5sWtJ8dNqlqDoB4+5+o+681Wzv/i5fNvMWr1gTy6gUCV8e/yEfbkAWtUp
sMdccBCeIHbJX8rVQi8dPOle4KU1tFoYPJULPiBHvd/i0QOKwbOhqUF8L+lo
Kq4WI9UwPZMHauqXMYpiZt9RhP6SFx7FKDPdtlltzAct035RzgDB2pkTnfYU
VtyZdn+B+Oj5afcXYIe+3mn3F4DHf5ysfZh2fwFYdez6hwt02j+umsVVsEz1
gmdyAVAFYp9UCUDwBc/lAu4FDgP1MnojzRMGL8wYwJDtfMVLuWCK8dPb5kMs
w4O9x/YK5p631wz29qLvOBb+dXPFfjTbfKhQx1q+QmcT+P28dE7UWpMrdDol
WVHNTknByBVPu1ccqcbEK3RCy9kMpCp90WDvuRnpmWmsG77lRbLuGmPUK3RO
0RPxD1ifQ+GsTtpgX+e023+Zr9gL36JNUH9g/5iu0Dn1x8AkwALCSPd1Tqk1
7vcLNIHtFU/iK0QRmyt0TmcbAMn47+RAu17BusEqyF6EIuth/tHrR/avAl80
0EX8a1x0HYoO5FFWWVh84i+mH10UmpOy62mO92afWG+OTU6FD8A7Sx1iA8Ch
EdoxxWZdm1Lec9okDfvxPXFI+MQQEK8af9QfTopTLuCp0o5C+4SZwVbEcjER
lwifDPABzC932Tm21hwy0F2ELvNog7TXCIgR3LIx5yD1Boeq2zEUyTvcpgzS
ac1VhTHBXCOyeb34EL2cXVRIcyNSIsCDi+Iv19Cqi6EyEYf2RXXXsHXUThs0
n1yCvw0J92yuHVtSclQLCczDGyLgHgMPgM/6Y8Pssm3wJb8sjmpOA2F+TYIA
jiexoh5ZPVM/ouLPOrJMIB8bfFWYbUxQ4oOb1R0y1UN62BsskAjS3KR/e3hp
6a4hb4lWpX88AWu1CTeC7OX0by5xiNo2Q/qabtqQ3pwQJtpkN/yzLEP2DJja
IbnCTxQZDHIj22PSwTf2yWUsSKnkaNtHkqD3/oWH5bdivwhYZZCkLp/+8ssw
NTROTr6CDUj5AtOb2BApJ9n2JBtNkAeYAHQs0rDfeZJaDfGT8N3aqMFQiMnG
dFzKWaNABLflbHMBFiPpBP/lJhD3St7b0jUMV2031Uo+RjuKCvAB72GcgNyW
9IIvix3oPL37+t0O5x8RPchXT+brd9g6EfqDFPw6/aVp9i2vlvQzdZO7rbT1
KmHYEFCGkqufIy15L4ldFqXDPFg0WbupCcpASVsz0a6IcQQkQhgUVfdGEHqd
mZPHh+H1yRKCBrLdQvwfxGCFJFKO/i1z2E2NfQld3HL2ZuY2eNsPZTjxTT+V
mCkcG2Jb5DtqD+VvJmDP4g4CecANBCF+if45rb9J7huI6uoy6aMK4PJkf0r2
7H/CZpRrCtPimThZTa9B+5wQS0PnEHwGh6AgpFZK/mRqdtfXlTBAETgZtSI/
VsPkDg86/Iyw3/zF/H5+vckp5c/1zB3REU9bl9Rwf++D/fHzz/ssOchL1z1x
+TIzgjj/0P9FnVviT/Ka/xKW+5SJrqBSsxdfN35BDYAxLkP3LcN9XaiifLQm
I0I3aSfFDDiCk0vz/hghAp1DpYMpwVuUgD6hn083d+bR3RyzaV5d6DYHrSmV
NUG/h/0MfQUhEeJX5lsI/dBfkvgWtl+EK0+9kMaXadQTH3gQXQZXyV5HDHYY
YHc5CC84WUADZoWUgIcfbhpzP633E6EpaLWDOGLngrDBDClQCVqGa9BSMga5
ZR/4oRMIjOF0/k38lDaF4ACe9rqcX+KRsJDG79zsyhoZ4Px6M8ermpE8E78v
/TassPIbiVLDZ9+cfP/d69wkMBhDcpzwYbZruX1FaOCuXEbStV16j3Mh0gV3
tGFjWuGY/rM4HHfdzGeBNifiFzvnVyYtaDtI8KSaCiemD2QbdEWuX3iGsgUT
cNUCigakZ9LEkMhhoQMKYSzxQUVkRBKhL9KqPitbdcsnvVLpxTHnll6kyCq9
ke6KzGEjXgZ0lhXU7ioQkuoG625RTTGjusU0JF9uUn2mkifWSyb90qeZ4odm
qwNBV7YfjrGaEZRSfA/9PjEgQvjX2Cf9xNlGt0WmBoUHsi/MjhSqHFAKE9UK
b6A0H4yfmzFiR6pwwVLMYSgiPf3W/2/CedFff5Er9bKsGW3GrE/oGSoShW+Z
ErIi0umwbG5vGIO63Kz8AlWtem1RkzTSKZOzd14YoGkUKHvKkPjdO8EGG/VP
xWHaQcWraLLdQSEiYGDdRNhDgjcTsVjDIf8YOycowR7WjP0xCWQK8BzwZ/U8
bhhXx1pzO6wN2fu8Da38igvB8FB1gg1ZMl9BhOiVkuHZMtxbqYKcckwrKi0w
9oJ8S/bmBGs4xAPSTsWjdAoUEy2QAy386k5DoaZoK/qLmnd3oSQ07pbCCgtC
Zg23TJ71v37F5NlHGz92By/YobrhNq/96Cb/1GEg+kKp9+cVk03zEXg4eeQP
N+IDev1Nl4sHGgEtoHxLK3Yi0PY9Z0ac7yV2an6K9umUPEef/sb+Ommyz7J6
C4RXSAqhyL0z83oV/Bp7q9GpIGcKWw/2GGU7b+sZevC5Z6iKqgbLtp6lioFi
ZrN4cv9LzlaZDgsftZzpprERUmxDSe62s3cfV+nJ+OAhZ7C8POMXgEoXFCgc
X+FIyGJOQRWQm7LWu7yncJb+Vs6Z2TUIFLgI9z0Y1wMvBkdBzzd5UGXhjdBy
PYImhZOxM5JcWhSfhtG1kJILaCrIJBaMEJczEc1qjgrLQCHiaUdFIKG2Cz4E
NHnUqar43YCHf8D9dwxZZiuwp8LIlAnRv5Amhoiu4k5loZ2edJIiCBm/7Ak2
TTZy3z50u1zcJdxaAReWAQPa8gn+VX4zBarHbnRDLAWDtbWfSoxNeFwJeMsf
ZRR8CRX5nS2PlDgQX3iTlGBY9ZXUpyG9SZAJiRaAqOSr00dbpkgpKkwNaQry
C2KJhJdm6sB2MEwwvbM2JDwkNLftA7T2WmD7MQQl0jU8qgxiurCIafslmHvR
bYjz+PgxMAR3CoVyS8Adkfvh3wx76Y4xmTlBTScea68cQwCgDzAeYU6DhkQY
CIBXCFG0vrY9YImhAOkA0R7rUBDZ93/EZBUQichYeyHXhIHHrEZ8nqhSoWxP
8Zb2za4pD7EJipx+2ZeAWi0P+S/QM1yqzu7+qvIzvuDMnxSrRgWHKVI6CSSQ
PBeR7sgF/6zOuuhwN+jJ0zCgaSEWdnJsZYVvHJGoFsmPtwv7ft5PHh1OOjcU
RJqJPytNnuNv/9y9+E948aryh6P/Cpy7IbNq9jwZWAOKAVyIIfjh9ieTGRDQ
MIagE2XHVClCKKki23pezezZGSSATW6/9BcCBlauHoKthErKS8l4JgIhaiWq
riQJiIQSwlUWGs8WOh4q7K3kX0xOE2x1TnNzM+lEpaStsKVJDb7A3hKNP312
cxE6AkVd0kJATWukoyDeIRRuQoWgzpN/GhCXaPZUo7IS3U8HQy2hcvNZANkz
rCZ1Ap3q1LQWT41wPZ1xmHDv0fbVzgr/mZjORMip174Ya+ZAKvqQla6eKfUR
cGasUF5M0a18yznClkvoSnZXzJsrQYmHvnYcoRW9C/YBUwLZjncZtpQ4fRwz
FGEMmZTLMQRzDfYjI/swbpzQWUWuj9ZS2VM8OcQIkk/12XFNfPx9zCmwWYho
ieD31Y1QITz2cmtlZ+a8Za8o5/Mg+MyASdE1lDHv1gdW9VU9Y8MpQsH6/Q72
inracxwz8jpcLRDztw7H2uvkUDsUN2D3vUA4T9kizx5tB3K0/bccbEYn+jEz
NUUZfJldxaGqWzEIu12xqX5WvZhMlXoLjpzXFQS7cDq4QzBcs8pcAxP1CjcY
Em4OlYdMYlXK4rSY8e+WbyNl+tnHaey0fe6ZaijpeSQfm42XKv+dgEGwngGx
yC5u61WzuOHCVCpJouQTRe35SGAJXHBVXZ+XEE6qKHMUry8SpxF5UNFOqwWQ
Z6j6xRYYreR31g0BF2YQX8BCITp25oqi2Z6/EvoB83KpDiLaiCBM+HXzpvlg
CVuKATf7KZEz4osQrhErtp5buD0eO0QqsCC7jAVz+OUn2Dv+e8xPr7UDr9pm
hqBEFf02DWyoIn9//m1fPOjqP9HVyz57KvNstK4e/GwwrHqefd+773tb8nyx
2Ijii+QEepJfiBpEahSgxrBN2ZVZUNMHxvJGHwKq6qAfqeQGiIiFUf3vq6ua
QpFROR1ZEPXitpkLGes1t3DxY4M0xF2I5sZ0J5CVFQoEpS6ZripUTsGcyalt
rFKjrTLWknOjNJBBJdCVEZaTdzy1XFXNzCet2GWBPywOGg7QKuOLZxWRT9NR
SPUO/3srPfjvn7a5foet2N1KVe5EVxkBfd1jPcQltqUyRtURIpCq4sVQpNok
aevx9vbkh5fPIYG+HD95/MSGpIfiDWcGp9uZmpfY1tq8bfxRgAb29rDNgDoY
yEneuZpfx7y2UAUg5Vs0OUOpxIxtaTnMo2gbPuVCrOlA0xs3Og5Ig2ys3ZhN
lptMU7Qnb4KJiRFr/Vc+lQtNonN4vDQn7md2AZ0lcrS5uj7xX7NxeLW938Ns
dCklLMcuhdzxwuzYvfcjoXfNxZMtb7LkNsz+NuE1QSVHyFCBuHIZT23gzuaw
uMSIFYVkxaj9TYOwvK/eR42ptkRg8cLQgeDzA6nEQhFWkp5JUB4pERfmIrvK
/6v4ptGMPdjv4+lOZpRxdBYoRLDfxewMeXbfUUqF/QHjBJcFQ4nRYyWArc3Y
4veht2meQ6PtupnRUKNIeLqMDw6D0+Rsj4Oncv/AyPdW0Up2wIAsKgXOBUwA
vIX8oa1J3YuKaI9n1VC3U4nuht03CZ7CfzgRj4ShDvBPMg6hv8ttvyHzjewG
ihE6jf5Ose7HP46RnDuYg9JjDp7BxaiB7N1wLyitJFHYerNyVYsbFeZsVPTO
Ge875bIDqAYSp6V2o38XQdnhHG/QhC4C0JbxhZf1WhDk3hm9o6tev2slt/3R
3wA8qgUkzrVqF+5qr9HrFV934IUSb6bgDZeutoECjCKayFgJ4+LWeOEm+ijE
Ya9sHHJWIfCvhB1HXYnULCgvLiBcgvLSgbEnIYe+45VPHD5STixdb2Z7iHbX
OArrJMy+yEfPwnq3zpAfM0d6qcGRHjgjPxN39boCv4exM5alFt0A5SQ+29zc
QLoHghXNaS+2/AVVhGF6zVL+t3Ef3MCdK60EceBcAwWLAnECw3vBO23n7Nsd
FOQdQVh4gd0ZFTtH8vu4oh3+9O1E/tYBsexwW+Bvj97aa/oq7+kOtN50ZOLk
tDg/xDmcssOhVTIR3OsrxAV86z8Q/+sI/us8pPledc0g/wX3XoOPsaRLr8Kd
3V/77+2/3Lzo9TdvJ4evus+HKFjuBeH3yRv0D/icQxsmM8+Jf88lMvKs6I9j
3k7SAh2282pVonyySAltFWKGmLK0/YDcdF2OSUjdoCrCqK/Ukor1TbgqBvPQ
caItMNda3038ACEgaOuwhnQoBw/5auO3ARTztaLnpvOSe0jDEGrv4WuNP0Cb
wX8Hua1WEN8P4sSBQokMILwbmATA5XolkbVNoJe7pA7IkKmhjAwc9rcCxqfM
EQblmJfapmKqlprQSoBwBGqfZ7mh/u+1VBRx3gmAlNdN0zI/qW4cKJ2AVf1S
qqn8tQRcMztbQWb0gXimwsBhlBwZDf4jvJSpq+x4mZISQo6oI5OV8eNId2Ax
CFvLn1KdTZH8vbPzRpltN8rtuS/BcMLMEEARiUgbwk3FZhk1LovShyCJRAtq
FnpsZpFoJFrK3t3C2VYTo0gAk7VUjpeZz8SN6SJscRtNr6EnOP11YBk4CBIH
4XjBAkTQIbZX/EGmMSHZTozK1GGQWT5kP2PlD3jeCzL3sI6dlYO3dtdL9qqa
tX0xPQIY5LUg09qZTOpGhFrSBZcA0zLLlAVihvnV7CVjmukwAsuZV7KcUwME
es60Wd4p6jlKhpmmCC2e9UTH32IhhK663X0YEqQsqtF2WHtWhuwCa7+jI0TT
BoxR9yzoiDz/MnMKjDJHwCin/2k6cspfl2JZTz+0EaoXXIGebIuY3bF6ULOL
OLEwxbpEQ6XCcCjDWiLhHsv7We/NGgacEmkWrKj/zfoVq8YWdPed9feZ25DF
BnpkLtYi8uOIePHSiNOqgsCP2ng7xFaxI00GTaJ/BZEv+r7gc3J/yqA6uasz
GPbpZJHvMYLDEuy0kZj1HW0AOGd/ul4JSWOGlRLhJezaouvC6fAb/MK2vDM1
PJnIXV/qC09bSnJhns6E1MN62KIVmNhNq/MUvAvxAyArBk8Em3g+r6/ASBQF
azLwicKyujMcdnkpk/o/DjeBtQhkJB0r+iXY0MlFxB4EbRVm4DFTjYOqWu3z
KM3psqxbT8Z7QIJgmbf2XzwmVBXw/Z9IbGX3TJj7t3P/Y7aZ0FjY+oj5ioXQ
Nb1aC+eSy9Moa6ilbiUE9BU22XZpCneWEAHS4sQk8oqvshWeAwoXi1iNshUu
I0CoQgAJpvgH6DHi7UUnR2dgvebKd2YsZX+Aw7TodgPjhHm5C5CvAYS1OcJ7
Wc+rJOZG3dQhOW/XcG8kJ9d0/OSXXxyxO+IvZuPnCerEsCZIhDw0KiBKg8VM
2xBomyftdoMb7bJeIeaVl83vA+dv1Ai0FsLacpdAOpmweNgFjAtjO2JESqAj
R/t9cpQ0Ur1PkCTv3yNH12V73/qVCaELygLk06RIpYOVYivZy1Fk4A0WsEpz
ykRH1JQJl2wrFcexYDgQjGf9K5+s0AEIjlkRnQmhOzbRp1oDsU6uCp2JQIZ2
4g5H5r07JOCm/BGtrOHIrUl/38W4G2FgDKHraem3pNDY0+ZyyiK6ZsogNJCE
TsM+kE0YbRU17lDcbFNXRJ+WXPzfoKzaz1MT+4VRDFMI27t7FEPxEMWg9ble
HoyWaLi0XoF9pimd/ZbfQFdkWqvJrEufqXjRBLGDeemYcYgifhFaC55H56te
6bKPM36EH/n+yxfPkFq3f6lc31I92bJxqRmrjpn3gEIj4cZMUwom6EicaVLn
DrsIhJ5oxB3jLZzpHZNctaaqgAAONbL0YyMUP5ZmceVnbVa3bP6RPYZxXAxD
XLTNfIMNXRQp3rf1elT8k/ze++0VvLZC4caarO9dZk4rNgUksD8X3ywi8RkJ
ZZ8z67j1SCgt1ttCXZOIc/JNuSQnq0v9wXIouebs+P8+8j7qePx28tchpn7f
nlqsfC9OIMnu6jKYnyijjOPkheW8rP1dfuSazwo/cbY2Jkajn+j0NUQwuJmR
srtGspjDzO86n9UuA1mafLlt6JpOB90GEAkvDM0VdI9im4j6gMDTdjfryxen
uPVaIm0L3N908yWyZePFyLseKmo5F7T3o53E6Cv6JvJk5f0v9Lzo59D+jj+X
BQ2KSEhUMLluSnV6Vt8PGdvayOBIA1G1NabJsfjVf+mY35NwoSCXR5ciJeGj
c8mgM9WCdofKB8QSzSOuIl+UNoX9UkP04zfy3uNu5qRV2iWINuQOA/yGRMu4
1BE7/fbw7A97j+PzgtroBfkfOxMBiDO9YhNF0cxoNE732GC6HOpn2HayXkR3
98aQiopKogNZ4IC6m4R9NdSEunJC+bMsFcahOELc7s80TkIDOtIKgxBvYWAF
7W6wRAAvYRlppbCbaXiJ4dWbkFy9LePXdKsykQmbMY5jLNkCWwGFAiERzFU1
r25L8vpNEgkXIToO2McjO0daWUoYT2N0VDFAZHIlUXw4U/ajpeEJlb42UqOV
RkA2IFfQFIfAoyOLlq2zgKTAwGSoqSCQYLeVnLvwBzXkV2Wc2k5dSaxgsPCN
EHG6k3iT9X+q20pxzf6sxzAZw7safKyyx0s/NA7fh7SLU4ZBAevr9CdukU2C
0/Mp7uZk/rdVc2AXWebe0mwOmbtAqUn/DkzRCFSmyHnzgd+bKcKB76cVcSCo
a2z9egWwYmR3tbiyDHUPrDDYqbPGi7mT5tRpAJJwkoyX4cBapJ7rvta+Sanj
r2xR4kyLkt5K4YAeTYP+juqF24cVDKOFCB9HDIXaGUjaQ6RWIhJ6vuEaem4R
owbwOuD1Ex8iUI1+TgSoSCNAzvZ27A0AcRrnQnrZZII/7gFe3UHs1T3bFu5x
1qlzPU4dijtHi3FgqLfUzfM7cLFL+2GGkSb4d/XTElyDYdzca7BOewbh7qhv
sH0mQ9K8FkSbecfWMNFy7wR0F2zRyUKWFGOfoI3KKXG02z1pwA18IFBbQTG3
LbSFy9KIsNVlrhiUc+h6fUXbd05k7csVIMumpPiJUN6l0JoOqLoTcvncoFi0
Hfhw79sPz7L7gW4y3LudeI9uCDoi1MBPm36GYEon6PapESbzde+pZPDu3u3+
3H7eSu6KNjx/j5LhJaN3ndHzG+MliGLDLksiitkpUA4ddVB01YGTnYZq4Y7T
3MRmkoWrJd1OW/X3f7VUJZG9EmkcvZpA3txa+9zO0o6mSOypw9ciNNMNAcv7
pVvi1gRIsuj3CPWLnlWPxLrDrB8kWuxJt9WeBL1W3WNLumBLRo45QsCmXsaz
ILAsr3ef8+o111l9Ja4bujSJmxO5pwkFagkXyzu2+v73lQYURffFyds+kN3/
TY1tAYBV5Td4W/Bt++jJ34fOUvfpi5faENLgckxnqtT6Rh4KhqZFAdhhKmRp
80VmYeiN07reE31/e7amQjCjdJiODOqkM20oHLAEpZGc+qnzU9aHVPR/ZfvO
0bVi7fVFGeTvdgmVMo0vW82PvEa4s5ceBTLiWK62rvQ9SmLvsQAPzfrac4zU
Ef9bWNxsdRN2gPY7nGzdADtquWlMrA4VJSsv87cPJq6tluWKTl0dBQBhN4tp
1E9cAtX24WyOuCaloKrMwWCe+7FsQ2RyPMyt9ScopP4oYU5N+WGwqgEVtSXC
WCEJc6qnViI198QnwxR857VMTov0NjFYeY8rn+fplyHMT9OdWax4q84qQmRb
6SIan7TeyWkdpfN6HjOKeP+REx2xVeLmSrie2tWhU0rAJe1Ox76sUWvejZVA
hnGgnVIhJMJmA0iT+/JLnFp+9oAMkpz4IN9ICcduhrsAqNFFAyAKGNvhBN2M
qwq/uI67RCTtCZHcgCmufxOTOi8c92mY/X7pYFNkm3iI/btNOtSi6RePRePy
3D4cdWPz5HNMcS8HxteYWK3VOycHesJi1EgcSMgWAdFgzBTYe3x6YXHGHRWF
SSoYgy2dkyzfyiCn5rxFBQ2l3nmXMDY4cqFivvhkbtIQ3bhyqs+a+azzCqSg
z99FAe7DCQ3fjj0KcE/5Ar8SP+zzmMOv+LZc2Zy98YDGn58vlyGU65lZCT1/
2PjViasVorDR78csJybTc6LBRE+jJL6C7rQgBkqRjVQjQ6VJo74v5NbNWsJj
RAGTfrrGNlbHH0ZFNwJ9Oxp3G+nY7dTdRk+U8S7aFEV+UzBJtoRdk+y6LRt6
WEp/DUhA7lM3qC8hJDkMXfnIvF1Ao7JqV8NCDCLEYl/D0N9cRnbzKwMPz739
IzV7JlxBCRj3UfHX8dPHjx1bbL2vSb+6kyg1spBvWpKamNtX6Gms6K7R9sKg
GJGUQz0RtGvT4PEIe1lKE6S4XXLNhXlQ0YdNY6yulbj8QJBCXqtOvVR6H9Xl
dWF1m3zs/a5nt7HUtOq2yyDrTRqXeR/4q4rbn00os5iAFE1bsNp/zmvjsuav
9IZg6kRE7kHGupsgwZOfPThriX4gmUBggypXC3TmFtDDz0tzyL5j1B7bNkUB
lrB8F+QGSvx7KOssFg4iUl0WkSpVlqb2wNjrs3rGhMbeOLhcNTfOWP2gz/yI
qKUiuDHpdCdtZjDgBLhQv88lZARRzwq8LbwZTtRyFrUc5gTL4fvvWj303393
j+Q/iyUfhbblt8Hd5DOj3MKDh5mj3j1Eq/Ud9f6hfeKdcRHM3obK4UNbhd9r
xTxX9dvj10stqxxZyicg1BfQPcCZWnzvS661ObS4n2gV1tialbUt0iswmQeq
WkeqVm5sa9H4wbufAkNZRQWBIm0QsLNwk0yfSJ4JO49QXMwT9r1JXMqJkSKL
IkYDfx14FaZ3/Cun2Tcu6g40Rf6wKrFgdtnYAsjSDIwqdRLYDRnEEoqUTCfI
0BqoT0CRlsIXhG+Gk97h/Fp3gup7pd9hF4lUPVBOXtwnJ+ywcPE1xHsr7PQb
Td26cQHVj/U0MC5qmp4ChLJHW2Yp0y1Bql1QFKYlay6OgwR3RZEja7ConBwa
h6AbMQY202AJ2jn1tHL6z9fHXx+dne9Ovvv65P3x+TdvR8V/jsdj72oW6U/m
NABNKS8gDZnIHlW6LWDHVhLUTdsOayxeh5eLwdDRMNXmnoH1GyEeEBXHzk6m
GzBqDXdy/NowAkN86KbCFkV4PnVuapOiNvh7Wk8oDnIo7+h+gy0gx4Tv7PXZ
JDPInmKBA0Pm/fLJiz2ENm6wkp6jFPG818KpVc144PjCqFuMTOk32gHLaeWC
0uibbwJ9mQy3bPXsIPYjNM6pdYpLlywkWUC3/HYTe3ypH887n3Nrb0/Vm1Hq
OCdKIcUmMBOCdEwLLCDCGbKI2miGjTwCJyWi5GsTBLqTt7esXUr2FfBinYUY
HBLDal31EzQzhUJ80h5ChDJIa7XtG0SHQUhI3HptZFQvsoMdQQOO63LJ5Pqb
GbVw1lYf3l5TfQk9hYgnuqsI42kpreYLQN4YO5X0YjJpez3xiS5Rz6JQO6Ez
HJpSd7WGIE2UDcVlFPigLP6jWjW7UPrkp1ZU9DA1luSVLnojnHY67OjoKIok
WsbEZSNHVbGA391EcqSbk/Z0stIuA2cZG2OLbXzpR95/jmJeJjrWQBrO75bV
ZDHrbyRT80XpsfDV/zw6PC+OXx+9Oz9+c6wnFFxOD4t+Ju/+Vrw+enP87uh1
8dXfzENT/KE3zuiM+E9s7PRL8T/wv5Yf6p+KJ/ivveKgeFbsFU/9/3vuf+fQ
z3nbXvWSQSSfaVuOQetasS9NVtU6rt2JNFz5Vli0dFNirAmlonc+GAuldKm4
ulDUATZLW2MDU9txdbZZmc5kOMyx8hvQV38J00uTVez54+JPBA5bF3+mS95X
y/QSa4P9bG+giTk6aqPmX6FSkKmLEyfOhDTq1rEGCSQWjIaHKCemGGEpOjVt
MKv7D5tVxIhA+tNvn3DWhMPqIwZWJK/T7VXDS1BTgpkUElvAd9smd//+yYVL
Picdm7HQHtaISVyiUbFqSyO/yJh2Xe4/fQaK+/3Z5MiQ0Pilchr4KVeVEh9r
mCh08SU2A8p3IDMp2vTtBwR6jIqd49bC+Vi782RipeiZRen/XzvyRRBLhDY6
QkkCxZ9+eFOACd0KvY2EEkd6mZ/maqqQEH8Xus+tS2mzoMryCVRZomnEX4WV
IyNE3y6hZqIEgxLfp8IapukRPD90L7xfeg+2SW/wTVIJDtwpjyBzFKhSVKDb
WKIz3ZdUol13EbZJ9MH9En3wO0n0P+j6nypi7kzZ0YN/kln1J5+26oeT3aW+
QgnYXWV2ruqxS7ZG0fnBWYQJMIcDpaaYeQpsPtEGM2VfZs1pOnEPorBvrQwW
WA7vxHm2TBgxMNswFeMApUeKqKbhNoF7cr/AwSX9wkOr9D1DOTl3BvsytzZP
t60NHcIaCcMom8Hv2aBY/qh98UsnqWGti5SX/oCTgcpseJm80UZTWxXIw/ff
5T7t2cPFzpJYILgSk/Hvv9v2cc/uX6dnsR2RhAH9Gi1CJuiEFFdYzawCDfHA
JLDTVivsbdBIA49StWdDTzYtsgniXpv+YABe8ybIf6CjpGBsMcbwSV61crs+
eqWjKYymKPn+59sUY9c6juZGD5NTDUvkJuTF/faQ0odfA9U38DnaUAdZmeh3
MIhBjEml1pBwI96JenUXGbv08MGgquM8NzndkQZJBmERuqej4p8JxP01KCjB
UeB1r795BIERrPRoVvYppcS1P/ozYZda58np4Oh02LovH/uF6Uw/uBUDVSss
Nrv1bJi3kffySihnLE8W8pvg+bAbSw82Pqsa0jq9LooC0ddIUEf3z3iLSW5W
G45MjgowuUYtZTZ0seMBmeQk9DMlrC5C40Ej3jY1se2u6/WGjqT1upx+QM1O
8mvyd6dl2y6vV2WmmNRL8Mv7JZhjtUt9DoUHKE57Gdu9ECA0I6ZgNmi0KOMj
giSsNHG7RiOgTgp1k8Zei0aYyQNvEAzKzJXNOPl5Mcr+oqf/iCbjbcifSe62
yjP4FEndXEZiE+ckxGk/q4iFlvn4hmJRHDjJOsIIADxLmy0LIAjVEthltXol
PB4Z90F4Hb/mL2W9zhC00Ov2sq/bf/DrnoTXnUj76ZBAyr5yP/vKgwe/8ml4
5ZmeiN95M20De/C8vMrq/r28O4HMmcLilepbMnufPYHqlLm8YF1eSbShXjjD
on1jUPfXSrQL/4eQROpiy6CdPLPFrYVUlaPipmnXxdIUmhAx6PCVpI+I+pNO
bnIWwQAHAqa6va4CA1MxIM8Ay3a+P3/z4owqd1HtMQdnUTr7YeMhoEdjDDmW
RM3grx0nAqKBQNvkBC5Dg0IF27//nm096MNA8/syd3d6ozUNDm31fd7R3PsE
nyNm5th+cD5/QPBoq9WzDW+egLIyBykfLcwnQgZ19vO3mvWJ7avFTBibzpCV
jBzl8alRRRQxvwBOg5iX16KWYzAUGo0dmJYt9BSeffO4R4FaoZlVc8Yg+HOR
02mBDg2hE1RARfwr/tOm15TfIicEZpf8j6QKBD5jBL6vkkpmKFugJkXOuq0x
sMfq9egL48XMik2fr5STgwziMLwKQUUxf0IXlxgu7QHg/f8CyphGU7Yj8wYk
5h8xUKL84phqsEjC4cj9aqCeewBQj5Wd+TaBiUspQ3brf5Lbu7Z93blWkWEb
FDTqIXEBe9ebRps1d6uqFBrFJO9UbdUy38ThejXf9Qb9MRVqml+uWpjG76oF
jlZo1BODENjkWjpnbXjPYfuNXKjaBPZgNOkgtBgsTWMJF39ZoCXYXK3KpZcJ
44sM4vbSQFv3PCGtGzKjIbbsiULONDfhYYILgERz37tdGbK7MrPEZ5EUhBkv
R3Jk83lxC9zY3uNBePuVk/KSkGQXx202xgi6+qwfpb93nJAnmoY4xEjV6ub9
UU+DOGppMJavAmMYxSFj6v+5dtALMAYuAqDKI9N38pR/z1nbNrVEn+DDE1EI
oifiEJMVYuhOPz5aSBeoDS3zvwJJ/VG1mW+QR7/g3Ckv13ty6JHYsN/MePkA
M+MlB5e8UhB9IHrovhMjuY1TkQJG7T7Qde/ZdhhMTbWVPQu6RVh+JoDQsWMI
ifYQZc60K/Lr+K0de3MiuilKaPoHdPRANwYCT/5PL+kNNzYvzA7ZbVZX3hel
Al3oiTJrZoNnQ1x2byKvwWqVRpmDp3y7OrCt/1UBKdrBc/y/S/g3Dwfu3Nuj
r5zAyOCXOJYcLqkLSIq/LQj2P9T37dP3vZfR6TdK13lZQ+OZZyU1gpqCW+UV
HSMMVOxiILkri8sNpkAzZ5mypEjGJGqZEj0VnCLHNUtcwytJGoZC2o4wxCdi
fDhRZMFdzIYTRxJ+xL1huoyEt554by4v5pC1MczJIZy3Et0jGil6ZKR6ZZ8Z
Ltc6Sh7JAfiMsLVv39gyJxOWD/QAfqjVbZm2BiWL5fnDLRaG9vop4rlUMFSz
WSGQiFKt/hJN6ICLweNQaps4zI9BwMBpPUpM/Qlew2/woyR2PaZ0uIBz6TX0
1IO18JNyChTL76hRhYQ4pYdTK/A9wCpThRtLX/4JgQt4zQ31ylaYgFcA7EU+
Z4r7GwMChhvas1BmIOLsXhDeGxGqH8s7or74kCQSLqs1kCPBVGImAGw8eCl2
ElwHW4/voOMQUY3sJToq38AnEH8PsAQChT+EPIinhjZZs6hsS9No6be6WlvB
BPBmhptmgQifm7dNczqFP3DvO3H9SEh+umxhs+Ui9oOysiDQIeq1FNwfK118
TMpX5ysuaBj8ITIsfrrZKl4sAcRvTmCDCPr26G1xWC+9/EMzleym7k3MILRa
dKNJ+8Izp/pMtL7eTg53L0q4T8Lxpt0cASHhri6Tq7f3hKDIvIzcO0aIYaUA
3K1pHiIoD2kaMxgoEWV3rVx0IWEBbi1Nf7+tbsL8IKAwgHpNDqRloWHTPrxQ
mcricItp01EtQpKCiLDuHZgAV5EqfsuuOv/q9QNAUnxV50tz4t+djoxofqhu
4m2Ws338inUB2SS903V8e4QaN+EAeA/XPWT8IC2gB9nQvwsd5p1t0hg8npG6
kFECzy4o6LGpFlyYvzSb9XJjkq3w3iPT8/dys5hy5YS3PI7wiPZatX+tiedO
SpwzTfdojPOAc+208oMrtW0mpJDJoUU3PN1te+OntNs6aMt7C5f3H3fgliRn
n4hSPCKnFYdKD+ADR7gM1B6SGDmdTBC+12mhuP+UGlSgR2/0WeAAO4Lo+L1A
0v29voKMRBtCDwvoVwPmGaItvPF1C6gdfI1FskDTIVWfXSsTUbhIJg3Jlnl5
B4UA1bxGShr/OVrDndZt4Af1IUP50FhGZRT6k+NfwIEfNrME2yo2vtmdcXgP
7+uU3MEr3qyq6hx2SnxfVGthioN4ggMjARgefuNiTRpjRWkSTWtG6VPDoAZO
8awNb8DIWkdoOjNaW2gITcGQlgc5hCfR7pF5pk5HBKCXjceAe05q3wKdG9cS
g2vRt+Q0SMnY6ARwjAfwSlys75ZdKvi09Rpj6XeYdWhH+1FwnF2Ey5ucFGUr
+xKkXvoxQ2o6/wjMRCWUHzKi/jAt9gXCSaXqKVvt5crA0MjTZRYOyoIhjml+
g/XEcHRe+XXAjLwfyTLihWcCaYkvRkXj0p8Su2ky8Lheu6T4I3Ss4e5bUUWH
N1yGUoHnJ3YFM6r4/O5HsA8A5aPw1nL+EZqPwBMpBwjy5cILOH6E6pYXQyLD
cEr1NycI4GE0eJrLoOSTImxvmM/mfuzeTC9XdYMzatpV4hQ5begIq5k4D3EG
loULEkwLOPCwWwjFmoV2VXqYcdRR5TAomdAmSYgzO50PYTq28AhtZXYWDYU2
ND2o9xx6yIOkTu26mn6YXK7RaJc/IYQfFRI0uamgM1Ir9DXYUKqr/DqG+PeL
OfQxrhmAEFfymanShhBeNK68zGGatzYURAjxK4AKY+r/B1mGR8WHDfyv1QpP
pul01e1LJHoAJYe29cyJJVov/dOW8Bj4X6slP2bZS5SO/GiJCsKItEPdDTY1
HmI9g2B7WQeiJjGpxrRGhnsVdV94HhnZ03mJDepEz2GPPn5leBR4tRIMWnMf
7w3AZolmbzNf19446VRZCR2xQxtbihiCUmDQwapSvmBI4Quvll09RAP4GXfZ
GSeqWKWjt8VHhJ4lnzKuufLqxWsPmPb/sfN/zrza2BtDpCuVmb5V1vWhbnD4
AVJwKtMAYbmCmod23i9JJSzvweNvyreElifwEOLi5De4QoFSpAZMR+vufFnS
Z8FIs4KCqSzww4Dab5P4WanQ4FC7+yk6k13RJ3BUja3qQ2JyHFwid3FW/RTq
xgx9fWJZ5kfnB7G7xySnnBxDFd6AxWxKmf2SZ9ZYpnKkcDNcS8GYbhEBfywj
5AQWGWM+kL5bw82S+AyqKV55jA9BqIrjZ1jCHrZwgZFUYCoIXonVDbVpFfiK
rqEaTzxKzeD525b85Wqt8OnShivCvTCttG1sc1/mh4EvVF2uLThwtsMhQMYX
t7IMQQX6Fp5tP6I/I4397tGsXjerL4tTeBlMxU8qE35DS06R7Eag4gJMHh7J
B+MfkzbNZgwUBvVG520NzTIwFa3JVhshDzanMwyy3AmOiHCUX5lOLlYqW12Q
oDqlMae0TL+ur66LeVOqZUYGxRctduSuoElbc3k5R7OC/VoI+erzFNL/scna
zDVQWDUrZSYAn4uYfeGgARSKn5qo0V0yc3hmg97GvOoVGKvzO14CDtay4+1M
wRDHM3XIpkwNRG/bSldetqQbCnLde0VeLza827948oVf55zo9u9M7rsoEm1i
y6bJMiis8k5MWKam1QV8xR1azevueDdGzAjU3dEVnTdZcooO92EjoEPJz1Ag
zx7LYH7uwuyivgM5nV6DUMhB3aphcIle9Ky+rWebcu5yWr8teIdw7ltOgY7N
o9Zm2d5ebSUOPTufvD/fekVR/HzP32+3/f0MC1BW973CC8Hnv+UQxJ4PlP6r
cF8TRLD4027Pzz9tHcXUUMP2fMi9H3rP3/H+f+ob3p9/zoz8nzr3978l9xf7
u+T+AVk8Q/37rfxBOX+7909m6JnZkfISRULNXySX6/1oQM2JEVd+ci3k6C9y
RvMN98z/o+Jftv79nvsf+f/xDxhgGXoYaJie7v0Dc9Uj/M3WEWx7/yP+v8kD
6uXD7n+k/6UP6MoZyj9/n53aYfGDeZT8N648mx704qN3r2nhaeOrDc0/+Eu2
HYxUA0q8Z+Bdgf1/+H+iqx5898+Z3/bdnZmezG+3qIxBNIXsDh+nGZJQ9ivR
Iw6bQUnwYmXOB7AWrAkK6FCwXcP5Y9T+2bpaQg3szP8PPi7/Az3o+tTNJ/34
adgrcKveQM0WqPz9zPtgy9er8A9/2UHvBJofDvTgc5885AZvUm2wxnINptmC
I2r36GfzE7WHw+gfqn//gKeZq73Qh534J5yNZwV0iGqmGPyA/fG80OnhPeB/
+SLzMJgjcQ15jl4+ZMhTcxAKwV9gzH34p0duDlXdeTfHFXuPH3J39In+u/f2
MhfBfPEVPF97IC0fURPsHaSP8TO1l1v17kzt5Van+4W/0UzB7ksIFGSunj3k
ftktME3PM3/vitUeCIxsBrjtZXiMqFtX7OdWCiZLNTJO1n5uaTo//Dbz9NzG
7vs27w/5O3J7HGXgQ00HBH7c/pOiu/D7uRXtLvz+gyY8t/Ax6PtBT8ku+X5u
BTs/Zsn3c5u/u+T7sMRmyQ8eF5klP8itZXfJDx60dp0lP3iQkrZLfpDbr50l
Dwi6z3ebSg0SuTRq+3BPCH7OIAPyACm4z8rHa8jYYZ3ygBsSB8eaGdDpA/zX
4IFuMUDuczF6PwOcsEfT5SPvhz/ybvgj74I/ouAguvDRlehDp7d3Qnp977Ux
st9i5Lc9l2Vv5In9s6akHnpj5Od8yhvjG60N/Ek3doTgdx7q58wqCWTGOvzz
P+V8bhZdNQSS2Iw8/N6frSGI4htSZnmh6/ugX/lO/PHG9+cY/RpsFQCMxvUl
xe9Cw8XQnkMimRHRwj+ST+C/5ibvFcB2hL/yfz/IJ+Ajih96v0uA0xPlPyAa
Lb2Ve8z6+Ie/I0YxqLp7oPlATOqaSNF+ouwxJD9wYNL7xK0AI0PcCqqAJSei
41lkXAZrNZG1fL9Fn1pMadTzoWZTV5Z5GaAR5cMeIab1/VZrxwfJCJ11Qci0
BqFjDyRniOZci+6M3m+G/u4z+mA3Vyb0fsM1bOEl+yDJD8wmYj0LcVSM1Yq3
cWWwc38o3vpfl9guDZIfb0Py4w1jCNviP/+AcJBnUK/faPumNFlyqdc3m/U8
abdyQL1NVpWL8D+I2WEA3Vh6BjDkZlaVc865h0crJHznRsa9ozmICk4UumI+
t4ocVDRlIgH5gMMlMLrmToWLIqDQA4iynMMzdNzCnI5YLIgLXV7CiIFmlItL
qK6Mywp6ZokeSoBDaWesvCTU1W7krpuPwM81Cgm57Hz3Tmkxa5zQ2HJ1C5T1
AfqjvY54YXGUkhHrdst5+ssvDjBTzKkKNn25EB6AmnhRyPznOgeb+DurKpfr
FvY86v3JvA/asicImfZ3UbCqy88bta4k4pcpMjMgNzL2r9AC+OOoZWKEd3qG
/JP/8ndDSnGQ8GDA2d5MN/BhX7SWoMIPd4cLwHfG//Ij4seQVd5LxZQzWFIg
Xmv2aN0sKUsP839dexWyml7fYep40yKRurTwwiajbTW/3DUO786o0Cr7mGw8
yfBbuZTVFZaNnVCHveNibxohFsFQCoX+gV6LIIfIWQESdlN+qLi69gsQw3i8
sCaXG+xeqbuzluWcNVRfMsVYH+/o5P7b2s+CVy/A2nrhpWeHBJGaWkOfZ6zg
h2QqT5sfs//aq2q1XEHbaczsxd0SxmgbJmMJg6jb6AFYygY7HUaCgILMcJDV
CVOZxOS8ZUJKSE9fAxUBWZ/kzJlCaQbhIDKoWlX1gjObCY5DWaTL1epO8qQ6
au7iC78+OfnqkGlxk5rXfcBkE0ZQN0vooJRsFOoehYLQFoOS+PvJY4BfDanN
F05+vQbQ9GVF/R0WXGPMvamdaSDcIL7Cz1gz89v3omxr4VCJgqDvVFxH7p0W
yxPY/iTU+1vI+ZPxEzh/lIKYJZs5yZixrp6FNsFWOoElsrhu5mTlC1kE74Ro
wwz49f7/DDExDbl7Ug8qN5yvhpo0eIRL+CIG4euG9Ek8NOqGEY/K0UzC0MJt
xGFN4hvGEwYAWwDFkrvPQHWZfjdIFYvAWdTebLvaRE6dz9ebcSc1Up9vpLTB
CwQyNoO77S9OjlNBRXD9Y9IPF1Sri58eda+IoQr2roUxH1gIsVu9QFemlTaY
x6fF78iooYUBRAijloNcFE83lN/RxZn5RWKarwj+I1WAyGBp9sVIjxtvtvoD
mU54IKaUIwI6nThqaoIDlLHtYI5xR7je8egluJsfE3djWXF1rJP9iU0+pL0k
fwOszbGpPmCAcfIxtveQKbQaQEXDe6pqODoamgpYkeaosAH62zi7IQ1cGIsj
uCsRovtwnaClYNTMBvj/kzYjFlEtUP24WSYoDTISsZ24QLqGpACpHsAONADW
4iaH1Qo7dDIo7VKLvPg+OEKoN7fWczE6JsAEhWkfiz+qdKAYbzi+NAZUQJ1G
tIDAaEyNkHGbwpKYgSBPQ0x8I3bXmupUoTwhAsOr72MuTCjyRlpoS99iH3lk
XXraexb+Bd/AEHu1YEsAzxdU9QfK9rpEGtjKG17raFa5SzKQ4n30G5YLBf3N
dBZCx4NJoAc23SJC9fJ4bwgiyi/G4i5ltLUces2CjWTq6tRGaPwB88MaH4Vq
bIMqNnt7KDqi2+gx2VvPQttYae0aVB6cc7ARGFiFjZtYeSFBCkvvFN5ijZRX
ZlVn9MT0EVxh2veEcWZQIr47myUKw2qzWGCkmmGODMtmB6XzTFTUS0a5cYe6
k0W1+5dSG6/vKr7lzLv5N9WX6WQJ3bzfQ5mnt3gTenhtSyzB2Cwc8oyAc9O3
v2Jq1JZLEfyCQ0TIG7pMVaVXwiRu5utWIZ7gGHCjOXgsHPLdySsErGdIdvT0
6Vzegkk1Dei8HcyXz+oVl6ntsB4hDT9BWD9AsUYOV0SrbcrspIRPGeAmqASG
6mi6hurF6+ypgxiqWQE8AS1T/auVAZ3qDykKwmYzDhGf/kUbamW8vel/dUcW
JKpPL4Y3/glY196i3w1MXrhNk75/VEki5npkByk3DkaAxHuPvz6AO6jozM/w
a/S9keDly3w/VVvrAH4fLDRYzkjAWrbx5hrLEVTObvxd3sCHGIf6amETau1p
IDNaE9c0su6bcdwVcYSatzDI0hJFSareYHocqDA/BWwKTZsZq+D45nh0oE4r
qnzL3A8Hn5100oqdFtTelo6eqq81OiN+bbUgMl6vHTJvZcssVoTGU1VBh/ub
xS4ChCUVwAor81jbliFR94TpX1dXwHUi7RpaCRehBbzA2TCcwWUgK0enWs+w
vq9aRN18onsTOmLh3pzEo4QyS7+F/Jnn7cCG2rfp4apE52M3SO4DH7K0PXVA
eeMX0XjM/uQOabCH4DXKhg5bHsl0Odi2IoYPbnoEBYyWARa7wAVO/hYL6mG7
s8uv52q8p7HDEsS4ylXd+qNhmDsQee25SFDa36VLk1GA0rO+GEynq6GUcV76
r74uvLc3806LNH4Nb4z+MBx3x4MKWcpHKyydSgoz7e6jB2BNQKsRP7k+No+w
QPzG2+uqjbgwMLKX1llR93sgNLhbatmpGdyoq1VkFWlb6qBYAZGhVd5WbbI3
oxki41C1kpP2y535lfcm84slVTil4RkDLMVHTv2KBJLLOYfc+zGMJeqSZuug
XEefmI4RuPm14ZbteK2TY+w/Q4ycU6/8jzY8B0XRpacRmzdeFpfD2GLeIh7u
fvEotouH2yoey1Q8zITlxWNAFfbKo8mVmvG6QiP6IEb0lS56eGbWkvK57Ny4
T9s6nbnZdmSa0YEz+nFVxxTXVdRKVza7d5SatsacDOk3CAABAXCZyueyXF9j
0QgGAskSzq5KMhGft3PRVUQtBZU1OLApmDHeDuJwjB5NzlS2G25X8skpMrLB
GEUiI1Fs1FsTybfD9xbJ90KqpP2SqmLOE+2JJq2w7ZXFjoCTdvKG3SsoFBNb
Hg5GlhRqtyipfAjiiBJSyZVqpNI/4quyraeHOMoSTVJluhyq2xP46dO4ALDx
TMbmc0ItIZfVW/rAyIS1s+cP36KzyliEs/S/qRbrzPbEwZnAtSN2nzhCGXUp
gDA4JhGSKDjzu4E7MJh4rQhXe8W+8IYWooBLCughPS9i/zK+BlkcVBgFCSWY
QK5DDmXlgRRL4kRt5NRi2D1Qf9K2RjNipbtsxLMIpss6RPZjo5W/iPAe5F9R
xSkLMr+344+h2sBmzGFUDkelLQnrxW0zv60oW0bWIk0Mx+29zwUpxjmwsF15
y+UG4vGwDDcQfzC5Ni+1Fxvpsxu36qAQGnJIcMhU97jYP3AurqUzIpbhqWsD
RxuU4NczDhlMmyVnOEPHTVo2MLgwWmGgLVuDx8jkNmGt7U3EURznlg2jQVpm
0EtDtv4mpzfx97am5NK7nF7Ml6gp/kiy0moIOgl6wRXb/EQE+jfNejeyAbyo
S0UmVSjSCw1/TCUmb0mxwhWrpxkOxCXMLY/8Cm8dBb4sGgIyV0AoZNL9PhOZ
TVcgBELsEN4f/fP3x++PXvvFp0lL8x/p5/9R41rsefLGZIqSUm4ammvke/Ak
KwKjkWQapfQ4euC6uarw4+lINp0nChNex1KPVgZu2n6hLagsTravi9a92tdB
jTilmNtQ/aTtxzfoZLnJjBYxaSU1FS4+LWHgEGRIWgcaZGB+gSlt/Ize2ccM
I881pDazh5izQT4TjPK75hvBE2D4W1gg7oqPlWRfCVXBKIokQmn0K8Y0wlfK
KWBRBOSlEO4Wgl5kHd9QnNk/nCI3uQ9oUe9deiUk8dputFQiHYE7S7wE0/IL
muC4i410CEN1uPgC0SHNRxzF0EQma2K7Cl/FyUL+7Fkfec2zkDf9Q3FC+/Ur
ELEfkv1qkqqdDYj51InNOpHi07QdM9BRSiy4Hc0lfjjvlrEDjk8vzNcNJQ69
vwP+9ZoDEAHg0plPMZnhZHKdNLVNJuv5SGPLJcDD2vPjNSGu37Npt+AExlFj
kGfa9iTp/TLmkyZDd55M8AueXnOI2OHBSod8SFGGvRzZo2unnFADaSLHYZ6h
HNzyGNl/N+WsMmZxVuC9A7ey/ttxR9wlMGp5CKXJjnIRDthBiZsCR7lem1Qw
1daFMZlx4Ou7Jaf4LqxPxAlzGhTkcWtvjvhZUsc2kBJxXxJNdkcmZH1pfWkK
EouaQl0ntBXLt1o74Li/VxaO8NLkFHU+IOK2IfKOn5b1Sp0eVtz59XelAbe8
Ct4ApxMD12OpagWTHxRGiLw5AkTBx4clalZov0pnsGm9mm5uWmw3LRnczjPW
kq6Wxwxj/xI+1IgZfoDj9hwqYR82QcQgdqJtZXA8uJ9jQxIzVjt2a9HM74Qc
wHCbrAbOTPdZsholwDQLaUIZ9wtqkQqq+3RBLWJBdR1BNZ0GQ0DmwyYEZAJG
y7V33nGbrnnEFML3/82duToS7/4AZwh2tH5XXTWYDvP/zXDM5790AJMA7GrF
LcT7FuY+yfxKq75m7g0KpwgKJcJgMjPy9gG43o4ZzsZ/AZ9fiLS5xTO/b9AO
jWUTtxmks9yhhVeGVuQG4KeBWICo5L0wf7iw4nI1Z6KZv8c8Rw8zoAaBdZPZ
iIaGeTHq5ObCMEmk9VPVg4Jv9gtZru2nmq8TC5EltX9wIXqfjq5eBzsTPoFA
qLZMoaI8k97BzUUkLoA8ysIT6UVX/oxi95NDjH01M9A/xTRg92GkiTLJJqJS
qmaW7ocIv7/Hb8DHP34sOSwvfiXYedj2RLId2vjOW7mrsui4nI7hSB1hZejT
ZUNhIYjnr+uLeq7Girw9QfSO3Q/J5NDXowcL88NTgAyA6XAKZO46WtxWc6/k
Zq/LdTlykFCYzK+wN1fgwfJSeHri/9+qvoVTidQZ9BjGSBmwplDTIvxDvvWL
7CqWIEMhFHP06vxIB06VNdoIdr9rW6WEMc0CLCz0SWKtjh8g4v/gMaEQr4Cy
yYupNDDpjDHeDxI9VHZL5ZzchOamsozQDgMKM6TrIPgFXoF3iGhjvsqhzZpz
OFn3WSujVi5x3oouKAi+WI2kMMU8jrjyxEJd0n2d0RKvirp/cDiRTscG/2xN
10r73P6RudzK86O2DCzR9N7NbjvLJQSHqma7q+Zk1dDVzmk4IxdoVq1XURhU
FGDQt2NGJeLtSF/55rDYf7r3GNspGg0QmYYc2tBrZzWx2EtXBXjlRXVd+rMI
4StpfQCtD1D3KTpuDeADec4GAqvITMlRtzWx75WsbUAHhuVxiO4B9KAXz7/I
9NXQOYGBf2EDU7xTu24/2d97/MsvZMKGM4EfDf/JX7FZURU0YCKQmZMDQoe4
oG1xXs4/MKWbTsoZnfLpxNHUHV96WxB5rEItXKILUitAouN2l3ltvPfy5cuR
U9myvFNZ0SqtVpP7I3XiygswZGxcyjKkxrJsdBmEoWn/plaDfafrvtOL6swL
zqxi1mWi1YL3p/SyoAjs7/wpAqEHwL0CMHPIdoCuQVvdlGANtqS4OHiL1RvT
66YhpqsZkNiFHhUxfy1cKo/vnSZ7j6RzHrQAMhkS6GCZ4UpY+BRz7sKFFnjY
kax9kqzsQXObPEcJGUVV3AJBBMmvw7kLol8uxFrhHGzPw+6f5YecWzJZZWuq
mvxc31YmPPScgkNgzJ9xHxxgAEeatzKqr3rxC6q4E1LM77AcEq6G+O2q8Tbw
yeXuKTlVaQz3Be9V9AWhv3MEAlZnddUwU1kMIiwmlMGkktd1I/grvQ9bZ2mu
g5EqyBso8Vnj/y1XNTaedopUjsstjhleTahH74TQNbZXcHMhxKPWG0vIp2PX
0YxM61aQU1C5BumN6Mkj1sx2HVa6aBwUfG7Uy0fHjv7WZTkFOxQTQDdl68+r
VQljGDOVK0gTPAnjXNN5Va7IcZA2SMXVpkROXUazzqHTa52AzqnPA+FkaDr6
Z6O0Xy+LdichXRs5TObMTPklIK7OlaKRAnzC5Dyy8t0WO/7ij+WKFo56WGMR
3mSJJEs/FRMQsr9/vakW1V27+RFCDE5SdjVx2M4BIETxSDo7+EHeiIalh2zB
okSc0a6eyd5MBQd+FxZul+O8+gBKfdULLcWsgYMP1yBGXTozyTSzHSE1kwhj
xYO+lSBUZi+Kunxdaew5DfK+IJ2H9ZNxn8BprAxg9j96dX2t+cE5drMjggTv
DY+lgj147iGZjNqHcagdedIot9+cEAeuRDb4jAUGzih4DnOYVDh6R2kOvaDo
KXw9iotfWkDESxw+wi9zcJRBoQjGgdylwxRW+38MQ57kdjOH5ZPW4NIkXexl
HnCjWON4xDGiVJ552TRz3NDIMU7XI3jblStvqK6AllO/i88QCAqppoE9jH03
7JAArDmZQ2736joUXtpUKMiwsrxSto69l5Y5vFEfOGKv1QwEZ3q0cIZnACM3
02mFKXBcFy85cGrCZLmQU+GmZXCw1lA3yDkUL8QlpLox6QirV99UPO9u2awV
4NxZA8LZ0e70C/lGhkXcrV7WAIZTr0MHE9mAq82cd1JqVYcWVUjzOvUTcLmZ
OyzqiFZIl2cnND/Z4RW6rco5UQJPvSgDWHBnOQe8BV5D1jiN3e8UjLpVkeYB
JAcEoHQZ5LNBuddYNor4C0PtzyzAFO3gvu9EjMvmPknpnRfuNeMTNIjCPTip
kQ5wJmPvHcJlF28xZTPKPTmUKBNEJ6JJEh5puO/1pzzqPTpm2VLf8f74xfgA
GrGPe/UdNCH5CeATUj7MJ0lX62FpGJIKI5QDxaGSW+NTn00JKtTG8PMSX+3/
v9FToYkCLCbVO4Z0FGi6Vd36c2Sg3XLdBhBRXiWuKVKB+jy8iWngdV+ERgYg
PIC1AMSPM1nm+R2GF/RYWjGsdeZ9NnzCl5B0PvqpWk1rLELerNmVa6s5aFJU
PgHIy8Xk9XQz97bC6cmpMy0Sx/Csk4WmzKBE5+Q0/B0tBwQ2llKAFM1q6FyB
T6IkSfiWEVdiXmPwSxsZ+SvmosXCOQSZ8HV8PpbMNS804SuGEPHk4mxiJei0
Wd4pKKleRWPkkg+k0qhm/Cja4en38CE8IZ04YWPhtbfy6mr3G39K+nMF80RH
HNNL5BFL6SZFewPwrnZzcbVqoACFHqedXpLnwRg1RkigHAeSBycuqKyylS7k
QC7vr4D5At1i07nlHRJbX6Ci9HPJDsfr3W86EARvdoHyrdfUFWMFUKkBZ1Fg
50MfDT1YLvDEvaRoND7NWtKCvA7fBtmhIDBYrys61BS1wIesbgKU1YuRQv2o
3BoY9FGNo6N0kYF1GxWEEI9oXE74yyF6RBWetvDWn1RHR/sjGbb/7y9aA396
4FfI6LH8jxpvKowC49JOjAqJLWPD6Ol1OOZHRPXpvcuWWAnEe15VLvR7LApo
V8opJVhqxSUIOhxWRtNfodOow36KagXH6AW6WDEn0p2H80lrJ1A6ELvBfvR+
1Etk8lCOivGdtBD8tgHwvQTjUYwYqdRlfDvjXciuitaICvlbb24EwMjREQDu
tn0PJu4wWqGOVEG1Izjh0KmU7oApBTMHzC8wgglFSMj6GsVi0XBiQUFtmlng
/pPUEwHU691QQNproWov3h8dnrx9e/Tu9dFrse4JawdmDrg44LN7sUpPNaxh
/c77v7vQsSYcPSEdqQg0Bu8V7DNRVeL0rhgsLwGthfpY+63R9MqhPdcXYJ+W
GdloYnBI/QN0xVzhO0P7KrPVWuKuV1AUFOssr1dAjDEq/BiKef0BDPsa28J4
x6OEzMTfqjUbmcIfwh41lEhmGiuGklitgKHYr3jZ8IuLalriIRZo+GPiESyu
QdoLpRFEqcRNPa9vajFcx+6NTYxzA5x6bRagjpCPIedVi83FMJnm0gy+xLM1
sYSgip1bEoi9Q4XW3R4kMNiwfgAl8mJ1tEhMRfP8fWLFiTrukVlw+PYszkQh
5f/TZ0/3f5SMsiYnm0vsEHDZjqW1cMuVb/OujGoacGQXs5UkYtL+r8E+sMbc
wI3OKKIW3hkqcc6/O+sg8rhrIVYBVi0bQByVtmYjQess3OCMMQNI3uMHKnHa
U5W6ZFM+o6PdK0D2L2j9QeISzo8IjwDvZdwml2zRF4FmFgnH9TjVtBpBCOFz
/cZcVNJ6B33cj6U/utDC3VDRPJVHggZSUpv2zpuaNxrIDWf5phXmm8gmRA6Z
GrECCGImhxFL7wk7AGVxN5ubsSBv1yuyttDO92rwHZVQjNAyOvVKuCXX4Ywq
pc+oUroPIfqCMLpJnoUAanrOLcAZZUS01T6ohrmSo14sIX5xTsYm5lsW5czv
UKxlaKvNrImLfPjpjTeMBqfv333dDi3mz8WBFHwdNWQlwCEgQNfreUU2v+6A
MfT/ER+esIZeKQCe4AYE2euSmiyEVSVQS/Rx/PstRkZ3Aq/DNX8w4gngbWCe
SDYWGjpBip3MzgoLM4LZQVWc4IesNutq168C+K74APBf4BkfryF2C4vfLkvI
H024XFzbTyz9StZTKrWNK2eE6OXwh6Pd/cePX+w+3nv27JdfXmHoCc51XDn/
CG/B7lYsPPEjuG9LO920Lenkv7+lwNnfIO5+Sgv/z+2Pgz/Q70/bf/bHG1ok
UlNHQSa/2GhoJc8HswOMbi/v63Hx9+Ozk0fHR4fF/uOnTw6+3H+899I/2f9y
jL/YhV8MR8Xf3x17h/bstHjx+PHuy8eT4n11O97zV8Lvx2enY//7f/W/X+3B
xV+dHReT4zNg5/1hf/zYX+b/dbDHPCukAqL4TcuKFdQ2TuvVxptQiK1nS8nP
Sklppl7OAWz+rQczNuOMxBYPK4ZSRnPiVPiLweGZF76hxH3a8pKiY9gzrDBY
Xd33qGXskCJwOey4eYtaERK11NsdI/N+m+C7pM51lDzY9X9n0hKIMZoyGCME
zJhIhRRKc3Hj992GH00QUco6+vFpYzqdRxwr+Ku7+isnpA6G5qJs+9dlxH6o
fJuOxOlIqGawskaFN3ZBSDEkxHRlDDmzTYvUJHNh5cUUIw/ZS9F1I8CqZO36
p9gcRzTF+kpIq2bsQIuFxIJzFCFzPPqJn1NyoBQ8AEfD2vUKxYIW0EuYPEux
C1tFHs9dNIFcSMHII9pR9K6swEYPpBGDcV+xqtV77TipqZ127tH3+WkWexGb
oyrlmmESCj4jsZHR3LaM4LSrJqj0QIdmY91svk3L080FLjgyMTKO1HvxQ5x3
CN1CUcjMYWIHbNo5xAi8NYEhqsHF0PAlPGCmEUjVQm6Uvzv3aW26nbc/fQSc
fyw2D5GZIpaZKp41ApnRsBQbaOIN5w+QAAwmOUof4icQW5sU+WDYVQrA+gZF
k8NRvfsGdchAXSUTRHtByqn6NSy1caTyLZQ2qDjoDEmLBovrjR9DRplJTtE4
qvRstLkz8wSLI45Sg5wzi6t5h4XSMqcci9fH5GARgaQg7jvcS6aABuZGaBuF
DbleZRbAdtmDI/R+uh33XAjp4GHofn0v/XCh57k6Dvc6B1gB8EYiKb17nzbv
28khUwNlXF2q1oPL/AgSDr097y4+EZhO0pR9MFTKzlHkclJ8CK42Hd4H0zXF
K+ItMWgBeShxfBjKB3SmMk1EUZJRH8yZLbD+D6Wasp4fqaDeKYlQ1fAUFKh4
WBCNA6m5IeJVTIlhlL1RdFPFkZo4TA9JFuIlNS7jJVPLhNBjZJaF2VUZdDgj
JmF6gQ0KqBifgm1sYmmz4AgwQKG4GynvaLGLbKhyLeO3SbqXpmIX5T9UmEq1
m/kgDXx03qvpIWJXk6Ayrgj67nNEB1rfFcMA+y8e/8g5BHXSF/Qf4F9twNWz
Q+bAMtmzcEJiKG9T+2XkwCci2YpyVi4h0wvR6Raw4EEiOUY+OH73evfwcLI/
DEuJ2Y/wvd45cczJQ4sA1X3AHEK+tubc5UnhQTixpqSQvXeigWOOsqp4s/m3
ui0/1LsnH8qbxv9p8OZkyFELr6WKv8sFP8JRWrrb0g9rocXwb07std80l15d
Lf7jR8r3SQ9H4rEtTQDFLJyQfyVfgELpdM5HFGgkgSCtrPSP6vFHIRiimygX
QOFk8SkSE4Il/aAqb4uSYq15jufvBM9fUI2EKSQtKjGNLEbrBVXUTCTQswrl
qmy5SgyKzzg/F8CuTIXMKL8YsrzakBJxVrNQyRrlVVtWZu9OzkOdbLN7Ue1K
Pi42r1hZ2SjkZjEXeIty/3pfZN7c4esExIKRAQpW4zw78qU0/BBAUopoOzqi
b8aHtzENqRzdF3cOeo+ySX5DEXf4Ppqt1rtvAByBMG9FuzTqudn5mjL54E6q
wK5CVIyvgCWyPBUbHSNbtPMC9rg0fQ3kD+RlSid7fwqAJ2axUvAOGS3A4rgM
1ylzXSQnWv5ugvaJPR0btGwXC1gnNI8JFbbzuxGnGmicKVyNR0V8X8LOAYdV
s1lNK5eKsqBTYh4PcNtBnS7o4Js3UKjDpblo5IhT6ECd2l3ab8RK/5YyVMzF
W9gZO0OquTKUzHgQw4EtboU5+cL3OrXmOLApuVO+AvGnUnKbRF+5HP9MNtTR
t9+nGmLvsSm6kzK4LZg9rHOesVO64boLKX0mDGWKRXgCpbVMouc/cUWlj941
q64sVWu8cLi5hcefEgGIzTAlrvGcrqH8dOzOwKI2z64ZjHqHxPI18lUI2lYM
JrZ26dCgTBoUjcJ5KLwF6/JDtWBAFjYLRhHZJA00tfR53TijpGjkJu1pGA6o
A03fdDvJYvqVo2C7Gs42yH4OB+GyBEbbu+K75qqzyHtE9NyK10GlY5pEgXSJ
KvCI14X69EbMzV6V9b577t/NHsDeM8iKMCYAkL0E8qE6CYFkWjabDjKUCa41
dJHoU+1jjmHdk1PyPcEeVVrF0iTx/aJDPQ/6n5eVAHs63xe4Cw7P4XPEPGO9
1PjTqUF1nPYuljp8nMyAQ4MKuDJ8qxZhcZ0xjFYTQGwbNfDqJcyVPagQdgNQ
AxDLBoFkvEiKkLe8McSQHj8FCxqE6ITNU/5KDJuTqEOW8QPC0y6Zahczb5nl
MqEEpl7xd1W8f2CvipUezQ0MAg5C1GPF8eTdpAdJ/VJKIyWTzRWaZCVMzt6N
94BhZcN9BuD8/Z4vCBjW8b56pI9/+YVk5OT4dXH+1ev9YlDPdv0TdqnI7GD3
sTeHYXgrv1WhYi3gh3fO3h4H5Pcl1Rz8tXiLry+OhcZxtcP3rnAdmd6R7F0h
SLcDH2sjI//8XYmi6yN63gpfahmaz++WgBAEt/WZd16f+v/3fPxkuEPs6dfr
9bL98tGjjx8/jr0BXY6b1dUj72P6swuLhB+1N7W82v73+Kfr9c38D+Y3u+kb
OtgzP9HP91++9BsfSmakAj+EfiGN3gAgxX/4CVOlQhDoLlzib6pmXzrot/La
C5LfwF/CYu3xbwJPp5/d3Xq9+211c6juDcwKXvi+YoLvL9HT+qv/+ZGQgPBK
EIA9yAs/eex148HTgwP/Oc/8lz1Llx8gcguyM7DrwAze9xUc9m/LqQgHpohy
z9N7zRMZQIdS2MpDTzlQpE9GjMNs9/U3+hs8oMCAAt9cjLSVfCaqZZx/qKWA
4zaqN6IWHboNINb268QikGmBSvr8TRIwpCtv7JdTgSrFHxbhWeAcLCYxZRno
jPRXv1j2z5CPVWXyEXnLEMy4+FAcliuvFv0wJ7PyxqtbaOwF6uuN9+Wr+Xzk
zpubuvgWAgA0nefVqvGftvCCzrEM7TpkXhmtAoMXADzTrD6APxHwlH4IEHWB
irHqY5Ubb7hbM1mXVTWDcha2q9m3lOM9nThS/+UKQ4QbNOI4VPq194y9kfGm
mqET8ZboWTG0fDTbGGLU9xUnRGsFryM/1z9vGsiGYSR5hXGjK6iNEA9579m3
x2f7j/228Dof2i/CoGEZ3yPko1VYxymSmk3RwHk/0ZOgVD5suhzP4n/zG0t0
69LcR04s40Fbf/Cs0Z1zJKraeohJJQiICl7BJVoILVuDcK2y5ntD9KpcsGmK
3EBFICDQB8joLFOUFvmNkXvJn9PerZh9JCZ+b1JSmotC01yshJaA7XyEfSKk
2wbTwQXeX0b1KBcu0KKQp0uM3+8tSTBEJYpogNqvLelpNCCWhkDehsYUxH8I
/kk+1BDRqGfEO2Hpvvx98B2KSp2WSwlRBcPFxY2RX1HVyEiGzUEJZp6+K1g/
iD+Erz6nS4WnRcCLRObBkUMDm1IDHWPs3kiDTyHasTB4rwSbKRE9oy6q1yPK
4mh9UQQHpW5r5uUz3nfCO2HTd2K0gj/QtMhcZJtxJXIWyXu5utoEKpFY4h1g
rVd5kdMMxg1Y4lMoU9JSEC6ApKTjOm2Wxc57EcsQJYwaaTeQtMJqOrLr7x8Y
o9BPinhYuAPSvh3hRRQwvIABgL1IsnYkFXHo9zLhXI04fDt5jCBR2IeG6pCX
MRTRmNZLWP0CYWNCWiMgFN4IL+EZvKhwA7AgWgNvWTUQvBHvFJuq7yBKatV4
7bCD1WhtZB0rnTK8fHl91yrm8KZhP0Q2e2hiAgN6I5yBBt7dSpgSd4KQt2By
gYaLn+efZ8i3Yf1D7yGB9fuJmzGFqBJMcMEhCZl/iBdLXGpA3EhnEtnyBMIP
KYoJrNsbTkCJQCt9DxNwNze43bgr8e662ZUGxdZ9gf5D07vpvLKBSIxa23wU
vPW7+up6/bGC/43W8il3zTINzMj9AP3xPeWS3wc1caroSjmBLjCO2tUkBdPt
T5uVP3MRlCZE+RoOV9RdO3KBI5fCcgn7+CiiiDPy66++YAXqCNzM/DVeWBde
nqC8gmuFTJXPpMvtBJ7h628eeTuhPzfGjLjyidAuWUgEDfEMb7xMwZTWbAiK
BOtCvJMinCYup5KpDZ3QI/iXwha2RGfxVLmwhZkcjoseIzYmTojwSb6w3Ocu
oCF5e+u+l2qrkGaKSzEgEdAAl5orcR2QJlJ7oQgXm3S+UU6yCMAr9bWrKm3O
cCndGCKqqAj0PsXEzIzkbXrtOgxUn98bxXk3aCQLZ7ip0AwwcuDul4OB0LcC
8y9GXnVPkPngeroNDkE53i8j6CRtAzOxEWirqIUeyXwdLGOnt4KsDxtJbHeE
MYHJneJpwYdt4eEb8ok6fFwwjztZFPcOqAYRU67zwn2uOCXBSgzqcYUMxV6H
Coc/1nCHhxVeESllQwk+ll8mkQgE49OUOZmMAQQoh1Z6ZUK4jIuLErE3hxVd
+ZJXtPw0biA/QZ5noarqJB5M86zQjOM4J0MpVUaoG4OiBVlX+Z6MCMh05cHz
OBknp+fHJ+8m3xmhRpZrCp9B7RevZ5Tlw0S9Fgw5MUYhtMCNEDaWH9qW5h2M
916OIUjC3JRI2YTRuLgRExzX60LZCjFbGN0QIHlzjHwUEZcOeN/feDuA8n7w
GMOTYR4MZSfHCwNUHrHZp5B3wBsHS6GHQVOA8GK2mzFe4yjI1M6GfoWhH5jG
IVQLsQXQZXRLFH4OrbjI6kvMR9FYzSoXmceSPEpFDTlfRI232j4JKTiFHnHR
sV5Anlo2ZHCjjKkwLwb8Gwwm8XfWae3pxd0azWR0RPiXwkqBC6rP5T/+IPts
+4PBLYFHy7T7h9Od/FC2ym4aYVXUko66jVvMYmqwiCsCTDELkoP6Leg96GoF
oakpeWfH1MYNVIjmSuP9b2d6EO0dqFLcunuGdsuEdKfyyiOEuxDutrhzGafc
yA9uJRwnfIYXKLs4iuG9wxgLQ1X3O2MeY/Ol3a1rE71228KkRxs3fKj14nsG
Hzy47Ks6OgL3ZkQuoYnmwowhsHJxO2Yws0zdoFRXp5TOCZuZkK9KCXrMtreI
ublcoUlXbRHoj9J/I6Nlh1qwNsuQWi6xSh8/mF6AsrAmJ7Lm87Eiu8Trt2Po
6sT9WjHuFe3hso2kwD+KYq0vXzyFWDc9Cuf8m1o2LT0l2rFefUPMQzsZoDmp
YdFiQLoGt63RNtDEAA740APYSBKmPYeMI69bqpfA01dJyo3ehbWdrqNNl1i6
GReHlCRtKlYqaRyEavk5uXdxF2RjqFGanO8knEBtCk/rMV/BeX9Qc7+RiEu/
tuFgDvVuAUVlq6lp0xAC4Vu/t2hBeduGLQPHcdTGAVdZSDGx0hpV6k295gPL
iFuzChKjnIxvmpVh5ooqCvsOKAYuKJfj/t7gQHY+0TjmN7ygiOUUMo9UtjlT
Qia0dNG+8AJbT6tI0sFWiNNCsi5oIABl2nUluAimf4SqV36+fDqZDKgjIFiM
RZcRf2Qy/OhI5OwqMoQLJ6yEOem8x/oPqnIKbu9luru8PT6HUvFaE9NQpr3b
IHnN7sca42kdTksT86d8Iw6yDKPkWdOUl/eX/eYpWUQuy1siRtFve039fL9X
ooZgBXc4Y/oFnive2V5KOsxilpsTlNbm7OJ+EP8ZGnkm3Q20cJc5RhR8mTf7
DS0Y6LFiEPRAVHeK45LUAjbvoVLlTbvVokCold/hQ/x43qkjORXNTpDuUbmH
BOhWp13c4soxT0vOWZXzTa0vpjGmUkJr1JJ733UXNQaPtMiQEuNTNsQuODhs
aRY6dkZ3cLJ+I+U7ZEInItUve6NKhW3b4uitse6Q1nqgxxdgFwTkln/LakZV
3PANkVvYE6TvTlzkDYydNkOI0LnRcKiAlEdaR65/mIe1AXnaDp0KR7M7iRpD
fyyhnV3lZN8QOqjnBEVq74ESkcMToejZWa1Lzp2ZveBt9MyVi4QtlOhEHhPU
wehfMMJtQrLB+CfKu5iYRcJvLYSxr+KSN4tyQ+iyrFV2OwSW3lsFUrludJKX
i5Q459bgflqHWZN2a2yEg77zvos7aVQRSIZ6NYULxWHCt8ZfHhen5j6Zu0s1
MRu+krRLXD3uWm1GQZ1oIr54TdjMtLnU9r2E4aC+p0s0sctIXwqfHvUmRjDc
2xBaN+UYWBZSDCT+N5S4+FQwOqUgbqTPXuhAJFUl/FLIrNp21oj0E4sj4vYG
F7NZ3SAfQVK1PDAFG8+8L6gGFP9uCiAHBD38Cf89w94T0w0qlb4iiZbyCknf
Zho3lvZEeS1kcIOv9QLEbbgekHagUVSk3EjoQNodlSVhLfXMqxdsTwYfcNyc
BwY/mR4YIdCyElCUkydmyE4zJfY79TF+sk7jNYlXZNMGRRlCb/GsuTBr0nIP
+5tTjyE2MgTngdc9iltw+qsuoMNacsgTuRz8NRe+8b8OTP2Ih/yagc/vN/I1
x8CZ4k/LtW6Ac8R9yydH2MgpUW5Cm7a/4AmgwUDIkxy9mXz/3bnscPhM7K4D
o23YuA11ipAU51egNNwZLgb2ykNfJAkbheaJEKYEb1/8qBUqYOR7QR2GgfQy
B5ZEjKiMscVcNP46blOwYOcPcglvsT8QdCaMPw3DY/pxzIJGzE9+Ii+I6h+d
FjJs0bvQrVutUz/ZsKcOx2aSNZboJX463SCGHbPTGLFuFuoG8ERS1rGtgGEJ
c+c80VgbbEtWtN+elm8E1BGTGJgYqBkGizA+NHoVPXJS7HDidqf46/jp48fF
63foFwPMkyLlO+++/+673dfvdjgWTg2SS39hcPnJjfuPatXsUrV2ceYV6tG7
w6Pi5E3xngP6r0NZTzV7B3ljSKEDnPP10XvwChqiaEHLd1F8ceA9qC++iSa4
lH0Bt0ekkZRxwWWnxBlQKnDK0r9GI/ghpSp1shEPJRMmtOZYI6ivfwbAsHCA
fsSQ9g49aqp0WGRb+0fTpPIU4udi2B5uwWsjF/bwm5NjP2V0f4im8N3JRPCq
Fs1NTb2mLGk4fS7NiRnaiBLvTOFLjw1TQ4Pm/ovBoKQdHQXKJNBK7iiKuulr
ygUOEf19YaILWAtMrZKlGZf5MMj/31zUXkywdKtGTD3lRfykY/L1krf3SFLI
MBH+FYhFgN+1odvMzqxZ7yC9JKVNaNF3QAmfV/7whd3F6bwdVBPlIm7RSJ8h
aAz+J+8P+5RkeXbsDoAcMZDQEkyNoqGqCXjjYEQIFOVqRYgDxflLukmSE6Lc
NEFZ2e2GsBT8yOnq5u+PfxxPsXPLv49zn0x4RCpggy/GJ4e42mW98huAWr/8
OyRwWCgFZJ0YhTwFgOQ0xEnBdzaacwqFqITt/BP/wps7WrpcMoQqTqY0mn/h
UBx3yiZeKg3YlSRt0uC1e5uJAzP8hPrthJsATEYWu634aQ2iSY0/SvJKU0vv
ODUzyKX7J8AGo1yu/zXHfZhnkxQzsS/r4Yl/+wlydJMFhNhiA4IkkzO/6rXz
UNh4x0Yg1MimyMYa63uoQLicvoGcljovQ6nM0QrT74PZkVgd+1LI3KEqMQWq
tTm7hBOdcVsYxVrQPcDO0G8qj4ollNVXJMKwyhKPez7eE9x8PqIaUSU3EXVo
/quQJhQw/rzzpAQYun4EH08V3rJZ6j8cvuXk0rxDj+ch+YtSdpPSHTM4w1k6
KE4oSiqDdy4Xf0YNqoQ8inPvkR+mETpNOvop+fkNDvnngoJ5PxeH2KRhXfzs
fv5yF374/+j/9f/lfs6ZJP7mt2df/+vZ8df/Ovnua/8vLBSyDcZDvTqHMw0A
skBiVXitueVnPZh+Jk5Jr4KnWLkuhW3RG23cmWN1KIT2IgSqZ8AjIkcHicyc
Zvhe7UIl/NT5tXK8Vgn1oFmpYvtKhZ4AyrjKuohwsYdSXhSZFh1l6jUUu0P+
oeWM/EwIYnjjmbJfiLibNdltMgAMRxDLkUupuZnzEnsO3TC5ytAkGv66C5Ne
LzC62tN3MBBBXjcfscRG+jZBRAk4q27IagZTy0lfUkTISuUhRqe0k7EELkll
A0BxQdVEuCRYlHhKT5GMbdyI4FSImqGTD37W0LYtRZbIGCnEDUs5zEPzqnhc
dDBggv2XDS6IJ9hRE7GiDKaCLJ/pRksURXBQpHhqbKhBVtyyJDJ1Dfnge9T+
bCnGDzD/QP0mK6N914pOAENOA+5x7K174wrH8zXAVuNY0RnOsTN0hIeJhn3C
LTAHm4Xpgjm0pnkASxUDNEyG3fq20iGR6l/ExsUOerz7OM2acTSjLYct0uL3
evGp9P6koBGsBaGkPac3YhN6V1ob5AKpWqfzwEltO8HQOmrqAblb7ZyNpZUe
EdSb9E9Mdiobp4u7c5ifm9/tGhLOQBgwCFFCU/uLW5a/SttXUzdKxMyFliSh
7WQlPE8YyzOsWt1dnoEDRgNJe+UyYNC5WMYgpCid5YKORCaHBWfBY+7RQIWB
5ekUJwZVKr6xDRlJB17bjRNT+YwRzFGAd1muXYq81wR9z4rgYVNp621scL0n
ObeobW0HgkYda3UNyfZDkEC3V2HuoQEgR5YiSMSdtwPWKz80b0OyxndOXUEv
jH58/6//Kcqyvb1yUGJEDdb5mf0/fqrd7m/x479vzz+PjNkCYer72Tfu7v7Z
/28va/Ivf+XBlhFGP0y9jo9/8tCbZExLf9PT7BV/2t2FMS31X/7KZ+Z1cOfz
8CQ5y/1vX/R/o5749I0vP/Ebw0v2Hn/il7Le83fu9X8uX8Sfu7cf3iy3g0QJ
M1owcqCjgxyrIYmV7k/BEPkd5vjIA3UAz/rYDK1Hi35soKFSNBLtA3o8ZFSL
AXSGF+IJ7nDO9ykCyERIBPlHOQN4iNZ1h0asNLKAnUfIkwRqW1QAqvrAeQNW
ECrkFEVHUOFI68INRvPWbXR2v4l6q+NsojZPprQOnWxtiz4sK3cwlTz2RSNc
qTsfyxo88R0BMhFUq6tAwaSFaKjRRsIUXgdO9EqQhxhjipqVxc2jErInychz
mSVRy+LxIxP73d/wkpmNRlIPKfWqsfkqh7GQ5YqiJQ6v6nZeKtYSVilMY/AX
4+fcGFxZC5NmOs1C+Ua3ESsihjgCg74PFQxeF9FOIe8t+UFXzjmA+y4RbW1+
vIaH73GgLwhLUt6Y8hbgdAXhoaB72X5QY5KF3+Zl4hAE/4Cv5U8M8LXoJXhO
+9/c5/+xeI8KiYnhvZp8SVKlcBoFRJP5sUIQvlJ/K7VTmvaHj75GWmXBOTGj
Cd/c6SU2WDdX1LZDhTackEMrs2Fg7MXSI+OQxq4SBOHWGeEh7Z8G1TBIZc8D
kZIp/MffAeLFZVHMBKi9vzk+XRaKJ4w2NT2AOlMTS7Ai3H50PKXvoIguTGk0
+r39F8WAeJF3h0wOC665u/RO3zmQctkfcLyoRQzBYDFOlv6ADSjKWUwwlz1E
tH8l6XSj0vPXoylDgsZzf8mFgxGkwPQ6GgWPg1Ug3bj0tjzyMWLHlK7NSBYq
Hy92wDrWaBYhAAHd6j4S1IF4abEhUvUlh3BNVBodH7qR69NEPfNDhxT33bM3
8UlCN/DXh/KAUWBqQ7TlB84bKGPrbsTYOnQuCSzT913WP1WzUOEBMW1YCb7o
WDYRQ7opejurflIyTlahNqotENn4fR1RjMLw9JrICJBYt/F4eIOh+/ERKyEW
BAXF4La8cNksx+OxLqCCcEOO5NLSwflroOkyM8MDXhCmBdzSLZF4ChXnBNYG
WFjyMt4Gg2tsgy4mJOIGMyQrIGVKHvJ6fGCFbZhf0O734lwDMKCZt2Nqb1JR
M4w26FdrimFDTPENWS11/B75Nttwh3sG+T9+1thoUVCpcv1IfnAi7OZ6kMfA
iA5vHdMY9lIBTAQesC70Byvyhb76wdIOT8i9z3xoV+b5RR22On/8ANWw7YxZ
A62dSn64N9oCkkMSu4C6Mmgh7HXo042ocX4ErRUEDbCnFpMy4e47xREAQhiQ
6yy18Sf5ByDptiQ+FyEoa0LLBNxg8FC40yafvzo+L87O3x+/+1pzJOkoYOsi
xV54AvehIsYBZF9UKzROXyC8VnoihfuXhttjVV1xB0pcbaQM7PJej113scfR
Yhd/b0h3GTR9OIzu+Tl9f3L+r0fv0AD70Ync6B7hCB8AnL8l7SXn4gO9CTIX
/G+8pWFEHcvw/AXES1mG6EESzxlY3vloq4RdOlQGBEEPsp2G9hB1dxyUenN4
F7G40WryhcOkoVvv6/3jlUYhgFxlSKk2+Cxt+TmPSJWaMaLDT2Ra9OdJxCwn
H7vjXbB/CtKwfIB7wZ5S/PMQ9yJqTyH6j//vOcC089+FCG6vWsgAOpyE53SJ
Cn8bf4SLhbJuxkP9DD0B+9yMUH2HRv5v52YwGgQtkagKqg5lSL/C3EfvMrmz
dwD2PcjD2jOeX+FDLMWHWLJJ3uNCaHSm+slPH7sTpjAs86PNzkLdpf88xg5Q
iMhm+7i/lzH9QxKDTaaImNifBVOw972yb4QPjjAYA4Zli5X/yvGBOwVT314v
xj4KtzFU0QaxZWdwu8I54rEtZobFg/V9a48Fuj0+G4ZjR8MfJ3P2IMdAahy1
5ijlIaR5UOT5ImyVXhni4VA8SkbFUzKCdDvRZnLfK972X8LgOIQV/+xQ/W41
2xkVO8gDVc3+4lf4bTNrd/LyskC6zvw7sj+m9G/r8Kkj90z6usLztCwwCHj0
AP4mKtVPXxKPov8l7C1jORR0aup9Sf8X6izCnujOo42rdQbEbMpBOX4h2dv8
+5jXoptMgs+iVqaZH0kziy/FaergU4VqZj/Y7ZMWjTX/uphzPTvW/I2Q0N0+
0MRmoNsydgYHBZgqWNqzZYEIgWdzEOl4rMZoIXbJXpRXhs6RgtquEdhz+lSF
wIrukzXC3v/aGqFv+L+pRugs2W+gEcxs9YT0PlUdODbnOdSS/BElAZBqUckz
9gfKV15aPPGIbt/g7bYUk+hmotLPB++y32uT/RaeAJY/gjqzMt73DWwZgBcv
4JJS+c87rMrsP9ngNTselm+ZsRS4fSX3+JmuRxxf1TgF5Eo+OxMCabd7kiC/
zhBHo0uJHNpPNciL38kiX/5OPpXQlSC+hDW+vwsSTgxZMAjfXM5HuHE4iRHY
j46ODIhh7P4xc0N518Vk9jkzEBTNwXjvhT9lwM84NLCjgglVdpSGNZj2Ftml
cACCsHL2iECSkj85I1WdlI+E0PIlJUaRaxO3spopCLvWgHVEzY11MRVSAfx2
EYtoBvx9ghn4rRXGMq8wkgQOPhF1Bm1tWcVPUwgJQvO/RwHkh/L7bP0H7Mzs
LpHF/u3ECfCM9izi/HqCUXwqGMUHIBS7yETQIANGoDpibhl+BlTRGkSjVOk8
FKrozuWF0fUBsDjCCqR5w3XnHbCis2DFogtW1PqIsOrikyCh04wunzNP9Zoh
uUl9yMip7gzlmkTQLai4P0bbLxQmqmPzx6Q8IsGAd+tzB0Y8mNhGmIIDjgZG
qigFcUxGunFwBsltMyBQmbNXYdjfMs4Y9yv+A5gsk8hNVOMW4jcW7Y+P5MoT
b38jS9gy/NKwRORz5kbnU/UcRa78W8w1XL0tYfUtaNNiK7qx6E0vR8lUUypH
jlmz2CUGTjyhLZkBEpKbuiIMPwDf7K1fq1exEJBSwPKboBiAFIzzNU23psYx
/xwjn8HdoIYMPYri2a9XFOuG6RdwNAqQ9bLyCLt9WBstQiIh8H0tkBDHmWJA
sv5vXfMrdc3e+D5l46/4R9Q2OvDfUN34Z4q++bBBhfNhszS//y9WOVlYwaep
HFY4ZEF/usax+iaSg1+hcOhRq+rqcL2aFydzjDcez4zo4cwMOCxKPeOoqhCq
HhskNzQ4Ri3BB9vojhFCkNOPitvj5gqIRha1wkWRxM2PlSAPYdcQpJGya8x+
K3YNpg21GemkTPD354SQNsuWwOGPUWEli+0jzS0BC8TKa+aEITm9rhjs7X4s
wVv8o4Z2E1pQsmihU9kKGzjMpDbAxCXcd8ibB/2ipRYzXmLYZdT/DKeBCXMa
AZG4ZTqBZj7mNeKQCcE2MIR+xAZlmzt73cIYiyHxymb4mxJ+DBNZgz8dvv8u
/tVnEWWMo+N6RkwZx/aY0K0dikXvL36dUfFr/kH7+qCzan65e0YdHGxLu+RZ
VHIqNf6XxTXSV9m5CcS1rCV3gGpsl5pD7FBgBXLWsTevGGfAPyMtJM8REoWx
KAelqO0HocOGclqgQgcpWlXQfOsu5q15ghqRpIighLPQ3shxPIJR42tcmTDG
od9TP0Pfp+Ln4g13YNAC1FB3ioWnfsQQJ37nB/4zVNzbz7czRXWRIddpVL4c
yJtWaD61W2NlqmgGQBZ3da2FCLD7uW8fQNevVlI5s+gQOX30eqptoEBwiBWt
zXwWBi3RpMzES5MP3EuwNha6Yr7+BEt284sXPUPfFT/ITew8WvkahLoEpXUJ
LRGHxBbGs+p2sAuhn8MdSWzgys/nEm9KaPO48JkSL47RWZP5GkkxtIG03UoY
blvxJSPiRY2f8gHoJ0NluR1fxPBLAxwVFRgSUHggXbx5AoN9n+xJKlLUiZau
bXC8K6QLCLYJdm2oROLToVwsGi/adFrGTNFU3Y9Vq4aoBHrtIfcA2sZw1AWe
vKEYEGGNLJcT9Eqw5rit/yX+ODH2hIUgpoJy0w8bP1657cvPLxNnM+Rnibbr
//25QHlGq/Hngt43gLU4LP1K0EJwkHMoF0dbPwPM/dk2PvfKVPVRZ+d86s3R
/v3Um02Spedmy+/gF3aHE0E7cVJFCD7s73ivb7TCNFEaoH6I9sDbNrbLHvuw
jwT2lQg9Rr2SEh6scDXdeQ1DB9tXcqDDYBhmTMyWgueLvAwi9u2lLxtDp55H
hxOXOq1pd2BmvMVGWWLiC48me00O92bNA2EmPT8GTAei/PtxeQ3R2Zv12hLg
KilwaKs5GRkm40aaZ0irwJTuHRt3VVYilG8vsVF/zR6GSlKxx99A1fDnVWr+
TmWafokg+dIp1KQaTfhr8WklmlxByM99WIWm5PL8TdkKTSrOhL8WmdpMvIuC
yP4/3365JQOxpRbrvgRk2cbMO9FZyMmY0KwYWi/iBQlRkJW/bEjfxiKgKUOI
XHD2eXGXkNIYL7ecX43dWSainwkt0OOkMWtf7CGiM2kuY+haeHMWKvgQpKBf
sFUxQAL9f5cDxhHtvnQpoJ/qZun3hnAs8VxgU0M+cjPOnv/IXH7i09IT6Sqo
oJ1uE7SHw3I7eW7IdmZBufdlgD5TXrIZoN9dYLJZJdzhJA1LlYbDiXfB1keL
aQ7oNehi80MRSPLjR2Ph+MORtANVdrXMj/SLoATzhbaZskcxhGJaC4e3sniJ
RE4BsMF2g/UAiFZ12iDxC3dib4fOgYfKiB5qw2u+PBl8NM5rIkxkfhhyn/LM
T6HS+JDIZjhxjVqKBtat3GqdX4zOuD5tYCFv/SjmqOkfpzwjDPbecZ5iItOL
5tndzY1sml8jOmd/e4uiU3yy7MCna2VE+MhoAaqfgIKrNYImcCVrnUnUDBOZ
YR6HLrHXeeQdC3ckHVcyP7lVg1hL8uhtAC6cF+bepySQf0ao54SYw+FEnwRG
8DgguBNAk91H3oLfENMxD5FdwACDxuyM2N41G3PFYNFEJfXaER3NTlkdLgsw
GR3qnYi/ZF+zhlJxsKdhsg83K+C8hmiYEZOeye7dDSmAy8/l8o6C6UpVAK9Q
Cld/3+VmPkdqJrFvvdQOf4tEfHp+fBIcLXGasM8K+ssPQKKNiwm6C1gOOCOu
vgiSh92pDUwA4rYJL1TqQWncNvakMC14uKpM1oIJJNJgsKFXWGPaxIsIwDOY
jscZ54pXkcl4uGafvR1coUx9I6Q4uq+cwshCkVUsjtKjIITtgBTjNAE+cq1S
D33N++iJyAIcgm3UZFqMEUn0DFjQ7jCfK60aOkQ2QyZpFWaswIkuTdjw9XbS
suQ5+gumZIgG5ooYhqxje8jIXNEdmyQDzkM4tC+Lqoi2OPMLPQwqIkmsDYvj
DKJaN+gs8GJ22ySlPV+cjeA+He9B6FvYn0JeRDKtqsiENoRTMNj4kKte4izw
/W5ovD75n0iEfg+XdDrtoQ4inxT+zv96sFMaKHWmn8IbJH7pdNpDHESOKfyd
/xV7pnAfqS3/3q3uwlZ/IVmWzyvpy4LoEn3wm3GRZOsHudPgJd+T9RCmdKxq
eWGkZfMeUNfn+TSmS0l75QsLf3dHSHEA/6VvzcIifwUxSrROW2lR0jMtT45i
6k8ScpTo/h/zCM1fw5HysAJHVEIPpEkJPCn3EaR02VGAA2Ep1sk2npT1dUil
uYdxpEQUGPmp47Axnz6O09fJoG/3sN/YAYNaD6Du/+T/6+5bl9vIkTX/8ylq
PRHb1FmSw4skS+6djZUl2q21ZSkk2d19OvyjTJakWlEko4qUrPHxA5zn2hdb
5A1IoFAkZfdl4rAnxiKrcEskEolE5pfvXr/9NTkfHp6enAzfHQ2PBEFXL9yw
NaUuMHsguwMgMmKEje8xtRZq1AzU6k6LXIekRg7RocidB+3zDbnrCsbh9YXv
cwWgXSLJ/Fuy0pn8bH62GZzexw3koIo512tCuFs0fRBa1geElU909mYTosSd
Ntiy+A3d94yWK3o/txgNKycLEXaRsjYCyaZsZ0FFl8/ilW7na6uhjKV6qdQc
L9IYY3B3w9tOV7M63eXWRi/na8EQC5XwRhVApjJ4HRZwNHjh8HkVKoxg4kdP
ZpsezVaexWqppXMHogGwLjDoxm2xGCUBa8cau8T1RDSY+XdpME/SM56kwTxJ
NyLFBQ9knhbyh+kvWln+Q/QXP1bhX0N/iTa7gc5RG5wF2+3KoIzvwUmwZW0k
iQ7EqO3H96kPmyIkhNoDn3y/VVP4FkXBHrdjU9yIRuU6f1xTEcU0oalPXvY1
zask+hbkNUEvpxf0XpJI9CqnR6BrQT9ctWWX/9TtShIXGwC14ZHeRuh6eHyU
VanRqMbvavYmz1S0Okxrpi82snXDtuO1evEmg+JEUJUxuYlWo4455ZgVAvZ5
kKVlo1Fp53cZeTSW+Cm1ht1q6FA7lOQEt6UbElkHrk9ikvFPljztZMBS3o3/
+ps3iqZ1mzeBxbdfYtY333uVMr8OxXv1WLxXlV9kYEN9vh4nXrTwmfOVBYVL
+abgHUSKHhuHB+0e+WxB8rpWJRMq6FJ8KdZC/KisnX0m5NhGzNlWoHwwsyGh
mzfFO3dLWvwFXToWheEMI98m5ORyA6G2lICTjq2YnwyjwTXgrUS6QscpRYGp
ryHJGPFXm19NzJrDYdQxWFyGPj1Sp/zUmZyhid3MNukauRmgW8sljM38NPyc
jcjDdOjyvybNy+Fwi+IcMOEMgOGcmeMd8tkFg+X6Jc4uTAnWpsxwyJVotjSq
IGV2NUewMJsoEIcNzNrh2xt0L2mmKOgbXkJf0z8vgCGNTbFNv+OCljAgv91r
qUaEC9DewDc9MAAgkM0ECwkDMdOmth8HbGgTmFpQelMNO2JNQ7dwi7o4A+CK
YlGJrGlgLBBSYINIIHEnC+OBGt+UJoFbxdcblXCgNdFAXpoEOVQ3maqRZ8oh
Tl97R3KzNPzJlOQgK33rOeWKGVDju9pGYvpt+yTU7qFmSRJmE6T+QUYyHDC6
mRVyrBwOfyiBh7f+7FjMhQu/x0nmnLOrEgmoMD+8JaFMxXod1CesUlH/CNgl
bqtbP4aBoQj+UNHAmhhQ4Y/fQkU2KJ+cO01w0uZV7BDGGq4IAZO4k1SxNJaO
NwDJLcVkkxYFR+rkRcWBcE1sqSQh9gJGc4zfyue/a6Tk38yh3Kh2DEFAO/2b
4Ql4V5O5BMOGXKyQNMohQhlkLz0obdI7nXYTrqcGyJSopFCyYFwydS6kKM1B
MYBeozEY+2Jv7lWomxpQJ3mJYS32tpuS2QJFbLc6lKIA+lHbOIpg3g7wLaup
IJrCI+YHJOBZL59eK1hu0sMrzP9i0wGqcAo7LMzrAYsOko8+zLjnkETQwd63
kMGNCvhwQ0gVoh9x91y0lB6WPHzALKCaih1wviXofIqPMDu7fs75Gqn3CCfL
9rvZ3ScUaJjwFUWQxdkb54X4iwWCgOGylAKCOPkrSXYwyRHkZGzVWG/A2DQm
MV7BHsG2DCvs5eyTiwqBOqGwWXSGppDQj7cBbNzilUkDLXDuXMnkwd0pBT0E
PcecCn6f8aDlRFPsxlVVUP+JTj+fj5o4pq0VpeElQ56tP+KudjnlpZqNxeWX
TzdXuKLs9zfZ3aGdDQaEpg+sQHDt4XsljbSGc6i1PncodDI3flecBC7MT7wu
dsp70Icn3B4nRvgghjFUMZyO0nm5ZKjoeA6ayCdO5nnN2bjmE87FRp/6Cdvo
Q2tRNhy3EPmCvPrxfLz5Kh0S7mgiHmWaiHvqKSw5s9+Cgpcr04ERbtdGTpXl
bYPS7zA9Rch7nnBGIeI8ncq8WZd6B5lLqiHmqkm1EyPO6l5v9NFD68UXQOTD
hzE71CdPqtDFCpNEizDf0/hTZT8WSWeFien7xkvSzh1bI+vdGNf3fxNLU83H
BYXB9EH6Q6NiTcxA4nLhf6L7oxhQKdMSLH+eCc1qrpcY2syOQ/b3+C5gqpMF
xbYDdwSTKOM6rchWzacaOZNwuGJsQYg3E4Sj2DHytLqjljZJVFWGpmHaLbJM
fXmR/M2s7Dbsqr3E1DLJ/vFDdatduc3+YDQso18Vt20js6+n/3g2ya4WYKNa
u2WD5cM6QddpWTFlBDZ26IjnsKYOrn/MTg+b+DruZHXgd93r6/cxkDuBSLWC
39/FnSamNnHtErdWYWjZR0B9jqetLB69rt1StY/9JVujDkRk+7dt+v5+tfGm
/3tvDzU7buTz/SI2voniTl79RGTjN+3qtbta/YZVXefRvSu2YYlC8O3i9hsE
rj8LdZIqIn9rp29judyvl8t/ljytFfEEnvjli+3r16/2JMdY7PliKTAAcBqH
N4nGVWMDmihUOCdlp8LxwEWkFJBZg0sLhmqBs30rtJYeH5HBSNCEdP4MRTWS
6xg+VMJ9/3h2l7qrWG1kG+dXCMy3WBGn29hg37Ouw+ha9fT5+q+1va06E8Q0
RnfGnfrKoH2gdpgVR9Ngh3mqHqzPhFlRzIqnCWoUOHzjrKGnn1SJvmt+Wsln
D8Vsen0syB3PsCrDY0+rpcY4sNHHsyDU6+4JETeR/Ql19zrjQHWvxYgDsNli
Rp6HqdiwX+XXmBuYIhMqMnewscz93rVcK1obfwNYiTmz98HFu07PKDRXeMsF
XntsJL4SHKmS14lOuMpwG+Ok3+32uY672XjJFyFfvpy/OtzZ7xmp3TAEkpfR
AGee7G/vdcH2htVzMbizSkcs2/k387444+0TKpitlqDv+D3VM7jbIiFug5Km
dKdxnwX9LGZ3DZu27ZWtf7vfM53jW1AE2NX4Xar/LRjaQzaZYAg5t4nwIiHO
V0fEajnt9MBx5pfDk7N2v9sfIGd/SfJy1uxtuYjFcXtWXKdTvnFsDrZMVePm
7hYlc51mC/M2FpXsp82dLXefXMK3+W3+ufkc6mybATe79D59a2MYX3/Q7vab
ly+P+lvJ18bR8NXxu2PAErtIhr+cvT0+PL5MLg9eXyQvXvyj8XL4+vhd4/jk
7PT88qLROFgQvFF2kS2+fG0lFxhqZX+Fn4bWWRO//XI5fHdhKm8lB5eX58cv
318OG6/OT0+An39pA8zJbIoxp4Ys3X0iy7dQRVMEa1lDFaEIPKBeAFF2nm+B
K0Q1QxoO9vj1u4PL9+fD9sHb16fnx5c/nZhR2T+x1aPj18OLS/0CqIDq65vh
r+2j4fnxhwMgOZHCtefu4f5kcmgmSWPdAeLsAXEO9XW1+vI2ByBFcLBsQUW3
czfNveFnSo38F85xr51JJ2AoPRjKkULrOpuZhggFicHP0KPa+9aCezbHE2qA
x3f/AgOUBNQ4wH2ZKwkIaCXV2MKWy8PwBm5NCAmRODkIhWghJjrkTGsl59k1
f7mA3NCmE4ym6ChyeH7yShHjzxd0xd2VaX4HabEDcg4eclCyIdSsQNcyPXz0
xR2DmW68tKg7AkcF4l2qMFL+N94MPnaCTBZu91Z3cdQen9wIwgHPIXhTXtIt
PTqqMdolx8eqpWZoJKi4TOLDi3av+1dw2qjsdXFmm7vAY23Ig6o3SiBNf39v
9yMppL39/QHvv+Wj2a0/46jNhoIbDRRfpNcIpHswwTt62LAnhhdttBLCjplj
HN1aIjocecLZKHys1syma1o2YtryDSkRyRRXryKgv1LvMshO0Ib7+6bZGZdl
c2/bDLwo03GZN3u9wc72PlBmVMLb8G97v7nP1MN2SiAUPwABE2U515O1DCca
MIReCcM1Gl7mFdiCwSsG/qaRHQI3zq6LdH6Tj3j1XiCJzKwFLPM9Qy7vjKhv
9gxbqcFbNYO2c9oyalaeGgXyhBsI+WnDkHf7u3sfJfEVrJw15EqMfsUwc6Wm
GWjhdhMmOpmfavbd/sCRfLe///EvEmG32V1tB5u97n6tUPMGSzlWniDWfjGf
j40fwbyW/GQ2yFlho7ZZgfXU6bLBpOrv9AylKXy2t7+3lxDTtaRUK4Gr991O
r7Nj/nve6Xb2k6ZTS7e46OmncgaxU2hXMdUmoJbX19Hb5XJrPk2tAHe7W9Jr
qP1pve7tRitLIHAFTzK258B7K0a/v1HPvbb6vfbenu07HIik73gcC/qOS7Da
8E53fcPBCM0uuskggTV7EYp1N2ixbrzcslvLT+Kw/Tr61ZPsm0dQ0/Mk4Gm7
xnSbg2qbcD7bnGxh8wNNOFrSq0f9zT2ItYvC45LwGBYiPcIzO4OLJ2MwQRja
nB4fYZbMBnn/E3wt+ECaHuo8IuZYmhz+dHp8ODRC+fNOd/9+YHZzgJLyjiaQ
ZP4r9QNsGTzihxvw2QQfvLYRpaZb7QcwCwvizSSzcIMYO7QAJIZinPxiVs0+
9dQiDz5TzT1rkct0KSXJu40AdMy7V0sM/PKcTxFoqYnuWUZEYwtQMpXDtBcc
0AIPxXGbYrjQfuM/nRWMDQ3QOfmUIA/1K1suK3peenlZHMo4FD7jDNYtsG6h
KzhpsgC2m6RFTqkCGZmCnMv40g+BEZHeYIsJEMPJrMKuq6DrQsBlapVkrF3g
LiBgjsAuKuQ6Ofi1xVlUyfWwBVNHFvPlQohP2KAOyhm0i2eQiR3ffBZ4s8FF
wLzIwTFvRrwHNjILOqQ3O6OlNl0Sdtzn0VBPE93AaGXDPTVjn/6AFMBabQbu
aXp1RSbfT48NgcPi24gtXEcx9tcWSueHj88EUS/5ghv7DQKRqPVqwUnomFeJ
ZjPPX5rf6KkXLQNJdOEM6X4TDHp62YuKgQy6tisXx/8+TJq9Tufk4Jet5PRV
MKaImVdqTr7qAZb+CCvVujexFI0zRpX5/XQWNnn87nL4eniOf38BwCtzdAE9
viXgV0ZFbkW6GvvwHgBK4dcWK4HVKFptWrBamKiXkngYiuHDWLTsBjUAl05B
/bPl+bznB8TC5HJtEPzjBcr609xu18TN6uDVpIl3Y2jfVmPAmKxJbpa7ulW0
AMx2VTwrlzncd4JcFaAsH9cLe0BoswsupPArlnMM1xhl+XyxFTAyBeoCe8bM
fMpS98XsIF+/rpzwCmEcfIGFhBc3byZS4AmueMOF3P7W/+hbmmqbDGN1fxts
WpKDyuhFi1NAMHuu84E/Rhjw+9v2x+T08HJ4CQgRx+9er6RNwJeqLp5kXzIi
91OYgdTgR+6uSN7SolTEnNKMS9skkI7kLm74t51NRxIGHP+2+wQaTKFcaUHV
BCYO70C061hLd9ASENLnlVmh8MQQXgz2fn/1/ah6qUqn1L6CXHYV5oTaQvEI
sog/PbqFF5MkYbsdfD0Mo/7tOe4br2LR1VWmxOr8DDXiW05BoZ8XDromZzWR
sSGwhqbCCkSSca+Bn2+WdyleaJXLOwZZhFLabQl7vLdi86qVCFAcrjIOpmwL
1ANcNT7Tn/vsMTY6e+qPDQ5UKaO43BmtjHMmrBonbaR2ElZvpO8vX+1dLAq5
G4d+Q6HM6FBjuvs0b7T3QMeCpQiHjAGaShqsPvhaOn3cGnRDRPUjI22JZlDi
knFHqlqhbV1B1KuYR7GKuVTRs1VIUL6tIVYFg8fB05HtRn9lN6KghVSD7cVg
ZS/CGlQn5r0u9QMEbRIzB7ewCjEwO8MZmkGpjtl8nI1GJOIgu/npUQZAMIc3
5sTCmLwtU4d5L8Hfsul1pkoWJOJUSeiiLcglvW5D7iq78lfQLpLzjYoz5WAZ
riCcV1w3X0jz+2ubPxeUXq8DhXSg18X91LzlAIxbdRWoLhSWe3qGBc+ze4eG
7UZgajh3yXp0BwrHwH0uHrZeLa6ZV7j3t57hvRXMi1A5hxgK57HuyBJg++Mq
1vXK6w5QgguowHCdwMOGQzAV6MQgycF0SjvIiApD8V1q3zyqEEAvHVW4cIWf
I/FiZX3iuYaLifTb8N7h+duasgDheqAyjtB6uc0hKBcK739Uwbd+BaawitzF
glOENodW+4bf3uE3prYq227TE4nvk53rjgbb76EC73DWvQ5LQqeg7JzL9rFs
DZfZZFB6hsWHxhQ2LDaEb5Gm22184jVrE+H+1mfmitHJn1x+g8XSZGKYFVo2
vHVG3yLMAU9gc9KMTWXnUHZXysqYk2hZHjLtnuroC/vby2NR+jCrFLlunUFk
+MqDeO0JXPZO01g+bp+lZfkwK8YvwbfxJB0lpy//z/DwMjk+Gr67PH51bI6q
0Iy9mPAvc7DqZZnSjc50gbc5A3MenZZTuHKwJ5Wyubu7BUEbXxtnL09M743O
vYifmst0EkKseaqvVeLIiTM5DuwgAIQh8aKT/A4yaiL8C9qzSnPstDqc6JWs
X0AKKYIE0+gmjBUA8boO1UDdZhjaZQVhGSKiJaLR5eUt1G7OImbnh3BogHuF
AMZ0sUhHtyXJgdnDVTjQ6HGx6u5Bp0ZLCVPo2KEanE6z9s9G95MkXKStLNjV
89CIE6Yv2yLcuYEypwNZ8js+QJ3+/CqhbH/mQD3+3UmPObiIfn8u7e8Mq29C
+8CxRh3XLd3Z8izmsQM/yvRwNlYw+g1adUc//SnrbdAF16uf1iy4P4AN0zgT
/oVER9OA0aXuLOHRc9R8V8RBhzy6xvTuKRtB0T9URu6aOQv6FZm02/HVejr6
bmA188WUBA3pyAZNuAx+jorYbEYbKB6w4ezkGSUq52wPlMgBEjkDlj2i8bG0
cho1BwV/nGJAlYOkbQudTFlqwfECElnS0G6zRwwoZ/dqMOLPl/bG6M3RK6nC
JWfFq6T0c363pHASv0LDn8nVSsb+k7jaYmUhiwhpiEME9CxYb82uI9njbJlc
zyA3YIo+L5DxEH+0cIekwvlQabamXrUmgB6CC6BrI/9vs0iFP9qolHZbYUhG
kO/TEnQ4BWMjYQwj3kYc+q8/wL7fLboSgcif3Ghu6BKlkUiySZlRiAe7WN8p
LfIhzRHqK6ThYEuZkhzmPSpZgGmBUSlgOXnMFoS2xBDy2fhHztcB90BcxQ1k
/cWOUb4OzD3xAnFKzTcEBccrJKuuMBgc05ADoWCtLRl7Z86apenY3wujiXoo
SuJHpTZS8YPe6Qw6/f6Phsk8Lympjim0BKPh5FHbbaxxfZI+mj5DXxBpCqGo
lgu6opR7wSK7TovxFk+inI9+TouppXVzeysw1vnQRmBmfOACaK5PdUpa58qT
3wFyGysN7g2jvzhjSHNnS5lO1YNqxTCtmEq1YPLdSkYSr/dJc3dLauRc8IK/
NYaLQJuM16aF1s5tUlLBPrNZLc0nywKTnwQnA7Pk4SI5R5zjDMPEIL4CKC6x
SJT69SF9/G/w6skM76PHmTUT2m0P7y3pJjm/+jverQgKJKlOn9JxAMfsS5Xl
FDJIXE/hhgeujJdTl+U5lqdHKpXD6E02uq0IGJesdYTPryjVNKdFcqin45xM
lhTbtyV1n0vQTExKqEsCMndCCobFgnpv+y5VBeiuvjTQF14PLAPK5ZVhKbBk
GxHL+FiMV/RohN8datvucqe0vgqfHsl9AdZfPnqUDjDLqA5sawYO8Lvgdh0B
lZeQ2CJdjG4csBUHjI+KHHdGaQC8415RtBA3sOPLuzG4z5XLT0wlCcHD2ByO
MyLxCT/AJjYrbICXWRpeXal9LAZ4y4UiViHWwYawSaZEe5KY8gVFmJ3DEPk2
48PPFC91Rgv0++N+PI/K8Kz4oaTx4emEy1HWJDOZafGY8HmCcdvvckwMAjNu
tuI7tHU091zdNvgGz1T4BogzKpV8Wi7EBYK0jsIOrGmmnybecvHZ6Vmw7Pb9
QcwjgNK0UqxRBAxSt0oraPa6fh1eCh1w62PJhdtYQaU9E0te3Nn6jHL7hNpG
Utpxiw3tkvrUOg0iwoWGMDXREFiEZZLkocIuBYkHhNp1QsUhFSc2P2hzzraR
xEUHoyQyXJKO/TxpgHwMZ0yAuk+V1OErLLnJa/YG3l7D/XBXXXh11pI8LDJC
UzutLckDRaDSZhc7sIGEWPu2T/zLiwPDzXiLXc6WxSgjjLZFEOG+nIqueIb8
RnXtxNfHGGplxpTqnHznG0PzSlCzDdhJwJu3pmYHLL+uYrNbwTboUaDZC5a0
OnFE0zyydISGPtllh8pNuZjNxpSNM0IvM7MXIZh0s7cXm1lBsls9rWAa0dLd
S6/Q7O3HaiZouYW8OXPVUmIf8KgND1OIbWh6vRCQT6i+r9Y/vWB96XhFLKeE
9clrZ0GFiQ3VXb2ZEUj6ZmoMZIDeX1XavLwM8nwwy9hJ/yB5I5r9vl+jZJQI
OhpyDdm9DY/QHvNPJ6b6gQbP8yRbduoKmK36Lr1ltRpkw1jpvbJDgRMDgw94
7yWpOyPSZv9+irxk+7EdP0nA3QSyJecEsn7VrDIsp8yS5BPm6mcd0dYfX8Vr
67+iarDoeDnHcJ6MFVKq2Gm4nr5h6xU03WyUEmqfrSZWThgBEXpL72hr1d3Q
TuwBiNvXW+ohXS4nFb8A307hY3UHerbnI3Z6+hJdQPHa2Xcuk2c/peVN1DBv
fhetGewmTzGwNZKajz+OkdIL4U66oidGS0HHPqQT+1RdN/A8yRu5h1cN95HI
UkfDc7qyt2dUO8NlNrlqM6Cqnm2LR6qkAfb+qINTH70+9qkK7n32Htk0dQpI
9/IDLEaV4xKWp58uFL65DsEKVYu5yeon+gWRiZkU3NKuHzRTw6k9x5JhQp8O
2hszidk6R+QZGyHhmxZdp6tc872W2VrGqbBBu12BWJWjYG52Q0faH/Fsb16b
sfJP59U2pQw2Z4ISKDRVJaCimhlt5ldcmGtDLAxqF8YuSKvIKndGT4RbAQI+
d3IY6O/a0mlQt/C8aphtaibGH3t4n2TFY7mcEBz8fI4WDurLNIOskNbmlzRN
7xB7I+XClCxi8tiW3PVje7uSHHS0P2/qzjJcVsx2Hr6shdG0Y+ugwB3Zoa4e
TaUy515qnTUc7rHhTwf5L8TQC+gqQSZuElZMqtDFPeQkXvvgmq5Rkx/nGc2F
6lg65eTcngXZ9pTcWsOeSiV0/0TItI4iyER2zhgnP1iGZBpqI/5+Wznk2xM5
hvkJuCRokOKiLRVyeQbLTZKgARLvfuCZds9SJJAltGZ6Qsr5UxonlJtSNphV
5zXjVCN2cmluD08ugt5bfCCug8CwLEaERTevsEKFCQAtnuoQE4dne+yb//iu
Ji4yOc4OHwbSUsoArqwdXz69n03urb3DgXSb2bbKmssBgX75jpuKkHXq5BiM
KZ9WLq39C1aRMCwokoqgSA6SJsYU4DqP5kNSjtiqSnrVHPQQ9BpQ8Tl2lbos
fgBb/taq/KsqOyv3SPZV6eBfvatysI9R6rL7GN3oFsGcxwliveHRR84Kvnuv
k64UCO08kGJK3Cg9MxscT8bvFHsg/r5BrhxP0dEZfL5KR/l7rJtEOE/3C+/6
8VizQNBmd/eiNLOoF7QhtDJB0DV+u+dvuhA44zogJzIdu60UxBpfa8oFN0Kb
9YSs0+SluBXR/OnjHRecPhxmojmM/BbMRDmvJO6JeV6HLrdGIE5m17OlBYYh
wAKoq71cXO1Ba9bVhMWflAVhzu9ieLE1/Ev0aO9jw4FiuM7XzP1pMZyO8KBC
n0P9m4TcoGS2iepoz1IwBREehQvSLHNdoj2Iwp0wH4acAjr2BoNR6tBmG0AY
GCp5DSI+J/vyzqw7fVAIxLC/Oalw4wAkR6pwKAryy3sLeDe6mYHVLmgF0tXG
tAN7rPGVBB1MRcQNcmuDpIik3PaOlt4ceX7Nmpdt/iOYL1/EcHSUjISnH5rW
ZF49M8l/6akxVA69bNfbFVZKmGn2cJFfq5UWnZnwmF7N6bR6L1l5irOflW3e
ksCASHvXZv/72wwFkuZozx+5omKYp0eUJRbf5L/rJJo81g1byBkrgSk21jkV
gDkLNx5k4TuOgcWoTswh/8mwSHhX0UGpRhuQd6PszMb2gobuHin8ChDS8ikX
LNHP5B2504UmZNrDRsVkOF0Uj3pkCtSKzu/wY7jPKOs1V+GKNYTsG/P3yijH
kN3JV8BX4EBHF3OBN+Os1twTs8OqWKEskaWqst1ArHZ0OqDV6nz4PaNxWmqX
6xdaCDQVCasREwHqjudvSwiVAd8RvkT3LttR4RavdOfiHXXBm6B3zbvsobKS
W6hnTcawq0hyItTSIKsTbOMiiaCCU0ywGqkAXw4qwEqDCmI9SOoqsD2gM1vg
gF9n8Qpfq+51jmQfGAezSsUWnSLBEpQKD+iCA5LE57PZ4jB9I14awpsYsg/j
lTM0+bVQJpbIlMENtG0raeFlBZw4o7XLDSEfKYKZD+3GXujApvtRYO3Wll8t
IgVlC6IdX2Z883tAW0AQhtuyN1vgRHKk8ixGXzQLKpTJMfEVLiAM3oaFY1OE
sxA19bH7MURapiUEJ054tbeSbDHq0GrSsRJVg7C/fPEOwff6xyKQ3brRiAVA
4GOdwlQdQ2W7sfxn8Qh1NF4LSgw/z1MIkqtFMGunk4W/haEHoP9b4l6+NhPp
F8df0GcQfmjRQZseFiVw5Nts6hVRv4Kmdi5fEVAN3BQqrq9sbIkPP8Koo/Di
smarRuOgOf9MJnwrYAs5LAUdq9cmkI8Lyu11JinGUYXm+Mup3b5tXWj7end6
KdY+OpyinmmUoQujFiTBR5DnKtY6sndLGKVoFBGfJumurWlN/GOUg8SaXvqH
ZoC6U6dB89JXBZTpBYRiowFk5hdCKjFloszpYDPZk9l/+h8N3MujvJv8h8+o
6rviOcJJadTV4TUPjX1JLn89G4ZrwnlcHyUvf12xoDi4pe5prf+2LZI8R/oG
5eCtVZMmMwbnJXszT/7w+gBHuCOoJpj/ISbL/UCWhjNSegjBPo3r6cUSYRWl
oIKQPvDbBlTp9Ygs0goSZFOAA7Af/HTw9u2mq0nT6fziwNHA8lUtHTzxVk8L
V5FPD/f7JjTp42nHa1F7Y8uK35wEZrDK6Zx2obiq0YK99AJde0iuw1fSFzyB
7oNbNWr0lqpM97TCpKpa8phAESxMnZAq1U965Sum687GpirCQPJdGCvJTHmR
SJOMoS7+K2NnxRQVF+oJ3vZUbrwuj3ds036xir5Zv0RzjvSLtBya04puPJ4r
Z3egZhxcFi8kwP/CBQh/1JcHpbTiYgf8eWdvMZ5zy2LwCEwqHEmbIBCvd+gH
L70wA4tE2pzCcsYfauNsqmWrfbvN7vyNOx75clITqNSOxL247DRwuDyxd5te
7MsovODRVmHZ+Z13IgeZiLuqzoDjxY6gVUrRJjIZEF43El+WxHNnCa97nwHQ
mhk8AvKHQCr1F8USo4O+VRSHZzvu8l1YPA9xkeQqgpWgXDSbowUgVcazwm0W
S6S0sO+JJDJkPn736rQN20P74N1R+8PB2/ek7eBPTsJDKsoAYiNyKsv5Hfg7
UnEnakD77/m4+eVC5Dw0Y7Srr+yhBTUKosfmNUIfInV++d/Swa+A4NkIX4i1
wFsbq2p4jsHE2lXIEb4ytReNLfRjliS1GPmZIcLeYhYmQm1ahDQbDuLh5tNF
NN4UgxYcBIOmnOFYhYNuvTAvEoCg2ZTBNpxClLS6AanZw/HtpPfVgg8eHqiC
DlsldmpXzYFoZ/MnIsyvbq7vmrsICkqLK88MG2M1xoQiq2Kq89l05PV9decH
rvNDv6Cl1p/ZeThFZhCJc/F4ByC2qzu/7Tp/FhTUlN+s6ZFTnvgqZ1XTO5rH
vIIe3ap2J1usXdPuQ+oZph6URcvrLgQsTRdgd6HPyu7uqu7agmo9SHcDa4tq
T/nwIt7m6vaeu/be+wV/Z7aKjlz3m69JMPAWHV1Xi46u6/gbv6TX8Sc0OV/X
ZK+uybnX5GZcbDZ0gH+Y3xQpeR6sblvJrnNdMhCV3nWjY+BvvXFUVWgo/c0v
HVUFgt8d4vzCs2+5eVTFI85j6vJRU10SKLBlch3VldA99kt6M45GTb3k6Z2f
03xBAWurW1HS8dAv6bUS2IJ1g4bfrhVI6LoGlUw89Uo6bgqNsXrTNVLirSHs
ZXpdxpe115iSaBeqpJZpoS1ZYZN5cj+4u13drpJsh1TSF6Nhu98l2ZLwdB7Z
Paj3ETOvlgq+cWDdGPeUVPBLepxTcxETdjFsfHVXR75tel1X99V0+CX9fThq
8a5SM2h8E6oqV4HVamI3pGqgkyb1ammFmtjoekIa5fcqn2Sb9K7nE5JLet37
XfkaPuGCDGZCer9mnMWEbB5v2RNi9TjVjmetJVAy2PF+13G6lqrj9Hq/dqSB
y/vKkQ68kVbF1O880qju6I90nZiqmorWDfLy5ZGnPgXlecxQoGquCDtYbb3m
tpvOpggwoc+pkJOjrre2sbW5QOybq1PvxPOBICkYCZ+JupKC2GXUE3ggCHlv
MfTRQuOlLDVqGPk5orkTsgAkgbByoPAWEd66moJqZ91SXa5cxJ5nJNX2fFnM
IZyeL5FThZW35cqA4YABDQAJHtcV/ATB/WI0UgYFyIXqQdxV3aMDe0iDxoIe
IOgL8+kxGQ5byfkBQuYfHiRNzzVeY1lAVzuSyMBaUp0taG5BgIz2WzHEwMU+
2lke5znlOQjCChB/gy2dGZlzSrahoM+0bZpNeuiuBNC6iIh7PaUEUo9iepME
CoRMj+vWpqKyoA+Q3/aKCEHK/hAqOzwgUxAFfZQZFpaQf4XTbagFzjTgtE0M
+vh3MzAvgJdbR6ixjKerzucpNl3hkIFz147VDpTu2mWsjUaAShgFgvdiGe0n
4mKFgIeI8+N9NGo8i/MK8LWHxeawbwlCEaE+XAsV340IdHLou7G6AfbnEDfl
iNtF6KnBm1zD/V3n/YcxlUkNCiDwDEQoWv9+7fnkUlujbxi+5wNa0VV77tCy
EUuCTpacHzyEMbBR/xVn+9VO9iOFyLnC0R4Ae5TjD7GMHw1bjeAE89dTw0qj
7m0+iWAEYI31IOYh5opnxfqFE3DWu1MXoAR2erNuyTOSAJag/kgHVTBBLam9
q/XqNEJkiwfRWeG4DUIk1Dqz9dUKlSfVxz5TAFxzcLUIwnpsnCBOQY5Y9LB7
G44QnCvwh0rCj16x/hUc2e4ZqBsukpecf1zQFWA6bS7gXKDiKbEZ7o42L3ir
mtUrzEXraWcgV4dv3pcW4siIc/Q3OsDrgSKj4DXYFg5PDlsa7cbdUu9udzHl
lKD23c7bo7uRqWnFbfztPOk/p1Q8tsT52hJ7poS8/ub1utcHeNM/fHdEiZch
1bHKXXbIdOEEx9c2zTzqSamkApbMA+OMkjXZMFu4zgpwDVSG31dAMnnce560
/5c5er9oNP4tOeKKJqnRmkBdwKx8UIVNP3zUGRBKZjmb3NM6PDq+OHx/cUFT
cZYuJ8nPsyVkQWyEbe1iW8+xrYPxuMgIZaK2AtB+kNUodBLvQq8kyq9MBp2e
+a/fSrY72y0M+ttpJbvkvWD62YFm3nNG5+Ozi+EhNH98Zmha6dkO9mxX9wwK
DS9eg69wbpROG51CikiR3yZvJobbWsnrJejKyYcUMrQnH7IJ3GKdFnmWXCwy
Q9FW8u/pTTZe/vOfKYDcX6TFLfgm/r//LMyW9+FxOrpljws99JYZOMCdeBTG
i3h6rUhzAJIJx7GN49gJxmGGfnRsxMLp2QX+C41dXnw4OL8MR1epcIAVbmOF
FqPVVInaYDbODcsCDqLNZH1TzJbXbLN0XNey6jFqli5UszTTZiaxRf90BvTH
QOazT//s0QMz33v877486pt/n7eSQ6gDvVY62zj2CblJkKa3YDwB0ZavIJX5
OAf2vis1l2BsJ7zB4MeG038wguwHeOecc50CSpRK4wDvQF65IdICa3uVfxYK
TXO82vQjU907UBfeIAEUodQEORxlLdOF5gleaDYqk9PHyRm8CIcQ5P0Cg277
6N0zvyOG3kgxtbTpBxLTqZsyqegG07tnRgL/3UjQEuIdbewpObQDmAzvcmYw
etBmCklyjCYpqkKUHRXCYJMm5NYynANQSM8gaNiCHZFnppH/vmUet5fDZ1vM
5UzIu3wKugXWL72OkV4o5QiPS3pcpFeLdp4trtoTc7opMSnobXZX5HpiKnPQ
wznoy4qjmHYnOyNk6GsyHE/rCMEh6a4TmAft5MwrQjSQEakk8akTr77kOl+W
pd/Qz6+TtyDwD2E+gdgVShRXI8g7+SmnYPDY893nvb55Tv2xGgOy8AggfybZ
+Jp6URI5OhVKdpGSPY+bhXbbMHl6UKTv0u0/jutydmc0gNdLo+rel6DkICuX
gkGBige6vRwPL1+ZZvZ9IqwYc/vedM3vSJsyH0N1UzpL3gPi5vR6aYQH0MAf
Wncfh9aNS1Hi26osvTMHrcKcDGW47Ipiu2Jk4jYJPeQsGuwMrBiVsbbsTRJW
Hu93xy0nxbU04MXDzFD4aCYmkAL9Kcd5OVoiNFyLgM0kWn/NzKyYlY6/c5kT
oVHa75Lne3t7FaruAVW7+0hVuRMMFvXx5fv2JXvc8Sre6e91/bnHVXVfwlN4
+GyrQ8qQvQyPhXEAGt49ZTKqjd3Aij8MvJkxKg0SpBNn821CCpzPCjoe1dSN
8HcWWJXOViR6zJFvVuaoSXJCrPuczoPOOVDS6Xas0odljZDnxJ9ockEqKn7b
M9LLscjxwbsDNNnlY9Hw9frEx1laoIsXqBiV9d5FzbMLmqfasPEwW5guITvZ
hK1t+XMQI5vRGBTvopo45ZMKqL+e7xo2AD59n/A46VzSLNafJ7LNLkmb/31G
PsW8PMO3jE5CHNfu9tngSKmqLOQw69bYPd5m4RmKAEpW9Hk+Yd83RHpMcaoy
cLIXIDuHngosb0g+m+TRbR8awHFfYSYMSLIcmpk7TK8UbareiDs7YP/FXHnQ
m6qFmrUTnYbqCkFUoV0WjDIPqDXMnDE2xF4kxoW8IH/HBB9IRZ+02z61Uf/r
7QENLmrU0HBytn1VZ5ikeHh2Aoz44ii9RwzFkrE+/jbo0o7H78EqWYisem4o
CEZqTSoLFUPhJMov0XQpAhnvnDVT3NydLSxc3rd3QHWrDqiVCHKZ4/5hoTnw
UkhkMFagJH6DVRq5Kg2XY6YcTzf1WWTA2MvQHEe7+bfv1QZ2XAOg7UCXgRcw
g19FT4JUJhLEM2bwjZHl7SunYts+lhzc+amY3bL45zTfLPphP+8Y9Ymmi3Rc
wfdkOGqRGUX6ATPX8lIjbR2hGPAIFuBcAzvutFQ8JzZuRYWYNyIa5rzNorjd
226RfXg6S1AOsAt4+5ZjjJU1TMPvWcDCaXCF24lqhi/VtIkUHMekIHlPMjkq
SD6hLMeTffc5yXJptPQYZltvD2mCvUcLElT0Nk9n5v/+73KqRAbeQZlNeJFM
AHVrzvey05QyikDCOAtvUdY1DGuf4yKgYcDNNWQtb6gX5hBTZKiTQjNAauBK
OE2kxafcSFAA6YWMh2xGgQ0dlJvl1J6LppNHfTxEn/wZm32ZbZeENq03SzUN
pr5POWBlWkww6MNPZ2+Gbr3EKynNnkxnNrM3OwKUtPse+q+SKRDrR13IzAZK
/lOzKYqJjZmx6kcLL9RcV7pOQm2pE7HlDfnpOsDle3PmSRHh44rFvl3/Ykes
cqIel9cvMAvbA0/IkGjQ6e7WMyTwRfbZqsNAbtoDaPGZjv2PN0evSNEqZ3bp
1Z8Swx6gKaa7E+1BWTFz0CTuP+Xcdtw+MocrqO7FqiNbu7vdWXxewKnE7yCa
drrbrH/hDDo9FMjjWDQU19USQlJ1J6mESTDZMFjL36z4ecd0qOZ6aVQbRKFH
qQ4iqBYujO8WcP4CTLKyYl54AWCSDtd5XaUV88OzLWIJUeA4tfhq+uDcThmX
WD8AI2a/upfq+KFLTImQwiYHMO4k68RWCxYuIzusgD9EluXra7tbtLuDmGUq
2LF+OXkLPHFyRBk+kU9CrkGbU3fgs7U6v5j1ybYNp/l61iiQEhLz/yyI8UI8
YhBzc7P7zsb+1PEODlYIRC+m+w9J7aziy1Sd2kaEepJ3sh2o0/PM5SYw02t4
ErmhsgRMJ2WSYye4EmvrsdlSnc4NWfyDnVizg/kz9R9ubJkwdMBBYd/RjqtN
9Z6BLLXDV6qATlWrImG4Lsl1vzB74HyJO2Yj8XDuHDHLhDRsu4pDtkEzWbcf
EzYDVg+0Hi3hVOQlSjkPBd0/LnxAI1XRQ+OsHBW5hZwMXEplALhlNyDXXZFF
Dx4+9yA0FbEzcwSed9bJu9gs6BUzWDlNh+j9MgOkTHAroNtxtHTALGnVw4wK
1JhMB77SUZRiFNB3wigwB+4x40u4DihtWnfiiPyjEaYlm0wY/MZobNc3i4cM
/h9rZtc5Q1FtJtLhU6ahl8XMKMQM4TcyUpUoTymAjfgreMtFpx9Mj4CNS64E
30CUj1GQXRle/ZSOboOLBru9Uwt4w2bOVm+PDs6SD33Km0NfBkkT5MtOr4eL
5ihnMSljcGdMJxz4FtNIzZDb0ZTZ7RG3nxGcN8qViVWx/JB8QzvRcYQz+v6R
9QAQLXXP1vXog+2M6QZeHEr3UIcsSQ2zhkWwY5GAdQ4FLtaKD9Y0IHWCWti0
G6VNKiSXPqwBp9Pb6ovcFDPKAhPzPcyK245eCp4VHQ9f3DBlW3LmEngGs39d
YGqSsCPasGlvnZkbHqluda3aafx/LfGA6vH0AwA=
<!-- [rfced] Please review each artwork element and let us know if any should
be marked as sourcecode (or another element) instead.
We updated some artwork to sourcecode throughout the document. Please confirm
that these are correct.
In addition, please consider whether the "type" attribute of any sourcecode
element should be set and/or has been set correctly.
The current list of preferred values for "type" is available at
<https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>.
If the current list does not contain an applicable type, feel free to
suggest additions for consideration. Note that it is also acceptable
to leave the "type" attribute not set.
-->
<!-- [rfced] Please review whether any of the notes in this document
should be in the <aside> element. It is defined as "a container for
content that is semantically less important or tangential to the
content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside)
.
-->
<!--[rfced] Acronyms
a) Both the expansion and the acronym for the following terms are used
throughout the document. Would you like to update to using the expansion upon
first usage and the acronym for the rest of the document?
Certification Authority (CA)
Certificate Management Protocol (CMP)
Certificate Transparency (CT)
Diffie-Hellman (DH)
Distinguished Name (DN)
End Entity (EE)
extended key usage (EKU)
Key Encapsulation Mechansim (KEM)
Key Generation Authority (KGA)
Local Registration Authority (LRA)
Message Authentication Code (MAC)
one-way function (OWF)
Public Key Infrastructure (PKI)
Proof-of-Possession (POP)
Personal Security Environment (PSE)
protocol version number (pvno)
Registration Authority (RA)
Trusted Execution Environment (TEE)
b) FYI - We have added expansions for the following abbreviations
per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each
expansion in the document carefully to ensure correctness.
Initial Device Identifier (IDevID)
Internet Key Exchange Protocol (IKE)
Internet of Things (IoT)
Lightweight Directory Access Protocol (LDAP)
Organizational Unit (OU)
-->
<!--[rfced] Terminology
a) May we update the following terms to the form on the right for consistency?
certification authority > Certification Authority
registration authority > Registration Authority
boot-strapping > bootstrapping
key encapsulation mechanism > Key Encapsulation Mechanism
off-line > offline
on-line > online
b) We note that the following terms are used inconsistently throughout the
document. Please review and let us know if/how these terms may be made consisten
t.
Protocol Encryption Key vs. protocl encryption key
X.509v1 vs. X.509 v1
X.509v3 vs. X.509 v3
X.509v3 certificate vs. X.509v3 Certificate
cross-cert* vs. cross cert*
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
Note that our script did not flag any words in particular, but this should
still be reviewed as a best practice.
--> -->
</rfc> </rfc>
 End of changes. 419 change blocks. 
3795 lines changed or deleted 1387 lines changed or added

This html diff was produced by rfcdiff 1.48.