<?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp "&#160;"> <!ENTITY zwsp "&#8203;"> <!ENTITY nbhy "&#8209;"> <!ENTITY wj "&#8288;"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.18 (Ruby 2.6.10) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lamps-private-key-stmt-attr-09" number="9883" updates="" obsoletes="" xml:lang="en" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3"><!-- xml2rfc v2v3 conversion 3.28.1 --><front> <title abbrev="Statement of Private Key Possession">An Attribute for Statement of Possession of a Private Key</title> <seriesInfo name="RFC" value="9883"/> <author initials="R." surname="Housley" fullname="Russ Housley"> <organization abbrev="Vigil Security">Vigil Security, LLC</organization> <address> <postal><city>Herndon</city><region>VA</region> <country>United States of America</country> </postal> <email>housley@vigilsec.com</email> </address> </author> <date year="2025" month="October"/> <area>SEC</area> <workgroup>lamps</workgroup> <abstract><t>This document specifies an attribute for a statement of possession of a private key by a certificate subject. As part of X.509 certificate enrollment, a Certification Authority (CA) typically demands proof that the subject possesses the private key that corresponds to the to-be-certified public key. In some cases, a CA might accept a signed statement from the certificate subject.
For example, when a certificate subject needs separate certificates for signature and key establishment, a statement that can be validated with the previously issued signature certificate for the same subject might be adequate for subsequent issuance of the key establishment certificate.</t> </abstract> </front> <middle> <section anchor="introduction"> <name>Introduction</name> <t>This document specifies an attribute for a statement of possession of a private key by a certificate subject. X.509 certificate <xref target="RFC5280"/> enrollment often depends on PKCS#10 <xref target="RFC2986"/> or the Certificate Request Message Format (CRMF) <xref target="RFC4211"/>. As part of enrollment, a Certification Authority (CA) typically demands proof that the subject possesses the private key that corresponds to the to-be-certified public key. Alternatively, a CA may accept a signed statement from the certificate subject claiming knowledge of that private key. When a certificate subject needs separate certificates for signature and key establishment, a signed statement that can be validated with the previously issued signature certificate for the same subject might be adequate for subsequent issuance of the key establishment certificate.</t> <t>For example, a subject may need a signature certificate that contains an ML-DSA (Module-Lattice-Based Digital Signature Algorithm) public key and a key establishment certificate that contains an ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) public key. For another example, a subject may need a signature certificate that contains an ECDSA (Elliptic Curve Digital Signature Algorithm) public key and a key establishment certificate that contains an ECDH (Elliptic Curve Diffie-Hellman) public key.</t> <t>A statement of possession may be used in lieu of the usual proof-of-possession mechanisms.
The statement is simply a signed assertion that the requestor of a key establishment certificate has possession of the key establishment private key, and that statement is signed using a signature private key that was previously shown to be in the possession of the same certificate subject. If allowed by the Certificate Policy <xref target="RFC3647"/>, the CA is permitted to accept this statement in lieu of proof that the requestor has possession of the private key, such as the mechanisms in <xref target="RFC6955"/>.</t> <t>Note that <xref target="RFC6955"/> offers some algorithms that provide proof of possession for Diffie-Hellman private keys; however, these algorithms are not suitable for use with PKCS#10 <xref target="RFC2986"/>. In addition, the algorithms in <xref target="RFC6955"/> do not support key encapsulation mechanism algorithms, such as ML-KEM. The attribute specified in this document, on the other hand, is suitable for use with both PKCS#10 and the CRMF <xref target="RFC4211"/>.</t> <section anchor="asn1"> <name>ASN.1</name> <t>The attribute defined in this document is generated using ASN.1 <xref target="X680"/>, using the Distinguished Encoding Rules (DER) <xref target="X690"/>.</t> </section> <section anchor="terminology"> <name>Terminology</name> <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.
</t> </section> </section> <section anchor="overview"> <name>Overview</name> <t>When using the attribute defined in this document to make a statement about the possession of the key establishment private key, the process to obtain two certificates with PKCS#10 is as follows:</t> <ol spacing="normal" type="1"><li> <t>The subject generates the signature key pair.</t> </li> <li> <t>The subject composes a PKCS#10 Certificate Signing Request (CSR) in the usual manner. It includes a signature that is produced with the private key from step 1.</t> </li> <li> <t>The subject sends the CSR to the CA, and it gets back a signature certificate. The signature certificate includes a key usage of digitalSignature, nonRepudiation, or both (see <xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/>).</t> </li> <li> <t>The subject generates the key establishment key pair.</t> </li> <li> <t>The subject composes a PKCS#10 CSR containing the key establishment public key. The CSR attributes include the attribute specified in <xref target="attr"/> of this document. The subject name matches the one from step 3. The CSR includes a signature that is produced with the private key from step 1.</t> </li> <li> <t>The subject sends the CSR to the CA, and it gets back a key establishment certificate. The key establishment certificate includes a key usage of keyEncipherment or keyAgreement (see <xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/>).</t> </li> </ol> <t>In general, the issuer of the key establishment certificate will be the same as the issuer of the signature certificate.
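</t> <t>The following Python is an added example and not part of this document; it is stdlib-only code written for this edit, with function and variable names of its own. It parses the key establishment CSR from the example appendix of this document (embedded as a constructed input) and applies the CA-side checks from <xref target="attr"/> that need no cryptography: that the signer component identifies the supplied signature certificate, that the CSR subject and any requested subject alternative names match that certificate, and that the requested key usage is for key establishment rather than signature. Signature verification over certificationRequestInfo and certification path validation as specified in <xref section="6" sectionFormat="of" target="RFC5280"/> are left to a cryptographic library. Run against the document's own example, the subjectAltName check reports the requested rfc822Name: the signature certificate issued to Alice in that example carries no subjectAltName extension, which is exactly the case the text defers to the certificate policy.</t> <sourcecode type="python"><![CDATA[
```python
"""CA-side checks for the privateKeyPossessionStatement attribute (stdlib only).
Signature verification and RFC 5280 path validation are not done here; use a crypto library."""
import base64

# Constructed input: base64 DER of the key establishment CSR from this document's example appendix.
CSR_B64 = """MIIEMTCCA7gCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH
EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB0MA4GBSuBBAEMBgUrgQQAIgNiAAQB
RyQTH+cq1s5F94uFqFe7l1LqGdEC8Tm+e5VYBCfKAC8MJySQMj1GixEEXL+1Wjtg
23XvnJouCDoxSpDCSMqf3kvp5+naM37uxa3ZYgD6DPY3me5EZvyZPvSRJTFl/Bag
ggL9MGcGCSqGSIb3DQEJDjFaMFgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCAwgw
IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wFwYDVR0gBBAwDjAM
BgpghkgBZQMCATAwMIICkAYKKwYBBAGBrGACATGCAoAwggJ8ME8wNzELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNhLmV4YW1wbGUC
FH90o/wDbOIUeFxZYU5vjfJMR6h5MIICJzCCAa6gAwIBAgIUf3Sj/ANs4hR4XFlh
Tm+N8kxHqHkwCgYIKoZIzj0EAwMwNzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4
YW1wbGUgQ0ExEzARBgNVBAMTCmNhLmV4YW1wbGUwHhcNMjUwMTA5MTcwMzQ4WhcN
MjYwMTA5MTcwMzQ4WjA8MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNV
BAcTB0hlcm5kb24xDjAMBgNVBAMTBUFsaWNlMHYwEAYHKoZIzj0CAQYFK4EEACID
YgAEgBz7qVc3Uwgz/zZB5Y1vnkfTOv6VWBZV4XRt/iPPEJvkwKNVozR4US9yNcxX
mniTOqIlMcLRXYkCipgxf8MwUhzBnvE/25B316nopn5Fe63bXUvz5bVAjVAlIM3E
A1Gxo3YwdDAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUIx0A
0f7tCzkQEZgYzH3NcM2L05IwHwYDVR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJm
QKowFwYDVR0gBBAwDjAMBgpghkgBZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/
Uypd7BaVnUjB36UtX9m5ZmPi78y51RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIw
RJ6U91048NAb3nicHcrGFf1UYrhbDlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u
MAoGCCqGSM49BAMDA2cAMGQCL2TNHPULWcCS2DqZCCiQeSwx2JPLMI14Vi977bzy
rImq5p0H3Bel6fAS8BnQ00WNAjEAhHDAlcbRuHhqdW6mOgDd5kWEGGqgixIuvEEc
fVbnNCEyEE4n0mQ99PHURnXoHwqF"""
CSR_DER = base64.b64decode(CSR_B64)  # b64decode skips the newlines
OID_STATEMENT, OID_EXT_REQ = "1.3.6.1.4.1.22112.2.1", "1.2.840.113549.1.9.14"
OID_KEY_USAGE, OID_SAN = "2.5.29.15", "2.5.29.17"
KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT = 0, 1, 2, 4

def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split a constructed value's contents into [(tag, contents), ...]."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_tlv(contents, pos)
        out.append((tag, val))
    return out

def decode_oid(c):
    arcs, acc = [c[0] // 40, c[0] % 40], 0
    for b in c[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if b < 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_name(contents):
    """X.501 Name -> tuple of (type OID, string), one per AttributeTypeAndValue."""
    atvs = [der_children(atv) for _, rdn in der_children(contents) for _, atv in der_children(rdn)]
    return tuple((decode_oid(a[0][1]), a[1][1].decode()) for a in atvs)

def decode_extensions(contents):
    """SEQUENCE OF Extension -> {extnID: extnValue OCTET STRING contents}."""
    parts = [der_children(ext) for _, ext in der_children(contents)]
    return {decode_oid(p[0][1]): p[-1][1] for p in parts}

def key_usage(exts):
    """KeyUsage BIT STRING -> set of bit numbers (0 digitalSignature ... 4 keyAgreement)."""
    bits = der_tlv(exts.get(OID_KEY_USAGE, b"\x03\x01\x00"))[1][1:]  # drop the unused-bits octet
    return {8 * i + j for i, byte in enumerate(bits) for j in range(8) if byte & (0x80 >> j)}

def subject_alt_names(exts):
    """SubjectAltName -> set of (GeneralName choice, raw value); choice 1 is rfc822Name."""
    names = der_children(der_tlv(exts[OID_SAN])[1]) if OID_SAN in exts else []
    return {(tag & 0x1F, val) for tag, val in names}

def parse_certificate(contents):
    (_, tbs), _alg, _sig = der_children(contents)
    fields = [f for f in der_children(tbs) if f[0] != 0xA0]  # drop the EXPLICIT [0] version
    serial, _alg, issuer, _validity, subject = fields[:5]
    exts = next((decode_extensions(der_tlv(v)[1]) for t, v in fields[5:] if t == 0xA3), {})
    return {"issuer": decode_name(issuer[1]), "serial": int.from_bytes(serial[1], "big", signed=True),
            "subject": decode_name(subject[1]), "extensions": exts}

def parse_csr(der):
    """PKCS#10 CertificationRequest -> subject and attributes {OID: [value contents, ...]}."""
    (_, info), _alg, _sig = der_children(der_tlv(der)[1])
    _version, subject, _spki, attrs = der_children(info)
    attributes = {}
    for _, attr in der_children(attrs[1]):  # attributes is [0] IMPLICIT SET OF Attribute
        (_, oid), (_, values) = der_children(attr)
        attributes[decode_oid(oid)] = [v for _, v in der_children(values)]
    return {"subject": decode_name(subject[1]), "attributes": attributes}

def parse_statement(contents):
    """PrivateKeyPossessionStatement ::= SEQUENCE { signer IssuerAndSerialNumber, cert Certificate OPTIONAL }"""
    parts = der_children(contents)
    (_, issuer), (_, serial) = der_children(parts[0][1])
    return {"signer": (decode_name(issuer), int.from_bytes(serial, "big", signed=True)),
            "cert": parse_certificate(parts[1][1]) if len(parts) > 1 else None}

def check_statement(csr, issued_certs=None):
    """Return 'code: detail' findings; an empty list means the request passes these checks.
    'subject' and 'subjectAltName' are the mismatches the certificate policy may resolve."""
    values = csr["attributes"].get(OID_STATEMENT, [])
    if len(values) != 1:
        return ["attribute: privateKeyPossessionStatement missing or not single-valued"]
    stmt = parse_statement(values[0])
    cert = stmt["cert"] or (issued_certs or {}).get(stmt["signer"])  # cert MAY be omitted
    if cert is None:
        return ["signer: signature certificate neither embedded nor found in CA records"]
    findings = []
    if (cert["issuer"], cert["serial"]) != stmt["signer"]:
        findings.append("signer: IssuerAndSerialNumber does not identify the supplied certificate")
    if not key_usage(cert["extensions"]) & {KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION}:
        findings.append("keyUsage: signature certificate lacks digitalSignature/nonRepudiation")
    if cert["subject"] != csr["subject"]:
        findings.append("subject: CSR subject differs from the signature certificate subject")
    req_exts = decode_extensions(csr["attributes"].get(OID_EXT_REQ, [b""])[0])
    missing = subject_alt_names(req_exts) - subject_alt_names(cert["extensions"])
    if missing:
        findings.append("subjectAltName: not in signature certificate: %r" % sorted(missing))
    ku = key_usage(req_exts)
    if ku & {KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION} or not ku & {KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT}:
        findings.append("keyUsage: the attribute MUST NOT be used to obtain a signature certificate")
    return findings

if __name__ == "__main__":
    print(*check_statement(parse_csr(CSR_DER)), sep="\n")
```
]]></sourcecode> <t>The cert component of the statement MAY be omitted when the same CA issued the signature certificate; check_statement then looks the signer up in the issued_certs mapping, which stands in for the CA's own records of the certificates it issued, and rejects the request if the lookup fails.</t> <t>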
If the issuers of the two certificates will be different, then the certificate policy of the issuer of the key establishment certificate <bcp14>MUST</bcp14> explain the procedure that is used to verify the subject and subject alternative names.</t> </section> <section anchor="attr"> <name>Attribute for Statement of Possession of a Private Key</name> <t>The attribute for statement of possession of a private key is included in a certificate request to make the following statement:</t> <t indent="3">The subject of the signature certificate that is used to validate the signature on this certificate request states, without providing proof, that it has possession of the private key that corresponds to the public key in the certificate request.</t> <t>The CA <bcp14>MUST</bcp14> perform certification path validation for the signature certificate as specified in <xref section="6" sectionFormat="of" target="RFC5280"/>. If the certification path is not valid, then the CA <bcp14>MUST</bcp14> reject the request for the key establishment certificate.</t> <t>The CA <bcp14>MUST</bcp14> validate the signature on the certificate request using the public key from the signature certificate. If the signature is not valid, then the CA <bcp14>MUST</bcp14> reject the certificate request.</t> <t>The subject in the signature certificate <bcp14>SHOULD</bcp14> be the same as the subject name in the certificate request. If they are different, the certificate policy <bcp14>MUST</bcp14> describe how the CA can determine that the two subject names identify the same entity. If the CA is unable to determine that the two subject names identify the same entity, then the CA <bcp14>MUST</bcp14> reject the certificate request.</t> <t>If subject alternative names are present in the certificate request, they <bcp14>SHOULD</bcp14> match subject alternative names in the signature certificate.
If they are different, the certificate policy <bcp14>MUST</bcp14> describe how the CA can determine that the two subject alternative names identify the same entity. If the CA is unable to determine that each of the subject alternative names identifies the same entity as is named in the signature certificate, then the CA <bcp14>MUST</bcp14> reject the certificate request.</t> <t>When the CA rejects a certificate request for any of the reasons listed above, the CA should provide information to the requestor about the reason for the rejection to aid with diagnostic efforts. Likewise, the CA should log the rejection events.</t> <t>The attribute for statement of possession of a private key has the following structure:</t> <sourcecode type="asn.1"><![CDATA[
id-at-statementOfPossession OBJECT IDENTIFIER ::=
  { 1 3 6 1 4 1 22112 2 1 }

privateKeyPossessionStatement ATTRIBUTE ::= {
  TYPE PrivateKeyPossessionStatement
  IDENTIFIED BY id-at-statementOfPossession }

PrivateKeyPossessionStatement ::= SEQUENCE {
  signer IssuerAndSerialNumber,
  cert Certificate OPTIONAL }
]]></sourcecode> <t>The components of the PrivateKeyPossessionStatement SEQUENCE have the following semantics:</t> <dl spacing="normal" newline="false"> <dt>signer:</dt> <dd><t>The issuer name and certificate serial number of the signature certificate.</t></dd> <dt>cert:</dt> <dd><t>The signature certificate. If the issuer of the key establishment certificate will be the same as the issuer of the signature certificate, then this component <bcp14>MAY</bcp14> be omitted. When the signature certificate is omitted, the signer is assuming that the CA has a mechanism to obtain all valid certificates that it issued.</t></dd> </dl></section> <section anchor="conventions-for-pkcs10"> <name>Conventions for PKCS#10</name> <t>This section specifies the conventions for using the attribute for statement of possession of a private key with PKCS#10 <xref target="RFC2986"/> when requesting a key establishment certificate.</t> <t>The PKCS#10 CertificationRequest always has three components, as follows:</t> <dl spacing="normal" newline="false"> <dt>certificationRequestInfo:</dt> <dd><t>The subject name <bcp14>SHOULD</bcp14> be the same as the subject name in the signature certificate, the subjectPKInfo <bcp14>MUST</bcp14> contain the public key for the key establishment algorithm, and the attributes <bcp14>MUST</bcp14> include the privateKeyPossessionStatement attribute as specified in <xref target="attr"/> of this document.</t></dd> <dt>signatureAlgorithm:</dt> <dd><t>The signature algorithm <bcp14>MUST</bcp14> be one that can be validated with the public key in the signature certificate.</t></dd> <dt>signature:</dt> <dd><t>The signature over certificationRequestInfo <bcp14>MUST</bcp14> validate with the public key in the signature certificate, and certification path validation for the signature certificate <bcp14>MUST</bcp14> be successful as specified in <xref section="6" sectionFormat="of" target="RFC5280"/>.</t></dd> </dl></section> <section anchor="conventions-for-crmf"> <name>Conventions for CRMF</name> <t>This section specifies the conventions for using the attribute for statement of possession of a private key with the CRMF <xref target="RFC4211"/> when requesting a key establishment certificate.</t> <t>The following ASN.1 types are defined for use with CRMF.
They have exactly the same semantics and syntax as the attribute discussed above, but they offer a similar naming convention to the Registration Controls in <xref target="RFC4211"/>.</t> <sourcecode type="asn.1"><![CDATA[
regCtrl-privateKeyPossessionStatement ATTRIBUTE ::=
  privateKeyPossessionStatement

id-regCtrl-statementOfPossession OBJECT IDENTIFIER ::=
  id-at-statementOfPossession
]]></sourcecode> <t>The CRMF CertReqMsg always has three components, as follows:</t> <dl spacing="normal" newline="false"> <dt>certReq:</dt> <dd><t>The certTemplate <bcp14>MUST</bcp14> include the subject and the publicKey components. The subject name <bcp14>SHOULD</bcp14> match the subject name in the signature certificate, and publicKey <bcp14>MUST</bcp14> contain the public key for the key establishment algorithm.</t></dd> <dt>popo:</dt> <dd><t>The ProofOfPossession <bcp14>MUST</bcp14> use the signature CHOICE, the poposkInput <bcp14>MUST</bcp14> be present, POPOSigningKeyInput.authInfo <bcp14>MUST</bcp14> use the sender CHOICE, the sender <bcp14>SHOULD</bcp14> be set to the subject name that appears in the signature certificate, the publicKey <bcp14>MUST</bcp14> contain a copy of the public key from the certTemplate, the algorithmIdentifier <bcp14>MUST</bcp14> identify a signature algorithm that can be validated with the public key in the signature certificate, the signature over the poposkInput <bcp14>MUST</bcp14> validate with the public key in the signature certificate, and certification path validation for the signature certificate <bcp14>MUST</bcp14> be successful as specified in <xref section="6" sectionFormat="of" target="RFC5280"/>.</t></dd> <dt>regInfo:</dt> <dd><t>The attributes <bcp14>MUST</bcp14> include the privateKeyPossessionStatement attribute as specified in <xref target="attr"/> of this document.</t></dd> </dl></section> <section anchor="security-considerations"> <name>Security Considerations</name> <t>The privateKeyPossessionStatement attribute <bcp14>MUST NOT</bcp14> be used to obtain a signature certificate. Performing proof of possession of the signature private key is easily accomplished by signing the certificate request.</t> <t>The subject is signing the privateKeyPossessionStatement attribute to tell the CA that it has possession of the key establishment private key. This is being done instead of providing technical proof of possession. If the subject has lost control of the signature private key, then the signed privateKeyPossessionStatement attribute could be generated by some other party. Timely revocation of the compromised signature certificate is the only protection against such loss of control.</t> <t>If the CA revokes a compromised signature certificate, then the CA <bcp14>SHOULD</bcp14> also revoke all key establishment certificates that were obtained with privateKeyPossessionStatement attributes signed by that compromised signature certificate.</t> <t>The signature key pair and the key establishment key pair are expected to have roughly the same security strength. To ensure that the signature on the statement is not the weakest part of the certificate enrollment, the signature key pair <bcp14>SHOULD</bcp14> be at least as strong as the key establishment key pair.</t> <t>If a CA allows the subject in the key establishment certificate to be different from the subject name in the signature certificate, then the certificate policy <bcp14>MUST</bcp14> describe how to determine that the two subject names identify the same entity.
Likewise, if a CA allows subject alternative names in the key establishment certificate that are not present in the signature certificate, then the certificate policy <bcp14>MUST</bcp14> describe how to determine that the subject alternative names identify the same entity as is named in the signature certificate.</t> </section> <section anchor="iana"> <name>IANA Considerations</name> <t>For the ASN.1 Module in <xref target="appendix-asn1"/> of this document, IANA has assigned an object identifier (OID) for the module identifier (118) with a Description of "id-mod-private-key-possession-stmt-2025" in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).</t> </section> </middle> <back> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name> <reference anchor="RFC2986"> <front> <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title> <author fullname="M. Nystrom" initials="M." surname="Nystrom"/> <author fullname="B. Kaliski" initials="B." surname="Kaliski"/> <date month="November" year="2000"/> <abstract> <t>This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="2986"/> <seriesInfo name="DOI" value="10.17487/RFC2986"/> </reference> <reference anchor="RFC4211"> <front> <title>Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="September" year="2005"/> <abstract> <t>This document describes the Certificate Request Message Format (CRMF) syntax and semantics. This syntax is used to convey a request for a certificate to a Certification Authority (CA), possibly via a Registration Authority (RA), for the purposes of X.509 certificate production. The request will typically include a public key and the associated registration information. This document does not define a certificate request protocol. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4211"/> <seriesInfo name="DOI" value="10.17487/RFC4211"/> </reference> <reference anchor="RFC5280"> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="D. Cooper" initials="D." surname="Cooper"/> <author fullname="S. Santesson" initials="S." surname="Santesson"/> <author fullname="S. Farrell" initials="S." surname="Farrell"/> <author fullname="S. Boeyen" initials="S." surname="Boeyen"/> <author fullname="R. Housley" initials="R." surname="Housley"/> <author fullname="W. Polk" initials="W." surname="Polk"/> <date month="May" year="2008"/> <abstract> <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices.
[STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5280"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/> </reference> <reference anchor="RFC5912"> <front> <title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="June" year="2010"/> <abstract> <t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="5912"/> <seriesInfo name="DOI" value="10.17487/RFC5912"/> </reference> <reference anchor="RFC6268"> <front> <title>Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <author fullname="S. Turner" initials="S." surname="Turner"/> <date month="July" year="2011"/> <abstract> <t>The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative version. There are no bits- on-the-wire changes to any of the formats; this is simply a change to the syntax. 
This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="6268"/> <seriesInfo name="DOI" value="10.17487/RFC6268"/> </reference> <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> <front> <title>Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/> </reference> <reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690"> <front> <title>Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.690"/> <seriesInfo name="ISO/IEC" value="8825-1:2021"/> </reference> <reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.
This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> </references> <references anchor="sec-informative-references"> <name>Informative References</name> <reference anchor="RFC3647"> <front> <title>Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework</title> <author fullname="S. Chokhani" initials="S." surname="Chokhani"/> <author fullname="W. Ford" initials="W." surname="Ford"/> <author fullname="R. Sabett" initials="R." surname="Sabett"/> <author fullname="C. Merrill" initials="C." surname="Merrill"/> <author fullname="S. Wu" initials="S." surname="Wu"/> <date month="November" year="2003"/> <abstract> <t>This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates.
In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527.</t> </abstract> </front> <seriesInfo name="RFC" value="3647"/> <seriesInfo name="DOI" value="10.17487/RFC3647"/> </reference> <reference anchor="RFC6955"> <front> <title>Diffie-Hellman Proof-of-Possession Algorithms</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <author fullname="H. Prafullchandra" initials="H." surname="Prafullchandra"/> <date month="May" year="2013"/> <abstract> <t>This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair and one method for producing an integrity check value from an Elliptic Curve key pair. This behavior is needed for such operations as creating the signature of a Public-Key Cryptography Standards (PKCS) #10 Certification Request. These algorithms are designed to provide a Proof-of-Possession of the private key and not to be a general purpose signing algorithm.</t> <t>This document obsoletes RFC 2875.</t> </abstract> </front> <seriesInfo name="RFC" value="6955"/> <seriesInfo name="DOI" value="10.17487/RFC6955"/> </reference> </references> </references> <section anchor="appendix-asn1"> <name>ASN.1 Module</name> <t>This ASN.1 Module uses the conventions established by <xref target="RFC5912"/> and <xref target="RFC6268"/>.</t> <sourcecode type="asn.1" markers="true"><![CDATA[
PrivateKeyPossessionStatement-2025
  { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-private-key-possession-stmt-2025(118) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

EXPORTS ALL;

IMPORTS

  ATTRIBUTE
  FROM PKIX-CommonTypes-2009 -- in [RFC5912]
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkixCommon-02(57) }

  Certificate
  FROM PKIX1Explicit-2009 -- in [RFC5912]
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-explicit-02(51) }

  IssuerAndSerialNumber
  FROM CryptographicMessageSyntax-2010 -- [RFC6268]
    { iso(1) member-body(2) us(840) rsadsi(113549)
      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
  ;

--
-- Private Key Possession Statement Attribute
--

id-at-statementOfPossession OBJECT IDENTIFIER ::=
  { 1 3 6 1 4 1 22112 2 1 }

privateKeyPossessionStatement ATTRIBUTE ::= {
  TYPE PrivateKeyPossessionStatement
  IDENTIFIED BY id-at-statementOfPossession }

PrivateKeyPossessionStatement ::= SEQUENCE {
  signer IssuerAndSerialNumber,
  cert Certificate OPTIONAL }

--
-- Registration Control Support
--

RegControlSet ATTRIBUTE ::= {
  regCtrl-privateKeyPossessionStatement, ... }

regCtrl-privateKeyPossessionStatement ATTRIBUTE ::=
  privateKeyPossessionStatement

id-regCtrl-statementOfPossession OBJECT IDENTIFIER ::=
  id-at-statementOfPossession

END
]]></sourcecode> </section> <section anchor="example-use-of-the-privatekeypossessionstatement-attribute"> <name>Example Use of the privateKeyPossessionStatement Attribute</name> <t>In this example, the self-signed certificate for the CA is as follows:</t> <artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIB7DCCAXKgAwIBAgIUL149AUxHunELBZMELEQm+isgKCQwCgYIKoZIzj0EAwMw
NzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNh
LmV4YW1wbGUwHhcNMjUwMTAzMjAyNzA5WhcNMzUwMTAzMjAyNzA5WjA3MQswCQYD
VQQGEwJVUzETMBEGA1UEChMKRXhhbXBsZSBDQTETMBEGA1UEAxMKY2EuZXhhbXBs
ZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDxZdB/Glcxdk1p6Jf1j5en6QfliY9OS
fjZbtje/w6M58PN8Sb3VFln1rPdvD17UXeazSG9Hr/Dq3enbsHHO0pPntcFOgb8n
r8R8LUGhxRzjlxkaEJN+pa6Nf7qk49JDeaM/MD0wDwYDVR0TAQH/BAUwAwEB/zAL
BgNVHQ8EBAMCAgQwHQYDVR0OBBYEFD6YvLLv3DQbvnGS0qP6bbzyZkCqMAoGCCqG
SM49BAMDA2gAMGUCMGfb61IigoJ3QDnlsRdoktREHe0Dpm6DKw3qOyLL6A0cFK9Z
g8m11xIwvptlran52gIxAK1VrOjzRsFiHRptO+gFXstTXnQkKBb2/3WQz2SqcIS/
BWEp+siJ19OXOlz6APDB7w==
-----END CERTIFICATE-----
]]></artwork> <t>Alice generates her ECDSA signature key pair. Then, Alice composes a PKCS#10 Certificate Signing Request (CSR) in the usual manner as specified in <xref target="RFC2986"/>. The CSR includes a signature that is produced with her ECDSA private key. The CSR is as follows:</t> <artwork><![CDATA[
-----BEGIN CERTIFICATE REQUEST-----
MIIBhTCCAQsCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH
EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
BIAc+6lXN1MIM/82QeWNb55H0zr+lVgWVeF0bf4jzxCb5MCjVaM0eFEvcjXMV5p4
kzqiJTHC0V2JAoqYMX/DMFIcwZ7xP9uQd9ep6KZ+RXut211L8+W1QI1QJSDNxANR
saBQME4GCSqGSIb3DQEJDjFBMD8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4Aw
IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwMD
aAAwZQIwPa2rOCe60edAF43C/t57IW8liyy+69FE04hMAFgw3Ga+nR+8zDuUsVLw
xXGAHtcDAjEA6LbvNkZjo6j2z5xRIjrHzEbGgiV4MF4xtnpfSSRI4dB0zT52bWkj
TZsuS1YWIkjt
-----END CERTIFICATE REQUEST-----
]]></artwork> <t>The CA issues a signature certificate to Alice:</t> <artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIICJzCCAa6gAwIBAgIUf3Sj/ANs4hR4XFlhTm+N8kxHqHkwCgYIKoZIzj0EAwMw
NzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNh
LmV4YW1wbGUwHhcNMjUwMTA5MTcwMzQ4WhcNMjYwMTA5MTcwMzQ4WjA8MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xDjAMBgNVBAMT
BUFsaWNlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEgBz7qVc3Uwgz/zZB5Y1vnkfT
Ov6VWBZV4XRt/iPPEJvkwKNVozR4US9yNcxXmniTOqIlMcLRXYkCipgxf8MwUhzB
nvE/25B316nopn5Fe63bXUvz5bVAjVAlIM3EA1Gxo3YwdDAMBgNVHRMBAf8EAjAA
MAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUIx0A0f7tCzkQEZgYzH3NcM2L05IwHwYD
VR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJmQKowFwYDVR0gBBAwDjAMBgpghkgB
ZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/Uypd7BaVnUjB36UtX9m5ZmPi78y5
1RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIwRJ6U91048NAb3nicHcrGFf1UYrhb
DlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u
-----END CERTIFICATE-----
]]></artwork> <t>Alice generates her ECDH key establishment key pair. Then, Alice composes a PKCS#10 CSR. The CSR attributes include the privateKeyPossessionStatement attribute, which points to her ECDSA signature certificate. The CSR includes her ECDH public key and a signature that is produced with her ECDSA private key. The CSR is as follows:</t> <artwork><![CDATA[
-----BEGIN CERTIFICATE REQUEST-----
MIIEMTCCA7gCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH
EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB0MA4GBSuBBAEMBgUrgQQAIgNiAAQB
RyQTH+cq1s5F94uFqFe7l1LqGdEC8Tm+e5VYBCfKAC8MJySQMj1GixEEXL+1Wjtg
23XvnJouCDoxSpDCSMqf3kvp5+naM37uxa3ZYgD6DPY3me5EZvyZPvSRJTFl/Bag
ggL9MGcGCSqGSIb3DQEJDjFaMFgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCAwgw
IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wFwYDVR0gBBAwDjAM
BgpghkgBZQMCATAwMIICkAYKKwYBBAGBrGACATGCAoAwggJ8ME8wNzELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNhLmV4YW1wbGUC
FH90o/wDbOIUeFxZYU5vjfJMR6h5MIICJzCCAa6gAwIBAgIUf3Sj/ANs4hR4XFlh
Tm+N8kxHqHkwCgYIKoZIzj0EAwMwNzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4
YW1wbGUgQ0ExEzARBgNVBAMTCmNhLmV4YW1wbGUwHhcNMjUwMTA5MTcwMzQ4WhcN
MjYwMTA5MTcwMzQ4WjA8MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNV
BAcTB0hlcm5kb24xDjAMBgNVBAMTBUFsaWNlMHYwEAYHKoZIzj0CAQYFK4EEACID
YgAEgBz7qVc3Uwgz/zZB5Y1vnkfTOv6VWBZV4XRt/iPPEJvkwKNVozR4US9yNcxX
mniTOqIlMcLRXYkCipgxf8MwUhzBnvE/25B316nopn5Fe63bXUvz5bVAjVAlIM3E
A1Gxo3YwdDAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUIx0A
0f7tCzkQEZgYzH3NcM2L05IwHwYDVR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJm
QKowFwYDVR0gBBAwDjAMBgpghkgBZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/
Uypd7BaVnUjB36UtX9m5ZmPi78y51RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIw
RJ6U91048NAb3nicHcrGFf1UYrhbDlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u
MAoGCCqGSM49BAMDA2cAMGQCL2TNHPULWcCS2DqZCCiQeSwx2JPLMI14Vi977bzy
rImq5p0H3Bel6fAS8BnQ00WNAjEAhHDAlcbRuHhqdW6mOgDd5kWEGGqgixIuvEEc
fVbnNCEyEE4n0mQ99PHURnXoHwqF
-----END CERTIFICATE REQUEST-----
]]></artwork> <t>The CSR
decodesto:</t>to the following:</t> <artwork><![CDATA[ 0 1073: SEQUENCE { 4 952: SEQUENCE { 8 1: INTEGER 0 11 60: SEQUENCE { 13 11: SET { 15 9: SEQUENCE { 17 3: OBJECT IDENTIFIER countryName (2 5 4 6) 22 2: PrintableString 'US' : } : } 26 11: SET { 28 9: SEQUENCE { 30 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8) 35 2: PrintableString 'VA' : } : } 39 16: SET { 41 14: SEQUENCE { 43 3: OBJECT IDENTIFIER localityName (2 5 4 7) 48 7: PrintableString 'Herndon' : } : } 57 14: SET { 59 12: SEQUENCE { 61 3: OBJECT IDENTIFIER commonName (2 5 4 3) 66 5: PrintableString 'Alice' : } : } : } 73 116: SEQUENCE { 75 14: SEQUENCE { 77 5: OBJECT IDENTIFIER ECDH (1 3 132 1 12) 84 5: OBJECT IDENTIFIER secp384r1 (1 3 132 0 34) : } 91 98: BIT STRING : 04 01 47 24 13 1F E7 2A D6 CE 45 F7 8B 85 A8 57 : BB 97 52 EA 19 D1 02 F1 39 BE 7B 95 58 04 27 CA : 00 2F 0C 27 24 90 32 3D 46 8B 11 04 5C BF B5 5A : 3B 60 DB 75 EF 9C 9A 2E 08 3A 31 4A 90 C2 48 CA : 9F DE 4B E9 E7 E9 DA 33 7E EE C5 AD D9 62 00 FA : 0C F6 37 99 EE 44 66 FC 99 3E F4 91 25 31 65 FC : 16 : } 191 765: [0] { 195 103: SEQUENCE { 197 9: OBJECT IDENTIFIER : extensionRequest (1 2 840 113549 1 9 14) 208 90: SET { 210 88: SEQUENCE { 212 12: SEQUENCE { 214 3: OBJECT IDENTIFIER : basicConstraints (2 5 29 19) 219 1: BOOLEAN TRUE 222 2: OCTET STRING, encapsulates { 224 0: SEQUENCE {} : } : } 226 11: SEQUENCE { 228 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 233 4: OCTET STRING, encapsulates { 235 2: BIT STRING 3 unused bits : '10000'B (bit 4) : } : } 239 34: SEQUENCE { 241 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) 246 27: OCTET STRING, encapsulates { 248 25: SEQUENCE { 250 23: [1] 'alice@email.example.com' : } : } : } 275 23: SEQUENCE { 277 3: OBJECT IDENTIFIER : certificatePolicies (2 5 29 32) 282 16: OCTET STRING, encapsulates { 284 14: SEQUENCE { 286 12: SEQUENCE { 288 10: OBJECT IDENTIFIER : testCertPolicy (2 16 840 1 101 3 2 1 48 48) : } : } : } : } : } : } : } 300 656: SEQUENCE { 304 10: OBJECT IDENTIFIER : 
statementOfPossession (1 3 6 1 4 1 22112 2 1) 316 640: SET { 320 636: SEQUENCE { 324 79: SEQUENCE { 326 55: SEQUENCE { 328 11: SET { 330 9: SEQUENCE { 332 3: OBJECT IDENTIFIER countryName (2 5 4 6) 337 2: PrintableString 'US' : } : } 341 19: SET { 343 17: SEQUENCE { 345 3: OBJECT IDENTIFIER : organizationName (2 5 4 10) 350 10: PrintableString 'Example CA' : } : } 362 19: SET { 364 17: SEQUENCE { 366 3: OBJECT IDENTIFIER commonName (2 5 4 3) 371 10: PrintableString 'ca.example' : } : } : } 383 20: INTEGER : 7F 74 A3 FC 03 6C E2 14 78 5C 59 61 4E 6F 8D F2 : 4C 47 A8 79 : } 405 551: SEQUENCE { 409 430: SEQUENCE { 413 3: [0] { 415 1: INTEGER 2 : } 418 20: INTEGER : 7F 74 A3 FC 03 6C E2 14 78 5C 59 61 4E 6F 8D F2 : 4C 47 A8 79 440 10: SEQUENCE { 442 8: OBJECT IDENTIFIER : ecdsaWithSHA384 (1 2 840 10045 4 3 3) : } 452 55: SEQUENCE { 454 11: SET { 456 9: SEQUENCE { 458 3: OBJECT IDENTIFIER : countryName (2 5 4 6) 463 2: PrintableString 'US' : } : } 467 19: SET { 469 17: SEQUENCE { 471 3: OBJECT IDENTIFIER : organizationName (2 5 4 10) 476 10: PrintableString 'Example CA' : } : } 488 19: SET { 490 17: SEQUENCE { 492 3: OBJECT IDENTIFIER : commonName (2 5 4 3) 497 10: PrintableString 'ca.example' : } : } : } 509 30: SEQUENCE { 511 13: UTCTime 09/01/2025 17:03:48 GMT 526 13: UTCTime 09/01/2026 17:03:48 GMT : } 541 60: SEQUENCE { 543 11: SET { 545 9: SEQUENCE { 547 3: OBJECT IDENTIFIER : countryName (2 5 4 6) 552 2: PrintableString 'US' : } : } 556 11: SET { 558 9: SEQUENCE { 560 3: OBJECT IDENTIFIER : stateOrProvinceName (2 5 4 8) 565 2: PrintableString 'VA' : } : } 569 16: SET { 571 14: SEQUENCE { 573 3: OBJECT IDENTIFIER : localityName (2 5 4 7) 578 7: PrintableString 'Herndon' : } : } 587 14: SET { 589 12: SEQUENCE { 591 3: OBJECT IDENTIFIER : commonName (2 5 4 3) 596 5: PrintableString 'Alice' : } : } : } 603 118: SEQUENCE { 605 16: SEQUENCE { 607 7: OBJECT IDENTIFIER : ecPublicKey (1 2 840 10045 2 1) 616 5: OBJECT IDENTIFIER : secp384r1 (1 3 132 0 34) : } 623 98: BIT 
STRING : 04 80 1C FB A9 57 37 53 08 33 FF 36 41 E5 8D 6F : 9E 47 D3 3A FE 95 58 16 55 E1 74 6D FE 23 CF 10 : 9B E4 C0 A3 55 A3 34 78 51 2F 72 35 CC 57 9A 78 : 93 3A A2 25 31 C2 D1 5D 89 02 8A 98 31 7F C3 30 : 52 1C C1 9E F1 3F DB 90 77 D7 A9 E8 A6 7E 45 7B : AD DB 5D 4B F3 E5 B5 40 8D 50 25 20 CD C4 03 51 : B1 : } 723 118: [3] { 725 116: SEQUENCE { 727 12: SEQUENCE { 729 3: OBJECT IDENTIFIER : basicConstraints (2 5 29 19) 734 1: BOOLEAN TRUE 737 2: OCTET STRING, encapsulates { 739 0: SEQUENCE {} : } : } 741 11: SEQUENCE { 743 3: OBJECT IDENTIFIER : keyUsage (2 5 29 15) 748 4: OCTET STRING, encapsulates { 750 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } 754 29: SEQUENCE { 756 3: OBJECT IDENTIFIER : subjectKeyIdentifier (2 5 29 14) 761 22: OCTET STRING, encapsulates { 763 20: OCTET STRING : 23 1D 00 D1 FE ED 0B 39 10 11 98 18 CC 7D CD 70 : CD 8B D3 92 : } : } 785 31: SEQUENCE { 787 3: OBJECT IDENTIFIER : authorityKeyIdentifier (2 5 29 35) 792 24: OCTET STRING, encapsulates { 794 22: SEQUENCE { 796 20: [0] : 3E 98 BC B2 EF DC 34 1B BE 71 92 D2 A3 FA 6D BC : F2 66 40 AA : } : } : } 818 23: SEQUENCE { 820 3: OBJECT IDENTIFIER : certificatePolicies (2 5 29 32) 825 16: OCTET STRING, encapsulates { 827 14: SEQUENCE { 829 12: SEQUENCE { 831 10: OBJECT IDENTIFIER : testCertPolicy (2 16 840 1 101 3 2 1 48 48) : } : } : } : } : } : } : } 843 10: SEQUENCE { 845 8: OBJECT IDENTIFIER : ecdsaWithSHA384 (1 2 840 10045 4 3 3) : } 855 103: BIT STRING, encapsulates { 858 100: SEQUENCE { 860 48: INTEGER : 6B BF 53 2A 5D EC 16 95 9D 48 C1 DF A5 2D 5F D9 : B9 66 63 E2 EF CC B9 D5 10 3C 5A 16 CE BF 42 90 : 56 B7 18 B6 3E 2A 39 D8 8C 54 A0 5C A1 57 1E C8 910 48: INTEGER : 44 9E 94 F7 5D 38 F0 D0 1B DE 78 9C 1D CA C6 15 : FD 54 62 B8 5B 0E 5C AD 2B 8B 42 6B 91 C1 C4 3F : EA 02 0C B8 FD E5 33 03 93 59 C1 56 8B 2B BF 2E : } : } : } : } : } : } : } : } 960 10: SEQUENCE { 962 8: OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3) : } 972 103: BIT STRING, encapsulates { 975 100: 
SEQUENCE { 977 47: INTEGER : 64 CD 1C F5 0B 59 C0 92 D8 3A 99 08 28 90 79 2C : 31 D8 93 CB 30 8D 78 56 2F 7B ED BC F2 AC 89 AA : E6 9D 07 DC 17 A5 E9 F0 12 F0 19 D0 D3 45 8D 1026 49: INTEGER : 00 84 70 C0 95 C6 D1 B8 78 6A 75 6E A6 3A 00 DD : E6 45 84 18 6A A0 8B 12 2E BC 41 1C 7D 56 E7 34 : 21 32 10 4E 27 D2 64 3D F4 F1 D4 46 75 E8 1F 0A : 85 : } : } : } ]]></artwork> <t>The CA issues a key establishment certificate to Alice:</t> <artwork><![CDATA[ -----BEGIN CERTIFICATE----- MIICJTCCAaygAwIBAgIUf3Sj/ANs4hR4XFlhTm+N8kxHqHowCgYIKoZIzj0EAwMw NzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNh LmV4YW1wbGUwHhcNMjUwMTA5MTcwNTAwWhcNMjYwMTA5MTcwNTAwWjA8MQswCQYD VQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xDjAMBgNVBAMT BUFsaWNlMHQwDgYFK4EEAQwGBSuBBAAiA2IABAFHJBMf5yrWzkX3i4WoV7uXUuoZ 0QLxOb57lVgEJ8oALwwnJJAyPUaLEQRcv7VaO2Dbde+cmi4IOjFKkMJIyp/eS+nn 6dozfu7FrdliAPoM9jeZ7kRm/Jk+9JElMWX8FqN2MHQwDAYDVR0TAQH/BAIwADAL BgNVHQ8EBAMCAwgwHQYDVR0OBBYEFAnLfJvnEUcvLXaPUDZMZlQ/zZ3WMB8GA1Ud IwQYMBaAFD6YvLLv3DQbvnGS0qP6bbzyZkCqMBcGA1UdIAQQMA4wDAYKYIZIAWUD AgEwMDAKBggqhkjOPQQDAwNnADBkAjARQ5LuV6yz8A5DZCll1S/gfxZ+QSJl/pKc cTL6Sdr1IS18U/zY8VUJeB2H0nBamLwCMBRQ6sEWpNoeeR8Bonpoot/zYD2luQ1V 2jevmYsnBihKF0debgfhGvh8WIgBR69DZg== -----END CERTIFICATE----- ]]></artwork> </section> <section numbered="false" anchor="acknowledgements"> <name>Acknowledgements</name> <t>Thanks toSean Turner, Joe Mandel, Mike StJohns, Mike Ounsworth, John Gray, Carl Wallace, Corey Bonnell, Hani Ezzadeen, Deb Cooley, Mohamed Boucadair, and Bron Gondwana<contact fullname="Sean Turner"/>, <contact fullname="Joe Mandel"/>, <contact fullname="Mike StJohns"/>, <contact fullname="Mike Ounsworth"/>, <contact fullname="John Gray"/>, <contact fullname="Carl Wallace"/>, <contact fullname="Corey Bonnell"/>, <contact fullname="Hani Ezzadeen"/>, <contact fullname="Deb Cooley"/>, <contact fullname="Mohamed Boucadair"/>, and <contact fullname="Bron Gondwana"/> for their constructive comments.</t> </section> </back><!-- 
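-->
An added example, not part of RFC 9883 and not the author's code: a stdlib-only Python walker that locates the privateKeyPossessionStatement attribute in a CertificationRequestInfo and returns the issuer name and serial number that point at the requester's existing signature certificate, which is what lets the CA fetch that certificate and verify the request signature with its ECDSA key rather than with the non-signing ECDH key carried in the request. The request it parses is constructed inline (placeholder key bytes, and without the embedded certificate that the RFC's example carries); the helper names and the returned dictionary layout are assumptions.

```python
# Added example (not from RFC 9883): stdlib-only DER walker for the privateKeyPossessionStatement attribute.
STATEMENT_OID = "1.3.6.1.4.1.22112.2.1"               # attribute OID as shown in the RFC's dump
COMMON_NAME_OID = "2.5.4.3"
SERIAL = 0x7F74A3FC036CE214785C59614E6F8DF24C47A879   # serial of Alice's signature cert, from the RFC's dump

def tlv(tag, body):
    if len(body) >= 0x80:                             # DER long-form length for bodies of 128+ bytes
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 + len(n)]) + n + body
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a % 128]                             # base 128, high bit set on all but the last byte
        while a > 127:
            a >>= 7
            chunk.insert(0, 0x80 + a % 128)
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = val * 128 + b % 128
        if b // 128 == 0:                             # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                                # long form: low bits give the length of the length
        n = length - 0x80
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while len(body) > pos:
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def common_name(name_body):
    for _, rdn in children(name_body):                # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            if decode_oid(oid) == COMMON_NAME_OID:
                return value.decode()

def find_statement(cri):
    _, body, _ = read_tlv(cri, 0)                     # CertificationRequestInfo ::= SEQUENCE { ... }
    _, subject, _spki, attrs = [inner for _, inner in children(body)]   # version, subject, SPKI, [0]
    for _, attr in children(attrs):                   # Attribute ::= SEQUENCE { type OID, values SET }
        (_, oid), (_, values) = list(children(attr))
        if decode_oid(oid) == STATEMENT_OID:
            _, stmt = next(children(values))          # SEQUENCE { IssuerAndSerialNumber, Certificate OPTIONAL }
            parts = list(children(stmt))
            (_, issuer), (_, serial) = list(children(parts[0][1]))
            return {"subject": common_name(subject), "issuer": common_name(issuer),
                    "serial": int.from_bytes(serial, "big"), "cert_included": len(parts) > 1}
    return None                                       # no statement: the CA needs another proof of possession

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid(COMMON_NAME_OID) + tlv(0x13, cn.encode()))))

def sample_cri(with_statement=True):
    alg = tlv(0x30, encode_oid("1.3.132.1.12") + encode_oid("1.3.132.0.34"))   # ECDH, secp384r1
    spki = tlv(0x30, alg + tlv(0x03, b"\x00\x04" + b"\x11" * 96))             # placeholder point bytes
    attrs = b""
    if with_statement:
        ias = tlv(0x30, name("ca.example") + tlv(0x02, SERIAL.to_bytes(20, "big")))
        attrs = tlv(0x30, encode_oid(STATEMENT_OID) + tlv(0x31, tlv(0x30, ias)))
    return tlv(0x30, tlv(0x02, b"\x00") + name("Alice") + spki + tlv(0xA0, attrs))
```
<!--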
--></rfc>