<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-ipsecme-ikev2-pqc-auth-09" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="PQC Authentication in IKEv2">Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) using PQC</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-ipsecme-ikev2-pqc-auth-09"/>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Valery Smyslov">
      <organization>ELVIS-PLUS</organization>
      <address>
        <postal>
          <country>Russian Federation</country>
        </postal>
        <email>svan@elvis.ru</email>
      </address>
    </author>
    <author fullname="Scott Fluhrer">
      <organization>Cisco Systems</organization>
      <address>
        <email>sfluhrer@cisco.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="10"/>
    <area>Security</area>
    <workgroup>ipsecme</workgroup>
    <keyword>PQC</keyword>
    <keyword>IKEv2</keyword>
    <keyword>Digital Signature</keyword>
    <keyword>ML-DSA</keyword>
    <keyword>SLH-DSA</keyword>
    <abstract>
      <?line 92?>

<t>Signature-based authentication methods are utilized in the Internet Key Exchange Version 2 (IKEv2). The current version of the IKEv2 protocol, specified in RFC 7296, supports traditional digital signatures.</t>
      <t>This document specifies a generic mechanism for integrating post-quantum cryptographic (PQC) digital signature algorithms into the IKEv2 protocol. The approach allows for seamless inclusion of any PQC signature scheme within the existing authentication framework of IKEv2. Additionally, it outlines how Module-Lattice-Based Digital Signatures (ML-DSA) and Stateless Hash-Based Digital Signatures (SLH-DSA), can be employed as authentication methods within the IKEv2 protocol, as they have been standardized by US NIST.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-pqc/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        ipsecme Working Group mailing list (<eref target="mailto:ipsecme@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ipsec/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/ipsecme/"/>.
      </t>
    </note>
  </front>
  <middle>
    <?line 98?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Internet Key Exchange, or IKEv2 <xref target="RFC7296"/>, is a key agreement and security negotiation protocol; it is used for key establishment in IPsec. In the IKE_AUTH exchange, the initiator and responder independently select and use their preferred authentication method, which may differ between peers. The most common authentication method is digital signatures using asymmetric cryptography.  Currently, traditional digital signatures are defined for use within IKE_AUTH: RSA signatures, Elliptic Curve Digital Signature Algorithm (ECDSA) <xref target="RFC4754"/>,
and Edwards-curve Digital Signature Algorithm (EdDSA) <xref target="RFC8420"/>.</t>
      <t>The existence of a Cryptographically Relevant Quantum Computer (CRQC) would render traditional asymmetric algorithms obsolete and insecure. This is because the assumptions about the intractability of the mathematical problems these algorithms rely on, which offer confident levels of security today, no longer apply in the existence of a CRQC. Consequently, there is a requirement to update protocols and infrastructure to use post-quantum algorithms. Post-quantum algorithms are asymmetric algorithms designed to be secure against CRQCs as well as classical computers. The traditional cryptographic primitives that need to be replaced by post-quantum cryptographic (PQC) algorithms are discussed in PQC for Engineers <xref target="RFC9958"/>.</t>
      <t>This document defines a general approach to incorporating PQC digital signature algorithms into IKEv2 while maintaining interoperability and backward compatibility, as it does not change the IKEv2 protocol but adds negotiable PQC signature algorithms. Additionally, it outlines how Module-Lattice-Based Digital Signatures (ML-DSA) <xref target="FIPS204"/> and Stateless Hash-Based Digital Signatures (SLH-DSA) <xref target="FIPS205"/> can be employed as authentication methods within IKEv2, as they have been standardized the US National Institute of Standards and Technology (NIST) PQC project.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses terms defined in Terminology for Post-Quantum Traditional Hybrid Schemes <xref target="RFC9794"/>. For the purposes of this document, it is helpful to be able to divide cryptographic algorithms into two classes:</t>
      <t>"Asymmetric Traditional Cryptographic Algorithm": An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms, elliptic curve discrete logarithms, or related mathematical problems.</t>
      <t>"Post-Quantum Algorithm": An asymmetric cryptographic algorithm that is believed to be secure against attacks using quantum computers as well as classical computers. Post-quantum algorithms can also be called quantum-resistant or quantum-safe algorithms. Examples of quantum-resistant digital signature schemes include ML-DSA and SLH-DSA.</t>
    </section>
    <section anchor="general-framework-for-pqc-authentication-in-ikev2">
      <name>General Framework for PQC Authentication in IKEv2</name>
      <t>IKEv2 authentication commonly relies on digital signatures to verify the identity of communicating peers. The mechanism described in this document enables the use of any PQC digital signature algorithm without modifying core IKEv2 operations.</t>
      <section anchor="specifying-pqc-signature-algorithms">
        <name>Specifying PQC Signature Algorithms</name>
        <ul spacing="normal">
          <li>
            <t>IKEv2 can use arbitrary signature algorithms as described in Signature Authentication in IKEv2 <xref target="RFC7427"/>, where the "Digital Signature" authentication method supersedes previously defined signature authentication methods. Any PQC digital signature algorithm can be incorporated using the "Digital Signature" authentication method, as defined in <xref target="RFC7427"/>.</t>
          </li>
          <li>
            <t>DER encoded AlgorithmIdentifier ASN.1 objects will be used to uniquely identify PQC signature algorithm scheme and the parameter set associated with it. The AlgorithmIdentifier ASN.1 object is placed in the Authentication Data field of the Authentication payload (see Figure 2 of <xref target="RFC7427"/> for details).</t>
          </li>
        </ul>
      </section>
      <section anchor="sig">
        <name>Signature Generation and Verification</name>
        <t>PQC signatures may be generated in either deterministic or hedged modes. The terms deterministic and hedged used in this document are in accordance with ML-DSA <xref target="FIPS204"/> and SLH-DSA <xref target="FIPS205"/>, which define the ML-DSA and SLH-DSA algorithms. Future PQC signature algorithms may adopt different nomenclature, but will be expected to follow the same principles.</t>
        <t>In the deterministic mode, the signature is derived entirely from the message and the signer’s private key, without introducing fresh randomness at signing time. While this eliminates reliance on an external random number generator, it increases susceptibility to side-channel attacks, particularly fault injection attacks.</t>
        <t>The hedged mode provides some resistance against this risk by including precomputed randomness in the signer's private key and incorporating fresh randomness generated at signing time.
This foils some side channel attack approaches, while adding no additional strength against others.
If protection against side-channel attacks is required, an ML-DSA implementation that implements side-channel resistance should be used.</t>
        <t>In the context of signature-based authentication in IKEv2, the data used for generating a digital signature is unique for each session, as it includes session-specific information such as nonces. PQC signature algorithms can leverage the hedged variant within IKEv2 to enhance security against side-channel attacks. The choice between deterministic and hedged signing modes does not impact interoperability because the verification process remains the same for both variants.</t>
        <t>If the PQC signature algorithm uses a 'context' input parameter, it <bcp14>MUST</bcp14> be set to an empty string.</t>
        <t>Certain digital signature algorithms support two modes: "pure" mode and "pre-hash" mode. For example, ML-DSA and
SLH-DSA support both modes. In pure mode, the content is signed directly along with some domain separation
information. In contrast, pre-hash mode involves signing a digest of the message. This document specifies the use
of pure mode for signature-based authentication in IKEv2, where the message is signed directly along with domain separation information. The data used for authentication in IKEv2, as described in Section 2.15 of IKEv2 <xref target="RFC7296"/>, consists of elements such as nonces, SPIs, and initial exchange messages (messages preceding IKE_AUTH), which are typically within device memory constraints.</t>
        <section anchor="handsig">
          <name>Handling PQC Signatures in IKEv2</name>
          <t>As specified in Signature Authentication in IKEv2 <xref target="RFC7427"/>, both the initiator and responder <bcp14>MUST</bcp14> send the SIGNATURE_HASH_ALGORITHMS notify payload in the IKE_SA_INIT exchange to indicate the set of hash algorithms they support for signature generation and verification. The SIGNATURE_HASH_ALGORITHMS notify payload contains a list of 2-octet hash algorithm identifiers, defined in the IANA "IKEv2 Hash Algorithms" registry <xref target="IANA-IKEv2-Hash"/>.</t>
          <t>For PQC signature algorithms that inherently operate directly on the raw message without hashing, such as ML-DSA and SLH-DSA, only the 'Identity' hash function is applicable. The 'Identity' hash function (value 5) is defined in Section 2 of using EdDSA in IKEv2 <xref target="RFC8420"/> and indicates that the input message is used as-is, without any hash function applied. Therefore, implementations supporting such PQC signature algorithms <bcp14>MUST</bcp14> include the 'Identity' hash (5) in the SIGNATURE_HASH_ALGORITHMS notify. Furthermore, PQC signature algorithms requiring the 'Identity' hash <bcp14>MUST NOT</bcp14> be used with a peer that has not indicated support for the Identity hash in its notify payload.</t>
          <t>When generating a signature with a PQC signature algorithm, the IKEv2 implementation takes the InitiatorSignedOctets string or the ResponderSignedOctets string (as appropriate), logically sends it to the identity hash (which leaves it unchanged), and then passes it into the PQC signer as the message to be signed (with empty context string, if applicable). The resulting signature is placed into the Signature Value field of the Authentication Payload.</t>
          <t>When verifying a signature with a PQC signature algorithm, the IKEv2 implementation takes the InitiatorSignedOctets string or the ResponderSignedOctets string (as appropriate), logically sends it to the identity hash (which leaves it unchanged), and then passes it into the PQC signature verifier as the message to be verified (with empty context string, if applicable).</t>
          <t>IKEv2 peers supporting the PQC authentication mechanism defined in this specification <bcp14>MUST</bcp14> implement IKEv2 message fragmentation <xref target="RFC7383"/>, unless IKEv2 runs over a reliable transport (e.g., <xref target="RFC9329"/>) or the underlying network is known to support sufficiently large MTUs without fragmentation issues, since PQC public keys and signatures can be significantly larger than those used in traditional algorithms. 
For example, ML-DSA-44 requires a public key of 1,312 bytes and a signature of 2,420 bytes, while even the smallest SLH-DSA signature is around 7,856 bytes. As guidance, IKEv2 peers should assume a minimum PMTU of 1280 bytes for IPv6 (per <xref target="RFC8200"/>) and, where legacy IPv4 networks are a consideration, an effective MTU of 576 bytes for IPv4 (per <xref target="RFC1122"/>).</t>
        </section>
      </section>
      <section anchor="mechanisms-for-signaling-supported-key-pair-types">
        <name>Mechanisms for Signaling Supported Key Pair Types</name>
        <t>The following mechanisms can be used by peers to signal the types of digital signature algorithms and parameters they support:</t>
        <ul spacing="normal">
          <li>
            <t>Certificate Request Payload: One method to ascertain that the key pair type the initiator wants the responder to use is through a Certificate Request payload (defined in Section 3.7 of IKEv2 <xref target="RFC7296"/>) sent by the initiator. For example, the initiator can specify that it trusts certificates issued by a certificate authority (CA) that signs with a particular PQC signature algorithm. This implies that the initiator can process signatures generated using that algorithm, thereby allowing the responder to authenticate itself using a key pair associated with the specified PQC signature scheme.</t>
          </li>
          <li>
            <t>Authentication Method Announcement: Using Announcing Supported Authentication Method in IKEv2 <xref target="RFC9593"/>, which enables peers to declare their supported authentication methods. This improves interoperability when IKEv2 peers are configured with multiple credential types of different type to authenticate each other. The responder includes a SUPPORTED_AUTH_METHODS notification in the IKE_SA_INIT response message, listing the  signature scheme(s) it supports under the Digital Signature authentication method. The initiator includes the SUPPORTED_AUTH_METHODS notification in either the IKE_AUTH request message or in the IKE_INTERMEDIATE request. This notification lists the digital signature scheme(s) supported by the initiator, ordered by preference.</t>
          </li>
        </ul>
        <t>In traditional IKEv2 deployments, peers often implicitly know the signature algorithms in use based on pre-configured certificates, trusted CAs, and IKEv2 policies. However, cryptographic agility, the ability to negotiate and use different cryptographic algorithms is gaining increased attention for ensuring long-term security and interoperability. This requirement becomes even more relevant with the introduction of PQC algorithms, where multiple signature algorithms with varying security levels and performance characteristics may need to be supported over time.</t>
      </section>
    </section>
    <section anchor="ml-dsa">
      <name>Specifying ML-DSA within IKEv2</name>
      <t>ML-DSA <xref target="FIPS204"/> is a digital signature algorithm based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem ((commonly referred to as MLWE)). The design of the algorithm is based on the "Fiat-Shamir with Aborts" <xref target="Lyu09"/> framework introduced by Lyubashevsky that leverages rejection sampling to render lattice- based Fiat-Shamir (FS) schemes compact and secure. ML-DSA uses a uniform distribution over small integers for computing coefficients in error vectors, which simplifies implementation compared to schemes requiring discrete Gaussian sampling.</t>
      <t>ML-DSA is instantiated with three parameter sets for the PQ Security Levels 2, 3, and 5 (see Table 2 in Section 11 of PQC for Engineers <xref target="RFC9958"/>). Security properties of ML-DSA are discussed in Section 9 of PKIX Algorithm Identifiers for ML-DSA <xref target="RFC9881"/>. This document specifies the use of the ML-DSA algorithm in IKEv2 at three security levels: ML-DSA-44, ML-DSA-65, and ML-DSA-87. The DER encodings of the AlgorithmIdentifier objects for ML-DSA-44, ML-DSA-65, and ML-DSA-87 are listed in <xref target="ASN"/>.</t>
    </section>
    <section anchor="slh-dsa">
      <name>Specifying SLH-DSA within IKEv2</name>
      <t>SLH-DSA <xref target="FIPS205"/> utilizes the concept of stateless hash-based signatures. In contrast to stateful signature algorithms such as the eXtended Merkle Signature Scheme (XMSS) <xref target="RFC8391"/> or Hierarchical Signature System/Leighton-Micali Signature (HSS/LMS) <xref target="RFC8554"/>, SLH-DSA eliminates the need for maintaining state information during the signing process. SLH-DSA is designed to sign up to 2^64 messages and it offers three security levels. The parameters for PQ Security Levels 1, 3, and 5 were chosen to provide AES-128, AES-192, and AES-256 bits of security respectively (see Table 2 in Section 11 of PQC for Engineers <xref target="RFC9958"/>). This document specifies the use of the SLH-DSA algorithm in IKEv2 at each level.</t>
      <t>Each security level (1, 3, and 5) defines two variants of the algorithm: a small (S) version and a fast (F) version. The small version prioritizes smaller signature sizes, making them suitable for resource-constrained  IoT devices. Conversely, the fast version prioritizes speed over signature size, minimizing the time required to generate signatures. However, signature verification with the small version is faster than with the fast version. For hash function selection, the algorithm uses SHA-256 (<xref target="FIPS180"/>) for security level 1 and both SHA-256 and SHA-512 (<xref target="FIPS180"/>) for security levels 3 and 5. Alternatively, SHAKE256 (<xref target="FIPS202"/>) can be used across all security levels. Those hash function selections are internal to SLH-DSA implementations, and are not to be confused with those in the SIGNATURE_HASH_ALGORITHMS notification payload.</t>
      <t>ML-DSA outperforms SLH-DSA in both signature generation and validation time, as well as signature size. SLH-DSA, in contrast, offers smaller key sizes but larger signature sizes.</t>
      <t>The following combinations are defined in SLH-DSA <xref target="FIPS205"/>:</t>
      <ul spacing="normal">
        <li>
          <t>SLH-DSA-128S-SHA2</t>
        </li>
        <li>
          <t>SLH-DSA-128F-SHA2</t>
        </li>
        <li>
          <t>SLH-DSA-192S-SHA2</t>
        </li>
        <li>
          <t>SLH-DSA-192F-SHA2</t>
        </li>
        <li>
          <t>SLH-DSA-256S-SHA2</t>
        </li>
        <li>
          <t>SLH-DSA-256F-SHA2</t>
        </li>
        <li>
          <t>SLH-DSA-128S-SHAKE</t>
        </li>
        <li>
          <t>SLH-DSA-128F-SHAKE</t>
        </li>
        <li>
          <t>SLH-DSA-192S-SHAKE</t>
        </li>
        <li>
          <t>SLH-DSA-192F-SHAKE</t>
        </li>
        <li>
          <t>SLH-DSA-256S-SHAKE</t>
        </li>
        <li>
          <t>SLH-DSA-256F-SHAKE</t>
        </li>
      </ul>
      <t>SLH-DSA does not introduce a new hardness assumption beyond those inherent to the underlying hash functions. It builds upon established foundations in cryptography, making it a reliable and robust digital signature scheme in the face of a CRQC. While attacks on lattice-based schemes like ML-DSA are hypothetical as of 2026, such attacks, if realized, could compromise their security. SLH-DSA would remain unaffected by these attacks due to its distinct mathematical foundations. This ensures the continued security of systems and protocols that utilize SLH-DSA for digital signatures.</t>
      <t>The DER encodings of the AlgorithmIdentifier objects for each SLH-DSA variant are listed in <xref target="ASN"/>.</t>
    </section>
    <section anchor="use-of-ml-dsa-and-slh-dsa">
      <name>Use of ML-DSA and SLH-DSA</name>
      <t>Both ML-DSA and SLH-DSA offer deterministic and hedged signing modes, where the hedged signing modes includes fresh randomness in the signing procedure.
IKEv2 peers can use either mode of ML-DSA and SLH-DSA for authentication in IKEv2, with a preference for using the hedged mode (<xref target="sig"/>).</t>
      <t>The three security levels of ML-DSA are identified via AlgorithmIdentifier ASN.1 objects, as specified in NIST <xref target="CSOR"/> and referenced in PKIX Algorithm Identifiers for the ML-DSA <xref target="RFC9881"/>. <xref target="FIPS204"/> defines both a pure and a pre-hash variant of ML-DSA, but PKIX Algorithm Identifiers for the ML-DSA <xref target="RFC9881"/> specifies only the pure variant.</t>
      <t>The different parameter sets of SLH-DSA are identified via AlgorithmIdentifier ASN.1 objects, as specified in NIST <xref target="CSOR"/> and referenced in PKIX Algorithm
Identifiers for the SLH-DSA <xref target="RFC9909"/>. <xref target="FIPS205"/> defines two signature modes: pure mode and pre-hash mode. PKIX Algorithm Identifiers for the SLH-DSA <xref target="RFC9909"/> specifies the use of both Pure SLH-DSA and HashSLH-DSA in Public Key Infrastructure X.509 (PKIX) certificates and Certificate Revocation Lists (CRLs).</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document makes no requests to IANA.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>PQC signature algorithms are generally modeled to achieve strong unforgeability under adaptive chosen-message attacks (SUF-CMA; see Section 10.1.1 of PQC for Engineers <xref target="RFC9958"/>). For example, ML-DSA provides SUF-CMA security. However, some algorithms, such as SLH-DSA, achieve existential unforgeability under chosen-message attacks (EUF-CMA; see Section 10.1.1 of PQC for Engineers <xref target="RFC9958"/>). This distinction does not impact IKEv2, as the signed data in each session is unique due to the inclusion of nonces. Consequently, the oracle-based forgery attack scenarios in the EUF-CMA model do not arise in IKEv2.</t>
      <t>Different PQC signature schemes are designed to provide security levels comparable to well-established cryptographic primitives. For example, some schemes align with the US NIST post-quantum security categories (Categories 1 through 5) as discussed in ML-DSA  <xref target="FIPS204"/> and SLH-DSA <xref target="FIPS205"/>. These categories specify target security strengths that correspond approximately to exhaustive key-search resistance for AES-128, AES-192, and AES-256, and collision-search resistance for SHA-256, SHA-384, and SHA-512. The choice of a PQC signature algorithm should be guided by the desired security level and performance requirements.</t>
      <t>ML-DSA-44, ML-DSA-65, and ML-DSA-87 are designed to offer security comparable with the SHA-256/SHA3-256 collision resistance (which is a harder problem than AES-128 key search), AES-192 key search, and AES-256 key search, respectively. Similarly, SLH-DSA-128{S,F}-{SHA2,SHAKE}, SLH-DSA-192{S,F}-{SHA2,SHAKE}, and SLH-DSA-256{S,F}-{SHA2,SHAKE} are designed to offer security comparable with the AES-128, AES-192, and AES-256 respectively.</t>
      <t>The Security Considerations section of PKIX Algorithm Identifiers for ML-DSA <xref target="RFC9881"/> and PKIX Algorithm Identifiers for SLH-DSA <xref target="RFC9909"/> apply to this specification as well.</t>
      <t>SLH-DSA keys are limited to 2^64 signatures. This upper bound is so large that even a IKEv2 server establishing IKEv2 sessions at an extremely high rate could not realistically reach it (at 10 billion signatures per second, it would still take over 58 years). The limit is therefore of theoretical interest only, but implementations may still track signature usage as a precautionary security measure. ML-DSA does not have a built-in signature limit, allowing for an arbitrary number of signatures to be made with the same key.</t>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Stefaan De Cnodder, Loganaden Velvindron, Paul Wouters, Andreas Steffen, Dan Wing, Wang Guilin, Rebecca Guthrie, Jonathan Hammell, Eric Vyncke, John Mattsson, Tero Kivinen and Daniel Van Geest for the discussion and comments.</t>
      <!-- Start of Appendices -->

</section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9593">
          <front>
            <title>Announcing Supported Authentication Methods in the Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
            <date month="July" year="2024"/>
            <abstract>
              <t>This specification defines a mechanism that allows implementations of the Internet Key Exchange Protocol Version 2 (IKEv2) to indicate the list of supported authentication methods to their peers while establishing IKEv2 Security Associations (SAs). This mechanism improves interoperability when IKEv2 partners are configured with multiple credentials of different types for authenticating each other.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9593"/>
          <seriesInfo name="DOI" value="10.17487/RFC9593"/>
        </reference>
        <reference anchor="RFC7427">
          <front>
            <title>Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)</title>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <author fullname="J. Snyder" initials="J." surname="Snyder"/>
            <date month="January" year="2015"/>
            <abstract>
              <t>The Internet Key Exchange Version 2 (IKEv2) protocol has limited support for the Elliptic Curve Digital Signature Algorithm (ECDSA). The current version only includes support for three Elliptic Curve groups, and there is a fixed hash algorithm tied to each group. This document generalizes IKEv2 signature support to allow any signature method supported by PKIX and also adds signature hash algorithm negotiation. This is a generic mechanism and is not limited to ECDSA; it can also be used with other signature algorithms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7427"/>
          <seriesInfo name="DOI" value="10.17487/RFC7427"/>
        </reference>
        <reference anchor="RFC8420">
          <front>
            <title>Using the Edwards-Curve Digital Signature Algorithm (EdDSA) in the Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document describes the use of the Edwards-curve Digital Signature Algorithm (EdDSA) in the Internet Key Exchange Protocol Version 2 (IKEv2).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8420"/>
          <seriesInfo name="DOI" value="10.17487/RFC8420"/>
        </reference>
        <reference anchor="FIPS204" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf">
          <front>
            <title>FIPS 204: Module-Lattice-Based Digital Signature Standard</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="FIPS205" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf">
          <front>
            <title>FIPS 205: Stateless Hash-Based Digital Signature Standard</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="FIPS180" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">
          <front>
            <title>US NIST, Secure Hash Standard (SHS), FIPS PUB 180-4, August 2015</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="FIPS202" target="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf">
          <front>
            <title>US NIST, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, FIPS PUB 202, August 2015.</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="CSOR" target="https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration">
          <front>
            <title>Computer Security Objects Register</title>
            <author initials="" surname="US NIST" fullname="US National Institute of Standards and Technology">
              <organization/>
            </author>
            <date year="2024" month="August" day="20"/>
          </front>
        </reference>
        <reference anchor="RFC7296">
          <front>
            <title>Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="C. Kaufman" initials="C." surname="Kaufman"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="October" year="2014"/>
            <abstract>
              <t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="79"/>
          <seriesInfo name="RFC" value="7296"/>
          <seriesInfo name="DOI" value="10.17487/RFC7296"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC7383">
          <front>
            <title>Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation</title>
            <author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
            <date month="November" year="2014"/>
            <abstract>
              <t>This document describes a way to avoid IP fragmentation of large Internet Key Exchange Protocol version 2 (IKEv2) messages. This allows IKEv2 messages to traverse network devices that do not allow IP fragments to pass through.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7383"/>
          <seriesInfo name="DOI" value="10.17487/RFC7383"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="Lyu09" target="https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf">
          <front>
            <title>V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures“, ASIACRYPT 2009</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="IANA-IKEv2-Hash" target="https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#hash-algorithms">
          <front>
            <title>Internet Key Exchange Version 2 (IKEv2) Parameters. IKEv2 Hash Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC4754">
          <front>
            <title>IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
            <author fullname="D. Fu" initials="D." surname="Fu"/>
            <author fullname="J. Solinas" initials="J." surname="Solinas"/>
            <date month="January" year="2007"/>
            <abstract>
              <t>This document describes how the Elliptic Curve Digital Signature Algorithm (ECDSA) may be used as the authentication method within the Internet Key Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols. ECDSA may provide benefits including computational efficiency, small signature sizes, and minimal bandwidth compared to other available digital signature methods. This document adds ECDSA capability to IKE and IKEv2 without introducing any changes to existing IKE operation. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4754"/>
          <seriesInfo name="DOI" value="10.17487/RFC4754"/>
        </reference>
        <reference anchor="RFC9958">
          <front>
            <title>Post-Quantum Cryptography for Engineers</title>
            <author fullname="A. Banerjee" initials="A." surname="Banerjee"/>
            <author fullname="T. Reddy.K" initials="T." surname="Reddy.K"/>
            <author fullname="D. Schoinianakis" initials="D." surname="Schoinianakis"/>
            <author fullname="T. Hollebeek" initials="T." surname="Hollebeek"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>The advent of a cryptographically relevant quantum computer (CRQC) would render state-of-the-art, traditional public key algorithms deployed today obsolete, as the mathematical assumptions underpinning their security would no longer hold. To address this, protocols and infrastructure must transition to post-quantum algorithms, which are designed to resist both traditional and quantum attacks. This document explains why engineers need to be aware of and understand post-quantum cryptography (PQC), and it details the impact of CRQCs on existing systems and the challenges involved in transitioning to post-quantum algorithms. Unlike previous cryptographic updates, this shift may require significant protocol redesign due to the unique properties of post-quantum algorithms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9958"/>
          <seriesInfo name="DOI" value="10.17487/RFC9958"/>
        </reference>
        <reference anchor="RFC9794">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="F. Driscoll" initials="F." surname="Driscoll"/>
            <author fullname="M. Parsons" initials="M." surname="Parsons"/>
            <author fullname="B. Hale" initials="B." surname="Hale"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9794"/>
          <seriesInfo name="DOI" value="10.17487/RFC9794"/>
        </reference>
        <reference anchor="RFC9329">
          <front>
            <title>TCP Encapsulation of Internet Key Exchange Protocol (IKE) and IPsec Packets</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
            <date month="November" year="2022"/>
            <abstract>
              <t>This document describes a method to transport Internet Key Exchange Protocol (IKE) and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP. This method, referred to as "TCP encapsulation", involves sending both IKE packets for Security Association (SA) establishment and Encapsulating Security Payload (ESP) packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP.</t>
              <t>TCP encapsulation for IKE and IPsec was defined in RFC 8229. This document clarifies the specification for TCP encapsulation by including additional clarifications obtained during implementation and deployment of this method. This documents obsoletes RFC 8229.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9329"/>
          <seriesInfo name="DOI" value="10.17487/RFC9329"/>
        </reference>
        <reference anchor="RFC8200">
          <front>
            <title>Internet Protocol, Version 6 (IPv6) Specification</title>
            <author fullname="S. Deering" initials="S." surname="Deering"/>
            <author fullname="R. Hinden" initials="R." surname="Hinden"/>
            <date month="July" year="2017"/>
            <abstract>
              <t>This document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="86"/>
          <seriesInfo name="RFC" value="8200"/>
          <seriesInfo name="DOI" value="10.17487/RFC8200"/>
        </reference>
        <reference anchor="RFC1122">
          <front>
            <title>Requirements for Internet Hosts - Communication Layers</title>
            <author fullname="R. Braden" initials="R." role="editor" surname="Braden"/>
            <date month="October" year="1989"/>
            <abstract>
              <t>This RFC is an official specification for the Internet community. It incorporates by reference, amends, corrects, and supplements the primary protocol standards documents relating to hosts. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="3"/>
          <seriesInfo name="RFC" value="1122"/>
          <seriesInfo name="DOI" value="10.17487/RFC1122"/>
        </reference>
        <reference anchor="RFC9881">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
            <author fullname="J. Massimo" initials="J." surname="Massimo"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="B. E. Westerbaan" initials="B. E." surname="Westerbaan"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>Digital signatures are used within X.509 certificates and Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using FIPS 204, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 certificates and CRLs. The conventions for the associated signatures, subject public keys, and private key are also described.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9881"/>
          <seriesInfo name="DOI" value="10.17487/RFC9881"/>
        </reference>
        <reference anchor="RFC8391">
          <front>
            <title>XMSS: eXtended Merkle Signature Scheme</title>
            <author fullname="A. Huelsing" initials="A." surname="Huelsing"/>
            <author fullname="D. Butin" initials="D." surname="Butin"/>
            <author fullname="S. Gazdag" initials="S." surname="Gazdag"/>
            <author fullname="J. Rijneveld" initials="J." surname="Rijneveld"/>
            <author fullname="A. Mohaisen" initials="A." surname="Mohaisen"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system that is based on existing descriptions in scientific literature. This note specifies Winternitz One-Time Signature Plus (WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building block. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8391"/>
          <seriesInfo name="DOI" value="10.17487/RFC8391"/>
        </reference>
        <reference anchor="RFC8554">
          <front>
            <title>Leighton-Micali Hash-Based Signatures</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="M. Curcio" initials="M." surname="Curcio"/>
            <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This note describes a digital-signature system based on cryptographic hash functions, following the seminal work in this area of Lamport, Diffie, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifies a one-time signature scheme and a general signature scheme. These systems provide asymmetric authentication without using large integer mathematics and can achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and are naturally resistant to side-channel attacks. Unlike many other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This has been reviewed by many researchers, both in the research group and outside of it. The Acknowledgements section lists many of them.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8554"/>
          <seriesInfo name="DOI" value="10.17487/RFC8554"/>
        </reference>
        <reference anchor="RFC9909">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA)</title>
            <author fullname="K. Bashiri" initials="K." surname="Bashiri"/>
            <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
            <author fullname="S. Gazdag" initials="S." surname="Gazdag"/>
            <author fullname="D. Van Geest" initials="D." surname="Van Geest"/>
            <author fullname="S. Kousidis" initials="S." surname="Kousidis"/>
            <date month="December" year="2025"/>
            <abstract>
              <t>Digital signatures are used within the X.509 Public Key Infrastructure, such as X.509 certificates and Certificate Revocation Lists (CRLs), as well as to sign messages. This document specifies the conventions for using the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) in the X.509 Public Key Infrastructure. The conventions for the associated signatures, subject public keys, and private keys are also specified.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9909"/>
          <seriesInfo name="DOI" value="10.17487/RFC9909"/>
        </reference>
      </references>
    </references>
    <?line 256?>

<section anchor="implementation-alternatives-for-ml-dsa">
      <name>Implementation Alternatives for ML-DSA</name>
      <t>With ML-DSA, there are two different approaches to implementing the signature process.
The first one is to provide the SignedOctets string to the cryptographic library to generate the full signature; this works for SLH-DSA as well.</t>
      <t>The second approach involves using the Externalμ-ML-DSA API allowed by <xref target="FIPS204"/>; specifically by the comment to line 6 of algorithm 7 of FIPS 204.
In this method, the implementation calls the External μ pre-hashing mode with the SignedOctets string and the ML-DSA public key, which externalizes the message pre-hashing originally performed inside the signing operation (see Appendix D of <xref target="RFC9881"/> for ML-DSA pre-hashing). The resulting μ value is then passed to the cryptographic library to execute the Externalμ-ML-DSA.Sign API, which uses μ and the ML-DSA private key to produce the signature. This document specifies only the use of ML-DSA's External μ mode and does not use HashML-DSA. This approach avoids requiring large message inputs to be processed within potentially constrained cryptographic modules, such as Hardware Security Modules (HSMs).</t>
      <t>Both approaches are considered "pure" mode and produce the same ML-DSA signature and are fully interoperable. The choice between them depends on implementation preferences, such as whether the External μ pre-hashing step is handled internally by the cryptographic module or performed explicitly by the IKEv2 implementation.</t>
    </section>
    <section anchor="ASN">
      <name>ASN.1 Objects</name>
      <t>This section lists AlgorithmIdentifier ASN.1 objects for algorithms mentioned in the document in binary form.<br/>
This section is not normative, and these values should only be used as
examples. If the ASN.1 object listed in this section and the ASN.1
object specified by the algorithm differ, then the algorithm
specification must be used.</t>
      <t>The generic format for the AlgorithmIdentifier ASN.1 object is defined in Section 4.1.1.2 of PKIX <xref target="RFC5280"/>.</t>
      <section anchor="ml-dsa-44">
        <name>ML-DSA-44</name>
        <t>id-ml-dsa-44 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-ml-dsa-44(17) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-ml-dsa-44, oid = 2.16.840.1.101.3.4.3.17
Length = 13
0000: 300b 0609 6086 4801 6503 0403 11
]]></artwork>
      </section>
      <section anchor="ml-dsa-65">
        <name>ML-DSA-65</name>
        <t>id-ml-dsa-65 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-ml-dsa-65(18) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-ml-dsa-65, oid = 2.16.840.1.101.3.4.3.18
Length = 13
0000: 300b 0609 6086 4801 6503 0403 12
]]></artwork>
      </section>
      <section anchor="ml-dsa-87">
        <name>ML-DSA-87</name>
        <t>id-ml-dsa-87 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-ml-dsa-87(19) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-ml-dsa-87, oid = 2.16.840.1.101.3.4.3.19
Length = 13
0000: 300b 0609 6086 4801 6503 0403 13
]]></artwork>
      </section>
      <section anchor="slh-dsa-128s-sha2">
        <name>SLH-DSA-128S-SHA2</name>
        <t>id-slh-dsa-sha2-128s OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-sha2-128s(20) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-sha2-128s, oid = 2.16.840.1.101.3.4.3.20
Length = 13
0000: 300b 0609 6086 4801 6503 0403 14
]]></artwork>
      </section>
      <section anchor="slh-dsa-128f-sha2">
        <name>SLH-DSA-128F-SHA2</name>
        <t>id-slh-dsa-sha2-128f OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-sha2-128f(21) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-sha2-128f, oid = 2.16.840.1.101.3.4.3.21
Length = 13
0000: 300b 0609 6086 4801 6503 0403 15
]]></artwork>
      </section>
      <section anchor="slh-dsa-192s-sha2">
        <name>SLH-DSA-192S-SHA2</name>
        <t>id-slh-dsa-sha2-192s OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-sha2-192s(22) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-sha2-192s, oid = 2.16.840.1.101.3.4.3.22
Length = 13
0000: 300b 0609 6086 4801 6503 0403 16
]]></artwork>
      </section>
      <section anchor="slh-dsa-192f-sha2">
        <name>SLH-DSA-192F-SHA2</name>
        <t>id-slh-dsa-sha2-192f OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-sha2-192f(23) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-sha2-192f, oid = 2.16.840.1.101.3.4.3.23
Length = 13
0000: 300b 0609 6086 4801 6503 0403 17
]]></artwork>
      </section>
      <section anchor="slh-dsa-256s-sha2">
        <name>SLH-DSA-256S-SHA2</name>
        <t>id-slh-dsa-sha2-256s OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-sha2-256s(24) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-sha2-256s, oid = 2.16.840.1.101.3.4.3.24
Length = 13
0000: 300b 0609 6086 4801 6503 0403 18
]]></artwork>
      </section>
      <section anchor="slh-dsa-256f-sha2">
        <name>SLH-DSA-256F-SHA2</name>
        <t>id-slh-dsa-sha2-256f OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-sha2-256f(25) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-sha2-256f, oid = 2.16.840.1.101.3.4.3.25
Length = 13
0000: 300b 0609 6086 4801 6503 0403 19
]]></artwork>
      </section>
      <section anchor="slh-dsa-128s-shake">
        <name>SLH-DSA-128S-SHAKE</name>
        <t>id-slh-dsa-shake-128s OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-shake-128s(26) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-shake-128s, oid = 2.16.840.1.101.3.4.3.26
Length = 13
0000: 300b 0609 6086 4801 6503 0403 1a
]]></artwork>
      </section>
      <section anchor="slh-dsa-128f-shake">
        <name>SLH-DSA-128F-SHAKE</name>
        <t>id-slh-dsa-shake-128f OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-shake-128f(27) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-shake-128f, oid = 2.16.840.1.101.3.4.3.27
Length = 13
0000: 300b 0609 6086 4801 6503 0403 1b
]]></artwork>
      </section>
      <section anchor="slh-dsa-192s-shake">
        <name>SLH-DSA-192S-SHAKE</name>
        <t>id-slh-dsa-shake-192s OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-shake-192s(28) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-shake-192s, oid = 2.16.840.1.101.3.4.3.28
Length = 13
0000: 300b 0609 6086 4801 6503 0403 1c
]]></artwork>
      </section>
      <section anchor="slh-dsa-192f-shake">
        <name>SLH-DSA-192F-SHAKE</name>
        <t>id-slh-dsa-shake-192f OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-shake-192f(29) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-shake-192f, oid = 2.16.840.1.101.3.4.3.29
Length = 13
0000: 300b 0609 6086 4801 6503 0403 1d
]]></artwork>
      </section>
      <section anchor="slh-dsa-256s-shake">
        <name>SLH-DSA-256S-SHAKE</name>
        <t>id-slh-dsa-shake-256s OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-shake-256s(30) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-shake-256s, oid = 2.16.840.1.101.3.4.3.30
Length = 13
0000: 300b 0609 6086 4801 6503 0403 1e
]]></artwork>
      </section>
      <section anchor="slh-dsa-256f-shake">
        <name>SLH-DSA-256F-SHAKE</name>
        <t>id-slh-dsa-shake-256f OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) sigAlgs(3) id-slh-dsa-shake-256f(31) }</t>
        <t>Parameters are absent.</t>
        <artwork><![CDATA[
Name = id-slh-dsa-shake-256f, oid = 2.16.840.1.101.3.4.3.31
Length = 13
0000: 300b 0609 6086 4801 6503 0403 1f
]]></artwork>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1d63LbRpb+j6fokas21BRJidRdmZmE0SXSRLIVUbZnamo2
1QSaJEYgwKAByRyXt+Y1tmp/7LPso8yT7Ll0Nxq8SbK3dv1jXUlMgkD36dPn
8p1LI61WKyjiIlHHYqMfj1JZlLkSvbIYq7SIQ1nEWSriVMB3cZkWKk9VIX5S
M3H2IRzLdKTEO5VrvKkrGpc/nT10N0Wp43Qkbn4+2QjkYJCrBxgbvi0ZlR7Y
COCCGmX57FjoIgqCKAtTOQGKolwOi1asimErnmoVTlQrvlcP3db017AlYbRA
l4NJrHH+YjaFJy7P7s6DtJwMVH4cRDDscRBmqVapLvWxKPJSBUDNTiBzJXHF
KizzuJhtBI9Zfj/Ks3IKV81cG8G9msH16DgQLVwO/kUU44fTeBQXMhGOaXjx
+qp12u/hp/7VBX0MHlRaAhVCLIwuBNO88R7mRo79iHfg9YmMk+rO75EB7Swf
4U8yD8fw07gopvp4awvvxEvxg2rb27bwwtYgzx612qIxtjaCINCFTKNfZJKl
MOdM6WAaH4u/FFnYFDrLi1wNNXyaTcyHIo/DoinCbDKBPYMrsCsTOZ0CoX8N
AmR+liNjgCYhhmWS8JbdxXk5kYnSjzIXtyqKZnQDkCXT+O+08cfidXYfS7oe
AvOPxQ8gSEAY8hD+5GpEd/0kc+CsvDd3ZmVaoIhcppF5WBk+3WdpVMT59yP8
3gaKNxbpegc05TPRn8x0kj0soens6t1lv3Vz9bZfn+62BPGSqThXkcrp3trc
+kGm36vkIdbtvFwybz/MikKcJ+U4V/mSaU9iHWaiP9OFmuj6yEN+6PsQb+Fl
BWmWT+DJB5Ko2/OTo72jHfPxYLd7YD4e7na38eP55U2/u717TOMKq+Z4VeBl
cZ1FZaJaV7IApVStH6RW0aJgiz5KjsyjDTOOzEeqOBZWBtOHZFoOdDuNddEe
ZQ9b+AGvbOFMW68v+3dt/NSGOdvTaCh4GNJOMZSJVo7UveWk7h0jDYUCsdLi
Qurx/wKpe2tJ7Rxuz5H6ti/w8aYgm6KITEeOaPQv+ptNelTcvP1BwPOt3SZY
xFGpC1hhZ+9LKaYRn2BvdyXNF73WjqP2WNyofFIWJKKG1bQc+BnsfqHgrgHI
zZsSKAHhLtMQ79Te+mCu2uraL17eECwXfWvjJ9iQ7srFnfTf3PLK5ocPdR5W
Y0/z7G8qLPQW6BIQrvKWNva/lQ3olxbaHlDFfEsm4JDiYjwxlzzVN9w7MYMI
60TEGx4EzB4PQnc7S0l/2Cgg32k8kN3LVMOAMJDIhm4HNLH6ToXjNEuy0cw8
HaeaH4ZNCyo+AG92W9uHre52EMTp0DcRV7Ny+8hObrf9XRuvD2BH1YO+nzXF
P//xH+exLFr9sZzEuXgP6xa9ATgFmK43nSbGY2tRZMIYCyLwXIYFcCkdGSFx
eqhhRNj//mXv5PbPN3dA4fbRhqVibo8eHx/bsQxz57qA9C2p8dJsWuCTW3tH
HVDIo333AUXBDFcXBTB+e13Wzcve616L3HULhXe5gPDkqeTJwdKPUnJ3WwZn
yBw2DLZy8UL7w7iYJK/GaI2csGhfQDaei5duqkEZX7C29dyoG0skCQjGKWCR
G8E8H4IWoDr8j5ADFN2wCAK3N60B7ZWsgzGYf5yh3IHpKos4if8O97wM97XF
HdwMupDDuOLB/AxSTWPQukADAXBkCeCLqQrjYcyTwK6Jg+7RPlwup1OUO4Bq
MoqNikTGzGsnXu0guBvHGjFJifvlhoMFiJFKFYAXWBJSGuuJAJWAaQBjohYD
0Jpmumj9Wsq0KCeCxCyDn6ZjeKgBOG9zcUZRbTGOlC1ZEy8fEFKeyRBsZZIA
AKOptZITcl1xGial5YpMZwgqvTl0OFYTJR5hGsN59QEMCVI8t1tDFBiErDgQ
kdEWvcgyLAGVjguRlUUSp8CScfb4TFevRYMh7Cbp9/OcLjxk0C54uBCg0gAI
n0yTbIZipldJmrfMeeGAh+DyTIzlg4LRVCq0MYwkloOZNYJtlvJJHEUJiP0r
FNUcVkr+CGVkhfA2QX3MrB8/fofgCaTv0ydgGwoQwH4hR7lSJFrICOsnRApx
ShHzQiy93yKz4cESuYP7jc8roHiQxHpMY2CocwODgH67Ff/Se3t3ATtsKcLL
cRrj6DAGzgqsnQK0VSi8kZqC24WxkhlQk4CfoVtgTnwQjPYUcLsC1Vuh2U3x
COI9htBiBtI9hFuBscUj8naqyPIgsyagGAT54bmlw+A6F9XRRHwSoge4DXXP
U6pZGzw0GwUUzPWKTfYnUkOQW+YlLtBIiuUZYPJ+z3umKc6SJJ4CpTgPSMwi
LHSmVDTOTki8edt3D/Z2YdsDAjbRI3reVviMMSIzhsHanz61BUsbKaxKQ/Lm
Upz4tgUVE7BBoiBkKMTPxvw4GNE4uUXT85iVCW497bvPLI+7njHKBjpLwHeQ
NAA+IPCJmwkbBf8MVCiNjMAAupxM2ZHLAVgHI3LkIOQAbD4IuDHXgCDAFknc
/QQFHeDehJRS10xhrmBJWWqFKyO5goB7GKOoCliqSjSO6RSoyCIJUpBmAgLR
EdwNBhPG8O2dxz7gSBs4BMv6tbTyM1awGaSnOVyNc9ZSMMnlFH2gU0ttWAK2
EnwgmATcRLwNllBzANV62uJm+Q8klss3IFIoiSCtMDQYPt4AMB8SNqOgFWi0
Z48qwS0UYYIoA7lqQahRPX+r6y5pmseTGAEdboAswAa52XI1TWTIJvFJpza3
nAjCSoht2QOjI0J1O0tHoHpAlFGQo6O9Q5DueXfLGuqcLUqn9XtAGLi5LAc3
zs4Wh37an7IxBjFKUPjgEvyLT6PbzrMpzGEEFDd1IMN7VFbiIczCP5HfAFMc
ZUBZmoEhY6Cy6GHEAIRfRuCEjD0H8Z7zxb5Q/A971o8fTVz+6dPneVk3wh6M
8GKHS6x40sci014cpogGOuVNYqUJttAwvkIVfkCKyPTAI6coP8RTzXYTXSam
2rTYuH7bv9to8t/i9Rv6fHv289vL27NT/Ayx6tWV+xCYO/oXb95enVafqidP
3lxfn70+5YfhqqhdCjaue3+GX5CqjTc3d5dvXveuNtge+RIv2XgMFEskeNuC
mB2A/od5PGA1+uHk5r/+s7MLG/QbUJ5up3MEO8RfDjsHuOGPsDM8W5aC3eOv
uBEBaJCS6OoROsK2TnH/NW2UBjlLBRo+0MTf/gU589dj8btBOO3s/sFcwAXX
Llqe1S4SzxavLDzMTFxyack0jpu163OcrtPb+3Ptu+W7d/F336GGiVbn8Ls/
BPPmB0w4SK/KyfwyVgC23cGF2Agi2jKy5dbN3nnm9WI2yGPQO4LbztIdHO2i
Hz+HJ1H4pyWYMJyHPKI3e9PAvbFKpsMyMVJBJgQ+RvED+L45+7sQPDxm7AiU
Pg6CjV7lWHwya+Chgh8bEJOnK7CWP5fgOI8S7RD6gKsdcriuSaebglRQwV8K
AAd6A5RpcMsjybQ2hbK4ijHR0nuAXYACJGrDUtCABmCjthUvXwm5PUIzSQyQ
YoWvBQMMfsGCUecJrZt90guv8v1oYUETaUoEcTC/uasFZjlGs1kgG+xFLYd1
/3H2QYJ1ZlFafHLRN2ojmBQugjCx42BfwS6gjUb1R+N6z10wSFK/utASsBec
cw8M98EW5chdjQKzBJcDxyGij4czBo0I7wxcxOfLlEbD0NoLJlz8XbORdbuq
UtQc8kWEzLzAeA1oIF+GCHaSQTAzw4kBclg3T3CBnAt5n1eiT9mBmUUjSzC9
Dkxph3YbCZH5IAZMls+Wgxap66taVzuzgeZvTJYeA81HgrG46o0FV7+xIvbS
JSwMdBrYBf7nIc5KDdtmLaBH5lL/DzjmGYw1cKKCcCoyCvUiWpvMIGebKVTi
tbeB1adnt7DzYRbBr24PLkmowBzlotd/3e4Ik5SFzQatHSgOsBHBpzGEAxg1
8BPzeZRqNSajgppDNt0m2sB0FBgPZWFMK0RxArPOcvsUQWiJDOw2Ycvclp/K
QhqzasKpuRumcpZkMhINrZQ4j0dIdBfv9dhEyhwpwMGJ3myzGLsVsurTWLi2
d6iZdvCPr4ATn4KgxhNNgT/wkPF6wbSrGKMpnIVcJ+aaQrRkYxWN0J7D/tjo
xDhb/0ac2dxZ6mW6jZgJ4UwIshRJjOqIz8acLcBgNm0+uLVxJQsScXLRFtZM
7XlJ/FmF5YkLMsqmhUmCIJlpBtSCR8B7mxQaWIFTH8BwFCx0wwwTekSDBiHC
qCwNYzTrsDkmq1PnD7KP0zoVKcge2Cz0YSgPFD8P82zCQTfEAHJUiSsFlvk/
//HvqO/xAwa3gJObzvjFJtmF2jmEPR6LHB7NJinGEuAx8XnS3Hii2uI9xVa0
Q2DogUoYjyL4mLaGRAlWjNkyUHAeSXAp3UpNljP4SQEGSMRGutShmtoADNmk
QSdbaPdTlViP3ETFA46UicxxvbJMcBDUJZJgvsumUDzhQxCBcAomgj0S1meG
lc+n5QCkuccImP0leaFcGcce+Twx6sp8/abGVZMs8APXBZZWujPPXManwwx0
lUnVBAJrbHAhMmasONCFEBSHSDP6ZGCfLkAqR6Ando0ZKilI2eWQAljLNfPr
MoajmJnkCFri1GpNjDAEVZMtBcMqe03Xh/KYDeEH5qSMBa7EPcwAWH4oKL+z
vrpQhZ2kJmgfXbbUcJUSiEtcEyZWyd7TzQpTDCB5mhAsx/sGJml7vWWKAaFw
xTAgQZeYlMfEACwJ0d4qE4EeEBNXuTS5AyOQDwB5Ea/5YTRKvErHzCWb4lq3
M6ZGMs6whGYTsCvNqpUxMsRVXgO2TIbFYmrET/Y9+C4BxCZEAc6xtyDVlRFD
lg5AvuziyJaxy1rlUin2kuIbs/nfABlYBHaulSwEBaSE0Ckzh4ZlMgUKsask
HcEkJyrHDM/6xJApBlG4RCw4FhtTwhxkHChkB01vYQ2Or3H4phhvNz1nEVhn
YcekVRsHB+KMw3oGmxaXkqc32b0IdCnE5Ds20IzYkZGmg3HAhWiFHKCygyd1
NDYOhjnIprDEMv1x+pAlmNWz20zir3ThkrDsD0w2d0mty4DmAO53C+CK03PV
sYKh1vmsX/LCakVttXcL2r1y5gUAbexat93Zc1UtC5pNdQZbuUBJKJBSzmrV
FLsp+jeXumnMOVZTEldjsWvUouE+oadQZIVteWHTog5K+cymJnFv1D4C3B3i
SJMMQgMkCPY2Rs2hUOOVuICZk4VIQ3txwCsgJmKM1tP1QuhzoggviCAhXlc3
Ij3UyuCJ/uWPr3t3b2/Pfrno9S9+6V39+Ob28u7iuo9WBWG0xaVVWe6Xfu+X
y9eXdxUPKb8bIV0sN6jisB0k1p7uUm7RKltNJJ3BN+DVt1QsQc+mEzWLDJoU
Scx6021lgNiKOXpspABQHjvZqriEltl73RMbywvvwnR/zIDxcw0FlBY/NxH3
UvvF/jUdK659mbhUVYqVMQG5fHTqZ7Ed0g9S1HTivQh8m5xCxBG+uTQB+Te8
8KFpyaE6CTdwQJTN3F15b+NBJuBm9zYZpToeOc1E/nIsSAWwOaHkQphRPBYQ
wwKWUPQSnpEhCyF1K9YVoMXIv04TEQ+YAynPFcgRGOg6inFuAukiZq3cD9IG
m1RZxrYGrj19lq5gqJEjMJsQTSvnZBhm4+f5CW3i1kW3ZGQlZVGYd2NpfL5h
aVRTKhJfm4uhEYH8uNBzigKC+h6sSR1qVeSaSVesoekVUOYBpLw3XujSGqA+
+Y43qIPauHthCL21ZmnZPQ2pGSADJodlghFOspExvWjACOmZvou4tuIGW+tE
SfSlcBfIDpmqaLNpQykMuTHbynDRDGPXi0VIXfOBJr3IbrBB7GH8YhEvEw2i
OPTUyzTAgPWF+Iak0QexLmNgZq9M/TtSu3X5gpv6NnIi7v93cQlOZWeyakfN
ry/a08BkTSmx6dsaO/lC/qvKenpuJnae3tzHxsjuhNkZS+4Qgo9qgwwI2jnc
QadfplQr5AfyEgxg9oAL5lCeyhAQs2qyEQ3VHrWbtsKx0z369GnTbmSJm5iQ
GKUQiGD+GIi8T7HUhIG8MTO6HALNMXuwBNvnxPXdW+1sdp3UWOsSQRh4iZDZ
My0HwEsMsbn056WkTK6R4C/ypZqCjB+yLdOqSi75zRBezidYgvlbu7s2AkZ0
UBGBGtZp7nS6YjBDB4Uk+VqEEKIJnox/toE6hIMmdTDBAgBADRdP+Dou8wy4
Kg6ah3v7PEBbAMQblTGlv5qiJkocVVNXBiiqwABwUk7EDbCXqOweGirI1F/e
POyLBiAIs5uH3e1t3E1YgIXxiRrJcIZ37totNZ0LjJxtAzulBNRwiH79gbYT
59s72K9Pt+tP1+l0uzAdqANmIq+tkPPNZMsI9PZZamDDsN3qRsa5uJtNlany
cg6NItpqACMFtMvYxkDMoUwSDkpcx3MSBPrXhou4lVV/Zg2BHgdBS2DMyfqH
VuzXErfRWNZj8SZVNs2OAasOTYDqAAzKzhTXg8TMge5HDJ0ZyjnobTpNYrwO
YjFC27yMApcLXoK4dtoHy0OhTbSmBbKrRshc+FsnEvnMJmhmkGmBB2IwnAor
ujSrMG2F9H8w7adosBsnvU0eAvdBO9DiknyrnJDtS5pMk7gODn0ibbbCsxRV
5s3WIuDJum/LFVJs5WthLzwrrRAhqcRiWVlt7XxFgDTexWfLmjWxAXHeW1+z
GPXSFKxBSOb9WLylucy1uqYsf7wOrvGcR5UPt0UzpyuRChOZ21ZA7YZeVQmy
25Bn5G3nE0nYlVCzVTg2tXVhqcIwZ4IoB+RMhHAJJ0FlrRTVZtdZXeY2gNJ4
lNd0mMl1OppknhT9tzc3b27vzk4pLP/l+uzu4s2pwd/zJ9O8SJXH0s73Nyk2
tEKxsIMNvYma4BqPS5aY8bIWwKXs5BVUIuxWQCjveWswhRi7FOoMzY2BsJiA
hna3XL6+O7u9Pju97N2d2VvNvtYGTyhfQlnXFXVmZEAlMfMmBQv8wBBjm6nH
FPvzTBLY88gsLpHCNiRzYoxlJxsWIE2k82GMHh4hxlxZpNYgQXbTNS9gzswT
Pd9UNdl+wdWTnkn5GKHNcC70vhfZI6Zym/OtBSPTMYZkyKp6Ydt7lWuurQR5
dUsH2CfXrcaVEawQFNzwxGnrVJcEkDGT1sJsr5cupoC5roFmJ/0GxwFWNECq
CIpg0Il4j1tJna2Kve5n1EKCp45QCxOc4i7lPw32IHMCho5I08lJLlbllPFD
gAdOHJtHAVZj6prLa157YiVWBFG5VBLU6vEmrVFLqn98NUlakZafgmBJrZBa
P9eVsJ3oUPJe5hEVbxJzbsU1sxJJE2resz9q0Yjbqs1iwX194krJnPaWGHOW
51mu7SCi0fC6J0z7NcEHWNf7s00TEXKLqI3tvKSUrtO64R/CeawO4WzA+ukg
D1aFXbOH3WxWTf9AD7tHW8NAMbKlNo3IgExhZluMzdJbhhSfhMZ5f9M1o1Cr
Zei1w6u23TxTEigBxYNgYJsQhFKDkqUQuUyo2bYhMWTk8hw3bigbYZD2K2Qx
hGrYq6Stx9NkPyjpPRe9El2G75bWKuniWpZ+lOYcp2VB2wkXusKUenFqrj9X
cw0D2qVcbn6uDn1dsWZ0m2KHTdAel/XvKBTr+nCu07FKubrVFkTGDT0lk1DE
7FJtAnC+ddeOfkSD/3T5J69TvepgYOKdOtGEh4cd7Hh7orpg5dbOX4mv1VdC
cciuOXNxXAVjLi7b32Muma+HB6wiriEEdka7LMiSRgzbE1KtZu3oxC70gbYN
pdd/TYnbOTNkw7k5O6STsTFES7oT7DkpbUtGWAqnYqhr6KXTYaxY3uElvyhE
Yov3YyvhiioYJ4BxEvUnPHwJo12r/D7xk0jczCgaf7ru9+3phsOdI9hgBA4X
wDo6WhfWT8vSseOtKxWPxkWWtq7x99i7oXHR729dXVcj7tF5Cccur5EAySPT
jzvjd3DT6mql2Kh0CVFb+jKYv+1Gjuud9WRAyyl+7P7r/m5VySHvWfDJA71c
DFnCvMiQ2+QWVLjjqfAjOsoQ0w+UDDF9CKJ31m9BXN7kD0ddvh2/dDHij4v6
YQeEohxkg4P4QqvwTC1daIqpqSnhbuIKqMAZ19J9XomGx4RN1+aPBVhbIV5w
Y8eYPyED3wA5scf+OK8yRAlvnLvLvBV8t71zmsc4ECkSp1f8YpHG600QqHsj
MoCcyrggNg6p91RnZR4SRuRSHAiMuMzuTKVOt7n5PIeIz+A9Imrp7FNloUqd
gCYnZ+K/W7FFJOM6LFBAbIBaU3MHPufzkwabVzFmjSHYSSLx/DAnwdxdPt0c
6ddrJXwsjPI7dZxB/hmPeKOQNtiCdQ4pe8THE2si0OEjFlhatM9Q0Qk+73W6
Tz6vxQ6LTxvsNzUTsfzTIfOfzjwSutuYUarlf2SYZ9i7BNxYosSYDFyxZG2a
zUz3EuyIMyT1ahHLNt6MVRWGqRheVNUXTjo+rww019BXYYqsLAxO1hUlKXN1
dSUUjG9kcvIgYE2/Y7kukO2qBhj7DQbGDFo1wsQGKRB1tZnM6pxutedTcwCo
BmjTHVf9xNSiFzwOgt/a62gb+y3Y52792vnCtaPu4n1H3YX7QFoW7oNri+OZ
eX86WzJx/aKZef7i4p127vmL9k4HCaq+HIvIwfKl6rGKPaqTdyBus4yqGSxk
Y5MkyeZT8jU5R8gAEWAZJ5EGLwjDuOOl5HDhObNfKA3e0UtnOMFFegUCahLI
BvhyhlVZAasAQ1k/jMddhLbPDBMMJn4wKMcg8CS+Vz5iHc+mmO7howGSnAio
/74tb9s+wXgIREo6fI7dHpgfR3yfZ5PYHXS1hqHCCvbIJLWmlKmkzLbLZeiK
3Kjk/oVCU5AC0XpRP7TgsdJ4XIrcK4gHz2By1Bkn9Pb87haOjd3ZQwrBDEB0
hFJL7/LD7J8Jgcmh2+Fth9pKzPtKvGWksNhMEAQ/ZFVvrt9ey4c6n9ej5jcU
Le1hc8mxheZKrzfTAcIIo8xa/c1255uEGTU8LV3P+uYjm7F2+Sxz1tj6d78H
FbwVNutQ7QP3aSnGnAvQXLsJGPVYPt3izqe8/E4gPEgHW4evNjFNFY5WPrC5
PtDzAjbOH5tYz0+kWHRHTklyBxnDNtenZiXKrY77oz9rcg+zur4VmtNMYvt/
q4zbXPSNBw8tuv0/4HGwbJmVQySsjimadi1G9CF0ZWNNN2PVtMfGw+sObD+H
yUtmXx4Z0BbfUMhnOZjyO308cHLDRVIs3F3WT03/qb23fSQaSNFmvViEw9Sr
Wg+Z0bYryjw3Tm6v+PwC91md+IVIPX+wb0KtCGlmM9pU3MDnOG1odW5+kJXd
N9KBLOxAQL4mJkMHsTAoLhb9sbexxOh0pGwmmGsAMpJTKpByHNhy7fnGmzT6
b89bJ9e9bwVGdi6c22532s8L6Zb1qrqOdzO45+6qcAL7Tv28rk0ROFBol2fO
01NtZukaVy3t7AuXxttqfCzF/HPNy7VTyK7jFFtHMQXodXl7DeDGfXOm23uT
im3pXnhRgMhyGSYWm9Dy85ltx9ehSsHyZM71mDWzmADBRC7cwdEAv2UlCE6d
eVpWD7SIucpc2NTBvMPgvKU9Noowv+WDulWvAJiTGj5sYKdOMEvi4kXzjpT6
iwEcGeadi2goGifV544rV0P8L3U91Whk9DlHdyjS18qfxhWf6R1MFSX2wIMB
TWGWm3IgtxJ9iCeYTqP6jPowloBaUSkhtmlphUkt/6gCCuXaJA1/AYgGfKaz
AkuHMIGveTHa4W7TD4FrPfwEjVceP3MHJ7AFpKquoXzkPozkyHu+uuKVf7QL
LZ9Od/rSx+Ct2vRK6JyYmLVuwd87FO075vhcMf1ZVHzBuEblrghCWQrDdA45
iaebbgO8i/WEmX/dz5UBtAd5p9NCTT+c+9hvnn9qfcTgr0lB2KemH8Mt+9kT
T5xy8ZbPYdn6NGBtJYxpVngunMXV6l6cuadJn3is0szvKojAr1whS7rQlmZS
Du0qvOXOLQopwAYxjygH66e6yN6XU+wXGlAPFA6cmX4xUmuqW0qTitQqxyyb
M3im/55+IatP59f4PBoqAJA7jkcYLxTKxIVonClW1IVpMMzJbUCk24BnO9sC
HF1CSaKqj2TKO5thzxTcyIEjDJAk1AXJub+9QzEDodSmekfL5j4e04JsgjP4
xFEjpZ3o3EaKAosIeb5HGQujZp6cnI+zFiU7Xs2wO5RUNqNjx1ZmJkpqv9zm
XCm9ukNSXqBoxd5CmeZm1Q5DwVDqnWk25/r8k1vaZMMmMvJEnY4JgQgQAOuF
WLtPMDgioxR8POaBVPT7DXr13MYnFHiZ3tNo/UINJcx7qsRJmkURgperbCRT
mCIV7/C1qWmUY8LyRpaJeJ/RSXxQK7iqEM8U2KUGP5/CIO+pO/O9xBflwopj
uHyrBioMJXwHpxWDO/wjsI7M0YWcgNQkTXGG7xV4N0vDe/p5DE4M/L/WOOmd
yjPxUwxEKE7AwTQx2OF3MMCPCjfUAm3jBW2izr4UF5jyu9+0Wvg+lJyCpN4U
39JFleRW6w/8cjJ8WQ3B33rd0kuO+hoeBO+rM7L2bUfU2vOYeaFRdZaQEhp2
aL+swpJgCyuc5ItzklJuS6uwie1Hnm/nNWCrjkWSeEAi5Ge9KVNUJl5W41s2
LtyD6FuiysBQKYCUsXp7kDsTVcXiZ+ZI6r9Mym9bRgV6N5cs3OxTPTzybWXP
0CYYh2s2DGmm14rsk992VpO67Oxrcdt8vBGIt0fZCXDOVZ1hdF0jTyB9Loaz
GQ/PzS7hrz3oa7G/61J1jV5mcFdltEDdnwcWASiclmvQA6E1bXfWplTcaxG4
FGVk9YM4dSfPjV/x/I03z0J7Oy2Yz4ywdTT92dGTcqM+gG0zYrNke9vIK9xj
ywYqYNB08xzzDvCyPFP6taYCq0tnLg1R+lmxb/TcnroA3RlevB+DZ0MuT1C9
+fEhiyO/CYG9oDv7gidhrLE16mlqD2DDp5mJ1xLvdNlCPMBtK17kdwGQ7BHN
hEMa3L6isYR7TQE45fc8u2F6+giOqGjhZGWNl+gEDMs9nGsKKaj4M7+FyZ40
mjvmSsU7fo8hZY7nVKpKxnnrehwr1xm3WtMgxp3SK3nw7J2KXB3IMwBL2IeF
8Uph1AfXoGaeWXZYgl9nxXkl+7rfj68wwWpSGRbRcd/d0++2IM/svZ+Am8aq
w2lObLF6FBMwQILbQtTn474/4d4P7g5NaMU66hrOSepdwU0HJpbEGoPJOfvv
uqjyyIU/ndVDujcw91bJNcPBysKy52qylaj9FNTx5wSLEtVJcxQj+z5XbiBw
Pvk5r+lY0lO9izmMdtdBbjJ8+M5gSpFjb7sNs4IgjlrciYbHCd788Mezkztx
eXr2+u7y/PLsVhwf/158FH/LQNxasc5acVG2ikZ3MzAvj2909vF/htA43N3e
rL32vdHZFKPsodHZhg+hzvLGzmaAqXW3psbuJmoafNfwm/AJaXQONgW+36Nq
aKAe/wG2hMMS/s39CV6j3v6+9nRTgHGCa912Z78NhCE3tjvtnfYu/Ns5CK74
3QO/F52dYBv+HIud7e2B2N7fPhL724f7YvdwuyP297Z3xPYu/KfT8Sf0+Le/
5/Nvf+8r4d/+XqNz+Nn8w4B7Hf8OX86/7gr+HR74/IPQ/uvg3+FBo3P02fw7
PFjPv6OX829nnn+LtWjko+nkaumx7OJP+v+anwsENbrbL+frwihr+dvdfjl/
d9fw93w1f4dfG3+HjW7ny/k7XM/fzsv5u7eSv65HYpG/R92vTH6BoEa3+6X8
hVHW87f7cv7ur+HvSvk96n5l8gsENbo7X87fJ+R35+X8PVjF36p3Z4G/8NPX
Jb9IUKO7+4X8xVHW83f35fw9XMPfVfILP31d8osENbp7X87fJ+R37+X8PXoK
P2CrV52Se/W1IQhDUaO7/0UsNsOs5/H+y3ksn8IQq3j8NUmxoajR/Yzwa3GY
9Tz+jDhs8BSOWM7jrwtJGIoa3c8I0RaHWc/jz4jVwqewxCoef21yTHDiM8K4
xWHW8/gz4rnoKTyxlMdfGaIwFDV2viykM8Os5fHOZ8R06ilMsYrHX5kcE6zY
+bKwzgyznsefEdcNazwO/huwCByKaHUAAA==

-->

</rfc>
