<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lake-app-profiles-05" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EDHOC Application Profiles">Coordinating the Use of Application Profiles for Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-lake-app-profiles-05"/>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>16440 Stockholm</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>16440 Stockholm</code>
          <country>Sweden</country>
        </postal>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>LAKE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 105?>

<t>The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) requires certain parameters to be agreed out-of-band, in order to ensure its successful completion. To this end, application profiles specify the intended use of EDHOC to allow for the relevant processing and verifications to be made. In order to ensure the applicability of such parameters and information beyond transport- or setup-specific scenarios, this document defines a canonical, CBOR-based representation that can be used to describe, distribute, and store EDHOC application profiles. Furthermore, in order to facilitate interoperability between EDHOC implementations and support EDHOC extensibility for additional integrations, this document defines a number of means to coordinate the use of EDHOC application profiles. Finally, this document defines a set of well-known EDHOC application profiles.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Lightweight Authenticated Key Exchange Working Group mailing list (lake@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/lake/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/lake-wg/app-profiles"/>.</t>
    </note>
  </front>
  <middle>
    <?line 109?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Ephemeral Diffie-Hellman Over COSE (EDHOC) <xref target="RFC9528"/> is a lightweight authenticated key exchange protocol, especially intended for use in constrained scenarios. A main use case for EDHOC is the establishment of a Security Context for Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/>.</t>
      <t>In order to successfully run EDHOC, the two peers acting as Initiator and Responder have to agree on certain parameters. Some of those are in-band and communicated through the protocol execution, during which a few of them may even be negotiated. However, other parameters have to be known out-of-band, before running the EDHOC protocol.</t>
      <t>As discussed in <xref section="3.9" sectionFormat="of" target="RFC9528"/>, applications can use EDHOC application profiles, which specify the intended usage of EDHOC to allow for the relevant processing and verifications to be made. An EDHOC application profile may include both in-band and out-of-band parameters.</t>
      <t>In order to ensure the applicability of such parameters and information beyond transport- or setup-specific scenarios, this document defines the EDHOC_Application_Profile object, i.e., a canonical, CBOR-based representation that can be used to describe, distribute, and store EDHOC application profiles as CBOR data items (see <xref target="sec-app-profile-cbor"/>). The defined representation is transport- and setup-independent, and it avoids the need to reinvent an encoding for the available options to run the EDHOC protocol or the selection logic to apply on those.</t>
      <t>The EDHOC_Application_Profile object is a specialized alternative to the EDHOC_Information object defined in <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>, building on a shared parameter namespace. In particular, an EDHOC_Information object provides a context-based description of an EDHOC application profile that is supported under a concrete circumstance to which the object applies. Conversely, an EDHOC_Application_Profile object provides a description of an EDHOC application profile as an established and immutable set of information about how EDHOC can be run, irrespective of the concrete circumstance where EDHOC is executed.</t>
      <t>An EDHOC_Application_Profile object providing the CBOR-based representation of an EDHOC application profile can be, for example: retrieved as a result of a discovery process; or retrieved/provided during the retrieval/provisioning of an EDHOC peer's public authentication credential; or obtained during the execution of a device on-boarding/registration workflow.</t>
      <t>Furthermore, in order to facilitate interoperability between EDHOC implementations and to support EDHOC extensibility for additional integrations (e.g., external security applications, or handling of authentication credentials), this document defines a number of means to coordinate the use of EDHOC application profiles, that is:</t>
      <ul spacing="normal">
        <li>
          <t>The new IANA registry "EDHOC Application Profiles" defined in <xref target="iana-edhoc-application-profiles"/>, where to register integer identifiers of EDHOC application profiles to use as corresponding Profile IDs.</t>
        </li>
        <li>
          <t>The new parameter "ed-prof" defined in <xref target="web-linking"/>. This parameter is employed to specify an EDHOC application profile identified by its Profile ID and can be used as target attribute in a web link <xref target="RFC8288"/> to an EDHOC resource, or as filter criterion in a discovery request to discover EDHOC resources.  </t>
          <t>
For instance, the target attribute can be used in a CoRE link-format document <xref target="RFC6690"/> describing EDHOC resources at a server, when EDHOC is transferred over the Constrained Application Protocol (CoAP) <xref target="RFC7252"/> (see <xref section="A.2" sectionFormat="of" target="RFC9528"/> as well as <xref target="RFC9668"/>).</t>
        </li>
        <li>
          <t>The new parameter "app_prof" defined in <xref target="sec-edhoc-information-object"/> for the EDHOC_Information object specified in <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>. When present within an instance of the EDHOC_Information object, this parameter identifies one or more EDHOC application profiles that are supported under the concrete circumstance to which the EDHOC_Information object applies. In particular, this parameter identifies each EDHOC application profile by means of the corresponding Profile ID.  </t>
          <t>
For instance, the parameter can be used in the EDHOC and OSCORE profile <xref target="I-D.ietf-ace-edhoc-oscore-profile"/> of the ACE framework for authentication and authorization in constrained environments (ACE) <xref target="RFC9200"/>, in order to indicate the EDHOC application profiles supported by an ACE resource server.  </t>
          <t>
This parameter is also used in the EDHOC_Application_Profile object defined in <xref target="sec-app-profile-cbor"/> of this document. That is, given an instance of the EDHOC_Application_Profile object, the parameter "app_prof" included therein specifies the Profile ID of the EDHOC application profile that is described by the instance of the object in question.</t>
        </li>
        <li>
          <t>New parameters for web linking <xref target="RFC8288"/>, which can be used to obtain relevant pieces of information from the EDHOC application profile associated with an EDHOC resource (see <xref target="sec-parameters-web-linking"/>). These parameters correspond to analogous elements of the EDHOC_Information object and extend the set of parameters for web linking originally defined in <xref section="6" sectionFormat="of" target="RFC9668"/>. In particular, they can be used as target attributes in a web link to an EDHOC resource, or as filter criteria in a discovery request to discover EDHOC resources.</t>
        </li>
        <li>
          <t>A new EDHOC External Authorization Data (EAD) item (see <xref target="sec-app-profile-edhoc-message_1_2"/>) and a new error code for the EDHOC error message (see <xref target="sec-app-profile-edhoc-error-message"/>). When running EDHOC, a peer can use those in order to advertise the EDHOC application profiles that it supports to the other peer.</t>
        </li>
        <li>
          <t>The use of SVCB Resource Records (RR) <xref target="RFC9460"/><xref target="RFC9461"/> to advertise the support for EDHOC and for EDHOC application profiles of a given server (see <xref target="sec-svcb"/>).</t>
        </li>
      </ul>
      <t>Finally, this document defines a set of well-known EDHOC application profiles (see <xref target="sec-well-known-app-profiles"/>). These application profiles are meant to reflect what is most common and expected to be supported by EDHOC peers, while they are not intended as "default" application profiles or as a deviation from what is mandatory to support for EDHOC peers (see <xref section="8" sectionFormat="of" target="RFC9528"/>). On the other hand, they provide implementers and users with a quick overview of the several available options to run the EDHOC protocol and of their most expected combinations.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>The reader is expected to be familiar with terms and concepts defined in EDHOC <xref target="RFC9528"/> and with the use of EDHOC with CoAP <xref target="RFC7252"/> and OSCORE <xref target="RFC8613"/> defined in <xref target="RFC9668"/>.</t>
        <t>The reader is also expected to be familiar with the concept of EDHOC_Information parameters defined in <xref target="I-D.ietf-ace-edhoc-oscore-profile"/> and with their categorization as prescriptive or non-prescriptive. In particular:</t>
        <ul spacing="normal">
          <li>
            <t>A prescriptive parameter is used to provide an authoritative statement about how an execution of EDHOC has to be performed. An example is the parameter "message_4" indicating whether the use of EDHOC message_4 in an EDHOC session is mandatory or not.  </t>
            <t>
If a prescriptive parameter applies to an EDHOC session, a peer participating in the session complies with what is indicated by the parameter, and it aborts the session if it determines that the other peer has violated such indication.</t>
          </li>
          <li>
            <t>A non-prescriptive parameter is used to provide convenient information to consider when executing EDHOC, e.g., in terms of features supported by peers. Such information is not necessarily exhaustive. An example is the parameter "methods" indicating a set of supported EDHOC methods.</t>
          </li>
        </ul>
        <t>Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> and Concise Data Definition Language (CDDL) <xref target="RFC8610"/> are used in this document. CDDL predefined type names, especially bstr for CBOR byte strings and tstr for CBOR text strings, are used extensively in this document. The provided CDDL definitions can be extracted from the XML version of this document using the following XPath expression:</t>
        <artwork><![CDATA[
'//sourcecode[@type="cddl"]'
]]></artwork>
        <t>CBOR data items are represented using the CBOR extended diagnostic notation as defined in <xref section="8" sectionFormat="of" target="RFC8949"/> and <xref section="G" sectionFormat="of" target="RFC8610"/> ("diagnostic notation"). Diagnostic notation comments are used to provide a textual representation of the parameters' keys and values.</t>
        <t>In the CBOR diagnostic notation used in this document, constructs of the form e'SOME_NAME' are replaced by the value assigned to SOME_NAME in the CDDL model shown in <xref target="fig-cddl-model"/> of <xref target="sec-cddl-model"/>. For example, {e'methods' : [0, 1, 2, 3], e'cipher_suites': 3} stands for {1 : [0, 1, 2, 3], 2 : 3}.</t>
        <t>Note to RFC Editor: Please delete the paragraph immediately preceding this note. Also, in the CBOR diagnostic notation used in this document, please replace the constructs of the form e'SOME_NAME' with the value assigned to SOME_NAME in the CDDL model shown in <xref target="fig-cddl-model"/> of <xref target="sec-cddl-model"/>. Finally, please delete this note.</t>
      </section>
    </section>
    <section anchor="sec-app-profile-cbor">
      <name>EDHOC_Application_Profile</name>
      <t>This section defines the EDHOC_Application_Profile object, which can be used as a canonical representation of EDHOC application profiles for their description, distribution, and storage.</t>
      <t>An EDHOC_Application_Profile object is encoded as a CBOR map <xref target="RFC8949"/>. All elements that can be included in the EDHOC_Application_Profile object are elements that can be included in the CBOR-encoded EDHOC_Information object specified in <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>. In particular, they use the same CBOR abbreviations from the 'CBOR label' column of the IANA registry "EDHOC Information" defined in <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>.</t>
      <t>More specifically, the EDHOC_Application_Profile object is a specialized alternative to the EDHOC_Information object. In particular, an EDHOC_Information object provides a context-based description of an EDHOC application profile that is supported under a concrete circumstance to which the object applies. Conversely, an EDHOC_Application_Profile object provides a description of an EDHOC application profile as an established and immutable set of information about how EDHOC can be run, irrespective of the concrete circumstance where EDHOC is executed.</t>
      <t>The CBOR map encoding an EDHOC_Application_Profile object <bcp14>MUST</bcp14> include the element "app_prof" defined in <xref target="sec-edhoc-information-object"/> of this document, as well as the elements "methods" and "cred_types" defined in <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>.</t>
      <t>Within the CBOR map, the element "app_prof" is encoded as a CBOR integer and identifies the EDHOC application profile being defined by the instance of the EDHOC_Application_Profile object in question. That is, the value of the element "app_prof" encodes the unique integer identifier of the EDHOC application profile described by the instance of the object in question. The identifier is taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in this document.</t>
      <t>The CBOR map <bcp14>MUST NOT</bcp14> include the following elements: "session_id", "uri_path", "initiator", "responder", and "trust_anchors". Also, the CBOR map <bcp14>MUST NOT</bcp14> include the element "exporter_out_len" defined in <xref target="exporter-out-length"/> of this document. A consumer <bcp14>MUST</bcp14> ignore those elements if they are included in the EDHOC_Application_Profile object.</t>
      <t>The CBOR map <bcp14>MAY</bcp14> include other elements.</t>
      <t>Furthermore, consistent with Sections <xref target="RFC9528" section="8" sectionFormat="bare"/> and <xref target="RFC9528" section="A.1" sectionFormat="bare"/> of <xref target="RFC9528"/> and with <xref section="5.4" sectionFormat="of" target="RFC8613"/>, the following applies:</t>
      <ul spacing="normal">
        <li>
          <t>If the element "cipher_suites" is not present in the CBOR map, this indicates that the EDHOC application profile uses the EDHOC cipher suites 2 and 3, and possibly other cipher suites.</t>
        </li>
        <li>
          <t>If the element "id_cred_types" is not present in the CBOR map, this indicates that the EDHOC application profile uses "kid" as type of authentication credential identifiers for EDHOC, and possibly other types of authentication credential identifiers.</t>
        </li>
        <li>
          <t>The absence of any other elements in the CBOR map <bcp14>MUST NOT</bcp14> result in assuming any value.</t>
        </li>
      </ul>
      <t>If an element is present in the CBOR map and the corresponding entry in the IANA registry "EDHOC Information" specifies "NP" (non-prescriptive) in the 'Type' column and "True or False" in the 'CBOR type' column, then the following applies. An EDHOC peer that adheres to the EDHOC application profile in question is either required to support or not required to support the property or feature of EDHOC associated with the element in the CBOR map, if that element encodes the CBOR simple value <tt>true</tt> (0xf5) or <tt>false</tt> (0xf4), respectively. For example, the presence of the parameter "comb_req" denotes whether EDHOC peers adhering to the EDHOC application profile have to support the EDHOC + OSCORE combined request defined in <xref target="RFC9668"/>, or instead do not have to but might if they are willing to.</t>
      <t>If an element present in the CBOR map specifies an information that is intrinsically a set of one or more co-existing alternatives, then all the specified alternatives apply for the EDHOC application profile in question. For example, the element "cipher_suites" with value the CBOR array [0, 2] means that, in order to adhere to the EDHOC application profile in question, an EDHOC peer has to implement both the EDHOC cipher suites 0 and 2, because either of them can be used by another EDHOC peer also adhering to the same EDHOC application profile.</t>
      <t>The CDDL grammar describing the EDHOC_Application_Profile object is:</t>
      <figure anchor="fig-cddl-edhoc_application-profile-object">
        <name>CDDL Definition of the EDHOC_Application_Profile object</name>
        <sourcecode type="cddl"><![CDATA[
EDHOC_Application_Profile = {
      1 => int / [2* int],    ; methods
      6 => int / [2* int],    ; cred_types
     23 => int,               ; app_prof
   * (int / tstr) => any
}
]]></sourcecode>
      </figure>
    </section>
    <section anchor="identifying-edhoc-application-profiles-by-profile-id">
      <name>Identifying EDHOC Application Profiles by Profile ID</name>
      <t>This document introduces the concept of Profile IDs, i.e., integer values that uniquely identify EDHOC application profiles, for which an IANA registry is defined in <xref target="iana-edhoc-application-profiles"/>.</t>
      <t>This section defines two parameters to convey such Profile IDs, i.e.:</t>
      <ul spacing="normal">
        <li>
          <t>The parameter "ed-prof" for web linking <xref target="RFC8288"/> (see <xref target="web-linking"/> of this document).</t>
        </li>
        <li>
          <t>The parameter "app_prof" of the EDHOC_Information object specified in <xref target="I-D.ietf-ace-edhoc-oscore-profile"/> (see <xref target="sec-edhoc-information-object"/> of this document).  </t>
          <t>
As defined in <xref target="sec-app-profile-cbor"/>, Profile IDs are also conveyed by the parameter "app_prof" in the EDHOC_Application_Profile object, in order to identify the EDHOC application profile described by a given instance of that object.</t>
        </li>
      </ul>
      <t>As defined later in this document, Profile IDs can be used to identify EDHOC application profiles also:</t>
      <ul spacing="normal">
        <li>
          <t>Within certain EDHOC messages sent during an EDHOC session by a peer that supports such EDHOC application profiles (see <xref target="sec-app-profile-edhoc-messages"/>).</t>
        </li>
        <li>
          <t>When using SVCB Resource Records (RR) <xref target="RFC9460"/><xref target="RFC9461"/> to advertise the support for EDHOC and for EDHOC application profiles of a given server (see <xref target="sec-svcb"/>).</t>
        </li>
      </ul>
      <section anchor="web-linking">
        <name>In Web Linking</name>
        <t><xref section="6" sectionFormat="of" target="RFC9668"/> defines a number of target attributes that can be used in a web link <xref target="RFC8288"/> with resource type "core.edhoc" (see <xref section="10.10" sectionFormat="of" target="RFC9528"/>). This is the case, e.g., when using a CoRE link-format document <xref target="RFC6690"/> describing EDHOC resources at a server, when EDHOC is transferred over CoAP <xref target="RFC7252"/> as defined in <xref section="A.2" sectionFormat="of" target="RFC9528"/>. This allows a client to obtain relevant information about the EDHOC application profile(s) to be used with a certain EDHOC resource.</t>
        <t>In the same spirit, this section defines the following additional parameter, which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource, or among the filter criteria in a discovery request from a client.</t>
        <ul spacing="normal">
          <li>
            <t>'ed-prof', specifying an EDHOC application profile supported by the server. This parameter <bcp14>MUST</bcp14> specify a single value, which is taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in <xref target="iana-edhoc-application-profiles"/> of this document. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying an EDHOC application profile.</t>
          </li>
        </ul>
        <t>When specifying the parameter 'ed-prof' in a link to an EDHOC resource, the target attribute rt="core.edhoc" <bcp14>MUST</bcp14> be included.</t>
        <t>If a link to an EDHOC resource includes occurrences of the target attribute 'ed-prof', then the following applies.</t>
        <ul spacing="normal">
          <li>
            <t>The link <bcp14>MUST NOT</bcp14> include other target attributes that provide information about an EDHOC application profile (see, e.g., <xref section="6" sectionFormat="of" target="RFC9668"/> and <xref target="sec-parameters-web-linking"/> of this document), with the exception of the target attribute 'ed-ead' that <bcp14>MAY</bcp14> be included.  </t>
            <t>
The recipient <bcp14>MUST</bcp14> ignore other target attributes that provide information about an EDHOC application profile, with the exception of the target attribute 'ed-ead'.</t>
          </li>
          <li>
            <t>If the link includes occurrences of the target attribute 'ed-ead', the link provides the following information: when using the target EDHOC resource as per the EDHOC application profile indicated by any occurrence of the target attribute 'ed-prof', the server supports the External Authorization Data (EAD) items that are specified in the definition of that EDHOC application profile, as well as the EAD items indicated by the occurrences of the target attribute 'ed-ead'.</t>
          </li>
        </ul>
        <t>The example in <xref target="fig-web-link-example"/> shows how a CoAP client discovers two EDHOC resources at a CoAP server and obtains information about the application profile corresponding to each of those resources. The CoRE Link Format notation from <xref section="5" sectionFormat="of" target="RFC6690"/> is used.</t>
        <t>The example assumes the existence of an EDHOC application profile identified by the integer Profile ID 500, which is supported by the EDHOC resource at /edhoc-alt and whose definition includes the support for the EAD items with EAD label 111 and 222.</t>
        <t>Therefore, the link to the EDHOC resource at /edhoc-alt indicates that, when using that EDHOC resource as per the EDHOC application profile with Profile ID 500, the server supports the EAD items with EAD label 111, 222, and 333.</t>
        <figure anchor="fig-web-link-example">
          <name>The Web Link.</name>
          <artwork align="center"><![CDATA[
REQ: GET /.well-known/core

RES: 2.05 Content
    </sensors/temp>;osc,
    </sensors/light>;if=sensor,
    </.well-known/edhoc>;rt=core.edhoc;ed-csuite=0;ed-csuite=2;
        ed-method=0;ed-cred-t=0;ed-cred-t=1;ed-idcred-t=4;
        ed-i;ed-r;ed-comb-req,
    </edhoc-alt>;rt=core.edhoc;ed-prof=500;ed-ead=333
]]></artwork>
        </figure>
      </section>
      <section anchor="sec-edhoc-information-object">
        <name>In the EDHOC_Information Object</name>
        <t><xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/> defines the EDHOC_Information object and an initial set of its parameters. The object can be used to convey information that guides two peers about executing the EDHOC protocol.</t>
        <t>This document defines the new parameter "app_prof" of the EDHOC_Information object. The parameter is of type non-prescriptive (NP) and is summarized in <xref target="_table-cbor-key-edhoc-params"/>. The parameter is specified further below.</t>
        <table align="center" anchor="_table-cbor-key-edhoc-params">
          <name>EDHOC_Information Parameter "app_prof"</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">CBOR label</th>
              <th align="left">CBOR type</th>
              <th align="left">Registry</th>
              <th align="left">Description</th>
              <th align="left">Type</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">app_prof</td>
              <td align="left">23</td>
              <td align="left">int or array</td>
              <td align="left">EDHOC Application Profiles registry</td>
              <td align="left">Set of supported EDHOC application profiles</td>
              <td align="left">NP</td>
            </tr>
          </tbody>
        </table>
        <ul spacing="normal">
          <li>
            <t>app_prof: This parameter specifies a set of supported EDHOC application profiles, identified by their Profile ID. If the set is composed of a single EDHOC application profile, its Profile ID is encoded as an integer. Otherwise, the set is encoded as an array of integers, where each array element encodes one Profile ID. In JSON, the "app_prof" value is an integer or an array of integers. In CBOR, "app_prof" is an integer or an array of integers, and it has label 23. The integer values are taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in <xref target="iana-edhoc-application-profiles"/> of this document.</t>
          </li>
        </ul>
        <t>When present within an instance of the EDHOC_Information object, the parameter "app_prof" identifies one or more EDHOC application profiles that are supported under the concrete circumstance to which the object applies. <xref target="sec-app-prof-in-edhoc-profile"/> describes the use of the parameter "app_prof" within an instance of the EDHOC_Information object, when using the EDHOC and OSCORE profile of the ACE Framework <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>.</t>
        <t>The CDDL grammar describing the parameter "app_prof" when included in the CBOR-encoded EDHOC_Information object is:</t>
        <figure anchor="fig-cddl-app_prof">
          <name>CDDL Definition of the Parameter "app_prof" when Included in the CBOR-encoded EDHOC_Information Object.</name>
          <sourcecode type="cddl"><![CDATA[
app_prof = (
  ? 23 => int / [2* int]                      ; app_prof
)
]]></sourcecode>
        </figure>
        <section anchor="sec-app-prof-in-edhoc-profile">
          <name>Use in the EDHOC and OSCORE Profile of the ACE Framework</name>
          <t><xref section="3" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/> defines how the EDHOC_Information object can be used within the workflow of the EDHOC and OSCORE transport profile of the ACE framework for authentication and authorization in constrained environments (ACE) <xref target="RFC9200"/>.</t>
          <t>In particular, the AS-to-C Access Token Response includes the parameter "edhoc_info", with value an EDHOC_Information object. This allows the ACE authorization server (AS) to provide the ACE client (C) with information about how to run the EDHOC protocol with the ACE resource server (RS) for which the access token is issued.</t>
          <t>Similarly, the access token includes the corresponding claim "edhoc_info", with value an EDHOC_Information object. This allows the AS to provide the ACE RS with information about how to run the EDHOC protocol with the ACE client, according to the issued access token.</t>
          <t>In turn, the EDHOC_Information object can include the parameter "app_prof" defined in this document. This parameter indicates a set of EDHOC application profiles associated with the EDHOC resource to use at the RS, which is either implied or specified by the parameter "uri_path" within the same EDHOC_Information object.</t>
          <t>If the EDHOC_Information object specified as the value of the parameter/claim "edhoc_info" includes the parameter "app_prof", then the following applies.</t>
          <ul spacing="normal">
            <li>
              <t>In addition to the parameter "app_prof", the object <bcp14>MUST NOT</bcp14> include other parameters, with the exception of the following parameters that <bcp14>MAY</bcp14> be included:  </t>
              <ul spacing="normal">
                <li>
                  <t>The parameter "eads".</t>
                </li>
                <li>
                  <t>Any parameter that is not allowed in the EDHOC_Application_Profile object defined in <xref target="sec-app-profile-cbor"/>, unless its inclusion in the EDHOC_Information object is explicitly forbidden by the parameter's definition.      </t>
                  <t>
For example, the parameter "session_id" is not allowed in the EDHOC_Application_Profile object (see <xref target="sec-app-profile-cbor"/>) and thus can be included in the EDHOC_Information object, where in fact it has to be present (see Sections <xref target="I-D.ietf-ace-edhoc-oscore-profile" section="3.3" sectionFormat="bare"/> and <xref target="I-D.ietf-ace-edhoc-oscore-profile" section="3.3.1" sectionFormat="bare"/> of <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>).</t>
                </li>
              </ul>
              <t>
C and RS <bcp14>MUST</bcp14> ignore other parameters that are not admitted, in the case that they are present in the EDHOC_Information object.</t>
            </li>
            <li>
              <t>The object might provide an information that corresponds to an EDHOC_Information prescriptive parameter (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>), e.g., "message_4". The type of a parameter is indicated in the 'Type' column of the corresponding entry in the IANA registry "EDHOC Information" (see <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>).  </t>
              <t>
If the object specifies such an information multiple times, then each occurrence of that information <bcp14>MUST</bcp14> convey exactly the same content. This <bcp14>MUST</bcp14> take into account prescriptive parameters that are included: i) as elements of the EDHOC_Information object; or ii) as elements of an EDHOC_Application_Profile object (see <xref target="sec-app-profile-cbor"/>) encoding an EDHOC application profile, which is identified by its Profile ID specified in the parameter "app_prof" of the EDHOC_Information object.  </t>
              <t>
A consumer <bcp14>MUST</bcp14> treat as malformed an EDHOC_Information object that does not comply with the restriction above.</t>
            </li>
            <li>
              <t>If the EDHOC_Information object specified in the parameter "edhoc_info" of the AS-to-C Access Token Response includes the parameter "eads", then the following applies.  </t>
              <t>
When using the target EDHOC resource as per any EDHOC application profile indicated by the parameter "app_prof", the ACE RS for which the access token is issued supports the EAD items that are specified in the definition of that EDHOC application profile, as well as the EAD items indicated by the parameter "eads".</t>
            </li>
            <li>
              <t>If the EDHOC_Information object specified in the claim "edhoc_info" of the access token includes the parameter "eads", then the following applies.  </t>
              <t>
When using the target EDHOC resource as per any EDHOC application profile indicated by the parameter "app_prof", the ACE client to which the access token is issued supports the EAD items that are specified in the definition of that EDHOC application profile, as well as the EAD items indicated by the parameter "eads".</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="sec-parameters-web-linking">
      <name>Additional Parameters for Web Linking</name>
      <t>Building on what is defined and prescribed in <xref section="6" sectionFormat="of" target="RFC9668"/>, this section defines additional parameters for web linking <xref target="RFC8288"/>, which can be used to obtain relevant pieces of information from the EDHOC application profile associated with an EDHOC resource.</t>
      <t>These parameters can be optionally specified as target attributes with the same name in a link with resource type "core.edhoc" (see <xref section="10.10" sectionFormat="of" target="RFC9528"/>) targeting an EDHOC resource, or as filter criteria in a discovery request from a client.</t>
      <t>When specifying any of the parameters defined below in a link to an EDHOC resource, the target attribute rt="core.edhoc" <bcp14>MUST</bcp14> be included.</t>
      <ul spacing="normal">
        <li>
          <t>'ed-ta-edcred-uuid': Specifies the identifier of a trust anchor supported by the server for verifying authentication credentials of other EDHOC peers, as a UUID <xref target="RFC9562"/>. This parameter <bcp14>MUST</bcp14> specify a single value, which is the UUID in its string format (see Section 4 of <xref target="RFC9562"/>). This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying one trust anchor identifier.</t>
        </li>
        <li>
          <t>'ed-ta-edcred-kid': Specifies the identifier of a trust anchor supported by the server for verifying authentication credentials of other EDHOC peers, as a binary key identifier. This parameter <bcp14>MUST</bcp14> specify a single value, which is the base64url-encoded text string of the binary representation of the key identifier. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying one trust anchor identifier.</t>
        </li>
        <li>
          <t>'ed-ta-edcred-c5t': Specifies the identifier of a trust anchor supported by the server for verifying authentication credentials of other EDHOC peers, as a hash of a C509 certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. This parameter <bcp14>MUST</bcp14> specify a single value, which is the base64url-encoded text string of the binary representation of the certificate hash encoded as a COSE_CertHash <xref target="RFC9360"/>. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying one trust anchor identifier.</t>
        </li>
        <li>
          <t>'ed-ta-edcred-c5u': Specifies the identifier of a trust anchor supported by the server for verifying authentication credentials of other EDHOC peers, as a URI <xref target="RFC3986"/> pointing to a C509 certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. This parameter <bcp14>MUST</bcp14> specify a single value, which is the URI pointing to the certificate. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying one trust anchor identifier.</t>
        </li>
        <li>
          <t>'ed-ta-edcred-x5t': Specifies the identifier of a trust anchor supported by the server for verifying authentication credentials of other EDHOC peers, as a hash of an X.509 certificate <xref target="RFC5280"/>. This parameter <bcp14>MUST</bcp14> specify a single value, which is the base64url-encoded text string of the binary representation of the certificate hash encoded as a COSE_CertHash <xref target="RFC9360"/>. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying one trust anchor identifier.</t>
        </li>
        <li>
          <t>'ed-ta-edcred-x5u': Specifies the identifier of a trust anchor supported by the server for verifying authentication credentials of other EDHOC peers, as a URI <xref target="RFC3986"/> pointing to an X.509 certificate <xref target="RFC5280"/>. This parameter <bcp14>MUST</bcp14> specify a single value, which is the URI pointing to the certificate. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying one trust anchor identifier.</t>
        </li>
        <li>
          <t>'ed-psk-resumption': If present, specifies that the server supports EDHOC session resumption with EDHOC-PSK <xref target="I-D.ietf-lake-edhoc-psk"/>. A value <bcp14>MUST NOT</bcp14> be given to this parameter and any present value <bcp14>MUST</bcp14> be ignored by the recipient. Future documents may update the definition of this parameter by expanding its semantics and specifying what it can take as value.</t>
        </li>
      </ul>
      <t>The example in <xref target="fig-web-link-example-2"/> extends the earlier example in <xref target="fig-web-link-example"/>, by additionally showing the use of the target attributes 'ed-ta-edcred-kid' and 'ed-ta-edcred-x5t'. Compared to the example in <xref target="fig-web-link-example"/>, the following also applies.</t>
      <ul spacing="normal">
        <li>
          <t>The link to the EDHOC resource at /.well-known/edhoc includes the target attribute 'ed-ta-edcred-kid'. The target attribute has value "AKw", i.e., the base64url-encoded text string of 0x00ac. The latter is the binary key identifier of a trust anchor supported by the server when running EDHOC through that resource.</t>
        </li>
        <li>
          <t>The link to the EDHOC resource at /edhoc-alt includes the target attribute 'ed-ta-edcred-kid'. The target attribute has value "_wH_", i.e., the base64url-encoded text string of 0xff01ff. The latter is the binary key identifier of a trust anchor supported by the server when running EDHOC through that resource.</t>
        </li>
        <li>
          <t>The link to the EDHOC resource at /edhoc-alt includes the target attribute 'ed-ta-edcred-x5t'. The target attribute has value "gi5IefKkG1EMH5s", i.e., the base64url-encoded text string of 0x822e4879f2a41b510c1f9b. The latter is the binary representation of the COSE_CertHash <xref target="RFC9360"/> corresponding to an X.509 certificate <xref target="RFC5280"/> that the server supports as a trust anchor when running EDHOC through that resource. In CBOR diagnostic notation, the considered COSE_CertHash is as follows: [-15, h'79f2a41b510c1f9b'].</t>
        </li>
      </ul>
      <figure anchor="fig-web-link-example-2">
        <name>The Web Link.</name>
        <artwork align="center"><![CDATA[
REQ: GET /.well-known/core

RES: 2.05 Content
    </sensors/temp>;osc,
    </sensors/light>;if=sensor,
    </.well-known/edhoc>;rt=core.edhoc;ed-csuite=0;ed-csuite=2;
        ed-method=0;ed-cred-t=0;ed-cred-t=1;ed-idcred-t=4;
        ed-i;ed-r;ed-comb-req;ed-ta-edcred-kid="AKw",
    </edhoc-alt>;rt=core.edhoc;ed-prof=500;ed-ead=333;
        ed-ta-edcred-kid="_wH_";ed-ta-edcred-x5t="gi5IefKkG1EMH5s"
]]></artwork>
      </figure>
    </section>
    <section anchor="sec-app-profile-edhoc-messages">
      <name>Advertising Supported EDHOC Application Profiles during an EDHOC Session</name>
      <t>The rest of this section defines means that an EDHOC peer can use in order to advertise the EDHOC application profiles that it supports to another EDHOC peer, when running EDHOC with that other peer.</t>
      <t>Such means are an EDHOC EAD item (see <xref target="sec-app-profile-edhoc-message_1_2"/>) and an EDHOC error message with a dedicated error code (see <xref target="sec-app-profile-edhoc-error-message"/>).</t>
      <t>Differently from the discovery mechanisms defined in <xref target="sec-parameters-web-linking"/> and <xref target="sec-svcb"/>, these means display a number of benefits:</t>
      <ul spacing="normal">
        <li>
          <t>Since EAD fields and the EDHOC error message are a core feature of EDHOC, supporting the new EAD item and the new error code is the only prerequisite for their use.</t>
        </li>
        <li>
          <t>They allow an EDHOC peer to advertise what it supports even if it is a client-only peer.</t>
        </li>
        <li>
          <t>They allow an EDHOC peer to advertise what it supports and prefers in the context of a specific EDHOC session and in the light of its current status, instead of only in fixed and broad terms.</t>
        </li>
      </ul>
      <section anchor="sec-app-profile-edhoc-message_1_2">
        <name>In EDHOC Message 1 and Message 2</name>
        <t>This section defines the EDHOC EAD item "Supported EDHOC application profiles", which is registered in <xref target="iana-edhoc-ead-registry"/> of this document.</t>
        <t>The EAD item <bcp14>MAY</bcp14> be included:</t>
        <ul spacing="normal">
          <li>
            <t>In the EAD_1 field of EDHOC message_1, in order to specify EDHOC application profiles supported by the Initiator.</t>
          </li>
          <li>
            <t>In the EAD_2 field of EDHOC message_2, in order to specify EDHOC application profiles supported by the Responder.</t>
          </li>
        </ul>
        <t>When the EAD item is present, its ead_label TBD_EAD_LABEL <bcp14>MUST</bcp14> be used only with negative sign, i.e., the use of the EAD item is always critical (see <xref section="3.8" sectionFormat="of" target="RFC9528"/>).</t>
        <t>The EAD item <bcp14>MUST NOT</bcp14> occur more than once in the EAD fields of EDHOC message_1 or message_2. The recipient peer <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST</bcp14> reply with an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error", if the EAD item occurs multiple times in the EAD fields of EDHOC message_1 or message_2.</t>
        <t>The EAD item <bcp14>MUST NOT</bcp14> be included in the EAD fields of EDHOC message_3 or message_4. In the case that the recipient peer supports the EAD item, the recipient peer <bcp14>MUST</bcp14> silently ignore the EAD item if this is included in the EAD fields of EDHOC message_3 or message_4.</t>
        <t>The EAD item <bcp14>MUST</bcp14> specify an ead_value, as a CBOR byte string with value the binary representation of a CBOR sequence <xref target="RFC8742"/>. In particular:</t>
        <ul spacing="normal">
          <li>
            <t>When the EAD item is included in the EAD_1 field, the value of the CBOR byte string is the binary representation of the CBOR sequence OUTER_SEQ. In turn, OUTER_SEQ is composed of the following elements:  </t>
            <ul spacing="normal">
              <li>
                <t>The CBOR data item advertise_flag, which <bcp14>MAY</bcp14> be present. If present, it <bcp14>MUST</bcp14> encode the CBOR simple value <tt>true</tt> (0xf5) or <tt>false</tt> (0xf4). The semantics of this element is as follows.      </t>
                <ul spacing="normal">
                  <li>
                    <t>If advertise_flag is present and encodes the CBOR simple value <tt>true</tt> (0xf5), the Initiator is asking the Responder to advertise the EDHOC application profiles that it supports, within the EDHOC message sent in reply to EDHOC message_1.          </t>
                    <t>
If such a message is EDHOC message_2, the Responder relies on the EAD item "Supported EDHOC application profiles" included in the EAD_2 field. If such a message is an EDHOC error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles" (see <xref target="sec-app-profile-edhoc-error-message"/>), the Responder relies on ERR_INFO.          </t>
                    <t>
If the Responder sends either of those messages in reply to such an EDHOC message_1, the Responder <bcp14>MUST</bcp14> honor the wish of the Initiator and accordingly advertise the EDHOC application profiles that it supports.</t>
                  </li>
                  <li>
                    <t>If advertise_flag is present and encodes the CBOR simple value <tt>false</tt> (0xf4), the Initiator is suggesting the Responder to not advertise the EDHOC application profiles that it supports, within the EDHOC message sent in reply to EDHOC message_1. This is relevant when the Initiator already knows what EDHOC application profiles are supported by the Responder, e.g., based on previous interactions with that Responder or on the outcome of a discovery process.          </t>
                    <t>
In spite of the suggestion from the Initiator, the Responder <bcp14>MAY</bcp14> still advertise the EDHOC application profiles that it supports, when replying to EDHOC message_1 with EDHOC message_2 or with an EDHOC error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles" (see <xref target="sec-app-profile-edhoc-error-message"/>). For example, when sending EDHOC message_2, the Responder might wish to steer the rest of the EDHOC session in a specific way, by including the EAD item "Supported EDHOC application profiles" that specifies information corresponding to EDHOC_Information prescriptive parameters (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>).</t>
                  </li>
                </ul>
              </li>
              <li>
                <t>The CBOR sequence APP_PROF_SEQ, which <bcp14>MUST</bcp14> be present and is specified further below.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>When the EAD item is included in the EAD_2 field, the value of the CBOR byte string is the binary representation of the CBOR sequence APP_PROF_SEQ.</t>
          </li>
        </ul>
        <t>The CBOR sequence APP_PROF_SEQ is composed of one or more elements, whose order has no meaning. Each element of the CBOR sequence <bcp14>MUST</bcp14> be either of the following:</t>
        <ul spacing="normal">
          <li>
            <t>A CBOR integer, specifying the Profile ID of an EDHOC application profile. The integer value is taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in <xref target="iana-edhoc-application-profiles"/> of this document.  </t>
            <t>
This element of the CBOR sequence indicates that the message sender supports the EDHOC application profile identified by the Profile ID.</t>
          </li>
          <li>
            <t>A CBOR array including at least two elements. In particular:  </t>
            <ul spacing="normal">
              <li>
                <t>The first element <bcp14>MUST</bcp14> be a CBOR integer, specifying the Profile ID of an EDHOC application profile. The integer value is taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry.</t>
              </li>
              <li>
                <t>Each of the elements following the first one <bcp14>MUST</bcp14> be a CBOR unsigned integer, specifying the ead_label of an EAD item.</t>
              </li>
            </ul>
            <t>
This element of the CBOR sequence indicates that the message sender supports:  </t>
            <ul spacing="normal">
              <li>
                <t>The EDHOC application profile PROFILE identified by the Profile ID in the first element of the array; and</t>
              </li>
              <li>
                <t>The EAD items identified by the ead_label in the elements following the first one, in addition to the EAD items that are specified in the definition of the EDHOC application profile PROFILE.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>An EDHOC_Information object encoded in CBOR, i.e., as a CBOR map (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>).  </t>
            <t>
The EDHOC_Information object <bcp14>MUST NOT</bcp14> include the element "app_prof". Also, it <bcp14>MUST NOT</bcp14> include elements that are not allowed within the EDHOC_Application_Profile object defined in <xref target="sec-app-profile-cbor"/>, with the exception of the following elements that <bcp14>MAY</bcp14> be included:  </t>
            <ul spacing="normal">
              <li>
                <t>"trust_anchors".</t>
              </li>
              <li>
                <t>"exporter_out_len" (see <xref target="exporter-out-length"/>).</t>
              </li>
            </ul>
            <t>
This element of the CBOR sequence indicates that the message sender supports an EDHOC application profile consistent with the pieces of information specified by the EDHOC_Information object.</t>
          </li>
        </ul>
        <t>When sending EDHOC message_1, the Initiator might want to include the EAD item "Supported EDHOC application profiles" and not advertise the EDHOC application profiles that it supports, but instead just take advantage of advertise_flag and ask the Responder to advertise what is supported on its side. In order to do that, the Initiator can compose ead_value such that, following advertise_flag, the CBOR sequence APP_PROF_SEQ only consists of a single EDHOC_Information object as an empty CBOR map.</t>
        <t>The recipient peer <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST</bcp14> reply with an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error", if ead_value is malformed or does not conform with the format defined above.</t>
        <t>It is possible that ead_value provides information corresponding to EDHOC_Information prescriptive parameters (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>), e.g., "message_4". The type of such parameters is indicated in the 'Type' column of the corresponding entry in the IANA registry "EDHOC Information" (see <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>).</t>
        <t>If the EAD item "Supported EDHOC application profiles" is included in EDHOC message_1 and/or message_2 during an EDHOC session, the peers participating in that session <bcp14>MUST NOT</bcp14> act in violation of what is indicated by prescriptive parameters that are specified in those EAD items. Note that such indications can be provided: as elements of an EDHOC_Information object specified within APP_PROF_SEQ; or as elements of an EDHOC_Application_Profile object encoding an EDHOC application profile, which is identified by its Profile ID specified within APP_PROF_SEQ.</t>
        <t>Upon receiving an EDHOC message and throughout the session, a peer <bcp14>MUST</bcp14> check whether the other peer has violated such indications. If any violation is found, the peer <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST</bcp14> reply with an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error".</t>
        <t>When composing ead_value, the sender peer <bcp14>MUST</bcp14> comply with the content restrictions specified in <xref target="sec-app-profile-edhoc-message_1_2-restrictions"/>.</t>
        <t>The CDDL grammar describing ead_value for the EAD item "Supported EDHOC application profiles" is shown in <xref target="fig-cddl-ead-value"/>. The parameters "psk_resumption", "exporter_out_len", and "app_prof" of the EDHOC_Information object are defined in <xref target="support-psk-resumption"/>, <xref target="exporter-out-length"/>, and <xref target="sec-edhoc-information-object"/>, respectively.</t>
        <figure anchor="fig-cddl-ead-value">
          <name>CDDL Definition of ead_value for the EAD Item "Supported EDHOC application profiles"</name>
          <sourcecode type="cddl"><![CDATA[
ead_value = ead_1_value / ead_2_value

ead_1_value = bytes .cborseq OUTER_SEQ

ead_2_value = bytes .cborseq APP_PROF_SEQ

; This defines an array, the elements of which
; are to be used in the CBOR Sequence OUTER_SEQ:
OUTER_SEQ = [?advertise_flag, APP_PROF_SEQ]

advertise_flag = bool

; This defines an array, the elements of which
; are to be used in the CBOR Sequence APP_PROF_SEQ:
APP_PROF_SEQ = [1* element]

element = profile_id / profile_id_with_eads / EDHOC_Information

profile_id = int

profile_id_with_eads = [profile_id, 1* uint]

; The full definition is provided in
; draft-ietf-ace-edhoc-oscore-profile
EDHOC_Information = { * $$EDHOC_Information_item } .within
                    { * (int / tstr) => any }

; psk_resumption
$$EDHOC_Information_item //= (
  21: true / false
)

; exporter_out_len
$$EDHOC_Information_item //= (
  22: [1* [uint, uint]]
)

; app_prof
$$EDHOC_Information_item //= (
  23: profile_id / [2* profile_id]
)
]]></sourcecode>
        </figure>
        <t>Examples of ead_value are shown in <xref target="sec-examples-ead-value"/>.</t>
        <section anchor="sec-app-profile-edhoc-message_1_2-restrictions">
          <name>Content Restrictions</name>
          <t>When the sender peer composes ead_value of the EDHOC EAD item "Supported EDHOC application profiles", the following applies.</t>
          <t>It is possible that ead_value provides an information corresponding to an EDHOC_Information prescriptive parameter (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>).</t>
          <t>If ead_value specifies such an information multiple times, then each occurrence of that information <bcp14>MUST</bcp14> convey exactly the same content. With reference to the CBOR sequence APP_PROF_SEQ defined in <xref target="sec-app-profile-edhoc-message_1_2"/>, the enforcement of these content restrictions <bcp14>MUST</bcp14> take into account prescriptive parameters that are included:</t>
          <ul spacing="normal">
            <li>
              <t>As elements of an EDHOC_Information object specified within APP_PROF_SEQ; or</t>
            </li>
            <li>
              <t>As elements of an EDHOC_Application_Profile object encoding an EDHOC application profile, which is identified by its Profile ID specified within APP_PROF_SEQ.</t>
            </li>
          </ul>
          <t>If the Responder has received the EAD item in the EAD_1 field of EDHOC message_1 and intends to include the EAD item in the EAD_2 field of EDHOC message_2, then the Responder <bcp14>MUST</bcp14> further take into account the presence of such information in the received EAD item when composing ead_value.</t>
          <t>A consumer <bcp14>MUST</bcp14> treat as malformed an EAD item "Supported EDHOC application profiles" whose ead_value does not comply with the restrictions above.</t>
        </section>
        <section anchor="support-psk-resumption">
          <name>Indicating Support for Session Resumption with EDHOC-PSK</name>
          <t>The specification <xref target="I-D.ietf-lake-edhoc-psk"/> defines EDHOC-PSK, an EDHOC authentication method by which two peers use a symmetric Pre-Shared Key (PSK) to mutually authenticate during an EDHOC session.</t>
          <t>In particular, <xref section="6" sectionFormat="of" target="I-D.ietf-lake-edhoc-psk"/> defines how EDHOC-PSK is used to perform session resumption. That is, after successfully completing an EDHOC session, two peers that support session resumption with EDHOC-PSK can derive a resumption PSK and the corresponding key identifier. Later on, the two peers can run EDHOC using the authentication method EDHOC-PSK, authenticating each other by using the resumption PSK.</t>
          <t>This document defines the new parameter "psk_resumption" of the EDHOC_Information object (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>). The parameter is of type non-prescriptive (NP) and is summarized in <xref target="_table-cbor-key-edhoc-params-psk-resumption"/>. The parameter is specified further below.</t>
          <table align="center" anchor="_table-cbor-key-edhoc-params-psk-resumption">
            <name>EDHOC_Information Parameter "psk_resumption"</name>
            <thead>
              <tr>
                <th align="left">Name</th>
                <th align="left">CBOR label</th>
                <th align="left">CBOR type</th>
                <th align="left">Registry</th>
                <th align="left">Description</th>
                <th align="left">Type</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">psk_resumption</td>
                <td align="left">21</td>
                <td align="left">True or False</td>
                <td align="left"> </td>
                <td align="left">Support for EDHOC session resumption with EDHOC-PSK</td>
                <td align="left">NP</td>
              </tr>
            </tbody>
          </table>
          <ul spacing="normal">
            <li>
              <t>psk_resumption: This parameter indicates whether EDHOC session resumption with the authentication method EDHOC-PSK is supported, as per <xref target="I-D.ietf-lake-edhoc-psk"/>. In JSON, the "psk_resumption" value is a boolean. In CBOR, "psk_resumption" is the simple value <tt>true</tt> (0xf5) or <tt>false</tt> (0xf4), and has label 21.</t>
            </li>
          </ul>
          <t>The CDDL grammar describing the parameter "psk_resumption" when included in the CBOR-encoded EDHOC_Information object is:</t>
          <figure anchor="fig-cddl-psk_resumption">
            <name>CDDL Definition of the Parameter "psk_resumption" when Included in the CBOR-encoded EDHOC_Information Object.</name>
            <sourcecode type="cddl"><![CDATA[
psk_resumption = (
  ? 21 => true / false                          ; psk_resumption
)
]]></sourcecode>
          </figure>
        </section>
        <section anchor="exporter-out-length">
          <name>Agreeing on EDHOC_Exporter Output Lengths</name>
          <t>The main output of a successfully completed EDHOC session is the shared secret session key PRK_out (see <xref section="4.1.3" sectionFormat="of" target="RFC9528"/>).</t>
          <t>After having established PRK_out, the two peers can use the EDHOC_Exporter interface defined in <xref section="4.2.1" sectionFormat="of" target="RFC9528"/>, e.g., to derive keying material for an application protocol. Among its inputs, the EDHOC_Exporter interface includes "exporter_label" as a registered numeric identifier of the intended output and "length" as the length in bytes of the intended output.</t>
          <t>When using the EDHOC_Exporter interface, it is crucial that the two peers agree about the length in bytes of each intended output, in order to ensure the correctness of their operations. To this end, the two peers can rely on pre-defined default lengths, or agree out-of-band on alternative lengths.</t>
          <t>However, the two peers might need or prefer to explicitly agree about specific output lengths to use on a per-session basis. As described below, this can be achieved in-band, by using the EDHOC EAD item "Supported EDHOC application profiles" defined in <xref target="sec-app-profile-edhoc-message_1_2"/>.</t>
          <t>This document defines the new parameter "exporter_out_len" of the EDHOC_Information object (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>). The parameter is of type prescriptive (P) and is summarized in <xref target="_table-cbor-key-edhoc-params-2"/>. The parameter is specified further below.</t>
          <table align="center" anchor="_table-cbor-key-edhoc-params-2">
            <name>EDHOC_Information Parameter "exporter_out_len"</name>
            <thead>
              <tr>
                <th align="left">Name</th>
                <th align="left">CBOR label</th>
                <th align="left">CBOR type</th>
                <th align="left">Registry</th>
                <th align="left">Description</th>
                <th align="left">Type</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">exporter_out_len</td>
                <td align="left">22</td>
                <td align="left">array</td>
                <td align="left">EDHOC Exporter Labels</td>
                <td align="left">Set of output lengths to use with the EDHOC_Exporter interface</td>
                <td align="left">P</td>
              </tr>
            </tbody>
          </table>
          <ul spacing="normal">
            <li>
              <t>exporter_out_len: This parameter specifies a set of one or more pairs (X, Y), where:  </t>
              <ul spacing="normal">
                <li>
                  <t>The first element X specifies a value to use as first argument "exporter_label" when invoking the EDHOC_Exporter interface (see <xref section="4.2.1" sectionFormat="of" target="RFC9528"/>).      </t>
                  <t>
The value of X is taken from the 'Label' column of the "EDHOC Exporter Labels" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group <xref target="EDHOC.Exporter.Labels"/>.</t>
                </li>
                <li>
                  <t>The second element Y specifies the value to use as third argument "length" when invoking the EDHOC_Exporter interface using the value specified by X as first argument "exporter_label" (see <xref section="4.2.1" sectionFormat="of" target="RFC9528"/>).      </t>
                  <t>
The value specified by Y <bcp14>MUST</bcp14> be a valid value to use as "length" when using the value specified by X as "exporter_label". For example, when X specifies 0 as the "exporter_label" to derive an OSCORE Master Secret <xref target="RFC8613"/>, Y is required to be not less than the "length" default value defined in <xref section="A.1" sectionFormat="of" target="RFC9528"/>, i.e., the key length (in bytes) of the application AEAD Algorithm of the selected cipher suite for the EDHOC session.</t>
                </li>
              </ul>
              <t>
The set is encoded as a non-empty array, each element of which <bcp14>MUST</bcp14> be an array of exactly two elements, hence encoding one pair (X, Y). That is, each inner array includes X encoded as an unsigned integer and Y encoded as an unsigned integer, in this order.  </t>
              <t>
Within the set of pairs (X, Y), the order of the inner arrays encoding the pairs is not relevant. The set <bcp14>MUST NOT</bcp14> specify multiple pairs that have the same unsigned integer value as their first element X.  </t>
              <t>
In JSON, the "exporter_out_len" value is a non-empty array, each element of which is an array including two unsigned integers. In CBOR, "exporter_out_len" is a non-empty array that has label 22, each element of which is an array including two unsigned integers.</t>
            </li>
          </ul>
          <t>The CDDL grammar describing the parameter "exporter_out_len" when included in the CBOR-encoded EDHOC_Information object is:</t>
          <figure anchor="fig-cddl-exporter_out_len">
            <name>CDDL Definition of the Parameter "exporter_out_len" when Included in the CBOR-encoded EDHOC_Information Object.</name>
            <sourcecode type="cddl"><![CDATA[
exporter_out_len = (
  ? 22 => [1* [uint, uint]]                   ; exporter_out_len
)
]]></sourcecode>
          </figure>
          <t>Within ead_value of the EAD item "Supported EDHOC application profiles", the parameter "exporter_out_len" can be included within instances of the EDHOC_Information object that are specified within the CBOR sequence APP_PROF_SEQ (see <xref target="sec-app-profile-edhoc-message_1_2"/>).</t>
          <t>The recipient peer <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST</bcp14> reply with an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error", if any of the following occurs:</t>
          <ul spacing="normal">
            <li>
              <t>The recipient peer does not recognize the value encoded by the first element X of a pair (X, Y) as a valid "exporter_label" to be used when invoking the EDHOC_Exporter interface.</t>
            </li>
            <li>
              <t>In a pair (X, Y), the value encoded by the second element Y is not valid to be used as "length" when invoking the EDHOC_Exporter interface using the value encoded by the first element X as "exporter_label".</t>
            </li>
            <li>
              <t>For a pair (X, Y), the recipient peer is not going to be able to invoke the EDHOC_Exporter interface using the values encoded by X and Y as the first argument "exporter_label" and the third argument "length", respectively.</t>
            </li>
          </ul>
          <t>If the Responder has received an EDHOC message_1 including the EAD item "Supported EDHOC application profiles" and specifying the parameter "exporter_out_len", then the following applies if the Responder includes the EAD item "Supported EDHOC application profiles" in EDHOC message_2, with ead_value specifying the parameter "exporter_out_len". Within ead_value of the EAD item included in EDHOC message_2, the Responder <bcp14>MUST NOT</bcp14> specify any pair (X, Y) such that the unsigned integer value encoded by X was encoded by the first element of a pair within the EAD item included in the received EDHOC message_1.</t>
          <t>If the Initiator receives an EDHOC message_2 including the EAD item "Supported EDHOC application profiles" and specifying the parameter "exporter_out_len", then the following applies if the Initiator included the EAD item "Supported EDHOC application profiles" in EDHOC message_1, with ead_value specifying the parameter "exporter_out_len". The Initiator <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST</bcp14> reply with an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error", if ead_value of the EAD item included in EDHOC message_2 specifies any pair (X, Y) such that the unsigned integer value encoded by X was encoded by the first element of a pair of the EAD item included in the sent EDHOC message_1.</t>
          <t>Since the parameter "exporter_out_len" is of type prescriptive, the restrictions compiled in <xref target="sec-app-profile-edhoc-message_1_2-restrictions"/> apply. In particular, the "information" corresponding to the prescriptive parameter "exporter_out_len" is the "length" Y to use when invoking the EDHOC_Exporter interface using the paired "exporter_label" X.</t>
          <t>That is, if ead_value provides the length of the EDHOC_Exporter output for a given "exporter_label" multiple times, then each of such occurrences <bcp14>MUST</bcp14> specify the same "length" value. Within this constraint, it remains possible for ead_value to specify multiple instances of the EDHOC_Information object within APP_PROF_SEQ and for each of such instances to include the parameter "exporter_out_len", which can overall encode a value different from that of the same parameter in another instance of the EDHOC_Information object.</t>
          <t>The recipient peer <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST</bcp14> reply with an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error", if the parameter "exporter_out_len" is malformed or does not conform with the format and constraints defined above.</t>
          <t>In an EDHOC session during which the EAD item "Supported EDHOC application profiles" has been included in EDHOC message_1 and/or message_2 as specifying the parameter "exporter_out_len", the following applies.</t>
          <ul spacing="normal">
            <li>
              <t>The Initiator (Responder) considers the successful verification of EDHOC message_2 (message_3) as a confirmed agreement with the other peer about how to invoke the EDHOC_Exporter interface, once the session key PRK_out for the present EDHOC session is available.  </t>
              <t>
That is, for each pair (X, Y) specified by the exchanged EAD items, the two peers <bcp14>MUST</bcp14> use the unsigned integer values encoded by X and Y as the first argument "exporter_label" and the third argument "length", respectively.</t>
            </li>
            <li>
              <t>If a particular "exporter_label" value is not specified by the exchanged EAD items, then a possible invocation of the EDHOC_Exporter interface using that value as its first argument takes as value for its third argument "length" a pre-defined default value, or an alternative value agreed out-of-band.</t>
            </li>
          </ul>
          <t>When using the EDHOC and OSCORE transport profile of the ACE framework <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>, the parameter "exporter_out_len" <bcp14>MUST NOT</bcp14> be included within the EDHOC_Information object specified as the value of the parameter/claim "edhoc_info".</t>
        </section>
        <section anchor="sec-examples-ead-value">
          <name>Examples of ead_value</name>
          <t><xref target="fig-example-ead-value-1"/> shows an example in CBOR diagnostic notation of ead_value for the EDHOC EAD item "Supported EDHOC application profiles", when used in EDHOC message_1. With reference to the CDDL grammar in <xref target="fig-cddl-ead-value"/>, the following applies.</t>
          <t>The CBOR data item advertise_flag is present and encodes the CBOR simple value <tt>true</tt> (0xf5), hence asking the Responder to advertise the EDHOC application profiles that it supports, when replying to the present EDHOC message_1.</t>
          <t>The CBOR sequence APP_PROF_SEQ includes the following three elements:</t>
          <ul spacing="normal">
            <li>
              <t>An element profile_id, specifying the Profile ID of an EDHOC application profile supported by the Initiator. Specifically, that EDHOC application profile is the well-known application profile MINIMAL-CS-2 defined in <xref target="sec-well-known-app-prof-id-0"/>.</t>
            </li>
            <li>
              <t>An element profile_id, specifying the Profile ID of an EDHOC application profile supported by the Initiator. Specifically, that EDHOC application profile is the well-known application profile MINIMAL-CS-0 defined in <xref target="sec-well-known-app-prof-id-1"/>.</t>
            </li>
            <li>
              <t>An element EDHOC_Information, which in turn includes the following parameters:  </t>
              <ul spacing="normal">
                <li>
                  <t>"message_4", with value the CBOR simple value <tt>true</tt> (0xf5), hence indicating that EDHOC message_4 is expected in the current EDHOC session.</t>
                </li>
                <li>
                  <t>"eads", with value a CBOR array. The array includes two elements encoded as unsigned integers, i.e., the EAD labels 500 and 333 of the corresponding EAD items supported by the Initiator.</t>
                </li>
                <li>
                  <t>"trust_anchors", with value a CBOR map. The map includes a single element with value a CBOR array, which pertains to trust anchors whose purpose is the verification of authentication credentials of other EDHOC peers in an EDHOC session.      </t>
                  <t>
In turn, the array includes two CBOR maps. Within the first CBOR map, its entry's value is a CBOR byte string that encodes 0x00ac. Within the second CBOR map, its entry's value is a CBOR byte string that encodes 0xff01ff. Both 0x00ac and 0xff01ff are binary key identifiers of trust anchors supported by the Initiator in the current EDHOC session.</t>
                </li>
              </ul>
            </li>
          </ul>
          <figure anchor="fig-example-ead-value-1">
            <name>Example of ead_value for the EAD Item "Supported EDHOC application profiles" in EDHOC message_1</name>
            <sourcecode type="cbor-diag"><![CDATA[
<<
   true,                      / advertise_flag /
   e'APP-PROF-MINIMAL-CS-2',  / profile_id /
   e'APP-PROF-MINIMAL-CS-0',  / profile_id /
   {                          / EDHOC_Information /
      e'message_4' : true,
      e'eads' : [500, 333],
      e'trust_anchors' : {
         e'edhoc_cred' : [
           { e'kid_ta_type' : h'00ac' },
           { e'kid_ta_type' : h'ff01ff' }
         ]
      }
   }
>>
]]></sourcecode>
          </figure>
          <t><xref target="fig-example-ead-value-2"/> shows an example in CBOR diagnostic notation of ead_value for the EDHOC EAD item "Supported EDHOC application profiles", when used in EDHOC message_2. With reference to the CDDL grammar in <xref target="fig-cddl-ead-value"/>, the following applies.</t>
          <t>The CBOR sequence APP_PROF_SEQ includes the following two elements:</t>
          <ul spacing="normal">
            <li>
              <t>An element profile_id, specifying the Profile ID of an EDHOC application profile supported by the Responder. Specifically, that EDHOC application profile is the well-known application profile MINIMAL-CS-2 defined in <xref target="sec-well-known-app-prof-id-0"/>.</t>
            </li>
            <li>
              <t>An element EDHOC_Information, which in turn includes the following parameters:  </t>
              <ul spacing="normal">
                <li>
                  <t>"comb_req", with value the CBOR simple value <tt>true</tt> (0xf5), hence indicating that the Responder supports the EDHOC + OSCORE combined request defined in <xref target="RFC9668"/>.</t>
                </li>
                <li>
                  <t>"eads", with value a CBOR array. The array includes two elements encoded as unsigned integers, i.e., the EAD labels 500 and 999 of the corresponding EAD items supported by the Responder.</t>
                </li>
                <li>
                  <t>"trust_anchors", with value a CBOR map. The map includes a single element with value an inner CBOR map, which pertains to trust anchors whose purpose is the verification of authentication credentials of other EDHOC peers in an EDHOC session.      </t>
                  <t>
Within the inner map, its entry's value is a CBOR byte string that encodes 0x91ab, i.e., the binary key identifier of a trust anchor supported by the Responder in the current EDHOC session.</t>
                </li>
              </ul>
            </li>
          </ul>
          <figure anchor="fig-example-ead-value-2">
            <name>Example of ead_value for the EAD Item "Supported EDHOC application profiles" in EDHOC message_2</name>
            <sourcecode type="cbor-diag"><![CDATA[
<<
   e'APP-PROF-MINIMAL-CS-2',  / profile_id /
   {                          / EDHOC_Information /
      e'comb_req' : true,
      e'eads' : [500, 999],
      e'trust_anchors' : {
         e'edhoc_cred' : { e'kid_ta_type' : h'91ab' }
      }
   }
>>
]]></sourcecode>
          </figure>
        </section>
      </section>
      <section anchor="sec-app-profile-edhoc-error-message">
        <name>In the EDHOC Error Message</name>
        <t>This section defines the error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles", which is registered in <xref target="iana-edhoc-error-codes-registry"/> of this document.</t>
        <t>The error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles" <bcp14>MUST</bcp14> only be used when replying to EDHOC message_1. If an EDHOC error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles" is received as reply to an EDHOC message different from EDHOC message_1, then the recipient of the error message <bcp14>MUST</bcp14> ignore what is specified in ERR_INFO.</t>
        <t>The Responder <bcp14>MUST NOT</bcp14> abort an EDHOC session exclusively due to the wish of sending an error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles". Instead, the Responder can advertise the EDHOC application profiles that it supports to the Initiator by means of the EAD item "Supported EDHOC application profiles" defined in <xref target="sec-app-profile-edhoc-message_1_2"/>, specifying it in the EAD_2 field of the EDHOC message_2 to send in the EDHOC session.</t>
        <t>When replying to an EDHOC message_1 with an error message, the Responder has to consider the reason for which it is aborting the EDHOC session and <bcp14>MUST NOT</bcp14> specify error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles" if a different, more appropriate error code can be specified instead. For example, if the negotiation of the selected cipher suite fails (see <xref section="6.3" sectionFormat="of" target="RFC9528"/>), the error message <bcp14>MUST NOT</bcp14> specify error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles", since the error message intended to be used in that case specifies error code (ERR_CODE) 2 "Wrong selected cipher suite" and conveys SUITES_R as ERR_INFO.</t>
        <t>When using error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles", the error information specified in ERR_INFO <bcp14>MUST</bcp14> be a CBOR byte string with value the binary representation of the CBOR sequence ERROR_OUTER_SEQ. In turn, ERROR_OUTER_SEQ is composed of the following elements, in the order specified below:</t>
        <ul spacing="normal">
          <li>
            <t>The CBOR text string diagnostic_info, which encodes a human-readable diagnostic message that <bcp14>SHOULD</bcp14> be written in English (for example, "Method not supported"). The diagnostic text message provides information about the error that occurred, and it is mainly intended for software engineers who during debugging need to interpret it in the context of the EDHOC specification. The diagnostic message <bcp14>SHOULD</bcp14> be provided to the calling application where it <bcp14>SHOULD</bcp14> be logged.  </t>
            <t>
This element conveys the same information that would be conveyed by ERR_INFO within an EDHOC error message with error code (ERR_CODE) 1 "Unspecified error" (see <xref section="6.2" sectionFormat="of" target="RFC9528"/>).</t>
          </li>
          <li>
            <t>The CBOR sequence APP_PROF_SEQ, which has the same format and semantics specified in <xref target="sec-app-profile-edhoc-message_1_2"/>, except for the following difference: for each element of the CBOR sequence that is an EDHOC_Information object, such an object <bcp14>MUST NOT</bcp14> include the element "exporter_out_len" defined in <xref target="exporter-out-length"/>.  </t>
            <t>
The recipient peer <bcp14>MUST</bcp14> silently ignore elements of the CBOR sequence APP_PROF_SEQ that are malformed or do not conform with the intended format of APP_PROF_SEQ.</t>
          </li>
        </ul>
        <t>The CDDL grammar describing ERR_INFO is shown in <xref target="fig-cddl-edhoc-err-info"/>.</t>
        <figure anchor="fig-cddl-edhoc-err-info">
          <name>CDDL Definition of ERR_INFO for the EDHOC Error Message with Error Code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles"</name>
          <sourcecode type="cddl"><![CDATA[
err-info = bytes .cborseq ERROR_OUTER_SEQ

; This defines an array, the elements of which
; are to be used in the CBOR Sequence ERROR_OUTER_SEQ:
ERROR_OUTER_SEQ = [diagnostic_info, APP_PROF_SEQ]

diagnostic_info = tstr

; The full definition of APP_PROF_SEQ is provided in Section 5.1
]]></sourcecode>
        </figure>
        <section anchor="example-of-errinfo">
          <name>Example of ERR_INFO</name>
          <t><xref target="fig-example-err-info"/> shows an example in CBOR diagnostic notation of ERR_INFO for the EDHOC error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles". With reference to the CDDL grammar in <xref target="fig-cddl-edhoc-err-info"/> and <xref target="fig-cddl-ead-value"/>, the following applies.</t>
          <t>The CBOR text string diagnostic_info encodes the text string "Method not supported".</t>
          <t>The CBOR sequence APP_PROF_SEQ includes the following two elements:</t>
          <ul spacing="normal">
            <li>
              <t>An element profile_id, specifying the Profile ID of an EDHOC application profile supported by the Responder. Specifically, that EDHOC application profile is the well-known application profile MINIMAL-CS-0 defined in <xref target="sec-well-known-app-prof-id-1"/>.</t>
            </li>
            <li>
              <t>An element EDHOC_Information, which in turn includes the following parameters:  </t>
              <ul spacing="normal">
                <li>
                  <t>"comb_req", with value the CBOR simple value <tt>true</tt> (0xf5), hence indicating that the Responder supports the EDHOC + OSCORE combined request defined in <xref target="RFC9668"/>.</t>
                </li>
                <li>
                  <t>"eads", with value a CBOR array. The array includes two elements encoded as unsigned integers, i.e., the EAD labels 500 and 777 of the corresponding EAD items supported by the Responder.</t>
                </li>
                <li>
                  <t>"trust_anchors", with value a CBOR map. The map includes a single element with value an inner CBOR map, which pertains to trust anchors whose purpose is the verification of authentication credentials of other EDHOC peers in an EDHOC session.      </t>
                  <t>
Within the inner map, its entry's value is a COSE_CertHash <xref target="RFC9360"/> corresponding to an X.509 certificate <xref target="RFC5280"/> that the Responder supports as a trust anchor when running EDHOC.</t>
                </li>
              </ul>
            </li>
          </ul>
          <figure anchor="fig-example-err-info">
            <name>Example of ERR_INFO for the EDHOC Error Message with Error Code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles"</name>
            <sourcecode type="cbor-diag"><![CDATA[
<<                            / err-info /
   "Method not supported",    / diagnostic_info /
   e'APP-PROF-MINIMAL-CS-0',  / profile_id /
   {                          / EDHOC_Information /
      e'comb_req' : true,
      e'eads' : [500, 777],
      e'trust_anchors' : {
         e'edhoc_cred' : {
           e'x5t_ta_type' : [-15, h'79f2a41b510c1f9b']
         }
      }
   }
>>
]]></sourcecode>
          </figure>
        </section>
      </section>
    </section>
    <section anchor="sec-svcb">
      <name>Advertising Supported EDHOC Application Profiles using DNS SVCB Resource Records</name>
      <t>Given a server, its support for EDHOC and for EDHOC application profiles can be advertised using DNS SVCB Resource Records (RR) <xref target="RFC9460"/><xref target="RFC9461"/>.</t>
      <t>To this end, this document specifies the SvcParamKeys "edhocpath" and "edhoc-app-prof", which are defined below and are registered in <xref target="iana-svcb"/>.</t>
      <ul spacing="normal">
        <li>
          <t>"edhocpath" - The SvcParamKey "edhocpath" is single-valued and specifies a list of one or more absolute paths to EDHOC resources at the server.  </t>
          <ul spacing="normal">
            <li>
              <t>The wire-format value of "edhocpath" is the binary representation of the CBOR data item edhocpath-value, which <bcp14>MUST</bcp14> exactly fill the SvcParamValue.      </t>
              <t>
In particular, edhocpath-value <bcp14>MUST</bcp14> be a CBOR byte string PATH_BSTR or a CBOR array. In the latter case, the array <bcp14>MUST</bcp14> include at least two elements, each of which <bcp14>MUST</bcp14> be a CBOR byte string PATH_BSTR. The SVCB RR <bcp14>MUST</bcp14> be considered malformed if the SvcParamValue ends within edhocpath-value or if edhocpath-value is malformed.      </t>
              <t>
The value of each CBOR byte string PATH_BSTR is the binary representation of a CBOR sequence PATH_SEQ composed of zero or more CBOR text strings. In particular, each PATH_SEQ specifies the URI path of an EDHOC resource at the server, with each CBOR text string within that PATH_SEQ specifying a URI path segment.      </t>
              <t>
If edhocpath-value is a CBOR array, it <bcp14>MUST NOT</bcp14> include any two elements that specify the same URI path.      </t>
              <t>
The CDDL grammar describing the CBOR data item edhocpath-value is shown in <xref target="fig-cddl-edhocpath-value"/>.</t>
            </li>
            <li>
              <t>The presentation format value of "edhocpath" <bcp14>SHALL</bcp14> be a comma-separated list (see <xref section="A.1" sectionFormat="of" target="RFC9460"/>) of one or more absolute paths to EDHOC resources at the server. The same considerations for the "," and "\" characters in paths for zone-file implementations as for the alpn-ids in an "alpn" SvcParam apply (see <xref section="7.1.1" sectionFormat="of" target="RFC9460"/>).      </t>
              <t>
The i-th path in the presentation format value is the textual representation of the path specified by the i-th CBOR sequence PATH_SEQ in the wire-format value (see above).      </t>
              <t>
The textual representation of each path follows the semantics of path-absolute shown in the ABNF definition in <xref target="fig-edhocpath-value-path-abnf"/>, which is provided by the ABNF for path-absolute in <xref section="3.3" sectionFormat="of" target="RFC3986"/>. In particular, given the path specified by a CBOR sequence PATH_SEQ, segment-nz is the value of the first CBOR text string in PATH_SEQ (if any), while each segment is the value of a CBOR text string following the first one in PATH_SEQ (if any).</t>
            </li>
          </ul>
        </li>
        <li>
          <t>"edhoc-app-prof" - The SvcParamKey "edhoc-app-prof" is single-valued and specifies a set of EDHOC application profiles that the server supports.  </t>
          <ul spacing="normal">
            <li>
              <t>The wire-format value of "edhoc-app-prof" is the binary representation of the CBOR data item edhoc-app-prof-value, which <bcp14>MUST</bcp14> exactly fill the SvcParamValue.      </t>
              <t>
In particular, edhoc-app-prof-value <bcp14>MUST</bcp14> be a CBOR byte string. The value of the CBOR byte string is the binary representation of the CBOR sequence SVCB_EDHOC_APP_PROF, which is composed of one or two elements as specified below. The SVCB RR <bcp14>MUST</bcp14> be considered malformed if the SvcParamValue ends within edhoc-app-prof-value or if edhoc-app-prof-value is malformed.      </t>
              <ul spacing="normal">
                <li>
                  <t>The first element advertise_flag is <bcp14>OPTIONAL</bcp14>. If present, it <bcp14>MUST</bcp14> encode the CBOR simple value <tt>true</tt> (0xf5). If advertise_flag is present, a peer that runs EDHOC with the server is encouraged to advertise the EDHOC application profiles that it supports, when sending to the server its first EDHOC message in an EDHOC session.          </t>
                  <t>
In order to do that, the peer can rely as appropriate on the EDHOC EAD item "Supported EDHOC application profiles" (see <xref target="sec-app-profile-edhoc-message_1_2"/>) when sending an EDHOC message_1 or message_2, or on an EDHOC error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles" (see <xref target="sec-app-profile-edhoc-error-message"/>).          </t>
                  <t>
If the peer supports the EDHOC EAD item "Supported EDHOC application profiles" or the error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles", the peer <bcp14>MUST</bcp14> use those as appropriate to honor the wish of the server and accordingly advertise the EDHOC application profiles that it supports.</t>
                </li>
                <li>
                  <t>The second element server_info is <bcp14>REQUIRED</bcp14>, and it <bcp14>MUST</bcp14> be a CBOR byte string APP_BSTR or a CBOR array. In the latter case, the array <bcp14>MUST</bcp14> include at least two elements, each of which <bcp14>MUST</bcp14> be a CBOR byte string APP_BSTR.          </t>
                  <t>
The value of each CBOR byte string APP_BSTR is the binary representation of the CBOR sequence APP_PROF_SEQ. In particular, APP_PROF_SEQ has the same format and semantics specified in <xref target="sec-app-profile-edhoc-message_1_2"/>, except for the following difference: for each element of the CBOR sequence that is an EDHOC_Information object, such an object <bcp14>MUST NOT</bcp14> include the element "exporter_out_len" defined in <xref target="exporter-out-length"/>.          </t>
                  <t>
The SVCB RR <bcp14>MUST</bcp14> be considered malformed if APP_PROF_SEQ is malformed or does not conform with the intended format.</t>
                </li>
              </ul>
              <t>
An SVCB RR might not be intended to advertise what EDHOC application profiles a server supports for a given EDHOC resource that it hosts. In such a case, server_info can be composed such that the CBOR sequence APP_PROF_SEQ pertaining to that resource only consists of a single EDHOC_Information object as an empty CBOR map.      </t>
              <t>
The CDDL grammar describing the CBOR data item edhoc-app-prof-value is shown in <xref target="fig-cddl-edhoc-app-prof-value"/>.</t>
            </li>
            <li>
              <t>The presentation format value of "edhoc-app-prof" <bcp14>SHALL</bcp14> be the CBOR extended diagnostic notation (see <xref section="8" sectionFormat="of" target="RFC8949"/> and <xref section="G" sectionFormat="of" target="RFC8610"/>) of edhoc-app-prof-value in the wire-format value (see above). When producing the presentation format value, care ought to be taken in representing Unicode with the limited ASCII character subset (e.g., by means of Punycode <xref target="RFC3492"/>) and in removing unnecessary common blank spaces within the CBOR extended diagnostic notation.</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>If the SvcParamKey "edhoc-app-prof" is not present in the SVCB RR, then the SvcParamKey "edhocpath", if present, still specifies the URI paths of EDHOC resources at the server. However, no information is provided about what EDHOC application profiles the server supports.</t>
      <t>If the SvcParamKey "edhoc-app-prof" is present in the SVCB RR, then the following applies to server_info therein.</t>
      <ul spacing="normal">
        <li>
          <t>If the SvcParamKey "edhocpath" is not present in the SVCB RR, then server_info <bcp14>MUST</bcp14> be a CBOR byte string.  </t>
          <t>
The information specified by the SvcParamKey "edhoc-app-prof" pertains to the EDHOC resource at the server with URI path "/.well-known/edhoc".</t>
        </li>
        <li>
          <t>If the SvcParamKey "edhocpath" is present in the SVCB RR, then the following applies.  </t>
          <ul spacing="normal">
            <li>
              <t>If the value of the SvcParamKey "edhocpath" is a CBOR byte string, then server_info <bcp14>MUST</bcp14> be a CBOR byte string.      </t>
              <t>
The information specified by the SvcParamKey "edhoc-app-prof" pertains to the EDHOC resource at the server with URI path specified by the SvcParamKey "edhocpath".</t>
            </li>
            <li>
              <t>If the value of the SvcParamKey "edhocpath" is a CBOR array including N elements, then server_info <bcp14>MUST</bcp14> be a CBOR array including N elements.      </t>
              <t>
The information specified by the i-th element of server_info pertains to the EDHOC resource at the server with URI path specified by the i-th element of the CBOR array within the SvcParamKey "edhocpath".</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>A consumer <bcp14>MUST</bcp14> treat as malformed an SVCB RR, in the case that the SvcParamKeys "edhocpath" and "edhoc-app-prof", if present, do not comply with the format and restrictions defined above.</t>
      <figure anchor="fig-cddl-edhocpath-value">
        <name>CDDL Definition of the Value of the SvcParamKey "edhocpath"</name>
        <sourcecode type="cddl"><![CDATA[
edhocpath-value = PATH_BSTR / [2* PATH_BSTR]

PATH_BSTR = bytes .cborseq PATH_SEQ

; This defines an array, the elements of which
; are to be used in the CBOR Sequence PATH_SEQ:
PATH_SEQ = [* path_segment]

path_segment = tstr
]]></sourcecode>
      </figure>
      <figure anchor="fig-edhocpath-value-path-abnf">
        <name>ABNF Definition of path-absolute</name>
        <sourcecode type="abnf"><![CDATA[
path-absolute = "/" [ segment-nz *( "/" segment ) ]

segment       = *pchar
segment-nz    = 1*pchar

pchar = unreserved / pct-encoded / sub-delims / ":" / "@"

unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded   = "%" HEXDIG HEXDIG
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="
]]></sourcecode>
      </figure>
      <figure anchor="fig-cddl-edhoc-app-prof-value">
        <name>CDDL Definition of the Value of the SvcParamKey "edhoc-app-prof"</name>
        <sourcecode type="cddl"><![CDATA[
edhoc-app-prof-value = bytes .cborseq SVCB_EDHOC_APP_PROF

; This defines an array, the elements of which
; are to be used in the CBOR Sequence SVCB_EDHOC_APP_PROF:
SVCB_EDHOC_APP_PROF = [?advertise_flag, server_info]

advertise_flag = bool

server_info = APP_BSTR / [2* APP_BSTR]

; The full definition of APP_PROF_SEQ
; is provided in Section 5.1
APP_BSTR = bytes .cborseq APP_PROF_SEQ
]]></sourcecode>
      </figure>
      <section anchor="examples-of-wire-format-values-of-the-svcparamkeys">
        <name>Examples of Wire-Format Values of the SvcParamKeys</name>
        <t>Using CBOR diagnostic notation, this section provides examples of wire-format values of the SvcParamKeys "edhocpath" and "edhoc-app-prof", within an SVCB RR corresponding to a given server.</t>
        <t><xref target="fig-example-svcb-edhocpath"/> shows an example of the SvcParamKey "edhocpath", with reference to the CDDL grammar in <xref target="fig-cddl-edhocpath-value"/>.</t>
        <t>In the example, two URI paths are specified, i.e., one for the EDHOC resource at "/.well-known/edhoc" and one for the EDHOC resource at "/edhoc-alt".</t>
        <figure anchor="fig-example-svcb-edhocpath">
          <name>Example of Wire-Format Value of the SvcParamKey "edhocpath" within an SVCB RR</name>
          <sourcecode type="cbor-diag"><![CDATA[
[                   / edhocpath-value /
  <<                / PATH_BSTR /
    ".well-known",  / path_segment /
    "edhoc"         / path_segment /
  >>,
  <<                / PATH_BSTR /
    "edhoc-alt"     / path_segment /
  >>
]
]]></sourcecode>
        </figure>
        <t>Assuming an SVCB RR that includes the SvcParamKey "edhocpath" shown in <xref target="fig-example-svcb-edhocpath"/>, the following <xref target="fig-example-svcb-edhoc-app-prof"/> shows an example of the SvcParamKey "edhoc-app-prof" within the same SVCB RR, with reference to the CDDL grammar in <xref target="fig-cddl-edhoc-app-prof-value"/>. In particular, the following applies.</t>
        <t>The CBOR data item advertise_flag is present and encodes the CBOR simple value <tt>true</tt> (0xf5), hence indicating that a peer that runs EDHOC with the server is encouraged to advertise the EDHOC application profiles that it supports, when sending to the server its first EDHOC message in an EDHOC session.</t>
        <t>The CBOR data item server_info is a CBOR array, which includes two CBOR byte strings APP_BSTR. In particular:</t>
        <ul spacing="normal">
          <li>
            <t>The value of the first CBOR byte string is the binary representation of a CBOR sequence APP_PROF_SEQ, which advertises the EDHOC application profiles that the server supports when running EDHOC through the resource with URI path "/.well-known/edhoc".</t>
          </li>
          <li>
            <t>The value of the second CBOR byte string is the binary representation of a CBOR sequence APP_PROF_SEQ, which advertises the EDHOC application profiles that the server supports when running EDHOC through the resource with URI path "/edhoc-alt".</t>
          </li>
        </ul>
        <figure anchor="fig-example-svcb-edhoc-app-prof">
          <name>Example of Wire-Format Value of the SvcParamKey "edhoc-app-prof" within an SVCB RR</name>
          <sourcecode type="cbor-diag"><![CDATA[
<<                                / edhoc-app-prof-value /
   true,                          / advertise_flag /
   [                              / server_info /
     <<                           / APP_BSTR /
       e'APP-PROF-MINIMAL-CS-2',  / profile_id /
       e'APP-PROF-MINIMAL-CS-0',  / profile_id /
       {                          / EDHOC_Information /
         e'message_4' : true,
         e'eads' : [500, 333],
         e'trust_anchors' : {
           e'edhoc_cred' : [
             { e'kid_ta_type' : h'00ac' },
             { e'kid_ta_type' : h'ff01ff' }
           ]
         }
       }
     >>,
     <<                           / APP_BSTR /
       e'APP-PROF-MINIMAL-CS-2',  / profile_id /
       {                          / EDHOC_Information /
         e'comb_req' : true,
         e'eads' : [500, 999],
         e'trust_anchors' : {
           e'edhoc_cred' : { e'kid_ta_type' : h'91ab' }
         }
       }
     >>
   ]
>>
]]></sourcecode>
        </figure>
      </section>
    </section>
    <section anchor="sec-well-known-app-profiles">
      <name>Well-known EDHOC Application Profiles</name>
      <t>This section defines a set of well-known EDHOC application profiles that are meant to reflect what is most common and expected to be supported by EDHOC peers.</t>
      <t>The well-known application profiles are <em>not</em> to be intended as "default" profiles to use, in the case that no other indication is provided to EDHOC peers.</t>
      <t>In particular, an EDHOC peer <bcp14>MUST NOT</bcp14> assume that, unless otherwise indicated, any of such profiles is used when running EDHOC through a well-known EDHOC resource, such as the resource at /.well-known/edhoc when EDHOC messages are transported as payload of CoAP messages (see <xref section="A.2" sectionFormat="of" target="RFC9528"/>).</t>
      <t>Building on the above, the well-known application profiles are <em>not</em> intended to deviate from what is mandatory to support for EDHOC peers, which is defined by the compliance requirements in <xref section="8" sectionFormat="of" target="RFC9528"/>.</t>
      <t>The rest of this section defines the well-known application profiles, each of which is represented by means of an EDHOC_Application_Profile object (see <xref target="sec-app-profile-cbor"/>) using the CBOR extended diagnostic notation.</t>
      <t>An entry for each well-known application profile is also registered at the "EDHOC Application Profiles" registry defined in <xref target="iana-edhoc-application-profiles"/> of this document.</t>
      <section anchor="sec-well-known-app-prof-id-0">
        <name>Well-Known Application Profile MINIMAL-CS-2</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : 3, / EDHOC Method Type 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : 1, / CWT Claims Set (CCS) /
  e'id_cred_types' : 4, / kid /
       e'app_prof' : e'APP-PROF-MINIMAL-CS-2'
}
]]></sourcecode>
        <t>This minimal application profile is suitable for EDHOC peers with very limited capabilities, as they benefit from efficiently using: non-signature keys for authentication with EDHOC method 3; EDHOC cipher suite 2, which is already expected to be supported; the compact credential type CBOR Web Token Claims Set (CCS) <xref target="RFC8392"/> identified by reference with a compact "kid".</t>
        <t>This application profile is aligned with the example trace of EDHOC compiled in <xref section="3" sectionFormat="of" target="RFC9529"/>.</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-1">
        <name>Well-Known Application Profile MINIMAL-CS-0</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : 3, / EDHOC Method Type 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : 1, / CWT Claims Set (CCS) /
  e'id_cred_types' : 4, / kid /
       e'app_prof' : e'APP-PROF-MINIMAL-CS-0'
}
]]></sourcecode>
        <t>This minimal application profile is suitable for EDHOC peers with very limited capabilities, and it differs from the one in <xref target="sec-well-known-app-prof-id-0"/> only by indicating a different EDHOC cipher suite (0) from those intended for constrained environments.</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-2">
        <name>Well-Known Application Profile BASIC-CS-2-X509</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : [1, 2], / CWT Claims Set (CCS)
                             and X.509 certificate /
  e'id_cred_types' : [4, 34], / kid and x5t /
       e'app_prof' : e'APP-PROF-BASIC-CS-2-X509'
}
]]></sourcecode>
        <t>This basic application profile is suitable for EDHOC peers with fairly limited capabilities, which can afford using: signature keys or non-signature keys for authentication with EDHOC method 0 or 3; EDHOC cipher suite 2; the credential type CCS identified by reference with "kid", or X.509 certificates <xref target="RFC5280"/> identified by reference with "x5t".</t>
        <t>This application profile is aligned with the example trace of EDHOC compiled in <xref section="3" sectionFormat="of" target="RFC9529"/>.</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-3">
        <name>Well-Known Application Profile BASIC-CS-0-X509</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : [1, 2], / CWT Claims Set (CCS)
                             and X.509 certificate /
  e'id_cred_types' : [4, 34], / kid and x5t /
       e'app_prof' : e'APP-PROF-BASIC-CS-0-X509'
}
]]></sourcecode>
        <t>This basic application profile is suitable for EDHOC peers with fairly limited capabilities, and it differs from the one in <xref target="sec-well-known-app-prof-id-2"/> only by indicating a different EDHOC cipher suite (0) from those intended for constrained environments.</t>
        <t>This application profile is aligned with the example trace of EDHOC compiled in <xref section="2" sectionFormat="of" target="RFC9529"/>.</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-4">
        <name>Well-Known Application Profile BASIC-CS-2-C509</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : [1, e'c509_cert'], / CWT Claims Set (CCS)
                                        and C509 certificate /
  e'id_cred_types' : [4, e'c5t'], / kid and c5t /
       e'app_prof' : e'APP-PROF-BASIC-CS-2-C509'
}
]]></sourcecode>
        <t>This basic application profile is suitable for EDHOC peers with fairly limited capabilities, and it differs from the one in <xref target="sec-well-known-app-prof-id-2"/> only by indicating support for C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/> identified by reference with "c5t", instead of X.509 certificates identified by reference with "x5t".</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-5">
        <name>Well-Known Application Profile BASIC-CS-0-C509</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : [1, e'c509_cert'], / CWT Claims Set (CCS)
                                        and C509 certificate /
  e'id_cred_types' : [4, e'c5t'], / kid and c5t /
       e'app_prof' : e'APP-PROF-BASIC-CS-0-C509'
}
]]></sourcecode>
        <t>This basic application profile is suitable for EDHOC peers with fairly limited capabilities, and it differs from the one in <xref target="sec-well-known-app-prof-id-3"/> only by indicating support for C509 certificates identified by reference with "c5t", instead of X.509 certificates identified by reference with "x5t".</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-6">
        <name>Well-Known Application Profile INTERMEDIATE-CS-2</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : [1, 2, e'c509_cert'], / CWT Claims Set (CCS),
                                           X.509 certificate,
                                           and C509 certificate /
  e'id_cred_types' : [4, 14, 34, 33, e'c5t', e'c5c'], / kid, kccs,
                                                      x5t, x5chain,
                                                      c5t, and c5c /
       e'app_prof' : e'APP-PROF-INTERMEDIATE-CS-2'
}
]]></sourcecode>
        <t>This intermediate application profile is suitable for EDHOC peers that, even if with somewhat limited capabilities, can afford a moderate set of options: signature keys or non-signature keys for authentication with EDHOC method 0 or 3; EDHOC cipher suite 2; the credential type CCS identified by reference with "kid" or by value with "kccs", or X.509 certificates identified by reference with "x5t" or by value with "x5chain", or C509 certificates identified by reference with "c5t" or by value with "c5c".</t>
        <t>This application profile is aligned with the example trace of EDHOC compiled in <xref section="3" sectionFormat="of" target="RFC9529"/>.</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-7">
        <name>Well-Known Application Profile INTERMEDIATE-CS-0</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : [1, 2, e'c509_cert'], / CWT Claims Set (CCS),
                                             X.509 certificate,
                                             and C509 certificate /
  e'id_cred_types' : [4, 14, 34, 33, e'c5t', e'c5c'], / kid, kccs,
                                                      x5t, x5chain,
                                                      c5t, and c5c /
       e'app_prof' : e'APP-PROF-INTERMEDIATE-CS-0'
}
]]></sourcecode>
        <t>This intermediate application profile is suitable for EDHOC peers that, even if with somewhat limited capabilities, can afford a moderate set of options, and it differs from the one in <xref target="sec-well-known-app-prof-id-6"/> only by indicating a different EDHOC cipher suite (0) from those inteded for constrained environments.</t>
        <t>This application profile is aligned with the example trace of EDHOC compiled in <xref section="2" sectionFormat="of" target="RFC9529"/>.</t>
      </section>
      <section anchor="sec-well-known-app-prof-id-8">
        <name>Well-Known Application Profile EXTENSIVE</name>
        <sourcecode type="cbor-diag"><![CDATA[
{
        e'methods' : [0, 1, 2, 3], / EDHOC Method Types
                                     0, 1, 2, and 3 /
  e'cipher_suites' : [0, 1, 2, 3], / EDHOC Cipher Suites
                                     0, 1, 2, and 3 /
     e'cred_types' : [1, 0, 2, e'c509_cert'], / CWT Claims Set (CCS),
                                              CWT, X.509 certificate,
                                              and C509 certificate /
  e'id_cred_types' : [4, 14, 13, 34, 33, e'c5t', e'c5c'], / kid,
                                                          kccs, kcwt,
                                                          x5t,
                                                          x5chain,
                                                          c5t, and
                                                          c5c /
       e'app_prof' : e'APP-PROF-EXTENSIVE'
}
]]></sourcecode>
        <t>This extensive application profile is suitable for EDHOC peers that, even if with somewhat limited capabilities, can afford an extensive set of options: all the four original EDHOC cipher suites intended for constrained environments; all the four original EDHOC authentication methods based on public key authentication; the credential type CCS identified by reference with "kid" or by value with "kccs", or CBOR Web Token (CWT) <xref target="RFC8392"/> identified by reference with "kid" or by value with "kcwt", or X.509 certificates identified by reference with "x5t" or by value with "x5chain", or C509 certificates identified by reference with "c5t" or by value with "c5c".</t>
        <t>This application profile is aligned with the example traces of EDHOC compiled in Sections <xref target="RFC9529" section="2" sectionFormat="bare"/> and <xref target="RFC9529" section="3" sectionFormat="bare"/> of <xref target="RFC9529"/>.</t>
      </section>
    </section>
    <section anchor="sec-edhoc-well-known-app-profiles">
      <name>Identifiers of Well-known EDHOC Application Profiles</name>
      <t>This document defines the following identifiers of well-known EDHOC application profiles.</t>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <table align="center" anchor="_table-edhoc-well-known-app-profiles">
        <name>EDHOC Well-known Application Profiles</name>
        <thead>
          <tr>
            <th align="left">Profile ID</th>
            <th align="left">Name</th>
            <th align="left">Description</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">0</td>
            <td align="left">MINIMAL-CS-2</td>
            <td align="left">Method 3; Cipher Suite 2; CCS; kid</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-0"/>]</td>
          </tr>
          <tr>
            <td align="left">1</td>
            <td align="left">MINIMAL-CS-0</td>
            <td align="left">Method 3; Cipher Suite 0; CCS; kid</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-1"/>]</td>
          </tr>
          <tr>
            <td align="left">2</td>
            <td align="left">BASIC-CS-2-X509</td>
            <td align="left">Methods (0, 3); Cipher Suite 2; (CCS, X.509 certificates); (kid, x5t)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-2"/>]</td>
          </tr>
          <tr>
            <td align="left">3</td>
            <td align="left">BASIC-CS-0-X509</td>
            <td align="left">Methods (0, 3); Cipher Suite 0; (CCS, X.509 certificates); (kid, x5t)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-3"/>]</td>
          </tr>
          <tr>
            <td align="left">4</td>
            <td align="left">BASIC-CS-2-C509</td>
            <td align="left">Methods (0, 3); Cipher Suite 2; (CCS, C509 certificates); (kid, c5t)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-4"/>]</td>
          </tr>
          <tr>
            <td align="left">5</td>
            <td align="left">BASIC-CS-0-C509</td>
            <td align="left">Methods (0, 3); Cipher Suite 0; (CCS, C509 certificates); (kid, c5t)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-5"/>]</td>
          </tr>
          <tr>
            <td align="left">6</td>
            <td align="left">INTERMEDIATE-CS-2</td>
            <td align="left">Methods (0, 3); Cipher Suite 2; (CCS, X.509/C509 certificates); (kid, kccs, x5t, x5chain, c5t, c5c)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-6"/>]</td>
          </tr>
          <tr>
            <td align="left">7</td>
            <td align="left">INTERMEDIATE-CS-0</td>
            <td align="left">Methods (0, 3); Cipher Suite 0; (CCS, X.509/C509 certificates); (kid, kccs, x5t, x5chain, c5t, c5c)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-7"/>]</td>
          </tr>
          <tr>
            <td align="left">8</td>
            <td align="left">EXTENSIVE</td>
            <td align="left">Methods (0, 1, 2, 3); Cipher Suites (0, 1, 2, 3); (CCS, CWT, X.509/C509 certificates); (kid, kccs, kcwt, x5t, x5chain, c5t, c5c)</td>
            <td align="left">[RFC-XXXX, <xref target="sec-well-known-app-prof-id-8"/>]</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>This section compiles the operational considerations that hold for this document.</t>
      <section anchor="relation-with-network-operations">
        <name>Relation with Network Operations</name>
        <t>The means defined in this document are largely about aiding peers in running the EDHOC protocol by achieving a common understanding of what they support, thereby facilitating interoperability between EDHOC implementations. Such coordination is expected to keep authenticated key exchange through EDHOC a smooth process in itself and with respect to network operation and management.</t>
        <t>The use of these coordinating means in itself is not expected to have a notable impact on performance and network operations, and it is embedded within other relevant network protocols and components such as: the discovery of resources through web-linking <xref target="RFC8288"/> and CoRE Link Format <xref target="RFC6690"/> (see <xref target="web-linking"/> and <xref target="sec-parameters-web-linking"/>); the execution of the EDHOC protocol itself (see <xref target="sec-app-profile-edhoc-messages"/>); and the discovery of server-related information via DNS SVCB RR <xref target="RFC9460"/><xref target="RFC9461"/> (see <xref target="sec-svcb"/>).</t>
      </section>
      <section anchor="source-of-data-for-network-operators">
        <name>Source of Data for Network Operators</name>
        <t>As further discussed in <xref target="sec-security-considerations"/>, information about what EDHOC application profiles a peer supports could be advertised in plain, depending on the approach specifically used. In such a case, a network operator can passively observe the plain exchange of such information, thereby gaining (a partial) knowledge of EDHOC application profiles that are supported and used in the network.</t>
        <t>From the perspective of an individual network operator, this knowledge can be useful for (fine-)tuning the allocation of network resources.</t>
        <t>Multiple, cooperating network operators could build an aggregated knowledge that indicates broad "trends" about EDHOC application profiles and their use. This raises awareness of what appears to be most supported and preferred by EDHOC peers, which can influence priority decisions about the development and use of EDHOC implementations, as well as the operations of infrastructures for provisioning and validating public authentication credentials.</t>
        <t>As noted in <xref target="sec-well-known-app-profiles"/>, well-known EDHOC application profiles are not meant to be default profiles to use, and they are not meant to deviate from the EDHOC compliance requirements compiled in <xref section="8" sectionFormat="of" target="RFC9528"/>. Instead, they are meant to reflect what is most common and expected to be supported by EDHOC peers. Hence, developing aggregated knowledge on typical uses of EDHOC can help identify EDHOC application profiles that have become de facto well-known, thereby further accelerating their adoption.</t>
      </section>
      <section anchor="logging-and-reporting">
        <name>Logging and Reporting</name>
        <t>When using the means defined in this document, EDHOC peers are not expected to keep any particular log of such use, or to go beyond expectations already in place as to the logging of EDHOC sessions. However, after gaining knowledge about what EDHOC application profiles are supported by a given EDHOC peer and verifying that such knowledge is reliable and authentic (see <xref target="sec-security-considerations"/>), it is encouraged to locally persist that knowledge for a non-negligible amount of time determined by the application. Especially under the assumption that what EDHOC peers support does not (often) change, this avoids the need to repeatedly re-gain the same knowledge at least in the short term.</t>
        <t>If an EDHOC session fails due to an apparent mismatch with gained knowledge about commonly supported EDHOC application profiles, a peer can report such a failure to a network manager or infrastructure operator. This can help identify peers whose behavior deviates from what is advertised in terms of EDHOC application profiles that they allegedly support. In turn, this can be used to detect misbehaving peers, outdated information about what peers support, or ongoing tampering of such information if that is advertised in plain (see <xref target="sec-security-considerations"/>).</t>
        <t>It is out of the scope of this document what specific semantics and data model are used for producing and processing such reports. Specific semantics and data models can be defined by applications and future specifications.</t>
      </section>
    </section>
    <section anchor="sec-security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations compiled in <xref section="9" sectionFormat="of" target="RFC9528"/> hold for this document. The security considerations compiled in <xref section="7" sectionFormat="of" target="RFC9668"/> also apply, when EDHOC is transported over CoAP <xref target="RFC7252"/> and specifically when using the EDHOC + OSCORE request defined in <xref section="3" sectionFormat="of" target="RFC9668"/>.</t>
      <t>Instances of the EDHOC_Application_Profile objects (see <xref target="sec-app-profile-cbor"/>) ought to be accepted only if provided by an identifiable, trusted party by using secure communication. When this is not the case, an EDHOC peer can be induced to: erroneously identify a given EDHOC application profile with a wrong Profile ID; erroneously believe a given EDHOC application profile to exist in the first place; develop a wrong understanding of what a given EDHOC application profile consists of.</t>
      <t>Different security guarantees can be achieved about the acquired information on the EDHOC application profiles supported by a given peer, depending on the specific approach used. The potential consequences of acquiring such information in a non secured way are discussed later in this section.</t>
      <ul spacing="normal">
        <li>
          <t>With respect to using web linking (see <xref target="web-linking"/> and <xref target="sec-parameters-web-linking"/>), the security considerations in <xref section="5" sectionFormat="of" target="RFC8288"/> apply. When specifically relying on CoRE Link Format <xref target="RFC6690"/>, the security considerations in <xref section="6" sectionFormat="of" target="RFC6690"/> also apply.  </t>
          <t>
Clearly, the discovery of EDHOC resources at a server is intended to happen before running EDHOC with the server. At that point in time, the peer attempting to discover EDHOC resources at the server is unlikely to already have a secure communication association with the server. Therefore, the discovery process is likely to use unsecured communication.  </t>
          <t>
Alternatively, EDHOC resources at a server can be discovered by securely interacting with separate discovery services, e.g., by using the CoRE Resource Directory <xref target="RFC9176"/>.</t>
        </li>
        <li>
          <t>With respect to using the EDHOC EAD item "Supported EDHOC application profiles" (see <xref target="sec-app-profile-edhoc-message_1_2"/>), the following applies.  </t>
          <ul spacing="normal">
            <li>
              <t>When the EAD item is included in EDHOC message_1, the information conveyed therein is not protected. However, changing EDHOC message_1 in transit (e.g., by adding, removing, or modifying the EAD item) would result in the Initiator aborting the EDHOC session, after receiving and failing to verify EDHOC message_2.</t>
            </li>
            <li>
              <t>When the EAD item is included in EDHOC message_2, the information conveyed therein is protected by EDHOC.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>With respect to using an EDHOC error message with error code (ERR_CODE) TBD_ERROR_CODE "Unspecified error and supported EDHOC application profiles", the information conveyed in ERR_INFO is not protected, just like when any other error code is used.</t>
        </li>
        <li>
          <t>With respect to using the SvcParamKeys "edhocpath" and "edhoc-app-prof" within an SVCB RR (see <xref target="sec-svcb"/>), the security considerations from <xref section="12" sectionFormat="of" target="RFC9460"/> and <xref section="8" sectionFormat="of" target="RFC9461"/> apply.  </t>
          <t>
It is encouraged that DNS is used with secure communication. Known threats for unprotected DNS are described in <xref target="RFC3833"/> and <xref target="RFC9076"/>.</t>
        </li>
      </ul>
      <t>If information about EDHOC application profiles supported by a peer is distributed in an unprotected way (e.g., through unsecured communication), a consumer should treat such information as a hint and does not locally persist that information until verifying that it is reliable and authentic. For example, if the Responder receives an EDHOC message_1 that includes the EDHOC EAD item "Supported EDHOC application profiles", the Responder will initially treat the information conveyed therein as a hint, and it is able to verify such information as reliable and authentic after receiving and successfully processing the later EDHOC message_3 in the same EDHOC session.</t>
      <t>If the acquired information has been tampered with and does not reflect what a given peer supports and intends to advertise, this can set wrong expectations about what is effectively possible to do when running EDHOC with that peer. Although this can still result in successfully running EDHOC with a configuration that is commonly supported, such configuration would probably not have been selected, had reliable and authentic information been acquired. In the worst case, there might be the erroneous belief that there is not sufficient shared support with that peer.</t>
      <t>What is discussed above does not have an impact on the security of the EDHOC protocol in itself. That is, even when the available information about supported EDHOC application profiles is not guaranteed to be reliable and authentic, the successful completion of an EDHOC session still provides the security guarantees that are expected as per the way the session was run (e.g., based on the selected cipher suite and EDHOC method used).</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has the following actions for IANA.</t>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <section anchor="iana-media-type">
        <name>Media Type Registrations</name>
        <t>IANA is asked to register the media type "application/edhoc-app-profile+cbor-seq". This registration follows the procedures specified in <xref target="RFC6838"/>.</t>
        <t>Type name: application</t>
        <t>Subtype name: edhoc-app-profile+cbor-seq</t>
        <t>Required parameters: N/A</t>
        <t>Optional parameters: N/A</t>
        <t>Encoding considerations: Must be encoded as a CBOR sequence <xref target="RFC8742"/> of CBOR maps <xref target="RFC8949"/>. Each of the CBOR maps is an EDHOC_Application_Profile object (see <xref target="sec-app-profile-cbor"/> of [RFC-XXXX]). Each element of each CBOR map is also defined as an element of the CBOR-encoded EDHOC_Information object from <xref section="3.4" sectionFormat="of" target="I-D.ietf-ace-edhoc-oscore-profile"/>.</t>
        <t>Security considerations: See <xref target="sec-security-considerations"/> of [RFC-XXXX].</t>
        <t>Interoperability considerations: N/A</t>
        <t>Published specification: [RFC-XXXX]</t>
        <t>Applications that use this media type: Applications that need to describe, distribute, and store a representation of an EDHOC application profile (see <xref target="sec-app-profile-cbor"/> of [RFC-XXXX] and <xref section="3.9" sectionFormat="of" target="RFC9528"/>).</t>
        <t>Fragment identifier considerations: N/A</t>
        <t>Additional information: N/A</t>
        <t>Person &amp; email address to contact for further information: LAKE WG mailing list (lake@ietf.org) or IETF Applications and Real-Time Area (art@ietf.org)</t>
        <t>Intended usage: COMMON</t>
        <t>Restrictions on usage: None</t>
        <t>Author/Change controller: IETF</t>
        <t>Provisional registration: No</t>
      </section>
      <section anchor="iana-content-format">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA is asked to add the following entry to the "CoAP Content-Formats" registry <xref target="CoAP.Content.Formats"/> within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <t>Content Type: application/edhoc-app-profile+cbor-seq</t>
        <t>Content Coding: -</t>
        <t>ID: TBD (range 0-255)</t>
        <t>Reference: [RFC-XXXX]</t>
      </section>
      <section anchor="iana-target-attributes">
        <name>Target Attributes Registry</name>
        <t>IANA is asked to register the following entries in the "Target Attributes" registry <xref target="Target.Attributes"/> within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-prof</t>
          </li>
          <li>
            <t>Brief Description: A supported EDHOC application profile</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-ta-edcred-uuid</t>
          </li>
          <li>
            <t>Brief Description: Identifier of a supported trust anchor for verifying authentication credentials of other EDHOC peers, as a UUID</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-ta-edcred-kid</t>
          </li>
          <li>
            <t>Brief Description: Identifier of a supported trust anchor for verifying authentication credentials of other EDHOC peers, as a binary key identifier</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-ta-edcred-c5t</t>
          </li>
          <li>
            <t>Brief Description: Identifier of a supported trust anchor for verifying authentication credentials of other EDHOC peers, as a hash of a C509 certificate</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-ta-edcred-c5u</t>
          </li>
          <li>
            <t>Brief Description: Identifier of a supported trust anchor for verifying authentication credentials of other EDHOC peers, as a URI pointing to a C509 certificate</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-ta-edcred-x5t</t>
          </li>
          <li>
            <t>Brief Description: Identifier of a supported trust anchor for verifying authentication credentials of other EDHOC peers, as a hash of an X.509 certificate</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-ta-edcred-x5u</t>
          </li>
          <li>
            <t>Brief Description: Identifier of a supported trust anchor for verifying authentication credentials of other EDHOC peers, as a URI pointing to an X.509 certificate</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: ed-psk-resumption</t>
          </li>
          <li>
            <t>Brief Description: Hint: support for EDHOC session resumption with EDHOC-PSK</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-parameters-web-linking"/>]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-edhoc-information-registry">
        <name>EDHOC Information Registry</name>
        <t>IANA is asked to register the following entries in the "EDHOC Information" registry defined in <xref target="I-D.ietf-ace-edhoc-oscore-profile"/> within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Name: psk_resumption</t>
          </li>
          <li>
            <t>CBOR label: 21 (suggested)</t>
          </li>
          <li>
            <t>CBOR type: True or False</t>
          </li>
          <li>
            <t>Registry:</t>
          </li>
          <li>
            <t>Description: Support for EDHOC session resumption with EDHOC-PSK</t>
          </li>
          <li>
            <t>Type: NP</t>
          </li>
          <li>
            <t>Specification: [RFC-XXXX]<xref target="I-D.ietf-lake-edhoc-psk"/></t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: exporter_out_len</t>
          </li>
          <li>
            <t>CBOR label: 22 (suggested)</t>
          </li>
          <li>
            <t>CBOR type: array</t>
          </li>
          <li>
            <t>Registry: EDHOC Exporter Labels</t>
          </li>
          <li>
            <t>Description: Set of output lengths to use with the EDHOC_Exporter interface</t>
          </li>
          <li>
            <t>Type: P</t>
          </li>
          <li>
            <t>Specification: [RFC-XXXX]<xref target="RFC9528"/></t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: app_prof</t>
          </li>
          <li>
            <t>CBOR label: 23 (suggested)</t>
          </li>
          <li>
            <t>CBOR type: int or array</t>
          </li>
          <li>
            <t>Registry: EDHOC Application Profiles registry</t>
          </li>
          <li>
            <t>Description: Set of supported EDHOC application profiles</t>
          </li>
          <li>
            <t>Type: NP</t>
          </li>
          <li>
            <t>Specification: [RFC-XXXX]<xref target="RFC9528"/></t>
          </li>
        </ul>
      </section>
      <section anchor="iana-edhoc-ead-registry">
        <name>EDHOC External Authorization Data Registry</name>
        <t>IANA is asked to register the following entry in the "EDHOC External Authorization Data" registry <xref target="EDHOC.External.Authorization.Data"/> within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Name: Supported EDHOC application profiles</t>
          </li>
          <li>
            <t>Label: TBD_EAD_LABEL (range 0-23)</t>
          </li>
          <li>
            <t>Description: Set of supported EDHOC application profiles</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-app-profile-edhoc-message_1_2"/>]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-edhoc-error-codes-registry">
        <name>EDHOC Error Codes Registry</name>
        <t>IANA is asked to register the following entry in the "EDHOC Error Codes" registry <xref target="EDHOC.Error.Codes"/> within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>ERR_CODE: TBD_ERROR_CODE (range -24 to 23)</t>
          </li>
          <li>
            <t>ERR_INFO Type: bstr</t>
          </li>
          <li>
            <t>Description: Unspecified error and supported EDHOC application profiles</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-app-profile-edhoc-error-message"/>]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-svcb">
        <name>DNS SVCB Service Parameter Keys (SvcParamKeys)</name>
        <t>IANA is asked to add the following entries to the "DNS SVCB Service Parameter Keys (SvcParamKeys)" registry <xref target="DNS.SVCB.SvcParamKeys"/> within the "DNS Service Bindings (SVCB)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Number: 12 (suggested)</t>
          </li>
          <li>
            <t>Name: edhocpath</t>
          </li>
          <li>
            <t>Meaning: EDHOC resource path</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-svcb"/>]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Number: 13 (suggested)</t>
          </li>
          <li>
            <t>Name: edhoc-app-prof</t>
          </li>
          <li>
            <t>Meaning: Supported EDHOC application profiles</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX, <xref target="sec-svcb"/>]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-edhoc-application-profiles">
        <name>EDHOC Application Profiles Registry</name>
        <t>IANA is requested to create a new "EDHOC Application Profiles" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in <xref target="RFC9528"/>.</t>
        <t>The registration policy is either "Private Use", "Standards Action with Expert Review", or "Specification Required" per <xref section="4.6" sectionFormat="of" target="RFC8126"/>. "Expert Review" guidelines are provided in <xref target="iana-expert-review"/>.</t>
        <t>All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per <xref section="4.9" sectionFormat="of" target="RFC8126"/>, with Expert Review additionally required per <xref section="4.5" sectionFormat="of" target="RFC8126"/>. The procedure for early IANA allocation of Standards Track code points defined in <xref target="RFC7120"/> also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, WG chairs are encouraged to consult the expert(s) early during the process outlined in <xref section="3.1" sectionFormat="of" target="RFC7120"/>.</t>
        <t>The columns of this registry are:</t>
        <ul spacing="normal">
          <li>
            <t>Profile ID: This field contains the value used to identify the EDHOC application profile. These values <bcp14>MUST</bcp14> be unique. The value can be a positive integer or a negative integer. Different ranges of values use different registration policies <xref target="RFC8126"/>. Integer values from -24 to 23 are designated as "Standards Action With Expert Review". Integer values from -65536 to -25 and from 24 to 65535 are designated as "Specification Required". Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".</t>
          </li>
          <li>
            <t>Name: This field contains the name of the EDHOC application profile.</t>
          </li>
          <li>
            <t>Description: This field contains a short description of the EDHOC application profile.</t>
          </li>
          <li>
            <t>Reference: This field contains a pointer to the public specification for the EDHOC application profile.</t>
          </li>
        </ul>
        <t>This registry has been initially populated with the values in <xref target="_table-edhoc-well-known-app-profiles"/>.</t>
      </section>
      <section anchor="iana-expert-review">
        <name>Expert Review Instructions</name>
        <t>"Standards Action with Expert Review" and "Specification Required" are two of the registration policies defined for the IANA registry established in this document. This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason so they should be given substantial latitude.</t>
        <t>Expert reviewers should take into consideration the following points:</t>
        <ul spacing="normal">
          <li>
            <t>Clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Experts need to make sure that the object of registration is clearly defined in the corresponding specification. Entries that do not meet these objectives of clarity and completeness must not be registered.</t>
          </li>
          <li>
            <t>Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage is not going to duplicate one that is already registered and that the point is likely to be used in deployments. The zones tagged as "Private Use" are intended for testing purposes and closed environments. Code points in other ranges should not be assigned for testing.</t>
          </li>
          <li>
            <t>Specifications are required for the "Standards Action With Expert Review" range of point assignment. Specifications should exist for "Specification Required" ranges, but early assignment before a specification is available is considered to be permissible. When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.</t>
          </li>
          <li>
            <t>Experts should take into account the expected usage of fields when approving point assignment. Documents published via Standards Action can also register points outside the Standards Action range. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6690">
          <front>
            <title>Constrained RESTful Environments (CoRE) Link Format</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <date month="August" year="2012"/>
            <abstract>
              <t>This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6690"/>
          <seriesInfo name="DOI" value="10.17487/RFC6690"/>
        </reference>
        <reference anchor="RFC6838">
          <front>
            <title>Media Type Specifications and Registration Procedures</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="13"/>
          <seriesInfo name="RFC" value="6838"/>
          <seriesInfo name="DOI" value="10.17487/RFC6838"/>
        </reference>
        <reference anchor="RFC7120">
          <front>
            <title>Early IANA Allocation of Standards Track Code Points</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <date month="January" year="2014"/>
            <abstract>
              <t>This memo describes the process for early allocation of code points by IANA from registries for which "Specification Required", "RFC Required", "IETF Review", or "Standards Action" policies apply. This process can be used to alleviate the problem where code point allocation is needed to facilitate desired or required implementation and deployment experience prior to publication of an RFC, which would normally trigger code point allocation. The procedures in this document are intended to apply only to IETF Stream documents.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="100"/>
          <seriesInfo name="RFC" value="7120"/>
          <seriesInfo name="DOI" value="10.17487/RFC7120"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8288">
          <front>
            <title>Web Linking</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="October" year="2017"/>
            <abstract>
              <t>This specification defines a model for the relationships between resources on the Web ("links") and the type of those relationships ("link relation types").</t>
              <t>It also defines the serialisation of such links in HTTP headers with the Link header field.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8288"/>
          <seriesInfo name="DOI" value="10.17487/RFC8288"/>
        </reference>
        <reference anchor="RFC8392">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8742">
          <front>
            <title>Concise Binary Object Representation (CBOR) Sequences</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence.</t>
              <t>Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8742"/>
          <seriesInfo name="DOI" value="10.17487/RFC8742"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9200">
          <front>
            <title>Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9200"/>
          <seriesInfo name="DOI" value="10.17487/RFC9200"/>
        </reference>
        <reference anchor="RFC9360">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9360"/>
          <seriesInfo name="DOI" value="10.17487/RFC9360"/>
        </reference>
        <reference anchor="RFC9460">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
        <reference anchor="RFC9461">
          <front>
            <title>Service Binding Mapping for DNS Servers</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>The SVCB DNS resource record type expresses a bound collection of endpoint metadata, for use when establishing a connection to a named service. DNS itself can be such a service, when the server is identified by a domain name. This document provides the SVCB mapping for named DNS servers, allowing them to indicate support for encrypted transport protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9461"/>
          <seriesInfo name="DOI" value="10.17487/RFC9461"/>
        </reference>
        <reference anchor="RFC9528">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="RFC9562">
          <front>
            <title>Universally Unique IDentifiers (UUIDs)</title>
            <author fullname="K. Davis" initials="K." surname="Davis"/>
            <author fullname="B. Peabody" initials="B." surname="Peabody"/>
            <author fullname="P. Leach" initials="P." surname="Leach"/>
            <date month="May" year="2024"/>
            <abstract>
              <t>This specification defines UUIDs (Universally Unique IDentifiers) --
also known as GUIDs (Globally Unique IDentifiers) -- and a Uniform
Resource Name namespace for UUIDs. A UUID is 128 bits long and is
intended to guarantee uniqueness across space and time. UUIDs were
originally used in the Apollo Network Computing System (NCS), later
in the Open Software Foundation's (OSF's) Distributed Computing
Environment (DCE), and then in Microsoft Windows platforms.</t>
              <t>This specification is derived from the OSF DCE specification with the
kind permission of the OSF (now known as "The Open Group"). Information from earlier versions of the OSF DCE specification have
been incorporated into this document. This document obsoletes RFC
4122.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9562"/>
          <seriesInfo name="DOI" value="10.17487/RFC9562"/>
        </reference>
        <reference anchor="RFC9668">
          <front>
            <title>Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <author fullname="R. Höglund" initials="R." surname="Höglund"/>
            <author fullname="S. Hristozov" initials="S." surname="Hristozov"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <date month="November" year="2024"/>
            <abstract>
              <t>The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) can be run over the Constrained Application Protocol (CoAP) and used by two peers to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol by specifying a number of additional and optional mechanisms, including an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9668"/>
          <seriesInfo name="DOI" value="10.17487/RFC9668"/>
        </reference>
        <reference anchor="I-D.ietf-ace-edhoc-oscore-profile">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE</organization>
            </author>
            <date day="1" month="March" year="2026"/>
            <abstract>
              <t>   This document specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  It
   utilizes Ephemeral Diffie-Hellman Over COSE (EDHOC) for achieving
   mutual authentication between an ACE-OAuth client and resource
   server, and it binds an authentication credential of the client to an
   ACE-OAuth access token.  EDHOC also establishes an Object Security
   for Constrained RESTful Environments (OSCORE) Security Context, which
   is used to secure communications between the client and resource
   server when accessing protected resources according to the
   authorization information indicated in the access token.  This
   profile can be used to delegate management of authorization
   information from a resource-constrained server to a trusted host with
   less severe limitations regarding processing power and memory.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-edhoc-oscore-profile-10"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="I-D.ietf-lake-edhoc-psk">
          <front>
            <title>EDHOC Authenticated with Pre-Shared Keys (PSK)</title>
            <author fullname="Elsa Lopez-Perez" initials="" surname="Lopez-Perez">
              <organization>Inria</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Rafael Marin-Lopez" initials="R." surname="Marin-Lopez">
              <organization>University of Murcia</organization>
            </author>
            <author fullname="Francisco Lopez-Gomez" initials="F." surname="Lopez-Gomez">
              <organization>University of Murcia</organization>
            </author>
            <date day="16" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a Pre-Shared Key (PSK) authentication method
   for the Ephemeral Diffie-Hellman Over COSE (EDHOC) Lightweight
   Authenticated Key Exchange (LAKE) protocol.  The PSK method provides
   mutual authentication, ephemeral key exchange, identity protection,
   and quantum resistance while incurring lower computational costs than
   the public-key authentication methods specified for EDHOC.  It is
   suited for systems where nodes share a PSK provided out-of-band
   (external PSK) and enables efficient session resumption with less
   computational overhead when the PSK is provided from a previous EDHOC
   session (resumption PSK).  This document details the PSK message
   flow, key derivation changes, message formatting, processing, and
   security considerations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-psk-08"/>
        </reference>
        <reference anchor="EDHOC.Exporter.Labels" target="https://www.iana.org/assignments/edhoc/edhoc.xhtml#edhoc-exporter-labels">
          <front>
            <title>EDHOC Exporter Labels</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="CoAP.Content.Formats" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#content-formats">
          <front>
            <title>CoAP Content-Formats</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="Target.Attributes" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#target-attributes">
          <front>
            <title>Target Attributes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="EDHOC.External.Authorization.Data" target="https://www.iana.org/assignments/edhoc/edhoc.xhtml#edhoc-ead">
          <front>
            <title>EDHOC External Authorization Data</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="EDHOC.Error.Codes" target="https://www.iana.org/assignments/edhoc/edhoc.xhtml#edhoc-error-codes">
          <front>
            <title>EDHOC Error Codes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="DNS.SVCB.SvcParamKeys" target="https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml#dns-svcparamkeys">
          <front>
            <title>DNS SVCB Service Parameter Keys (SvcParamKeys)</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC3492">
          <front>
            <title>Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)</title>
            <author fullname="A. Costello" initials="A." surname="Costello"/>
            <date month="March" year="2003"/>
            <abstract>
              <t>Punycode is a simple and efficient transfer encoding syntax designed for use with Internationalized Domain Names in Applications (IDNA). It uniquely and reversibly transforms a Unicode string into an ASCII string. ASCII characters in the Unicode string are represented literally, and non-ASCII characters are represented by ASCII characters that are allowed in host name labels (letters, digits, and hyphens). This document defines a general algorithm called Bootstring that allows a string of basic code points to uniquely represent any string of code points drawn from a larger set. Punycode is an instance of Bootstring that uses particular parameter values specified by this document, appropriate for IDNA. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3492"/>
          <seriesInfo name="DOI" value="10.17487/RFC3492"/>
        </reference>
        <reference anchor="RFC3833">
          <front>
            <title>Threat Analysis of the Domain Name System (DNS)</title>
            <author fullname="D. Atkins" initials="D." surname="Atkins"/>
            <author fullname="R. Austein" initials="R." surname="Austein"/>
            <date month="August" year="2004"/>
            <abstract>
              <t>Although the DNS Security Extensions (DNSSEC) have been under development for most of the last decade, the IETF has never written down the specific set of threats against which DNSSEC is designed to protect. Among other drawbacks, this cart-before-the-horse situation has made it difficult to determine whether DNSSEC meets its design goals, since its design goals are not well specified. This note attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent (if any) DNSSEC is a useful tool in defending against these threats. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3833"/>
          <seriesInfo name="DOI" value="10.17487/RFC3833"/>
        </reference>
        <reference anchor="RFC9076">
          <front>
            <title>DNS Privacy Considerations</title>
            <author fullname="T. Wicinski" initials="T." role="editor" surname="Wicinski"/>
            <date month="July" year="2021"/>
            <abstract>
              <t>This document describes the privacy issues associated with the use of the DNS by Internet users. It provides general observations about typical current privacy practices. It is intended to be an analysis of the present situation and does not prescribe solutions. This document obsoletes RFC 7626.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9076"/>
          <seriesInfo name="DOI" value="10.17487/RFC9076"/>
        </reference>
        <reference anchor="RFC9176">
          <front>
            <title>Constrained RESTful Environments (CoRE) Resource Directory</title>
            <author fullname="C. Amsüss" initials="C." role="editor" surname="Amsüss"/>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="M. Koster" initials="M." surname="Koster"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9176"/>
          <seriesInfo name="DOI" value="10.17487/RFC9176"/>
        </reference>
        <reference anchor="RFC9529">
          <front>
            <title>Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="M. Serafin" initials="M." surname="Serafin"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <author fullname="M. Vučinić" initials="M." surname="Vučinić"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document contains example traces of Ephemeral Diffie-Hellman Over COSE (EDHOC).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9529"/>
          <seriesInfo name="DOI" value="10.17487/RFC9529"/>
        </reference>
        <reference anchor="I-D.serafin-lake-ta-hint">
          <front>
            <title>Trust Anchor Hints in Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="Marek Serafin" initials="M." surname="Serafin">
              <organization>ASSA ABLOY</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <date day="21" month="October" year="2024"/>
            <abstract>
              <t>   This document defines a format for transport of hints about Trust
   Anchors of trusted third parties when using the lightweight
   authenticated key exchange protocol Ephemeral Diffie-Hellman Over
   COSE (EDHOC).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-serafin-lake-ta-hint-00"/>
        </reference>
      </references>
    </references>
    <?line 1424?>

<section anchor="sec-cddl-model" removeInRFC="true">
      <name>CDDL Model</name>
      <figure anchor="fig-cddl-model">
        <name>CDDL model</name>
        <sourcecode type="cddl"><![CDATA[
; EDHOC Information
methods = 1
cipher_suites = 2
message_4 = 3
comb_req = 4
cred_types = 6
id_cred_types = 7
eads = 8
trust_anchors = 11
app_prof = 23

; EDHOC Application Profiles
APP-PROF-MINIMAL-CS-2 = 0
APP-PROF-MINIMAL-CS-0 = 1
APP-PROF-BASIC-CS-2-X509 = 2
APP-PROF-BASIC-CS-0-X509 = 3
APP-PROF-BASIC-CS-2-C509 = 4
APP-PROF-BASIC-CS-0-C509 = 5
APP-PROF-INTERMEDIATE-CS-2 = 6
APP-PROF-INTERMEDIATE-CS-0 = 7
APP-PROF-EXTENSIVE = 8

; COSE Header Parameters
c5t = 22
c5c = 25

; EDHOC Trust Anchor Purposes
edhoc_cred = 0

; EDHOC Trust Anchor Types
kid_ta_type = 4
x5t_ta_type = 34

; EDHOC Authentication Credential Types
c509_cert = 3
]]></sourcecode>
      </figure>
    </section>
    <section anchor="sec-document-updates" removeInRFC="true">
      <name>Document Updates</name>
      <section anchor="sec-04-05">
        <name>Version -04 to -05</name>
        <ul spacing="normal">
          <li>
            <t>Fixed CDDL definitions of the EDHOC_Application_Profile object and of the ead_value for the new EAD Item.</t>
          </li>
          <li>
            <t>Improved EDHOC error message with the new error code:  </t>
            <ul spacing="normal">
              <li>
                <t>Extended semantics of ERR_INFO to also provide diagnostic information.</t>
              </li>
              <li>
                <t>Updated error code description to "Unspecified error and supported EDHOC application profiles"</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Defined the web link parameter "ed-psk-resumption" and the EDHOC_Information object parameter "psk_resumption", to indicate support for session resumption with EDHOC-PSK.</t>
          </li>
          <li>
            <t>Clarifications:  </t>
            <ul spacing="normal">
              <li>
                <t>Purpose of "app_prof" in the EDHOC_Application_Profile object and in the EDHOC_Information object.</t>
              </li>
              <li>
                <t>Difference between the EDHOC_Application_Profile object and the EDHOC_Information object.</t>
              </li>
              <li>
                <t>Purpose and applicability of parameters for web linking in the introduction.</t>
              </li>
              <li>
                <t>Motivation and benefits of the new EAD item and error code.</t>
              </li>
              <li>
                <t>Handling of deviations from what is specified by prescriptive EDHOC_Information parameters.</t>
              </li>
              <li>
                <t>Extraction of CDDL definitions from the XML, using an XPath expression.</t>
              </li>
              <li>
                <t>Short explanation of well-known profiles.</t>
              </li>
              <li>
                <t>Full name of error codes used through the text.</t>
              </li>
              <li>
                <t>Gained knowledge about other peers is persisted only if verified as reliable and authentic.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>IANA considerations:  </t>
            <ul spacing="normal">
              <li>
                <t>Added references to IANA registries.</t>
              </li>
              <li>
                <t>More details in the media type registration.</t>
              </li>
              <li>
                <t>Proposed codepoints picked up among unassigned ones.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Editorial fixes and improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-03-04">
        <name>Version -03 to -04</name>
        <ul spacing="normal">
          <li>
            <t>Removed parameters that were removed from draft-ietf-ace-edhoc-oscore-profile.</t>
          </li>
          <li>
            <t>Renamed "reply_flag" to "advertise_flag".</t>
          </li>
          <li>
            <t>Defined use of "advertise_flag" also in SVCB Resource Records.</t>
          </li>
          <li>
            <t>Added guidelines on using the EAD item "Supported EDHOC application profiles" only to take advantage of advertise_flag.</t>
          </li>
          <li>
            <t>Added guidelines on having per-resource empty advertisements in an SVCB RR.</t>
          </li>
          <li>
            <t>Clarifications:  </t>
            <ul spacing="normal">
              <li>
                <t>Deviations from prescriptive parameters are assessed throughout the whole EDHOC session.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>CDDL definitions:  </t>
            <ul spacing="normal">
              <li>
                <t>Added CDDL definitions of the parameters "app_prof" and "exporter_out_len" for the CBOR-encoded EDHOC_Information object.</t>
              </li>
              <li>
                <t>Fixed CDDL definition of ead_value of the EAD item "Supported EDHOC application profiles".</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Added new examples:  </t>
            <ul spacing="normal">
              <li>
                <t>Response in CoRE link-format using the target attributes 'ed-ta-edcred-*'.</t>
              </li>
              <li>
                <t>ead_value for the EDHOC EAD item "Supported EDHOC application profiles".</t>
              </li>
              <li>
                <t>Added examples of wire-format values of the SvcParamKeys "edhocpath" and "edhoc-app-prof".</t>
              </li>
              <li>
                <t>ERR_INFO for the EDHOC error message with Error Code TBD_ERROR_CODE.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Added "Operational Considerations" section.</t>
          </li>
          <li>
            <t>Added security considerations.</t>
          </li>
          <li>
            <t>Editorial fixes and improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-02-03">
        <name>Version -02 to -03</name>
        <ul spacing="normal">
          <li>
            <t>Removed restrictions on the scope of the EDHOC_Application_Profile object.</t>
          </li>
          <li>
            <t>Forbidden violations of prescriptive indications in the EAD item. The EDHOC session fails if such a violation is detected.</t>
          </li>
          <li>
            <t>Extended semantics of ead_value: optional boolean flag when the EAD item is used in EDHOC message_1.</t>
          </li>
          <li>
            <t>Defined parameter "exporter_out_len", for in-band negotiation of EDHOC_Exporter output lengths through the EAD item "Supported EDHOC application profiles".</t>
          </li>
          <li>
            <t>Specified wire-format and presentation format for the SvcParamKeys.</t>
          </li>
          <li>
            <t>Fixed errors in CDDL notations.</t>
          </li>
          <li>
            <t>Specified type of "app_prof" in the IANA registration request.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-01-02">
        <name>Version -01 to -02</name>
        <ul spacing="normal">
          <li>
            <t>Revised order of sections.</t>
          </li>
          <li>
            <t>Use of parameters aligned with corresponding updates in draft-ietf-ace-edhoc-oscore-profile.</t>
          </li>
          <li>
            <t>EAD item "Supported EDHOC application profiles":  </t>
            <ul spacing="normal">
              <li>
                <t>It can be used only in a critical way.</t>
              </li>
              <li>
                <t>Improved semantics of ead_value.</t>
              </li>
              <li>
                <t>Content restrictions to avoid inconsistent information.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Use of the parameter "app_prof" in draft-ietf-ace-edhoc-oscore-profile:  </t>
            <ul spacing="normal">
              <li>
                <t>Improved co-existence with other parameters.</t>
              </li>
              <li>
                <t>Content restrictions to avoid inconsistent information.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Error handling:  </t>
            <ul spacing="normal">
              <li>
                <t>EAD item "Supported EDHOC application profiles" occurring multiple times in EDHOC message_1 or message_2.</t>
              </li>
              <li>
                <t>EAD item "Supported EDHOC application profiles" in EDHOC message_3 or message_4.</t>
              </li>
              <li>
                <t>Invalid ead_value in EAD item "Supported EDHOC application profiles".</t>
              </li>
              <li>
                <t>Invalid information in EDHOC error message with new error code.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Fixed encoding of ERR_INFO for the EDHOC error message with the new error code.</t>
          </li>
          <li>
            <t>EDHOC_Application_Profile object  </t>
            <ul spacing="normal">
              <li>
                <t>Clarified scope.</t>
              </li>
              <li>
                <t>Clarified meaning of boolean parameters that are non-prescriptive.</t>
              </li>
              <li>
                <t>Forbid the presence of the element "trust_anchors".</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Advertisement of Supported EDHOC Application Profiles using SVCB Resource Records.</t>
          </li>
          <li>
            <t>Updated integer abbreviations for the EDHOC_Information parameters.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00-01">
        <name>Version -00 to -01</name>
        <ul spacing="normal">
          <li>
            <t>Clarified motivation in the abstract and introduction.</t>
          </li>
          <li>
            <t>Moved definition of EDHOC_Information parameters to draft-ietf-ace-edhoc-oscore-profile.</t>
          </li>
          <li>
            <t>Renamed ed-idep-t x as ed-epid-t.</t>
          </li>
          <li>
            <t>Content-Format abbreviated as "ct" (not "cf").</t>
          </li>
          <li>
            <t>CBOR abbreviation of "app_prof" changed to 23.</t>
          </li>
          <li>
            <t>Added preamble on identifying application profiles by Profile ID.</t>
          </li>
          <li>
            <t>Defined target attributes "ed-ta-*" for specifying supported trust anchors.</t>
          </li>
          <li>
            <t>Defined new EAD item and error code to advertise supported EDHOC application profiles.</t>
          </li>
          <li>
            <t>Defined how to handle non admitted parameters.</t>
          </li>
          <li>
            <t>Renamed well-known EDHOC application profiles.</t>
          </li>
          <li>
            <t>Updated IANA considerations:  </t>
            <ul spacing="normal">
              <li>
                <t>Suggested range 0-255 for CoAP Content-Format ID.</t>
              </li>
              <li>
                <t>Requested registration for target attributes "ed-ta-*".</t>
              </li>
              <li>
                <t>Removed requests for registration of removed parameters.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Geovane Fedrecheski"/>, <contact fullname="Martine Lenders"/>, <contact fullname="Gabriel Lopez Millan"/>, <contact fullname="Elsa Lopez-Perez"/>, <contact fullname="Michael Richardson"/>, <contact fullname="Göran Selander"/>, <contact fullname="Brian Sipos"/>, <contact fullname="Yuxuan Song"/>, and <contact fullname="Mališa Vučinić"/> for their feedback and comments.</t>
      <t>The target attributes "ed-ta-*" for specifying supported trust anchors build on a proposal originally described in <xref target="I-D.serafin-lake-ta-hint"/>.</t>
      <t>This work was supported by the Sweden's Innovation Agency VINNOVA within the EUREKA CELTIC-NEXT project CYPRESS.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+292Xbb5pooeM+n+A9TXZZcJC1R8iRvZxcjy7E6nkqSd5IV
e6lAEqRQIgluAJSsOD63fdXv0P0S56qvuk6/V3/DP+MHCUqeUmdrrTgSCfzj
N4/tdrtxsSd2Go0iKSbxnthP02yYzKIimY1FcRaLN3ks0pHozeeTZAAfpzPx
OktHySTOxSjNxMH8LJ7GWTQRT5LRKInbz+LJZBrNxKuLOBP7r44PxMbBk2ev
9jcbUb+fxTAb/RkcsTFMB7NoCusYZtGoaCdxMWpPovO4Hc3n7bl8Cj4p4rxo
wMt7Ii+GjXzRnyZ5DiMVV3N4+fDg5GmjkcyzPVFki7zobm093Oo2oiyO9sRx
PFhkSXHVuBzviee9nw7Ez2l2jtv9MUsX88b5JQwwK+JsFhftJ7iMRmOQwpnA
4wtYzoNGI1oUZ2m21xBtIXi5L6JskIqTZJIOooaAnzSDx48OYfe9H+iDvMji
GNZ7mEej/4AzzsdRAafU7dK3A1jQnvgpyQt+HSaEUY8P2tv3dne3xHGRDs7P
0slUfrmYFRk8f3wZD+MZfRZPo2SyJ6a4jk5B6/jXLOnksbXIo+Q8yobi2X/+
j/FkMRt+zXVmtJTOWUorkSttzNJsCgBxEcPRiqOn+zsPH9yTv97tPtiSv967
91D/+mDngfz1/nZXfXq/e7crf32w3VUjPOg+UM8+2HmoH7i3vWV+3VG/3t/V
DzzcfSh/fQhwpH7duad/3bV/3Va/woL1r/fUYA/v3aNPD9tPOgTb0SBux8Oz
dNBO80GaxQrGnYcGaR63B/00a8czPPBhexBnhfMI4QgPNM/P8StCss7B+3ma
ASx3nkf9eJLv0R1o8BUaAg57L3v09xBQa0+MoglCDvxIssAoq0YTPBo/EGVj
hJezopjne3fuXF5edpJoFnVg3DsRIOV4No1nRX6HVsf/dt6fFdPJd7zeWA4K
e5CD7qe91519QGZ4r/OUYOL6K8fBhBysLQdbb+F8L1EGOATLLP0tNzOQU4z0
FCc0QadXFFnSXwDFuvYeeCRhRvocG+Dh2pE9iQIipIbRpNOjpSe/E9HuPAHC
cGOA4pGFM7LAkT8RcEVDs40sSzOAq+ENbkIuG0cSNNInWiYO2B7IAZ+8PO4c
/23/h87xxeA1XtNP8dX1lwyjCRwNGF92kQxi8VrdvMBxxYY9y+Z6+xnO8nZ+
MejrX+Su5J8EY+cwLDDj2cgn7ruaCO882FGU9+HWfUWwH26bX+92Hyp6l4Ow
MUpmTPKKqH2WzIAWNmA9yJvgoeOD50/3RPM3eK/9C/y8azYa7XZbRH3gbdEA
2PkJyDWTZHxWXMb4L50qvg8CRTwUsGARvx+cRbNxLIAeA09LJ2vIOSKL/75I
MpCPkExHyUwYXBNFKvqxiMbAZIciXRTtdNTuR7NhS8BzwG5hLHgknuWLLBZJ
kYt8MRjEeT5aTICfTueTmHBPnKQgnSU5PAmvRpYopYQkkc/jQTK6IiEuQdoE
jEMsWJpjMIaJoskkvSQ5Dh/L4kl8Ec0KHAQnRaEI1iZgh8lITqC2MI2GcQcE
pdKicSC5oH4ygTvBCWEXZ/Yx4KgaJGDV/fgqhY/gfmY5soM2DCvyuFjM27yP
ZCDyQTyLsiTNW7x1kBUXCIZiGAM8wI4jMYhm6QwmnrTE/g+vjuBkc9h0Fs/h
NuBJnqs4iwp8EnexwO9h7YB4AyB7cUsMQbZhAtiiVeYFUEt5YKFz7oiniwz2
nE3hOfcWR9EADwCAii4gS+cAP/JM+jEAXzyTAyd4sVO1Qj6efDHHk5BPxEAp
Z3ki38YLi4bDBJ8GiMTRxxm/W304s8W0DwuD25jGEd/jQEn7fG0OdFRsFp6e
TK6qZ4FLwzEuATva57P0crZsOEbMaTIcTkD8+w7l7iwdLgb01Hfiw3cJfvCx
0VgD+z58kOLXx48iwRWtiektERPI4TYN4uCJ4/HA/QKnR0IC+x0amOyIHqAE
fIsPDQDsWDni283pdEFlifqTJD+jE4MzirQuwgLK+4JeetX/j3hQmO9GxGvM
nEcHxydIDg5mF0mWMiUWG6+O918dHcjtoyj78SMcr42fhpLAxrKFvJgWra24
TMU8JswckOoX5XAZAF9RgaAG4HgEpwIoCkOdRRcx0Q4kYgIuqkzmOuI4nRIs
AbuCs4iQmM2I0NFgQMmmi5m8heIM9K7xGa1Dk9v4PWwfwQAwEo4BVnR5lgAN
icQovuSB4ymcOFzgRUyoPIvHKa43HnbEs/QSPs5aIkXMtAmPWjy8wNDp0OB+
PEJsh8OZKf2Xr1CtC460lyONGCxyJB2w6w8f4KYIYHc6D3FlGvwcwpwTyUHo
qMaHltxkBemOxp+WePeW4CYdbTIbTBbDWPThGJ37sw7NvnUX3r46P9DXd2rZ
Gk6lrUGkhGZAsTtxp/V1eAdiGc6FolsE3D6eAiLngFQfPuTxwLZ5kPr38eMm
MH7YFG+wtDikM+bAaAF0YgnAzxyBaFbwuhIghBdpMuQjmsW8jyxOZhd4frA9
UjQRghR0RRegtwP5gnOba0hCIlLGESFfyQEgGTEm6RjuCyEWDuFK0DkCWeiw
JLbqipiKS5qc/A6LjSakNqAwiaOaez60QEi+rM7Kw9RdhMKVajjicH+RTOgo
4D1YxhnQMgvoybSSz2EAEobgc2Aui0mU4UlXrwrGv0iGLLMw6ZfwxsA052dH
eowgihIwJrmSFJBGEIGmMQcZLE8MkgyQAhjPbEBHxfQFD0wuhMZFxg4cBigF
3NmVtfIll2LtYJ01RzmBl2KFMdOTBNhBQdAlxQebFkR9IDfiDEgdDyvRD4AP
kDfLiFsTKDBXqNj8JTCC2DBk5i/AK4Cg196t4gnV9GHV9nntLUKr+H2EYt8e
jAFUA/jVkE4H/swXEykgIKdJ4V6uFFV/hNilX7gjb2GomCQzAvo2mvC3aBYl
8LWWhqz+Vi7mC7iEgS0U4Vrh8JBUALLRZGm/YLnDmkJzZ7nKmBTLFDhEGqFA
Ob6TxWMkhjziZZqdj4BXwWF/JmGZxJtryctiI+6MgQHEyhSRK7nLZt4tPAmQ
E4cTdZRVZ5ZvflYJvKWwHlTe28QMZiAPoQ1AyCO/Es1qA3vTpYeo1EvCZ02m
De1I/hhviD3g8LB8Oj38P+0YhHHg30vXjG/jxgC6gbhmLEjiOSokO3yCsoPZ
jqGuzXhIq/HWfRn323ATaLUHMRfeg/M2LyF6A4ykV8zXlDS1FDH1Zoaif0WK
t1kci6wW04eNsIlEaGsZrisCracvcF1SCu8+QCUE+Z6aGjafLrJBTPAEw8AM
uGIgn/A/4uEzB+vRlADEksQM+aE3Ep6cEE9TvBcmdVKi9xdob4Bm2U+PDmi1
0mZpIJZWj2Z2WL2UbvC6vIlhbNL3MpK0AU5mlr6DcsgozpBX0qKJbFpKjAec
LDhsoLFWqjBoxIfppTikGHev03VEbDxDVDXx/6z43bv3AOWkCnCCqz8NwBNK
W4wGFuNpM+2HSZQQVMnOpUyqhqshV3TEz3hgknmIywRoxgzhRN2i4mZVc0oq
Y0G9gmDAxlmM8DVdIX0SJUHVzBcgqrmoI0JUHocWKjyJqHrFcQRjVmMnoCRT
TM3iw2SkAhfMlB4SGOEVUZxVaD1prXtUK+rtH4gRzoK8jvmNyyFIdXKs3J4p
IXbUeRhPmTK6W1tIiG1mCRI9Kc/2BoI2QH2xfaJ/uEqFvxJz6cjKBBQYWVo+
pmUiUgmhyuoLH5bFG5F0EzdriXGCenwlAizT4NwrtnBc6q9oYohRu9F4yoqP
ReHtuZbK2krZoxNl/dxdrtJZZoIoNxprkRa9tOkQe84Vs0AQtviFMgJ4WiaL
YZaWn8RIgz1ZeZSl0xU7ifI8HZCdhKhOmTfZKqhZctvhuayI5rG9J4OUzPIi
UPvSBeA2S2v5KopGKEJy21DqjyQELzk1wKUx2yPDat49xSuIKQTIUXy1iq/n
HmOvz8yj6/Hy26JHTGulg0xsHPSebJLVoMpowCQL9FM0HZ1unwJD3WRCRFOQ
14lc+C6Hk1/I95YPzp4r+SjBBfE1ZUGTJsaINA5tAWOjoE3QoiGcRpHkKyka
42GhKFuu9H9p6IuJoDHrl7I0+b6OFGwfxQMMahAbR0eKvu7eA/qqft2WApuz
HqVaGJMuHqL1V2ilpBkxVWNKax8k+spYTPmkBnV7CvOCEzxj4W7YJAXyAPLa
gmX+EdpwgCIx9ZumAL9ovJUMLX6PujcTqH7sshujabJdk4goIBxOMEsLY9gE
zGnCdiNQepsVR5mxZox6pkXn9KpgKWinvrLVQHM7bNf2BMkHjhgJR/JqZsHR
GVmDablSwzZapzJXAnjBb0xCgdYng3OSdC8SbZ+Gq7sgn8U6xjMyr9LrScbn
rQ8ZDr5PoVkwAkDOd9+JE9Ckk1kKhPZKfIf+ksJ88JGta+jjuCSQb754c3zS
bPH/xctX9PvRwb+9OTw6eIK/Hz/rPX+uf2nIJ46fvXrz/In5zby5/+rFi4OX
T/hl+FQ4HzWaL3q/Ntng2Hz1+uTw1cve8yaLEzakR5kyyJPeP0ehE4GiYVgt
vPPD/uv/9//a3oUb/G9wa93t7YeAqPzHg+37u/AHKiA8WzoDhsB/4hU2AKbi
KCNyDJrCIJonBYg3LYSp/AwRCqUDJBu/4cm82xN/6Q/m27vfyw9ww86H6syc
D+nMyp+UXuZDDHwUmEafpvO5d9Luenu/On+rc7c+/MtfgZHFor394K/fNxhG
sjgaSr3ZRehRNE0mCZwdgTkCVy79NyDxzIvcZrsMx7b3DZ/kF33LBn1KkTm2
rmfJ4JYXy2Xthpv7SyeJdfn6pVoDK9dLceQQS9RwJq2jB9ibTZDVFfHYMGwA
NVT12Ex6QdrZjAwt5jNPPNljUcB5y5HQlWCoCBTwVqlfFGwZz9GYxiimLaho
e7Vtd3wdZ5FyDM3jDI8DfWi9mbJQKgemJWMrmWK3qXQRdtHFRD5L960fF6zk
8qd5TDGbLgmnkylIKzlEDlpxAFLFdOQxOZ4WN/gwkzkvTuoxalIKpsAR6NIU
K1GKlRbv9YzGc9JnucMaKxnhF8OYqa+SUlyxhA75IkknNDr5v9TJSRWhVwKJ
5Rc+QIv9LMELtlUAMirO8gTRgowy8sKNNMYGTzwPQmi4pVEcFYvMVxiJcXbE
Ma/VzABrQQY+QwUkj7Jkgl70s2iRMxivABwA0WHugI2WcczsCmzoYTidfUBb
lMZ+AP4HQCJd5Eeu8X0D7fLKA/5w96HESvUuCc1PEK/JDiyeR7PxggTc/SdP
nhvPOVq9kCkZ7dfRWPFhhEpFITDkmL1ATuQABhux6x4dfP2rAhESDejSYO18
Tb5/+XXLTC6N2BcxRSKUVedYwcKQVzXUm8uVXgNDYMwTRjAo1fCXF8/RKZxL
EuBy40WubPyjFN3L+NcvryNAESCtGcM7kKb/7v80bt25wyI26hO//SueyuPm
YDicNN/dCjze8P2euGntTCF3t+1tkXoheiGSaDwDsSgZIBBq6hrU/5SQZwGD
+fJH9SXf+EYzMHITBMMngQlRBCaVVl+VTYjpOhcg95WdQw425LdQOmN4uIgm
i1h60PWmQ3sNQmVLWpIWA6NmI76K+NbxqxcHpy97Lw5uqSOeABfT9I3mFRzT
x9vQLyiKSaA1hVudSHGJzniUjNt4vW36hm07rHjYn3bIGifJQUt8iG9JnL4l
9sTb37ZaYrslui2x8/YdYM8tINZAL0/zBcBEfmtP7HxELjYbsur/YTvwUlfg
Y3BwL9OCBEm4UnEwTICZ7InXkxhDcWApsTSW4eGPs2h+hj7HeIh2kAkK+UDL
pHuPqRvSMRAoWvoQ1ryPOc8sj1uJHiuvSMspn/9elN45985I7R/jsYgMv7WN
b2+19Q3VjaCZDwUz9EpLPFsvGqNs+4qcwL4ATi1Rh6VZA+Qxy0dtxWmwtCAj
NYAV1PQGU9wlReLz6gg4ptHcZj0IPxNj+7IDR7RZsq5pFRG31kjkmFZLq+ut
WD8oImxJWyhrCVA3PhJO+Emko1UzoFv0JYX73wKsmCymmjYGHZnWFpprC+Zw
pS/QD6LChpSx5TPHnfwjGuRPGg1yoog94rMOg6pzBmQrUCFzFCXBKHtdr6Mv
m7VsZ6c1fm5J1WRswWCEUxTAfHf/NTC90fiZXZOFdS6tqu0FCaOKF6CrNS6/
5V6KfozHrlZf4WtZjcGWF8a4mgx/leMEdsLb4FUuZgmMEoh7WO02uo67iAR7
axJUoqLz2HLu3DKeK5+ALo390ITVggpXqfDgX5m/HLA2ioECwD3RlKrwaTJE
Y+AiS05B7T7D3xMVRox/ZCqKWBkGKT/zFE7kLM3yphK6ipWL0Fem0sdOgSyc
TmKfQ+jsMgxZha/HxVnQD9kj8Qz+yCQeg6CXKU+FRrRkZGzY63Lx0tn2ftU7
YjOBmsYPkyJ1Pi9UnIBB5Bw0HDzFXmfbi4pQxiiD83cZ57VZreXdpST9ZHY6
9NDCEcubSv9XsQsB4mBZUixjSDWagOhgEwSeT/B8IOHjdnYYYOYpwFkfg0jp
yJwnO6G1J8NTmx5+prU3zwHwiS6jNWBZfJgTNqWdFMHN0ZJrD6b9XlEftsYU
JppdebDl79hglww7RANdDojAXO+KCSXqpcTK1bEmedURsnWjFKMRYyawena1
lGcc9c2Xr5tiw7eMbaqhbp3AIWkiSCTlJFuQgfUpZsI19YNsaLGeJgyYhdHA
Co4n4x2HygxRasgd0S8cTGaoObHEhK5ApoU5wYps7Qx+VbB5Zx5nBVlFpY3O
0ng8R74N9iW4JsoFe1AP2PyNnsrJwSX54r8DWY7/XWxsvR/d3cTJ/53SCvmT
3c2WMHLW5MrT8XndsYZBzwCITqxT2C/SadQzc201tr11dNSkj686a5XQYR8b
P/0vypnAfjMK1mUPfNijQG585M9xBJJ3Shej00VA5pxSBpHNAi6TyYQXWUKQ
KuwwgE2hLpbZVlug0QyYs6JiTKN2SNcgbcfvAXcIXo1KkkuARicX6WFazbMf
kjH4rsN/BRAHbriKNxAkMhDpfUdZFl2x4ab79p2KfYX9ukFNjF5rYZdRToyN
HcOjlK+WM1eqGMsW0Ysupv0MItReJaKq7CLbCkHxU6kHp+xz8mGV9N/K5Ssx
AI03Y8CKaZTZMZY1FdOQCRZ+BNp4GtXvPxYfZOrwtnj8PcKauCN+697G3961
8PNHyugun7tX+Zzhqvxod0c+2hLuzyOhxGp88LbY4OHQAr6JrwCXaXwMbqfx
YU98pw1apKGcBuKUpcrECc+Pm3S0lp2/prLQ/EgZiMxQr0y8a7DyCYCDkcGl
wUvb0BOZxSjJq+VytAKeVeKR0irYAMxkgBUONPrL1SwNCKeoKE6Om3msNcnX
jPfuVBnvMD/QyWIm79MVO7JK29LB6aFI7iWxbypKw4k1K0nrJro3GPW3Ksxs
/WBdO6xmDYV9k7yYvbxOaGTLPkRiLkRb+JQD7kg3zLGmcdUJIVWgtYYCq+KZ
XCUWAFZrONZm0dGZBSzj9j69GMca4E7HQuAl7RIq+dRxNCMAYxAVZ6yUHM60
FSPX6VgyAuZ60VWVYXa5ij6nODj2Yn3jIWjfYeK1+BlQ8rlESbTt2zjYaFQF
VQazW8pBlKW8yep0CZIgdCwq6VNNRMcOHXPTD+Ta3upsb/nBXETDpPMZk7GV
z/vS3MkXzn8oB7tU+Cz9DAe5Gcr1JQPxhDz+gYjgspV0KWpv5Jsy6IMuRAay
ueik9mr8kiTc5PMkS1QGQsjPY+lTJuvKCqVwvDwcE0firiWy4l5LOSxaz6Fl
oNNdET8VnFtQTJA2AocCdaep8nDXi9cls5s6eELtW5KX3Wqp5CKHzIToqBNY
wbEjFH3vh96TOq4zlgSCqtLK1LF9XntgDSEhGMbv7qL3q0gHgwUoLItJkaBi
WSQUIUE3SNke9H1GWmLNQ0RjNGKZ9bjLE/W98FUuCdjG90rQlRWPHUpDd2F5
2aSSVz2uejK3NqedvaXpLChaYohQog5NWjKFSkNRmN7q0NUSYVgKqkhgFcGs
JPscS7EsRaAsDrUsO8V7FIkt6Tx4OqCI3+KtIEC5NyHoVDKAhDkRRNtq+xlO
5Vprtw2SdH9rwweO0jLvazebCyvWVvZsHmcN6wEqxiPGqy0AVjAcmRINytYD
aiV2mGh9nLBWToOdnmYL7DjC0FPuomLZxXleM5hBTlAK9lvnVqQeryPdVOyF
woG2/AYQAaMzcg6/ZDlA8nDFali9CkoX9Lg8RAptJp6fV/D6YMa5Y4bFshxE
fFVlFpN6QvhEMhFKgYJL5Zk4F2I2ljtBkgMpJcnwRO9QyJAsoZUsVsYuXTsV
l51mrCNbCVt3t7Ysfljirj64F+KO5GgTzjO6pN1bgKRR05e2XZghKoB/UviC
2N7eZiNSt8t7z6iCjIWyjjmrYkGuv6HlonB0PeSlhfoHVomSS/bXws2xf2Jn
Z6cTiv07Ovi3PfHjwYm40zFZJ1RmsAHfHe+JbmfrrirCSNaiv9wBBS1Ps/wO
zDr//hFo3C3vCyrb9P2jZPSYP1Hf21PQEX7/CBi34duPsD4mWfgeb1m/dx81
lEEKPmQjl3wAhPR24fy+jb8nQ/nXrvNqgt9l9HA67bdBSlQr0xcaWBFey2O4
g0dMPh7DUQYOUtm7fCKiTFuIXEpP6zSBOBaYbgpTAuMD2YWyU8iORRpd2Aoi
Y2dV+FalPcPW+eoHDATCvSoy/cj+nZAXS4V5FJYMKQmSfMEzFEjjU8l+Pl4w
dzTVrIg2mghogzNzU9HpJJh5hY+Ws8ff1jMydTzzVMIMhUKF/SDvjZevOSuP
CBkahCnYiDgKhcFw7dfz+EpVeMVhc1YNvUkMqxyxBxlOjQtv/CFeorqEP38I
E4Cl/qCl0XdHSilY8vOHeGJF+az6+UOgk078AWtQRiv4rLtjPYAmYdTNyFPw
xzLLq9ZZ/hDH4ajxoCkEtv8aZyIUW3KqCtPKF2vKZr7Vtre3TUBCH/luCw0n
e75iZLl/qoLew0beElNMbHbYUVImjpnklNyQIq6QBUgqkUtEJK/ehRfGM1MM
uCNeIUxdJnncsqdzH+ZLpLAteitXRURI8uBvfTckurec7czE/3786iXPYuMd
u5YSe1UEOIFpaRQE7pYzQq13dbYHepQYUbo7MjLHNdhT+to3po5LPflmxSWq
jM1fvMyEH5voGmCBdSkEtngQG61l+FYe8kObHV3neDwlq7KGhFUd4qmuDlE3
bnWVnzC8m7NYC7NrxgWvcCtq2v1YbIDE81fj8bOcg2EOYLkAN2t4+vRMyz16
YYrMJ3C43gmwUNRh2ek7anpQVR7k9bKr9YPiy9DpiFXrClWoQy4VrGw56dIE
bqoCXF7AotmUrhsYgtzPWdeELcteLLnoHbeLtA10kiqWipMU6StXIM1jV1Vz
PIzoIEahsNmyAxGWhF671nW1YXc/ynXSO96003zUw1KZ39jf5DnDwcrVCd/a
rhQoziI2jmBS4+AlJZ/PpKAzITdHviDN+ziZJnCCKrzdfc4+MtckMJhEyfRT
Hd5x6ISOjj/ByfAxt3BbVDFNh1vw/p3tSnfFIpu1VqOLHVW6qlLUcqu3UeO1
cLfMkRkI3/IUfVU3ja07R8eWxUOGqiSUxDqk6qha9C/7inU8rk0UTJxK6G7J
1l3Tjy4ta05MtZ79ThnAKjFYH/pKkzjcr3ItKUCoHMcJ0C9bz43KuczIa5Zh
x0EEbNN7aJsuRz9Ew7zZ4a96syvrKxX4heFmhEpeSHFF+lX9qkstELcmiBsJ
hX/CKnNJppdeL1cDgImBB1O8WD8ZDuNZCbpu5ZYZjXYoAgGB5iSsSPHrb3t5
lVwZg7rIl2dcVQh2FNuN9SgLpQDI3HgpTrsO6FzsdHbYOtbZ4TjsGhydQ0OY
BQN5LDsvfCBTVVOi4TQpgGboxESqNa7ClDks0Ys9XILit20bC8c3zk05gZJ5
xTAOJ/HeraEQzl/3vPb1DUqbyhVl1RxgRUyHWrsmEGPVD4YIByvIrRmdLDdT
+54PnVwPYwOgeBPvoH2HKdFB32GqvB72iwRD0jAGuDdArNVkXnankSyLHkWl
FUX2lFjqQsaslq/OAkBN4kSyiUS/bmUvqiOblN+pk1W1AtNLGVoVzjvFN5fW
+Sw5mq4TX8ZBX146SZHFeIZY6GLCBTaWJgTSiQ/TmMkjlaq4MrwJrqnIkoGS
oy5i289YL+ytWnLWgv/1RHBkcyuYt7BDo1a6KNHvWNNFuVwIkJJoHWG6yjny
5T2SAQniGjcdkMDkLVcrCX+eSzURUX/qe/1O9Eys1GtDfRFg/di8JXEXjcYP
VsF6VddGiYmUZZTZhbWqIjwqortC8VzfdjlLNqR5pSqXR56VI0fCgWcyFOjm
EYtyRoePXbO6pB+t5kdMURyHX4jEJNqit+izRU9x5FyB5mxyrS4WyfDWnjh2
qrK66bURd/AUnCFaFUZHAEiNTniPlcXZKZWm8LKNWhxt+OYNiACyftm9bqCu
eM3YPFgVDQWnSA28qKyPkDGmBAsKEna5OIeecfMTBtKhcd45OnOugZs4/5Yu
os9FnrByobXo698G1lK4t7vIJtoAbNVbUsggJw2X7Fm1lC90S4O7xbdzS6AY
n/GU+3e3HlLgMPcZclSjcO/SGyHXza/TXittwy1a8Or44HQfHnmGXzF67mCA
/le898W3c+9vjg75ULA778ePYp6CEintsV8cFnAx9gK82/1qN/b+m8TUmfil
U74f2V35Hzi55g3/WXDy8936t4V98/y8jUUMpiTVw+WAniwhrWUZ3XRJBz8Q
0s0RMyPJmEj8tv36+Ceborltt6nol/SCaF8DSMCcgVXIjq1WDVOKgrvS9lrr
TZSbyRysoUVHumPDUSoEoPxQOfXqW8yHqiGEr7Q6k/bROjiP2O5J8mk8jRDg
ZNdRc+aXstQ6KktkLMQCprIaxMlZjdDnNuY5ceFGGQMcZRNEjhpB0y2KOdfK
JmpoZ2xzKNyQjrKuVpZsaWdlAo1lrqbzSNZdKOpsKVA3hVLAQ8ka1ZG/pRBW
1/QSjDl3dyQt4P6DZ+qKRLP302VT5RjXotBb77e2ogEPPIEhZeUhQ7ddIXgN
CndZ6gggTM/PqLA19VrHZwdOf+pje3t6+ezt6bonNxptbY9G/3XPjrFl1dmN
k7uH8ein8x+3D148u5uve4gPut1498H9h6NutLvdv7u9NdgePewvOdSwIFEp
KpRTIVaxxmpewemJ9gXWvigVlRiqJtqSviku34xlfZ3NJDQx054cS6G2t++2
xNkt/8xuvX33jzj9cpz+I58ePGYqeb3wfWcyb1ggIqfNRz4KPS5hyBopAO3u
2kkAoidTyCkH3QszDgZX+wnzx1IYCtV69bLeVTn+vNBCh287NoVfvLItqi/M
J+sIUy7V0gohqLTqYgGDwmofQwXPebFUiEGtVdnz12+3o0ZwG+vIlGsghtI5
YDXkWa/pTqOBbdGBYswoVkNZzY11eBpjl/MknwaKUVQmcJocT64VQNQpj+XR
wODzSXTlJP734xmMXnAVueMEhXg8NOB5k2GuK4OFzoIOGil0XCp01VJXq6Q/
ao+k7kIN6jU0kpyCWoEAl6ACWzm8YJUEXuSaa17JXtouWDpQeOmDGfUd58r/
iUnMb/OMVh+i64wt3TQjNM0rH57sEM8R/aoHtquzcBdtepyoskqqYY2qoI4Q
C0wmkEWuqK4U15YfJe+le6ifpdGQWwPo2hA8zQt5V5zypv7qrqYOhAurykKb
K236tCqE901LF1WtSQMh87DNtorlCIfKn1ieukAs122dSdV7crrNoGwi+/QG
3eIqSnteQrZKAt+hqpPZ8SbtVk3avfmkR6oep/IU2X5Lq8ofp4jAYZ5yMsTJ
D09OcW3Pez8cPNcqKzn3uPsOkrZZPOZayVjE3BYGLfXNniuaXEZXOXm4qNR3
KWbIb9rkX57SuaWNgQt4At5hASYdDWXoUfkWhaFIp92Ol2FOeEtzUAsQC3Jt
/KMHsOz7leePDNB+m94fHB2d7r96crAJ6NV8MzP+SHqoKSv4WbulTeaeJeUa
u6w6xFDY3JJRd+xRdzsKgJ3wNP8wg+74VuhJtkkBDBOD08VZbfiRmJ3kN1l2
6DCs/sGIANIQZuobW709/PJ3lYqKfDVHpy0CJzvM7+92S8XV93QtIR9dAttU
BCpQ47i01Fq6lLPIV29ODo5Ojw/+jW+Xwqv1Z37amWsl0ZWCMVKkzanmTgMQ
ww1PR5NorIi7pMdybR3HpJfIiF5WKK31rlHJknHcmMAUf7DqnBqNSwa3tqkx
kbNcux4q9cWrX12z5RJ/nvFciTqaPt9IJG7ZYd8O/AsVKMoUq0h9WiH3TDGM
HK6oX03yMj9y15zFE84Tc2G3Hn8PwrfkhZ3wctantcTHjo5e8d8BwstG0Vrr
XUtkrz4qXNzhy6ev7JN3n83JoGoXq0xJKpelz+zbVBGmJWnFHZHw6CydyXIH
l0l+pnDYQCZpMir7AmuTXhccPxkeeUVpS4iUL8bjOC+CyMTB1F8BoXRxMh37
dKmou3XWE2xsdyXQfJKzfrAslcRJrvRFOxVAzS0lOET7IsHOvNRwMZJh7EYZ
NucEK5HImy4KoO4y3trolbAEDLQzsIqxRqhmSehRN2DHculdlqAQiD08iwF0
N7gYUvPx8KWRzxd+jDfHEC7c6DWlta9GQbyivLRvpAzGvFFJlznSn7AcaUQR
y2RcY73xJVuKCNNaJ4jp5J9hCq2TYNek71x7Ufvl7Li/kqW2bp5Bqc/rGokG
HU820XJP7/Xr09dHr56imKMFE6ny2NRqaf2FNYS47ucU4uzN2C0Jgg/4Qp2d
8a1EupaspcN6KLoDZimZiGB9HXGAPl0lTQUXpE7SKb5sREfZB9PuJOJU3cOH
rRD+FcWFAin832I9PS5vZsmhwZMLtCmwuNCwpGCtUXHJqsVgnT+XSTBYD5Ni
87CCCq7o7hUl/UWlw42SLDcV6NW9R3+uu5U5fAe6ipbVHsToO4XeLqKMt9XF
THZ1q9qzsbPILUuC8cnhwrqcauhAYnD4/GAplCjy5V6xSjJAsHmEJNKazsTG
l4Y125ejrjpgsoP56aDXCe+vcQyMD0tyd5R/M1HFR9ju5TaKuyGX0hcWWsDy
fjk6gUI3OAy84Tab07mHMk3Tl32XpW/Vyk+tk3XrLimUc9sudRNicAu0CJLH
H2wOtPnpqe/Scnd+dx8cKJwNUcrwXpKC9nO1OLjta0pSHIw4icaGmnVFOpSC
bqhYYacN5Z/4D/Svc+jREDUlPNu0pDOSXpqfL7OXqDQYI4anMjgfqA8xLG1F
H6aCi/C5Z4QuSikJGSsgq9f8uF3y2LVkLZfB2F4ugSAvF2wKlk/jtnnTeXGl
SYruh/7tmKvNOSV24iOMYaU20u4M5KtS3CpfSaY3HnLLIe6PJA3KZnhdFvWr
6xArk5UJYqypvsWE5cPRtZDf02Z8vRug7Y7teKiqzi8LBlD5vkAHd9QZJfxq
thVxBz3uri65R7Cj+8oMZ09CQGzXckRHcIthbhng9G/XGWUSEod7lanOS/M1
JWe16cMjmf61bt70Z0qMDqwQIObNnCJmB3Fy4UypvfvkpKdoKFWrVt92ZFGq
wVk8ONcNocjuVKjADI40oyumTE73AsgiTP3KNBAkKC8uZkMDUF+NHCqGzByE
ENh4kvg0iGlZJ+HlfMsEfjv3O3ehtUY8Stt+e2WJMUNf/TK4a1CEUGdq9MnT
wKUSlrlozvPzUxN7jT0jS+KbbB1Zv+MLYrYriPLyvZBxFEUrhMKWFQxT3QHG
64u2rJiaOdzHdNDb8q879FeX/2o07K8ek+UnFx0Um0GWML43fq5b9ZyNrI3G
I5ZtdUKvrH7otPXKmYICaYDHI27KZXXu0BLNcck1uNcwHsHH4re/+sKQvZZ3
jYYnysHS03TymdZoT73XcGQwWOn2bTUwLEsJ/o8VMJ8mQ7ga88cpIuYppm7D
xyW4azSs1x6jmm9/Yr0L85rPWwLWsEhoAY/YYLKYTJwa1blmMDAoPDTMolHR
XsrSG2WseCw+gFr0T/9U+uaUkPuj6DCV1wGO9s+HcAcv8REX7SJvo3KKO3e4
hmB3ew+jaBHsyZfT2MRRfISvMU53j27wtwX1H6NDfMeD6cKDqwfZ2XOvG2sa
mg/e1SpdqGnbktqFYcJ6iGt5W4uyvm1ifOcBm/5zd0iSYgzRJYIlH3QILxc6
lLG+qDcZtlIrnsvlJVb0kM3KpMaUW+tz7Cxrh3y5NgGTdlFTP/Bq7YQCwr9A
RSMWsS0t8msWBPqZixdQ8OhAd19coq8utegEQmAl0caFDWxzSl4h1Ny4OBEZ
6D6h9L1svG9FAC/FCKCwzAJ5PPScTnXCGWUoqUzdqjAKlV1WwRjFQlEGL95A
ecjKd03yutVCVgr75urkzHqDekmXFVI2tqarV5JpTRGXfV8Gl+sUbcq1WeM7
Cq9lJcbE6BNbUKH3R5V5iN8RnQ5LsizZK4ctL3pJ3qKWtPToVmdVLyWVUzIQ
RmW5HV1sn2pVivxqCo/AVgF+4/bxGeXX/QQ0aAOGpQqq00Wx4O62ZuS4yhxQ
LhDrVaxZvSmsMmqOTbYqoUKlcUbWp3LOJ+olZD+AcxhR4fYFVRRCieyK79Yr
12KsF/o87OaCNfJK0YQAyIH0LbIfw+/CTbX9shTPqeWiMqGYheDIWGOVV2pq
NIVv1oYB6wFCJ+Q67Na+ssZxF7tORwVP21upyd2A6X7+jgwldfK6DRpUV4Tq
Ng12n4b1mjGY0XVTBvcSsDXDtv2Y3U4d/ra+sulV3ezpuo0YvMOs15fB3UlF
dwb3oVKLBuPXcRuTV22tBiI5roeWKoK2NI/cbYDgo4npgkAKcxzN7GYH/tMy
SGS9Du8I/lbzg+316tH7S/h8Vek94NW16anBta1bVqNCSW+to+h589avVO/D
6KeoV98bZ3EsS77xwwdShxavFsV8UYjnZMjKWWgImbj4eqdYlC3lV9gVFeB7
WiTS0WESwJjXg06QxYbhIZN6ffQTKvM++d7tbHd2SjkdPWK4ZxGZkkFqAhqR
5GcwsBwlxN0WtqvRbJ4CHEfAFcK9Vnc7Xa7Yq+dX/ht0BDIrhuXjOqYRVV2b
cAn8mS8Ncish0aPeolxnGY4wby1fVKJSsI2Nk9CtydECVlrTDOVWEKncHPJC
xrvMEEjkrZFplO+0qQoR8p+4d7YMhl9VRmqvrUVg4S2Z9DbIFgM8E+0Atxov
IURarekCSyBpwluDm9EUg7wu8zxI8BkUM6zqyMtP4AiAjCrz/4ksrxErg78n
/mA7dVbm2woW4P8RKNdybTkX2qN1I16ko3afWu7BZU+oYyHJBvJhOKxn6WVM
rX/d2dibPovZ08lZfLQZU0zbPhwdVCnvT46var/j7Mgt2rp3dZQnsF1qtK1b
c6MIIQs2SkcUnG0SXxDA0zZarsR2LfPL2qr/OpKgwoC3iOJvOUzjq0iDriR4
PUGwe1PZb4n0V9Wh63piYFgi9C2wKBN2rQc5EJB/l6CkiMRzXHBuunOFwdrt
eBCijX+I16KWnNitJxr6W6oQDstgWKeHlx0XO48SDCH4pSV+3ZT15K2sJzdA
7hdnMGk3lk0fcvlslI0ZeUpMQgpVF+n5KoJdZrw+49uUIfy4Rm2o/SUUP0kX
XBE66UGBFRFrxYw1D+ZnsP0MGAdmrSdx+1k8mUyBbr2iTumvjg/EBo23aQ0w
ztLFHLZAX3TURB2eiEiNOmIgTCnmjsgz/tWp/RSXThnWlQ2tU1a8c43TNXTV
NeiSleSXOld5jftxJvnVijGFr5NhaZvuvlav2F9iKN3ABt8tJWyU9mZkKbxi
7jf0IkLBBguhoqjI2Y/3tndQAPuVc2P+vkhkYaY+Rx9SCwtK56VZ1HYUE5fm
N5tD9eZzDIB7L3olKc/kIqN4KoWTDSWdbOrIVYsN9pBb9ibjNANQnuoEFwCz
AfLNQTI/IzuRVWSgZMkSEkBLXfPIBsEBXdLTGXuB827agd2zTtv2rSDsljgj
46k2QiOFQsokCZNl35Ji2CzOnPhuuNJfvMZ+ftwyccZfVzwkG1Ugg804z1yQ
z0E1oWEC6hJNCvwgIVBLqnp5udkT65wJR1EhiKiMqo4+Zh0ipJJ4tTeFXyTJ
FVSN2HhGSruUfrVcCp0eBecGD462HhJlLI295lUnVjNFK9EGLtlfodPpMDR5
aFq1da3hdz/FQtYyEoSW+vkMBSWZRpsKumgqKLmPg4aCkmu6lk/Yn7m+saAs
tdzUXCBxr+yQvY4rdsVl+t13pBCg2iyu7BsSisuzBIklTso1KvR8g4GzVo12
4+zmeg97qs6bt17td4LP0/EM1BSLuyvAkGHjvgyacg8dzRyYI7EYEeLmusFg
bQlJt+yyp2lVr7AkwkkCz2uyllASbK4nsK04oJA4hDtCiSiwJe9q5NrHqQwy
QPZNQQopr3aF5cpba24v9hfJgqXotUrKVF6kCpG3FL623KtcTiu/YUKoV390
NYFZ1pNE1Usxi0/sgofrFyMoO7Zl0Vo3jKPm0jtiJSGuDqYuJfSWxBwqK2th
tE5UoBcrRBwHsC6jfDlaGKph5wOFFu+66kv1JQ79QgPy2bwMYd1vEcKskgNq
058EwrZvCmEnzuK+kVSQNaDcNo58SXhetkTmTrMiAMdc766GWFRhbFTMw4oT
QYcLQMc147sJ0K68fFypoyR2ekgpDq44i6vC3qp25Cjlv2o733V4Ml5CHBA9
fiFRTaqtDlDpAD/L1eDIlno+aY4kL44szF2aZ0nEnYxFMpF3uVsjSmuR+ig4
/MiovJRRL7sjcxGjLEavmxW9iIsze7Mqu+mF1ZegA+FihOw8h7UlM6QX7rWK
QJr2TlgSJJpMVEEmZdAcqtKUyogY6YxKOirb9a4rd9Ztxf4NSu/1KMB6+XC4
ZgM2eTk/blaKRFIBVaYp2rocCaW9fuzp4yvTuqL8Giy2osuvy8E2tMCzqWsk
S8+z9lJzKwW1l3I4otjQld+knoNHnnD4H7rlpk4irpV+5HSsriG4t7jsIDOM
sitcmQhVAZGSRz26iJIJKgrSbijpnkZchx36mcHxe6z3OrZCI3PfT0kooPzm
YQ76JXUNamsYWYyqPKS2oSGm1N4yaZ2KtOK9GdioxY+iwlgA0bPvbRzdI7lu
jUDXkxTVXoUo6IGWmWAytMDyNsuZETCHtle6wldPpy5N7EAqgD4hCVSZ5nLH
2DNxhBiJZaPrZYXWsvYEK0eWagV80kbiMoQ2nAmh0hgC6Q+NBqejqdra+pv2
NohNmD7BGdamHURVxfaKfI7rZTdI10yQ0FZG6tu21so8u2oie3K2ohTjjWob
shficxQ09Mt8lWmpLZvrXVaUObJNA3aREYzTsGpXUuUPpTDYmVvXLlqzrA6w
6i40wGDplljefVTJ4KbqfvCpF4cvD1/0nrf3j9vdcjyHeVkrGu1k2N4i/+p/
qc1v1d78dnnzJUqm0zi4LGoVPJm0FVl4xyoT0PJrx9bErcSkD1hnpMclR+P7
OfsoVSlxWQ687J28rZv9WouJrOJPbFTw/IS249H2BpbcQ7bfFYnjhGNF7m5t
EWXZ2dkJVzswpXyWVs2m9bslYEIbwWIZtA0sxKM3oatuqEuuOAF11XOgXKS2
Ie2xGoHkMiVkvsioWIiETF8sXbPPF6tGgRsTphRvEb4Ztee8Y/tdWYpR38ny
3lhU4lZu+ypLBec4s06yANUyyPHnkuX+xgOrjjo/wFHIeQhG1DfkFQo212Gd
2LmRaqhZhRJhdyLGIaEs0PjLX/AKEC1b4ZiqOz4zvYMvxLeA+7SR+7Rtenyr
JZwk42UPb4Uf/lAd3hXIU+Z3aA5NMG4JTslt6a+QIuCnvwGethBJ35nvHGzD
hz6YpGF4kyQ1hG16384n/gBfnyfD0yI6LajayZ44u4W3fEt8bK18kGEAHjVP
vpO/0kcfG99/v9wxG5D8dByZlPo+TaZuQJRrLpE/u9+o/Nn97PLnepKZxXK+
kFxmWiV8y3LZpxNNsGvSaRb//ZNJJq74HyhN+S9KdcWp6QBUU3PnQHSL+m9A
ZHn48OHaIovdc+PziSwzGTRlOPE3JrdYQgOv9CbiwsPtqO+0m7tu2z3bXXxz
yWAtRn9t3q0wdRXrBmC9JusOMmE8c8OCr813u1+K73Y5W0q31mEeScZ91cuo
uvKFW317SS+jz14lvGbfI1ovoUeN/kefv7Q5GQep1KETPbSkULus6LWuX+ZT
Ljqxo11yU9K/VN/Mc3GV/Pg6iMD4qVTtYGdfdEqyu42uWWkX+bKaQ5yEI0DY
61VyBsXvgWnkZGwXw4WW3lSnB1UpFIXOr3DS6KOmkp9+YAu6FW/UCdDV9vpX
snnd9YIer1H7xBJAk6KiYobZlnFTodc3Nu3cfO7zs488gWAs5dh0LtQ/YPTx
wevKnSaBNMph2yPqakqkhhvh9K0efBUuVTsG6QvgJzejkLjX4vwbeDRL51mC
NSWsJchYVBubCOK8vAbpv53F4xRhxnIUVUT6R8mkVDD0np/V2qrC9S96Xi2U
F6VL0l2LzsL0a6hFBXfwMpE44VV2RfPnDHNfg6fUVP7ri/gqF8dvDk8Ojk+P
kKRa9MzyZ32BkzBnEK6wbNFav3z7dfp9GbVJabm8k1BLLe+beo21WopScN6E
5R3FFEMdNcxphFbnZWNSII+aEi6UZB2Js8U0mrWxGw0FrVomCAU8BCXHz169
ef4ET+kyS4qCggbEAWgnyGA2RjaKNV9weQTy4qrbasqUTGt8WqaaJFji16QX
81VyaAnH5gy5hAGTLgywoT6XEsxxPXk6Ki7RihjPxkDUY9aAVNTEMO4vxmP8
jTJ5yeUPktYc05UMIbeaclpE0a66U9qV2pA5MF3ST7IrNCtoG4mEXEojxInN
a5N0PI6H5WLlCs10fI19YnRCl+ligoAhH2XlR0O79Nh+ooiYMmnslvLaLNBc
2nPlLLJ2ZQXGmPZt6xZEpYR/qjmvFQ2DWoqxDOI9E3WxtCR8IUW2JeXGWrrG
W61q/eXS9Y4IEqxVqvPM6vRQtKualTfkmOJ0MoYXuhQOXLJxbcoRX6HWMxWZ
Qhoaq0rIKiWH6rDSnpdk/sjHypVRPVL7mQqPerPsNXwK/1j8VqLDXqFU73t4
BatvVhUK9Q7bKxwqFDLe7WzXSV9yznpJ8pK+NM8M7ajYXA6IPtpfzuDf3oDD
c4VMKzbEXl/J+q7BaG3Te8WWv44Otb6B3sMiWeT4mgb8JWKFEzRiPxeWBf7h
Fvh2Ixb+4Rao4Ra4f//+P9wCX8It8Or44HQflv4sAjWDYWDn3hZQslBp3186
d7ceigEak0Zcc5LeADkU31gGjBQo7DgO2Hq5mM10f506PoFqCz/a+DWLJdN+
mDS2+FGfvn7BSIG63gbAget6G2z/f3zr/d3Cdjz81t6+C7Tk1v2Ho260u92/
u7012B497N96Z167rlPCk3ECssO3I9uInrSLWpVj9XuhHnbSuPLk5bE4/tv+
Dwjn6SIbIMBjU19T9zu/GPRhhh8pOwZr3GRU5or6JZUqPqpkkiV2WVWSStlx
hytXsnF0tCnReRfRWf3KnM0r9WUXmHJLvRxfDCiZ/ifUhzlueB5RFDYWSdMt
GYlxar+K3SyCjCfcYCqLw+4WOizmt/YMXIrGWoDzLWo1RKNZvBpaiYlcCmiS
5KXCQlE/TyeLAiOiZSUlPvNMnl4uItVaBS/MqohzmWRxW+phOrbaW08985UJ
EtZvt2XwulWgRFUkGWEvX/si/iZrMSNuellp3njLjG6veyfPTn84PjmigHmH
p0vf3iQqCvIe5LEdF8fuFalnB5tXtnRSlFdvZckqmAUzIB/pN5RFHS7X6MvS
uuwch6Aa29Lq4p8C2idHpU/t9KFQ3Sbaw5JjW3XdkSd605sodtt2yN/jLNWw
6SsAfhdQea56IBdP3xwdElA70rcCaxeqdU6s2qGtTehkA3jFm4pk/cjMlMdj
3WmVWqwHztgN+wz1ScS0VEdmtHoaW8mAalbrrpaVSFmOaUtNIuYxpySWc8HL
CMHxs97z5wzwcNdTIG8xqgDIWIgkedY8q7AS0enNm9IsLtwjGxQQ/sj+Wort
NluSer992xSDswjbl0uBkqfAB3+HJbRZy0L+PVVbJ0FOjRRN5jPQlpQs2sS/
mxo1OXfW3+/9zra/Y+tOk3ZxxtAlBdjqY0+MKryIJhUUlwHVz3OiWSrwU85b
pve0D0oWtBdcPb3MMIOZWBeUhldtaKWSTQBq+n41ROJzvR9ePnX61ihA9WC0
LceYjagLqApr0KYquWMaDq/NndIp5bqjXW47Dx/ckxWUbfrDub7hY62idy1F
Jtqz37XmY+cmWVHUNh2Clekr2eB6LlQKECGSTlYOWxozKo9V1VM4NIclhRi5
plIUsR5ZKY/IMl2rnO8Gk7XuVE8McddyLVnEmEA+oUDiDbpEHui4LFiv8mbd
2lGqOGVtTNm/LEQJtGZ3uFGU+47ATy6r+AdkCSz+VwGpJdQXvJx99ur1yeGr
l73nFBEkz8zwY5ltXsMCxRFFVcltuhMhQTKo9rIbhnFpSMiWpfsWWTRmp91N
09hU8I002KppdK6pG2tUbToR1Y1suRuTqoOM5gwrSiJ1AuLWDIlZo9KWu9tA
xIqdR07ZsOl1/JCfMsJk6e7cmEAtCpA4qQ89YNBc94ilwPKFoiKMr5CTw1Ou
H2oDDEDXWTqTy1IhZBboksI8QFUemcrV9RHEIRNeUTCei81fgJJHB//25vDo
4Il2+y9R3ZCUfnX9US1CQ00NFU4vfH1O4jhffV7n+Fb+4Wav72ZX91aXo/pe
2ZpVQDxnupy6N9PzyqLz8G7fjebyeqAvwb3Il9ycIjmeTq4QFahDwbo+n7dE
GRs3pfVPyypu6aYlPj7pktCcMSrM/J+uafp1FfKAdFMdqOA+u65qbgnHWj/X
ywJVgS875KH21NcHUkV68HD3ofb2qi9/VF/e21aafHijdXRMQdF88NZwMdBl
YKp22gIYybDpAsIwB1Nw0fFkZkgbjvJmlhD703gxSaYJMrXe8f7hoTEHAIz1
UWPZ4GYedtTv68XsisYgk/LO7kMSTLjbHVZiSqnryGI2i7GgDBJXtINg34VJ
NDsHyheh0cIvQrrsEkyFu1UqGKKvKmEgR5f4bUWQV5iUKXJVS7KwAFB0wka2
3ChylVYY3dpiljrhY7ZyzsF3q6hKWCOseSArD6Nck4/ipg3xQcdjnMxUfZkl
B1jrAuyhl6iCKgArHFoqrRpLN++4Y7XMFDaJMjpoy2bzTsfEBdyhgZs197/+
eUtftRza0X6XzFM+svXP9yuecI2JaKs3Ohy/3vZLS8ZcdVbV79Y9OjIyWkKY
PdmnPDl/Hk1ReQsWna0+43qNPTUwq9DdKI+NGLKmp9CmtToA0u33aQnOTklH
v3LbkrBFz+7/2PLgcHNq/fe7RsN8V4pyVHbCzxTeqIbfa2iD5GPx22268VNp
6YQF2n+q8MWawYfWISwvnf63Khx7a+6U3efBY0dLdMM1Mj8GetoUv9mG4Nsb
9JnayqaAzak/+OexuD1HYaRhvUUfb8vPG/Q/+GAxQzDKMMHsjpgPCl3D/Q7K
MO1hDBIOtphv7jXx339tNhrWKzRm7/nrZz348snhj4cn+FCbHu3Qv6f0739v
Nuyx8a3m/9YUzw5+gZfk/xrWfPzEf6N3/4n+/Wf69xb9u0H/bja99vDw2W36
5l/o3xb9+4j+fdxcEX9R5RZQ100eAPe6nWuqvFGDSL4YW8KSgKn1MyFMYKa9
RuBDRKO/uvZKR7UCuPOsmY+pHSSCoyHXj43VgKmG+vNdzehheGpJ/LAevHSg
zhg1Md2/pZuhux5NhQM7leJ+Rg3mKZPpv3G5w/JQeaPxhoJVqqKAZQSKSgXW
eSqxNVNJVwrOVCdCRedmKMW/HOcmFXYdBOLGOmO4isG3UMTzcglF+t/XjjL2
HNPSzqZzgtCGZhQUp+ODCrVEB4cbfGWLHCGpV3D7vuWvyTOeFM3VAXy/BYPl
fBaFoXLlUL87Nvcm0tm0VtzkGD2bRcqH5FbMMKWHvv++VXdGs9nqwRrv6gXL
uZAUCJkr4ddKxlyGb0TbXg7CnfQYKLBn+5Mds1wlUXtGmSo88OPbq57W2LgW
6lh6hyXSkoFVy6XXw6uyaSlU7vtrFX70Y73/zB62wHl5LohQmbhyKTZLkc2N
E8C9NZ2vWRVtsI5X2Y9uCKXW6QPOa51wwKoTiIiGxzI06tHjmurWtFaUdm9X
lvsvtP11+M/yAHKLG/li1J0VZer41VCpuhDLc16ycUAGiS9d5h1LHFUaxFpl
cqpfqIh0x59rRruLpaXxxPLqeGJV3PuKEnlrFMmrXybPFMoTJkxe/cKShPgS
N3iTC6nKQBDLSx6J9e+jRt2j4DE26Jzrph0EpIsbilOW4hOWqb4TP5vEsyUp
AyolIJBpht9XFULSAWOX/izVRJUyi+NoRi4gkIMm1L5CunqnoHQpTwzJIqqk
LevaTjKVlWck2fbyJDvWN26DQndbDqcdqNj4S9Zob1rLpd4mAUviLBWqe8VQ
TWKrzjr8VS3OE9W01GFiMKikDwrAsYzmWcyoESrNc4kSkZyLCx5c6X4eerVJ
btdbCjKoqHxPil8pR3rucjHYbJlx8xSOLMVnq0vR85HOo6tJGlHU2n7ae22e
LUUXl2sF/LBIJrKhKQdmoBmVhdz6t2w7yIfxBcW0UOEmDW4AY1gwiKo9lXNe
6PqsODydLsJGbTIFJ9S9RPaxZTORE7D6wNmabmOSF7pGV6i62Io9+uEnVMBK
CkS8Pu0I1cETFt6fqkRYt7+6H9+BAgl6TU3zgTpOUMxGxQw+E+SxIvcVJepJ
ntppN1L2alZTLKtjtBPCYZVGs+YyhCxYGu07SSZ/ojUGpnPLdi4hllytc6WA
Z5gRih2Y/kc8aqelmKKQSYHUqX2H2CLwQyq1c0qlduj5rnl+n8vwHFOxoq7i
o/AOHCfxNHphG1/Y//lE7GOLhZx6t2/s7x9vyhmABbov7OIL565IBns9xb3i
91XyQONjmCUyGwEtP5lGkypowA1GqkGSnU3KCa4x3LkKCBhE86ifTJIiQaRg
6oWl52YAE7JIWzwaJYOEi2EQJO9Ri1xM9I2KRUadoWUMjJvcyll+ksrRbew8
kn87paG6FoWIJlhB56qSbz3ShCMCvDPps9wljNDr57gvTlIMiyhdEvfP3sFY
BlPuktDd2BO4GpieogmXx3n2SV6NfZz0rNVzZecAes6dmeSunS5lOiLfELiH
RODWwqatVdi0/cWwaasCm7a+MjZtfS1s4vhKjtvLVVOvWGUlrKpYLKtAXtnG
IauKWwiTNrY21TSUg26XcdJdsTDedXaRZOlMebpXA9wPvePDfaJM7V8wN3wF
zHWvDXO/oW74Lgh4uZDdDz4ZNf8NALD7rgoIPbed94MrKefJV8DtbwC4O7vv
FPTiu+/vFjWg2Dv3FYDcj3IQJa4FxqMoySZVgGw610UjeHuo2IDHAmDc6zKG
LXy5gjtIku+T+v3j5SScCDcFx5euKXfqGSwfBe7pmyP/Giq2amHjzlfBxrW5
wZ8IG7e+JjbehK10vyRb+Xw4070BznTb+zVwZvfPw8HgM9jQKQL+rWuij4dJ
+2sgEs4u51XINFiXte3/l0Im2wzin2RutxEcADKRjUAFHLXxyZUcCY4XI+u4
Ki8iQoC/1eJpazGaOkhz98/DaP7sSLP1Z0WanesgzTeDEIcvTw6OXhw8Oeyd
HNSyZd378/CRbk2saNVGC/gpXcVab6+LV9sk2aF3UeEY/3+gca0lzgeDfK1F
WD8AJy34Z3AG8s51xxjgGIzxgxoYX4K4FThP1Zen8ZBs9euiPntOYgyLS0aM
G3k6jcnaHyYFllIYiWlKdUhi5dRK5xTK/WdQFAU3PeAoAPkxAEqlArmangRG
lJDDg16HygXGBCj65vRTH2ZX2ijv/3kEh89CJW9KJ/9BKQOUcpXZ9xuklDcT
re59KuX+z6bbH/xycvDy+PBvB6vozIMb0RnG/ipqUw/I9TBLKVN4NptIXX86
EaZrW5+NtOEYrRsTuGtRuO2dlVTumrQJf4g+wr+XxU1GQUp5o9dvRGPxR9HZ
Gw1Rh0JrPF1BmSlAAntwfWGyPLNm9kXYSBbEGqWLDMSwZJzMQMIs09O8nnn0
0dIBPTFY0iHU57EABhzFog/HQl0b3Uc/mwjsedY3AKfXcKdXj39Z/C8gYucr
eF4OTI8JtM/6xKHbrnu9YEQO41kRkqhLAtvhUyYPwusXXitOEVb+MuXyR7Ab
cTBMijTbE6+xDFBM3dhQDkAEkD2IZvKMmm9/gxfav8DP23dNc5o4ymwx7XNr
Ug76spsH0ekN40mMk+K3WItznEVzrCT6h9224A/xEpNJnJ8/xBMqY0Kofn0a
eJOfP8SRhsU/YMVb9ldO7JT6TAfUuAaeR4jsj8iq+LlXbO6qtTKW4e072tZ2
xba2Vmxr61vc1rbeVtd+3w+VMNvKQdYGWWSzfGcoVgVEpBwe3SBVDKjd5hfa
Vldvaye4ra2a29r6tra1o7e1G9yWdAvWv60Sc9G7GtxwV+tsa1dv625wW1s1
t7X1bW3rrt7WPfv9svl9Ldy6U705luUdqwXLxcD8V+x6jW3d09u6v2xbW+vh
1lff1n29rQf2+0YtN5/Z25Iarrc5/zsJllqHXLlbUsgq97zGth7IbWEaCqkb
ywUqnYpCcpElqYXDr0lkfNwcYMR5xqkmr+ayjDcI7vtOWW8vfURKkSyrpdZb
XjFwSrY4SydDmdldito+iieWpf1lXFym2blZR87R9hwLb4WJu70kMF9gEmVj
qphKxa6ihFIPdAsblU1hcgbh0Ip0kE6oqvTgLIkv2FQlU1cW2FYmLyLORqUw
fQ5pv1KewhaXrILXR9EAtTk2dpFRj06EVDwMZS4uY51t4ZU57wDIYWRbShU4
dR6KHXx8HsdzW8mCT1Htit8DZM2oqSenhkhpWOTTNC0oqwTrouHmkyKPJyMS
UWXqMsqulL0zkweur5CemkazaBxbXcexvijnMOWxtVjYLt+MmUTW5rI3cBah
Hk0JBn0u9I5hzSitxxnljaHMidOWFpPbnUFjkL6HQ6niwIScv5OBzH2BqUjq
ZXWvuexkO52nM8rpkNkxewQDwyQfpBQ5C9syxdXUWV7G/fYkmZ1zfjnqmN0H
D2Qdvv306EA8hy+FTPGiB+7de4ihfDIPw3pfV+9DPDdNutrOI5uPpM4WDxZ2
2QwPVOUZ1ynkm9OgOHNpu5wH2s4Q8wibTPLeRRJZvV6OKhq72AvgpiqbjMzH
suTjSDzBzGtEeRej0yzHKgFitMjo9nBdizy3y5PCf4sM8KbtUhLM+y83lF1d
KdOt7DtQ/VStDjfYj2BCNHoYz2X2uUpZwkq6VAXe6hdHOVrlQpqRB74pV3Ge
R7ns5Z726eBpYJrQoLDKBEvsrm+KuoxlZc2NiDPQosmmQLIOOvzYsmUvT9cz
aXcIEnbBG7lquMCnytQP6ycCgVYozj9CY/5FMsQOBP4uZVUVsyJZRRTmGC0m
BAMbSLbbm8VCk2A4x9S0JFNDajyExbxYTIqECo4AuWF6QB1+3cn1jWKuGdX8
GY+zeMxEUq9IlqAYShNMP8OUtmaRYYn0poSkZUDESJRkuKcOlxnKIkpBj7At
8Yyy/CSHgBHiKMtl1gglQ7pnPyebT1ZKgLSDnAEOJpwCP8+SFLEBYHOQ5NwY
Q7dSHsYAWOl8qso+SCodZDSUWoNyg0oQNEQW34EZsygvssUA3eHsCqdkSJyT
K3oM0SSVDPkipP2vuplch/AcaL6N21WGIGwpUSv9FEEZ2YvOPu1TByjM+iwn
fcp7uyq/5WQSGjpblQ0YdhN5aYFAECj8p2Xm/OQ5suIZAkVLXTzdSwjgkXxd
zZFc4UnYxj8ArrN4MldGtauVxIOYdz+GxeJJo6gDazSXZQlBkqRHgwGw5EyV
EkG0iYZsxGYm8Tzlbt248aMYNwp/OU3li5USX8uxuav7LUtNsysraxf7cGtS
SxCSUvn9MR76VarvQTWgkYlgzB8GVFpdViWZyC3oc5W1R3KrHms0wvK2inib
u6nJuDIPDNzqzsTVCCWxu+OVrtpCWzNzUVIpQDSKXVTpXaGrw8GrGO5mS0le
ToUXpNzIBpFLYKMhmtjMyaWoMbpmFo9Bw0ho8mm6kGUjEwIkdHzbibjWIXTE
AbFb5rXU3ZGewNRqNpBya3RzggwFKoBP1+beSOEKZpuCmazkU9FFip2EmPPx
hjJg+4hAE7THt/HGTM0f695UEXn19RlOhvvgKrl+HRoMYAQhdLiIZU9L2GJE
LvBpkgOPx6xaFMbH7JrxAYSpw+RK1OkHoBticN8IOgYpnOAqFlzpzkgoLN9n
1ALEIfyasUo2V6YXMkKTPPX9GKhDguXQmZ7mbmq2K2PhSeV1xBUmn5NJPKYr
kfvngv+LTFVxM1KGzA0vkMDC0fKilO4HOL4ohiU510JCB3hkK4txShgVTeE0
JJ778hk3XQltlGW7WgiGkEMj4GpU8ZwB3EEpxZnXqsRQq8A/+R1Q2MaAjgnR
DToTycBlUW8WPEgh5FjXwZmEk9w0Q64cVZ+2lT1v3R8/PloQADleEUrtwxqE
tH/PomCaWFacD6ue6lvfshBmyg8dplxleRDrD3xfDUyNizndHc/gqmXXUsAK
R1YFBVS5uHACaU/3u3e7Uh10FIpLl/XxULqXcrCFcik2TvVTRikkUt4sPdqS
0gH5qtoBdrF3ZO5z2hmSJqqtaxqAoeAqfXXIcVrchhe+QxZMMUG8Rzp4SqGe
gkagiP7PXLk6yZUJQRXs8IttSFgEeX4xIOTfo+4pszhd5LgoRalcjhlym8pE
60t4eWy56B454/WBgcZkwFg1HBxR/D4xHIKLgJHs8EiJbHq6sH1p9SRWJwW4
7Sc6rkpD83gRAQQWsdXNlaxbug48MdMBibcuUXSaCwXpc1AiwUsJ6M6aVmkl
mvVmRL05qAUcHYDbkeW+uNYFLUzTKIfgzliukPAzFJcRi9nGiIAGjUwLi9JW
STXKfvbsXgyJl3FfKDPPdS03LVXyLEhMHGS9q/o2SGMSkg8J+A49wM5P8iSX
GZvWmPmenFlaqQz1oirj+yDYZBNZKtcxFQWaD0RW6T+7OssZar4IbyPsJulW
r/GqBnZET4qNc2C0jC8gFlpNjbCpDwp7XAhQLWl5LwQqnzObJOdobEFxR8rv
0vwYojooVKYgaRoDtL3IE9RscDf+wWjTai7MdKh8L2YKNl3ihofcmwDwoNEU
jUGtpSeruK2ckNGNR0YChwZmUMNUG1WhGn9aK8SBkgFVmVF9NawSMAhTupHz
E6ADAyqgwxa+7fv3ZJPkMM4YEvEZ+49V18LEZiw/qyYHegUEi1S+kfij162M
R7NpCeDKRXwVD1l7TWampURakAppKXKkPhhYNj3QEGyR2Sd2+5JoOKQmCapB
SYsbrA61lmZWvSkuyXgFR4z2C8k1DrFwMpkPgVxnhXvkUrdQ2iXcXJxcKAEP
RX2JMawWeivuXu/4uvWOTx+dNlosAaKv2ipuyX5w86p9vA8SLfEfIM4QxrPE
RjW8yOZhLVnW8FqBQGsVkw7Uki4b4JczA9LLDDvY1iHOZNr32gs9MF9uazaF
oHNYsgYgDUd/ga5cxvQoJN9x8HRxhi0f2L64mBmYwUG4nTu1c1JiLjb+ebCz
o5eIq9qSBOpwFFDp6gsvxGdQKcASVEl/IQ2V0cxZF8oYErmVb6iCyG+2yHko
21vkZ4Ta3OCiJMpggytxlkizrTZYBC0r9nsLEJomvs2HbTRhO08HxQZTu1s2
Cj3iMuSagMSmQZtF3sqFm69F9lvelJfY74iqw9Ne+YRWEhh9YrZHkPZrqF3o
mCvMXyHyCa8jV8cS+1e2skwGPxIs3RPaEbahyK9BLFvJBAVtbNvXR5cwWxgU
3jiw4JiMbVHbOLO4FVZBjV7tysuWhQRjiFnfcE2bxvyBCA06xIDlEhDIYAPy
WIdpqBKhFJOk5aSDcs2ZrJ2rJqWWVoarOQcbGIzQZpSMF9IDrcwqZROYLHHo
Ps5MFC6sDxd9RYcnjdZUTnoiifdZNKyCBvtu6C11a7rL5GWKqpxuMom2fWrj
J9u7aX2RtcWRNmRlsWIj+UIVMQPaEOGdK3uld6BoCef9G72GSica2GCJdmZ5
0h3aX+E7Vi56FGxpAhmmfqnEgegCBAh20Zfoah3GqraqNVDlzwgfu+RYGjjY
/RIrp2DJnspgNVddG5wtW0qvdnlqbwDWsZRGZCTn/CKPeYkkYjHT8psKb+dn
GHTcZCXcgpMPinxvkyOley974agZbcVTDTstyVbGXyNDxAGuH7n84cM/Hx88
f/rx46cKW/7uO/ECk9O46NoRF2uUFOTDd1SmkZLX2hji/xFIHu4fyXJ+rgzr
XA5SOnRwKMoGaFrQc8cVdgCO/oVSofL4703la7VmdprcE5Eekr/S63OKqu6D
HVmtE6ecAY3es6G20The9AvzVfUyGo2jWBJxYwTYEy/v9BqNV3MZ9lT65gAL
auAFu5LYnniBQmQ/FqrFT6Sr0eu65xxxcn+3y7UuVQtMWTSKW0J2xIGsH1qo
qp70iN1s9br1QnFUDU2bciar9ZfpeAtT6uKful0WN1oodwrTXY3KRaPlqjwx
daezi+/rciUA+VJbTEHRzWK1bLrm47DouyeOVxvinQ2TEdWL4fLHpCt+jT7w
/Cweuji1Z4ZqNHq2mZxIE7dqRiewRog9UX5MOaeUQNyyBFWWgfICDS1RqI7+
MgNi/Zv31IKdjmtc36SQkYgbkpgkjfBZ9UAtlqhiMRd1kIA2MME/i3gKHAhV
6AzNK7B7GKtAFofUUTmYnfef9346ED//KKZS952g3Lwxic7jf0WQ6aTZeBM1
8MODk6fuKbP7OZq0T9Aj2QMxVGxEWWFeYzAg89YCBb49sf/qxYtXL5EeWF3i
UCznr1+CDAA7Bf6WZnf2ObIHN5AByYqBhuMaYLMqqiKaOJQN3yeaS/4CYCNo
IpVVxHNFfa8U4R3I7/koQsQXTtFjNVzTV7qwm6FprJK8Hz7gAx35QEc+AEBh
dUVp7lu5ZUcHxyfIxQ+sHDOxgbamTfFaU0drhjGoU9jWV05BXMYh0UtYg3lr
n6jsnmjDETzZQzOB2Mjo6Lfa3bt3N/G2dNNqCzHhoE8wYrQQvUKilXXK332n
Drqgh9qRfmglo3MPPKF8PD6u0oTOefO3HfPt5zjs22Z2ykNCxkenC9/8kKHo
amUiAV2qI/jBqxLa931ovy2s03fDnh0r+tt3jcZf+tn3FQsssCA0Bhe1F4tk
GF6qyVOTTab1wskNJbiRAFESo0BXxy9R6iXRGydGi7j1mzeHT6636WWehNpn
cP4NHIHs4YKByIb0f8UzGdwtvvqZgHB/JtvYeAkCX/VgFl/9YKiHDnp6dOO7
b+iA3n9LkDMr56p91aP5BmHnWziieX7eRvsWx6OFz+gZrHkv0JFCmR7M+1aR
qfbr458+z26woybNb6tdAXmHZS5Lxm4rGeIGgk9p5qreDzVUPUcmOpifgZqZ
gSiNkRBJ3H4WTyZTgJFXFHnz6vhAbNDkm0FZiC8UbvPUuU1SbSdRP57sie42
aEyL8TjGSJZN9SVrbScZtvbJxFOA4Zguh2fYg98dWDi+FhSwQPzyNfx6XKFg
WieGOo88MtgQirgKgCXYvicUzU7TRXE6iUv77Fbvk9rk2ftTngA5pHiOY+Sl
XcsCFotivsDgydkYO4ZKV7k2UbExQA9F3u0RXL8+gOX71+qov19VAcTf5071
PtEhg47Eiu0GKx0oqKrYfB27ad2rtraqsfngPUUVTASrncnvPDSl31RidxwN
r4vVVx5OL5nfUW7YIaye7jhPd/Dpz4HYdfxT8PBzhgzyMPeenD7v/XDw3FIi
dzZvdrdLSfaKQAiHch+Ql3mfOntW3y0+1Kb2n5/sjs28oTvFbzv07ae9Q+X7
3/N9//Jq2t1d3Ajfj/baMyb1sWW9d2vXjxi4PkcuXy/fj7xkfcE65+6YA3eM
Ei8oRGDDDhjYtC6dvP+1rT9JrFMYmutN6Vw8vNrBVzv2I97l0/By5B8SigzE
MeGtCowlL8Uehia49PmlMc9jiAR88iKOZmTzcWOohPz6mlfFcRS24KeX5LOM
lwGPgb2umnTnxgvVlCHImSpJRLCrloEhGW/McDRA9zxl78aXNZt5fRoS4MqF
5e5rlktonsJyrsiTnZAW0XydJRe47Dd53GyJ5jGG2UbZMBe9gSVqvZ+DCgHH
dJHEl1yuqekwX6H8Pk3yHxpL+G5HxVM+2O5iMAps1BlMjBfJMJ5wg8UsNlHS
VoMzegFINL5A++pRbh6WpGVzXjQYUJ41qT219sBJZ9GQEsCi8jtNqsedl3bz
0NlNKzA0hbWx/Z7iU5U/zBvorncsJ7aTTnaTw6LeBGpuDqhZ60kWDc45mIoU
v7wECve3u04UK0YGyjBaTnoxc8rApBZPSbEnQCNl9iSX/4057ysrNoCyFinH
K8s8XV6utVIV3mrBHwUJqPNpoTMCSz7ItDQ3dYrCgyYc7mLm5ElguSraRMWX
guQ8CYT8d7blMfM5SJQYpJPFdJZrP69GJ1gGNak2Ae577FcFfJwM2cWSzNij
ykXHVFKNDqVfGhZO15zLd3PuhYmZObME6EjH6g6twtExyCSh5GIU9mUeElKY
cWR/2hEmup04Pu1NzoIqhCkqWiYHiWqxo0DxUE4l3ydPo5YgVOiZggdsJlpC
uJ/LCFcx7L27d3fu4cjt7l2OzMSPeTL87m5wvjDpKU2RTzE3ijqzz9RUOMeY
KLX83MwyjbJzOYNNFS0puQoW0C/uxpKELr/hi1mh4SKZLTe0qpzVGtlihOFx
iULEmZJqZFqyG+PA+T/LpzpxUEYHaJk4tXk6X3C9BK25ygsh5KxRnUWVknUJ
K+brYPId+RItTu2wh0ajJv3H6NEqHkbtXS9TdfBhnFGkVp0ZkU19LiAWRMrn
7afkymANVSBmTGGFWPpSjOMZiQAWU8ThVUEVSQlzFTPZx/zalHIyRlheoL9Q
OYEZBnXh5y7qqPc58xTQAJ3JecovmUE5hC5f9DHrhpJPsPJMsRji/cuD5POm
hEAZwBmdE0FKXbe2J1sznyIquz+JKAqBi49kGFuv6gPYJw4M60Au24lVwonO
4gFzqIEcC96dL7I5plxaaf58iUpWk+K9GVYFEExxBzmlgKoDl9EW3pIo5G4i
mZGddx3zRiiAkzJzbACDCZVigcMPU5lpH9NUuZqMoAEmHDjHQ/FeXD9hinZj
fLUfa91UhlG/piSR/O+LqOBOHfpKKeGB2WtHIkEcZLzodrUi8Oz4NoQa5xjk
mZKmFM/ckyNPv45zS1V+yoJJChfJ1lmhMv/Eboo7G5qxZO6LnUOiEloTbCU8
n6RXXOyaeOjvKZXGjMbjADmnLTtlXwvYAhdqIMCR1XAmaR57lbRJsVeSlimr
wwxXHrW8F5ZO3QnohhySw+evZURFSWoxVJ6XAJ5Ox8jDHX8SuTTOuBstE955
L0xIpECnh1UCXeTxDMoU1+GQucZ+HdM4xwR2jpX1U7jMIcj8AZL9W0ro1BxQ
awWIqrmulFQBp7Y8dlmCIaaLKvOX7ScuWTWUDBULzMZXtJcID0M2HDyx2Fxm
OJAorCmccx1PJN3PmekST8DyQaVrpvrGdndoBWwg3uKZckKE/xZdGkM+W44V
yVNBZCxTGlpwGSdjXEOECfU5Fh27xDz3K0eTSGVorhyS6obFo0KGoia/0wlg
Nvsgxhhz0hcUUlLajaynZGIq7dFxKB6fF8lSCSYAwMhwJ+12GzSwwTkGi+4/
efJcvKCcbZUHPRgOJ21KuP7Y+LBHCURwq9loUFkzHl5oPCr7dRqqXPNjsd1w
SrvDJ92GsjDuwl87DaDC/VPAVvhjt2GKmMOf9xpOWXP45H4DKBr+8qBBjr5T
dvTRRNsNZXHHSXYaemEhc0Ej2HMaXtwKfrNFO6nqSUqbqmqRSHusavlGe65q
bQVf3m1Ud8GhA6pu/UCnVa47TmcHR0Omj2dwmgBFJmCngT24YDfdBpYzh1/u
mmM8Ic9qjz2rryVVb5DESZdEhxd+mrsDnMNtFhHdJe37/d3C+ntn17ox11O7
b4p580i6Qj8dbrCMOlYsHCVjC6ZVcUICfPqESw4qOiLezIdUQ0KhgxIs2wv+
oowUIC7/DVNlYI3tLdKu2lt3WYjGAbZ24c+PSAqfJu/hgGhmkmwSGbpXL0Oe
sF5Rn2h4ypRH8TU0jGFKzGERT4nuHk7JfqCMf4EMN/WaSRvbw/Sq2+RNIQ5u
KjFgEq6ybVNSKxBSyTgEtouYpbmXwtDhsfg4h3Zums180KZ0gxw6VvtYSKTA
eplJbQKhMY3Nc5Q3Nf2sjAC2XnfdsphHlOoiXo5ffaUvtaMFc82e5YFLPKL4
eUW+mkrqrQUXzrPlDcnLUJaMQazLQdaeocbwry3tQF6XDFxGSUqTF1a7rJx3
ufgEDdDDxcCCnhdpgdJlIlME+iCkj5JCo4wCesoDowpWGsrkAM/g04ksbcDl
YRKdiKgSjwz09THjSkHnRWi/ZhcdjSsZJ09QjLyP27q01y8vnrdM1ukvryNM
MX2Ps+Vmu8dknoCPJ9FMmyStkmRWXXl8/OkC5AJlHzFbl0mQKlEQZy/i9+qS
fgwX+mF5WxYqzVXun1VigyJoEhb6K7L8iOygpu7FXvPEPaqaqVsNkKRp6/WJ
3teLlOxSBVUuksBh5W04Vk8JeVk6J50C9y/FoHkyQJPTYo5ln6jUhVYcUIdh
4ZTyWpCljIA2y1w2JpxWT3hD3XeYuu9a1H0H/vzIRqIp0VsL0LlCVEx6CH9J
8DDMolHRXhpgIs1OeLlD0cR8m6vT0SQaN4li6hw7/qxjk8GFoiPuM0yyE5W7
q5xVRzFa9/kw+IIs80jqlINZM82e4AYlTxT4YTHASKRo766scmpdPwlrhMrl
YjWGKzMAC/5OTnI1kX3iob+D6daloTQOkBLnFhKpgiWXZ+mknGR5u4T3DshX
MXxrTovqc+q1FyXT1Hy+VgaLog8heYMzZ5T4oGSP9S7XujMSIDixV+2ak2yp
hRYXeUA6L1MELIDikHZhQtrFLSfs7/YtuY2ysHOtDOCOfSdqyURgQT9Xy5PG
VHksa+XHK4agxCR3sQH5ywQ0eKEF1vE2q0thN53KMvx4ReL9tWhdl2ndjkXr
uvCnQ+syLwWF9FdTOWy1aEEre5pm/QTWj4V/00mkkcTBUNXITRaVsaGW9fNQ
2btkpHxxemRKaY1leQ02UISkXQ10e7L1EZxbPwXsB1KDZMvkq9rlK5TZzEti
dwi0LZr6aN4iqElm7T4Xoh6nRaIFAS9EzQ9os9j9ddD5WEtBNj7IUrEmr0t+
roDbxpCO0XEI2umeiPpgzW0DiGYmYudBodcWDBx7aIC+s+SnoXsZTG8zTHct
mN6GPyVMX1DtPOCHbFOR6MWLfsNs1eYTdqsj1zQtVUUyoNbk9WtemSS1h4VT
gZBlNXS6A9oUVHj1MrqShEkrhGE4l0+phCYHs1Hjw4KVWIeBC395ZkH7iBzW
5l1tjdPY81Y7SNtkXDXtqaSo6kviN1g5U+IzqSsoLXhdgYcSoakYvSwaTeWk
8gA9EIYVyHI4609XGnXHHnVXXfqMqiVbPBTfuxbjVEN5xdAq2ZtrWrCJg8pJ
to0KK7ll2VrBV7eCwUjYYIKBwI/cqeN/OuWYKVyRIvK+GM+GdAxVMkxJyVnE
v2TMBNLKgUYElX/cdAyVSoCyxFgKPvFuIxhPxQJUtRSvDC4qqCHq9zNL8rWP
uVqztaWFZfR0i+nptkVPt+DPjxaRxtM1Wrwk7xFGRkbaduHo/aj/IeK7Iuuy
BZPza02dCgRMkI/m7UK8J+ftsB3PExA/mb84+ajmCKXLa1A0xQY6VZqDUXOT
38DwbfuoPbbGxX+HHOdhCWwAL9EUNelUV6280pXG/MIW/SsresaRKcqydJNl
6dusObCJ44oLGoaSZHJnuCV2FafESy0jnTMyukPIwwSklvAJBpsmReHozc5F
1W20ZyC/ygTRBgST4ZPCys2lAwqkIfMZ42tH2r3t1YDIlh28flmJytKfW/L0
kgPctx04OzJGkxW4KXoDZdhh3RjRMnI/QwM2O47i4ePmCJNGmrLIbUTx8LkA
EjOIqcofhvGciw8fPuyfZbDiBAhjb5r/5/+T5x8xRA+/iDJkquIHaqEyUx//
GKeg8sfiaTzM4sFZnJ8n6qsXWAodvnoeU/FR/UbUz5J4Ip4Dgf5dvEgmk0iP
djDJI/6i/RoW9rseKgHEgneO8P9AAVMz/3/+jwytAjGMArOoj3/IcAvHyTzV
8/66eL/Az1LMUfrYkuUGYJWT5P/7vyPxt8X//D+BDv3P/wO+VOQzycQojofo
RFMhBKYfdEizXRcbZScJip+ck20LLlv1RqXACKc+GWbf5ADrgGOcgANzYZUq
GZUHignV28YyM075MZLgL9GtcisH/j5LJZXujQHYrsTfDl++fPW3nh1Ke/Dm
6OCnntg/eH5yuN9+efDLCa6PjMT7v74+Ojg+7jT+f2LLaLMj2gEA

-->

</rfc>
