<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-wimse-mutual-tls-02" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Workload MTLS">Workload Authentication Using Mutual TLS</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-mutual-tls-02"/>
    <author initials="" surname="j Salowey" fullname="Joe Salowey">
      <organization>Palo Alto Networks</organization>
      <address>
        <email>joe@salowey.net</email>
      </address>
    </author>
    <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yaroslavros@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Applications and Real-Time</area>
    <workgroup>Workload Identity in Multi System Environments</workgroup>
    <keyword>workload</keyword>
    <keyword>identity</keyword>
    <abstract>
      <?line 40?>

<t>The WIMSE architecture defines authentication and authorization for software workloads in a variety of runtime environments, from the most basic ones to complex multi-service, multi-cloud, multi-tenant deployments. This document profiles a workload authentication based on X.509 workload identity certificates using mutual TLS (mTLS).</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-wimse.github.io/draft-ietf-wimse-s2s-protocol/draft-ietf-wimsemutual-tls.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-wimse-mutual-tls/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Workload Identity in Multi System Environments Working Group mailing list (<eref target="mailto:wimse@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/wimse/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/wimse/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-wimse/draft-ietf-wimse-s2s-protocol"/>.</t>
    </note>
  </front>
  <middle>
    <?line 44?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines authentication and authorization in the context of interaction between two workloads.
This is the core component of the WIMSE architecture <xref target="WIMSE-ARCH"/>.
This document focuses on using X.509 workload identity certificates as defined in <xref section="6.1" sectionFormat="of" target="WIMSE-CREDS"/> to authenticate the communication between workloads using TLS.</t>
      <t>The use of TLS for authentication is widely deployed, however it may not be applicable to all environments.  For example, some deployments may lack the PKI infrastructure necessary to manage certificates or inter-service communication consists of multiple separate TLS hops. For these cases, other options based on Workload Identity Tokens (WIT) as defined in <xref section="5" sectionFormat="of" target="WIMSE-CREDS"/> may be more appropriate since they are not based on X.509 certificates and are communicated at the application layer rather than the transport layer.</t>
      <section anchor="deployment-architecture-and-message-flow">
        <name>Deployment Architecture and Message Flow</name>
        <t>Refer to <xref section="1.2" sectionFormat="of" target="WIMSE-CREDS"/> for the deployment architecture which is common to all protection options.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>All terminology in this document follows <xref target="WIMSE-ARCH"/>.</t>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="mutual-tls">
      <name>Using Mutual TLS for Workload-to-Workload Authentication</name>
      <t>As noted in the introduction, for many deployments, transport-level protection of application traffic using TLS is ideal.</t>
      <section anchor="to-wic">
        <name>The Workload Identity Certificate</name>
        <t>Workload identity certificates are X.509 certificates that carry workload identifiers as described in <xref section="6.1" sectionFormat="of" target="WIMSE-CREDS"/>.</t>
      </section>
      <section anchor="wic-validation">
        <name>Workload Identity Certificate Validation</name>
        <t>Workload Identity Certificates may be used to authenticate both the server and client side of the connections.  When validating a Workload Identity Certificate, the relying party <bcp14>MUST</bcp14> use the trust anchors configured for the trust domain in the workload identity to validate the peer's certificate.  Other PKIX <xref target="INET-X509-PROFILE"/> path validation rules apply. Workloads acting as TLS clients and servers <bcp14>MUST</bcp14> validate that the trust domain portion of the Workload Identity Certificate matches the expected trust domain for the other side of the connection.</t>
        <t>Servers wishing to use the Workload Identity Certificate for authorizing the client <bcp14>MUST</bcp14> require client certificate authentication in the TLS handshake. Other methods of post handshake authentication are not specified by this document.</t>
        <t>Workload Identity Certificates used by TLS servers <bcp14>SHOULD</bcp14> have the <tt>id-kp-serverAuth</tt> extended key usage <xref target="RFC5280"/> field set and Workload Identity Certificates used by TLS clients <bcp14>SHOULD</bcp14> have the <tt>id-kp-clientAuth</tt> extended key usage field set. A certificate that is used for both client and server connections may have both fields set. This specification does not make any other requirements beyond <xref target="INET-X509-PROFILE"/> on the contents of Workload Identity Certificates or on the certification authorities that issue workload certificates.</t>
        <section anchor="server-name">
          <name>Server Name Validation</name>
          <t>If a WIMSE client connects to a server using a DNS hostname, the server <bcp14>SHOULD</bcp14> present a certificate containing a matching DNS Subject Alternative Name (DNS-ID), and the client <bcp14>MUST</bcp14> perform standard TLS server identity validation as specified in <xref section="6.3" sectionFormat="of" target="TLS-IDENTITY"/>.</t>
          <t>In deployments that use Workload Identity Certificates, successful DNS hostname validation authenticates the server endpoint, while the workload identifier provides an additional identity that can be used for workload-specific authorization and policy decisions.</t>
          <t>Some deployments may not use DNS names for server discovery. In such cases, the client <bcp14>MUST</bcp14> be configured with sufficient information to determine the expected workload identity of the server and <bcp14>MUST</bcp14> validate that identity before accepting the connection.</t>
          <t>The host portion of the workload identifier is NOT treated as a hostname as specified in <xref section="6.4" sectionFormat="of" target="TLS-IDENTITY"/>, but rather as a trust domain. The server identity is encoded in the path portion of the workload identifier in a deployment-specific way.</t>
          <t>Validation of the workload identity may consist of an exact match of the trust domain and path, or may follow deployment-specific rules. The path portion of the workload identifier <bcp14>MUST</bcp14> always be interpreted within the context of the trust domain. In most cases it is preferable to validate the entire workload identifier; see <xref section="1.3" sectionFormat="of" target="WIMSE-CREDS"/> for additional implementation guidance.</t>
        </section>
      </section>
      <section anchor="client-name">
        <name>Client Authorization Using the Workload Identity</name>
        <t>The server application retrieves the workload identifier from the client certificate's URI subjectAltName (see <xref target="WIMSE-CREDS"/>), which in turn is obtained from the TLS layer. The identifier is used in authorization, accounting and auditing.
For example, the full workload identifier may be matched against ACLs to authorize actions requested by the peer and the identifier may be included in log messages to associate actions to the client workload for audit purposes.
A deployment may specify other authorization policies based on the specific details of how the workload identifier is constructed. The path portion of the workload identifier <bcp14>MUST</bcp14> always be considered in the scope of the trust domain.</t>
        <t>See <xref section="1.3" sectionFormat="of" target="WIMSE-CREDS"/> for additional security implications of workload identifiers.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document does not include any IANA considerations.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document relies on the security properties of TLS <xref target="TLS"/>, PKIX path validation <xref target="INET-X509-PROFILE"/>, and workload identity certificate validation as described in <xref section="6.1" sectionFormat="of" target="WIMSE-CREDS"/>. Implementations <bcp14>MUST</bcp14> validate the peer certificate chain, the applicable extended key usage, and the workload identifier according to the rules in this document before using the authenticated identity for authorization decisions.</t>
      <t>Workload identifiers are meaningful only within the scope of their trust domain. Authorization policies <bcp14>MUST NOT</bcp14> evaluate only the path or other sub-components of a workload identifier without also considering the trust domain and the trust anchor used to validate the certificate. Failure to bind the workload identifier to the expected trust domain and configured trust anchor can allow one trust domain to impersonate workloads from another domain.</t>
      <t>When a server is identified by a DNS hostname, clients <bcp14>SHOULD</bcp14> authenticate the server using standard TLS DNS hostname validation as specified in <xref target="TLS-IDENTITY"/>. Workload identity validation complements, rather than replaces, DNS-based server authentication by providing an authenticated workload identity for authorization decisions. Only deployments that do not rely on DNS-based server identification should authenticate the server solely using its workload identity. Accepting any certificate issued by a trusted workload CA without validating that it represents the intended server workload would allow mis-issued or otherwise valid certificates for other workloads to be used for impersonation.</t>
      <t>Client authentication is based on the workload identity certificate presented by the TLS client. A server performing mTLS authentication <bcp14>MUST</bcp14> validate the client certificate chain, the associated trust domain, and the workload identifier before using that identity for authorization, accounting, or auditing. Accepting any valid client certificate from a trusted CA without checking whether the authenticated workload is authorized for the requested action can allow unintended workloads to gain access.</t>
      <t>Workload identity certificates are often issued to dynamic or short-lived workloads. Deployments <bcp14>SHOULD</bcp14> use certificate lifetimes that are appropriate for the workload environment and <bcp14>SHOULD</bcp14> provide timely revocation or replacement mechanisms when workload identity, authorization, or runtime state changes. Long-lived certificates increase the impact of private key compromise and stale authorization decisions.</t>
      <t>Private keys associated with workload identity certificates <bcp14>MUST</bcp14> be protected against disclosure and unauthorized use. In particular, deployments <bcp14>MUST NOT</bcp14> share private keys across unrelated workload instances. Where possible, private keys <bcp14>SHOULD</bcp14> be generated and held in the workload runtime environment or a dedicated key protection mechanism, rather than distributed over the network.</t>
      <t>This document specifies authentication at the TLS layer. If application traffic traverses intermediaries, gateways, service meshes, or other middleboxes that terminate and re-establish TLS, the application endpoint might not be directly authenticated to the peer workload. In such deployments, authorization decisions need to account for where TLS is terminated and whether the authenticated certificate represents the peer workload, an intermediary, or another delegated entity. Where end-to-end workload authentication context is required across such boundaries, deployments <bcp14>SHOULD</bcp14> use an application-layer WIMSE protection mechanism in addition to TLS-layer server authentication.</t>
      <t>Client certificate authentication exposes the client workload identity to the TLS server during the handshake. Deployments should consider whether disclosure of workload identifiers to servers, intermediaries, or logs is acceptable for their threat model. Workload identifiers included in certificates and audit records should avoid embedding unnecessary sensitive information.</t>
      <t>Authorization decisions based on workload identity need to be made using the authenticated identity obtained from the validated certificate, not from unauthenticated application-layer metadata such as HTTP headers. Application-layer identity assertions can be useful for logging or context, but they <bcp14>MUST NOT</bcp14> override the identity established by mutual TLS unless protected and authorized by another mechanism.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="WIMSE-CREDS">
          <front>
            <title>WIMSE Workload Credentials</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones up to complex multi-service, multi-cloud, multi-
   tenant deployments.

   This document defines the credentials that workloads use to represent
   their identity.  They can be used in various protocols to
   authenticate workloads to each other.  To use these credentials,
   workloads must provide proof of possession of the associated private
   key material, which is covered in other documents.  This document
   focuses on the credentials alone, independent of the proof-of-
   possession mechanism.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-02"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="INET-X509-PROFILE">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="TLS-IDENTITY">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="TLS">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="WIMSE-ARCH">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The increasing prevalence of cloud computing and micro service
   architectures has led to the rise of complex software functions being
   built and deployed as workloads, where a workload is defined as
   software executing for a specific purpose, potentially comprising one
   or more running instances.  This document discusses an architecture
   for designing and standardizing protocols and payloads for conveying
   workload identity and security context information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
      </references>
    </references>
    <?line 142?>

<section anchor="document-history">
      <name>Document History</name>
      <t><cref>RFC Editor: please remove before publication.</cref></t>
      <section anchor="draft-ietf-wimse-mutual-tls-02">
        <name>draft-ietf-wimse-mutual-tls-02</name>
        <ul spacing="normal">
          <li>
            <t>Improved Server Name Validation section</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-mutual-tls-01">
        <name>draft-ietf-wimse-mutual-tls-01</name>
        <ul spacing="normal">
          <li>
            <t>Added security considerations</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-mutual-tls-00">
        <name>draft-ietf-wimse-mutual-tls-00</name>
        <ul spacing="normal">
          <li>
            <t>Initial version, extracted from the draft-ietf-wimse-s2s-protocol-07 S2s draft with minimal edits.</t>
          </li>
          <li>
            <t>added security consideration for Server Name Validation</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We thank Yaron Sheffer, Arndt Schwenkschuster, Brian Campbell,  and Daniel Feldman for their contributions to earlier versions of this document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA6Va65LbOHb+r6fAtn9kZkqSL2PvznTmpmm318r6lu52PE4q
VQuRkIRpklAAsmWty++SZ8mT5TsHAAmS6rYnqXK5JYoADs7lO985wGw2m9S6
LtSpOHln7HVhZC4WTb1VVa0zWWtTibdOVxvxsqkbWYirF5cnE7laWXWTDnnJ
zzFAbYw9nApX55PcZJUsMXNu5bqeaVWvZ3tdOjUrea5ZXbjZg0cT16xK7RyW
qg87vL48v3omxD0hC2ewhq5ytVP4r6pPpuJE5bo2VsuCviwXv+KPsfh0cfXs
ZFI15UrZ00kOQU4nmamcqlzjTkVtGzWBxN9OpFUSsy52uyJs0AlZ5eJCQaIr
XaqTyR672ljT7NIdLkkAXR+ErqCLotbi8uBqVYrz6kZbU5X42Z1MrtUBw/PT
iZiJfRhLn3UYPrlRVQPZhPi/riCEVxMPJMv8lSai56XUBZ6zjn8hdc+N3dAP
0mZb/LCt6507vX+f3qNH+kbN42v36cH9lTV7p+7zDPdp5EbX22ZFVmDrbbwB
748s6h652c6a2mSmoHEFDODqZM3e+Lmfdq7N3TONfu0cZ76tS6w0kfBVY0nd
WFVAdTD2ye9zcSkLs1eHE366borCu+LJvxjV/w17l5X+B3vCqXiDn8SiqI14
pWqyn+OXlFft70b94vzgeaXq/qLv5+LCOFPK663xU4cl30trXCFvhj/3V/53
l8lC2XS5QxiI/3/Z0KN5ZsrJpDK2xKAbeNFEV+vk22w2E3LlaiuzejK52irx
bvny8pztr2uV1Y1VIldrXSk4fT/KKQa8MoNIAjMLZ9b1HiHT+rIj75TiRlpY
5SDMWtgGk5RKqMRLp2JtTSmwgCiNq8VKOp0JQ8tCtdjFrlAfRElOPnPK3uhM
TcPXrDBNHr/UqpJVDZF3hTnwzHNxtdVOAFsa+i7gKmtd0HZaEYc7w+Iqx+Li
t/mTB993r8WQFJmytV7T65inYbQrW7QTX5X4/+u5126p87xQk8k9saxqa/Im
oyVI16lQX6xi6JJ0BKCq1YeatKnxiczHgsMFlcIre9Ppf+7Xwj8/0irWJ3Rb
8QT1cat//PgzP50tLs6e/7icPZ0nMUdvfvo0H+xijQ8Ou4AkXilfpD/pwvZz
2t3Hj5fKb+bP84ck3p+8FGcX508vh2LEmWeZVbn79Il8JVGhCjsuy6ZqbRtU
1LmnFxUmm/sIwBZoXbIkOfTAJNjvHvsoDsHHFFxvi/i+UVboGoh6EJWB/yoh
fcJYFYrFKoqew8+FeIbZ1QdJrj1F3JQqdVueqZDZNe/hzd+WUM7aSoRq4+1T
qUw5J+2BZi9lJTeqr1fMzr4R42WgCMp12mEh7JVjB2IIp3bSkuJo91uzg5gk
JUSAUjKEBQLV4JsVZuczYRsr46x0Za6RTMVX75ZXX99q5Se0fmJiGJF2viIc
sKxEa3bI3pAJdsrYpAdBAMNq7kdq368oeGy6bbwqa9an7JI5lHzAfrBr2la9
lT7CAImV2xlb+9/hG/fuiaetfcQijRVa6iVZAzZ4BrSfTC7UmmYzyU4fzh+N
97r22k0s34/C/VZnW3I62gUmCZ5E+S5MGwxBAoozU92Q8iNFeUoa1/x9Mllg
HNyh1JUpzObgoaQfvgVkdxC5C3wKco4K0BSKGcTLycu3l1fEpeivePWaP1+c
/+vbJfZEny+fL168aD9MwhuXz1+/ffG0+9SNPHv98uX5q6d+MJ6K3qPJycvF
e/xC+zl5/eZq+frV4sXJWHoyNbQDx2Gv31nF9naTXLnM6pV3vF/P3vzPfz98
jD3+6eLZ2aOHD7+HEfyX7x7+5TG+7BHtfjVTIcr9V3K6CZxGScvpDKrM5E7X
YJxTcm0HCKgEHEhBXd/8B2nmP0/FD6ts9/DxT+EBbbj3MOqs95B1Nn4yGuyV
eOTRkWVabfaeDzTdl3fxvvc96j15+MPPBaJZzB5+9/NPE3K+Ietn346oMKvN
7LZy4eO9jqV9gp86Cm1vLgoNneTNKU8KtDukWDntonVWAIn78bHuRTveXAMh
OtSn4AKgy8KHOHOgEZSddcACcbGXvc4g6rvPZDa45BFgAsbUcB9rD8PUuNbK
hoSY+OwoJfYgxIt9t8j/JgudR2VD9NlN+yDdxbGxLsJxQ0g7zK8rJAM2EuUY
AB6FTVZoikeHLUV6gVxT+S1Q3nuH8SJKACPIu6Xn6BMWKZdeRn7CzxxPlKg9
VDdgjLLKwJMIKKu13gA78xZc/Qs5qLRuGdSYlGBvQSg/7U4p+08uNR1kf81Z
Aun4N0KN5avzq9lvMPDszcXrZ8sX5z8CR548+u4BcGSHhCI6PYP1MumEKx7m
7YbxIPM6cOyLXncevL1Knd9rIllIYb1NkesHZ68/68Bg/9lWeTqoPuxgGLJs
Ol1UnE/1xy0Jv7sMEu6129ImoMFok7sliLyKeC0PpJm92/BurfqvRtv2WWKC
ER3z1mS6AqW5rbyGmbyVSoUVciY4O6op2hdGNDuwCQddUAzmYnXoZ5f5Z6OE
wwPDSJJouQDIW3njlfJ3nc+udzP/M4Hg36H/mjoVOefXhgmEz0bBiyBNQa5Q
s0v8ARmiJ90ig//5VhnaZedi0VM/u58OS5EZGQGCnTqvTSOeAYTX53d5aufn
5vIhaD3YIjeK8R+jyFAAeu+EwSU8N16pg8FaHz+OAhAqM0mJVHl++xm9YRtx
UPuY/cK7aK0jaGvnmgQ6UlRnGL4nfEiIVyjk+6jr9TKjCh+Qu1wT6nHRFX3c
K4zLXRm16JOUFE9fERt3NY2epngbrAuy49gAPVuRBhDNfgoOevpIc102q9+x
GPUtlK24GeBF/gq/zpZPv/YEaBiWO2WpeSBcjV+lzRNn72A0gTzpkpAaJLJv
ubbDBFju/NXV8uo9Yef3Tx494ZS2rHrFEGufsOVuS6KMajIqi9ZN0VNaT6ok
gblUmQiCnQHbmBLrLtSxNEEJmsjFDb4SSguZ58yvQXm6ROLze9VmTYqTtlSN
7j4o7EnfOwOaQswm0y5w+stjZSGFBymDdki7c77z4neRa5cZfECWgRKhj20s
3IbmXKk0We41gtM1RI74lbZR5KuOXPnaQfXTxjiNhkSREIIjCax9e6XWXObB
aru6TQVpkiFCRmYc5rhjlgGaEKutrfLFHjV5Whe4yxsfh4q/dcZPn6Zi1dSx
LOSZ0hQ5Z6I49H2sr6rM5B15ZRbwJZJTj6yzc+cle3mAEhIoOT4JFifPCEU9
k96KmgtZ7SM/DuulefY5CMgNcRruK8CjcjB98bv+0j2x3WWBHbhhWUbONm5l
DQVkD+Z2IHsw9VegYUyB2jr2VXqUjZa2R4X5Z9hK9Yrxb48X42lAU2eGtOAV
v2mwUJUpT7jPfCAtekHsS6Dj/OfjPR97MQUk/pPWJ9CP1ahh3K1qbRulY3YE
uvr2YokoZngHuntQ91vv7fXraWwtwAqN5b6WWVG6ILyKKxC++/YHG74faQxt
uurj2JRC2VCDl7IOty9Jn9VmPum1u2h2arIf3WFsADFPxRQbiAUnWJy9cLEC
oQWVkIFhEDlQro7EzXP3NoWNZ9ZVVjQhSguzAVPk3o2f3TmTcb8pzo6Hibpb
gT2Jxe7ErrEgmMQBFmkjhxbz8RNJTB/yGe6JW7RdLAbOGHFAXKkL5i9bBOUd
mEdRz31Blf+/IpTRI1e2gy+kkp06GprE/v9oQDmVNZZxskzO0jDqWBnMDa3l
4tWCuloslgyNrEHrPBLGYFTmjDwu643j+S6jBHfPiWJT+z62T2VhELUiKdiU
iw1icHX86drSdEBp19l3jx//eaUdJREuFYe14FHi6jnXnc3yAbn6I10Cseyh
2bisDEHTI5BbWHqaNkwJdMflQscWjzkZAYLNQ33IpTxXwqMGXqACTYuhKVFL
9JEWj6FmSAjTu6MdFcxbKklUmJihb+x1KSj1cm0HKWhxPGZjR08o6LAhbfGs
bc6nmsJXz81q1p63sOPIo2oieQwYBx1it64bVTFK28O+R9ue6Vm017t4BjRp
QpNU32GvYKXjnQFu8HSksScCUV7JBMJUA5ExJ2IepgAO1OnZIKcaWXlVtdDC
HaK2CvINOi8eI/ywIBrUuqMToF411Stebq0RRlyxTw67Ds7RwsefV4beZHqy
YJEdZEZknAotj/uRBAzOIA+hzvCJdBAMY5S4KyrE66o4jOup3DBuUmeNoG4k
UVR6kMjBPYv8Vu06U9BEXskaa4xkRCy1NJ9AOoUarqyDcdlz0k2eLdroSNqG
vpAg+UP562K72MNTkKudZe/FZwcttZuFJWOg7rULLtDv1q7bSO681p8ztLVd
59q+ZAnccHxy2Ev0dyN92FNHabqmDvVkwuZCRc4H0PTCYMkxxh/pqKUoH7lP
P+rvxvcBbqfV3cgpU3rIVUdLDwe+EQwxltYDRusjiWuAK2Z8vWW/VSHihjmk
E991LLLrE3c0Mpynd4jWVK1f9dxgw6DIPYdx8jl2HmDWmCa6O9XVB2APXXWw
FGB0gKFv0kXmyaFji3BU/KdKKfRa0ZWKENhycHAa99duPzmIZtO2bSRubAia
CqFs1Y0JjmRshC7PbBWcptKudHw+Nnbl6dDsNEG49gEA9l5XbaiifGGqTdh0
T1mgcyjjQzsZEUalLHVyrb6h8UQ+CGbhDhS43HqsZaHuoAZvuqEudXXufHzm
kkJsmISDpaQqoX5LYVw8Bm6qxLFgJ65h6dBCZ00h7bQHwy2JcFuy2a4nYGaN
Q5VVAZ8HzltRDstIee/oyJG6206vqKzqzRCsCqk3qiKqS1JDxC31dofHIEcu
5XB8Qt48RA+pPDlYa52gn+KgD1Swq4ZGUB+Kl6n83aj5kGjHJDu++VIPC9Dl
8XM8/KVeOzsMdaggLd00QobdQGiqbKYiXoBAgGz5BkNEdH85Z2U+xMjxPS4u
/qAoq2aAA5Be7bYkSo8KsxSxZYiZNts63vzItYWOEEF99AnEiml21HvXpOud
Z97ixNBjOITzKOo7i+wD4SSz3YA39e1QmMLHIIP2BCTsT1V78LAdGZsq1Ibn
iyneeyT0Qie+Ki1oBhaOfR/tYm8/jz7P+lhhg3kwZX4cAgmdO2PM/EUO31U/
5qfcrAjVKCmRKJ0fc5SCdYn8jvMnsGSq/I82CNKTxejMsUnbtNQ+ObZKkT6w
rVgItJZM4OaWwpmWCydQ01FQwHaF2fBtMN9z5ZIuJAiqfbbUOxWlgWVHJNdP
nzZPxhduuCEC9+erIpEy3hgkc1WiUmU621Td5SW6b6v5ACJpOEP1i1sioKVQ
YzXH4ODWUf4FleS44RW5Ui8+phzX/I5H926qsfuVqpaYQXonRh3x/OrqDSAX
AlkA9mI0oJUGGUlZX5t3hwdUrq690Ta0G2Nj4Pj+dE23odo0QnhrOYO3bS9M
3GKYJ5PJTcWmQiXu0qSWXDgMdDxEehtF4V7jSmbX1FF5GqH8OXDf2MPkB6Tt
9U8Xz87EOV+8PhUohSiPW1UaOgT0dHHXrKIi5j/c5zHcV/3M1e/JN9TIAE+B
dLectTkVrlh+braHNNsi97VCaPFkg77Q5+Z4wBLRHSuolEKO2Q7MQ1cyU8+6
89ry7MFfxOUj51/yfAQorkvMSbfXQV6+IeS6VVB2kePqIBstsuvK7AuVbxhb
Jh9P/bV3lf94spaFUyd0C4SPZqprQbePK3G5Veu1Al9Z2CqvxWW23avq2mVb
4t14/CuoZSXOZLlbqaKYCn/fDB6iCvEMBKOUVQIr5LNMCmJDVUlbUPEQVOZ8
96V34v6/CCnWAmowAAA=

-->

</rfc>
