<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-jennings-moq-mocha-identity-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="mocha-identity">MOCHA Identity: Authentication, Authorization, and Federation</title>
    <seriesInfo name="Internet-Draft" value="draft-jennings-moq-mocha-identity-00"/>
    <author fullname="Cullen Jennings">
      <organization>Cisco</organization>
      <address>
        <email>fluffy@iii.ca</email>
      </address>
    </author>
    <author fullname="Suhas Nandakumar">
      <organization>Cisco</organization>
      <address>
        <email>snandaku@cisco.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Applications and Real-Time</area>
    <workgroup>Media Over QUIC</workgroup>
    <keyword>MoQ</keyword>
    <keyword>MOQT</keyword>
    <keyword>MOCHA</keyword>
    <keyword>Identity</keyword>
    <keyword>Authorization</keyword>
    <keyword>Federation</keyword>
    <keyword>Privacy Pass</keyword>
    <keyword>C4M</keyword>
    <keyword>DPoP</keyword>
    <abstract>
      <?line 57?>

<t>This document specifies identity, authentication, authorization,
and federation for MOCHA (MoQ Open Communication &amp; Hosting
Architecture). It defines how users authenticate with Identity
Providers (IdPs), how authorization tokens (C4M and Privacy Pass)
are issued and validated at relays, how permissions map to MOQT
namespaces, and how users from one Provider obtain access to
resources on a federated Provider.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-jennings-moq-mocha-identity/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Media Over QUIC Working Group mailing list (<eref target="mailto:moq@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/moq/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/moq/"/>.
      </t>
    </note>
  </front>
  <middle>
    <?line 67?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>MOCHA requires participants to prove their identity and obtain
authorization before publishing or subscribing to tracks on MOQT
relays. This document specifies the identity and authorization
architecture, covering:</t>
      <ul spacing="normal">
        <li>
          <t>Identity Provider (IdP) authentication (OIDC, guest, future methods)</t>
        </li>
        <li>
          <t>Token issuance via C4M <xref target="C4M"/> for identified access with DPoP binding</t>
        </li>
        <li>
          <t>Role-to-scope mapping for the MOCHA namespace hierarchy</t>
        </li>
        <li>
          <t>Federated identity exchange across Providers</t>
        </li>
        <li>
          <t>Token refresh and revocation</t>
        </li>
      </ul>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>See BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>.</t>
      <t>This document uses terminology defined in <xref target="MOCHA-ARCH"/>, including
Provider, Organization, Team, Channel, Device, and DevID.</t>
      <t>The following identifiers are defined in this document:</t>
      <dl>
        <dt>HClientID:</dt>
        <dd>
          <t>A hashed client identifier derived via HMAC. Used in
namespace tuples and track names instead of the raw
clientID. See <xref target="id-derivation"/>.</t>
        </dd>
        <dt>HDevID:</dt>
        <dd>
          <t>A hashed device identifier derived via HMAC. Used in
track names instead of the raw devID. See <xref target="id-derivation"/>.</t>
        </dd>
      </dl>
      <t>The following additional terms are used:</t>
      <dl>
        <dt>Identity Provider (IdP):</dt>
        <dd>
          <t>A service that authenticates users and asserts their identity.
Examples include OIDC-compliant providers, enterprise SSO, and
self-hosted identity services. The IdP answers "who is this user?"</t>
        </dd>
        <dt>Provider Token Service:</dt>
        <dd>
          <t>The MOCHA component that validates identity assertions from IdPs,
determines user permissions, and issues access tokens
(C4M) for relay access.</t>
        </dd>
      </dl>
      <t>Access Tokens: A C4M (CAT for MOQT) CWT (CBOR Web Token) that encodes a
  user's identity and MOQT namespace permissions. Defined in
  <xref target="C4M"/>. When used in Mocha, the token includes a DPoP confirmation
  claim (<tt>cnf</tt>) binding it to the client's key.</t>
      <t>ID Token: : An OIDC (OpenID Connect) token that provides the
  authenticated identity of the user.</t>
      <dl>
        <dt>DPoP (Demonstrating Proof of Possession):</dt>
        <dd>
          <t>A mechanism that binds a C4M token to the client's asymmetric
key pair. The client generates a fresh DPoP proof for each MOQT
action, preventing token theft and replay. See <xref target="dpop"/>.</t>
        </dd>
        <dt>Authorization Parameter:</dt>
        <dd>
          <t>The MOQT parameter that carries authentication credentials. It
can appear in CLIENT_SETUP, SUBSCRIBE, SUBSCRIBE_NAMESPACE,
PUBLISH, PUBLISH_NAMESPACE, and FETCH messages.</t>
        </dd>
        <dt>Relay:</dt>
        <dd>
          <t>Validates access tokens and enforces access control for
MOQT operations. Relays do not authenticate users directly;
they trust tokens signed by known issuers.</t>
        </dd>
      </dl>
    </section>
    <section anchor="architecture-overview">
      <name>Architecture Overview</name>
      <t>The client does a normal OpenID SSO login flow to authenticate to the
Provider Token Service to get an ID Token and an Access Token with DPoP.</t>
      <t>For each Org at the Provider, the Provider keeps tracks of:
* all of the users in the Org
* for each users in its Org, all of their devices
* all the teams in its Org,
* for each team, all of  users (in the Org or other Providers/Orgs) and their roles,
* for each team, all of its channels,
* for each of the channels, its users (in this Org or other Providers/Orgs) and their roles,
* for each of the channels, all of the meetings</t>
      <t>TODO: Add  support for  federation</t>
      <t>The Provider Token Service takes an ID Token and generates Access
Token(s) with the required scopes for Relays for all the Mocha
services. The Provider Token Service coordiates with the CDNs providing
the Relays so the relays can validate the Access Tokens.</t>
      <t>The exact scopes needed for Access Tokens are defined in the
specifications that define the Mocha service.</t>
      <t>Clients use the Access Tokens when sending requests to the Relays.</t>
      <t>A Client that is acting as User on a different provider can also ask for
Access Tokens for this resources in this Provider. This allows federated
actions where a Client on Provider A can participated in meetings or
channels that are owned by an Org on Provier B.</t>
      <figure anchor="fig-arch">
        <name>Identity Architecture</name>
        <artwork><![CDATA[
                   MOCHA Identity Architecture

  +----------+                                    +----------+
  |   IdP    |  (OIDC, Enterprise SSO, etc.)      | PP-Issuer|
  +----+-----+                                    +----+-----+
       |                                               |
       | ID Token                          blind sign  |
       v                                               v
  +----+-----+     (2) AUTHORIZATION param     +------+------+
  |  Client  |  -----------------------------> |    Relay    |
  | (Device) |   (C4M + DPoP )                 | (Validates) |
  +----+-----+                                 +------+------+
       |                                               |
       | (1) authenticate + request token              |
       v                                               |
  +----+-----------------------------------------+     |
  |            Token Service                     |     |
  |  - Validates IdP assertions                  |     |
  |  - Checks membership/permissions             |     |
  |  - Mints C4M tokens with DPoP binding        |     |
  |  - Proxies PP blind token requests           |     |
  +----------------------------------------------+     |
                                                       |
            (3) SUBSCRIBE / PUBLISH granted            |
            <------------------------------------------+
]]></artwork>
      </figure>
    </section>
    <section anchor="idp-auth">
      <name>Identity Provider Authentication</name>
      <section anchor="overview">
        <name>Overview</name>
        <t>Before obtaining authorization tokens, a user must authenticate
with an Identity Provider. MOCHA supports pluggable IdPs. The
Token Service validates the IdP assertion and establishes a
session.</t>
      </section>
      <section anchor="oidc-authentication">
        <name>OIDC Authentication</name>
        <figure anchor="fig-oidc">
          <name>OIDC Authentication Flow</name>
          <artwork><![CDATA[
  Client                   IdP (OIDC)             Token Service
    |                          |                        |
    |  (1) OAuth/OIDC flow     |                        |
    |  (browser redirect or    |                        |
    |   native sign-in)        |                        |
    |------------------------->|                        |
    |                          |                        |
    |  (2) ID Token (JWT)      |                        |
    |<-------------------------|                        |
    |                          |                        |
    |  (3) POST /auth/oidc     |                        |
    |      Authorization: Bearer <ID Token>             |
    |-------------------------------------------------->|
    |                          |                        |
    |                          |  (4) Verify signature  |
    |                          |      via JWKS fetch    |
    |                          |<-----------------------|
    |                          |----------------------->|
    |                          |                        |
    |                          |  (5) Validate claims:  |
    |                          |      iss, aud, exp,    |
    |                          |      email_verified    |
    |                          |                        |
    |  (6) 200 OK                                      |
    |      { user_id, session_token }                  |
    |<--------------------------------------------------|
    |                          |                        |
]]></artwork>
        </figure>
        <t>The Token Service MUST validate the ID Token per <xref target="OIDC"/>
Section 3.1.3.7 (issuer, audience, expiry, signature via JWKS).</t>
      </section>
      <section anchor="guest-authentication">
        <name>Guest Authentication</name>
        <t>For deployments allowing pseudonymous access:</t>
        <figure anchor="fig-guest">
          <name>Guest Authentication</name>
          <artwork><![CDATA[
  Client                             Token Service
    |                                      |
    |  POST /auth/guest                    |
    |  { "display_name": "Alice" }         |
    |------------------------------------->|
    |                                      |
    |  200 OK                              |
    |  { "user_id": "guest-7a3f",          |
    |    "session_token": "s_..." }        |
    |<-------------------------------------|
    |                                      |
]]></artwork>
        </figure>
        <t>Guest users receive a server-assigned pseudonymous identity.
Guest sessions MAY have reduced permissions compared to
authenticated users.</t>
      </section>
    </section>
    <section anchor="c4m">
      <name>C4M Token Issuance and Validation</name>
      <section anchor="overview-1">
        <name>Overview</name>
        <t>C4M (CAT for MOQT) <xref target="C4M"/> is the primary authorization mechanism
for identified access. MOCHA deployments MUST use DPoP
(Demonstrating Proof of Possession) to bind C4M tokens to the
client's key pair, preventing token theft and replay.</t>
        <t>Token format and CWT claims (Section 2), DPoP claims and proof
generation (Section 3.1), and DPoP proof process and token
binding flow (Section 3.2) from <xref target="C4M"/> MUST be used for
MOCHA authorization.</t>
      </section>
      <section anchor="dpop">
        <name>Token Request</name>
        <t>After authentication, the client requests a C4M token scoped to
a specific channel and role. The client provides its public key
for DPoP binding. The Token Service validates the session,
checks membership, determines role permissions, and mints a
C4M token with a <tt>cnf</tt> claim binding it to the client's key.</t>
        <t>The complete HTTP issuance flow is specified in
<xref target="http-issuance"/>.</t>
        <t>The Token Service maps the user's role and channel membership
to <tt>moq_scopes</tt> within the C4M token. The scopes use the MOCHA
namespace hierarchy:</t>
        <artwork><![CDATA[
  moq_scopes: {
    publish: ["mocha/<provider>/<org>/<team>/<channel>/participant/*"],
    subscribe: ["mocha/<provider>/<org>/<team>/<channel>/*"]
  }
]]></artwork>
      </section>
      <section anchor="scope-enforcement">
        <name>Scope Enforcement</name>
        <t>Scope enforcement follows the positional namespace matching
rules defined in <xref target="C4M"/>, Section 2.1. The relay evaluates
each namespace field against the corresponding match object
in the token's <tt>moqt</tt> claim. Actions not explicitly permitted
by the token are denied by default.</t>
        <t>For example, a MOCHA participant token might encode scopes
that permit publishing under their device prefix within a
channel, while allowing subscription to all tracks in that
channel:</t>
        <artwork><![CDATA[
  Token scope (publish): mocha/provider.example/acme/eng/general/
                         participant/<device-id>/...
  Token scope (subscribe): mocha/provider.example/acme/eng/general/...

  PUBLISH request:  mocha/provider.example/acme/eng/general/
                    participant/device-a3f2/messages/live
  Result: PERMITTED (matches publish scope)

  SUBSCRIBE request: mocha/provider.example/acme/eng/general/
                     moderator/device-b1c4/messages/live
  Result: PERMITTED (matches subscribe scope)
]]></artwork>
      </section>
    </section>
    <section anchor="privacy-pass">
      <name>Privacy Pass Token Issuance and Validation</name>
      <section anchor="overview-2">
        <name>Overview</name>
        <t>Privacy Pass <xref target="PrivacyPassAuth"/> provides cryptographic
unlinkability: the relay can verify a token was legitimately
issued without correlating it to the identity that requested it.
This enables anonymous participation in channels. Illustrative
call flows are provided in <xref target="pp-call-flows"/>.</t>
        <t>For scoped access, Partially Blind RSA tokens carry public
metadata encoding the permitted MOCHA namespaces without breaking
unlinkability. The relay uses these extensions for scope
enforcement identical to C4M tokens, but cannot determine which
user holds the token.</t>
      </section>
      <section anchor="mocha-token-issuance">
        <name>MOCHA Token Issuance</name>
        <t>Token types, issuance protocol, attester authentication, and
token wire format are defined in <xref target="PrivacyPassAuth"/>. The Token
Service acts as Attester (<xref target="PrivacyPassAuth"/>, Section 3) and
authenticates to the PP-Issuer using HTTP Message Signatures
<xref target="RFC9421"/>.</t>
        <t>In the MOCHA context, the Token Service:</t>
        <ol spacing="normal" type="1"><li>
            <t>Validates the client's session and channel membership (as
in the C4M flow).</t>
          </li>
          <li>
            <t>Determines the namespace scope to encode in the token's
public metadata (for PBRS tokens).</t>
          </li>
          <li>
            <t>Attests to the PP-Issuer that the client is authorized for
the requested scope.</t>
          </li>
        </ol>
        <t>The client presents the resulting token in the AUTHORIZATION
parameter of any MOQT control message (CLIENT_SETUP, SUBSCRIBE,
PUBLISH, etc.).</t>
      </section>
      <section anchor="pp-reverse">
        <name>Reverse Flow</name>
        <t>MOCHA deployments MAY use the Privacy Pass reverse flow
<xref target="PP-REVERSE"/> where the relay acts as both attester and issuer.
The client bootstraps with a publicly verifiable token from an
external issuer, and the relay responds with privately verifiable
tokens for subsequent operations.</t>
        <t>The reverse flow enables continuous unlinkable authorization
without requiring an external issuer after the initial bootstrap.
Token replenishment is piggybacked on normal MOQT control message
exchanges using batched tokens <xref target="PP-BATCH"/>. The bootstrap,
continuous authorization, and batch token encoding are defined in
<xref target="PrivacyPassAuth"/> (Sections 4-5) and <xref target="PP-REVERSE"/> (Section 4).</t>
      </section>
    </section>
    <section anchor="roles">
      <name>Roles and Token Scopes</name>
      <t>Roles (Owner, Moderator, Participant, Observer) are defined in
<xref target="MOCHA-ARCH"/> and assigned at the  Organization, Team,
and Channel levels. The permissions associated with each role
(publish, subscribe, moderation, management) are application
policy specified in <xref target="MOCHA-ARCH"/>.</t>
      <t>This document defines how the Token Service translates a user's
role into C4M token scopes. When a user requests a token, the
Token Service determines their role for the target channel and
encodes the corresponding namespace permissions:</t>
      <artwork><![CDATA[
  User: alice@provider.example
  Team: acme/eng
  Channel: general
  Role: participant

  Resulting C4M scopes:
    publish:   ["mocha/provider.example/acme/eng/general/participant/*"]
    subscribe: ["mocha/provider.example/acme/eng/general/*"]

  User: bob@provider.example
  Role: moderator

  Resulting C4M scopes:
    publish:   ["mocha/provider.example/acme/eng/general/moderator/*",
                "mocha/provider.example/acme/eng/general/moderation/*"]
    subscribe: ["mocha/provider.example/acme/eng/general/*"]
]]></artwork>
      <t>The scope patterns follow the MOCHA namespace hierarchy and are
enforced by the relay per <xref target="C4M"/>, Section 2.1. The same scopes
apply when using Privacy Pass with PBRS tokens — the namespace
permissions are encoded in the token's public metadata extensions
(see <xref target="PrivacyPassAuth"/>) and enforced identically by the relay.</t>
    </section>
    <section anchor="federation">
      <name>Federation</name>
      <t>Federation allows a user authenticated with one Provider to
participate in Teams and Channels hosted by a different Provider.
The home Provider vouches for the user's identity via a signed
assertion, and the remote Provider issues a locally-valid C4M
token after verifying trust and applying its federation policies.</t>
      <section anchor="federation-model">
        <name>Federation Model</name>
        <figure anchor="fig-federation">
          <name>Federated Providers</name>
          <artwork><![CDATA[
  +------------------+                    +------------------+
  | Provider A       |                    | Provider B       |
  | (home)           |                    | (remote)         |
  |                  |    Federation      |                  |
  | Token Service A  |<------------------>| Token Service B  |
  | Relay A          |    Trust           | Relay B          |
  | Users: Alice     |                    | Users: Bob       |
  +------------------+                    +------------------+

  Alice (home: A) wants to join a Channel on Provider B.
]]></artwork>
        </figure>
      </section>
      <section anchor="federation-establishment">
        <name>Federation Establishment</name>
        <t>Providers establish federation trust via mutual discovery and
key exchange:</t>
        <figure anchor="fig-fed-establish">
          <name>Federation Establishment</name>
          <artwork><![CDATA[
  Provider A                                Provider B
      |                                          |
      | (1) GET /.well-known/mocha-federation    |
      |----------------------------------------->|
      |                                          |
      | (2) { realm, federation_relays,          |
      |       signing_key, policies }            |
      |<-----------------------------------------|
      |                                          |
      | (3) Verify signing_key via DNSSEC/TLS    |
      |                                          |
      | (4) Store Provider B's public key        |
      |     in trusted federation peers          |
      |                                          |
      | (5) Provider B does same for A           |
      |<---------------------------------------->|
      |                                          |
]]></artwork>
        </figure>
        <t>The well-known document:</t>
        <artwork><![CDATA[
GET https://provider-b.example/.well-known/mocha-federation

{
  "realm": "provider-b.example",
  "federation_relays": ["moqt://relay.provider-b.example:443"],
  "signing_key": "<Ed25519 public key, base64>",
  "token_exchange_endpoint": "https://auth.provider-b.example/federation/exchange",
  "policies": {
    "allow_inbound": true,
    "allowed_providers": ["*"],
    "blocked_providers": []
  }
}
]]></artwork>
      </section>
      <section anchor="fed-exchange">
        <name>Federated Token Exchange</name>
        <t>When Alice (Provider A) wants to access a Channel on Provider B,
a token exchange occurs:</t>
        <figure anchor="fig-fed-exchange">
          <name>Federated Token Exchange</name>
          <artwork><![CDATA[
  Alice        Token Service A       Token Service B        Relay B
    |                |                      |                  |
    | (1) Request    |                      |                  |
    |  federated     |                      |                  |
    |  access to     |                      |                  |
    |  provider-b/   |                      |                  |
    |  org/team/ch   |                      |                  |
    |--------------->|                      |                  |
    |                |                      |                  |
    |                | (2) Create signed    |                  |
    |                |  federation assertion|                  |
    |                |  (Ed25519):          |                  |
    |                |  { sub, home_realm,  |                  |
    |                |    target, roles,    |                  |
    |                |    exp }             |                  |
    |                |                      |                  |
    |                | (3) POST /federation/exchange           |
    |                |   { assertion, requested_scope }        |
    |                |--------------------->|                  |
    |                |                      |                  |
    |                |       (4) Verify assertion signature    |
    |                |           against Provider A's          |
    |                |           known public key              |
    |                |                      |                  |
    |                |       (5) Check federation policies:    |
    |                |           - Provider A allowed?         |
    |                |           - Target channel permits      |
    |                |             remote users?               |
    |                |           - Role mapping valid?         |
    |                |                      |                  |
    |                |       (6) Mint C4M token with           |
    |                |           Provider B's signing key      |
    |                |                      |                  |
    |                | (7) { token: <C4M>, expires_at }        |
    |                |<--------------------|                  |
    |                |                      |                  |
    | (8) Federated  |                      |                  |
    |  C4M token     |                      |                  |
    |<---------------|                      |                  |
    |                |                      |                  |
    | (9) CLIENT_SETUP { AUTHORIZATION: <C4M from B> }        |
    |-------------------------------------------------------->|
    |                |                      |                  |
    |                |                      |  (10) Validate   |
    |                |                      |  with B's key    |
    |                |                      |                  |
    | (11) SERVER_SETUP                                       |
    |<--------------------------------------------------------|
    |                |                      |                  |
]]></artwork>
        </figure>
        <t>The home Provider creates an Ed25519-signed assertion containing
the user's identity (issuer, subject), the target Provider and
namespace, the user's home roles, a validity window (issued-at
and expiry), and a fresh nonce to prevent replay. The assertion
is scoped to the remote Provider via an audience claim.</t>
        <t>The remote Provider validates the signature against the home
Provider's known public key, checks the assertion has not
expired, and maps the home roles to local permissions according
to its federation policy. The remote Provider MAY downgrade
roles (e.g., a home "moderator" becomes a remote "participant").</t>
      </section>
    </section>
    <section anchor="token-service">
      <name>Token Service</name>
      <t>The Token Service is the MOCHA component responsible for
minting, refreshing, and revoking C4M access tokens.</t>
      <t>The Token Service interacts with other components via two
mechanisms:</t>
      <dl>
        <dt>HTTP API:</dt>
        <dd>
          <t>Clients call the Token Service HTTP endpoint to mint
initial C4M tokens (before a MOQT session exists).
See <xref target="http-issuance"/>.</t>
        </dd>
        <dt>MOQT Tracks:</dt>
        <dd>
          <t>The Token Service publishes on MOQT tracks that relays
and clients subscribe to:
</t>
          <ul spacing="normal">
            <li>
              <t>Per-client refresh track: delivers rotated tokens to
each client. See <xref target="refresh"/>.</t>
            </li>
            <li>
              <t>Revocation track: notifies relays and clients of
revoked tokens. See <xref target="revocation"/>.</t>
            </li>
          </ul>
        </dd>
      </dl>
      <section anchor="http-issuance">
        <name>HTTP Token Issuance</name>
        <t>Before establishing a MOQT session, a client obtains a C4M
token from the Token Service via its HTTP API. The client
presents its session credentials (obtained after IdP
authentication per <xref target="idp-auth"/>) along with its DPoP public
key:</t>
        <figure anchor="fig-http-issue">
          <name>HTTP Token Issuance</name>
          <artwork><![CDATA[
  Client                              Token Service
    |                                       |
    |  POST /token                          |
    |  Authorization: Bearer <session_token>|
    |  {                                    |
    |    "org_id": "acme",                  |
    |    "team_id": "engineering",          |
    |    "channel_id": "general",           |
    |    "role": "participant",             |
    |    "dpop_jwk": { <client public key> }|
    |  }                                    |
    |-------------------------------------->|
    |                                       |
    |  (1) Validate session                 |
    |  (2) Check membership and role        |
    |  (3) Mint C4M token with DPoP binding |
    |                                       |
    |  200 OK                               |
    |  { "token": "<base64 CWT>",           |
    |    "expires_at": 1749903600 }         |
    |<--------------------------------------|
    |                                       |
]]></artwork>
        </figure>
        <t>The Token Service maps the user's role and channel membership
to <tt>moq_scopes</tt> within the C4M token per <xref target="roles"/>.</t>
      </section>
      <section anchor="refresh">
        <name>Token Refresh</name>
        <t>C4M tokens are intentionally short-lived. To maintain
continuous access without requiring the client to
re-authenticate via the IdP, MOCHA provides in-session token
refresh over MOQT.</t>
        <t>Once a MOQT session is active, the client subscribes to a
per-user token refresh track. The Token Service proactively
publishes a new token before the current one expires:</t>
        <figure anchor="fig-refresh">
          <name>In-Session Token Refresh</name>
          <artwork><![CDATA[
  Client                Relay              Token Service
    |                     |                      |
    | SUBSCRIBE           |                      |
    | mocha/<provider>/   |                      |
    |   tokens/<user_id>  |                      |
    |-------------------->|                      |
    |                     |--------------------->|
    |                     |                      |
    |                     |      (token nearing  |
    |                     |       expiry)        |
    |                     |                      |
    |                     |  OBJECT: new token   |
    |                     |<---------------------|
    |  new token          |                      |
    |<--------------------|                      |
    |                     |                      |
]]></artwork>
        </figure>
        <t>The Token Service SHOULD publish the refreshed token at
approximately 75% of the current token's lifetime, providing
an overlap window where both the old and new tokens are valid.</t>
      </section>
      <section anchor="revocation">
        <name>Token Revocation</name>
        <t>For immediate access removal (e.g., user banned, role changed,
device compromised), the Token Service publishes revocation
objects to a dedicated revocation track. Both relays and
clients subscribe to this track.</t>
        <section anchor="revocation-track">
          <name>Revocation Track</name>
          <artwork><![CDATA[
  Namespace: mocha/<provider>/tokens
  Track: revocations
]]></artwork>
        </section>
        <section anchor="revocation-object-format">
          <name>Revocation Object Format</name>
          <t>Each revocation object carries the SHA-256 hash of the
revoked token, enabling relays and clients to identify the
specific token without exposing its contents:</t>
          <sourcecode type="json"><![CDATA[
{
  "token_hash": "<SHA-256 hash of the revoked C4M token>",
  "revoked_at": 1749901500,
  "reason": "role_change",
  "affected_scopes": [
    "mocha/provider.example/acme/eng/private/*"
  ]
}
]]></sourcecode>
        </section>
        <section anchor="revocation-fields">
          <name>Revocation Fields</name>
          <dl>
            <dt>token_hash (REQUIRED):</dt>
            <dd>
              <t>SHA-256 hash of the C4M token being revoked, hex-encoded.
Relays and clients match this against hashes of tokens
they hold or have validated.</t>
            </dd>
            <dt>revoked_at (REQUIRED):</dt>
            <dd>
              <t>Revocation time in seconds since Unix epoch.</t>
            </dd>
            <dt>reason (OPTIONAL):</dt>
            <dd>
              <t>Human-readable reason for the revocation (e.g.,
"role_change", "ban", "device_compromised").</t>
            </dd>
            <dt>affected_scopes (OPTIONAL):</dt>
            <dd>
              <t>List of namespace scope patterns affected by this
revocation, for informational purposes.</t>
            </dd>
          </dl>
        </section>
        <section anchor="relay-enforcement">
          <name>Relay Enforcement</name>
          <t>Relays MUST subscribe to the revocation track of each Token
Service whose tokens they accept. Upon receiving a revocation
object, the relay:</t>
          <ol spacing="normal" type="1"><li>
              <t>Computes the SHA-256 hash of each active token it has
validated for the affected session(s).</t>
            </li>
            <li>
              <t>If a match is found, immediately terminates any SUBSCRIBE
or PUBLISH operations authorized by that token.</t>
            </li>
            <li>
              <t>Caches the token_hash for the remainder of the token's
original validity period to reject any late-arriving
requests using the revoked token.</t>
            </li>
          </ol>
        </section>
        <section anchor="client-behavior">
          <name>Client Behavior</name>
          <t>Clients SHOULD also subscribe to the revocation track. Upon
receiving a revocation matching a token they hold, clients
MUST stop using that token and request a new one via HTTP
(<xref target="http-issuance"/>) or await a refresh on their token track.</t>
          <figure anchor="fig-revocation">
            <name>Token Revocation Flow</name>
            <artwork><![CDATA[
  Token Service          Relay              Client
    |                     |                   |
    |  PUBLISH revocation |                   |
    |  (token_hash=0xab..) |                  |
    |-------------------->|                   |
    |                     |                   |
    |                     | (match found:     |
    |                     |  terminate session)|
    |                     |                   |
    |                     | OBJECT: revocation|
    |                     |------------------>|
    |                     |                   |
    |                     |                   | (stop using
    |                     |                   |  revoked token,
    |                     |                   |  request new one)
    |                     |                   |
]]></artwork>
          </figure>
        </section>
      </section>
    </section>
    <section anchor="id-derivation">
      <name>Identifier Derivation</name>
      <t>Both the HClientID and HDevID used in namespace tuples and
track names are derived using HMAC with a shared secret K
between the client and the provider. The clientID is the
identifier for the client participant obtained out of band,
and "||" denotes concatenation.</t>
      <t>The shared secret K is established during the authentication
flow (<xref target="idp-auth"/>) and is unique per client-provider pair.</t>
      <t>The HClientID is computed as:</t>
      <artwork><![CDATA[
  HClientID = HMAC(K, <namespace-tuple-without-HClientID> ||
                  clientID)
]]></artwork>
      <t>The HDevID is computed as:</t>
      <artwork><![CDATA[
  HDevID = HMAC(K, <namespace-tuple-with-HClientID> || devID)
]]></artwork>
      <t>where devID is the device identifier used as the device
identity in the MoQ track. The devID MAY be the hash of
the client's public key used for DPoP binding (<xref target="dpop"/>),
providing a stable per-device identifier tied to the
cryptographic material.</t>
      <t>These derived identifiers ensure that:</t>
      <ul spacing="normal">
        <li>
          <t>The actual clientID and devID are not exposed on the wire</t>
        </li>
        <li>
          <t>Different namespaces produce different HClientID/HDevID
values for the same client, preventing cross-namespace
correlation by relays</t>
        </li>
        <li>
          <t>Only the client and the provider (who share K) can verify
the mapping between the raw identifiers and their hashed
forms</t>
        </li>
      </ul>
    </section>
    <section anchor="discovery">
      <name>Service Discovery</name>
      <t>TODO</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>TODO</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document makes no requests of IANA.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="MoQTransport">
        <front>
          <title>Media over QUIC Transport</title>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
            <organization>Google</organization>
          </author>
          <author fullname="Ian Swett" initials="I." surname="Swett">
            <organization>Google</organization>
          </author>
          <author fullname="Alan Frindell" initials="A." surname="Frindell">
            <organization>Meta</organization>
          </author>
          <date day="12" month="May" year="2026"/>
          <abstract>
            <t>   This document defines Media over QUIC Transport (MOQT), a publish/
   subscribe protocol that runs over QUIC and WebTransport.  MOQT
   leverages the features of these transports, such as streams,
   datagrams, priorities, and partial reliability.  MOQT operates both
   point-to-point and through intermediate relays, enabling scalable
   low-latency delivery.  Despite its name, MOQT is media agnostic and
   can be used for a wide range of use cases.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-transport-18"/>
      </reference>
      <reference anchor="MOCHA-ARCH">
        <front>
          <title>*** BROKEN REFERENCE ***</title>
          <author>
            <organization/>
          </author>
          <date/>
        </front>
      </reference>
      <reference anchor="C4M">
        <front>
          <title>Authorization scheme for MOQT using Common Access Tokens</title>
          <author fullname="Will Law" initials="W." surname="Law">
            <organization>Akamai</organization>
          </author>
          <author fullname="Chris Lemmons" initials="C." surname="Lemmons">
            <organization>Comcast</organization>
          </author>
          <author fullname="Gwendal Simon" initials="G." surname="Simon">
            <organization>Synamedia</organization>
          </author>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <date day="18" month="June" year="2026"/>
          <abstract>
            <t>   A token-based authorization scheme for use with Media Over QUIC
   Transport.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-c4m-01"/>
      </reference>
      <reference anchor="PrivacyPassAuth">
        <front>
          <title>Privacy Pass Authentication for Media over QUIC (MoQ)</title>
          <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
            <organization>Cisco</organization>
          </author>
          <author fullname="Cullen Fluffy Jennings" initials="C. F." surname="Jennings">
            <organization>Cisco</organization>
          </author>
          <author fullname="Thibault Meunier" initials="T." surname="Meunier">
            <organization>Cloudflare Inc.</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>   This document specifies the use of Privacy Pass architecture and
   issuance protocols for authorization in Media over QUIC (MoQ)
   transport protocol.  It defines how Privacy Pass tokens can be
   integrated with MoQ's authorization framework to provide privacy-
   preserving authentication for subscriptions, fetches, publications,
   and relay operations while supporting fine-grained access control
   through prefix-based track namespace and track name matching rules.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-moq-privacy-pass-auth-02"/>
      </reference>
      <reference anchor="PP-REVERSE">
        <front>
          <title>Privacy Pass Reverse Flow</title>
          <author fullname="Thibault Meunier" initials="T." surname="Meunier">
            <organization>Cloudflare Inc.</organization>
          </author>
          <date day="18" month="June" year="2026"/>
          <abstract>
            <t>   This document specifies an instantiation of Privacy Pass Architecture
   [RFC9576] that allows for a "reverse" flow from the Origin to the
   Client.  It describes a method for an Origin to issue a state update
   to the Client in response to a request in which a token is redeemed.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-meunier-privacypass-reverse-flow-05"/>
      </reference>
      <reference anchor="PP-BATCH">
        <front>
          <title>Batched Token Issuance Protocol</title>
          <author fullname="Raphael Robert" initials="R." surname="Robert">
            <organization>Phoenix R&amp;D</organization>
          </author>
          <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
            <organization>Cloudflare</organization>
          </author>
          <author fullname="Thibault Meunier" initials="T." surname="Meunier">
            <organization>Cloudflare Inc.</organization>
          </author>
          <date day="4" month="May" year="2026"/>
          <abstract>
            <t>   This document specifies two variants of the Privacy Pass issuance
   protocol that allow for batched issuance of tokens.  These allow
   clients to request more than one token at a time and for issuers to
   issue more than one token at a time.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-batched-tokens-08"/>
      </reference>
      <reference anchor="RFC8392">
        <front>
          <title>CBOR Web Token (CWT)</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
          <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
          <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
          <date month="May" year="2018"/>
          <abstract>
            <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8392"/>
        <seriesInfo name="DOI" value="10.17487/RFC8392"/>
      </reference>
      <reference anchor="RFC9421">
        <front>
          <title>HTTP Message Signatures</title>
          <author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
          <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
          <author fullname="M. Sporny" initials="M." surname="Sporny"/>
          <date month="February" year="2024"/>
          <abstract>
            <t>This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9421"/>
        <seriesInfo name="DOI" value="10.17487/RFC9421"/>
      </reference>
      <reference anchor="OIDC" target="https://openid.net/specs/openid-connect-core-1_0.html">
        <front>
          <title>OpenID Connect Core 1.0</title>
          <author>
            <organization/>
          </author>
          <date year="2014"/>
        </front>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 795?>

<section anchor="pp-call-flows">
      <name>Privacy Pass Call Flows</name>
      <t>This appendix illustrates the Privacy Pass flows for MOCHA.
The normative protocol is defined in <xref target="PrivacyPassAuth"/> and
<xref target="PP-REVERSE"/>.</t>
      <section anchor="external-issuer-flow">
        <name>External Issuer Flow</name>
        <t>The client authenticates with the IdP, then obtains a Privacy
Pass token via the Token Service (Attester) and external
PP-Issuer, and finally presents it to the relay.</t>
        <figure anchor="fig-pp-external">
          <name>Privacy Pass External Issuer Flow</name>
          <artwork><![CDATA[
  Client          IdP        Token Service       PP-Issuer       Relay
    |              |          (Attester)              |              |
    |              |               |                  |              |
    | (1) Authenticate             |                  |              |
    |------------->|               |                  |              |
    |              |               |                  |              |
    | (2) ID Token |               |                  |              |
    |<-------------|               |                  |              |
    |              |               |                  |              |
    | (3) POST /auth/oidc          |                  |              |
    |   { ID Token }               |                  |              |
    |----------------------------->|                  |              |
    |              |               |                  |              |
    | (4) session_token            |                  |              |
    |<-----------------------------|                  |              |
    |              |               |                  |              |
    | (5) POST /auth/privacypass/challenge            |              |
    |   { room_id, token_type }    |                  |              |
    |----------------------------->|                  |              |
    |              |               |                  |              |
    |              |               | (6) Fetch issuer |              |
    |              |               |     public key   |              |
    |              |               |----------------->|              |
    |              |               |<-----------------|              |
    |              |               |                  |              |
    | (7) TokenChallenge +         |                  |              |
    |     issuer_pub_key           |                  |              |
    |<-----------------------------|                  |              |
    |              |               |                  |              |
    | (8) Generate nonce,          |                  |              |
    |     blind token_input        |                  |              |
    |              |               |                  |              |
    | (9) POST /auth/privacypass/token-request        |              |
    |   { blinded_element }        |                  |              |
    |----------------------------->|                  |              |
    |              |               |                  |              |
    |              |               | (10) Forward     |              |
    |              |               |   + HTTP sig     |              |
    |              |               |----------------->|              |
    |              |               |                  |              |
    |              |               |  (11) Verify     |              |
    |              |               |  attester sig,   |              |
    |              |               |  sign token      |              |
    |              |               |                  |              |
    |              |               | (12) blind_sig   |              |
    |              |               |<-----------------|              |
    |              |               |                  |              |
    | (13) blind_signature         |                  |              |
    |<-----------------------------|                  |              |
    |              |               |                  |              |
    | (14) Unblind, assemble       |                  |              |
    |      final token             |                  |              |
    |              |               |                  |              |
    | (15) CLIENT_SETUP { AUTHORIZATION: token }                    |
    |-------------------------------------------------------------->|
    |              |               |                  |              |
    |              |               |                  | (16) Verify  |
    |              |               |                  | with issuer  |
    |              |               |                  | public key   |
    |              |               |                  |              |
    | (17) SERVER_SETUP (identity unknown to relay)                 |
    |<--------------------------------------------------------------|
    |              |               |                  |              |
]]></artwork>
        </figure>
      </section>
      <section anchor="reverse-flow">
        <name>Reverse Flow</name>
        <t>The reverse flow has three phases: bootstrap, session
establishment, and continuous authorization with token
replenishment.</t>
        <section anchor="step-1-bootstrap">
          <name>Step 1: Bootstrap</name>
          <t>The client connects without credentials. The relay challenges
the client, who obtains a publicly verifiable token from an
external issuer.</t>
          <figure anchor="fig-pp-rev-step1">
            <name>Reverse Flow Step 1: Bootstrap</name>
            <artwork><![CDATA[
  Client              PP-Issuer (external)          Relay
    |                      |                          |
    | (1) CLIENT_SETUP (no auth)                      |
    |------------------------------------------------>|
    |                      |                          |
    | (2) UNAUTHORIZED { TokenChallenge }             |
    |<------------------------------------------------|
    |                      |                          |
    | (3) Blind token      |                          |
    |   request            |                          |
    |--------------------->|                          |
    |                      |                          |
    | (4) blind_signature  |                          |
    |<---------------------|                          |
    |                      |                          |
    | (5) Unblind, assemble publicly                  |
    |     verifiable token (type 0x0002)              |
    |                      |                          |
]]></artwork>
          </figure>
        </section>
        <section anchor="step-2-token-exchange">
          <name>Step 2: Token Exchange</name>
          <t>The client presents the bootstrap token and requests a batch
of privately verifiable tokens from the relay (now acting as
issuer).</t>
          <figure anchor="fig-pp-rev-step2">
            <name>Reverse Flow Step 2: Token Exchange</name>
            <artwork><![CDATA[
  Client                                    Relay (Issuer)
    |                                         |
    | (1) CLIENT_SETUP {                      |
    |       AUTHORIZATION: Token (0x0002),    |
    |       GenericBatchTokenRequest           |
    |     }                                   |
    |---------------------------------------->|
    |                                         |
    |     (2) Validate bootstrap token        |
    |     (3) Issue privately verifiable      |
    |         tokens (type 0x0001/0x0005)     |
    |                                         |
    | (4) SERVER_SETUP {                      |
    |       GenericBatchTokenResponse          |
    |     }                                   |
    |<----------------------------------------|
    |                                         |
]]></artwork>
          </figure>
        </section>
        <section anchor="step-3-continuous-authorization">
          <name>Step 3: Continuous Authorization</name>
          <t>On each subsequent operation, the client presents a privately
verifiable token and piggybacks a new batch request. The relay
validates and replenishes tokens.</t>
          <figure anchor="fig-pp-rev-step3">
            <name>Reverse Flow Step 3: Continuous Authorization</name>
            <artwork><![CDATA[
  Client                                    Relay
    |                                         |
    | (1) SUBSCRIBE {                         |
    |       AUTHORIZATION: PrivateTokenAuth,  |
    |       GenericBatchTokenRequest           |
    |     }                                   |
    |---------------------------------------->|
    |                                         |
    |     (2) Validate private token          |
    |     (3) Issue new batch of tokens       |
    |                                         |
    | (4) GenericBatchTokenResponse            |
    |<----------------------------------------|
    |                                         |
    | (5) PUBLISH {                           |
    |       AUTHORIZATION: PrivateTokenAuth,  |
    |       GenericBatchTokenRequest           |
    |     }                                   |
    |---------------------------------------->|
    |                                         |
    |     (6) Validate, issue new batch       |
    |                                         |
    | (7) GenericBatchTokenResponse            |
    |<----------------------------------------|
    |                                         |
    |     (continues for session lifetime)    |
    |                                         |
]]></artwork>
          </figure>
        </section>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIADVATGoAA+U9a3cbx3Xf51dModMGiPAQKcqOWUUJX4oYWyJNQvZpe3qY
xe6AWAvYhXcXpFiKOf0R/YX9Jb2PeS4WJEBZcdPiJBaInceduXfu+872ej1R
pdVU7crW25ODN3vyOFEZ/HKzK/cW1QS/x1GV5lmX/s6L9D/0n1GWyNcqUQX9
3RLRaFSoKxhnlseTqJfqcVoC+qvLvIARyyoRIsnjLJrBhEkRjaveTyrL0uyy
7M3yn3th196zZ6JcjGZpWcIM1c0cOh0fDV+LbDEbqWJXJDDyrojzrFRZuSh3
ZVUslAAYnouoUBHAsjefT/UCSoL4TEXT3jCdqZa4zosPl0W+mOPaVZJG8uRK
FfL798cHLfFB3cDzZFfInnybf0//nHw/5H9hn/CL2Sr8HmwO/uC2Bv86LdKr
KL6Rp1FZ4t8HO2/xn8PT/FRcqWwBy5ByJTBS8uJbPwLIsFnyT9gSf59F6ZS2
/Oc/pqoa9/PiEn+OingCP0+qal7uDgbYCn9Kr1TfNBvgD4NRkV+XagD9By0h
IloEgtKD/0s5XkynjKsD+KYy+WeNLHoKg0SZXjG0SMs4p98VAzWeLsbjmz+m
adqPI9Ew5vliEpXyHWAl+rCYRcU6g5YZN/9jjE/6cT4TIsuLGbS/oj0EXA2L
KCvneVEBtfQO+0xmuGwisco8xcaIyd7e2cEbv2kDReJeQXvAWuOY8c4Mnmoc
I4qRGhpbzrlNbw6Nerjd2O+0d3b0w9HZ+ZHfZaYWWaoK04M6wPlSRal642l+
zR3394Yh8DST32cUVfFEJb0q/wCHBHqdvT743fNvtnf56zc721v49eT48GCX
dtqwg5O5yo4P5UGeZSqu4N9Cya3+sxY1opMnt59t7XCfqLhUsN+G4HLomyb9
TFWDcq7iUv/Qi3kw+LdQva2LZ/1JNZsKkWZjh0PR6/VkNCoBUXElxHCSlhJ4
xmIGh03iaOk4VaU0TAIYUY1PRQGfEnjqx/YwSpiJ8S7bQCsSVwlrm81gt3kA
+U/yTV5WQAFiD89MBQAvCtXpy+NKJmqcZjD7JL+WixKQ4c+u5HVaTRxbOC3y
KwATGrWPk9Oy06VuAXiS0SLbQFrEn3xG0UEuJoH7LVRCD6+iaYo7D39VslDT
6KbkMeeq0FyyBJYwh1GZW+FBK+dRrErm1w7scZHPZJ4paYCU+aiK0kxGMbQu
YQRRqDJfFPAXtJOR2UOV2C59xtUsTZKpEuKJPM6qIk8WMXE9wbtcqJ8XKQwl
51EBu5TOo6zC4eUcRlESNi8tLDIJSAZEhPs0UmMkwPliNE3LCfJAwCMIhzIu
0hH+CSMixXwgaGnxvEF9uYqCYOpw4mBGEXnI78oYgC1gHqRPi2G3eYjgTo0S
ZRsPVVdeLlRZdYHx4UhypmCSBHDbk0PEPeE3ymIlr4DpIxnc3sJ/7+6IUhk+
ADcxiCESQ7khYdkJUmlPnuVTBQe8ByxxrpAA5rgj2B/XyHiwpCAnwFZwcTfC
SikY3u6E+ggcL7tUMGGRw4SWii3EhRoDQie0Z8CScl4uEgAwiyscxkjbQzwu
Kf0txLlScv/gVG7twBL/AXjP9tbWN7BO/uN3W1/v3N316wceqBUwheSd5dP8
8kafQIA3g46Ogd/ddeGneLqgLTEwd+WJJ0+6cqiiWVcewPoyNe0CeFdprLoa
1KvjQ5pewc5NgcPiHtr9x5MO2PNmr3w4gSzeHExT+HZ8uCtAd5Ig24Dtyph+
9MaBIeCIwxNE95u3ewd9+b6kEYGTOiRVi/lU8SYSWfMjaFVWKoIzMibUFhHK
gVhP3Je4xbe3wGhpElo07ekbWl0AWEJrXxew+2HAwe6bPtzTKEmIJKIpIZY3
FvAMypZYcbIYcmBcBHM1Afbn893S8GI8xCV8rcoaY+nDGo4+RjPaVKYTRTIP
RBH8mAJTIoZEhN6V0EkVIEVLJc/PT4hAYIBSTce9CcgG/7hooIjPKOAMp9C4
vEZoWteTHE43EwoC+AdQsey6+Cidc29c39AeVQQJWDOARCs1XL/0uBUtko4Z
MXIUL12AMFF8VPSO+HKBqZyESemYvNYJUPx0iGEQ09TPAXN73JCALREHyKDa
B3tDLUe/H3bkwY9D+Gn/5Ez+qEbctMOQqyzOE5wOpkB4flOGDBf7ezTvQdtn
1mHIT7PEvvwRcE60gifwLepmXSLCilkpIxYmZA4J6sY4JcUCtXA4J1E6k+2/
xNn4Lx3DPmVakeyAQfgcAZCg/MPaQfmhxexKWHhG1AIsPdCKOnpiWq2mHyI9
1ME9AvXoRZ8a3A6Yg8BsH6oZrLlCDQUAAhKBRvC/U2C/ivZDH4CZQtacljOe
EFeAa0WcaDhqC4nKmxkInCKNASBYFQjhtGBK1YzpUmUkAHAc5uoE0pxgQByr
KJ5o0wfIgtnoHBXRrGKxy+tX40rLgzkQkGEFyTyfEwcIzCNQbgpAeoUmnKF7
IIS5+ZVXF0dFgWK6JlTjQtFWRtMSNTJEawTqyXyuogKJ4uC746N3w4vzo+H7
0648f79/fnB2vH/kfb14t/f26Px07+AIj8zp+/3vjs/fdM0X7ymbuEegYcPO
l2V0qfBInOEJQcB/sOcyOE7US6FGG7tHQImgGk1xR8nugOWCqGaVFNZBY6I0
kVkesjbN2RJQoeJqevPPyIsngEiwdMvKzFiml3hURjfyQ5Zfs0oBvfookn0d
lmzKq1RdM0vWJJDkhH0yo6ZSEziwPQnyFjYUjQ0krAAqJrQV3AyfgjkAGyHN
GWLWnEmfnzhVBgB9bUgNBDZqt0jGTor7fwEdq3lplb3xrvitjKZT/2CVLJ8V
DgZPLRnbZykICHjW9TqmhRaJpR6P2AroC0EHf7SKlAk9gh677SZGBTWH74XT
oAbwc9lhoU4zAkmAar5yUJw1ZmUlbKXXap9RSx+CtHw8CEuDe7s7U6oiB4AY
nhyeAE9KEpCLizka1DSCZ2oxka0ikegDqTchhThuxIQi6FEbACZaIXWD7YlE
krJb0qT6+OBXgzmSDSIUzitAifO8SFKa1c5ycPiu1Awd9Un8SU9S5hoM+gt5
j5HP9HsgMLXqoz4C4zTwZgo2KCFYg7bL6qUS2lYx/itii9zErdEoIDAXK6BE
CMuwyGsUnaVioYe7CFZJaSQGLw7GECDimS3QbGlJTB+1thLVwYJtwSQdj1Wh
PKWJufAUdicqPxCbC2dnYwSGc1alIVRrTrKlFqGeWDpzU7DUoQXAFkUGPpQj
ZvI9mt5amBVvoSFWOAbCULNWHmEgYJTMM6EnnRU9Hgy3jxvx17/+lXwbtU/o
JQ3YKzq5nvbs52lD76WP3x66f4KfUIeU9FUbkEc1bVRVcb/D3T+hE+iY2P0n
M/vTDWd/amfXQ272+eQ62rO88gPWOxxzlFdex6sNZ7xqWml7uyP33g/fnJwd
/+ve8PjkHesT9Exv8tNgnzUZ4dfefZ9XvCN0Qsx6P6HOhqeuQw/Je/OUNafO
8gbJtlUVOnJjNC0Dr0fd7OOhqb3VCaX5U8MPtDrX3HFTNNVWus7nqe0YLC/k
141z+R17nmpGBpmzlh7qeDBRqFXMFAYYykk6H/iutXs6vk2R81pNvMFPs6Ij
8JyPqOaenurDUWkfi2bQTTOuv6G1XX3UJ+zYft5xqrQcGLVZXhZgQwNDXdnx
5QYAE/O93ZVPxuklOd/ZK/37ViPfbd2R83HJdRAGsOTtkzSZk9Md2z/xlOF9
di6y45GEXYOPFvQgNqpnqHn750cQrlGXqYPQ1+JCa0igUkwXl5fRaEqeAlZL
REjdztqvjD/BkC9bFmUVkQ+U7GptH/Z5QWihhos2Yswwu6UPTkBiJuRbAUzC
UV8zgdxPOSjIgOOcIGQDgpFMijV7coQKHRNsA6FOu1ZPmVFAgYRNL83s+h7q
uZIqX60x56oGD/ZE8WXFZ/vPPw476/Vcfaq+KLTABE5PzodygOdgkKdJvGZP
/ATOgF25D5Y7IPilWf6rpp6b8DuDrs9f5z092zsd+YMq0vENUVhE9vXae4s+
1j//+O05qLkVcLe15lyF6od7/ko79KJjBTH73srd9XcIZC6G8hJQdz/Ou+vO
iR8KFV9guIbiJhv0bHhgKf6rjtx+9kyefLt6lMaO+LklwXGRwmI0w75gKX+3
suMG0nJ9OlgNrC9v6TRredsgUuRr4N4octG0DWXX2/fAEgJz2LI0UKPk7S0O
d3cnzhWZdPJ5f6v/vP+1bLPDivANcgpDMoD0tLjpemfLHJkOC7s/kb5al3bo
RkrUfJrfzMgUjkzQYV6qRZJnN7N8YZxyuw8KR/fZSB42oFP67JICgvc2vpWt
JC3Rk3qB7vEWZrJMYeaWRzGbMMaHT3ojGOsQvA+zpnIEl9bY+zp6Pm51GxpL
2QpOAnYpL/r9vrfCjU7Chgv06Z3RoQm+iayQ2Pl3drGBGqJQs2Dfiyp6oKGx
BzagMhd74s56waV8u/cvchJdoRMpWcTYzbMxMPgToX+rykUYQqDJyaeLZgZT
5LEJHqNqqJkt67rxzqyu5jbEbkysOWV1c16ks6i4qem/NuwgGkPSRsn1zx1x
AvRDUYbTGgEOdEShoeSbUNrJ7IdlKICxTgBCaLWaE0voCcapWAzJtuFA252u
DhXxA2xHsQ+hXZEUx/f4VUdHi12QBP5Ljq7I2G7CGHyk5nqdQcWjaJ3ZdNqk
Ecc+yWXG+xhsPjM7XsuZNtJvn1BcRYi9MUZL6vkvLgLkrEg/SESOSKYvkw0R
G28vb2E+VUGQyEa20M1MKRgxIoPIwTdxudN99oxGd1fEdUO76wcvEYLl4OWM
bOxIuKWw4SUpoqfDew+G9WhdGPSF6eSb4fDUZWAQwuAomBwRij7e3mJWU880
sgHtcJmzaF7a+MNv9AoQaLOxbqUC4PrLLP/5gj3Cf6FV6LiBXRpvpfYZG4cu
Zx42ZHJYUeaG3ZW3xBJ1xsyu/DdOzBy8NC7bV4OXeXEJ/8WYA/yjIX018DJ1
Br9t/XuXxjG5NmqTkaA3dL4j4JCOzylB5YiDY8gphOCflPtJZwpohpSXJlfA
LXuGKW3oli8WGM4PMkLoZHWlPd+gYdBOclxbATUukBgFRTrckIDsKfCzywiT
G5hq8qKAhzlTE00p89FPMK7QuCI8AaoRl5Umv77c095qDOSBEgNHBQTLDRNz
he7s0Y0XsWanf5ayJxpWEi2mlQmHcb4C+h2YMXh40d1n6eXEhNk1sQiORdN0
frrUIksosuoCXchFx+lHQ36R8ZF35fUkReo1upNG/Vw7QzjGwuG3lGPfpqul
w6HjNLKtoejsSqYbQzZ9vcJBFM/UQGWXA2a608FqV5VPmy95Hb00eTUA1aE+
raXYDSbGYVxQ2PDPXfl5kPtAa5hBMdoemKjyYArqBOZjqhLQvytPj87eHg+H
R4eyTYSnSoNJXlsHYXROOAvl523vLKeIS14YGEdb8c4mMNoNN1DysQ9yGh/U
W/wM2boCEwx0e1tLuAWJagVVXNzMq/yyiOaTNBaLbJpmH6JROqXEdhu/4/Ad
G/GRESlRKafqErgOLEtNb4TOv8RTki8q5gtTVmScjLHpHXT6NEKQJ8FhpqiW
ytDrh1qCUQ9dtAoXDgfJhKj68ng6XbC2BFse43EbE0dEbqGXqNndfN7D55QR
XJJoQs6hJTyrZ11Mt8B8CeBC++RhPjvfMyoWJlncaJEuZqqKAA8RMxRSribK
ca56ImFp92RUqAjz0sON9hkvp/EBkWA0tIKZOXfJwCp8/s97GWN6WO6pg105
wu2HPcorpysgr4onghyzk3yalI65surEQIdUZ5RDzKrH4LkhRtjbKo9z4IAR
LLhsUq4wE8zoHoWy6mUYu20gTU81EkZniGJUZ0q5ZyZrN3R0suw5he1FmPim
6c9GAWGnEXGk17zloyvPjQ1dgjKjc76JVo4zL0EUU1QAN6w/1rLTBEjRHwJF
zipVWqNboevIdkTFAp56g6SKNvw25nhZjQ+fOnHMHBzWpkVbKHGFUWtiaUm2
jbR0un92rqkFZ3je11vbsE10Tj1NOS2t3q2VcSltvgGfZQKqH6TOgAQtyd7h
lsgZnU2igQ6CksIlOYHpEGU3nAtk0oM0swUrbUUWk7DpShQEZhI/47IAcswg
B52bQoE7k4QdmGZgfRqFMmCouhMhCAjFlSUAY+XYu2OchnRHOSrg9rCYDMOi
7+/SKM8rZGfz0ijsjD1gSOylo4AIbxoZSFEmkEsUqPZZ1xBnrOj5tWqmBySZ
gczaG09ULvEABROiEbMGXNYVY9JfteXSiI80WyCbNiwNFaIgP9wwP05IoahR
Jmtgy2jM+WxIwikyYbcZfWGyqUFGg3U9mWk6nKeXlzcjUK+A5uBg6bysJjoR
Jle71MdeF3sY7k5IpBIRw4Ds7F3hrTGsmKCtppE0Tqw4CNmcaJLAxtwt5U7v
BecZ1UjJGsQ7RL6UvM7Ws2Y6bPPcPqHMJCBhbtA+uc6QDt4aLUXLNVaruvJk
xM6YzjKUfpa4yRFmf43mAU1Z4lQ3ojPFQSG4IsE8nARmKQ6Uxyl5Z4gQyapA
uIVRertOK+oaDYsmmUUZYBBxzhBHrlJNzHP4ehOYobVk96U8eb8wZYmBSyp6
muo0T7ZQBVmoYFHndddAqdNsdbjT8yFQIxIQtaBlEjBynVVmCxC4Osh3MQiT
GbxsaTWmA1u7AlOQdsEAgUn/WNdzUf8HzMFjre+ia1fbJTqzbIoKbI7lTZ5K
LqxWi/PjZmgLOrSfpbV7H1awaxb0KgP64YGws132KB81LZoXZLX3L7AcZxn8
ttVdMh42HQYQ+vmbQqaFdZEAOitkvKV2Htxf98I8oLBaJ9neTrZwqGKVI6GE
8YypjWf2hhPrmP8G8pQ4gqeSyP/+z/8K9RwR8JJCaXUnqek7S8qOU6FFu6RE
6yVG3PHTkBOnUwO8/mKJA7tSVeC6Ln8TWK/3RKflaaYQeqZppUExWZULLxsP
1zOkVFqPqSKvIr0KU/C8jEJXXYbbPcln3rBX+YIsTcNZ6kUFGCOKdDq0sHkT
vvIwyytvPFMOIac57U2PvJVUnav9MyS/2UQkzY7Srol+EPdsBJZ+fSHx7pQy
xZ8EW4uCa2r4WEMGT2MmWFM7yhzyUh91TKOpu9du3/zE6Wu4r52gZWP3Nu+Y
a7mUm+V19xa7akzuHgqPveYgz6t6u33TnVPx9mqzDwk1/o/cbr8+OzJTrGWZ
mmSyFWvX7fbzkdf9sxAH/XlW2n4AoSOvTTnkTzn64KzG4We37veDeJVHbDpo
9XqpNLNs3dXp78gkDrHf1RWn2owin4yZ0PE8zRbVAvTPBAuu4SAQ98TyeFso
aIXzEk2u/LiliZWksurzyXbBrKI/HQ3loH+tptMe1T4MuGB7HJCi7bJWKJGJ
77MA2+7IW2A20XTW9Tb1wpTsNnThD3Iu4CkXsL1dy0nCLAHbZf0Mgc9by/Mg
z0VDR5Rx+O78/OhgMPzuvGktm82y05HnFSbhOdL4jR9rat6xVBOqCkq85wrJ
umGWxwAGRozHQ6lWhlQASuBv6rI2Xh5HYzVO0HOnN2QGS0fepGy4s+JXr+Kw
eJZMBb/Rwnojq4fdd8qEwGhTi0geY/nL3UlxbC0dhhYrfj9XMCdrJMtdd3d2
nnMYquWRIE7z8ijZfvFi6xuPULpgupbqq51XPCGJ8QvDqi5UlsyB0VYt73YM
1GUaZh04WAemP49pDmbLxNhapBxdpNkoX2SY/oD3kHS9Ryq5sNWltGIbVmuN
QPX4UH/OUTMXN3MMnkXikanRJn2tZ8ADDJPlpoWM48eenNEFaSskDZi9xug3
U+RxvCicBebEpqwnZu81/mrlrxbHzYkaK87AChXCcH8TEX/UAN6NBo8cwNb9
PXYAR3WDxw2AF7lg0HVASYQbD7DEkTaH4MGWmw6AwvMAGEmlTF3jphB4osDa
ABsN0NZspbP7uCWA8AfDtkvGy4VWAzbdRHaadHV93sYQSAw+1/IL/7ZotCnC
DXx0PQhupWfCWT885zcspYktDbBC5m6whMbP5gN4mcIuld/LGV4LApOa4Hj6
b5ZUnHsHYIm/rFCtPcD9Pz+0B6BGUW1Nk6m8uyYEPd/C0HL1D5ssoSeHoSuS
Y5vl2gNI40GgXLw/1FuuAwF66+wVLeRu2GgJ9//8EBa+6lChkqxlUG20hEBB
1/qYI6gvyFC+RqOq4hsZXsIKXuksYVVeRNXD/KBRL/+S7KD9u46nuD1mCxya
HgVBfcW/gnRvf9MJbmQADAbxUMYkR/32Xy0hcV1TaoVp9eVO0vLP7a1nXrnD
Iwagk7iv01wfM8CqJbS3QFM+Pzr74ehMI2G9z+MrETS5ff4Cloxdoz8sOb5C
u8jYuqH3OCatkm4d0Apez8QBrVzGqCgXAYomB7OtVAD9DnMBO10/wmVnQheZ
9fJ3fVc1QaR1uoj5P457nWYJJgtzslEvqij8yEUQOuXY3M+S5RlfsaGToO2V
K7hguxCBaawm0bfR902+8syWXOj8RRMUr7UNk3it7uInTOLKrFcRybimcHSl
zvmtfDjxOirMlRTMyhOd6Wuyad124TLISx8GYOMYL29AbOWNnnibhRQuCJMg
YMOzyyJKlOAJ2qp/2Ues0KQtG/RqyZGK8xnFCfQ4LS/A1+Iwdmj03j4hvt3T
lzM0VsvonPv6nU8cCy3TEUdQBWY9wwK75to1+m6uXvtgYnzBFTSNGcop3iJA
eRscrqF7Qey0JdFDdZ0Lm+2PNj/lEe2dHuN9N+Z6idjcsRGOT02NfwWxhYAL
aRMfvMT+tr7NL+KsBpNCpD6mZYWZO1JfH7SceE3th5R7au4OCqHQ8U1lrwE0
mao6MQ99TjA+ZSvp9bi0xSrfpYtK5SmY5DaFno8dDbMrE4V5kFgEklfEeGyt
AnE7SgDgnuYOJD0Agk/6n70wzwwJ1M8XEuo7RXzY8jENS6i2k7mRzVC0N0+e
MA5qGZa3T8JttOXO1nNIqR0BKvAU6PVzUbSuIBBeks4yBSAF4Rk0ROPXEAib
KoUtDMa9y5xkm2dCbkxBt+PkVNTufuLIrK3ixiDnNAfgiaBxXC7L4GxGYDmb
VHg9vsSrXuPVcIdCY+sVZbBBXZRTZG43gkTKVl5c6losDKD7VVhNrdGJpJur
7BLQQLddrqrd0vaTqfXiuHwwhd8a2Ss5hT2mGYLjt8baloufrj+gd1W+NIl2
VoyAkmhbN5RPrlzl5ymO94/NBe5W+TPUvbr1trGGvUxJU3mz3Pp5s9UWXC7x
SLjXKmn1S/xstd5LdrNjVdWrlZh39hl02fp655tvnj3/CqZcqmJcU8ncdJW+
/mi5oNUeG7hlc13rL13coxkZJ7jdhSVeLG1unxixIYQnOOk+YJDjGdfETG9k
CSyk6qFMSoDd5nghOCmwQXqfuzk2TFj08l/pvt9ecCsMKQR8B0XXVKDYQjBU
bZjKuebNiEkMEZMogVWdUIJ/KOP1hVJXKqhTsyKYQxSYF9OjPBNzGYong5uK
zAAuHnV6I5wGEMlMXeshtMZBcy6Kgi+QUsaB8ICgsHf/uM+60mKVtaO7uCKO
tbss1V493EVq+hm81BW6rx7q0swbH5ql4dnmXPYxs/A/bUZ1BoKU7ttZZxZt
Ym0wy4aAnez/+ehguOuR4gNdmlmh7eKPsxZg6/q91lhLcxefydqTqq/ryXrn
+uAH/K2ZzZ6/OXn/3aEtdWKjldob1VeiYTyf45VJXJ0jv37xj/bCQn2uTdbc
NB2rKp2prneRHxi8yKGm0dyY3JzZTnnsOEg+5avW7TYz0yUDOGTUVo1HXm0V
cS7ASWczRVcKGt6LdiOMYWxM4m0jlB0JR3gk+y2SrtC1eWiYgZadlirpNJRk
eHaOdwM31ycyDwVLJdHpeUXN5OjLfVyuMzdEkynEl/NxB1z4E3/NZIIZpvnO
eDp2l5mTvWJ4yMaOg6U00e1g4BNagnxNdTVCHFFCtXvMK7R3w+K+nL/Z622/
+IrutdakIAJ7qctp/Xzt4ZKFhX4Drmi/Ce5c9DQtFJrAJ/LSpPtRqQx0ZrHx
Uwlbf+uSDRAQ0pAaILOWnBXqOk9B/+5rSlsvnj3TzyKYAodEUrnwUxGi8Rj2
wwTFKHeA0woeyqXVJROD3+L7HP7dpRoEyHiNVbGlEG5dsn129P3747OjQ7qS
uGmFTssZKd5zWllXTtTHnk5wRVP4bBkXXGVLdGc8S3RbeUljG0qq8P5brPXC
q6DoHgX7XgQgVLeRNVh9wxu4AuYOlSqmIhJALByp91n6Uao5bBwNg3su2yen
6Kbe+46GeLOYRRnwuCihehDdxiSjemTKx1zIGsZkC848/sOH/MI75ORFqmGz
Nvt3KewHbES9TMrmPpvunOGb4l45mLr8PgHzpg0qqZ4vCqBqnav6RKs5QXW2
RhLdVFBjDmqJryBw5AAJy9yuJ3mprJ8EkYdMcV715ft5nunbNNgHscTLui5V
mavQDmDLFtWKo0+TsyJoarCIgvBIuHdnGHzZ7dK6aRtdT9t9eTwGSJgUU0w1
XmRAvJajg8zhWgftSr5xOhxOg1VounjYlRr5pWUjXSOqSxSfw5Iiymm2Cd98
0BxVoUqfcMFYrQgOhgRTHRBp/cgwZZqTy7dQxCkRQCz86CHHxF3Gfrakg7PW
fb7kKiefGGV4X8EhS7GwwHgAtaCm614fpApGs2hGs63lt/W39nR3DVsQTH1V
Prfwmv3TflBOAmJ1H7V6eoMBGHeiveRD7CCGousorQgObbRkumxFg6Blnl/K
vnT5ZINNwNuzoQrlnEe25txuzr3t245Yfv/sYzTq9zv3RIHWVug3VQHvb8+1
4XyIdtcZ354tcyo7vyxARh13u7yh+bKx7bJxe9l2tL5x3/Agdx/Tn0+TPkud
jVcbmgOezCWLYEl7NreJ2Rs86V0kh/YFInRtp/9CESH2jbJuX7lCfIBfcmLf
DtH0LhXhv8eE6wT5nSe6avrt3oEpUS0ndAsTqAiFquS3YqSqa8X8yXgtTFWJ
1bI8fzcAwvEd4b1hxfB049T07vOwzm9UNoHTg6KQcA1i69OnFt4RkldcmIo6
fWbuBqKKpBBSnNddEprIZGF9PaE7XfD9RDWHOpXwykWWAhmQn4qB7dmLvukV
Ejyz2/+UL65a0LupnDvFNfg9bW772658aRHTI8T0tIrds41fyU8mNdr/mI3t
uOIvjfJVs/PTB6YO5+VX2egp2DZMzBy4hcuvzSF6i/ynwoaLteMPXzTm+a54
QAxBjtgjpfUXERTWe6la5oKo0OXbNu/X6HSFtXCRcivSTtGHtgxtldqIsAgu
yUBJDIchmjJuS3c2/Hcg4XsWC34DD70Ji2LOMRWIxP5Z5CXiCdP34OQlVzPj
EvHmBOh7aEu+vCsl5vQCMeXVg1n0DBifgnS5hVcFRvn4PH1wNRi9v6rnqu2k
u7wD3yh2Y8KBPXmSTW/uO9myje/yoYMmv+1414awOWLzuXwmge9FCl4fZV+5
wG9ggq6oi5fI+Yx2cWiLbG6f2IKbO37ZAreL4TQDYR1ghNhEukvX4Hjv3d7y
w6BSeEZvXshypwUCu8F++nVuI7Lsa7e2HGDM9zVVANIFA96lI3p8fAML0OVH
mZrLS7ROG4zD95jYd/BxjZ99gaO9gANP2/33aRA3DyvL2T1zZCrw9UUPCHRw
Z0N4f4Z94wN5ufGJF/HUswoCnXVD4xQPtcK2ucJDl11qGIS9b4Ij9uOUnfZe
LNRpzVyN2eyG1q8EwE+TOuquteAP6aZNgtv70wP5PqHeqL3UBX+T2tk8DMbJ
9vwgw6OGuV+LXR+ae7ttsCj/7uZHDxP6aX/9Ra244nljaG7d3tTjtY9D+Dpm
zBfem51O7SLfxwxzf8zzb7+oFwHCvXfIDuJJhK//DfL270N4keczuu2YTVS8
Zolx//eK8AeGwbzq14odRsSGHw9NkKD/qGEe3K71hlmmzi9Mfl93mEscWGJ7
uqrPPcPgh5FwAVt5ERY6/N0ezd915J/0q7E4/7O7ss8D0HjvGLlIMzCZHjfM
ytk3WNQ3K/kN504WrrjvXmhueVEquVBTvkHubkWf1cP8nfEbzDV/nRfXUdFY
u7g2NE85V69MLx8/zC/Eb+TS55HDULq7rrf6jGHspWawOd3HD0OvuvJ0hF+Z
bkBTpcNywSj/+5AMW889qF3V3GbD/G9j6VugQ77PaFldSoefjWzu34bQkFnZ
8OquX2FRLx4q96kaDQF/lHvx9OCn2T3/5bjN8jDtra8c/3n8MJzTrK36xw8T
6pO/NLq/rhUWta3nc5Fx/QdFIqfRTcNr8TbK/Fx5cH+pJflhi/m8Zy9y1HGL
wIvV5GPSF+74d3E2XDA5IUdxoZScw1csfXU3MhqTUij/2g72HK26rFH7r3QK
pneRpA7hnldqLrfwEiM9S+AKi/kt1i41NHi58tBdk2xU8tJzUeM14bnnLNv4
Ts+V3i78OJdW23TzSGilg+sejNfojlxRAa9qZ/yS42VS9fv9MgxpEzhBZr9/
Z9jo0SHw1JqddNfUb+Nz9dlwgpTe995guG4/F3LcaL4Vm73OfE0PH+6HTp8l
LeThfivSOb8gnC+aFAt7Ou+db+notsl38+zjs2fPtuuO4kfDWWO1wCB7oGnP
twyvDe4zXuJgzGg1a9verVV+rr6e2TLa5dQRZF904a2g97ksXyZsspds4RPz
ReAY1+79yHxTfNG5l681fziZpM0c776Qe/OGcvslhraiZChEXE0/491sa4w3
vHeN/BBpvI/bRY3Plk6v32GdEp0NOeuGNTohPMhNbaFOnSSa2gNXI7Q000XD
hppke//sbA3onxedxvbrwk+XpPnq1loIbkAYFZiq5g4bIGxtEbP5glewiO3V
LGKJEwR84vkuRkWNChVU3mGdCmcONl0THpSpWH4SOWoQSzyT3iFl7vA2VSh8
n7bmN55uJVxptXl7FelwyqvlfRQ3+Qwm4opSVhcd3stETnlzCB+4193/y0xE
U8JSUUYjE3GkYDOaGzd0fXiQKaxxxP8Wh1YDhHEknct4X9Hq/28K+spREL+A
xKeNpg1af3yMpPyvoghasLZgddqOKQc0NTqdxy14hZh4vlpM3CMIQGD8D1Nw
uOAPlwAA

-->

</rfc>
